Diebold Voting Machines are still insecure
I have just encountered an interesting article on Diebold voting machines.
For the Australians that don't know, Diebold makes an electronic voting machine that is used across the USA to count elections. If we are *really* lucky, here in the ACT, we will get them soon as well, as we know that Electronic Voting is the only way to go (tm)..
There are unfortunately a couple of *minor* problems. Most of them are too technical for non-technical readers to understand, but one problem that has just surfaced is that the locking mechanism used on the machine to keep it closed uses *exactly* the same key as some computers and vending machines. Even the same key number. One researcher remembered seeing a key just like it in a previous job, and sure enough, it was the same.
It turns out that these keys are extremely common!!!!
Here is the Article
All I hope is that when the Australian Government decides to rattle down the Diebold voting path, that they employ some people with a clue to perform the security analysis of the solution. Until then, stick to the good old Pencil and Paper!
[/Security]
permanent link
Employees are an Agencie's biggest security threat
Wow
Earth shattering information found:
" Federal employees pose a bigger threat to private data than the computer hackers most security systems are designed to thwart, privacy officials and lawmakers said.
Many agencies are vulnerable to the same type of security breach that occurred most recently at the Veterans Affairs Department, said Pam Dixon, executive director of the World Privacy Forum, a nonprofit group concerned with technology's impact on privacy. In the VA case, which was announced publicly May 22, a laptop containing names, Social Security numbers and birthdates of 26.5 million veterans was stolen from the home of an employee who was working on a project. "
It is about time somebody actually wrote that down...
Here is the link to the entire article:
http://federaltimes.com/index.php?S=1829430
[/Security]
permanent link
Now I Understand !!!
I have just read a slashdot thread that indicates that Microsoft employees are likely to lose ADMINISTRATIVE RIGHTS! The simple tradition of each employee being responsible for their own desktop software set, and having admin rights, seems to run deep for Microsoft employees.
Now I understand why windows is so unmanageable without admin rights. None of the people who design the systems are subjected to the same controls that hundreds of millions of users have to put up with. Why on earth did they design a product, and then fail to use it in the way that they designed it?
Here is the link: http://rss.slashdot.org/Slashdot/slashdot?m=5621
[/Security]
permanent link
2006 e-crime and computer evidence conference
The call for papers for the 2006 e-crime and computer evidence conference has been extended to 22 May.
From their web site, it appears as though they are yet to choose a theme, but they are interested in any of the following;
* Technical aspects of data recovery and analysis
* Technical aspects of network and/or internet investigation
* Legal aspects of investigation, prosecution or defence
* Criminological studies, theories and issues
* Use of computers in court
* Use of computers to support other investigations
Looks like it would be a worthwhile conference to attend.
Here is the link: http://www.ecce-conference.com/
[/Security]
permanent link
Forensics Boot CD
Today, I came across an interesting variant of 'Yet another linux boot disk' (YALBD)
This one is aimed at forensic investigations, in environments where the players have corporate credit cards, and limited time in their lives.
http://www.forensicbootcd.com/
It looks like a nice product from the supplied advertising, but I suspect that unless I part with some cash, I am unlikely to get to play with it.
[/Security]
permanent link
DRM (Digital Rights Management)
Hmmm,
I just read a story on the register http://www.theregister.co.uk/2006/03/21/dmca_exemptions_controversy/ that indicated that copyright owners demand Digital Rights Management even if it causes "security and privacy harm" or "potentially endangers lives"
I have been thinking about this, and now, I offer my $0.02 worth...
To avoid any DRM on any Audio: Go to Dick Smith, and purchase a cable that will allow you to connect your CD player output to your PC soundcard mic socket. Place the CD into your CD player, and use some audio recording software on your PC. Hit play on the CD, and Record on the PC, and Bob's your uncle, instant unprotected mp3 content.
Yes, you will receive second generation audio, but it will be *much* greater quality than the good old days of holding the tape recorder beside the TV speaker.
To avoid DRM on any publication: Print your publication, and scan it in with your scanner. Convert the scanned pages to PDF and you're done.
Video: Hmmm, I'm thinking about that one.
Does this mean when I next enter the USA, I will be arrested at the entry airport for providing the world with the secret information that is needed to break any DRM system.....
Hmmmm...
[/Security]
permanent link
Quick Book Review - Buffer Overflow Attacks - Foster et al
I have recently purchased some new reference books in the general field of Information Security from Amazon.com. One of the books I finished last night was 'Buffer Overflow Attacks - Foster, Osipov, Bhalla, and Heinen - ISBN 1-932266-67-04'
It was well written, and easy to read. It starts off describing how Shellcode operates, including the various methods available to inject it, then it moves on to stack exploits and heap exploits. There are tons of useful examples (some of which I recognise from my early programming days!! Who says gets() is bad...) which made the content even easier to understand.
I was especially interested in the discussion of how to exploit heap overflows.
Finally, it shows a few techniques for detecting potential exploits in source code.
In all, well worth the money I paid.
