Post date: Jun 7, 2012 5:05:58 PM
I've been busy reading Lean Startup book with deep thoughts. But here's something light and fun stuff I have been managing to read and study meanwhile.
Google Chrome browser & OS related stuff:
Due LinkedIn passwords hash leak, here's a few password related articles:
HULK (Http Unbearable Load King) was released and I had to play a little with it.
I tested hulk against many services and servers that we run, during night time. It seems that most of services can handle traffic generated by hulk. Main thing is that request handling must be light enough. Only urls which run CGI scripts were naturally heavily affected by hulk attack, due slow request processing. But as we all know, attackers will find these points from system which are slow to handle and exploit those.
All systems should have code which detects attacks and stops serving these IP addresses or whole blocks. It would be preferable if web server would be able to handle these very lightly or even better, if firewall rules would be modified dynamicly to completely drop this traffic.
Only a few modifications were required to make hulk fully Tor compatible and also enable requestion real pages from HTTPS sites, instead of requestin redirects using HTTP.
I also found out that many sites running Drupal are very vulnerable to this attack.
If single Privoxy & Tor & Hulk set isn't enough and won't saturate your own bandwidth, you can naturally run multiple Tor clients and Privoxies in parallel with multiple HULKs, by using different port numbers. It required about 25 parallel process sets to saturate 100/100 Mbit/s (down) link with remote server which was serving static files from attack url and therefore wasn't brought down by hulk attack. This would bring easily down sites which do not process reuqests very efficiently.
What would happen if this attack would be run from several servers with 1 gigabit connection / each, it would be very hard hit to any small to medium site. Of course world class sites wouldn't notice a thing. Also Tor network in general could run out of bandwidth.
Hushmail.com session / password issue:
1. Login to hushmail from two computers
2. Change password
3. Notice that session from another computer is still alive and kicking
Afaik: When password is changed, re-login should be forced at least for all other sessions than the session which changed the password.
This is especially big problem if something like authenticated cookie is stolen, or if password is stolen and they manage to login. Then there is no way to deny their access.
Well, if I remember right dropbox had this very same flaw. But I assume they fixed it already.
Watched long 2 hour long lesson about 3D printing business and current state and future possibilities.
P.S. HSTS header is also missing.
Other stuff:
That's all folks! I also studied and thought some topics which I really would like to write much more about. But I'll do it later. This should be enough for now. See my G+ posts for minor stuff.