Archive for the Opinions Category

[Image: lockpicking practice block, by insunlight via Flickr]

A great article for the lock-picking newbie… (by Jon Wellborn @ jonwellborn.com)

I’m assuming this newbie has already spent some time with basic lock concepts (the LSI Guide to Lockpicking and the MIT Guide to Lockpicking are both sufficient for this introduction), has attempted to pick a few locks, with some success, and wants to establish a good practice base to build from. Hopefully the following will serve that purpose in a general way:

via Lockpicking – practice locks and starter picks « Never a dull moment.


If the US Government’s Department of Homeland Security (our KGB) has its way, airports are one day going to be fitted with Future Attribute Screening Technology (FAST) systems: a “walk-through” polygraph.  This system will supposedly tell a screener that you’re hiding something, not on your person, but in your mind… and that will give them reason to take you aside for questioning.  The technology is based on today’s polygraph systems, and will not require you to wear any devices to pick up your heart rate or other vital signs; it will instead use “touchless” technology to watch your facial expressions and blink rate, LIDAR to read your heart rate, and thermal cameras to detect temperature changes inside and outside your body…

“In the laboratory now, we have a success detection rate [percentage] of malintent or not malintent, in the mid-70s,” says Robert Burns, the DHS programme manager for FAST. “That’s significantly better than chance or what the trained people can do.”

Sorry, but the fact that I may be hiding something, or keeping secrets, and am nervous about my travel situation isn’t quite enough for anyone to take me aside for questioning.
These systems would strip our 4th Amendment rights when traveling.   Of course, it’s all for our own good, so what’s the harm?

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

What grounds does the government have to go into my mind and body, and to make decisions based on how my body reacts to the stresses of what I know and cannot disclose?

We all have secrets, we all have anxiety to some level… what is “normal”?  The sad part is, it’s our tax money being frittered away, to the tune of $10,000,000 per year on this project, according to the article in Nature News.

Could we spend that money more wisely? I think so…

Airport security: Intent to deceive? : Nature News.


Lieberman Bill Gives Feds ‘Emergency’ Powers to Secure Civilian Nets | Danger Room | Wired.com.

I wonder if this is going to affect his already abysmal approval rating?

Lieberman’s approval rating in a poll taken January 4–5, 2010, was 25% approve versus 67% who disapprove, making him one of the least popular Senators currently in office.

http://en.wikipedia.org/wiki/Joe_Lieberman

Really, this isn’t new, it’s just another reach into the civil world.   The government doesn’t pay for the critical infrastructure, it just wants to control it.  Something here stinks…


This is why I'm not getting one...

The iPad may be “cool” but I fail to see the point.  It’s not going to be the “next big thing”; tablets have been out for YEARS, people, and they are relegated to minimalistic roles in the computing industry.  Would I use a tablet? Sure, if I had a way to input information as fast as I can type, which at last test was in the 55 wpm range.  Voice recognition isn’t there, handwriting analysis isn’t there, so what is the purpose of a “tablet” based computer?  Here’s what I can see as a viable use for such a product:

  • reading documentation (similar to a kindle & other ebook readers)
  • drawing and sketching
  • surfing the web with a mouse only, as typing is cripplingly slow on any tablet interface
  • performing tasks that currently have specialized equipment, such as retail inventory systems and bar code scanning
  • a new pretty interface for McDonalds(tm) POS terminals

Aside from those, this is just another pretty toy.  When you couple its fixed configuration with limited battery life, you’re going to be sending it to the scrap pile in 3 years, adding to the pile of trash that we as Americans produce.  I’m still not giving up my laptop or my netbook, as they are both upgradeable (to a point) and provide all of the same functionality that I could get with the iPad.  Until there is a fully upgradeable tablet computer with a full keyboard that has the battery life of my netbook, I really don’t need this toy.

Way to go Apple, another non-green product for our future.


Official Gmail Blog: Today’s vowel outage.

In yet another blow to the Cloud Computing proponents, it seems that Gmail has suffered another outage.  Over the past year, Cloud Computing supporters have raved about the features and benefits of computing “in the cloud”, yet outages like these continue to occur in massive numbers.

Google’s Gmail blog today noted that they are suffering problems with their flagship free email service.  The blog post states that the problem was noted at 6:01am Pacific time, and that it began spreading to other data centers in an almost virulent fashion.  The Gmail blog goes on to state that the letters a, e, i, o, and u are missing from the alphabet on their web servers.  Google has yet to determine why this is happening, and recommends that you track their blog for ongoing details (linked above).

The Gmail staff and Google headquarters have refused to comment on this outage, stating, “We do not discuss ongoing technical support issues.”


My take on Java

February 16th, 2010

Simply put,

“Using java to manage a security device is like putting a pedophile in charge of a day-care center.”


Gartner in two-factor authentication warning – V3.co.uk – formerly vnunet.com.

Apparently, Gartner has caught up with the rest of the Information Security world, and is now pressing for Two-Factor authentication everywhere.

(Gartner is a laugh a minute… really… )

Gee.  What was their first clue?

Let’s set the “wayback” machine to February 2000, when Wave Systems Corporation published their paper on encrypting hard drives.

Let’s take a look at the landscape back then… just focusing on Access Controls…

Taking the data out of their table and recreating it here (each entry gives the source of the requirement, then the requirement it imposes for access controls, ID management and authentication):

  • FISMA / NIST standards (mandatory for US federal agencies, recommended for private sector): NIST SP 800-53 rev. 1, AC-3, AC-6, AC-17, AC-19, IA-1 – IA-7
  • PCI DSS security standard (payment card industry): Requirements 7, 9; logical access separate from OS (3.4.1)
  • ISO 17799 / 27002 and BS 7799: Access Control element; Communications and Operations Mgmt requirement
  • ITIL / ISO 20000: IT Security Mgmt
  • GLBA and FFIEC (US financial data): Access on a “need-to-know” basis; access controls required by FFIEC
  • FCRA / FACTA (US consumer reports): Confidentiality obligation
  • US FTC, state enforcement of “fair trade” acts and related private litigation: Required in consent decrees for SSNs and payment card data; negligence standard with reference to PCI DSS and GLBA Financial Safeguards Rule
  • US state (and proposed federal) laws on security and security breach notice for personal data that raises ID theft risks: CA AB 1950 and several other state laws require “reasonable” security measures; several states considering reference to the PCI DSS standard
  • Canada PIPEDA (and similar provincial laws): Principle 7: limit access on a “need-to-know” basis (§4.7.3)
  • European Union Data Protection Directive and related laws and regulations: Art. 17 “appropriate organizational and technical measures”; European data protection authorities require access restrictions based on functional responsibilities

Now, here is the rub… the above table was published in February of 2000!!!  (One caveat on that date: the table itself cites NIST SP 800-53 rev. 1, PCI DSS and CA AB 1950, none of which existed in 2000, so the paper must actually be a few years younger than that.  The point stands either way: every row predates Gartner’s warning.)

It is but ONE example of the discussions that Information Security Professionals have had with enterprises, banks, credit unions, and virtually every other business that has a web presence.

eBay/PayPal got it right years ago, when they started the program to sell you a VASCO security token for login to your PayPal account.  Why banks and credit unions haven’t followed suit is beyond me.  Most large enterprises use them internally, but won’t provide them to their customers, even if requested.
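The tokens mentioned above are event-based one-time-password devices: the token and the server share a secret and a counter, and each button press yields a fresh code.  What follows is an added example (not code from this post, from PayPal, or from VASCO, whose own algorithm is not described here) of the open OATH HOTP scheme from RFC 4226, showing both the code generation and the server-side check a bank would need: a small look-ahead window for presses the user made without logging in, and a counter that only moves forward so a captured code cannot be replayed.  The secret is the RFC’s published test vector, not a real credential.

```python
"""Event-based one-time passwords (HOTP, RFC 4226) with server-side
verification: look-ahead window plus a strictly increasing counter.

Added example, not code from the original post or from any token vendor.
The secret below is the RFC 4226 Appendix D test vector, constructed input
for the example and not a real credential."""
import hashlib
import hmac
import struct

# RFC 4226 test secret (ASCII "12345678901234567890"); a real token holds a
# random per-device secret that is never shown to the user.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to a 31-bit integer, reduced mod 10**digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server side of one user's token.  Remembers the next counter it expects
    so an already-used code is rejected (replay), and tolerates a few presses
    made without logging in by searching a small look-ahead window."""

    def __init__(self, secret: bytes, look_ahead: int = 5, digits: int = 6):
        self.secret = secret
        self.look_ahead = look_ahead
        self.digits = digits
        self.counter = 0  # next counter value the server will accept

    def verify(self, submitted: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            expected = hotp(self.secret, c, self.digits)
            # constant-time compare so timing does not leak matching digits
            if hmac.compare_digest(expected, submitted):
                self.counter = c + 1  # resynchronise and burn this code
                return True
        return False  # wrong code, replay, or token too far ahead


if __name__ == "__main__":
    v = TokenVerifier(TEST_SECRET)
    print(hotp(TEST_SECRET, 0))            # 755224 (RFC 4226 test vector)
    print(v.verify(hotp(TEST_SECRET, 0)))  # True
    print(v.verify(hotp(TEST_SECRET, 0)))  # False: replay of a used code
    print(v.verify(hotp(TEST_SECRET, 3)))  # True: skipped presses within window
    print(v.verify(hotp(TEST_SECRET, 2)))  # False: counter already past 2
```

The look-ahead window is the trade-off to watch: a larger window makes life easier for users who press the button idly, but it also multiplies an attacker’s chance of guessing a six-digit code, so keep it small and rate-limit failed attempts per account.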

So now we have Gartner (the slowest on the uptake) joining in our chant… I guess I should be happy; at least the brain-dead zombies who listen to their diatribe will finally be spoon-fed some COMMON SENSE!

Oi… that was cathartic.


AT&T moves closer to usage-based fees for data.

Boy, I’m sure happy I fired ATT.

I may not have an iPhone (I really don’t want one)

I don’t have crazy pricing (I’m on Sprint’s Simply Everything plan)

I have internet, tethered modem, email, and one thing that the ATT / iPhone people don’t.  Security.

My Blackberry is secured so that you can’t steal my data, nor can you use it without the passwords.  Hey, even if you steal my micro-SD card, it’s encrypted too.

Oh, wait, can you use SD cards in an iPhone?

*meh*…

I’m waiting for the Droid to hit Sprint’s network if I’m going to change from Blackberry, but I don’t see that happening for several years.  My Blackberry simply WORKS, and coupled with Sprint’s Simply Everything plan, it works, and works, and works.

For those of you on ATT, check out Sprint.  They have amazing customer service: you’re greeted by a person who tells you their name and where they are currently located.  Both of my last two calls to Customer Service were fielded out of North Carolina, and I had pleasant & positive experiences.  It’s truly a joy (unlike calling ATT).

Oh, and did I mention that Sprint’s customer service is open 24x7x365?  So you don’t have to wait the long weekend to call to make a change, or to get tech support, or any other reason you would want to contact your cellular carrier.

I could go on for days…

Lastly, I travel for work, and I have yet to find a location where I don’t have coverage to make a phone call.  However, I’ve been standing in several locations recently where my iPhone-burdened brethren were not only without data connectivity, but also without the ability to get a dial tone.  Sadly, they still think that ATT is a good provider.

Some people must enjoy being screwed and constantly frustrated.  I simply want things to work.

Thank you Sprint, and Thank You Blackberry.


Security Fix – Apple issues security updates for Mac OS X.

How can this be?  My father recently went to the Apple Store outside Chattanooga TN, and they told him, “Apple doesn’t need any anti-virus, or other security software.  It’s just secure.”

Apple’s advertising program makes it out to be impervious to the threats that all of the other computers might also have.

Even Brian Krebs (While I like and respect him), stated in his blog a few weeks back that to be secure on the internet, you should do your online transactions on a Mac.

Well… something seems to be amiss.

Let’s be clear here:

All Operating systems:

  • Are flawed
  • Will be attacked
  • Need some sort of Anti-Virus
  • Need a client based Firewall
  • Need constant care and attention

The major issue with most operating systems is the user.  Most users, of any operating system, fiddle with the configuration.  This is similar to saying that “all drivers of a car modify their car”.  This is somewhat true.  Let’s explore this for a minute:

Types of modifications drivers do to their cars:

  • Seat Covers
  • Floor Mats
  • Rims / hub caps
  • Exterior and Interior Trim
  • Stereo System/GPS
  • Tires
  • Engine Modifications/Upgrades
  • Suspension Modifications/Upgrades

Except for the last three items, most of these things, in moderation, are harmless to the driving safety of the vehicle.  However, if you don’t know what you’re doing and you make some or all of the last three changes, you’re going to fall into one of the following categories:

  • Outside your ability to drive the vehicle
  • Creating an unsafe engine
  • Creating an unstable vehicle to drive

Now, taking this analogy back to computers: if you make modifications to your computer system, like installing unproven software, or installing many of the gazillion web toys to play games online (for example, Flash-based games), you’re inviting your system to be taken over.  When you add any of the other high-risk behaviors that we’ve been asking people not to do for the past 12+ years on the internet (e.g. surfing porn, downloading music and movies, file sharing, opening unrequested emails, not having a firewall, not having Anti-Virus & Anti-Spyware tools, etc…), you have a recipe for disaster.

I think that it is high time that we hold the software manufacturers accountable (including Apple).  Software manufacturers have to OWN the risk, and share the risk with the general public.  After all, if you purchased an automobile that was prone to blowing up while you used it normally, wouldn’t it be recalled?  Couldn’t you sue the manufacturer?  It’s high time that companies get with the program and start making software that is SECURE BY DEFAULT, instead of bolting on thousands of “patches” and “fixes”, or even stating, “We rely on third-party companies to provide that functionality”.

Apple is the biggest failure in Truth in Advertising, and since there are so many Apple Fan Bois (sic), it doesn’t seem to be happening.  Sorry, I’m not falling for the smoke screen.  Sadly, many of you are.

How about you “Man Up”, and ask your wonderful Apple manufacturer to be truthful?

That’s my 2¢, YMMV.

-

dc0de.


In Congress, a call to review internal cybersecurity policies – washingtonpost.com.

It’s not so nice when it happens to “Them”!!!

“The ethics committee operates in secrecy and has its own policy governing the handling of materials involving investigations. Under committee protocols, material generated by the panel is supposed to be stored in secure areas that are not accessible to anyone other than committee staff members. That goes for computer files and printouts of committee documents.”

The article goes on to describe how the members of Congress who were under investigation responded, and how shocked everyone was that the data was “at large”.

The laughable part is that it was disclosed by a P2P application installed on the home computer of a “Junior Member” of the Ethics Committee’s staff.  I guess the Government doesn’t follow the same guidelines that the commercial world does…

In the breach, the report was disclosed inadvertently by a junior committee staff member, who had apparently stored the file on a home computer with “peer-to-peer” software, congressional sources said. The popular software allows computer users to share music or other files and is easily available online. But it also allows anyone with the software on a computer to access documents of another user without permission, as long as the users are on a file-sharing network at the same time.

Now I have to question, how much more data was released?  What else was on this member’s shared folders?

It’s time that people wake up and smell the coffee… we’ve been PREACHING about these types of weaknesses, there are hundreds of products that can prevent these types of breaches, and what is being done about it?

Apparently, nothing.  Thanks everyone… it’s been fun… I’m going to bake some biscuits.


© 2008-2010 dc0de’s notes... & dc0de.com All Rights Reserved