Podcasts about sha1

Welcome to The Nonlinear Library, where we use Text-to-Speech software to convert the best writing from the Rationalist and EA communities into audio. This is: LLMs and computation complexity, published by Jonathan Marcus on April 28, 2023 on LessWrong. Epistemic status: Speculative. I've built many large AI systems in my previous HFT career but have never worked with generative AIs. I am leveling up in LLMs by working things out from base principles and observations. All feedback is very welcome. Tl;dr: An LLM cannot solve computationally hard problems. Its ability to write code is probably its skill of greatest potential. I think this reduces p(near term doom). An LLM takes the same amount of computation for each generated token, regardless of how hard it is to predict. This limits the complexity of any problem an LLM is trying to solve. Consider two statements: "The richest country in North America is the United States of ______" "The SHA1 of 'abc123', iterated 500 times, is _______" An LLM's goal is to predict the best token to fill in the blank given its training and the previous context. Completing statement 1 requires knowledge about the world but is computationally trivial. Statement 2 requires a lot of computation. Regardless, the LLM performs the same amount of work for either statement. It cannot correctly solve computationally hard statements like #2. Period. If it could, that would imply that all problems can be solved in constant time, which is provably (and obviously) false. Why does this matter? It puts some bounds on what an LLM can do. Zvi writes: Eliezer Yudkowsky does not see any of this as remotely plausible. He points out that in order to predict all the next word in all the text on the internet and all similar text, you need to be able to model the processes that are generating that text. And that predicting what you would say is actually a good bit harder than it is to be a being that says things - predicting that someone else would say is tricker and requires more understanding and intelligence than the someone else required to say it, the problem is more constrained. And then he points out that the internet contains text whose prediction outright requires superhuman capabilities, like figuring out hashes, or predicting the results of scientific experiments, or generating the result of many iterations of refinement. A perfect predictor of the internet would be a superintelligence, it won't ‘max out' anywhere near human. I interpret this the opposite way. Being a perfect predictor of the internet would indeed require a superintelligence, but it cannot be done by an LLM. How does an LLM compute? What kinds of problems fall into category 2 (i.e., clearly unanswerable by an LLM)? Let's dig in to how an LLM computes. For each token, it reviews all the tokens in its context window "at least once", call it O(1) time. To produce n tokens, it does O(n^2) work. Without being too precise about the details, this roughly means it can't solve problems that are more complex than O(n^2). Consider some examples (all tested with GPT-4): Addition, O(1) It's not always accurate, but it's usually able to do addition correctly. Sorting, O(n log n) I asked it to sort 100 random integers that I'd generated, and it got it right. My guess is that it doesn't have the internal machinery to do a quick sort, and was probably doing something more like O(n^2), but either way that's within its powers to get right, and it got it. Matrix multiplication, O(n^3) I generated a 3x3 matrix called A and told it to compute AA. This was interesting, let's look at what it did: Pretty cool! It executed the naive matrix multiplication algorithm by using O(n^3) tokens to do it step-by-step. If I ask it to do it without showing its work, it hallucinates an incorrect answer: The result was the right shape, and the elements had approximately the right number of digits. Slight problem: the elements are all incorrect. Whoops. This makes sense though....

Link to original articleWelcome to The Nonlinear Library, where we use Text-to-Speech software to convert the best writing from the Rationalist and EA communities into audio. This is: LLMs and computation complexity, published by Jonathan Marcus on April 28, 2023 on LessWrong. Epistemic status: Speculative. I've built many large AI systems in my previous HFT career but have never worked with generative AIs. I am leveling up in LLMs by working things out from base principles and observations. All feedback is very welcome. Tl;dr: An LLM cannot solve computationally hard problems. Its ability to write code is probably its skill of greatest potential. I think this reduces p(near term doom). An LLM takes the same amount of computation for each generated token, regardless of how hard it is to predict. This limits the complexity of any problem an LLM is trying to solve. Consider two statements: "The richest country in North America is the United States of ______" "The SHA1 of 'abc123', iterated 500 times, is _______" An LLM's goal is to predict the best token to fill in the blank given its training and the previous context. Completing statement 1 requires knowledge about the world but is computationally trivial. Statement 2 requires a lot of computation. Regardless, the LLM performs the same amount of work for either statement. It cannot correctly solve computationally hard statements like #2. Period. If it could, that would imply that all problems can be solved in constant time, which is provably (and obviously) false. Why does this matter? It puts some bounds on what an LLM can do. Zvi writes: Eliezer Yudkowsky does not see any of this as remotely plausible. He points out that in order to predict all the next word in all the text on the internet and all similar text, you need to be able to model the processes that are generating that text. And that predicting what you would say is actually a good bit harder than it is to be a being that says things - predicting that someone else would say is tricker and requires more understanding and intelligence than the someone else required to say it, the problem is more constrained. And then he points out that the internet contains text whose prediction outright requires superhuman capabilities, like figuring out hashes, or predicting the results of scientific experiments, or generating the result of many iterations of refinement. A perfect predictor of the internet would be a superintelligence, it won't ‘max out' anywhere near human. I interpret this the opposite way. Being a perfect predictor of the internet would indeed require a superintelligence, but it cannot be done by an LLM. How does an LLM compute? What kinds of problems fall into category 2 (i.e., clearly unanswerable by an LLM)? Let's dig in to how an LLM computes. For each token, it reviews all the tokens in its context window "at least once", call it O(1) time. To produce n tokens, it does O(n^2) work. Without being too precise about the details, this roughly means it can't solve problems that are more complex than O(n^2). Consider some examples (all tested with GPT-4): Addition, O(1) It's not always accurate, but it's usually able to do addition correctly. Sorting, O(n log n) I asked it to sort 100 random integers that I'd generated, and it got it right. My guess is that it doesn't have the internal machinery to do a quick sort, and was probably doing something more like O(n^2), but either way that's within its powers to get right, and it got it. Matrix multiplication, O(n^3) I generated a 3x3 matrix called A and told it to compute AA. This was interesting, let's look at what it did: Pretty cool! It executed the naive matrix multiplication algorithm by using O(n^3) tokens to do it step-by-step. If I ask it to do it without showing its work, it hallucinates an incorrect answer: The result was the right shape, and the elements had approximately the right number of digits. Slight problem: the elements are all incorrect. Whoops. This makes sense though....

