Wednesday, November 30, 2005

<strike>Security In Airlines</strike> Airline Insecurity

When people tried to evacuate during Hurricane Katrina, airline security prevented many from being able to leave before the airport had to be shut down. This is where a threat model would have helped make the right decision in the face of competing risks. And where "zero tolerance" policies really show how they are "zero thought" policies.

Hurricane Security and Airline Security Collide

And recently, if you thought that airline security was too strict, it is working. You should know it is only designed to make you _think_ that so that you will keep flying. If they really based it on a real threat model, you would have a very different traveling experience and stupid things like taking fingernail clippers and metal knives away, but allowing you to have full glass bottles of alcohol on planes would not happen. My cousin, who was in the army, recently said, "I'd like a terrorist to try to attack me with fingernail clippers." The implication was that he would kick their ass to a bloody pulp before they got anywhere because that is stupidity masquerading as a threat to airline security.

Here is what happens when a politician says The Emperor Has No Clothes. Good for him to speak the truth. The homeland security budget could be put to use protecting against real threats.

Real threats like the fact that our air traffic control systems have shitty security. It is so bad, they lack cyber security. Oooh.
FAA air-traffic systems lack cyberprotections, GAO finds

Stem cell research breakthrough -- in Korea

WorldNetDaily: Paraplegic breakthrough using adult stem cells

This is truly great news and will be even better if it holds up to peer review and brings about additional breakthroughs. It is proof positive of a couple of things:

  • The critical importance of stem cell research of all kinds for treating serious afflictions and diseases. The research here was done using adult stem cells, but embryonic stem cell research may hold even more promise for finding cures in general.
  • The fact that this breakthrough came from outside the US is a warning of the failure of the US policy on stem cell research and the republicans likening "stem cells" to abortion and creating a false stigma.

In an apparent major breakthrough, scientists in Korea report using umbilical cord blood stem cells to restore feeling and mobility to a spinal-cord injury patient.

The research, published in the peer-reviewed journal Cythotherapy, centered on a woman had been a paraplegic 19 years due to an accident.

After an infusion of umbilical cord blood stem cells, stunning results were recorded:

"The patient could move her hips and feel her hip skin on day 15 after transplantation. On day 25 after transplantation her feet responded to stimulation."

No City Official Left Behind

Local officials nearly fall for H2O hoax - Science -

They should also make sure that their hand isn't larger than their face or they might have cancer.

ALISO VIEJO, Calif. - City officials were so concerned about the potentially dangerous properties of dihydrogen monoxide that they considered banning foam cups after they learned the chemical was used in their production.

Then they learned, to their chagrin, that dihydrogen monoxide — H2O for short — is the scientific term for water.

Hollywood misleads the press on piracy statistics

Hollywood: Thousands Dead From File Sharing

Statements and statistics from the music, movie and software cartels are about as accurate as their claims that they're honest, hard-working companies with consumers' and performers' best interests at heart.

A couple of years back, the Big Four Organized Music family's RIAA said a raid against a New York counterfeit operation resulted in the equivalent of 421 CD burners being seized.

However, Bill Evans had been told the numbers was actually156.

Jon Newton

When he asked for an explanation for the discrepancy, "We stated that the raid was the equivalent of 421 burners, as we need to put these operations in perspective based on burning capacity and output, not the number of physical slots for the discs," RIAA (Recording Industry Association of America) truth adjustment specialist Amy Weiss said.

"Since they burn 4x burners - it is roughly 4xs the numbers of burners."

Good grief. There's more in the article. I don't believe that this is the first revelation of lying with statistics from this industry.

Judges order publishing of breathalyser source code

LiveAmmo Security Blog: Drunk drivers granted access to breathalyser source code

If only I was able to be granted the source code for the laser detector that incorrectly clocked me over the speed limit...

I like when judges don't treat technology as infallible. In my case, there was not any argument that could detract from the "evidence" , even the likely EMI!

Oh, and let's also demand the same for our voting machines!

"A panel of judges in the Florida county of Sarasota has granted a request by a group of over 150 citizens accused of drink-driving to view the source code of the breathalyser that was used to determine their breath alcohol levels.

Attorneys for the defendants had filed a motion to review the source code for the Intoxilyzer 5000 breathalyzer in October.

