Tuesday, January 31, 2006

Dutch Biometric Passport Cracked

Schneier on Security: Dutch Biometric Passport Cracked

There's a good write-up from The Register.

Two points stand out. One, the RFID chip in the passport can be read from ten meters. Two, lots of predictability in the encryption key -- sloppy, sloppy -- makes the brute-force attack much easier.

But the references are from last summer. Why is this being reported now?

(Dutch Biometric Passport Cracked via Schneier on Security.)

Friday, January 27, 2006

I don't know..

I often hear people say "I don't know." I realize that not everybody knows everything; that's impossible. Therefore, like the proverbial stupid question, there's no shame in admitting that you don't know.

Or is there?

My good friend Tom pointed out to me today that there are two places in a sentence where "I don't know" can be placed, and it makes a big difference:

"I don't know" is totally acceptable in the first half of a sentence, but never at the end. Here's a classic example:

"I don't know, but I'll look into it" is a fine answer, as would be "I don't know yet, thanks for calling it to my attention."

The unacceptable case, of course, is "I don't know" as the entire answer to a question, say:

Why are we getting errors?

I don't know.

As it was given to me, that is not appropriate, at least when the question is addressed to a person who should know the answer.

Thursday, January 26, 2006

How to Survive a Robot Uprising

Schneier on Security: How to Survive a Robot Uprising

It's Friday, so why not something a little silly?

This is a good start:

i'm reading about how to survive a robot uprising. i'm not gonna give away all the secrets, but i'll share a few...
  • choose a complex environment. waterfalls, street traffic, and places with lots of ambient noise confuse the robots.
  • lose your heat signature. smear yourself with mud and leaves and sit real still.
  • use uncommon words to suss out robots on the phone. robots do not know how to pronounce supercalifragilisticexpealidocious.
  • find a blunt weapon. serrated edges won't work on robo exo-skeletons. nope.
  • alter your stride. robots can judge gait and injury, even height and intention, by stride, so put some rocks in your shoes and mix things up a bit. doing some ministry of silly walks stuff goes even further towards confusing them.
  • pretend that everything is normal. to forestall a mechanized killing spree, you must pretend that nothing is amiss.

Surely we can do better. Any other suggestions?

(How to Survive a Robot Uprising via Schneier on Security.)

The Doghouse: Super Cipher P2P Messenger

Schneier on Security: The Doghouse: Super Cipher P2P Messenger

Super Cipher P2P Messenger uses "unbreakable Infinity bit Triple Layer Socket Encryption for completely secure communication."

Wow. That sure sounds secure.

(The Doghouse: Super Cipher P2P Messenger via Schneier on Security.)

Wednesday, January 25, 2006

Nothing

Just a Test

Tuesday, January 24, 2006

Using Attributes Appropriately

A week ago, I started hearing complaints that people with Thunderbird 1.5 were having problems searching our LDAP directory. I ignored it at first, as I was busy, and figured it was a configuration problem, and I'm not responsible for mail client configurations.

In the last few days, it's turned into a torrent of complaints, and it definitely isn't a configuration problem. So, what could it be?

It seems that the Thunderbird folks decided that the perfectly legitimate search filter

(|(cn=first*last*)(mail=first*last*)(sn=first*last*))
used by previous versions was far too, uhm, correct. They changed it to:
(|(mail=*first last*)(displayname=*first last*)(givenname=*first last*)(sn=*first last*))
because searching on DisplayName seems like a good use of an attribute meant for the display version of a name.

This may seem innocuous enough, but it isn't. CN is Common Name, which we (and other people, I'm sure) handle specially to provide nickname searching. So, searching for cn=john miner will find me, whereas displayname=john miner doesn't (even though my first name is misspeeled).

In this case, I was able to fix it using the same custom plugin I wrote to do the nickname lookups, translating searches on displayname into searches on cn. If not for this, it would be up to us to change user.js on every Thunderbird client, because Michael Layde found that

user_pref("ldap_2.servers.default.attrmap.DisplayName", "cn,commonname");
changes what Thunderbird uses for DisplayName. Boy, that would be fun.
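To make the difference between the two filters concrete, here is a small added example (mine, not the post's plugin and not Thunderbird code) that parses LDAP search filters of the kind shown above, rewrites the attribute names the way a server-side displayname-to-cn translation would, and evaluates both filters against a constructed directory entry. The entry, the names in it and the mail address are made up; the only real behaviour it relies on is that LDAP attributes are multi-valued and attribute names are case-insensitive.

```python
"""Parse RFC 4515-style LDAP search filters, rewrite attribute names, and
evaluate filters against in-memory entries.  Added example for this post,
not the author's plugin or Thunderbird code; entry data is constructed."""
import re


def parse_filter(text):
    """Parse (|(cn=a*)(sn=b*)) into a tree of tuples:
    ('&'|'|', [children]), ('!', child) or ('=', attribute, pattern)."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data at offset %d" % pos)
    return node


def _parse(text, pos):
    if pos >= len(text) or text[pos] != '(':
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = text[pos]
    if op in '&|':                       # AND / OR: a list of sub-filters
        pos += 1
        children = []
        while text[pos] == '(':
            child, pos = _parse(text, pos)
            children.append(child)
        node = (op, children)
    elif op == '!':                      # NOT: exactly one sub-filter
        child, pos = _parse(text, pos + 1)
        node = ('!', child)
    else:                                # simple assertion attr=pattern
        end = text.index(')', pos)
        attr, sep, value = text[pos:end].partition('=')
        if not attr or sep != '=':
            raise ValueError("bad assertion at offset %d" % pos)
        node = ('=', attr, value)
        pos = end
    if text[pos] != ')':
        raise ValueError("expected ')' at offset %d" % pos)
    return node, pos + 1


def serialize(node):
    """Render a tree back into filter syntax."""
    op = node[0]
    if op in '&|':
        return '(%s%s)' % (op, ''.join(serialize(c) for c in node[1]))
    if op == '!':
        return '(!%s)' % serialize(node[1])
    return '(%s=%s)' % (node[1], node[2])


def rewrite_attrs(node, mapping):
    """Copy of the tree with attribute names translated through mapping
    (lower-cased keys, since LDAP attribute names are case-insensitive).
    This reimplements, from the post's description, the server-side
    displayname -> cn translation; it is not the author's plugin code."""
    op = node[0]
    if op in '&|':
        return (op, [rewrite_attrs(c, mapping) for c in node[1]])
    if op == '!':
        return ('!', rewrite_attrs(node[1], mapping))
    return ('=', mapping.get(node[1].lower(), node[1]), node[2])


def _wildcard(pattern):
    """LDAP substring assertion (only '*' is special) -> case-insensitive regex."""
    parts = [re.escape(p) for p in pattern.split('*')]
    return re.compile('^' + '.*'.join(parts) + '$', re.IGNORECASE)


def matches(node, entry):
    """Evaluate a filter against an entry: dict of lower-cased attribute
    name -> list of string values (LDAP attributes are multi-valued)."""
    op = node[0]
    if op == '&':
        return all(matches(c, entry) for c in node[1])
    if op == '|':
        return any(matches(c, entry) for c in node[1])
    if op == '!':
        return not matches(node[1], entry)
    regex = _wildcard(node[2])
    return any(regex.match(v) for v in entry.get(node[1].lower(), []))


# Constructed entry. The directory stores a nickname as a second cn value,
# which is why the old cn=... filter finds this person and displayname=... does not.
ENTRY = {
    'cn': ['Jon Smythe', 'John Smythe'],
    'displayname': ['Jon Smythe'],
    'givenname': ['Jon'],
    'sn': ['Smythe'],
    'mail': ['jsmythe@example.com'],
}
OLD_FILTER = '(|(cn=john*smythe*)(mail=john*smythe*)(sn=john*smythe*))'
NEW_FILTER = ('(|(mail=*john smythe*)(displayname=*john smythe*)'
              '(givenname=*john smythe*)(sn=*john smythe*))')
ATTRMAP = {'displayname': 'cn'}   # what the translation plugin amounts to


def demo():
    """(old filter hit?, new filter hit?, rewritten filter hit?, rewritten filter)."""
    old, new = parse_filter(OLD_FILTER), parse_filter(NEW_FILTER)
    fixed = rewrite_attrs(new, ATTRMAP)
    return matches(old, ENTRY), matches(new, ENTRY), matches(fixed, ENTRY), serialize(fixed)
```

Running demo() gives (True, False, True, ...): the old cn-based filter finds the entry through its nickname value, the Thunderbird 1.5 displayname-based filter misses it, and rewriting displayname to cn on the server restores the hit without touching any client's user.js. The parser is deliberately minimal: it does not handle the \xx escape sequences, approximate or ordering matches (~=, >=, <=), or extensible matching rules that a real server's filter parser must accept.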

Please, people, use attributes the way they are intended!

Thursday, January 19, 2006

Foiling Counterfeiting Countermeasures

Schneier on Security:

Great story illustrating how criminals adapt to security measures.

The notes were all $5 bills that had been bleached and altered to look like $100 bills, sheriff's investigators said. They passed muster with the pen because it determines only whether the paper used to manufacture the currency is legitimate, Bandy said.

As a security measure, the merchants use a chemical pen that determines if the bills are counterfeit. But that's not exactly what the pen does. The pen only verifies that the paper is legitimate. The criminals successfully exploited this security hole.

Wednesday, January 18, 2006

Wine: Barefoot Cabernet Sauvignon

Winery: Barefoot Cellars
Type: Cabernet Sauvignon
Year: Unknown. No date on label.
Location: Modesto, California

Overall: A bit fruity for me. Not a strong Cabernet Sauvignon, seems almost a bit watery. I'm a fan of an ass-kicking Cab, which this isn't.

This wine was actually recommended to me by a friend, and came highly rated. Unfortunately, it falls way short of expectations. The lack of a vintage date on the label should have been a clue, perhaps. The label itself is ©2003, so maybe it's a recent vintage. (Then again, it isn't too recent, is it? 2003 is now three years ago.)

If you like a fruity, less dry Cab, this is for you. It's a cheap buy, and definitely beats many others in its price class.

Tuesday, January 17, 2006

If You're Going To Read The News in English, Speak English

I'm all for diversity. I'm all for different voices reading the news. But, if you're reading the news in English, please be able to speak English understandably.

It's one thing if the person is a source, or the only person available, but just because you're looking for diversity, don't put unqualified people on the air. Adding a disabled person or a speaker who is not understandable* simply makes the news less accessible, especially to non-native English speakers who may have problems understanding other thick accents and/or difficult speech patterns.

All this does is make me change the channel. Even when it's my favorite station, one I happen to volunteer my time to.

So, how do we help people get better at speaking? Good question, and I don't have an answer. Hopefully there are smarter people out there who do.

*OK, well, what standard do we use? That's a good question that I don't know the answer to. I use the standard of what I can understand while not paying complete attention (driving, working, writing this blog entry).

Getting Away with Punching

I used to be incensed over the fact that celebrities could literally kill people, then go to court and get away with murder. Then I became a minor celebrity and my opinion started to change.

I’m not famous enough to get away with premeditated murder, but it’s my ultimate goal. At my current level of fame I figure the most I could get away with is maybe a vigorous bludgeoning, or perhaps some high spirited groping. Those free passes could come in handy someday, but it’s not the same as knowing you can whack someone if you feel like it.

I once considered getting a teardrop tattoo so I’d look like an ex con and people would fear me. But with the Three Strikes law, being an ex con isn’t the panacea it used to be. Celebrities are the new bullies. That’s why I carry around my magazine covers just in case I get in a “situation.” When the shoving starts, I just whip out the January issue of Fortune magazine – the one with Dilbert on the cover – and say something like, “Do you know who drew that? Well DO you, punk?”

Then I go into my cage fighting stance and hope no one notices that my entire body is made of peanut brittle.

(Getting Away with Punching via The Dilbert Blog.)

Wednesday, January 11, 2006

Copyright: Ownership?

The media giants have been very clear in their position. You don't own your content, you have a license to view/use it from them. In their eyes, you're not allowed to make a backup copy, install it on your iPod, watch it on a device built for a foreign region, etc., because the license they set all the terms for doesn't cover that.

This isn't fair in any eyes but theirs, of course, but let's say, for the purposes of argument, that it's all true.

Now, take one of those shiny discs, with the content you've licensed. Gaze at it warmly. Fondle its smooth digital surface. Hold it up to the light and marvel at the way the light refracts. Take out a key, and put a big scratch across it. Try to play it in your device. Go ahead, I'll wait.

Doesn't work anymore, right? But you paid good money for the license to view that content. Call the content owner up, and ask for a replacement. Patiently explain that since you already paid your $25 for a license to use the content, and they said you couldn't back it up, that you should be entitled to a new copy for the $1 or $2 cost of the media alone.

Did they say no? Fancy that. Where is all the convoluted language about licensing and right-to-view now? Is it possible that when the media is intact, you license the content, but as soon as it's scratched, you own it? Looks like it to me.

Could it be, in the end, that the huge quest to control your ability to copy content you buy, all in the name of preventing piracy, is really all about selling you the same thing over and over again?

(Copyright: Ownership? via Glenn's Junk Chest.)

Monday, January 09, 2006

Open Letter to Those Who Call Me for Help:

It doesn't matter if it's via email or a voice mail, when you ask me a long, detailed question, include an example.

I don't want to reply to your long email with "can you give me an example?" Even more so, if you insist that I call, I don't want to call you up and say "can you give me an example?" and then spend the next few minutes figuring out what happened, while you are on the line. I can do it more efficiently when I'm not cradling the phone, and you're not breathing in my ear.

That is all.

Friday, January 06, 2006

Stupid Band Names

Be careful what you write in your journal:

An airline passenger with the words "suicide bomber" written in his journal was arrested when his plane arrived in San Jose, California, on Wednesday, but the words appeared to refer to music and he was later released, officials said.

..."Preliminary, what we believe is that that was the name of either a band or a song," Quy said.

I'm not sure I want "Suicide Bombers" displayed on my iPod. I certainly wouldn't want to be in a band with that name, flying around the country with crates of gear marked "Suicide Bombers." That would be asking for trouble.

On the other hand, it's pretty sad what is enough to get you arrested these days:

"A male was observed by his fellow passengers as having a journal and handwritten on the journal were the words 'suicide bomber,'" FBI spokeswoman LaRae Quy said.

"That, combined with the fact that he was clutching a backpack, and then finally he was acting a little suspiciously" prompted law enforcement to act.

My guess is that it wouldn't matter how he held his backpack; once the jittery passenger saw the words everything else was interpreted suspiciously.

(Stupid Band Names via Schneier on Security.)

Wednesday, January 04, 2006

ID Cards and ID Fraud

Unforeseen security effects of weak ID cards:

It can even be argued that the introduction of the photocard licence has encouraged ID fraud. It has been relatively easy for fraudsters to obtain a licence, but because it looks and feels like 'photo ID', it is far more readily accepted as proof of identity than the paper licence is, and can therefore be used directly as an ID document or to support the establishment of stronger fraudulent ID, particularly in countries familiar with ID cards in this format, but perhaps unfamiliar with the relative strengths of British ID documents.

During the Commons ID card debates this kind of process was described by Tory MP Patrick Mercer, drawing on his experience as a soldier in Northern Ireland, where photo driving licences were first introduced as an anti-terror measure. This "quasi-identity card... I think—had a converse effect to that which the Government sought... anybody who had such a card or driving licence on their person had a pass, which, if shown to police or soldiers, gave them free passage. So, it had precisely the opposite effect to that which was intended."

Effectively - as security experts frequently point out - apparently stronger ID can have a negative effect in that it means that the people responsible for checking it become more likely to accept it as conclusive, and less likely to consider the individual bearing it in any detail. A similar effect has been observed following the introduction of chip and PIN credit cards, where ownership of the card and knowledge of the PIN is now almost always viewed as conclusive.

(ID Cards and ID Fraud via Schneier on Security.)