SSL certificates are signed using a one-way hash — usually SHA-1.
Which is too bad, because SHA-1 is becoming dangerously weak. It's time to upgrade to SHA-2.
https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1, posted Sep '14 by peter in online security testing toread
If you run a website that uses SSL, you can test your website using a small SHA-1 testing tool I built that will tell you what you need to do.
Even if you don't, I encourage you to read on. In the rest of this post, I'll cover how SSL and SHA-1 work together on the web, why it's as urgent as Google says it is, and what web browsers are doing.
blog.emsisoft.com/2014/08/29/what-happens-when-a-tech-support-scammer-cold-calls-a-security-expert/?ref=ticker140829&utm_source=newsletter&utm_medium=newsletter&utm_content=onlineversion&utm_campaign=ticker140829, posted Aug '14 by peter in humor scam security windows
It’s called the Microsoft Tech Support scam, and it’s been around for years. Last week, Emsisoft and Bleeping Computer intercepted one of these scammers, and in addition to messing with him for a good three hours, we took detailed notes on how the Microsoft Tech Support scam works.
Did you ever wish to have all relevant information about a visitor right when he hits your site? Think of (full) name, gender and maybe hobbies and interests? Thanks to social networks we could at least get some of that data. All you need is the URL to that visitor's (public) Facebook or Google+ profile – but if he doesn't actively give it to you, you're probably out of luck.
What if we could get that profile URL without the user even noticing it?
Avast, which makes security software for Windows, Mac, and Android, recently bought 20 used Android handsets on eBay. Then company employees used digital analysis software that's readily available and fairly easy to use to see if there was anything left on the 20 devices from the original owners. It turns out there was. Avast researchers found more than 40,000 photos, 750 emails or text messages, and 250 contacts. The group was also able to deduce the identities of the previous owners of four of the phones.
It's important to note that Avast makes its own reset software, which the company claims does a much better job of completely wiping Android devices. So part of the motivation for this study is presumably to promote Avast's alternative service. Still, the results are pretty startling. Whether they make you want to buy Avast's software or someone else's, this test at least raises awareness of how hard it is to scrub personal data before reselling or donating old devices.
Since the very first Snowden leak a year ago, one of the more common refrains from defenders of the program is "but it's just metadata, not actual content, so what's the big deal?" Beyond the fact that other programs do collect content, we've pointed out time and time again that the "just metadata, don't worry" argument only makes sense if you don't know what metadata reveals. Anyone with any knowledge of the subject knows that metadata reveals a ton of private info. Furthermore, we've even pointed out that the NSA regularly uses "just metadata" to pick targets for drone assassinations. As one person called it: "death by unreliable metadata."
The Bitcoin cryptocurrency records its transactions in a public log called the blockchain. Its security rests critically on the distributed protocol that maintains the blockchain, run by participants called miners. Conventional wisdom asserts that the protocol is incentive-compatible and secure against colluding minority groups, i.e., it incentivizes miners to follow the protocol as prescribed.
We show that the Bitcoin protocol is not incentive-compatible. We present an attack with which colluding miners obtain a revenue larger than their fair share. This attack can have significant consequences for Bitcoin: Rational miners will prefer to join the selfish miners, and the colluding group will increase in size until it becomes a majority. At this point, the Bitcoin system ceases to be a decentralized currency.
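The attack the abstract refers to, simulated as an added example. This code is not from the paper; it follows the selfish-mining state machine and the closed-form revenue expression that Eyal and Sirer publish in the paper this abstract comes from ("Majority is not Enough"). Block discovery is modelled as a weighted coin flip: alpha is the colluding pool's share of hashing power, gamma the fraction of honest miners that build on the pool's block when two tips of equal height compete. The function and variable names are mine.

```python
import random


def selfish_revenue(alpha, gamma):
    """Expected long-run share of main-chain blocks earned by the colluding pool.

    Closed-form result of Eyal and Sirer's analysis of the selfish-mining
    state machine (assumption: transcribed from the paper, not derived here).
    Honest mining would earn exactly alpha.
    """
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    den = 1 - alpha * (1 + (2 - alpha) * alpha)
    return num / den


def selfish_threshold(gamma):
    """Smallest alpha above which selfish mining out-earns honest mining."""
    return (1 - gamma) / (3 - 2 * gamma)


def simulate(alpha, gamma, rounds, seed=0):
    """Monte Carlo run of the selfish-mining state machine; returns the pool's share."""
    rng = random.Random(seed)
    pool = others = 0   # blocks that end up in the main chain, per side
    lead = 0            # pool's unpublished blocks beyond the public tip
    tie = False         # two public tips of equal height (the paper's state 0')
    for _ in range(rounds):
        pool_found = rng.random() < alpha
        if tie:
            # Fork race: the pool mines on its own tip; honest miners are split
            # between the two tips according to gamma.
            if pool_found:
                pool += 2
            elif rng.random() < gamma:
                pool += 1
                others += 1
            else:
                others += 2
            tie = False
        elif lead == 0:
            if pool_found:
                lead = 1            # keep the new block private
            else:
                others += 1
        elif lead == 1:
            if pool_found:
                lead = 2
            else:
                tie = True          # publish the private block to match
                lead = 0
        elif lead == 2:
            if pool_found:
                lead = 3
            else:
                pool += 2           # publish both blocks, orphaning the honest one
                lead = 0
        else:
            if pool_found:
                lead += 1
            else:
                pool += 1           # publish one block and stay ahead
                lead -= 1
    return pool / (pool + others)


if __name__ == "__main__":
    for gamma in (0.0, 0.5, 1.0):
        print(f"gamma={gamma:.1f} threshold alpha={selfish_threshold(gamma):.3f}")
        for alpha in (0.2, 0.3, 0.35, 0.4, 0.45):
            print(f"  alpha={alpha:.2f} honest={alpha:.3f} "
                  f"selfish={selfish_revenue(alpha, gamma):.3f} "
                  f"simulated={simulate(alpha, gamma, 100_000):.3f}")
```

With gamma = 0 the break-even point is alpha = 1/3: below it the pool loses revenue by withholding blocks, above it the simulated share exceeds alpha and the closed form agrees with the simulation. Raising gamma (honest miners that hear the pool's block first) pushes the threshold toward zero, which is why the abstract warns that rational miners are drawn to join the pool.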
Creating Your Own SSL Certificate Authority (and Dumping Self Signed Certs) | The Data Center Overlords
datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/, posted Dec '13 by peter in howto reference security toread
So you have the choice, buy an overpriced SSL certificate from a CA (certificate authority), or get those errors. Well, there’s a third option, one where you can create a private certificate authority, and setting it up is absolutely free.
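The private-CA setup this post describes, as an added example (not the post's own commands), which also gives a check for the signature digest the SHA-1 post further up is about. It assumes the openssl command line tool (1.1.1 or newer) is on PATH; the CA name and the host name example.internal are made-up placeholders. Everything is driven through small config files written by the functions, so it does not depend on the system openssl.cnf.

```sh
#!/bin/sh
# Added example: a throwaway private CA plus a server certificate signed by it.
# Assumes the openssl CLI (1.1.1+) on PATH; names are placeholders.
set -e

# Create the root: a key pair and a self-signed certificate marked as a CA and
# restricted to signing certificates and CRLs. Install ca.crt in your browsers
# and clients; never hand out ca.key.
make_ca() {
  dir="$1"
  mkdir -p "$dir"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Private Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -sha256 -days 3650 \
    -key "$dir/ca.key" -config "$dir/ca.cnf" -out "$dir/ca.crt"
}

# Issue a server certificate: new key, CSR, then sign the CSR with the CA using
# leaf-only extensions (CA:FALSE, serverAuth, a SAN). Browsers require the SAN;
# a matching CN alone is not enough any more. Third argument is the digest.
issue_server_cert() {
  dir="$1"; host="$2"; digest="${3:-sha256}"
  openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
  cat > "$dir/$host.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
EOF
  openssl req -new -key "$dir/$host.key" -config "$dir/$host.cnf" \
    -out "$dir/$host.csr"
  cat > "$dir/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl x509 -req -"$digest" -days 825 \
    -in "$dir/$host.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$host.ext" \
    -out "$dir/$host.crt"
}

# Exit 0 when the certificate chains to the private root.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null
}

# Print the signature algorithm of a certificate, e.g. sha256WithRSAEncryption.
# This is the field the SHA-1 discussion is about.
sig_alg() {
  openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ { print $3; exit }'
}

# Exit 0 (true) when the certificate is signed with SHA-1 and needs reissuing.
uses_sha1() {
  case "$(sig_alg "$1")" in
    *[sS][hH][aA]1*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage:
#   make_ca ./pki
#   issue_server_cert ./pki example.internal
#   verify_chain ./pki ./pki/example.internal.crt && echo chain ok
#   uses_sha1 ./pki/example.internal.crt && echo "reissue with sha256"
```

The same sig_alg check works on any PEM certificate, so running it against the certificate your web server actually serves (for example one saved from openssl s_client) tells you whether the SHA-1 deprecation applies to you.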
At the time, a gag order prevented him from discussing the details of his situation. But court documents unsealed on Wednesday reveal that the FBI wanted Levinson to hand over encryption keys that would have given federal agents "real time" access to not just Snowden's account, but the accounts of all 40,000 of Lavabit's customers. § [...] § He certainly deserves credit for his pluck. Levinson complied with the letter of the order, but he delivered the encryption keys as strings of numbers printed out on paper, rather than as electronic files. What's more, he intentionally printed them in a font designed to be hard to scan, one prosecutors described as "largely illegible."
LEAP's multi-year plan to secure everyday communication breaks down into discrete services, to be rolled out one at a time. When we introduce a new service, integrated support will be added to both the user-facing LEAP Client and the server-side LEAP Platform for Service Providers. All communication content will be client-side encrypted, and as much of the metadata as possible. Most importantly, all LEAP services will be based on our plan for federated secure identity and unmappable routing.