Archive for the 'News' Category

Some Good Stuffs to Read

Well, these articles really enlighten you on the matters at hand, even if you already know about them. I recommend that my fellow knowledge-thirsty visitors take a look at them. – Chris Weber, who specializes in internationalized software security

Unicode attacks and test cases – Visual Spoofing, IDN homograph attacks, and the Confusables

Unicode attacks and test cases – Visual Spoofing, IDN homograph attacks, and the Single Script Confusables

Alex’s Corner – Kuza55, who specializes in web application security.

Racing to downgrade users to cookie-less authentication

Understanding Cookie Security

Hacker Safe

McAfee offers a service called “Hacker Safe” that audits clients’ websites daily for security issues. They claim it will “not only increase sales by increasing shopper confidence, you build your brand with the security seal seen on more top sites than any other.” Yet, with such a high-profile declaration followed by getting hacked many times, they got slapped hard in the face.

“Hacker Safe”: I presume it means “safe from all means of hackers” rather than “safe from most means of hackers” (then I’m not safe!). Claiming that a piece of software has no vulnerabilities is no different from claiming there are no bugs in non-trivial software — after all, vulnerabilities are just security bugs. What a misconception, and what a misleading marketing strategy to fool users.

The problem is: how many people believe it really is completely secure? The sad part could be that it gives the same very wrong impression that people already have of the SSL certificate: “Having the green lock is the sign of safety! 128-bit encryption!” I’m not kidding; I’ve actually met users who told me so.

Jeez. We had all better be careful; the web is very dangerous.

Microsoft to acquire Yahoo!

Well, I guess this is a pretty big piece of news. Microsoft announced that they will offer $44.6B to acquire Yahoo!. Ahhh, Microsoft is so determined to get a piece of the online ad business, and I still remember the slide in which they described how Google would monopolize future ad services.

Microsoft’s worries are not without reason. Since Google has already placed ads wherever its predecessors thought of, it has a gigantic database of user behaviour to play with. And Google, knowing very well where its only source of revenue comes from, has been working very hard to expand beyond PCs and notebooks, now into the cellular industry. If that goes well, Google will surely span even more ground, collecting more user data and displaying more ads. Microsoft does not have a large enough user base to do the same, not to mention that it is doing badly in search. From many perspectives on online business, Google has the upper hand.

When you search with a search engine, it is bad if it doesn’t get you what you want. Most people don’t want to waste time; if Google is going to get you what you want *accurately* most of the time, why? That’s many minutes wasted when all added up.

What I am curious about is this: since Yahoo!’s search algorithms are apparently not as good as Google’s, what will be the effect of the acquisition on the search engine wars? Can the Microsoft Research center do anything with Yahoo!’s search technology?

By the way, given that Microsoft has made such noisy public announcements, I bet they aren’t going to take no for an answer. Since they presumably have already talked under the table, by deduction the acquisition is very likely to happen.

The search market will become 1:1.

The Ridicule of North Dakota and Hong Kong

There is a case in North Dakota where the judge ultimately declared a spammer not guilty and an anti-spammer guilty. Some of the facts the judge relied on for that conclusion include simply knowing more:

3. At various other times, Ritz issued a variety of commands, including host -l, helo, and vrfy. The afore-mentioned commands are not commonly known to the average computer user. 

There is also the claim that “To find all access ‘authorized’ which is successful would essentially turn the computer crime laws of this country upside down”. Then I’m afraid that if anyone can declare access to their property “unauthorized”, that could equally be abused as just another reason to condemn people. Hey, “host -l” (a DNS zone transfer) was made available for public use and documented in RFC 1034. So does that mean that if I “dig” (manual for dig) someone, and that lets me know more than “the average computer user” should know, it makes up a point on which I am liable to be sued?

There is a part that states the anti-spammer violated the injunction, though, and that seems to be the point that actually got him nailed (lest I be accused of telling a one-sided saga); I agree that it is a bad thing for the anti-spammer. As the materials are not publicly available, I guesstimate that, as a hacker, an injunction won’t stop you from looking for evidence against the spammer. In fact, based on the evidence from the past, it is highly probable that the spammer really is involved in such activities.

It seems it is better to be on the safe side, let spammers spam, and take the trouble of scouring your spam mail for your real mail, than to be put behind bars. At least that is true in North Dakota.

Now, that reminds me of another ridiculous case in Hong Kong regarding posting pornographic hyperlinks. A man posted 8 links to pornographic websites on the notable forum Uwants and was fined HKD $5,000. Posting hyperlinks and getting sued? I hope the links I cite here won’t suddenly turn pornographic, lest I end up behind bars, or that the Google AdSense everybody uses won’t cleverly point to pornographic websites because the smart Google determines from your text that you want such content. Basically, it is the Control of Obscene and Indecent Articles Ordinance in Hong Kong under which the man was prosecuted. In fact, according to the Control of Obscene and Indecent Articles Ordinance, such “controversial” links, articles, images, etc. should be reviewed and approved prior to publication.

Do you see the ridicule and irony here? The Internet has been built and bred as a place for instantaneous information disclosure and free sharing across boundaries. Yet the bureaucrats in Hong Kong are driving the city’s advances backwards with pre-censorship. If you have lived in Hong Kong, you’ll know how picky these people are about suing others over nude pictures, whether artistic in nature or not. I have no idea whether the precedent set here will be abused again, or what portion of Hong Kong’s computer law will progressively be filled with junk.