Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

May 31, 2017

Malware Subscriptions and the Long Tail of Patching (What you get for $100)

Filed under: Cybersecurity,Security — Patrick Durusau @ 8:20 pm

Hacker Fantastic and x0rz have been deriding the crowd-funding effort described in Shadow Brokers Response Team is creating open & transparent crowd-funded analysis of leaked NSA tools.

In part because whitehats will get the data at the same time.

Even if whitehats could instantly generate patches for every vulnerability in each monthly release, the vulnerabilities, if they have value at all (always an open question), will retain that value for years, even more than a decade.

Why?

Roger Grimes recites the folk wisdom:


Folk wisdom says that patching habits can be divided into quarters: 25 percent of people patch within the first week; 25 percent patch within the first month; 25 percent patch after the first month, and 25 percent never apply the patch. The longer the wait, the greater the increased risk.

Or to put that another way:


50% of all vulnerable systems remain so 30+ days after the release.

25% of all vulnerable systems remain so forever.
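The quartile figures above are folk wisdom; the number that matters is your own fleet's tail. The following Python is an added example, not from this post or from Grimes, that turns a patch-applied inventory into the same week/month/later/never buckets, a survival-curve point ("what fraction is still exploitable N days after release?"), and per-host exposure days. The release date, hosts and dates are constructed; never-patched hosts accrue exposure up to an assumed "as of" date.

```python
from datetime import date, timedelta

# Constructed sample inventory (not real hosts): host -> date the fix was
# applied, or None if it never was. The release and "as of" dates are assumed.
RELEASE = date(2017, 5, 1)
AS_OF = date(2017, 8, 1)
INVENTORY = {
    "web-01": date(2017, 5, 2),
    "web-02": date(2017, 5, 6),
    "db-01": date(2017, 5, 20),
    "db-02": date(2017, 5, 29),
    "hr-01": date(2017, 6, 15),
    "hr-02": date(2017, 7, 10),
    "scada-01": None,   # vendor-locked box, never patched
    "kiosk-01": None,   # forgotten asset, never patched
}


def patch_bucket(release, applied):
    """Classify one host the way the folk wisdom does: week / month / later / never."""
    if applied is None:
        return "never"
    days = (applied - release).days
    if days <= 7:
        return "week"
    if days <= 30:
        return "month"
    return "later"


def tail_report(inventory, release):
    """Share of hosts in each bucket, e.g. {'week': 0.25, 'month': 0.25, ...}."""
    counts = {"week": 0, "month": 0, "later": 0, "never": 0}
    for applied in inventory.values():
        counts[patch_bucket(release, applied)] += 1
    n = len(inventory)
    return {k: v / n for k, v in counts.items()}


def vulnerable_fraction_after(inventory, release, days):
    """Fraction of hosts still unpatched at the end of release + `days`
    (one point on the fleet's patch survival curve)."""
    cutoff = release + timedelta(days=days)
    still = sum(1 for a in inventory.values() if a is None or a > cutoff)
    return still / len(inventory)


def exposure_days(inventory, release, as_of):
    """Days each host stayed exploitable; never-patched hosts accrue up to `as_of`."""
    return {host: ((applied if applied is not None else as_of) - release).days
            for host, applied in inventory.items()}


if __name__ == "__main__":
    print(tail_report(INVENTORY, RELEASE))
    for d in (7, 30, 90):
        print(f"still vulnerable {d} days after release:",
              vulnerable_fraction_after(INVENTORY, RELEASE, d))
    print(exposure_days(INVENTORY, RELEASE, AS_OF))
```

Run against a real export (CMDB, WSUS, or SCCM compliance data) the survival curve is what tells you how long a leaked exploit stays useful against you, and the exposure-days column is the list of hosts to chase first.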

Here’s a “whitehat” graphic that makes a similar point:

(From: Website Security Statistics Report 2015)

For $100 each from 250 people, and assuming there are vulnerabilities in the first Shadow Brokers monthly release, you get:

Vulnerabilities that work against 25% of systems forever and against 50% of systems for more than a month (assuming patches are possible at all), and in some industries, especially government, years of exposure.

For a $100 investment?

Modulo my preference for a group buy, then distribute model, that’s not a bad deal.

If there are no meaningful vulnerabilities in the first release, then don’t spend the second $100.

A commodity marketplace for malware weakens the NSA and its kindred. That’s reason enough for me to invest.

Disclosure = No action/change/consequences

Filed under: Cybersecurity,Security — Patrick Durusau @ 3:42 pm

What would you do if you discovered:


A cache of more than 60,000 files were discovered last week on a publicly accessible Amazon server, including passwords to a US government system containing sensitive information, and the security credentials of a lead senior engineer at Booz Allen Hamilton, one of the nation’s top intelligence and defense contractors. What’s more, the roughly 28GB of data contained at least a half dozen unencrypted passwords belonging to government contractors with Top Secret Facility Clearance.

?

Dell Cameron reports in: Top Defense Contractor Left Sensitive Pentagon Files on Amazon Server With No Password this result:


UpGuard cyber risk analyst Chris Vickery discovered the Booz Allen server last week while at his Santa Rosa home running a scan for publicly accessible s3 buckets (what Amazon calls its cloud storage devices).

The mission of UpGuard’s Cyber Risk Team is to locate and secure leaked sensitive records, so Vickery’s first email on Wednesday was to Joe Mahaffee, Booz Allen’s chief information security officer. But after receiving no immediate response, he went directly to the agency. “I emailed the NGA at 10:33am on Thursday. Public access to the leak was cut off nine minutes later,” he said.
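Vickery's scan found the bucket; the check that matters afterwards is whether a bucket you own is reachable by anyone. As an added example (not UpGuard's tooling or anything from the Gizmodo piece), this Python inspects the two places an S3 bucket can be opened up: the bucket ACL (a grant to the AllUsers or AuthenticatedUsers group) and the bucket policy (an Allow statement whose Principal is the wildcard). The input shapes follow what boto3's get_bucket_acl and get_bucket_policy return; the bucket name, owner ID, VPC endpoint ID and grants are constructed, so it runs offline.

```python
import json

# Group URIs S3 uses for "everyone" and "any AWS account" in ACL grants.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anyone on the Internet
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account, not just yours
}


def public_acl_grants(acl):
    """(group name, permission) pairs in a bucket ACL that reach beyond the owner's account.
    `acl` has the shape boto3's get_bucket_acl returns (constructed below)."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return found


def _principals(principal):
    """Flatten a policy Principal ("*", {"AWS": "*"}, {"AWS": [...]}) to a list of strings."""
    if isinstance(principal, str):
        return [principal]
    out = []
    for value in principal.values():
        out.extend(value if isinstance(value, list) else [value])
    return out


def public_policy_statements(policy):
    """Split wildcard-principal Allow statements into (wide_open, conditional).
    A Condition may narrow the statement (e.g. to one VPC endpoint), so those
    are reported for a human rather than declared public outright."""
    wide_open, conditional = [], []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement need not be wrapped in a list
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal", {})):
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        target = conditional if stmt.get("Condition") else wide_open
        target.append((stmt.get("Sid", ""), actions))
    return wide_open, conditional


def assess_bucket(acl, policy):
    """One verdict per bucket: PUBLIC, REVIEW (only conditional wildcard access) or private.
    `policy` may be the JSON string get_bucket_policy returns, a dict, or None."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    grants = public_acl_grants(acl)
    wide_open, conditional = public_policy_statements(policy or {})
    if grants or wide_open:
        return "PUBLIC"
    if conditional:
        return "REVIEW"
    return "private"


# Constructed sample, modelled on the shapes boto3 returns (not a real bucket).
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},   # READ on a bucket ACL = anyone can list it
    ],
}
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
}

if __name__ == "__main__":
    print(public_acl_grants(SAMPLE_ACL))
    print(public_policy_statements(SAMPLE_POLICY))
    print(assess_bucket(SAMPLE_ACL, SAMPLE_POLICY))
```

Both checks are needed: a bucket with a clean ACL can still be world-readable through its policy, and the reverse. Object-level ACLs are a third place to look, and account-level Block Public Access settings (which AWS added after this post) can override all of the above, so a live audit should read those too.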

What an unfortunate outcome.

Not faulting Chris Vickery, who was doing his job.

But responsible disclosure to Booz Allen Hamilton and then the NGA will result in no change to Booz Allen Hamilton’s position as a government IT supplier.

Public distribution of these files might not result in significant changes at government agencies and their IT contractors.

On the other hand, the absence of consequences for agencies and their IT contractors hasn’t improved security either.

Shouldn’t we give real world consequences a chance?

May 30, 2017

Crowd-Funding Public Access to NSA Tools!

Filed under: Cybersecurity,Government,NSA,Security — Patrick Durusau @ 6:51 pm

Awesome! (with a caveat below)

Shadow Brokers Response Team is creating open & transparent crowd-funded analysis of leaked NSA tools.

The group calling itself the Shadow Brokers have released several caches of exploits to date. These caches and releases have had a detrimental outcome on the Internet at large, one leak especially resulting in the now infamous WannaCry ransomware worm – others have been used by criminal crackers to illegally access infrastructure. Many have been analysing the data to determine its authenticity and impact on infrastructure, as a community it has been expressed that the harm caused by exploits could have been mitigated against had the Shadow Brokers been paid for their disclosures.

The leaks of information seen so far have included weaponized reliable exploits for the following platforms:

  • Cisco
  • Juniper
  • Solaris
  • Microsoft Windows
  • Linux

The Shadow Brokers have announced they are offering a “monthly dump” service which requires a subscription of 100 ZCASH coins. Currently this is around £17688.29 but could change due to the fleeting nature of cryptocurrency. By paying the Shadow Brokers the cash they asked for we hope to pool resources and avert any future WannaCry type incidents. This patreon is a chance for those who may not have large budgets (SME, startups and individuals) in the ethical hacking and whitehat community to pool resources and buy a subscription for the new monthly released data.

The goal here is to raise sufficient funds from interested parties to purchase a subscription to the new data leak. We are attempting to perform the following task:

  • Raise funds to purchase 100 ZCASH coins
  • Purchase 100 ZCASH coins from a reputable exchange
  • Transfer 100 ZCASH coins to ShadowBrokers with email address
  • Access the data from the ShadowBrokers and distribute to backers
  • Perform analysis on data leak and ascertain risk / perform disclosures

The Shadow Brokers have implied that the leak could be any of the following items of interest:

  • web browser, router, handset exploits and tools
  • newer material from NSA ops disk including Windows 10 exploits
  • misc compromised network data (SWIFT or Nuclear programmes)
  • … (emphasis in original)

An almost excellent plan that, with enough contributors, reduces the risk to any one person to a manageable level.

Two-hundred and fifty contributors at $100 each, makes the $25,000 goal. That’s quite doable.

My only caveat is the “…whitehat ethical hacker…” language for sharing the release. Buying a share in the release should be just that, buying a share. What participants do or don’t do with their share is not a concern.

Kroger clerks don’t ask me if I am going to use flour to bake bread for the police and/or terrorists.

Besides, the alleged NSA tools weren’t created by “…whitehat ethical hackers….” Yes? No government has a claim on others to save them from their own folly.

Any competing crowd-funded subscriptions to the Shadow Brokers release?

May 29, 2017

Innovations In Security: Put All Potential Bombs In Cargo

Filed under: Security,Terrorism — Patrick Durusau @ 7:38 pm

US Wants to Extend Laptop Ban to All International Flights by Catalin Cimpanu.

From the post:

US Secretary of Homeland Security Gen. John Kelly revealed in an interview over the weekend that the US might expand its current laptop ban to all flights into the US in the near future.

“I might,” said Gen. Kelly yesterday on Fox News Sunday. “There’s a real threat. There’s numerous threats against aviation. That’s really the thing they’re really obsessed with, the terrorists, the idea of knocking down an airplane in flight, particularly if it is a US carrier, particularly if it is full of mostly US folks.”

Is there an FOIA exception to obtaining the last fitness report on US Secretary of Homeland Security Gen. John F. Kelly when he was serving with the Marines?

Loading fire-prone laptops, which may potentially also contain bombs, into a plane’s cargo hold for “safety,” raises serious questions about Kelly’s mental competence.

Banning laptops could be a ruse to get passengers to use cloud services for their data, making it more easily available to the NSA.

As the general says, there are people obsessed with “the idea of knocking down an airplane in flight,” but those are mostly found in the Department of Homeland Security.

You need not take my word for it: the Wikipedia timeline of airline bombings shows eight such bombings since December of 2001. I find it difficult to credit “obsession” when worldwide there is only one bomb attack on an airliner every two years.

Moreover, the GAO in Airport Perimeter and Access Control Security Would Benefit from Risk Assessment and Strategy Updates (2016) found that the TSA has not evaluated the vulnerability of 81% of the 437 commercial airports. US airports are vulnerable and the TSA can’t say which ones or by how much.

If terrorists truly were “obsessed,” in General Kelly’s words, the abundance of vulnerable US airports should see US aircraft dropping like flies. Except they’re not.

PS: Anticipating a complete ban on laptops, now would be a good time to invest in airport laptop rental franchises.

The “blue screen of death” lives! (Humorous HTML Links)

Filed under: Cybersecurity,Humor,Microsoft,Security — Patrick Durusau @ 3:54 pm

A simple file naming bug can crash Windows 8.1 and earlier by Steve J. Vaughan-Nichols.

From the post:

In a blast from the past, a Russian researcher has uncovered a simple bug in the NTFS file system that consistently crashed Windows Vista to 8.1 PCs.

Like the infamous Windows 95/98 /con/con bug, by simply entering a file name with “$MFT” the file-system bug locks up Windows at best, or dumps it into a “blue screen of death” at worst.

The bug won’t deliver malware but since it works in URLs (except for Chrome), humorous HTML links in emails are the order of the day.

Enjoy!

May 25, 2017

Hacking Fingerprints (Yours, Mine, Theirs)

Filed under: Cybersecurity,Government,Security — Patrick Durusau @ 4:46 pm

Neural networks just hacked your fingerprints by Thomas McMullan.

From the post:

Fingerprints are supposed to be unique markers of a person’s identity. Detectives look for fingerprints in crime scenes. Your phone’s fingerprint sensor means only you can unlock the screen. The truth, however, is that fingerprints might not be as secure as you think – at least not in an age of machine learning.

A team of researchers has demonstrated that, with the help of neural networks, a “masterprint” can be used to fool verification systems. A masterprint, like a master key, is a fingerprint that can open many different doors. In the case of fingerprint identification, it does this by tricking a computer into thinking the print could belong to a number of different people.

“Our method is able to design a MasterPrint that a commercial fingerprint system matches to 22% of all users in a strict security setting, and 75% of all users at a looser security setting,” the researchers – Philip Bontrager, Julian Togelius and Nasir Memon – claim in a paper.

The tweet that brought this post to my attention didn’t seem to take this as good news.

But it is, very good news!

Think about it for a moment. Who is most likely to have “strict security settings?”

Your average cubicle dweller/home owner or …, large corporation or government entity?

What is more, if you, as a cubicle dweller are ever accosted for a breach of security, leaking fingerprint protected files, etc., what better defense than known spoofing of fingerprints?

Not that you would be guilty of such an offense, but it’s always nice to have a credible defense in addition to being innocent!

For further details:

DeepMasterPrint: Generating Fingerprints for Presentation Attacks by Philip Bontrager, Julian Togelius, Nasir Memon.

Abstract:

We present two related methods for creating MasterPrints, synthetic fingerprints that a fingerprint verification system identifies as many different people. Both methods start with training a Generative Adversarial Network (GAN) on a set of real fingerprint images. The generator network is then used to search for images that can be recognized as multiple individuals. The first method uses evolutionary optimization in the space of latent variables, and the second uses gradient-based search. Our method is able to design a MasterPrint that a commercial fingerprint system matches to 22% of all users in a strict security setting, and 75% of all users at a looser security setting.

Defeating fingerprints as “conclusive proof” of presence is an important step towards freedom for us all.

Banking Malware Tip: Don’t Kill The Goose

Filed under: Cybersecurity,Security — Patrick Durusau @ 1:56 pm

Dridex: A History of Evolution by Nikita Slepogin.

From the post:

The Dridex banking Trojan, which has become a major financial cyberthreat in the past years (in 2015, the damage done by the Trojan was estimated at over $40 million), stands apart from other malware because it has continually evolved and become more sophisticated since it made its first appearance in 2011. Dridex has been able to escape justice for so long by hiding its main command-and-control (C&C) servers behind proxying layers. Given that old versions stop working when new ones appear and that each new improvement is one more step forward in the systematic development of the malware, it can be concluded that the same people have been involved in the Trojan’s development this entire time. Below we provide a brief overview of the Trojan’s evolution over six years, as well as some technical details on its latest versions.

Compared to the 2015 GDP of the United States at ~$18 trillion, the ~$40 million damage from Dridex is a rounding error.

The Dridex authors are not killing the goose that lays golden eggs.

Compare the WannaCry ransomware attack, which provoked a worldwide, all hands on deck response, including Microsoft releasing free patches for unsupported software!

Maybe you can breach an FBI file server and dump its contents to Pastebin. That attracts a lot of attention and is likely to be your only breach of that server.

Strategy is as important in cyberwarfare as in more traditional warfare.

May 23, 2017

China Draws Wrong Lesson from WannaCry Ransomware

Filed under: Cybersecurity,Government,NSA,Open Source,Security — Patrick Durusau @ 7:48 pm

Chinese state media says US should take some blame for cyberattack

From the post:


China’s cyber authorities have repeatedly pushed for what they call a more “equitable” balance in global cyber governance, criticizing U.S. dominance.

The China Daily pointed to the U.S. ban on Chinese telecommunication provider Huawei Technologies Co Ltd, saying the curbs were hypocritical given the NSA leak.

Beijing has previously said the proliferation of fake news on U.S. social media sites, which are largely banned in China, is a reason to tighten global cyber governance.

The newspaper said that the role of the U.S. security apparatus in the attack should “instill greater urgency” in China’s mission to replace foreign technology with its own.

The state-run People’s Daily compared the cyber attack to the terrorist hacking depicted in the U.S. film “Die Hard 4”, warning that China’s role in global trade and internet connectivity opened it to increased risks from overseas.

China is certainly correct to demand a place at the table for China and other world powers in global cyber governance.

But China is drawing the wrong lesson from the WannaCry ransomware attacks if that is used as a motivation for closed source Chinese software to replace “foreign” technology.

NSA staffers may well be working for Microsoft and/or Oracle, embedding NSA produced code in their products. With closed source code, it isn’t possible to verify the absence of such code or to prevent its introduction.

Sadly, the same is true if closed source code is written by Chinese programmers, some of whom may have agendas, domestic or foreign, of their own.

The only defense to rogue code is to invest in open source projects. Not everyone will read every line of code, but being available to be read is a deterrent to obvious subversion of an application’s security.

China should have “greater urgency” to abandon closed source software, but investing in domestic closed source only replicates the mistake of investing in foreign closed source software.

Open source projects cover every office, business and scientific need.

Chinese government support for Chinese participation in existing and new open source projects can make these projects competitors to closed and potential spyware products.

The U.S. made the closed source mistake for critical cyber infrastructure. China should not make the same mistake.

May 17, 2017

Memo To File (Maybe Bad OpSec)

Filed under: Government,Security — Patrick Durusau @ 3:02 pm

What an FBI memo like Comey’s on Trump looks like by Josh Gerstein.

From the post:

The existence of memos that former FBI Director James Comey reportedly prepared detailing his conversations with President Donald Trump about the bureau’s Russia investigation is far from shocking to FBI veterans, who say documenting such contacts in highly sensitive investigations is par for the course.

“A conversation with a subject of an investigation is evidentiary, no matter what is discussed,” said former FBI official Tom Fuentes, who stressed that he doesn’t know what the president’s status is with respect to the ongoing probe of Russia’s alleged meddling in the 2016 election. “Any conversation with Trump is going to be noteworthy….If you drop dead of a heart attack, your successor is going to want to know what was going on, so you would record that whether it’s to aid your future memory or for a successor two or three years down the line.”

Comey documented Trump’s request to curtail the FBI investigation into Russian meddling in the 2016 election the day after former national security adviser Michael Flynn resigned, according to a New York Times report subsequently confirmed by a source to POLITICO. The White House has denied the president made any such request.

A “memo to file” isn’t complicated and, especially if done on a routine basis, has high value as evidence. Gerstein includes a link to an actual “memo to file.” (see his post)

I mention this because a practice of “memo to file,” much like Nixon’s Watergate tapes, can prove to be a two-edged sword.

Like calendars, travel logs, expense records, etc., a series of “memo(s) to file” may not agree with your current memory of events. The “record” will be presumed to be more reliable than your present memory.

Just a warning to make sure the record you preserve is the one you want quoted back to yourself in the future.

Don’t Blame NSA For Ransomware Attack!

Filed under: Cybersecurity,Government,NSA,Security — Patrick Durusau @ 1:40 pm

Stop Blaming NSA For The Ransomware Attack by Patrick Tucker.

Most days I think the NSA should be blamed for everything from global warming to biscuits that fail to rise.

But for leaked cyber weapons? No blame whatsoever.

Why? The answer lies in how the NSA processes vulnerabilities.

From the post:


“You’ve heard my deputy director say that in excess of 80-something percent of the vulnerabilities are actually disclosed—responsibly disclosed —to the vendors so that they can then actually patch and remediate for that,” Curtis Dukes, NSA’s former deputy national manager for national security systems, said at an American Enterprise Institute event in October. “So I do believe it’s a thoughtful process that we have here in the U.S.”

Dukes said the impetus to conceal an exploit vanishes when it is used by a criminal gang, adversarial nation, or some other malefactor.

We may choose to restrict a vulnerability for offensive purposes, like breaking into an adversary’s network, he said. But that doesn’t mean we’re not also constantly looking for signs whether another nation-state or criminal network has actually found that same vulnerability and now are using it. As soon as we see any indications of that, then that decision immediately flips, and we move to disseminate and remediate.

You may think that is a “thoughtful process” but that’s not why I suggest the NSA should be held blameless.

Look at the numbers on vulnerabilities:

80% disclosed by the NSA for remediation.

20% concealed by the NSA.

Complete NSA disclosure means the 20% now concealed vanishes for everyone.

That damages everyone seeking government transparency.

Don’t wave your arms in the air crying “ransomware! ransomware! Help me! Help me!,” or “Blame the NSA! Blame the NSA!”

Use FOIA requests, leaks and cyber vulnerabilities to peel governments of their secrecy, like lettuce, one leaf at a time.

May 16, 2017

Correction to Financial Times on EsteemAudit

Filed under: Cybersecurity,NSA,Security — Patrick Durusau @ 7:08 pm

Hackers prime second classified US cyber weapon by Sam Jones and Max Seddon.

From the post:

Criminal hacking groups have repurposed a second classified cyber weapon stolen from US spies and have made it available on the so-called dark web after the success of the WannaCry attack that swept across the globe on Friday.

The hacking tool, developed by the US National Security Agency and called EsteemAudit, has been adapted and is now available for criminal use, according to security analysts.

Correction:

“…is now available for criminal use…” should read:

“…is now available for widespread criminal use….”

NSA cyber weapons have always been in use by criminals. The debate now is over more criminals using the same weapons.

If those weapons are used against the NSA and its co-conspirators, I don’t see a problem.

Marketing Advice For Shadow Brokers

Filed under: Cybersecurity,Hillary Clinton,NSA,Security — Patrick Durusau @ 4:13 pm

Shadow Brokers:

I read your post OH LORDY! Comey Wanna Cry Edition outlining your plans for:

In June, TheShadowBrokers is announcing “TheShadowBrokers Data Dump of the Month” service. TheShadowBrokers is launching new monthly subscription model. Is being like wine of month club. Each month peoples can be paying membership fee, then getting members only data dump each month. What members doing with data after is up to members.

TheShadowBrokers Monthly Data Dump could be being:

  • web browser, router, handset exploits and tools
  • select items from newer Ops Disks, including newer exploits for Windows 10
  • compromised network data from more SWIFT providers and Central banks
  • compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs

More details in June.

OR IF RESPONSIBLE PARTY IS BUYING ALL LOST DATA BEFORE IT IS BEING SOLD TO THEPEOPLES THEN THESHADOWBROKERS WILL HAVE NO MORE FINANCIAL INCENTIVES TO BE TAKING CONTINUED RISKS OF OPERATIONS AND WILL GO DARK PERMANENTLY YOU HAVING OUR PUBLIC BITCOIN ADDRESS
… (emphasis in original)

I don’t know your background in subscription marketing, but I don’t see Shadow Brokers as meeting the criteria for a successful subscription business (see 9 Keys to Building a Successful Subscription Business).

Unless you want to get into a vulnerability-as-commodity business, with its attendant needs for a large subscriber base, advertising, tech support, etc., with every service layer adding more exposure, I just don’t see it. The risk of exposure is too great and the investment before profit too large.

I don’t feel much better about a bulk purchase from a major government or spy agency. The likely buyers already have the same or similar data so don’t have an acquisition motive.

Moreover, likely buyers don’t trust the Shadow Brokers. As a one-time seller, Shadow Brokers could collect for the “lost data” and then release it for free in the wild.

You say that isn’t the plan of Shadow Brokers, but likely buyers are untrustworthy and expect the worst of others.

If I’m right and traditional subscription and/or direct sales models aren’t likely to work, that doesn’t mean that a sale of the “lost data” is impossible.

Consider the Wikileaks strategy with the Podesta emails.

The Podesta emails were replete with office chatter, backbiting remarks, and other trivia.

Despite the lack of intrinsic value, their importance was magnified by the release of small chunks of texts, each of which might include something important.

With each release, main stream media outlets such as the New York Times, the Washington Post, and others went into a frenzy of coverage.

That was non-technical data, so a similar strategy with the “lost data” will require supplemental, explanatory materials for the press.

Dumping one or two tasty morsels every Friday, for example, will extend media coverage, not to mention building public outrage that could, no guarantees, force one or more governments to pony up for the “lost data.”

Hard to say unless you try.

PS: For anyone who thinks this post runs afoul of “aiding hackers” prohibitions, you have failed to consider the most likely alternate identity of Shadow Brokers, that of the NSA itself.

Ask yourself:

Who wants real time surveillance of all networks? (NSA)

What will drive acceptance of real time surveillance of all networks? (Hint, ongoing and widespread data breaches.)

Who wants to drive adoption of Windows 10? (Assuming NSA agents wrote backdoors into the 50 to 60 million lines of code in Windows 10.)

Would a government that routinely assassinates people and overthrows other governments hesitate to put ringers to work at Microsoft? Or other companies?

Is suborning software verboten? (Your naiveté is shocking.)

May 14, 2017

WCry/WanaCry Analysis – Reading For Monday, May 15, 2017.

Filed under: Cybersecurity,Security — Patrick Durusau @ 4:23 pm

The chief of Europol warns that the WCry/WanaCry crisis will grow on Monday, May 15, 2017. That exhausted Europol’s reservoir of useful comments on this “crisis.”

“Crisis” in quotation marks because only unpatched but supported Windows systems and no-longer-supported Windows systems are vulnerable to WCry/WanaCry.

Exception for non-supported systems: Microsoft issued a patch for Windows XP, unfortunately, to protect against WCry/WanaCry.

Translation: If you are running Windows XP without the WCry/WanaCry patch, you can still be a victim.

For the more technically minded, Amanda Rousseau writes in: WCry/WanaCry Ransomware Technical Analysis:

As we discussed when this outbreak began, the WCry or WanaCrypt0r ransomware spread quickly across Europe and Asia, impacting almost 100 countries and disrupting or closing 45 hospitals in the UK. As the ransomware continued to propagate, I got my hands on a sample and quickly began analyzing the malware. This post will walk through my findings and provide a technical overview of the strain of WCry ransomware which caused the massive impact on Friday. Many have done great work analyzing this malware in action and helping contain its spread, and I hope my comprehensive static analysis will provide a good overall picture of this particular ransomware variant on top of that.

I assume you are:

  1. Not running Windows, or
  2. Running supported and patched Windows, or
  3. Running patched Windows XP (please don’t tell anyone)

If any of those are true, then Rousseau’s post makes great reading material for Monday, May 15, 2017.

If you are exposed, you should take steps to end your exposure now. Rousseau’s post can wait until you are safe.

May 13, 2017

Effective versus Democratic Action

Filed under: Cybersecurity,Government,Privacy,Security — Patrick Durusau @ 7:54 pm

OpenMedia is hosting an online petition: Save our Security — Strong Encryption Keeps Us Safe to:

Leaked docs reveal the UK Home Office’s secret plan to gain real-time access to our text messages and online communications AND force companies like WhatsApp to break the security on its own software.1 This reckless plan will make all of us more vulnerable to attacks like the recent ransomware assault against the NHS.2

If enough people speak out right now and flood the consultation before May 19, then Home Secretary Amber Rudd will realise she’s gone too far.

Tell Home Secretary Amber Rudd: Encryption keeps us safe. Do not weaken everyone’s security by creating backdoors that hackers and malicious actors can exploit.
… (emphasis in original, footnotes omitted)

+1! on securing your privacy, but -1! on democratic action.

Assume the consultation is “flooded” and Home Secretary Amber Rudd says:

Hearing the outcry of our citizens, we repent of our plan for near real time monitoring of your conversations….

I’m sorry, why would you trust Home Secretary Amber Rudd or any other member of government, when they make such a statement?

They hid the plans for monitoring your communications in near real time, as OpenMedia makes abundantly clear.

What convinces you Home Secretary Rudd and her familiars won’t hide government monitoring of your communications?

A record of trustworthy behavior in the past?

You can flood the consultation if you like but effective actions include:

  • Anyone with access to government information should leak that information whenever possible.
  • Anyone employed by government should use weak passwords, follow links in suspected phishing emails and otherwise practice bad cybersecurity.
  • If you don’t work for a government or have access to government information, copy, repost, forward, and otherwise spread any leaked government information you encounter.
  • If you have technical skills, devote some portion of your work week to obtaining information a government prefers to keep secret.

The only trustworthy government is a transparent government.

May 12, 2017

WanaCrypt0r: The Wages Of False Economy

Filed under: Cybersecurity,NSA,Security — Patrick Durusau @ 8:26 pm

Malware that attacks unsupported or unpatched Microsoft software started making the rounds today.

Just some of the coverage:

Malware Stolen From The NSA Cripples Computers In 74 Countries (And Counting)

Massive ransomware cyber-attack hits computers in 74 countries

Cyber-attack hits 74 countries with UK hospitals among targets – live updates

Cyberattack Hits Dozen Nations ‘Using Leaked NSA Hacking Tool’

Massive ransomware attack hits 99 countries

Criminals used leaked NSA cyberweapon in crippling ransomware attack, experts say

Global cyberattack disrupts shipper FedEx, UK health system

Hackers use leaked NSA bug in massive global cyber attack

Wanna Decrypter 2.0 ransomware attack: what you need to know

Wana Decrypt0r Ransomware Using NSA Exploit Leaked by Shadow Brokers Is on a Rampage

You will see phrases like “weapons grade malware,” “NSA exploit,” “NSA cyberweapon,” etc., and many others over the coming days.

It will be mentioned, but few consequences will be seen for managers who practiced false economy by not upgrading their Microsoft systems in a timely fashion.

It is equally unlikely that sysadmins will suffer for their failure to patch currently supported Microsoft systems in a timely manner.

Given those two likely outcomes, the next “massive global cyber attack” is a question of when, not if. Managers will continue to practice false economies and sysadmins won’t follow good patching practices.

My suggestions:

  1. Upgrade to supported Microsoft software.
  2. Implement and audit patch application.
  3. Buy Microsoft stock.

The first two will help keep you safe and the third one will enable you to profit from the periodic panics among unsupported Microsoft software users.

May 10, 2017

Did You Miss The Macron Leak? @ErrataBob To The Rescue!

Filed under: BitTorrent,Cybersecurity,Security — Patrick Durusau @ 3:01 pm

If you missed the Macron leak, or have seen leaks deleted before you could copy them, don’t despair!

Robert Graham, @ErrataBob, rides to the rescue with: Hacker dumps, magnet links, and you.

From the post:


Along with downloading files, BitTorrent software on your computer also participates in a “distributed hash” network. When using a torrent file to download, your BitTorrent software still tells other random BitTorrent clients about the hash. Knowledge of this hash thus spreads throughout the BitTorrent world. It’s only 16 bytes in size, so the average BitTorrent client can keep track of millions of such hashes while consuming very little memory or bandwidth.

If somebody decides they want to download the BitTorrent with that hash, they broadcast that request throughout this “distributed hash” network until they find one or more people with the full torrent. They then get the torrent description file from them, and also a list of peers in the “swarm” who are downloading the file.

Thus, when the original torrent description file, the tracker, and original copy go away, you can still locate the swarm of downloaders through this hash. As long as all the individual pieces exist in the swarm, you can still successfully download the original file.

Graham provides the magnet link for “langannerch.rar” and as of this AM, I can attest the link is working as described.

Consider a “distributed hash” network as a public service. Even if you aren’t especially interested in a leak, like Macron’s, consider grabbing a copy to assist others who are.
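The hash Graham describes is the infohash: SHA-1 over the bencoded “info” dictionary of the torrent, which is exactly what a magnet link carries. The following is an added example (not code from Graham’s post) that builds a minimal single-file torrent, derives its infohash, emits a magnet link, and parses a magnet link back to the hash; the file content, name and tracker URL are constructed samples.

```python
"""
Infohash and magnet-link round trip for a BitTorrent (v1) torrent.

Added example, not code from Robert Graham's post. It bencodes a minimal
single-file info dictionary, takes its SHA-1 (the 20-byte infohash that the
DHT and magnet links key on), emits a magnet link, and parses a magnet link
(hex or base32 form) back to the infohash. The file content, name and
tracker URL used with it are constructed samples.
"""
import base64
import hashlib
from urllib.parse import parse_qs, quote

PIECE_LENGTH = 16384


def bencode(obj):
    """Canonical bencoding; dict keys are sorted bytewise as the spec requires."""
    if isinstance(obj, bool):
        raise TypeError("bencode has no boolean type")
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode("utf-8")
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        items = [(k.encode("utf-8") if isinstance(k, str) else k, v)
                 for k, v in obj.items()]
        items.sort(key=lambda kv: kv[0])
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(f"cannot bencode {type(obj).__name__}")


def info_dict(name, data, piece_length=PIECE_LENGTH):
    """Build the 'info' dictionary for a single file: name, length, piece hashes."""
    pieces = b"".join(
        hashlib.sha1(data[i:i + piece_length]).digest()
        for i in range(0, len(data), piece_length)
    )
    return {"name": name, "length": len(data),
            "piece length": piece_length, "pieces": pieces}


def infohash(info):
    """The infohash is SHA-1 over the bencoded info dict, not over the file bytes."""
    return hashlib.sha1(bencode(info)).digest()


def torrent_file(info, tracker):
    """A complete .torrent: the info dict plus the tracker (announce) URL."""
    return bencode({"announce": tracker, "info": info})


def magnet_link(info, trackers=(), base32=False):
    """Magnet URI carrying only the infohash, a display name and optional trackers."""
    digest = infohash(info)
    topic = base64.b32encode(digest).decode("ascii") if base32 else digest.hex()
    link = "magnet:?xt=urn:btih:" + topic + "&dn=" + quote(info["name"], safe="")
    for tracker in trackers:
        link += "&tr=" + quote(tracker, safe="")
    return link


def infohash_from_magnet(link):
    """Recover the 20-byte infohash from a magnet link; accepts hex or base32 btih."""
    if not link.startswith("magnet:?"):
        raise ValueError("not a magnet link")
    params = parse_qs(link[len("magnet:?"):])
    for xt in params.get("xt", []):
        if xt.startswith("urn:btih:"):
            topic = xt[len("urn:btih:"):]
            if len(topic) == 40:
                return bytes.fromhex(topic)
            if len(topic) == 32:
                return base64.b32decode(topic.upper())
            raise ValueError("btih must be 40 hex or 32 base32 characters")
    raise ValueError("magnet link has no urn:btih exact topic")


def same_content(torrent_info, link):
    """True when a surviving magnet link names the same content as a .torrent's info dict."""
    return infohash_from_magnet(link) == infohash(torrent_info)
```

Because the magnet link contains nothing but the hash (plus hints), anyone holding it can re-enter the swarm after the .torrent file and tracker are gone, which is the point of Graham’s post.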

May 9, 2017

Patched != Applied / Patches As Vulnerability Patterns

Filed under: Cybersecurity,Microsoft,Security,Subject Identity — Patrick Durusau @ 7:06 pm

Microsoft’s Microsoft Security Advisory 4022344 in response to MsMpEng: Remotely Exploitable Type Confusion in Windows 8, 8.1, 10, Windows Server, SCEP, Microsoft Security Essentials, and more by taviso@google.com, was so timely as to deprive the “responsible disclosure” crowd of a chance to bitch about the notice given to Microsoft.

Two aspects of this vulnerability merit your attention.

Patched != Applied

Under Suggested Actions, the Microsoft bulletin reads:

  • Verify that the update is installed

    Customers should verify that the latest version of the Microsoft Malware Protection Engine and definition updates are being actively downloaded and installed for their Microsoft antimalware products.

    For more information on how to verify the version number for the Microsoft Malware Protection Engine that your software is currently using, see the section, “Verifying Update Installation”, in Microsoft Knowledge Base Article 2510781.

    For affected software, verify that the Microsoft Malware Protection Engine version is 1.1.13704.0 or later.

  • If necessary, install the update

    Administrators of enterprise antimalware deployments should ensure that their update management software is configured to automatically approve and distribute engine updates and new malware definitions. Enterprise administrators should also verify that the latest version of the Microsoft Malware Protection Engine and definition updates are being actively downloaded, approved and deployed in their environment.

    For end-users, the affected software provides built-in mechanisms for the automatic detection and deployment of this update. For these customers, the update will be applied within 48 hours of its availability. The exact time frame depends on the software used, Internet connection, and infrastructure configuration. End users that do not wish to wait can manually update their antimalware software.

    For more information on how to manually update the Microsoft Malware Protection Engine and malware definitions, refer to Microsoft Knowledge Base Article 2510781.

Microsoft knows its customers far better than I do and that suggests unpatched systems can be discovered in the wild. No doubt in diminishing numbers but you won’t know unless you check.
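Checking means comparing the running engine version against 1.1.13704.0 numerically, not as a string. The following is an added example (not Microsoft’s or the post’s code) that audits a constructed inventory of hosts; the optional live query assumes a Windows host with the Defender cmdlet Get-MpComputerStatus available.

```python
"""
Audit Microsoft Malware Protection Engine versions against the advisory's
minimum (1.1.13704.0). Added example, not Microsoft's or the post's code.
The inventory below is a constructed sample; on a Windows host the running
engine version can be read with the Defender cmdlet Get-MpComputerStatus
(assumed present on that host).
"""
import subprocess

MIN_ENGINE = "1.1.13704.0"  # minimum from Microsoft Security Advisory 4022344


def parse_version(version):
    """'1.1.13704.0' -> (1, 1, 13704, 0): compare as integers, not text."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(engine_version, minimum=MIN_ENGINE):
    """True when the engine is at or above the advisory's minimum version.

    A plain string comparison gets this wrong: '1.1.9999.0' sorts after
    '1.1.13704.0' as text but is far below it as a version number.
    """
    return parse_version(engine_version) >= parse_version(minimum)


def audit(inventory, minimum=MIN_ENGINE):
    """Return the hosts whose engine is still below the minimum, sorted by name."""
    return sorted(host for host, ver in inventory.items()
                  if not is_patched(ver, minimum))


def local_engine_version():
    """Windows only: ask Defender for the running engine version (assumed cmdlet)."""
    result = subprocess.run(
        ["powershell", "-NoProfile", "-Command",
         "(Get-MpComputerStatus).AMEngineVersion"],
        capture_output=True, text=True, check=True)
    return result.stdout.strip()


# Constructed sample inventory (host -> reported engine version), e.g. as
# exported from an endpoint management console.
INVENTORY = {
    "ws-01": "1.1.13704.0",
    "ws-02": "1.1.13601.0",
    "srv-01": "1.1.13800.0",
    "ws-03": "1.1.9999.0",
}

if __name__ == "__main__":
    print("hosts below", MIN_ENGINE, ":", audit(INVENTORY))
```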

Patches As Vulnerability Patterns

You have to visit CVE-2017-0290 to find links to the details of “MsMpEng: Remotely Exploitable Type Confusion….”

Which raises an interesting use case for the Microsoft/MSRC-Microsoft-Security-Updates-API, which I encountered by way of a PowerShell script for accessing the MSRC Portal API.

Polling the Microsoft/MSRC-Microsoft-Security-Updates-API provides you with notice of vulnerabilities to look for based on unapplied patches.

You can use the CVE links to find deeper descriptions of underlying vulnerabilities. Those descriptions, assuming you mine the sips (statistically improbable phrases), can result in a powerful search tool to find closely related postings.

Untested but searching by patterns for particular programmers (whether named or not), may be more efficient than an abstract search for coding errors.

Reasoning that programmers tend to commit the same errors, reviewers tend to miss the same errors, and so any discovered error, properly patterned, may be the key to a grab bag of other errors.

That’s an issue where tunable subject identity would be very useful.
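The “sips” idea from the paragraphs above, worked through as an added example (not code from the post or from Microsoft): score each word pair in an advisory against a background corpus, keep the improbable ones, and use the scores to find the advisory most closely related to a given one. All advisory texts, their ids and the background corpus are constructed samples, not real CVE text.

```python
"""
Statistically improbable phrases (SIPs) over vulnerability descriptions.

Added example, not code from the original post. It ranks the word pairs in
each advisory that are rare against a background corpus and then uses the
phrase scores to find the most closely related advisory. The advisories,
their placeholder ids and the background text are constructed samples.
"""
import math
import re
from collections import Counter

# Constructed sample advisories (placeholder ids, not real CVE numbers).
ADVISORIES = {
    "ADV-A": ("Type confusion in the malware protection engine: a crafted file "
              "triggers the type confusion when the engine scans the file, "
              "leading to remote code execution."),
    "ADV-B": ("The protection engine mishandles a crafted archive; a type "
              "confusion during the scan leads to remote code execution "
              "without user interaction."),
    "ADV-C": ("SQL injection in the login form of the web portal: a crafted "
              "username bypasses authentication and exposes the account database."),
}

# Constructed background corpus standing in for "ordinary" advisory prose.
BACKGROUND = ("The update fixes a bug in the engine. Users should install the "
              "update. A crafted file may cause the application to crash. "
              "Remote code execution is a common impact of a vulnerability. "
              "The web portal login form was redesigned.")

STOPWORDS = {"a", "an", "the", "of", "in", "to", "is", "when", "and", "or",
             "for", "by", "on", "with", "that"}


def bigrams(text):
    """Adjacent word pairs, dropping pairs that start or end with a stopword."""
    toks = re.findall(r"[a-z0-9]+", text.lower())
    return [f"{first} {second}" for first, second in zip(toks, toks[1:])
            if first not in STOPWORDS and second not in STOPWORDS]


def phrase_scores(text, background_counts, background_total):
    """Score each bigram: occurrences x log((N + 1) / (background count + 1)).

    Phrases common in the background (e.g. 'remote code') score low; phrases
    the background never uses score high, the more so if repeated.
    """
    scores = {}
    for phrase, tf in Counter(bigrams(text)).items():
        bg = background_counts.get(phrase, 0)
        scores[phrase] = tf * math.log((background_total + 1) / (bg + 1))
    return scores


def sips(text, background=BACKGROUND, k=5):
    """The k highest-scoring phrases of text, ties broken alphabetically."""
    bg_counts = Counter(bigrams(background))
    scores = phrase_scores(text, bg_counts, sum(bg_counts.values()))
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [phrase for phrase, _ in ranked[:k]]


def cosine(u, v):
    """Cosine similarity of two sparse phrase->score vectors."""
    dot = sum(u[p] * v[p] for p in u.keys() & v.keys())
    nu = math.sqrt(sum(x * x for x in u.values()))
    nv = math.sqrt(sum(x * x for x in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0


def most_related(adv_id, advisories=ADVISORIES, background=BACKGROUND):
    """(id, similarity) of the advisory whose SIP profile is closest to adv_id's."""
    bg_counts = Counter(bigrams(background))
    total = sum(bg_counts.values())
    vectors = {i: phrase_scores(t, bg_counts, total) for i, t in advisories.items()}
    others = [i for i in advisories if i != adv_id]
    best = max(others, key=lambda i: cosine(vectors[adv_id], vectors[i]))
    return best, cosine(vectors[adv_id], vectors[best])
```

With real advisory text the same scoring can run over an MSRC or CVE feed, but the feed parsing is not shown here.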

May 8, 2017

OSS-Fuzz: Five months later, and rewarding projects

Filed under: Cybersecurity,Fuzzing,Security — Patrick Durusau @ 8:10 pm

OSS-Fuzz: Five months later, and rewarding projects

From the post:

Five months ago, we announced OSS-Fuzz, Google’s effort to help make open source software more secure and stable. Since then, our robot army has been working hard at fuzzing, processing 10 trillion test inputs a day. Thanks to the efforts of the open source community who have integrated a total of 47 projects, we’ve found over 1,000 bugs (264 of which are potential security vulnerabilities).

[graphic omitted]

Notable results

OSS-Fuzz has found numerous security vulnerabilities in several critical open source projects: 10 in FreeType2, 17 in FFmpeg, 33 in LibreOffice, 8 in SQLite 3, 10 in GnuTLS, 25 in PCRE2, 9 in gRPC, and 7 in Wireshark, etc. We’ve also had at least one bug collision with another independent security researcher (CVE-2017-2801). (Some of the bugs are still view restricted so links may show smaller numbers.)

A useful way to improve the quality of software and its security. Not only that, but rewards are offered for projects that adopt the ideal integration guidelines.

The Patch Rewards program now includes rewards for integration of fuzz targets into OSS-Fuzz.

Contributing to open source projects, here by contributing to the use of fuzzing in the development process, is a far cry from the labor market damaging “Hack the Air Force” program. The US Air Force can and does spend $millions if not $billions on insecure software and services.

Realizing it has endangered itself, but unwilling to either contract for better services and/or to hold its present contractors responsible for shabby work, the Air Force is attempting to damage the labor market for defensive cybersecurity services by soliciting free work. Or nearly so given the ratio of the prizes to Air Force spending on software.

$Millions in contributions to open source projects, not a single dime for poorly managed government IT contract results.

Zero-Day versus Tried-n-True Methods

Filed under: Cybersecurity,Security — Patrick Durusau @ 7:38 pm

IBM shipped malware-laden USB sticks to unsuspecting customers by Chris Bing.

From the post:

Malware-laden USB sticks were accidentally sent by IBM to a series of enterprise customers that had purchased storage systems developed by the computing giant, according to a company advisory published last week.

An unidentified number of these drives were mailed as an installation tool for users setting up IBM Storewize V3700 and V5000 Gen 1 storage systems. IBM says that all of the infected USBs carried the same serial number: 01AC585.

An IBM spokesperson did not respond to CyberScoop’s inquiry. It remains unclear how the malware originally found its way onto the drives.

One upside of this story is you now know what a USB for the IBM Storewize V3700 and V5000 Gen 1 storage systems looks like.

Not that you would go out and create fake USBs for IBM Storewize V3700 and V5000 Gen 1 storage systems. Heaven forbid!

Another upside is that the story acts as a reminder that you can purchase, or sweat over finding, a new zero-day, versus taking the simpler route of getting a victim to infect themselves.

Professional DVD duplication is cheap and widespread. Recipients are unlikely to question the receipt of a “prize” DVD.

Selecting best DVD for a recipient is the real question. Pleading “responsible disclosure,” I have to omit details on ways to make that selection.

😉

The DVD route requires more preparation than phishing but unlike emails, due to sharing, malware DVDs are gifts that keep on giving.

Guessing Valid GMail Addresses – Not A Bug (Must Be A Feature)

Filed under: Cybersecurity,Security — Patrick Durusau @ 9:55 am

Abusing Gmail to get previously unlisted e-mail addresses

From the post:

tl;dr: I discovered a glitch that allowed me to guess, in large number, existing Google accounts addresses that could otherwise be unknown. DISCLAIMER: it’s just bruteforce that wasn’t properly rate-limited, nothing too fancy, so if you’re looking for some juicy 0day please pass along 😉
… (emphasis in original)

Cutting to the chase:


This way I was able to guess around 40,000 valid e-mail addresses per day with a stupid unoptimized PoC.
… (emphasis in original)

When advised of the issue, Google responded that it’s not a security bug.

May 7, 2017

Hijacking Fleets of PCs

Filed under: Cybersecurity,Security — Patrick Durusau @ 7:37 pm

Intel chip vulnerability lets hackers easily hijack fleets of PCs by Zack Whittaker.

From the post:

A vulnerability in Intel chips that went undiscovered for almost a decade allows hackers to remotely gain full control over affected Windows PCs without needing a password.

The “critical”-rated bug, disclosed by Intel last week, lies in a feature of Intel’s Active Management Technology (more commonly known as just AMT), which allows IT administrators to remotely carry out maintenance and other tasks on entire fleets of computers as if they were there in person, like software updates and wiping hard drives. AMT also allows the administrator to remotely control the computer’s keyboard and mouse, even if the PC is powered off.

To make life easier, AMT was also made available through the web browser — accessible even when the remote PC is asleep — that’s protected by a password set by the admin.

The problem is that a hacker can enter a blank password and still get into the web console, according to independent technical rundowns of the flaw by two security research labs.

Embedi researchers, credited with finding the bug, explained in a whitepaper posted Friday that a flaw in how the default “admin” account for the web interface processes the user’s passwords effectively lets anyone log in by entering nothing at the log-on prompt.

Opportunity to stretch your technical chops as fixes are due to roll out May 8th and thereafter.

Of course, as Verizon posted last week:

81% of hacking-related breaches leveraged either stolen and/or weak passwords. (page 3)

Decade old hardware bugs grab headlines but human fails are the bread and butter of cybersecurity.

May 5, 2017

Archive.org (Internet Archive) Security Warning!

Filed under: Cybersecurity,Security — Patrick Durusau @ 8:59 pm

Just in case you forgot, every packet of Internet traffic can disclose your identity.

From Twitter today:

I have no idea if this was the actual Macron leaker or an account being used to mask their true identity.

But, it’s worth a quick heads up to say:

Presume every packet from your computer is being captured (not necessarily read if encrypted) somewhere by someone.

Plan accordingly.

Verizon’s Hacking Retrospective For 2016 (2017 Report)

Filed under: Cybersecurity,Security — Patrick Durusau @ 8:07 pm

Instead of running afoul of “It’s hard to make predictions, especially about the future,” Verizon is looking backwards at hacking in 2016.

The full report runs over seventy pages of hacker success stories but if you lack the time or stomach to read it in full, consider Kelly Sweeney’s Verizon 2017 Data Breach Investigation Report Released, which reads in part:

We follow the Verizon Data Breach Investigation Report each year. It just hit the news stand and as always, is full of insights.

The report collected data from 65 organizations in 84 countries, including 42,068 cybersecurity incidents and 1,935 data breaches.

The major themes of the report are:

  • No one thinks it’s going to be them. Until it is.
  • Organizations think they’ve got the basics covered.
  • People are also still failing to set strong passwords.
  • People rely on how they’ve always done things.

The conclusion is that all organizations and industries are at risk of cyber-attacks, and 61 percent of the data breaches experienced by those responding were companies with less than 1,000 employees.

You should not be asking why there is so much cybercrime, but rather, why isn’t there more?

My unscientific explanation is that the number of potential targets outnumbers hackers by two or more orders of magnitude.

Yours?

Hacking Not Limited To Rocket/CS Scientists

Filed under: Cybersecurity,Security — Patrick Durusau @ 5:42 pm

Want be a successful hacker but you’re not a rocket/CS scientist? There’s hope!

Lucian Constantin writes in Cyberspies tap free tools to make powerful malware framework:

Over the past year, a group of attackers has managed to infect hundreds of computers belonging to government agencies with a malware framework stitched together from JavaScript code and publicly available tools.

The attack, analyzed by researchers from antivirus firm Bitdefender, shows that cyberespionage groups don’t necessarily need to invest a lot of money in developing unique and powerful malware programs to achieve their goals. In fact, the use of publicly available tools designed for system administration can increase an attack’s efficiency and makes it harder for security vendors to detect it and link it to a particular threat actor.

The Bitdefender researchers have dubbed the newly discovered attack group Netrepser and traced back some of its attack campaigns to May 2016. The group is still active, but to Bitdefender’s knowledge its attacks have never been publicly documented before, which might be in part because its campaigns are highly targeted.

Some tools were developed at public expense (read CIA) and have gained wider usage.

You may not be Stephen Hawking but the effort you are willing to invest determines your success as a hacker.

The question to ask yourself: What am I going to learn today?

May 3, 2017

Hacker Wish Book 2017 (Who Got Left Out?)

Filed under: Cybersecurity,Security — Patrick Durusau @ 2:46 pm

Symantec continues the Sears Wish Book tradition for hackers with the 2017 Internet Security Threat Report (Symantec, ISTR 22).

Like the original, the Hacker Wish Book 2017 has:

Flashy graphics:

(Did you make the top ten?)

Exciting textual tidbits:


Our data found that 76 percent of websites scanned contained vulnerabilities—the same percentage as 2014 and just two percent less than the 2015 figure. (at page 33)

Holiday tips (best practices):

  • Targeted attacks: Espionage, subversion, & sabotage (page 22)
  • Email: Malware, spam, & phishing (page 31)
  • Web attacks, toolkits, & exploiting vulnerabilities online (page 36)
  • Cyber crime & the underground economy (page 54)
  • Ransomware: Extorting businesses & consumers (page 62)
  • New frontiers: Internet of Things, mobile, & cloud threats (page 67)
  • Mobile (page 72)
  • Cloud (page 74)

Who Was Left Out?

Before you print a full-color copy of 2017 Internet Security Threat Report (Symantec, ISTR 22) for your “reading” room, ask who was left out?

Hackers are covered by the list of schemes, devices and strategies. Managers are interested in comparative statistics, “see, almost everybody else gets hacked too.” Hmmmm, but a class of people are missing.

Here’s a hint: Use the search function to look for salary (0 hits), hiring (0 hits), training (0 hits), compensation (0 hits).

The cyberdefense community gets no joy from the Hacker Wish Book 2017.

Not one mention of the need to pay competitive compensation for cyberdefense employees (not part-time contractors) with benefits and working conditions suitable for that community.

We have all seen legislatures flail about on cybercrime (CFAA). Not to mention management’s foolish belief that urging present staff “to do better,” is a solution to cyber-insecurity (the best practices mentioned above).

If you credit the Symantec report at all, how would you grade both of those strategies?

If your answer is anything other than “F,” contact me as I have the deed to bridges in New York City. (Apologies to other readers, it’s hard to resist clipping business types with more money than judgment.)

Anyone interested in improved cybersecurity needs to invest in cybersecurity. Including full-time staff and resources.

When I say “full-time” staff, I mean just that. Not sysadmin, DBA, webmaster, and cybersecurity all rolled into one position. Any one of those, with further sub-specialization as necessary, is a full-time job. (Just because you don’t understand a task doesn’t make it easy.)

Of course you can have your data breach figure in the Hacker Wish Book 2018. Or be the first in your industry to get tagged with punitive damages for a data breach. That’s going to happen. The question is: Will it be you?

Your call.

May 2, 2017

One For The Hounds – C & C Servers

Filed under: Cybersecurity,Security — Patrick Durusau @ 3:34 pm

New Shodan Tool Can Find Malware Command and Control (C&C) Servers by Catalin Cimpanu.

From the post:

Shodan and Recorded Future have launched today a search engine for discovering malware command-and-control (C&C) servers. Named Malware Hunter, this new tool is integrated into Shodan, a search engine for discovering Internet-connected devices.

Malware Hunter works via search bots that crawl the Internet looking for computers configured to function as a botnet C&C server.

In order to trick a C&C server to reveal its location, the search bot uses various predefined requests to pretend to be an infected computer that’s reporting back to the C&C server. If the scanned computer responds, Malware Hunter logs the IP and makes it available via the Shodan interface.

Take this news as encouragement to step up your game.

On the upside, perhaps Malware Hunter or some successor will “out” government spy malware.

May 1, 2017

Airport WiFi Passwords Map (Frequent Face?)

Filed under: Cybersecurity,Security — Patrick Durusau @ 4:41 pm

A Map Of Wireless Passwords From Airports And Lounges Around The World (Updated Regularly) by Anil Polat.

From the post:

Finding an open wireless connection in many airports isn’t always easy, or possible, without a password (or local phone number which is stupid). The difficulty of getting online is why I asked you for and created an always-up-to-date list of airport wireless passwords around the world. You’ve been sending me your tips regularly and I post on the foXnoMad Facebook page when there’s a new password or airport added.

Recently, reader Zach made a great suggestion that will make it easier for you to search, add, and keep up with this airport wireless password list.
….

I applaud Polat taking the initiative and investing the effort to make this wonderful resource available. Certainly a benefit to travelers who are quite casual about WiFi security.

I say “travelers who are quite casual about WiFi security” because any false WiFi hotspot is going to set the same password as the pay-to-play airport WiFi.

Being charged for a service is no guarantee of non-abuse. Any cable subscriber knows that already.

The password list makes airports sound like great hacking locations: free WiFi, cheap food, easy targets. But they are not such a great spot after all.

Presume all faces are scanned at airports, processed and stored. Becoming a “frequent face (FF)” doesn’t carry the same benefits as “frequent flyer.” You have been warned.

April 26, 2017

How Do Hackers Live on $53.57? (‘Hack the Air Force’)

Filed under: Cybersecurity,Government,Security — Patrick Durusau @ 4:27 pm

I ask because once you get past the glowing generalities of USAF Launches ‘Hack the Air Force’:

Let the friendly hacking fly: The US Air Force will allow vetted white hat hackers and other computer security specialists root out vulnerabilities in some of its main public websites.

You find:


Reina Staley, chief of staff for the Defense Digital Service, notes that white-hat hacking and crowdsourced security initiatives are often used by small businesses and large companies to beef up their security. Payouts for Hack the Air Force will be made based on the severity of the exploit discovered, and there will be only one payout per exploit.

Staley notes that the DoD’s Hack the Pentagon initiative, which was launched in April 2016 by the Defense Digital Service, was the federal government’s first bug bounty program. More than 1,400 hackers registered to participate, and DoD paid $75,000 in bounties.

“In the past, we contracted to a security research firm and they found less than 20 unique vulnerabilities,” Staley explains. “For Hack the Pentagon, the 1,400 hackers found 138 unique vulnerabilities, most of them previously unknown.”

Kim says Hack the Air Force is all about being more proactive in finding security flaws and fixing them quickly. “While the money is a draw, we’re also finding that people want to participate in the program for patriotic reasons as well. People want to see the Internet and Armed Forces networks become safer,” he says.

Let’s see, $75,000 split between 1,400 hackers, that’s $53.57 per hacker, on average. Some got more than average, some got nothing at all.

‘Hack the Air Force’ damages the defensive cybersecurity labor market by driving down the compensation for cybersecurity skills. Skills that take time, hard work, talent to develop, but the Air Force devalues them with chump change.

I fully agree with anyone who says government, DoD or Air Force cybersecurity sucks.

However, the Air Force chose to spend money on valets, chauffeurs for its generals, fighter jets that randomly burst into flames, etc., just as they chose to neglect cybersecurity.

Not my decision, not my problem.

Want an effective solution?

First step, “…use the free market Luke!” Create an Air Force contact point where hackers can anonymously submit notices of vulnerabilities. Institute a reliable and responsive process that offers compensation (market-based compensation) for those finds. Compensation paid in bitcoins.

Bearing in mind that paying market rate and adhering to market reasonable responsiveness will be critical to success of such a portal. Yes, in a “huffy” voice, “you are the US Air Force,” but hackers will have something you need and cannot supply yourself. Live with it.

Second step, create a very “lite” contracting process when you need short-term cybersecurity audits or services. That means abandoning the layers of reports and graft of primes, sub-primes and sub-sub-primes, with all the feather nesting of contract officers, etc., along the way. Oh, drug tests as well. You want results, not squeaky clean but so-so hackers.

Third step, disclose vulnerabilities in other armed services, both domestic and foreign. Time spent hacking them is time not spent hacking you. Yes?

Until the Air Force stops damaging the defensive cybersecurity labor market, boycott the ‘Hack the Air Force’ at HackerOne and all similar efforts.

April 24, 2017

Metron – A Fist Full of Subjects

Filed under: Cybersecurity,Security,Semantics,Subject Identity — Patrick Durusau @ 8:22 pm

Metron – Apache Incubator

From the description:

Metron integrates a variety of open source big data technologies in order to offer a centralized tool for security monitoring and analysis. Metron provides capabilities for log aggregation, full packet capture indexing, storage, advanced behavioral analytics and data enrichment, while applying the most current threat-intelligence information to security telemetry within a single platform.

Metron can be divided into 4 areas:

  1. A mechanism to capture, store, and normalize any type of security telemetry at extremely high rates. Because security telemetry is constantly being generated, it requires a method for ingesting the data at high speeds and pushing it to various processing units for advanced computation and analytics.
  2. Real time processing and application of enrichments such as threat intelligence, geolocation, and DNS information to telemetry being collected. The immediate application of this information to incoming telemetry provides the context and situational awareness, as well as the “who” and “where” information that is critical for investigation.
  3. Efficient information storage based on how the information will be used:
    1. Logs and telemetry are stored such that they can be efficiently mined and analyzed for concise security visibility
    2. The ability to extract and reconstruct full packets helps an analyst answer questions such as who the true attacker was, what data was leaked, and where that data was sent
    3. Long-term storage not only increases visibility over time, but also enables advanced analytics such as machine learning techniques to be used to create models on the information. Incoming data can then be scored against these stored models for advanced anomaly detection.
  4. An interface that gives a security investigator a centralized view of data and alerts passed through the system. Metron’s interface presents alert summaries with threat intelligence and enrichment data specific to that alert on one single page. Furthermore, advanced search capabilities and full packet extraction tools are presented to the analyst for investigation without the need to pivot into additional tools.

Big data is a natural fit for powerful security analytics. The Metron framework integrates a number of elements from the Hadoop ecosystem to provide a scalable platform for security analytics, incorporating such functionality as full-packet capture, stream processing, batch processing, real-time search, and telemetry aggregation. With Metron, our goal is to tie big data into security analytics and drive towards an extensible centralized platform to effectively enable rapid detection and rapid response for advanced security threats.

Some useful links:

Metron (website)

Metron wiki

Metron Jira

Metron Git

Security threats aren’t going to assign themselves unique and immutable IDs. Which means they will be identified by characteristics and associated with particular acts (think associations), which are composed of other subjects, such as particular malware, dates, etc.

Being able to robustly share such identifications (unlike the “we’ve seen this before at some unknown time, with unknown characteristics,” typical of Russian attribution reports) would be a real plus.

Looks like a great opportunity for topic maps-like thinking.

Yes?

April 23, 2017

Anonymous Domain Registration Service [Update: 24 April 2017]

Filed under: Cybersecurity,Security — Patrick Durusau @ 6:47 pm

Pirate Bay Founder Launches Anonymous Domain Registration Service

Does this sound anonymous to you?


With Njalla, customers don’t buy the domain names themselves, they let the company do it for them. This adds an extra layer of protection but also requires some trust.

A separate agreement grants the customer full usage rights to the domain. This also means that people are free to transfer it elsewhere if they want to.

“Think of us as your friendly drunk (but responsibly so) straw person that takes the blame for your expressions,” Njalla notes.

Njalla

Perhaps I’m being overly suspicious but what is the basis for trusting Njalla?

I would feel better if Njalla only possessed a key that would decrypt (read authenticate) messages as arriving from the owner of some.domain.

Other than payment, what other interest do they have in an owner’s actual identity?

Perhaps I should bump them about that idea.


Update: On further inquiry, registration only requires an email or jabber contact point. You can handle being anonymous to Njalla at those points. So, more anonymous than I thought.