Gearing up for the break - Happy Holidays to All! Eric does some christmas light wardriving, Jon has a cookie party and has gifts delivered. Apple introduces new security features and Google encrypts some emails. NIST retires SHA1 and Apple fixes another zero-day. Eric rains on Jon's fusion parade and Jon relives 6 times his mind was blown. 0:00 - Intro 11:00 - Apple Security Features 16:29 - Gmail Encryption 18:26 - NIST Retires SHA1 21:02 - Apple Zero Day 23:44 - Why Fusion Will Never Happen 31:25 - Mind Blowing Quantum Physics

Google ads lead to fake software pages pushing IcedID (Bokbot) https://isc.sans.edu/diary/Google%20ads%20lead%20to%20fake%20software%20pages%20pushing%20IcedID%20%28Bokbot%29/29344 HTML smugglers turn to SVG images https://blog.talosintelligence.com/html-smugglers-turn-to-svg-images/ GitHub Improvements https://github.blog/2022-12-14-raising-the-bar-for-software-security-next-steps-for-github-com-2fa/ NIST Retires SHA-1 https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm

Google ads lead to fake software pages pushing IcedID (Bokbot) https://isc.sans.edu/diary/Google%20ads%20lead%20to%20fake%20software%20pages%20pushing%20IcedID%20%28Bokbot%29/29344 HTML smugglers turn to SVG images https://blog.talosintelligence.com/html-smugglers-turn-to-svg-images/ GitHub Improvements https://github.blog/2022-12-14-raising-the-bar-for-software-security-next-steps-for-github-com-2fa/ NIST Retires SHA-1 https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm

Topics - - Apple Wallet and Personal Data Storage - Public Health will start gathering Canadians' cellphone location data - Canadian Surveillance Concerns - NON KYC Bitcoin Way You Can Support The Podcast - Direct Donations and tips on our support page https://www.closedntwrk.com/support/ Download a Podcast 2.0 app. We recommend Breez or Fountain. You can load them up with Bitcoin / Sats and stream sats to the podcast. https://podcastindex.org/apps - NEWPODCASTAPPS.COM Leave a review for the podcast, you can do this by visiting https://www.closedntwrk.com/reviews/ Reviews are greatly appreciated and of course share the podcast with friends or family Great blog with self hosting articles and guides https://theselfhostingblog.com/ KYC / AML Bitcoin Options https://twitter.com/econoalchemist/status/1483247933877223424?s=20 New sensitive breach: "ShockGore", a site for sharing graphic content of gore and animal cruelty was breached in Aug 2020. Data included email, IP, unsalted SHA1 hashes and private messages, many asking for depraved material. 36% already in @haveibeenpwned https://haveibeenpwned.com Tweet Reference - https://twitter.com/haveibeenpwned/status/1483955633045258240?s=20 Opinion: It's dangerously stupid to put your state ID in your Apple Wallet - https://thenextweb.com/news/dangerously-stupid-state-id-in-your-apple-wallet Public Health will start gathering Canadians' cellphone location data - https://www.rebelnews.com/public_health_will_start_gathering_canadians_cell_phone_location_data

Photo:  Aerial view of Apple Park, the corporate headquarters of Apple Inc., located in Cupertino, California. The roof is covered in solar panels with an output of 17 MWp, making it one of the biggest solar roofs in the world. Photo taken from a Cessna 172M.. CBS Eyes on the World with John Batchelor CBS Audio Network @Batchelorshow What of Silicon Valley's devotion to Gavin Newsom? @RichardAEpstein @HooverInst https://www.hoover.org/research/what-drives-california-recall-election Permissions: 15 April 2018, 00:05:32 UTC Source | Own work Author | Daniel L. Lu (user:dllu) Raw file SHA1 sum | d01e7c6d0a14768cbc3b36ba69da6fde7fd2fd5d I, the copyright holder of this work, Daniel L. Lu (user:dllu), hereby publish it under the following license: This file is licensed under the Creative Commons Attribution-Share Alike 4.0 International license. | You are free: to share – to copy, distribute and transmit the work — to remix – to adapt the work Under the following conditions: attribution – You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. ..

