Tuesday, August 12, 2014

Nerd News: LastPass Back Up

LastPass has been down for a while, but according to LastPass and other reports it should be back up, though there may still be some issues.

Sounds like they only use 2 datacenters, or maybe even only a single primary one with a "backup".
"Update: 1:28 pm EST

Though one of our data centers remains completely down, the service is generally stable and should be available to the majority of users (with the exception of login favicons). Some users may see connection errors but should still be able to access their data. We continue to work as quickly as possible to get the service back to 100%. "
       Source http://blog.lastpass.com/

"Aug 12, 2014 - One of LastPass' datacenters has been down since 3:57am EDT. The service is now running fully off one Herndon VA datacenter and we have been engaged with our provider all morning. Currently favicons/sprites are impacted. We are doing what we can to minimize the impact and apologize for the inconvenience. "

       Source https://lastpass.com/status.php

Also http://www.isitdownrightnow.com/lastpass.com.html 

For LastPass users who want an offline fallback for this type of problem in future, consider LastPass Pocket.

This is the LastPass help page specifically about offline access: https://helpdesk.lastpass.com/password-manager-basics/your-lastpass-vault/offline-access-to-your-lastpass-vault/

Monday, August 11, 2014

Def Con 21: "Pentesting with an Army of Low-power Low-cost Devices"

Couldn't go to Def Con 22 and am waiting for the VODs to come out, so I started watching some of the Def Con 21 YouTube videos in the meantime.

I like this one about pen testing with cheap ARM devices by Dr. Philip Polstra, aka Dr. Phil the Hacker; his Twitter is ppolstra | https://twitter.com/ppolstra.

He uses the BeagleBone Black as the starting point for his hardware.

Some useful links:
For new readers of my blog, I have labels at the bottom left of every post & selected labels on the left side of the blog to help find related posts.

These labels can be bookmarked so you can check just the topics you're interested in; for more posts like this you could click on:

Security & Hacking: The Matasano Crypto Challenges

Really cool: the Matasano Crypto Challenges are "a collection of 48 exercises that demonstrate attacks on real-world crypto."

They're designed to teach real crypto attacks by doing, which is great for improving the security of code you write, or for getting an idea of what pen testing or malicious hacking involves.

Very good review, worth reading in its own right, here: https://blog.pinboard.in/2013/04/the_matasano_crypto_challenges/

Note that in the Pinboard review the original link for the Matasano Crypto Challenges wasn't updated after a server move; the current working link (I have the correct link at the top of this blog post as well) is http://web.archive.org/web/20140213141638/http://www.matasano.com/articles/crypto-challenges/
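As an added illustration of the kind of exercise the challenges contain (this is example code written for this post, not code from Matasano or the challenge files), here is a break of single-byte XOR and then of repeating-key XOR using nothing but English letter frequencies, which is how the first set of exercises builds up. The plaintexts, keys and frequency table are constructed for the example; the approach generalises to any ciphertext whose plaintext is reasonably English-like.

```python
"""Breaking single-byte and repeating-key XOR with English frequency scoring.
Added example for this post; not code from Matasano or the challenge files.
Keys, plaintexts and the frequency table are constructed for illustration."""
from itertools import cycle

# Approximate English letter and space frequencies used to score candidate plaintexts.
ENGLISH_FREQ = {
    "a": 0.082, "b": 0.015, "c": 0.028, "d": 0.043, "e": 0.127, "f": 0.022,
    "g": 0.020, "h": 0.061, "i": 0.070, "j": 0.002, "k": 0.008, "l": 0.040,
    "m": 0.024, "n": 0.067, "o": 0.075, "p": 0.019, "q": 0.001, "r": 0.060,
    "s": 0.063, "t": 0.091, "u": 0.028, "v": 0.010, "w": 0.024, "x": 0.002,
    "y": 0.020, "z": 0.001, " ": 0.130,
}

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; encryption and decryption are the same operation."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def english_score(text: bytes) -> float:
    """Higher is more English-like: letters/spaces add their frequency weight, control and
    non-ASCII bytes subtract 1. The penalty also rejects the 'case-flipped' key
    (true key ^ 0x20), under which every space decrypts to a NUL byte."""
    score = 0.0
    for b in text:
        c = chr(b).lower()
        if c in ENGLISH_FREQ:
            score += ENGLISH_FREQ[c]
        elif (b < 32 and b not in (9, 10, 13)) or b > 126:
            score -= 1.0
    return score

def break_single_byte_xor(ct: bytes) -> tuple[int, bytes, float]:
    """Try all 256 key bytes; return (key, plaintext, score) of the best-scoring guess."""
    best = (0, b"", float("-inf"))
    for k in range(256):
        pt = xor_bytes(ct, bytes([k]))
        s = english_score(pt)
        if s > best[2]:
            best = (k, pt, s)
    return best

def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two byte strings (compared up to the shorter)."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def guess_keysize(ct: bytes, lo: int = 2, hi: int = 20, tolerance: float = 0.1) -> int:
    """Guess the key length from ciphertext alone. Adjacent blocks of the true key size
    differ only where the plaintext differs; misaligned blocks also pick up the XOR of two
    different key bytes, so their normalised Hamming distance is higher. Multiples of the
    true size score about as well, so return the smallest size within `tolerance` of the minimum."""
    scores = {}
    for size in range(lo, hi + 1):
        blocks = [ct[i:i + size] for i in range(0, len(ct) - size + 1, size)]
        if len(blocks) < 2:
            break
        pairs = list(zip(blocks, blocks[1:]))
        scores[size] = sum(hamming(x, y) for x, y in pairs) / (len(pairs) * size)
    if not scores:
        raise ValueError("ciphertext too short to estimate key size")
    best = min(scores.values())
    return min(size for size, s in scores.items() if s <= best + tolerance)

def collapse_key(key: bytes) -> bytes:
    """If the recovered key repeats (key size was guessed as a multiple), shrink it."""
    for period in range(1, len(key)):
        if len(key) % period == 0 and key == key[:period] * (len(key) // period):
            return key[:period]
    return key

def break_repeating_key_xor(ct: bytes) -> tuple[bytes, bytes]:
    """Guess the key size, then solve each key byte on its own: the bytes it encrypted
    (every size-th ciphertext byte) form a plain single-byte XOR cipher."""
    size = guess_keysize(ct)
    key = bytes(break_single_byte_xor(ct[i::size])[0] for i in range(size))
    key = collapse_key(key)
    return key, xor_bytes(ct, key)

# Constructed sample inputs for this example (not taken from the challenge files).
SINGLE_PT = b"Frequency analysis beats a single key byte every time"
SINGLE_KEY = 0x5A
SINGLE_CT = xor_bytes(SINGLE_PT, bytes([SINGLE_KEY]))
REPEATING_PT = (
    b"The Matasano crypto challenges teach attacks by doing: you implement each one "
    b"yourself, watch it work on real ciphertext, and only then read about why it works. "
    b"Repeating key XOR is the first real break in the series. The key size leaks through "
    b"the Hamming distance between ciphertext blocks, because two blocks encrypted under "
    b"the same key bytes differ only where the underlying plaintext differs, while blocks "
    b"that are misaligned also pick up the difference between the key bytes themselves. "
    b"Once the key size is known, every key byte can be attacked on its own as a plain "
    b"single byte XOR cipher, using nothing more than English letter frequencies."
)
REPEATING_KEY = b"R5m!X"
REPEATING_CT = xor_bytes(REPEATING_PT, REPEATING_KEY)

if __name__ == "__main__":
    k, pt, _ = break_single_byte_xor(SINGLE_CT)
    print(f"single-byte key 0x{k:02x}: {pt.decode()}")
    key, pt = break_repeating_key_xor(REPEATING_CT)
    print(f"repeating key {key!r}: {pt[:60].decode()}...")
```

Run it directly to see both keys recovered. The two things worth noticing are the key-size guess, where multiples of the true size score about as well as the true size on the normalised Hamming distance (hence taking the smallest size within a small tolerance and collapsing a key that turns out to be periodic), and the scorer's penalty on control bytes, which is what rules out the otherwise plausible case-flipped key (key ^ 0x20) by turning every space into a NUL.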

Wednesday, June 11, 2014

Hope? Federal Appeals Court ruled Police need Warrant for cell phone location history

"For the first time, a federal appeals court has ruled that law enforcement must obtain a warrant to get people’s phone location histories from their cell service companies."
Source & full article at https://www.aclu.org/technology-and-liberty/first-time-appeals-court-rules-warrant-required-cell-phone-location-tracking

PDF of the ruling itself at https://www.aclu.org/sites/default/files/assets/q_davis_opinion_0.pdf

A little hope; my understanding is that this ruling would only apply within the jurisdiction of the court that made it, and I suspect governments (local/state/federal?) will appeal.

Security & Hacking: Windows Patch Tuesday Reminder

In case you forgot, yesterday was patch Tuesday for Windows.

There are some critical fixes in this batch; for quick details on Patch Tuesdays I always recommend Brian Krebs's posts: http://krebsonsecurity.com/2014/06/adobe-microsoft-push-critical-security-fixes-4/

Excellent match from SPL2014: Maru vs effOrt

Jinair vs CJ series, Maru vs effOrt match.

Great game, I really liked seeing a Zerg that uses Overlords more effectively than the typical Zerg.

Don't want to spoil it, so no more comments for now.

Thursday, May 29, 2014

Snowden responds to email NSA released via ICON

I blogged here about the supposedly only email the NSA could find in which Snowden seemed to be following procedure for complaints, concerns, & whistleblowing.

I had more than one sad chuckle reading Snowden's response at The Washington Post http://www.washingtonpost.com/world/national-security/edward-snowden-responds-to-release-of-e-mail-by-us-officials/2014/05/29/95137e1c-e781-11e3-afc6-a1dd9407abcf_story.html

As I speculated in my previous blog post, Snowden realized the official system wasn't designed to correct problems.

He states that in the article linked above.

More telling, he mentions other specific correspondence that they certainly have:

"Today’s release is incomplete, and does not include my correspondence with the Signals Intelligence Directorate’s Office of Compliance, which believed that a classified executive order could take precedence over an act of Congress, contradicting what was just published. It also did not include concerns about how indefensible collection activities - such as breaking into the back-haul communications of major US internet companies - are sometimes concealed under E.O. 12333 to avoid Congressional reporting requirements and regulations."

Source for the quote is the same as the link at the top: http://www.washingtonpost.com/world/national-security/edward-snowden-responds-to-release-of-e-mail-by-us-officials/2014/05/29/95137e1c-e781-11e3-afc6-a1dd9407abcf_story.html

Sure sounds to me like Snowden's focus is to bring accountability to the NSA & other agencies under the DNI: http://en.wikipedia.org/wiki/Director_of_National_Intelligence

I'd also suggest reading http://www.emptywheel.net/2014/05/29/snowdens-emailed-question-addresses-one-abuse-revealed-by-his-leaks/

TrueCrypt Alternatives

Updated: Wanted to add https://www.grc.com/misc/truecrypt/truecrypt.htm; the green shaded box (scroll down a little) shows correspondence from the devs of TrueCrypt.

TL;DR: Confirms that this was just an odd way of quitting.


For the couple of people who might have missed the drama with TrueCrypt, see http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/

TL;DR: Looks like the people behind TrueCrypt are done supporting it & suggest people use something else; additionally, the version released with this announcement only decrypts previously encrypted data, it won't encrypt.

In light of this situation, many people are looking for alternatives; the best list I have found so far, though I know very little about the suggestions, is http://www.ghacks.net/2014/05/29/list-truecrypt-encryption-alternatives/

Security & Hacking: NSA & Snowden email correspondence

http://icontherecord.tumblr.com/post/87218708448/edward-j-snowden-email-inquiry-to-the-nsa-office is the link for the most recently released email, released by the NSA, of the correspondence between Snowden & the Office of General Counsel.

[Edited to add: Strange that they released this email; they had claimed Snowden's emails were exempt from FOIA & that they didn't have records, because he was never an NSA or CSS employee? See https://www.muckrock.com/foi/united-states-of-america-10/edward-snowden-employeecontractor-reviewsagreements-5971/]

He asks for some clarification about Executive Orders, namely that they are of lesser authority than federal statutes.

In addition to the email, IC On The Record states that they can't find any other evidence that Snowden was trying to fix problems through official procedures or channels.

Based on this statement:
"There are numerous avenues that Mr. Snowden could have used to raise other concerns or whistleblower allegations. We have searched for additional indications of outreach from him in those areas and to date have not discovered any engagements related to his claims."
It seems clear they (the Executive Branch of the government) are continuing to portray Snowden as someone who refused to follow correct procedures and just wanted some personal gain or revenge.

That doesn't fit the facts very well.

Consider that Snowden turned over the document collection to the reporters he had decided to trust, and refused to dictate the agenda.

He certainly could have released fewer documents, or only documents that targeted what he wanted revenge against, or even sold the documents.

He didn't do that.

Funny thing is, many of the claims of government officials & politicians have repeatedly been proven to be false by the documents released so far.

Not to mention court cases that had been dismissed because standing couldn't be proved until the documents Snowden released were published by reporters. In other words, Snowden enabled the courts to actually provide a check on the Executive branch of government, including the NSA, like they are supposed to.

More on US Separation of Powers:

More on IC On The Record, according to info on their site http://icontherecord.tumblr.com/post/58838654347/welcome-to-ic-on-the-record: "Created at the direction of the President of the United States, IC ON THE RECORD provides immediate, ongoing and direct access to factual information related to the lawful foreign surveillance activities carried out by the U.S. Intelligence Community."

Despite that data, some still try to claim Snowden did this for fame/notoriety or out of spite.

I suppose that is possible based on the evidence we have so far, but it doesn't seem targeted, or focused, with that as a primary goal.

Also, based on the pattern of denials by the government followed by documentation that proves those denials false, I wouldn't be surprised if documentation eventually surfaces showing that Snowden did attempt to resolve at least some issues through official means.

Need to remember that Snowden seems smart; it's one of the most frequent comments from people who meet him.

Note that smart people tend to learn quickly; I doubt it would have taken many failed attempts to fix things through official means for Snowden to realize those means were designed to maintain the status quo, not fix things.

Being a smart nerd, he would have then searched for some way to fix that problem.