Bitfever

How do you cope with the fever of information?

Without words

Posted by toto Fri, 08 Feb 2008 14:54:03 GMT


Safe to read

Posted by toto Wed, 11 Jul 2007 06:26:57 GMT

Today I received an advertisement mail from a hotel in Italy I once stayed at. The subject line reads:

From Foo Bar Guest Houses - Rome and Florence (SAFE TO OPEN)

That makes me feel real secure now, so much in fact, that I would like to assure you my readers that this blog is Safe to read.


Non-ticking beer

Posted by toto Sun, 11 Feb 2007 14:36:00 GMT

ix of wirres.net describes very vividly what the good Bruce Schneier would call Movie Plot Security:

[…] he freezes. you can see his last security training flickering past his inner eye: "suspicious, unattended object? always notify the federal police!" the word "bomb" evidently comes to his mind even before the word "thirst". he walks up to the two objects and listens to whether they are ticking. […]


They did not fool everybody

Posted by toto Tue, 16 Jan 2007 11:23:00 GMT

As you have probably heard, a very large number of myspace.com passwords has appeared on the net via the FullDisclosure mailing list.

According to this report, this is the result of a phishing attack. They got a lot of people fooled, but not this guy:

thisistheworstattempt@gettingpasswords.ever:sillylittlefaggots..www.someurl.com-look for somenick

or this guy

ya right like im going to fall for this:hahaloser

Some people even discovered where to get the passwords and commented:

hmmmmm://www.marcolano.com/login/myspace.txt. I WILL MAKE GOOD USE OF THE FRUITS OF YOUR EFFORTS

I did a very rough analysis of the file which showed that about 95% of the passwords and email addresses seem valid. Most of the rest seem to be random input errors. 0.4% entered a phrase indicating that they recognized this as a scam.

This also shows that the phishers did not (yet) care about validating the data they collected.


Crimeware

Posted by toto Thu, 28 Sep 2006 13:34:00 GMT

"[…] For the hole in the DirectAnimation control that is already being exploited by crimeware gangs, the Redmond company suggests in a bug report setting the corresponding kill bit in order to disable it, for lack of an available patch […]"
heise Security

About a new, once again catastrophic, browser bug in Internet Explorer. Note the phrase Crimeware Gangs. That is how far we have come in Internet security: there is such a thing as crimeware. Interesting term, let's see whether it catches on...


Update 2006 v001+001

Posted by toto Tue, 14 Mar 2006 12:35:00 GMT

The Security Update 2006-002 released today after the Security Update 2006-001 corrects a massive problem which keeps rsync from functioning correctly. The Knowledge-Base document reads like "the first time we made an emergency fix, so nobody could blame us for not responding - now the real fix!"

rsync: A regression in rsync that prevented the "--delete" command line option from functioning is corrected with this update.

Thanks Apple.


One for the night - Postcard mail

Posted by toto Sat, 10 Jan 2004 19:19:00 GMT

About e-mail, encryption and why no one uses it

Starbucks makes good coffee indeed. Yes, expensive, but good. And of course they all have WLAN (powered by T-Mobile - did I mention that I hate magenta). Because T-Mobile is afraid that WLAN will eat up their UMTS margin and because all mobile providers seem to think that we will pay their gigantic prices for data traffic (just look at the GPRS prices).

So to push their WLAN service it is free again (from April-November 2003 you had to pay for WLAN at Starbucks - in this time I can only remember one person actually using the WLAN - they don't get it: Internet is just an additional gimmick, people will prefer the coffee house which has it, but they will not pay for it.)

Free WLAN means that there are actually people using the WLAN - most of them don't seem to know about the security issues (although they have checked the "there is no private information" button). This means people are sending out e-mail - over a non-SSL connection of course.

This is not very surprising: although most (free mail, and that's what people are using) providers are offering SSL encryption, people don't use it. Even if it is offered for free (at least for POP, but you can still sniff all passwords and you can still read every outgoing mail like a postcard) you can't blame anyone for not using it - most "users" do not know anything about what a POP server is or that it is unencrypted. And if you ask them: "Hey, do you know that everyone here at Starbucks, and even the people in the office on the opposite side of the street, can read all of your mail and even get your password?" Most people respond like: "Ohh, but who wants to get my password, I don't get any interesting e-mails. I don't care." Well, I guess for that you can blame the people or the people who taught those users how to use email and the web. The point is that if I don't care if the door of my home is locked, everyone will blame me that someone went into the front door and took my stereo away.

So please no complaints about that.

The only thing you can complain about is that the email providers don't seem to care either. I tried to find one provider who would offer me an SSL POP3 and SSL for SMTP together with secure authentication (something like MD5 challenge/response at least) for free - it doesn't cost anything more than offering the same without security, but you have more, uhm,...security.

That's one thing I don't understand: they don't offer all of those things to the people who actually pay them for their mail accounts. Too bad for them, they have one customer less. But I always wanted to get a root server for keeping my mail and hosting my website, so that's what I'll do.