Beschreibung: Authentisierung, Authentifizierung oder Autorisierung? Wir erklären die Unterschiede und besprechen und diskutieren die unterschiedlichen Möglichkeiten sich zu authentisieren. Was sind die Probleme mit Passwörtern und wie speichert man eigentlich Passwörter sicher im Backend? Und was bringen eigentlich diese Hardware-Token? All das erkären wir in dieser Episode. Viel Spaß beim Hören! Shownotes: Ranked: The World’s Top 100 Worst Passwords CrackStation - Online Password Hash Cracking - MD5, SHA1, Linux, Rainbow Tables, etc. Getting Started Cracking Password Hashes With John the Ripper xkcd: Password Strength Pass: The Standard Unix Password Manager KeePass Password Safe Rainbow table - Wikipedia Pepper (cryptography) - Wikipedia PBKDF2 - Wikipedia ‘If you want, I can store the encrypted password’: A Password-Storage Field Study with Freelance Developers CryptoLUX > Argon2 haveibeenpwned CCC Anleitung Fingerabdruck fälschen - YouTube media.ccc.de -Hacken der Iriserkennung im Samsung Galaxy S8 Apple 5G Song from 2020 Presentation IPhone 12 - YouTube Clickjacking / UI Redressing - GeeksforGeeks Google Authenticator - Apps on Google Play HMAC-based One-time Password algorithm - Wikipedia Getting started with security keys Yubico YubiKeys Nitrokeys Using your YubiKey with OpenPGP Ultimate Yubikey Setup Guide with ed25519 How to configure SSH with Yubikey WebAuthn.io

In our last Programming By Stealth we learned about the concept of version control, and the evolution from client/server version control to peer-to-peer version control and the creation of Git. In this installment we start learning the fundamental concepts of Git. We learn about the database, the working copy, and the index and understanding the difference is critical to effectively using Git. We also dig into the Git database and begin to learn the terminology inside it, which oddly uses normal English words but those words might not mean what you think they mean. We gain an understanding of why Git uses SHA1 hashes but not for encryption. We start to get into the power of Git as we learn about commits, staging, stashes, and tags. We didn't get to play with Git yet but the challenge is to install Git and if you want the extra credit, choose and download one ore more Git GUI clients.

In our last Programming By Stealth we learned about the concept of version control, and the evolution from client/server version control to peer-to-peer version control and the creation of Git. In this installment we start learning the fundamental concepts of Git. We learn about the database, the working copy, and the index and understanding the difference is critical to effectively using Git. We also dig into the Git database and begin to learn the terminology inside it, which oddly uses normal English words but those words might not mean what you think they mean. We gain an understanding of why Git uses SHA1 hashes but not for encryption. We start to get into the power of Git as we learn about commits, staging, stashes, and tags. We didn't get to play with Git yet but the challenge is to install Git and if you want the extra credit, choose and download one ore more Git GUI clients.

California's Privacy Law, SHA1 exploit, Ransomware Storage, Ring Voyeurs, 20 vs. 2020, ATT&CK ICS, Telecom SMS, Technology News, Human News, Ideas Trends & Analysis, Discovery, Recommendations, and the Weekly Aphorism…

In part 3 of our deep dive into BGP operations, Nick Russo and Russ White join us again on Network Collective to talk about securing BGP. In this episode we cover topics like authentication, advertisement filtering, best practices, origin security, path security, and remotely triggered black holes.     We would like to thank Cumulus Networks for sponsoring this episode of Network Collective. Cumulus is offering you, our listeners, a completely free O'Reilly ebook on the topic of BGP in the data center. You can get your copy of this excellent technical resource here: http://cumulusnetworks.com/networkcollectivebgp     Show Notes: Authentication Classic MD5 Enhanced Authentication extensions (EA). Supported by IOS XR and allows for SHA1 as well, along with key-chain rotations. Doesn't appear commonly used GTSM, and how it can be better than the previous option in some cases Basic prefix filtering: From your customers: allow any number of their own AS prepended From the Internet: block bogons (RFC1918, class D/E, etc) To your peers: only your local space (ie, your customers) From your peers: only routes originating from their AS (any # of prepends) BCP38 Techniques for spoofing prevention Describe with a simple snail mail analogy Usually uRPF strict or loose, depending Sometimes ACLs with specific IPs as sources are used too Best suited for true customer edge, not transit/peering edge (performance) Origin Security Try to prevent the hijacking of routes Hijacking is often used by spammers, etc., to source junk The main idea is — is this AS number really tied to this address block? The RPKI Signed x.500 certificates Carried around through a synchronized database (rsync) The certificates are rooted in the RIRs Which means that if you don't pay your bill, your certificate is withdrawn — you lose the ability to route MANRS As your provider, I should know what addresses you plan to source services from If you try to source something from a space you didn't tell me about, and I can't verify, I should block it To some degree, relies on uRPF — Not always realistic, so deployed on a case by case basis Path Security BGPsec Onion signing of all BGP updates This isn't ever going to happen according to Russ Kills performance — packing, per hop public key crypto Either you have a timer in the update, converting BGP to RIP, or you have permanent replay attacks — there's no clear solution to this problem OpenBMP, IRRs Community and history information Can be as accurate as the information gathered and stored First hop, graph overlay Validate first hop in RPKI or some other system Removes many of the real world problems, but not all of them All of these are active research Remotely triggered blackhole (RTBH) Some router is the trigger Add a static route with specific community ASBRs match on this community and set next-hop to some TEST-NET IP ASBRs have static route to this TEST-NET IP pointing to null → fast path drops Pair it with uRPF at the ASBR for source-based RTBH too Remote static route from trigger router when DoS/DDoS attack ends BGP flowspec QPPB on steroids More granular than RTBH QoS and security policy distribution and enforcement over BGP Russ White Guest Nicholas Russo Guest Jordan Martin Co-Host Eyvonne Sharp Co-Host Outro Music: Danger Storm Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0 License http://creativecommons.org/licenses/by/3.0/ The post Episode 22 – Securing BGP appeared first on Network Collective.

