And that password is: <<< %s(un='%s') = %u.
Source: How to log into any backdoored Juniper firewall – hard-coded password published
How to log into any backdoored Juniper firewall – hard-coded password published
Reply
Star Wars and Empire Strikes Back despecialised editions
Swedish researchers reveal (fixable) security hole in quantum cryptography
The energy-time entanglement technology for quantum encryption studied here is based on testing the connection at the same time as the encryption key is created. Two photons are sent out at exactly the same time in different directions. At both ends of the connection is an interferometer where a small phase shift is added. This provides the interference that is used to compare similarities in the data from the two stations. If the photon stream is being eavesdropped there will be noise, and this can be revealed using a theorem from quantum mechanics – Bell’s inequality.
On the other hand if the connection is secure and free from noise, you can use the remaining data, or photons, as an encryption key to protect your message.
What the LiU researchers Jan-Åke Larsson and his doctoral student Jonathan Jogenfors have revealed about energy-time entanglement is that if the photon source is replaced with a traditional light source, an eavesdropper can identify the key, the code string. Consequently they can also read the message without detection. The security test, which is based on Bell’s inequality, does not react – even though an attack is underway.
Physicists at Stockholm University have subsequently been able to demonstrate in practical experiments that it is perfectly possible to replace the light source and thus also eavesdrop on the message.
But this problem can also be solved.
“In the article we propose a number of countermeasures, from simple technical solutions to rebuilding the entire machine,” said Jonathan Jogenfors.
Source: Swedish researchers reveal security hole
The First Person to Hack the iPhone Built a Self-Driving Car. In His Garage.
George Hotz is taking on Google and Tesla by himself,
Source: The First Person to Hack the iPhone Built a Self-Driving Car. In His Garage.
He’s sticking it to Elon Musk, who isn’t very happy about it!
Which is why they’ve issued a “correction” which sounds highly petulant.
BadWinmail (Flash) Microsoft Outlook Bug Can Give Attackers Control Over PCs
When a user opens an Outlook email or previews the email in one of the Outlook panels, the OLE mechanism will automatically read the embedded Flash object and try to execute it, to provide a preview.
Since most Flash exploits only need to be executed to work, and because there’s a flaw in the Outlook security sandboxing system, an attacker can easily embed malicious Flash objects inside emails and have other malicious code executed via older (Flash) vulnerabilities.
Source: BadWinmail Microsoft Outlook Bug Can Give Attackers Control Over PCs
Some Rainbows Don’t Have Every Color of the Rainbow: there are 12 types
There are at least 12 kinds of rainbows, a new study reveals, and some skip a color or two.
Since the 1950s, rainbow classification has been based on the size of the raindrops that create them. The bigger the drops, the more vivid the colors.
Another attempt organized them by the height of the sun above the horizon. At about 70 degrees, a rainbow is dominated by blues and greens. Closer to the horizon, there are mostly reds and yellows.
“At sunset or sunrise, the color of the sun and the intensity of the incoming light change dramatically,” Ricard said. When the sun is low in the horizon, rays of light must pass through more of the Earth’s atmosphere. “The red manages to go through,” he explained. “Other wavelengths are completely gone.”
Catch the Rainbows
To capture this rainbow diversity, Ricard and his colleagues gathered hundreds of pictures of rainbows, sorting them into 12 categories based on the visibility of the six colors, the strength of the dark band, and whether any supernumerary bands can be seen. One type lacks a band of green, for instance, another is missing blue and violet, and a third type has only red and blue.
The system is so simple that most anyone could look at a picture of a rainbow, put it in a class, and understand what’s going on, he said. A misty red rainbow, for instance, could only be created near sunrise or sunset with tiny raindrops.
Source: Some Rainbows Don’t Have Every Color of the Rainbow
RayZone InterApp: The Gadget That Can Spy on Any Smartphone
InterApp can allow its operators to break into nearby smartphones that have their WiFi connection open, and then, employing a diverse arsenal of security vulnerabilities, gain root permission on devices and exfiltrate information to a tactical server.
According to Rayzone, InterApp can steal a user’s email address password and content, passwords for social networking apps, Dropbox passwords and files, the user’s phone contact list, and his photo gallery.
Additionally, the gadget can also acquire the phone’s previous geographical locations and plot them on a map, IMEI details, MSISDN data, MAC address, device model, OS info, and personal information on the target, such as gender, age, address, education, and more.
Source: InterApp: The Gadget That Can Spy on Any Smartphone
Database leak exposes 3.3 million Hello Kitty fans
A database for sanriotown.com, the official online community for Hello Kitty and other Sanrio characters, has been discovered online by researcher Chris Vickery. The database houses 3.3 million accounts, and has ties to a number of other Hello Kitty portals.
