Wednesday 30 April 2008

Avoiding speed traps, different

A 57-year-old dude tries to avoid a speed trap by applying the front brake and sliding past below the radar:



Did not really work well. Broke his arm _and_ got a ticket.

Saturday 26 April 2008

Locks, SKG, the challenge

Whenever I move in to a new apartment, a new office building or take on the responsibility of other property that is secured by a cylinder lock, I exchange it.

The old cylinder and all its associated keys will be documented and stored for later retrieval.

The new cylinder will be bought by me, at a store I trust and with a security certificate I like, and I pay attention that _nothing_ that can identify me or my location gets associated with the certificate, for I would not like to have to worry about the whereabouts of that data since it is not under my control [the certificate can be used to remake a key without having a copy of the key].

So I pay by cash and have a second locksmith do the installation.

The apartment I moved in recently is a newly built complex. About a 1.000 apartments have been built by 45 different subcontractors who dig holes, lay pipes, pull wires, connect walls, paint doors and insert locks. For whatever it is worth: I do not trust them. The chance that one of the workers copies the cuts of my particular key is just something that makes me feel uncomfortable.

Personally I know too little about the inner workings of locks to be able to make a valid judgement about the grade of the lock, so I will buy only stuff that does comply with the toughest international standards, including ISO 9001/2000, UL, CEN, VDS, SKG, CPC and A2P. Or when in Holland, the SKG [Stichting Kwaliteit Gevelbouw].

It is amazing to see that the price difference between a SKG ** and *** is rather low in comparison to the added features. One of the features I find a must have is the bump key proofing of locks. But all of this is just to prevent the damage free opening of the door.

Other measures need to be taken to prevent the more common 'crowbar style' and the 'Bulgarian' method [drilling]. A good resource of more information on the topic is The Open Organisation Of Lockpickers, which is credited with spreading the word on the issue in Holland, but even more important is the concept behind high security lock design by Ross Kinard.

Friday 25 April 2008

Googlology!

Never mind those old and dusty religions, forget the olt skool printed stuff, do not bother with the 10 rules, forget about diet stuff, reincarnation is of the past, after life is obsolete.

What rules now is Googlology. It's religion on steroids. No need for G*d in heaven, no need for spirits in the sky. Googlology designs and runs its own heaven, and its name is 'The Cloud'.

The cloud will take care of your data, no matter where you need it, it will be there. The cloud will provide your services with more computing power than it needs, and then some. The cloud will harbour your applications, your email, your videostream, your rants, your pictures, your secrets and your dates, your world, your drawings, your finances, your money, and a whole lot more.

And I should know, since I drink all the Google Gulp from a hose.

But what if the cloud, errr, sort of not does what the EULA sort of makes you believe? What if the lawyer@TheCloud p0wnzers you? And your data? What if, insert-your-personally-favorite-upper-being-here, strikes back and lets some unknown entity take control over, well, you, basically?

How does one secure the absolute power of the cloud? There are some very smart people talking about it but lots of discussion is still about the definition, much less about the consequences, let alone what it actually means or how to do it.

Do you want to be the one who turns off the light now that everybody has left the old arena, or will you participate in shaping the future?

Tuesday 22 April 2008

Replace your Mac harddisk, easy


I should do stuff more often, at least it makes far hotter stuff come out.

Couple of days ago I decided that both Mac laptops in the house needed more storage. The G4 PowerBook and the MacBook. So I ordered a Western Digital Scorpio 250GB 5400RPM and a Western Digital Scorpio 320GB 5400RPM. The replacement of the MacBook one can do with a sharp kitchen knife, no problem. Just remove the battery [do not bother shutting the OS down, it's as stable as my weight] and take a sharp kitchen knife [I used the new Global one I gave my wife a couple of days ago]. Unscrew 3 little screws, pull out the harddisk, take strong pliers, remove the 4 screws, take the plastic thingy, wrap it on the new disk, sort of reattach the 4 screws, stick the thing back in. Ram the old battery in and off you go [never mind about the 3 little screws and the metal strip, all just surplus weight].

Reinstall and do not mind about the updates that want you to reboot your DVD version of the OS 4 times!

Now the PowerBook, that is another story. About 23 Phillips screws [tiny fuckers!] and then 2 torx 6, that is SIX, not 8, but 6, the smallest possible tool made only in Switzerland and it will set you back about the same amount of euros as the 320GB disk.

