Maemo 5 as a vulnerability / "hacking" victim (https://talk.maemo.org/showthread.php?t=74017)

momcilo 2011-06-16 21:19

Re: Maemo 5 as a vulnerability / "hacking" victim
 
Quote:

Originally Posted by fasza2 (Post 1030504)
You got me confused now:) I had to check my .conf file; but
I think tls-auth /etc/openvpn/ta.key 1 stands for the dynamic one.
So the preshared ta.key file is needed probably for this very reason:

I should have been more precise. :( That configuration is static because both sides know the shared secret. This secret is never changed unless you change it manually on both sides.

Quote:

Originally Posted by fasza2 (Post 1030504)
In fact, I'm not really sure what the static key mode is. Is it the non-PKI one?

Just read the following:
http://openvpn.net/index.php/open-so...mentation.html

Quote:

Originally Posted by fasza2 (Post 1030504)
Now I'm not sure how exactly they implemented this; if the hash is encrypted separate from the data or together. But I know if an attacker changes a single bit in the packet the hash will fail.

I've stumbled somewhere on an explanation of the protocol that states the payload is encrypted then HMAC-ed. The problem is that the HMAC value is known to the attacker as well. In order to exploit it the attacker has to know the value of IV which is the pre-shared secret between client and server, which allows creation of packets with valid HMAC.


Quote:

Originally Posted by fasza2 (Post 1030504)
The whole idea is that the server has to be able to extract the hash from the packet in order to filter out dodgy UDP packets to save the cypher and the TCP/IP stack from further processing. Sort of not letting your 'pipe' get 'clogged'. Thankfully, this is just the first line of defence. That being said, as long as the hash can be extracted from the packet it would be possible to encrypt them together, but I'll try to read up on this later.

Well, it's a handy pocket knife, not a double-handed sword.

Quote:

Originally Posted by fasza2 (Post 1030504)
PS: MD5 is not recommended due to vulnerabilities and some other problems.

SHA1 is getting its fair share of attention as well.

There were some really good papers from Chinese regarding the reduction of brute-force attempts.

fasza2 2011-06-16 21:24

Re: Maemo 5 as a vulnerability / "hacking" victim
 
Quote:

Originally Posted by sr00t (Post 1030465)
Oh I didn't understood where you were going. I totally agree with you. Thanks.

Momcilo was saying that Nokia had to make compromises when they picked the browser. Something that has a forgiving licence like BSD and is relatively stable. They didn't pay so much attention to security, though, as they had a timeline to keep. I hope it makes more sense now:)

fasza2 2011-06-16 22:55

Re: Maemo 5 as a vulnerability / "hacking" victim
 
Here is what I could dig up (the last 2 were both from tls mode options):

'OpenVPN's usage of HMAC is to first encrypt a packet, then HMAC the resulting ciphertext.'

'--tls-auth file [direction]
Add an additional layer of HMAC authentication on top of the TLS control channel to protect against DoS attacks.

In a nutshell, --tls-auth enables a kind of "HMAC firewall" on OpenVPN's TCP/UDP port, where TLS control channel packets bearing an incorrect HMAC signature can be dropped immediately without response.

file (required) is a key file which can be in one of two formats:

(1) An OpenVPN static key file generated by --genkey (required if direction parameter is used).

(2) A freeform passphrase file. In this case the HMAC key will be derived by taking a secure hash of this file, similar to the md5sum(1) or sha1sum(1) commands.'

'It should be emphasized that this feature is optional and that the passphrase/key file used with --tls-auth gives a peer nothing more than the power to initiate a TLS handshake. It is not used to encrypt or authenticate any tunnel data.'

According to this the HMAC key is static and is not used in the authentication. (2048-bit, FYI)
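
The "HMAC firewall" behaviour quoted in the post above (encrypt first, HMAC the ciphertext, drop anything whose tag fails), as an added example that is not part of the original thread and is not OpenVPN's code. The function names, the tag-then-ciphertext layout and the choice of SHA-256 are assumptions made for illustration; this is not OpenVPN's wire format.

```python
import hashlib
import hmac

DIGEST = hashlib.sha256            # assumption: digest picked for this example
TAG_LEN = DIGEST().digest_size     # 32 bytes

def key_from_passphrase_file(contents: bytes) -> bytes:
    # Key file format (2) in the quote: hash a freeform passphrase file.
    return DIGEST(contents).digest()

def seal(key: bytes, ciphertext: bytes) -> bytes:
    # Encrypt-then-MAC: the tag is computed over bytes that are already encrypted.
    return hmac.new(key, ciphertext, DIGEST).digest() + ciphertext

def admit(key: bytes, packet: bytes):
    # "HMAC firewall": check the tag first; on failure return None (drop silently)
    # so no decryption or handshake state is spent on the packet.
    if len(packet) <= TAG_LEN:
        return None
    tag, ciphertext = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(key, ciphertext, DIGEST).digest()
    # compare_digest runs in constant time, so timing does not leak tag bytes.
    return ciphertext if hmac.compare_digest(tag, expected) else None

def flip_bit(data: bytes, index: int) -> bytes:
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)

def demo() -> dict:
    key = key_from_passphrase_file(b"constructed passphrase for this example\n")
    other_key = key_from_passphrase_file(b"a peer without the shared file\n")
    ciphertext = bytes(range(48))  # constructed stand-in for an encrypted packet
    packet = seal(key, ciphertext)
    return {
        "valid": admit(key, packet) == ciphertext,
        "body_bit_flipped": admit(key, flip_bit(packet, TAG_LEN + 5)),
        "tag_bit_flipped": admit(key, flip_bit(packet, 0)),
        # An observed tag is only valid for the exact bytes it was computed over.
        "tag_reused_on_new_body": admit(key, packet[:TAG_LEN] + b"x" * 48),
        "wrong_key": admit(key, seal(other_key, ciphertext)),
        "truncated": admit(key, packet[:TAG_LEN]),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'admitted' if result else 'dropped'}")
```

Only the unmodified packet sealed with the shared key is admitted; every other case is dropped before any decryption would run.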

momcilo 2011-06-17 06:53

Re: Maemo 5 as a vulnerability / "hacking" victim
 
As long as you don't encounter someone carrying pocket quantum calculator, you'll be just fine. ;)

fasza2 2011-06-17 16:12

Re: Maemo 5 as a vulnerability / "hacking" victim
 
Quote:

Originally Posted by momcilo (Post 1030662)
As long as you don't encounter someone carrying pocket quantum calculator, you'll be just fine. ;)

Hehe, maybe not anytime soon. ;) Mind you, I heard of a system that hooks up different computer systems sharing computing tasks over the internet to solve complicated, hence power-hungry mathematical problems. Unfortunately I can't remember its name, but I heard it on one of the Linux podcasts out there. I wonder if a hacker could make any use of it:)

fasza2 2011-06-17 16:30

Re: Maemo 5 as a vulnerability / "hacking" victim
 
Back to MicroB: what alternatives do we have? I mean solution, not browser.

Damn I hate closed source!

sr00t 2011-06-17 23:25

Re: Maemo 5 as a vulnerability / "hacking" victim
 
Quote:

Originally Posted by fasza2 (Post 1030932)
Back to MicroB: what alternatives do we have? I mean solution, not browser.

Damn I hate closed source!

Not too much, speaking of MicroB. It'll require more than 'mad skillz' to update it without having the closed-source core bits. You'll have to stick with Firefox Fennec or Opera. The last one is closed source but it has the quickest interval between updates. I don't list Chromium because it is almost unusable, like Firefox Fennec, which is REALLY REALLY slow.
I see Opera as the best browser for everyday use in Maemo (even if it's closed-source), and the most up-to-date one. I really doubt there are vulnerabilities for it. The sad thing is you'll be forced to use MicroB if you want Flash.
Another alternative is to use browsers in Easy Debian (which I haven't tested too much).

mikecomputing 2011-06-17 23:58

Re: Maemo 5 as a vulnerability / "hacking" victim
 
Quote:

Originally Posted by Captwheeto (Post 1029647)
Turn off SSH if you're not going to use it. Also traffic is being sniffed more than a school girl in Japan. Don't log on to anything, general browsing should be fine as long as nobody does a redirect and exploits you from there.

Not true, I would prefer to sniff a lot more on a schoolgirl in Japan than an N900 ;)

jd4200 2011-06-18 00:16

Re: Maemo 5 as a vulnerability / "hacking" victim
 
I haven't looked much into this; but, I bet there are many vulnerabilities in our current version of Adobe Flash, and maybe the stock web browser, seeing as they haven't been updated in a long time.

I'd suggest using Opera whilst you are there, and blocking Flash.

(Input would be appreciated if anyone can confirm the weakness of Flash or MicroB).

Estel 2011-06-18 16:39

Re: Maemo 5 as a vulnerability / "hacking" victim
 
And I suggest using Iceweasel via Easy Debian as mentioned before, 'cause Opera is one f*** of an annoying browser, not to mention closed source, so we can only guess if it's safe or not (however, I agree that it's probably safer than MicroB that wasn't updated in ages - but again, PROBABLY).

Also, I don't think you'll encounter many people prepared to attack MicroB, as the N900 is (fortunately in this case) much less popular than Android "kiddy" phones. Security through obscurity, that is ;) Remember that even the most talented "hackers" are as good in these situations as the "tools" they have with them. I don't suppose that anyone will write a special script to hack you, even at a Security Conference, just because he's annoyed that you got a better handheld than her/his new 1k dollars one ;)


All times are GMT.