throwaway125 | 12 years ago | on: OpenSSL site defacement involving hypervisor hack rattles nerves
throwaway125's comments
throwaway125 | 12 years ago | on: Cryptocat Considered Harmful: The Root Cause
Trying to evaluate and attack systems is a vital part of building secure systems. Many of these researchers do work on their own systems (think tor, redphone, ...) while also engaging with the crypto community at large to find flaws and improve methodology.
throwaway125 | 12 years ago | on: Hey programmers, we need to talk
It's important to keep in mind that humans are social beings, and communicating with others by writing witty one liners can be very rewarding in and of itself regardless of the karma points you get. That doesn't mean you never do anything useful though, it just means that you decided to do something you enjoy and find personally rewarding at this moment, maybe to take a break from writing that patch you are working on.
throwaway125 | 12 years ago | on: Ask HN: Those making $1,000+/month on side projects - what did you make?
In other words: yes, it's vulnerable to SSL stripping.
throwaway125 | 12 years ago | on: Ask HN: Those making $1,000+/month on side projects - what did you make?
How did you obtain the right to distribute jab comix for free?
throwaway125 | 12 years ago | on: New effort to fully audit TrueCrypt raises $16,000+ in a few short weeks
That's not true. Given a dictionary of 2048 words that the attacker has complete knowledge about, picking any 4 random words will always give you 44 bits of entropy.
2048^4 = 17592186044416
2^44 = 17592186044416throwaway125 | 12 years ago | on: An nginx configuration for security
The following two headers are also useful:
add_header Strict-Transport-Security max-age=31536000;
add_header X-Frame-Options DENY;
The second prevents browsers from including this site in an iframe or frame, which helps prevent clickjacking attacks. If your site depends on those you can also set the option to SAMEORIGIN.
https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Option... https://developer.mozilla.org/en-US/docs/Security/HTTP_Stric... https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
throwaway125 | 12 years ago | on: Saltstack: Changing RSA public exponent from 1 to 65537
Do you have any links to the crypto.cat bug?
throwaway125 | 12 years ago | on: Ubisoft hacked, account data compromised
now enter the first 72 characters of that password in the bcrypt verification function and it'll still say it's correct. bcrypt is a valid technical reason to limit passwords to 72 characters.
throwaway125 | 12 years ago | on: A Great Response to a Cease and Desist Letter
This reply to monster seems a lot more productive than the one from the OP. It got me to look up blue jeans cables and I found a youtube video[1] where Kurt Denke (the person who wrote the C&D reply) talks about the difference between a $17 and a $150 HDMI cable. It's quite long but it's refreshing to see information about cables being spread without the usual marketing lies.
throwaway125 | 12 years ago | on: Jonathan Mayer Threatens To End “Do Not Track” Talks
Giving another company the ability to serve content (javascript) on a subdomain would make ad companies prime targets for all kinds of hacking campaigns. Their ability to serve javascript and probably access session cookies on a large number of domains would turn them in some kind of skeleton key. This is bad for both the advertisers, the websites serving their ads and the visitors of those websites.
I certainly hope people would think twice about actually implementing something like that.
throwaway125 | 13 years ago | on: Evolution of Hacker News
What bothers me personally the most is the way in which downvotes seem to happen. Don't get me wrong, a lot of users downvote in a good way, so it's not all bad.
Still, I often find grey comments that are brought in a completely respectable way. I feel like these comments are getting downvoted because someone disagrees with them, rather than because they are bad or toxic comments.
The opposite is also true, I often find comments with a positive amount of votes that are in the "internet jokester" style and don't really contribute anything meaningful to the topic at hand.
throwaway125 | 13 years ago | on: Mac malware signed with Apple ID infects activist’s laptop
You can hardly call that good. It's like saying that Diginotar being compromised was good because then we could untrust their CA.
It's true that we could do that, but their original purpose was to protect us in the first place. The same is true for code signing certificates, to a certain extent.
throwaway125 | 13 years ago | on: Well, that's one SEO hack... (view-source)
I assume the giant comment is what we're supposed to see, but I'm not sure how that's supposed to have any impact on SEO at all. Seems more like a tribute than a SEO hack.
throwaway125 | 13 years ago | on: IBM open sources new approach to crypto
There are still some restrictions on exporting cryptography. For example, under US law you can't export strong crypto to Iran, North Korea, and a few other countries.
http://en.wikipedia.org/wiki/Export_of_cryptography_in_the_U...
throwaway125 | 13 years ago | on: "How I Explained REST to My Wife" taken down because of gender-oriented nature
Thanks to the internet archive we can still enjoy this article:
http://web.archive.org/web/20110225075111/http://tomayko.com...
throwaway125 | 13 years ago | on: What technical reasons are there to have low maximum password lengths?
To clarify I never meant that the limit is a security issue, just that it's a valid technical limitation to limit the length of a password.
throwaway125 | 13 years ago | on: What technical reasons are there to have low maximum password lengths?
For how much people like to repeat the "Use bcrypt!" mantra I'm amazed no one has mentioned the password length limit of bcrypt.
The hash output of bcrypt stops changing after 72 characters but almost all bcrypt documentation mentions a 55 character limit. I'm not quite sure what that is about, can anyone clarify?
throwaway125 | 13 years ago | on: tmux 1.8 Released
The following line in your vimrc will make vim not expand tabs for every file named "Makefile".
au BufRead,BufNewFile Makefile set noexpandtabthrowaway125 | 13 years ago | on: PeerCDN: WebRTC-based peer-to-peer CDN [video]
the bottom of their site says © 2013 PeerCDN, Inc. Site design inspired by Meteor.
Breaking out of virtual machines is a really interesting process but it's important to remember that a hypervisor can be attacked with pretty much the same techniques you can attack any other program. Virtual machines aren't a magic contain-all-the-hackers solution. There was an interesting talk on DEFCON 19 about breaking out of KVM: http://www.youtube.com/watch?v=tVSVdudfF8Q