A great presentation from Instagram.
Original source: http://speakerdeck.com/u/mikeyk/p/secrets-to-lightning-fast-mobile-design
Permanent link to this article: http://negativefoo.org/2012/05/secrets-to-lighting-fast-mobile-design/
Feb 11 2012
How to Say You’ve Been Hacked… in a Good Way
I received an e-mail from TEDxBigApple this morning that started with the line:
We’ve been hacked!
Now, since TED is all about innovation, I assumed this was a (not so) clever marketing attempt at using the “other” definition of hacker, so I read on.
No, no. They were hacked.
As you know, Feb 4th was centered around Disruptive Ideas, and as poetic justice would have it, our success means we have been unfortunately pranked by a Disruptive force. Someone or someones surreptitiously gained access to our registered database and has sent out an invitation to join a site called biapplepulse.com.
Wait, what?
Ok, so it’s not incompetence anymore, but poetic justice; hacking is now being pranked, and criminals are just a Disruptive force?
As much as I hate the corporate “come to Jesus”-style notifications, they usually have quite a bit less BS than this. When a company is hacked, and data lost, I expect a number of things:
- I want to know what was lost, specifically. Was it just my name and e-mail address? A hashed password? If so, how was it hashed? Where was the salt stored? How many records were lost?
- What was the root cause? Was a system not patched? Did an administrator use a password of password1? Did the founder just give the list to their buddy?
- Who was responsible? Was this an organized campaign by a foreign nation? Some jerk running metasploit and selling the information to others?
- What is being done to make sure this never happens again? Saying things like “we’re strengthening our security measures… (blah blah blah)” is not sufficient. If you had taken security seriously before, you would have had those strengthened security measures set up in the first place. Oh, so NOW you realize that security is important. As a customer, I want to know specifically what is being done. No generalities anymore.
As an organization that customers put their trust in with their personal information, the data breach exposes the fact that you are in fact not trustworthy, and the onus on you to earn back that trust. The points above are a good start, but in general, you need to be honest and transparent when you alert your customers as soon as possible. If your lawyers are telling you to delay notification or hide facts from the public, it’s time to get new lawyers.
After the Zappos breach in January 2012, I sent a letter to the company asking for clarification on their existing security practices and the nature of the data lost:
First, the Zappos website states that “[you] also encrypt payment information traveling within our company as well. All payment information is encrypted while in storage within a network that is firewalled off from the rest of the company and the internet.”. I don’t understand how the last four digits of my credit card number (clearly, “payment information”) could have been disclosed if they were encrypted, unless the cryptographic keys were also disclosed.
Second, the notification e-mail mentions that my password is “cryptographically scrambled”. As I’m sure you know, there is a world of difference between weak and strong methods of cryptographic hashing. Which method of hashing was used, and was a per-user and/or static salt used to further protect the passwords? This is important because many users re-use passwords between sites, and users need to know whether they need to change their passwords on all sites or not.
Third, your website also mentions in a few areas that you use the Trustwave Trusted Commerce Seal as an “assurance that [you] use industry standard measures to secure [my] personal information”. The image is from 2007 and I cannot find any active links showing current Trustwave certification. Did Zappos have current certification from Trustwave at the time of the breach?
Finally, and probably the most important. Has Zappos undergone regular, external penetration tests on your critical systems? Were the systems breached included in these security assessments? Was the root cause of the breach a zero-day / APT-style attack, out of date patches, insider attack, lack of policy, or something else? Your customers need to understand if Zappos is trustworthy enough to continue doing business with, and prompt disclosure if a good first step, the devil is in the details, and the world is watching. I would be happy to discuss these matters under NDA, though for the benefit of your users, I would hope that you would consider public disclosure in the best interests of the company.
I received the following, totally unhelpful response.
Thank you for contacting the Zappos.com Customer Loyalty Team.
We are currently cooperating with the FBI in an ongoing investigation, including undergoing digital forensics. We sincerely apologize that we have been unable to answer your questions.
