Sunday, October 30, 2005

EFF breaks secret tracking "dot code"

EFF: DocuColor Tracking Dot Decoding Guide

This is a breakthrough. It has been rumoured for years that printers and copy machines embed secret codes in documents to trace them back to the source machine, but the EFF now has real evidence and even tools that you can use to perhaps decode your printer's secret tracking information.


This guide is part of the Machine Identification Code Technology project. It explains how to read the date, time, and printer serial number from forensic tracking codes in a Xerox DocuColor color laser printout. This information is the result of research by Robert Lee, Seth Schoen, Patrick Murphy, Joel Alwen, and Andrew "bunnie" Huang. We acknowledge the assistance of EFF supporters who have contributed sample printouts to give us material to study. We are still looking for help in this research; we are asking the public to submit test sheets or join the printers mailing list to participate in our reverse engineering efforts.


New favorite word: Hoffing

Hackers no hassle: Hoff - People - Entertainment - theage.com.au



More from Oracle's CSO

Wow. Note how she says that she researches "hacking techniques" as well as the network-security-centric language throughout. A CSO should not typically be operating at this level but rather at the "big picture" strategic level.

No wonder Oracle continues to have application security and patch quality problems. Their CSO seems to spend too much time hacking the network and writing articles about it and about how bad vulnerability researchers are, and not enough time executing on a strategy to improve the security posture of their software and processes. Some on security mailing lists are calling for her to resign.

-Jason


-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of InfoSec News
Sent: Wednesday, October 19, 2005 12:03 AM
To: [email protected]
Subject: [spam]::[ISN] Davidson: Lessons of warfare for IT security

http://www.fcw.com/article91127-10-17-05-Web

By Mary Ann Davidson
Oct. 17, 2005

As a security professional, I research the latest issues, threats and
hacking techniques. For pleasure, however, I read mostly military
history, which shapes my view of information security. As a result, I
offer the following lessons from military history for federal agency
information technology security professionals.

Most security professionals attempt to implement programs to defend
all access points because intruders need to find only one way in. But
because agency resources are finite, boundaries typically exceed
resources. To best apply limited resources to maximize defense
success, carefully select your turf.

Risk management approaches to security must move beyond identifying
and defending the most important assets to include an analysis of a
network's strategic points where intruders could attack.

Here are some IT security lessons from military history.


* Intelligence has value only if you act on it.

The Battle of Midway in June 1942 was arguably the turning point of
World War II in the Pacific rim. The victory hinged partly on U.S.
code crackers' breaking the JN25 naval cipher to learn that the Japanese
planned to attack Midway. Adm. Chester Nimitz, commander of the U.S.
Pacific fleet, sent two carrier task forces to Midway to ambush the
Japanese Navy.

A second lesson is the hubris of assuming that enemies cannot break
ciphers and codes.

Security professionals have many means of defense at their disposal.
Through network mapping, they can determine the landscape of their
networks. Knowing how many systems are locked down and adequately
patched, they can assess their readiness. Using intrusion-detection
systems, they can know the types of probes the enemy has attempted.

But some organizations don't use or act on the intelligence they have.
Many turn off their auditing systems, fail to review the logs or
ignore alarms. A military parallel is Pearl Harbor, the attack in
which the United States ignored radar detecting the incoming Japanese
planes.


* Interior defensive perimeters are critical.

The network perimeter has disappeared as ubiquitous computing and
extranet access have surged. The model of hardened perimeters and
wide-open interiors is no longer adequate.

During the 1879 defense of Rorke's Drift in South Africa, about 150
British soldiers held off 4,000 Zulus by defending the inherently
indefensible. They created makeshift barricades from grain sacks and
biscuit boxes to secure the perimeter. They had fallback positions and
used them.

Security professionals can learn from this example. A network is not
defensible if attackers breach the perimeter and the rest of the
network is wide open.

Today, administrators segment networks with interior firewalls.
Tomorrow, networks may be able to create dynamic barriers in response
to worm and virus invasions.

Admirals and generals set strategies, but individuals who make
tactical decisions and take the initiative win battles. Every federal
agency employee has a responsibility to make IT security a priority.

Davidson is Oracle's chief security officer.


More PHP web application security tips

Hacks From Pax: PHP Web Application Security - The Community's Center for Security


Today on Hacks From Pax we'll be discussing PHP web application security. PHP is a great language for rapidly developing web applications, and is very friendly to beginning programmers, but some of its design can make it difficult to write web apps that are properly secure. We'll discuss some of the main security "gotchas" when developing PHP web applications, from proper user input sanitization to avoiding SQL injection vulnerabilities.


Preventing future threats: not with a "lack of protective imagination"

And, after hurricane Katrina, I would add that on top of a "lack of protective imagination", government continues to suffer as well from "pork barrel security projects" and "visible-but-ineffective security projects" that divert precious resources away from the real or more likely threats.

An unfortunate example of this is how "The federal government will pay the overtime of cops and emergency medical workers if the drill involves an act of terrorism, but it won't if locals rehearse for a natural disaster." So, the government is still making it difficult for localities, such as Seattle, to prepare for _likely threats_ and instead they have to fake it by running drills for the more unlikely terrorism-related scenarios instead. See Is Seattle Really Ready?

The other glaringly apparent issue is that unqualified people are being put into positions of authority in governmental agencies that are in charge of protection and response for natural disasters and other events. I have lost my belief that government can be a reliable first line of assistance; individual citizens and localities have to take matters into their own hands to be prepared, just as you would for a retirement plan. Don't rely on social security, welfare, or unemployment as your sole safety net, and now add to that governmental response to disasters.

I'm going to be reactivating my local neighborhood disaster preparedness facility, since I can't believe that if there were any kind of significant event there could be a reasonable expectation of a decent national response.


Forwarded from: Richard Forno

The London bombs went off over 12 hours ago.

So why is CNN-TV still splashing "breaking news" on the screen?

There's been zero new developments in the past several hours.
Perhaps the "breaking news" is that CNN's now playing spooky "terror
attack" music over commercial bumpers now filled with dramatic
camera-phone images from London commuters that appeared on the Web
earlier this morning.

Aside from that, the only new development since about noon seems to be
the incessant press conferences held by public officials in cities
around the country showcasing what they've done since 9/11 and what
they're doing here at home to respond to the blasts in London.....which
pretty much comes down to lots of guys with guns running around
America's mass transit system in an effort to present the appearance of
"increased security" to reassure the public. While such activities are a
political necessity to show that our leaders are 'doing something'
during a time of crisis we must remember that talk or activity is no
substitute for progress or effectiveness.

Forget the fact that regular uniformed police officers and rail
employees can sweep or monitor a train station just as well as a
fully-decked-out SWAT team -- not to mention, they know it better, too.
Forget that even with an added law enforcement presence, it's quite
possible to launch a suicide attack on mass transit. Forget that a
smart terrorist now knows that the DHS response to attacks is to
"increase" the security of related infrastructures (e.g., train
stations) and just might attack another, lesser-protected part of
American society potentially with far greater success. In these and
other ways today following the London bombings, the majority of security
attention has been directed at mass transit. However, while we can't
protect everything against every form of attack, our American responses
remain conventional and predictable -- just as we did after the Madrid
train bombings in 2004 and today's events in London, we continue to
respond in ways designed to "prevent the last attack."

In other words, we are demonstrating a lack of protective imagination.

Contrary to America's infatuation with instant gratification, protective
imagination is not quickly built, funded, or enacted. It takes years to
inculcate such a mindset brought about by outside the box,
unconventional, and daring thinking from folks with expertise and years
of firsthand knowledge in areas far beyond security or law enforcement
and who are encouraged to think freely and have their analyses seriously
considered in the halls of Washington. Such a radical way of thinking
and planning is necessary to deal with an equally radical adversary, yet
we remain entrenched in conventional wisdom and responses.

Here at home, for all the money spent in the name of homeland security,
we're not acting against the terrorists, we're reacting against them,
and doing so in a very conventional, very ineffective manner. Yet
nobody seems to be asking why.

While this morning's events in London are a tragedy and Londoners deserve
our full support in the coming days, it's sad to see that regarding the
need for effective domestic preparedness here in the United States,
nearly 4 years after 9/11, it's clear that despite the catchy
sound bites and flurry of activity in the name of protecting the
homeland, the more things seem to change, the more they stay the same.

-rick
Infowarrior.org


Even MORE evidence of PHP becoming the new C

Another example of how PHP can be dangerous. Having to know the internal workings of variable acceptance to implement secure data checking seems to negate the value of having a higher-order programming language.

And, it is common in other languages to work with variables in a REQUEST structure of some sort.

PHP should provide a built-in set of semantics for data input filtering that work across all of the possible input types so that each application doesn't have to build their own. I even remember when you used to have to build your own PHP session management or use additional PHP modules (PHPlib was a great implementation) before it got rolled into PHP 4.

Also check out the Hardened-PHP Project for this advisory and many others for PHP applications, and some PHP security basics talks.

-J


-----Original Message-----
From: Stefan Esser [mailto:[email protected]]
Sent: Saturday, July 02, 2005 12:09 AM
To: [email protected]; [email protected]
Subject: Advisory 03/2005: Cacti Multiple SQL Injection Vulnerabilities [FIXED]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hardened - PHP Project
www.hardened-php.net

-= Security Advisory =-



Advisory: Cacti Multiple SQL Injection Vulnerabilities
Release Date: 2005/07/01
Last Modified: 2005/07/01
Author: Stefan Esser [[email protected]]

Application: Cacti <= 0.8.6e
Severity: Wrongly implemented user input filters lead to
multiple SQL Injection vulnerabilities which can
lead f.e. to disclosure of the admin password hash
Risk: Critical
Vendor Status: Vendor has released an updated version
References: http://www.hardened-php.net/advisory-032005.php


Overview:

Quote from http://www.cacti.net
"Cacti is a complete network graphing solution designed to harness
the power of RRDTool's data storage and graphing functionality.
Cacti provides a fast poller, advanced graph templating, multiple
data acquisition methods, and user management features out of the
box. All of this is wrapped in an intuitive, easy to use interface
that makes sense for LAN-sized installations up to complex
networks with hundreds of devices."

Because it is usually fun to audit software which was previously
audited by experts from iDEFENSE we scanned through their reported
vulnerabilities and found that most are not properly fixed.


Details:

With the recent release of iDEFENSE's Cacti advisories version
0.8.6e of Cacti was released which according to iDEFENSE fixes
all reported flaws. But this is not true.

However the user input filters that were added to the Cacti
codebase to address the possible SQL Injections are wrongly
implemented and therefore can be tricked to let attackers
through.

To demonstrate the problem, here is a snippet of "graph.php":

/* ================= input validation ================= */
input_validate_input_regex(get_request_var("rra_id"), "^([0-9]+|all)$");
input_validate_input_number(get_request_var("local_graph_id"));
/* ==================================================== */

if ($_GET["rra_id"] == "all") {
    $sql_where = " where id is not null";
} else {
    $sql_where = " where id=" . $_GET["rra_id"];
}

On the first look this code looks safe, because it checks that
the 'rra_id' request parameter is either a number or the string
"all" before inserting it into a part of the SQL Query.

To realize that this check is however worth nothing one has to
dig deeper and look into the implementation of get_request_var()

function get_request_var($name, $default = "")
{
    if (isset($_REQUEST[$name])) {
        return $_REQUEST[$name];
    } else {
        return $default;
    }
}

This actually means that the filter in this example is applied to
the content of $_REQUEST["rra_id"] and not to $_GET["rra_id"].
The problem with this is, that $_REQUEST is a merged version of
the $_GET, $_POST and $_COOKIE arrays and therefore array keys of
the same name will overwrite each other in $_REQUEST.

In the default configuration of PHP which is usually not changed
by anyone the merge order is GPC. This means when the request
contains both $_GET["rra_id"] and $_POST["rra_id"], only the
posted value will end up in the $_REQUEST array.

This however means, that nearly all of the implemented filters can
be bypassed by supplying the attack string through the URL and
supplying a good string through POST or through the COOKIE.


Proof of Concept:

The Hardened-PHP Project is not going to release exploits
for these vulnerabilities to the public.


Disclosure Timeline:

25. June 2005 - Contacted Cacti developers via email
29. June 2005 - Review of patch from our side
1. July 2005 - Release of updated Cacti and Public Disclosure


Recommendation:

We strongly recommend upgrading to Cacti 0.8.6f which you can get at

http://www.cacti.net/download_cacti.php


Summary for Secunia:

Because Secunia proved several times in the past that they have
enormous problems with reading advisories and crediting the right
parties in their advisory rip-offs, here is a short summary.

This bug was not found by iDEFENSE. On the contrary, it is a bug
in the input filters that were implemented because of iDEFENSE
and were nodded through by them.


GPG-Key:

http://www.hardened-php.net/hardened-php-signature-key.asc

pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1


Copyright 2005 Stefan Esser. All rights reserved.
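The filter/usage mismatch the advisory above describes, as an added example (not Cacti's or Hardened-PHP's code): get_request_var() is reproduced as shown, the validation regex is assumed to behave like the one in graph.php (preg_match is used here), and $_GET, $_POST, $_COOKIE and $_REQUEST are constructed by hand in the GPC merge order because the script runs from the command line.

```php
<?php
// Added example, not Cacti's code: models why validating get_request_var()
// (which reads $_REQUEST) says nothing about the $_GET value used later,
// and shows the hardened form: validate the very value you go on to use.

declare(strict_types=1);

// Rebuilds $_REQUEST the way PHP's default "GPC" variables_order does:
// later arrays win in array_merge(), so POST overrides GET, COOKIE overrides POST.
function build_request(array $get, array $post, array $cookie): array
{
    return array_merge($get, $post, $cookie);
}

// The helper quoted in the advisory: it reads $_REQUEST, not $_GET.
function get_request_var(string $name, string $default = ''): string
{
    return isset($_REQUEST[$name]) ? (string)$_REQUEST[$name] : $default;
}

// Vulnerable pattern (mirrors graph.php): the filter inspects one array,
// the query is built from another. Returns null when the filter rejects.
function vulnerable_where(): ?string
{
    if (!preg_match('/^([0-9]+|all)$/', get_request_var('rra_id'))) {
        return null;
    }
    // $_GET['rra_id'] was never looked at by the filter above.
    return $_GET['rra_id'] === 'all'
        ? ' where id is not null'
        : ' where id=' . $_GET['rra_id'];
}

// Hardened pattern: read the value once from the array you will use,
// validate that same value, and build the query only from it. The integer
// cast is belt-and-braces; a prepared statement would be better still.
function hardened_where(): ?string
{
    $rra_id = isset($_GET['rra_id']) ? (string)$_GET['rra_id'] : '';
    if (!preg_match('/^([0-9]+|all)$/', $rra_id)) {
        return null;
    }
    return $rra_id === 'all'
        ? ' where id is not null'
        : ' where id=' . (int)$rra_id;
}

// Constructed request: GET carries a value that should fail the filter,
// POST carries one that satisfies it.
$_GET     = ['rra_id' => 'not-a-number'];
$_POST    = ['rra_id' => '1'];
$_COOKIE  = [];
$_REQUEST = build_request($_GET, $_POST, $_COOKIE);

var_dump(get_request_var('rra_id')); // "1": the filter only ever sees the POST value
var_dump(vulnerable_where());        // " where id=not-a-number": unvalidated GET value reaches the SQL
var_dump(hardened_where());          // NULL: the same request is rejected
```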

Roll your own High-Entropy (Hardware) Randomness Generator

High-Entropy Randomness Generator


In this paper, we explain how to construct a High-Entropy Randomness Generator, suitable for a wide range of applications, including extremely demanding ones. We will explain and then use some key theoretical ideas:

* We start with a raw input, typically from a good-quality sound card.
* We obtain a reliable lower bound on the raw input’s entropy density (as defined in appendix A). This is calculated based on physics principles plus a few easily-measured macroscopic properties of the sound card. (This stands in stark contrast to other approaches, which obtain a loose upper bound based on statistical tests on the data.)
* We make use of the hash saturation principle, as discussed in section 3.2. The resulting output has essentially 100% entropy density. This is provably correct under mild assumptions.
* We use no secret internal state and therefore require no seed.
* We do not depend on assumptions about “one-way functions”.

We have implemented a generator using these principles. The result is what most people would call a True Random Number Generator. Salient engineering features include:

* It costs next to nothing. It uses the thermal fluctuations intrinsic to the computer’s audio I/O system.
* It emphatically does not depend on imperfections in the audio I/O system. Indeed, high-quality sound cards are much more suitable than low-quality ones. It relies on fundamental physics, plus the most basic, well-characterized properties of the audio system: gain and bandwidth.
* It can produce thousands of bytes per second of output.
* Remarkably little CPU time is required.
* It includes optional integrity-monitoring and tamper-resistance capabilities.


Flashback: More on PHP Security

I dug this out for additional evidence of how PHP gives programmers too much rope to hang themselves, not unlike C.

-J


-----Original Message-----
From: David Wheeler [mailto:[email protected]]
Sent: Wednesday, August 08, 2001 2:06 PM
To: me
Subject: PHP

Ben Ford said:

>>Don't call it a weakness of the language, call it by its true name:
>> Lazy Programming.

If this was a common problem in other languages, I might agree with you.
But it's not. Essentially all other computer languages do _NOT_ let
attackers set the state of arbitrary program variables to arbitrary
values, and then require programmers to constantly reset
values if they'd like to prevent attackers from controlling them.

I'm not saying that PHP is some horrible, unfixable language.
I've posted to PHP-DEV a relatively simple set of changes that would
make it possible to eliminate the problem, and others have proposed
other approaches. And those who can control their PHP configuration can
obviously do so and eliminate the problem right now for their
applications.

Yes, you can write secure applications in PHP. But it requires
herculean effort. It's "obvious" when the application is small
that some variable needs to be unset, that's true, assuming you know to
look.
But once you call functions, you have to have global knowledge of all
global values that the function uses, including the complete transitive
closure of all functions it calls directly & indirectly -- and that
INCLUDES the implementation of the library functions you call. And you have to
redo the analysis when you use a new version of PHP. You could argue
that all PHP developers do this... but I wouldn't believe you.

It's certainly true that all languages have "gotchas".
This one is larger than most (in my opinion), though. And we should be
striving in our computer languages to make it easy, not hard, to write
secure programs.

If some application can be used securely in theory, but its user
interface is so hard to use that it cannot PRACTICALLY be used securely,
then it's still insecure. I argue that the same is true for programming languages.
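The behaviour the e-mail above argues about, PHP's register_globals (named explicitly in the later "Is PHP the new C?" post), as an added example that is not from the e-mail or from PHP itself: register_globals cannot be switched on at runtime, so a small loop over a constructed $_GET stands in for it, and user_is_admin() is a hypothetical stand-in for a real authentication check.

```php
<?php
// Added example: models register_globals, where every request parameter
// becomes a global variable, and the uninitialised-variable bug it enables.
// $_GET is filled by hand because this runs from the command line.

declare(strict_types=1);

// Stand-in for register_globals: copies request parameters into globals.
function register_globals_like(array $request): void
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Hypothetical authentication check, constructed for the example.
function user_is_admin(string $user): bool
{
    return $user === 'admin';
}

// Vulnerable: $authorized lives at file scope (as in a top-level script) and
// is only assigned on the success path, so whatever the request pre-set wins.
function vulnerable_check(string $user): bool
{
    global $authorized;
    if (user_is_admin($user)) {
        $authorized = true;
    }
    return (bool)$authorized;
}

// Hardened: a local variable, always initialised, never read from globals.
// Input is read explicitly from the request arrays when it is needed.
function hardened_check(string $user): bool
{
    $authorized = false;
    if (user_is_admin($user)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed request from an unauthenticated visitor who appends
// ?authorized=1 to the URL.
$_GET = ['authorized' => '1'];
register_globals_like($_GET);

var_dump(vulnerable_check('guest')); // bool(true): the request parameter set $authorized
var_dump(hardened_check('guest'));   // bool(false)
```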


Study: Correlation between more sex and more happiness

Planned Parenthood Federation of America, Inc. - Sex And Happiness: What's The Connection?

If I had to choose, I'd choose more sex over wealth even before reading about this study :-)


In a recent preliminary and unpublished study, "Money, Sex, and Happiness," researchers from Dartmouth College and Warwick University (UK) found that people who consider themselves happiest are those who are having the most sex. The study does not claim that having sex causes happiness or vice versa. But of the 16,000 people in the research sample, happiness was associated with sex for both women and men and people under and over the age of 40. And despite the notion that money can buy happiness, researchers found little — if any — connection between increased wealth and long-term happiness.


Federal Judge Rules Pledge Unconstitutional

http://www.npr.org/templates/story/story.php?storyId=4847626&ft=1&f=1001


U.S. District Judge Lawrence Karlton ruled that the pledge's reference to one nation "under God" violates school children's right to be "free from a coercive requirement to affirm God."


Just take the freaking words "under God" out of the pledge that weren't there to begin with and the problem goes away!

Is PHP the new C?

I've been wondering lately whether PHP is much like C from a security perspective, in that whether an application written in PHP is secure depends on tribal knowledge about "what not to do" with the basic language. Another way to say this is that, like C, PHP gives you plenty of rope to hang yourself if you don't know what you are doing. That is unfortunate for a language that should be safer by default for use by UI programmers.

This posting from Andrew van der Stock brings up some specific issues with the PHP language that could really help improve security in the same way that GCC compiler warnings when using insecure functions help with awareness.


-----Original Message-----
From: Andrew van der Stock [mailto:[email protected]]
Sent: Friday, June 24, 2005 10:07 PM
To: Benjamin Livshits
Cc: [email protected]
Subject: Re: Languages/platforms used for Web apps. Any stats?

I don't know of any stats, but if anyone was to make a study, that's
where I'd focus on.

However, saying that:

* I review J2EE finance apps used in very large institutions. I find
plenty of problems which need fixing
* I look after a PHP forum, which definitely could improve
* In my previous job, the most vulnerable app I ever reviewed was
written in ASP in VBScript

I don't think the language has much to do with it beyond basic security
posture. PHP could do a lot to redress the problems, for example, by:

* making echo do htmlentities by default, and having a special echo /
print which doesn't in case you really meant to spit out HTML
* deprecating the old function based MySQL drivers (ie warnings when
E_ALL is used) in favor of the MySQLi drivers or PDO which have prepared
statements
* in the next version of PHP, remove support for register_globals and
make url_fopen permanently false
* Remove implicit declarations and add optional strong typing which
really means it

The basic security posture of PHP has been improving, but honestly, it
really depends on the quality of the coders and if they are aware of the
security options open to them. The other thing is that there is a lot of
PHP code out there written in the PHP 3 days which sorta runs okay on
PHP 4 and 5, which shouldn't. PHP 3 really was a security nightmare -
everything in the interpreter was set to be the most insecure possible
posture with maximal attack surface area.


Does voting machine technology affect the outcome of elections?

Some interesting results found in a study of 2000-2004 election data.


We first show that there is a positive correlation between use of touch-screen voting and the level of electoral support for George Bush. This is true in models that compare the 2000-2004 changes in vote shares between adopting and nonadopting counties within a state, after controlling for income, demographic composition, and other factors. Although small, the effect could have been large enough to influence the final results in some closely contested states.


They also found:


Touch-screen voting could also indirectly affect vote shares by influencing the relative turnout of different groups. We find that the adoption of touch-screen voting has a negative effect on estimated turnout rates, controlling for state effects and a variety of county-level controls.


Fixes to the PATRIOT act seen as sufficient to address concerns

Appropriate rational commentary on the specifics that need to be changed about the PATRIOT act to address privacy and governmental power and oversight issues.



The Wall Street Journal


November 12, 2004

COMMENTARY


Patriot Fixes

By BOB BARR
November 12, 2004; Page A12


The most common charge levied against critics of the Patriot Act -- one
that Alberto Gonzales, the new face of Justice, is likely to repeat in
his days ahead -- is that they're "misinformed." Well, as a former U.S.
attorney appointed by President Reagan, a former CIA lawyer and analyst,
and a former Congressman who sat on the Judiciary Committee, I can go
mano a mano with any law-enforcement or intelligence official on the
facts. And the facts say that the Patriot Act needs to be reviewed and
refined by Congress.

Critics of the Act are not calling for full repeal. Only about a dozen
of the 150 provisions need to be reformed; these, however, do pose
singular threats to civil liberties. Here's how to bring them back in
line with the Constitution.

The two most significant problems are sections 213 and 215. The first
authorized the use of delayed-notification search warrants, which allow
the police to search and seize property from homes and businesses
without contemporaneously telling the occupants. The Justice Department
often claims that this new statutory "sneak and peek" power is
innocuous, because the use of such warrants was commonplace before.
Actually, the Patriot Act's sneak and peek authority is a whole new
creature. Before, law enforcement certainly engaged in
delayed-notification searches, especially in drug investigations.
Importantly, this authority was available in terrorism investigations.
Courts, however, put specific checks on these
warrants: They could only be authorized when notice would threaten life
or safety (including witness intimidation), endanger evidence, or incite
flight from prosecution. It was a limited and extraordinary power.

The Patriot Act greatly expanded potential justifications for delay. The
criminal code now allows secret search warrants whenever notice would
"jeopardize" an investigation or "delay" a trial -- extremely broad
rationales. The exception has become the rule. Congress should remove
that catch-all justification and impose strict monitoring on the use of
these secret warrants.

The other primary problem is the "library records" provision, Section
215. This amended a minor section of the 1978 Foreign Intelligence
Surveillance Act, which created a specialized court for the review of
spy-hunting surveillance and search requests. This "business records"
section allowed agents to seize personal records held by certain types
of third-parties, including common carriers and vehicle rental
companies. The Patriot Act made two changes to this relatively limited
power: It allowed the seizure of any "tangible thing" from any
third-party record holder (including medical, library, travel and
genetic records); and it removed the particularized suspicion required
in the original statute.

Pre-2001, investigators had to show "specific and articulable facts" --
a standard much lower than criminal probable cause -- that a target was
a spy or terrorist. Now, that already low standard has been lowered
further. Agents simply certify to the intelligence court that the records desired
are relevant to an investigation -- any investigation -- and the judge
has no real authority to question that assertion, rendering judicial
review meaningless.

Reformers on the left and right want two fixes to this section. First,
reinstall the individualized suspicion requirement. This reflects the
Fourth Amendment notion that the government cannot invade privacy and
gather evidence unless it has reasonable suspicion that one has done
wrong. The proposed "fix" would retain the section's broad "tangible things"
scope, but with a safeguard against abuse. The authorities would still
be able to go to a criminal grand jury to demand the production of the
same records, providing additional flexibility for counterterrorism
work. Second, Congress should require additional reporting requirements.

There are other refinements desired by the Act's critics. The new
definition of domestic terrorism in Section 802 can be used by
prosecutors to turn on an array of invasive new authorities, including
broad asset-forfeiture powers, even when the underlying crime does not
rise to the level of "terrorism." The preferred legislative reform keeps
the definition, but links it to specific crimes like assassination or
kidnapping.

Reasonable critics of the expansive provisions of the Patriot Act, on
both sides of the aisle and in both Houses, have introduced legislation
that would implement these modest changes. Far from gutting the Act,
these would secure the important powers of the law, but place modest
limits on their use. For most of us who voted for the Act, what sealed
the deal was the inclusion of provisions that would require us to take a
sober second look at the most contentious provisions in the Act by the
end of 2005, before reauthorizing them. That time is coming, and the
Justice Department does not want to lose the emergency powers it won in
the aftermath of 9/11. But Congress should resist its overtures, move
forward on the sunsets, and enact additional Patriot fixes if it
believes them needed.

Mr. Barr is a former Republican congressman.


Study: Motivations for global terrorism over the past 25 years

This is not so much about Islam vs. Christianity (although I think a lot of wacky Christians are still making this case). Courtesy of Bruce Schneier.


An absolutely fascinating interview with Robert Pape, a University of Chicago professor who has studied every suicide terrorist attack since 1980. "The central fact is that overwhelmingly suicide-terrorist attacks are not driven by religion as much as they are by a clear strategic objective: to compel modern democracies to withdraw military forces from the territory that the terrorists view as their homeland."






Another reason to cancel your Time magazine subscription

First Ann Coulter on the cover of Time, now a so-called-news story on religion vs. science (which is a false dichotomy IMHO)

"Welcome to Jesusland" Part Deux...

The United States of Almighty-God

Ugh.

Another state to avoid: Kansas

Close to adopting "intelligent design" in Kansas. They're joining Pennsylvania. FYI, there was an update on NPR from Oct 21 about the Pennsylvania case. It may be good that this is not a jury trial. The defense is now bringing on their witnesses about the merits of the "theory" of intelligent design. At least the science teachers at the schools in question had refused to read the ridiculous statement about intelligent design being another "theory" that is out there.

Also good news: 8 of the 9 school board members are up for reelection. More reason to vote in PA so you can vote these people out who pushed ID BS into schools.

http://www.npr.org/templates/story/story.php?storyId=4795205&sourceCode=RSS


A move to adopt guidelines encouraging Kansas schools to teach an alternative to the theory of evolution -- intelligent design -- gains momentum. The Kansas Board of Education has approved a draft of new science standards proposed by supporters of intelligent design. Approval is expected in October.


Acceptable Risk as a euphemism for shifting fraud liability to the consumer

Financial Cryptography: "Acceptable Risk" - a Euphemism for Selling Fraud?

This is a post from a while back but is still relevant to recent discussions about how the financial industry is still shifting the burden of identity theft and fraud to the customers. Bruce Schneier just wrote about this in regards to phishing in the most recent edition of Crypto-Gram as well.


The "acceptable risk" concept [writes guest financial cryptographer Ed Gerck] that appears in recent threads has been for a long time a euphemism for that business model that shifts the burden of fraud to the customer.

The dirty little secret of the credit card industry is that they are very happy with 10% of credit card fraud, over the Internet or not.

In fact, if they would reduce fraud to zero today, their revenue would decrease as well as their profits. So, there is really no incentive to reduce fraud. On the contrary, keeping the status quo is just fine.


Everything you wanted to know and more on: Teleportation

Teleportation -- Facts, Info, and Encyclopedia article


Teleportation, or teletransportation, is the process of moving objects (or more likely with present techniques, elementary particles) from one place to another by encoding information about the object, transmitting the information to another place, such as on a radio signal, and creating a copy of the original object in the new location. The notion of teleportation was first conceived in the course of the Golden Age of 20th century science fiction literature by authors who considered necessary a form of on-the-spot intangible conveyance tools to hold up the narratives of their tales.


Top 5 Spam Categories

Security Scoop - NSI Watercooler Stories - BankInfoSecurity.com

This seems consistent with what I've seen in spam that comes into axley.net. Spammers and scammers are the scourge.


Top 5 Spam Categories Named
Drum roll please … it’s time to reveal the top five categories of junk e-mail, as tracked by security firm Sophos. The big winner for 2005 so far is medication/pills, which accounts for 41.4% of all spam reports. Next are mortgage offers, which clocked in with 11.1%. That old favorite pornography took the third spot, with 9.5%. Stock scams are growing fast, Sophos says, accounting for 8.5% of all spam thus far this year. In fifth were product-related spam messages, with 8.3%. The remaining 21.2% fall into the “other” category.


Restrictions placed on FBI cellular tracking

FBI Dealt Setback on Cellular Surveillance

Finally, some restraint on the use of PATRIOT Act powers, especially in light of the recent FOIA documents EPIC obtained that show abuses by law enforcement.


The FBI may not track the locations of cell phone users without showing evidence that a crime occurred or is in progress, two federal judges ruled, saying that to do so would violate long-established privacy protections.


Biometrics in ATMs?

InformationWeek: Privacy Concerns, Expense Keep Biometrics Out Of U.S. ATMs (October 12, 2005)

This article is chock full of fun things to comment on.


Ricardo Prieto, who was vice president for system operations at BanCafe when the system was installed, said that at first ATMs failed to recognize fingerprints on the well-worn hands of some elderly customers and laborers such as construction workers.

He said the ATM imaging was improved, and the number of customers whose fingerprints couldn't be read fell from 30 percent to 8 percent.


Wow, that is great progress! Now for a large bank, only 2 million instead of 7.5 million customers will not be able to use my bank's ATMs! Where do I sign?


"Biometrics is certainly the most secure form of authentication," said Avivah Litan, an analyst with Gartner Inc., a Stamford, Conn.-based technology analysis firm. "It's the hardest to imitate and duplicate."


She's right that it is very difficult to "imitate and duplicate" biometrics in ways that could fool sensors.

However, I would argue that biometrics are not the most secure form of authentication. Smart cards and tokens are also hard to imitate and duplicate, and duplication isn't even the threat model to worry about in general, because in practice nobody uses any of these as the only factor. They are used as part of a two-factor authentication system, which is a much more secure form. For some bizarre reason, the biometric holy-grail folks (mostly vendors, I imagine) think that biometrics don't need a second factor. Additionally, there are a nonzero False Acceptance Rate and False Rejection Rate (as noted beautifully above) that make biometrics fail in many real-world scenarios. Smart cards don't have that problem.


"The real holy grail in biometrics," said Jim Block, Diebold's director of global advanced technology, "is let's get rid of the PIN so no one has anything to steal anymore."


Let's think about that for a minute. Let's ignore for a moment that this came from Diebold, a foremost authority in voting security. He claims that without a PIN, there would be nothing to steal anymore. Really?

Actually, having a PIN or another second factor can help to thwart these kinds of "steal the biometric" attacks since the biometric by itself is rendered useless. It certainly won't eliminate the threat, but I think it would reduce the likelihood that someone would violently extract the biometric to steal something since they need you alive anyhow to get the PIN or password.
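
The false-accept / false-reject trade-off the post is complaining about, as an added example (not code from the InformationWeek article or from this post): a threshold-based matcher scored against constructed genuine and impostor attempts. The score lists are invented for illustration and are not measurements from any real sensor. The point the numbers make is that no threshold gives FAR and FRR of zero at the same time, and driving FAR to zero pushes the reject rate for legitimate customers up, which is exactly why a second factor belongs next to the biometric.

```python
"""FAR/FRR trade-off of a threshold-based biometric matcher (added example, constructed data)."""
from typing import Iterable, List, Tuple

# Constructed similarity scores on a 0..100 scale (higher = closer to the enrolled template).
# Invented for illustration; not data from any real fingerprint reader.
GENUINE_SCORES: List[int] = [92, 88, 85, 81, 79, 77, 74, 70, 66, 61]    # enrolled user, 10 tries
IMPOSTOR_SCORES: List[int] = [55, 58, 60, 63, 65, 67, 69, 72, 75, 80]   # other people, 10 tries


def far_frr(genuine: Iterable[int], impostor: Iterable[int], threshold: int) -> Tuple[float, float]:
    """Accept a sample iff score >= threshold; return (FAR, FRR) at that threshold.

    FAR = fraction of impostor attempts accepted (the security failure).
    FRR = fraction of genuine attempts rejected (the usability failure: the 8% in the article).
    """
    genuine, impostor = list(genuine), list(impostor)
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def equal_error_point(genuine: Iterable[int], impostor: Iterable[int]) -> Tuple[int, float, float]:
    """Scan integer thresholds; return (threshold, FAR, FRR) where |FAR - FRR| is smallest.

    The lowest such threshold wins. This is the 'equal error rate' operating point that
    vendors usually quote, and it is never (0, 0) for overlapping score distributions.
    """
    genuine, impostor = list(genuine), list(impostor)
    best = None
    for t in range(0, 101):
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    return best[1], best[2], best[3]


def zero_far_cost(genuine: Iterable[int], impostor: Iterable[int]) -> Tuple[int, float]:
    """Lowest threshold at which FAR is exactly 0, and the FRR paid for it."""
    genuine, impostor = list(genuine), list(impostor)
    for t in range(0, 102):                      # 101 is above every score, so FAR hits 0 by then
        far, frr = far_frr(genuine, impostor, t)
        if far == 0.0:
            return t, frr
    raise AssertionError("unreachable: a threshold above every score always gives FAR 0")


if __name__ == "__main__":
    t, far, frr = equal_error_point(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER point: threshold={t} FAR={far:.2f} FRR={frr:.2f}")
    t0, frr0 = zero_far_cost(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"FAR=0 needs threshold>={t0}, which rejects {frr0:.0%} of genuine attempts")
```

With the constructed scores the equal-error point sits at threshold 71 with FAR and FRR both at 30%, and the first threshold that shuts out every impostor (81) turns away 60% of the legitimate user's own attempts. A PIN does not move these numbers; it means a false accept alone is no longer enough to get money out.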

Saturday, October 29, 2005

This Old Porn

Wired News: This Old Porn Is New Again

RetroRaunch maintains a collection of more than 40,000 images of vintage erotica. Keepin' it retro.

Friday, October 28, 2005

Keeping eyes on the prize

Daily Kos: Rove's Lawyer Confirms Rove Remains Under Investigation

Hunter is right on. The investigation is still ongoing and ultimately, this country needs to get to the bottom of the core issue of the Valerie Plame leak, which compromised her safety and national security apparently for political purposes.

And a big "FU" in advance to any in the punditocracy who are preparing to write these charges off as something insignificant. It wasn't insignificant during Watergate.


Whether or not Rove is ever charged with anything is less important than simply finding out the facts of what happened in the White House to lead multiple senior officials, Rove and Libby apparently foremost among them, on a press spree outing a NOC agent to at least six Washington journalists.


Friday, October 21, 2005

Must-have Firefox Extensions

I thought it would be good to document the Firefox extensions that I find invaluable:

All-In-One Sidebar
A much nicer integration of common configuration options with the FF GUI at the ready. Also, lets you load up two different pages side-by-side or the source code to a page right next to the site, etc.

Download Statusbar
I find the separate Firefox download manager dialog box kind of annoying. This extension shows all download progress right in the statusbar so you don't have to watch multiple windows to track download progress.

FlashGot
This integrates Firefox with any currently-installed download manager to quickly perform mass downloads on pages with a nice right-click context menu.

NoScript
This is a must-have for security. NoScript allows you to set fine-grained policy on which sites you permanently or temporarily allow to run JavaScript. You can also use it to block Macromedia Flash, but I prefer the Objection extension instead to manage the Local Shared Objects.

Scribe
Lets you save long form textbox entries locally so that you don't lose them before you submit them. Very handy for blogging or submitting tech support or forum posts and being safe from the "back button" or your browser crashing and losing your posts. No more need to edit in Vi or Notepad and then paste into the site!

Objection
Allows you to control Macromedia Flash cookies from the privacy settings window.

On Windows:

IE View
Adds a new right-click context menu item that will let you easily launch those pesky IE-only websites that don't show up in Firefox. Yes, there still are some of those around, unfortunately. Hopefully the launch of IE7 will force many to clean up their sites to the latest standards.

Tuesday, October 11, 2005

Rant on Oracle just not "getting it"

Funny and entertaining and sad rant about Oracle's inability to do security in stark contrast to public claims by their CSO, marketing, etc.

This has inspired others to note how there are some Oracle vulnerabilities that have been open for 768 days!! among other comments. Oracle even tried to put the cat back in the bag on some other disclosed vulnerabilities recently. They just don't get it. I'm wondering if Larry Ellison were in Bill Gates's place just how much worse off the Internet and world would be from a security perspective.


---------- Forwarded message ----------
From: David Litchfield
To: [email protected], [email protected]
Date: Thu, 6 Jan 2005 16:01:26 -0000
Subject: Opinion: Complete failure of Oracle security response and utter neglect
of their responsibility to their customers

Dear security community and Oracle users,

Many of my customers run Oracle. Much of the U.K. Critical National
Infrastructure relies on Oracle; indeed this is true for many other
countries as well. I know that there's a lot of private information
about me stored in Oracle databases out there. I have good reason,
like most of us, to be concerned about Oracle security; I want Oracle
to be secure because, in a very real way, it helps maintain my own
personal security. As such, I am writing this open letter

Extract from interview between Mary Ann Davidson and IDG
http://www.infoworld.com/article/05/05/24/HNoraclesecurityhed_1.html

IDGNS: "What other advice do you have for customers on security?"

Davidson: "Push your vendor to tell you how they build their software
and ask them if they train people on secure coding practices. "

Now some context has been put in place I can continue.

On the 31st of August 2004, Oracle released a security update (Alert
68 [ http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf ])
to address a large number of major security flaws in their database
server product. The patches had been a long time in coming
[ http://www.eweek.com/article2/0,1759,1637213,00.asp ] and we fully
expected that these patches would actually fix the problems but,
unfortunately this is not the case. To date, these flaws are still not
fixed and are still fully exploitable. I reported this to Oracle a
long time ago.

The real problem with this is not that the flaws Alert 68 supposedly
fixed are still exploitable, but rather the approach Oracle took in
attempting to fix these issues. One would expect that, given the
length of time they took to deliver, these security "fixes" would be
well considered and robust; fixes that actually resolve the security
holes. The truth of the matter though is that this is not the case.

Some of Oracle's "fixes" simply attempt to stop the example exploits I
sent them for reproduction purposes. In other words the actual flaw
was not addressed and with a slight modification to the exploit it
works again. This shows a slapdash approach with no real consideration
for fixing the actual problem itself.

As an example of this, Alert 68 attempts to fix some security holes in
some triggers; the flaws could allow a low privileged user to gain SYS
privileges - in other words gain full control of the database server.
The example exploit I sent to Oracle contained a space in it. Oracle's
fix was to ignore the user's request if the input had a space. What
Oracle somehow failed to see or grasp was that no space is needed in
the exploit. This fix suggests no more than a few minutes of thought
was given to the matter. Why did it take 8 months for this? Further,
how on earth did this get through QA? More, why are we still waiting
for a proper fix for this?

Here is another class of thoughtless "fix" implemented by Oracle in
Alert 68. Some Oracle PL/SQL procedures take an arbitrary SQL
statement as a parameter which is then executed. This can present a
security risk. Rather than securing these procedures properly Oracle
chose a security through obscurity mechanism. To be able to send the
SQL query and have it executed one needs to know a passphrase. This
passphrase is hardcoded in the procedure and can be extracted with
ease. So all an attacker needs to do now is send the passphrase and
their arbitrary SQL will still be executed.

In other cases Oracle have simply dropped the old procedures and added
new ones - with the same vulnerable code!

I ask again, why does it take two years to write fixes like this?
Perhaps the fixes take this long because Oracle pore through their
code looking for similar flaws? Does the evidence bear this out? No -
it doesn't. In those cases where a flaw was fixed properly, we find
the same flaw a few lines further down in the code. The DRILOAD
package "fixed" in Alert 68 is an example of this; and this is not an
isolated case. This is systemic. Code for objects in the SYS, MDSYS,
CTXSYS and WKSYS schemas all have flaws within close range of "fixed"
problems. These should have been spotted and fixed at the time.

I reported these broken fixes to Oracle in February 2005. It is now
October 2005 and there is still no word of when the "real" fixes are
going to be delivered. In all of this time Oracle database servers
have been easy to crack - a fact Oracle are surely aware of.

What about the patches since Alert 68 - the quarterly Critical Patch
Updates? Unfortunately it is the same story. Bugs that should have
been spotted left in the code, brand new bugs being introduced and old
ones reappearing.

This is simply NOT GOOD ENOUGH. As I stated at the beginning of this
letter, I'm concerned about Oracle security because it impinges upon
me and my own personal security.

What is apparent is that Oracle has no decent bug
discovery/fix/response process; no QA, no understanding of the
threats; no proactive program of finding and fixing flaws. Is anyone
in control over at Oracle HQ?

A good CSO needs to be more than just a mouthpiece. They need to be able
to deliver and execute an effective security strategy that actually
deals with problems rather than sweeping them under the carpet or
wasting time by blaming others for their own failings. Oracle's CSO has
had five years to make improvements to the security of their products
and their security response but in this time I have seen none. It is
my belief that the CSO has categorically failed. Oracle security has
stagnated under her leadership and it's time for change.

I urge Oracle customers to get on the phone, send an email, demand a
better security response; demand to see an improvement in quality.
It's important that Oracle get it right. Our national security depends
on it; our companies depend on it; and we all, as individuals depend
on it.

Cheers,
David Litchfield
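
The letter's complaint about a patch that "ignores the user's request if the input had a space" is a pattern worth seeing in code. What follows is an added example, not Oracle's code and not Litchfield's exploit: a toy "reject if it contains a space" filter, the separators every SQL tokenizer treats as whitespace, and an allow-list check of the kind that actually fixes a procedure that only ever needs an object name. SQLite stands in for the database here because it runs offline; the identifier regex below (30 characters, letters/digits/_/$/#) is my assumption about a bare Oracle-style name, not something the letter states.

```python
"""Why 'reject input containing a space' is not a fix (added example; SQLite stands in for the
database, and none of this is Oracle's code or the exploit described in the letter)."""
import re
import sqlite3
from typing import Dict, List, Optional, Tuple

# Separators that SQL tokenizers treat exactly like a space. An attacker whose statement
# needs a space simply uses one of these instead, so a space blacklist buys nothing.
SPACE_EQUIVALENTS = ("\t", "\n", "/**/")


def naive_space_filter(sql: str) -> bool:
    """The kind of patch the letter describes: the request is allowed unless it contains ' '."""
    return " " not in sql


def whitespace_free_variants(stmt: str) -> List[str]:
    """Rewrite every space in stmt into each alternative separator."""
    return [stmt.replace(" ", sep) for sep in SPACE_EQUIVALENTS]


def executes(sql: str) -> Optional[Tuple]:
    """Run sql against a throwaway in-memory SQLite database; first row, or None if it fails to parse."""
    con = sqlite3.connect(":memory:")
    try:
        return con.execute(sql).fetchone()
    except sqlite3.Error:
        return None
    finally:
        con.close()


# Assumed shape of a bare, unquoted Oracle-style object name (my assumption for this example).
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_$#]{0,29}")


def strict_identifier(value: str) -> bool:
    """Allow-list check: accept only something shaped like an object name, never free-form SQL.

    This is the root-cause style of fix: decide what the parameter is allowed to be and
    refuse everything else, instead of hunting for one character the sample exploit used.
    """
    return IDENTIFIER.fullmatch(value) is not None


def demo() -> Dict[str, Tuple[bool, Optional[Tuple]]]:
    """For the statement 'SELECT 41 + 1': does the naive filter pass it, and does it still run?"""
    original = "SELECT 41 + 1"
    results = {repr(original): (naive_space_filter(original), executes(original))}
    for variant in whitespace_free_variants(original):
        results[repr(variant)] = (naive_space_filter(variant), executes(variant))
    return results


if __name__ == "__main__":
    for stmt, (passed_filter, row) in demo().items():
        print(f"{stmt:<32} filter passes={passed_filter!s:<5} executes -> {row}")
```

The original statement is the only one the space filter blocks; the tab, newline and `/**/` rewrites sail through it and still evaluate to 42. The allow-list check rejects all four, because none of them looks like a name.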


RIAA: The New Mafia?

[infowarrior] - RIAA Takes Shotgun to Traders


Hundreds of people are being wrongly sued by the Recording Industry Association of America for illegally trading music online, legal experts say.

Attorneys representing some of the 14,000 people targeted for illegal music trading say their clients are being bullied into settling as the cheapest way to get out of trouble. Collection agencies posing as "settlement centers" are harassing their clients to pay thousands of dollars for claims about which they know nothing, they say.

Last week a judge in Michigan dismissed a file-sharing case against Candy Chan, a mother who testified in court that the user name identified in the suit belonged to one of her children.

In the court report (.pdf), Judge Lawrence P. Zatkoff wrote: "Chan opposed the motion and asserted that the plaintiffs used a 'shotgun' approach to pursue this action, threatening to sue all of Chan's children and engaging in abusive behavior to attempt to utilize the court as a collection agency."


Clickfest

Google Maps + Craigslist = Housing Maps
http://www.housingmaps.com/

New Washington State Quarter designs. I think that we should use the state quarter designs to vote states out of the union. I'd say that if you put your best on a quarter and all you can come up with is lame crap like "Birthplace of Aviation Pioneers" (as if one resident's coincidental occupancy in your state somehow is noteworthy) then perhaps we don't need you in the union. That said, Washington's proposals are pretty tame. I do like Salmon, the mountains, and apples. Although we are one of the up-and-coming wine regions so perhaps they should pick that instead?
http://www.cnn.com/2005/POLITICS/09/30/bennett.comments/index.html?section=cnn_topstories

Here's some state quarter commentary:
http://www.uwgb.edu/dutchs/PSEUDOSC/Mediocracy0.HTM

And pictures of all current state quarters:
http://en.wikipedia.org/wiki/State_Quarters#External_links

PDA + wi-fi + "borrowed connection" + VOIP software = free cell phone.
http://www.techbuilder.org/recipes/59200427

New Age quotes a coworker is collecting (aka New Age "Wisdom")
http://www.peterga.com/quotes/newage.htm

Now this is a cool looking device. I would like to do something like this in my house to join network + audio sources. I think that a box running MythTV would be cheaper and better though:
http://www.sonos.com/us/index.htm


The New New Creationism: Intelligent Design

Several notes on this Intelligent Design crap driving us toward another Scopes trial.

Evolution Lawsuit Opens in Pennsylvania

Former US President Jimmy Carter, an evangelical Christian:

"As a Christian, a trained engineer and scientist, and a professor at Emory University, I am embarrassed by Superintendent Kathy Cox's [Georgia Public Schools] attempt to censor and distort the education of Georgia's students. The existing and long-standing use of the word 'evolution' in our state's textbooks has not adversely affected Georgians' belief in the omnipotence of God as creator of the universe."


The President continues, with my favorite part of his statements. This is exactly what doesn't make sense about the ID and creationist nuts. There is no incompatibility between science and the general tenets of faith. Perhaps there are some issues raised with the strict Biblical account, but add them to the huge list already out there that still does not shake most people's faith, as they often pick and choose what to take at face value, what to interpret, what to believe, what is an allegory, etc. anyhow. If you believe that the natural world was created by God for you, then why would you go to great lengths to distort our experience and understanding of the natural world, when the only tool we have for understanding it is the lens of science?


"There can be no incompatibility between Christian faith and proven facts concerning geology, biology, and astronomy. There is no need to teach that stars can fall out of the sky and land on a flat Earth in order to defend our religious faith."


"They're blinding you with NOT science" - Lewis Black on Intelligent Design

I just finished reading Science Friction (ISBN 0-8050-7708-1), which has several essays discussing the interplay between religion and science. Chapters 8 and 11 dive into a lot of the fray, and Chapter 11 provides "ten arguments and ten answers" against ID which point out the absolute ridiculousness of their position(s). Oh, and the "What type of creationist are you?" piece is a great one if you run into any proclaimed creationists. There are at least 10 different positions on a continuum, so the answer is not binary as many creationists would have you believe and probably believe themselves.

"Open Sesame" opens "High tech" Cockpit doors

The Seattle Times: Business & Technology: Glitch forces fix to cockpit doors

Well, "Open Sesame" works if you say it through a nearby walkie-talkie:


For more than two years, U.S. airplane passengers have flown more securely because high-tech cockpit doors created a barrier to prevent a repeat of 9/11, when terrorists entered the cockpit and commandeered four planes.

But, the doors were not foolproof.

In December 2003, a Northwest Airlines maintenance mechanic inside an Airbus A330 jet on the ground in Minneapolis pushed the microphone button to talk into his handheld radio. Though he hadn't touched the cockpit door, he heard the sound of its lock operating.


So, other on-board avionics and electronics have to meet strict EMI standards to get on an airplane, but not the new cockpit doors??? Let me guess, the Bush Administration and Congress exempted this new equipment from typical safety and other regulations after 9-11 since those aren't important when there are terrorists out there?

Monday, October 10, 2005

Sharing an HP Printer via CUPS w/o a network printer driver

HP has several printers for which they provide huge driver downloads of 75-350 megabytes, but none of them come with a network INF installer (you can look in autorun.inf and see references to Drivers/Network, but those directories aren't there).

Two printers that I know have this problem are the:

HP PSC 750xi
HP PSC 1210xi

I run a Linux print server, so I want to connect the printers to the Linux box and share them out via IPP provided by CUPS. This requires some software gymnastics on Windows because the typical HP drivers expect the printer to be plugged directly into the local USB port, not served out over IPP. I saw similar problems reported by other HP users when they tried to use Windows printer sharing to remote computers on a network.

I have been able to get the latest 750xi driver to install on an IPP printer by pointing to the right INF file in the HP printer driver directory (c:\Program Files\Hewlett-Packard\AiO\hp psc 700 series) after installing the huge software package on the windows box. I never had to plug the printer into windows.

Now, the PSC 1210xi is another story. I had to download the 160 megabyte driver/software package from the HP website and install it as if I were installing the printer locally. However, I could not get any of the INF files to work.

The solution I found on the Internet is to locate this section in the Win98 INF file (hpoupdrx.inf) and comment out the line with a semicolon:

[ControlFlags]
;ExcludeFromSelect=*

That line is what prevents Windows from showing a list of compatible printers when you point it at this INF file.

Then, add your network printer and select Have Disk... for the driver. Navigate to c:\temp\HP All-in-One Series Web Release\enu\drivers\win9x_me and hpoupdrx.inf will show up. When you select it, a list of the printers supported by the driver appears; pick the right one and proceed, and Windows will be none the wiser.

This was installed on win2k without any problems.
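
The INF edit above done as a script, as an added example that is not HP's code or part of the original post. It comments out ExcludeFromSelect only inside the [ControlFlags] section, leaves every other byte (including the CRLF line endings) alone, and is safe to run twice. The SAMPLE_INF below is a constructed stand-in for hpoupdrx.inf, which is much larger. One caveat to expect: once the INF is edited it no longer matches HP's signed catalog file, so Windows may warn that the driver is not digitally signed when you install it.

```python
"""Un-hide the printer models in an HP-style .inf (added example, not HP's or the post's own code).

Comments out ExcludeFromSelect under [ControlFlags] and changes nothing else."""
from typing import List, Optional


def unhide_inf_models(inf_text: str) -> str:
    """Return inf_text with 'ExcludeFromSelect=...' under [ControlFlags] prefixed by ';'."""
    out: List[str] = []
    section: Optional[str] = None
    for line in inf_text.splitlines(keepends=True):
        body = line.strip()
        if body.startswith("[") and body.endswith("]"):
            section = body[1:-1].strip().lower()          # INF section names are case-insensitive
        elif section == "controlflags" and body and not body.startswith(";"):
            key = body.split("=", 1)[0].strip().lower()   # keys are case-insensitive too
            if key == "excludefromselect":
                # Keep the original indentation and line ending so a diff shows only the ';'.
                indent = line[: len(line) - len(line.lstrip())]
                line = indent + ";" + line.lstrip()
        out.append(line)
    return "".join(out)


def patch_inf_file(path: str) -> None:
    """Patch an INF in place. latin-1 round-trips any single-byte file unchanged and
    newline='' preserves CRLF; a UTF-16 INF would need decoding first (not handled here)."""
    with open(path, "r", encoding="latin-1", newline="") as f:
        text = f.read()
    with open(path, "w", encoding="latin-1", newline="") as f:
        f.write(unhide_inf_models(text))


# Constructed stand-in for hpoupdrx.inf; only the structure matters for this example.
SAMPLE_INF = (
    "[Version]\r\n"
    "Signature=\"$Windows 95$\"\r\n"
    "Class=Printer\r\n"
    "\r\n"
    "[ControlFlags]\r\n"
    "ExcludeFromSelect=*\r\n"
    "\r\n"
    "[Manufacturer]\r\n"
    "\"HP\"=HP\r\n"
)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        patch_inf_file(sys.argv[1])
        print(f"patched {sys.argv[1]}")
    else:
        print(unhide_inf_models(SAMPLE_INF), end="")
```

Run it with the path to hpoupdrx.inf to patch in place, or with no argument to see the constructed sample before and after. Keep a copy of the original INF; if you later reinstall HP's package the untouched file comes back and the models are hidden again.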

Friday, October 7, 2005

Is O'Reilly really this much of a dumbass?

O'Reilly compared Irish immigration to enslavement of African-Americans

O'Reilly actually says this. He started talking about his family's plight when the Irish famine was going on, "everybody was starving in Ireland. They had to leave the country, just as Africans had to leave -- African-Americans had to leave Africa and come over on a boat and try to make in the New World with nothing. Nothing."

Yes, you read that correctly. O'Reilly said that Africans came to America:


  1. On a boat ("slave ship" sounds too harsh?)

  2. Willingly (refer back to the "slave ship" note)

  3. Because they were "starving" (He must have meant when they were on the slave ships stacked one on top of the other like cords of wood)

  4. To look for a better life in America (Land of opportunity does not include "forced opportunity")

  5. and get this. According to Mr. Bill, it has worked out beautifully for them: They have "succeeded, succeeded. As did Italians, as did -- and I'll submit to you, African-Americans are succeeding as well. So all of these things can be overcome I think"



Yes, when the song "We shall overcome" is sung, it refers to the Great African famine.

Unbelievable

Can we pleeeze get some real journalists out there?

The Stakeholder: Cute, But No Cigar

The Washington Times takes cruft out of Tom DeLay's mouth and prints it without investigating whether what he was claiming was true or not. Of course it was an outright dissembling on DeLay's part. But what do you expect (both from WaPo and DeLay)?

New Book: Security and Usability

Usable Security: O’Reilly Book: Security and Usability

One of the research areas that I am very interested in:


O’Reilly has released Security and Usability: Designing Secure Systems That People Can Use, a collection of 34 essays on security and usability edited by Lorrie Cranor and Simson Garfinkel.


Tuesday, October 4, 2005

Wanker of the day: William Bennett

CNN.com - Bennett under fire for remarks on blacks, crime - Sep 30, 2005


Bennett, who held prominent posts in the administrations of former presidents Ronald Reagan and George Bush, told a caller to his syndicated radio talk show Wednesday: "If you wanted to reduce crime, you could -- if that were your sole purpose -- you could abort every black baby in this country and your crime rate would go down.


He claims that it was okay because it was a hypothetical and that he didn't literally mean that they should do this. So, he stands by his statement. He has gone on the defensive rather than admit that the remark was a bit out of the bounds of appropriateness.

Come on, if the Bush administration thinks its inappropriate, it must really be bad.