nods of approval, winces of sympathy, for sysadmins and hackers | submit a hack

Sep 3

Aug 21

Aug 20

Aug 18



The WinSCP website is hosted on insecure HTTP, and the binary executable downloads over HTTP too. While the site does have checksums for the downloads, the checksums are hosted on the same HTTP website, and could easily be modified in a man-in-the-middle attack. 




(Submitted by Lenard Szolnoki)

Jul 24

Jul 23

Jul 21


Forensic scientist and author Jonathan Zdziarski has posted the slides (PDF) from his talk at the Hackers On Planet Earth (HOPE/X) conference in New York called Identifying Backdoors, Attack Points, and Surveillance Mechanisms in iOS Devices.

The HOPE conference started in 1994 and bills itself as “one of the most creative and diverse hacker events in the world.”

In December 2013, an NSA program dubbed DROPOUTJEEP was reveled by security researcher Jacob Appelbaum that reportedly gave the agency almost complete access to the iPhone.

The leaked document, dated 2008, noted that the malware required “implant via close access methods” (presumably physical access to the iPhone) but ominously noted that “a remote installation capability will be pursued for a future release.”

According to one slide the iPhone is “reasonably secure” to a typical attacker and the iPhone 5 and iOS 7 are more secure from everybody except Apple and the government. But he notes that Apple has “worked hard to ensure that it can access data on end-user devices on behalf of law enforcement” and links to Apple’s Law Enforcement Process Guidelines, which clearly spell this out.

Jul 18

Jul 10

Jul 9

Page 1 of 44