The email communication that was sent to you by our CEO was also sent to our employees. Here at Zappos, our customers come first, as soon as we are able to provide more information we will let you know.
As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail.
To stay up-to-date on all current information regarding this situation, please see:
www.zappos.com/passwordchangeSincerely,
The Zappos.com Customer Loyalty Team
Not surprisingly, nothing new has been posted to the link above since January 20th.
Unfortunately, I see only two ways of disclosure moving in this direction:
- Regulation. The only reason that companies tell their customers anything is that they’re required to by law. They don’t have your best interests in mind, and they don’t really feel sorry for the breach. Stronger regulations that require more detailed disclosure would go a long way toward informing customers of the actual risk they face. In addition, if monetary damages were included, perhaps companies in general would more appropriately fund security programs. If Sony knew they would have had to pay $250 to each customer lost, for each of the 75 million records lost, don’t you think they would have invested a bit more in their security program?
- Loss of Customers. Hardly a day goes by when some company needs to alert customers of a data breach. Familiarity breeds apathy in this regard, and the outrage that followed the CardSystems and TJ MAXX breaches has become only a dull groan of displeasure. If customers immediately ceased to do business with any company that loses their records, it would also increase (quite significantly) the cost of a data breach to the company.
I’ve included the full text of the e-mail received from TEDxBigApple.
Apologies from TEDxBigApple…
We’ve been hacked!
As you know, Feb 4th was centered around Disruptive Ideas, and as poetic justice would have it, our success means we have been unfortunately pranked by a Disruptive force. Someone or someones surreptitiously gained access to our registered database and has sent out an invitation to join a site called biapplepulse.com. We would like to be clear that this site is in no way affiliated with TED, TEDx, or TEDxBigApple. If you received this email we sincerely apologize. As a precautionary step you may want to block all emails coming from an address ending with @bigapplepulse.com, but that is entirely up to you.
All information pertaining to TEDxBigApple will come from info@tedxbigapple.com and noone else. If you receive any messages from third parties please feel free to inform us and we will investigate the source of the problem.
We hope that you have been enjoying seeing some photos of the event, and we are working hard to bring you all the videos by the end of next week!
In the meantime if you would like to be removed from our email list we will be sad, but of course respect your wishes. Your information and involvement with TEDxBigApple means a lot to us and we hope that you will continue to be a part of our events moving forward.
Let’s strengthen the innovation community together.
Warmly,
-TEDxBigApple Team
Permanent link to this article: http://negativefoo.org/2012/02/how-to-say-youve-been-hacked-in-a-good-way/
Permanent link to this article: http://negativefoo.org/2012/01/html-5-multimedia-browser-native-video-audio-and-canvas/
Jan 15 2012
Slides from Infiltrate 2011
Here are slides from the Infiltrate 2011 conference. Originally downloaded from http://immunityinc.com/infiltrate/2011/presentations/.
Permanent link to this article: http://negativefoo.org/2012/01/slides-from-infiltrate-2011/
Permanent link to this article: http://negativefoo.org/2012/01/smooth-coffeescript-free-ebook/
Nov 23 2011
Viewing All G-Mail Messages Hack
I don’t really consider this worthy of being called a “hack”, but I noticed that if you load the all anchor within G-Mail, you see all received messages, regardless of whether they’re in your Inbox, your archive, or in a folder. It could be useful if you know you received a message at a certain time, but not sure where it went.
