truecrypt... and NSA?

i just got hold of an interesting document. let me quote it: As remarked in this table the Windows version of TrueCrypt 7.0a deviates from the Linux version in that it fills the last 65024 bytes of the header with random values whereas the Linux version fills this with encrypted zero bytes. From the point of view of a security analysis the behavior of the Windows version is problematic. By an analysis of the decrypted header data it can’t be distinguished whether these are indeed random values or a second encryption of the master and XTS key with a back door password. From the analysis of the source code we could preclude that this is a back door. For the readability of the source code this duplication of code which does the same thing in slightly different ways was however a great impediment. It certainly must also hamper the maintainability of the code. ...

October 19, 2013 · Łukasz Bromirski

polish assembly hall and security

on the upcoming thursday, 10th of october at 7pm i’ll do a short talk with Maciej Broniarz from Warsaw University about security from a not-so-typical point of view. please register and see you in Leon Koźmiński Academy hall.

October 6, 2013 · Łukasz Bromirski

Aegis at UW

Maciej Broniarz invited us to take part in a new security-focused conference. Aegis (just like Aegis - American integrated naval weapons system) will take place on 2nd and 3rd July at University of Warsaw. i hope that most of you will decide to take part in it, as judging from agenda. together with Maciej we’d like to also have a panel on DDoS attacks, and then we’ll deliver a session together - ‘security by duct tape’. in other words, we’re going to show you the best examples of security practices to avoid following. ...

June 19, 2013 · Łukasz Bromirski

IP network security

next thursday, april 11th, i’ll be visiting Warsaw University on invitation from Maciej Broniarz to have a chat about security from a service provider point of view. note it will be a mechanism and best practice related talk, not a vendor pitch. i’ll mention blackholing as well ;) i may have some gadgets and freebies to give away - so please prepare good questions and see you there!

April 3, 2013 · Łukasz Bromirski

DDoSes

the last CloudFlare DDoS demonstrated that 300Gbps is no longer some magic barrier for attackers. given such throughput, you can easily drop a country like Poland from the Internet. of course, concepts like ‘critical infrastructure’ and country financial stability immediately come to mind. i’ll be one of the panelists of RIPE 66 meeting dedicated to BCP 38. it’s one of the things (implementing BCP38!) that you just have to do, to make sure the internet is safer. of course closing open resolvers is another one. take care of your network hygiene! and big FIBs! and 100GE interfaces! ...

March 28, 2013 · Łukasz Bromirski

Cisco SECURE - 22/23 november

we’re back with a Cisco security-focused conference in the fall. during Cisco SECURE 2012 we’ll try to demonstrate the whole security architecture to you. during two full days of presentations, we’ll try to showcase all the interesting bits and pieces from our portfolio. we already have the agenda up, and i’ll be happy to present, along with Gaweł, our security solutions for cloud and data centers - including CSR 1000v, ASAv and other interesting products. ...

September 23, 2012 · Łukasz Bromirski

network neutrality?

i highly recommend this article from Wired. while we have to live with a situation where such wealthy people as Kaspersky himself can influence ITU decisions, we still can stand up and work to make the internet free and independent. it’s kind of naive of course, but the consequences of having too much money and power - frighten me again every day.

July 23, 2012 · Łukasz Bromirski

SOPA, PIPA and others...

if you visit Western portals or if you look into English-language wikipedia from time to time, you have noticed a significant protest happening today against the two legal acts US advocates want to introduce. the way it unfolds leads to a strong belief that controlling everything and everything (due to - of course - money) is the true goal. it presents an interesting point of view in a discussion on cloud technologies and their real application - take a look here to get some feeling about the scale of the games happening at an international level. even if you don’t like it, we already live to a large extent in the world perfectly portrayed in the ‘1984’ book. the question is just how much more we will give in the name of getting rich, or stated differently - when we finally notice as humanity that it is worth focusing on other things. other than money increasing on our bank accounts. ...

January 18, 2012 · Łukasz Bromirski

net neutrality

there’s a lot of discussion around net neutrality, as obviously the subject is currently still pretty hot. on the one side we have an enormous amount of money from the advertising business, spent in interesting, devious and - tempting way. on the other side, we have the ideal information society, in which all information is free from filtering, and available for all willing to read. we point to China, Iran or Saudi Arabia as bad examples, filtering all that their citizens can view using the Internet - but we all use google. the same Google, that for two PCs, depending on their source IP, browser, operating system - and what’s more interesting - depending on your cookies and your google profile (you logged off, right?) - shows different answers for the same query. personalization? but using your own money, dear internet user :) i highly recommend reading this book, and before it arrives, read this and this. ...

December 13, 2011 · Łukasz Bromirski

this is not the vulnerability you are looking for...

IPsec code in OpenBSD is a source of constant discussions. it seems there’s no reason to panic (and OpenBSD penetration is anyway minimal), but there’s a lot of interesting discussions and rumours around the code itself and its origin. in particular i’d recommend reading this short piece (and this tweet) with code references. they demonstrate for the n-th time that the OpenBSD team, and in particular Theo, is really building creative marketing and at the same time patching bugs silently without disclosing them. ...

January 16, 2011 · Łukasz Bromirski