Then you get to pull off two, well, 'connectors' that are actually used open ended flatcables: class construction. Putting the whole thing back is a joy. Takes the precision of a live-bomb-defuser, nice engineering.

Installing the OS of course requires the PPC version. Inserting the iMac Intel version yields a nice panic message. Never mind about the I-do-not-know-how-many updates and reboots [even for the so called 3.1.x SAFARI update one gets a reboot!], for they slow down the secure OS X anyway.

Right after finishing something flashy caught my eye: the MHZ2 CJ.

A 2.5 inch Serial-ATA Revision 2.6 (Gen1i and Gen2i) hard disk with embedded AES 256-bit hardware-based encryption, high-speed rotational speed of 7200rpm, it supports SATA 3.0Gbit/s and the capacities go up to 320GB with a 16MB buffer... How is that for cool?

You know what that means as soon as you see it: dumping the current disk for no reason on ebay, including all the private data it has accumulated in a month's time, and overpay for the new disk since it is new and hot.

Friday 18 April 2008

Searching & Finding, part II

So there is Maltego, the coolest tool for finding information and there are machines that find lots of data. Of course Google uses some very smart algorithms and Udi Manber really knows what he's talking about. On April 16, 2008 he answered the question "When I come to a Google in the future the context of my social network could be folded into the search?" with "I can imagine if you give us permission to do that, and we find that that’s useful for some queries. The question is, what percentage of queries and what kind of queries? When should you use it and when should you not use it?"

This had me completely baffled. WHAT? I was saying to myself WHAT IS WRONG WITH THIS DUDE? I mean, after one look at the concept of Maltego I knew that that is the only way forward. Maybe he drank a little too much Google Gulp? Maybe he was trying to hide something since Google does not do pre-announcements? Or maybe, he'd seen Maltego or Delver too and was just trying to suppress their market value so the goog's could snatch it up for little money in a little time?

"We have no intention of competing with the Googles of the world, because Google is doing a very good job of indexing the Web and bringing you the Wikipedia page of every search query you're looking for," says Liad Agmon, CEO of Delver. But we've been there, seen it, and even do it ourselves now.

But that does not satisfy anymore. You know the procedure yourself: go to google.com, type a couple of keywords, check the first listing, alter the keywords [order even], check the listing and on and on. Most of the listings you get will be actively manipulated by crooks and link spammers.

So we need something else. As Anand Rajaraman puts it: if you have limited resources, add more data rather than fine-tuning the weights on your fancy machine-learning algorithm. Of course, you have to be judicious in your choice of the data to add to your data set. And this is exactly the point I am trying to drive home. More data sources [and some very decent post processing] enhance the results in amazing ways. [he works on his own SE too, called kosmix].

Some say, it is a terrible idea, like KublaiKhan. "This sort of searching will result in information from 'opposing sides' of controversies or arguments being deprecated, resulting in skewed information being available--because people tend to associate themselves with other people of the same opinion." He goes on: "This new search engine will be wildly popular amongst the type of person who enjoys violent flamewars, and will be useless for any person who wishes to consider both sides of a situation before forming an opinion... so it's going to be an enormous success and if I had the cash I'd invest in it. :-/"

Personally I would like to quote merreborn in reply to that remark:
"Sorry, I can't friend you, you'll screw up my search results"

Update:
Seems there is much much more going on and wrong between google and social websites...

Friday 11 April 2008

Everything you ever wanted to know about the Enigma


As great a machine as the Enigma was, it too could not prevent users from messing it up. Examples:

Part of the first class encryption of the Enigma was the possibility for the clerk to make up his own six-letter settings. This led to the Polish cryptanalysts occasionally being able to guess the settings. The military did not allow an obvious setting such as ABC. However, cipher clerks sometimes chose settings like QWE (the first three letters on the keyboard) or names. In the example above, if the first three letters were HIT, the cryptanalysts could guess that KOS and RLB were the ciphers to LER, spelling out HITLER. BER was usually followed by the ciphers of LIN. One particular German code clerk continually used his girlfriend’s name, Cillie, for his messages, and so these easy-to-guess indicators became known as "Cillies."

After the English had boarded the U-110 [thanks Fritz-Julius Lemp for being a pussy!] and got their hands on a working Enigma [with all dials in the correct setting for the whole month], they were able to destroy lots of U-boats that were decimating the US-UK ships. Admiral Doenitz just knew something was wrong and made a change by adding a thin fourth rotor between the leftmost rotor and the reflecting plate.

