Current Topic: Computer Security

RE: FAA: Boeing's New 787 May Be Vulnerable to Hacker Attack
Topic: Computer Security 9:58 am EST, Jan  7, 2008

Decius wrote:

Gunter wouldn't go into detail about how Boeing is tackling the issue but says it is employing a combination of solutions that involves some physical separation of the networks, known as "air gaps," and software firewalls. Gunter also mentioned other technical solutions, which she said are proprietary and didn't want to discuss in public.

"There are places where the networks are not touching, and there are places where they are," she said.

What?! Either the networks are connected or they are not. There is no middle ground. This isn't some enterprise network where you've got to have connectivity and you put in a firewall but every once in a while a virus outbreak happens anyway and you lose a day. This is an airplane. One virus outbreak on your internal network and you kill a lot of people. Conclusion: REAL, REAL f*#king stupid!

Agreed, this is completely insane.

On the other hand, I'm sure abaddon would love to fly his own 747, and now he can! Might not be worth the trip to Guantanamo, however.

w00t is Merriam-Webster's Word of the Year for 2007 - Boing Boing
Topic: Computer Security 10:24 am EST, Dec 13, 2007

Voters at Merriam-Webster's Word of the Year 2007 poll have chosen "w00t" as 2007's most iconic word. M-W says that the word is a gamer's acronym for "we own the other team," but I'm inclined to think that that's a backronym, a back-formed acronym created to explain a word already in use.

I am simultaneously amazed and annoyed at the misattribution of this word.

Not to mention that they're at least 5 years, possibly 10 years, behind.

Tards. F M-W. Oxford FTW, bitches.

YouTube - NBC Dateline Reporter flees Defcon 15
Topic: Computer Security 11:37 am EDT, Aug  4, 2007

NBC Reporter with hidden camera in purse hoping to catch conference attendees committing to crimes (according to Defcon staff) flees Defcon 15 after being outed.


For more information on this awesome totally ethical NBC program, see this.

Stupid dateline.

RE: Voting System Bakeoff
Topic: Computer Security 4:27 pm EDT, Jul 16, 2007

Decius wrote:

Four teams of researchers from universities in the U.S., Canada, Poland and the United Kingdom begin competing today in Portland, Oregon, to win a prize for the best open-source voting system. The three-day University Voting System Competition, which ends July 18th, is sponsored by the National Science Foundation.

Some interesting approaches will be demoed here.

And then, likely, promptly ignored by everyone.

Sorry, too cynical?

I really do hope it goes somewhere, but I'm not betting on it.

Proximity Cards
Topic: Computer Security 4:50 pm EST, Feb 27, 2007

This is rather magical, considering that the tag is credit card-thin and contains no battery. The trick is the same as for RFID tags. The reader constantly transmits a rather strong carrier; the tag derives its power and clock from this carrier, kind of like a crystal radio. The tag changes how much carrier it reflects back at the reader—loosely, it makes the circuit across its antenna more like a short or more like an open—to transmit its code. The reader and the tag both have antenna coils tuned to the carrier frequency; they work like a loosely-coupled resonant transformer.

I'm not sure this is a correct assumption in all cases. Certainly there are many passive cards (perhaps most of them?) which utilize the induced current from the sensor to drive the action of the card.

I believe, however, that there are also active cards, with an internal battery, which work by receiving an activation signal from the reader, thus causing them to transmit their ID. Crucially, the range of that transmission wouldn't be related to the power of the reader's signal, because it's generated internally. You could trigger the card to send its ID from arbitrarily (as powerful as you could make the signal) far away, but the card's never going to transmit with enough power to be read at that same distance.

The one semi-sensible thing the HID representative said was that a cloning attack would be far more difficult for such active cards. Not impossible, just difficult. You really would have to get the cloning sensor within a couple of inches, perhaps less.

I know for a fact that I've had cards which contain batteries and when they fail, the reader does nothing... not denial, not error, nothing. This indicates to me that the card itself controls the power and therefore the range of the signal carrying the ID code.

That being said, if such a cloning attack is so hard, why is it so dangerous to release schematics for a cloner? It's paradoxical for the company to say simultaneously that the attack is almost impossible to execute and that it's a dangerous and irresponsible thing to discuss.

The truth is at the crossroads of all these things. For some cards, this is a danger, for others, much less so. Regardless, customers of these systems will get nervous and it'll cost the vendors time and money, possibly a lot of it. Ergo, no matter how real the threat is, the vendors will shut it down so as to save the implicit loss of customer trust. They should rely on their customers to listen to them when they say, "Yes, this was demonstrated, it's not a threat against X, Y and Z product lines because of A, B, C reasons and product line Q is being phased out for precisely these reasons." Twisting the legal system to derail security research is wrong.

Topic: Computer Security 3:52 pm EST, Feb 27, 2007

HID has claimed that teaching others about the information violates two of the company's patents, IOActive's CEO Josh Pennell told reporters in a conference call on Tuesday. On the advice of lawyers, Pennell would not describe other details about the claims.

