Posts by Justin Pasher

@wolfetone Re: Is SSLv2 still supported in OpenSSL?

Actually it depends. The Debian binaries removed the SSLv2 protocol from OpenSSL back in 1.0.0c-2 (i.e. post-squeeze, pre-wheezy).

https://www.debian.org/security/2016/dsa-3500

Re: wrong problem to be solving.

Just grab the specific version you want directly from the "FTP" site.

http://ftp.mozilla.org/pub/firefox/releases/

Re: Unsurprising. This is *monitors* after all

@toughluck: Everything sounded great until you said "If you're using a HDMI 1.4 compliant cable". There's no such thing as an "HDMI 1.4 compliant cable". That's a marketing thing (just like contrast ratio). There are only four types of HDMI cables.

Standard

Standard with Ethernet

High Speed

High Speed with Ethernet

HDMI 1.4 is a software specification, not a hardware specification. A cable knows nothing about software, because, well, it's hardware. It's like saying an ethernet cable is "IPv6 compliant"

Re: Wot no SPF?

If that's what the domain owner has declared, then yes. It is. That's what ownership means.

So when user B doesn't get user A's email because user B has configured a forwarder and the email is rejected due to a violation of user A's SPF record, it's user B's fault?

Well, you have some strange ideas about SPF and make that claim. I use it, and would not. Perhaps you might like to wonder if there is more than just mere correlation to that...

I HAVE been using SPF for a long time now, mainly because of "hey, it's one more thing you can try to make email deliverability work better". The fact that I say it's a joke doesn't mean I say no one should use it. It means don't put much faith behind it.

And the fact that you use it and would not make the claim that it is an ineffective anti-forgery system does not make the opposite true. Please do share anything that was not true about my anti-forgery statement.

Re: The War on Customers (was: Unlimited doesn't mean unlimited then...)

Can I get an explanation for why these two things are actually separate to the point where one demands metering and the other not? Except for, you know, "marketing segmentation we want to impose" kind of reasons?

Seems pretty obvious to me. It's a lot easier to suck up a huge amount of bandwidth by tethering a laptop to a cell phone's data connection than being restricted to the capabilities of the phone/installed apps. Then there's also the fact that you could use tethering to set up a mobile hot spot for others that do not have unlimited data, thus "reselling" your unlimited data plan to others for free. Now you have people that are not paying T-Mobile a dime but potentially using a lot of their bandwidth.

If the problem was REALLY wide spread (which it's not), you have the situation where T-Mobile thinks "we have X million customers, so we need Y infrastructure", when in reality they would have X million customers + however many mobile hot spot users are tethering for free.

You do realize that something called libel still exists, even in the days of the internet, and it's illegal, right? Whether this will constitute that is up to the courts.

Re: No legal use...

"You could route VOIP through your VPN/Firewall so that your calls from home are coming from work."

And if your work uses a traditional PBX without VoIP support? Maybe the UK is different, but VoIP is far from universal in the US for businesses.

Re: PermitRootLogin no

Although I wouldn't necessarily say that "not a lot of people permit root login any more" (at least intentionally), in Debian Jessie they finally made the default config option "PermitRootLogin without-password" to help with people that just run out-of-the-box setups.

Re: Arctic sea ice extent for June 2015 was the third lowest in the satellite record.

You realize that the two reports are measuring two different things, right?

Sea ice extent vs Sea ice thickness

Which one is more important? I would imagine volume is a bigger deal than surface area, considering you can have a little visible surface area with a lot volume (and vice versa), but I'm not a climatologist (for lack of a better term).

@Pheasant Plucker: Silverlight

"They certainly do with Silverlight. Still do with Silverlight."

Technically it is not being overridden. It is released under a new KB number, so it's treated like a different update.

Why mess with Ghost when CloneZilla does it for free (and with a Live CD/USB)?

Re: Sounds complicated

Obligatory xkcd

https://what-if.xkcd.com/26/

Re: startls

The situation we are in now is a little like trying to put the toothpaste back in the tube.

You can run an implicit SSL SMTP server on port 465 (port 993 is IMAPS, btw) and other could connect, but a much larger percentage of the SMTP servers out there don't do this versus those that do. The only way you would know is if you attempt a connection first (which will most likely fail), and then you have to fall back to regular port 25 anyway, thus increasing the overhead for sending emails.

Fundamentally, an implicit SSL connection and a clear text connection where you issue STARTTLS are the same, but the advantage of STARTTLS is that you only have to connect to one port (which should always be open for any public SMTP server), and you can then secure up the session. Granted, you might have the fallback to an unecrypted session depending on the client/server config. It is possible to set up some SMTPd servers to require TLS when connecting to remote servers, even by using STARTTLS, but you still end up in the same situation (many servers do not support it).

