ssl

Latest

  • Twitter adds 'Always use HTTPS' option, makes cyberterrorists FOF

    by Vlad Savov
    03.16.2011

    One small checkbox for your mouse pointer, one giant leap for your Twitter account's security. The microblogging site that every techie knows, loves, and occasionally loathes, has added a new option to allow users to go HTTPS full-time. For the unenlightened among you, that means all your communications with Twitter can now be done over an SSL-encrypted channel, which massively boosts their resilience to external attacks. That won't protect you if you're careless with your password or leave your account logged in on computers other than your own, but at least you can sleep a little more restfully knowing that nobody other than yourself will be embarrassing you on the Twittersphere.

  • Firesheep makes stealing your cookies, accessing your Facebook account laughably easy

    by Joseph L. Flatley
    10.25.2010

    A software developer called Eric Butler doesn't just want to make you aware of the lax security of most social networking sites, he wants to force you to do something about it! To that end, he's developed Firesheep, a Firefox add-on that even the least technically inclined among us can use to eavesdrop on open WiFi networks and capture your fellow users' cookies. Any time a site recognized by Firesheep (including Twitter, Flickr, Facebook, and Dropbox) is accessed by a user on your network, Firesheep provides you with an icon and a link to access that account. Sure, had these sites used SSL to begin with this would be nigh on impossible; but they don't, so it is possible. And easy! And fun! Keep in mind, we're not suggesting that you give this a try yourself (far from it!) but we do hope you look into the larger issues involved here, and take the appropriate steps to force sites to use SSL, and protect yourself in the process (we hear that HTTPS Everywhere and Force-TLS are good places to start). Because, really -- Internet security is enough of a problem without giving everybody at the Coffee Bean your Facebook credentials.

  • 1024-bit RSA encryption cracked by carefully starving CPU of electricity

    by Sean Hollister
    03.09.2010

    Since 1977, RSA public-key encryption has protected privacy and verified authenticity when using computers, gadgets and web browsers around the globe, with only the most brutish of brute force efforts (and 1,500 years of processing time) felling its 768-bit variety earlier this year. Now, three eggheads (or Wolverines, as it were) at the University of Michigan claim they can break it simply by tweaking a device's power supply. By fluctuating the voltage to the CPU such that it generated a single hardware error per clock cycle, they found that they could cause the server to flip single bits of the private key at a time, allowing them to slowly piece together the key. With a small cluster of 81 Pentium 4 chips and 104 hours of processing time, they were able to successfully hack 1024-bit encryption in OpenSSL on a SPARC-based system, without damaging the computer, leaving a single trace or ending human life as we know it. That's why they're presenting a paper at the Design, Automation and Test conference this week in Europe, and that's why -- until RSA hopefully fixes the flaw -- you should keep a close eye on your server room's power supply.

  • Found Footage: Here, File File! lets you access your Mac's files

    by Aron Trimble
    12.05.2009

    When using your iPhone to access your files, you really have two options. First, some apps let you copy files to your phone for later viewing. In the second option, a service such as Dropbox or MobileMe allows you to access a subset of your files. However, none of these options cures I-completely-forgot-to-grab-the-sales-presentation-before-leaving-itis. Here, File File! wants to make it incredibly easy for you to access any file from anywhere. By using a small application running on your Mac, HFF is able to do just that. The app provides user authentication and SSL encryption, as well as content-on-demand to prevent any eavesdropping on your file-access activities. While the app isn't available yet, you can get a good idea of how it will work in the video above. In the video you can see how HFF will allow you to view all of your folders and connected volumes, as well as the files within them. This even includes the ability to stream movies and music. Furthermore, you can attach a file to an email and send it to someone else, or for particularly large files you can send a unique, randomly-generated download link via email. According to the developers of Here, File File!, the app will be available in January for your downloading pleasure. Until then you can peep the video or sign up to be notified when HFF is released.

  • Credit card terminals for iPhone

    by John Burke
    09.23.2009

    It's no secret that the iPhone is much more than just a smartphone. Apple has even started giving iPhones to Apple Store Concierge employees to schedule appointments and manage the store. The ability to complete mobile transactions with credit card terminals is a great use of the iPhone for employees on the go or companies that do home or office calls. Like most applications in the iTunes App Store, there is no shortage of alternatives available for you to try. Here's a roundup of some of the most popular credit card terminals for iPhone.

    Credit Card Terminal [iTunes Link] - $0.99

    This app is pretty awesome. So awesome in fact, that it was featured internationally in an Apple commercial. The 99 cent application offers a (very) cheap alternative to expensive terminals and hardware. With a clean and easy to use interface, users can enter credit card information, complete transactions, and even view and refund past sales. The app also gives you the ability to collect customer information. The developer even offers telephone and email support and will walk you through setup.

    Billing: Credit Card Terminal [iTunes Link] - $19.99

    Another "easy to use" credit card terminal that is guaranteed to help make transactions easier. Sporting a pretty cool, and somewhat different kind of interface, the $20 application makes setting up a sale as simple as tapping a button. One cool feature offered in this version is the ability to get a customer's signature.

  • Japan's online games industry steps up security

    by James Egan
    02.04.2009

    The potential for having a hacked game account clearly goes hand in hand with online games, regardless of which country you're in. Japan is taking aim at this particular issue through a rather significant partnership with Visa International, reports Nicholas Aaron Khoo for CNET Asia. The Japan Online Game Association (JOGA) has pushed for the industry-wide adoption of Verified by Visa by year's end. Verified by Visa uses SSL encryption as part of its Three-Domain (3-D) Secure platform, and it's hoped that establishing this industry standard will reduce the frequency of stolen accounts. Khoo writes, "According to JOGA, Verified by Visa has already been implemented by over 60 percent of online gaming companies in Japan -- the highest among any online retail and service provider industry categories." You can check out the full story in Khoo's "Peace of mind for Japanese gamers?" as part of his Geekonomics column at CNET Asia. [Via PlayNoEvil]

  • PlayStation 3 used to hack SSL, Xbox used to play Boogie Bunnies

    by Joseph L. Flatley
    12.30.2008

    Between the juvenile delinquent hordes of PlayStation Home and some lackluster holiday figures, the PlayStation has been sort of a bummer lately, for reasons that have nothing to do with its raison d'etre -- gaming. That doesn't mean that the machine is anything less than a powerhouse -- as was made clear today when a group of hackers announced that they'd beaten SSL, using a cluster of 200 PS3s. By exploiting a flaw in the MD5 cryptographic algorithm (used in certain digital signatures and certificates), the group managed to create a rogue Certification Authority (CA) which allows them to create their own SSL certificates -- meaning those authenticated web sites you're visiting could be counterfeit, and you'd have no way of knowing. Sure, this is all pretty obscure stuff, and the kids who managed the hack said it would take others at least six months to replicate the procedure, but eventually vendors are going to have to upgrade all their CAs to use a more robust algorithm. It is assumed that the Wii could perform the operation just as well, if the hackers had enough room to spread out all their Balance Boards. [Via ZD Net]