kottke.org posts about security

Weaponized smartphones and the Internet of Things
Dec 28 2012

We've spent the past two dozen years putting computers in everything from our bodies to our cars. Now those devices increasingly have wireless connections to the outside world. Throw in a little lax security and the whole world becomes hackable.

Hospital equipment like external defibrillators and fetal monitors can at least be picked up, taken apart, or carted away. Implanted devices -- equipment surgically implanted into the body -- are vastly more difficult to remove but not all that much harder to attack.

You don't even have to know anything about medical devices' software to attack them remotely, Fu says. You simply have to call them repeatedly, waking them up so many times that they exhaust their batteries -- a medical version of the online "denial of service" attack, in which botnets overwhelm Web sites with millions of phony messages. On a more complex level, pacemaker-subverter Barnaby Jack has been developing Electric Feel, software that scans for medical devices in crowds, compromising all within range. Although Jack emphasizes that Electric Feel "was created for research purposes, in the wrong hands it could have deadly consequences." (A General Accounting Office report noted in August that Uncle Sam had never systematically analyzed medical devices for their hackability, and recommended that the F.D.A. take action.)

Your passwords can no longer protect you
Nov 16 2012

"You have a secret that can ruin your life." That's according to Mat Honan, and he should know. Several months ago he saw much of his online life hacked and deleted in an instant. In this Wired cover story (that includes some valuable tips for protecting yourself online), Honan breaks the news that "no matter how complex, no matter how unique, your passwords can no longer protect you."

These birds teach their baby chicks a secret family password
Nov 15 2012

Fairy wrens have a cuckoo problem. Specifically, cuckoos lay their eggs in the nests of fairy wrens and, if the eggs go undetected, the wrens end up raising the baby cuckoos to the potential detriment of their own children. But after laying her eggs, the fairy wren mother sings a unique song to them until they hatch. Having learned the song while in-egg, the hatched baby wrens sing back part of the song to get fed.

She kept 15 nests under constant audio surveillance, and discovered that fairy-wrens call to their unhatched chicks, using a two-second trill with 19 separate elements to it. They call once every four minutes while sitting on their eggs, starting on the 9th day of incubation and carrying on for a week until the eggs hatch.

When Colombelli-Negrel recorded the chicks after they hatched, she heard that their begging call included a single unique note lifted from mum's incubation call. This note varies a lot between different fairy-wren broods. It's their version of a surname, a signature of identity that unites a family. The females even teach these calls to their partners, by using them in their own begging calls when the males return to the nest with food.

These signature calls aren't innate. The chicks' calls more precisely matched those of their mother if she sang more frequently while she was incubating. And when Colombelli-Negrel swapped some eggs between different clutches, she found that the chicks made signature calls that matched those of their foster parents rather than those of their biological ones. It's something they learn while still in their eggs.

(via bruce schneier)

The worst passwords of 2012
Oct 26 2012

I cannot believe these are some of the passwords people actually use:

1. password
2. 123456
3. 12345678
4. abc123
5. qwerty
6. monkey
7. letmein
8. dragon
9. 111111
10. baseball
11. iloveyou
12. trustno1

I feel more secure than ever with my "password2" password.

The world's worst password requirements list
Jun 04 2012

I tweeted about this but wanted to document it here for posterity. The Attorney General of Texas Child Support website has the worst set of password requirements I've ever seen.

[Image: Password Req]

Exactly eight characters? No consecutive repeating characters? This is the internet equivalent of everyone throwing their supposedly dangerous 3+ oz. liquid containers into one giant barrel where hundreds of people are queuing up for "security". Makes you wonder how non-user-friendly the state's actual child support process is.

Update: Here's another bad password policy, courtesy of TechRepublic:

[Image: Password Req 01]

Can't contain two separated numbers? I don't even. If you've run across other examples like these, tweet at me.

Update: Troy Hunt has a list of bad password practices...for example, here's ING's 4-digit PIN login:

[Image: Password Req 02]

Four digits, numbers only...FOR A BANK! He also has a screenshot of American Express' case insensitive password rule.

Update: Jonathan Cogley signed up to access the web site of a "major credit card company" (AmEx?) and ran into the case insensitivity as well.

Update: BTW, there are many resources out there about choosing good passwords, but I found this one particularly helpful.

