Why Android SSL was downgraded from AES256-SHA to RC4-MD5 in late 2010

An Android developer has uncovered convincing evidence that Google inexplicably and deliberately dumbed-down Android’s SSL security.

“The change from the strong OpenSSL cipher list to a hardcoded one starting with weak ciphers is either a sign of horrible ignorance, security incompetence or a clever disguise for an NSA-influenced manipulation – you decide!”

Android is using the combination of horribly broken RC4 and MD5 as the first default cipher on all SSL connections. This impacts all apps that did not care enough to change the list of enabled ciphers (i.e. almost all existing apps). This post investigates why RC4-MD5 is the default cipher, and why it replaced better ciphers which were in use prior to the Android 2.3 release in December 2010.

via Why Android SSL was downgraded from AES256-SHA to RC4-MD5 in late 2010.
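The post says the problem hits every app that left the default enabled-cipher list alone. The usual fix on the app side is to wrap the platform `SSLSocketFactory` and re-order the enabled suites on each socket, strongest first, dropping RC4 and MD5 outright. The code below is an added illustration of that wrapper, not code from the linked post or from Android itself; the class name is hypothetical and the suite names in `PREFERRED` are assumed JSSE-style names that must be checked against what `getSupportedCipherSuites()` reports on the actual device.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Hypothetical wrapper that hardens the cipher list of every socket it hands out. */
public final class PreferredCipherSocketFactory extends SSLSocketFactory {

    // Preferred order, strongest first. These are assumed JSSE-style names;
    // verify them against getSupportedCipherSuites() on the target platform.
    private static final String[] PREFERRED = {
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
    };

    private final SSLSocketFactory delegate;

    public PreferredCipherSocketFactory(SSLSocketFactory delegate) {
        this.delegate = delegate;
    }

    /** True for suites we never want enabled: RC4, MD5, NULL, export-grade, single DES, anonymous DH. */
    static boolean isWeak(String suite) {
        String u = suite.toUpperCase();
        return u.contains("RC4") || u.contains("MD5") || u.contains("NULL")
            || u.contains("EXPORT") || u.contains("_DES_") || u.contains("ANON");
    }

    /** Builds the enabled list: preferred suites first (in our order), then any other non-weak supported suite. */
    static String[] selectSuites(String[] supported) {
        List<String> sup = Arrays.asList(supported);
        List<String> out = new ArrayList<>();
        for (String s : PREFERRED) {
            if (sup.contains(s)) out.add(s);
        }
        for (String s : supported) {
            if (!out.contains(s) && !isWeak(s)) out.add(s);
        }
        return out.toArray(new String[0]);
    }

    private Socket harden(Socket s) {
        if (s instanceof SSLSocket) {
            SSLSocket ssl = (SSLSocket) s;
            ssl.setEnabledCipherSuites(selectSuites(ssl.getSupportedCipherSuites()));
        }
        return s;
    }

    @Override public String[] getDefaultCipherSuites() { return selectSuites(delegate.getSupportedCipherSuites()); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return harden(delegate.createSocket(s, host, port, autoClose));
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return harden(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(String host, int port, InetAddress local, int localPort) throws IOException {
        return harden(delegate.createSocket(host, port, local, localPort));
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return harden(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(InetAddress host, int port, InetAddress local, int localPort) throws IOException {
        return harden(delegate.createSocket(host, port, local, localPort));
    }

    /** Offline demo on a constructed "supported" list mimicking a default that leads with RC4-MD5. */
    public static void main(String[] args) {
        String[] constructedDefault = {
            "SSL_RSA_WITH_RC4_128_MD5",
            "SSL_RSA_WITH_RC4_128_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_AES_256_CBC_SHA",
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
            "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
        };
        System.out.println(Arrays.toString(selectSuites(constructedDefault)));
        // Expected order: AES-256, AES-128, then 3DES; both RC4 suites and the export suite are dropped.

        // Install globally for HttpsURLConnection in an app:
        HttpsURLConnection.setDefaultSSLSocketFactory(
            new PreferredCipherSocketFactory(HttpsURLConnection.getDefaultSSLSocketFactory()));
    }
}
```

The check that matters here is the second loop in `selectSuites`: re-ordering alone is not enough, because a negotiating peer can still pick RC4-MD5 if it remains anywhere in the enabled list, so weak suites are removed rather than merely demoted.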

Waking Up Tired? Blame Electricity

Fascinating.

Our internal clocks are drifting out of sync, and indoor lighting may be to blame. A new study suggests that just a few days in the great outdoors puts us back in tune with the solar cycle, and reconnecting with the sun could make us less drowsy.

Electricity has given us the freedom to choose our bedtimes; staying up after dark is as easy as flipping a light switch. But we pay a price for this luxury, says integrative physiologist Kenneth Wright of the University of Colorado, Boulder, who led the new study. People with later bedtimes and wake times are exposed to more artificial light and less sunlight, he says, which means their bodies aren’t getting the natural cues humans once relied on.

via Waking Up Tired? Blame Electricity | Science/AAAS | News.

NSA’s $2B Spy Center is Going Up in Flames

Whoopsie.

The National Security Agency’s $2 billion mega spy center is going up in flames. Technical glitches have sparked fiery explosions within the NSA’s newest and largest data storage facility in Utah, destroying hundreds of thousands of dollars worth of equipment, and delaying the facility’s opening by one year. And no one seems to know how to fix it.

Within the last 13 months, at least 10 electric surges have each cost about $100,000 in damages, according to documents obtained by the Wall Street Journal. Experts agree that the system, which requires about 64 megawatts of electricity (that’s about a $1 million a month energy bill), isn’t able to run all of its computers and servers while keeping them cool, which is likely triggering the meltdowns.

via $2 Billion NSA Spy Center is Going Up in Flames | The Fiscal Times.

Photographing a Color Run Will Destroy Your Camera Gear–Don’t Do It

Yikes! This color run powder is nasty stuff on camera lenses. Imagine what it must do to your lungs!

If there hasn’t been a Color Run 5k or 10k race near you, there probably will be soon. And with all that color, you certainly want to take some pictures, right? Not with your camera you don’t.

I’m never one to worry much about lens dust, but the color bombs they throw out at Color Runs are different. In the last month my lens rental business has had over 20 lenses and several cameras nearly ruined by these things. For what it’s worth, all of the renters tell us they really weren’t near any of the major ‘color bombs.’

via Photographing a Color Run Will Destroy Your Camera Gear–Don’t Do It.

Latest Casualty Of NSA Spying Revelations: Web Advertising Based On Tracking Users

I’m so trendy.

As we’ve noted before, Edward Snowden’s revelations about the globe-spanning spying being conducted by the NSA are having all sorts of interesting knock-on consequences. Here’s another: people are starting to worry about being tracked by online advertisers, and taking action to avoid it.

via Latest Casualty Of NSA Spying Revelations: Web Advertising Based On Tracking Users | Techdirt.

Becoming a flasher

Now that our daughter’s in middle school and is involved with extra-curricular activities we needed to get her her own phone, so she inherited my smartphone as I upgraded mine. Having a new phone has provided me the opportunity to try out something I’d been meaning to do for a while: flash my phone with an open-source version of Android.

What’s the worst that can happen? Well, flashing a new ROM onto your phone can turn your sophisticated pocket computer into an expensive doorstop. Known as “bricking” your phone, a mistake in the process can make it inoperative. Fortunately, there are plenty of guides which walk you through the process as well as simple “one-click” programs which will do the dirty work for you. And even if you goof up, you can almost always fix things up again.

Linux Weekly News discusses 2003 Linux kernel attempted hack

Here’s a technical explanation from a Linux Weekly News contributor on the 2003 Linux Kernel hack.

An attempt to backdoor the kernel
[Posted November 6, 2003 by corbet]

The mainline 2.4 and 2.6.0-test kernels are both currently maintained in BitKeeper repositories. As a service for those who, for whatever reason, are unable or unwilling to use BitKeeper, however, the folks at BitMover have set up a separate CVS repository. That repository contains the current code and the full revision history. It is not, however, the place where new changes are committed. So, when somebody managed to push some changes directly into CVS, Larry McVoy noticed quickly.

Over the years, people have had numerous things to say about BitKeeper and the people behind it. Nobody, however, has accused them of being insufficiently careful. Every change in the CVS repository includes backlink information tying it to the equivalent BitKeeper changesets. The changes in question lacked that information, and thus stood out immediately.

Revisiting a 2003 attack on the Linux kernel

Back in 2003, someone tried and failed to plant a security exploit into the Linux kernel code in a sophisticated and well-thought-out operation. In light of yesterday’s revelations of NSA teams actively working to weaken software security, this incident from a decade ago raises some questions.

It also highlights why having the source code to your software is the only way to be sure it’s secure.

An unknown intruder attempted to insert a Trojan horse program into the code of the next version of the Linux kernel, stored at a publicly accessible database.

Security features of the source-code repository, known as BitKeeper, detected the illicit change within 24 hours, and the public database was shut down, a key developer said Thursday.

An intruder apparently compromised one server earlier, and the attacker used his access to make a small change to one of the source code files, McVoy said. The change created a flaw that could have elevated a person’s privileges on any Linux machine that runs a kernel compiled with the modified source code. However, only developers who used that database were affected–and only during a 24-hour period, he added.

via Attempted attack on Linux kernel foiled – CNET News.

US and UK spy agencies defeat privacy and security on the internet

Shocking, or long suspected?

The files show that the National Security Agency and its UK counterpart GCHQ have broadly compromised the guarantees that internet companies have given consumers to reassure them that their communications, online banking and medical records would be indecipherable to criminals or governments.

The agencies, the documents reveal, have adopted a battery of methods in their systematic and ongoing assault on what they see as one of the biggest threats to their ability to access huge swathes of internet traffic – “the use of ubiquitous encryption across the internet”.

via US and UK spy agencies defeat privacy and security on the internet | World news | The Guardian.