
GnuPG has just released a fix for a dangerous side-channel attack that could expose your private key, a leak of NASDAQ test data was picked up by real news organizations and caused a bit of a panic, and the fascinating story of a security researcher who managed to take over all .io domains with a little sleuthing and a few domain registrations.
Plus Dan has so much new stuff that it gets its own segment, and of course your feedback, a fantastic round-up and so much more!
Show Notes:
GnuPG side-channel attack: RSA private key recovery
- The researchers obtain a very efficient full key recovery for RSA-1024.
- For RSA-2048 the attack is efficient for 13% of keys (i.e. roughly 1 in 8).
NASDAQ leaks test data
- A data glitch briefly made online games group Zynga more valuable than Goldman Sachs when prices of a host of Nasdaq-listed stocks including Amazon, Apple and Microsoft were reset to exactly $123.47.
- Prices on Nasdaq’s official website appeared unaltered but those shown on financial data services including Bloomberg, Thomson Reuters and Google Finance did display the price changes to $123.47.
- New York Stock Exchange data were unaffected. Typically, vendors discard the test prices when checks are done. While the reason this did not happen for Nasdaq on Monday is not known, there was speculation it was linked to changed timings on the eve of the US Independence Day holiday.
- “It was no error by Nasdaq,” the exchange operator said. “Some vendors took test data and put it out as live prices.”
- Nasdaq said the glitch did not affect any market trading, including after hours. However, traders in Hong Kong said they saw a handful of trades reported at those prices, although many deals were subsequently cancelled.
Taking Control of All .io Domains With a Targeted Registration
- Previous post by the same researcher: The Hidden Risks of Domain Extensions
- Several of the .io TLD's authoritative nameservers are themselves hostnames under .io (e.g. ns-a1.io), so the zone's delegation depends on names that can be registered in that very zone
- Not so much an exploit as a failure of the TLD operator to protect its own assets
- The hard part is finding which of those nameserver domains are actually available for registration, and then registering them
- Dan notes that .org does not suffer as easily from this problem because all of the .org NS records are under a given domain: org.afilias-nst.info (re dig NS org. @k.root-servers.net.)
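As an added example (not code from the show notes or from the .io write-up), the following script does the check the story turns on: take the NS set delegated for a TLD, keep the nameservers whose registrable parent domain lies under that same TLD, and flag the ones nobody currently holds. Every input here is constructed for illustration: the dig output, the delegation sets (names like nic.io and afilias-nst.org stand in for whatever the root actually serves), and the "registered" set, which in practice would be a WHOIS/RDAP lookup or a registrar EPP check rather than a hard-coded set. It also assumes the TLD sells names directly at the second level.

```python
"""Added example: not code from the TechSNAP notes or from the .io write-up.

Given the NS records delegated for a TLD, find the nameserver hostnames whose
registrable parent domain lies under that same TLD and is not currently held
by anyone. Those are the names an outsider could register and then use to
answer queries for the entire zone, which is the weakness the .io story
describes. All DNS data and the "registered" set below are constructed.
"""

from typing import Dict, Iterable, List, Optional

# Constructed sample of what `dig NS io. @k.root-servers.net.` might print.
# A root referral lists the NS set in the AUTHORITY SECTION; only the record
# shape matters here, the names are illustrative.
SAMPLE_DIG_OUTPUT = """\
;; AUTHORITY SECTION:
io.\t\t\t172800\tIN\tNS\ta0.nic.io.
io.\t\t\t172800\tIN\tNS\tb0.nic.io.
io.\t\t\t172800\tIN\tNS\tns-a1.io.
io.\t\t\t172800\tIN\tNS\tns-a2.io.
"""

# Constructed delegation sets for two TLDs, used by the comparison below.
SAMPLE_DELEGATIONS: Dict[str, List[str]] = {
    "io": ["a0.nic.io", "b0.nic.io", "ns-a1.io", "ns-a2.io"],
    "org": ["a0.org.afilias-nst.info", "b0.org.afilias-nst.org"],
}

# Constructed stand-in for a registry availability check (WHOIS/RDAP or a
# registrar's EPP check in real life): second-level domains already taken.
SAMPLE_REGISTERED = {"nic.io", "afilias-nst.org"}


def parse_dig_ns(output: str) -> List[str]:
    """Extract NS target hostnames from dig output, dropping the trailing dot."""
    names: List[str] = []
    for line in output.splitlines():
        if line.startswith(";"):          # comment or section header
            continue
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN" and parts[3] == "NS":
            names.append(parts[4].rstrip(".").lower())
    return names


def registrable_domain(name: str, tld: str) -> Optional[str]:
    """Second-level domain of `name` if it sits under `tld`, else None.

    Assumption: the TLD sells names directly at the second level (true for
    .io and .org, wrong for TLDs with public second-level suffixes like .uk).
    """
    labels = name.rstrip(".").lower().split(".")
    if len(labels) < 2 or labels[-1] != tld.lower():
        return None
    return ".".join(labels[-2:])


def in_bailiwick_nameservers(tld: str, nameservers: Iterable[str]) -> Dict[str, str]:
    """Map each nameserver hosted under `tld` to the second-level domain it depends on."""
    result: Dict[str, str] = {}
    for ns in nameservers:
        parent = registrable_domain(ns, tld)
        if parent is not None:
            result[ns] = parent
    return result


def unregistered_in_bailiwick(tld: str, nameservers: Iterable[str],
                              registered: Iterable[str]) -> List[str]:
    """Nameservers whose parent domain under `tld` nobody currently holds.

    Each returned name is one an attacker could register and then use to
    serve (or poison) answers for the whole TLD.
    """
    held = {d.lower() for d in registered}
    exposed = in_bailiwick_nameservers(tld, nameservers)
    return sorted(ns for ns, parent in exposed.items() if parent not in held)


def assess(delegations: Dict[str, List[str]],
           registered: Iterable[str]) -> Dict[str, List[str]]:
    """Run the check across several TLDs at once."""
    held = set(registered)
    return {tld: unregistered_in_bailiwick(tld, ns, held)
            for tld, ns in delegations.items()}


if __name__ == "__main__":
    print("from dig:", unregistered_in_bailiwick(
        "io", parse_dig_ns(SAMPLE_DIG_OUTPUT), SAMPLE_REGISTERED))
    for tld, exposed in assess(SAMPLE_DELEGATIONS, SAMPLE_REGISTERED).items():
        print(f".{tld}: {exposed or 'no unregistered in-bailiwick nameservers'}")
```

With the constructed data, .io reports ns-a1.io and ns-a2.io as exposed while .org reports nothing, even though b0.org.afilias-nst.org is also in-bailiwick: the difference is only that afilias-nst.org is held, which is exactly why an in-TLD nameserver name must be registered and kept by the operator, not merely served from the zone.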
In the what’s new category for Dan
- ‘Divider Boxes’ from @LeeValleyTools, set of 5 for CAD$9.50.
- LTO-4 labels for my laser printer
- Inserted the 2nd of six 5TB drives to replace my 3TB drives.
- Uploaded two scripts for my Let’s Encrypt project to GitHub: collect-certs & check-for-new-certs
Feedback
Round Up:
- OpenBSD Will Get Unique Kernels on Each Reboot. Do You Hear That Linux, Windows? – as detailed in BSDNow Episode 199: Read the source, KARL
- Privileged Ports Cause Climate Change – “I’m going to hazard a guess that the same 16-24 core Xeon with ~256gb of RAM that probably hosts less than a hundred 768mb VMs could probably host thousands of user workloads if those workloads ran directly on the same kernel without the cost of a hypervisor or the bloat of containers.” – FreeBSD jails – each one runs on the same kernel