Open Systems Journal

It’s the first day of the rest of your life, and, of course, 2009. We didn’t hit 1,000,000 members, but I predict SQLServerCentral will pass that mark in 2009. Not a difficult prediction, but that should keep me from missing completely on my guesses.
I saw a poll asking for predictions for 2009 and thought it [...]

A leap second will be added to the clock at 12/31/2008 23:59:59 UTC tonight. Clocks will go:
12/31/2008 23:59:58
12/31/2008 23:59:59
12/31/2008 23:59:60
01/01/2009 00:00:00
01/01/2009 00:00:01
Hopefully most IT folks will be otherwise occupied at that time and not focusing on their system clocks.
Have a Happy 1-second Delayed New Year.
David Goldsmith
Go to Source

Vulnerability Note VU#836068
MD5 vulnerable to collision attacks
OverviewWeaknesses in the MD5 algorithm allow for collisions in output. As a result, attackers can generate cryptographic tokens or other data that illegitimately appear to be authentic.
I. DescriptionA secure cryptographic hash algorithm is one that generates a unique identifier of a fixed size (known as a "digest" or [...]

Secure government Web sites, e-mail vulnerable to forgeries; RSA, VeriSign called out for using outdated hashing techniques.
Go to Source

Security bypass attack
Conversations relayed through cordless household phones might be far easier to snoop upon than previously suspected.…
Go to Source

Hewlett-Packard apparently has plans to soon announce two
high-performance desktop PC’s that have a slim, eco-friendly design,
thus defying the concept that bulk and big is best.
Go to Source

A new study finds Obama election supporters are eager to use the Net to push the new president’s agenda forward. But can anyone really control 13 million independent-minded voters? by Richard Koman
Go to Source

Guest post by Chris Eng In the wake of this morning’s 25C3 presentation by Alex Sotirov and Jacob Appelbaum, most of the coverage I’ve read so far has focused on the technical details and real-world impact of their findings. Rightly so — their paper describing the attack…
Go to Source

US-CERT is aware of a public report describing how MD5 collisions can be leveraged to generate rogue SSL CA certificates. A rogue CA certificate could be used by an attacker to generate valid SSL certificates for arbitrary web sites. Using these certificates in DNS redirection attacks, an attacker could spoof an SSL protected web site [...]

I would like to quickly summarize the SSL MD5 issue presented at the CCC congress in Berlin today. Let me start with a quick FAQ:
How bad is it?
Bad. But we will survive. The problem makes it possible to create perfect phishing sites with valid SSL certificates. The [...]