'The defendants have established that the source code is material to their theory of defense in these cases,' judges David Denkin, Kimberly Bonner and Judy Goldman wrote in their ruling dated 2 November.

Cardinal rebuffs "Intelligent Design"

Evolution in the bible, says Vatican - The Other Side - Breaking News 24/7 -

The vatican taking a modern position? Wow. This doesn't make up for their handling of the sex abuse scandals but it's a positive sign.

THE Vatican has issued a stout defence of Charles Darwin, voicing strong criticism of Christian fundamentalists who reject his theory of evolution and interpret the biblical account of creation literally.
Cardinal Paul Poupard, head of the Pontifical Council for Culture, said the Genesis description of how God created the universe and Darwin's theory of evolution were "perfectly compatible" if the Bible were read correctly.

Penn Jillette: "There Is No God"

NPR : There Is No God

Just in time for the holidays, a piece on what people believe that is not necessarily in the mainstream. A good reminder that not everyone believes the same as you do, especially among the "christian" religions.

Penn Jillette wrote an excellent piece for NPR's "This I Believe" series on why he is "beyond Atheism". Many religious people don't understand or simply don't believe that you can have morals without god but I think that Penn has a very simple model that explains how there are even possible advantages to the atheist moral world view:

Believing there's no God means I can't really be forgiven except by kindness and faulty memories. That's good; it makes me want to be more thoughtful. I have to try to treat people right the first time around.

He also discusses many other advantages to a godless world that are well worth reading, especially if you are religious; not because it should convince you to not be religious but because it can help you understand that it is just as legitimate a position as your religious position. And hopefully soften some of the anti-atheist views held by most of America.

High-tech Safecracking

This link wasn't working at the time of posting, but it is interesting to see how you can use infrared to determine a combination from a recently-used keypad. There must be some equipment that would cost less than $5000 that could do this? I'll have to check the local spy shop.

Richard Stallman "foils" RFID "security"

GNU project founder foils UN security

Glad my passport does not expire for many years to come. Perhaps by then passports won't have RFID tags in them any longer. But if they do, I guess this is an easy way to keep myself from being a target for a shoulder-fired missile overseas.

FOUNDER of the GNU project, Richard Stallman, got in trouble at the UN World Summit on the information society in Tunis for putting tin foil around his RF ID.

Serious flaws in wiretapping equipment

Signaling Vulnerabilities in Wiretapping Systems

Ahh, too bad I don't work for a telecom compnay anymore (actually, it is good). This might be fun to test out...

In a research paper appearing in the November/December 2005 issue of IEEE Security and Privacy, we analyzed publicly available information and materials to evaluate the reliability of the telephone wiretapping technologies used by US law enforcement agencies. The analysis found vulnerabilities in widely fielded interception technologies that are used for both "pen register" and "full audio" (Title III / FISA) taps. The vulnerabilities allow a party to a wiretapped call to disable content recording and call monitoring and to manipulate the logs of dialed digits and call activity. These countermeasures do not require cooperation with the called party, elaborate equipment, or special skill.

ISAKMP: The standard for incompatibility

Peter Gutman wrote a great summary of the lengths that many have to go to in order to get ISAKMP implementations to interoperate.

I had a hell of a time trying to get Windows 2000/XP IPSec to work with FreeS/WAN in the past. It was very difficult to debug what was going on and I resorted to using tools that translated FreeS/WAN configuration into Windows IPSec configuration so that I was sure that the settings were correct.

>On Sat, 19 Nov 2005, Peter Gutmann wrote:
>>- The remaining user base replaced it with on-demand access to network
>> engineers who come in and set up their hardware and/or software for
them and
>> hand-carry the keys from one endpoint to the other.
>> I guess that's one key management model that the designers never
>> anticipated... I wonder what a good name for this would be,
something better
>> than the obvious "sneakernet keying"?
>Actually this is a good thing.

Unless you're the one paying someone $200/hour for it.

