Security in USB is broken

Researchers Karsten Nohl and Jakob Lell created proof-of-concept malware, BadUSB, highlighting how fundamentally USB security is broken. The malware resides in the firmware of the USB device. Currently there is no way of knowing if the firmware has been altered… Great!

Take a look at the article here: http://www.wired.com/2014/07/usb-security/

That’s the takeaway from findings security researchers Karsten Nohl and Jakob Lell plan to present next week, demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken. The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic. Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted. And the two researchers say there’s no easy fix: The kind of compromise they’re demonstrating is nearly impossible to counter without banning the sharing of USB devices or filling your port with superglue.

“These problems can’t be patched,” says Nohl, who will join Lell in presenting the research at the Black Hat security conference in Las Vegas. “We’re exploiting the very way that USB is designed.”

LibreSSL – new fork of OpenSSL

The OpenBSD project is starting a new fork of OpenSSL. Based on blogs and comments, it seems that a cleanup of the code is overdue. The new fork can be found here: http://www.libressl.org/. They need donations to support a multi-OS version of the software. Consider supporting them here: http://www.openbsdfoundation.org/donations.html

The first release is targeted for OpenBSD 5.6, which should be released Nov 1st, 2014. Support for other OSes should follow after that.

Some articles about the fork:

DayOne and MultiMarkdown

I am using DayOne to make journal entries now and then. I started to look into whether I could automatically create DayOne entries, because I am considering adding weather prognosis and information from web pages automatically.

It is probably not possible to create entries from the command line in Windows, due to the fact that I store the data on iCloud. Alternatively I could use Dropbox for syncing the entries. DayOne released a support document for Syncing with Dropbox.

There is a command line tool, jrnl, which seems to be installable on Windows. It also supports multiple journals, so I can have a separate journal for work. DayOne currently does not support more than one journal. Adding more journals is planned for a future update.

Looking at the files in the journal.dayone folder:

  • it seems that all filenames are unique
    • The unique id can be found inside the file as well, in the ‘UUID’ key.
  • the file extension for the entries is .doentry
  • entries are stored in the Mac property list XML file format, .plist.
    • Python library for handling .plist files: plistlib

The journal entry is stored in the .doentry file in the ‘Entry Text’ key. The format is Markdown, as described in their Markdown Guide. Are they supporting the MultiMarkdown syntax? They have footnotes in their syntax… Seems so from version 1.9 of the iOS app.
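The layout described above can be exercised with plistlib. This is an added example, not code from DayOne or jrnl: it writes one entry and reads a journal folder back, skipping files that are not valid plists or whose ‘UUID’ key does not match the filename. The ‘Creation Date’ key, the 32-hex-character id and the filename being the UUID plus .doentry are assumptions.

```python
import plistlib
import tempfile
import uuid
from datetime import datetime, timezone
from pathlib import Path
from xml.parsers.expat import ExpatError


def write_entry(journal_dir, text, created=None):
    """Create one .doentry file in journal_dir and return its path."""
    entry_id = uuid.uuid4().hex.upper()  # assumption: 32 hex chars, no dashes
    if created is None:
        created = datetime.now(timezone.utc).replace(tzinfo=None)
    entry = {
        "UUID": entry_id,          # key named on the page
        "Entry Text": text,        # key named on the page; Markdown body
        "Creation Date": created,  # assumed key, not taken from the page
    }
    path = Path(journal_dir) / f"{entry_id}.doentry"
    # Mode "xb" fails instead of overwriting an entry that already exists.
    with open(path, "xb") as fh:
        plistlib.dump(entry, fh, fmt=plistlib.FMT_XML)
    return path


def read_entries(journal_dir):
    """Return {uuid: text} for well-formed entries; skip everything else."""
    entries = {}
    for path in sorted(Path(journal_dir).glob("*.doentry")):
        try:
            with open(path, "rb") as fh:
                data = plistlib.load(fh)
        except (plistlib.InvalidFileException, ExpatError, ValueError):
            continue  # not a parseable property list
        if not isinstance(data, dict):
            continue
        # The id inside the file must agree with the filename.
        if data.get("UUID") != path.stem:
            continue
        if not isinstance(data.get("Entry Text"), str):
            continue
        entries[data["UUID"]] = data["Entry Text"]
    return entries


def demo():
    """Write one constructed entry plus one junk file, then read both back."""
    with tempfile.TemporaryDirectory() as tmp:
        good = write_entry(tmp, "# Weather\n\nSunny[^1]\n\n[^1]: constructed sample")
        (Path(tmp) / "BROKEN.doentry").write_bytes(b"not a plist")
        return good.stem, read_entries(tmp)
```

Files dropped into a synced folder arrive from other devices, which is why the reader checks each one instead of trusting the extension.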

Should I use MultiMarkdown as a basis for all documentation I do? There are converters to: HTML/XHTML, LaTeX (->PDF), OpenDocument, OPML (MindManager, iThoughtsHD on iOS, …).

Applications supporting Markdown:

  • MarkdownPad Windows Markdown editor. Export to html (css support) and pdf.

Is Pandoc better than MultiMarkdown? Why I switched from MultiMarkdown to Pandoc.

Pandoc is a universal document converter, converting from one markup format into another. It is your Swiss Army knife…? Installed it, so now I just need to test it. Seems to work fine! :-)
