Wednesday, December 17, 2014

The FBI Used the Web's Favorite Hacking Tool to Unmask Tor Users | WIRED

Thursday, November 27, 2014


Monday, November 24, 2014

Stealthy, sophisticated 'Regin' malware has been infecting computers since 2008 | PCWorld

Monday, November 3, 2014

Ghosts in the machine language – Elevate

Friday, September 12, 2014

Fwd: [cap-talk] A new type of phishing attack

Sent from my iPhone

Begin forwarded message:

From: Sandro Magi
Date: September 12, 2014 at 9:33:18 EDT
To: General discussions concerning capability systems.
Subject: [cap-talk] A new type of phishing attack
Reply-To: General discussions concerning capability systems.

Interesting new phishing idea:

Basically exploiting a typical user's workflow where they have multiple tabs open. This highlights the real need for a functional petname system.

As a trivial countermeasure, I wonder if it's really necessary for JavaScript to run on inactive tabs.


cap-talk mailing list

Wednesday, August 13, 2014

Fwd: [Caja] Rich-text editors compatible with Caja


Begin forwarded message:

From: 'Kevin Reid' via Google Caja Discuss
Date: August 13, 2014 at 13:17:43 EDT
To: Google Caja Discuss
Subject: Re: [Caja] Rich-text editors compatible with Caja

On Tue, Aug 12, 2014 at 5:04 PM, Andrew Stillman wrote:
Before I lose faith, can anyone comment on whether there is a known or documented compatible rich text editor for Caja?

Unfortunately, most rich text editor components depend on the "contenteditable" browser feature, which is difficult if not impossible to support in a way which meets Caja's security requirements. You would have to use an editor which does not make use of contenteditable (perhaps, as MarkM suggested in another message, a markup editor with preview).

For the technically interested, the problem, as I understand it, is that contenteditable allows arbitrary HTML to be pasted into the document; that HTML can then attack the host page even if it was pasted into the guest. This does not mean that a guest could launch an attack by itself, but it could ask users to perform such an apparently-innocuous action as visiting another page ("try our templates!") and copying content from it.

(Don't take this as the final word; I wasn't present for the original decision and may not have the analysis right.)

I have a hypothesis that this could be mitigated by arranging to sanitize the content immediately after it is pasted, but I haven't tried this idea out to see if it even vaguely works.

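As an added illustration of the mitigation Kevin Reid hypothesises above, here is a paste handler for a contenteditable region that intercepts the paste, parses the clipboard HTML in an inert DOMParser document, keeps only a small allowlist of elements and attributes, and inserts the cleaned nodes at the caret instead of the raw clipboard markup. This is example code written for this page, not code from Caja or from the list thread; the editor element id "editor", the function names and the allowlist policy are assumptions chosen for illustration.

```javascript
// Added example for the Caja thread above; not code from Caja or from the list.
// Assumptions (illustration only): the editor is the element with id "editor",
// and the tag/attribute allowlist below is a policy chosen here.

// Elements that may survive a paste. Anything else is unwrapped (its text is
// kept, the element is dropped) or, for script-bearing elements, removed outright.
const ALLOWED_TAGS = new Set(['P', 'BR', 'B', 'I', 'EM', 'STRONG', 'UL', 'OL', 'LI', 'A']);
// Attributes that may survive, per element. Event handlers (onclick, ...) and
// style are never listed, so they are always stripped.
const ALLOWED_ATTRS = { A: new Set(['href']) };
// Elements whose content must not reach the document even as plain text.
const DROP_WITH_CONTENT = new Set(['SCRIPT', 'STYLE', 'TEMPLATE', 'NOSCRIPT']);

const ELEMENT_NODE = 1; // Node.ELEMENT_NODE
const TEXT_NODE = 3;    // Node.TEXT_NODE

// Allowlist of link targets: http(s), mailto, or a scheme-less relative reference.
function isSafeHref(value) {
  // Browsers drop ASCII tab/newline inside URLs before parsing, so remove them
  // first; otherwise "java<TAB>script:" would slip past the scheme check.
  const v = String(value).replace(/[\t\n\r]/g, '').trim().toLowerCase();
  if (/^(https?:\/\/|mailto:)/.test(v)) return true;
  // Relative references are fine only if they cannot introduce a scheme.
  return !v.includes(':');
}

// Enforce the allowlist in place on a parsed tree.
function sanitizeNode(node) {
  for (const child of Array.from(node.childNodes)) {       // snapshot: we mutate the list
    if (child.nodeType === TEXT_NODE) continue;
    if (child.nodeType !== ELEMENT_NODE) { child.remove(); continue; } // comments etc.
    const tag = child.tagName.toUpperCase();
    if (DROP_WITH_CONTENT.has(tag)) { child.remove(); continue; }
    sanitizeNode(child);                                    // clean descendants first
    if (!ALLOWED_TAGS.has(tag)) {
      child.replaceWith(...Array.from(child.childNodes));   // unwrap, keep its content
      continue;
    }
    const keep = ALLOWED_ATTRS[tag] || new Set();
    for (const attr of Array.from(child.attributes)) {
      if (!keep.has(attr.name) || (attr.name === 'href' && !isSafeHref(attr.value))) {
        child.removeAttribute(attr.name);
      }
    }
  }
}

// Parse untrusted clipboard HTML into an inert document (a DOMParser document
// runs no scripts and loads no resources), sanitize it, and return the body.
function sanitizeHtml(html) {
  const doc = new DOMParser().parseFromString(html, 'text/html');
  sanitizeNode(doc.body);
  return doc.body;
}

// Replace the browser's default paste behaviour with a sanitized insert.
function installPasteGuard(editor) {
  editor.addEventListener('paste', (event) => {
    event.preventDefault();                 // never let the browser insert raw clipboard HTML
    const doc = editor.ownerDocument;
    const html = event.clipboardData.getData('text/html');
    const frag = doc.createDocumentFragment();
    if (html) {
      const body = sanitizeHtml(html);
      for (const n of Array.from(body.childNodes)) frag.appendChild(doc.adoptNode(n));
    } else {
      // No HTML flavour on the clipboard: insert the plain text as a text node.
      frag.appendChild(doc.createTextNode(event.clipboardData.getData('text/plain')));
    }
    const sel = doc.getSelection();
    if (!sel || sel.rangeCount === 0) return;
    const range = sel.getRangeAt(0);
    range.deleteContents();
    range.insertNode(frag);
    sel.collapseToEnd();                    // leave the caret after the inserted content
  });
}

// Wire it up when running in a browser (no-op elsewhere).
if (typeof document !== 'undefined') {
  const editor = document.getElementById('editor'); // assumed element id
  if (editor) installPasteGuard(editor);
}
```

This only closes the paste channel; the `drop` event and any code path that inserts HTML programmatically need the same treatment, and a production editor should prefer a maintained sanitizer such as DOMPurify over a hand-written allowlist (the one here is kept deliberately tiny so the policy stays readable). Whether sanitizing after paste is sufficient under Caja's threat model is the question the message above leaves open.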

Tuesday, July 22, 2014

Do airplanes evolve like birds? -

Tuesday, July 8, 2014

How a bug in Windows might be costing humanity over 600 years of wasted time per day - garry's posthaven

Friday, June 27, 2014



Thursday, June 19, 2014

Cyber attack on oil firms ‘could cost billions’ - Top stories - The Scotsman

Sunday, June 8, 2014

About seL4 | seL4


Saturday, June 7, 2014

Fwd: [cap-talk] Fwd: seL4 is going open source


Begin forwarded message:

From: Mark S. Miller
Date: June 5, 2014 at 8:58:24 EDT
To: General discussions concerning capability systems.
Subject: Re: [cap-talk] Fwd: seL4 is going open source
Reply-To: General discussions concerning capability systems.

Toby, this is great news! Congratulations!

Why the 54 day delay? Why not open source what you have now? If the reason is only to celebrate the anniversary, that seems a silly reason for maintaining the threat of legal action for activities you now intend to allow. Today, as it happens, is also Reset The Net day. Perhaps that could serve as a good enough reason to make the announcement today rather than in 54 days?

In any case, this is awesome news. It may very well change the world. Thanks for this work and this gift to the world!

On Thu, Jun 5, 2014 at 4:24 AM, Toby Murray wrote:

seL4, a capability-based microkernel whose implementation has been
comprehensively formally verified, is soon to be open source along
with its formal proofs and associated tools.

If you're interested, you can find out more at

For those who like academic papers, an overview of seL4 and its
verification is described in the following paper (which I can assure
you is readable without a strong background in formal methods):

Comprehensive formal verification of an OS microkernel
Gerwin Klein, June Andronick, Kevin Elphinstone, Toby Murray, Thomas
Sewell, Rafal Kolanski and Gernot Heiser
ACM Transactions on Computer Systems, vol. 32, no. 1, pp. 2:1--2:70, Feb. 2014


Thursday, May 29, 2014

What To Do If Your iPhone Is Hacked And Remotely Locked : All Tech Considered : NPR

Iranian Hackers Stalked U.S. Officials, Report Says - Bloomberg

Scientists achieve reliable quantum teleportation for first time. Einstein is wrong? That's the potential outcome of a quantum mechanics study as scientists race to disprove his views on entanglement.


Edward Snowden responds to release of e-mail by U.S. officials - The Washington Post

Estonia exercise shows NATO's growing worry about cyber attacks | Science & Technology | Worldbulletin News

Friday, May 23, 2014

The biggest ever cyber attacks and security breaches - Telegraph

Wednesday, May 21, 2014

Car-Hacking Goes Viral In London - Forbes

Dozens of Arrests in 'Blackshades' Hacking Around the World - ABC News

Alleged Chinese Hacking: Alcoa Breach Relied on Simple Phishing Scam -

Military acquisition rules hamper U.S. ability to counter cyber threats

Hackers ramp up computer attacks that demand 'ransom'

Monday, May 19, 2014

Chinese military officers charged with hacking U.S. Steel, Allegheny Technologies, Westinghouse - Pittsburgh Business Times

Dozens of Arrests in 'Blackshades' Hacking Around the World - ABC News

Lockheed Martin says cyber attacks swell - Computer Business Review

Hackers ramp up computer attacks that demand 'ransom'

Sunday, May 18, 2014


Cyber crime and its serious consequences result from the unfettered power gifted to hackers and malware by general purpose computers. Rampant cyber crime and malware are debilitating; this threat and uncertainty limit progress. It is the unpleasant consequence of undetected digital trespass that is in effect authorized by the shortcomings of general purpose computers.

Dangerous default privileges are granted that allow malware to interfere and spy, steal and cause deliberately targeted harm. It is the result of over-exposed data in a dangerous digital framework where authority and boundaries overlap. When data is left naked as a shared binary image, malware takes easy advantage.

Crafted cyber attacks enter through cracks in security to exploit time-shared digital space. This harms the most vital machines of modern cyber society. To solve the problem, computers should guarantee digital integrity by limiting digital authority based on need, following the principle of least authority (POLA).

When the natural form of programs and data coincides with native functionality, critical membranes separate private assets and innately protect each independent digital organ of activity. A typed computer guards these organs as natural, safely embedded objects in a body of software. This removes the voids and cracks of unnatural space that lead to undetected infection and ensuing criminal activity in general purpose computers.

A typed computer is the antithesis of a general purpose computer. It is hardened technology that is easily programmed. It needs no operating system. It uses no privileged modes. It has no default power. It is a direct-drive solution with private peer-to-peer communication. It shares namespace addressing across a network. It is reprogrammed in real time, on the fly, call by call, domain by domain. This solves the problem of deterministic memory safety and enables click-safe usability.

The individual citizens and the unattended control systems of cyber society could be automatically protected by typed computers, but is there time and is there a will to change?
Ken Hamer-Hodges

Exclusive: Meet the Fed's First Line of Defense Against Cyber Attacks