Category Archives: Security

Save the Library

Once again libraries are under threat of closure. It seems strange that a place of privacy protection and learning could lose support at a time when they are more relevant than ever.

Take the Netflix model of paying a nominal monthly fee in order to check out a movie, for example. Who wants a Netflix account when they could give the same amount to their local library and get far more in return? Libraries do information dissemination without the burden of trying to make a profit for their investors, which has come to mean they don’t have any incentive to track, collect and sell your identity information. They also end up allowing people to share access to a single license but, unlike Netflix, the license is technically owned by the viewers who share access.

Even more interesting is an idea that the notion of a library, as an exchange of information for public access, could be protected by law.

The Act says a local authority which is a library authority must “provide a comprehensive and efficient library service for all persons . . . whose residence or place of work is within the library area of the authority or who are undergoing full-time education within that area”. Its stock of “books and other printed matter, and pictures, gramophone records, films and other materials”, must be “sufficient in number, range and quality to meet the general requirements and any special requirements both of adults and children”.

That sounds like the library is the school. It might seem crazy to try and legislate the quality of information until you read how Isaac Asimov described the library in a letter to new patrons of one in Troy, Michigan:

Libraries are your best friend

An updated version is on YouTube from Piers Cawley, who wrote and performed a song called “Child of the Library” at OSCON 2011 and then received a standing ovation:

Free exploit automation: Pmcma released

Funny intro in the README

Is this tool for me ?
———————

[…]

As a script kiddie, you may have found a piece of code you don’t understand on the internet, but are nonetheless decided to go to jail.

In all those cases, and surely many others, Pmcma was probably made for you.

I think they mean that if you run Pmcma on code without authorization and get caught you will go to jail. The decision to go to jail? That sounds like a protest. I don’t think that fits with the motive of someone who wants to run scripts in the sense of a “kiddie”. Perhaps it could be translated into French like this:

En tant que pirate adolescent vous voulez tester le logiciel sur Internet et ne se soucient pas d’aller en prison. (Roughly: as a teenage hacker, you want to test the software on the Internet and don’t care about going to jail.)

Ok, that’s my attempt at Canadian French, but still… I put the emphasis on being unaware of consequences rather than making it a decision to go to jail.

Anyway, Pmcma offers to automatically write exploits for flaws it finds in software (given it has root privilege) without the need for source code.

Restaurants That Stalk Online Commenters

Interesting quote from the owner of a San Francisco restaurant.

Weinberg says in her blog that: “With a bazillion places online to tell us how badly we sucked, we do take it very personally”. “We scour the sites, cyber-stalking our customers.” She isn’t joking about the cyber-stalking.

When they see a negative comment, Weinberg and her team will track the customer through cyber-space to see what other restaurants they frequent and how they have rated them, before determining whether the complaint should be taken seriously. If they get the feeling that something should change, they change it. “Both online comments and in-house feedback usually reflect if the menu needs tweaking,” she says.

It sounds like they take the comment seriously because they take the trouble to track the customer. Then they determine whether it is a false positive. What restaurants need is something like a behavioral index tool. In other words, they could save a lot of time if they had a simple reputation engine that gave them a score for an identity based on a list of other restaurants with comments from the same identity. Then they wouldn’t have to take every negative comment seriously, only the ones from identities they “respect”.

Then again this indicates a serious logical fallacy as a filter. It begs the question of how they respond to comments from identities they can recognize even without tracking them. Do they think it’s wise to judge the person before they listen to the message?

What if they designed a filter instead to be based on details of an event? When a commenter gives specific feedback about a taste, a detail that only a real patron could know, then they would know to take the comment seriously. A generic comment would be ignored. The flip side of this is that the restaurant would have to accommodate change in their menu and/or service to allow comments to be unique.

If they serve up a hot dish of key management, so to speak, then they can easily track the day and time the customer ate, and they can focus on the facts of the comment rather than the person writing it. A win-win: valuable feedback for restaurants and freedom (from stalkers) for their customers.
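As an added example (not from the original post or the restaurant in question), here is one way to make that “key management” idea concrete: the restaurant prints a short keyed token on each receipt that proves a visit happened at a given time and table, without saying who paid. A commenter who quotes the token can be tied to a real visit and its day/time; comments without one are simply routed to a lower-priority queue. The key, the helper names and the sample comments are all constructed for this example.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed placeholder key for the example; a real deployment would load it
# from a secret store and rotate it, never embed it in source.
RESTAURANT_KEY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
)
TOKEN_TTL = timedelta(days=30)   # how long after a visit a receipt token stays valid
MAC_HEX_LEN = 10                 # 40-bit truncated tag: short enough to print and type


def utc(y, m, d, h=0, mi=0):
    """Convenience constructor for a timezone-aware UTC datetime."""
    return datetime(y, m, d, h, mi, tzinfo=timezone.utc)


def _mac(key: bytes, stamp: str, table: str) -> str:
    """HMAC-SHA256 over the visit details, truncated to MAC_HEX_LEN hex chars."""
    msg = f"{stamp}|{table}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:MAC_HEX_LEN]


def issue_receipt_token(key: bytes, visit_time: datetime, table: str) -> str:
    """Token printed on the receipt: <UTC minute>-<table>-<mac>.

    It binds only the visit (when, which table), not who paid, so a commenter
    who quotes it proves presence without exposing identity. Table ids must
    not contain '-' because the token is split on that character.
    """
    stamp = visit_time.astimezone(timezone.utc).strftime("%Y%m%dT%H%M")
    return f"{stamp}-{table}-{_mac(key, stamp, table)}"


def verify_receipt_token(key: bytes, token: str, now: datetime):
    """Return (ok, reason, visit_time). Checks format, then MAC, then freshness."""
    parts = token.strip().split("-")
    if len(parts) != 3:
        return False, "malformed", None
    stamp, table, mac = parts
    try:
        visit_time = datetime.strptime(stamp, "%Y%m%dT%H%M").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "bad timestamp", None
    # compare_digest avoids leaking which hex digit mismatched via timing
    if not hmac.compare_digest(_mac(key, stamp, table), mac):
        return False, "bad mac", None
    if visit_time > now:
        return False, "visit in the future", visit_time
    if now - visit_time > TOKEN_TTL:
        return False, "expired", visit_time
    return True, "ok", visit_time


def triage_comments(key: bytes, comments, now: datetime):
    """Split comments into those tied to a real visit and the rest.

    Each comment is a dict with 'text' and an optional 'token'. Verified
    comments carry the visit time so staff can check that day's menu and
    service instead of investigating the person who wrote the comment.
    """
    verified, unverified = [], []
    for c in comments:
        ok, reason, visit_time = verify_receipt_token(key, c.get("token", ""), now)
        if ok:
            verified.append({"text": c["text"], "visit": visit_time.isoformat()})
        else:
            unverified.append({"text": c["text"], "reason": reason})
    return verified, unverified


if __name__ == "__main__":
    now = utc(2011, 6, 10, 12, 0)
    real = issue_receipt_token(RESTAURANT_KEY, utc(2011, 6, 1, 19, 30), "12")
    # constructed sample comments: one with a valid token, one without, one tampered
    sample = [
        {"text": "The risotto was under-salted on Wednesday night.", "token": real},
        {"text": "Worst place ever!!!"},
        {"text": "Great wine list.", "token": real[:-1] + ("0" if real[-1] != "0" else "1")},
    ]
    verified, unverified = triage_comments(RESTAURANT_KEY, sample, now)
    print("verified:", verified)
    print("unverified:", unverified)
```

The tag is truncated to 40 bits so it fits on a receipt; that is plenty against casual forgery as long as the comment form rate-limits attempts, and the TTL bounds how long a leaked token stays useful. Nothing in the token names the customer, so the restaurant gets the visit facts it actually needs and nothing it would be tempted to cross-reference elsewhere.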

And just for reference, here is the restaurant owner’s FAQ, which might give you some insight into what she really thinks when people comment…

Q. Wow, Anna did you notice how big this space is? That’s a ton of seats to fill…

A. Yes a#$%##e I noticed how big it is.

Q: It really doesn’t look like you will be done by September. Or even this year.

A. Yes a###%^^e I noticed we are a little behind.

Q: Isn’t it like, impossible to find this many good staff?

A. Yes a$%$&&hole. It’s very hard to find good staff these days.

Q: Is that where the bar is going?

A. Yes a$$%%@e, that’s where the obviously brand spanking new bar is going. It’s right there in front of you.

Cisco Sued for Aiding Chinese Authorities

The New York Times reports that a human rights advocacy group has filed a complaint in reference to Cisco network surveillance product marketing material.

The group’s evidence includes documents that the group says were part of Cisco’s marketing pitch to Chinese organizations and government agencies, including a page from a PowerPoint presentation boasting that Cisco’s technology can “recognize over 90% of Falun Gong pictures” in e-mail traffic. Another document, which the group says was used by Cisco’s sales teams, described a broad public security database that would contain information on Chinese citizens, including “key personnel of ‘Falun Gong’ evil cult organization.” That database would in turn be connected to a system of firewalls and monitoring systems that could be used to filter content that the Chinese government considers to be sensitive.

There are many odd details in this case. Why would Cisco make a direct reference to Falun Gong instead of an indirect reference, for example? Did they have to say Falun Gong pictures could be recognized? That seems unusually tailored for a customer pitch. And why would Cisco be headed into this market/sales pitch when they are at the end-of-life for their entire security product line (MARS, ASA, etc.) everywhere else? But the much larger question this case raises, beyond any specific presentation or sales pitch, is whether any tech company could be sued on the same basis for selling to the Chinese.