Comments for Chakraborty Software http://www.chakraborty.ch Information Security Consulting Services Mon, 24 Oct 2011 14:26:46 +0000 hourly 1 http://wordpress.org/?v=3.3.1 Comment on French Researchers “Hack” TOR by Ralph http://www.chakraborty.ch/exploits/french-researchers-hack-tor/comment-page-1/#comment-4762 Ralph Mon, 24 Oct 2011 14:26:46 +0000 http://www.chakraborty.ch/?p=471#comment-4762 So, a french engineering school can do something the FBI and DOJ can't, with their resources? by DDOSing FBI nodes (presumably clean)? Wonder if they got "Anonymous", who've been attacking some of the sites too. We'll see. So, a french engineering school can do something the FBI and DOJ can’t, with their resources? by DDOSing FBI nodes (presumably clean)? Wonder if they got “Anonymous”, who’ve been attacking some of the sites too.
We’ll see.

]]> Comment on French Researchers “Hack” TOR by Rob_OEM http://www.chakraborty.ch/exploits/french-researchers-hack-tor/comment-page-1/#comment-4761 Rob_OEM Mon, 24 Oct 2011 13:50:20 +0000 http://www.chakraborty.ch/?p=471#comment-4761 I agree with you on the poor details-to-buzzwords ratio. We'll see what it's all about after they show it. However, concerning the inventory phase, I might be able to clarify a thing. In the article they say <cite>most nodes' IP addresses are accessible publicly or using the system's source code</cite> from which I infer <em>all TOR exit nodes are public, some other nodes are hardcoded in the source, most nodes can be discovered using public APIs.</em> The rest of the attack, you got that part, involves the compromise of existing nodes or adding rogue nodes, and DoSing all the others (lame, but they mention a way of essentially making messages loop through fixed nodes in TOR, which sounds great-if-real) I agree with you on the poor details-to-buzzwords ratio. We’ll see what it’s all about after they show it. However, concerning the inventory phase, I might be able to clarify a thing.
In the article they say most nodes’ IP addresses are accessible publicly or using the system’s source code from which I infer all TOR exit nodes are public, some other nodes are hardcoded in the source, most nodes can be discovered using public APIs.
The rest of the attack, you got that part, involves the compromise of existing nodes or adding rogue nodes, and DoSing all the others (lame, but they mention a way of essentially making messages loop through fixed nodes in TOR, which sounds great-if-real)

]]> Comment on Windows Vista Security Guide, Medical Computers by Medical PC http://www.chakraborty.ch/best-practices/windows-vista-security-guide-medical-computers/comment-page-1/#comment-4759 Medical PC Mon, 10 Oct 2011 20:59:47 +0000 http://www.chakraborty.ch/blog/?p=22#comment-4759 excellent article! security is always an issue when your talking about medical computers and the equipment used to store patient information inside hospital and doctors offices. excellent article! security is always an issue when your talking about medical computers and the equipment used to store patient information inside hospital and doctors offices.

]]> Comment on iPad Security — My Overview by Arjo http://www.chakraborty.ch/architecture-design/ipad-security-my-overview/comment-page-1/#comment-4752 Arjo Thu, 07 Jul 2011 20:57:49 +0000 http://www.chakraborty.ch/?p=209#comment-4752 Wait till Max publishes his findings on the iPad....you may not want one...then again, just make sure you don't leave it lying around and let someone like Max gets his hands on it for about 2 minutes. (yep, i saw some of his findings in a demo he did for me)...yikes Wait till Max publishes his findings on the iPad….you may not want one…then again, just make sure you don’t leave it lying around and let someone like Max gets his hands on it for about 2 minutes. (yep, i saw some of his findings in a demo he did for me)…yikes

]]> Comment on iPad Security — My Overview by Laptops and Border Controls » Chakraborty Software http://www.chakraborty.ch/architecture-design/ipad-security-my-overview/comment-page-1/#comment-4114 Laptops and Border Controls » Chakraborty Software Tue, 23 Nov 2010 07:25:20 +0000 http://www.chakraborty.ch/?p=209#comment-4114 [...] iPad Security — My Overview Recent CommentsMr Lakofski on Firesheep and Credentials Sniffing — First ImpressionsAdi on Getting Started in Securityjohn on SSL / SSH and MTU Problemspenglx on SSL / SSH and MTU ProblemsPeter on Securitrons and the Thunk Test [...] [...] iPad Security — My Overview Recent CommentsMr Lakofski on Firesheep and Credentials Sniffing — First ImpressionsAdi on Getting Started in Securityjohn on SSL / SSH and MTU Problemspenglx on SSL / SSH and MTU ProblemsPeter on Securitrons and the Thunk Test [...]

