More Certificate Authority Problems!

In the mist of  #antisec and on the heels of the Vegas Hacker/Security conferences, another CA (DigiNotar) was hacked.  This time the hackers got Google’s security certificates.   With that criminals could use a technique known as a Man in the Middle attack to impersonate google and nothing can stop them.  Personally i have heard @ioerror rant about the fundamental flaws of our present SSL system.  Perhaps this will help bring about a change more quickly but for now we can blacklist the offending certificates.  here is how (on a mac)

To protect Safari, the solution is, apparently, to run Applications/Utilities/Keychain Access, click on “System Root” on the upper-left, and “All items” on the lower-left, then type “DigiNotar” into the upper-right searchbox, then doubleclick on all the certs that show up (you may only have one), open the “Trust” detail area, and change “When using this certificate” to “Never Trust”, then close the dialog box.

For Firefox users, go to Firefox’s Preferences, click on Advanced, then the Encryption tab, then click on “View Certificates”, click on the “Authorities” tab, scroll down to DigiNotar, click on “DigiNotar Root or CA”, then click on “Delete…” or “Delete or Distrust…” below (depends on your version).

Read more here:
http://www.computerworld.com/s/article/9219606/Hackers_stole_Google_SSL_certificate_Dutch_firm_admits?taxonomyId=85

Vupen broke Google’s Sandbox!

After 3 straight years of pwn2own invincibility, someone finally bested all of chrome’s mighty security to downloaded and run code. French security research firm @vupen used two exploits to bypass ASLR, DEP, and leave the sandbox to run a calculator (in this demo). The calculator might be innocuous, but method is quite significant. Impressive work by the good guys.

Look ma, it runs android!

I finally got around to installed android on my old 2g. Thanks to the hard work from the guys over at http://iphodroid.com/ it’s easier then ever. here is a film i made of it booting up, enjoy. iphone-2g-boots-android or iphone-2g-boots-android-small.

since there is very little documentation on this, here is some quick advice:

  • Run 3.1.2 (not 3.1.3)
  • jailbreak with redsn0w or pwnagetool (not spirit).
  • install OpenSSH (leave default password)

Google, what are you searching for?

After watching their superbowl ad, i started searching for something i was very interested in.  Me.  I’ve had an internet presence since before altavista.digital.com.  I’m not hard to find, so i don’t imagine many people googling for me, but i was curious to what i would find.

Google Search for be3n

it made me wonder, what does google really know?  They’ve been indexing the internet all day every day for who know’s how long. . . just this week, you’ve visited my website 2400 times (that’s right, more robots then people read this).  When i googled myself, i found my twitter profile on top (not entirely surprised), followed by my be3n.com site “under construction” for years.  standard.  after that, what did i find?  Number three on google?  Any of my countless profiles on countless websites?  Any of my blog posts from here?  nah?  that’s too easy.  google hands you a 3 year old comment i left on a photograph from panoramio.

That comment is listed before any of my more active profiles.  It eventually lists my wikipedia user page and my last.fm profile, but that’s later.  somethingdotsomething.com barely makes the 2nd page.  Only after posts of leetspeak, Even though it is the most frequently updated site i’m involved with.  does google prefer consistency to freshness?  let me know what you think.

Zen cart no more!

After hours of trying to make my zen cart work again with google checkout.  I finally threw it away for a simple wordpress plugin.  Now i take credit cards again!  Super easy solution for anyone thinking of building a simple web store.

plugin site:  http://www.jasoncapshaw.com/blog/simple-google-checkout-cart-wordpress-plugin/
(although, somehow his blog has shifted from the geeky)