The records exposed include first and last names, birthday (encoded, but easily reversible Vickery said), gender, country of origin, email addresses, unsalted SHA-1 password hashes, password hint questions, their corresponding answers, and other data points that appear to be website related.
Source: Database leak exposes 3.3 million Hello Kitty fans
The Secret Surveillance Catalogue
A source provided The Intercept with a secret, internal catalogue of cell-phone surveillance devices used by the military and intelligence agencies.
Source: The Secret Surveillance Catalogue
Juniper ScreenOS® contains unauthorised code, opens your VPNs
Project Zero: FireEye security appliance Exploited by passing jar file through it
FireEye sell security appliances to enterprise and government customers. FireEye’s flagship products are monitoring devices designed to be installed at egress points of large networks, i.e. where traffic flows from the intranet to the internet.
Source: Project Zero: FireEye Exploitation: Project Zero’s Vulnerability of the Beast
All you need to do is send the jar in an email or get someone to visit a site with the jar on it and you can modify the bios and get access to their network information.
Bionic eye will send images direct to the brain to restore sight via 500 pixel “display”
The plan is to implant up to 11 small tiles, each loaded with 43 electrodes, into areas of the brain that deal with vision. When these areas are stimulated, people report seeing flashes of light. Lowery believes that each electrode could create a dot of light that is similar to seeing one pixel. In total, the tiles will provide around 500 pixels – enough to create a simple image. Although this resolution is far cruder than the 1 to 2 million pixel image a normal eye can produce, it should restore the basic
Source: Bionic eye will send images direct to the brain to restore sight | New Scientist
Microsoft: Upgrade to Windows 10 NOW or TONIGHT!
The large pop-up screen, which first appeared over the weekend, gives users the option of upgrading straight away or … that evening. Users can still opt out by clicking on the red ‘X’ in the top right corner of the window, but less savvy computer users (part of Redmond’s core market segments) might not figure that out.
Source: Microsoft steps up Windows 10 nagging
Wow, guys, we don’t want your massive privacy invasion called Windows 10!
Machine Learning Inspired by Human Learning – AI can learn handwriting using a single example
Taking inspiration from the way humans seem to learn, scientists have created AI software capable of picking up new knowledge in a far more efficient and sophisticated way.
The new AI program can recognize a handwritten character about as accurately as a human can, after seeing just a single example. The best existing machine-learning algorithms, which employ a technique called deep learning, need to see many thousands of examples of a handwritten character in order to learn the difference between an A and a Z.
Source: Machine Learning Inspired by Human Learning | MIT Technology Review
Philips Hue will be kept open after all
Philips draait het besluit om zijn Philips Hue systeem niet langer open te stellen voor andere lampenleveranciers terug. Het bedrijf werkt aan nieuwe firmware, waarmee de veranderingen ongedaan worden gemaakt.
Source: Philips stelt zijn Hue systeem alsnog open voor derden – Emerce
Many complaints caused a turn around.
Congress strips out privacy protections from CISA ‘security’ bill
Under the original CISA legislation, companies would share their users’ information with federal government departments once it had been anonymized. The government could then analyze it for online threats, while the companies received legal immunity from prosecution for breaking existing privacy agreements.
But as the bill was amended, the privacy parts of the proposed law have been stripped away. Now companies don’t have to anonymize data before handing it over. In addition, the government can use it for surveillance and for activities outside cybercrime. And in addition, companies don’t have to report security failings even if they spot them.
Source: Congress strips out privacy protections from CISA ‘security’ bill
Privacy advocates like EU new privacy law proposal. Big business and advertisers not so much.
IAB Europe maakt zich grote zorgen over de nieuwe geharmoniseerde privacywetten die in 2018 van kracht worden in Europa. Ook Apple, Google, Microsoft en Nederland ICT zien economische hindernissen ontstaan.
Source: IAB: ‘Nieuwe privacywet maakt online branche kreupel’ – Emerce
Grub2 Authentication Bypass: press backspace 28 times
A vulnerability in Grub2 has been found. Versions from 1.98 (December, 2009) to 2.02 (December, 2015) are affected. The vulnerability can be exploited under certain circumstances, allowing local attackers to bypass any kind of authentication (plain or hashed passwords). And so, the attacker may take control of the computer.
Source: Back to 28: Grub2 Authentication Bypass 0-Day
Oops
Cox Is Liable for Pirating Subscribers, Ordered to pay $25 million
Internet provider Cox Communications is responsible for the copyright infringements of its subscribers, a Virginia federal jury has ruled. The ISP is guilty of willful contributory copyright infringement and must pay music publisher BMG $25 million in damages.
cox-logoToday marks the end of a crucial case that will define how U.S. Internet providers deal with online piracy in the future.