Audrey, Antonio, Emmanuel et Guillaume discutent Google Cloud Next, quelques nouveautés de JDK 9, Docker EE (?!), Cloudbleed, SHAttered, Uber et sa culture poison et comment scaler une architecture horizontalement. Entre autre. Enregistré le 14 mars 2017 Téléchargement de l’épisode LesCastCodeurs-Episode–165.mp3 News Langages Emmanuel le nouveau Java champion !!! 55 nouvelles fonctionalites de JDK 9 jlink, multi jar file, repl, collection factory methods, HTML5 javadoc, SHA–3, G1, semantic versioning etc Construire des JARs multi-release avec Maven Nouvelle version de Groovy 2.4.9 Introduction à CompletableStage en Java Retrofit 2.2 Migration a Swift 3 - cest chaud reflexions sur la backward compatibility de Java Unicode expliqué en 15 minutes Middleware Les librairies Java inratables en 2017 Blockchain Etherium en Java Interview sur l’ORM Doctrine de PHP Une overview de Spanner, la base qui taquine CAP CockroachDB Java EE 8 les dates affinees gRPC donné à la Cloud Native Computing Foundation Lagom 1.3 est sorti Kubernetes et son abstraction du runtime de container WePay et le change data capture Vert.x 3.4.0 Infrastructure Docker EE Cloud Post-mortem d’Amazon S3 Comment AWS voit sa competition Google Cloud Next 2017 Les 100 annonces de Cloud Next Free trial / Free tier amélioré Compute: App Engine Flex (GA), Cloud Functions (beta) et Firebase Functions, new regions, committed use discount, Skylake et 64 vCPU BigData: Dataprep, data transfer service pour BigQuery, Datalab (GA) Databases: Spanner, PostgreSQL Machine Learning: Cloud Machine Learning Engine (GA), video intelligence API, rachat de Kaggle Security: KMS (GA), 2FA, Data Loss Prevention API, Identity-Aware Proxy, Titan security chip Formations Google Cloud sur Coursera Outillage Adopte un desktop Linux par PAG Chrome les dix ans et la genèse du projet Apache Maven 3.5 avec de la couleur ! Gradle 3.4 dépote avec la compilation incrémentale Sécurité Le coût des Ransomware CloudBleed - CloudFlare et l’overrun à un million de dollars Le post-mortem de CloudFlare SHA–1 et la premiere collision: Shattered - les details des chercheurs SHA1 et Linux Google pourrait reporter la publication du code Loi et société et organisation GitHub termes de service Uber et segregation des femmes developpeurs Le premier temoignage Dernières évolutions 1/2 Dernières évolutions 2/2 Antoine Sabot-Durand est star spec lead La transformation ING en equipes microservices 12 startups souhaitent inventer la ville de demain avec la Mairie de Paris et NUMA Tim Berners-Lee: I invented the web. Here are three things we need to change to save it Question crowdcasting Morgan Durand nous pose une question sur la scalabilité horizontale et les données. Conférences Devoxx France les 5–7 avril 2017 Devoxx4Kids Paris le 8 avril 2017 Mix-IT les 20–21 avril 2017 Breizhcamp les 19–21 avril 2017 RivieraDev les 11–12 mai 2017 Web2day 7–9 juin, le CfP est ouvert DevFest Lille 9 juin - inscriptions et CfP ouvert Voxxed Days au Luxembourg le 22 juin Jenkins User Conference Paris - 11 juillet Nous contacter Faire un crowdcast ou une crowdquestion Contactez-nous via twitter https://twitter.com/lescastcodeurs sur le groupe Google https://groups.google.com/group/lescastcodeurs ou sur le site web https://lescastcodeurs.com/ Flattr-ez nous (dons) sur https://lescastcodeurs.com/ En savoir plus sur le sponsoring? sponsors@lescastcodeurs.com  

We made it! After taking a short flight, and re-assembling the crew in Atlanta, we finally made it to DevNexus, the conference run by Atlanta Java User Group. DevNexus is not just a great conference in itself, but it's a great place to run and talk to top tier speakers without breaking the bank. We did our own talking by running into Ted Neward (@tedneward) and Chris Richardson (@crichardson)! We actually manage to sucker-punch them into playing a little game of Trivia with us! At the end, we explore if the Cloud the new Mainframe, and came to some interesting conclusions. An episode like no other, you definitively need to listen to this one!   DO follow us on twitter @offheap SHA1 collition Who wants to be a Byte-o-naire

JBreak https://2017.jbreak.ru JPoint https://jpoint.ru CodeFest 2017 https://2017.codefest.ru GPUs are now available for Google Compute Engine and Cloud Machine Learning http://bit.ly/TAOP132gcgpu Evernote shuts down its data centers after moving to Google Cloud http://bit.ly/TAOP132en Evernote Reaches the Cloud: Migration to Google Cloud Platform Complete http://bit.ly/TAOP132en2 Cloud Spanner https://cloud.google.com/spanner/ Spanner: Google's Globally-Distributed Database https://research.google.com/archive/spanner.html Amazon Web Services issue is breaking the entire internet http://bit.ly/TAOP132aws Incident report on memory leak caused by Cloudflare parser bug http://bit.ly/TAOP132cf Announcing the first SHA1 collision http://bit.ly/TAOP132sha1 Nokia 3310 http://bit.ly/TAOP132n3310 GitLab.com melts down after wrong directory deleted, backups fail http://bit.ly/TAOP132gl Лариса Шрагина, Марк Меерович Технология творческого мышления http://bit.ly/TastyBooks59shared   Новый патрон Konstantin Kovrizhnykh Благодарности патронам: Sergey Kiselev, Sergii Zhuk, Aleksandr Kiriushin, Nikolay Ushmodin, Pavel Drobushevich, Pavel Sitnikov, Bogdan Storozhuk, B7W, Лагуновский Иван, Sergey Vinyarsky, Yakov Krainov, Sergey Petrov, Konstantin Kovrizhnykh Поддержи подкаст http://bit.ly/TAOPpatron Подпишись в iTunes http://bit.ly/TAOPiTunes Подпишись без iTunes http://bit.ly/TAOPrss Скачай подкаст http://bit.ly/TAOP132mp3 Старые выпуски http://bit.ly/oldtaop

