It’s a Good Idea, It’ll Never Pass

Here’s an interesting bill presented to the Senate. I posted previously about how many states are making it illegal to video tape police officers while they’re on duty. Well H. Con. Res. 298 seems to be a desire to establish a law barring federal and state governments from making it illegal for a citizen to record an on-duty police officer:

(3) members of the public have a right to observe, and if they choose, to make video or sound recordings of the police during the discharge of their public duties, as long as they do not physically or otherwise interfere with the officers’ discharge of their duties, or violate any other State or Federal law, intended to protect the safety of police officers, in the process of the recording.

It makes sense and therefore probably doesn’t have a chance in Hell of passing. After all it will go against national security… according to the abusive police.

So Much for Apple Being the Most Secure

Apple zealots always tout the “inherent security” of Mac OS 10. These mindless drones claim Apple’s operating system is the most secure in the world because it’s built on UNIX (even though they don’t actually know what UNIX is, nor FreeBSD which OS X is built upon). Well Secunia has released a report of the top 10 most vulnerable software vendors [PDF]. Guess who’s on top… Apple!

Of course this is not in regards to their operating system but software they release for Windows. Yup their Safari browser and iTunes media player really raped their rating because frankly it’s got enough holes to fly a squadron of fighter jets through. This is why I don’t use Safari (and why I use extensions in Firefox like NoScript and Certificate Patrol) on either Windows or Mac OS (Safari is a popular favorite at the Pwn2Own contest when attacking the Mac platform).

I want to note I’m surprised Adobe wasn’t higher on the list with all the recent problems they’ve had with Flash and Reader.

Ireland Wising Up

It appears Ireland is wising up:

THE new home defence bill has shifted the balance of rights back to the house owner “where it should always have been”, say gardaí.

The Association of Garda Sergeants (AGSI) and Inspectors also said it was ridiculous to suggest the bill provided a “have-a-go charter” to homeowners and said the current situation, which legally demands a house owner retreat from an intruder, was “intolerable”.

Assuming a criminal’s life is worth less than the rightful owner of a home? That’s just crazy! Now people are going to shoot their friends when they come over! It’ll be blood in the streets! Death will be everywhere! Dogs and cats will be sleeping together! At least that’s what the anti-gunners are going to say about this.

It’s nice to see Ireland is looking at making criminals a lower form of life than law-abiding citizens. If only Britain would figure that out.

Criminals Lie

A popular concept that seems to be completely ignored most of the time is the fact that criminals are dishonest and may in fact lie to you. What am I getting at here? Well a post over at Walls of the City brought up a case of a couple who was robbed by two thugs posing as police officers:

But Monday night, police cars surrounded a Woodycrest Avenue home. Earlier, at about midnight, two men yelling “police” pounded on the door, the family said. They were let inside.

The family said the two men wanted two things: drugs and guns.

The family said the whole thing lasted 10 or 15 minutes. They said they have every reason to believe the two crooks were, in fact, police.

OK we’re going to start today’s lesson in Gullibility 101. Just because somebody says they are something doesn’t mean they actually are that thing. For instance when I was in college and attending college parties I would make up all sorts of stories about who I was and what I did to people I didn’t know. I wasn’t trying to impress them, instead I liked to amuse myself by seeing how outrageous of a story I had to make before the person I was conversing with finally caught on I was bullshitting them. Believe me I could get pretty far with some people. Did you know I’m actually a gun runner who is an exile from the former Soviet Union? Well I had two people believing that one night.

The point is people lie and we’re pre-programmed to assume that’s not the case. This of course presents a predicament. Let’s say somebody is pounding on your door yelling “police” what should you do? After all if you don’t answer the door and they are actually police officers you’re in for a world of hurt when they decide to bust in the door. On the other hand if they aren’t police you’re letting criminals into your home which is one layer of your defense strategy down the tubes already.

And the answer is… dial 911. This is advice usually given in driver’s ed to women who see a police car with lights on behind them while they’re cruising down a deserted road in the country at 0300. Real police call in any actions they’re taking which means if they are going to investigate your home somebody at the station knows about it. If people are at your door claiming to be police you should dial 911 and ask if the people at your door are actually police. If they’re not real police officers will be dispatched to come to your door.

If the people at the door actually are police then you can open the door and kindly inform them that they may not enter unless they have a warrant.

Flying with Guns

I’m sure you’ve heard enough people say you should pack a gun in with your luggage if you don’t want it to be rifled through without you present. Well here is a Defcon talk about doing exactly that.

For those of you who aren’t aware the idea behind this is simple. In order to fly with a firearm said gun must be placed in checked luggage. The luggage must be a hard sided case that is locked. But here is the real kicker, it must be locked in such a way that only you have the key. TSA approved locks (locks that can be opened by a TSA master key) aren’t approved for luggage containing firearms. This means anytime the luggage is to be opened you must be present to unlock and relock the case.

About Time

Adobe has been receiving a ton of flak from the security community recently due to all the holes being exploited in their Reader and Flash applications. Well it appears Adobe is finally sandboxing Reader in the hopes of preventing malicious exploitation of the software.

I’m sure not many people think too much about receiving a PDF. I mean it’s a document that is read-only. Well except for the fact that PDFs can include JavaScript which is executable by Reader because… it was bad-idea-gets-included-into-the-product day I guess. Hopefully Adobe gets their sandbox working correctly although I’m skeptical looking back at their previous security practices (quarterly update cycles anybody?).
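A way to check whether a PDF you received carries script or auto-run actions before opening it, as an added example that is not part of the original post: it counts the PDF name objects tied to JavaScript and automatic actions, including names disguised with `#xx` hex escapes. The watched-name list and the sample bytes are constructed for illustration.

```python
import re
from collections import Counter

# Name objects that signal script or automatic actions in a PDF.
WATCHED = {b"JS", b"JavaScript", b"OpenAction", b"AA", b"Launch"}

# A PDF name is "/" followed by characters that are not whitespace or delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\f\r ()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed sample input: PDF fragments, not complete documents.
SAMPLE_SCRIPTED = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
3 0 obj << /S /J#61vaScript /JS (placeholder) >> endobj
"""
SAMPLE_PLAIN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
"""


def decode_name(raw: bytes) -> bytes:
    """Undo #xx escapes so /J#61vaScript is read as /JavaScript."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_pdf(data: bytes) -> Counter:
    """Count watched names in raw PDF bytes.

    Triage only: names inside compressed object streams are not seen, and a
    name-like sequence inside a string or stream is counted as well.
    """
    hits = Counter()
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in WATCHED:
            hits[name.decode("ascii")] += 1
    return hits


def has_active_content(data: bytes) -> bool:
    """True when at least one watched name is present."""
    return bool(scan_pdf(data))


if __name__ == "__main__":
    print("scripted:", dict(scan_pdf(SAMPLE_SCRIPTED)))
    print("plain:", dict(scan_pdf(SAMPLE_PLAIN)))
```

A clean result here does not prove a file is safe, since compressed object streams are not inspected; a hit is a reason to open the file only in a sandboxed or script-disabled viewer.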

Security is Only as Strong as Its Weakest Link

And that weakest link always proves to be people. Bruce Schneier points out that the recently arrested Russian “spies” used steganography to secure their messages but they had one flaw:

“Law-enforcement agents observed and forensically copied a set of computer disks” when searching some of the defendants’ residences, according to a statement from FBI agent Maria Ricci. “Based on subsequent investigation as described below, I believe that the password-protected disks contain a steganography program employed by the SVR and the Illegals.” SVR stands for Sluzhba Vneshney Razvedki, Russia’s foreign intelligence agency and the successor to the foreign operations arm of the KGB.

Ricci said the steganographic program was activated by pressing control-alt-E and then typing in a 27-character password, which the FBI found written down on a piece of paper during one of its searches.

Sounds like a strong password. It’s a good thing they wrote it down… oh wait.

PSA Fail

Another great post was thrown up over at Every Day, No Days Off. It’s a link to a video of a public service announcement (PSA) for the Amber Alert e-mail notification system. The video is trying to convince you that you do not need a gun to protect your children. Unfortunately for the people who made the video they totally failed at that. Watch it and then ask yourself, would I fuck with these mothers’ kids?

[youtube=http://www.youtube.com/watch?v=oi13LczGlsE]

I certainly would not.

Also is that lady holding a RPD that is both belt fed and has an attached drum magazine at the same time? Can that even work?

HTTPS Everywhere

I like this idea a lot. The Electronic Frontier Foundation (EFF) has released a new plug-in for Firefox that attempts to encrypt every web page you visit via HTTPS. This prevents people from being able to sniff your web traffic when you’re browsing sites. Obviously I’m going to install it and give it a spin then let you know how well it works.

Hiring Hackers

I found another good post by Bruce Schneier. This one deals with hiring people with previous criminal histories. More or less Mr. Schneier brings up the fact that stating you won’t hire people with a previous criminal history is short-sighted and rather ignorant:

The answer, of course, is “it depends.” It depends on the specifics of the crime. It depends on the ethics involved. It depends on the recidivism rate of the type of criminal. It depends a whole lot on the individual.

Then he goes further into the idea of hiring convicted malicious hackers:

Admittedly, there’s a difference between thinking like an attacker and acting like a criminal, and between researching vulnerabilities in fielded systems and exploiting those vulnerabilities for personal gain. But there is a huge variability in computer crime convictions, and — at least in the early days — many hacking convictions were unjust and unfair. And there’s also a difference between someone’s behavior as a teenager and his behavior later in life. Additionally, there might very well be a difference between someone’s behavior before and after a hacking conviction. It all depends on the person.

This is ultimately the key when hiring anybody. Having a criminal history shouldn’t be an instant disqualifier for a job. It all depends on such variables as what the crime was, when the crime was done, what has changed about the person since they committed the crime, etc. Many people with previous criminal backgrounds have very useful skills. It makes sense to hire a person who was convicted of bank robbery to review your bank’s security. The person obviously understands bank security and how to bypass it. Of course it still depends on his character and whether or not he’ll try to rob your bank later. Still he’ll have the hands-on experience which is more valuable than theory and book knowledge.

There is also another paragraph that I found very interesting due to previous posts I’ve made about felons on the right to keep and bear arms:

Last winter, a Minneapolis attorney who works to get felons a fair shake after they served their time told of a sign he saw: “Snow shovelers wanted. Felons need not apply.” It’s not good for society if felons who have served their time can’t even get jobs shoveling snow.

The ostracization of people with felonies is out of hand in this country. Somebody who served their time shouldn’t have a problem getting a job again. As I’ve mentioned before if a criminal is still considered a danger to society that person shouldn’t be free to roam the streets. Likewise whether you hire a felon should be based on what the felony was. As I’ve mentioned before just because somebody has a felony doesn’t mean they were a violent criminal.

So having a blanket statement saying you will not hire people with criminal histories puts you and your company at a disadvantage. Sure you will run a slightly smaller risk of having a potential offender in your company but you’ll also not be able to hire some of the best people out there.