Security quotes of the week

It checks to see if the /mnt/ubi_boot/mfg_test/enable file exists, and if so, it fires up a telnet service (among other things). However, the mfg_test directory doesn't exist at all on the production system [...] But with the SSID command injection vulnerability, we can easily create it. The commands to create the file are too long to fit into the restricted 32-character SSID input field, so we'll echo them piecemeal into a shell script and then execute that script [...]

Rooted with nothing but the remote control it came with.

-- /dev/ttyS0 on jailbreaking the Netgear NTV300 "NeoTV"

The industry standard is most Social Security numbers are not encrypted. A lot of banks don't encrypt. It's very complicated. It's very cumbersome. There's a lot of numbers involved with it.
-- South Carolina governor Nikki Haley

If you're going to allow users to download all of their data with one command, you might want to double- and triple-check that command. Otherwise it's going to become an attack vector for identity theft and other malfeasance.
-- Bruce Schneier on "data portability" risks

I have X'd out any information that you could use to change my reservation. But it's all there, PNR, seat assignment, flight number, name, [etc.] But what is interesting is the bolded three on the end. This is the TSA Pre-Check information. The number means the number of beeps. 1 beep no Pre-Check, 3 beeps yes Pre-Check. On this trip as you can see I am eligible for Pre-Check. Also this information is not encrypted in any way.
-- John Butler shows how to change a boarding pass for less TSA screening

This iommu encrypts addresses on the device bus to avoid [divulging] information to hackers equipped with bus analyzers. Following 3DES, addresses are encrypted multiple times. A XOR cypher is employed for efficiency.
-- Avi Kivity (thanks to Michael S. Tsirkin.)

Security quotes of the week

Posted Nov 8, 2012 18:56 UTC (Thu) by ccurtis (guest, #49713)

Oh come on, South Carolina, really?

First, there's Miss Teen USA 2007: http://www.youtube.com/watch?v=lj3iNxZ8Dww

And now in 2012 your governor, a female, stands in front of the world and says math is hard. http://www.youtube.com/watch?v=NO0cvqT1tAE

So very disappointing :-(

Security quotes of the week

Posted Nov 11, 2012 17:10 UTC (Sun) by Baylink (subscriber, #755)

The problem isn't that math is hard (or even that so many female non-Danica McKellar fans just go shopping)...

the problem is that the SSN is an *IDENTIFIER*. Not an authenticator.

As long as we do not make it a federal crime to treat knowledge of an SSN as an authenticator, and put actual people in actual jails, we're going to continue to have this problem ad infinitum.

And I don't mean programmers. I mean project managers and CTOs; O-6 and above, please.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds