Hacking Vista: Easier than you’d think
Good times..
A guy who uses the handle NerveGas on #iphone has figured out how to enable ssh on the iPhone without using the iPhone restore mode, as it does not work with all public versions of iPhoneInterface. The secret is in overwriting the ‘update’ binary with ‘chmod’ and the plist to trick the iPhone into calling ‘chmod’ on the Dropbear ssh server, which makes it executable. Boom! We can now ssh into our iPhone to send and retrieve files using sftp and/or to do other neat things.
gdb anyone?
NerveGas used Nightwatch’s compiler to create iPhone-compatible versions of curl and ps as well as a number of other useful Unix utilities. Big thanks to NerveGas for this!
Links:
http://iphone.fiveforty.net/wiki/index.php/Dropbear-ssh
http://netkas.freeflux.net/blog/archive/2007/07/22/iphone-binary-shell-compiled.html
http://pastebin.com/m7abdb007
Want to make sure your search history is not being recorded and/or given to some three-letter agency? If so, then maybe you should start using Ask.com. Ask.com has developed AskEraser, a tool that will allow you to wipe your search history. Below is from the Ask.com press release:
“Searchers will have easy access to AskEraser and can change their privacy preference at any time. Once selected, searchers’ privacy settings will be clearly indicated on search results pages so they always know the privacy status of their searches,” the press release stated.
“As search and other online services progress, it’s important for our customers to be able to trust that their information is being used appropriately and in a way that provides value to them,” said Peter Cullen, chief privacy strategist at Microsoft. “We hope others in the industry will join us in developing and supporting principles that address these important issues. People should be able to search and surf online without having to navigate a complicated patchwork of privacy policies.”
“AskEraser is a great solution for those looking for an additional level of privacy when they search online,” said Jim Lanzone, CEO of Ask.com. “Anonymous user data can be very useful to enhance search products for all users, and we’re committed to being open and transparent about how such information is used. But we also understand that there are some who are interested in new tools that will help protect their privacy further, and we will give them that control on Ask.com.”
“Anonymous user data can be very useful to enhance search products for all users, but people should have access to privacy controls based on their level of comfort around the storage of their search data,” said Doug Leeds, vice president of product management at Ask.com. “We’re committed to developing new ways to give consumers the control they are entitled to when it comes to searching online, and hope others will join us in engaging in dialogue on these important issues.”
Ask.com and Microsoft / Live.com have proposed that search engine providers, Internet advertising companies and privacy advocates engage in an active dialogue to discuss privacy considerations posed by the proliferation of search and online advertising. The goal is to determine ways that the industry can work together to define privacy principles that take these new considerations into account. The companies will be providing an update on the progress of this sometime in September.
This sure beats Google as they plan to anonymize search logs every 18 months, and set your cookie expiration to _only_ two years. The previous cookie expiration was set to 2038. Nice!!
The Reddit co-founders, Steve Huffman and Alexis Ohanian, sold their company to Conde Nast at the end of 2006 for an undisclosed amount. Now they’re placing two Apple G4 Powerbooks (12″ & 15″) which were used to start Reddit at this eBay auction. All of the proceeds are going to the American Brain Tumor Association.
**Luck not included**
Owning these laptops will of course do nothing to guarantee the success (or failure) of your web 2.0 startup; it just seemed like a nice pitch. Please hurry and bid before we fall even further into Internet obscurity!!!
The laptops come with all those Reddit alien stickers which Alex designed and the palm imprints of the founders themselves. The bidding is starting at $300 + $60 shipping and handling.
VDA Labs announced today that they have updated their fuzzers EFS and GPF. Below are the details:
We have designed and implemented an Evolutionary Fuzzing System (EFS) to help find new vulnerabilities. Traditional fuzzing techniques require that a new fuzzer be built for each protocol, a never ending process. EFS attempts to eliminate this effort by dynamically learning a protocol using code coverage and other feedback mechanisms.
EFS-PaiMei.zip
EFS_Research_Poster.ppt
Fuzzing is a software testing technique where you supply a program with faulty or randomized data in place of its normally expected input. GPF provides developers, security researchers, and quality assurance professionals the capability to quickly search for bugs/vulnerabilities in the exposed interface of networked applications. GPF uses captured packet sessions (from libpcap) to construct a protocol description from real traffic. Users can then configure various types of injected faults, manually modify the capture file, and define custom functions to deal with dynamic data.
I would suggest checking them out.
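The idea behind EFS described above, coverage feedback steering input generation with no protocol description supplied, shown as an added example (not VDA Labs' code or EFS's own algorithm). The target `toy_server`, the byte pool and all function names are constructed for illustration, and a plain mutate-and-keep loop stands in for EFS's evolutionary search.

```python
import random
import sys

ALPHABET = b"USER a\n"  # constructed byte pool for mutations

def toy_server(msg: bytes) -> str:
    """Constructed stand-in for a networked parser under test."""
    if not msg.endswith(b"\n"):
        return "no-terminator"
    verb, _, arg = msg[:-1].partition(b" ")
    if verb != b"USER":
        return "bad-verb"
    if len(arg) > 8:
        return "long-arg"  # deepest branch, where a length bug would hide
    return "ok"

def coverage_of(data: bytes) -> frozenset:
    """Line numbers of toy_server executed while parsing data."""
    lines = set()
    def tracer(frame, event, arg):
        if frame.f_code is toy_server.__code__ and event == "line":
            lines.add(frame.f_lineno)
        return tracer
    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        toy_server(data)
    finally:
        sys.settrace(previous)  # restore any tracer that was already active
    return frozenset(lines)

def mutate(data: bytes, rng: random.Random) -> bytes:  # insert or delete one byte
    buf = bytearray(data)
    if not buf or rng.random() < 0.5:
        buf.insert(rng.randrange(len(buf) + 1), rng.choice(ALPHABET))
    else:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)

def evolve(seed: bytes, rounds: int, rng_seed: int = 0):
    """Keep only children that execute lines no earlier input reached."""
    rng = random.Random(rng_seed)
    corpus, covered = [seed], set(coverage_of(seed))
    for _ in range(rounds):
        child = mutate(rng.choice(corpus), rng)
        new = coverage_of(child) - covered
        if new:  # fitness signal: new code was exercised
            corpus.append(child)
            covered |= new
    return corpus, covered
```

Starting from an empty seed, the corpus grows only when a child reaches a new branch, which is how the loop works its way toward the terminator, verb and length checks without being told the format.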