This seems to be pretty basic and obvious, but a the first rule about keeping a secret is don’t tell people. Frankly, I think Dan should be pretty happy that the details about the DNS vulnerability he discovered took this long to emerge publicly. As he pointed out, 13 days are better then zero. Continue reading
So I was flying out of LaGuardia, NY (LGA) this morning on my way home to San Jose, Ca (SJC). After checking in, I was directed by the nice woman at American Airlines to take my checkin bags to the x-ray machine.
There were a lot of bags piling up at the machine and 2-4 TSA agents processing the bags thru the x-ray machine and loading them onto the conveyer belt to the plane. What struck me odd though was that none of the TSA agents actually sat at the x-ray machine console to examine the x-ray images of the bags!
I watched for about 10 minutes as the rest of my party went through the long lines to get their boarding passes. Every few minutes one of the TSA agents would press a button on the computer to restart the x-ray machine and/or check off a form on a piece of paper. He or she would sometimes look at the computer screens for a few seconds, but anywhere from 5-15 bags would be processed in between… hardly enough time for the TSA agent to be able to examine the bags for any dangerous items or contraband.
So just about every website/company I do business with that requires an email address, I use a unique email address. The email address takes a very simple form: <company name>@synfin.net. The most important rules is that these email address are never used anywhere. So when I noticed I started getting spam to the email address for www.mytreo.net (no I still won’t post it so that spam harvesters can get it, but you can probably guess what it is), it would appear one of two things have happend:
- The people behind www.mytreo.net sold my email address to someone and at some point it was given/sold to a spammer
- Someone hacked the www.mytreo.net servers and dumped all the email addresses for all the registered users
If someone has a 3rd idea why, I’d love to hear it.
So I just finished voting here in San Jose using one of those Sequoia machines (same as last year). My in person impression hasn’t improved any.
1. Having to check all your votes twice (once on the screen and again on the paper printer) is a pain in the ass. Between state, county and city offices, bonds and measures it’s not only tedious to check, but error prone- especially since I don’t memorize whom I’m going to vote for in each race.
Ironically, the sample ballot that they mailed me was much simpler to use (just connect the arrow next to what/who you want to vote for), easy to verify, count and recount. And it takes a lot less time to vote since you don’t need to double and triple check that the machine didn’t screw up.
2. More importantly though, while the poll workers try to be helpful, they’re just not trained well enough. I was appalled to over hear one worker tell another how she removed the security sticker to open up the machine to “fix it”. Now, while she probably is honest and didn’t tamper with the machine (no way for me to prove otherwise), she now has violated the trust model of the election for that machine. The issue is that by breaking the security sticker, nobody can detect if anyone else tampers with the machine.
Unsurprisingly, the poll worker thought it was perfectly OK for her to break the seal and put it back in service, because she didn’t tamper with the machine. Aren’t there enough voting machine irregularities without the poll workers contributing to the problem?
Let’s see, a guy walks into the DHS HQ with a fake Mexican ID which even if it was real wasn’t considered valid identification. So what do the rocket scientists for security do? Why they let him in of course!
Now of course, the fake ID was really good. You’d have to be a real expert to pick up on subtle mistakes like stating Tijuana is in Brittish Columbia (B.C.), claiming to live on “123 Fraud Blvd.” and misspelling “Staton Island, N.Y.”. Yep, I can really understand how the crack DHS security force could let such an well forged ID through the front door.
The good news? “DHS is following up on these allegations and will take necessary actions to ensure there is not another occurrence of this type”. I know I’ll sure sleep better knowing they’re on the case!
I dunno, I should be shocked (shocked I say!), but I’m not…
Every so often, the US Copyright Office takes comments regarding the DMCA (the law which makes it a crime to use products you paid for in ways other then the creator intended). Most recently, Sony-BMG (a member of the RIAA) added DRM technology to music CD’s (actually, technically, they’re not a real music CD because of the DRM, hence they don’t carry the CD logo) which ended up creating a security hole on people’s computers. This security hole was then abused by other people (criminals to be precise) to break into those computers.
In response, people like Ed Felton requested the the USCO grant an exception to the DMCA which would allow users to remove DRM software which caused harm for the end users. Others asked for an excemption which covered DRM which, “employ access control measures which threaten critical infrastructure and potentially endanger lives.”
Sounds pretty reasonable right? Apparently though the RIAA doesn’t think so.
I seriously doubt it. First, there are technical reasons for this, namely each exit node would need to have their own policy since some operators would want very strict polices and others more open policies. Pushing knowledge of that policy to the rest of the network to make routing decisions would be very complex and incurr high overhead on a system which is by it’s nature not very efficent.
Secondly, adding additional monitoring to an anonymity system is just ass-backwards. The whole point of Tor is to allow people to be untraceable and access content that they normally are unable to access (get around filters) or unwilling to access if it was known they were accessing it. Actively monitoring anonymity systems reduces the effectiveness of the primary purpose of the system.
Lastly, most attack monitoring systems are simply ineffective out of the box. They require extensive configuration and tuning, something that a Tor node operator either has no interest, time or expertise to do.
Well I finally got a real SSL certificate, signed by a trusted CA for www.synfin.net. For less then $20/yr no more annoying popups in webbrowsers, mail clients or my Treo. Anyways, overall I’ve got to say that GoDaddy made the process pretty painless and quick. So far I’ve tested Firefox and Safari and both seem to be happy with the cert. Two thumbs up.
One thing to note, if you’re grabbing the tcpreplay source from SVN the SSL Certificate has changed. If anyone knows how to pass in a certificate chain file for svn let me know.
Well I finally got sick of writing custom code/templates (I’ve used static files using templates/Makefiles as well as dynamic pages using Perl/HTML::Mason). While I’m quite proficent with Class::DBI and PostgreSQL, it just wasn’t worth the effort of writing all the administrator forms for managing content.
I had a few major requirements:
- Secure and actively maintained
- Themeable so I can make it look like I want to without too much work
- Decent admin forms for managing posts and comments
- Can be hosted on my personal server on synfin.net
Hence, I tried Blogger. But wtf? They support sftp (secure ftp over ssh) but their website doesn’t support SSL. So while they can login securely to my server, I have to send my username/password in clear text to them? You would think that now that Google has bought them, with all their PhD’s they could figure out how to purchase a SSL certificate and load it on their webserver…
Anyways, so then I started looking at code I could maintain myself. After much research, I ended up with WordPress. I’m not thrilled it’s written in PHP and uses MySQL; both of which I personally think suck from a developer perspective, but that doesn’t prevent people from writing decent apps it seems.