Update: This one from the US Citizenship and Immigration Services site is very similar to the Texas one.

[Image: Password Req 03]

Is there a consultant somewhere telling state and federal governments how not to do passwords? (via @kelseyfrost)

Update: I've gotten several notes about ING...their PINs are 6+ digits but still only numbers, which seems trivial to hack, even with their ever-shifting numeric keypad (readily OCR-able) and image verification (isn't foolproof).

Update: Suncorp Bank requires that passwords be 6-8 characters and can't contain consecutive numbers or special characters.

[Image: Password Req 04]

Chase requires a password for your password so you can log in while you log in. Or something.

But the best one so far might be for Sabre Red, a booking system used by travel agents.

[Image: Password Req 05]

7-8 characters in length, no special characters, no more than two repeating characters, and you cannot use the letters Z or Q (presumably a holdover from the days when phone keypads didn't have Qs or Zs). Wow. (via @SteveD503, @albedoa & @TheLoneCuber)

Airport security: "so much inconvenience for so little benefit at such a staggering cost"
Dec 22 2011

Charles Mann visits the airport with security expert Bruce Schneier and a fake boarding pass. What he finds is a lot of security theater and not much security.

"The only useful airport security measures since 9/11," he says, "were locking and reinforcing the cockpit doors, so terrorists can't break in, positive baggage matching" -- ensuring that people can't put luggage on planes, and then not board them -- "and teaching the passengers to fight back. The rest is security theater."

(via df)

Liberty scattered
Dec 13 2010

Love the cover of the most recent issue of The New Republic.

[Image: Liberty scattered]

Hacker double agent
Nov 22 2010

While assisting the Secret Service in bringing down a cybercrime ring called Shadowcrew, Albert Gonzalez was, unbeknownst to the agents he was working with, involved with a much larger scheme to steal credit card information on a massive scale. Despite making millions of dollars hacking into the databases of large companies, Gonzalez preferred living at home with his parents for three reasons:

1. he loved his mother's cooking
2. he loved playing with his nephew
3. he could more easily launder money through his parents' home-equity line of credit

When they pieced together how Gonzalez organized these heists later, federal prosecutors had to admire his ingenuity. "It's like driving to the building next to the bank to tunnel into the bank," Seth Kosto, an assistant U.S. attorney in New Jersey who worked on the case, told me. When I asked how Gonzalez rated among criminal hackers, he replied: "As a leader? Unparalleled. Unparalleled in his ability to coordinate contacts and continents and expertise. Unparalleled in that he didn't just get a hack done -- he got a hack done, he got the exfiltration of the data done, he got the laundering of the funds done. He was a five-tool player."

Airport security: the Dick-Measuring Device or molestation?
Oct 29 2010

Jeffrey Goldberg on the TSA's new security theater measures, including pat-downs that are so humiliating and uncomfortable that people won't mind using the scanning machine that shows them naked.

I asked him if he was looking forward to conducting the full-on pat-downs. "Nobody's going to do it," he said, "once they find out what we're going to do."

In other words, people, when faced with a choice, will inevitably choose the Dick-Measuring Device over molestation? "That's what we're hoping for. We're trying to get everyone into the machine." He called over a colleague. "Tell him what you call the back-scatter," he said. "The Dick-Measuring Device," I said. "That's the truth," the other officer responded.

The pat-down at BWI was fairly vigorous, by the usual tame standards of the TSA, but it was nothing like the one I received the next day at T.F. Green in Providence. Apparently, I was the very first passenger to ask to opt-out of back-scatter imaging. Several TSA officers heard me choose the pat-down, and they reacted in a way meant to make the ordinary passenger feel very badly about his decision. One officer said to a colleague who was obviously going to be assigned to me, "Get new gloves, man, you're going to need them where you're going."

The agent snapped on his blue gloves, and patiently explained exactly where he was going to touch me. I felt like a sophomore at Oberlin.

Empty the nation's pools!
Apr 06 2009

From November 2007 but still relevant: Odds of Dying in a Terrorist Attack.

