dc0de’s & friends notes…

Help find this stolen motorcycle.

A friend of mine had his motorcycle stolen between 11/4/11 19:30 and 11/5/11 10:00 near 25th and Gaffey, San Pedro CA. Please be on the look out for it, it’s a 1977/76 Motoguzzi 850 t3, with the following distinguishing features.

• Clutch lever is original Motoguzzi aluminum (as seen in photo)
• Rear brake lever is newer, black, very diff from clutch lever
• The pipes you see in that picture are specific. They aren’t unique but you probably won’t see another Motoguzzi with them
• The tank has a ‘scar’ on the right side just below the Motoguzzi logo
• Seat is new marine vinyl except for the rear section which still has the original material, with a crack, and the original MotoGuzzi silk screened on it
• Has non-stock, aftermarket spoke wheels
• Front tire has a groove in it, just right of center (as your facing it)

If you have any information at all regarding this motorcycle, please contact  flea23b at gmail dot com, or me at mr.dc0de at gmail dot com.  (note that there is a ZERO in my username)

I just read this article on computerworld.com, and was happily surprised for the first time in 10 years.

Finally, someone get’s “it”.

The FFIEC is planning on requiring stronger dual authentication methods for online transactions, which is a very good thing.  PCI, Sarbanes-Oxley, HIPAA, GLBA, and a myriad of other regulations and requirements are not keeping pace with the ever shifting threat landscape.  In fact, most of them are so committee driven, it simply takes YEARS to get a new requirement instituted in the standard, and then there are YEARS allowed to implement the new standard.  The FFIEC is a bit different however.  I’ve worked in the financial sector for many years, (12+), and have respected the FFIEC’s direction with information security.  I feel that they set the strongest set of standards today, with the exception of Top Secret Government networks.

The greatest part of the FFIEC, is that their governance has teeth.  If a financial institution fails the audit, and fails to remediate the failings, the FFIEC’s Regulatory Agencies can go so far as to close that financial institution.  This is different from most every other regulation or requirement, as the business is simply closed.  Not fined, not shamed on the front page of national news papers, it simply has it’s doors closed.  Ponder that for a moment, you fail, and you’re closed.  You can’t Risk Manage away the costs of LOSING THE ORGANIZATION, unlike a fine for non-compliance, … so, IMHO, those are REAL TEETH.  I’ve added a link to the FFIEC’s Standards and Regulations at the bottom of this post.

My two favorite comments in the article are  below:

“Obviously, some of the banks thought that it was enough if they simply added cookies or challenge/response-based authentication,” Litan said.

“What has happened is that the FFIEC has realized that some banks need to be told in black and white what they need to do.”

via Banks may soon require new online authentication steps – Computerworld.

Related articles

• Govt May Soon Force Banks to Impose New Online Authentication Steps (pcworld.com)
• FFIEC Guidelines – Update Imminent? (silvertailsystems.wordpress.com)
• SC Magazine on whether or not authentication is sufficient (silvertailsystems.wordpress.com)
• Incite 1/25/2011: The Real-Time Peanut Gallery (securosis.com)
• Hurricane Beacon 2011-01-26 (hurricanelabs.com)
• Experi-Metal vs. Comerica Case Heads to Trial (krebsonsecurity.com)
• Escrow Co. Sues Bank Over $440K Cyber Theft (krebsonsecurity.com)
• Silver Tail Systems webinar with Brian Krebs (silvertailsystems.wordpress.com)

It’s the Latency, Stupid.

I was reminded again today of the above rant penned by Stuart Chesire, in May of 1996.  I overheard someone from our “offshore” (see India) team who was having latency issues with their connections from India, to the United States.

Regardless that there are reports that India is far ahead of the United States with regards to Information Technology education, it seems that these SIMPLE things are often overlooked.  Sadly, it’s not just the Indian education system that is overlooking this.  I see this is a VERY common occurrence in my line of work.

Look people, if the road is slow, no amount of lanes across is going to make it faster.  You’re stuck with latency.

