Ramblings & ephemera

Computer security people try to solve problems with technology

From Bruce Schneier in The Evolution of a Cryptographer: Computer security folks are always trying to solve problems with technology, which explains why so many computer solutions fail so miserably.

Eavesdropping with your cell phone

From David S. Bennahum’s “Hope You Like Jamming, Too” (Slate): …innovative industrial spies, who have several neat new tricks. These days, a boardroom Mata Hari can purchase a specially designed cell phone that will answer incoming calls while appearing to be switched off. In a business meeting, she could casually leave her phone on the […]

How an email account without passwords can be good for security

From Robert X. Cringely’s “Stream On”: Mailinator is ad hoc e-mail for those times when just maybe you don’t want to use your regular e-mail address. Say you are snitching on the boss, buying inflatable people, or want 32 different PayPal accounts. Just tell someone—anyone—that your e-mail address is fatman@mailinator.com or skinnykid@mailinator.com, or clueless@mailinator.com or […]

Better security = reduced efficiency

From Robert X. Cringely’s “Stream On”: Yet nearly everything we do to combat crime or enhance safety comes at the expense of reduced efficiency. So we build airports to make possible efficient air transportation, then set up metal detectors to slow down the flow of passengers. We build highways to make car travel faster, then […]

The email dead drop

From the L.A. Times’ “Cyberspace Gives Al Qaeda Refuge”: Simplicity seems to work best. One common method of communicating over the Internet is essentially an e-mail version of the classic dead drop. Members of a cell are all given the same prearranged username and password for an e-mail account on an Internet service provider, or […]

American Express’ security policies made things more insecure

From Bruce Schneier’s Crypto-Gram of 15 August 2003: When I called to activate an American Express credit card I had received in the mail, the automated system told me that I would have to associate a PIN with it. The system told me that other users liked the idea of using their mother’s birthday as […]

Getting past security on planes

From Bruce Schneier’s Crypto-Gram of 15 August 2003: It’s actually easy to fly on someone else’s ticket. Here’s how: First, have an upstanding citizen buy an e-ticket. (This also works if you steal someone’s identity or credit card.) Second, on the morning of the flight print the boarding pass at home. (Most airlines now offer […]

Laundering a car’s VIN

From Bruce Schneier’s Crypto-Gram of 15 October 2003: Precision stripping: criminal steals car, chop shop strips car completely down to chassis, chassis dumped on street, cops tow chassis away, chassis sold at auction, criminal buys chassis, chop shop reattaches parts. Result: legitimate car that can be legally sold used. The VIN has been ‘laundered’.

What seems obvious in security often is not

From Russell Nelson’s comment to Bruce Schneier’s Crypto-Gram of 15 November 2003:
> A New York detective was once asked whether pickpockets in Manhattan dressed in suits and ties to facilitate their crimes’ subsequent escape. He responded by saying that in twenty years he had never arrested even one pickpocket in a […]

A nanny’s man-in-the-middle attack

From Bruce Schneier’s Crypto-Gram of 15 April 2004: Here’s a story of a woman who posts an ad requesting a nanny. When a potential nanny responds, she asks for references for a background check. Then she places another ad, using the reference material as a fake identity. She gets a job with the good references—they’re […]

Problems with ID cards

From Bruce Schneier’s Crypto-Gram of 15 April 2004: My argument may not be obvious, but it’s not hard to follow, either. It centers around the notion that security must be evaluated not based on how it works, but on how it fails. It doesn’t really matter how well an ID card works when used by […]

Security decisions are often made for non-security reasons

From Bruce Schneier’s Crypto-Gram of 15 July 2004: There was a single guard watching the X-ray machine’s monitor, and a line of people putting their bags onto the machine. The people themselves weren’t searched at all. Even worse, no guard was watching the people. So when I walked with everyone else in line and just […]

Some great gross parasites

Parasitoid Wasps

From Charles Q. Choi’s “Web-manipulating wasps” (Live Science: 2 March 2011): Although parasites harm their hosts, they don’t usually kill them, if only to keep themselves alive. Not so with parasitoids, which ultimately destroy and often consume their hosts. Parasitoid wasps, which inspired the monster in the movie “Alien,” lay their eggs inside […]

Evaluating software features

When developing software, it’s important to rank your features, as you can’t do everything, & not everything is worth doing. One way to rank features is to categorize them in order of importance using the following three categories:
Required/Essential/Necessary: Mission critical features that must be present
Preferred/Conditional: Important features & enhancements that bring better experience […]

My response to the news that “Reader, Acrobat Patches Plug 23 Security Holes”

I sent this email out earlier today to friends & students: For the love of Pete, people, if you use Adobe Acrobat Reader, update it. http://krebsonsecurity.com/2010/10/reader-acrobat-patches-plug-23-security-holes/ But here’s a better question: why are you using Adobe Reader in the first place? It’s one of the WORST programs for security you can have on your computer. […]

The Irish Church lies in creative – and evil – ways

From Patsy McGarry’s “Church ‘lied without lying’” (Irish Times: 26 November 2009): One of the most fascinating discoveries in the Dublin Archdiocese report was that of the concept of “mental reservation” which allows clerics to mislead people without believing they are lying. According to the Commission of Investigation report, “mental reservation is a concept developed and […]

Big security problems with the current way Firefox handles extensions

From Help Net Security’s “Zero-day vulnerabilities in Firefox extensions discovered” (20 November 2009): At the SecurityByte & OWASP AppSec Conference in India, Roberto Suggi Liverani and Nick Freeman, security consultants with security-assessment.com, offered insight into the substantial danger posed by Firefox extensions. Mozilla doesn’t have a security model for extensions and Firefox fully trusts the […]

The Kraken botnet

From Kelly Jackson Higgins’s “New Massive Botnet Twice the Size of Storm” (DarkReading: 7 April 2008): A new botnet twice the size of Storm has ballooned to an army of over 400,000 bots, including machines in the Fortune 500, according to botnet researchers at Damballa. (See The World’s Biggest Botnets and MayDay! Sneakier, More Powerful […]

Australian police: don’t bank online with Windows

From Munir Kotadia’s “NSW Police: Don’t use Windows for internet banking” (ITnews: 9 October 2009): Consumers wanting to safely connect to their internet banking service should use Linux or the Apple iPhone, according to a detective inspector from the NSW Police, who was giving evidence on behalf of the NSW Government at the public hearing […]

Malware forges online bank statements to hide fraud

From Kim Zetter’s “New Malware Re-Writes Online Bank Statements to Cover Fraud” (Wired: 30 September 2009): New malware being used by cybercrooks does more than let hackers loot a bank account; it hides evidence of a victim’s dwindling balance by rewriting online bank statements on the fly, according to a new report. The sophisticated hack […]