Thursday, December 3, 2009

debado vs. Hörsaal 1

On 24 November the students of TU and FH Dortmund occupied Hörsaal 1 (lecture hall 1) on Emil-Figge-Straße to protest against tuition fees and the bachelor/master system.

Now, the Debattierklub Dortmund also always meets on the same weekday (Tuesday) for its weekly debate. So it was an obvious idea to shorten (or lengthen) the students' time by holding a debate about tuition fees in front of them. We debated in the OPD format, and I, as second speaker of the opposition (chosen at random and in this case in favour of tuition fees; once they noticed, the applause was over ;)), was tasked with convincing the protesting crowd that tuition fees are really important and sensible. Fun, fun, fun! :-) Unfortunately I have no photos... :(


Windows Mobile Phones keep Data after cleaning the Storage

I want to sell my HTC Touch Diamond on eBay. It contains 4GB of internal storage, which I cleared and formatted using Settings->Clear Storage.

In the past I never trusted this tool, therefore I cleared the storage, copied a big random file to the phone and cleared it again. This time copying the random 4GB file took very long, and I want to make sure I do not waste time by being too paranoid here.

Therefore I used my jpeg-extractor tool to extract everything that looks like a JPEG file from a raw disk/memory image of the internal storage. After some minutes, pictures popped up which are not part of the original ROM but are images from podcasts, from the camera, etc.

You, like me, already expected it, but this is the proof:

Cleaning Windows Mobile Phones leaves personal Data on the Device.

Take care what you sell on the Internet.

BTW, I always put a back-door on the phones I sell... just kidding. :-)
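An added example (my own code, not the jpeg-extractor tool mentioned in the post): a minimal signature-based JPEG carver in Python that performs the same check against a raw image of the storage. It runs here on a constructed in-memory image rather than a real device dump; the function and constant names and the sample bytes are mine.

```python
import os

# JPEG Start-Of-Image followed by the prefix of the next marker, and End-Of-Image.
SOI = b"\xff\xd8\xff"
EOI = b"\xff\xd9"


def carve_jpegs(image: bytes, max_size: int = 8 * 1024 * 1024):
    """Return a list of (offset, data) for every JPEG-looking blob in a raw image.

    The scan is purely signature-based: it looks for an SOI marker and takes
    everything up to the next EOI marker within max_size bytes. Embedded EXIF
    thumbnails carry their own EOI, so a carved blob may be truncated; that is
    fine for this purpose, which is only to prove that image data survived the
    "Clear Storage" run.
    """
    found = []
    pos = 0
    while True:
        start = image.find(SOI, pos)
        if start < 0:
            break
        end = image.find(EOI, start + len(SOI), start + max_size)
        if end < 0:
            # No EOI in range: not a JPEG, or truncated; keep scanning behind it.
            pos = start + len(SOI)
            continue
        found.append((start, image[start:end + len(EOI)]))
        pos = end + len(EOI)
    return found


def carve_file(path: str, out_dir: str) -> int:
    """Carve a raw image file on disk, writing each hit as out_dir/<offset>.jpg."""
    with open(path, "rb") as fh:
        data = fh.read()
    os.makedirs(out_dir, exist_ok=True)
    hits = carve_jpegs(data)
    for offset, blob in hits:
        with open(os.path.join(out_dir, f"{offset:012x}.jpg"), "wb") as out:
            out.write(blob)
    return len(hits)


def wipe_leaves_no_jpegs(image: bytes) -> bool:
    """The check to run before selling the device: True only if nothing carvable remains."""
    return not carve_jpegs(image)


# --- constructed sample data (not from a real device) ------------------------
# Filler that never contains the SOI pattern: every 0xFF is followed by 0x00.
FILLER = bytes(range(256)) * 16


def _tiny_jpeg(thumb_w: int) -> bytes:
    # SOI + a JFIF APP0 segment + EOI; not decodable, but marker-correct.
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01" + bytes([thumb_w, 0])
    return b"\xff\xd8\xff\xe0" + (len(app0) + 2).to_bytes(2, "big") + app0 + EOI


JPEG_A = _tiny_jpeg(0)
JPEG_B = _tiny_jpeg(3)
# A pretend "cleared" partition, shrunk down: leftover photos between junk.
SAMPLE_IMAGE = FILLER + JPEG_A + FILLER + JPEG_B + FILLER
```

Against a real dump you would call carve_file("storage.img", "carved/") and look at what comes out; an empty output directory after the wipe is the result you want to see.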


Thursday, November 19, 2009

X-MAS Wish List for the SuSE Security-Team


Good Evening,

you may not have noticed it yet because of the bland climate (at least here in Germany), but X-MAS is approaching.

It is the time of beginnings, looking ahead, family and wishes.

I am sipping hot tea from a big cup and want to hear about your wishes... the wishes of our openSUSE community, our SLES customers, the SUSE family if you like.

What should the SuSE Security-Team improve for you and your business in the future?

Write me a mail or leave me a comment!


Common Vulnerability Scoring System, CVSS

Dear Readers,

you may already have noticed that we have started using the CVSS v2 base score in our patch descriptions, security advisories and summary reports. If you want to know the details of CVSS, have a look at the FIRST CVSS Guide.

We should move away from our old and incomplete "Security Metric", which is a stupid^Wsimple metric I "invented" some years ago just to fill the gap.

CVSS is an industry standard which is also used by other major vendors. This allows our customers to rank the security updates we deliver and compare them to updates from other vendors that also use CVSS.

To avoid additional work for us, we use the base score as calculated by the people at the National Vulnerability Database (NVD), with no additional scoring for our system configuration (which could even change from version to version, so each SLES/openSUSE version would need its own CVSS score).

HTH


Monday, November 16, 2009

VirtualBox OSE: Guest can trigger Denial-of-Service at Host System

I am surprised - positively of course :) : Sun released an update for a denial-of-service problem in virtualbox-ose:

http://sunsolve.sun.com/search/document.do?assetkey=1-66-271149-1

CVE-2009-3940

Details:

On 10/08/09 13:44, Thomas Biege wrote:
> Hi,
> just a question: Is this a real bug?
>
> VirtualBox-3.0.6_OSE/src/VBox/Additions/linux/module> grep -n -E "XXX.*denial.*" *
>
> vboxmod.c:1032: rc = VbglGRAlloc(&reqFull, cbRequestSize, reqHeader.requestType); // XXX tom: denial of service! better use cbVanillaRequestSize?
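To make the pattern behind that XXX comment concrete, here is an added Python example (my own, not VirtualBox code; the header layout, request types and sizes are constructed for illustration): a request header carrying a caller-controlled size field, with the size-trusting variant beside a version that bounds the allocation to what the request type is known to need.

```python
import struct

# Constructed wire layout for this example (not VirtualBox's real header):
# little-endian u32 size, u32 request type, followed by the request body.
HEADER = struct.Struct("<II")

# Expected ("vanilla") size per request type; the values are made up.
VANILLA_SIZE = {
    1: HEADER.size + 8,    # fixed-size request
    2: HEADER.size + 32,   # fixed-size request
    3: HEADER.size + 4,    # variable-length request: at least a u32 length field
}
VARIABLE_LENGTH_TYPES = {3}
MAX_REQUEST_SIZE = 64 * 1024   # hard cap for anything variable-length


def make_header(size: int, rtype: int) -> bytes:
    """Build a header the way a caller would; used here to construct test input."""
    return HEADER.pack(size, rtype)


def unchecked_alloc_size(raw: bytes) -> int:
    """The pattern the XXX comment flags: trust the caller's size field verbatim.

    Whatever number the caller writes here is handed straight to the allocator,
    so a huge value exhausts memory or fails the request on every call.
    """
    size, _rtype = HEADER.unpack_from(raw)
    return size


def checked_alloc_size(raw: bytes) -> int:
    """Hardened: derive the allocation from the request type, not from the caller."""
    if len(raw) < HEADER.size:
        raise ValueError("short header")
    size, rtype = HEADER.unpack_from(raw)
    expected = VANILLA_SIZE.get(rtype)
    if expected is None:
        raise ValueError(f"unknown request type {rtype}")
    if rtype in VARIABLE_LENGTH_TYPES:
        if not expected <= size <= MAX_REQUEST_SIZE:
            raise ValueError(f"type {rtype}: size {size} outside [{expected}, {MAX_REQUEST_SIZE}]")
    elif size != expected:
        raise ValueError(f"type {rtype}: size {size} != vanilla size {expected}")
    return size


def rejects(raw: bytes) -> bool:
    """True if the hardened check refuses this header."""
    try:
        checked_alloc_size(raw)
    except ValueError:
        return True
    return False
```

The defensive rule is the one the comment already hints at: the type field decides how much to allocate, and the size field is only allowed to agree with it (or, for variable-length types, to stay within a documented cap).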


Thursday, November 12, 2009

HDD encryption vs. secure deleting

There are two ways to scramble private data on your hard drive.

  1. encrypt the device
  2. clean sensitive files securely

In the past I used secure delete to remove browser caches and history, tmp files, image thumbnails for previews, etc. while shutting down my system and periodically via cron.

The pros of this method are:
  • better recovery of data in case of hardware failure
  • easy automatic backup
  • remote access to private data possible
  • no performance impact
  • no crypto algorithm dependency
  • ...

But because the tool overwrites the same file several times with random data, without caching and without delays, the HDDs die very early in their life. After three completely destroyed HDDs I decided to switch to HDD encryption. ;-)
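Added example (my own code, not the tool the post refers to): a minimal secure-delete routine in Python showing the overwrite-and-fsync loop the post describes, plus a directory sweep of the kind a shutdown script or cron job would run. The demo works on constructed files in a temporary directory; all names are mine.

```python
import os
import tempfile


def overwrite_file(path: str, passes: int = 3, chunk_size: int = 1 << 20) -> int:
    """Overwrite `path` in place with random data `passes` times; returns bytes written.

    Every pass is flushed and fsync'ed so the bytes really hit the platter before
    the next pass starts. Multiply that by every cache file at every shutdown and
    you have the write load the post blames for its dead disks.
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(os.urandom(n))
                remaining -= n
                written += n
            fh.flush()
            os.fsync(fh.fileno())
    return written


def secure_delete(path: str, passes: int = 3) -> int:
    """Overwrite, then unlink.

    Caveat: journaling and copy-on-write filesystems, SSD wear levelling and
    snapshots can all keep older copies of the blocks, which is one more reason
    the post ends up preferring full-device encryption.
    """
    written = overwrite_file(path, passes)
    os.remove(path)
    return written


def sweep_directory(directory: str, passes: int = 3) -> int:
    """The cron-job shape: securely delete every regular file below `directory`."""
    deleted = 0
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            if os.path.isfile(full) and not os.path.islink(full):
                secure_delete(full, passes)
                deleted += 1
    return deleted


def demo() -> dict:
    """Constructed run in a temp dir: a fake browser history file plus a thumbnail."""
    workdir = tempfile.mkdtemp(prefix="sdel-")
    secret = b"visited: https://example.invalid/private-page\n" * 64
    history = os.path.join(workdir, "history.dat")
    with open(history, "wb") as fh:
        fh.write(secret)
    with open(os.path.join(workdir, "thumb.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 100)
    written = overwrite_file(history, passes=2)
    with open(history, "rb") as fh:
        after = fh.read()
    deleted = sweep_directory(workdir, passes=1)
    os.rmdir(workdir)
    return {
        "size": len(secret),
        "written": written,
        "plaintext_gone": secret[:32] not in after,
        "size_preserved": len(after) == len(secret),
        "deleted": deleted,
        "dir_empty": not os.path.exists(workdir),
    }
```

Note what the loop does to the drive: three passes over a file means three times its size in writes, synced to disk each time, for every cache file on every run. The secure-delete approach only works at all on a filesystem that rewrites blocks in place; on anything else, the encrypted-device route is the one that actually holds.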

Tuesday, November 10, 2009

Command-Line Tool Fuzzer

Yesterday Marcus reminded me that I had written a fuzzer for command-line tools... honestly, I had forgotten this little PoC tool and it slept in my CVS repository for nearly 1.5 years. Now I have put it online. Beta-testers are welcome.
