Category Archives: Security

US education sites make Chinese network security look good

While reading about proxy abuse I noticed someone on Digg pointing out some disturbing security issues at a “liberal arts” college in the US:

Using proxies and other methods to bypass firewall restrictions, etc., isn’t just useful for viewing Myspace. I’m about to graduate from a liberal arts college with Baptist affiliations. When I started school here, it was a well-regarded school in the South, and the religious convention was only loosely associated with it. Then the fundamentalist cultists came along, and that all changed. Now, the school uses its IT dept. not to set up decent Internet access or upgrade computers, but to block methods of reaching the anti-administration forum that was set up by students.

Over 80 faculty and staff have been terminated, forced into retirement, or have resigned because they couldn’t stand to see the school turned into a Southern Baptist madrassa. Guess I’m venting, but when college administrators lie, violate SACS policies with impunity, and destroy academic freedom, even a dinky little proxy is a satisfying (but small) way to speak out.

What’s the matter with education in the US? Here is another example:

While students in campus-owned housing are living with mold, rats, and other dangerous conditions (due to a lack of funds, according to res-life), our tuition money is now being spent on appliances to actively support the RIAA and MPAA, two private entities which have no legal authority. Additional money is being spent on hardware to actively block Access Points on campus, which unfortunately blocks APs for off-campus residents in the surrounding neighborhood as well. Due to a lack of response from [the VP of IS], this situation is now being reported by the victim to the FCC and other state and federal agencies as we speak, as this is completely illegal per Title 18 of the COMPUTER FRAUD AND ABUSE ACT and referenced multiple times in the USA PATRIOT ACT.

I also keep hearing about translation tricks, both language and format (e.g. fetching a blocked page through a web translator, or requesting its mobile-device version, so that the request goes to a host the filter does not block). I’m not talking about residents in Communist countries learning English; I’m talking about Americans using foreign languages to evade corporate-controlled information feeds to read the news. Even an attorney I met at a social the other day told me s/he was using it to bypass a firm’s overly harsh restrictions on browsing.

Kittens and security

I’ve mentioned before how information security folks seem to always prefer cats to dogs. Now Microsoft Research has announced a CAPTCHA-style test (Asirra, a “HIP” in their terminology) that relies on humans being better than computers at telling the two apart:

But the truth about cats and dogs is that humans are much better than computer programs at telling them apart. Scientists at Microsoft Research developed a program that capitalizes on this ability. Twelve photographs of cats and dogs pop up on the screen, and users have to identify the cats (“You’re a human!”) or they won’t be allowed to proceed. On the Cal Poly site, this takes about 10 seconds.

This does not seem immune to relay (“farming”) attacks. In other words, attackers can forward the images to human “mules” and pay them a nominal fee to pick the correct answer and send back the results. So instead of using computer automation to reduce the cost of the attack, they find cheap human laborers, often unwitting ones. The next time you have to answer a human-verification test, ask yourself if you really know where the results are going.

The free program was rolled out two months ago, and several institutions are experimenting with it. A bonus for animal lovers: The photos come from a database of more than 2 million animals held by the adoption service Petfinder.com, and each one comes with a link that can lead you to adopt the pet.

It really does not seem new to me at all, especially given that relay attacks that defeat this class of test are already in the wild. Perhaps the novelty is in the mix of advertising/public message and human verification.

I couldn’t help but notice that Microsoft attempts to side-step this vulnerability by simply re-defining security terms to their liking.

A HIP is considered insecure if there is a way for an automated script to collect a large number of tickets without the commensurate human effort. Note that this definition also disqualifies attacks against a HIP that require computational effort as expensive as paying a human to solve the HIP manually.

Wow. You are no longer insecure if you just change the definition of the word. Perhaps Vista is secure now too because the definition of insecurity disqualifies “expensive” (as determined by Microsoft) attacks against it?

If they meant to say that human relay attacks are unable to defeat the system because of cost, then that is what they should have said, and then they should have tested or proved the point (or at least defended it).

For example, let’s say I set up a fake adoption agency and advertise to unwitting folks who want to see the cute pets and maybe look for one to adopt from my web-site. You look at cats for free; I collect the solved challenges and the tickets they earn. The well-intentioned “moral imperative” of the concept suddenly becomes its Achilles heel: it hands an attacker a plausible cover story for free human labor, which is exactly the cost reduction the definition above assumes away.

Ooops.

There is a further warning buried in the code. If you go to the Microsoft demo site and read the page source, you will find this comment:

// Note to anyone reading this code — this page, of course, is doing
// client-side validation, which is not secure. To implement a secure
// service, a server-side validation component is required. For an example,
// see http://www.asirra.com/examples/ExampleService.html.

Sounds like “Warning, this is not secure, but we’re hiding the warning because we want to give the impression of something secure to generate interest.” The technical point the comment concedes is worth spelling out: if the browser decides whether the visitor passed and simply reports the result, a script never has to look at a single picture; it just posts the success flag.
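To make the two points above concrete (a check done in the browser is no check at all, and moving validation to the server does not stop a human relay), here is an added toy model in Python. It is not Asirra’s or Microsoft’s code and does not follow their protocol; the image pool, the single-use HMAC ticket scheme, the blind bot and the “mule” oracle are all constructed for this example.

```python
"""Toy model of an Asirra-style image HIP, contrasting a page that checks the
answer client-side with a service that issues server-verified, single-use
tickets, and showing that a human relay ("farming") attack still passes the
latter. Added example, not Asirra or Microsoft code; the image pool, the
HMAC ticket format and the mule oracle are all constructed for this demo."""
import hashlib
import hmac
import secrets
import time

# Constructed sample pool: image id -> species. On a real service this answer
# key stays on the server; only the image ids/bytes are sent to the browser.
IMAGE_POOL = {f"img{i:02d}": ("cat" if i % 2 == 0 else "dog") for i in range(24)}


def insecure_gate(form):
    """Client-side pattern the demo page's comment warns about: the browser
    decides whether the user passed and posts a flag; the server trusts it.
    A script that never looks at an image simply posts hip_passed=true."""
    return form.get("hip_passed") == "true"


class HipServer:
    """Server-side validation: the answer key never leaves the server, each
    challenge is single use and expires, and success yields an HMAC ticket
    that the protected action redeems exactly once."""

    def __init__(self, key=None, ttl_seconds=120):
        self._key = key or secrets.token_bytes(32)
        self._ttl = ttl_seconds
        self._pending = {}   # challenge id -> (set of cat ids, issue time)
        self._redeemed = set()

    def issue_challenge(self):
        ids = secrets.SystemRandom().sample(sorted(IMAGE_POOL), 12)
        cid = secrets.token_hex(8)
        cats = frozenset(i for i in ids if IMAGE_POOL[i] == "cat")
        self._pending[cid] = (cats, time.monotonic())
        return cid, ids               # the labels are not in the response

    def verify(self, cid, selected):
        """Return a ticket for a correct, timely answer; None otherwise.
        The challenge is consumed either way, so a guess cannot be retried."""
        entry = self._pending.pop(cid, None)
        if entry is None:
            return None
        cats, issued = entry
        if time.monotonic() - issued > self._ttl or frozenset(selected) != cats:
            return None
        tid = secrets.token_hex(8)
        return tid + "." + self._mac(tid)

    def redeem(self, ticket):
        """Protected action: accept a ticket once, and only if its MAC is genuine."""
        tid, _, mac = ticket.partition(".")
        if not hmac.compare_digest(mac, self._mac(tid)) or tid in self._redeemed:
            return False
        self._redeemed.add(tid)
        return True

    def _mac(self, tid):
        return hmac.new(self._key, tid.encode(), hashlib.sha256).hexdigest()


def human_mule(ids):
    """Stand-in for a person looking at the pictures (constructed oracle)."""
    return [i for i in ids if IMAGE_POOL[i] == "cat"]


def blind_bot(ids):
    """No vision and no answer key: selects everything and hopes."""
    return list(ids)


def relay_attack(server, solver):
    """The fake adoption site: pull a genuine challenge, show the pictures to
    whoever turned up, forward their clicks, and keep the resulting ticket."""
    cid, ids = server.issue_challenge()
    return server.verify(cid, solver(ids))


if __name__ == "__main__":
    s = HipServer()
    print("bot vs client-side gate:", insecure_gate({"hip_passed": "true"}))
    print("bot vs server-side gate:", relay_attack(s, blind_bot))
    ticket = relay_attack(s, human_mule)
    print("relayed human vs server:", ticket is not None, "redeemed:", s.redeem(ticket))
```

The server-side version shuts out the blind bot and refuses replayed or forged tickets, which is the property the page-source comment is asking for. It does nothing against the relay: the mule’s clicks are indistinguishable from a legitimate visitor’s, so every ticket the attacker harvests is genuine. Only cost (how cheaply the attacker can find people to click) separates the two cases, which is why the definition quoted above has to rule cost out to call the scheme secure.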

Wonder if Microsoft is planning to track use through their web service and/or take a cut of the adoption fees. I smell a rat.

2007 Melges 24 Worlds

I wandered around the yacht club this Sunday, chatting with some of the local sailors in the Melges 24 World Championship. Sadly, I am unable to participate due to work obligations but some friends are doing very well. I would have been out sailing the A-Cat in yesterday’s absolutely ideal conditions but the organizers of the event had threatened me that they would “grind up” my boat if I did not move it out of the harbor (although I will still be charged the regular slip fees). Shame that people must act so hostile and primitive to feel that they are in control.

eric

Coconuts mandatory for Philippine diesel

Another example, this time from Reuters, of a country forging ahead with clean-fuel legislation that includes biodiesel:

The Philippines’ biofuels law came into effect on Sunday with little fanfare or information and only a partial rollout of the much-vaunted 1 percent coconut blend diesel.

Motorists were surprised to hear use of the cleaner fuel was now mandatory.

The government seems to have confidence in the ability of private industry to handle the education of consumers, once the law has nudged market forces back toward a more neutral position, one less dominated by petroleum-based interests.

Chemrez, the largest bio-diesel producer in the country, has some interesting data on their site:

The firm’s premium coco-bio-diesel brand, BioActiv, has been tested in various government and public laboratories worldwide and has been found compliant with accepted national and international standards for bio-diesel.

ChemrezTech’s successful completion and passing of the IMS certification requirements consolidated three aspects of manufacturing excellence: adherence to global quality standards, complying with environmental laws, regulations, and promotion of a safe and healthy working environment.

ChemrezTech is the first bio-diesel plant to get all three certifications and within the shortest time for all IMS-certified firms.

It should not take long for results, including new market opportunities, to come to fruition. I suppose many people had no idea how they could improve things on their own, but now they see a better path ahead, as the Reuters article points out:

Motorists said they would be willing to shell out extra if it meant less pollution.

“If it will serve the environment, why not?” said Jimmy Gochang, 70. “The air here is really terrible.”

Shell out extra? Funny. Not only will prices decrease, given the ubiquity of natural oils (the Philippines can also produce diesel fuel from sugar, jatropha, palm oil, soybeans and fishing industries), but local and global competition for transportation fuels is already fundamentally altered. For example, Chemrez benefits from the largest supply of coconut oil in the world as it now exports its diesel fuel to Germany.