<?xml version="1.0" encoding="UTF-8"?><!-- generator="WordPress/2.6" -->
<rss version="0.92">
<channel>
	<title>securitypundit.org/blog</title>
	<link>http://securitypundit.org/blog</link>
	<description>Streaming unconsciousness ..!...</description>
	<lastBuildDate>Tue, 26 Aug 2008 18:45:01 +0000</lastBuildDate>
	<docs>http://backend.userland.com/rss092</docs>
	<language>en</language>
	
	<item>
		<title>iPhone, iWait.</title>
		<description>I'm still waiting to get an iPhone in Spain. It seems stock is either being sold too quickly, I'm too slow, or there's simply a lack of available products.

One amusing thing regarding the iPhone and Spain is that Movistar (mobile operator), who is the Apple partner for the launch here, ...</description>
		<link>http://securitypundit.org/blog/2008/08/26/iphone-iwait/</link>
			</item>
	<item>
		<title>Windows password hint?</title>
		<description>Windows allows users to set a password hint. A user can set this hint to be the same value as their password (on XP SP2, not tested on others). Wrong.

Then I came across this (Vista SP1+):

http://support.microsoft.com/kb/946042

In summary: Setting a hint is now mandatory, but wait, if you don't want to ...</description>
		<link>http://securitypundit.org/blog/2008/07/24/windows-password-hint/</link>
			</item>
	<item>
		<title>IDA Pro on the iPhone.</title>
		<description>This popped up in my inbox today:

http://hexblog.com/2008/07/ida_on_iphone.html

0x417765736f6d6521 Another reason to get one ;-) </description>
		<link>http://securitypundit.org/blog/2008/07/24/idapro-on-the-iphone/</link>
			</item>
	<item>
		<title>CIS Benchmark Tools Suck.</title>
		<description>There, I said it.

Tell me:

	Why do some checks have to be answered manually? (where some = too many)
	Why the "cis value" and the observed system state(s) are NOT displayed in the report? (you have to dig through an XML file for them, pah!)
	Why is said data not presented in detail, i.e. ...</description>
		<link>http://securitypundit.org/blog/2008/07/23/cis-benchmark-tools-suck/</link>
			</item>
	<item>
		<title>A short note on entropy.</title>
		<description>Something popped up today regarding estimation of entropy in relation to session IDs. Here's the example:

	Given a session ID of length 24 and with a character set of 26, what is its potential entropy?

I'm putting this here as a reminder, as I had forgotten and had to look it up. 
The ...</description>
		<link>http://securitypundit.org/blog/2008/07/22/a-short-note-on-entropy/</link>
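		The question above asks for the potential entropy of a 24-character session ID drawn from a 26-character set. The following is an added example, not code from the post: it assumes the standard definition, that a string of L independent, uniformly chosen symbols from an alphabet of N characters carries at most L * log2(N) bits, and it contrasts that upper bound with a rough empirical estimate (per-symbol Shannon entropy times length) over locally generated sample IDs. The sample IDs and the biased "bad generator" weights are constructed here for illustration only.

```python
"""Potential vs. observed entropy of session IDs.

Added example, not from the securitypundit.org post. Assumes the standard
bound: L symbols, each uniform over N characters, give at most L * log2(N)
bits. Sample IDs below are generated locally with a seeded PRNG and are
purely illustrative.
"""
import math
import random
import string
from collections import Counter


def potential_entropy_bits(length, charset_size):
    """Upper bound: every position independent and uniform over the charset."""
    return length * math.log2(charset_size)


def shannon_entropy_per_symbol(ids):
    """Empirical per-symbol Shannon entropy, H = -sum(p * log2(p)), over all characters seen."""
    counts = Counter(ch for sid in ids for ch in sid)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def estimated_entropy_bits(ids):
    """Rough estimate: per-symbol entropy times ID length.

    Treats positions as independent and identically distributed, so it still
    overestimates a generator whose weakness is correlation between positions
    (e.g. a predictable counter or timestamp); it only exposes a skewed alphabet.
    """
    length = len(ids[0])
    return length * shannon_entropy_per_symbol(ids)


def make_ids(count, length, alphabet, weights=None, seed=1):
    """Generate `count` IDs of `length` characters; `weights` skews the alphabet (constructed data)."""
    rng = random.Random(seed)
    return ["".join(rng.choices(alphabet, weights=weights, k=length)) for _ in range(count)]


ALPHABET = string.ascii_lowercase  # 26 characters, as in the post's example


def compare(count=2000, length=24):
    """Potential entropy for the post's parameters next to estimates from two generators."""
    uniform = make_ids(count, length, ALPHABET)
    # Constructed "bad generator": 'a' is emitted fifty times as often as any other letter.
    weights = [50] + [1] * 25
    biased = make_ids(count, length, ALPHABET, weights=weights, seed=2)
    return {
        "potential": potential_entropy_bits(length, len(ALPHABET)),
        "uniform_estimate": estimated_entropy_bits(uniform),
        "biased_estimate": estimated_entropy_bits(biased),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:>17}: {bits:7.2f} bits")
```

For the post's parameters the bound works out to 24 * log2(26), just under 113 bits; the uniform sample lands a hair below that (the empirical estimate of a finite sample never exceeds log2 of the number of symbols actually seen), while the skewed generator drops to roughly 59 bits even though its IDs have the same length and character set. The bound is what the ID format permits; what the generator actually delivers has to be measured.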
			</item>
	<item>
		<title>Why does everyone hate the PCI DSS?</title>
		<description>Just before I took a break, Hannaford was reported to have been compromised, resulting in the exposure of sensitive user data. Doh. However, the interesting aspect of this story (let's face it, there are many breaches of personal data) was the fact that Hannaford were confirmed as being PCI DSS certified. ...</description>
		<link>http://securitypundit.org/blog/2008/07/19/why-does-everyone-hate-the-pci-dss/</link>
			</item>
	<item>
		<title>Setting your (virtual) stall out.</title>
		<description>Some light-hearted repetition that claiming to be “secure” (especially 100% secure) can lead to a negative return on one’s marketing efforts.

For example, make a bold statement:

Reap negative rewards:

Whilst security through obscurity is not recommended, making oneself a target should also be avoided. Perhaps this was not the reason, but it ...</description>
		<link>http://securitypundit.org/blog/2008/07/19/setting-your-virtual-stall-out/</link>
			</item>
	<item>
		<title>The origin of the species.</title>
		<description>According to Ferbrache [1], virus development began on an Apple II. Little did these researchers know that Apple would be able to turn this early blemish into a powerful marketing tool for future generations of Mac products … I guess every cloud does have its brushed steel lining.

[1] http://portal.acm.org/citation.cfm?id=573893 </description>
		<link>http://securitypundit.org/blog/2008/07/19/the-origin-of-the-species/</link>
			</item>
	<item>
		<title>Akhilleus, meet Mr. Tortoise.</title>
		<description>Welcome to the site. Things will be a bit slow to start, but we'll get there eventually ... or maybe not. I guess that's the paradox. </description>
		<link>http://securitypundit.org/blog/2008/07/19/hello-world/</link>
			</item>
</channel>
</rss>
