
Comments


Intel Releases Ivy Bridge Programming Docs Under CC License

Mysteray Re:why is this news? (113 comments)

That's hilarious...as if RDTSC would be difficult to figure out what it did.

more than 2 years ago

SSL Pulse Project Finds Just 10% of SSL Sites Actually Secure

Mysteray Re:SSL just encrypts the channel. (62 comments)

But at least the attacker's data is secure in transit.

more than 2 years ago

Gaming Clichés That Need To Die

Mysteray How about the one... (416 comments)

...where you're a guy with a knife or a gun and you run around killing things and making blood splatter.

more than 2 years ago

Music Industry Sues Irish Government For Piracy

Mysteray Re:Get in line... (341 comments)

>> what is the MAFIAA going to get?
Why, the Irish people, of course.

Of course, this solution has been proposed before:

I have been assured by a very knowing American of my acquaintance in London, that a young healthy child well nursed, is, at a year old, a most delicious nourishing and wholesome food, whether stewed, roasted, baked, or boiled; and I make no doubt that it will equally serve in a fricasie, or a ragoust.

more than 2 years ago

New Attack Tool Exploits SSL Renegotiation Bug

Mysteray Re:Analysis of this from TLS WG Chair (47 comments)

It's a real attack and a real DoS vector. SSL/TLS is definitely weak in this regard.

But it's not new and it doesn't have much to do with renegotiation.

about 3 years ago

New Attack Tool Exploits SSL Renegotiation Bug

Mysteray I'm the guy who found CVE-2009-3555 renego bug (47 comments)

This is not a bug. We fixed renegotiation with the RFC 5746 RI extension! That said, SSL has long been known to impose more work on the server than on the client and renegotiations are no different than initial handshakes in this respect.

Servers that accept client-initiated renegotiation make things slightly more efficient for the DoS attacker, it saves him maybe three packets. More significantly, it may bypass mitigations that are only looking for TCP SYN packets. But the attacker's mileage will vary.

Eric Rescorla (SSL/TLS RFC author) has a good blog post about the issue. http://www.educatedguesswork.org/2011/10/ssltls_and_computational_dos.html

about 3 years ago

7 Hackers Who Got Legit Jobs From Their Misdeeds

Mysteray Re:Meh (123 comments)

Even if Geohot had lost the lawsuit it wouldn't make him a criminal. This article submission stinks and I'm ashamed of Slashdot for posting it.

more than 3 years ago

How Printed Circuit Boards Are Made

Mysteray Re:Been to a few smaller PCB fabs (88 comments)

He was impressed with the market principals, too:

Lots of guys now order from a couple big shops

more than 3 years ago

Flood Berm Collapses At Nebraska Nuclear Plant

Mysteray Re:Well that does it. (417 comments)

I remember the 70's as a little kid.

There was this popular movie "The China Syndrome" with Jane Fonda about a news crew that just happened to be in the right place at the right time to film a nuclear plant accident from the control room. The company tried to cover it up and the good guys got all activist and stuff. http://en.wikipedia.org/wiki/The_China_Syndrome

There was this really weird coincidence where there was an accident at a real nuclear plant (Three Mile Island) at the same time the film was running.

more than 3 years ago

SSL/TLS Vulnerability Widely Unpatched

Mysteray Re:Not as surprising as it should be (103 comments)

Yes, the overall security research community has greatly benefited from some of these large password database disclosures. We've learned a lot about password handling practices both on the back-end (unsalted MD5, or bcrypt?) and users (password crackability). In fact, there has been some overlap in the user base of the breached sites that we can start to look at things like how common password re-use is across multiple sites.

more than 3 years ago

SSL/TLS Vulnerability Widely Unpatched

Mysteray Re:Not as surprising as it should be (103 comments)

For the record, Microsoft pushed out (via Windows Update) a patch fully implementing the fix for this well before many other vendors (including some popular Linux distros) did, even though their server (IIS) wasn't nearly as vulnerable in its default configuration as Apache+OpenSSL.

more than 3 years ago

SSL/TLS Vulnerability Widely Unpatched

Mysteray Re:Unexploitable vuln? (103 comments)

Perhaps, but who's going to pay for the development of the first exploit? The attacker or the defender?

more than 3 years ago

SSL/TLS Vulnerability Widely Unpatched

Mysteray Re:Unexploitable vuln? (103 comments)

It may be that 2^100 computation will never be practical for any plausible attacker, but it's not the truly cosmic level of work you make it out to be.

more than 3 years ago

SSL/TLS Vulnerability Widely Unpatched

Mysteray Re:Is there a better explanation of the fix? (103 comments)

I mentioned Qualys' SSL Labs nice test utility in another comment.

The fix is to ask your vendor for a patch for CVE-2009-3555 which implements RFC 5746 Transport Layer Security (TLS) Renegotiation Indication Extension. Responsible vendors will have implemented support for RFC 5746 by now so you may already be patched.

more than 3 years ago

SSL/TLS Vulnerability Widely Unpatched

Mysteray Re:Unexploitable vuln? (103 comments)

I'd published packet captures of the exploit in action as part of the initial disclosure. Someone else had working exploit code posted to [Full-Disclosure] within hours.

more than 3 years ago

SSL/TLS Vulnerability Widely Unpatched

Mysteray Re:Unexploitable vuln? (103 comments)

The blind plaintext injection capability that an exploit gives to the attacker was uncommon at the time and the initial reaction among experts was that it looked a lot like a CSRF attack. Most important sites had built in some protections against that.

It wasn't until a few days later when it was demonstrated against a social networking site (Twitter) that the problem was declared "real" (by Slashdot).

So it's a complex exploit and it did take a few days for a consensus to emerge about the actual severity.

more than 3 years ago

SSL/TLS Vulnerability Widely Unpatched

Mysteray Re:Self test? (103 comments)

Email them and ask why they haven't applied the fix for CVE-2009-3555!

Note that "not supporting secure renegotiation" doesn't necessarily mean that the site itself is insecure, it means that the browser is unable to determine if it is or not. The degree to which this is a meaningful distinction is a really interesting discussion.

But it does suggest that they have a really clueless vendor or they haven't applied security patches in a long time.

more than 3 years ago
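
Added example, not part of the original comments: a Python sketch of the check a client makes on an initial handshake, parsing a ServerHello record for the RFC 5746 `renegotiation_info` extension (type 0xff01). The function names, status strings and sample records are constructed for illustration; "not-indicated" corresponds to the case described above where the client cannot tell whether the server is patched.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type assigned by RFC 5746

def secure_renegotiation_status(record: bytes) -> str:
    """Classify an initial-handshake ServerHello TLS record.

    "indicated":     extension present with empty renegotiated_connection
    "not-indicated": extension absent (client cannot tell if server is patched)
    "invalid":       extension present but non-empty on an initial handshake
    "malformed":     record does not parse as a ServerHello
    """
    try:
        ctype, _version, rlen = struct.unpack_from("!BHH", record, 0)
        body = record[5:5 + rlen]
        if ctype != 0x16 or len(body) != rlen or body[0] != 0x02:
            return "malformed"
        hlen = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hlen]
        if len(hello) != hlen:
            return "malformed"
        pos = 2 + 32               # server_version + random
        pos += 1 + hello[pos]      # session_id length byte + session_id
        pos += 2 + 1               # cipher_suite + compression_method
        if pos == len(hello):
            return "not-indicated"  # no extensions block at all
        (ext_total,) = struct.unpack_from("!H", hello, pos)
        pos += 2
        end = pos + ext_total
        if end != len(hello):
            return "malformed"
        while pos < end:
            etype, elen = struct.unpack_from("!HH", hello, pos)
            data = hello[pos + 4:pos + 4 + elen]
            if len(data) != elen:
                return "malformed"
            if etype == RENEGOTIATION_INFO:
                # Initial handshake: the payload must be the single byte 0x00.
                return "indicated" if data == b"\x00" else "invalid"
            pos += 4 + elen
        return "not-indicated"
    except (struct.error, IndexError):
        return "malformed"

def build_server_hello(extensions: bytes) -> bytes:
    """Constructed sample: TLS 1.2 ServerHello, zero random, empty session_id."""
    hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

RI_EMPTY = struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00"
PATCHED = build_server_hello(RI_EMPTY)   # constructed sample
UNPATCHED = build_server_hello(b"")      # constructed sample
```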

Ask Slashdot: Is SHA-512 the Way To Go?

Mysteray Re:Rainbow tables? (223 comments)

Yep. And most typical passwords fall to brute force attack within seconds.

Millions of guesses per second is pretty common for modern GPUs.

more than 3 years ago

Ask Slashdot: Is SHA-512 the Way To Go?

Mysteray Re:SHA-1 is fine, but go for SHA-512 (223 comments)

In 2008, Stevens, Sotirov et al. proved that you could, in fact, pwn PKI with just a collision. It doesn't take a full preimage. http://www.win.tue.nl/hashclash/rogue-ca/

Remember, usually all you have to do is confuse the SSL client. There's usually little that can be gained by agonizing over the crypto parameters of the legitimate server cert, because the attacker gets to choose the weakest thing that the client will accept.

more than 3 years ago

Submissions


Et tu, Twitter?!

Mysteray writes  |  more than 3 years ago

Mysteray (713473) writes "First there was Amazon and DynDNS, then that graphics site. But Twitter?

The hashtags #wikileaks and #imwikileaks and a few others have been surging hard with tweets, for hours. Much faster at times than even the trending topics. Yet there's a conspicuous absence of them on the list of trending topics. Instead we see the usual celebrity buzz and one or two random phrases. People are looking for an explanation."


Journals

Mysteray has no journal entries.
