Tuesday 27 April 2010

security

I am the first to admit I am a sad geek. When I saw this the other day it made me laugh, possibly a little too much; http://abstrusegoose.com/262
What follows is a computer security debate on a fictional character in a fictional universe, I apologise in advance.
Now I have to debate this. I always thought of R2D2 as the ultimate in automated hacking. AI that is constantly writing vulnerabilities, heck he probably has a virtual Imperial System running in his hardware to throw test code at. That and he had physical access to a data port, ala USB, so he may have known some nice little direct memory injections or even a kind of side channel attack if the system was one big computer (which it seems to be) he could have been detecting key inputs from other terminals via power fluctuations in the data port.
If it was a network, he could have known some protocol vulnerability or remote code exec that the good old pompous "no one will be able to get to that vulnerable access port on our space station" Empire would not bother patching, can you imagine the amount of patching the empire would have to do though.

If we take the monolithic single computer per vessel approach (which leaves no room for redundancy) you have at its peak 25000 Star Destroyers, 12 Super star destroyers and around 3 million other vessels (tie fighters, Corvettes, Gunships, Transports, and the Death Star). So let’s say 3 million huge computers, that probably can't be patched while in service, so will only be patched when in for maintenance at a dock, leaving lots of time for Vulnerabilities to be discovered, and vulnerabilities on a non-segregated duty single monolithic computer would be awesome, initiate self destruct anyone?

If we take the multi-computer networked approach (which seems more likely with what we know that the hyper drive computer needed time to spin up and that droids seem independent). A Star Destroyer had about 5000 members in its crew, and the Super Star Destroyer and Death Star about 300,000 crew, we will say the smaller craft had an average of 10 crew (tie fighters, Corvettes, Gunships, and Transports). So that means a total number of service men and women of about 160million, they probably work 3 8 hour shifts a day plus some to cover weekends, so maybe a quarter of those have actual workstations, but there would be servers and central computers, so say 80million computers, plus about 10million network devices near on impossible to have 100% patch rollout on a network of that size, give someone physical access to that network and they will get in somewhere, especially if that someone is a precocious little blue and white droid.

Sources; http://starwars.wikia.com

Thursday 15 April 2010

Altassian and Apache are related?

A very good write up of the impressive attack that was carried out on these two groups; http://www.zdnet.com.au/hackers-use-atlassian-to-compromise-apache-339302448.htm
It is good that this underlines the real power of an XSS, I have heard people dismiss XSS and this will be good to pull out at times like that. But it wasn't just XSS it was a co-ordinated multi-pronged attack. Work of real pro's. Just goes to show if someone wants in badly enough they will get in.
I know some of the people at Altassian and I would say that unfortunately they got attacked by a better opponent. No one is infallible. It is good though how Altassian handled it then how Apache handled the resultant attack. I would say Altassian was the target because of the donation to Apache, it made them a target.

Oh yeah and I have said it before and I will say it again, I hate URL shortening services they should all die in a fire, if twitter wants to stick to the 140 characters (which is a good thing) move to putting URL's in the page as a simple html link that goes at the bottom ala the way Facebook does it.

Feel like donating to me, Bitcoin; 1BASSxgFZ2j8VfXFrWJHNvYdQXDtJKAUuN or Ethererum; 0x2887D4B4fe1a7162D260CeA7E1131AF8926bd87F