>Separation of the key distribution channel from the flow of traffic
>under those keys. Making key distribution require human

Somehow I suspect that this (making it so unworkable that you have to
carry configuration data from A to B) wasn't the intention of the IKE
designers :-). It's not just the keying data though, it's all
information. One networking guy spent some time over dinner recently
describing how, when he has to set up an IPsec tunnel where the
aren't using completely identical hardware, he uses a hacked version of
OpenSWAN with extra diagnostics enabled to see what side A is sending in
IKE handshake, then configures side B to match what A wants. Once
done, he calls A and has a password/key read out over the phone to set
up for


"cybercrime" treaty is criminal

Fuzzy logic behind Bush's cybercrime treaty | Perspectives | CNET

the Convention on Cybercrime will endanger Americans' privacy and civil liberties--and place the FBI's massive surveillance apparatus at the disposal of nations with much less respect for individual liberties.

Well, it has "cyber" in its name so it must be good... This legislation sounds like a really bad idea without the fix to ensure that requests are only allowed under "dual criminality" situations.

It's really puzzling how the Bush administration would be backing this after they put up such a stink about the US not being dictated to by other countries in environmental laws or by international courts. But since when have they been consistent?

Wednesday, November 23, 2005

Xmas nostalgia

Someone is scanning in the entire Sears 1979 wishbook.

More geeky sex-related content

Just to continue the geeky sex-related Internet content update, you can now get daily doses of customized porn via your RSS reader. Enter Sex By RSS

Two geeky takes on the Kama Sutra

The "Comma Sutra"

via Scrutiny Hooligans

Which reminds me of a related amusing and geeky version:

Linux Sex Positions - The Open Source Kama Sutra

They even have a security-related one: "Position 12 - Piercing the Firewall"

Lawyers gone wild

When Legal Strikes—Chaos Theory Meets DRM

Sadly, as management gets more cautious about legal repercussions, lawyers get a voice in decisions in which they not only have no expertise (such as IT), but in customer-facing initiatives, as well.

Sony's aggressive spyware approach to DRM smells to high hell of the kind of good-intentions-turned-cognitive-dirty-bomb so many Legal-inspired projects descend into.

This is an interesting opinion that I think is only potentially applicable to situations where the lawyer in question is representing the company's explicit interest. I haven't seen this happen in general though--particularly where the corporate lawyers are addressing issues that are _not_ in regards to the company interest (e.g. privacy law).

For the most part, I have seen these lawyers define a very low bar for a company to meet. The same tendency for lawyers "tend to wield power disproportionate to their duties" (I would use the word "influence" instead of power) leads to these proclamations to be interpreted to mean that the company should only meet the minimum bar. These lawyers are not in the business of suggesting what the company _should_ do, only a minimum of what it _has_ to do. Laws aren't necessarily sufficient or detailed enough to ensure that they are complied with, however. I have had several situations where lawyers have undone good security work because they proliferated the fact that the law didn't require the proscribed procedures, even though those procedures were in place to uphold that law. Lawyers seem to wield more influence than security folks though so who do you think was listened to?

Common writing mistakes

This post about Grammar Nerds reminded me that I've long wanted to write about some common mistakes I see over and over on the Internet and in emails.

The most common thing that I notice is confusing words that sound somewhat alike but have very different meanings and spellings:

  • conscious/conscience

  • If your conscience is bothering you, you are conscious.
  • effect/affect

  • Will poor grammer affect your chances of getting that next job?

    Missing out on that next job may be the likely effect (outcome) of being sloppy with grammar.
  • console/consul

  • You can change administrative settings via an application or server console.
  • bare/bear

  • Bear in mind these grammar rules for next time.
  • there/their/they're

  • They're = They are

    There = refers to a location (e.g. over there)

    Their = a possessive pronoun; used when referring to group possession of a thing or quality
  • your/you're

  • You're = You are

    Your = possessive pronoun; used when referring to someone possessing a thing or quality
  • e.g./i.e.

  • e.g. = exempli gratia (for example); use when providing an example for clarification

    i.e. = id est (that is... or "in effect"); use when providing additional clarifying information, not through the use of an example
  • lose/loose

  • I always see this one when someone misspells lose as "loose". Playing fast and loose with spelling!
  • mute/moot

  • When using the phrase, "a moot point" or similar, "this may become moot", moot is the right spelling. Mute refers to remaining or being unable to speak.
  • to/two/too

  • Too = also

    two = the number 2

    to = a preposition meaning a variety of things, such as "toward"

There are a ton of sites that go into more detail than this. A simple google search will find most all of them. Or just check your favorite dictionary.

