State Machine Attacks against TLS →
Clever research leading to the inevitable conclusion that Java is horribly broken:
This figure shows that JSSE clients allow the peer to skip all messages related to key exchange and authentication. In particular, a network attacker can send the certificate of any arbitrary website, and skip the rest of the protocol messages. A vulnerable JSSE client is then willing to accept the certificate and start exchanging unencrypted application data. In other words, the JSSE implementation of TLS has been providing virtually no security guarantee (no authentication, no integrity, no confidentiality) for the past several years.
US Air Traffic Control Computer System Vulnerable to Hackers →
The weaknesses that threaten the Federal Aviation Administration's ability to ensure the safety of flights include the failure to patch known three-year-old security holes, the transmission and storage of unencrypted passwords, and the continued use of "end-of-life" key servers.
I can't even begin to explain exactly how unsurprised I am by this.
Send in The Weathermen →
SOWTs were on the ground ahead of the raid that killed Osama bin Laden, according to military sources, and their work has helped nail pirates, free hostages and respond to humanitarian disasters. Overall, their ranks have tripled in recent years, with more growth expected. No position in the Air Force is a higher priority for recruiters.
But the work of SOWTs is still invisible to the general public; it's often overshadowed by members of the military's rougher quarters, who rarely seem to tire of mocking their colleagues with the weather balloons.
The valedictorians of the military parachute into enemy territory and launch weather balloons. Grand article.
Suite of Sophisticated Nation-State Attack Tools Found With Connection to Stuxnet →
For nearly a year, the researchers [Kaspersky] have been gradually collecting components that belong to several highly sophisticated digital spy platforms that they say have been in use and development since 2001, possibly even as early as 1996, based on when some command servers for the malware were registered. They say the suite of surveillance platforms, which they call EquationLaser, EquationDrug and GrayFish, make this the most complex and sophisticated spy system uncovered to date.
See also Ars Technica:
The accomplishments led Kaspersky researchers to conclude that Equation Group is probably the most sophisticated computer attack group in the world, with technical skill and resources that rival the groups that developed Stuxnet and the Flame espionage malware.
The attackers managed to rewrite hard drives' firmware to enable persistence. Reuters quotes sources saying it was in fact the NSA and quotes Kaspersky's argument:
The authors of the spying programs must have had access to the proprietary source code that directs the actions of the hard drives. That code can serve as a roadmap to vulnerabilities, allowing those who study it to launch attacks much more easily.
"There is zero chance that someone could rewrite the [hard drive] operating system using public information," [lead Kaspersky researcher Costin Raiu] said.
Incredible.
Happy Valentine's Day.
Happy Valentine's Day.
The FCC's Net Neutrality Regime, Explained →
Wow, seems perfectly reasonable. I'm sure I'm missing an existential threat to Internet companies' ability to earn a profit, though.
Man Saves Wife's Sight by 3D Printing Her Tumor →
A neurosurgeon there agreed to consider a minimally invasive operation in which he would access the tumor through Scott's left eyelid and remove it using a micro drill. Balzer had adapted the volume renderings for 3D printing and produced a few full-size models of the front section of Scott's skull on his MakerBot. To help the surgeon vet his micro drilling idea and plan the procedure, Balzer packed up one of the models and shipped it off to Pittsburgh.
The accessibility of medical technology is starting to allow us to do amazing things.