All the Defcon 18 talks are now available via their website. I recommend browsing through them and seeing if there is anything that sounds interesting. There were some top notch presentations this year, that’s for sure.
Tag: Security
What’s My Excuse
I’m sure everybody who reads this site regularly is wondering what my excuse is for having no real updates for three days. My excuse is simple: my company sent me down to the ASIS International security trade show in Dallas, TX. Let me tell you there was some cool stuff there as well. I talked to representatives from Shot Spotter, Insight, Secure Shield, several bullet-resistant armor manufacturers, and a couple of firearms training companies.
I’m not going to go into detail on everything I learned but I will say the show is very interesting and certainly an authoritarian’s wet dream come true (I’d bet there were more cameras on display there than set up on the streets of London).
Since the Shot Spotter technology interested me most (as that system is set up in Minneapolis) I’ll post what I learned there. First and foremost all this talk about the system being able to tell the difference between a 9mm, .40, and .45 is malarkey. The system can tell the difference between a handgun and rifle but it can’t tell you what caliber was used.
The system also doesn’t work by detecting sound as I originally thought. The Shot Spotter system detects shock waves emanating from firearms and explosives. When a shock wave is detected the system uses 16 criteria (which the company representative wouldn’t go into detail on) to determine what the source of the disturbance was. Shot Spotter also has an API which can be used to tie in things such as cameras. This was recently used in Minneapolis: when the system picked up gunfire, several cameras in the area were automatically turned towards the source via the Shot Spotter API.
I was surprised at how few sensors were needed to cover Minneapolis. Only 16 (seems to be a popular number with this system) sensors are spread throughout Minneapolis and seem to have good coverage. From what I’ve learned it seems firearms with a lesser shock wave would be more difficult to detect. I’m wondering whether rounds that don’t surpass the sound barrier or firearms equipped with suppressors would be detected correctly.
Either way it was an interesting show.
Facebook Fraud
A strange thing is happening on Facebook. Out of nowhere all these attractive women with profile pictures of themselves scantily clad want to be my friend. Obviously I’ve become a hot commodity all of a sudden which I can understand being awesome and all.
Of course I’m a big believer in, “If you’re going to do fraud do it right.” I’m sorry I can’t bring myself to believe that the girl in the profile picture graduated college in 1978. If that’s the truth then plastic surgery has really advanced in the last couple of years.
This raises the question: why the sudden surge of random people trying to add themselves to my friends list? Well, Occam’s Razor states that the simplest explanation is usually the best one and that holds true here. These fake friend requests are most likely attempts at identity theft. Many people put a lot of personal information on their profiles such as their home address, phone number, and place of work. All of these pieces of information can be useful in stealing a person’s identity.
If you’re going to use these types of social networking sites be careful. Remember not to post any important personal information such as your home address and don’t add people to your friends list unless you know them. The weakest link in any security system is the people. Social engineering can be used with far better results than physical hacking as people are generally very gullible. Having a healthy dose of paranoia isn’t a bad thing.
Herp Derp
Seriously whenever I hear somebody go on an anti-gun rant anymore all I really hear coming out of their mouths is, “Herp, derp, duuuhhhrrrr, I… like… turtles.”
A college student tries to make an argument against campus carry and ends up sounding a little… special:
The students and faculty on any campus should strictly focus on academic pursuits. Security teams hired by the college should likewise focus on the constant protection of those students and faculty. We all have a role in the big picture.
Yes students and faculty should strictly focus on academic pursuits and not even venture into developing a social life, exercising, working a job to pay rent, etc. The remark about the security team is where I felt this student went a little retarded. By that very logic nobody would need to carry a gun because the police will protect you! Of course the police can’t be everywhere and neither can a campus security team which is why the phrase, “When seconds count the police are only minutes away” was coined. In a situation involving a crazy asshole shooting up a campus you don’t have time to wait for a security team if the crazy asshole happens to be in the same classroom as you.
It isn’t logical to deploy a security force on a college campus whose mission is to provide a safe environment only to minimize their ability by disarming them.
Who in the fuck said anything about disarming the security teams on campus? Allowing concealed carry on campus means students and faculty can carry firearms, it doesn’t require the on campus security teams be disarmed in the process.
There are college campuses of various sizes all across the country that have professionally-trained and properly armed officers on their security teams.
And there are campuses in the country that allow students and faculty to carry their firearms on the premises. How many school shootings have you heard of occurring in Utah?
The Students for Concealed Carry on Campus is a grass-roots organization that supports concealed carry. Their website lists a number of “common arguments” for allowing licensed adults to carry on campus. They attempt to answer each argument with a very rational explanation. It really is just rationalization. That’s what I mean when I say there are two sides to the issue.
