Security and the Net

News and opinions about security, the internet and more

iPhone 3GS encryption “useless”?

Wired has a report about the iPhone 3GS encryption feature. Jonathan Zdziarski is quoted as saying the encryption is basically worthless; while that quote alone wouldn’t normally attract my attention, the article has a lot of details that should make a lot of businesses think twice about relying on the “wipe my phone” feature. [Read the rest of this entry…]

92% of Flash users affected by 0-day hole?

Secunia released some interesting statistics last week; according to their numbers, at least 92% of the people using their PSI scanner that have Flase Player installed are running a version that is affected by the zero-day attack that was recently discovered. The real number might be even higher; they didn’t release combined numbers for users that had Flash 9 or Flash 10 installed.


Meanwhile, Adobe is warning users to “[..] exercise caution in browsing untrusted websites.” While being cautious when browsing the web is good advice in general, I’d suggest disabling or deinstalling Flash Player entirely until Adobe releases a patch. The scheduled release date for a fixed Flash Player 10 is next thursday.

IPv6: downsides of a larger address space

With the increasing uptake of the new IPv6 internet protocol, people are starting to notice some of the downsides of the larger amount of IP addresses that will become available. An excellent example are the MTU issues Geoff Huston wrote about earlier this year, and as IPv6 adoption increases more problems are likely to appear. The number of IPv6 addresses in use is growing rapidly:


The current address assignment policies for IPv6 addresses suggest that every internet connection should be assigned at least a “/64” subnet; this includes home computers that currently receive only a single IP address. A /64 subnet contains 18.446.744.073.709.551.616 addresses; and if that isn’t enough, it’s recommended to assign companies a /48 subnet (65536 /64 subnets!), and the same for individual users.

While this is all very nice (it removes the need for NAT, doesn’t require you to get a “business-grade” connection to get multiple IP address, et cetera), it also raises some new issues. I recently talked to a provider of anti-spam services that foresaw some major issues for blacklists. Even if the blacklists list only complete /64 subnets instead of single hosts, a typical enduser might be listed 65536 times; it might make sense for malware to try sending from a different subnet if too much delivery attempts are blocked. This makes the storage requirements for the blacklists explode, making operating them much more expensive.

In addition to that, the use of blacklists with IPv6 will also put more load on DNS servers; right now a typical lookup looks like this: For an IPv6 address, the standard is to use the hexadecimal notation for the address; for example:

This means DNS traffic to the DNSBL servers will increase, and so will the amount of memory needed for storing the responses. Because most machines will be using a public IP address, instead of entire networks being NATed to a single IP, there will be more of these lookups as well, and to make matters even worse most machines will be using privacy extensions. Since IPv6 privacy extensions make every machine change it’s IP address regulary, there will appear to be even more hosts for which DNSBL lookups are needed.

My personal expectation is that a mass migration to IPv6 will mean the end of free DNSBL services; has already thrown in the towel and SORBS is currently having difficulties finding a hosting location. Which, in turn, will leave more mail for everyone to sort through.


Browser Security Lessons from the Chrome team

ACM Queue has just added a new paper by Charles Reis, Adam Barth and Carlos Pizano. It expands upon the information published earlier about the effectiveness various browsers’ update mechanisms, adding information about the measures taken to keep users from visiting malicious websites and, more importantly, the ways in which they prevent the inevitable bugs in their browser from being exploited.


[Read the rest of this entry…]

New guess about YouTube losses

New research by analyst firm RampRate suggests that a previous report by Credit Suisse that claimed YouTube was losing over a million dollars a day was based on wrong assumptions. The number RampRate arrives at is way lower; they estimate a loss of $174.2 million a year.


[Read the rest of this entry…]

Belgian government releases source code for election software

The Belgian government has just released the source code for the software used in the 2008 elections to the public. The news was first reported by the Open Source Observatory & Repository Europe; the files are presented in two zipfiles that contain mostly C and C++ source code. [Read the rest of this entry…]

50 ways to inject your SQL

No, this is not a list of 50 ways to inject SQL; it’s a link to a “50 ways to leave your lover” parody.

The singer won’t win any awards for this performance, but the lyrics are great!

Evade the regex, Rex
Encode it all in hex
Unbalance the quotes, Vinod
And change the query

Break the syntax, Max
Use a backslash, Cash
Try command shell, Mel,
And change the query

Should Twitter manage their own hosting?

As several news articles made clear yesterday, Twitter depends on NTT for hosting its website. They have only been with NTT for about a year now; the move there was announced in february of last year.

While the move was part of their efforts to make their service more reliable, yesterday’s maintenance issue shows that sooner or later this will cause them problems. There are reports that the State Department contacted NTT to keep Twitter online because its important role for the protesters in Iran; if they hadn’t stepped in there would have been a chance that the site had been taken offline temporarily due to maintenance by NTT. [Read the rest of this entry…]

Spammers are stupid

I just found the funniest comment I’ve ever seen in my moderation queue. It appears the spammer didn’t quite understand his automated comment-spam-posting software, so he posted his entire template instead:

Hi Fellow Blogger, I’ve never posted before, {but|only} your article was so {good|genuine} I just had to {stop|come} in and say GREAT JOB :) ! P.S. Two thumbs up the wife is wacking me to tell she loves it to!

Seriously, if you can’t even post spam properly, it’s time for a career change! It’s not even clear to me what website he’s trying to promote, because he forgot to fill in that field as well…


Apple admits Mac OS users can get viruses

It’s taken them several years to finally get to this point, but Apple has acknowledged that Mac users are not immune from viruses. During WWDC, their Mac OS security page was updated with the following text:

mac_virus_notice [Read the rest of this entry…]