Saturday, January 5, 2013 - 19:37

Another major SSL Fuckup. This time it's TURKTRUST issuing subCAs.

TURKTRUST mistakenly issued two certificates with CA extensions of which one was used to issue a wildcard certificate for * The claimed story behind it is rather revealing.
Monday, December 17, 2012 - 18:21

Critical security issue with various Exynos 4 based phones including Samsung's Galaxy S II and III

A couple of days ago a user on xda-developers pointed out a rather nasty issue on various Exynos 4 based smartphones including - but not limited to - Samsung's Galaxy S II, III and the Note 2.
Wednesday, November 28, 2012 - 07:40

Piwik 1.9.2 came with a backdoor and now ignores IE10 DNT headers

The 1.9.2 release of Piwik came - aside from a backdoor for some installations - with a nifty new feature. It ignores IE10's DoNotTrack settings completely and it also lies to you about it in the settings.

Thursday, September 1, 2011 - 01:30

DigiNotar. Obviously you can make a worst-case scenario go down the drain big time.

If you thought - and I did - that the Comodo gig was ridiculous you might already have heard of DigiNotar. And I'm somewhat running out of superlatives that have no religious context with this one. While Comodo's fuck-up was serious it was at least within expected proportions.  If you fuck up in this business it usually draws some circles. That's why you should try hard not to. But the way DigiNotar screwed up is way out of scope. And the best part about it is the way they are handling it.

A quote taken from their website

Thursday, August 25, 2011 - 00:20

Apache bug in range handling has potential to wreak havoc

Current versions of Apache have a neat bug in their byte-range handling that has quite some potential to crash a site with minimal to no effort at all. Byte ranges are a feature of HTTP 1.1. They are used to partially transfer documents. If multiple ranges are requested in a slightly untidy way, Apache gets out of step big time. A single remote connection on a lousy DSL line can wreak havoc to various degrees on your system. If you ever want to see your load hit the moon, give it a try.

There's - as of now - no patch yet. But there're two workarounds.

Sunday, July 10, 2011 - 19:36

Data theft at the customs office.

The state has struck again. This time it's the customs office. If you had reached any deeper into the toilet, you'd be facing an amputation at shoulder height. Unfortunately, those responsible will probably be spared that measure.

Thursday, June 9, 2011 - 00:35

Google Chrome and password security

While looking for information if anything has changed recently on the master password front I found a somewhat dated but still valid statement from Google. And I think it's fundamentally flawed.

Monday, April 25, 2011 - 18:34

Android permissions revisited. It still sucks.

The usual answer you hear when you raise the topic of permissions with Android is "Works as intended" and all I can say about that one is: If that was your intention you might reconsider visiting the drawing board because your intention sucks big time.

Wednesday, January 19, 2011 - 00:22

New exploits in Android Market

There are certain things that you can actually wait for to happen and this is one of them. Google is running the market in a way that's doomed to hit the wall and it has nothing really to do with liberal politics vs. Apple's ... ah well. Let's call those restrictive.

Monday, January 17, 2011 - 17:18

StUXNET: In security tests we trust...or not. Maybe we even fake them.

Isn't it lovely? You deliver your piece of code or hardware for a security audit and get it back all shiny and clean. Except for the little bug that happens to be handy when someone would have to sabotage one of your customers' nuclear reactors. A customer like Iran. Ignoring the political magnitude of this, it has a very bad taste to it. Even more so if Siemens was not a part in this but a conveniently available source for exploitation through inspection.