Quick Information About POODLE SSLv3 Attack

Information about this breaking SSL attack is coming in from a variety of sources.  I will share some better links.

A couple of articles to get you started, sent to me via Jan Schaumann (Twitter: @jschauma).  The Errata article describes browser settings you can apply to stop POODLEs dead in their tracks.

Errata Security: Some POODLE Notes
Matthew Green: Attack of the Week, POODLE

Next, a link from Oona Räisänen (Twitter: @windyoona) for a POODLE test tool to check if your browser is vulnerable.


For OS X users who would like to run Chrome or Firefox with command line options from the desktop, read on.

To easily click and open from your desktop, create a bash script like the following.  Use VI, TextEdit, TextMate, TextWrangler, or your favorite text editor.

open -a "Google Chrome" --args --ssl-version-min=tls1 &

Save the preceding to a file named chrometls.command.  Open the directory where chrometls.command is stored; on my system I store scripts in ~/bin.  Next, make sure chrometls.command is executable by running the following.

chmod +x chrometls.command

Now open up Finder and drop a copy of the chrometls.command you created on your desktop.  Double-click this file on your desktop and OS X will launch Chrome – bada bing, bada boom, you’re done!

If the terminated shell is messing with your OCD, there is an option to automatically close shell windows once the command or script terminates.  Open a Terminal; in the Terminal preferences, on the profile tab, you will see a set of drop-down options, “When the shell exits”.  Change the value to “close if the shell exited cleanly”.  After you launch the browser the shell will close automagically.  I write some shell scripts on occasion but not usually under OS X, so I thought I would pass this along for those in need.

When I run Chrome in this way I see the Springfield Terrier, indicating I’m not vulnerable; the command line arguments from Errata work for me.
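
The launcher steps above as one script, with a check for the most common way they fail: typographic quotes and dashes picked up when the command is copied from a web page. This is an added example, not part of the original post; the function names make_launcher and check_launcher and the shebang line in the generated file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build and validate the chrometls.command launcher.
# Usage: check_launcher "$(make_launcher "$HOME/bin")"

# Write the launcher into directory $1 and mark it executable; print its path.
make_launcher() {
    dir=$1
    file="$dir/chrometls.command"
    mkdir -p "$dir" || return 1
    cat > "$file" <<'EOF'
#!/bin/sh
# Start Chrome with SSLv3 disabled: the minimum protocol version is TLS 1.0.
open -a "Google Chrome" --args --ssl-version-min=tls1 &
EOF
    chmod +x "$file" || return 1
    printf '%s\n' "$file"
}

# Return 0 only if launcher $1 is executable and its flags are intact.
#   1 = not executable, 2 = non-ASCII characters, 3 = flag missing
check_launcher() {
    file=$1
    [ -x "$file" ] || { echo "not executable: $file" >&2; return 1; }
    # Curly quotes and en dashes are multi-byte; a clean launcher is plain ASCII.
    if LC_ALL=C grep -q '[^[:print:][:space:]]' "$file"; then
        echo "smart quotes or dashes in $file; retype them as \" and --" >&2
        return 2
    fi
    grep -q -- '--args --ssl-version-min=tls1' "$file" || {
        echo "missing --ssl-version-min=tls1 in $file" >&2
        return 3
    }
}
```

A launcher that fails with status 2 still starts Chrome in many cases, but the browser never receives the flag, so SSLv3 stays enabled without any error message.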


TED: Glenn Greenwald, Why Privacy Matters

At the TEDGlobal 2014 conference Glenn Greenwald (THE//INTERCEPT) provides his views on privacy in his session, VIDEO: Why Privacy Matters.  A focal point of Greenwald’s session is a key viewpoint held by many Americans – privacy is only important for those with something to hide.

Following the Edward Snowden revelations, we know that since the 9/11 terrorist attacks the government expanded the scope of its warrantless surveillance operations to include average Americans (e.g., bulk surveillance).  When the news broke there were two sharply divided camps: those strongly opposed, and a much larger group of the public that was generally apathetic.  Most of those who are apathetic believe privacy is only important for those with something to hide.  They hold that bad people are people who plot terrorist attacks, engage in criminal acts, and have a reason to hide their activities.  Good people are people who go to work, raise children, watch television, use the Internet to read the news, find recipes, or plan kids’ Little League games, etc.  These good people are doing nothing wrong, have nothing to hide, and therefore have no reason to fear government monitoring.  Greenwald explains most of these people have sharply defined world views and deprecate themselves.

“The people who say that, that privacy is not really important, they don’t actually believe it”, Glenn Greenwald

Greenwald continues to explain how noteworthy tech industry figures like Eric Schmidt (Google, Chief Executive Chairman) and Mark Zuckerberg (Facebook, CEO) tell the public privacy is only for those with something to hide, yet they take strong personal measures to safeguard their own privacy, a seeming double standard.  Returning to the apathetic point of view on privacy, Greenwald explains an approach to uncover how people truly feel about privacy.  To uncover these feelings, Greenwald tells people to provide their user ids and passwords to all their email accounts, including the secret ones, and other applications.  Greenwald then says he will open each account to find information of interest that he may decide to publish later.  Of all the people Greenwald has spoken with, none have taken him up on his offer.  His point is that everyone has at least some information they don’t want to share publicly.  While most of us say we don’t have much to hide, we don’t desire to be completely open either.  Since we have always had the expectation of privacy (4th Amendment), it’s difficult to know how valuable privacy could be when we no longer have it.

Greenwald goes on to explain a design for prisons called the Panopticon.  The salient point of the panopticon design is that it’s not possible for prison inmates to know when those in control are observing them and when they are not.  The effect is that behavior options are reduced and inmate behavior is altered: a virtual prison within the mind of the inmate.  Greenwald says a similar situation has occurred on the Internet.  A combination of the lack of anonymity and constant surveillance creates an environment where the public self-censors or polices its own online behavior, a powerful virtual prison, like inmates in a panopticon.


PIN Number Analysis

Interesting article by Data Genetics on PIN Analysis sent via Bruno Borges (Twitter: @brunoborges).  I included one of their tables (photo to left).  As an example, if an adversary chooses PIN “1234” they will be correct about 11% of the time.  This implies that if they steal 100 ATM cards and try 1234 for the PIN they will likely be successful on 11 cards.  Furthermore, 26.83% of all PINs could be guessed choosing only numbers from the table – better odds than Vegas.  Readers will also learn how to choose better PINs, among other interesting PIN factoids.