Llegó el café informativo de sysarmy. Noticias del mundo Linux, Administración de sistemas y DevOps, mezclado con novedades sobre eventos, meetups, etc. Esta vez charlamos sobre el traspié que está siendo este 2017 con la caída de Gitlab, la colisión en SHA1, Cloudbleed, y el outage de AWS S3. == Mencionados en este episodio == GitLab.com Incident - 2017/01/31: https://goo.gl/qGRUja SHA1 function is now dead: https://goo.gl/7nFx2M the Impact of "Cloudbleed": https://goo.gl/zJ4EkT Amazon S3 Service Disruption: https://goo.gl/ojWeoo == Otros mencionados == EkoSpace en Facebook: https://goo.gl/VOzYle EkoSpace en Twitter: https://goo.gl/umJHVp FLISOL CABA: https://goo.gl/34b6IY FLISOL LATAM: https://goo.gl/Z9sUyb Sin humo podcast: https://goo.gl/9mthTY == Meetups == Meetup de sysarmy: https://goo.gl/mJDvzD Meetup de Datascience: https://goo.gl/yhqz3L == Búsquedas laborales == Jampp - Full Stack Javascript Developer: https://goo.gl/HU75Mq Talent IT up - DevOps Engineer: https://goo.gl/skUvhh MuleSoft - DevOps Engineer (AWS + SaltStack): https://goo.gl/jo9gPT == Buscanos en == Web: http://sysar.my Twitter: @sysarmy Facebook: Elección Root IRC en Freenode: #sysarmy Pocketcast: pca.st/D3H0 iTunes: goo.gl/Nrt22g

While Todd basks in the freetime of his unemployment he still finds time to keep up on SharePoint, Office 365, and Azure. This week he and Shane talk about a fantastic PowerShell script Shane wrote to move files around in SharePoint Online. Some new sync functionality is next on the list. Not to be outdone Azure AD adds group based functionality, and SHA1 is kaput! That, and Todd going to the moon, all on this week's podcast.

A creepy teddybear leaks two million voicemail messages, Windows 10 pushes you into only installing vetted apps, and Boeing warns 36,000 employees their personal information could have been exposed after a worker sends a spreadsheet to his wife. All this and more is discussed by computer security veterans Graham Cluley, Vanja Svajcer and Carole Theriault. SHOW NOTES: Announcing the first SHA1 collision Tavis Ormandy: Cloudflare Reverse Proxies are Dumping Uninitialized Memory Incident report on memory leak caused by Cloudflare parser bug List of Sites possibly affected by Cloudflare's #Cloudbleed HTTPS Traffic Leak Quantifying the impact of "CloudBleed" CloudPets commercial Data from connected CloudPets teddy bears leaked and ransomed, exposing kids' voice messages Microsoft slaps Apple Gatekeeper-like controls on Windows 10: Install only apps from store Boeing Notifies 36,000 Employees Following Breach   This episode of Smashing Security is sponsored by NetFort - https://www.netfort.com/  NetFort LANGuardian is easy-to-use network traffic and security monitoring software that tells you what is really happening on your network - no specialist hardware required! Check out the demo of LANGuardian and download a free trial from https://www.netfort.com/. Mention "Smashing Security" and you'll save 20% off your order! Thanks to NetFort for sponsoring this episode of Smashing Security. Follow the show on Twitter at @SmashinSecurity, or visit our website for more episodes. Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening! Warning: This podcast may contain nuts, adult themes, and rude language. Special Guest: Vanja Švajcer.

Google heard you like hashes so they broke SHA1, we've got the details. Plus we dive in to Cloudflare's data disaster, Dan shows us his rack, your feedback, a huge roundup & so much more!

Google heard you like hashes so they broke SHA1, we've got the details. Plus we dive in to Cloudflare's data disaster, Dan shows us his rack, your feedback, a huge roundup & so much more!

Google heard you like hashes so they broke SHA1, we've got the details. Plus we dive in to Cloudflare's data disaster, Dan shows us his rack, your feedback, a huge roundup & so much more!

CloudBleed, SHA1-1, White House Leaks, Planets, Satellites, Drones vs. Eagles, InfoSec Jobs, ExFil, IQ and Creativity in a Post-work World, Weaponized Narrative, Security Tools, Tons of Great Links, and more… Support the show: https://danielmiessler.com/support/ See omnystudio.com/listener for privacy information.