You are six times more likely to die from hot weather than from a terrorist attack

You are 87 times more likely to drown than die in a terrorist attack

You are 1048 times more likely to die from a car accident than from a terrorist attack

You are 12 times more likely to die from accidental suffocation in bed than from a terrorist attack

You are eight times more likely to be killed by a police officer than by a terrorist

I guess when you're the President, it's just not that impressive to say that you protected the nation's populace from accidental suffocation in bed.

Really secure
Feb 19 2009

Along the lines of "what's your mother's maiden name?", here are some even more secure user authentication questions.

What time was it when, in a drunken rage, you threw your novel into the fire?

If you could do it all over again, what would you do differently?

House keys copied from 200 feet away
Nov 10 2008

House keys left out on table + telephoto lens at a distance of 200 feet + SNEAKEY key duplication software = perfect working copies of your keys. Eep. The system also works with crappy cellphone camera photos.

Airport security theater
Oct 17 2008

I don't know if this is sadly hilarious or hilariously sad. Jeffrey Goldberg took all sorts of crazy stuff through airport security -- "al-Qaeda T-shirts, Islamic Jihad flags, Hezbollah videotapes, inflatable Yasir Arafat dolls (really), pocketknives, matches from hotels in Beirut and Peshawar, dust masks, lengths of rope, cigarette lighters, nail clippers, eight-ounce tubes of toothpaste (in my front pocket), bottles of Fiji Water (which is foreign), and, of course, box cutters" -- and almost nothing was ever taken away from him or was a source of concern for airport security personnel.

We took our shoes off and placed our laptops in bins. Schneier took from his bag a 12-ounce container labeled "saline solution."

"It's allowed," he said. Medical supplies, such as saline solution for contact-lens cleaning, don't fall under the TSA's three-ounce rule.

"What's allowed?" I asked. "Saline solution, or bottles labeled saline solution?"

"Bottles labeled saline solution. They won't check what's in it, trust me."

They did not check. As we gathered our belongings, Schneier held up the bottle and said to the nearest security officer, "This is okay, right?" "Yep," the officer said. "Just have to put it in the tray."

"Maybe if you lit it on fire, he'd pay attention," I said, risking arrest for making a joke at airport security. (Later, Schneier would carry two bottles labeled saline solution -- 24 ounces in total -- through security. An officer asked him why he needed two bottles. "Two eyes," he said. He was allowed to keep the bottles.)

So hard to pick just one excerpt from this one...it's full of ridiculousness. I don't care how many blogs the TSA launches, this is a farce. (thx, anthony)

TSA Communication Plates
Oct 03 2008

Evan Roth has been putting metal plates with messages and symbols cut into them into his carry-on luggage when he goes through security at the airport.

Here's Roth's idea, which he calls "TSA Communication" and tells me has already made it through three trial airport runs: Take a metal plate, stencil and cut out a message -- words or an image -- place the plate at the bottom of your carry-on bag, and watch what happens as the TSA employee operating the airport X-ray machine notices ... or doesn't notice.

So far, he's used plates with outlines of the American flag, a "NOTHING TO SEE HERE" message, and something he calls The Exact Opposite Of A Box Cutter, a plate with a box cutter shape cut out of it.

A mom let her 9-year-old son take
Apr 15 2008

A mom let her 9-year-old son take the NYC subway and bus home from Sunday shopping.

For weeks my boy had been begging for me to please leave him somewhere, anywhere, and let him try to figure out how to get home on his own. So on that sunny Sunday I gave him a subway map, a MetroCard, a $20 bill, and several quarters, just in case he had to make a call.

No, I did not give him a cell phone. Didn't want to lose it. And no, I didn't trail him, like a mommy private eye. I trusted him to figure out that he should take the Lexington Avenue subway down, and the 34th Street crosstown bus home. If he couldn't do that, I trusted him to ask a stranger. And then I even trusted that stranger not to think, "Gee, I was about to catch my train home, but now I think I'll abduct this adorable child instead."

Upon telling the story to others, she encountered some resistance:

Half the people I've told this episode to now want to turn me in for child abuse. As if keeping kids under lock and key and helmet and cell phone and nanny and surveillance is the right way to rear kids. It's not. It's debilitating -- for us and for them.