Sunday, November 20, 2005

Internet security tips,1759,1883072,00.asp?kc=EWRSS03129TX1K0000614

MD4 and MD5 collision generators

There are still not known attacks against encryption schemes that make use of these, but certainly anything relying on these hashes for integrity protection should switch to alternate mechanisms.

Sent: Monday, November 14, 2005 10:48 AM
To: [email protected]
Subject: MD4 and MD5 collision generators

I am releasing my collision generators for MD4 and MD5. They have
significant time improvements over the ones described in the papers by Wang, et al.

MD4 collisions can be generated almost instantly, MD5 can be generated
in approximately 45 minutes on my p4 1.6ghz (on average).

-Patrick Stach

Scientists re-invent nature?

BBC NEWS | Science/Nature | Butterfly wings work like LEDs

When scientists developed an efficient device for emitting light, they hadn't realised butterflies have been using the same method for 30 million years.

Oh, the irony

Wired News: Tainted Sony CDs Used Open Source

In short: Sony's ill-conceived, ill-executed, and ill-handled copy protected CDs that inserted a rootkit on your Windows computer that were designed to supposedly protect artist's rights by preventing unauthorized copying of music ironically appear to have violated the copyrights of several open source software tools.

Friday, November 11, 2005

"Deep Thoughts" on topics of the day

Daily Kos: Cheers and Jeers: Rum and Coke FRIDAY!

Last weekend we picked up three of Jack Handy's Deep Thoughts books. While he avoids the political (after all, the thoughts are deep), we found some striking parallels to certain people and issues of the day...

More 'Christians' persecuting others who are supposedly persecuting Christians

Pandagon: 'Tis the season to 'persecute' Christians

A couple more years of this hysteria and the use of "Merry Christmas" as shorthand for, "I hate you and everything you stand for because you didn't pass my Christian sniff test, hellbound motherfucker,"

Now that sounds consistent with the loving Christian attitude fostered by Pat Robertson. - Robertson warns Pennsylvania�voters of God's wrath - Nov 10, 2005

WASHINGTON (Reuters) -- Conservative Christian broadcaster Pat Robertson told citizens of a Pennsylvania town that they had rejected God by voting their school board out of office for supporting "intelligent design" and warned them Thursday not to be surprised if disaster struck.

Don't you just enjoy how much love and inclusiveness there is at the Holidays? Sheesh.

Alito response to Vanguard conflict of interest shows true character


Alito: "he's an I'm gonna do what I want and fuck you if you think otherwise kind of guy" Nice.

O'Reilly unpacks dead horse from his holiday nick-nacks; begins 2005 flogging

O'Reilly opens new front in "war" on Christmas ... [Media Matters]

O'Reilly is ridiculous and a hypocrite. He is trying to create a controversy where one does not exist and then beat that dead horse senseless. And his issue? "Season's Greetings" and "Happy Holidays" used by businesses around this time of year "absolutely does [offend Christians]. And I know that for a fact."

Here's how he is a hypocrite (one of many ways). It's okay for him to be offended when the Christian aspect is _not_ specifically mentioned, but non-Christians do not get this same right. But this is okay because O'Reilly says, "I don't believe most people who aren't Christian are offended by the words "Merry Christmas." Nevermind this is a baseless position to take. And the possibility that non-Christians could be just as incensed as he is is not only discounted, but he resorts to ad-hominim attacks against those non-Christians, "I think those people are nuts. I think you're crazy if you're offended by the words "Merry Christmas."

To summarize:

Christians: Have a right to be offended when Christian-specific language is _not_ used at the holidays and can be offended when inclusive language is used, such as "Happy Holidays".

non-Christians: If they are offended by exclusive language such as "Merry Christmas", they are "nuts" or "nutty customers". Further, businesses should ask, "why do you want them [as customers] anyway?" Not only should exclusive _language_ be used, but business should actually think hard about _actually excluding_ them from the customer base.

He wants to see businesses only address the Christian aspect of the holiday season specifically.

But he then contradicts himself when he says, "the smart way to do it is "Merry Christmas, Happy Hanukah, Season's Greetings, Happy Kwanzaa." So it's okay to say "Season's Greetings" now or isn't it? Clear as mud, but what do you expect?

Wednesday, November 9, 2005

Password Hash Dash

Rainbow Crack is a time/memory tradeoff tool that can break passwords knowing just the password hash. So, those people who still think that disclosing password hashes is not a big deal...