This week, Mr. Boettcher found himself with an interesting conundrum concerning what happened when he converted a Windows DOCX file to a PDF using a popular #PDF converter software. We discuss what happened, how Software Restriction Policy in Windows kept him safe from a potential malware infection, and about the logging that occurred. After that, we discuss some recent vulnerabilities, like the BlackNurse Resource Exhaustion vulnerability and how you can protect your infrastructure from a DDoS that can occur from someone sending your firewall 300 packets a second... which anyone can do. We discuss Robert Graham's recent run-in with a new surveillance camera and how it was pwned in less time than you think. And learn about the 'buenoware' that has been released that 'patches' IoT and embedded devices... But does it do more harm than good, and is it legal? All that and more this week on Brakeing Down Security Podcast!  Check out our official #Slack Channel! Sign up at https://brakesec.signup.team Next Book Club session is 29 November 2016. Our current book for study is 'Software Security: Building Security In' by Dr. Gary McGraw  https://www.amazon.com/Software-Security-Building-Gary-McGraw/dp/0321356705  (ebook is available of Safari books online)   BlackNurse https://nakedsecurity.sophos.com/2016/11/17/blacknurse-revisited-what-you-need-to-know/ http://researchcenter.paloaltonetworks.com/2016/11/note-customers-regarding-blacknurse-report/ http://www.netresec.com/?page=Blog&month=2016-11&post=BlackNurse-Denial-of-Service-Attack   Recent tweet from @boettcherpwned about infected docx with macros and we discuss why Foxit PDF runs the macros and open_document: https://twitter.com/boettcherpwned/status/799726266693713920 Brakesec Podcast about Software Restriction Policy and Application Whitelisting on Windows: http://traffic.libsyn.com/brakeingsecurity/2016-018-software_restriction_policy-applocker.mp3 Rob Graham @errataBob: new camera pwned by #Mirai botnet and others within 5 minutes: https://twitter.com/newsyc200/status/799761390915424261   #BlackNurse https://nakedsecurity.sophos.com/2016/11/17/blacknurse-revisited-what-you-need-to-know/ http://researchcenter.paloaltonetworks.com/2016/11/note-customers-regarding-blacknurse-report/ http://www.netresec.com/?page=Blog&month=2016-11&post=BlackNurse-Denial-of-Service-Attack ICMP Type 3, Code 3 (Destination Port unreachable)  http://www.faqs.org/rfcs/rfc792.html #SHA1 deprecated on website certs by Chrome on 1 January 2017 http://www.darkreading.com/operations/as-deadline-looms-35-percent-of-web-sites-still-rely-on-sha-1/d/d-id/1327522 #Benevolent #malware (buenoware) https://isc.sans.edu/diary/Benevolent+malware%3F+reincarnaLinux.Wifatch/21703 #Atombombing http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions https://breakingmalware.com/injection-techniques/atombombing-cfg-protected-processes/ http://www.pandasecurity.com/mediacenter/malware/atombombing-windows-cybersecurity/   Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-046-Black_Nurse_buenoware_IoT_pwnage.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-046-blacknurse-buenoware/id799131292?i=1000378076060&mt=2 Youtube: https://www.youtube.com/watch?v=w-FEJuWGXaQ   #RSS: http://www.brakeingsecurity.com/rss #Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969 #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake #Facebook: https://www.facebook.com/BrakeingDownSec/ #Tumblr: http://brakeingdownsecurity.tumblr.com/ #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

This week, we find ourselves understanding the #Cryptonite that can weaken devs and software creators when dealing with #cryptographic #algorithms and #passwords. Lack of proper crypto controls and hardcoded passwords can quickly turn your app into crap. Remember the last time you heard about a hardcoded #SSH private key, or have you been at work when a developer left the #API keys in his #github #repo? We go through some gotchas from the excellent book "24 Deadly Sins of Software Security". Anyone doing a threat analysis, or code audit needs to check for these things to ensure you don't end up in the news with a hardcoded password in your home router firmware, like these guys: https://securityledger.com/2015/08/hardcoded-firmware-password-sinks-home-routers/   Book: http://www.amazon.com/Deadly-Sins-Software-Security-Programming/dp/0071626751 Show Notes: https://docs.google.com/document/d/1MUPj8CCzDodik61_1K8lCKywkv0JbfBkve20rxwbmzE/edit?usp=sharing *NEW* we are on Stitcher!: http://www.stitcher.com/s?fid=80546&refid=stpr TuneIn Radio App: http://tunein.com/r…/Brakeing-Down-Security-Podcast-p801582/ BrakeSec Podcast Twitter: http://www.twitter.com/brakesec Bryan's Twitter: http://www.twitter.com/bryanbrake Brian's Twitter: http://www.twitter.com/boettcherpwned Join our Patreon!: https://www.patreon.com/bds_podcast RSS FEED: http://www.brakeingsecurity.com/rss Comments, Questions, Feedback: bds.podcast@gmail.com Direct Download: http://traffic.libsyn.com/brakeingsecurity/2016-002-Cryptonite.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-002-cryptonite-or-how/id799131292?i=360440391&mt=2  

For long time listeners of the podcast, back when Brian and I wanted to do the podcast, we were working at the same company, and the first podcast we did was on hashes.    Bob story: Bob was getting tired of explaining what MD5, SHA1, SHA2 were to developers, so as we were developing our idea for the podcast, this was the first episode we had. Mr. Boettcher had several ideas for podcasts prior to. I was actually gonna go it alone, but wanted him to join me. Thankfully, he broached the idea of being on the podcast. This was actually the second take, as the first one was done in our office and we didn't want any legal issues doing it at work, so we trahed that one and made this version. I thought the first take was better, but what are gonna do... :)  