A chronological list of fears, from childhood
Apr 07 2008

A chronological list of fears, from childhood through parenthood. (via lone gunman)

The business of parenting
Mar 31 2008

Salon had an interview with Pamela Paul the other day, author of Parenting, Inc., a book about the business of parenting. Paul starts out by disparaging the $800 stroller phenomenon. Ollie's stroller was somewhat expensive (not $800 but not $100 either) but it's well built, flexible in use, nicely designed (functionally speaking), and was far and away the best one for our needs. We didn't feel good about spending so much money, but the eventual cost-per-use will be in the range of cents, so we're really happy with our choice so far. Some parents buy expensive strollers more as a fashion statement, so I can see where Paul is coming from on this one.

I thought the rest of the interview was quite good. We're still new to this parenting thing, but Paul seems to be on the right track. Here's her take on the best toys for kids:

When you think back to the '60s and '70s, all the right-thinking progressive parents thought toys should be natural and open-ended. Crayola and Kinder Blocks and Lego were considered raise-your-kid-smart toys. Then, all this data that came out which said that kids need to be stimulated. They need sound! They need multi-sensory experiences! Now, the more bells and whistles a toy has, the supposedly better it is.

Our parents' generation actually had it right. The less the toy does, the better. Everyone thinks: "Toys need to be interactive." No, toys don't need to be interactive. Children need to interact with toys. The best toys are 90 percent kid, 10 percent toy, the kind of thing that you can use 20 different ways, not because it has 20 different buttons to press, but because the kid, when they're 6 months old is going to chew on it, and toss it, but when they're a year they're going to start stacking it.

And then later:

At the most basic level reuse, recycle, repurpose. The average American child gets 70 new toys a year. That is just so far beyond what is necessary. Most child gear, toys, books are a lot cheaper, relatively speaking, than they were decades ago. In the aggregate it ends up being a lot more expensive, because we're buying a lot more of it, but kids just don't need that many toys. Kids lose out when things become less special.

We've been avoiding toys that make noise and light up. Half of his toys are garbage -- old toilet paper rolls, bags that our coffee pods come in, 20oz soda bottles filled with colored water or split peas, scraps of fabric, etc. -- or not even toys at all -- pots and pans, measuring spoons, etc. It seems like the right approach for us; Paul's "90 percent kid, 10 percent toy" really resonates.

Paul also talks about not overstimulating kids. When I get up in the morning or come home from the office, it's hard not to scoop Ollie up and give him constant attention until he goes to bed or down for a nap. Instead, I've been trying to leave him alone to play and explore by himself. He's getting old enough that when he wants me involved, he'll come to me. In this way, parenting is like employee management; give people the resources they need and then let them do their jobs.

This last bit reminded me of our trip to Buy Buy Baby (subtle!!) to procure baby proofing supplies. They totally had a Wall of Death designed to entice parents to coat their entire house in cheap white plastic.

The baby-proofing industry completely preys on parents' worst anxieties and fears. It really doesn't take a brain surgeon to baby-proof a house, and every store has the "Wall of Death" with like 10,000 products in it that you can affix to any potentially sharp surface in your house, if you choose to go that route.

It's difficult not to feel incredibly manipulated by the Wall of Death. You know deep down that it's ridiculous; your parents didn't have any of this crap and you turned out fine. But then the what-ifs start gnawing away at your still-shaky confidence as a new parent. Our encounter with the Wall paralyzed us, and with the exception of those plastic wall outlet plugs, we've punted on baby proofing for now. We're letting Ollie show us where all the problem areas are before committing to any white plastic solutions.

Bruce Schneier on the Portrait of the
Jun 15 2007

Bruce Schneier on the Portrait of the Modern Terrorist as an Idiot. "Terrorism is a real threat, and one that needs to be addressed by appropriate means. But allowing ourselves to be terrorized by wannabe terrorists and unrealistic plots -- and worse, allowing our essential freedoms to be lost by using them as an excuse -- is wrong."