Ah yes the argument of an anti-gunner, “The other side is just trying to rationalize their side of the argument by using stupid facts and logic and other stuff that hurts my brain. I, being anti-gun of course, don’t rationalize my beliefs and just tell you you’re wrong if you disagree with me because seeing guns makes me lose control of my bowels.” Let’s look up rationalize in the dictionary:
- apologize: defend, explain, clear away, or make excuses for by reasoning; “rationalize the child’s seemingly crazy behavior”; “he rationalized his lack of success”
- cut: weed out unwanted or unnecessary things; “We had to lose weight, so we cut the sugar from our diet”
- structure and run according to rational or scientific principles in order to achieve desired results; “We rationalized the factory’s production and raised profits”
- think rationally; employ logic or reason; “When one wonders why one is doing certain things, one should rationalize”
- remove irrational quantities from; “This function can be rationalized”
Looking at the various definitions it seems rationalization is what you want to do. At least I prefer to remove irrational quantities and think rationally by employing logic and reason.
Regardless of any rationalization by the SCCC, allowing more guns on campus will logically result in a higher probability that a gun will be used against the campus population.
Utah… look it up. After you do tell me how many mass shootings have occurred on their campuses since they enacted their law allowing students and faculty to carry firearms on campus.
According to SCCC data, about 10 percent of adults are licensed and carry concealed guns nationwide. If I knew one out of every 10 people on campus was packing heat, I would be distracted—period.
That’s your problem—period. If you’re distracted by the thought of law-abiding citizens carrying firearms you should be distracted by the potential people currently carrying guns on campus illegally.
It’s one thing for someone to take the state’s course to become licensed. It is something else entirely to predict how a student with four hours of safety training will react under fire.
They’ll react a damned sight better than a student under fire without any means of self-defense that’s for sure (and by that I mean they’ll have a chance at staying alive).
Students and faculty carrying concealed guns would be no less vulnerable to the crazy, armed madman who comes on campus bent on destruction than they are now. There would just be more guns involved, more bullets flying and a greater probability that someone is unintentionally injured or killed.
Actually they are less vulnerable because they have the means of stopping the crazy, armed madman. Having a concealed weapon doesn’t mean you are impervious to bullets, it means you have a chance to fight and win. That tipping of the scales further into your favor does make you less vulnerable.
Honestly, no one would expect a 22-year-old accounting major to suddenly transform into a commando and make all the right decisions in a “kill or be killed” situation that could easily be over in less than a minute.
No one does expect a 22-year-old accounting major to suddenly transform into a commando. You don’t need to be an elite commando to put two rounds into another man’s chest. I also love his optimism that the campus security teams will be able to end the situation easily in under a minute. Are they always geared up and do they have teleportation devices on their persons?
I can’t buy the concept that someone with no experience of defending himself against violent crime can suddenly protect himself and others, just because he is the one with the concealed gun.
Strangely enough many people with concealed carry permits also take additional training in self-defense. Even if they don’t having a firearm at least evens the odds of survival which is the whole fucking point.
I don’t want that pressure on me, and I don’t want to put it on my friends and professors.
Maybe you should stop to consider the fact that your friends and faculty may want that “pressure” (pressure to have a means of fighting back that is). If you don’t want that pressure that’s fine, nobody is making you carry a firearm. It’s not called mandatory carry, it’s a choice you can make and those who advocate for campus carry simply want that choice.
I am a big fan of the U.S. Constitution.
You can’t go on an anti-gun tear and then say you’re a fan of the United States Constitution. That’s an oxymoron if there ever was one.
There is not a more civilized place to be than on a college campus. That said—I like to think we have a better chance of remaining civilized and safe, if we don’t get used to the “wild west” approach to campus security.
Yeah, because we know gun-free zones have never been locations of shootings… oh wait.
Be Careful What You Post Online
I’m sure some of you reading this enjoy the use of Facebook Places and Foursquare. I’m sure you also enjoy posting about future upcoming vacations and whatnot so your friends will be jealous of your sweet week in Hawaii. You’ve probably noticed by now that I don’t really post when I’ll be away. If there is some reason I’m unable to create new posts on here I’m vague as Hell as to why (maybe it’s a heavy work load, maybe it’s a vacation, who knows). This is the same reason I disable the ability for others on Facebook to check me into locations via Places and it’s because of smart assholes like these:
Nashua police are crediting an alert off-duty police officer who heard fireworks with cracking a burglary ring that targeted homes known to be empty because of Facebook postings.
Criminals being ever vigilant have been using peoples’ postings online to figure out when they were away from home so said criminals could break in and rob the domiciles. Granted most criminals are smart enough to watch a place to determine when a person goes to work or otherwise leaves home on a schedule but generally they can’t tell when somebody is leaving for an extended period of time. It’s information such as this that you never want to hand to the enemy.
DHS Network Security Failure
The Department of Homeland Security (DHS) apparently doesn’t practice what it preaches. The DHS is tasked with securing the computers and networks of other government agencies but is unable to secure its own network. The United States Computer Emergency Readiness Team (US-CERT) found 1,085 instances of security holes.
I guess good enough for government work has an all new meaning now.
What Parents Should Actually Worry About
Bruce Schneier’s blog has a link to an interesting article. Based on surveys parents were asked what their top concerns were involving their children. The top five were:
1. Kidnapping
2. School snipers
3. Terrorists
4. Dangerous strangers
5. Drugs
School snipers? It’s nice to know the concern is no longer mass shootings but individual snipers taking patient shots at individual targets. That’s certainly a relief. Oh, and terrorists made the list. This isn’t surprising but it should be. So what are the top five causes of children dying? Well nothing on the above list made the second list:
1. Car accidents
2. Homicide (usually committed by a person who knows the child, not a stranger)
3. Abuse
4. Suicide
5. Drowning
Funny that. Maybe parents need to learn some perspective.
