SpyPhone 3GS
If you own an iPhone, security researcher Charlie Miller can take control of it, and short of turning off the device, it appears there isn't much you can do to stop him. Not until Apple fixes the flaw, anyway.…

[Jen Hui Liao] created a device that guides the user into drawing a portrait of themselves. Dubbed Self-Portrait Machine, it comments on how much in society is created by machines and how dependent we are on them. Unlike previous drawing robots, the user is part of the sketching process. The machine holds the user's hands and uses stepper motors and servos to move them around like a LOGO turtle. Liao promises to have more details available soon. Video of the machine after the jump.

This is another post based on notes from the Gartner Information Security Summit. Neil MacDonald gave a talk titled Five Alternatives to Desktop Lockdown: Balancing Control and Creativity.
Desktop Lockdown has failed.
But so has complete freedom.
So what do you do?
From an operational perspective, desktop lockdown was performed to reduce the number of disk images the helpdesk had to maintain. It reduced application conflicts and visits by the helpdesk. From a security perspective, lockdown was performed to prevent malware and to prevent users from disabling security applications.
Lockdown has failed for a number of reasons. In XP, the locked-down experience is lacking. You can't change the time zone or install a printer driver. It's not workable for the traveling user.
Locking down computers failed because new technologies bypass local controls. For example, it doesn't prevent the user from using Google Apps and other forms of cloud computing in an insecure manner. Being a standard user doesn't even prevent all software installs. Google Chrome installs as a standard user. Microsoft was pressured to make Silverlight install without administrative rights. As long as the software only writes to your user profile and your portion of the registry, it can install as a standard user. Malware writers will not be deterred by lack of admin rights.
It's almost a cliché at this point, but the consumerization of IT has led to a new workforce: Generation Y digital natives. They may not be better at not falling for fake AntivirusXP, but they expect full access all the time.
Does IT really know what people need to do their jobs? Locking down was supposed to be a means to an end, not an end itself. Protecting the data is the primary goal.
Saying that lockdown has failed does not mean that complete freedom has succeeded.
The cost of managing end-user computers is far greater for unmanaged computers. The risk of virus attacks is much greater with administrative rights.
So what do you do? The talk reviewed multiple alternatives.
Alternative 1: De-Privilege Admins - UAC
UAC prompts to elevate rights when admin rights are needed.
As you already know, that can be annoying if you have a lot of poorly written applications that need admin rights. Also, depending on the user, this can be barely a speed bump in stopping malware.
Alternative 2: Whitelist
While basic whitelisting is currently available in Windows XP and later, as well as in most Endpoint Protection (AV) applications, newer offerings from companies like Bit9 make it easier to whitelist. They maintain the lists so you don't have to manually update each time a new version is released. They also can use reputation services that make a judgment about any new/unknown files.
One user, when told we were considering this technology, stated that as an engineer he installs all sorts of software and really important work would stop if he couldn't install every random file he found on the Internet.
Host-based Intrusion Prevention Systems (HIPS) also fall into this category. They are much more complex, and can cause instability issues depending on how they are integrated.
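The point above that per-user installs (Chrome, Silverlight) land in the user profile where lack of admin rights does not stop them, and the whitelisting alternative, come together in the following added example (not code from the talk or from any vendor mentioned). It builds a constructed sample profile directory, hashes every executable found under it, and reports anything whose SHA-256 is not on a hash allowlist; directory names and file contents are assumptions for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# File types Windows will run straight out of a standard user's profile.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".msi"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_unapproved(profile_dir, allowlist):
    """Return sorted profile-relative paths of executables whose hash is not allowlisted."""
    root = Path(profile_dir)
    unapproved = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            if sha256_of(p) not in allowlist:
                unapproved.append(p.relative_to(root).as_posix())
    return sorted(unapproved)


def build_sample_profile():
    """Constructed sample profile: a Chrome-style per-user install plus an unknown binary in Temp."""
    root = Path(tempfile.mkdtemp(prefix="profile_"))
    files = {
        "AppData/Local/Google/Chrome/Application/chrome.exe": b"MZ constructed chrome build",
        "AppData/Local/Temp/update_helper.exe": b"MZ constructed unknown binary",
        "Documents/report.docx": b"not an executable, ignored",
    }
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    return root


def demo():
    """Allowlist only the known-good Chrome binary; everything else executable gets reported."""
    root = build_sample_profile()
    allow = {sha256_of(root / "AppData/Local/Google/Chrome/Application/chrome.exe")}
    return find_unapproved(root, allow)


if __name__ == "__main__":
    for rel in demo():
        print("not on allowlist:", rel)
```

A real deployment would populate the allowlist from a vendor feed or a golden image rather than from the scanned machine itself, which is exactly the maintenance burden the talk says vendors like Bit9 take on.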
Alternative 3: Remote Presentation
In this scenario users log into a remote server such as VMware or Terminal Server. Of the local computer and the remote session, one is managed and one is unmanaged.
This scenario requires solid network connectivity. It also isn't clear how the network is protected from the unmanaged computer.
Alternative 4: Multiple Virtual Machines running locally
Unlike the previous alternative, the user can work remotely without a connection, because the virtual machines are on the local computer.
The major drawbacks to this approach are licensing cost, patching, and extra hardware cost.
In the future the hypervisor may make it to the desktop for better performance, but we are not there yet.
Alternative 5: Workspace Virtualization
In this alternative the risky applications are put into their own sandbox.
Ringcube, Creedo, and InstallFree are three vendors in this space.
Alternative 6: Hybrid
A few from column A and a few from column B.
Alternative 7: Employee Owned PCs
I've read the articles on companies that are providing dollars for people to buy and support their own computer. I also read about a smaller company where the owner considered the computer like a toolbox. The craftsman provides his own tools. Not a great analogy because a craftsman power saw isn't going to get infected and DDoS the network. (Although cheap worker provided power tools could break spectacularly in a particularly liable fashion).
The analogy provided during the presentation was a road. A trucker provides the truck. He can buy the truck he wants, but it must meet certain requirements. Then while used on the road he must obey traffic laws. Officer Friendly is waiting to write a speeding ticket.
Those are seven alternatives to desktop lockdown. I think that application whitelisting will become the most mainstream the fastest. Although virtualization is moving fast. XP mode within Windows 7 is virtualization. I believe Macs have a virtual MS Windows. The question I would have is what gets virtualized. Every Internet facing application?
For the longest time, vendors made me feel like I was at the only company in America to allow Administrator rights to users. (Neil MacDonald, if you head this way I'd love to know what percentage of companies in general, and Federal Contractors in particular, lock down the computers by restricting admin rights as required by the FDCC.) It is very interesting to hear about some other solutions. Obviously antivirus is not working, but we still need to provide protections.
I'm thrilled to announce that I have been selected to speak at the StarWest 2009 Quality Conference (SQE) October 5-9th 2009, hosted at the Disneyland Hotel in Anaheim, CA! Link to the conference website is here (http://www.sqe.com/starwest/Schedule/Default.aspx) and there are a number of awesome speakers as well!
The StarEast conference was chock-full of great speakers, vendors and of course yours-truly... speaking on Security topics and why the quality assurance teams are so crucial to the web application security process. That's right, I've been talking about Q/A engineering and testing teams and why they're so crucial to the success of any enterprise web application security program - but now for the first time you'll get the truth that the IT Security guys probably won't tell you - YOU are the key! My talk on this topic promises to be riveting and will certainly have an impact on formal testing and security organizations...
As an added bonus - if you sign up you'll get money OFF the price of your admission!
Register using special promo code SKWS and save up to $300! Register by September 4th to add the Early Bird Discount for up to $600 in total savings! Call the client support group at 888.268.8770 or register online at: https://www.sqe.com/starwest/Register/SelectConference.aspx
I'll see you all there!
Lifehacker wrote a guide for cracking a WiFi network’s WEP password using BackTrack. BackTrack is a Linux live CD used for security testing and comes with the tools needed to break WEP. Not just any wireless card will work for this; you need one that supports packet injection. The crack works by collecting legitimate packets then replaying them several times in order to generate data. They point out that this method can be hit-or-miss, especially if there are few other users on the network, as the crack requires authenticated packets. We covered cracking WEP before, but using BackTrack should smooth out compatibility issues.

Scratchbot is designed as a rescue bot, going places where there is low visibility. Its defining feature is the fact that it uses “whiskers” to feel for things. We feel like this is a little gimmicky. If it is a low-visibility situation, wouldn’t IR or audio, possibly sonar, be more effective? How would it differentiate between different physical obstacles? Are the whiskers really new? Aren’t they really just bump sensors? Maybe they have something a little more complicated going on. There was another recent bot that utilized whiskers and compared different tactile profiles to determine what it was touching.


A probe cable makes it easy to connect the Bus Pirate to a circuit and get hacking. Good test clips make quick connections on cramped PCBs without causing short circuits. We made two cables for the Bus Pirate v2; keep reading for an overview of our designs and a list of part suppliers.
Friday, July 3, 2009 is the last day to pre-order a Bus Pirate. There’s only two days left to get your own Bus Pirate, fully assembled and shipped worldwide, for only $30.
Overview

We use these cables to connect the Bus Pirate’s I/O pins to a microchip or test circuit. A cable consists of a 2×5 connector, a cable, and some kind of attachable probe like an alligator clip or test hook.
The gray cable (top) is a ‘junk box’ cable; we recycled it from scrap parts and old computer hardware. The ‘expensive’ cable (bottom) uses high-quality and special-order parts.
2×5-pin female connector

The Bus Pirate’s I/O header is two rows of five 0.1″-spaced pins. We used a 2×5 arrangement because 2×5-pin female ribbon cable connectors are common and cheap. We decided against a single row of 10 pins because that connector is an expensive specialty item.
The pin names are shown above, and are silk-screened on the bottom of the PCB. See the Bus Pirate page for detailed descriptions of each pin function.

The junk box cable uses a 2×5-pin female connector from an old PC ISA card.
The expensive cable uses a black connector with a reinforced cable holder. Mouser has gray connectors ($0.69) and black connectors ($1.15).

Ribbon cable connectors have internal pins that pierce the cable when the top part is pressed onto the bottom part.
Ribbon cable

Standard 2×5-pin female connectors attach to 0.05″ 10-strand ribbon cable. The wire thickness is usually 22, 24, or 26 AWG. We think 12 inches (30 cm) is a useful length that doesn’t get in the way.
Grey ribbon cable is pretty common. We salvaged a piece from an old computer connector; you might get lucky and find one with a 2×5 connector already attached.
A color coded cable makes it easy to identify each connection. DigiKey has 5 foot sections ($3.03), Mouser has it by the foot ($1.16, $1.19).
Ribbon cable is cheap and readily available, but it tends to tangle and kink. A really nice probe could use a ribbon cable stub attached to thicker test leads.
Test clips
Test clips are the most important part of the cable. They have to be easy to position, and maintain contact with the circuit. Alligator clips work, but there’s a lot of exposed metal that can create short circuits. Professional test clips have a grabber that retracts into the probe leaving less metal exposed.
Alligator clips

The junk box cable has alligator clip probes; we pulled them off test leads like these (40 leads for $12). You could also use loose red and black clips (20 for $2.30).
Remember to put the rubber housing on the cable before soldering the wire to the alligator clip; it won’t go on later. In the photos you can see that some of our covers are cut to fit over the front of the clip because we forgot.
Round test hooks

This is the classic, round-bodied test hook. These are great for grabbing onto 0.1″ pin headers, wires, and the leads of through-hole components. The hooks are usually too big to use with surface mount components, and the round body makes it hard to fit more than a few in a small space.

Test hooks are easy to position. Squeeze the probe to extend a single metal hook, grab something, then release. The hook retracts into the body of the probe, securing it in place and preventing short circuits.

Most hooks come apart by pulling the top away from the body. Put the test lead through the hole in the cap and solder it to the metal tab. Push the halves together when the joint is cool.
DigiKey ($17.26) and Fry’s ($14.95) have multi-colored hooks in sets of 10. Deal Extreme has dirt-cheap 10 packs of yellow ($2.30) and black ($2.33) hooks, but the reviews say the quality matches the price so buy extra (via [haku]).
Flat test tweezers

Tweezer-probes are great for clipping onto the legs of through-hole, surface mount, and many smaller chips. They usually have a flat body so they fit better in tight spaces than round hook probes.

This type of probe has tiny tweezers instead of a hook. Accidental short circuits are rare because there’s so little exposed metal when the tweezers retract.

Most tweezer-probes pull apart and have a metal solder tab inside. Run a cable strand through the hole in the cap, solder it to the metal tab, and then press the halves back together.
Tweezer quality varies dramatically among brands; we’ve used no-name probes that bend easily or don’t grip well. The X-series micro-hooks from E-Z-Hook are the Cadillac of tweezer-probes; we first used the XKM version that comes with the Saleae Logic. They’re intended to fit specialty test leads, but it’s easy to solder a wire to them instead. About $2 each, available directly from the E-Z-Hook website.
Conclusion
We highly recommend a cable with hook or tweezer-probes for secure connections without causing shorts. The right probe depends on the parts you use. Round test hooks work best with through-hole parts and wires. Flat test tweezers attach well to small, surface mount chips.
Please share any additional part sources in the comments. We did our best to provide a variety of sources, but there’s going to be some great places we’ve missed.



On 02/07/09 At 06:30 PM
Stairs are one of the most commonly faced mobility challenges for a robot. This robot’s design eliminates the need for a complex drive train or computer, and instead uses a clever mechanical design to climb stairs. Version three of the robot uses five servos modified for continuous rotation, a Picaxe28, sharp IR sensors, and bump sensors.
[via BotJunkie]

Out of business, Clear may sell customer data: Via computerworld.
It would go to a similar provider authorized by the TSA
Three days after ceasing operations, owners of the Clear airport security screening service acknowledged that their database of sensitive customer information may end up in someone else's hands, but only if it goes to a similar provider, authorized by the U.S. Transportation Security Administration.
Until this week, the Clear service had given customers a way to skip long security lines in certain airports. For a $199 annual fee, air travelers could be pre-screened for flight and then use Clear's security checkpoints instead of the TSA's. Clear was run by New York's Verified Identity Pass, which also shut down on Monday.
Customers had to provide personal information, including credit card numbers, fingerprints and iris scans, in order to participate in the program. After Clear abruptly shut its doors -- it has not yet declared bankruptcy -- some worried that this data could fall into the wrong hands.
TSA asked to ensure safety of customer data after Clear closing: Via computerworld.
The chairman of the House Committee on Homeland Security has given the Transportation Security Administration until July 8 to explain how the agency plans to ensure the security of private data collected by a recently shuttered company that offered a registered traveler program.
In a letter to the TSA's acting assistant secretary, committee Chairman Bennie Thompson (D-Miss.) expressed his concern over the abrupt closure of Verified Identity Pass Inc.
For a $199 annual fee, New York-based VIP offered a service called Clear that was designed to help air travelers get through airport security checks faster by vetting their identities and backgrounds in advance.
AVG bosses aren't saying much, but there's new evidence the anti-virus maker is seriously considering building an application for the Mac.…