SiteKey sucks
Apr 12 2007

I've used Bank of America to do my online banking in the past and their SiteKey "technology" always irritated the hell out of me because it led me to believe that Bank of America thought I was:

a) a criminal

and/or:

b) an idiot

instead of:

c) a customer

The basic idea behind SiteKey is that when you log in to your account, you're shown a photo of, say, an orange kitten before you enter your password so that you know you're not on the site of a phisher who knows nothing about your orange kitten but wants to collect your login info. In addition, the site makes you verify your identity with a security question -- like "what's your favorite food?" -- before using the site from a new IP address, which means if you're on a cable or DSL connection, this happens every couple weeks when your current IP expires...or whenever BofA feels like they should throw up another virtual pane of bulletproof glass between you and your account information. For those who don't fall for phishing scams -- by accessing sites directly through bookmarks or by typing URLs into the location bar -- SiteKey is nothing but an irritant and a deterrent and there's no way to switch it off.

On Tuesday, Christopher Soghoian and Markus Jakobsson published a clever method by which password phishers could get around SiteKey. The method takes advantage of a simple hole in the logic concerning SiteKey...that anyone who knows your account's login name and state of residence can see both your SiteKey image and any challenge questions, no password required. All the phisher has to do is ask for the login name and state of residence, send that info to the BofA site (via a script running on the phisher's machine), get back a security question, display that, send the answer to the BofA site, get back the correct SiteKey image, display that, and collect the person's password, all while presenting a nearly seamless Bank of America-like experience to the user.

Hopefully this gaping monster of a security hole will convince BofA that not only does SiteKey security not work, it's not even security and they'll soon be rid of it.

Update: Here's an even easier SiteKey exploit.

I have your password. I did this with a freakin' Bachelor of Arts degree. It took me about three hours of messing around to get the basics set up, and another few hours to spit and polish. It's a couple of dumb HTML pages with a few snippets of PHP, and a pinch of Javascript thrown in. There is nothing sophisticated here. I don't think this even qualifies as a "hack." I think you should be concerned.

An anonymous author (they cannot legally reveal
Mar 26 2007

An anonymous author (they cannot legally reveal their identity) describes their National Security Letter gag order. Since the Patriot Act, the FBI has been sending out tens of thousands of these Letters, the recipients of which have no choice but to comply and keep absolutely quiet about it. "Living under the gag order has been stressful and surreal. Under the threat of criminal prosecution, I must hide all aspects of my involvement in the case -- including the mere fact that I received an NSL -- from my colleagues, my family and my friends."

The must-read item of the weekend: how
Mar 17 2007

The must-read item of the weekend: how a bunch of guys got themselves and two full van-loads of materials into the Super Bowl and distributed lights to fans to spell out a special message seen during the halftime show. This is in the hall of fame of pranks for sure. "Super Bowl XLI was a Level One national security event, usually reserved for Presidential inaugurations. We had to get two full vanloads of materials through federal marshals, Homeland Security agents, police, police dogs, bomb squads, ATF personnel, robots, and a five-ton state-of-the-art X-ray crane. It took four months and a dozen people to pull off the prank that ended up fooling the world. This is the Super Stunt." (via waxy)

Here's the 3129 character code you need to
Dec 20 2006

Here's the 3129 character code you need to enter into a car's keyless entry pad in order to guess the 5-digit passcode. It'll take you 20 minutes or less to enter it. (via j-walk)

TSA travel tip: cheesecake is not a
Dec 19 2006

TSA travel tip: cheesecake is not a gel. "So, as you're traveling for the holidays, if you should feel the urge to surprise a loved one with a piece of cheesecake or some other gelatinous food product and are questioned by the TSA, make sure you remind them about the 'LaGuardia Cheesecake Precedent of October 2006' and claim your right to bring that cheesecake on the plane with you." Consider this a companion piece to the security theater article from earlier in the week.

The inept security theater at the airport. "
Dec 18 2006

The inept security theater at the airport. "For theater on a grand scale, you can't do better than the audience-participation dramas performed at airports, under the direction of the Transportation Security Administration."

Even though the most popular password on
Dec 15 2006

Even though the most popular password on MySpace is "password1" (the 5th most popular password is "blink182"), most users' passwords are pretty good...and better than corporate employees' passwords.

Bruce Schneier: "It's time we calm down
Aug 24 2006

Bruce Schneier: "It's time we calm down and fight terror with antiterror. Our job is to think critically and rationally, and to ignore the cacophony of other interests trying to use terrorism to advance political careers or increase a television show's viewership."

A list of non-liquid items like mouthwash
Aug 22 2006

A list of non-liquid items like mouthwash powder, shampoo bars, and powdered tooth cleaners that are safe to carry on commercial airline flights.

