Wednesday, December 29, 2010

This is why we can't have nice and secure things...

I recently received an invite for "". If you have never heard of it, you are in good company, as it can best be described as "Myspace's retarded cousin".

So when I got the request from a family member to look at her pictures on there, I reluctantly started the sign-up process, making sure to only use throw-away info... until this screen stopped me dead in my tracks.

Some facts about this screen that may not be obvious at first glance:

  • It's a mandatory part of the sign up process
  • It promises a free virtual teddy bear! 
  • It requires you to fill in the credentials of a real email account.
  • It validates the credentials, and throws an error if you give it fake information
  • The information is submitted and transmitted in the clear, over HTTP, without any encryption (although the page seems to include an unused JavaScript implementation of RSA for some reason)
  • The page has (at least) an XSS vulnerability: Enter "+alert(1)+" in the email box (with quotes) and see what happens.
  • In case a connection is successfully made, the application will sift through your inbox for email addresses of your friends and send them personal invites in your name
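As an added example (not code from the post or from the site in question), the snippet below shows why a value like "+alert(1)+" escapes a JavaScript string literal when a form field is echoed by plain string concatenation, and how encoding the value keeps it inert. That the email field was reflected into an inline script is an assumption; the post does not name the injection context.

```javascript
// Added example, not from the original post. The injection context (an inline
// <script> echoing the email field) is a hypothetical assumption.

// Constructed sample input: exactly the string the post suggests typing in the email box.
const PAYLOAD = '"+alert(1)+"';

// Vulnerable pattern: the server drops the raw field between two quote characters,
// so the two quotes inside the input close and reopen the literal and the middle
// part becomes executable code.
function renderUnsafe(email) {
  return 'var email = "' + email + '";';
}

// Hardened pattern: JSON.stringify yields a valid JS string literal with every
// quote, backslash and line terminator escaped; "</" is additionally escaped so
// the literal can never close an enclosing <script> element.
function renderSafe(email) {
  return 'var email = ' + JSON.stringify(email).replace(/<\//g, '<\\/') + ';';
}

// Counts quote characters that are not preceded by a backslash. A snippet that
// holds the input as exactly one string literal has exactly two of them.
function countUnescapedQuotes(snippet) {
  let count = 0;
  for (let i = 0; i < snippet.length; i++) {
    if (snippet[i] === '\\') { i++; continue; } // skip the escaped character
    if (snippet[i] === '"') count++;
  }
  return count;
}

// True when the rendered snippet kept the input inside the quotes.
function staysInsideLiteral(snippet) {
  return countUnescapedQuotes(snippet) === 2;
}

console.log(renderUnsafe(PAYLOAD)); // var email = ""+alert(1)+"";   (four quotes: alert(1) runs)
console.log(renderSafe(PAYLOAD));   // var email = "\"+alert(1)+\""; (two quotes: plain data)
```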
Are we scared yet? No? Neither, it seems, are the thousands of happy users on that site.

The security professional in me gets the chills, but the social human in me appreciates the service provided here. It provides a different view on your friends and acquaintances:

If you are somebody who gives up your credentials to anybody who asks, then that indicates how reliable you are. Don't count on borrowing my car keys.
If you consciously sell out all your friends for the promise of a virtual teddy bear... I think that says something about your moral value system.

Thursday, September 23, 2010

Facebook Down!

Just a quick lunch-time check-in to Facebook. And what do I see? It's down due to an internal misconfiguration.

Just imagine how much it costs a minute for a site valued at $35 billion to be down.

OMG got to post this on Facebook.... oh wait...

Tuesday, September 21, 2010


Most important part of the workout: looking good!

Saturday, July 31, 2010

Defcon 2010 badge

My colleague Ryan geeking out with the infamous "ninja badge".

Look how happy he looks!

Anybody want to place a bid?  I can get it while he is asleep....

Sunday, July 11, 2010

DHS Anti-terrorism technology examined

Together with my (second) erroneous ID card, I got this cool envelope from the "Department of Homeland Security".

It mentions:
"We recommend use of this envelope to protect your new card and to prevent wireless communication with it."
And the same message in Spanish.  Because, of course, every "alien" speaks Spanish.

I have a few questions surrounding this:

  1. Why on earth is my card even capable of "wireless communication"? Do I really want my personal information to be read remotely? Who thought this was a good idea? The rest of the US bureaucracy is stuck in the stone age, but somebody thought that a contact-read card with an RSA-encoded chip would not have been fancy enough.
  2. Tinfoil. Seriously? Billions of dollars in funding, and the technology that keeps us safe from terrorists stealing our identity is the same stuff your parents packed your sandwiches in?

We're all gonna die.

Sunday, June 20, 2010

Your mandatory guide to being a profitable citizen

The article "Pitfalls of credit reports" touches on many points that everybody has suspected for a while:

"While this does punish profligate spending on credit, it also discourages full payment of debts. The FICO score increases if a cardholder keeps spending on credit, paying the minimum balance and taking as long as possible to pay off the full amount."

It is your duty to maintain maximal profitability. You are to be in a constant state of debt, not so much that you can't repay it, but enough so you keep on paying until you die.

Failure to comply will result in harsh punishments: Existing loans and mortgages will jump in costs. Getting a job will be a lot harder.

Thank you for complying.

Should you have any complaint, feel free to call the automated help system, where you can leave a message. It's extremely unlikely that a human will ever take the time to listen to it, and nearly impossible to get action taken on it.

"There is, however, one way to ensure that a complaint is viewed in detail: According to the TransUnion employee handbook, politicians, legal workers, professional athletes and entertainment celebrities are to be given special treatment."

If you are important enough, we might listen to you. Or if we really think you may sue us.

Personally, I think I am going to try telling them that I am a lawyer.

Saturday, June 12, 2010

Apple needs a new porn filter!

Not so long ago The Steve himself declared that all porn applications are banished from the App Store.
You know, it's a moral "OMG THINK OF THE CHILDREN" thing.   We wouldn't want Apple to be thought of as peddling porn!

Then there is this:

Yes, good old Playboy still has their app. There is no way this is by accident:
  • Playboy is the "EICAR test" of porn blocking. IT geeks type "" in a browser whenever they want to test if the "nannyware" system that HR made them install is actually working. What Coca-Cola is to soda, Playboy is to porn.
  • It has a 7+ rating
  • It warns for "Frequent/Intense Sexual Content or Nudity".  
  • There's "feed Africa"-sized cleavage on the main screenshot

Shame on you, Steve. You tricked me. You told me that the App Store was safe! Now my innocence is lost forever.

While on the subject, can anybody explain to me why looking at mammary glands on my iPhone is bad when those pixels are generated by an application, while they are perfectly OK when watched in full motion video:


Thursday, June 3, 2010

The futility of data analysis

Just saw this on one of my favorite sites:

How to Encrypt and Hide Your Entire Operating System from Prying Eyes:

"Over the years, we've written about loads of different ways to hide and encrypt your private data from others, but if you're really serious about protecting your data, you can actually hide your entire operating system. Here's exactly how to do it.

To accomplish this task, we'll be using TrueCrypt, our favorite free and open-source disk encryption software that runs on all platforms, supports hidden volumes, and can even encrypt your entire hard drive."

In short, these are easy-to-follow instructions on getting a fully hidden OS on your system, protected by industrial-grade encryption. And it includes a fully functional "decoy OS", so when somebody puts a (legal) gun to your head, you can give them a second password and have a totally believable alternative to your real installation.

This has been possible for quite a while now, but seeing it explained in easy-to-follow steps on a mainstream site is another tipping point passed.

Game, set, match.

Can somebody explain to me why we still have laptop inspections in airports?  Does anybody believe that any TSA agent is going to be able to discover this system?

Tuesday, April 13, 2010

DirecTV tells me I'm not to be trusted!

I just discovered "DirecTv2Pc", an application that is supposed to let you display your DVR'd content on your PC. After an exciting download, I ran the installer.

Note that the installer doesn't install; it "verifies and assists" the poor hapless user in making sure his system is blessed enough to receive the holiest of holy (a.k.a. last night's episode of "Dancing with the Stars").

Can you guess what the result was? Both my high-end gaming laptop and my shiny new Windows 7 system were deemed unworthy.

But no worries, there was a link to fix the problem! Let's see, I only need to  "upgrade" my graphics driver... and graphics card... and monitor.  And while I am at it, also the cable and connectors.

The "Joe User" in me thinks immediately: Wait a second, this is the exact same machine which smoothly runs Hulu. And Netflix.  And DVDs. And games.  Oh! And high-def movies rented from iTunes.

In short, the real reason that DirecTV wants me to burn several hundred dollars on new hardware is not to increase performance for me. It's to add copy-protection (user restriction) features for them!

This is a great example of the fallacy of DRM:  I can download and view a pirated copy of any blockbuster movie in a blink, but I can't watch legitimate content that I paid for.  Wonder what the moral lesson here is?

Oh... I just noticed that my DirecTV contract is almost up for renewal... Maybe that dish can be a nice bird bath for the garden?