When Danger is an apt name!

Microsoft\Danger and T-Mobile don’t seem to have quite got the cloud concept yet.  Yes, it’s true that cloud users don’t have to worry about their data – it’s all safely tucked away somewhere and your cloud provider sorts it all out.

Alas it seems that Microsoft\Danger got a bit confused during Cloud Computing 101 and went away thinking that no-one had to worry about the data.  So they didn’t.

They have come clean on the T-Mobile website and told Sidekick users not to turn off their devices, as the data now lives nowhere else.  In a cruel extra twist, the Sidekick devices are useless now, as just about everything they do requires the cloud – they retain nothing at all across a reboot, for example.

The T-mobile article is here. In the meantime you would be right if you were really nervous about trusting these guys with your data!

It seems that the only person to show incredible foresight was the person that came up with Danger as the name of the company.

Microsoft have had a couple of years now since they acquired Danger to make the services offered resilient.  Seems that they failed.  Epic Fail.

Oh and BTW, Azure, Microsoft’s flagship cloud OS, launches in a month or so.  What-Could-Possibly-Go-Wrong.

Certificate Fingerprints

There have been some very nasty certificate-based vulnerabilities announced recently, and these amount to an attacker being able to act as a MITM (Man In The Middle) on pretty much any SSL conversation.  All the attacker has to do is insert themselves somewhere in your traffic chain between you and your target web site.

As these vulnerabilities turn into real exploits, you should be really really really (got the picture?) careful what sites you log into and give your personal info to.

The nature of these attacks means that your browser is completely fooled into thinking it is talking to the real PayPal.com or eBay.com. When spoofed, you will most likely experience normal logon and purchasing, but your details are phished for future use.  Even certificate verification checks such as CRL and OCSP validation and path validation will work as you would expect.  Nasty.

I suggest therefore that for the next few weeks, while we see how bad this really is, you check independently the certs of all sites that you need to log in to.

I have printed out the SSL certs for the sites that I use often so I can check them for myself, but you may want to use this article, which has the cert hashes for 4 common sites: PayPal.com, Amazon.com, eBay.com and, of course, TurboTas.co.uk.

It would be very hard for an attacker to make a fake cert match these hashes, so the hash is what you need to check. Bear in mind, though, that this web page could be MITM attacked too, so unless you know your connection to turbotas.co.uk is unspoofable, don’t trust this source either, as the pictures could be replaced.

The best bet all around is for you to print out every cert you encounter for the next few weeks and, every time you revisit a website, check the cert against your hard copy.  Read on for the certs.

Certificate images (not reproduced here): Amazon.com, eBay.com, PayPal.com, TurboTas.co.uk, Google, Yahoo.
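As an added example (not from the original post), here is a small Python script that does the “check the cert against your hard copy” step programmatically: it lets the normal chain validation run, then separately compares the server’s leaf certificate fingerprint against a value you recorded out of band. The host name and pinned fingerprint below are constructed placeholders, not the real fingerprints of any site named above.

```python
import hashlib
import hmac
import socket
import ssl

# Fingerprints copied from your own printed hard copy (out of band).
# CONSTRUCTED placeholder value, not a real site's fingerprint.
PINNED = {
    "example.test": "AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01",
}


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..' (as printed by a browser or OpenSSL) or 'abcd..';
    return lowercase hex with no separators so formats compare equal."""
    return fp.replace(":", "").replace(" ", "").lower()


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated uppercase hex digest of a DER certificate,
    in the same layout OpenSSL's -fingerprint option prints."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_pin(der: bytes, pinned: str) -> bool:
    """True if the certificate's fingerprint equals the pinned value.
    The digest is inferred from the pin length: 40 hex chars = SHA-1
    (what browsers showed in 2009), 64 hex chars = SHA-256."""
    pin = normalize(pinned)
    algo = {40: "sha1", 64: "sha256"}.get(len(pin))
    if algo is None:
        raise ValueError("pin must be a SHA-1 or SHA-256 fingerprint")
    actual = normalize(fingerprint(der, algo))
    return hmac.compare_digest(actual, pin)


def fetch_leaf_cert(host: str, port: int = 443) -> bytes:
    """Complete a normal TLS handshake (chain/path validation included)
    and return the server's leaf certificate in DER form."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_site(host: str) -> bool:
    """The handshake can succeed against a forged-but-valid cert; the pin
    comparison is the independent check the post recommends."""
    return matches_pin(fetch_leaf_cert(host), PINNED[host])
```

A mismatch from `check_site` means the certificate presented differs from the one you recorded, which is exactly the case the post says the browser’s own checks will not flag.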

Amazon Kindle comes to the UK

Two years after the release in the US of the Amazon Kindle, the device finally makes its way to the UK!  As from today you can buy the gadget from Amazon.  This is a special version for the international market with tweaks to ensure it can get network connectivity.

It’s not all good news though – because the international version is a special build, you can only get the Kindle 2, not the DX with the nice screen.  Oh well – I suppose we can’t have everything.

Also bear in mind the Orwellian remote deletion feature which Amazon got slated for earlier in ’09, and maybe you will think twice before you part with your cash.

I’ll put one on my wish list for xmas and can always delete it if the early UK reviews are not encouraging!