Some great examples of latent connections:

1. India to the United States (Pacific Ocean fiber crossings)
2. Any “broadband – satellite” connection.  (a single packet path of 44,462 mi, more than twice the earth’s circumference)
3. Dial up

Get with it folks, we haven’t beat the speed of light yet, so until we do, deal with the latency… kthnxbye

Conversation with thiflannigan3452
(06:53:40) Thi Flannigan: hey cutie
(07:18:49) me: cutie?
(07:19:04) Thi Flannigan: Yay someone to talk to !! how are u?
(07:19:17) me: not too bad, have we met?
(07:19:32) Thi Flannigan: I’m great thanks for chattin with me I found your name in the online members search whatcha up to?
(07:20:24) me: getting ready for work.
(07:20:40) Thi Flannigan: I’m not too into exchanging pics .. are you?
(07:21:00) me: no.
(07:21:17) Thi Flannigan: i’d rather see each other u can see the real thing on my cam… u want to?
(07:21:26) me: no thanks.
(07:21:40) Thi Flannigan: no worries..thouhght u wanted to see me naked ..:)
(07:21:59) me: ummm, no. not into watching cams… more into doing the real thing.
(07:22:16) Thi Flannigan: Click http://www.acceptinvite.com/xxxxx it’s a more secure place with my cam u will have to verify your age so I’m not showing my pussy to a minor , i had to do it too but dont worry its 100% FREE and its alot of fun once u get in
(07:22:26) me: nope, don’t do that.
(07:22:41) Thi Flannigan: make sure you click join free in orange at the top,click it k?
(07:22:46) me: no.
(07:22:56) me: I have frogs in my shoes
(07:23:01) Thi Flannigan: ok, fill out your info,first and last name, make sure you put your correct b-day k?
(07:23:10) Thi Flannigan: Credit card, debit card, or atm is just to verify your age hun, your card will NOT be charged just validated see where it says that? like i said it’s FREE… cant show tits and pussy to minors..you know?
(07:23:27) me: have you ever put peanut butter in your pants pockets?
(07:23:43) Thi Flannigan: I’m inside waiting for you.
(07:24:05) me: oh, inside my computer? or inside my car?
(07:24:49) me: Are you there?
(07:27:20) me: oh no, are you trapped in my computer?

New regulations would give law enforcement a “back door” to monitor online communications, threatening civil liberties and stifling innovation in the process.

Taking a cue from the authoritarian regimes of Saudi Arabia and the United Arab Emirates, American law-enforcement and intelligence agencies are seeking to re-engineer the Internet and other digital communications networks to make them easier to spy on.

…

It’s hard to blame harried law-enforcement officials for wishing they could freeze time or control disruptive technological changes. They can’t, of course, but they could do a great deal of damage to both the high-tech economy and the security of global communications before they figure that out.

via Wiretapping the Internet | The American Prospect.

Related articles by Zemanta

• I pledge… (noblesouth.com)

The sin of techno lust

In the business space it’s easy to get seduced by sexy security technologies but implementing too many security technologies will increase operational risk of information security instead of achieving defense in depth.

via When defense in depth fails – two deadly sins | Israeli Software.

Great article by Israeli Software on why Defense in Depth fails…

Related articles by Zemanta

• Security weaknesses in airport internet kiosks (securityninja.co.uk)
• Benlog: defending against your own stupidity (boxofmeat.net)
• Learned Lessons Are Not the Whole Picture (bloginfosec.com)
• The Two Most Important Questions in Cybersecurity (blogs.forbes.com)
• Changing User Behavior is Key to the Malware Protection Process (insight.accuvant.com)
• TechnoDyne Hosts Certified Information Systems Security Professional (CISSP) Certification Exam Training Class in Tysons Corner, Virginia (eon.businesswire.com)
• Updates to NIST SP 800-53 (flyingpenguin.com)

A great article for the lock picking newbie…. (by Jon Wellborn @ jonwellborn.com)

I’m assuming this newbie has already spent some time with basic lock concepts the LSI Guide to Lockpicking and the MIT Guide to Lockpicking are both sufficient for this introduction and has attempted to pick a few locks, with some success, and wants to establish a good practice base to build from. Hopefully the following will serve that purpose in a general way:

via Lockpicking – practice locks and starter picks « Never a dull moment.

