* Posts by mike acker

76 publicly visible posts • joined 1 Jul 2012


We're 90 per cent sure the FCC's robocall kill plan won't have the slightest impact

mike acker


the real solution is to provide a WHITELIST option on phones. If a company like Blackberry would offer WHITELIST control of incoming calls -- I'd switch service Monday.

WHITELIST Control of Incoming calls: If you are not in my Contact List your call is REJECTED leaving only a log entry. It DOES NOT RING

the other feature that is really needed on phones is a 1-button vehicle mode. this to silence all ringing and let calls go to voice mail, SMS messages to log.

US Congress to NSA: How many Americans do you illegally spy on?

mike acker

NSA answer? You can't be serious

certainly no one expects an answer from the NSA

Snowden answered for us -- and now he's wanted for espionage

UK defence secretary: Russian hacks are destabilising Western democracy

mike acker


Focus: the problem is insecure software.

as long as it's easy to hack -- hacking will be pervasive.

we face a question: clean up the software -- or re-think how we use it.

it's just that simple.

Email security: We CAN fix the tech, but what about the humans?

mike acker

wrong tree

wrong tree

it's the OEM software makers who need to be guided -- either by free market competition -- or by government regulation -- into providing secure software and authentication

the "people" -- will gladly embrace it

but where the makers want to promote selling above all else everything must be "easy peasy"

and it's easy-peasy for the hackers as well; "sophisticated hacks" and "state sponsored attacks" -- are just white-washed excuses for sloppy work.

Speaking in Tech: Nope, sorry waiter. I won't pay with that card reader

mike acker

Pay cash

you don't have to use "Plastic" -- you can pay cash.

once you pay off the card company you are in for a pleasant surprise: you'll have money!

Linus Torvalds in sweary rant about punctuation in kernel comments

mike acker

/* -----------------------------------------------------

everybody knows

comments are supposed to be in

little boxes

------------------------------------------------------ */

Third of US banks OK with passwords even social networks reject

mike acker

Passwords work

Passwords work

just ask the FBI: why can't they crack that iPhone? can't even get past a 6-digit passcode?

not if it's administered properly

biometrics are just a scheme to eliminate anonymity -- and -- they suffer from the disastrous problem: once compromised you can't change them.

Awoogah – brown alert: OpenSSL preps 'high severity' security fixes

mike acker

Client must generate session key

Bruce Schneier notes "Complexity is the enemy of security". He's right, as usual.

and HTTPS / SSL is a perfect example: the session key HAS to be generated by the CLIENT

when the session starts you have only half of a PGP secure link: client has the public key for the server and the server holds the corresponding private key

what this means is: the client can authenticate a message from the server -- but the server cannot authenticate the client except for the use of a user ID and password.

for this reason the session must start with the server sending a signed copy of its letterhead to the client. the client can authenticate this -- using the X.509 certificate it thinks* belongs to the server it is attempting to connect

if the letterhead authenticates then the CLIENT can generate a session key, encrypt it for the SERVER and send it. it cannot be done in reverse because the server does not have a public key for the client. end of story.

simplicity is the answer.

* x.509 certificates are printed and broadcast like losing lotto tickets. we must develop a process wherein the CLIENT has a PGP key and is able to SIGN for TRUSTED x.509 certificates. this will require the development and deployment of a KEK device: you cannot use smart phones for this: you must use a single purpose device so that updates can be STRICTLY controlled.

Apple fires legal salvo at FBI for using All Writs law in iPhone brouhaha

mike acker

all writs is not applicable

to invoke the All Writs act to force assistance you must meet the 3 tests

the last one asks "is this necessary"

in the case of AAPL: no: it is not necessary

all that needs be done is: have the cops FedEx the "subject device" to Cupertino; include a check to cover the costs, and a copy of the search warrant as required by law.

AAPL can then give the feds/cops the data they demand without releasing a backdoor package. cops that lose their personal side arms in bathrooms and leave them in cars in front of the White House and hang out in the brothels of Colombia cannot be trusted with sensitive software.

The sloth is coming! Quick, get MD5 out of our internet protocols

mike acker

face the real problem

the big factor in hacking is insecure operating software

an operating system that allows itself to be compromised by the activity of an application program is not secure and is a serious risk if used in any application where security is required.

quit treating the symptoms and face the music

Cisco Jabbers in the clear due to STARTTLS bug

mike acker

ssl/tls overly complex

it is generally conceded that "complexity is the enemy of security"

if you look at SSL/TLS you can see the start sequence is overly complex. let's review:

what you have, when the client first contacts the server:

the client has an x.509 certificate that it thinks is correct for the server;

the server holds the corresponding private key but DOES NOT have a Public Key for the Client;

if you examine this situation you'll see that initially:

the client can send a secure message to the server but the server cannot send a secure message to the client. this is because the server does not hold a public key for the client -- and this is normal

as a result: on initial contact: the server must send an encrypted HELLO message to the client. the client can verify that this is in fact from the desired server because it holds the x.509 certificate for that server. or at least this is supposed to be the case. we proceed on the basis that the validity of the x.509 certificate is questionable and that that issue must be resolved in order to proceed with secure communication

once the client has validated the server's HELLO message then the CLIENT must generate the session key. this is done using the server's x.509 certificate as the _key encryption key_ ("KEK").

once the server receives the session key the dialog can proceed with messages encrypted using the session key.

as things stand now the client has no way of knowing which x.509 certificates are valid. these are broadcast like newspapers and fraud has already been discovered on several occasions. this is the REAL problem with SSL/TLS

to fix it the client needs a KEK device that can be used to countersign -- and thus to validate -- x.509 certificates. only important x.509 need to be validated and the client will need sources with which such verification can be effected. this is the REAL issue with SSL/TLS.

In 2015, your Windows PC can be owned by opening a spreadsheet

mike acker

whac-whac-whac that same old mole

we've been whacking that same old mole for 10 years

time to throw that game out the back and down the alley

Break from the future: Hold the new stuff and fix the web first

mike acker

go back and fix stuff? not likely

fixing stuff that's broken is basically a defensive effort,-- something we only do to stop loss

as there is no product liability for software there is no loss for defective work. until that issue is addressed no one will give up the glitter of the new announcement for the drudgery of fix and repair.

Microsoft throws crypto foes an untouchable elliptic curveball

mike acker

publish source code

i see they offer the source code

i didn't think they would

Don't want to upgrade to Windows 10? You'll download it WHETHER YOU LIKE IT OR NOT

mike acker

i will not be receiving the update: i took my Windows/7 system off the net.

there are only 2 apps on it i still need to use and they work fine offline

everything else is on Linux now

NSA-resistant email service Lavaboom goes BOOM! (we think)

mike acker

special service not needed

1. before any discussion of security can begin you have to have a secure operating system. a secure O/S is one which will not allow itself to be compromised by the activity of an application program and which prevents any one application from compromising another application.

it is generally agreed we don't have such a system although it is also agreed some options are much better than others. Get LINUX.

2. with LINUX you get the Thunderbird e/mail client, ENIGMAIL and the Gnu Privacy Guard -- GnuPG -- all included. and all this stuff is free.

3. n.b. nobody is going to do this for you; nobody is going to give you security.

4. generate your key-pair and start learning.

Cloud computing’s refuseniks: How long can they hold out?

mike acker

news,-- or propaganda?

is the above article news or propaganda? at times advertisers will attempt to use articles that look like news in an attempt to fix into the mind of consumers that x, or y, or z -- is "where it's at" -- "everybody's doing it and so if you are lagging behind you're a luddite"

it's just a marketing ploy.

cloud computing has two problems: (1) network latency and reliability, and (2) privacy

"cloud computing" -- just ain't where it's at: it's a Bad Idea at the start.

No, Microsoft: Your one-billion Windows 10 goal is just sad ... really sad

mike acker

msft O/S : unacceptable

MSFT does not produce a secure o/s. their o/s is intended for other purposes and is un-acceptable in a network environment. their o/s will be phased out as soon as critical applications can be ported to secure operating environments. this is a change that has to happen.

Flash HOLED AGAIN TWICE below waterline in fresh Hacking Team reveals

mike acker


it would be news,-- if flash went for a week without needing a patch

KILLER! Adobe Flash, Windows zero-day vulns leak from Hacking Team raid

mike acker


does anyone still seriously believe this is all due to sloppy work or just oversights? Santa will bring you everything on your Santa Letter! :)

Whoops, there goes my data! Hold onto your privates in the Dropbox era

mike acker

Best Practice

the Corporate Intranet -- must be carefully isolated from the Public Internet. Otherwise trouble is sure to follow.

Samsung caught disabling Windows Update to run its own bloatware

mike acker

bad idea

Samsung: this is a good way to get onto the DO NOT BUY list

go back and figure out a better way.

Windows 10 Device Guard: Microsoft's effort to keep malware off PCs

mike acker

not addressing the Core Problem

this is another band-aid,-- and it does not address the Core Problem: an application program should not be able to affect(compromise) its host operating software.

hacking involves corrupting a program that is already running via which privilege escalation may be obtained,-- thus to corrupt the o/s itself.

this fundamental issue must be corrected if MSFT/Windows wishes to become a viable commercial OS

IPv4 addresses now EXHAUSTED in Latin America and the Caribbean

mike acker

two errors

the IT industry made two errors. both stupid, like dropping a ground ball:

1. no specification for routing ipv4 onto ipv6 was made as part of the standard.

2. mobile devices were allowed to have ipv4 addresses.

Comcast exec says wired broadband customers should pay-as-they-go

mike acker

Cohen is right

Cohen is right on each point.

it doesn't make sense for average users to foot the bill for every high-volume video enthusiast.

I would dearly love to see the national cable plant changed to fiber optics with speed in the 100GB range so that we could exchange video like we do jpegs.

but that's down the road a piece. things will all be different before we get there.

Torvalds rails at Linux developer: 'I'm f*cking tired of your code'

mike acker

Re: Odd timing

you forgot John McAfee

Security guru Bruce Schneier to leave employer BT

mike acker

favorite terms

one of my favorite terms is "sophisticated attack". it seems to be a favorite of the media.

and when you get info on the issue they always seem to be the same old crap. after a while one would begin to think this stuff is just so much propaganda: some elements of the industry want us to think security is not possible. that would indeed be propaganda. has anything Bruce has written dispelled this concept?

articles around the net late last week and this morning report that google yanked the app control feature out of their android. yeah, go figure.

Europe, SAVE US! Patriot Act author begs for help to curb NSA spying

mike acker

commercial at the start

they call it 'market research'. market research is gathering information about customers so that marketing campaigns can be conducted. these are more successful when they are directed to a selected or 'target' audience.

any type of communication that you participate in can be used to facilitate this 'market research' -- Web, e/mail, social nets, phone systems, ...

an article offered by Bruce Schneier recently suggests that the NSA isn't the real villain but rather has simply started to participate in the process.

Lavabit, secure email? Hardly, says infosec wizard Moxie Marlinspike

mike acker

no need to build - learn to use pgp

there is no need for anyone to build anything. for secure mail what you want is already available,-- for free.

start by switching to Linux,-- I recommend MINT

read and follow instructions regarding maintenance: stick to the official software store.

switch your e/mail to a commercial supplier -- not one of the free ones like Hotmail, Google, or Yahoo. I use Charter, and CoreComm services.

next switch your e/mail onto the THUNDERBIRD client -- that comes with Linux/MINT (also Ubuntu if you prefer). spend a little time learning to use Thunderbird. it uses IMAP servers -- so you can share mail on your iPhone (that isn't encrypted).

activate the ENIGMAIL plugin on Thunderbird. this uses the GnuPG version of PGP.

use the OpenPGP dialog on Thunderbird to generate your PGP keypair. set 1 year expiration date; load your public key to the keyserver. be sure to generate and save the key revoke certificate (JIC).

locate, download, and read Phil Zimmermann's essay on PGP, paying particular attention to the section on protecting public keys from tampering. learn what the Trust Model is -- and how to control it.

find a pardner to begin exchanging PGP mail with

remember there are 3 main advantages to PGP (ENIGMAIL) mail

authentication allows you to ascertain with reasonable certainty that an e/mail is from the party which claims to have sent it. without this i can send you an e/mail and mark it from anyone i want -- your boss -- or Nixon or Khrushchev

integrity allows you to be reasonably sure that you have a correct copy of a message; that the message has not been modified in-transit by someone using (e.g.) a "Man in the Middle" attack. This is CRITICAL for software distributions and financial transactions.

security allows you to encrypt messages so that you can be reasonably sure only the intended recipient can read them. this is a lot better than putting a disclaimer in your signature block saying something to the effect "if you weren't supposed to get this please cover for me, thanks"

NSA can still apply a traffic analysis on you: ascertain who you are talking to and this won't ever go away on public networks -- switched circuit -- or packet switched. but to get the messages now they have to hit YOU with a subpoena. hitting your ISP won't help: Your ISP couldn't read your traffic in any reasonable timeframe or at any reasonable cost -- no matter how much they wanted to.

remember though you are subject to the AUP you signed with your ISP. the government could tell ISPs that PGP mail traffic must not be allowed. in which case we'll come up with a new Plan.

Have you reinstalled Windows yet? No, I just want to PRINT THIS DAMN PAGE

mike acker


in the first place a computer is not a printing system

disconnect the printer and take it to the recycling center. now that you have that done you can also junk the fax machine. use computer output fax for those who are still mired in paper-based systems.

now: (1) install dual monitors so you don't need to print documents that you need to reference while working;

(2) get a nice tab so you can review dox while away from your desk.

i've known more than one person who felt they had to print out an e/mail in order to read it.

'Microsoft Word is a tyrant of the imagination'

mike acker

right on

Word is a "pita"

fortunately msft strong-armed the ISO into adopting their ooxml standards for the new iso open document standards.

i note that LibreOffice v.4 is now better at compatibility with the hated ms/word . hopefully others e.g. Google Docs will join in breaking this nasty ms/word monopoly like a punkin after Halloween

MS Word deserves DEATH says Brit SciFi author Charles Stross

mike acker

untergang ss redmond

actually the whole mess known as msft, aka ss redmond -- needs to go under. i think it's well on its way: from a security standpoint -- which is a requirement for online computing -- ms windows os is simply un-acceptable.

Snowden's email provider gave crypto keys to FBI – on paper printouts

mike acker

alternate decryption key (ADK)

ladar's error is in having an alternate decryption key.

of course you would have to wonder: if he was using x.509 certificates and SSL -- rather than real PGP -- what was he thinking

evidently that was the problem: he wasn't thinking .

IETF floats plan to PRISM-proof the Internet

mike acker

Two step process

becoming snoop proof is a 2 step process

1. clean up the end-points.

this requires that the end-point be subjected to a software inventory and audit to ensure that all and only the desired software is present. open source o/s preferred

you cannot have a meaningful discussion about encryption until you have satisfied (1) (above).

2. use GnuPG -- again open source -- to authenticate and secure communication links. this is a task that each user will have to learn and practice. the current practice of transmitting masses of x.509 certificates authenticated by massive "Certificate Authorities" -- has been compromised on occasion and has been the subject of significant inquiries by good COMSEC folks.

Silicon Valley slurped millions of NSA cash for PRISM participation

mike acker

how long haven't you known that?

Torvalds frustrated at missing simultaneous release

mike acker

you mean make it like msft/windows? FT

if you do design an improved micro kernel os you need to make use of ring 1-2 as well as just 0,3 so that kernel related processes -- which are privileged programs -- run protected.

Ubuntu puts forums back online, reveals autopsy of a brag hacker

mike acker

not back to normal

they now force users to use a "Single Signon" to access both their Ubuntu1 drop-box as well as the BBS

this is not regarded as a "best practice" : anything of a sensitive nature -- should have a separate password. and your drop-box may be sensitive -- depending on what you use it for

'It's GOOD we stopped selling the iPhone'

mike acker

I guess we all need to learn to cuss in Finnish!!

seriously Heaven forbid we were without Linus. I personally think LINUX may be capable of correcting some of the extremely bad thinking that has been incorporated into some software -- which now causes a LOT of Security Trouble

US gov SMASHES UP TVs and MICE to nuke tiny malware outbreak

mike acker

that's because there are no certification tools available to test for un-authorized programming. Wolfgang Stiller (Stiller Research) taught us how to do it with his Integrity Master product

you boot from a separate read-only media and make a list of all the software on the subject machine. include CRC, date, and size of modules. check this list against what is supposed to be there. if you have what you're supposed to have, none of it changed, and nothing extra you are good to go.

it will take an FTC rule to force the industry to adopt this practice. a better practice is to stop using vulnerable operating software
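The inventory-and-audit idea in this post and in the "Two step process" post above, as an added example that is not Integrity Master's code nor anything from the original posts: record size, date and a digest for every file of a known-good system, then later report what changed, what vanished and what appeared. SHA-256 is swapped in for the CRC the post mentions, since a CRC is easy to forge, and the sample "install" is constructed in a temporary directory; running from trusted read-only media is assumed, not shown.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Manifest entry: (size in bytes, mtime as whole seconds, hex SHA-256 digest).
# Size and mtime are kept because the post lists them, but only the digest
# decides "changed": an attacker can set size and mtime back to old values.
Entry = Tuple[int, int, str]


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, Entry]:
    """Walk root and record every regular file (symlinks skipped) keyed by relative path."""
    manifest: Dict[str, Entry] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            manifest[p.relative_to(root).as_posix()] = (st.st_size, int(st.st_mtime), sha256_of(p))
    return manifest


def audit(baseline: Dict[str, Entry], current: Dict[str, Entry]) -> Dict[str, List[str]]:
    """All and only the baseline files, unchanged: report anything that violates that."""
    report: Dict[str, List[str]] = {"modified": [], "missing": [], "extra": []}
    for rel, (_size, _mtime, digest) in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel][2] != digest:
            report["modified"].append(rel)
    report["extra"] = list(set(current) - set(baseline))
    for key in report:
        report[key].sort()
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed sample: take a baseline, tamper in three ways, audit. Hypothetical paths."""
    root = Path(tempfile.mkdtemp(prefix="audit-demo-"))
    (root / "bin").mkdir()
    (root / "lib").mkdir()
    (root / "bin" / "tool").write_bytes(b"#!/bin/sh\necho ok\n")
    (root / "lib" / "helper.so").write_bytes(b"ELF placeholder, constructed")
    (root / "etc.conf").write_text("verbose=0\n")
    baseline = build_manifest(root)  # recorded while the machine is known-good
    # Simulated tampering after the baseline: modify, delete, add. The modified
    # file gets its old mtime restored to show that the digest still catches it.
    tool = root / "bin" / "tool"
    tool.write_bytes(b"#!/bin/sh\necho ok\necho extra\n")
    old_mtime = baseline["bin/tool"][1]
    os.utime(tool, (old_mtime, old_mtime))
    (root / "lib" / "helper.so").unlink()
    (root / "bin" / ".hidden").write_bytes(b"not supposed to be here")
    return audit(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())  # {'modified': ['bin/tool'], 'missing': ['lib/helper.so'], 'extra': ['bin/.hidden']}
```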

Americans attempt to throw off oppressive, unresponsive rulers on 4th of July

mike acker

Thomas Jefferson, 1821: "...when all government... in little as in great things, shall be drawn to Washington as the centre of all power, it will render powerless the checks provided of one government on another and will become as venal and oppressive as the government from which we separated."


mike acker

one of the Critical Questions that is missed by security systems is: WHICH PROGRAM DO YOU WANT TO USE FOR THAT?

when you LOG ONTO your system you are given access to files based on WHO you are and the Ownership of any file you want to open

you might want to review this

for example, if you are running a web page do you really want your browser to be able to access anything you have access to?? remember, it's you AND the web-page running your browser...

to control this you need AppArmor,-- or RACF

mike acker

if you were interested in computer security you would study the methods used by attackers. The question for the hacker is: get code execution.

code execution could be a root kit or just a macro running in a word document or java running off a web page. no matter, it's important to ask: what can that code access, exfiltrate or manipulate?

now that we have polymorphic virus programs and millions of new samples appearing each year the virus scan is less effective than it needs to be. we have to monitor and limit program behavior.

I'm running Linux now, with my browser confined using AppArmor. It's a good package. Sadly, it's not for everyone.

Facebook's first data center DRENCHED by ACTUAL CLOUD

mike acker


you circulate the chilled water to heat exchangers inside the building

unless you want to take a bath

Copyright troll Prenda Law accused of seeding own torrents

mike acker

steele better check and see where mcafee is hiding out these days

PayPal security boss: OBLITERATE passwords from THE PLANET

mike acker

look deeper

this is an effort to get rid of anonymity

not everyone on the internet is a Good Guy so it is important to maintain your anonymity when you are online

there is nothing wrong with passwords -- when properly implemented

and if a hacker can get in via sql injection fingerprints or other scans are not going to help. if he gets in via sql injection he just takes what he wants

Microsoft: All RIGHT, you can have your Start button back

mike acker

looking deeper

looking deeper, if the smart-phone user interface is un-acceptable then it's possible the PC ain't dead after all

we face a nasty backlog of badly written software that only runs on a specific version of an o/s which is making it difficult to dump XP. and Win8 ain't gonna help none.

in a very real sense an o/s IS a "hardware abstraction layer" . the o/s honors the system calls that an app needs in order to "do its thing"

i think Linux has made usable progress on this issue in Torvalds First Rule of kernel coding: don't break the system calls.

hopefully much of the obsoleted software can be ported to Linux.

Apple debuts two-step verification for Apple IDs

mike acker

Second Deadbolt on the Front Door

two factor authentication is like adding a second deadbolt to the Front Door while the Back Door is left flapping in the breeze. "Two Factor" -- is solving the wrong problem: hackers don't generally attack that way:

they are using infected apps, or application program faults -- to install malware into their victims. this has NOTHING to do with user IDs and passwords.

mike acker

no effect

so-called "two factor" identification will have no effect on hacking: hackers use the owner's keys to install malware into the owner's computer

for mobile devices this is often via an infected "app"

after the malware is into the owner's computer then the owner is "pwned" and his/her computer does whatever the attacker wants it to do

using the owner's credentials

Facebook devs HACKED in 'sophisticated' Java zero-day attack

mike acker

"sophisticated" ? lol

every hack report i see claims the attack was "sophisticated". and then I find out it was via some crappy old bug the hackers use all the time.

Worst broadband notspots in the UK named and shamed

mike acker

replace streaming with buffering

it's time to eliminate the streaming protocol and replace it with buffering. all this means if you want to look at a long running stream you wait while the first 20% or so buffers to your local device. with the speeds we have now this shouldn't matter much and there's no reason video fanbois should expect to pig the net.