
News of a new vulnerability in SSL/TLS has been making the rounds today. I first noticed it over at Slashdot, which had a link to the guy who discovered the vulnerability, Ben Laurie, a member of the Shmoo Group. You can read his post about the vulnerability here.

In a nutshell (and with as little IT speak as possible), a special set of circumstances results in a server attempting to “renegotiate” the certificate that enables the client to communicate in an encrypted manner with the server. During this renegotiation a gap exists that allows an attacker to insert a plaintext header that allows the attacker to insert themselves in between. The client then sends their encrypted information to the “man in the middle”, who then forwards it on to the server. In effect, two different encrypted sessions are then established: one between the client and the rogue server, and another between the rogue server and the victim server.

This impacts other protocols which depend on SSL/TLS, such as the widely used HTTPS protocol. A patch for OpenSSL that prohibits all renegotiation has been released and an official patch is expected soon. If your site depends on renegotiation to work, then there is no alternative for you at the moment.
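As an added illustration (not code from the original post or from OpenSSL), the toy model below shows why a server that reads data from before and after a renegotiation as one stream is exposed, and what a patch that prohibits all renegotiation changes. It involves no real TLS and no network; the class, function, header and path names are hypothetical and the sample requests are constructed.

```python
# Toy model (no real TLS, no network). All names and sample data are
# hypothetical and constructed for illustration.

class RenegotiationRefused(Exception):
    """Raised by the patched model when a peer asks to renegotiate."""


class ToyServer:
    def __init__(self, allow_renegotiation):
        self.allow_renegotiation = allow_renegotiation
        self.buffer = b""      # application bytes seen on this connection
        self.handshakes = 0

    def handshake(self):
        # The first handshake opens the session; any later one is a renegotiation.
        if self.handshakes >= 1 and not self.allow_renegotiation:
            raise RenegotiationRefused("renegotiation disabled")
        self.handshakes += 1

    def receive(self, data):
        # The flaw being modelled: the buffer is not reset on renegotiation,
        # so bytes from before and after it are parsed as one request.
        self.buffer += data

    def request(self):
        return self.buffer.decode()


def run_scenario(allow_renegotiation):
    """Return the request the server ends up parsing, or None if it refused."""
    server = ToyServer(allow_renegotiation)
    # Constructed sample: the first session sends an unfinished plaintext header.
    server.handshake()
    server.receive(b"GET /attacker-chosen-path HTTP/1.1\r\nX-Ignore: ")
    try:
        # The client's handshake is relayed and looks like a renegotiation.
        server.handshake()
    except RenegotiationRefused:
        return None            # patched behaviour: nothing is spliced together
    # Constructed sample: the client's genuine request with its credentials.
    server.receive(b"GET /home HTTP/1.1\r\nCookie: session=VICTIM\r\n\r\n")
    return server.request()


if __name__ == "__main__":
    print("renegotiation allowed:", repr(run_scenario(True)))
    print("renegotiation refused:", repr(run_scenario(False)))
```

With renegotiation allowed, the server parses the injected prefix and the client's credentials as a single request; with it refused, the second handshake fails and the two are never joined.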

Red Cliff

Not sure how this escaped my radar for so long, but the upcoming American release of John Woo’s latest film is based on the story of the Three Kingdoms.  The film is named Red Cliff, and it looks hawt.
If you’ve never played any of the Romance of the Three Kingdoms or Dynasty Warrior games, then you are missing out.  I spent hours as a kid playing the original RotTK on Nintendo, and many since playing the newer versions of each.
Sadly, upon further inspection of the release locations, my city is sadly missing.  A road trip to California may be in my future.

Review: Pandorum

Pandorum is the recently released sci-fi thriller starring Dennis Quaid and Ben Foster.  It is the story of a space ship bound for an Earth-like planet to start fresh after humanity has run out of resources on Earth.

The movie opens up with Foster waking up inside his sleep chamber, and anyone who has ever played a video game is instantly right at home.  The entire movie is practically begging to be a video game, and is probably the closest you will get to a Dead Space movie without it being the real thing.  Likewise, many parts reminded me of the Silent Hill movie, also based on a video game.

Foster wakes his commanding officer up, Dennis Quaid, and they try and discover why they were woken up and why no one was there to greet them.  As they explore, they run into various denizens of the ship, including mutated humans trying to eat them.  Foster runs into several other humans who he convinces to help him in his goal of restarting the reactor before complete power is lost, all the while trying to avoid being eaten alive.

My opinion of these types of movies is a bit nuanced.  Hard for me to pass up any space-themed movie regardless of content, but I have a pretty love-hate relationship with horror movies.  As a twenty-eight-year-old man, I am not above putting my fingers in my ears and closing my eyes.

The pacing of the movie did seem a bit forced; after years in space, giving the characters less than an hour to meet the goal seems a bit ridiculous.  But end result, I really enjoyed the movie, and was pleasantly surprised by the ending.  I am a huge fan of Ben Foster, and while the part didn’t really give him the chance for his acting talent to shine, it’s still good to see him get a lead role.  Hopefully the first of many.

Still on my to-see list this next week are Surrogates and Zombieland, but if you are headed to the movies any time, you probably won’t be disappointed with Pandorum.  Unless you are the type of person who hates when the characters use the name of the movie in the movie itself, in which case, avoid at all cost.  ;)

I Am Alive

Found this one by accident.  Halfway thought it was going to be a movie at first.  Obviously the above video doesn’t show any gameplay, but if the wiki is true, it looks like it will be somewhat untraditional.  The main character will spend his time finding resources and organizing survivors after an earthquake.  Looking forward to it.

Putin and Firearms Safety

This is a bit different from my usual posts. However, in every instance of unintentional or wrongful actions that occur with a firearm, they all could have been prevented by following these simple rules.

What prompted this was seeing this photo:

I rather enjoy following Putin and what he gets up to as well as his numerous well-timed photo opportunities.

My mind immediately reacted to two violations. Though, knowing Putin’s background and his love for the camera, in the end I came to the conclusion that this must be a staged photograph. It seems unlikely he would act unprofessionally except for the uninformed masses.

By the end of this post you should be able to quickly recognise the slew of unsafe firearms practice that the media throws at the public on a regular basis.

On to the rules:

1. All guns are always loaded.

I don’t care if you know you just unloaded the firearm. I don’t care if you think it’s a toy gun and not a real gun. Treat them at all times as if they are loaded.

This prevents any “accidental” (I would rather call it criminally negligent) discharges. If someone ever tells you to not worry because the firearm “isn’t loaded” you are dealing with an unsafe and unprofessional individual.

2. Never let the muzzle cover anything you are not willing to destroy.

In other words unless you are willing to shoot something, do not point the firearm at it. Simple really, but constantly violated in media depictions of firearms.

This also relates to how you carry your firearm at a “ready” position. The position you see Putin in the photo above holding the firearm is known as the “Hollywood”. This is because holding the firearm in this manner was established by the movie industry to be able to get a close up shot of the actor’s face with the firearm. Carrying a firearm up in this manner is significantly less safe than pointing the firearm down in any one of the other preferred “ready” positions.

3. Keep your finger off the trigger until your sights are on the target and you are ready to shoot.

The human body flinches and reacts to all sorts of stimuli. Keeping your finger on the trigger only allows the possibility of “accidentally” pulling the trigger from being surprised during a high-stress critical incident. Again I would say it wasn’t an accident. It was negligent to have pulled the trigger unintentionally. Keeping your finger off the trigger prevents this from happening.

This is also constantly depicted on television and in the movies. Watch an action movie and you are much more likely than not to see numerous “FOT” finger-on-trigger violations.

As you can see in the photo above Putin has his finger on the trigger. One could argue that perhaps he just finished firing. However, if he’s fired his weapon and has returned it to his ready position, even if it is the “Hollywood” ready then there is no reason to have the finger on the trigger. The firearm is not pointed at his target and he is not ready to shoot. If someone were to surprise him from behind an “accidental” discharge could very well occur.

4. Be sure of your target and your surroundings.

If you are not absolutely sure of what you are shooting at, do not fire! There is no excuse for a case of mistaken identity. There is absolutely no excuse for hitting your target and then having the bullet pass through the target and into a home or crowd behind it.

The best media example I can think of in this case is where the bad guy is surrounded by a squad of soldiers or cops who are all pointing their firearms at the bad guy… except if they were to actually fire they would end up not only hitting their target but also their own team!

Final Thoughts

Above all else if you wish to handle and use firearms TRAIN.

Owning a violin does not mean you can stand up in front of an audience and play that violin. Likewise, owning a firearm does not mean you will be able to use it when you are under stress.

The next time you hear about an “accidental” or “unintentional” injury or death with a firearm, look closely; chances are extremely high one or more of these rules were violated.

For a long time I saw no value in social networking. Particularly during the advent and subsequent rise of MySpace. It appeared to me to be an exercise solely in personal exhibitionism. I didn’t have anything I wanted to share and I didn’t feel I really needed to know anything more about what my friends were eating for dinner.

As an individual who works with information security, social networking appeared to just be another way to disseminate private information to the public. A public that often does not have your best interests at heart.

I’ve often argued that there is less effort needed on the part of governments today who wish to keep an eye on their citizens. In nations where blogs, forums and social networking are the norm one need only to trawl the vast amounts of public information to relatively quickly and anonymously put together a good idea of what a net-user’s opinions and behaviors look like.

In other words, there is no need to snoop on your citizens when they are already publicly posting large amounts of private information. Why spy on them, when you can simply encourage them to voluntarily post more information about themselves?

This works for criminals as well. Trawling through status updates, one could perhaps find posts about vacations, weekend trips or school outings thus providing actionable pre-operational intel for a burglar or kidnapper with none of the normal risks associated with gathering such information using traditional methods.

Hence, the necessity of being aware of and using the security options provided by your social networking tools of choice. No one expects a kidnapper to target their child, but why make it easy for one if they do? Similarly, no one expects a fire, but we still install smoke detectors and fire extinguishers.

It is this dissemination of information that ultimately convinced me of the value of social networking. I realized this trait recently whilst talking with a friend on the phone. She was telling me about another friend coming to visit and about a medical procedure about to be performed. Unbeknownst to my friend (who does not use any kind of social networking) I already had more current and detailed information from the individual in question by means of a social networking site. Is this information or example valuable to anyone else? No, not necessarily. Does knowing about this provide a tangible benefit to my life? Nope, not this either. However, it is this synchronizing effect that I have come to value. Instead of operating in an entirely individualist environment as I have previously, I now live my life with small injections of information from my various social circles.

This provides a level of situational awareness about my friends that previously was difficult to maintain outside of long and infrequent emails, letters or phone calls.

As with most technologies it can be wielded to our benefit or with malicious intent. Much like a hammer can build a house to improve living conditions, so can it also be used to bash another person’s head in.

While social networking does increase the surface area of attack for information gathering, that same increased substrate provides a greater level of information synchronicity, allowing for greater efficiency in other areas. It shares the same traits as other technologies; we simply need to be aware of the risks and implement appropriate measures to mitigate those risks.

There are still numerous social networking updates that are essentially worthless. You will get a clear picture of the overall mental state of your individual friends. The negative ones will consistently post about their latest headache or whatever “awful” thing is currently happening to them. Anyone can have a bad day certainly… it is rather eye opening how certain people seem to consistently always have bad days… many seem simply to be fishing for sympathy. Thankfully as social networking technology matures it is including a variety of filtering options to keep those who are consistently negative from darkening your day. Conversely, when a friend is moving and posts about it, I can call them up and offer to help.

Finding a balance between too much and too little information is an important part of this. Too much and you’ll quickly learn to filter out and ignore the torrent of information. Too little and the tool quickly loses any value as you use it less and less, thereby lessening its significance even further.

Social networking certainly is not for everyone. Particularly if you have shallow or boring friends. Or if you yourself fall into these categories. The fundamental shift here however, is not whether the tool is useful but rather whether the information that you and your friends are putting there is worth anything to an audience. The medium, be it the phone network, email or social networking is only made as valuable as the information that you put on it.

Every single one of these people wins an award for awesomeness.  I have no idea what is happening in these pictures since it’s in Russian and I can’t be arsed to visit a translation site, but check out the win.

The armor isn’t as cool as the one in the Headlines, but still pretty amazing on a grand scale.  The fact that Russia even has places to do stuff like this in makes me jealous.

Various news articles about the disclosure of the new MI6 chief on Facebook have been making the rounds as of late.

MI6 boss in Facebook entry row

It seems like a good time to revisit a guide that new users to Facebook should take a look at:

10 Privacy Settings Every Facebook User Should Know

I’ll summarize the high points here. Some of these are common sense. Read the article to get the specifics.

1. Use Your Friend Lists
2. Remove Yourself From Facebook Search Results
3. Remove Yourself From Google
4. Avoid the Infamous Photo/Video Tag Mistake
5. Protect Your Albums
6. Prevent Stories From Showing Up in Your Friends’ News Feeds
7. Protect Against Published Application Stories
8. Make Your Contact Information Private
9. Avoid Embarrassing Wall Posts
10. Keep Your Friendships Private

Facebook has added some additional new privacy settings recently so take the time to poke around in there and tighten things down to a level that’s appropriate for you.

Though, I’d say the real lesson here is that when you work in that kind of business you can never completely separate your personal life from your business life. Work always follows you home. Your friends and family either need to be just as well-trained as you are or know nothing at all about the reality of the situation.

This makes me happy.

EA confirms ‘small team’ working on Mirror’s Edge 2

Mirror’s Edge was my most favorite game of the last few years.

Edge of Twilight

Being something of a trailer aficionado, I am posting this trailer not just because the game looks amazing, I’m posting it because this is easily the best video game trailer I’ve ever seen. And quite frankly it’s about time that video games are catching up with movies.

Via Hellforge, his review compares the setting to Perdido Street Station.  I’m not sure I really see that, though the city in the trailer certainly seems comparable to New Crobuzon.  I’d never thought of the book as steampunk but I suppose I haven’t read the others.  Still, looks exciting and should come out within the year.