Following a two-week trial a Virginia federal jury reached a verdict earlier today (pdf), ruling that Cox is guilty of willful contributory copyright infringement.
The case was initiated by BMG Rights Management, which held the ISP responsible for tens of thousands of copyright infringements that were committed by its subscribers.
During the trial hearings BMG revealed that the tracking company Rightscorp downloaded more than 150,000 copies of their copyrighted works directly from Cox subscribers.
It also became apparent that Cox had received numerous copyright infringement warnings from Rightscorp which it willingly decided not to act on.
The case was restricted to 1,397 copyrighted works and a six-person jury awarded #25 million in damages. The award is lower than the statutory maximum, which would have been over $200 million.
Source: Cox Is Liable for Pirating Subscribers, Ordered to pay $25 million – TorrentFreak
Apart from the sum, which is amazing, the way the information was collected (downloading directly from subscribers) is in itself a form of piracy and therefore this evidence, being illegal, must be inadmissable?
MacKeeper leaks 13m customer records
Ted Cruz campaign using firm that harvested data on millions of unwitting Facebook users
Ted Cruz’s presidential campaign is using psychological data based on research spanning tens of millions of Facebook users, harvested largely without their permission, to boost his surging White House run and gain an edge over Donald Trump and other Republican rivals, the Guardian can reveal.
A little-known data company (Cambridge Analytica), now embedded within Cruz’s campaign and indirectly financed by his primary billionaire benefactor, paid researchers at Cambridge University to gather detailed psychological profiles about the US electorate using a massive pool of mainly unwitting US Facebook users built with an online survey.
Watch the Guardian’s sit-down interview with Ted Cruz: ‘Minorities suffer when police are vilified’As part of an aggressive new voter-targeting operation, Cambridge Analytica – financially supported by reclusive hedge fund magnate and leading Republican donor Robert Mercer – is now using so-called “psychographic profiles” of US citizens in order to help win Cruz votes, despite earlier concerns and red flags from potential survey-takers.
Source: Ted Cruz campaign using firm that harvested data on millions of unwitting Facebook users
MIT Creates messaging system which becomes unsniffable through chaffing data: Vuvuzela
Vuvuzela relies on dummy traffic to hide the real connections
Before it’s decided where to store its content, the message goes through different servers, which send out dummy traffic to all interconnected users.
The server notifies the recipient that there’s a message for them, the user then goes to retrieve it, also passing through different mailboxes to get at the message’s location. When a connection is made through one of these mailboxes by a recipient searching for their message, each of these servers sends out dummy network packets on the network.
With so much fake traffic, and with senders and recipients moving past their destinations to intentionally create even more fake traffic after they’ve left or retrieved the actual message, you can only imagine how much data an attacker would have to sniff out before getting a clue of who’s talking to whom.
MIT researchers claim that attackers can even infiltrate more than half of its mailbox network, but if at least one mailbox server is left intact, users will be able to safely communicate because of all the fake traffic.
Source: MIT Creates Untraceable Anonymous Messaging System Called Vuvuzela
Latest Philips Hue update closes the system, makes it impossible to connect other ZigBee lights
Haven’t they learned from Apple? Closing your system makes users run for more open products. Not a good idea, Philips, I’m not buying this anymore!
De laatste firmware-update voor de Philips Hue bridge brengt een onaangekondigde wijziging. Slimme lampen van andere fabrikanten kunnen niet langer gekoppeld
Source: Philips Hue wordt een gesloten systeem
UK citizens may soon need licenses to photograph some stuff they already own
Copyright strikes again, with photographers and publishers hit particularly hard.
Changes to UK copyright law will soon mean that you may need to take out a licence to photograph classic designer objects even if you own them. That’s the result of the Enterprise and Regulatory Reform Act 2013, which extends the copyright of artistic objects like designer chairs from 25 years after they were first marketed to 70 years after the creator’s death. In most cases, that will be well over a hundred years after the object was designed. During that period, taking a photo of the item will often require a licence from the copyright owner regardless of who owns the particular object in question.
Source: UK citizens may soon need licenses to photograph some stuff they already own
What is with these people? Are they determined to kill creativity and innovation? How can they possibly justify these kinds of period? Really? After the creator’s death? Why doesn’t the creator have to work daily like the rest of us? 5 years max, please. Nutters. This is an agenda being pushed by rich people who want to keep getting richer without having to do anything for it.
