Viewing posts by Subreption LLC
The Blue Hat Prize: A late April Fools joke
Posted by: Subreption LLC in Security Money Critiques 9 months, 2 weeks ago

It's August 2011. The weather has been getting warmer and warmer over the course of the last few weeks. The sun is roasting all Vegas sentient life against the pavement, while swarms of security professionals stroll down the sidewalks. It's been a very strange year so far. Keeping up with the hype-n'-bake modus operandi of the industry in the past decade, Microsoft has announced the Blue Hat Prize Contest with a "whopping" prize (but not a cash prize while at it) for building new "security mitigation technologies". Circa 260,000 USD are at stake, including paid travel and expenses to Black Hat 2012, that is, if the world doesn't implode with the help of the naive and the people at Microsoft Outreach.

Disregarding the fact that the very same people offering this prize have been consistently developing business intelligence on the industry, gathering gossip and influence from unsuspecting and not-so-unsuspecting professionals and "sceners", we have decided, as the independent, enfant terrible ensemble company we are, to completely vivisect this contest and explain, summing up the lengthier article in as few words as possible, why you should really not sell yourselves so cheap.

Tags: stunts microsoft bluehat mitigations
Privacy violations in Blind-Carbon-Copy mail
Posted by: Subreption LLC in Security Privacy Cryptography 10 months, 1 week ago

Barth and Boneh published in 2005 a great academic paper on the privacy concerns found in BCC mail distribution when deploying cryptography solutions such as PGP/GPG. The issue boils down to the fact that public key material is usually publicly available (on websites and key servers, for example), which defeats the entire purpose of BCC, especially when the contacts being mailed already hold other BCC recipients' public keys in their key rings.

For organizations distributing sensitive information across multiple recipients with complex confidentiality and privacy inter-relationships, the usual (and extremely cumbersome) solution is to create recipient-specific keys or certificates and to carefully select these, either manually or through mail aliases. Ultimately this approach has several weaknesses and is prone to human error.

From their excerpt:

Tags: gpg pgp
Mac OS X Lion: Did security mitigations manage to squeeze in?
Posted by: Subreption LLC in Security Apple 10 months, 2 weeks ago

A picture is worth a thousand words, or so the saying goes. Therefore, the output from the now classic paxtest tool (which exposed the practical differences between ExecShield and PaX, among an array of other interesting tidbits) follows:

Tags: mitigations macosx pax nx
Virtual machine series: Lightweight embeddable languages
Posted by: Subreption LLC in Security Research & Development Software Development 1 year, 2 months ago

Soon we will be publishing several articles about the open source embeddable virtual machines available today. Among them we will be talking about Lua, Forth, Pawn (originally Small), Squirrel, specialty implementations of Python such as PyMite, Io, NekoVM, Falcon and Parrot. Depending on time availability it might take some time until all of these languages are covered. Mileage will also vary regarding detail and depth of evaluation.

The rationale behind these articles is the lack of summarized, objective information about the implementations of embedded languages, the differences between them at the implementation level, limitations and features, et cetera. If you are looking for such information to decide which VM or language suits you best, these articles might help you build a reasonably solid base for your evaluation process.

Tags: vm embedded
Why Linux security has failed (for the past 10 years)
Posted by: Subreption LLC in Linux 2 years, 6 months ago

Apparently there has been increased interest in bringing Linux kernel security issues to attention over the past few months. It is a natural reaction to a policy that has long been tacitly agreed upon by almost all people involved in Linux kernel development (and more so, those with security-relevant roles, particularly at a specific vendor): a policy of silence. It is no surprise that Linux security currently looks much better on paper and in marketing propaganda than it does in reality.

It takes decent amounts of will and dedication to summarize, categorize and review every potential security vulnerability in such a huge project, requiring collaboration between different vendors, who might or might not have agendas of their own that conflict with the interests of the users, or of the other vendors themselves. It takes approximately ten minutes for an average computer user to write a summary of why SELinux can help your organization cut down security risks.

What you don't know is that you will have to go through the learning curve of writing policies, reviewing all software being used (including commercial applications, which might not conflict with any 'learning' mode at kernel level, but consistently prevent targeted reverse engineering or make it even more tiresome), testing the setup and adapting its architecture to the real needs of your organization. MLS is rarely used outside certain circles.

Tags: linux mls selinux grsecurity