viveksec's comments

viveksec | 12 years ago | on: A Hacker's Replacement for Gmail

> Hmmm, no Perfect Forward Secrecy on RC4-SHA...

Actually, I don't see how you can have PFS on DHE either if one of the endpoints doesn't cooperate. You can simply dump the master keys and provide those to the decrypting app.

viveksec | 13 years ago | on: Nokia: Yes, we decrypt your HTTPS data, but don’t worry about it

I work in deep packet analytics and have interacted with several telcos and vendors. If you are developing a packet analytics or metrics product, the temptation to tap into your production traffic, if only for validating your product, is too strong. In our segment, access to live traffic is the primary "raw material" to develop, test, and enhance the products. So they may not use your data to "spy", but there is no protection against your data making it into packet captures (tcpdumps or pcaps), which then acquire a life of their own. I am not saying Nokia does this, but that any telco/vendor, including this one, who makes packet analysis products has to fight the temptation not to do it.

I would never ever use a service that decrypts HTTPS traffic. How do we know that the other side is encrypted? For all you know, the other side of the proxy could not even use SSL for services that offer both modes (Google, Facebook, Twitter, etc.).

viveksec | 13 years ago | on: How should I deal with an employee who has slept with my wife?

I think the OP is balancing the economic costs of firing with the psychological advantages to be had by chucking him and clearing his mind. If the guy wasn't "close to indispensable", he'd likely be gone by now. One way out could be to bring some other employees up to speed and then fire the guy.

Overall I agree with the top comment. Having the guy around for long would inflict a negative air at the top that might permeate the entire organization. Gotta go for sure.

viveksec | 14 years ago | on: Sinclair's ZX Spectrum turns 30

I had one too in India when I was 13. The ZX Spectrum 48K. Loved it to death. Magazines were a bit hard to come by here, but I managed to get my hands on one book, I think it was called "Machine code with ZXSpectrum". I remember a program called HELPA, which you had to first enter by hand, then you could use that to enter machine code. I remember writing my first program using HELPA, a block which would change colors randomly. I still remember being stunned by how much faster machine code was compared to BASIC.

Also can't forget my favorite game at the time, Highway Encounter.

viveksec | 14 years ago | on: Why 37signals Doesn't Hire Programmers Based on Brainteasers

Puzzle solving ability is a reliable indicator only if the candidate hasn't specifically prepared for them. Many Indian IT companies in the mid-to-late '90s conducted exams with difficult programming puzzles in them. This was great for a while, but soon those who wrote these exams told everyone else and the puzzle pool dried up. Future groups scored really well due to being better prepared against a known pool of puzzles. These days most IT companies have moved on to SAT/GRE style analytical problems.

Imagine your luck if you are at a Google interview and already know the Pascal triangle. You can just put up an act pretending to analyze various aspects before unveiling your grand solution.

If companies are merely using analytical ability as a filter, a SAT/GRE style exam will do better because the problem pool is much larger, making it less vulnerable to preparation.

viveksec | 14 years ago | on: I am done with the freemium business model

Great point. I wonder how the Freemium model works for something like Splunk. Do free users constitute a completely different universe, or is there significant conversion of free to paying users?

viveksec | 14 years ago | on: Image Ad Blending Works Really, Really Well

How else can you pull this off unless you design the image to be as close to organic results as possible? But I wonder what happens if the site owner decides to change the styles; the image would then foolishly look fake.

The rating stars however are a different story and are definitely in the dark gray area (say at #333). The "rated by lots" will make users draw a comparison with the other unpaid listings without realizing it is fake, at least in the sense that the other stars aren't fake.

viveksec | 14 years ago | on: Twitter Bootstrap v1.4.0 Released

I highly recommend Twitter Bootstrap combined with the generator Stasis (stasis.me) for people rolling out new static websites.

The Bootstrap elements are particularly well suited for documentation pages; see http://trisul.org