Topics covered Apple has been making news, issuing guidance, and refuting a hack - all around iCloud http://www.padgadget.com/2014/09/03/apple-warns-developers-not-to-store-health-data-in-icloud/ http://www.padgadget.com/2014/09/03/apple-says-celebrity-photo-leak-was-not-due-to-icloud-breach/ http://www.cio-today.com/article/index.php?story_id=94027 HealthCare.gov was hacked, but no worries it was only a test server and no 'data was taken/viewed'. Does this sound like something you've faced in the enterprise ... hmmmm?If only there was someone warning them about the insecurity of that site! h/t to Dave Kennedy for standing up and taking political heat. http://www.nationalreview.com/article/387182/healthcaregov-hack-reminiscent-earlier-vermont-exchange-attack-jillian-kay-melchior http://www.computerworld.com/article/2603929/healthcare-gov-hacked-if-only-someone-had-warned-it-was-hackable-oh-wait.html Home Depot apparently has suffered a massive breach, much like Target. Interesting? Or ho-hum? (did you Buy The Dip? h/t @DearestLeader ) http://seekingalpha.com/article/2478055-home-depot-potential-data-breach-may-have-presented-a-good-opportunity-to-buy-the-stock http://krebsonsecurity.com/2014/09/home-depot-hit-by-same-malware-as-target/ http://www.csoonline.com/article/2601082/security-leadership/are-you-prepared-to-handle-the-rising-tide-of-ransomware.html Norway's Oil & Gas industry is now the target of hackers, seeking to get intelligence on production, exploration - and that all-important state-sponsored competitive edge. http://www.thelocal.no/20140827/norwegian-oil-companies-hacked Google is deprecating (in a big way) the use of SHA-1 in certificate way ahead of the set schedule. Is this "Google the game-changer" or "Google the bully"? You decide - tweet us at #DtR http://www.csoonline.com/article/2602108/security-leadership/do-you-agree-with-googles-tactics-to-speed-adoption-of-sha-2-certificates.html http://www.zdnet.com/google-accelerates-end-of-sha-1-support-certificate-authorities-nervous-7000033159/

In this inaugural episode, Bryan and Brian discuss the history of hashes, how hashes are used and how to make them more secure. Intro "Private Eye" and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0http://creativecommons.org/licenses/by/3.0/

Unsupported Operation 84 Misc Not really “new”, but I rediscovered the fact that since Git 1.8.2, that submodules now support following a branch rather than a fixed commit SHA1 - this actually makes them somewhat usable.JDK8 Build 91 available - Sadly, this didn't fix my method handle issue. Atlassian JIRA 6 was released - teases with Bamboo 5 updates Yourkit Profiler 2013 EAP launched, personal licences only US$99 until June 4, 2013.Spring 4 announced, indicates support for JSE8 and Groovy 2 as the first class language, pushing Groovy 2 bigtime.Action Launcher Pro 1.7 for Android was released - best launcher ever. Adds support for icon packs and just makes it that bit more... awesome.Big changes for Redline Smalltalk - now scans classpath for .st files, so works nicely with artifacts/jar files etc. etc.Google Code removes file downloads Maven - Spotlight Plugin of the Week maven-shade-plugin Apache Apache Maven 3.1-alpha-1 available for testing/voting. Release Notes.Maven ShadePlugin, version 2,1 supporting the above 3.1 releaseOpen Web Beans 1.2Apache Ant 1.9.1Apache Wicket 6.8Commons-Logging 1.1.3 (please still remove it from your archives)Subversion 1.8-rc2JSPWiki incubating 2.9.1 Clojure MD did a short clojure-maven-plugin history presentation at the 2nd Auckland Clojure Meetup, this seems to have awaked the bug reporters...Released 1.3.16 and then followed up with 1.3.17 of the clojure-maven-plugin Scala Scala 2.10.2-RC1 now availabledispatch 0.10.1 released, HTTP client libraryScala on Android - new book from Lean Pub, being written by Geoffroy Couprie (@gcouprie) Groovy Groovy 2.1 showcased and goes type checking madGroovy 2.1 type checking extensions for SQL inside a string discussedCedric shows Groovy type checking printf type and number of params Docs for type checking extensions released by CedricGaelyk 2.0 released

