The soy sauce of security
Reportes | Posted by jergas on Thursday June 02, @09:26AM, 2011
from the kriptoman dept.
Cryptology is not the soy sauce of security! What do I mean by that? Read the following quote, and if you found it interesting, open the article. If it bores you, I'll treat you to a session of 'argument clinic' the next time we meet online.
But wait, there is more!: Note the serialized_key column. Can you guess what that is for? Well, if you follow some spaghetti in the User class, that is their serialized public/private encryption key pair. You might have heard that Diaspora seeds use encryption when talking between each other so that the prying eyes of Mark Zuckerberg can’t read your status updates. Well, bad news bears: the attacker can silently overwrite your key pair, replacing it with one he generated. Since he now knows your private key, regardless of how well-implemented your cryptography is, he can read your messages at will.
On the Diaspora launch and security (heads up: it's in English!) is a fascinating article that describes, in an easy and accessible way, certain mistakes the Diaspora developers made at the start (when launching the alpha, which we nonetheless hope will be gone before the omega, heh). Of course, what makes them good hackers is not knowing everything from the start, but rather that, in the immortal words of the motto of the elite US forces, 'they adapt, improvise and overcome'! It is clear that paying attention to the people who review your code is in itself a good security practice, or, put another way, the thousands of eyes don't make your bugs any shallower if you don't listen to the mouths attached to them. Thanks to Jose for showing me this article!
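The key-overwrite problem in the quote above, as an added example in Ruby (not Diaspora's code): a minimal user record with a server-generated key pair, an update path that writes every submitted field into the record, and an allow-listed update path that refuses to touch serialized_key. The class, the field names other than serialized_key and the assumption that the key pair is stored as a PEM string are all constructed for this example; the page does not say which code path Diaspora actually used.

```ruby
# Added example, not Diaspora's code: shows how a stored key pair is silently
# overwritten when every submitted field is written to the record, and how an
# allow-list of editable fields prevents it.
require 'openssl'

class User
  attr_reader :name, :bio, :serialized_key

  # Fields a user may change through a profile form. The key pair is
  # deliberately absent: it is only ever set by generate_key_pair!.
  EDITABLE = %w[name bio].freeze

  def initialize(name)
    @name = name
    @bio = ''
    generate_key_pair!
  end

  # Server-side key generation. The private-key PEM stands in for what a
  # "serialized_key" column would hold (storage format is an assumption).
  def generate_key_pair!
    @serialized_key = OpenSSL::PKey::RSA.new(2048).to_pem
  end

  def public_key
    OpenSSL::PKey::RSA.new(@serialized_key).public_key
  end

  # VULNERABLE: writes any submitted field straight into the object, so a
  # request that carries serialized_key replaces the user's key pair.
  def update_unchecked(params)
    params.each { |field, value| instance_variable_set("@#{field}", value) }
    self
  end

  # HARDENED: only allow-listed fields are written; everything else is
  # dropped and returned so the rejected attempt can be logged.
  def update_checked(params)
    rejected = params.keys.map(&:to_s) - EDITABLE
    params.each do |field, value|
      next unless EDITABLE.include?(field.to_s)
      instance_variable_set("@#{field}", value)
    end
    rejected
  end
end
```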

    A clarification
    by Víctor Martínez on Thursday June 02, @01:50PM
    The text is about the pre-alpha release; Diaspora is in Alpha at the moment. Things are expected to break and stop working; hopefully it reaches a stable release soon. I liked many parts of the text, but I'll keep the final paragraph.
    Is Diaspora Secure After The Patches? No. The team is manifestly out of their depth with regards to web application security, and it is almost certainly impossible for them to gather the required expertise and still hit their timetable for public release in a month. You might believe in the powers of OSS to gather experts (or at least folks who have shipped a Rails app, like myself) to Diaspora's banner and ferret out all the issues. You might also believe in magic code-fixing fairies. Personally, I'd be praying for the fairies because if Diaspora is dependent on the OSS community their users are screwed. There are, almost certainly, exploits as severe as the above ones left in the app, and there almost certainly will be zero-day attacks by hackers who would like to make the headline news. "Facebook Competitor Diaspora Launches; All Users' Data Compromised Immediately" makes for a smashing headline in the New York Times, wouldn't you say? Include here the disclaimer that I like OSS, think the Diaspora team is really cool, and don't mean to crush their spirits when I say that their code is unprofessional and not ready to be exposed to dedicated attackers any time soon.

    Re: The soy sauce of security
    by jergas on Wednesday June 22, @08:02PM

    True, there will still be bugs, but there hasn't been another piece of news as serious as that one. Anyway, time will tell; for now, that's exactly why we put it in a sandbox, right?


    Re: The soy sauce of security
    by ernesto on Friday June 03, @09:51AM
    I think you're right about the hackerish way of proceeding. The catch is: when?
    Regards


    • Re: The soy sauce of security
      by jergas on Wednesday June 22, @08:04PM
      When what?
