Jacob Prystowsky
 
+Christopher Meid
- https://www1.informatik.uni-erlangen.de/frost
- possibly a vulnerability in the system that allows access to RAM (that would be unexploitable if the attacker had to cold boot, but may be exploitable if the system is running).
 
Exciting. Simple end-to-end OpenPGP for all!
 
 
http://truecrypt.sourceforge.net/

The TrueCrypt devs have suddenly ceased development after many years and declared their product unfit for security use. The original page has been set to redirect to SourceForge, containing data migration instructions. They've released a new binary offering non-create access to TC volumes.

This doesn't smell like a prank or a "hack" to me. This does smell possibly like a warrant canary (http://goo.gl/73i6Zf), which would be the best possible case. Either way, it's sad -- this was possibly the only accepted, reasonably FOSS-like whole drive/virtual drive/deniable encryption tool we had.

Hopefully the community can come together and fill this new void with a freer and better tool. And I hope that the TrueCrypt devs are safe if they've been compromised, and if this is a canary, I thank them for their service.

H/t various hacker friends and others.
 
It will be interesting to see how they implement OpenPGP if they do.
 
Will PGP encryption be an option for #Gmail users? http://bit.ly/1iDlOvb
Google wants to make it easier for Gmail users to encrypt their emails, according to a report in VentureBeat. PGP has been an open-source encryption standard for nearly 20 years, but usability...

Jacob Prystowsky
owner

Discussion  - 
 
Anyone up for the challenge?
 
+CloudFlare believes the Heartbleed OpenSSL vulnerability will not allow your private SSL keys to be compromised after all. While still dangerous, this would make Heartbleed not as dangerous as initially thought.

In two weeks of testing, the company has been unable to successfully access private keys with Heartbleed, suggesting the attack may not be possible at all.

CloudFlare is willing to put their research to the test in a pretty public way. Their service: https://www.cloudflarechallenge.com/heartbleed is unpatched and vulnerable. They're asking hackers and crackers from around the globe to try and compromise their private SSL key.

It will be interesting to see how this plays out.

via +The Verge 
 
Disaster - I should have crossed them harder! 

Jacob Prystowsky

Shared publicly  - 
 
Please do not adjust your screen. The disappearance of data is intentional, and it will continue.

I have grown weary of the constant bickering and circle-jerking that is social media and the 24 hour news cycle, now seemingly one and the same. It is an insidious time suck, designed to trick you into divulging far more than you should so that large entities can predict your actions.

As a technology professional, I have serious concerns about where this all is heading, and as a human, I am tired of the endless divisiveness and distraction.

Someday, I hope, women and men of all shapes, sizes, colors, and temperaments will realize that they are all more or less the same. Until then, as we are manipulated into fighting one another, we shall collectively reap what we have sown.
 
+Eric Davis You distinguish between the government and major corporations? :)

Jacob Prystowsky
owner

Vulnerabilities/Weaknesses  - 
 
 
Early ChangeCipherSpec (TLS) attack: http://bit.ly/1hfqt8l  - you know the drill, update your servers to OpenSSL 1.0.1h... pronto!

"If a ChangeCipherSpec message is injected into the connection after the ServerHello, but before the master secret has been generated, then ssl3_do_change_cipher_spec will generate the keys (2) and the expected Finished hash (3) for the handshake with an empty master secret. This means that both are based only on public information. Additionally, the keys will be latched because of the check at (1) - further ChangeCipherSpec messages will regenerate the expected Finished hash, but not the keys."
 
This is why I like ArchLinux: Stuff like this gets updated so damn fast, it's often before it hits the news.

Jacob Prystowsky
owner

Discussion  - 
 
 
A nice human-readable explanation of padding oracle cipher attacks. Don't be the next ASP.net!

Jacob Prystowsky
owner

Group News  - 
 
Happy 1,000 members! Welcome to all of the newcomers, and thank you to everyone who has helped grow this community from the ground up. Here's to the next 1,000!
 
This relates to the previous discussion of Chrome's strange behavior regarding revoked certs.
 
NOTE: If you are using Google Chrome, read this article. If you don't want to read the article, go to the last paragraph and do what it says.
In the aftermath of Heartbleed, it has become clear that revoking potentially compromised certificates is essential. On Thursday, CloudFlare announced it was
 
+Harry Smith I haven't seen either of those specifically. Thanks!
 
 
Critical OpenSSL security bug shows why all websites need perfect forward secrecy.
 
Has there been any serious review of the crypto-js library? Concerns about browser-based crypto aside (not that they're not critical -- they are), does anyone know how well respected/reviewed this lib is, or if there are better ones that have had more serious analysis?
 
https://github.com/bitwiseshiftleft/sjcl <- This should be OK
http://www.w3.org/TR/WebCryptoAPI/ - NOT stable

However, I know nothing about any reviews of crypto-js.