The Matrix Data Bank – Page 88 – Messages from a far away land in the constellation of Kasterborous

Try answering the question, or you’ve failed…

I just did something that I never have done in the past…. And I shouldn’t be surprised at the results…

I just read the “What’s the risk” help screen for the ActiveX installer prompt. Â You know the annoying prompt, where it asks “do you want to install this ActiveX control” or “What’s the risk?”.

You know what I learned? Â Nothing. Â Sure, there are some sweeping statements, like:

You should always be cautious about allowing Web sites to run ActiveX controls on your computer. If an ActiveX control is not essential to your computer activity, try to avoid installing it.
You should be certain that you trust the publisher of the ActiveX control before you decide to install the control on your computer.
Because ActiveX controls are potentially hazardous to your computer, you should be certain that you trust the publisher of the ActiveX control before you decide to install the control on your computer.
The Web site should tell you what this ActiveX control is for and any special details you need to know before you install it. If this information is not available, you should not install the control.
Don’t install an ActiveX control unless you absolutely trust the Web site that is giving you the control.

Oh, but so clever, at least my copy of the Microsoft Help, has “What are ActiveX controls” shrunk down, it’s not expanded by default. And here is some meat and potatoes….

These programs can, however, malfunction or give you content you donâ€™t want. In some cases, these programs might be used to collect information from your computer in ways you might not approve of, possibly damage data on your computer, install software on your computer without your consent, or allow someone else to control your computer remotely. Given these risks, you should only install these programs if you completely trust the publisher.

Right… Â The section on risks appears to be hidden by default, and everything else basically says “Do you trust the provider”. Â First, the documentation appears to be trying to hide the risk factors, and presenting us with very little useful information. Â At least no useful information from a security prespective.

Is this truly useful to the customer? Â I’ll leave that for you to decide….

YouTube – “Big One” has one lazy method to eat

Yes, this is one of our cats….

Indigo Server authentication

I am working on an python wrapper around the Indigo Restful interface, and discovered that the Indigo Server requires remote logins to be with a Digest based password. Â Is this good? Â Yes, indeed it is. Â Digest authentication is designed to be the significantly more secure and when your talking about the security of your home authomation you would prefer it to be secure.

But what is Digest Access Authentication? Â The digest access authentication was originally speced in RFC 2069. Â In this, the password is encrypted by a nonce (Number used once), and is used to calculate a MD5 digest of the password. Â So no plain text passwords, and due to the nonce (among other things) your password is not a simple reversible hash.

What does the Nonce do to help? Â Why a Nonce? Â This makes the encryption key change each time there is a authentication challenge, and thus making replay attacks, and dictionary attacks, virtually impossible to break the encryption.

But this security is not impossible to defeat. Â If your password is too simple, for example, 12345. Â In theory, an attacker could attempt an brute force attack, and see if they could match an valid password digest.

Advantages

HTTP digest authentication is designed to be more secure than traditional digest authentication schemes; e.g., “significantly stronger than (e.g.)CRAM-MD-5.

Some of the security strengths of HTTP digest authentication are:

The password is not used directly in the digest, but rather HA1 = MD5(username:realm:password). This allows some implementationsÂ to store HA1 rather than the cleartextÂ password.
Client nonceÂ was introduced in RFC2617, which allows the client to prevent chosen plaintextÂ attacks (which otherwise makes e.g. rainbow tablesÂ a threat to digest authentication schemes).
Server nonce is allowed to contain timestamps. Therefore the server may inspect nonce attributes submitted by clients, to prevent replay attacks.
Server is also allowed to maintain a list of recently issued or used server nonce values to prevent reuse.

Disadvantages

Digest access authentication is intended as a security trade-off. It is intended to replace unencrypted HTTP basic access authentication, which is extremely weak. It is not, however, intended to replace strong authentication protocols, such as public-keyÂ or KerberosÂ authentication.

In terms of security, there are several drawbacks with digest access authentication:

Many of the security options in RFC 2617Â are optional. If quality-of-protection (qop) is not specified by the server, the client will operate in a security-reduced legacy RFC 2069Â mode.
Digest access authentication is vulnerable to a man-in-the-middle (MitM) attack. For example, a MitM attacker could tell clients to use basic access authentication or legacy RFC2069 digest access authentication mode. To extend this further, digest access authentication provides no mechanism for clients to verify the server’s identity.
Some servers require passwords to be stored using reversible encryption. However, it is possible to instead store the digested value of the username, realm, and password.

What if Time Crisis (Arcade game) was real?

Welcome iOS 4.02 & 3.22

Apple has today released an update for iOS 4 and iPad software. The update fixes a PDF exploit that came to light last week after it was used to aid in the Jailbreaking of iPhones. Fears were raised early last week that the exploit could be used for malicious purposes.

The update which brings iOS to version 4.0.2 and the iPad to 3.2.2 lists only the PDF fix as included.

The update is available for:

iPhone 4
iPhone 3GS
iPhone 3G
iPad Wi-Fi
iPad Wi-Fi + 3G

Users can update via syncing with iTunes.

How Star Trek artists imagined the iPad… 23 years ago

Ars Technica takes a look back at how Star Trek predicated the iPad, and some other items of the future.

How Star Trek artists imagined the iPad… 23 years ago.

Better to be late, then never, I guess… (Flash H.264)

Adobe has just stated that the new Flash Player (10.1.82.76) now contains a H.264 hardware decoding layer for the GPU….

We just pushed a few minutes ago a new version of the Flash Player 10.1.82.76 containing a nice feature that was in beta until now called â€œGalaâ€. Yes, H.264 GPU decoding in Mac OSX is now officially enabled in the Flash Player.

I guess it’s better to be late than, never offer the feature…

Plants vs. Zombies GOTY

Great news for Steam users who are fans of Plants vs. Zombies. PopCap and Valve announced the release of Plants vs. Zombies: Game of the Year EditionÂ for Steam.

It’s just like the regular PC version which released a couple of weeks ago, with the zombie avatar creator and achievements. Except the Steam release offers support for the Steam Cloud to access your save game from anywhere. Did we mention that now there is Steam Play for cross compatibility on Mac. Â Steam users that already own Plants Vs. Zombies will automatically get the Game of the Year Edition for free…

Plants vs. Zombies GOTY Edition