CERT Advisory on DNS Amplification Offers Little Hope

CERT released an advisory today on DNS Amplification Attacks. These attacks are nothing new; in fact, dealing with this kind of load is business as usual for the Tier 1/2 providers. But I was surprised at how little CERT apparently has to offer in the way of advice to thwart the attacks.

Open Letter to Flightfox

Hey guys,

I think your company is great, but I haven’t had a chance to use you yet. How many people (myself included) are in the same boat?

I read about your latest music festival contest on HN. Maybe that’s ‘Mission Accomplished’ for you already. But I think you should consider running a different kind of contest. I think it comes down to: what market are you targeting with multi-continental music festivals? I can’t quite figure out if you only book multi-continent ‘round-the-world’ flights, or if you’re up for more run-of-the-mill business trips and family vacations. Do you just do the flight, or can you do the hotel accommodations as well? What about something like flights to Europe plus hotel and train travel between countries?

How about running a contest a few more of us could relate to? Show us how great you could be at planning a budget trip for a family of four with kids of different ages. That would solve an immediate problem for a lot of people, not just some sexy corner case. A quality budget experience when kids are involved means no hostels, no campgrounds (unless that’s the whole point), and age-appropriate attractions. I’m sure your experts could justify the ‘finder’s fee’ with some of the great trips they could cook up!

I think part of the problem is that I don’t understand what your target market actually is. It doesn’t click who exactly you are trying to serve. It’s the difference between me taking the time to learn about your ‘system’ and maybe even trying it out, and just ‘doing it the old way’.

SRP vulnerability when using a 256-bit modulus

Note to reader: This SRP vulnerability applies only if a 256-bit modulus is being used. For example, in Blizzard’s Battle.net 2 protocol, the modulus is 1024-bit [1].

In my prior blog post, I explained how an attacker can use a dictionary attack to try to guess users’ passwords based on the recent Blizzard data breach, where they were using SRP to store the passwords. Some readers have pointed out that it is significantly slower to dictionary-attack SRP than raw SHA1, so SRP at least protects users who have chosen strong / random passwords. However, depending on the bit-length of the modulus, there may be an improved technique which could allow significantly faster attacks.

SRP Won’t Protect Blizzard’s Stolen Passwords

Blizzard announced today that they have suffered a major data breach, and sensitive user data was stolen from their servers. According to their statement, the specific data stolen includes email addresses, the answers to the personal security question, and information relating to two-factor authentication. They also lost their SRP server-side verifier database, which is the database they use to verify user passwords.

And despite what Blizzard is claiming, I believe the majority of their users’ plain text passwords have been exposed as well.


Thoughts on Facebook’s Ad Platform

Note to reader: please consider the following as a DRAFT only. I’m still working on the software which will let you collaboratively edit it with me (if you so choose) without having to register.

If you listen to Facebook’s earnings call and read the latest from the analysts, then you already know that FB is looking for the technology which will give them the boost they need in mobile advertising.

Google Groups spam filters suck, and you can’t turn them off

Google Groups has been an amazing asset to me for the last several years. I use it, as I’m sure many do, as an archived listserv for various groups I participate in. What’s great is that you can set up the group as invite-only, but allow anyone to post. People outside the group send email in, but only members of the group can read it.

Incredibly common, incredibly useful, but recently on Google Groups, incredibly broken.


The Perfect Founders

For a while now, certain venture capitalists have had an unwritten rule: a good team consists of a developer, a designer, and a CEO. But I have news. It’s not a designer you need. It’s a system architect.


Security isn’t a feature. Security is the product

Why are sites insecure? Because security is treated like a feature.


BrowserID is a step in the wrong direction

Mozilla Persona, the public face of the BrowserID initiative, is a fresh, dead simple, and compelling vision for how authentication should work on the web. Unfortunately, it’s also poorly executed and fundamentally flawed. If you are considering using BrowserID for authentication on your website, the following is my personal assessment on the shortcomings, flawed assumptions, and inherent weaknesses of the current implementation as well as the overall architecture that Mozilla has defined.


Don’t trade a sure thing for a gamble

A guest post, from Shawn, in response to the NY Times article titled Goldman Sachs and a Sale Gone Horribly Awry.

They made two mistakes. The first, and smallest, was paying $5M to GS without understanding what they were getting in return.

The second, and major, mistake was doing an all-stock deal. Or else, in exchange for stock, they should have granted an exclusive license instead of selling the technology outright.

Frankly, I side with GS. They hired GS to make a deal and GS made a deal that they accepted. The fact that the deal turned out to be a bad one is not the fault of GS. That whole due diligence kerfuffle is what you, yourself, would call 20-20 hindsight.

My point: an existing product is a mostly sure thing and stock is a gamble. You don’t trade a sure thing for a gamble. You might trade a mostly sure thing for cash and a small wager.