Fremdschämen (external shame)
Have you ever watched someone make a fool of themselves, only to find yourself cringing in embarrassment for them? Then you’ve most likely experienced fremdschämen. This German word is made up of two parts, with fremd meaning “foreign” and schämen meaning “to be embarrassed.” The term is typically used to describe someone who feels embarrassment on behalf of someone else. The corresponding noun for this feeling is Fremdscham.
Fremdschämen (pronounce: "Fremmd-Shamen") is the German word for the sentiment of joint embarrassment. In the literal sense it means "external shame".
Use it in a sentence! Today's example was prompted by the Eurovision Song Contest, always a good opportunity to feel embarrassed for others.
"Bereits nach den ersten Klängen des diesjährigen Beitrags von Großbritannien zum Eurovision Song Contest zuckte das Publikum innerlich zusammen. Ein europaweites Fremdschämen machte sich breit."
"Right after the first notes of Great Britain's contribution to this year's Eurovision Song Contest, the audience winced innerly. A feeling of Fremdschämen spread throughout Europe."
Too harsh? You be the judge.
Enjoy!
If online security is complicated, then online privacy is impossible. The public is slowly learning the difference between these two topics. Unfortunate situations such as the infamous fappening have brought both of these topics to the attention of the cyber muggles.
Online security can be reduced to 1s and 0s, algorithms and ciphers; there is a finite outcome when you are looking at crypto. Math does not lie, and we have the ability to create a secure cyber world. Where security breaks down is the implementation. Complicated software (open and proprietary), lack of proper vetting, and sometimes just laziness are a few of the causes.
Online privacy, on the other hand, is much darker and deeper than anyone wants to admit. From the government to politicians to the telco companies to advertisers, your privacy is a commodity that is sold, stolen, and bartered for. Free Google email is a perfect example. If you sign up for email (which I have) you should understand that your email will probably be secure, but you are giving up privacy through Google's targeted marketing bots that crawl every email you get.
But there are groups looking out for the public's interests, even if it didn't know it needed it.
- The Electronic Frontier Foundation (EFF) is an international non-profit digital rights group based in the United States.
- The American Civil Liberties Union (ACLU) is a nonpartisan non-profit organization whose stated mission is "to defend and preserve the individual rights and liberties guaranteed to every person in this country by the Constitution and laws of the United States."
Below I have listed some links to privacy and security audits that have been performed for many of the services we use today. I thought they were interesting and wanted to gather what I could find in one place.
Well, they have used up all the awesome vulnerability names, hence the POODLE attack (Padding Oracle In Downgraded Legacy Encryption). Twitter security chatter has increased around the POODLE attack and a CVE number has been assigned: CVE-2014-3566.
Links to both the Google paper and the CVE.
F5 response to the CVE
https://devcentral.f5.com/articles/cve-2014-3566-removing-sslv3-from-big-ip
Link to F5 SOL article
https://support.f5.com/kb/en-us/solutions/public/15000/700/sol15702.html
Link to F5 removing SSLV3:
https://devcentral.f5.com/articles/cve-2014-3566-removing-sslv3-from-big-ip
High Level Explanation:
The quick and dirty is that even if a client and server both support a version of TLS, the security level offered by SSL 3.0 is still relevant, since many clients implement a protocol downgrade dance to work around server-side interoperability bugs. In the Google security advisory, they discuss how attackers can exploit the downgrade dance and break the cryptographic security of SSL 3.0.
The only real workaround is to disable SSL 3.0, but for many web admins supporting legacy clients (Windows XP running IE6, for example), disabling SSL 3.0 is not an option.
If you end up leaving SSL 3.0 enabled, you can enable TLS_FALLBACK_SCSV. This forces a more controlled negotiation of SSL between the client and the server, limiting the possibility of clients and servers skipping protocols during the SSL negotiation.
I will add more specifics on the F5 and how you would enable TLS_FALLBACK_SCSV, as well as how to order your SSL protocols and cipher strengths.
***UPDATE***
According to F5 they do not currently support the TLS_FALLBACK_SCSV cipher. There is talk about an engineering hot fix that may include support but there is no solid ETA. F5 is recommending you disable SSL 3.0 where you can.
OpenSSL command to test if a web server supports SSL 3.0:
openssl s_client -connect target:443 -ssl3
If the command opens a session and waits for you to enter more input, then you just made an SSLv3 connection. If the command returns you to the prompt right away (handshake failure), then SSLv3 is disabled on that target host.
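As an added illustration (not code from the original post, F5 or OpenSSL), here is a toy model of the client downgrade dance and the RFC 7507 TLS_FALLBACK_SCSV check described above. The version numbers and the 0x5600 signalling value are the real wire values; the Server and Network classes and the negotiate helper are constructed stand-ins, including a server that ignores the SCSV, as the update says F5 did at the time.

```python
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600  # signalling cipher suite value defined in RFC 7507
VERSIONS_NEWEST_FIRST = [TLS12, TLS11, TLS10, SSL3]

class Server:
    """Server that knows its highest version and may or may not honour the SCSV
    (the page's update says F5 did not at the time). Constructed stand-in."""
    def __init__(self, max_version, honours_scsv=True):
        self.max_version = max_version
        self.honours_scsv = honours_scsv

    def handle_client_hello(self, client_version, cipher_suites):
        """RFC 7507 check: SCSV present and the offered version below what the
        server supports means the client is falling back, so reject it."""
        if (self.honours_scsv and TLS_FALLBACK_SCSV in cipher_suites
                and client_version < self.max_version):
            return ("alert", "inappropriate_fallback")
        return ("ok", min(client_version, self.max_version))

class Network:
    """Drops the first `drop` handshake attempts, modelling the interoperability
    failures (or an active downgrade) that trigger the downgrade dance."""
    def __init__(self, drop):
        self.drop = drop
    def deliver(self):
        if self.drop > 0:
            self.drop -= 1
            return False
        return True

def downgrade_dance(server, network, send_scsv):
    """Client side: try the newest version first; on a dropped handshake retry
    one version lower, adding TLS_FALLBACK_SCSV to retries when enabled.
    Returns the negotiated version, or None if the handshake fails fatally."""
    for attempt, version in enumerate(VERSIONS_NEWEST_FIRST):
        suites = [0x002F]  # TLS_RSA_WITH_AES_128_CBC_SHA, a constructed choice
        if attempt > 0 and send_scsv:
            suites.append(TLS_FALLBACK_SCSV)
        if not network.deliver():
            continue  # handshake lost: fall back to the next lower version
        status, detail = server.handle_client_hello(version, suites)
        return detail if status == "ok" else None  # alert ends the connection
    return None

def negotiate(server_max, drop, send_scsv, honours_scsv=True):
    """Run one connection attempt; hypothetical helper for the scenarios."""
    return downgrade_dance(Server(server_max, honours_scsv), Network(drop), send_scsv)
```

Without the SCSV, three dropped handshakes walk a TLS 1.2 client all the way down to SSL 3.0; with it, a server that honours the SCSV refuses the fallback, while a genuinely SSL 3.0-only server still works because the offered version is not below its maximum.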
Another Defcon and holy shit there were a lot of people. I registered Friday morning and they had run out of badges. Defcon has outgrown the Rio, and supporting that theory were rumors the con would be moving. For conventions over 14,000 attendees the options narrow. On the Defcon Wikipedia page and the Defcon DC News site they list Defcon 23 as being at both the Paris and Bally's hotels. Not sure how that will work out, but it definitely needs a larger facility. This may be misinformation though; remember, Defcon is canceled every year.
The theme this year, at least in the talks I attended, was botnets... botnets... botnets... The first talk I attended was Domain Name Problems and Solutions with Dr. Paul Vixie. His talk was a deep dive into how botnets and other nefarious entities are exploiting DNS. The industry's move to provide convenient and low-priced DNS names is fueling the fire. He also went into analysis of DNS metadata and how it is used in DNS RPZ (a DNS firewall).
Don't DDOS Me Bro: Practical DDOS Defense, presented by Blake Self and Cisco Ninja, was one of the better talks I attended. They spoke about Layer 7 DDOS detection and defense, and brought some real-world data from their site soldierx.com. They presented some examples of multi-layer defenses, from F5 rules to Apache tools. They also released their DDOS monitoring tool RoboAmp, which will run on a Raspberry Pi.
Lastly, and trust me it was a tough talk to get into, was Catching Malware En Masse: DNS and IP Style. OpenDNS presented tools and techniques they have developed to identify botnet and malware traffic on the internet. They also presented an awesome 3D visualization engine they use to graph and identify this rogue DNS and IP traffic.
Between the partying and binge consumption there was a lot to take away from this year's Defcon. It was good catching up with old friends and meeting new ones, and I can't wait till next year.