Bletchley Park learned of the impending change from decrypts and captured material, but until it was actually implemented there was little they could do to prepare. Fortunately, the Germans made an error. In December 1941, before the change had been made official, a U-boat sent a message using the four-rotor machine. To compound the mistake, the same message was retransmitted using only three rotors. From this seemingly innocuous error, the cryptanalysts at BP determined the wiring of the fourth rotor. :P

In order to set up the U.S. Navy Bombe, cryptanalysts first had to determine a "crib." A crib is the unenciphered text that is assumed, or known, to appear in the message.

Cribs could come through a variety of methods. Some of the best cribs came from errors made by the Germans themselves. On more than one occasion, a German signal clerk sent the same message twice in two different codes. If the code for one was known, it provided a crib for the unknown system.

Another frequent German mistake came in standardized messages. For example, a shore weather station in the Bay of Biscay sent out a message every day at 07:00 which began, "The weather in the Bay of Biscay will be. . . ." Knowing the exact wording of a message made a perfect crib for the Allies, so it became a high priority to intercept the daily message from this weather station.

A final example of a common German error involved the practice of submerged U-boats. When the submarines resurfaced after extended periods of time under water, they requested all the important messages they had missed while below the waves. The transmissions that followed inevitably involved communications previously sent and deciphered. Cryptanalysts merely checked the back files for messages with the same number of letter groups and used them as cribs for the new message. Since the resulting message would be identical to the previous one, it helped reveal the Enigma setting for the current day. With the daily setting, all the current day's messages could be read.

Other cribs came from knowing the current activities of the enemy. If, for example, a battle occurred, it could be assumed that messages following the attack reported on the battle. It was more difficult for the cryptanalysts to build cribs for these types of messages since it involved guesswork.

Because the Enigma rotors moved with each keystroke, a letter typed twice usually enciphered to two different letters. Also, the Enigma could not encrypt a letter to itself. Finally, the Germans indicated a space between words with the letter X and spelled out numbers.

Knowing these details played an important role in ultimately breaking the Enigma's daily settings.

Now why do we see these same weaknesses made over and over again?

Some time ago there was one for sale too. Damn that would have been the hottest geek present ever. Prices have not been too extreme either...

Tuesday 8 April 2008

Improvised Explosive Device 2.0


As much harm as the improvised explosive devices (IED) do, now it is time for version 2.0

The interactive IED, the IED that will blow up the people of the nationality you want dead, not just a passerby. Till now it has been difficult at times to determine the timing to actually kill the guy you hate the most. Come to the rescue:

E-Passports

Already in 2006 it was shown that the then 'new' RFID'ed passports were both hackable and posed a security threat. Since a couple of weeks the Dutch have entered the arena and are being sold E-Passports too.

You gotta love it when government people do security.

Ross Anderson: Security Engineering 2.0

At BlackHat, I had some pretty interesting discussions with FX and others, about how 'olt skool' simply breaking stuff is after you've done your share of pentesting & reverse engineering. How much more interesting it is to _secure_ stuff, one way _and_ the other. Because no matter what you do: things will break.

As a matter of fact, since most of us are working for clients and we sell our services, they too are better off when we do not 'just' display how things break, but how we make things break safely.

In that light, the interview my good friend [and smart B to boot] Craig Balding did with Mr. Ross Anderson about security engineering comes right on time. Enjoy.

PS
It was brought to my attention that Amazon does some weird dating stuff. The book will be Released on April 14th, but they have one in stock now, if you order today you can have it delivered on the 9th of April... how's that for JIT!

Sunday 6 April 2008

Burning down the house!


You know, today I bought a lighter, a Varaflame Ronson.
You know the brand?

I think everybody's father had one, so did mine.
I was about 6 or so and he got one. A nice shiny silver one.

I woke up early one day and took it from the living room into my room. We had some sort of 'grass' flooring, typical for hippies at that time [think early 70's]

Somehow I managed to set it alight.

Everybody is asleep, my 4 year old sister, my parents: everybody in my whole wide world.
The room starts filling up with smoke, heat, flames and one scared boy: moi.

I used the same trick as I still do:
“Dear Lord, let me survive this now and I know that in the future I will pay back humanity!”
Suddenly I moved to the hallway, my mother always left two glasses of water there for when we would wake up early. I took them and threw them in the fire. My feet and some other stuff took care of the remaining fire.

