Stop SOPA, Stop PIPA, Stop Censorship
Anyone who follows Security Generation will know that I’m a big advocate of civil liberties and freedom in general. The internet is currently a multicultural and multimedia hub of information, ideas, creativity and innovation, and there is a risk this could be irrevocably changed. Granted there is also a lot of crap on the internet, but freedom works both ways. Whilst the Stop Online Piracy Act (SOPA) and Protect IP Act (PIPA) intend to reduce piracy on the net, in reality they would hand vast amounts of power over to industry copyright holders, who would then have the ability to have sites blocked and content taken down, inhibit free speech and bring . For more information about all of this, check out this good summary article.
Due to the threat that these acts would pose to the open internet, many large internet companies have stated their opposition, including Google, Yahoo!, Twitter, eBay, and Wikimedia, as well as civil liberties groups such as the ACLU and the EFF. On January 18, these and countless other blogs and sites, including Security Generation, will be protesting this legislation by blacking out (read: censoring) parts of their sites and educating users about the danger of American censorship.
If you have a blog or website, you’re encouraged to add your voice to the cause. CloudFlare users will be able to easily participate just by enabling the new Stop Censorship app, which will black out large chunks of text on your site, and inform your users about the dangers presented by this type of legislation. WordPress users without CloudFlare can also join in by installing one of the many Stop SOPA/PIPA plugins.
This is my favorite anti-SOPA song so far:
A Quick Introduction to Lockpicking and Useful Resources for Beginners
I’ve been into lockpicking for a few years now, and I’m surprised I’ve never posted more about it (maybe I will). Suffice it to say that lockpicking is great fun, you learn a lot, and one day it may come in handy (legally of course). One thing I’ve noticed whenever I talk about lockpicking is that most people, including techies, have very little clue about how locks themselves actually work. It’s no surprise then that lockpicking feels like a bit of a mystery to many. In reality the majority of locks are very simple devices, and many can be picked or bypassed using fairly simple tools.
I had the pleasure of taking part in the Defcon 19 Gringo Warrior contest, where participants must bypass a series of locks to ‘escape’. It’s scored based on time and the difficulty of the locks picked. I scored a bit above average. In this post I’m going to give my own shotgun intro to lockpicking, and provide some videos and links to other useful references where you can go find more detail.
Simpler Stronger Passwords
The complexity of passwords is indeed something that has recently flipped into the realm of impossibility for us humans. In order to get any kind of decent cracking-resistant password these days you’re probably looking at having a password of at least 15 characters, making heavy use of uppercase, lowercase, symbols, etc. Very few people will be willing to commit that to memory, and if they do, they’ll be even less likely to change it on a regular basis.
The XKCD comic below shows that point pretty simply. It’s not actually that bad to use dictionary words, as long as they’re unrelated and you chain many of them together. The reason this works is because instead of picking from a character set of 26 letters, 10 digits and 20 symbols (total=56), you’re now selecting from a character set that is as large as the dictionary (~150,000 words). If you select four words of about 5 characters or more, the potential keyspace an attacker has to guess will be enormous – especially if you throw in a few symbols for good measure ;)
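The keyspace arithmetic above carried through in Python, as an added example that is not part of the original post. It assumes each word is drawn uniformly at random (by a CSPRNG) from the whole dictionary; words a person picks as "unrelated" are far less random than that, and the 150,000-way choice per word only holds for true random selection. The word list is a constructed sample.

```python
import math
import secrets

# Character set from the post: 26 letters + 10 digits + 20 symbols.
CHARSET_SIZE = 26 + 10 + 20          # 56
DICTIONARY_SIZE = 150_000            # approximate dictionary size, per the post


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of equally likely secrets when `length` symbols are drawn
    uniformly from an alphabet of `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing entropy in bits: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def equivalent_chars(word_count: int, dictionary_size: int = DICTIONARY_SIZE,
                     charset_size: int = CHARSET_SIZE) -> int:
    """How many uniformly random characters from the 56-symbol set a
    `word_count`-word passphrase is worth (rounded down)."""
    return int(entropy_bits(dictionary_size, word_count) // math.log2(charset_size))


# Constructed sample list; a real one (e.g. a diceware list) has thousands of words.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "anchor", "velvet", "quartz", "lantern"]


def generate_passphrase(words, count: int = 4, sep: str = "-") -> str:
    """Pick `count` words with a CSPRNG, independently and with replacement,
    so the entropy is exactly count * log2(len(words))."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    print(f"8 random chars from 56:    {entropy_bits(CHARSET_SIZE, 8):.1f} bits")
    print(f"15 random chars from 56:   {entropy_bits(CHARSET_SIZE, 15):.1f} bits")
    print(f"4 random dictionary words: {entropy_bits(DICTIONARY_SIZE, 4):.1f} bits "
          f"(~{equivalent_chars(4)} random characters)")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
```

Four truly random dictionary words sit between 56^11 and 56^12, so they buy roughly the same resistance as 11 to 12 fully random characters, without the memorisation cost.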
Advisory: NAB Credit Card Envelope Information Disclosure Vulnerability
I recently ordered some new credit cards, two sets of two (makin’ it rain baby), and they arrived in the post today in two separate envelopes. National Australia Bank (NAB) sends out its cards in unmarked white envelopes, which is good; what’s not so good is that the embossed number on the card gets permanently imprinted into the plastic window of the envelope, presumably due to the pressure of having other envelopes on top of it. As a result, with the right lighting, I was able to read the full card number before I even opened the envelope (blurry snapshot below). It’s probably worth noting that the number will still be legible after the recipient has disposed of the envelope in the trash.
One can argue that having just the card number on its own is not as useful. But remember you’re holding an addressed envelope, so you have the cardholder’s name and address, including post code. You also know the start date on the card, which will almost always be the current month (sometimes the following month), and due to the fact that most credit cards have a lifespan of three years, you can also deduce the year of expiry. The month of expiry may or may not be the same as the start month. The only thing missing is the CVV, but then again there are still plenty of places that don’t require those. With just the card number, an attacker could clone it onto a fake credit card, and start using it in shops with any random signature.
Although this post is intended to be tongue-in-cheek, it probably wouldn’t hurt for NAB (or their card printing company) to fix this ‘vulnerability’. What would PCI say? :D
BlackHat, Defcon and Vegas Baby!
The planets and stars have aligned, and it turns out I’ll be at BlackHat and Defcon this year! I’ve never gone, although I’ve been wanting to for many years, so it’s definitely an exciting first for me. My awesome gf pushed me to finally go ;) There are plenty of people from the security community that I know online, but I’m eager to finally meet them in person. Any of you guys (or gals) going? I’m currently on the hunt for some decent Defcon parties; hook me up if you know of any! Las Vegas baby, here we come.
1st Anniversary of Security Generation
Not a significant milestone, but I only just realised that it’s already been a year since I started up the new Security Generation. One year, 164 posts, 1500-odd tweets, and much rambling later, I hope that you’ve found some of the content useful!
Many thanks to those of you who are regular visitors, and welcome to those of you who hopefully will be ;) Always happy to hear from readers either by email or in the comments.
I’m still adjusting the style of the content on this site, but you can probably look forward to more articles as well as tutorial-style posts. Any feedback is welcomed.
Things have been fairly busy recently, so I haven’t had the time to post as much. But I’m hoping to get a few articles on here very soon, so stay tuned!
Steve Jobs Presents New Apple Campus to Cupertino Council [Updated]
Just a day after his keynote at the World Wide Developer Conference, Steve was giving a different kind of presentation… to the Cupertino Council.
Five years ago Apple purchased a large chunk of land from HP, and have been planning on building a new campus to house 12,000 employees. As Steve explained (and this guy can sell anything), the new campus will feature a beautiful circular building, to be set in a massive landscaped park. The picture below shows how close it’ll be to Apple’s headquarters at 1 Infinite Loop, and a mock-up of what it will look like from space (likely the setting of Apple’s new campus in 2098).
The campus will even feature its own natural gas power station, because it seems like Steve doesn’t trust the electricity company. The entire project is pegged for completion by 2015.
[Updated 9/06/2011] Steve has made his council presentation slides available (PDF). Details have emerged that the architect will probably be Norman Foster.
Hit the jump for a video of Steve’s pitch to the council.
My Favorite Top 10 Best #Protolol Jokes
No idea where it came from, but today the techno-geek community of Twitter woke up and decided en-masse that it was a good day to make pun-esque jokes about protocols and other computer technology. You probably need to be a geek to understand these, let alone find them funny. The following is a compilation of my favourite #protolols:
@yoz: order best is tell that The you thing can about jokes BitTorrent them in any
@eigenrick: The problem with TCP jokes is that people keep retelling them slower until you get them
@RichGibson: DHCP jokes only work when there is only one person telling them
@rickasaurus: The problem with token ring jokes is you need to wait your turn to laugh
@dasfiregod: The worst part about token ring jokes is that if someone starts telling one while you are telling yours, all joking stops
@KippiHax: I was promised a three way and all I got was a TCP handshake
@xntrik: The problem with git jokes is everyone has their own version
@thornmaker: I would tweet a joke about CSRF if you hadn’t just done so yourself
@zhov: I tried to come up with an IPv4 joke, but the good ones were all already exhausted
@akujobi: My HEAD hurts because I don’t GET all the HTTP jokes y’all PUT on my timeline. I have to DELETE some of them POST-haste
@securitygen: I received a Tor joke from someone… have no idea who they are though…
@securitygen: I’d make a joke about UDP, but I don’t know if anyone’s actually listening…
@securitygen: Let me speak out in the open: Telnet IS a joke!
The Slippery Slope of Civil and Human Rights at Toronto’s G20 Protests
Every year, representatives from the G20 (top 20 economic countries) get together to discuss issues pertaining to international finance. Every year, people from all political and sociological beliefs get together to protest (most of them peacefully) for their particular cause. Last year, at Toronto’s G20 summit in June 2010, it all went horribly wrong; and for the first time that I can remember, a developed and democratic western country revealed just how easily civil and human rights can be swept away, and police be used to control innocent civilians.
The video below, entitled Under Occupation, provides real and shocking accounts of the events that transpired that week. Watch it.
Anonymous Deface Westboro Baptist Church Site Live On Air
Anonymous recently found themselves entangled with the Westboro Baptist Church (WBC) after the homophobic religious zealots published a taunt daring the hacktivist group to ‘bring it’. Anonymous quickly announced that they had never threatened the church in any way. I’m inclined to believe them because, as lame and hateful as the church and its members are, Anonymous are busier fighting for freedom in North Africa and the Middle East than they are exposing ridiculous religious groups in Kansas. Instead, another hacktivist known as th3j35t3r (@th3j34t3r) joined in the fight, bringing down five of WBC’s hate-spewing websites.
Not happy to leave the matter alone, or rather perfectly happy for some more media whoring, Westboro decided to go on air and pour some fuel on the fire. In the interview Shirley Phelps-Roper, a ridiculously immature and inarticulate representative of WBC, faced off against a comparatively calm and bemused representative of Anonymous. Anon reiterated that they did not initially threaten WBC, and during the interview proceeded to deface one of the church’s sites with a message from the group. Excerpt:
Your continued biting of the Anonymous hand… has earned you a swift and emotionless bitchslap, in the form of this very message. [...] For this unremitting display of overzealousness, we award you no points. Take this defacement as a simple warning: go away. The world (including Anonymous) disagrees with your hateful messages, but you have the right to voice them. This does not mean you can jump onto Anonymous for attention.
These WBC idiots really make me rage, and they make honest Christians look bad. Anonymous, th3j35t3r, I tip my hat to you on this one. Check out the video of the interview below.