Faces are now being searched at US
Aug 18 2006

Faces are now being searched at US airports for suspicious microexpressions. Psychologist Paul Ekman helped set up the program and was previously one of Malcolm Gladwell's subjects in The Naked Face and Blink.

Bruce Schneier on the liquids ban at
Aug 14 2006

Bruce Schneier on the liquids ban at the airport and "the difference between effective security and security theater". "And if you want to know what you can do to help? Don't be terrorized."

Networks on a plane
May 18 2006

Q. Is it possible to use a wireless Internet connection on a plane?

A. Yes, if you happen to be flying on an airline that offers the service. International carriers like Korean Air, Lufthansa and Singapore Airlines already have wireless broadband service on many routes; fees for using it vary. Check with your airline to see if it offers in-flight Internet.

So says the NY Times. While it may not be possible to use wireless Internet connections on the plane, it is possible to use wireless connections. Apple laptops can create networks which other computers with wireless capability can join. Bluetooth capable devices like laptops and cellphones can communicate with each other over smaller distances.

Since 9/11, I've often thought that this would be an effective way for a group of people to coordinate some nefarious action on a plane without attracting any attention. Five or six people scattered about the plane on laptops, iChatting plans to one another, wouldn't be unusual at all. Of course, a properly trained group wouldn't need to communicate with each other at all after boarding the plane. Nor, says Bruce Schneier, should we ban things like cellphones and Internet access on airplanes for security reasons.

Nevermind...the video is fake. This is
Apr 18 2006

Nevermind...the video is fake. This is one of the most insane things I've ever seen....graffiti artist/entrepreneur Marc Ecko tagged Air Force One. The US govt can't even effectively guard the President's plane...how does Homeland Security expect to do it with all commercial passenger airplanes? (via airbag)

"If you see something suspicious, welcome to
Jan 24 2006

"If you see something suspicious, welcome to how New York got started." (via gothamist)

The Onion provides a list of new
Dec 27 2005

The Onion provides a list of new guidelines from the Transportation Security Administration. "Vermont and New York cheddars can be brought on board, but not Wisconsin cheddar -- by far the sharpest cheese in the cheddar family".

Safe: Design Takes On Risk
Dec 13 2005

At the risk (ha!) of missing it, I waited until this late in the game to check out Safe: Design Takes On Risk at the MoMA. Great show. Two of my favorite items:

  • Safe Bedside Table by James McAdam. If the need should arise in the middle of the night, the top of the table separates from the leg and can be worn on the arm as a shield while you use the leg to beat the crap out of a surprised burglar.
  • Suited for Subversion by Ralph Borland. Don this highly visible suit before heading out for a day of protesting. It's padded to protect against police brutality, an optional wireless camera acts as a witness to the day's events, and a speaker amplifies the wearer's heartbeat, letting those around him know that he's scared, anxious, exhilarated, or simply human.

For you armchair museum goers, what looks to be the entire exhibition is available online.

Also, the MoMA around holiday time, not so crowded. (Well, relatively so. There were still a fair number of people there, just not so many as in the Build-A-Bear store on 5th Avenue.)

Stephanie Hendrick has tracked down the identity
Dec 13 2005

Stephanie Hendrick has tracked down the identity of an anonymous blogger (she matched them to a non-anonymous blog) using linguistic identity markers. See also secret sites. (via j/t)

Table of the odds of dying from
Dec 12 2005

Table of the odds of dying from various injuries. Looking at statistics like these, I'm always amazed at how worried people are about things that don't often result in death (fireworks, sharks) and how relatively dangerous automobiles are (see, for example, this list of people on MySpace who have died...many of the deaths on the first two pages involve cars).

Under the digital mattress
Dec 12 2005

One of the most interesting things to come out of the secret sites discussion is that people are keeping their private journals on the web instead of in a paper journal under their mattress or in a Word document on their computer. This sounds surprising, but there's a couple of good reasons for it:

  • The tools for writing, organizing, and searching an online journal written with Typepad or LiveJournal are superior to those for writing a paper journal or an electronic diary (in Word or text format) stored locally. Hyperlinks, entries organized by date, mood, category: if you're used to using these things when writing a public site, you might have trouble going back to just text in a Word document for your important innermost thoughts.
  • Your diary may actually be more private and secure on the web. A password protected online journal is more difficult for a parent, significant other, or parole officer to stumble upon and read than a document sitting on a hard drive of a shared computer or hidden on the top shelf of a closet, especially if you're careful with your cookies and browser history, choose a good password, and are more computer savvy than said parent/S.O./P.O.

