Gentlemen, a woman came by our basement who is having some difficulties
with our mailing lists, and her messages on our Facebook page got saged.
tl;dr 10 days of travelling around Poland and building projects over the last 3 days
http://etnoprojekt.pl/2.0/etno-projekt-2-0-w-skrocie/
everything free of charge, from 1 to 10 September, registration until the 28th
On Tuesday, 22 July 2014 11:41:28 Zbigniew Łukasiak wrote:
> Law firms are reportedly sending demands for payment of some
> 'settlement' fees to hundreds of thousands of people downloading films
> via BitTorrent. The matter is very well described in Dziennik Internautów:
> http://di.com.pl/news/50282,0,Kancelaria_zada_juz_750_zl_za_rzekome_piractwo_Ludzie_nie_boja_sie_kar_ale_przeszukan-Marcin_Maj.html
> (and many other articles linked there). The Pirate Party has of course also
> issued a statement on the matter:
> http://polskapartiapiratow.pl/2014/07/oswiadczenie-w-sprawie-copyright-trolling/
>
> Does anyone know what evidence the law firms present to the prosecutors? Do
> they simply pull lists of sharers from the trackers? Or do they perhaps
> sniff the packets people send to each other?
If I had to guess: they fire up torrent clients and start downloading the
material they are "targeting", and write down the seeders' IP addresses.
--
Regards
rysiek
P.S.
I'm replying on general@ because this concerns the whole country, not just
Warsaw, and it is not off-topic.
Hi,
I came across an interesting paper:
"The Web never forgets: Persistent tracking mechanisms in the wild is the
first large-scale study of three advanced web tracking mechanisms - canvas
fingerprinting, evercookies and use of "cookie syncing" in conjunction with
evercookies."
-- https://securehomes.esat.kuleuven.be/~gacar/persistent/index.html
--
Regards
rysiek
---------- Forwarded message ----------
Subject: Identifying back doors, attack points, and surveillance mechanisms in
iOS devices
Date: Saturday, 19 July 2014, 18:20:18
From: coderman
doubt this will surprise anyone; iOS intentionally designed to support
surveillance.
---
http://www.sciencedirect.com/science/article/pii/S1742287614000036
"Identifying back doors, attack points, and surveillance mechanisms in
iOS devices"
by Jonathan Zdziarski
Abstract
The iOS operating system has long been a subject of interest among the
forensics and law enforcement communities. With a large base of
interest among consumers, it has become the target of many hackers and
criminals alike, with many celebrity thefts (For example, the recent
article “How did Scarlett Johansson's phone get hacked?”) of data
raising awareness to personal privacy. Recent revelations (Privacy
scandal: NSA can spy on smart phone data, 2013 and How the NSA spies
on smartphones including the BlackBerry) exposed the use (or abuse) of
operating system features in the surveillance of targeted individuals
by the National Security Agency (NSA), of whom some subjects appear to
be American citizens. This paper identifies the most probable
techniques that were used, based on the descriptions provided by the
media, and today's possible techniques that could be exploited in the
future, based on what may be back doors, bypass switches, general
weaknesses, or surveillance mechanisms intended for enterprise use in
current release versions of iOS. More importantly, I will identify
several services and mechanisms that can be abused by a government
agency or malicious party to extract intelligence on a subject,
including services that may in fact be back doors introduced by the
manufacturer...
'''
-----------------------------------------
--
Regards
rysiek
Hello,
ryś suggested posting information about the posapo convention here. It's
rather late, the convention starts on Monday, but maybe someone will want
to make it. And if not now, then next year.
https://www.youtube.com/watch?v=KgBCE4Tq0_E
At the previous one there was a presentation of the BarBot beta, and quite a
few hackerspace-adjacent crowds show up there as well :-)
nF
---------- Forwarded message ----------
Subject: Strong Security Processes Require Strong Privacy Protections
Date: Friday, 18 July 2014, 06:16:09
From: coderman
To: Full Disclosure <fulldisclosure(a)seclists.org>, liberationtech
<liberationtech(a)mailman.stanford.edu>, cpunks <cypherpunks(a)cpunks.org>,
oss-security(a)lists.openwall.com
"Strong Security Processes Require Strong Privacy Protections"
A request for all security conscious organizations handling
vulnerability reports to deploy privacy enhancing technologies.
---
With the Snowden disclosures and Google's Project Zero on the minds of
security professionals everywhere, it is time to evaluate one more
aspect of this renewed focus on 0day and targeted attacks:
vulnerability submission to vendors. [0][1]
Software vulnerabilities of use to nation states and espionage
organizations are recognized as a threat to privacy and basic human
rights. Their impact is no longer dismissible or discounted given
evidence of misuse. I will not discuss hardware vulnerabilities in
this treatment as they entail different considerations and
constraints. [2]
Reporting vulnerabilities of this nature in turn requires strong
privacy protections commensurate with the five and six digit monetary
values they command, and the adversaries intent on discouraging their
discovery or mitigation. [3][4]
---
Therefore, any organization handling vulnerability reports must
support strong privacy for vulnerability submission. This is mandatory
even if most or all issues received via this channel are not 0day, not
high value, and entail very little risk to users.
The characteristics of a strong private reporting method are:
- Email must not be used. In the best circumstances email leaks too
much information. In common situations it is passed around clear text,
trivially interfered with, and winds through software with huge
usability and vulnerability problems. Email for initial security
vulnerability reporting must cease immediately. [5][6]
- Public web systems for vulnerability reporting must not be used.
Like email, this leaks too much information and is vulnerable to a
wide array of attacks destroying any privacy intended. [7][8]
- Submission of reports via hidden site required. This has become
fashionable in media organizations as the "secure drop" for
whistleblowers, and it is equally appropriate for vulnerability
reporting. This significantly raises the cost of surveilling a
vulnerability reporting service, and ensures that passive interception
of reported vulnerabilities is impossible. [9]
- Encryption of submitted reports required. PGP and GPG are wonderful
tools, despite encrypted email being a dismal failure. While the
hidden drop may protect the privacy of the reporter, encryption of the
report content to specific vulnerability researchers' keys ensures
privacy to the receiver. A compromise of the hidden site must not lead
to access of reported vulnerabilities. [10]
- Submitter anonymity the default. Submissions and communication must
accommodate an anonymous identity. If a researcher wishes to claim
credit they must opt-in and provide additional information. No
pseudonymous account requirements, no key linking across submissions.
- Obfuscated disclosure should be available if desired. Capturing 0day
in the wild used for espionage or cyber effects is a rare event.
Publicly disclosing when, where, and how you obtained such captures
ensures you're likely never to see any others. Researchers in position
to observe and inspect such events should be able to report the
vulnerabilities without credit and without indicating the origin. A
vendor could provide a "cover story" for how the vulnerability was
discovered internally, to best protect sources' ability to continue to
discover these types of weaponized exploits in the wild.
Finally, it goes without saying that this privacy applies during
reporting and mitigation phases of defect resolution. Once a patch is
prepared and public the details of the vulnerability should be public
as well, via email list, public blog, or any other useful medium.
---
As participants in the security industry it behooves us all to set an
example for others and to demonstrate a commitment to security and
privacy via action.
Security conscious organizations handling vulnerability reports can
support strong privacy and send a clear message deploying private
reporting methods described above.
Security researchers must demand strong privacy from organizations
they collaborate with, even in the most trivial or minor of
circumstances, so that infrequent severe vulnerabilities may also be
reported in confidence.
Privacy is a basic human right we must all support. Let's demonstrate
our support by using privacy enhancing technologies to resolve risks
to privacy!
best regards,
0. "The NSA Revelations All in One Chart"
https://projects.propublica.org/nsa-grid/
1. "Announcing Project Zero"
No link as the announcement is only supported over HTTP; attempt
HTTPS and you're redirected to plain-text. This is an embarrassment
that should be fixed, Google Project Zero! (the other plain-text
sites below have not unreasonable excuses ;)
2. "New technologies are radically advancing our freedoms but they are
also enabling unparalleled invasions of privacy"
https://www.eff.org/issues/privacy
3. "A Declaration of Cyber-War"
http://www.vanityfair.com/culture/features/2011/04/stuxnet-201104
'''On July 15, the day Stuxnet’s existence became widely known, the
Web sites of two of the world’s top mailing lists for newsletters on
industrial-control-systems security fell victim to
distributed-denial-of-service attacks...'''
4. "The Real Story of Stuxnet"
http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
'''Just as Kaspersky’s engineers were tricking Gauss into
communicating with their own servers, those very servers suddenly went
down,...'''
5. "Universal Email Encryption Specification"
http://ritter.vg/blog-uee_email_encryption.html
6. "Pond" (not like email)
https://pond.imperialviolet.org/tech.html
7. "Bullrun (decryption program)"
https://en.wikipedia.org/wiki/Bullrun_%28decryption_program%29
8. "How secure is HTTPS today? How often is it attacked?"
https://www.eff.org/deeplinks/2011/10/how-secure-https-today
9. "How the NSA Attacks Tor/Firefox Users With QUANTUM and FOXACID"
https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html
(this is what a hard to attack system looks like, and keeping
disclosure entirely within the network from clients to hidden sites
amplifies the difficulty significantly.)
10. "The Rise of the Middle and the Future of End-to-End: Reflections
on the Evolution of the Internet Architecture"
https://www.ietf.org/rfc/rfc3724.txt
-----------------------------------------
--
Regards
rysiek
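The requirement in coderman's list above that reports be encrypted to specific researchers' keys, so that a compromise of the hidden site must not lead to access of reported vulnerabilities, in working code. This is an added example, not code from the original post or from any project the post mentions. It assumes X25519 plus AES-256-GCM as the sealing construction, a simplified SHA-256 key derivation standing in for HKDF, and an in-memory DropServer type standing in for the hidden site's storage; all three are this example's own choices, as are the function names and the constructed sample report.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

const pubLen, nonceLen = 32, 12 // X25519 public key length, AES-GCM nonce length

// GenerateResearcherKey is run once by the researcher; only the public half is
// published on the drop site, the private half never touches the server.
func GenerateResearcherKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// aeadFor derives an AES-256-GCM instance from the ECDH shared secret. Assumption:
// one SHA-256 over a label, the secret and both public keys stands in for HKDF.
func aeadFor(shared, ephPub, recipPub []byte) (cipher.AEAD, error) {
	h := sha256.New()
	for _, p := range [][]byte{[]byte("vuln-drop-v1"), shared, ephPub, recipPub} {
		h.Write(p)
	}
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealReport runs on the submitter's side before anything is sent to the site.
// Blob layout: ephemeral public key || nonce || AES-GCM ciphertext and tag.
func SealReport(recipient *ecdh.PublicKey, report []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipient)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := aeadFor(shared, ephPub, recipient.Bytes())
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	blob := append(append([]byte{}, ephPub...), nonce...)
	// The ephemeral key is bound as associated data so it cannot be swapped out.
	return gcm.Seal(blob, nonce, report, ephPub), nil
}

// OpenReport runs on the researcher's own machine, the only place the key lives.
func OpenReport(recipient *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < pubLen+nonceLen+16 {
		return nil, fmt.Errorf("sealed report too short: %d bytes", len(blob))
	}
	ephPub, nonce, ct := blob[:pubLen], blob[pubLen:pubLen+nonceLen], blob[pubLen+nonceLen:]
	pk, err := ecdh.X25519().NewPublicKey(ephPub)
	if err != nil {
		return nil, err
	}
	shared, err := recipient.ECDH(pk)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(shared, ephPub, recipient.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, ephPub) // fails on any tampering with the blob
}

// DropServer models the hidden site's storage: it only ever holds sealed blobs,
// so Sealed is exactly what an attacker who takes over the host would obtain.
// Receive stores a submission and hands back an anonymous ticket number.
type DropServer struct{ Sealed [][]byte }

func (s *DropServer) Receive(blob []byte) int {
	s.Sealed = append(s.Sealed, append([]byte(nil), blob...))
	return len(s.Sealed) - 1
}

// LeaksPlaintext is the reviewer's check: can the report be read from server data?
func LeaksPlaintext(stored, report []byte) bool { return bytes.Contains(stored, report) }

func main() {
	key, _ := GenerateResearcherKey()
	report := []byte("constructed sample report: heap overflow in parse_hdr()")
	blob, _ := SealReport(key.PublicKey(), report)
	srv := &DropServer{}
	id := srv.Receive(blob)
	pt, err := OpenReport(key, srv.Sealed[id])
	fmt.Printf("server leaks plaintext: %v; researcher reads %q (err=%v)\n",
		LeaksPlaintext(srv.Sealed[id], report), pt, err)
}
```

The property to check is the one the post names: everything the server stores (`Sealed`) is ciphertext, so dumping the host yields nothing readable, and only the holder of the researcher's private key recovers the report. The ticket number is the only identifier the server hands back, matching the anonymity-by-default point; the transport anonymity of the hidden site itself is outside this example.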