Чорба от греховете на dzver : Stara Planina Sausage

This post was syndicated from: Чорба от греховете на dzver and was written by: dzver. Original post: at Чорба от греховете на dzver

This is important.

The “Stara Planina” sausage tastes the same as the sausage made from butts. The idea that you are eating sausage made from meat, however, makes it something special.

11 bucks a kilo.

LWN.net : Ubuntu 10.10 Beta (Maverick Meerkat) Released

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Ubuntu 10.10 (Maverick Meerkat) beta is available for testing. The Ubuntu
10.10 family of Kubuntu, Xubuntu, Edubuntu, Ubuntu Studio, and Mythbuntu,
have also reached beta status. Maverick Meerkat is scheduled for a final
release on October 10, 2010.

LWN.net : Security advisories for Friday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Debian has updated barnowl (denial
of service).

Fedora has updated rekonq (F13, F12:
cross-site scripting), sssd (F13, F12: authentication bypass), wireshark
(F13, F12:
multiple vulnerabilities), and F12: kernel
(privilege escalation).

Gentoo has updated wxgtk (arbitrary
code execution).

Mandriva has updated wget (code
execution).

Pardus has updated openssl (denial
of service) and flashplugin (multiple
vulnerabilities).

Red Hat has updated kernel
(privilege escalation).

SUSE has updated kernel (multiple
vulnerabilities).

LWN.net : Morgan: Finding more women to speak at Ohio LinuxFest: success!

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

On her blog, Mackenzie Morgan reports on efforts to increase the number of women speakers at Ohio LinuxFest. Due to the outreach, the number of women speakers went from five of 31 last year to 14 of 38 this year. “Recognising the various concerns women speakers can face, we tried to specifically address potential issues in the email sent to women-focused mailing lists. Some of these known issues include lack of confidence in new speakers, not being clear what the intended audience is, or the “imposter syndrome,” where someone doesn’t recognize that they are qualified to speak on a topic. The woman to woman dialog made the difference.”

Linux How-Tos and Linux Tutorials : Weekend Project: Serve Up Your Own OpenID with Open Source Tools

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Nathan Willis. Original post: at Linux How-Tos and Linux Tutorials

Last weekend, we looked at how to enable your Web site to accept OpenID logins. But accepting OpenID authentication is only half of the issue — if you care about online privacy and identity, the chances are that you will want to control your own OpenID. Fortunately, setting up your site to serve as an OpenID provider is not that difficult — and makes a great weekend project.

трънки и блогинки : Electronic voting – technical impossibilities

This post was syndicated from: трънки и блогинки and was written by: Пейо. Original post: at трънки и блогинки

With the resumption of Parliament's work, work on the draft Electoral Code has also resumed, and with it talk has started again about introducing electronic and internet voting. I followed the previous attempts to introduce electronic voting closely, and my firm opinion was that they were a pure technological sham. Now there is more insistent talk of introducing internet voting, which I consider dangerous, because there is no reasonable technical way to implement it without violating the basic constitutional requirements for exercising the right to vote:

Art. 10. Elections and national and local referendums shall be held on the basis of universal, equal and direct suffrage by secret ballot.

Secrecy of the vote
Voting must be secret, because only guaranteed secrecy ensures freedom of choice and independence from external factors. The vote cast must not be linkable to the voter, and no positive or negative consequences for the person must be able to follow from the choice made. An example of possible “positive” consequences is receiving money or any other benefit in so-called “vote selling”. “Vote control” through threats of violence, loss of job or income, or another form of social or material coercion is among the possible “negative” consequences of breaching the secrecy of the vote. Introducing internet voting does not solve these problems; through the convenience it brings, it will only favour the spread of this kind of abuse.

Electoral procedures must be organized in a way that prevents the voter from selling their vote and also protects them from pressure aimed at controlling their vote. Of course, active oversight is needed, because procedures alone cannot eliminate vote trading and attempts to control the vote, but neither should they contain preconditions that enable or facilitate them.

To ensure the secrecy of the vote, special conditions for voting are created that are the same for everyone. Such conditions include the controlled environment of voting in a “dark” booth, the ban on companions, identical ballots, opaque envelopes and others. With remote voting, guarantees of such an environment are missing. The voter chooses, or can be placed against their will in, an environment that allows others to learn with certainty how they voted. The lack of conditions guaranteeing the secrecy of the vote is a precondition for tainting the election, and this is a fundamental obstacle to “voting over the Internet”.

Transparency of the process
Everyone must be able to understand and grasp the mechanism of casting a vote. This ability must not depend on education or technical competence – voting must take place in the most transparent way possible. The process must be clear and understandable, so that every voter or election observer can be sure that their vote is cast and counted correctly.

The advantage of the paper ballot is that what happens to it can be perceived with the senses and understood by everyone. Everyone knows how paper works, but there is not a single person who knows at the same level all the technologies needed to implement electronic voting. Moving from paper to electronic voting is not progress, because it is a transition from understanding based on knowledge to belief based on blind trust.

The main problem with electronic statements is ensuring their integrity and immutability, and in the case of voting the author must remain secret. Voting is different from, and much more complex than, sending a normal electronic document, because at the start we have a known author who must cast a secret vote, and at the end we have a transformation into an open, aggregated vote, but with a secret author. There is no logical scheme by which this transformation is possible without using a third party.

The problem with the presence of the third party is precisely the problem of its independence. Suffrage is direct, which means that the casting of the vote must not be mediated. It is foolish to elect bodies of state power while state power itself runs the process, because the one being elected must not be able to influence the election.

These are only two of the main obstacles of principle to a successful implementation of voting over the internet. The cost, the opportunities for abuse and the real benefit of the advantages are other arguments against, to which I have not come across good answers.

Блогът на Юруков : Now there's internet, now there isn't

This post was syndicated from: Блогът на Юруков and was written by: Боян Юруков. Original post: at Блогът на Юруков

The other day my internet went down. Completely and without warning. In Plovdiv we are with ТВСатКом. They explained that their business partners were splitting up, and evidently not amicably. One side was cutting the other's cables, they took their server, and the internet went down. The cable TV, however, still works.

In this situation I'm quite on edge. Not that I have no internet – on my phone I use prepaid from Globul, but hooking it up to the computer turns out expensive. I don't know whether you've ever gone a long time without internet, but it's inconvenient. At some point it feels as if you have no electricity – you can get by with candlelight, but it sucks. Then when the internet comes back you sit down, finish your work in 5 minutes, and wonder what you were so nervous about before.

Not that I'm constantly online (although there are such days), but there are moments when I need it right away. For example, these days I wanted to release the changes to Lipsva, but I'll have to wait until I go to Germany. By the way, right now I'm at К2 – my favourite place with internet in Plovdiv. In 2 hours I'm meeting a Pro.bg correspondent about the missing persons site. There is a lot of interest, but I'd also be glad if someone volunteers for me to make them a moderator.

PS: Does anyone know a good cable internet provider in Kyuchuka?

Schneier on Security : UAE Man-in-the-Middle Attack Against SSL

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Interesting:

Who are these certificate authorities? At the beginning of Web history, there were only a handful of companies, like Verisign, Equifax, and Thawte, that made near-monopoly profits from being the only providers trusted by Internet Explorer or Netscape Navigator. But over time, browsers have trusted more and more organizations to verify Web sites. Safari and Firefox now trust more than 60 separate certificate authorities by default. Microsoft’s software trusts more than 100 private and government institutions.

Disturbingly, some of these trusted certificate authorities have decided to delegate their powers to yet more organizations, which aren’t tracked or audited by browser companies. By scouring the Net for certificates, security researchers have uncovered more than 600 groups who, through such delegation, are now also automatically trusted by most browsers, including the Department of Homeland Security, Google, and Ford Motors - and a UAE mobile phone company called Etisalat.

In 2005, a company called CyberTrust - which has since been purchased by Verizon - gave Etisalat, the government-connected mobile company in the UAE, the right to verify that a site is valid. Here’s why this is trouble: Since browsers now automatically trust Etisalat to confirm a site’s identity, the company has the potential ability to fake a secure connection to any site Etisalat subscribers might visit using a man-in-the-middle scheme.

Дневникът на Георги : Friday, 3 September 2010

This post was syndicated from: Дневникът на Георги and was written by: georgi. Original post: at Дневникът на Георги

I'm preparing a lot of code for the move to php 5.3 and cursing a bit over
the removal of ereg, split, ereg_replace. It's quite annoying to change
working code, with all the potential for stupid mistakes, just so as not to
use functions they've decided won't be supported soon.
I only have 930 uses of ereg and about 150 of ereg_replace left,
then tests and reading the php 5.3 release notes again, and then we'll see
what happens. Grumble.

Darknet - The Darkside : Malware Hash Checking Tool – Online & Offline Support

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

This program intends to detect a malicious file in two ways; online and offline. It calculates the md5 hash of a specified file and searches it in its current hash set (offline) or on VirusTotal site (online) and shows the result. It has http proxy support and update (for hash set) feature. It’s a simple [...]

Read the full post at darknet.org.uk


Fergie's Tech Blog : Mark Fiore: God-O-Matic

This post was syndicated from: Fergie's Tech Blog and was written by: Fergie. Original post: at Fergie's Tech Blog

More Mark Fiore brilliance.

Via The San Francisco Chronicle.

- ferg

Gatta's Today : Colourful doors and rooms with names :D

This post was syndicated from: Gatta's Today and was written by: GattaNegra. Original post: at Gatta's Today

The moment I got back from the seaside I realized that “I'll just paint a bit here”, according to my mother, means “paint whatever there is to paint boldly and with a firm hand, because who knows when I'll feel like dealing with it again!”. On my return I found she had started on everything with the white paint. I convinced her that it would be better to [...]

Gatta's Today : Seaside adventures

This post was syndicated from: Gatta's Today and was written by: GattaNegra. Original post: at Gatta's Today

And so, our glorious company piled into the car on 15 August and we set off for the big blue aspirin. There's no need to go into detail about the trip. Suffice it to say that in one car there was a pregnant girl, and in the other a very small baby. No smoking in the car (and just as well, because 4 adults and one [...]

xkcd.com : The Carriage

This post was syndicated from: xkcd.com and was written by: xkcd.com. Original post: at xkcd.com

I learned from Achewood that since this poem is in ballad meter, it can be sung to the tune of Gilligan's Island.  Since then, try as I might, I haven't ONCE been able to read it normally.

Packetstan : Suricata TCP Evasions

This post was syndicated from: Packetstan and was written by: Judy Novak. Original post: at Packetstan



If you’re currently using the Open Source intrusion detection/prevention system Suricata, I urge you to upgrade to the recently released version 1.0.2 as soon as possible. In my recent research, I’ve found more than half a dozen TCP evasions in code from prior versions.

In my experience with Open Source intrusion detection systems like Snort, accurate and thorough TCP reassembly is extremely difficult. Snort’s TCP stream reassembly code has transitioned from being pretty lame and rudimentary (see Stick and Snot attacks) into a flawed stream4 implementation, finally evolving into a solid and comprehensive stream5 module–over a decade later.

I’ve been interested in Suricata’s stream reassembly code since they offered their first beta release over a year ago. When they released their first non-beta stable 1.0 release this past July, I felt it was finally fair game to try some evasions. Unfortunately, it was fairly easy to find them. Some, like the failure to properly perform TCP checksum validation, were trivial; others like the one discussed below took more poking.

My intent was to find evasions that were more or less universal – not affiliated with a particular operating system (AKA target-based). I crafted the evasion techniques with Scapy and sent them to a destination operating system running Linux first and later Windows Vista. Obviously, TCP evasions are most dangerous when Windows is the destination host since Windows is still the most prevalent OS. In all fairness, I ran any TCP evasion that I discovered against Suricata later against a current version of Snort – 2.8.6.1. Snort alerted on all of the techniques that successfully evaded Suricata.

Suricata currently looks for malicious traffic only within the application layers that they decode. While Suricata covers most of the major protocols – HTTP, DCE/RPC (see source code app-layer-detect-proto.c for applications and detection methods), there is currently no way to configure Suricata to examine other ports for malicious traffic. Say, for instance, that a new and very effective spear phishing attack (i.e., an email-based attack specifically targeted towards an organization) managed to convince users to open a malicious PDF that created a backdoor on port 4444. As far as I can tell, there is no way for Suricata to examine traffic on this unusual port. Personally, I find this troublesome and yet another reason I wouldn’t abandon Snort just yet.

Let’s examine one of the several Suricata TCP evasions I was able to uncover in versions prior to 1.0.2. Suricata uses Snort rules. Assume that the following Snort rule exists and is configured for use:

alert tcp any any -> any 80 (msg:"EVILSTUFF alert"; flow:to_server, established; content: "EVILSTUFF"; http_uri; sid:1234; )

This rule looks for the content of “EVILSTUFF” in an HTTP URL.

First, here is the Scapy code that I used. I’m not going to go over the specifics of the code since I covered how to create the client side of the code in the blog post on an unusual response from a bad acknowledgement on the last segment of the three-way handshake. The code for this evasion shares many of the concepts and some of the code.

Now, let’s take a look at the client side traffic that the Scapy code generated.

Segment 1 represents a SYN with a crafted Initial Sequence Number (ISN) of 10. The next crafted segment 2 shows the acknowledgement of the server’s SYN/ACK. Next, I reset the connection in segment 3. This should be the end of tracking this session.

Segment 4 is a SYN sent about 5 seconds after the reset and is identical to the first SYN, except it uses an ISN of 11. Segment 5 completes the acknowledgement of the three-way handshake from the new session and segments 6 and 7 contain the malicious split content of “EVILSTUFF”. Suricata fails to alert here; we assume this is because it gets confused after improperly closing/cleaning up after the first session and mistakenly considers the new session as a continuation of old one. It doesn’t track the new session SYN with the ISN of 11 and when the malicious content is sent later—with a sequence number one more than Suricata expects—it creates a gap in sequence numbers for Suricata. Suricata cannot properly reassemble the malicious content since there is a missing sequence number before it, causing the evasion.

The failure to properly close one session and distinguish it from a new one is neither a trivial nor a target-based issue. So please make sure that you upgrade right away if you are currently using Suricata.

Additionally, if you have or are considering dumping Snort in favor of Suricata, my advice is: Don’t do it yet! Suricata is a work in progress. I don’t mean to diminish the hard work of some very talented people, but the product needs to mature before I would consider using it as my exclusive means of IDS/IPS. And please note that I’ve scrutinized only a specific aspect of the product and have found what I consider to be substantial issues. The Suricata team has fixed the issues I reported, so the stream reassembly has improved; but it is still only currently capable of looking for malicious traffic only in application layers that they support.

In the interest of full disclosure, I worked at Sourcefire on the Vulnerability Research Team for about 5 years. Specifically, I did research on Snort’s current stream reassembly preprocessor known as stream5. Steve Sturges translated the research and improved stream4 to produce stream5. It was at Sourcefire that I learned Scapy and began to use it to try to evade other companies’ TCP stream reassembly as well as help build a regression suite to ensure that code changes to stream5 or other modules didn’t accidentally introduce unintended consequences. So, yes – I am somewhat biased in my preferences for Snort; I very much appreciate the opportunities presented to me at Sourcefire and I have an abundance of loyalty and allegiance to this day. But, I’ve got no current financial or other investment in Sourcefire, so I’ve nothing to gain monetarily from exposing Suricata’s TCP reassembly issues.

I’d like to thank Todd Wease, who used to work for Sourcefire on the Snort team, for validating the evasions I found and for examining the code to help me understand the logic issues. And, I’d like to thank Jen Harvey, Co-Founder at Voxilate, for reviewing this post and cleaning it up so it is coherent.

As a final note: You, too, can attempt to find evasions such as these in your IDS/IPSes packet-crafting with Scapy. There’s still time and room to sign up for my Power Packet Crafting Using Scapy course in Las Vegas at the end of September. Please come join me in Las Vegas in September!
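The failure mode described in the Packetstan post above, as an added example that is not part of the original post and is not Suricata's or Snort's code: a toy client-to-server stream tracker is fed a constructed trace with the post's sequence numbers (ISN 10, reset, ISN 11, content split over two segments), once with session state kept across the RST and once with it torn down. The class and function names and the exact payload split are assumptions for illustration, and the stale-state model follows the post's own hypothesis about the cause.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Segment:                 # one client-to-server TCP segment
    flags: str                 # "S" = SYN, "A" = ACK, "R" = RST
    seq: int
    payload: bytes = b""


@dataclass
class Stream:
    next_seq: int                                             # next in-order byte expected
    data: bytearray = field(default_factory=bytearray)        # reassembled bytes
    pending: Dict[int, bytes] = field(default_factory=dict)   # held behind a gap


class ToyTracker:
    """Hypothetical single-flow tracker; teardown_on_rst=False models stale state."""

    def __init__(self, teardown_on_rst: bool):
        self.teardown_on_rst = teardown_on_rst
        self.stream: Optional[Stream] = None
        self.ignored_syns = 0

    def feed(self, seg: Segment) -> None:
        if "R" in seg.flags:
            if self.teardown_on_rst:
                self.stream = None          # session really ends here
            return
        if "S" in seg.flags:
            if self.stream is None:
                self.stream = Stream(next_seq=seg.seq + 1)
            else:
                self.ignored_syns += 1      # new ISN mistaken for the old session
            return
        if self.stream is None or not seg.payload:
            return
        s = self.stream
        if seg.seq > s.next_seq:            # data ahead of what we expect: hold it
            s.pending[seg.seq] = seg.payload
            return
        if seg.seq < s.next_seq:            # old data; overlap handling out of scope
            return
        s.data += seg.payload
        s.next_seq += len(seg.payload)
        while s.next_seq in s.pending:      # drain anything now contiguous
            chunk = s.pending.pop(s.next_seq)
            s.data += chunk
            s.next_seq += len(chunk)

    def gap_bytes(self) -> int:
        s = self.stream
        if s is None or not s.pending:
            return 0
        return min(s.pending) - s.next_seq


def uri_matches(stream_bytes: bytes, content: bytes) -> bool:
    """Stand-in for the rule's content + http_uri match on the request line."""
    request_line = stream_bytes.split(b"\r\n", 1)[0].split(b" ")
    return len(request_line) >= 2 and content in request_line[1]


def inspect(trace: List[Segment], teardown_on_rst: bool) -> dict:
    tracker = ToyTracker(teardown_on_rst)
    for seg in trace:
        tracker.feed(seg)
    data = bytes(tracker.stream.data) if tracker.stream else b""
    return {
        "alert": uri_matches(data, b"EVILSTUFF"),
        "gap_bytes": tracker.gap_bytes(),
        "ignored_syns": tracker.ignored_syns,
        "reassembled": data,
    }


# Constructed trace following the post's segments 1-7 (client side only).
CONSTRUCTED_TRACE = [
    Segment("S", 10),                          # 1: SYN, ISN 10
    Segment("A", 11),                          # 2: ACK of the server's SYN/ACK
    Segment("R", 11),                          # 3: reset
    Segment("S", 11),                          # 4: new SYN, ISN 11
    Segment("A", 12),                          # 5: ACK completing the new handshake
    Segment("A", 12, b"GET /EVIL"),            # 6: first half of the content
    Segment("A", 21, b"STUFF HTTP/1.0\r\n\r\n"),  # 7: second half
]

if __name__ == "__main__":
    print("stale state :", inspect(CONSTRUCTED_TRACE, teardown_on_rst=False))
    print("clean reset :", inspect(CONSTRUCTED_TRACE, teardown_on_rst=True))
```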

Backblaze Blog : Backblaze release 1.5.0.311 (minor)

This post was syndicated from: Backblaze Blog and was written by: Brian Wilson. Original post: at Backblaze Blog

Backblaze has made a new release available and all users are scheduled to be
automatically upgraded over the next two weeks. Below are the enhancements
in this release:

Release Date: 9/2/10
Version: 1.5.0.311
Auto-Update: All Users

• Increased frequency of updating summaries in customer accounts (helps
Transfer Backup State reflect accurate information).
•  Minor security enhancements.
•  On Macintosh only – opening System Preferences automatically fixes missing menu
item problem.
•  For IT departments in companies – added “push” deployment support to
installer.

LWN.net : Embedded Linux Conference videos available

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Michael Opdenacker has announced the availability of videos from this year’s Embedded Linux Conference, which was held in San Francisco in April. The slides and Theora video are available for most, if not all, of the talks. Opdenacker and the Free Electrons team do the community a great service by doing the work to record and transcode the videos. “If you are interested in such talks, what about joining the European edition of the conference? It will take place in Cambridge (UK), on October 27-28, and will be colocated with the GStreamer conference (October 26). See http://www.embeddedlinuxconference.com/elc_europe10/ and http://gstreamer.freedesktop.org/conference/ for details.”

SANS Internet Storm Center, InfoCON: green : Microsoft EMETv2 released, (Thu, Sep 2nd)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Today, Microsoft released a new version of their Enhanced Mitigation Experience Toolkit. A rather unwieldy name, but quite interesting technology – with EMET, legacy applications on OS versions as far back as WindowsXP can now also be protected with Data Execution Prevention (DEP), Exception Handler Overwrite Protection (SEHOP) and more, and the application doesn’t even have to be DEP-aware. If you have vulnerable legacy apps on Windows that you need to keep alive for a little while longer, I suggest taking a look at EMETv2.

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Schneier on Security : Successful Attack Against a Quantum Cryptography System

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Clever:

Quantum cryptography is often touted as being perfectly secure. It is based on the principle that you cannot make measurements of a quantum system without disturbing it. So, in theory, it is impossible for an eavesdropper to intercept a quantum encryption key without disrupting it in a noticeable way, triggering alarm bells.

Vadim Makarov at the Norwegian University of Science and Technology in Trondheim and his colleagues have now cracked it. “Our hack gave 100% knowledge of the key, with zero disturbance to the system,” he says.

[...]

The cunning part is that while blinded, Bob’s detector cannot function as a ‘quantum detector’ that distinguishes between different quantum states of incoming light. However, it does still work as a ‘classical detector’ - recording a bit value of 1 if it is hit by an additional bright light pulse, regardless of the quantum properties of that pulse.

That means that every time Eve intercepts a bit value of 1 from Alice, she can send a bright pulse to Bob, so that he also receives the correct signal, and is entirely unaware that his detector has been sabotaged. There is no mismatch between Eve and Bob’s readings because Eve sends Bob a classical signal, not a quantum one. As quantum cryptographic rules no longer apply, no alarm bells are triggered, says Makarov.

“We have exploited a purely technological loophole that turns a quantum cryptographic system into a classical system, without anyone noticing,” says Makarov.

Makarov and his team have demonstrated that the hack works on two commercially available systems: one sold by ID Quantique (IDQ), based in Geneva, Switzerland, and one by MagiQ Technologies, based in Boston, Massachusetts. “Once I had the systems in the lab, it took only about two months to develop a working hack,” says Makarov.

Just because something is secure in theory doesn’t mean it’s secure in practice. Or, to put it more cleverly: in theory, theory and practice are the same; but in practice, they’re very different.

The paper is here.

LWN.net : Thursday’s security updates

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Mandriva has updated thunderbird
(multiple vulnerabilities).

Ubuntu has updated wget (arbitrary
code execution).

LWN.net : Vignatti: X Census (for 1.9)

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Tiago Vignatti has put together a report on the development of X.org 1.9. In the tradition of the kernel statistics reported on LWN, and the more recent GNOME census, he ranks developers and employers based on the number of changes made to various pieces of the X.org tree during the development of 1.9 (April 2 to August 20). The statistics are broken up along functional lines into several categories: X implementation, X input drivers, user space video drivers, Pixman, X11 conformance testing, and X documentation. “Of course lines of code and changeset are far from being a good metric to see actually how the development happened. But still, it does represents something.”

Schneier on Security : Cyber-Offence is the New Cyber-Defense

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

This is beyond stupid:

The Pentagon is contemplating an aggressive approach to defending its computer systems that includes preemptive actions such as knocking out parts of an adversary’s computer network overseas—but it is still wrestling with how to pursue the strategy legally.

The department is developing a range of weapons capabilities, including tools that would allow “attack and exploitation of adversary information systems” and that can “deceive, deny, disrupt, degrade and destroy” information and information systems, according to Defense Department budget documents.

But officials are reluctant to use the tools until questions of international law and technical feasibility are resolved, and that has proved to be a major challenge for policymakers. Government lawyers and some officials question whether the Pentagon could take such action without violating international law or other countries’ sovereignty.

“Some” officials are questioning it. The rest are trying to ignore the issue.

I wrote about this back in 2007.

РККА / WBCA : 2010-09-02 Sofia

This post was syndicated from: РККА / WBCA and was written by: Vasil Kolev. Original post: at РККА / WBCA

In connection with a discussion on twitter, several young ladies asked me to write why Sofia is a nice city.

To begin with, of the cities I've been to, only Dublin has appealed to me more (I've been to Berlin, Munich, Los Angeles, Phoenix and a decent number of Bulgarian cities), perhaps because I hit exactly the right kind of autumn weather (I was there for only a day and a half, unfortunately).

First of all, Sofia has the necessary details of civilization – round-the-clock shops within a decent distance (if you wish, you can avoid sobering up around the clock), round-the-clock eateries (Кривото has saved me from near starvation at 4 in the morning more than once), good eateries in general (one group tried going to eat at a different place every day for a year and still didn't get round to all of them), bookshops (there are no round-the-clock ones yet, but I'm probably the only idiot who cares about such a thing), reasonably tolerable transport (metro, taxis, various buses – which are also decently cheap). If they ran a metro train once an hour at night, it would be simply unbeatable.
(as an example, most reasonably normal countries have almost no round-the-clock shops and the like)

The city is actually not all that big – it can be walked from one end to the other in about 4 hours. There is almost no neighbourhood without a park close enough, and from my observations one can stroll there calmly at any time; people are there mainly on weekends, mainly along the central alleys. Walking along the small paths of Borisova Gradina at night, for example, is very pleasant, there's no way to get lost, and on the whole it's not the extreme sport many people imagine.
(most big cities outside Bulgaria, especially in the USA, are very large in area and walking is not a particularly suitable way of getting around)

The air in Sofia is by now reasonably fine. Since they shut down Mordor (marked on maps as “Kremikovtsi”) it is actually quite good (I can walk for several hours along the roads and not notice any problem). It also helps that the city is at altitude, and even in the murderous heat last month it still wasn't all that stuffy (as an example – in Varna, at a temperature 10 degrees lower, you couldn't breathe). On top of that, the mountains around are a step away (there are buses and minibuses to get there, and on foot they aren't particularly far either), should anyone want truly clean air.

Sofia is also the true centre of Bulgaria – here the Internet is fastest, there is work, the city is developing, all kinds of people gather from across the country (and beyond), the biggest universities are here, a large share of the big concerts are here too, the decent co-location centres are also in Sofia, and so on, and so on.

I know quite a few people who grumble about how awful the city is and who nevertheless stay here, even though it wouldn't be that hard for them to leave. I also know people who really did leave, but they are either close to Sofia or left the country for work reasons (which is a topic for an entirely different post).
I can also list many problems of the city – broken roads, traffic jams, dirt in various places, shoddy construction and what not, but in the end none of them is insurmountable.

That is why every time I come back I feel happy.

update: Actually, since I was asked what is beautiful about Sofia – besides being natural and organic, as well as vivacious on the Ankh-Morpork principle (like a dead dog on an anthill), there is something more. How you can just look out the window or simply be out walking and suddenly see something beautiful, left hidden somewhere just like that. Say how the moon reflects off Neterra's teleport, perhaps the mountain lit by some stray sunbeam, the metro tunnel in the fog, some strangely placed graffiti, even from time to time a woman with taste…

Darknet - The Darkside : Deutsche Post Security Cup – Bug Bounty Contest

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

The trend of paying for bugs is certainly catching on, the most recent entrant to the field is Deutsche Post the German postal service. They announced this week a security cup for their new online secure messaging service. The bug bounty trend has resurfaced recently with Mozilla increasing its bounty to $3000 and Google increasing [...]

Read the full post at darknet.org.uk


[Медийно право] [Нели Огнянова] : Court of Justice of the EU: retirement of university professors

This post was syndicated from: [Медийно право] [Нели Огнянова] and was written by: nellyo. Original post: at [Медийно право] [Нели Огнянова]

A Bulgarian court has referred a question to the Court of Justice of the EU on equal treatment / the retirement of university professors at the age of 65 (joined cases С-250/09 and С-268/09):

Whether national legislation is permissible which allows an employer to terminate the employment contract of a university professor who has reached the age of 65, and provides that after that age the employment relationship may be continued only in the form of fixed-term contracts of one year, but for no more than three years.

Here is the Advocate General's opinion from today:

According to the provisions of the Directive, states may provide that “differences of treatment on grounds of age shall not constitute discrimination, if, within the context of national law, they are objectively and reasonably justified by a legitimate aim, including legitimate employment policy, labour market and vocational training objectives, and if the means of achieving that aim are appropriate and necessary”.

In conclusion, Mr Bot considers that the Directive must be interpreted as permitting national legislation such as that at issue before the national court, which allows an employer to terminate the employment contract of a university professor who has reached the age of 65, and provides that after that age the employment relationship may be continued only in the form of fixed-term contracts of one year, but for no more than three years, in so far as the aim of that legislation is to share employment opportunities in that profession between the generations, which is for the national court to verify.

[Медийно право] [Нели Огнянова] : Political advertising: not everything

This post was syndicated from: [Медийно право] [Нели Огнянова] and was written by: nellyo. Original post: at [Медийно право] [Нели Огнянова]

On 19 September there are elections in Sweden. Time for political advertising. TV4 has decided not to air an advertisement by an anti-immigrant party (you choose between cutting the budget for pensions or for immigrants).

Swedish production companies have refused to work with the party, and Danish media report that Danish producers would not have accepted the commission either, had they known from the start what it was about.

In comments to international news agencies, representatives of the opposition defend TV4's decision: Fear of losing democratic freedoms is not a problem for Sweden. What can be seen is an attempt to instil hatred. A distinction must be made between freedom of speech and the incitement of hatred towards ethnic groups.

The advertisement in Spiegel, via Vihar of Право на ЕС

[Медийно право] [Нели Огнянова] : ACTA: the EP insists on transparency

This post was syndicated from: [Медийно право] [Нели Огнянова] and was written by: nellyo. Original post: at [Медийно право] [Нели Огнянова]

Yesterday representatives of the EC informed the members of the European Parliament about the progress of the ACTA negotiations (after the latest round in Washington in August and before the one in Japan in September).

The text has not been provided, nor can it be published, as the MEPs had requested, because of the US position against disclosure of the draft (EurActiv).

In March the EP adopted a resolution, with only 13 votes against, in which it reminded the EC that, as a result of the entry into force of the Treaty of Lisbon, Parliament will have to approve the text of the ACTA agreement before the agreement enters into force.

ACTA is an agreement on international standards in the field of intellectual property protection.

Linux How-Tos and Linux Tutorials : Using a Bamboo Tablet with Ubuntu 10.04

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Jack Wallen. Original post: at Linux How-Tos and Linux Tutorials

Are you a budding artist? Or are you already a professional graphic artist looking to expand the hardware you have to use? And are you hoping to shed the last remnants of either the Windows or Mac operating system? If any of these are true you might be looking at one of the many drawing tablets that can be connected, via USB, to your laptop or PC. These tablets make for a far superior graphic experience, giving the artist much more control over the cursor than with a standard mouse. Unfortunately tablets can quickly become a hurdle for Linux users. In some cases the installation is a snap; just plug in the tablet, install a simple application, and go. In other cases, the process can be a real nightmare. 

Како Сийке, не съм от тях! : Medals and pensions for the fashion models too, please

This post was syndicated from: Како Сийке, не съм от тях! and was written by: Longanlon. Original post: at Како Сийке, не съм от тях!

The distinguished cultural, political and economic thinker Vezhdi Rashidov has decided that the state does not do enough for pop singers, and that it should be giving them medals that come with cash awards. So that their old age would be untroubled, since they had given a lot to Bulgaria. But are they the only ones who have given to Bulgaria?!?


CC Petar Stoykov

Harald Welte's blog : Motorola announces "Ming" phone with Android

This post was syndicated from: Harald Welte's blog and was written by: Harald Welte's blog. Original post: at Harald Welte's blog

For those who don’t know: The Motorola Ming was the A1200, a commercially
very successful Linux-based phone in China and other parts of Asia, using the
EZX software platform, i.e. the kind of hardware that we once built the OpenEZX software for.

Motorola has recently announced that they will follow up with some Android-based
Ming phones. It is my suspicion that apart from some mechanical design
aspects, those phones will not resemble the Ming in any way, neither on the baseband
hardware side, nor on the application processor side, and particularly not on
the software side.

So it’s probably nothing more than a marketing coup, trying to connect to successes
of the past. Not interesting from the OpenEZX point of view, I guess.

LWN.net : [$] LWN.net Weekly Edition for September 2, 2010

This post was syndicated from: LWN.net and was written by: corbet. Original post: at LWN.net

The LWN.net Weekly Edition for September 2, 2010 is available.

SANS Internet Storm Center, InfoCON: green : SDF, please!, (Thu, Sep 2nd)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

“We’re under a targeted malware attack!”, a friend of mine yelled into the phone. “We are getting lots of oddly named PDFs, attached to personalized emails, sent only to certain employees in our firm!” From some past experience with chewing through our nasty malware repository here at SANS ISC, I had learned a thing or two about malicious PDFs, so I agreed to take a look.
One hour later, it was clear that the PDFs in this case were free of any exploit, completely harmless, and contained only the average “I AM A COUSIN OF THE LATE ZESKEKE NGAGWENE” type of Nigerian 419 (advance-fee) fraud spam.
But the whole episode gave me pause. It really looks like the past two years of never ending new waves of PDF exploits have degraded PDF in the mind of every security analyst to a level somewhere at par with ANI and SCR files: No matter what it claims to be, it ain’t nothing good.
I very much agree with Stephen Northcutt’s comment in SANS Newsbites two months ago. He asked: “Is there an alternative to a .pdf? It was supposed to be a printable image of what you saw on the screen. At least that was the idea 15 years ago. It should not need launch functions to do that. Do you remember five or six years ago, you weren’t supposed to send an excel spreadsheet or a word document because they might contain malware, you were supposed to send a .pdf. Guess that has changed!”
Time for SDF – the Safe Document Format. You know, one that just supports pixels in various shades of gray, and does not need to include the ability to play a movie in 3D accompanied by surround sound. Just a nice plain document that can be opened, read and printed, without any of the nagging feeling of dread that nowadays accompanies clicking on a PDF.
Anyone?

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

LWN.net : Welte: More GPL enforcement work again.. and a very surreal but important case

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

On his blog, Harald Welte writes about work he is doing as part of the gpl-violations.org project. “Right now I’m facing what I’d consider the most outrageous case that I’ve been involved so far: A manufacturer of Linux-based embedded devices (no, I will not name the company) really has the guts to go in front of court and sue another company for modifying the firmware on those devices. More specifically, the only modifications to program code are on the GPL licensed parts of the software. None of the proprietary userspace programs are touched! None of the proprietary programs are ever distributed either.” If the manufacturer were to succeed with its claims, it could jeopardize many different projects that provide alternate code for devices, he says.

Fergie's Tech Blog : Krebs: FCC Must Make ISPs Crack Down on Spammers and Malware

This post was syndicated from: Fergie's Tech Blog and was written by: Fergie. Original post: at Fergie's Tech Blog

Brian Krebs writes on CSO Online:


The Federal Communications Commission (FCC) is asking for help in developing a “Cybersecurity Roadmap,” an ambitious plan to identify dangerous vulnerabilities in the Internet infrastructure, as well as threats to consumers, businesses and governments.

The one piece of advice I will offer the commission is to begin measuring the responsiveness of Internet service providers (ISPs) and hosting companies in quashing malicious threats that take up residence on their networks. This is an imperative first step to prevent attacks on the Internet infrastructure, in addition to making the Internet a friendlier place for users.

The FCC said that it is seeking comments on how to proceed with the roadmap, which is part of the commission’s National Broadband Plan to roll high-speed Internet services to more Americans.

The commission made the request at almost the same time as the Pew Research Center’s Internet & American Life Project issued its finding that more than half of Americans disagree with federal efforts to expand broadband deployment, an effort for which the Obama administration has allocated more than $7 billion. The Pew report came as the FCC was releasing data showing that most Americans who are paying for high-speed access aren’t getting anywhere near the Internet speeds they’ve been promised.

More here.

LWN.net : GNOME Journal Issue 21 released

This post was syndicated from: LWN.net and was written by: corbet. Original post: at LWN.net

Issue 21 of the GNOME Journal is
out; topics covered include simple real-time games, Grilo, and an interview
with Bradley Kuhn.

SANS Internet Storm Center, InfoCON: green : Month of Undisclosed 0-day Bugs, (Wed, Sep 1st)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

As a heads up, the Exploit Database (exploit-db.com) is publishing a month of undisclosed 0day bugs from Abyssec Research. Today there are two bugs published, one for cPanel (though it seems more of a bug of Fantastico) and one on Adobe Reader and Flash. Expect that the good ones will be weaponized quickly as the disclosures are quite technically detailed and don’t take too much thought to put into place. You may wish to keep up with what they publish as awareness for your own networks.

John Bambenek

bambenek at gmail /dot/ com

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Fergie's Tech Blog : Russian Trojan Blamed for Credit Card Losses at U.S. Diner

This post was syndicated from: Fergie's Tech Blog and was written by: Fergie. Original post: at Fergie's Tech Blog

John E. Dunn writes on TechWorld.com:

Hundreds of lunchtime customers of a diner in the US city of Memphis are believed to have had funds stolen from their debit and credit cards after PCs at the venue became infected with malware.

Large numbers of customers reported having had funds taken after using Jason’s Deli in recent weeks, which prompted an investigation by the US Secret Service, part of the Department of Homeland Security.

After establishing that staff were not involved, police discovered that a computer system used by to verify credit cards had been infected with unidentified new-variant malware, which had logged and forwarded the data to criminals believed to be in Russia.

“The computers received a virus that was unknown before this event,” said Special Agent Rick Harlow of the US Secret Service in a news conference. “No antivirus program that we ran against it found it,” he said.

More here.

Schneier on Security : Wanted: Skein Hardware Help

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

As part of NIST’s SHA-3 selection process, people have been implementing the candidate hash functions on a variety of hardware and software platforms. Our team has implemented Skein in Intel’s 32 nm ASIC process, and got some impressive performance results (presentation and paper). Several other groups have implemented Skein in FPGA and ASIC, and have seen significantly poorer performance. We need help understanding why.

For example, a group led by Brian Baldwin at the Claude Shannon Institute for Discrete Mathematics, Coding and Cryptography implemented all the second-round candidates in FPGA (presentation and paper). Skein performance was terrible, but when they checked their code, they found an error. Their corrected performance comparison (presentation and paper) has Skein performing much better and in the top ten.

We suspect that the adders in all the designs may not be properly optimized, although there may be other performance issues. If we can at least identify (or possibly even fix) the slowdowns in the design, it would be very helpful, both for our understanding and for Skein’s hardware profile. Even if we find that the designs are properly optimized, that would also be good to know.

A group at George Mason University led by Kris Gaj implemented all the second-round candidates in FPGA (presentation, paper, and much longer paper). Skein had the worst performance of any of the implementations. We’re looking for someone who can help us understand the design, and determine if it can be improved.

Another group, led by Stefan Tillich at University of Bristol, implemented all the candidates in 180 nm custom ASIC (presentation and paper). Here, Skein is one of the worst performers. We’re looking for someone who can help us understand what this group did.

Three other groups — one led by Patrick Schaumont of Virginia Tech (presentation and paper), another led by Shin’ichiro Matsuo at National Institute of Information and Communications Technology in Japan (presentation and paper), and a third led by Luca Henzen at ETH Zurich (paper with appendix, and conference version) — implemented the SHA-3 candidates. Again, we need help understanding how their Skein performance numbers are so different from ours.

We’re looking for people with FPGA and ASIC skills to work with the Skein team. We don’t have money to pay anyone; co-authorship on a paper (and a Skein polo shirt) is our primary reward. Please send me e-mail if you’re interested.

LWN.net : Security advisories for Wednesday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

CentOS has updated C5: httpd
(multiple vulnerabilities) and C5: kernel
(privilege escalation).

Debian has updated wireshark
(arbitrary code execution).

Fedora has updated socat (F13, F12:
arbitrary code execution).

Mandriva has updated libgdiplus
(arbitrary code execution), perl-libwww-perl (unexpected download
filename), and openssl (denial of
service).

openSUSE has updated acroread
(multiple vulnerabilities).

SUSE has updated kernel (multiple
vulnerabilities) and acroread (multiple
vulnerabilities).

LWN.net : Duffy: A story about updates and people

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

On her blog, Máirín Duffy describes four archetypes of Fedora users (Caroline Casual-User, Pamela Packager, Connie Community, and Nancy Ninja) and how they relate to updates of the distribution. Fedora has been discussing its update policy for a bit and Duffy uses the user stories to present her thoughts on how to proceed. “Pamela wants updates to be constant throughout a release, no holds barred — she wants the latest Gimp and she wants it yesterday. Caroline just wants her computer to work — “please don’t change a thing — it worked yesterday — if it breaks before my presentation I’m screwed!” Can both their needs be met? I think so! But it’s easy to completely miss where interests and needs can both be met when the language is so easily interpreted to mean the problem is untenable.”

SANS Internet Storm Center, InfoCON: green : Microsoft issues updates to sysinternals ProcDump and Process Monitor: http://blogs.technet.com/b/sysinternals/archive/2010/08/30/updates-procdump-process-monitor-and-a-new-mark-s-blog-post.aspx, (Wed, Sep 1st)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

– John Bambenek bambenek at gmail /dot/ com

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

SANS Internet Storm Center, InfoCON: green : VMWARE releases 2 security advisories for ESX Service Console: http://lists.vmware.com/pipermail/security-announce/2010/000103.html and http://lists.vmware.com/pipermail/security-announce/2010/000104.html, (Wed, Sep 1st)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

– John Bambenek bambenek at gmail /dot/ com

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Linux How-Tos and Linux Tutorials : Using Spell Checking in Vim

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Joe 'Zonker' Brockmeier. Original post: at Linux How-Tos and Linux Tutorials

Mark Twain has been quoted as saying that he respected a person who could spell a word more than one way. Unfortunately, Twain's enthusiasm for creative spelling isn't widely shared today, at least in the professional world. If you need a little help in the spelling department, but prefer the old school way of editing text, you can turn to Vim's spelling support.

[Медийно право] [Нели Огнянова] : Indecent language: Fox v FCC

This post was syndicated from: [Медийно право] [Нели Огнянова] and was written by: nellyo. Original post: at [Медийно право] [Нели Огнянова]

It is hard to define the limits of the indecent in the media; the opinions of viewers do not coincide, nor do those of viewers and the media, nor of the media and the regulator, nor of the regulator and the court.

The Fox v FCC case on indecent words on television (Bono, Cher, etc.) has reached the stage at which the Court of Appeals ponders why some words should be permissible in Saving Private Ryan but not at a music awards ceremony. The decision is quite remarkable: the judges reject the FCC's policy of sanctioning indecent language as vague, with arguments about the magnetic power of sexual attraction from the Trojan War onwards.

On the other hand, in 1978 the Supreme Court already gave the regulator the right to impose sanctions for indecent language (for the seven words you can't say on television).

After the court handed down its decision the regulator said briefly that it was shocked, and the news is that it has decided to appeal.

[Медийно право] [Нели Огнянова] : Journalism and new media

This post was syndicated from: [Медийно право] [Нели Огнянова] and was written by: nellyo. Original post: at [Медийно право] [Нели Огнянова]

On the agenda of the European Parliament for the upcoming session, 7 September: Draft EP resolution on journalism and new media – creating a public sphere in Europe (2010/2015(INI))

Report of the Committee on Culture and Education

Schneier on Security : More Skein News

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Skein is my new hash function. Well, “my” is an overstatement; I’m one of the eight designers. It was submitted to NIST for their SHA-3 competition, and one of the 14 algorithms selected to advance to the second round. Here’s the Skein paper; source code is here. The Skein website is here.

Last week was the Second SHA-3 Candidate Conference. Lots of people presented papers on the candidates: cryptanalysis papers, implementation papers, performance comparisons, etc. There were two cryptanalysis papers on Skein. The first was by Kerry McKay and Poorvi L. Vora (presentation and paper). They tried to extend linear cryptanalysis to groups of bits to attack Threefish (the block cipher inside Skein). It was a nice analysis, but it didn’t get very far at all.

The second was a fantastic piece of cryptanalysis by Dmitry Khovratovich, Ivica Nikolić, and Christian Rechberger. They used a rotational rebound attack (presentation and paper) to mount a “known-key distinguisher attack” on 57 out of 72 Threefish rounds faster than brute force. It’s a new type of attack — some go so far as to call it an “observation” — and the community is still trying to figure out what it means. It only works if the attacker can manipulate both the plaintexts and the keys in a structured way. Against 57-round Threefish, it requires 2^503 work — barely better than brute force. And it only distinguishes reduced-round Threefish from a random permutation; it doesn’t actually recover any key bits.

Even with the attack, Threefish has a good security margin. Also, the attack doesn’t affect Skein. But changing one constant in the algorithm’s key schedule makes the attack impossible. NIST has said they’re allowing second-round tweaks, so we’re going to make the change. It won’t affect any performance numbers or obviate any other cryptanalytic results — but the best attack would be 33 out of 72 rounds.

Our update on Skein, which we presented at the conference, is here. All the other papers and presentations are here. (My 2008 essay on SHA-3 is here, and my 2009 update is here.) The second-round algorithms are: BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein. You can find details on all of them, as well as the current state of their cryptanalysis, here. NIST will select approximately five algorithms to go on to the third round by the end of the year.

In other news, we’re once again making Skein polo shirts available to the public. Those of you who attended either of the two SHA-3 conferences might have noticed the stylish black Skein polo shirts worn by the Skein team. Anyone who wants one is welcome to buy it, at cost. Details (with photos) are here. All orders must be received before October 1, and we’ll have all the shirts made in one batch.

Darknet - The Darkside : Windows PowerShell DNS Server Blackhole Tool – Blacklist Domains

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

This is a Windows PowerShell Script to help you with blacklisting domains you wish to block in your networks. We have written about PowerShell before; it is something which can make the Windows shell a lot more flexible. On the external DNS servers you can create primary zones for the domain names and FQDNs you [...]

Read the full post at darknet.org.uk


Harald Welte's blog : More GPL enforcement work again.. and a very surreal but important case

This post was syndicated from: Harald Welte's blog and was written by: Harald Welte's blog. Original post: at Harald Welte's blog

In recent days and weeks, I’m doing a bit more work on the gpl-violations.org
project than during the last months and years. I wouldn’t say that I’m happy
about that, but well, somebody has to do it :/

Right now I’m facing what I’d consider the most outrageous case that I’ve been
involved so far: A manufacturer of Linux-based embedded devices (no, I will
not name the company) really has the guts to go in front of court and sue
another company for modifying the firmware on those devices. More specifically,
the only modifications to program code are on the GPL licensed parts of the
software. None of the proprietary userspace programs are touched! None of
the proprietary programs are ever distributed either.

If that manufacturer would succeed with such a lawsuit, it would create
some very nasty precedent and jeopardize the freedom of users of Linux-based
embedded devices. It would be a direct blow against projects that provide
“homebrew” software for embedded devices, such as OpenWRT and many others.

I’ve seen many weird claims and legal strategies when it comes to companies
trying to deprive developers of their freedom to modify and run modified
versions of Free Software. But this is definitely so weird that I still feel
like I’m in a bad dream. This can’t be real. It feels too surreal.

It’s a pity that I cannot speak up more about the specific company in question
right now. I’m desperately looking forward to the point in time where I can
speak up and speak out about what has been happening behind the scenes.

xkcd.com : Orbiter

This post was syndicated from: xkcd.com and was written by: xkcd.com. Original post: at xkcd.com

Normally, the Shuttle can't quite safely reach the orbital inclination required to pass over both those points from a Canaveral launch, but this is an alternate history in which either it launches from Vandenberg or everyone hates the Outer Banks.

LWN.net : [$] LinuxCon Brazil: Q&A with Linus and Andrew

This post was syndicated from: LWN.net and was written by: corbet. Original post: at LWN.net

Linus Torvalds rarely makes appearances at conferences, and it’s even
less common for him to get up in front of the crowd and speak. He made an
exception for LinuxCon Brazil, though, where he and Andrew Morton appeared
in a question and answer session led by Linux Foundation director Jim
Zemlin. The resulting conversation covered many aspects of kernel
development, its processes, and its history. Click below (subscribers
only) for the full report from São Paulo.