Friday, 11 December 2009

Hak5’s Darren on Discovery: Hackers Versus Cyber Criminals

Thursday, 10 December 2009

Want to watch Hulu on your Mac in Europe? Then check out this video

Hulu.com in Europe - For Mac Users from Kurt von Moos on Vimeo.

Wednesday, 9 December 2009

RFID passport identity theft made simple

You’re confident your RFID passport is safe in its signal-blocking wallet as you pass through immigration. What you don’t know is that the man behind you is recording the data sent by your passport’s RFID chip as it is scanned.
Your name, nationality, gender, birthday, birthplace and a nicely digitized photo are in his hands. With that info he can photoshop up a passport, get a copy of your Social Security card and with that get credit cards and bank accounts in your name.
Rewarding individual enterprise
Thanks to bureaucratic confidence in RFID technology this is a real threat. An article in the Communications of the Association for Computing Machinery goes into the details:
For successful data retrieval the perpetrator’s antenna must catch two different interactions: the forward channel, which is the signal being sent from the RFID reader to the RFID token; and the backward channel, which is the data being sent back from the RFID token to the RFID reader. . . .
. . . the perpetrator would need only an antenna and an amplifier to boost the signal capture, a radio-frequency mixer and filter, and a computer to store the data. The amplifier itself would not even need to be that powerful, since it would need to boost the signal over only a short distance of three to five meters. . . . These RFID “sniffers” can then be plugged into a laptop via a USB port.
They’ve got your data, now what?
The weak 52-bit key encryption is easily broken. Then just counterfeit the passport, get a social security card and start shopping!
As the article notes, forging a passport can be expensive. It might be easier just to steal it.
The Storage Bits take
The RFIDiocy keeps getting worse. The Feds were pwnd at DefCon earlier this year.
But these are just the risks we know about today. What new technologies will appear in the next 15 years to make both eavesdropping and forgery easier?
The RFID passport is a technological sitting duck for bad guys of all kinds - criminals and terrorists - courtesy of the US State Department.
As I noted in a previous post:
The time to end this nonsense is now. There are perfectly usable non-RF storage technologies - like 3D barcodes - that can safely store data in hard to crack, hard to hack formats.
We can do better. And we must.

Tuesday, 8 December 2009

Metalab's open support letter regarding the recent hackerspace raid


On November 28th, the police conducted a raid on a suspected illegal nightclub in Malmö. The official reason for the operation was that they suspected the club, which arranged a punk concert that evening, of selling alcoholic beverages without permission. And the police did indeed find and seize some beer, wine, and booze there, as well as a few other personal belongings that are not too surprising at a punk concert (firecrackers, pepper spray, etc.). Details can be found in the police's official press release.
So far, so unexciting.
What the press release fails to mention is that the police also raided the premises of another organisation that had nothing to do with the nightclub, other than being located in the same building: the hackerspace Forskningsavdelningen.
Forskningsavdelningen is a hackerspace - a place for people with an interest in technology to share knowledge and work together. What does this organisation, located on a different floor, have to do with a suspected illegal club organised by a different organisation? Not much, it would seem.
Okay, so maybe it was bad luck that they were raided. Less than perfect intelligence on behalf of the police. Embarrassing, but no big deal.
Except that the police actually confiscated six computers, a WiFi router, and other valuable technical equipment from Forskningsavdelningen - and now want to raise charges of "preparation for Grand Theft" and "IT intrusion".
The grounds for the charge of preparation for Grand Theft is that the equipment in the hackerspace included two key copying machines and a collection of lock picking tools. According to the police, this indicates that a burglary was planned. Similarly, the presence of a "special antenna to receive wireless signals over long distance" is used to justify the suspicion of IT intrusion.
All of these tools are perfectly legal to own and operate - unless of course they are actually used for illegal purposes. A knife can be used to cut a steak or to stab somebody. If I own a knife, does that indicate that I am planning an assault?
Owning an antenna - even a "special", modified antenna - does not indicate an intention to commit a crime. It indicates an interest in wireless transmission, and may in fact be the first prototype of tomorrow's technology.
What about lock picking? Same thing. Lock picking is a sport practised by official clubs all over Europe. In addition to the edification of their members, these clubs provide a valuable service to the public by demonstrating the security flaws in common locks. Participation in this sport is no more a preparation for burglary than sport shooting is a preparation for murder.
We are deeply concerned by this disregard of the most basic legal right - the presumption of innocence. We are worried by the fact that the open, critical study of technology is used as grounds for accusing innocent people.
As members of the Metalab, a hackerspace in Vienna, Austria, we express our solidarity with our friends in Sweden. We join them in demanding the return of all seized equipment and we sincerely hope that this whole affair will turn out to be a misunderstanding rather than an intentional interference with the rights of innocent citizens.
To restore the principle of legal certainty and avoid similar mistakes in the future, we strongly recommend a full investigation of the raid (its reasons and actual execution) as well as the legal grounds (or lack thereof) of raising charges based on the possession of legal equipment.
About the Metalab:
The Metalab is a hackerspace in Vienna, and as such a sister project of Forskningsavdelningen. Our organisation is privately financed by its members, as well as publicly subsidised, and has been host to widely recognised talks, conferences, workshops, and social events. Moreover, the Metalab has given birth to various commercial, civic, philanthropic, and social ventures. These sorts of advances can only grow in certain environments - and hackerspaces, like the Metalab, strive to provide such an environment. An environment that may seem odd or ominous to outsiders. An environment that usually harbours technology that's not a common sight in just any home or office. But after all, this is the whole point of a hackerspace - to collectively extend the individuals' possibilities.
Hackerspaces enrich their region's cultural and technological scene. They are places of information, discussion, experimentation and openness. They are the real world manifestations of a new paradigm, originated in the free, border-less and undiscriminating nature of the internet and its communications structures. Hackerspaces are places where freedom of opinion meets creativity and spawns inspiration. They're the birth-place of start-up firms that employ cutting edge technology, of altruistic community projects and of art in new media.

The TSA makes another stupid move


When the TSA makes mistakes this egregious it really isn’t all that hard to pick on them.
The latest is that their Screening Management Standard Operating Procedure is published on the internet. I actually like that. I don’t think that security through obscurity is a good idea. Of course the document is marked SSI and includes this footnote on every page:
SENSITIVE SECURITY INFORMATION 
WARNING: THIS RECORD CONTAINS SENSITIVE SECURITY INFORMATION THAT IS CONTROLLED UNDER 49 CFR PARTS 15 AND 1520. NO PART OF THIS RECORD MAY BE DISCLOSED TO PERSONS WITHOUT A “NEED TO KNOW,” AS DEFINED IN 49 CFR PARTS 15 AND 1520, EXCEPT WITH THE WRITTEN PERMISSION OF THE ADMINISTRATOR OF THE TRANSPORTATION SECURITY ADMINISTRATION OR THE SECRETARY OF TRANSPORTATION. UNAUTHORIZED RELEASE MAY RESULT IN CIVIL PENALTIES OR OTHER ACTION. FOR U.S. GOVERNMENT AGENCIES, PUBLIC DISCLOSURE GOVERNED BY 5 U.S.C. 552 AND 49 CFR PARTS 15 AND 1520.

So the decision to publish it on the Internet is probably a questionable one. On top of that, however, is where the real idiocy shines. They chose to publish a redacted version of the document, hiding all the super-important stuff from the public. But they apparently don’t understand how redaction works in the electronic document world. See, rather than actually removing the offending text from the document they just drew a black box on top of it. Turns out that PDF documents don’t really care about a black box like that, and the actual content of the document is still in the file.
Yup, their crack legal staff managed to screw this one up pretty badly. Want to know which twelve passports will instantly get you shunted over for secondary screening, simply by showing them to the ID-checking agent? Check out Section 2A-2 (C) (1) (b) (iv). Want to know the procedure for CIA-escorted passengers to be processed through the checkpoint? That’s in the document, too. Details on the calibration process of the metal detectors are in there. So is the procedure for screening foreign dignitaries.
It is pretty pathetic that the folks supposedly responsible for administering this “security” program cannot even be bothered to do the simplest parts of their job correctly. Then again, passing through the checkpoint every time I fly, it is pretty clear that they do a lot of things incorrectly. Just chalk this one up to more of the same idiocy. More done badly.
Want to read it for yourself? Grab a copy here. Who knows how long they’ll keep it online.
Once you’ve downloaded the PDF you’ll see the black boxes. Simply highlight the text (start above and drag down to below the redaction area) so that you’re selecting all of the stuff in the “redacted” area. Copy the selection and paste it into the word processing client of your choice.
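Why the black-box approach fails is easy to see at the level of the PDF page itself. As an added illustration (not part of the original post or the TSA document), the Python below builds a constructed page content stream in which one line of text has been covered with a filled rectangle, shows that text extraction still recovers the covered line, and contrasts that with real redaction, which deletes the covered text operators. The four-operator parser is a deliberate simplification of the PDF content-stream syntax, not a general PDF reader.

```python
import re

# Added example: a toy parser for the PDF content-stream operators that matter
# here. BT starts a text object, Td moves the text position, Tj shows a string,
# and "x y w h re f" fills a rectangle. Real pages use many more operators.
_OPS = re.compile(
    rb"(?P<bt>BT)"
    rb"|(?P<td>(-?[\d.]+)\s+(-?[\d.]+)\s+Td)"
    rb"|(?P<tj>\(((?:[^()\\]|\\.)*)\)\s*Tj)"
    rb"|(?P<rect>(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s+re\s+f)"
)

# Constructed "redacted" page: two lines of text, then a black rectangle
# (fill colour set by "0 g") painted over the second line only.
OVERLAY_REDACTED = (
    b"BT /F1 12 Tf 72 720 Td (Public paragraph, visible to everyone) Tj "
    b"0 -20 Td (SECRET: constructed sensitive line) Tj ET "
    b"0 g 70 695 300 16 re f"
)


def extract_text(stream):
    """Every string the page draws, whatever is painted on top of it."""
    return [m.group(6) for m in _OPS.finditer(stream) if m.group("tj")]


def find_text_under_boxes(stream):
    """Strings whose start point lies inside a rectangle filled after them.
    Td is relative, so the position is accumulated within each text object.
    A non-empty result means the "redaction" is only cosmetic."""
    x = y = 0.0
    shown, leaked = [], []
    for m in _OPS.finditer(stream):
        if m.group("bt"):
            x = y = 0.0
        elif m.group("td"):
            x, y = x + float(m.group(3)), y + float(m.group(4))
        elif m.group("tj"):
            shown.append((x, y, m.group(6)))
        else:
            rx, ry, rw, rh = (float(v) for v in m.group(8, 9, 10, 11))
            leaked += [t for tx, ty, t in shown
                       if rx <= tx <= rx + rw and ry <= ty <= ry + rh]
    return leaked


def strip_text_under_boxes(stream):
    """Real redaction: delete the covered text operators, keep the boxes."""
    covered = set(find_text_under_boxes(stream))
    return _OPS.sub(lambda m: b"" if m.group("tj") and m.group(6) in covered
                    else m.group(0), stream)
```

Running `find_text_under_boxes` over a document before publication is the check that would have caught this: it returns the covered line for the overlay version and an empty list once the operators are actually removed.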

Monday, 7 December 2009

Nokia to halve smartphone offerings in 2010


Nokia, the world's largest mobile phone maker, has announced it will be cutting its smartphone offering in half next year, despite losing market share to rivals RIM and Apple.

"We see ... really fierce competition certainly in the high end, but we also see it in the mid to low end of smartphones increasing," said Jo Harlow, chief of Nokia's smartphone unit, via Reuters. "We will defend our position, but we believe we also have tools to play offense as well as defense."

Part of that "defense" will be to push smartphone prices lower while at the same time increasing margins. Recent figures showed that Nokia had lost smartphone market share for the most recent quarter, from 41 percent to 35 percent.

"Reducing the number of smartphone models makes a lot of sense ... but Nokia has to be very careful in finding the right balance: its large product portfolio has been one of its strong competitive advantages in the past," concludes Bernstein analyst Pierre Ferragu.

Woman arrested for taping minutes of 'Twilight' film with camera


A 22-year-old woman was arrested in Chicago this week for recording three minutes of the newest "Twilight" film with a digital camera at the movie theater, and spent two days in jail.

Additionally, Samantha Tumpach now faces up to three years in jail after being charged with a count of criminal use of a motion picture exhibition.

However, Tumpach says that she wasn't filming the movie and was instead taping parts of her sister's birthday party, which was in part at the movie theater. Although the movie is in the background in clips, there are longer clips of family and friends singing happy birthday to Tumpach's sister at the theater.

“It was a big thing over nothing,” Tumpach added of her arrest. “We were just messing around. Everyone is so surprised it got this far.”

After being nabbed by an employee, managers called the police, who checked the camera and found about three minutes of footage.

“It was never my intention to record the movie,” concluded Tumpach.

Apple acquires Lala

Apple has confirmed that it will be purchasing music streaming service Lala although financial details have not been released as of yet.

Lala had been struggling, and the CEO recently announced that prospects of turning a profit in the near future were slim to none. Lala has an 8 million song library and allows users unlimited streaming of a track for 10 cents, or purchase of the track for $0.79.

The purchase will allow Apple to add full-length streaming to iTunes instead of the current 30-second clips and could even lead to a streaming radio service for the platform.

Lala and similar service iLike currently partner with Google to allow for quick discovery of music via the search engine.

Apple has $31.1 billion in cash and likely could purchase Lala for under $500 million.

Macs retake reliability ranking top spot
Apple reclaimed the top spot in the computer-reliability ranking of Rescuecom, a Syracuse, N.Y.-based technical support franchise, as netbook maker Asus' rating plummeted, Rescuecom's CEO said Saturday.

Apple's Macs, which led all rivals in Rescuecom's rankings during 2007 and 2008, ceded first place to PCs sold by Asustek Computer (better known as Asus) in the first half of 2009, falling as low as third in the first quarter, behind both Asus and Lenovo.

But Apple recaptured the top ranking for the third quarter with a reliability score of 374. Behind Apple were Lenovo and Asus with 320 and 166, respectively, followed by Toshiba and Hewlett-Packard in fourth and fifth place.

Rescuecom produces its scores by comparing the percentage of support calls represented by each vendor with each computer maker's U.S. market share. The greater the difference between the two, the higher the score. For example, although Apple's U.S. market share was 9% -- according to research firm IDC, whose data Rescuecom used to calculate its ratings -- Macs accounted for just 2.4% of the calls to Rescuecom. According to Rescuecom's reasoning, the higher scores indicate more reliable hardware and better support from the computer makers.

Apple's third-quarter rating was actually 5% lower than the 394 Rescuecom gave the company's computers for 2009's second quarter.

But Asus' decline was the big story. The Asian computer maker, which led Rescuecom's rankings for the first six months of the year, has seen its reliability rating plunge from a first-quarter high of 972 to 166 in the third quarter.

Asus' nose-dive was hardly a surprise, said David Milman, Rescuecom's CEO. "This is what we were waiting for on Asus, whether or not their reliability score would be maintained," said Milman in an e-mail. "Now that many of the netbooks by Asus have been out for a while, there is obviously a higher need for service."

Last March, when Asus first jumped to the top spot on Rescuecom's list, company president Josh Kaplan said Asus' ranking should be taken with a grain of salt, since it was based on a huge bump in sales during the last few months of 2008, when Asus' netbook sales took off. That, in turn, meant that Asus machines had been in users' hands for just several months, which could translate into fewer support calls.

"It will be interesting to see in the coming quarters if Asus will start coming down to the level of the other vendors, or can sustain it," Kaplan said at the time.

Apparently, it couldn't sustain its record rating, which in the first quarter Rescuecom measured as 972, nearly six times higher than its score in the third quarter. Asus' second-quarter rating was 416.

Toshiba's and HP's scores also fell from the second quarter, although less dramatically than Asus'. Toshiba's reliability score was 165 in the third quarter, down 24%, while HP's third-quarter score of 134 was off 6% from the previous quarter.