Blog‎ > ‎

CloudFlare, Shellshock, Ubiquitous Encryption, Secure Erase SSD (ESE), Knox

posted Oct 1, 2014, 7:50 AM by Sami Lehtinen   [ updated Oct 1, 2014, 7:50 AM ]
  • Excellent post by CloudFlare describing how different Inteernet bandwidth pricing is around the globe. But they didn't mention Africa or Russia, or maybe some of the stats does include those? But which one?
  • These maps are very related to the cloudflare server locations and bandwidth pricing. If you liked those maps, you'll can find lot more from NASA's Socioeconomic Data Center (SEDAC). http://sedac.ciesin.columbia.edu/maps/gallery/search
  • If almost all of your communications are in the clear and then you suddenly use Tor or PGP for something. It's clear indication that now you're doing something important which you want to keep secret. That's exactly why you should always encrypt everything, so using encryption doesn't highlight any individual communication events. So let's use ubiquitous encryption. Encrypt all the things!
  • I know that I don't know many things. Which keeps me safer, I don't assume to be on the safe side, ever.
  • Finnish Cyber security / communication regulatory authority has approved Samsung Android 4.4.2 Knox for secure use. Knox securely separates classified information from non-classified consumer data. 
  • They also approved Blancco 5 for data erasure. I'm personally very curious about how Blancco 5 verifies that SSD/HDD is really clean. Because as far as I know, there's no way to do that. Unless, you have independently verified that code which is used for secure erase in the SSD devices firmware. I'm also very curious how that handles cases when there's no way to independently verify results. What if there's memory cell that's actually broken and can't be verified. Of course reading data from from this kind of device after erasure requires specialized lab, with probably alternate controller for the memory chips. But it might be possible to still read data from the SSD for some of the cells, even after secure erase. If you don't know exact implementation details of the firmware and the process, you can't state, that secure erase is secure erase. Actually it's ridiculous that there's something called Enhanced Secure Erase (ESE). If the secure erase works as it's supposed to do, how you can enhance it?
    "Secure erase overwrites all user data areas with binary zeroes. Enhanced secure erase writes predetermined data patterns (set by the manufacturer) to all user data areas, including sectors that are no longer in use due to reallocation." - Based on this statement, it sounds like the secure erase ... Wasn't exactly secure.
  • CloudFlare's Universal SSL (UniverSSL) is very nice idea. Of course this allows them to MitM all connections. But in general it's great advancement, because many sites just don't care enough security, that they would bother to implement SSL them selves. It's also really great that they also provide Universal IPv6 for all sites as well utilize IPv6 address space to provide SSL even for browsers which do not support SNI. Providing Universal SPDY support for everyone is also great news.
  • Excellent post by CloudFlare about Shellshock exploit vectors and examples what kind of attacks they've been seeing. There was just only one strange thing. They say that base64 hash, uh eh. Well, I guess the post isn't written as clearly as it should. Of course you can base64 encode hash results and that's what they're trying to say. But it's just written badly and looks like they would base64 encode data with salt.