]]> Comment on Firesheep and Credentials Sniffing — First Impressions by Mr Lakofski http://www.chakraborty.ch/exploits/firesheep-and-credentials-sniffing/comment-page-1/#comment-3988 Mr Lakofski Wed, 27 Oct 2010 13:32:16 +0000 http://www.chakraborty.ch/?p=298#comment-3988 You know who this will annoy the most? Our friends in domestic intelligence. You know who this will annoy the most? Our friends in domestic intelligence.

]]> Comment on Getting Started in Security by Adi http://www.chakraborty.ch/organization/getting-started-in-security/comment-page-1/#comment-3925 Adi Tue, 24 Aug 2010 07:33:10 +0000 http://www.chakraborty.ch/?p=199#comment-3925 I am a recent entry in to this field working as an analyst since about a year, having previously worked on grid computing. I can vouch for everything you have listed as being right on the mark, especially about people who end up in this field not starting in it. Your blog has a lighter vein to it making it an extremely enjoyable read, which is a rare thing in this field full of MIB. Keep it coming. I am a recent entry in to this field working as an analyst since about a year, having previously worked on grid computing. I can vouch for everything you have listed as being right on the mark, especially about people who end up in this field not starting in it.

Your blog has a lighter vein to it making it an extremely enjoyable read, which is a rare thing in this field full of MIB. Keep it coming.

]]> Comment on SSL / SSH and MTU Problems by john http://www.chakraborty.ch/standards/ssl-ssh-and-mtu-problems/comment-page-1/#comment-3465 john Wed, 05 May 2010 20:53:38 +0000 http://www.chakraborty.ch/blog/?p=61#comment-3465 Hiya, sorry, what is "B/S"? What kind of SSL gateway are you referring to (product)? Is this the same for everyone? Can you post a link to the customer's page? Hiya,

sorry, what is “B/S”?

What kind of SSL gateway are you referring to (product)? Is this the same for everyone? Can you post a link to the customer’s page?

]]> Comment on SSL / SSH and MTU Problems by penglx http://www.chakraborty.ch/standards/ssl-ssh-and-mtu-problems/comment-page-1/#comment-3464 penglx Wed, 05 May 2010 09:27:18 +0000 http://www.chakraborty.ch/blog/?p=61#comment-3464 we accerd a problem while our customer use the pppoe through ssl Gateway proxy the B/S Application System. the problem show as while the MTU of SSL Gateway set as 1200 we can visit the App(through SSL GATEWAY) but the net action is very slow as open a page need 30 seconds; while the MTU of SSL GATEWAY set higher than 1200(such as 1300 1400) we can't visit the App can you give me some suggestions thank u Best wishes we accerd a problem while our customer use the pppoe through ssl Gateway proxy the B/S Application System.

the problem show as
while the MTU of SSL Gateway set as 1200 we can visit the App(through SSL GATEWAY) but the net action is very slow as open a page need 30 seconds;
while the MTU of SSL GATEWAY set higher than 1200(such as 1300 1400) we can’t visit the App

can you give me some suggestions

thank u
Best wishes

]]> Comment on Securitrons and the Thunk Test by Peter http://www.chakraborty.ch/best-practices/securitrons-and-the-thunk-test/comment-page-1/#comment-3453 Peter Sun, 31 Jan 2010 17:52:02 +0000 http://www.chakraborty.ch/?p=163#comment-3453 As someone that has worked in several bank security management functions with high "thunk" factors, I think there is a solution. However, that solution will require acceptance that a large part of the "thunk" has zero contribution to security, but is there for political and legal reasons, and that demands courage. As yet, I'm not convinced the courage, the will and especially the vision is there to reduce the amount of trees that go into security management. A "thunk" says "we've put some work into this", which translates into "we did everything we could" if things go wrong. It takes a brave person to state that the single sheet of A4 is equivalent.. As someone that has worked in several bank security management functions with high “thunk” factors, I think there is a solution. However, that solution will require acceptance that a large part of the “thunk” has zero contribution to security, but is there for political and legal reasons, and that demands courage.

As yet, I’m not convinced the courage, the will and especially the vision is there to reduce the amount of trees that go into security management. A “thunk” says “we’ve put some work into this”, which translates into “we did everything we could” if things go wrong. It takes a brave person to state that the single sheet of A4 is equivalent..

]]>