Adam Caudill


Why would somebody do that to Eric?

This post was imported from an old blog archive, and predates the creation of AdamCaudill.com.

It seems the personal web site of Eric Sink has been hacked & defaced. Why? What drives people to do such heartless acts? Eric takes his valuable time to help so many people and share his valuable insight, and some miscreant hacker wannabe comes along and does this. It’s wrong, in so many ways, it’s just wrong.

While checking my favorite blogs early this morning, I clicked the bookmark taking me to his site; needless to say, I was stunned. As of this writing the site has been pulled offline. It’s really sad to see this happen. I wish Eric the best of luck in getting everything cleaned up. Hope to see this great resource back online soon.

Update: It seems that this is how that attack happened, and based on a quick Google search, it shows around 1,500 hosts that have been hit so far.