Related articles by Zemanta

• Competitive lockpicking growing in US popularity (makezine.com)
• The Growing Sport of Competitive Lockpicking (neatorama.com)
• Professional Lock-Picking Competition Showcases the Superior Pick Resistance of Kwikset SmartKey Deadbolts (prweb.com)
• Locksport: Competitive Lockpicking Growing In U.S. Popularity (huffingtonpost.com)

If the US Government, Department of Homeland Security (our KGB), has their way, Airports are going to be one day fitted with Future Attribute Screening Technology (FAST) systems, that will be a “walk through” polygraph system.  This system will supposedly tell a screener that you’re hiding something, not on your persons, but in your mind… and that’ll give them reason to take you aside for questioning.  The technology is based on today’s polygraph systems, and will not require you to wear any devices to pick up your heart rate, or other vital signs, but will instead use “touchless” technology to watch your facial expressions, blink rate, LIDAR to read your heart rate, and thermal cameras to detect temperature changes inside and outside your body…

“In the laboratory now, we have a success detection rate [percentage] of malintent or not malintent, in the mid-70s,” says Robert Burns, the DHS programme manager for FAST. “That’s significantly better than chance or what the trained people can do.”

Sorry, but just because I may be hiding something, or keeping secrets, and being nervous about my travel situation, isn’t quite enough for anyone to take me aside for questioning.
These systems would strip our 4th amendment rights, when traveling.   Of course, it’s all for our own good, so what’s the harm?

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

On what grounds does the government have to go into my mind, body, and make decisions based on how my body reacts to the stresses of what I know, and cannot disclose?

We all have secrets, we all have anxiousness to some level… what is “normal”?  The sad part is, it’s our tax money being frittered away to the tune of $10,000,000 per year on this project, according to the article in Nature News.

Could we spend that money more wisely? I think so…

Airport security: Intent to deceive? : Nature News.

Lieberman Bill Gives Feds ‘Emergency’ Powers to Secure Civilian Nets | Danger Room | Wired.com.

I wonder if this is going to effect his already abysmal approval rating?

Lieberman’s approval rating in a poll taken January 4–5, 2010, was 25% approve versus 67% who disapprove, making him one of the least popular Senators currently in office.^[8]

http://en.wikipedia.org/wiki/Joe_Lieberman

Really, this isn’t new, it’s just another reach into the civil world.   The government doesn’t pay for the critical infrastructure, it just wants to control it.  Something here stinks…

This is why I'm not getting one...

The iPad may be “cool” but I fail to see the point.  It’s not going to be the “next big thing”, tablets have been out for YEARS people, and they are relegated to minimalistic roles in the computing industry.  Would I use a tablet? Sure, if I had a way to input information as fast as I can type, which at last test was in the 55/wpm range.  Voice recognition isn’t there, handwriting analysis isn’t there, so what is the purpose of a “tablet” based computer?  Here’s what I can see as a viable use for such a product:

• reading documentation (similar to a kindle & other ebook readers)
• drawing and sketching
• surfing the web with a mouse only, as typing is cripplingly slow on any tablet interface
• performing tasks that currently have specialized equipment, such as retail inventory systems and bar code scanning
• a new pretty interface for McDonalds(tm) POS terminals

Aside from those, this is just another pretty toy.  When you couple it’s fixed configuration and limited battery life, you’re going to be sending it to the scrap pile in 3 years, adding to the pile of trash that we as Americans produce.  I’m still not giving up my laptop or my netbook, as they are both upgradeable (to a point), and provide all of the same functionality that I could get with the iPad.  Until there is a fully upgradeable tablet computer with a full keyboard that has the battery life of my netbook, I really don’t need this toy.

Way to go Apple, another non-green product for our future.