Posts by Dom De Vitto

10 publicly visible posts • joined 17 Oct 2016

Here's a neat exploit to trick someone into inadvertently emailing their files to you from their Mac, iPhone via Safari

Dom De Vitto

Lots of more sensitive files than /etc/password!

... /mobile/Library/SMS/sms.db - SMS and iMessage database :-(

....

....

.... :-(

Finally. Thanks so much, nerds. Google, Apple, Mozilla end government* internet spying for good

Dom De Vitto

Re: The biggest weakness in the whole TLS arena

Trust in HTTPS is "pretty low"?

Compared to WHAT?

HTTPS, with other browser security - HPKP, for instance - is brilliant. I would put that way above a VPN service (or TOR) with HTTP alone.

.....

You're not Boeing to believe this, but... Another deadly 737 Max control bug found

Dom De Vitto

Patch Tuesday....

Anyone else feeling the second Tuesday of every month is a bad day to fly?

Accused hacker Lauri Love to sue National Crime Agency to retrieve confiscated computing kit

Dom De Vitto

Interesting angle.

Firstly,

Solicitors ('lawyers??') aren't used to these kinds of cases - it's literally pointless hiring one for this, it would be like asking a GP to do brain surgery.

A barrister, however, is a different kettle of fish - they are sharks. But I doubt one wanted to take this trivial case.

I think he's just pushing the CPS - prosecute now, or drop the charges and give me my stuff.

It's a smart move, as if they have the evidence they need (possibly hoping to brute-force the crypto), pushing won't matter; if they don't, it could cause the case to be dropped. Of course, the police can always come back to their *copy* of the evidence, if they can break the crypto in 5 years - they don't actually need the originals, just 'best available evidence', as they can prove the originals were his, and the encrypted copies of the data are a 'true copy'.

Neat move on his part, and hopefully will mean someone in the CPS makes a decision - which is what's causing his anxiety....

Talk about a cache flow problem: This JavaScript can snoop on other browser tabs to work out what you're visiting

Dom De Vitto

Ermmmm, been this way forever?

This is literally a cute way to do something you could always do.

Load an object, compare load/compile/execute times to determine if it was downloaded or already downloaded.

Bucketing the cache per "requester site" would resolve this, but also impact performance.

The real impact here is when you consider iterating through a graph of social media to find the particular person's profile using basic set theory & finally iteration over the short list of people who've seen the recent posts from DUP Supporters, UK Parliament News and LGBT Weekly.

Revealed: British Airways was in talks with IBM on outsourcing security just before hack

Dom De Vitto

Obviously everything is preventable.

According to their own statement, they detected it themselves.

F-35 'incomparable' to Harrier jump jet, top test pilot tells El Reg

Dom De Vitto

Wow, are you actually saying the SIMULATOR works? Because I was playing Elite in 1985, and it seemed about the same, maybe better.

Crypto-busters reverse nearly 320 million hashed passwords

Dom De Vitto

Oh dear.

Firstly, max of any number of characters is silly - you're stream hashing, so length limits are dumb.

Secondly, known dumb password check is good, but increased complexity is better e.g. mandating symbols.

Thirdly, re-hashing a hash isn't necessarily better - or the writers of SHA512 would have done it. e.g. collisions are going to be increased, and that means *less* security. Every rehash is another chance your super-secure password will collide with 'Password1'.

Fourthly, user specific salting is great....if it includes internal values (account number etc.) - just adding the username to the front isn't going to help any. This also needs to be longer than the hash (512 bits+)....

Fifthly - global salt values, hope that's another longer-than-hash value...

UK's 'FBI' hit by DDoS barrage

Dom De Vitto

Re: Haven't they just been given oodles of cash to protect us against this kind of thing?

If it has no value, it should be shut down....

BRAND damage here is the cost - especially for a new organisation that is trying to gain respect.

They should have just stuck the site on a CDN & forgotten about it, like Krebs did....

New GCHQ unit: Psst, breached biz bods. We won't rat you out to the ICO

Dom De Vitto

Re: Far off the topic, but I had to..

You've had worse.....