Now, if the government enable STARTTLS functionality for inbound and outbound, it still relies on the other client and server to support it. They can't force that to be the case, and if it's not supported on the other end, it defeats the implementation anyway. Thus, implementing the change might give some a false sense of security just to tick another box on the security checklist. I'm not saying they shouldn't implement this at all, however.

@Ken Hagan

"These would be kids who are too young to enter into a legal contract. Sorry, the responsibility for the laptops remains with the last legally responsible entity who had them"

So given that rationale and returning to my previous scenario of a neighbor borrowing something, you'd be perfectly content if the neighbor never returned said item or conveniently lost it since you never had a legal contract between the two of you explaining the terms of the loan?

I'm not arguing from a LEGAL standpoint. I'm arguing from a responsibility stand point. There are plenty of situations where someone cannot be LEGALLY held responsible for something, but that doesn't make it right or something that should be swept under the rug.

Re: Older browsers

By disabling SSLv3, you really don't cut off that many people (communication via older scripts could be a different story). PFS is recommended, but that's not what this is talking about.

Works fine:

------------------------------

Android 2.3.7 - Uses TLS 1.0

IE7 on Vista - Uses TLS 1.0

IE8 on WinXP - Uses TLS 1.0

Safari 5 on OS X 10.6.8 0 - Uses TLS 1.0

Safari 6 on iOS 6 - Uses TLS 1.2

Does not work:

------------------------------

IE6 on WinXP - Uses SSLv3

I'm sorry, but if you are really that concerned about cutting off IE6 users on Windows XP, then you need to contact those people and tell them to get their act together. Either upgrade off an unsupported OS or switch to an alternate browser that was written in the past decade.

Re: Built in battery, no SD slot, no waterproofing?

"I'm curious, what do people need SD cards for?"

Personally, I don't use it for the extra capacity that much. I use it because it is REMOVABLE storage. It's an easy way to get large amounts of data on or off the phone. I can also perform periodic backups with Titanium Backup, which means if the phone conks out, I can still have a copy of my data that doesn't require some on-line cloud-esque sync solution. Granted, ad SD card can die too, but a phone dying takes a lot more down with it.

"There's nothing "only" about a flaw that exposes usernames and password in plaintext."

Although the POTENTIAL was there to expose usernames and passwords, it was still wildly a crap shoot as to what information you could actually obtain from the random memory locations. The fact that you couldn't easily detect an attack is what made it so hard to accurately determine the level of the data leak.

Re: .. but it makes a difference

So what's to stopping them from just using the "high speed internet access" instead? Unless that term is explicitly defined somewhere, I don't see it having the effect that they hope it will have.

Re: Gmail?

There are a surprising number of "odd" characters that are considered valid in an email address per RFC specs (the plus sign being a definitive yes).

http://www.remote.org/jochen/mail/info/chars.html

And RFC 821 has been obsoleted by RFC 2821, which has been obsoleted by RFC 5321.

Re: Numbers printed without challenge

Exactly. The math is off somewhere (or the description of the numbers)

4,000 CPUs each doing 6 billions hands a second = 24,000 billion hands a second

They say more a billion billion hands (1,000,000,000 billion)

1,000,000,000 / 24,000 = 41,666 seconds (less than half a day)

They ran the simulation for 2 months = about 5,184,000 seconds

At that rate, it would calculate about 124 billion billion hands.

As suggested, clock cycles makes much more sense.

Re: Hmm.

In additional to the "convenient" dynamic DNS supported by Foscam devices, some devices will attempt to use UPnP to dynamically forward ports to the camera/NVR device. If your router supports this by default (for example, the ActionTec provided for Verizon FiOS), the device can (unbeknownst to the end user) make itself accessible to the outside world.

I've had this experience with a Q-SEE NVR (although I had read the included "quick setup" guide that mentioned how to access it remotely, so I knew it was doing that). Although changing the default password will "lock it down", it is still a bad idea for the default setting to be "punch holes in my firewall". Come to think of it, I don't even know if the NVR HAD the ability to disable UPnP

Re: So how will this work?

That's not how a typical SSL MITM attack works.

Normally, a nefarious system will try to intercept the end user's traffic secretly. It would do this by jumping in between the two end points of the connection. To make it seamless, the bad guy would need to decrypt an already encrypted session, which is theoretically difficult (although the practicality of it changes over time). If the bad guy doesn't have the server's private key, it has to rely on exploits or weaknesses in the encryption.

Now pretend the private keys of the CA were compromised. This allows someone to sign their own certificates that browsers will automatically trust. It doesn't involve breaking or compromising the encryption of the two end points. In essence, the MITM attack becomes more of a reverse proxy.

Ultimately, that's no different than any other CA getting their private keys compromised. It still has nothing to do with the private keys of the original server providing the SSL connection.