It’s Not an Anti-Jailbreaking Patch
I don’t get the iPhone and anti-iPhone communities. Seriously what the fuck do either of these groups of zealots think? Oh that’s right they don’t. One side is rabidly for the iPhone and can find no ill-will in anything Apple does. The other side of the fence has the rabid dogs that can find no good in the iPhone. Personally I’m between the two (with a gun so I don’t get bitten of course) as I’m logical enough to find both pros and cons to the platform (although my main problem is with Apple’s draconian practices I fully admit it’s a very nice device).
Recently an exploit was found that allowed people to jailbreak their phone by visiting a website. A day or two ago Apple finally released a patch that fixed that vulnerability and now the anti-iPhone zealots are claiming they only patched it to stop jailbreaking. That’s bullshit.
The reason they patched it is because of how the vulnerability allowed jailbreaking. Due to a flaw in the PDF reading software included with the iPhone malicious code was able to elevate to root privileges. On one hand this allowed jailbreaking. There is of course the other hand, which is that the vulnerability allowed the running of any arbitrary code as the root user. That means a rootkit could be uploaded and installed onto an iPhone by just getting the user to visit a web page.
I’m all for jailbreaking and believe if you buy a device you can do whatever you want with it. I also think Apple are complete assholes for how restrictive they are with the phone (but it is their device and they can make it however they want, I just won’t buy it in this case). But this hole they’re fixing is a major security issue and needs to be fixed. Ironically if you went to the jailbreak website and jailbroke your phone there was a patch already available to correct the vulnerability but it could only be installed via jailbreaking. Now that’s irony you just can’t buy!
Your “No Duh” Security Story of the Week
Apparently PC Pro likes to be late to the game. They are reporting that modern smart phones are vulnerable to “smudge attacks.” So what is a “smudge attack?” It’s a fancy term for saying you can look at the fingerprints on the touchscreen of a phone to determine the password or unlock pattern for the phone.
Of course there is a simple and free solution: just wipe your phone’s screen off on your shirt periodically. Hell I do this naturally already because the fingerprints make the screen hard to read.
Defcon 18 News Roundup
If you pay attention to any technology news websites you’ve probably heard all sorts of horrible news involving four horsemen and a valley in the Middle East. Let me reassure you that all the news you’re hearing is overblown but with some kernels of truth. So here is your official Defcon news roundup.
First Wired has a nice assortment of pictures from the event. The first one you see is a sample of some of the badges. Unlike most lamer conferences Defcon doesn’t use paper badges (for those who get there early). For the last five years they’ve used electronic badges that were custom made and have all sorts of nice built-in features. This year’s was no exception. If you look at that first picture the silver badge that says Defcon on the screen was the one given to most attendees. There were quite a few neat little features packed into that thing. First the screen is a new technology similar to e-paper in that it doesn’t require power to maintain the image. Of course its refresh rate is 1.7 seconds making it painfully slow. The badge also has a USB connector and a place to solder on a JTAG interface for debugging. A good overview of everything dealing with that badge can be found here.
GSM “security” is dead. One of the demonstrations at Defcon 18 was a device that can intercept phone calls made from GSM phones. It’s not quite as apocalyptic as it sounds since the device only works for outgoing phone calls (at this point). The device also doesn’t work for phones using 3G but with a little ingenuity a device can be used to overpower the 3G towers in the area causing the phone to drop to 2G again.
A rootkit was released for phones running Android. From what everybody has been reporting you would think this vulnerability was in the wild. Truth be told the only way to get it installed onto phones at this point is to trick the user into downloading and installing the rootkit. In other words it’s the same “vulnerability” that exists on all PCs, you can install software. Either way this will become a big deal when it’s tied with an actual vulnerability in the Android operating system allowing for remote installation of said rootkit.
At the conference I also learned that people are still stupid in regards to security. One of the competitions at Defcon 18 was the Social Engineering contest where contestants contacted people working for companies and attempted to glean information that would be valuable in an attack against said company. A surprising amount of information was obtained through simple phone calls simply because people don’t realize how important seemingly meaningless information is.
No security conference would be complete without tutorials on lock picking. The Lockpick Village was the place to go to learn how to pick locks and obtain tools to practice your newfound skill. The staff there held seminars ranging from introduction to lock picking to the inner workings of high security locks. Anybody was free to attend (for free) any of the seminars and sit down with staff and learn how to turn those picks into lock bypassing devices. A competition was also held titled Gringo Warrior where contestants had to pick through a series of locks as quickly as possible. I was not allowed to partake in the competition as my lock pick is a .45 auto.
These are just some of the highlights from Defcon. Much more information was presented and made available to attendees. I learned quite a bit in my short few days there. Of course everything I learned didn’t make me feel much better about the current state of security as a whole.