Tuesday, February 24, 2009

Important Ruling on 5th Amendment Case Involving Handing Over Encryption Keys to Government

Since I know I won't do it the justice it deserves, please check out this post on the Volokh Conspiracy blog.

Quick summary - the user doesn't have to hand over the keys, but must provide decrypted contents of a hard drive.

Thursday, February 19, 2009

What's Old is New Again

What do you call a 14+ year old vulnerability? Sloppy, ridiculous? Not sure....

FreeBSD was just hit by essentially the same bug that was present in a large number of Unix variants back in 1995.

The original vulnerability is here:

CERT® Advisory CA-1995-14 Telnetd Environment Vulnerability


The vulnerability allows a remote user to specify Unix environment variables to the target system. If they override an environment variable such as LD_LIBRARY_PATH or LD_PRELOAD then they can override the behavior of programs that telnetd calls, such as /bin/login.

Looks like the FreeBSD guys just had a recurrence of almost exactly the same vuln.... Interesting to say the least.

FreeBSD-SA-09:05.telnetd
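As an added example (not code from this post, the CERT advisory, or FreeBSD), here is one way a daemon can filter client-supplied environment variables before it executes a program such as /bin/login, keeping only names on an allowlist. The allowlist contents and the function names `env_allowed` and `filter_client_env` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed allowlist for this example: names a login session plausibly needs. */
static const char *const allowed_names[] = {
    "TERM", "DISPLAY", "USER", "LOGNAME", NULL
};

/* Return 1 if entry is "NAME=value" and NAME is exactly on the allowlist.
 * Exact-length matching matters: a prefix test would let TERMINFO ride
 * in on TERM. */
static int env_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;                       /* no '=' or empty name: drop */
    size_t len = (size_t)(eq - entry);
    for (size_t i = 0; allowed_names[i] != NULL; i++) {
        if (strlen(allowed_names[i]) == len &&
            strncmp(entry, allowed_names[i], len) == 0)
            return 1;
    }
    return 0;
}

/* Compact a NULL-terminated environment array in place so that only
 * allowlisted entries remain. Returns the number of entries kept. */
static size_t filter_client_env(char **envp)
{
    size_t kept = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        if (env_allowed(envp[i]))
            envp[kept++] = envp[i];
    }
    envp[kept] = NULL;
    return kept;
}

int main(void)
{
    /* Constructed sample of variables received from a remote client. */
    char *env[] = { "TERM=xterm", "LD_PRELOAD=/tmp/x.so",
                    "LD_LIBRARY_PATH=/tmp", "DISPLAY=client:0", NULL };
    size_t n = filter_client_env(env);
    for (size_t i = 0; i < n; i++)
        puts(env[i]);                   /* this array is what exec would get */
    return 0;
}
```

An allowlist fails closed: a loader variable nobody thought to name in a denylist is dropped by default instead of being passed through to the child process.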

Friday, February 13, 2009

I thought I was the greatest hacker

But according to Fox News, I'm definitely not.

Alas, not enough misspent youth....

Job Openings

We're hiring some internal application and project security consultants and a security manager. I'll update this post with a link when I get one I can put up as a URL (silly brassring) but if you go to:

https://www.paypal.com/html/paypal_jobs.html

you can search PayPal jobs with a keyword of "information security" to find the job descriptions.

Update: Here are some easily clickable links:

Manager, Information Security - Phoenix
Principal Information Security Engineer - Phoenix
Principal Information Security Engineer - San Jose