Friday, September 12, 2014

Fwd: [cap-talk] A new type of phishing attack

Sent from my iPhone

Begin forwarded message:

From: Sandro Magi <smagi@higherlogics.net>
Date: September 12, 2014 at 9:33:18 EDT
To: "General discussions concerning capability systems." <cap-talk@mail.eros-os.org>
Subject: [cap-talk] A new type of phishing attack
Reply-To: "General discussions concerning capability systems." <cap-talk@mail.eros-os.org>

Interesting new phishing idea:

http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/

Basically exploiting a typical user's workflow where they have multiple tabs open. This highlights the real need for a functional petname system.

As a trivial countermeasure, I wonder if it's really necessary for JavaScript to run on inactive tabs.

Sandro

_______________________________________________
cap-talk mailing list
cap-talk@mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/cap-talk

Wednesday, August 13, 2014

Fwd: [Caja] Rich-text editors compatible with Caja

Sent from my iPhone

Begin forwarded message:

From: "'Kevin Reid' via Google Caja Discuss" <google-caja-discuss@googlegroups.com>
Date: August 13, 2014 at 13:17:43 EDT
To: Google Caja Discuss <google-caja-discuss@googlegroups.com>
Subject: Re: [Caja] Rich-text editors compatible with Caja
Reply-To: google-caja-discuss@googlegroups.com

On Tue, Aug 12, 2014 at 5:04 PM, Andrew Stillman <astillman@gmail.com> wrote:
Before I lose faith, can anyone comment on whether there is a known or documented compatible rich text editor for Caja?

Unfortunately, most rich text editor components depend on the "contenteditable" browser feature, which is difficult if not impossible to support in a way which meets Caja's security requirements. You would have to use an editor which does not make use of contenteditable (perhaps, as MarkM suggested in another message, a markup editor with preview).

For the technically interested, the problem, as I understand it, is that contenteditable allows arbitrary HTML to be pasted into the document; that HTML can then attack the host page even if it was pasted into the guest. This does not mean that a guest could launch an attack by itself, but it could ask users to perform such an apparently-innocuous action as visiting another page ("try our templates!") and copying content from it.

(Don't take this as the final word; I wasn't present for the original decision and may not have the analysis right.)

I have a hypothesis that this could be mitigated by arranging to sanitize the content immediately after it is pasted, but I haven't tried this idea out to see if it even vaguely works.

--

---
You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-caja-discuss+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
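Kevin Reid's hypothesis above, sanitizing the pasted content as soon as it lands, can be sketched as a paste handler that cancels the browser's default paste and inserts an allowlisted rebuild of the clipboard HTML instead. This is an added example, not code from the Caja project or from the thread; the tag and attribute allowlists, the `installPasteGuard` name and the use of `execCommand("insertHTML")` for insertion are assumptions.

```javascript
// Added example (not Caja code): rebuild pasted HTML from an allowlist and
// install it as a paste handler on a contenteditable element.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "a"]);
const ALLOWED_ATTRS = { a: new Set(["href"]) }; // every other attribute is dropped
// Elements whose body must never be re-interpreted are cut out with their content.
const DROP_WITH_CONTENT = /<(script|style|iframe|object|embed)\b[^>]*>[\s\S]*?<\/\1\s*>/gi;

function escapeText(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Only absolute http(s)/mailto URLs survive; javascript:, data: and obfuscated schemes fail the prefix test.
function safeHref(raw) {
  const v = raw.trim().replace(/^["']|["']$/g, "");
  return /^(https?:|mailto:)/i.test(v) ? v : null;
}

// Rebuild from scratch: text is escaped, tags are emitted only if allowlisted,
// attributes only if allowlisted for that tag (so on* handlers never survive).
function sanitizeHtml(fragment) {
  const src = fragment.replace(DROP_WITH_CONTENT, "").replace(/<!--[\s\S]*?-->/g, "");
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let out = "", last = 0, m;
  while ((m = tagRe.exec(src)) !== null) {
    out += escapeText(src.slice(last, m.index));
    last = tagRe.lastIndex;
    const name = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;      // unknown element: tag dropped, text kept
    if (m[0][1] === "/") { if (name !== "br") out += `</${name}>`; continue; }
    let attrs = "", a;
    const attrRe = /([a-zA-Z-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)/g;
    while (ALLOWED_ATTRS[name] && (a = attrRe.exec(m[2])) !== null) {
      if (!ALLOWED_ATTRS[name].has(a[1].toLowerCase())) continue;
      const href = safeHref(a[2]);              // href is the only allowlisted attribute
      if (href) attrs += ` href="${escapeText(href)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  return out + escapeText(src.slice(last));
}
// Browser side: cancel the default paste and insert the sanitized fragment.
function installPasteGuard(editor) {
  editor.addEventListener("paste", (ev) => {
    ev.preventDefault();
    const html = ev.clipboardData.getData("text/html");
    const clean = html ? sanitizeHtml(html) : escapeText(ev.clipboardData.getData("text/plain"));
    document.execCommand("insertHTML", false, clean); // the 2014-era insertion API
  });
}
```

The rebuild-from-allowlist shape matters more than the tokenizer: nothing from the pasted source reaches the editor except escaped text and href values that passed the scheme check, so event-handler attributes and javascript: URLs cannot survive. A production editor would still want a parser-based sanitizer, since browsers re-parse the inserted string and a hand-written tokenizer will not track every parsing quirk.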

Saturday, June 7, 2014

Fwd: [cap-talk] Fwd: seL4 is going open source

Sent from my iPhone

Begin forwarded message:

From: "Mark S. Miller" <erights@google.com>
Date: June 5, 2014 at 8:58:24 EDT
To: "General discussions concerning capability systems." <cap-talk@mail.eros-os.org>
Subject: Re: [cap-talk] Fwd: seL4 is going open source
Reply-To: "General discussions concerning capability systems." <cap-talk@mail.eros-os.org>

Toby, this is great news! Congratulations!

Why the 54 day delay? Why not open source what you have now? If the reason is only to celebrate the anniversary, that seems a silly reason for maintaining the threat of legal action for activities you now intend to allow. Today, as it happens, is also Reset The Net day <https://www.resetthenet.org/>. Perhaps that could serve as a good enough reason to make the announcement today rather than in 54 days?

In any case, this is awesome news. It may very well change the world. Thanks for this work and this gift to the world!

On Thu, Jun 5, 2014 at 4:24 AM, Toby Murray <tobycmurray@googlemail.com> wrote:
cap-talkers:

seL4, a capability-based microkernel whose implementation has been
comprehensively formally verified, is soon to be open source along
with its formal proofs and associated tools.

If you're interested, you can find out more at http://sel4.systems

For those who like academic papers, an overview of seL4 and its
verification is described in the following paper (which I can assure
you is readable without a strong background in formal methods):

Comprehensive formal verification of an OS microkernel
Gerwin Klein, June Andronick, Kevin Elphinstone, Toby Murray, Thomas
Sewell, Rafal Kolanski and Gernot Heiser
ACM Transactions on Computer Systems, vol. 32, no. 1, pp. 2:1--2:70, Feb. 2014
http://ssrg.nicta.com.au/publications/nictaabstracts/Klein_AEMSKH_14.abstract.pml

Cheers

Toby
_______________________________________________
cap-talk mailing list
cap-talk@mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/cap-talk

--
    Cheers,
    --MarkM
_______________________________________________
cap-talk mailing list
cap-talk@mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/cap-talk

Thursday, May 29, 2014

What To Do If Your iPhone Is Hacked And Remotely Locked : All Tech Considered : NPR

http://www.npr.org/blogs/alltechconsidered/2014/05/27/316349812/what-to-do-if-you-iphone-is-hacked-and-remotely-locked


Sent from my iPhone

Iranian Hackers Stalked U.S. Officials, Report Says - Bloomberg

http://mobile.bloomberg.com/news/2014-05-29/iranian-hackers-stalked-u-s-officials-report-says.html


Sent from my iPhone

Scientists achieve reliable quantum teleportation for first time

http://www.cnet.com/news/scientists-achieve-reliable-quantum-teleportation-for-the-first-time/

Einstein is wrong? That's the potential outcome of a quantum mechanics study as scientists race to disprove his views on entanglement.


Sent from my iPhone

Edward Snowden responds to release of e-mail by U.S. officials - The Washington Post

http://m.washingtonpost.com/world/national-security/edward-snowden-responds-to-release-of-e-mail-by-us-officials/2014/05/29/95137e1c-e781-11e3-afc6-a1dd9407abcf_story.html


Sent from my iPhone

Estonia exercise shows NATO's growing worry about cyber attacks | Science & Technology | Worldbulletin News

http://www.worldbulletin.net/science-technology/137567/estonia-exercise-shows-natos-growing-worry-about-cyber-attacks


Sent from my iPhone

Sunday, May 18, 2014

THE UNCERTAINTY OF GENERAL PURPOSE DIGITAL COMPUTERS

Cyber crime and its serious consequences result from the unfettered power gifted to hackers and malware by general purpose computers. Rampant cyber crime and malware are debilitating. This threat and uncertainty limit progress. It is the unpleasant consequence of undetected digital trespass that is, in effect, authorized by the shortcomings of general purpose computers.
Dangerous default privileges are granted that allow malware to interfere and spy, steal and cause deliberately targeted harm. It is the result of over-exposed data in a dangerous digital framework where authority and boundaries overlap. When data is left naked as a shared binary image, malware takes easy advantage.
Crafted cyber attacks enter through cracks in security to exploit time-shared digital space. This harms the most vital machines of modern cyber society. To solve the problem, computers should guarantee digital integrity by limiting digital authority based on need, following a POLA (principle of least authority) mantra.
When the natural form of programs and data coincides with native functionality, critical membranes separate private assets and innately protect each independent digital organ of activity. A typed computer guards these organs as natural, safely embedded objects in a body of software. This removes the voids and cracks of unnatural space that lead to undetected infection and ensuing criminal activity in general purpose computers.
A typed computer is the antithesis of a general purpose computer. It is technology-hardened and easily programmed. It needs no operating system. It uses no privileged modes. It has no default power. It is a direct-drive solution with private peer-to-peer communication. It shares namespace addressing across a network. It is reprogrammed in real time, on the fly, call by call, domain by domain. This solves the problem of deterministic memory safety and enables click-safe usability.
The individual citizens and the unattended control systems of cyber society could be automatically protected by typed computers, but is there time, and is there a will, to change?
Ken Hamer-Hodges

Exclusive: Meet the Fed's First Line of Defense Against Cyber Attacks

http://www.foreignpolicy.com/articles/2014/04/28/exclusive_meet_the_secret_fed_cyber_security_unit_keeping_trillions_of_dollars_s


Sent from my iPhone