Blackphone, a “secure” cellular phone was launched earlier this week. To be honest, I am a bit disappointed with this device, especially their choice to run an AOSP based ROM. Of course, the very notion of a ‘secure’ cellular phone is a misnomer. No matter how great their platform is, you’re always going to be carrying a portable tracking beacon.
Robert Graham of Errata Security recently wrote in a blog post that over 300,000 hosts are still vulnerable to the OpenSSL heartbleed bug and posited that people had stopped even trying to patch.
While disconcerting, I imagine that a significant portion of the ~300k reported are embedded systems and that sysadmins are likely aware of the issue but effectively have their hands tied until their vendors ship a patch. Given that many consumer devices like DSL CPEs are seldom updated, and many ISPs make the mistake of leaving remote administration open without even applying basic security hygiene practices like IP filtering to only their internal networks, I assume that these problems won’t be solved any time soon. Heck, there are still routers affected by the D-Link hardcoded administrative password vulnerability that remain accessible.
My canary has been updated as at 13:16 PDT.
The US House of Representatives today passed an amendment under which NSA programs designed to introduce backdoors will no longer be funded. The bipartisan agreement, entitled ‘Massie-Lofgren’, was billed as an exciting development by the EFF, with Mark Rumold – the Foundation’s counsel – stating that they “applaud the House for taking this important first step, and we look forward to other elected officials standing up for our right to privacy.” Many, including myself, have questioned whether the new bill will truly be effective in curtailing the NSA’s spying – at least on the domestic front. I suspect that it will be business as usual for the NSA and their associated contractors and affiliates.
Matthew Green has an excellent blog post explaining the Triple Handshake TLS vulnerability.
Krebs has an interesting article on an attempt by some whitehats to steal control of the gameover (Zeus) botnet.
The security world sure moves fast! A website (http://truecrypt.ch/) has been created with a stated intent to continue maintaining the Truecrypt code, obviously starting with the last fully functioning code base of 7.1a. The site also has a mirror of the TC installers for various platforms. Whether this will amount to anything is anyone’s guess at this point in time.