...

A couple of minutes [or hours?] later my parents woke up, smelled the smoke, saw the hole and realized very quickly what had happened and who started it all.

Never mind who stopped it, but they knew all right who started it.

The punishment I got for that was something that... I cherished. I loved it, for I was alive! And so were they. I knew I had something to make up for, but I also knew that there was nothing in the world that could kill me until I was ready.

And today I bumped into one of those lighters. And now I own one.

Getting old and knowing it...


There are moments in life when somehow your surroundings tell you more about you than about the actual artefacts that make them up. One of those moments just happened to me.

It was a flea market, like you see many of them, when you are into flea markets. Big, cold, and stuffed with... stuff. I have been to my fair share of those. Sometimes by accident, sometimes because someone tells you there is something special to be had, sometimes with new [girl-]friends who take you places you do normally not go to.





This visit was inspired by new friends.

It is a big ass flea market, with over 3.000 parking spots, with admission fees, with people rubber stamping each other, with rules and regulations: the works.

Anyway, people try to sell all kinds of stuff, old & fake, polished & rotten. Basically whatever was unwanted at one point of its existence.




So I am surrounded by stuff and suddenly it strikes me: lots of it might be old, _now_, some of it broken _new_ and some of it unwanted _now_, but OMG*d: this is stuff that I saw enriching the world... when I was growing up!



The stuff that once you thought "WTF?" about and later made it, the things with features that you young people take for granted now but were _new_ and unheard of before.












I found out that I can remember each and every single Matchbox car I had, and the ones I did not have too. I saw most of them tattered and brushed, like mine were after 'they had an accident' but at least mine were loved and owned. The ones on the market were loveless.













The worst thing was this car. I got it on a Monday, loved it to death because it was so advanced. It was a little bigger than the normal cars. It had stuff in it that you could get out from the back. I took it to school, played with it day and night. One day my [Thursday] teacher Boudy de Vries took it from me. He disliked us boys playing with cars instead of listening to the same old, same old.

On Monday I collected all my wit and guts and asked it back. The sucker simply said [and I remember the smug smile on his bearded face up until today!] "I do not have it and never took it!"

The son of a bitch never gave it back. Boudy de Vries, I hate that guy with a passion.

Friday 4 April 2008

But not without Manager 2.0

World 1.0 VS World 2.0
Knowledge sharing and learning is imposed additional work VS Knowledge sharing and social learning is a welcome natural part of people's everyday work

Work takes places behind closed doors VS Work takes place transparently where everyone can see it

IT Tools are imposed on people VS People select the tools that work best for them

People are controlled out of fear they will do wrong VS People are given freedom in return for accepting responsibility

Information is centralized, protected and controlled VS Information is distributed freely and uncontrolled

Publishing is centrally controlled VS Anyone can publish what they want

Context is stripped from information VS Context is retained in the form of stories

People think quietly alone VS People think out loud together

People tend to write in the third person, in a professional voice VS People write in the first person in their own voice

People, especially those in authority, are closed to new ideas and new ways of working VS Everyone is open to new ideas

Information is pushed to people whether they have asked for it or not VS People decide the information they need and subscribe to it

The world is seen through a Newtonian cause and effect model VS The world is recognized to be complex and that different approaches are needed

Now all looks good and well in World 2.0. Everybody simply changes from consumer to prosumer and takes an active role. Business as usual 2.0. Cool. But where does one find managers 2.0?

Thursday 3 April 2008

Do Know Evil!

So I got the sites:



DoKnowEvil.nl
DoKnowEvil.biz
DoKnowEvil.org
DoKnowEvil.de
DoKnowEvil.eu

Now all that is missing is the T-Shirt, Krassimir :P

Google searches best, Maltego finds

A couple of days ago I wrote kinda ecstatic about the possibilities of Maltego. Turns out, I am right [duh!].

Anand Rajaraman is the Consulting Assistant professor at the Computer Science Department at Stanford University, and he drives the point home much better in this article. To sum it up, if you have limited resources, add more data rather than fine-tuning the weights on your fancy machine-learning algorithm. Of course, you have to be judicious in your choice of the data to add to your data set.

That is exactly what Maltego does and lets you do. It gives a plenitude of data sources and lets you, the human, decide what information weighs most, considering your particular query.

Tuesday 1 April 2008

There is never enough time, thank you for yours...

Cybersecurity in a New Digital Age, by Dr. Dan Geer.