This really does seem completely insane. How, in any rational sense, can this violate patent law? I thought the only way to violate a patent was to produce a *product* which incorporates methods or technologies that have been patented. Are they trying to make the claim that since information is the product of this company and researcher that the words themselves are derivative works? I don't get it.

"If I say anything, HID will sue us," he said. "Large companies have lots of resources, and small companies, such as IOActive, don't."

It feels like July, '05 all over again. I feel bad for the researcher... maybe abaddon can send him one of those fancy White Hats with "Good" emblazoned on the front, just as a consolation.

Fuck HID.

I like the statement

Asked why HID hasn't addressed the issue in more recent proximity card systems, after knowledge of RFID threats became common, Carroll said that doing so would cause "major upheaval" among customers.

In other words, "we know our shit is insecure and it will cost us a lot to fix it and even more if our clients" -- government being the largest, presumably -- "get freaked out." What a bunch of garbage.

"These systems are installed all over the place. It's not just HID, but lots of companies, and there hasn't been a problem. Now we've got a person who's saying let's get publicity for our company and show everyone how to do it, and it puts everyone at risk. Where's the sense of responsibility?" Carroll said.

This is a direct re-hash of the arguments made against Mike 2 years ago. "It's all for publicity." "It's irresponsible."

Of course, it's totally ok to sweep known security issues under the carpet and pretend everything's secure for your government clients...


Security Absurdity; The Complete, Unquestionable, And Total Failure of Information Security.
Topic: Computer Security 5:08 pm EST, Nov 29, 2006

A long-overdue wake up call for the information security community.

This popped up on Slashdot recently. I'm curious to get feedback from the security experts here at Memestreams.

I'm no security expert, but he seems about on target to me. He has someone in there quoted as saying the internet is "one exploit away from a complete meltdown" and I know of at least one MemeStreams regular (ahem) who can certainly speak to that (though legally not in great detail).

Guardian Unlimited Technology | Technology | Scientists, be on guard ... ET might be a malicious hacker
Topic: Computer Security 11:38 am EST, Nov 28, 2005

He believes scientists searching the heavens for signals from extra-terrestrial civilisations are putting Earth's security at risk, by distributing the jumble of signals they receive to computers all over the world.

Now why didn't I think of that!

[ This concept has been found in sci-fi for as long as there have been networks of computers. Vernor Vinge, in particular, comes back to the concept of manipulating planetary data networks in many books (including the pre-cyberspace-era True Names, which is considered a very important work by many very smart people). I don't think we have much to worry about. Not because I don't think it can be done... surely digital computers wouldn't be beyond an advanced race, but because I think they'd have to be nearby. Latency to other star systems is a bitch.

I suppose it's not impossible that some race is broadcasting a cleverly mutating virus targeted at digital systems, but I kinda doubt it. -k]

CRM News: RFID : Chase Bank Rolls Out Contactless Credit Cards
Topic: Computer Security 1:39 pm EDT, Jun 13, 2005

Security experts familiar with the cards' radio frequency identification (RFID) technology, described by Chase as "contactless functionality," expressed some concern over the devices' security strength. Some have suggested that they may make it easy for perpetrators to commit fraud or identity theft.

Saw an ad for ChaseBlink tonight. This ought to be interesting... Contactless credit card purchases. No signature. No PIN. Just wave it over the reader. I can tell you how I'd have designed it, but I would be surprised if there were no vulnerabilities here.

While this is rather elaborate, a computer controlled RFID device connected to increasingly common cellular wireless internet systems relays the transaction to another reader, maybe taped to a chair in a shopping mall foodcourt.

[ I just got one of these in the mail. I had been a BankOne customer, and then Chase bought them up. So my BankOne Visa is now a Chase Visa with Blink. I'm not 100% happy about it. I think this one may end up getting cancelled, since I'm not *really* into walking around with a foil wrapped credit card. Still, if anyone's got a reader, we might be able to play with it... I'm kinda curious what's on there.


Diebold Machines
Topic: Computer Security 9:01 pm EDT, Jul 20, 2004

Well, I voted today. A few impressions.

[ My feelings echo Tom's somewhat. I think the most dangerous aspect of these machines is the certification process, pre-election access to the devices, malicious or shitty code, and hardware failure.

If you could pull smartcard shenanigans, as Decius says, it'd be all over... no one pays attention once you walk up there and pop in the card. I did notice that the cards were yellow today, but were white the last time I voted. Perhaps you'd need to take the step to match the color if you were gonna swap.

The machines plainly indicate how many votes they've taken for the day. When I went at about 10 am, my machine had already processed about 30 votes. That's only 10 an hour, so maybe each machine registers 100-250 votes... Even if somehow you could get 2 minutes per person average, you could only cram in 360 for the day. As Decius says, this substantially mitigates the effect of a single machine compromise... the election would have to be very close.

I'm still not happy with these things, overall, but it could be worse. -k]
