Category Archives: Security

Bush appoints anti-consumerist to head consumer safety

According to the Stop Baroody site, another questionable decision about security in America is on the table:

President Bush has nominated Michael Baroody – one of Corporate America’s leading anti-consumer henchmen – to head the Consumer Products Safety Commission (CPSC) – our top government agency protecting millions of Americans from injury and death from unsafe products.

Some examples they provide are alarming:

During his tenure at NAM, Michael Baroody:

Fought to allow a higher level of arsenic in drinking water: NAM claimed that negligent manufacturers would feel a pinch in their profits if forced to prevent their waste products from poisoning local communities.
Arsenic is often found downstream from negligent chemical producers and users that knowingly try to bypass EPA Regulations – thus endangering all communities downstream. A deadly poison, even in the smallest amounts, it causes shock, vascular disease and a plethora of cancers in the body.

[…]

Worked to immunize corporate CEOs from criminal liability for marketing deadly products to the public, maintaining such actions might slow “productivity.”
As an example, knowingly marketing clearly defective bulletproof vests – leading to deaths of soldiers, police and elected officials – would not be a criminal act.

The Consumerist has this to say on the subject:

Baroody’s professional career consists mainly of PR work for major Republican candidates. Recently, he served as chief spokesman for the National Association of Manufacturers, a group the San Francisco Chronicle described as “an industry group that opposes aggressive product-safety regulation and punitive fines.”

The Wall Street Journal points out that he has been working against consumer security and safety since 1990, when he left the Reagan administration:

Mr. Baroody currently serves as Executive Vice President of the National Association of Manufacturers. He has been at the trade group since 1990. Mr. Baroody worked in the Reagan White House and served as assistant secretary for policy at the United States Department of Labor from 1985 to 1990.

I haven’t looked into it much yet, but I bet Baroody also was instrumental in trying to strategize against airbags in automobiles.

Reagan apparently fought alongside the automobile manufacturers and against the safety of consumers. His administration argued that airbag requirements were not going to help prevent deaths, but even more importantly (to them) they would prevent Chrysler and Ford from competing with import vehicles. Who can forget the date in history when Reagan was rebuffed and the security of Americans was upheld by a unanimous court:

1983: The Supreme Court rules against the Reagan administration and directs NHTSA to review the case for air bags.

[…]

1981: Under the anti-regulatory Reagan administration, NHTSA announces one-year delay of passive-restraint rule, proposes that it be rescinded altogether. [Transportation Secy: Elizabeth Dole]

Bush appears again to be using the spoils system to head backwards in time, at the expense of national security. This is like Bolton at the UN, Brown at FEMA, Wolf at the World Bank, Paige in education, etc.

Why is it that the Helen Petrauskases of the world rarely, if ever, get these types of appointments?

Her daughter, Laura Petrauskas of Troy, Mich., said her mother was committed to safety and to air bags and often talked about her work.

“A car is an awfully big purchase for most people,” the daughter said. “You’re producing something that is intrinsically dangerous, and you have a real responsibility to make it as safe as you can in those circumstances.”

Now that’s the kind of consumer safety champion who should earn the appointment, not just another Republican Party campaign manager and corporate lobbyist.

Quicktime/Java remote exploit announced

This is still in the early phases of discussion, but it seems Apple QuickTime has a vulnerability that may be remotely exploited to take complete control of an affected system. The flaw is related to Java processing and is exploitable by attackers to execute arbitrary commands on a vulnerable Apple OS X or Microsoft Windows system. Safari and Firefox have been confirmed as affected on MacIntel. The attack vector simply requires a user to visit a malicious HTML page in a web browser.

The only known workaround at this time is to disable Java.

This may be the Zero-Day that 3Com is promising to announce.

ZDI-CAN-190 Apple (CanSecWest Mac Hack) High 2007.04.23, 1 days ago

When We Two Parted

Yet another look at confidentiality and trust by George Gordon Byron, 6th Baron Byron (1788-1824)

When we two parted
In silence and tears,
Half broken-hearted
To sever the years,
Pale grew thy cheek and cold,
Colder, thy kiss;
Truly that hour foretold
Sorrow to this.

The dew of the morning
Sunk, chill on my brow–
It felt like the warning
Of what I feel now.
Thy vows are all broken,
And light is thy fame;
I hear thy name spoken,
And share in its shame.

They name thee before me,
A knell to mine ear;
A shudder comes o’er me–
Why wert thou so dear?
They know not I knew thee,
Who knew thee too well:
Long, long shall I rue thee,
Too deeply to tell.

In secret we met–
In silence I grieve,
That thy heart could forget,
Thy spirit deceive.
If I should meet thee
After long years,
How should I greet thee?
With silence and tears.

Cleverly worded thoughts about the controls and countermeasures of his relationships.

Fax hack frees prisoner

This story is so sad it is almost funny.

A prisoner in the US state of Kentucky was mistakenly freed after a phoney fax ordering his release was sent from a nearby grocery store.

One would think that, with all the money and time being spent on the prison system in America, someone would have anticipated this sort of attack vector.

The fax ordering his release claimed to be from the state supreme court, but was riddled with spelling errors and had no letterhead.

Hard to argue that spelling should be the litmus test unless someone can confirm that the court is religious about spelling, let alone grammar. Likewise, checking the source of the fax is useful only if that source is consistent enough to be checked and verified. Yet it is not terribly hard for someone to spoof the sender ID. What kind of grocery store has a fax available anyway?

The prison’s director said their policies do not require them to check the source of faxes.

“It’s not part of a routine check,” said Greg Taylor, “but certainly, in hindsight, that would perhaps have caused somebody to ask a question.”

Mr Taylor said spelling mistakes are common on court documents.

Well, exactly. If the normal routine is just noise, it is hard to tell someone to look for an attack signal. You generally want things to operate the other way around.

I think the real kicker of the whole story is the fact that the prisoner was just sitting at home, practically waiting for someone to find him:

Police found Rouse two weeks later at his mother’s house after prison authorities realised their mistake.

It took them two weeks to realize it was a mistake, or two weeks to find the 19-year-old sitting at home?