[/Security]
permanent link
Renault Cars
This is a duplicate of what I have posted on the family web log. It has a techo bent, so it probably belongs here. Those of you who know me know that our family is spending Christmas in France, followed by a couple of weeks in Canada. We are currently on the France-Swiss border and Paul has rented a Renault to help move the tribe around. It is a very modern car with a couple of interesting features;
1) it doesn't have a key as such. There is a contactless proximity sensitive card that gets placed in the dash.
2) You don't turn anything to start the car. Once you slide the card in the slot, the dash lights up. There is a very friendly "start" button on the dash (kind of like what I did with Megan's 62 Falcon when the ignition switch died, except this probably has more smarts and the one for Megs was simply connected directly across the starter..)
3) The park brake is intelligent. When you stop the car and turn it off, the brake activates. When you start the car and go to drive off, the brake turns off.
4) You don't unlock the car... You simply walk up to it. It reads the ID from the proximity card, and opens the car for you.
The next step is to implant the prox technology, then you can't lose your key.
Hmmm, then you don't need an EFTPOS card... You probably don't even need a driver's licence... Wow, you can also drop the passport.
Wow, a world where everything knows you are there.. Cool, Makes callerID look like a walk in the park...
[/Security]
permanent link
What's in your garage?
I was looking at http://www.theregister.co.uk the other day, and came across the story about the UK techo who caused a train station to be evacuated by "wearing a coat, and carrying a bag" see http://www3.indymedia.org.uk/en/2005/09/324024.html
Reading his story actually quite frightened me. Especially the bit about the search of his flat...
During my life, I have had jobs in various electronics and computing fields. I am a security professional, and have spent many years in data centres owned by various telco's. I am interested in many fields, including crypto, access control technologies, physical security technologies, radio and the like.
Let's have a think about what you could find if you visited my garage (Translated: Male cave...)
Ex WA Police UHF handhelds - currently waiting to be converted from 490 MHz down to 430 MHz for the UHF HAM band. Purchased at auction.
EX Defence Handhelds - Ditto.
Credit card swipe reader - So I can examine security data stored in swipe cards. Purchased at auction.
Smart Card Reader / Writer - Silicon chip kit for working with Gold PIC cards.
Old Security passes - RFID tags for door access, legitimately obtained by talking to the security guys at an old employer. Waiting for me to write a white paper to prove that access control on most commercial swipe card doors is not as effective as it could be. Never under estimate the effectiveness of the old fashioned brass key.
I am working on a PIC based PS/2 key logger.
I have lots of reference information, including items like the CIA World fact book, and just like thousands of other Internet users, I have downloaded the "Hackers Handbook", and the "Anarchists Cookbook".
You will also find books titled "The problem of Chemical and Biological warfare (vols 1, 2, and 3)" and "Propellants and exothermic reactions in solids" - I used to work at the department of chemistry at ADFA, and they were being thrown out.
I have a milling machine, various machine tools, and stocks of metals. I pride myself on being able to make and repair most things (including my loveable EF Falcon station wagon.)
I have many chemicals in my garage. Many flammable, and *lots* of chlorine, and I fertilise my garden twice a year.
I have worked for universities and served in the defence force.
I have camping gear, and if you looked in my cupboard, you might even find the camo gear I was issued with when I served in the RAAF.
So, what is this rant about?
Where are the lines? What defines a Terrorist?
I suspect that the Terrorists may be getting close to winning; they are causing Governments to limit personal freedoms, and to issue laws without the necessary protections, in the name of "Terrorism".
If you use the measure of wearing a backpack, wearing a coat, talking on the phone, and failing to make eye contact as a test for 'Are you a Terrorist?', then you may make a mistake. How about us amateur radio operators who use VHF handhelds; clearly, we are co-ordinating something big.
The actual tragedy happens when you start to forensically analyse hard disks, and discover that your terrorist googled for 'Neck, Snap, Break' (because it was slash-dotted as a story, and you just had to..) If you go to make up a story, then, gosh, there is tons of material you can find.
What protections are the Government putting in place to protect people like me who use their garage as a workshop, not for putting a car into?
In reality if I were in England, and my house was searched, I would be in exactly the same pile of poo that David Mery is in, perhaps even deeper.
My biggest issue is that it appears as though the UK police have not quashed the arrest, they have simply labeled it as "NFA", No Further Action, citing "Insufficient Evidence" -- Well, we arrested you, possibly incorrectly, and could not gather enough evidence to make a case....
Makes you think, doesn't it?
The people we have to look out for probably look just like us, and the really nasty ones probably wear overalls, have a lot of gear to deliver and carry a clipboard.
I have posted a blog entry with my name and the word terrorist....That's probably enough to set off a couple of alarms somewhere. Am I an activist now?
[/Security]
permanent link
New Money Making Plan
I have just had a great thought...
There will be many people who have had systems 'value added' by Sony et al. in the new quest for DRM that ensures that your Pee Cee is only suitable for playing media from them (not for use as a general purpose platform).
There's money to be made from fixing the problems that they cause.
Hmm $80 per time?
Mikal.... Is this the step between stealing underpants and profit that you have been missing?
[/Security]
permanent link