Gatekeeper
Via MacObserver's John F. Braun comes this chilling tale of a fundamental flaw in Apple Inc.'s Mac OS X Gatekeeper, and how to apply apropos bandaidery, as it were...
Sunday Security Maxim
Be Afraid, Be Very Afraid Maxim: If you’re not running scared, you have bad security or a bad security product. Comment: Fear is a good vaccine against both arrogance and ignorance. - as compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Google Creates Quantum Chip →
News, via Wired's Robert McMillan, of trouble in paradise. In this case, an error-prone quantum computational platform the search leviathan Google Inc. (NasdaqGS: GOOG) is running, down yonder in Mountain View...
"The crux of the problem is a phenomenon called bit-flipping. This happens when some kind of interference—cosmic rays, for example—causes the bits stored in memory to “switch state”—to jump from a 0 to a 1 or vice versa. On a PC or a server, error correction is relatively easy." - via Wired's Robert McMillan
- Image depicts a D-WAVE branded quantum computational device
Saturday Security Maxim
Arrogance Maxim: The ease of defeating a security device or system is proportional to how confident/arrogant the designer, manufacturer, or user is about it, and to how often they use words like “impossible” or “tamper-proof”. - as compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Bad Decisions At Oracle
Meanwhile, in idiotic-decisions-made-by-a-Fortune-500-Company news... Quite likely one of the world's largest software publishers, Oracle Corporation (NYSE: ORCL), has been installing adware along with the Java SE Runtime and other Java applications on user machines. Evidence of Greed or just Bad Decisions, you be the judge. In this case, when installing the Java bits, the ASK.com toolbar is loaded onto the unfortunate victim's machine (users can opt out, but it is not an easy choice to make).
"Tests on a Mac running the latest OS X release proved Oracle's newest Java installer will tack on the Ask extension to both Google's Chrome browser and Apple's Safari, using what some may consider deceptive practices. The option to install Ask is selected by default, meaning users proceeding through installer pop-ups are unlikely to notice the adware until they open a new browser window. Once installed, Ask's extension points the browser's homepage to Ask.com and inserts the Ask toolbar just below the address bar." - via AppleInsider
Rubbing Out FREAK →
News, via iMore's Rene Ritchie, of the latest attack vector on iOS - monikered FREAK (aka "Factoring RSA Export Keys"). Plans to rub it out early next week, in the midst of Apple Inc.'s (NasdaqGS: AAPL) latest iOS update process, have been published. Better late than never, eh?
Ristić Releases OpenSSL Cookbook 2nd Edition →
News, via Ivan Ristić, announcing the availability of his latest reference work - OpenSSL Cookbook, 2nd Edition. Published at no cost to you, simply traverse the open interwebs to FeistyDuck to download your free copy in EPUB, PDF or Kindle/MOBI formats. You can also read the document on-line.
Google Initiates Attack Site Reporting
Via Anthony Freed, writing at Norse Corporation's Darkmatters blog, comes this better-late-than-never tale of Google Inc.'s (NasdaqGS: GOOG) effort to warn users of attack sites prior to the user opening up the miscreant's page.
Uber's Private DB Key On Public GitHub Page →
Meanwhile, in Blatant Stupidity news, ArsTechnica's Dan Goodin writes of the latest Uber misstep. This time, Uber decided to store an encrypted database's PRIVATE KEY (anecdotally, the DB contained sensitive data for at least fifty thousand of the company's drivers) on a GitHub public page. Apparently, there may have been a wee bit of confusion as to what a PRIVATE KEY is, in relation to a PUBLIC KEY, within Uber's apparently crack IT department... Oops.
Verne, Cryptologist →
In which we are enthralled by Le Bon Professeur Jules Verne. Via a typically superb post crafted by Nick Pelling at his Tremendous Cipher Mysteries site; further, by way of a fascinating article in the United States Army Signal Corps Bulletin of April to June 1940 detailing Monsieur Verne's predilection for both transposition and Vigenère ciphers. Outstanding.
Sunday Security Maxim
Thanks for Nothin’ Maxim: A vulnerability assessment that finds no vulnerabilities or only a few is worthless and wrong. - as compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Saturday Security Maxim
Infinity Maxim: There are an unlimited number of security vulnerabilities for a given security device, system, or program, most of which will never be discovered (by the good guys or bad guys).
Comment: This is probably true because we always find new vulnerabilities when we look at the same security device, system, or program a second or third time, and because we always find vulnerabilities that others miss, and vice versa. - as compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
QOTD Sadserver
'Statistically speaking it's more likely for you to be mauled by a bear than for you to properly secure WordPress.' - via @Sadserver - today's Quote of the Day.