CAPTCHA Strippers

Interesting twist to CAPTCHA attacks against Yahoo!:

The novel system for getting round Captchas uses images of a woman called “melissa” who invites victims to decipher the scrambled text. Entering the correct text produces another image and another chunk of scrambled text.

If you can recognize a scramble of characters and enter them properly, you can get an image of a person on the screen to disrobe.

Trend Micro has a complete description of the Melissa attack, called TROJ_CAPTCHAR.A, including pictures of the model in various states of undress.

May I propose, as a counter-offensive (no pun intended), that images of naked or scantily clad people be unrestricted on the Internet, thus reducing this incentive system? What? Don’t like the trade-off? We aren’t safer if everyone is naked?

Gatwick Airport Fails to Mind the (Time) Gap

A fine example of modern engineering:

Gatwick airport was in chaos yesterday when computers failed to recognise the end of British summer time. Arrival and departure times for hundreds of flights were advertised an hour late after the UK’s second biggest airport ignored the return to Greenwich mean time. Flight times were also published incorrectly on Teletext, Ceefax and the Gatwick website. Airport spokesman Stuart McDonald said: “It should have been automated. I have never heard of this before.” The error was noticed at 6am, but technicians were not able to reset the airport’s clocks until late in the afternoon.

Chaos? There is no mention of it on the official GAA website. Would you trust your identity, let alone your life, to systems that can not keep time accurately? If this can happen at the busiest single runway airport in the world…

I love the “never happened before” argument, as if the positive spin of hopeful expectations should somehow be equal to the science of predictability. It makes the “solutions-oriented” tone of the GAA Corporate Responsibility report even sweeter.

Nimrod Security

I used to know a guy named Nimrod. I always assumed he was teased a lot as a child because the word carries a negative connotation in American english. No one wanted to be called a nimrod. It was a bit like being called a dimwit. I quick search uncovered that Nimrod could also be a biblical reference for some, but right next to the term “hunter” is the informal definition of “person regarded as silly…” attributed to Bugs Bunny teasing Elmer Fudd. That explains it.

Anyway, the RAF has a plane unfortunately with the same moniker as Elmer Fudd that is under investigation for safety flaws.

Chief of the Air Staff Air Chief Marshal Sir Glenn Torpy said a routine air-to-air refuelling had taken place just before a mayday call was received.

Indications are a technical problem was linked to a blaze, he told Channel 4.

“We have definitely got an early report that the pilot reported a technical problem connected with fire,” he said.

One could probably assume that intelligence officers in a plane have a good idea of how to report a problem accurately.

However, aside from the name, the thing that caught my attention was the weak logic used in a statement by the Ministry of Defense (MoD) to play down safety concerns:

The MoD said in response: “RAF Nimrod aircraft are designed and certified to strict airworthiness and safety standards.

“If we didn’t have confidence in the aircraft, we would not continue to fly them.

“Nimrod has a good safety record and remains a potent and respected aircraft.

Note the second sentence. Confidence = safety. See anything wrong? Things should not be said to be safe because we are confident that they are safe, we should be confident because they are safe by an independent measure that we can explain. The question remains, is there a risk of fire and if so is it an acceptable one?

The prior sentence is probably meant to address this somewhat by pointing out that planes are “certified to strict…safety standards”. Fair enough, but do those standards require fire suppression? Things are not safe because of confidence in prior certifications, but because they are actually safe by the latest certification standards.

The question is really whether a fuel leak is cause for concern on the Nimrod. Satements by the MoD that they are confident in the current aircraft does not directly answered whether a fuel leak is cause for concern for others.

The father of one of the service men killed in a Nimrod accident has tried to uncover the gap:

“BAE Systems also did a safety report in 2004 saying there were areas of concern.

“If there was a fire there would be no way to extinguish it, the report said.”

Strange. Why would a fire suppression be opposed by the RAF and how could it have been omitted from certification? Is there a weight concern? Complexity? Cost? Or maybe there is just no practical way to stop a fire once it has ignited. This reminds me of the TWA flight 800 disaster and how it must have impacted military review of aircraft:

Of the 11 TWA 800-related recommendations issued by the Board, four of them are in an open, “un-acceptable response” category. These four center on the issue of explosive ullage and potential ignition sources in the tanks. “We have not been satisfied with the responses received on the (recommendations) concerning the center fuel tank,” [Safety Board Chairman Jim] Hall said flatly.

“The bottom line in this whole area of fuel tank flammability is that the problem has been solved in the military,” Hall observed. “I mean, we fly our jets over Kosovo, we fly them over Iraq, and the military has addressed this problem,” he said.

On a complete tangent, Nimrod turns out to be a company that makes accessories for firefighters.

GPU used for password cracking

The graphics processing unit, or video card processor, has been unleashed on the lowly password:

Using an $800 graphics card from nVidia called the GeForce 8800 Ultra, Elcomsoft increased the speed of its password cracking by a factor of 25, according to the company’s CEO, Vladimir Katalov.

The toughest passwords, including those used to log in to a Windows Vista computer, would normally take months of continuous computer processing time to crack using a computer’s central processing unit (CPU). By harnessing a $150 GPU – less powerful than the nVidia 8800 card – Elcomsoft says they can cracked in just three to five days. Less complex passwords can be retrieved in minutes, rather than hours or days.

Exciting news for the the key management and cryptography industry. Gaming consoles are even more powerful than the high-end graphics and since they are increasingly capable of sharing information over the network with each other the power increases further. The positive angle on this should be that passwords may be so hopelessly irrelevant to security that they will usher in a new generation of authentication. The negative angle is the brewing fight and power-struggle for control of identity and privacy infromation. Secrets have a nice level of anonymity that stronger authentication could diminish.