…
Presumably, this means that keyloggers can detect that you’re typing a password by observing that the sequence of keypresses has high entropy. I believe this is an actual technique that’s used to identify password-like strings from a disk dump (although I’m unable to find the reference right now). However, I didn’t think it made sense in the keylogging context, and indeed someone who says he’s looked at a lot of keylogger data confirms that detecting when a password is typed is fairly trivial, regardless of what kind of characters your password uses.
A researcher at the ShmooCon hacker conference yesterday demonstrated how BlackBerry applications can be used to expose sensitive information without the use of exploits. Tyler Shields, senior researcher for Veracode’s Research Lab, also released proof-of-concept source code for a spyware app he created and demonstrated at the hacker confab in Washington, DC, that forces the victim’s BlackBerry to hand over its contacts and messages and can grab text messages, listen in on the victim, as well as track his physical location via the phone’s GPS.
via @amberbaldet via @infil00p via @oxbloodruffin
I wish that I could use a stronger password for this site. 8 characters are NOT enough.
Response (Gaurav Sharma) 02/06/2010 05:53 AM
Thank you for your email regarding your online password.
I would like to inform you that our website has a 128 bit encryption. With this base, passwords that comprise only letters and alphabets create an algorithm that is difficult to crack. We discourage the use of special characters because hacking software can recognize them very easily.
The length of the password is limited to 8 characters to reduce keyboard contact. Some software can decipher a password based on the information of “most common keys pressed”.
Therefore, fewer keys punched in a given frame of time lessen the possibility of the password being cracked.
Moreover, American Express is committed to protecting the privacy and security of all of our Cardmembers, both on-line and off-line. We believe that our current security measures, which include our sophisticated monitoring systems to detect unusual or fraudulent card activity, provide strong, ongoing protections for our Cardmembers.
Rest assured, I have forwarded your comments to our webmaster for review. During this review, we may contact you if additional information is required.
We value your membership and wish goodness and health to you and your family.
Sincerely,
Gaurav Sharma
Email Servicing Team
American Express Interactive Services
O_o
As the Android kernel code is now gone from the Linux kernel, as of the 2.6.33 kernel release, I’m starting to get a lot of questions about what happened, and what to do next with regards to Android. So here’s my opinion on the whole matter… First off, let me say that I love the Android phone platform. Until last week, I used my developer G1, that I bought, every day. It worked wonderfully for me, and as a user, I was more than happy. I’m also very happy about Android from a technical perspective. It’s amazing that Google has taken the Linux kernel, and nothing else from a “traditional” Linux system, and created a portable and robust phone platform. It’s so different that you can drop in a “real” Linux system image on top of the Android system, and they both work just fine with no changes needed.
1. Kill injured monsters first
When facing multiple bad guys, the temptation is to go after the one who’s hitting you hardest. This is often a mistake. That injured razorback, the one who is running away? He’ll be back in 15 seconds, likely with other baddies in tow. So take a few clicks to kill him now. Once he’s dead, you can focus completely on the guy who’s smacking you.
The real world may not have druids and paladins, but it’s chock full of monsters. They’re called “term papers” and “errands” and “mysterious car problems.” At any given moment, there may be one monster that looms larger than all of the others, who clearly needs to be attacked. But before you do, look around for injured monsters — the half-finished tasks that probably need only a few more minutes to complete. If you don’t deal with them now, they’ll be a constant distraction, and may eventually come back stronger.
As I continue to research and write my upcoming book on wikis, I keep hearing one word over and over again. That word is “BUT” (complete with all-caps), as in, “I would like to use a wiki, BUT…” or “We tried using a wiki, BUT…” What follows is usually an excuse for why the speaker feels that a wiki isn’t a worthwhile tool for collaboration in his or her environment. I use the word “excuse” deliberately, because rarely does anyone articulate an actual business reason, such as a lack of need. When I ask deeper questions, I invariably find that the objection isn’t to the wiki technology itself, but instead to the concept of collaborative authoring and a perceived loss of control over the content.
Secretary of State Hillary Clinton’s announcement of a new U.S. policy on global Internet Freedom included a bold new statement about the responsibilities of American technology companies:
“…We are urging U.S. media companies to take a proactive role in challenging foreign governments’ demands for censorship and surveillance. The private sector has a shared responsibility to help safeguard free expression. And when their business dealings threaten to undermine this freedom, they need to consider what’s right, not simply what’s a quick profit.”
We couldn’t agree more. While Clinton focuses on media companies — meaning Internet media companies like Google, Yahoo! and Microsoft — there are plenty of other companies deserving scrutiny. Specifically, many U.S. (and multinational) technology companies may be knowingly selling Chinese authorities the surveillance equipment used to commit or facilitate human rights abuses. We think it’s high time to pay attention to them as well.
If you’re a registered broker or work for firm that sells any sort of investment products, you’ll want to think twice before blurting out anything that could be construed as investment advice on Facebook, Twitter, or any other social networking site. The Financial Industry Regulatory Authority (FINRA) has updated its guidelines for interpreting the rules that govern how brokers present advice to the public to cover online social networks; and, in some cases, the guidelines rely on social network monitoring and archiving technology that doesn’t even exist yet.
When Google launched Extensions for Chrome in December, they had around 300 of them ready to go in their gallery. A day later, that number was already up to 500. By now, there are a few thousand available, and that number just got multiplied several times over, as Google has announced that the latest official version of Chrome, version 4, now natively supports Greasemonkey user scripts.
Easily the most-viewed post at krebsonsecurity.com so far has been the entry on a cleverly disguised ATM skimmer found attached to a Citibank ATM in California in late December. Last week, I had a chance to chat with Rick Doten, chief scientist at Lockheed Martin’s Center for Cyber Security Innovation. Doten has built an impressive slide deck on ATM fraud attacks, and pictured below are some of the more interesting images he uses in his presentations.
Having done several years of Flash development and having worked with many Flash developers, the recent controversy between Apple and Adobe over Flash on the iPad is very amusing to me. First, there are a few arguments that I want to address directly:
A major hurdle to producing fusion energy using lasers has been swept aside, results in a new report show. The controlled fusion of atoms - creating conditions like those in our Sun - has long been touted as a possible revolutionary energy source. However, there have been doubts about the use of powerful lasers for fusion energy because the “plasma” they create could interrupt the fusion. An article in Science showed the plasma is far less of a problem than expected. The report is based on the first experiments from the National Ignition Facility (Nif) in the US that used all 192 of its laser beams. Along the way, the experiments smashed the record for the highest energy from a laser - by a factor of 20.
Late Wednesday evening, Google employees posted an “Internet-Draft” outlining proposed changes to the DNS protocol that allow authoritative DNS servers to see the addresses of clients. This way, geographically distributed content delivery networks can tailor their answers to a specific client’s network location. So a client from California would talk to a server in California, while a client in the Netherlands would talk to a server in the Netherlands.
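As an added illustration (not part of the original post or of Google's draft), the Python below encodes and decodes the EDNS client-subnet option in the wire layout later standardized as RFC 7871; the option code and field layout are assumed to match that RFC rather than the 2010 draft, and the client addresses are constructed sample values. It shows that what the authoritative server learns is controlled by the prefix length the resolver chooses: only the leading bits of the client address are sent, the rest is zeroed.

```python
import ipaddress
import struct

# Option code registered for EDNS Client Subnet in RFC 7871 (assumption: the
# 2010 draft used an experimental code, but the field layout is the same idea).
ECS_OPTION_CODE = 8


def encode_ecs(client_ip: str, source_prefix: int) -> bytes:
    """Build one EDNS option: CODE, LENGTH, FAMILY, SOURCE PREFIX-LENGTH,
    SCOPE PREFIX-LENGTH (0 in a query), then ceil(prefix/8) bytes of address.
    Bits beyond source_prefix are zeroed, so a /24 hides the host part."""
    ip = ipaddress.ip_address(client_ip)
    family = 1 if ip.version == 4 else 2
    if not 0 <= source_prefix <= ip.max_prefixlen:
        raise ValueError("prefix length out of range for address family")
    network = ipaddress.ip_network(f"{ip}/{source_prefix}", strict=False)
    addr_bytes = network.network_address.packed[: (source_prefix + 7) // 8]
    body = struct.pack("!HBB", family, source_prefix, 0) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def decode_ecs(option: bytes) -> dict:
    """Parse an ECS option as a resolver or authoritative server would,
    rejecting malformed lengths rather than trusting them."""
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError("not an ECS option")
    body = option[4:4 + length]
    if len(body) != length or length < 4:
        raise ValueError("truncated option")
    family, source_prefix, scope_prefix = struct.unpack("!HBB", body[:4])
    addr_bytes = body[4:]
    if family == 1:
        full_len, cls = 4, ipaddress.IPv4Address
    elif family == 2:
        full_len, cls = 16, ipaddress.IPv6Address
    else:
        raise ValueError("unknown address family")
    if len(addr_bytes) != (source_prefix + 7) // 8:
        raise ValueError("address length does not match prefix length")
    padded = addr_bytes + b"\x00" * (full_len - len(addr_bytes))
    return {"family": family, "source_prefix": source_prefix,
            "scope_prefix": scope_prefix, "address": str(cls(padded))}
```

Decoding the option encoded from a constructed client 198.51.100.77 with a /24 yields 198.51.100.0, which is all the authoritative server sees.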
As we continue our collective foray into the brave new world of social networking, we keep learning the same lesson over and over again: don’t post photos of yourself doing stupid things. This is doubly true if said stupid thing is illegal, as yet another intellectually challenged Facebook user has discovered.