SANS documented and proved, using a modified version of Rainbow Crack, something that I have suspected for a while. That Oracle's proprietary password hashes are weak There are plenty of good ways to do this that it's a wonder these days that people still roll-their-own crypto. The SANS team is releasing an update to Rainbow Crack that can crack Oracle passwords.

New photos of Wonders of the universe

Hubble & Spitzer Space Telescopes on Yahoo! News Photos

Beautiful, wonderous, cool stuff.

This undated infrared image captured by NASA's Spitzer Space Telescope, released by NASA on Wednesday, Nov. 9, 2005, shows colossal pillars of cool gas and dust that provide scientists with an intimate look at the star-forming process. The image reflects a region in space known as W5, in the constellation Cassiopeia 7,000 light years away, which is dominated by a single massive star. (AP Photo/NASA, JPL, CalTech)


Congress may curtail some PATRIOT Act powers

Congress May Curb Some Patriot Act Powers - Yahoo! News

Now that congress has apparently taken the time to read the PATRIOT Act, they are more likely to do the right thing before voting for it a second time:

WASHINGTON - Congress is moving to curb some of the police powers it gave the Bush administration after the Sept. 11 terrorist attacks, including imposing new restrictions on the
FBI's access to private phone and financial records.

A budding House-Senate deal on the expiring USA Patriot Act includes new limits on federal law enforcement powers and rejects the Bush administration's request to grant the FBI authority to get administrative subpoenas for wiretaps and other covert devices without a judge's approval.

"Religious Right" confirms they are Hypocrites

AMERICAblog: Religious right bigots upset that a US Senator called them on their religious bigotry

Yet another reason to love Vermont Senator Pat Leahy.

Primer on Root Causes of the Violence in France - Why Paris Is Burning

Attend or host a Wal*Mart movie screening

WAL-MART Movie Screenings

Attend or host a movie screening of the new film Wal*Mart: The High Cost of Low Price. I'll be attending one in Seattle next Wednesday. Hope to see you there!

Another FEMA and Bush Administration SNAFU

Think Progress � Another Titanic Mistake

The Federal Emergency Management Agency has given the defense contracting agency Titan more than a half million dollars in brand-new contracts for Hurricane Katrina. Here are the top five reasons this was a very bad idea

Read the article for the sickening details about Titan. If Republicans want to do something about the moral climate of America, forget the annoying shit that the FCC is doing and clean house in your own party. Ahh, the ones who throw stones should not live in glass houses...

Democrats, now Press find their cajones

Pandagon: Another painful Scott McClellan ass-whooping

White House press briefings are fun again!

Especially when the White House attempts to revise history again.

The press is starting to do its job for once, but it is often discounting and ignoring their role in marketing misinformation about the Iraq war

The complete toll of the Iraq War

It really miffs me to hear media focus entirely on the number of death-specific casualties of the Iraq war but completely ignore the other horrible casualties. From the McLaughlin Group, 11/4/05:

MR. MCLAUGHLIN: Okay, the human toll: The U.S. military dead in Iraq, including suicides, 2,035; U.S. military amputeed, wounded, injured, mentally ill, 48,100; Iraqi civilians dead, 117,700.

Note to the media: Why don't you ask yourselves why it is only the number of _dead_ servicemen who you choose to highlight? Isn't 48,100 WOUNDED US CITIZENS an even more horrific number? Yes, 2035 dead US Citizens is tragic, but death is not the only tragic consequence for the soldiers.

And what about the Iraqi _deaths_ of 117,700? That's not their wounded count. That's the number of body bags needed or graves to be dug.

Na na na na, na na na na, hey hey hey...

BBC NEWS | Americas | CIA leak probe reporter resigns

Judith Miller resigns. Good riddance.

Tuesday, November 8, 2005

Proof against Intelligent Design: The Kansas school board

In a 6-4 vote, the Kansas school board voted in favor of teaching Intelligent Design in Schools.

Two words: F*cking idiots.

There is some good news in the realm of the New New Creationism though:

Intelligent Design Candidates Voted Out in Penn. Hooray! To show how huge htis was, 8 out of the 9 members who voted in favor of ID as an "alternative" to evolution were up for election; all 8 were voted out.

Science & Theology News also has a list of the ID players