Planet Security

May 25, 2013

NYC Resistor: Minitel/Tumblr Time Tunnel

Some technologies are so direct and intuitive that they feel classic even when they’re new. Some technologies are so ahead of their time that they only find their true purpose years after they’ve been put out to pasture.
In the early '80s, France Telecom rolled out the Minitel, a videotex system offering various online services to users across France. Subscribers were given small, semi-portable CRT-based terminals. The service was a success, and at its peak boasted 25 million users. But eventually, well, you know. The internet. In June 2012, France Telecom finally pulled the plug on the Minitel. Screens across the country went dark. Millions of little, boxy terminals, suddenly cast adrift. Widespread technology, lost and alone, in search of purpose. Purpose now, suddenly, found.
The Minitel/Tumblr Time Tunnel is a Minitel 1B US (yes, there was a QWERTY version) backed by a Raspberry Pi. Enter a few tags at the prompt, and the mighty firehose of Tumblr will be unleashed upon your tiny, 3-bit*, 80×72 pixel black and white CRT display. By cranking the serial port up to 4800 blazin’ bits per second and reducing the number of color swaps, you can view the genius of the internet at such blinding speeds that you’ll think that you’ve suddenly been transported to a Jetsonian future of videophones and cars that collapse into briefcases. It’s just that advanced. See for yourself:

(The asterisk after “3-bit” is due to the fact that each 2×3 block of “pixels” is actually a single character with foreground and background color attributes, so each 2×3 block only has one bit of color data, selected from a palette of 8 colors.)

As is de rigueur, all the code is available on github.

The Minitel/Tumblr Time Tunnels will be on display at this year’s NYCR Interactive Party. Be sure to come by and see the internet the way it positively demands to be seen!

May 24, 2013

The Register - Security: Experts: Network security deteriorating, privacy a lost cause

One suggestion: 'Don't armor the sheep, hunt the wolves'

Ethernet Summit  Internet and network security is bad, and it's going to get worse before it gets better. To make it better, CIOs and IT admins need to rethink the way that they approach protecting their networks from hackers and other miscreants.…

SANS Internet Storm Center: UDP port 1434 directed attack to AS13489 IP ranges, (Fri, May 24th)

We have seen today a big rise in incoming packets of what appears to be a SQL Slammer attack. Some of the detected packets are:

Suspect packet #1

Malicious packet 2

Malicious packet 3

We have seen a sustained rate of about 25 Mbps in many nodes inside AS13489 and AS27989. Some very old SQL servers have been compromised, and Internet speed has been compromised as well; navigation is very slow.

Have you seen something like this today on your AS? Let us know!

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Light Blue Touchpaper: Revisiting secure introduction via hyperlinks

Today at W2SP I presented a new paper making the case for distributing security policy in hyperlinks. The basic idea is old, but I think the time is right to re-examine it. After the DigiNotar debacle, the community is getting serious about fixing PKI on the web. It was a hot topic at this week’s IEEE Security & Privacy (Oakland), highlighted by Jeremy Clark and Paul van Oorschot’s excellent survey paper. There are a slew of protocols under development like key pinning (HPKP), Certificate Transparency, TACK, and others. To these I add s-links, a complementary mechanism to declare support for new proposals in HTML links.

Though it’s unclear which proposals will take hold, deployment will probably be fragmented: some servers will require HTTPS (using HSTS), some may pin keys or use another new protocol, and many will continue to not support HTTPS at all. Clients must know what the server supports prior to initially connecting, or else a middleperson attacker can simulate a server which only supports insecure HTTP (often called a stripping attack). Thus hardening HTTPS includes an enormous policy distribution problem.

The consensus is that querying a new out-of-band trusted server to learn security policy is a non-starter. OCSP, a protocol to check if certificates are revoked, provides a painful example. It was never reliable enough for browsers to fail closed if OCSP servers couldn’t be reached, so it provided negligible security and Chrome eventually disabled it. This leaves very few channels to distribute security policy prior to initial connections. Browser preloads are great, but can’t scale indefinitely. DNSSEC (via extensions like DANE) is a promising approach, but many deployment issues remain.

This leaves secure introduction: if a user agent is referred to a new domain by an already-trusted domain, the referring domain can indicate a minimum security policy required for the initial connection. S-links are a proposal to enable secure introduction in HTML. A stricter HTTPS policy (such as key pins) can be declared in a new “link-security” attribute, which will apply only to requests caused by that element itself (for example, clicks on a link or loading a JavaScript library).

S-links aren’t a panacea: they can’t protect users who manually type a new URL. Still, compared to the alternatives s-links are an efficient and easy-to-deploy channel for security policy. An important lesson from past PKI failures is to build for robustness: multiple protocols will have to be supported and we should build multiple ways of advertising security upgrades. S-links is still a very early-stage project with important details to get right about the user experience and some subtle interactions with the browser’s same-origin policy. I would greatly appreciate feedback.

Schneier on Security: Friday Squid Blogging: Eating Giant Squid

How does he know this?

Chris Cosentino, the Bay Area’s "Offal Chef" at Incanto in San Francisco and PIGG at Umamicatessen in Los Angeles, opted for the most intimidating choice of all -- giant squid. "When it comes to underutilized fish, I wish the public wasn't so afraid of different shapes and sizes outside of the standard fillet," he said.

"I think the giant squid is a perfect example of an undervalued ocean creature. Everyone isn't afraid of squid but the size and flavor of the giant squid scares people because it has a very intense flavor but it is quite delicious."

I am surprised he has tasted giant squid?

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Yahoo! News: Computer Security and Viruses: Senator urges 'extreme caution' on SoftBank-Sprint deal

By Doug Palmer and Liana B. Baker WASHINGTON (Reuters) - An influential senator expressed strong concerns on Friday about Japanese company SoftBank Corp's plan to buy 70 percent of Sprint Nextel, warning it could expose the United States to Chinese cyber attacks. "I have real concerns that this deal, if approved, could make American industry and government agencies far more susceptible to cyber attacks from China and the People's Liberation Army," Senator Charles Schumer of New York said in a statement. ...


Yahoo! News: Computer Security and Viruses: Schumer urges look at security in Sprint deal

NEW YORK (AP) — Sen. Charles Schumer urged regulators to "use extreme caution" when reviewing the proposed acquisition of No. 3 cell carrier Sprint Nextel by Japan's Softbank, saying the Japanese company's use of Chinese networking equipment could open up U.S. networks to snooping and hacking.

hackaday: RPi control your server PSU over the Internet


Here’s an interesting use of a Raspberry Pi to control the PSU on a server. [Martin Peres] is going to be away for a few months and still wants access to his PC. This isn’t really all that tough… it’s what SSH is made for. But he also wants lower-level access to the hardware. Specifically he needs to control and get feedback on what the PSU is doing, and even wanted to have access to the serial console without having to go through the computer’s NIC.

The image above shows one part of his solution. This is a custom Ethernet port that connects to his Raspberry Pi header breakout board. Inside the computer the jack is wired to the motherboard power LED to give feedback about the current state of the power supply. It also patches into the green wire on the PSU, which lets him turn on the power by pulling it to ground. After working out the cable routing he developed a web interface that makes it easy to interact with the setup.

As with other hacks along these lines letting an embedded computer run 24/7 is a lot less wasteful than leaving a PC on. That’s a concept we can really get behind.

hackaday: 3W handheld laser raises hope for a real Lightsaber someday


That banner image may seem a little bit theatric, but it’s a good representation of what this 3W handheld laser can really do. Turn the thing on in a slightly smoky room and it looks exactly like a thin beam Lightsaber.

What kind of tricks would you expect this thing to perform? Perhaps it’ll pop some black balloons? Prepare to be shocked because it’s orders of magnitude more powerful than that. The video below shows it burning and igniting a collection of items almost instantly. [Styropyro] tested his creation by igniting paper, cardboard, flash paper, flash powder, burning through a stick of wood, and igniting an undisclosed substance at the end of the video. But one of our favorites is when he drives a solar powered toy car with the intense beam.

He pulled the diode from a DLP projector, and drives it with a pair of 18650 Lithium Ion batteries which are commonly found in laptops. He made the enclosure himself. It looks great but we can’t help but wonder if the components would fit in a painstakingly made replica.

Freedom To Tinker: Arlington v. FCC: What it Means for Net Neutrality

[Cross-posted on my blog, Managing Miracles]

On Monday, the Supreme Court handed down a decision in Arlington v. FCC. At issue was a very abstract legal question: whether the FCC has the right to interpret the scope of its own authority in cases in which Congress has left the contours of its jurisdiction ambiguous. In short, can the FCC decide to regulate a specific activity if the statute could reasonably be read to give it that authority? The so-called Chevron doctrine gives deference to administrative agencies’ interpretation of their statutory powers, and the court decided that this deference extends to interpretations of their own jurisdiction. It’s all very meta, but it turns out that it could be a very big deal indeed for one of those hot-button tech policy issues: net neutrality.

Scalia wrote the majority opinion, which is significant for reasons I will describe below. The opinion demonstrated a general skepticism of the telecom industry claims, and with classic Scalia snark, he couldn’t resist this footnote about the petitioners, “CTIA—The Wireless Association”:

This is not a typographical error. CTIA—The Wireless Association was the name of the petitioner. CTIA is presumably an (unpronounceable) acronym, but even the organization’s website does not say what it stands for. That secret, known only to wireless-service-provider insiders, we will not disclose here.

Ha. Ok, on to the merits of the case and why this matters for net neutrality.

Verizon v. FCC is a long-running case currently in DC Circuit court, arising out of Verizon’s challenge to the FCC’s “Open Internet Order.” It all started in 2010, but for a variety of reasons it has moved at a snail’s pace. They haven’t even scheduled oral arguments yet. On one side, Verizon claims that the FCC does not have the authority to implement the non-discrimination rules contained in the order, and that they as a company have a First Amendment right to discriminate. On the other side, the FCC has asserted a patchwork of statutory theories for why they can enforce the order. The Commission also claims that the free speech arguments by Verizon are bogus because the company is merely a carrier of speech and, if anything, the free speech obligations should counsel in favor of non-discrimination.

These arguments are largely untested ground for both sides. Although Verizon’s free speech argument may seem rather dubious, it might nevertheless turn out to be a legal winner in light of cases like Citizens United. The FCC’s “carrier of speech” argument fits a common-sense notion of what telecommunications companies do. Unfortunately for the Commission, it has already chosen to “deregulate” internet communications by stating that they are not “common carriers” — that is, entities that are traditionally obliged to deliver communications without discrimination. Instead, they articulated the patchwork of other statutory theories — the so-called “ancillary jurisdiction” approach.

As others have observed, the decision in Arlington gives the FCC a much better shot at winning the ancillary jurisdiction argument in the Verizon case. Tim Lee thinks that on balance this is a bad thing for public policy, because it contributes to regulatory jurisdiction creep. I can appreciate his position.

Let’s assume for a moment that the FCC loses the Verizon case in the DC Circuit. If the Supreme Court hears the case, it would be quite entertaining indeed. That’s because Scalia has some strong views on how broadband should be classified and what jurisdiction the FCC should have. This takes us back to a case in 2005, NCTA v. Brand X. In that case, a company named Brand X Internet Services claimed that cable-based broadband internet service was indeed a “common carrier” service. The FCC was at the time proceeding with its novel approach to “deregulating” broadband internet by stating that it was not a common carrier but instead subject to ancillary jurisdiction. The logical and legal acrobatics of this approach were quite impressive. The Supreme Court, in a 6 to 3 vote, applied Chevron deference to the FCC’s interpretation of the statute, and let it stand. Scalia dissented vociferously. He simply didn’t think that the statute was ambiguous. Broadband internet was a common carrier service, rather than some new “information service” under the FCC’s “deregulated” scheme (see his extended pizzeria metaphor). He also noted that the Court’s decision (and the other dissenting opinions) would permit the FCC to change its mind and reclassify broadband as a common carrier under the Chevron doctrine. As he said:

“In other words, what the Commission hath given, the Commission may well take away–unless it doesn’t.”

The FCC actually considered relying on this so-called “Title II” reclassification approach initially, but rejected it at the time because it was too politically sensitive (telcos/cablecos have friends in Congress). So, even if Verizon wins the case at the DC Circuit, and even if the Supreme Court does not reverse the DC Circuit, the FCC could take the significant (and, to Scalia, logical) approach of common-carrier classification.

Arlington supports this approach, and the FCC filed a letter with the court yesterday noting this fact. Verizon, for what it’s worth, filed a letter citing a recent DC Circuit opinion upholding the free speech rights of corporate conveyors of speech against control by others.

For Verizon, there is no going back now. They have staked out their position and will defend it to the hilt. Many other broadband internet providers (including the cable companies) decided not to take part in this battle. MetroPCS, the other appellant, pulled out last week. Intervenor “CTIA—The Wireless Association”, represented by Jonathan Nuechterlein of WilmerHale, pulled out last summer. I, for one, am looking forward to oral arguments.

Schneier on Security: Training Baggage Screeners

The research in G. Giguère and B.C. Love, "Limits in decision making arise from limits in memory retrieval," Proceedings of the National Academy of Sciences v. 19 (2013) has applications in training airport baggage screeners.

Abstract: Some decisions, such as predicting the winner of a baseball game, are challenging in part because outcomes are probabilistic. When making such decisions, one view is that humans stochastically and selectively retrieve a small set of relevant memories that provides evidence for competing options. We show that optimal performance at test is impossible when retrieving information in this fashion, no matter how extensive training is, because limited retrieval introduces noise into the decision process that cannot be overcome. One implication is that people should be more accurate in predicting future events when trained on idealized rather than on the actual distributions of items. In other words, we predict the best way to convey information to people is to present it in a distorted, idealized form. Idealization of training distributions is predicted to reduce the harmful noise induced by immutable bottlenecks in people’s memory retrieval processes. In contrast, machine learning systems that selectively weight (i.e., retrieve) all training examples at test should not benefit from idealization. These conjectures are strongly supported by several studies and supporting analyses. Unlike machine systems, people’s test performance on a target distribution is higher when they are trained on an idealized version of the distribution rather than on the actual target distribution. Optimal machine classifiers modified to selectively and stochastically sample from memory match the pattern of human performance. These results suggest firm limits on human rationality and have broad implications for how to train humans tasked with important classification decisions, such as radiologists, baggage screeners, intelligence analysts, and gamblers.

DigitalBond: Friday News & Notes

ICS Security News

Want to learn how Ruben Santamarta found the TURCK backdoor disclosed last week by ICS-CERT? Read his article on Identify Back Doors in Firmware By Using Automatic String Analysis. He pulls out the strings from firmware and then uses a tool he wrote called Stringfighter to identify likely hard coded credentials. Ruben we want you at S4x14.

A research report from Zpryme breaks down the $8 billion the US Government allocated to smart grid projects as part of the 2009 recovery act. $5.1B has been spent so far and $3.2B (63%) was spent on smart meters. The industry won’t see this market stimulating money again. The smart grid budget for 2014 looks to be $450M with most going to R&D rather than subsidizing meter purchases.

US Congressmen Markey and Waxman release a report they ‘wrote’ entitled Electric Grid Vulnerability – Industry Responses Reveal Security Gaps. The best part of the report is Table 1 on page 14. Key findings, such as utilities are under cyber attack, like every other company connected to the Internet, aren’t helpful. This mainly is a document to support past legislation that is being reintroduced.

May 28th is a big day in Japanese ICS Security as the government’s Control System Security Center (CSSC) will celebrate the opening of the ICS testbed in Tagajo. I haven’t visited the site yet, which is located close to Sendai and where the deadly tsunami hit, but the pictures show a truly first class facility for research and training.

ISA99 has released a draft of TR62443-2-2 Patch Management in the IACS Environment to help owner/operators develop a patch management program. They are looking for comments.

I generally avoid commenting on industry quotes in articles, but the Register article on respected expert Mark Fabro’s AUSCERT presentation is disturbing. It is not difficult to cause serious damage to the critical infrastructure by attacking an ICS. In fact, we had so many presentations at S4x13 showing how, in simple ways, that we are likely going to reject the simple attack sessions for S4x14. It certainly doesn’t require clearing 143K hurdles, and a small team of 1-3 people with moderate skills and motive and a willingness to suffer the consequences of retribution can do significant damage. Perhaps the author didn’t accurately capture Mark’s viewpoint or maybe he was only talking about the difficulty of causing a nationwide blackout rather than just damage to a portion of the bulk electric system or other critical infrastructure.

Tweet of the Week

Turnabout is fair play? WSJ says Iran has 0wned US utilities http://t.co/gjOlMxr13O #blowback
@WeldPond
Chris Wysopal

Don’t forget to subscribe to this blog RSS feed and follow @digitalbond.com on twitter.

Worth Reading Articles

Critical Intelligence’s ICS Security Event Calendar Updates

Critical Intelligence provides reports and other information products on Cyber Situational Awareness and Threat Intelligence services for Industrial Control System Owner/Operators, Vendors and Government stakeholders.

Network World on Security: Layered defenses largely fail to block exploits, says NSS

Security experts have long touted a layered approach to cyber security as the most effective way to thwart network intruders, and the strategy is most effective when companies use a mix of vendors and security products, NSS Labs found.

Yahoo! News: Computer Security and Viruses: ITV News Twitter account hacked by Syrian Electronic Army

LONDON (Reuters) - British broadcaster ITV on Friday became the latest media outlet to have one of its Twitter feeds hacked by anonymous supporters of Syria's President Bashar al-Assad, just days after Twitter beefed up security to prevent such attacks. Twitter Inc said on Wednesday that it had started rolling out an optional two-step authentication regime for its users to thwart hackers. The Associated Press, Britain's Financial Times and Daily Telegraph newspapers have all previously succumbed to attacks from the self-styled Syrian Electronic Army. ...

Zero in Bit: Medical Data Privacy with Wysopal and the Willis Report

Last night our CTO and Co-Founder Chris Wysopal joined Fox Business’ The Willis Report to chat about medical record privacy in a segment titled “Digital Records Putting Your Health Information at Risk?”

In the six minute segment Chris talks about “the dark side” of putting medical data online in cloud servers. Among the stats thrown around:

Staggering numbers no doubt, but you might be asking exactly how dangerous this information is: health insurance fraud, financial identity theft, credit risk and even personal endangerment. If someone undergoes a medical procedure under your identity, your medical records become flawed. In a scenario where you’re undergoing emergency procedures your records could say you’ve had your appendix out when in fact you haven’t.

Beyond personal data privacy concerns are medical device security concerns, a topic we’ve previously touched upon. Wysopal on the subject says, “The medical device problem is particularly scary because you have these devices which were standalone and now you’re adding wireless functionality to them… so you can monitor these devices and connect to them. A lot of them weren’t designed with security in mind.” All of a sudden these devices that were designed to only be accessed physically in person are now being exposed to attackers online. Wysopal also adds to the commentary, “It’s also hard to fix these medical devices and update them because there’s such a long certification process… they aren’t like typical IT systems that you can patch in a few hours.”

So what can you do to protect yourself?

  1. Ask your health insurance company for a copy of your medical record and activities.
  2. Pull your credit report at least once a year and verify all accounts and activity.

If you don’t recognize something on one of these two reports, raise a red flag immediately starting with your healthcare provider. Check out the full video here for more great information.


The Register - Security: Wikileaks leaks documentary script about Wikileaks

Simply no teddies left in this pram

Wikileaks has released a transcript of a documentary about its history so it can add notes to each section saying "Wrong!", a day before the film debuts.…

Heise Security: Google to replace SSL certificates

Starting in August, Google will issue new certificates for its services. The company especially plans to scrap certificates with old 1024-bit RSA keys and replace them with 2048-bit ones.

Infoworld: Google's Penguin update lets you squeal on spammy websites

The latest version of Google's sophisticated anti-spam algorithm, dubbed Penguin 2.0, was announced yesterday in an official blog post from the company's well-known webspam czar, Mike Cutts.

The 2.0 label was applied, according to Cutts, because the update is a major one -- it includes changes to the underlying algorithms used to evaluate whether a website is spammy or not, not just the dataset Google uses. About 2.3 percent of queries in U.S. English will be visibly affected by the changes.

Network World on Security: Researchers find unusual malware targeting Tibetan users in cyberespionage operation

Security researchers from antivirus vendor ESET discovered a piece of cyberespionage malware targeting Tibetan activists that uses unusual techniques to evade detection and achieve persistency on infected systems.

F-Secure - News from the Lab: Twitter's 2FA: SMS Double-Duty

Twitter introduced multi-factor login verification on Wednesday. Good news? Well… that depends.

Twitter's initial implementation of two-factor authentication (2FA) relies on SMS.

But… Twitter also uses SMS as a way to send and receive Tweets (making use of SMS for double-duty: social and security). It's possible to "STOP" incoming Tweets via SMS, and that makes sense, because people sometimes end up roaming unexpectedly — and there needs to be a way to stop the SMS feature. Otherwise it could generate a costly bill.

Unfortunately, an attacker could use SMS spoofing to disable 2FA if he knows the target's phone number.

Twitter's SMS 2FA

We've done some testing.

The STOP command removes the phone number from the account — and that in turn disables Twitter's 2FA.

Not great.

But there's an even worse possibility at the moment.

If you don't yet have 2FA enabled, an attacker who gains access to your account via spear phishing could enable it for himself!

All that's required is a random phone number and SMS spoofing the word "GO".

Twitter's SMS 2FA

Then the attacker can enable the account's 2FA.

Twitter's SMS 2FA

Then send a message. (The message doesn't contain a confirmation code, so it isn't really needed.)

Twitter's SMS 2FA

And then click "Yes".

Twitter's SMS 2FA

That's it.

No confirmation code is needed to add a number. (Confirmation is required to change the account's associated e-mail address.)

This is what the victim will see — even if they reset the account's password.

Twitter's SMS 2FA

The victim will be locked out, and cannot recover the account without Twitter's support.

So… perhaps you should enable your account's 2FA — before somebody else does it for you.

Fortunately, the majority of Twitter users aren't big targets. Unfortunately, accounts such as @AP are. And Twitter's SMS-based 2FA could be more harm than help when the use case is a dedicated attacker.

Twitter's blog post says "this feature has cleared the way for us to deliver more account security enhancements in the future."

Let's hope so.

On 24/05/13 At 12:40 PM

The Register - Security: Security Twitteratti: Twitter's 2FA does sweet FA for biz

Shared accounts? #FacebookIsBetter

Security-watchers don't appear overly impressed with Twitter's introduction of two-factor authentication (2FA) to its service.…

Heise Security: Lost+Found: SSH key primer, Wireshark, toxic SSL certificates

On The H's radar over the last seven days: how to store and protect SSH keys, Wireshark 1.8.7 and 1.6.15, game engine vulnerabilities, Volatility plugins, irrevocable SSL certificates, and historical parallels to the internet.

Heise Security: News service served with cease and desist after server access

Reporters investigating a leak of personal information from two phone companies found themselves facing a cease-and-desist letter from the companies, who accused them of hacking their systems, a claim the news service denies.

Heise Security: Worth Reading: Hacking the Blackberry Z10

An introduction to analysing the Blackberry Z10 and the new Blackberry OS.

Schneier on Security: New Report on Teens, Social Media, and Privacy

Interesting report from the Pew Internet and American Life Project:

Teens are sharing more information about themselves on their social media profiles than they did when we last surveyed in 2006:
  • 91% post a photo of themselves, up from 79% in 2006.
  • 71% post their school name, up from 49%.
  • 71% post the city or town where they live, up from 61%.
  • 53% post their email address, up from 29%.
  • 20% post their cell phone number, up from 2%.

60% of teen Facebook users set their Facebook profiles to private (friends only), and most report high levels of confidence in their ability to manage their settings.

danah boyd points out something interesting in the data:

My favorite finding of Pew's is that 58% of teens cloak their messages either through inside jokes or other obscure references, with more older teens (62%) engaging in this practice than younger teens (46%)....

While adults are often anxious about shared data that might be used by government agencies, advertisers, or evil older men, teens are much more attentive to those who hold immediate power over them -- parents, teachers, college admissions officers, army recruiters, etc. To adults, services like Facebook may seem "private" because you can use privacy tools, but they don't feel that way to youth who feel like their privacy is invaded on a daily basis. (This, btw, is part of why teens feel like Twitter is more intimate than Facebook. And why you see data like Pew's that show that teens on Facebook have, on average, 300 friends while, on Twitter, they have 79 friends.) Most teens aren't worried about strangers; they're worried about getting in trouble.

Over the last few years, I've watched as teens have given up on controlling access to content. It's too hard, too frustrating, and technology simply can't fix the power issues. Instead, what they've been doing is focusing on controlling access to meaning. A comment might look like it means one thing, when in fact it means something quite different. By cloaking their accessible content, teens reclaim power over those who they know who are surveilling them. This practice is still only really emerging en masse, so I was delighted that Pew could put numbers to it. I should note that, as Instagram grows, I'm seeing more and more of this. A picture of a donut may not be about a donut. While adults worry about how teens' demographic data might be used, teens are becoming much more savvy at finding ways to encode their content and achieve privacy in public.

hackaday: Tamagotchi ROM dump and reverse engineering


Often the true key to success is persistence, and that holds true for this project which dumped the ROM from the current generation of Tamagotchi toys. If you’re a fan of learning the secrets built into consumer electronics — and you know we are — you’ll want to go back and watch the 24-minute lecture on Tamagotchi hacking which [Natalie Silvanovich] gave at 29C3 last year. She had made quite a bit of headway hacking the playable pods, but wasn’t able to get her hands on a full ROM dump from the on-board General Plus processor. This update heralds her success and shares the details of how it was done.

As we learned from the video lecture, it was a huge chore just to figure out what processor this uses. It turned out to be a 6502 core with a few other things built in. After prowling the manufacturer’s website she found example code for writing to Port A. She was then able to execute her own code, which was designed to dump one byte of ROM at a time using the SPI protocol.

[Natalie] posted her code dump if you’re interested in digging through it. But as usual we think the journey is the most interesting part.

[Thanks Itay]


Filed under: classic hacks, Microcontrollers, toy hacks

Yahoo! News: Computer Security and Viruses: Jon Stewart Says the DOJ Should Go After Wall Street Instead of Potheads

Last night on The Daily Show, Jon Stewart explained that the Department of Justice is going after people whose crimes seem minor—especially when you look at them in comparison to what Wall Street executives did to create the financial crisis. To which Stewart asked: "What, none of them bought pot?"


The Register - Security: Feds slam hacker-friendly backdoors in jalopy, grub factories

Kit easily violated by miscreants with 'minimal skill'

Security researchers have uncovered hard-coded user accounts that could act as backdoors into food, car, and agricultural production systems across the world.…

The Register - Security: Microsoft exposes green users' privates in web quiz snafu

Web design 101 guys, this is basic stuff

Microsoft has plugged a flaw in its Greener IT Challenge website that leaked the names and email addresses of users who took a quiz on the site.…

Heise Security: Samsung Galaxy S4 already hacked

Less than a month after the smartphone's commercial launch, Dan Rosenberg found a design flaw in Samsung's secured bootloader that allows arbitrary kernels to be booted even on a locked phone


The Register - Security: Did Kim Dotcom invent 2-factor authentication? Er, not exactly...

Pull out your pagers and your Hammer pants, we're going back to the '90s

Twitter is the latest major web service to beef up its security with two-factor authentication (2FA). The security feature is a pretty simple and effective approach - and one the notorious Mega kingpin Kim Dotcom claims today to have invented back in the '90s.…

LinuxSecurity.com - Articles: WikiLeaks Donations Down to a Trickle

LinuxSecurity.com: As WikiLeaks founder Julian Assange approaches the one-year anniversary of his confinement in the Ecuadorian embassy in London, a report released Wednesday reveals that donations to the secret-spilling site have dwindled to a trickle.

LinuxSecurity.com - Articles: Samsung Galaxy S4 already hacked

LinuxSecurity.com: The Samsung Galaxy S4 has been commercially available for about a month. In this time, 10 million devices have been sold - and at least one hack has been discovered. Security expert Dan Rosenberg identified a trivial design flaw in Samsung's secure bootloader concept that allows arbitrary operating systems to be booted.

The Guardian - Hacking RSS: Why is Anonymous helping teenage lesbians? | James Ball

Anonymous may not be known for its gay rights credentials, but this loose collective of libertarians loves an underdog

Any experienced internet denizen might feel wary on seeing the words "teenage lesbians" and "hacker collective Anonymous" in close proximity. And, quite probably, with good reason, especially if they're using a work computer.

But the situation isn't what they might fear: members of Anonymous have vowed to take action in the case of Kaitlyn Hunt, an 18-year-old woman from the US who is facing prosecution over her relationship with her 15-year-old girlfriend.

Shortly after her 18th birthday, the parents of Hunt's girlfriend secretly recorded the duo discussing a make-out session in the school bathroom – and used this to go to the police. She is facing charges of "lewd and lascivious battery" on a minor.

Generously, prosecutors are offering her a deal in which she'll face a mere two years in prison for having a younger girlfriend. Naturally, prosecutors and the girlfriend's parents alike claim the case is nothing to do with Hunt's sexual orientation.

For many members of Anonymous – Anons – lesbianism has, for now, begun and ended with what we might politely refer to as, ah, "adult entertainment" videos.

The collective is not traditionally known for having fantastic gender politics or gay rights credentials. The word "fag" serves as a jest, an insult and virtually as punctuation across the group's chats.

But this case has all the right ingredients to provoke Anonymous's ire. Young people facing criminal prosecution for typical teenage acts. Parents apparently allowed to surveil the conversations of teenage girls (creepy, no?) with impunity. And sentences which, as seems so common in the US, seem to bear no proportion to the "crime" concerned.

So their pledge to step in should really come as no surprise. The reason that it does, for some, is that Anonymous seems entirely inconsistent on alleged sex offences, treatment of women and attitude towards gay people.

Anonymous is often, but not always, among the core defenders of Julian Assange against the accusations of sex crimes he faces in Sweden. And shamefully, many Anons have played a large part in the demonisation of his accusers, chronicled in Alex Gibney's "We Steal Secrets" WikiLeaks biopic, out in the US this week.

But Anons have also been at the forefront of trying to seek justice for alleged rapists of women elsewhere – to the point of bordering on vigilantism.

Viewed in isolation, the three separate operations seem entirely contradictory. But they're partly explained by Anonymous's underlying politics and attitudes: Anons are libertarian. They mistrust the state, and don't like interference. And they will pick the underdog every day of the week.

Anons will join whichever side of the fight seems to be losing, or seems to be facing an injustice (real or imagined). They're not about to start discussing intersectionality at length.

This also accounts for a lot of Anons' perceived homophobia to outsiders: they are not, and will never be, delicate with language. Anonymous grew out of 4chan, one of the bluntest, rudest, trolls' nests on the internet. Just because the language is homophobic doesn't mean their intentions are – or at least, not always.

Anonymous is widely misunderstood. It's thought of as a group, or a membership organisation, maybe the online version of a political party. Even members of political parties can have widely divergent groups – just ask David Cameron – but Anonymous is far less coherent even than that.

Want to be a member of Anonymous? Say you're a member of Anonymous. And you're done. The unifying idea, if there is one, is a sense of injustice, belief in free speech bordering on the fundamentalist, and a libertarian streak. Everything else is optional. So, when it comes to gender and LGBT politics, Anonymous can be a crowd of misogynistic asshats with bigoted opinions. Or they can be progressives who either couldn't care less about sexuality, or actively support LGBT rights, and fight against injustices. Or anywhere in between.

In other words, there are as many attitudes towards LGBT within Anonymous as there are Anons. Just like everyone else, really.


guardian.co.uk © 2013 Guardian News and Media Limited or its affiliated companies. All rights reserved. | Use of this content is subject to our Terms & Conditions | More Feeds

The Register - Security: INSIDE GCHQ: Welcome to Cheltenham's cottage industry

'If this nerve centre didn't exist, neither would I' says Reg man

Geek's Guide to Britain. For staff at the Government Communications Headquarters (GCHQ) in Cheltenham, there’s an air of Fight Club about the place. The first rule about GCHQ is you don’t talk about GCHQ.…

Network World on Security: Google to lengthen SSL encryption keys from August

Google plans to upgrade the security of its SSL (Secure Sockets Layer) certificates, an important component of secure communications.

Network World on Security: Researchers warn of increased Zeus malware activity this year

The amount of cybercriminal activity associated with the Zeus family of financial Trojan programs has increased during the past few months, according to security researchers from antivirus vendor Trend Micro.

Errata Security: Video geeking: Revolution and biometrics

Watching TV/movies is becoming increasingly hard for us geeks. Each time they dramatize stuff on the screen, with hex dumps or code, we feel compelled to pause them, take a screen shot, and analyze what we see. I occasionally do this and blog about it. In this installment, I take a look at a screenshot from the TV show Revolution, season 1, episode 18, at around the 17:40 mark.

In this scene, a character attempts to enter a building with a handprint. What's the code to the left? A quick google search using unique keywords in that code sample finds the answer: https://github.com/biometrics/openbr. This is a project called "Open Biometrics".

At least this code is related to what's onscreen. Usually, the code chosen for dramatization is fairly random. The Ironman movie chose Lego Mindstorms code to power the first suit. A Charlie's Angels TV show used Obfuscated C contest code for a safe. At least this biometrics code relates to the biometrics security scanner in the show.

On the other hand, if you look at the "Open Biometrics" project, you'll see that it's designed for facial recognition, and related topics like gender/age determination. Hand print analysis isn't one of the options.

Anyway, I didn't know that there was an open-source facial recognition project. That's kinda cool, maybe something I can hook up with my Google Glass, should they ever start shipping.

Yahoo! News: Computer Security and Viruses: Venezuela prosecutor to open probe over leaked recording

CARACAS (Reuters) - Venezuela's prosecutor's office said on Thursday it would open an investigation into a recording the opposition says features a top government ally accusing the deputy head of the ruling Socialist Party of corruption and conspiring against the new president. Opposition deputies on Monday broadcast the recording of a conversation they said was between powerful state television commentator Mario Silva and a Cuban intelligence agent and later requested an investigation of it. ...


Errata Security: Don't drone me, bro

Today President Obama gave a speech taking credit for assassinating an American citizen. His justification was:
And as President, I would have been derelict in my duty had I not authorized the strike that took out Awlaki
So what, precisely, is the president's duty? The following is the entire oath of office he took as president:
I do solemnly swear (or affirm) that I will faithfully execute the Office of President of the United States, and will to the best of my Ability, preserve, protect and defend the Constitution of the United States.
Note that the oath isn't to "defend the country", but to "defend the constitution". The constitution lists a number of additional duties, such as sign bills into laws, give a "State of the Union" speech, and so forth. But none of his constitutional duties include ordering terrorists killed.

The constitution guarantees for every citizen the right to due process and equal protection. President Obama ignored these rights. By targeting Awlaki, an American citizen, President Obama was upholding no enumerated duty in the constitution, but was derelict in his most sacred one, to defend the constitution.

I have no doubt Awlaki was a really bad guy who deserved to be killed. I'm sure had Awlaki not been killed, his actions would have led to more American deaths in the future. None of that matters. Nothing in the constitution allows that as an exception. Awlaki was a citizen, he had rights.

This country has hundreds of cybersec/hacking experts who are more of a "threat" than Awlaki. Sure, we all work for the "good" side, but at the same time, we have the skill to conduct the worst cyberterrorism scenarios. We can cause mass blackouts. We can cause refineries to blow up. We can cause the automated drug delivery systems in hospitals to dispense the wrong drugs. We can cause a financial network to collapse. The only thing stopping us is because we don't want to. The moment the government suspects we might be up to something evil, we can expect a drone strike taking us out.

According to leaks, this policy of targeting American citizens started under the Republican President George Bush, and was simply continued by the Democrat President Barack Obama. This isn't a political argument, but a principled one. Both deserve to be impeached for this policy.

Hack in the box: Microsoft says new Kinect for Windows sensor coming in 2014


Microsoft will make available a new Kinect sensor for Windows in 2014, officials said on May 23.

The new Kinect for Windows sensor will include many of the technologies that Microsoft showed off in the Kinect for Xbox One product earlier this week. Microsoft is promising the Kinect for Windows sensor also will include higher fidelity, an expanded field of view, skeletal tracking and new active infrared -- all features of the Kinect for Xbox One.

Hack in the box: Google Said to Consider Buying Waze Presaging Bidding War


Google Inc. (GOOG), maker of the Android operating system, is considering buying map-software provider Waze Inc., setting up a possible bidding war with Facebook Inc., people familiar with the matter said.

Waze is fielding expressions of interest from multiple parties and is seeking more than $1 billion, said one of the people, who asked not to be identified because the talks are private. The Palo Alto, California-based startup might also remain independent, instead seeking to raise a round of venture capital financing, the people said.

Hack in the box: FiOS customer discovers the limits of "unlimited" data: 77TB a month


Yes, Virginia, there is a limit to what Verizon will let you do with FiOS' "unlimited" data plan. And a California man discovered that limit when he got a phone call from a Verizon representative wanting to know what, exactly, he was doing to create more than 50 terabytes of traffic on average per month—hitting a peak of 77TB in March alone.

Hack in the box: Meet the Man Who Sold a Month-Old App to Dropbox for $100M


When Mailbox sold itself to Dropbox for a reported $100 million or so this March, the month-old iPhone app wasn’t even available to the public. People could download the email organizer, but using it required joining a mailing list that stretched to nearly 800,000 names at one point.

SecuriTeam Blogs: REVIEW: “Cloud Crash”, Phil Edwards

BKCLDCRS.RVW   20101009

“Cloud Crash”, Phil Edwards, 2011, 978-1466408425, U$9.99
%A   Phil Edwards PhilEdwardsInc.com philipjedwards@gmail.com
%C   Seattle, WA
%D   2011
%G   978-1466408425 1466408421
%I   CreateSpace Independent Publishing Platform/Amazon
%O   U$9.99
%O   http://www.amazon.com/exec/obidos/ASIN/1466408421/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/1466408421/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1466408421/robsladesin03-20
%O   Audience n Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   386 p.
%T   “Cloud Crash”

To a background of the Internet crashing, and opposed by a conspiracy that has penetrated the highest levels of government, two (no, make that three … err … four … better say five …) groups of individuals race to save the world from … a stock market fraud?  hostile takeover? aliens?  (No, I’m pretty sure the aliens were a red herring.)

The story and inconsistent characterizations could use some work, and the plot twists don’t make it very easy to follow what is going on.  It’s fairly easy to tell who the good and bad guys are: the politics and philosophy of the book are fairly simple, and one is reminded of the scifi and comics of the 30s and 40s, with heavily anti-fascist and (ironically) right-wing rhetoric.

It would be tempting to dismiss the work as a simple “jump on the latest buzzword” potboiler, were it not for the fact that the technology is fairly realistic.  Yes, right now everyone is jumping on the cloud bandwagon without much regard for real security.  Yes, if you wanted to make a big (and public) splash on the Internet, without doing too much permanent damage, taking down power supplies would still leave the data intact.  (Of course, an axe would do just as good a job as bombs …)

So, while the story isn’t great, at least the technology is less annoying than is normally the case …

copyright, Robert M. Slade   2012     BKCLDCRS.RVW   20101009


Zero in Bit: Twitter Two-Steps Harder Than a Skrillex Show on Ice

Nothing’s free in this world, especially not when it comes to security. With Twitter officially cramping your style, you are now forced to waste precious seconds you could be tweeting, by instead waiting for a verification code to be delivered to your phone just so you can log in.

The thing about options is that you have them…and options tend to let people remain lazy. Options also carry consequences which never make sense until they actually happen to you. That being said, Twitter gives you the option to activate two-factor authentication, but first…you are going to have to link a phone-number to your account.

As the plot thickens, it also doesn’t yet scale for those with the biggest targets on their backs. Media outlets cannot afford to sacrifice the coverage they get with multiple users on staff for a little bit of security….but this is only the first round from Twitter, as they have informed us all to “Stay tuned”. So maybe it is less likely we will be seeing tweets announcing Justin Bieber’s birth to Siamese monkey twins at the Anne Frank House in the coming weeks, but knowing your Twitter account is (more) secure is worth it, right?

I know we all love the instant gratification that comes from the massive amount of irrelevant nonsense Twitter delivers around the world; the very concept of a tweet is that thoughts and opinions (assuming they are <140 characters) are available to all of your loyal followers just as quickly as you can get them out.

Keep fighting the good fight my friends. Until next time, “help us, help you”.

CNET News.com - Security: Two-factor authentication: What you need to know (FAQ)

Twitter just got it. Apple recently got it, too. Google, Microsoft, Facebook, and Amazon have had it for a while. But why's two-factor authentication important, and will it keep you safe?

NYC Resistor: Introducing “Future Crew”

Building "Future Crew" console #1
Do you enjoy playing Space Team, but find that you want tactile controls? Or like the Artemis Bridge Simulator, but think it is too serious? Do you love pushing buttons, turning knobs and shouting at each other? Then you’ll really have fun playing Future Crew at the NYCR Interactive Party!

Future Crew push button panel construction
Since the theme of the party is “Digital Archeology”, all of the control stations are being built from repurposed dead hardware. There’s a patch panel, push buttons, strobe lights, more push buttons, quadrature knobs, oscilloscopes, and maybe even a teletype to keep score.

Future Crew display console
Each console will have a Raspberry Pi with Wifi to talk to the other consoles, some number of Teensys to talk to the real world, and some sort of glitchy way to communicate to the operator (like an NTSC TV or a Minitel). If things don’t work right, that’s part of the fun. And, of course the source code will be available for you to build your own Future Crew Consoles.

Tickets for the party are on sale now!

May 23, 2013

The Register - Security: Google to double encryption key lengths for SSL certs by year's end

2048-bit keys will be the norm

Google is about to start the first upgrade to its SSL certification system in recent memory, and will move to 2048-bit encryption keys by the end of 2013. The first tranche of changes is planned for August 1.…
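A defender reading this will want to know which of their own certificates still sit below the 2048-bit floor. The following is an added example, not code from The Register or from Google: a stdlib-only Python check that reads the PEM SubjectPublicKeyInfo that `openssl x509 -pubkey -noout` prints for a certificate, walks the DER structure, and reports the RSA modulus size. The sample keys it builds for itself are constructed, synthetic inputs with only the modulus length set; they are not real key material, and `make_sample_rsa_spki` exists only so the check can be exercised offline.

```python
"""Audit RSA public-key sizes in PEM SubjectPublicKeyInfo blobs (stdlib only)."""
import base64
import re

MIN_RSA_BITS = 2048                                   # the floor Google is moving to
RSA_OID = bytes.fromhex("2a864886f70d010101")         # 1.2.840.113549.1.1.1 rsaEncryption


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                                 # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Return the RSA modulus size in bits, or None if the key is not RSA."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, alg, pos = _read_tlv(spki, 0)                  # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_OID:
        return None                                   # EC or other key type: not our concern here
    tag, bitstr, _ = _read_tlv(spki, pos)             # subjectPublicKey BIT STRING
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_seq, _ = _read_tlv(bitstr[1:], 0)          # skip the unused-bits octet
    int_tag, modulus, _ = _read_tlv(rsa_seq, 0)       # RSAPublicKey ::= SEQUENCE { n, e }
    if int_tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def pem_to_der(pem_text):
    """Strip the PUBLIC KEY armour and base64-decode the body."""
    body = re.sub(r"-----(BEGIN|END) PUBLIC KEY-----", "", pem_text)
    return base64.b64decode("".join(body.split()))


def key_meets_minimum(spki_der, minimum=MIN_RSA_BITS):
    """True only for RSA keys at or above the minimum; non-RSA keys are reported as failing."""
    bits = rsa_modulus_bits(spki_der)
    return bits is not None and bits >= minimum


# --- constructed sample input (assumption: only the size matters for this check) -----------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        header = bytes([tag, n])
    else:
        length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        header = bytes([tag, 0x80 | len(length_bytes)]) + length_bytes
    return header + content


def _der_int(value):
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw                           # keep the INTEGER positive
    return _der(0x02, raw)


def make_sample_rsa_spki(bits, exponent=65537):
    """CONSTRUCTED test input: a modulus with its top bit at `bits`; not a real key."""
    modulus = (1 << (bits - 1)) | 1
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    alg_id = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))


def make_sample_pem(bits):
    b64 = base64.b64encode(make_sample_rsa_spki(bits)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


if __name__ == "__main__":
    for size in (1024, 2048, 4096):
        der = pem_to_der(make_sample_pem(size))
        verdict = "ok" if key_meets_minimum(der) else "BELOW MINIMUM"
        print(f"{rsa_modulus_bits(der)}-bit RSA: {verdict}")
```

To run it against a real certificate, feed `rsa_modulus_bits(pem_to_der(open("pub.pem").read()))` the output of `openssl x509 -in cert.pem -pubkey -noout`; keys that return `None` are not RSA and need a separate policy.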

EFF deeplinks: Even Attorney General Eric Holder Supports ECPA Reform

In a hearing last week in front of the House Judiciary Committee, Attorney General Eric Holder announced his support for updating the Electronic Communications Privacy Act (ECPA). ECPA, which was written in 1986, is the main privacy law protecting private electronic messages like email, private Facebook messages, and Twitter direct messages. The law has been used by the government to argue that emails older than 180 days can be obtained without a probable cause warrant.

The current bills moving to reform ECPA focus on clarifying that the government must obtain a warrant before looking at email and other private online messages. In 2010, the Sixth Circuit ruled that, as written, this so-called "180-day rule" was unconstitutional. It's taken the Department of Justice (DOJ) years, but it's finally changing its tune. Attorney General Eric Holder is now the most senior official in the Administration to publicly support the so-called "warrant for content" aspect of ECPA reform.

Attorney General Holder's comments follow a March hearing where the Director of the DOJ's Office of Legal policy declared: "there is no principled basis to treat e-mail less than 180 days old differently than e-mail more than 180 days old.” At the hearing last week, Attorney General Holder unequivocally stated his support for ECPA reform noting all email should be protected by a warrant. Attorney General Holder's statement finally confirms the DOJ's support of a statutory requirement for a warrant to access all email.

This is the second year in a row where ECPA reform bills have been introduced in both the House and the Senate. Bills that focus on protecting a user's geolocation with a warrant requirement were introduced by Senator Wyden and Rep. Chaffetz, while another three different bills ensure a warrant requirement for private messages. In the House, Reps. DelBene and Lofgren have proposed HR 983 and Rep. Yoder has introduced HR 1852, while in the Senate, Senators Lee and Leahy have proposed S 607. Unfortunately, the latter group of bills are missing one key component: real teeth in the form of a suppression remedy.

In the current drafts, if law enforcement obtained your email without a warrant, in violation of the revised law, nothing would prevent that illegally obtained evidence from being admitted in a criminal trial. A suppression remedy is a common sense addition to the bill ensuring that its impact is equal to its intent: ensuring all private virtual messages—just like any other private physical message—are available to the government only with a warrant based on probable cause.

It's great to see ECPA reform advancing. The Digital Due Process coalition, a diverse coalition of privacy advocates (including EFF) and major technology companies, has worked hard to advance ECPA reform and should be commended for its work. But a suppression remedy should be in any ECPA reform bill. Regardless, Attorney General Holder's statement is an encouraging sign by the White House that the DOJ believes in ECPA reform and will not impede its progress.


EFF deeplinks: Don't Believe the Publishers' Hype: Support Open Access

Once again, we are seeing entrenched interests try to fight the future with scare tactics and misinformation. This time, it's major journal publishers, and their target is open access to taxpayer-funded research.  

First things first: The reason the publishers are on the warpath is that state and federal legislators are looking to expand open access.  One of the leading bills is California's open access bill (AB 609). This legislation is being discussed in the Assembly's Appropriations Committee tomorrow. If you're a California resident, now is the time to contact your Assembly member and ask that they support public access to taxpayer-funded research.

Now for a dose of reality. As a nation, we've already seen successful public access policies—most notably the NIH public access policy, which requires research funded by one of the nation's largest funding bodies to be put in a free repository within a year of first publication. A bill now pending in Congress, the Fair Access to Science and Technology Research Act (FASTR) would expand the NIH policy to a dozen other funding bodies while also reducing the embargo period to six months. Over the last several years, the academic medical community has embraced open access, and publishers that adapted to this policy are still making record profits.

But they aren't happy about it and they certainly don't want expansion. Now that the open access train appears to be leaving the station, their message is simple: we don't need a mandate, just trust us to handle open access. The trouble is they think open access means nothing more than providing publicly accessible links to their own publications.

Most recently, the Association of American Publishers (AAP) sent a letter to the California Assembly's Appropriations Committee full of numbers and allegations that would scare anyone—if only they were based in fact. Similar language was used to challenge FASTR last February, when the bill was introduced into the House and Senate. U.C. Berkeley professor and PLoS-co-founder Michael Eisen has done a thorough takedown of the AAP's letter. We'll focus here on a few major points:

Claim: The policies would add significant costs to agencies' and states' budgets

The AAP's California letter claims that "state universities could be faced with open access publishing charges estimated at more than $1 million annually." In truth, the law leads to nothing of the sort. Rather, it simply requires recipients of state funding to put their final manuscripts in a public repository. These repositories already exist: for example, the University of California system has already offered their robust, scalable eScholarship repository for this task. Moreover, the world of open access publishing is new, it's burgeoning, and it's fostering competitive and cost-effective new options like PeerJ.

The AAP also says that in 2008 an NIH director "indicated the agency spends $100 million a year for page fees and open access charges" and then proceed to use fuzzy math to assume California's costs to be $1.1 million for a public access policy. As Professor Eisen points out, not only did this number come out before the NIH policy was implemented, but the estimate carefully avoids mentioning that a majority of page fees went towards publishers, not open access costs.

Claim: The policies would "undermine publishers' efforts to provide access to high-quality peer-review research publications in a sustainable way"

It's unclear how a policy that mandates final, peer-reviewed manuscripts to be put in a repository undercuts access to peer-reviewed works. The NIH policy features similar language, and last we checked publishers and journals were still able to carry out comprehensive peer review processes—most of which, by the way, are done for free by other scholars. 

The AAP simultaneously claims that universities would not actually be able to cancel subscriptions if there were an open access policy, and therefore not actually save money. Eisen puts it best: "The bill will not save California any money because libraries will not cancel any subscriptions, but will undermine publishers' ability to carry out peer review because they will lose revenue from canceled subscriptions. Huh? They can not have it both ways." The fact is, AB 609 most likely will not affect journals at all.  Here's what will: the growth of open-access journal models. And that trend will continue with or without the law.

Claim: These bills will negatively impact jobs and force journals to go the way of newspapers

This is the familiar we-can't-compete-with-free argument. The claim that existing businesses cannot adapt to new technologies and new cultures of sharing has been disproven repeatedly, and we predict the same outcome here. First of all, open access legislation does not prevent publishers from offering subscription or fee-based models. Right now, the crisis in the current knowledge-space centers on the fact that information cannot be accessed, shared, or built upon. If anything, more access to knowledge will lead to further scientific progress, more uses of collected information, and downstream innovation—all of which sounds like more jobs and a strengthened economy.

Also worth noting with respect to the California bill: the majority of journal publishing jobs are not located in this state at all. And as a recent study highlighted, 90 percent of the revenue of the five largest science, technical, and medical publishers was generated by foreign-owned firms.

Claim: The policies require agencies and states to "undertake extensive, open-ended work already being performed successfully by the private sector," including the fact that "publishers are devoted to providing access to research and invest in the dissemination of research in a variety of ways"

Major publishers have made some effort to improve access to portions of their research, but they have consistently been followers, not leaders.  Indeed, their efforts gained momentum only after the leading open access journals—such as PLoS or BioMed Central—showed that they could publish works, have impact, and make money. If the major publishers are "devoted" to providing access to research, they sure aren't showing it. The bulk of research is still locked down behind paywalls, time barriers, and strict licensing regimes. That means we don't have robust access to the work we helped fund, like the latest medical and scientific research.    

Publishers and their lobbying groups float these arguments—and even more absurd ones—every time a similar bill is proposed. It's time to put these falsities and fears aside and support strong open access policies. Contact your Congressmen about supporting FASTR. And Californians, contact your Assembly Member today about supporting AB 609, the California public access bill.

Carnal0wnage Blog: Funky Juniper URLs

If you've ever tested any clients that have Juniper VPNs you've probably seen the ol':

http://[target]/dana-na/auth/url_default/welcome.cgi URL.

@infosecmafia and I mentioned in our DerbyCon talk on how you can sometimes find extra or test URLs that are also valid URLs for the Juniper VPN. The example we used was where the url_default required secret questions but url_8 or whatever did not because it was a test URL the admins had set up.

Soooooooo, it's worth running a quick check if you come across one. I wrote a Metasploit auxiliary module to do this. Pretty simple, it just runs through url_0 to url_100 and prints out the 200 replies. Looks like so:

–[+] 192.168.1.1:443 Received a HTTP 200 with  bytes for /dana-na/auth/url_0/welcome.cgi
–[+] 192.168.1.1:443 Received a HTTP 200 with  bytes for /dana-na/auth/url_1/welcome.cgi
–[+] 192.168.1.1:443 Received a HTTP 200 with  bytes for /dana-na/auth/url_2/welcome.cgi
–[+] 192.168.1.1:443 Received a HTTP 200 with  bytes for /dana-na/auth/url_3/welcome.cgi
–[+] 192.168.1.1:443 Received a HTTP 200 with  bytes for /dana-na/auth/url_4/welcome.cgi
–[+] 192.168.1.1:443 Received a HTTP 200 with  bytes for /dana-na/auth/url_5/welcome.cgi
–[+] 192.168.1.1:443 Received a HTTP 200 with  bytes for /dana-na/auth/url_6/welcome.cgi
–[+] 192.168.1.1:443 Received a HTTP 200 with  bytes for /dana-na/auth/url_8/welcome.cgi
–[+] 192.168.1.1:443 Received a HTTP 200 with  bytes for /dana-na/auth/url_9/welcome.cgi
–[+] 192.168.1.1:443 Received a HTTP 200 with  bytes for /dana-na/auth/url_12/welcome.cgi

Seeing these doesn't ALWAYS mean you have a multi-factor bypass, but it's worth checking out if the main site is multi-factor.

Random example: url_default, url_3, url_8, url_10
Available on my github repo until I get around to doing a pull request.

-CG
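The defender's view of the same behaviour, as an added example that is not the Metasploit module from the post: a walk through url_0, url_1, url_2 ... from one client in a short window is easy to spot in the appliance's access logs, and the same logs tell an admin which url_N sign-in realms the box is actually serving, which can then be compared against the realms that were meant to be exposed. The log lines below are constructed, and their Common Log Format layout is an assumption; a real appliance's log layout differs and the `CLF_RE` pattern would need adjusting.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sign-in URL shape as shown in the post: /dana-na/auth/url_<name>/welcome.cgi
SIGNIN_RE = re.compile(r"^/dana-na/auth/(url_[A-Za-z0-9]+)/welcome\.cgi")
# Common Log Format (assumed here): client ident user [time] "method path proto" status size
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Constructed sample access log, not real traffic. 203.0.113.7 walks the numbered
# sign-in URLs (url_7 and url_10 do not exist on this box); 198.51.100.5 is an
# ordinary user hitting only url_default.
SAMPLE_LOG = """\
198.51.100.5 - - [23/May/2013:09:58:40 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
203.0.113.7 - - [23/May/2013:10:00:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
203.0.113.7 - - [23/May/2013:10:00:02 +0000] "GET /dana-na/auth/url_0/welcome.cgi HTTP/1.1" 200 5102
203.0.113.7 - - [23/May/2013:10:00:03 +0000] "GET /dana-na/auth/url_1/welcome.cgi HTTP/1.1" 200 5098
203.0.113.7 - - [23/May/2013:10:00:04 +0000] "GET /dana-na/auth/url_2/welcome.cgi HTTP/1.1" 200 5098
203.0.113.7 - - [23/May/2013:10:00:05 +0000] "GET /dana-na/auth/url_3/welcome.cgi HTTP/1.1" 200 4870
203.0.113.7 - - [23/May/2013:10:00:06 +0000] "GET /dana-na/auth/url_4/welcome.cgi HTTP/1.1" 200 5098
203.0.113.7 - - [23/May/2013:10:00:07 +0000] "GET /dana-na/auth/url_5/welcome.cgi HTTP/1.1" 200 5098
203.0.113.7 - - [23/May/2013:10:00:08 +0000] "GET /dana-na/auth/url_6/welcome.cgi HTTP/1.1" 200 5098
203.0.113.7 - - [23/May/2013:10:00:09 +0000] "GET /dana-na/auth/url_7/welcome.cgi HTTP/1.1" 404 310
203.0.113.7 - - [23/May/2013:10:00:10 +0000] "GET /dana-na/auth/url_8/welcome.cgi HTTP/1.1" 200 4411
203.0.113.7 - - [23/May/2013:10:00:11 +0000] "GET /dana-na/auth/url_9/welcome.cgi HTTP/1.1" 200 5098
203.0.113.7 - - [23/May/2013:10:00:12 +0000] "GET /dana-na/auth/url_10/welcome.cgi HTTP/1.1" 404 310
203.0.113.7 - - [23/May/2013:10:00:13 +0000] "GET /dana-na/auth/url_12/welcome.cgi HTTP/1.1" 200 5098
198.51.100.5 - - [23/May/2013:10:03:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
"""


def parse_line(line):
    """Return {ip, time, realm, status} for a sign-in page request, else None."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status, _size = m.groups()
    realm = SIGNIN_RE.match(path)
    if not realm:
        return None
    return {
        "ip": ip,
        "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "realm": realm.group(1),
        "status": int(status),
    }


def served_realms(log_text):
    """Sign-in URLs the appliance answered with 200, sorted. An admin compares this
    against the realms that were meant to be reachable from the internet."""
    events = (parse_line(l) for l in log_text.splitlines())
    return sorted({e["realm"] for e in events if e and e["status"] == 200})


def find_enumeration(log_text, window=timedelta(minutes=5), min_distinct=5):
    """Flag clients that requested >= min_distinct distinct url_* realms inside one
    time window. Attempts count regardless of status: a 404 is still a probe.
    Returns {ip: sorted realms seen}."""
    by_ip = defaultdict(list)
    for e in (parse_line(l) for l in log_text.splitlines()):
        if e:
            by_ip[e["ip"]].append((e["time"], e["realm"]))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, first_realm) in enumerate(events):
            seen = {first_realm}
            j = i + 1
            while j < len(events) and events[j][0] - start <= window:
                seen.add(events[j][1])
                j += 1
            if len(seen) >= min_distinct:
                flagged[ip] = sorted(seen)
                break
    return flagged


if __name__ == "__main__":
    print("realms served with 200:", served_realms(SAMPLE_LOG))
    for ip, realms in find_enumeration(SAMPLE_LOG).items():
        print(f"enumeration from {ip}: {len(realms)} distinct realms, e.g. {realms[:4]}")
```

The threshold of five distinct realms in five minutes is a starting point, not a tuned number: a legitimate user rarely touches more than one or two sign-in URLs, so anything beyond that from a single source is worth a look, and the 404s mixed in with the 200s are the clearest sign that the client is guessing rather than following links.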

SANS Internet Storm CenterISC StormCast for Thursday, May 23rd 2013 http://isc.sans.edu/podcastdetail.html?id=3326, (Thu, May 23rd)

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

hackadayTweaking designs for [Theo Jansen] walking machines


We love the look, and most especially the gait, of [Theo Jansen's] walker designs. We don’t fully understand them or the math behind them. But that could change if we spend enough time studying [Aaron Birenboim's] body of work. He wants to incorporate the legs in a project so he’s been trying to optimize the Jansen leg design.

The calculations are delivered in a source code package available from his site. To make heads or tails of the numbers you need a way to visualize them. He has provided that as well, in the form of a MATLAB script which shows the leg piece design and can even spit out an animated .gif file of the virtual legs in motion.

If you have no idea what we’re talking about make sure to check out [Jansen's] original creations. We’re also excited to read more about the Klann and Ghassaei linkage designs which [Aaron] talks about in his post.


Filed under: 3d Printer hacks

DigitalBondSpread The FUD, Swiftly, Swiftly

There is a tactic in sales and marketing called ‘FUD’. Many of us are familiar with it, most of us have encountered it. It stands for “Fear, Uncertainty, and Doubt”, and the tactic involves influencing perceptions with overwhelming amounts of…. “Fear, Uncertainty, and Doubt”.

FUD is a constant issue in the ICS Security arena, for we deal with things that do more than go bump in the night, they can explode, spin themselves apart, electrify everything, and spread chemical nastiness into the air. So, are you suitably impressed now?  Scared?  Uncertain about your safety, and the safety of your family? Have an overriding need to call your representative, and vent that feeling? That’s FUD.

And like this recent article that quotes Joe Weiss and Walt Boyes. First, some respect: Joe bangs the drum harder and stronger than many in ICS, and his efforts in D.C. provide pressure for change. And Walt’s reputation precedes him as well, as a Fellow in ISA and former designer of industrial automation equipment. And it’s important to note that no article, no quote, can fully represent the totality of someone’s opinion. However, I’ve read enough from both of them over the years to know where they stand on IT and ICS.

But HONESTLY fellas .. Why all the FUD?

Yes, we need to be careful when we add security controls to industrial control systems, maybe not adding them at all if the age and capability of the system won’t support it. Yes, there are  significant differences in how ICS works from the normal IT model, such as the need for reliable, on-time, and accurate data and control capability. And yes, well intentioned but ICS-inexperienced IT personnel have interrupted critical processes (of course, so have engineers, there is no monopoly on oops).

But, instead of following those statements up with tangible actions that IT and security vendors can take to become more aware and compete in this space, Joe and Walt criticize an entire establishment, basically because that establishment aren’t engineers, and don’t know how the plant operates. Fundamentally, not every ICS security project that employs IT personnel is doomed to failure, just as not every engineering effort is fated for success. What makes a project successful is the people, and how they work together toward a common goal, and all this division and suspicion just isn’t healthy. Good people build better tools, learn faster, and provide better risk reduction, regardless of where they are in the engineer/technician/professional hierarchy.

I understand where Joe and Walt are coming from, they don’t want unqualified individuals and companies working in the ICS space, and even talking (testifying?) about ICS related issues. They are concerned about unintended effects, especially effects that cause the exact problem the security is attempting to prevent and detect. But going about it in this way, spreading FUD around that is directed specifically at IT and Security companies may have an unintended effect itself: The truly competent hang back to ensure that they are competent, while the grossly incompetent blunder on into RFPs and site visits.

The fact is this: ICS owners hire those that put themselves forward for the work, not the ones that are hanging back. The space is getting a lot hotter, we need to get the best qualified at the front, and fast.

Readers, I’m here to tell you this: It’s ok if your role in a project is security, threats, and the tools used to mitigate against cyber intrusion, but not knowledge of the process. Security knowledge is necessary, it’s valuable, and it’s in short supply in the ICS community. But, know your limitations, and be open honest and transparent about those limitations, because you are not a process expert. There must be others at the table with the process knowledge, the operational knowledge to contribute. If those individuals aren’t there, I suggest you walk, because you are in a risky situation.

What is not ok is assuming you have that experience. What is not ok is doing work on ICS systems without proper guidance and discussion with those who do have a knowledge of the control system and the process. What is not ok is assuming the behavior of a control system based on an entirely different IT system. Ideally, the responsibility for ensuring that contractors are competent rests on the owner, but without standards of excellence in ICS and IT to measure individuals and corporations by, there is a lot of room for the incompetent to dodge.

In his blog post, Joe asks the question “What does it take for ICS cyber security to become mainstream..”?

My answer: We need security, management, and operations to sit down and discuss the real rewards and risks associated with putting security into ICS, and stop trying to scare each other off. This will not be a painless process, but with discussion and transparency we can make ICS security more mainstream, and develop practices to ensure reliability and availability of critical processes. Many of these practices exist, such as the NIST SP800-82 and ISA 99, but others will need to be found out the painful way, and communicated to industry. And, we need to stop the criticism, and make with the actions.

Or, we can continue to point and criticize and opine from the opposite sides of the table. Your choice.

title image by opensourceway


hackadayLaptop vs Thermite: Slow motion destruction


Years ago we covered using thermite to destroy a hard drive. The idea is that if you melt through the platters, the data is completely unrecoverable.  There are tons of videos of people doing this, but they all have a similar format. There’s a hard drive, with a flower pot or soda can sitting on top full of thermite. They then light this with a strip of magnesium and a torch.

I wanted to do something a little different. I wanted to implement thermite as a self destruct mechanism inside the device. To do this, I had to come up with a way to ignite the thermite. This stuff is very difficult to light. You have to get it really really hot. The easiest way is to use magnesium, which itself isn’t the easiest thing to light.

What I finally landed on was an ignition system that uses model rocket igniters, gun powder, and magnesium to light the thermite.  The model rocket igniter can be set off from the 12v line inside your computer. However, it isn’t hot enough to light magnesium shavings, much less thermite. To get it to work, I needed to add some gunpowder. A small amount of gun powder would get hot enough to light the magnesium shavings, which in turn were hot enough to light the thermite. I had to be careful though, because too much gunpowder would cause a rapid expansion, blowing the thermite everywhere instead of lighting it. You can actually see some red thermite being blown out of the external hard drive and the laptop as the gunpowder ignites.

Image captions: gun powder; model rocket igniters; magnesium shavings.

Effectiveness of external hard drive self destruction:

I wasn’t sure about this one. There isn’t a whole lot of space for thermite and the ignition system inside the box. On top of that, the only space was at the side of the hard drive, where the walls are the thickest. I had no idea if the small amount of thermite I used would penetrate the drive. It did, just barely as you can see in these pictures. It looks as if it pooled in the screw holes  and made it inside. The platters are damaged.

Image captions: burnt unit; looking down on hard drive; you can see a hole in the drive from this angle; yuck; yep, appears to be the screw hole; platters are damaged, but not as effective as thermite to the top.

Effectiveness of laptop destruction:

I decided to completely replace the cd rom with thermite. This gave me a ton of space to put things. I was pretty positive this would work. The hard drive is in the center of this laptop, which meant I had to place it on its side for this to be effective. You can see the thermite work its way down toward the drive in the video. As you can see in the pictures below, the drive cover is completely gone and the platters are destroyed. Success!

Image captions: crusty; hard drive is center of the image; platters are clearly visible; completely fried; uncovered; no data coming off that.

Since this system can be powered by batteries or the internal power of your computer, it can be put inside a working device only to be used when needed. Obviously it is a ridiculous fire hazard that no one should bother with. It was a fun experiment though, and I really feel like it is something that would fit in well in the world of [James Bond].


Filed under: chemistry hacks, computer hacks, Featured

CNET News.com - SecurityIs protecting intellectual property from cyberthieves futile?

Experts gathering to discuss intellectual-property theft say that a fix will require the application of economic sanctions, not just more technology.


Robert PenzMicrosoft Remote Connectivity Analyzer

By pure luck I found the Microsoft Remote Connectivity Analyzer, as I’m not into the Microsoft world. Anyway, this web site lets you easily test whether the groupware server you’re using is configured correctly, for example if you have problems connecting or syncing your mobile or tablet to a server via ActiveSync. This protocol is not just used by Exchange but also by some open-source groupware applications. Anyway, it’s a nice link to know.