Unsupported Operation 67JavaOracle pulls support for JavaFX ScriptJava 7u4b15 developer preview availableMiscDataStax has quietly made their Cassandra documentation available in PDFExcelTestNG - interesting - webdriver/selenium testing driven by Excel spreadsheets, and TestNG.Practical Unit Testing with Mockito and TestNG is nearing publication - now has an ISBN!LogBack 1.0.1Hibernate 4.1Hazelcast 2.0 released - release notes.AIDE - IDE for Android, ON AndroidTerminal-IDE is similar, but gives you a vi based environment.SmartGIT 3.0.1 available - changes - GUI Git client in Java. now supports mercurial and svn since I last checked it out.Gerrit 2.3rc0 availableAtlassian buys an IRC/IM client/server company - closes a 7 year ticket “won’t fix”Web StuffNettoSphere - A WebSocket and HTTP server based on Atmosphere and Netty.vert.x - node.js like asynchronous web server/platform - lets you write applications in js, ruby, and java. comes with distributed event bus, websocket support, tcp/ssl, pre made modules for mailer, authentication, work queuesThymeleaf 2.0 - XML/HTML specific template engine.GateIN 3.2.0 Final - people still use portal servers?JRebel 4.6 released, JRebel for Vaadin announcedApache / Maven / RelatedShavenmaven - super-lightweight dependency management - NO XML - just URLsGrails 2.0.1 now uses RichardStyle composites, and hopefully will make its way to “Apache Maven Central” soon.Apache Jena 0.9.0 - Java framework for building Semantic WebCommons Math 3.0Apache Camel 2.9.1Apache Hama 0.4 - incubating - metrics on HadoopApache Rave 0.8 - incubating - social mashupApache Tomcat Native 1.1.23Apache Ant 1.8.3Directory studio 2.0.M3ApacheDS 2.0.0-M6Apache Directory LDAP 1.0.0-M11Apache Commons Daemon 1.0.10Apache ACE has become a top level projectApache OFBiz 09.04.02 (2nd TLD in a month - DeltaCloud was the other)Apache MyFaces extension for CDI 1.0.4JetbrainsIntelliJ IDEA 11.1 to support JavaScript.next with Traceur compiler.AppCode 1.5 RCGroovyFirst official GroovyFX releaseScalaAkka moved to a new Akka Organisation on GithubAkka 2.0 also released!New Scala proposal for value typesClojureClojure 1.4 beta 4First Github got hacked, then node.js’s NPM, Clojars takes precautions:Hello folks!In light of the recent break-in to the Node.js package hosting site (https://gist.github.com/2001456), I’ve decided to bump the priority of increasing the security on Clojars. I’ve deployed a fix that uses bcrypt (http://codahale.com/how-to-safely-store-a-password/) for password hashing. The first time you log in, it will re-hash your password using bcrypt and wipe the old weak hash.Note that Clojars has NOT had a security breach at this time. This is a preventative measure to protect your password in the event of a future breach. We are also looking into allowing signed jars (and possibly requiring them for releases). If you’re interested in helping out with this effort, (design or code) please join the clojars-maintainers mailing list: http://groups.google.com/group/clojars-maintainersBecause we can’t ensure that everyone will log in to re-hash their password, at some point in the future (probably 2–3 weeks out) we will WIPE all the old password hashes. Otherwise users who have stopped using Clojars or missed the announcement could have their passwords exposed in the event of a future break-in. I will be sure to send out a few more warnings before this happens, but even if your password has been wiped it’s easy to reset it via the “forgot password” functionality.If you have any applications storing passwords hashed with SHA1 (even if you use a salt) I highly recommend you take the same steps; refer to http://codahale.com/how-to-safely-store-a-password/ for details.please log into Clojars to re-hash your password.Thanks for your attention.-PhilRelated news - Bouncy Castle 1.46 releasedStatic code analyzer for Clojure - kibit 0.0.2 now releasedMarginalia v0.7.0 - documentation generator for clojurelein 2.0 preview releases are out, and now preview2 is supported by Travis-CIlein-navem is a lein plugin that converts a maven pom.xml into lein project.cljDatomic is a new database service from Rich Hickey. And dayam it looks nice. Some really nice ideas in here.

Download MP3: Coded Hard & Put Away Wet (& numb) We finally did another show! Sorry for the break we hope to record bi-monthly from now on! In this fantabulous episode we achieve both an ADD & distraction depth. Ben hacking under ice-water! Thanks again Peter for the awesome donation! http://www.pheedcontent.com/click.phdo?i=93c9614b0b5471f03869d13f936859c6 http://www.engadget.com/2011/11/04/ispy-software-can-read-texts-and-steal-passwords-with-its-little/ http://arstechnica.com/apple/news/2011/10/researchers-can-keylog-your-pc-using-your-iphones-accelerometer.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss http://arstechnica.com/business/news/2011/10/researchers-hack-crypto-on-rfid-smart-cards-used-for-keyless-entry-and-transit-pass.ars http://www.msnbc.msn.com/id/45263325/ns/technology_and_science-security/#.TsAJOUOXunB Sam needs [...]

Today's screencast will demonstrate 2 forms of cryptography: 1) 1-way hashing 2) 2-way encryption/decryption For the hashing, we will be using the SHA1 method and for the encryption, we will be using AES (Advanced Encryption Standard) with 128 bit encryption.

Cryptology is typically defined as cryptography (the construction of cryptographic algorithms) and cryptanalysis (attacks on these algorithms). Both are important, but the latter is more fun. Cryptographic hash functions are one of the core building blocks within both security protocols and other application domains. In the last few decades a wealth of these functions have been developed, but the two in most widespread usage are MD5 and SHA1. Recently, there has been a great deal of activity regarding the cryptanalysis of MD5. We survey the recent attacks on the MD5 hash function from the modest progress in the mid 90s to the startling recent results instigated by Xiaoyun Wang. We will look at the details of these attacks, some recent improvements, two applications, and discuss the current outlook on cryptographic hashing. About the speaker: John Black is an Assistant Professor of Computer Science at the University of Colorado at Boulder. Dr. Black's research interests lie primarily in cryptography and cryptanalysis, particularly in the construction of fast and provably-secure algorithms and in the analysis of cryptography applied to networks and computer systems. Dr. Black received his Ph.D. in Computer Science from the University of California at Davis in 2000. He is the recipient of an NSF CAREER award and a check from Donald Knuth for $2.56.

Cryptology is typically defined as cryptography (the construction of cryptographic algorithms) and cryptanalysis (attacks on these algorithms). Both are important, but the latter is more fun. Cryptographic hash functions are one of the core building blocks within both security protocols and other application domains. In the last few decades a wealth of these functions have been developed, but the two in most widespread usage are MD5 and SHA1. Recently, there has been a great deal of activity regarding the cryptanalysis of MD5. We survey the recent attacks on the MD5 hash function from the modest progress in the mid 90s to the startling recent results instigated by Xiaoyun Wang. We will look at the details of these attacks, some recent improvements, two applications, and discuss the current outlook on cryptographic hashing.

Nous venons de tourner un nouveau SECHebdo en live sur Youtube. Comme d’habitude, si vous avez raté l’enregistrement, vous pouvez le retrouver sur notre chaîne Youtube (vidéo ci-dessus) ou bien au format podcast audio: Au sommaire de cette émission : Todo (00:01:30) { "options": { "theme": "default" }, "extensions": { "ChapterMarks": { "disabled": false }, "EpisodeInfo": {}, "Playlist": { "disabled": true }, "Transcript": { "disabled": true } }, "