To do this, open your G-Mail Inbox and change #inbox to #all in the URL. It should look something like this:
https://mail.google.com/mail/u/0/#all
In fact, after examining some of the JavaScript that comes down with the G-Mail page:
function Ol(b){nl.call(this,"all",b)}function Pl(b){nl.call(this,"archive",b)}function Ql(b){nl.call(this,"chats",b)}function Rl(b){nl.call(this,"delivered",b)}function Sl(b){nl.call(this,"drafts",b)}function Tl(b){nl.call(this,"inbox",b)}function Ul(b){nl.call(this,"muted",b)}function Vl(b){nl.call(this,"outbox",b)}function Wl(b){nl.call(this,"sent",b)}function Xl(b){nl.call(this,"spam",b)}function Yl(b){nl.call(this,"starred",b)}function Zl(b){nl.call(this,"trash",b)}
It seems that you can use any of these to bookmark a specific view into G-Mail:
- all: View all messages
- archive: View archived messages
- chats: View chats
- delivered: Not sure
- drafts: View drafts
- inbox: Default, view your inbox
- muted: Not sure
- outbox: Outbox, but doesn’t seem to work
- sent: View sent items
- spam: View your spam folder
- starred: View starred messages only
- trash: View trashed messages
Permanent link to this article: http://negativefoo.org/2011/11/viewing-all-g-mail-messages-hack/
Nov 22 2011
DARPA Colloquium on Future Directions in Cyber Security Presentations
On November 7, 2011, DARPA conducted the Colloquium on Future Directions in Cyber Security in Arlington, Virginia. Below are all of the presentations given. Original Presentation Source
Permanent link to this article: http://negativefoo.org/2011/11/darpa-colloquium-on-future-directions-in-cyber-security-presentations/
Nov 18 2011
500 Most Common Passwords
I came across a list of the 500 most common passwords (originally from http://www.whatsmypass.com/?p=415 and from Perfect Passwords by Mark Burnett). I’ve de-HTMLized the list and its now available in text format for easy parsing. It will also be included as a plug-in for Yasca, my source code analyzer.
The ten most common passwords from the list are:
- 123456
- password
- 12345678
- 1234
- (a type of feline / female body part)
- 12345
- dragon
- qwerty
- 696969
- mustang
A recent post at Acunetix shows statistics on 10,000 recently leaked Hotmail passwords. The ten most common passwords on that list are:
- 123456 (0.6%)
- 123456789 (0.17%)
- alejandra (0.10%)
- 111111 (0.10%)
- alberto (0.09%)
- tequiero (0.09%)
- alejandro (0.09%)
- 12345678 (0.09%)
- 1234567 (0.08%)
- estrella (0.07%)
More information is available in this blog article.
Download the list:
- Text Format
- HTML Format (from original source)
Permanent link to this article: http://negativefoo.org/2011/11/500-most-common-passwords/
Nov 18 2011
ANSI Color Codes (in RGB)
A list of RGB color codes that correspond to the sixteen ANSI colors.
| Color Name | RGB Color Code | Color |
| Black | #000000 | |
| Red | #aa0000 | |
| Green | #00aa00 | |
| Blue | #0000aa | |
| Cyan | #00aaaaa | |
| Brown/td>
#aa5500 |
||
| Light Grey | #aaaaaa | |
| Dark Grey | #555555 | |
| Light Red | #ff5555 | |
| Light Green | #55ff55 | |
| Light Blue | #5555ff | |
| Light Cyan | #55ffff | |
| Light Purple | #ff55ff | |
| Yellow | #ffff55 | |
| White | #ffffff |
Permanent link to this article: http://negativefoo.org/2011/11/ansi-color-codes-in-rgb/
Nov 17 2011
How to Flush DNS Cache
Instructions for flushing your DNS cache in various operating systems.
Microsoft Windows
To flush your DNS cache within Windows, open a command prompt and run the following command:
ipconfig /flushdns
Linux
To flush DNS cache within Linux, you can restart the ncsd daemon, which could be done in any of the following ways. (It depends on your specific Linux distribution.)
sudo /etc/init.d/nscd reload
sudo /etc/rc.d/init.d/nscd reload
sudo service nscd reload
If you don’t have nscd installed, you can install it by doing one of the following:
apt-get install nscd
yum install nscd
If you’re using Bind, you can flush the daemon’s cache by doing:
sudo rndc flush
Mac OSX
You can flush your DNS cache by using either the lookupd or the dscacheutil command, depending on your version of OSX:
lookupd -flushcache ; Leopard
dscacheutil -flushcache ; Snow Lepoard and Lion
Permanent link to this article: http://negativefoo.org/2011/11/how-to-flush-dns-cache/
Loading tweets...