KDE-Apps.org Applications for the KDE-Desktop 
 GTK-Apps.org Applications using the GTK Toolkit 
 GnomeFiles.org Applications for GNOME 
 MeeGo-Central.org Applications for MeeGo 
 CLI-Apps.org Command Line Applications 
 Qt-Apps.org Free Qt Applications 
 Qt-Prop.org Proprietary Qt Applications 
 Maemo-Apps.org Applications for the Maemo Plattform 
 Java-Apps.org Free Java Applications 
 eyeOS-Apps.org Free eyeOS Applications 
 Wine-Apps.org Wine Applications 
 Server-Apps.org Server Applications 
 apps.ownCloud.com ownCloud Applications 
 KDE-Look.org Artwork for the KDE-Desktop 
 GNOME-Look.org Artwork for the GNOME-Desktop 
 Xfce-Look.org Artwork for the Xfce-Desktop 
 Box-Look.org Artwork for your Windowmanager 
 E17-Stuff.org Artwork for Enlightenment 
 Beryl-Themes.org Artwork for the Beryl Windowmanager 
 Compiz-Themes.org Artwork for the Compiz Windowmanager 
 EDE-Look.org Themes for your EDE Desktop 
 Debian-Art.org Stuff for Debian 
 Gentoo-Art.org Artwork for Gentoo Linux 
 SUSE-Art.org Artwork for openSUSE 
 Ubuntu-Art.org Artwork for Ubuntu 
 Kubuntu-Art.org Artwork for Kubuntu 
 LinuxMint-Art.org Artwork for Linux Mint 
 Arch-Stuff.org Art And Stuff for Arch Linux 
 Frugalware-Art.org Themes for Frugalware 
 Fedora-Art.org Artwork for Fedora Linux 
 Mandriva-Art.org Artwork for Mandriva Linux 
 KDE-Files.org Files for KDE Applications 
 OpenTemplate.org Documents for OpenOffice.org
 GIMPStuff.org Files for GIMP
 InkscapeStuff.org Files for Inkscape
 ScribusStuff.org Files for Scribus
 BlenderStuff.org Textures and Objects for Blender
 VLC-Addons.org Themes and Extensions for VLC
 KDE-Help.org Support for your KDE Desktop 
 GNOME-Help.org Support for your GNOME Desktop 
 Xfce-Help.org Support for your Xfce Desktop 
openDesktop.orgopenDesktop.org:   Applications   Artwork   Linux Distributions   Documents    Linux42.org    OpenSkillz.com   

- News . 
click to vote up

Nicolas Valcárcel: The lies of security.

Published Apr 25 2013 via RSS

Since i can remember i was delighted by computer security and always wanted to make a career on that field and be like one of those hackers in dark room with a black screen with green letters in front of me while i hacked into government computers in a matter of seconds like we can see in any hollywood movie, but after i started building my career in the field i found out the reality: cracking is not as glorious as hollywood claims. Working on security is harder, more boring and even waaay easier and no-brainer than media, hollywood and basically every non-computer person thinks.

Don't get me wrong, computer security is indeed a hard work and requieres a deep knowledge of the computing stack, starting from the physics that make the energy flow around the computer to make it work to the highest level known as OSI's eight layer (a.k.a. the user) because a bug can be at any part of that: buffer overflows, scam, MITM, phishing, etc...

There are a lot of saying on the matter, the one i like and say the most if always:

"A system is as secure as its weakest link"

This is the most true anyone can get to a saying in security, and guess which is always the weakest link? No clue? Einstein knew:

"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."

And here i leave you with a j!nx t-shirt:

So back to the topic of security holes and why i say the media is always wrong. I recently confirmed that a bug that i reported a couple of years ago it's fixed, so let me illustrate what i'm saying with the example. A hotspot company offered internet connection on different establishments for an hourly fee, when you got to the network the only place you can go was the company's establishment site and pay the fee or you won't be able to get into the internet, i think everyone has come across one so i won't get into the details. Also the same company on other establishments offered the connection in exchange of you watching some videos or fill a form and that could only be done in some establishments. Until now this is a pretty good and secure system, you get to establishment A, pay the fee, get internet, go to B, watch a video, get internet, you can't watch a video in A because there is no option for that, all good. Well, not quite, once i went from B where i failed to connect and needed to go right before i clicked "watch the video" and then went to A, to my surprise i got access to B's site and the option to watch the video, so i clicked there and got an internet connection. I never "cracked" anything, used a whole of my technical knowledge or anything, just happend to bypass the security of a system by accident. I tested this a couple of times to be sure what was exactly going on, documented it and informed the hotspot company, no awesome hollywood glorious nonsense or hours in front of a computer hacking, just an iPod with the wrong URL open on it to be able to "crack" a system.

Ok, that's just one time, i was lucky, that doesn't prove your point. Well, i have another example, recently i was playing one of those heavily addictive facebook flash-based games where they give you lifes so you don't play all day long, so i run out of lifes after a while and noticed i had a second tab with the game open, when i went to it to closed guess what happened? My lifes where full! Game gifting lifes? Not really, another bug. The AWESOME flash architecture was playing on my side (yes, i hate flash), so once again i tested it to confirm the bug and what's going on. So once you open the game it downloads this game, checks how many lifes you have and let's you play in case you do and doesn't contact the backend until it needs more data or store some more, so what happens here is i can open a few tabs with the game while i have lifes, backend will report i do have lifes and the game will wait for me to do something, so i can play in one tab, run out of lifes, go to the next tab and i have lifes again! Not all of them are playable, because once the game reports that i lose it will answer with the lifes i do have which is 0, but i can play as many times as tabs i have open. Again no-brainer hack, just terrible architecture.

Ok, i believe you, but what does this has to do with the human being the weakest link always and human stupidity, this is just a technical error. Well yes, but then there is this other times when people find that i'm a security guy and ALWAYS asks me about wikileaks and annonymous and how do they hack this awesomely secure government machines, and i always answer with those quotes, i don't have a single doubt about those hackers skills, but it's quite easy to start the hack for one simple reason: it doesn't matter how secure company computers are, there is every time someone that sends the company confidential files to his personal e-mail account to open it later in the family computer that the wife or kids have already infected with malware surfing the web, and bingo, confidential documents in an easy to steal computer, attach the virus to the file, wait for the user to open it in the company network again and you are done, access to the extra secure network for free! (This is the point where you say "yes i do send company files to my personal e-mail account all the time")

It doesn't matter how skilled or not you are, there are always tricks to fool you, if you don't believe me and think you will never get fooled i dare to attend defcon and open your e-mail in the event's wifi (PROTIP: Do it in front of the wall of sheep and wait :D)

So, in conclusion, don't believe everything the media says, they don't understand computer security so most of the lies are just the result of ignorance, it's not a source to trust. Oh! and no, you didn't won a million dollars in a contest you didn't even signed in, no one is that lucky. And again no, the bank is not asking your personal details over e-mail, they already have them, including your password, why would they ask for information they already have? (This is the point where you go "OMG and what about privacy?" that's for another post, this one is already to long)

BackRead original postSend to a friend

Add comment

Add comment
Show all posts

 Who we are
More about us
Frequently Asked Questions
Updates on identi.ca
Updates on Twitter
Content RSS   
Events RSS   

Add App
Public API
About GTK-Apps.org
Legal Notice
Spreadshirt Shop
CafePress Shop
Sponsor us
Report Abuse

Copyright 2007-2016 GTK-Apps.org Team  
All rights reserved. GTK-Apps.org is not liable for any content or goods on this site.
All contributors are responsible for the lawfulness of their uploads.