I bet few would have predicted keeping personal diaries secret as a use of the public internet several years ago.

There's nothing good about the shooting of
Dec 08 2005

There's nothing good about the shooting of airline passenger Rigoberto Alpizar by air marshals. Guns on airplanes -- I don't care who's wielding them under what authority -- is a bad idea; some alternative thinking is needed.

Secret sites
Dec 06 2005

The decompression from my trip to Asia continues. I have read through ~8000 items in my newsreader and discarded almost all of them (despite much interest in solving the problem, no one has built a machine that has any idea about what content needles I want out of the media haystack).

However, one item caught my interest (although I can't remember where I saw it): someone asked their readers how many secret sites/blogs they maintained. That is, sites that no one knows you're the author of (written anonymously or with a nom de plume) or sites to which the general public does not have access. If I remember correctly, a large number of the respondents not only maintained a secret site, but had several. I have one secret blog, published under my own name, that only a small group of friends can read. I just started it recently (after learning that several friends have been doing this for awhile) and don't update it very often. How about you...any secret sites? Why keep them on the down-low?

Bruce Schneier on the sorry state of
Dec 02 2005

Bruce Schneier on the sorry state of airport security. "Exactly two things have made airline travel safer since 9/11: reinforcement of cockpit doors, and passengers who now know that they may have to fight back. Everything else...is security theater."

WSJ tech columnist Walt Mossberg on DRM: "
Oct 21 2005

WSJ tech columnist Walt Mossberg on DRM: "media companies go too far in curbing consumers' activities".

With AJAX MAssive Storage System (AMASS) a
Oct 20 2005

With AJAX MAssive Storage System (AMASS) a web page can store large amounts of data on a computer using hidden Flash applets. Brilliant hack, but seems like a potential security concern (an AMASS-like app could just fill up a hard drive without prompting, no?). I just looked at this briefly...would this allow one to run something like GMail offline? (I'm thinking not.) (via waxy)

Keith Olbermann wonders if there's a correlation
Oct 13 2005

Keith Olbermann wonders if there's a correlation between the Bush Administration's times of political trouble and the timing of terror alerts. (via rw)

Witold Rybczynski on perimeter security around prominent
Aug 26 2005

Witold Rybczynski on perimeter security around prominent public and government buildings. "The problem is that huge hunks of reinforced concrete in city streets are not only an eyesore and an impediment to movement, they're a blatant and unsightly expression of a siege mentality."

A citizen's guide to refusing NYC subway searches
Jul 27 2005

A citizen's guide to refusing NYC subway searches. "As innocent citizens become increasingly accustomed to being searched by the police, politicians and police agencies are empowered to further expand the number of places where all are considered guilty until proven innocent."

Is searching bags in the NYC subway legal?
Jul 26 2005

Is searching bags in the NYC subway legal?

Ugh, riders on the NYC subway are
Jul 21 2005

Ugh, riders on the NYC subway are going to have their bags randomly searched by the NYPD. "People who do not submit to a search will be allowed to leave, but will not be permitted into the subway station." What the fuck?!?

There's a HUGE security hole in Greasemonkey;
Jul 18 2005

There's a HUGE security hole in Greasemonkey; Mark Pilgrim recommends uninstalling immediately.

Surprise, surprise, government reports show that despite
Apr 28 2005

Surprise, surprise, government reports show that despite vastly increased spending, security at the airport is barely better than it was pre-9/11.

David Byrne on how the tightening of
Apr 25 2005

David Byrne on how the tightening of US borders keeps creativity out of our country. I imagine this has had an effect on the scientific community as well.

Bruce Schneier on how to mitigate identity theft
Apr 18 2005

Bruce Schneier on how to mitigate identity theft. "If we're ever going to manage the risks and effects of electronic impersonation, we must concentrate on preventing and detecting fraudulent transactions."
