Super Volatile

Krzysztof Szafranek's link blog

Hi, I'm Krzysztof and I make websites.
When I'm not making websites, I read these.
Aug 6 / 1:07am

Black Hat hacker details lethal wireless attack on insulin pumps

Radcliffe, who is a diabetic with a wireless, always-attached insulin pump, was slightly worried that someone might hack his pump, meddle with its settings, and kill him — and so, in true hacker fashion, he has spent the last two years trying to hack it himself. Unfortunately, he was very successful. He managed to intercept the wireless control signals, reverse them, inject some fake data, and then send it back to the pump. He could increase the amount of insulin injected by the pump, or reduce it. In both cases the pump showed no signs of being tampered with, and it did not generate a warning that he was probably about to die.

On one hand, it's scary. On the other hand, will this experiment really make the world a safer place? Or will it rather introduce a new fear and encourage some idiots to really try to repeat the exercise? If it took the guy two years to hack the pump, it probably wasn't a threat that would invite serious black hat hackers. Especially since there are more effective ways to kill people.

Filed under: health   security  
Jul 15 / 9:32am

Permissions For Web Applications

Traditionally Web applications are untrusted, treated as potentially malicious, and hence "sandboxed" to deny them the ability to affect the user's system or access user data. As we add capabilities to the Web platform, we sometimes encounter situations where legitimate applications want functionality that must be denied to malicious applications. A natural solution is to ask the user whether such requests should be permitted.

Robert O'Callahan of Mozilla compares the usability of the permission models of Android and web browsers.

Filed under: android   security   usability   web applications  
Jun 23 / 11:27pm

Microsoft: no way to support WebGL and meet our security needs

Three main concerns are enumerated in the post: WebGL exposes too much sensitive, privileged, or unhardened code to the Web; depends too heavily on third-party code for security; and is too susceptible to denial of service attacks. The first of these is perhaps most significant. Video hardware and video drivers are traditionally only exposed to relatively "trusted" code—programs that the user has explicitly chosen to install. Display drivers are notoriously unstable and buggy, and developers of 3D software have to go to quite some effort to ensure their programs do not use (or misuse) the 3D hardware in such a way as to cause problems.

Microsoft refuses to implement WebGL, giving security as a reason. Interestingly, it's not an issue for every other browser out there and even for Microsoft's very own Silverlight... It's worth reading the response of the VP of Technology at Mozilla, Mike Shaver.

Filed under: microsoft   security   webgl   webstandards  
May 29 / 10:35pm

Do not let your domain expire with Google Apps - Ben Reyes's posterous

The issue still exists as a wider problem with domains. I still could have accessed the person's Amazon account using a wildcard email address. The lesson is no less serious, don't let your domains expire with your accounts attached to them.

The article demonstrates how scary the consequences of domain expiration are. It doesn't only affect Google Apps. Have you thought about what will happen if the email address you used to register on a thousand websites is taken by somebody else? Or expires?

Filed under: security  
May 25 / 10:03pm

Apple's iOS 4 hardware encryption has been cracked

Russian company ElcomSoft is claiming to have cracked the 256-bit hardware encryption Apple uses to protect the data on iOS 4 devices, and is offering software that allows anyone to do it.
more on geek.com

On the bright side, it's good to know that my data has always been encrypted.

Filed under: iphone   security  
May 6 / 11:27pm

Anonymous: Sony is incompetent (and we don't steal credit cards)

While it could be the case that other Anons have acted by themselves, AnonOps was not related to this incident and takes no responsibility for it. A more likely explanation is that Sony is taking advantage of Anonymous' previous ill-will towards the company to distract users from the fact the outage is actually an internal problem with the company's servers.

While it's still unclear who exactly attacked Sony's servers, Sony put some part of the blame on Anonymous.

Filed under: security   sony  
May 1 / 9:51pm

There's more to HTML escaping than &, <, >, and "

Escaping &, <, >, ", ', , !, @, $, %, (, ), =, +, {, }, [, and ] is almost enough

All those characters up there (including the space character!) can be used to break out of an unquoted HTML attribute value. If you escape every last one of them, then you’re probably pretty close to being safe. But you’re still not so safe that you can just start throwing around user input willy nilly.

Why? Because this still doesn’t cover some context-specific cases like inserting user input into the body of an inline <script> element or using user input as part of a URL.

more on wonko.com

I have yet to see an application or library that escapes all these characters. Nevertheless, the article is an interesting read.

Filed under: security   webdevelopment  
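
The unquoted-attribute case from the excerpt above, as an added example that is not from the linked article or this blog: an escaper limited to &, <, > and " lets a space and an = start a second attribute, while encoding every non-alphanumeric character as a numeric character reference does not. The function names and the simplified start-tag scanner are assumptions made for the demonstration, and it covers only the attribute context, not inline <script> bodies or URLs.

```javascript
// Added example; all names here are illustrative, not from the linked article.

// Escapes only &, <, > and " (the set the headline says is not enough).
function escapeMinimal(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
  return String(s).replace(/[&<>"]/g, (c) => map[c]);
}

// Encodes every character except ASCII letters and digits as a numeric
// character reference, so space, =, quotes, backticks etc. become inert.
function escapeAttr(s) {
  return Array.from(String(s), (ch) =>
    /[A-Za-z0-9]/.test(ch) ? ch : `&#x${ch.codePointAt(0).toString(16)};`
  ).join('');
}

// Simplified start-tag scanner: returns attribute names the way an HTML
// parser would split them (unquoted values end at whitespace or >).
function attributeNames(tag) {
  const start = /^<[A-Za-z][A-Za-z0-9]*/.exec(tag);
  if (!start) return [];
  const attr = /\s+([^\s=>\/"']+)(?:=(?:"[^"]*"|'[^']*'|[^\s>]*))?/y;
  attr.lastIndex = start[0].length;
  const names = [];
  let m;
  while ((m = attr.exec(tag)) !== null) names.push(m[1]);
  return names;
}

// Constructed input: no &, <, > or ", yet it carries a space and an =.
const userInput = 'x title=injected';

function demo() {
  return {
    unquotedMinimal: attributeNames(`<input value=${escapeMinimal(userInput)}>`),
    unquotedEncoded: attributeNames(`<input value=${escapeAttr(userInput)}>`),
    quotedMinimal: attributeNames(`<input value="${escapeMinimal(userInput)}">`),
  };
}

console.log(demo());
```

Quoting the attribute value is what makes the four-character escaper sufficient in that one context; the full encoder holds whether or not the template author remembered the quotes.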
Mar 28 / 11:35pm

It's Time to Fix HTTPS

Global PKI, as currently implemented in browsers, does not work.

An article explaining problems with Public Key Infrastructure and proposing an alternative based on TOFU/POP: Trust On First Use; Persistence of Pseudonym. Ironically, while sharing this presentation on Posterous I did get a security warning in my browser.

Filed under: security  
Jan 2 / 3:40pm

Breaking GSM With a $15 Phone … Plus Smarts

Speaking at the Chaos Computer Club (CCC) Congress here Tuesday, a pair of researchers demonstrated a start-to-finish means of eavesdropping on encrypted GSM cellphone calls and text messages, using only four sub-$15 telephones as network “sniffers,” a laptop computer and a variety of open source software.
more on wired.com

The GSM standard contains some large loopholes that can be exploited. The article compares its current state to “the age of innocence” of computer networks in the 1990s, before security was taken more seriously.

Filed under: mobile   security  
Dec 22 / 2:27pm

Open ID Is A Nightmare

People would login successfully once, pay for a subscription, then login later and the sub would be gone. Turns out that Yahoo and Google have a different idea about what Open ID is supposed to do - because the Identifier used for these users would change based on... some voodoo (sorry, but that's all I can deduce).

All of a sudden Google (by far our most popular provider) would change the token (the encrypted value on the end of the Open ID) and boom - you're completely lost to us. We have no other way of knowing who you are - and more than once I've had to track people by their PayPal accounts (we track the transaction ids - which we can look up through PayPal to find out who you are).

Open ID was touted as a solution to the web authentication hassle. It turned out to introduce its own problems, however, as this story shows.

Filed under: openID   security