Update: Now that SOPA has been put on the back burner, the next thing to protest is the Anti-Counterfeiting Trade Agreement (ACTA), an international treaty which could have massive repercussions on the freedom of the internet.
Update 2 (5 July 2012): ACTA rejected by EU :)
Anyone who follows Security Generation will know that I’m a big advocate of civil liberties and freedom in general. The internet is currently a multicultural and multimedia hub of information, ideas, creativity and innovation, and there is a risk this could be irrevocably changed. Granted there is also a lot of crap on the internet, but freedom works both ways. Whilst the Stop Online Piracy Act (SOPA) and Protect IP Act (PIPA) intend to reduce piracy on the net, in reality they would hand vast amounts of power over to industry copyright holders, who would then have the ability to have sites blocked and content taken down, inhibit free speech and bring . For more information about all of this, check out this good summary article.
Due to the threat that these acts would pose to the open internet, many large internet companies have stated their opposition, including Google, Yahoo!, Twitter, eBay, and Wikimedia, as well as civil liberties groups such as the ACLU and the EFF. On January 18, these and countless other blogs and sites, including Security Generation, will be protesting this legislation by blacking out (read: censoring) parts of their sites and educating users about the danger of American censorship.
If you have a blog or website, you’re encouraged to add your voice to the cause. CloudFlare users will be able to easily participate just by enabling the new Stop Censorship app, which will black out large chunks of text on your site, and inform your users about the dangers presented by this type of legislation. WordPress users without CloudFlare can also join in by installing one of the many Stop SOPA/PIPA plugins.
This is my favorite anti-SOPA song so far:
Marc Gurman at 9to5Mac has discovered a vulnerability on the iPad that allows for a limited bypass of the device’s lockscreen. Anyone with an iPad Smart Cover (or fridge magnet) can gain access to the previously-open app (or the home screen if no app was open).
By holding the power button to bring up the ‘Power Off’ screen, closing the smart cover, re-opening it (or just sliding a fridge magnet along the right-hand side of the device), and tapping Cancel, the attacker will be dropped into the screen that was open before the iPad was locked. If the attacker gets dropped into the home screen, then they’ll be able to see the installed apps, but won’t be able to open anything. If Safari or Mail (or any other app) was open when the device was locked, then the attacker would have access to that app.
Unlike Siri being available from the lock screen, which is intended behaviour rather than a security flaw, this one actually is a flaw; and although an attacker does not get full control of the iPad, the severity depends on whether a sensitive app was in use before the device was locked.
Luckily it is possible to protect yourself against this bug in the interim by disabling Smart Covers in Settings > General > iPad Cover Lock/Unlock > Off. Expect Apple to patch this in iOS 5.0.1. Check out 9to5’s video below for a demonstration:
[Update] Apple did indeed patch this bug in iOS 5.0.1. Those of you who disabled your Smart Covers for security purposes can now re-enable them!
I’ve been into lockpicking for a few years now, and I’m surprised I’ve never posted more about it (maybe I will). Suffice it to say that lockpicking is great fun, you learn a lot, and one day it may come in handy (legally of course). One thing I’ve noticed whenever I talk about lockpicking, is that most people -including techies – have very little clue about how locks themselves actually work. It’s no surprise then that lockpicking feels like a bit of mystery to many. In reality the majority of locks are very simple devices, and many can be picked or bypassed using fairly simple tools.
I had the pleasure of taking part in the Defcon 19 Gringo Warrior contest, where participants must bypass a series of locks to ‘escape’. It’s scored based on time and the difficulty of the locks picked. I scored a bit above average. In this post I’m going to give my own shotgun intro to lockpicking, and provide some videos and links to other useful references where you can go find more detail.
From BoingBoing: “42-year-old Michael Allison of Illinois could spend the rest of his life in prison for recording police in public. He faces five counts of eavesdropping, a class one felony”. That’s the equivalent of rape.
This is absolutely crazy. How law-abiding and tax-paying citizens (who pay for the police) can be harassed for wanting to make on-duty police officers accountable for their actions is beyond understanding. All one has to do is look at the sheer quantity of illegal police behaviour (and more), to see why the free recording of police officers is so absolutely necessary; both for the public’s protection and sometimes the police officers’.
The definition of eavesdropping is “to listen secretly to the private conversation of others”; in this case the police not only knew they were being recorded (edit: allegedly, if recent reports are true, officers were NOT aware they were being recorded, which is what landed Allison in hot water), but it was a conversation between them and Michael Allison. If police officers are allowed to record audio or video of the public with impunity, the public should be allowed to record the police going about their official duties. 75 years for recording on-duty police officers doesn’t even pass the guffaw test for me; a sensible jury will never convict him, if this ever even goes to court – END OF STORY.
[Updated 7/9/11] If recent reports are true, Michael Allison may also have been stupid as well as unlucky. Apparently he covertly recorded court proceedings (which is definitely illegal), and then lied about it to the judge (also illegal), which is how he ended up with all the additional counts of eavesdropping.
Watch the video below for the full story, it’s a great summary.
I spent a week in Hawaii on the way back from Blackhat and Defcon in Las Vegas, and my hotel room had a Safekeeper key-lock safe that you had to pay $5 a day to use. Turns out the safe was perfectly usable without the key – which I guess nullifies the safe’s entire purpose. Although it had a Medeco lock, the lock wasn’t really necessary, I used a paperclip as my ‘key’. There must have been something really wrong with the way the plug was installed, I’d be horrified if this ‘attack’ worked on all of these safes. Unfortunately I only had the one in my room to play with.
Check out my demo video below for some facepalm-worthy safe bypass action!
[Updated] A guy called Brad found that his electronic hotel safe could be opened using an all-zero passcode.
I’m a fan of unusual or particularly functional knives; six months ago I got my first Leatherman Wave, which is an awesome tool. I just recently purchased the brand new Iain Sinclair CardSharp Utility Knife, and so far I think it’s pretty good! Its credit card form factor makes it easy to carry around, and its sharp blade makes it useful in a variety of situations. The only criticism I have is that the card/handle is plastic and feels quite flimsy. I was expecting the whole card to be made of thin aluminium, or maybe something more grippy. I’m also worried the little plastic bit that keeps the blade in place whilst closed may wear down eventually. That said, it’s still a unique product, and the blade is excellent, so I definitely recommend it.
I made a quick video review of it (actually one of my first videos). Apologies for the bad quality, I used an old external iSight; turns out their resolution sucks ;)
Here is Iain Sinclair’s own video.
Just a day after his keynote at the World Wide Developer Conference, Steve was giving a different kind of presentation… to the Cupertino Council.
Five years ago Apple purchased a large chunk of land from HP, and have been planning on building a new campus to house 12,000 employees. As Steve explained (and this guy can sell anything), the new campus will feature a beautiful circular building, to be set in a massive landscaped park. The picture below shows how close it’ll be to Apple’s headquarters at 1 Infinite Loop, and a mock-up of what it will look like from space (likely the setting of Apple’s new campus in 2098).
The campus will even feature its own natural gas power station, because it seems like Steve doesn’t trust the electricity company. The entire project is pegged for completion by 2015.
Hit the jump for a video of Steve’s pitch to the council.
Every year, representatives from the G20 (top 20 economic countries) get together to discuss issues pertaining to international finance. Every year, people from all political and sociological beliefs get together to protest (most of them peacefully) for their particular cause. Last year, at Toronto’s G20 summit in June 2010, it all went horribly wrong; and for the first time that I can remember, a developed and democratic western country revealed just how easily civil and human rights can be swept away, and police be used to control innocent civilians.
The video below, entitled Under Occupation, provides real and shocking accounts of the events that transpired that week. Watch it.
A ‘trojan’ targeting Mac OS X users, dubbed BlackHole RAT, appears to be in development. It belongs to a well-known category of malware, Remote Access Tools (RATs), that has primarily targeted Windows. It should be noted that on its own, the trojan does not exploit OS X; instead it relies on the user to unknowingly ‘install’ it. This is often done under the guise of pirated software, video plugins on porn sites, or other non-reputable software sources. Although the details are not entirely clear, it appears that your computer needs to be directly accessible from the internet.
This ‘trojan’ (note the intended air quotes) has been blown out of proportion and does not pose a significant level of risk. Macs are not ‘less secure’ because of this tool, as it’s something that could be coded by any 14-year-old with a relatively basic knowledge of programming. It’s essentially a normal application whose purpose is to accept connections from its owner and allow them to perform actions on your computer.
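Since the tool, by the description above, simply sits and accepts inbound connections, the practical check on a Mac is to look for processes listening on a non-loopback address. The snippet below is an added example, not code from the original post or from the malware author: a small POSIX shell function that parses the output of `lsof -nP -iTCP -sTCP:LISTEN` and prints any listener that is reachable from outside the machine (bound to `*` or to a non-loopback IP). The `lsof` output it runs on here is constructed sample data; the process names and ports in it are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag processes listening on
# non-loopback TCP ports, the kind of listener a bind-style RAT needs.
# Expects lines in the format produced by `lsof -nP -iTCP -sTCP:LISTEN`.

# Constructed sample output standing in for a real lsof run on a Mac.
# Only "Sandbox" on *:9999 and launchd on *:22 are reachable from outside.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd     1 root    9u  IPv4 0x1a2b      0t0  TCP *:22 (LISTEN)
cupsd     120 root    7u  IPv4 0x3c4d      0t0  TCP 127.0.0.1:631 (LISTEN)
Sandbox  4242 user    3u  IPv4 0x5e6f      0t0  TCP *:9999 (LISTEN)
Mail      333 user   12u  IPv6 0x7a8b      0t0  TCP [::1]:1024 (LISTEN)'

# exposed_listeners LSOF_OUTPUT
# Prints "COMMAND PID ADDR:PORT" for every listener not bound to loopback.
# The address is the second-to-last field ("*:22", "127.0.0.1:631", ...),
# followed by the "(LISTEN)" state column.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                      # skip the lsof header line
        /\(LISTEN\)/ {
            addr = $(NF-1)
            if (addr ~ /^127\./)    next      # IPv4 loopback
            if (addr ~ /^\[::1\]/)  next      # IPv6 loopback
            if (addr ~ /^localhost:/) next
            print $1, $2, addr
        }'
}

# Demo on the constructed sample. To run against the live machine instead:
#   exposed_listeners "$(lsof -nP -iTCP -sTCP:LISTEN)"
exposed_listeners "$SAMPLE_LSOF"
```

Anything this prints that you cannot account for (a process you did not install, or a familiar name on an odd port) deserves a closer look with `ps` and the path under `/proc`-equivalent tooling such as `lsof -p PID`; a RAT that needs to be "directly accessible from the internet" has to show up here, while a listener bound only to 127.0.0.1 cannot be reached from outside the box.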
Hit the jump for the full details, a video and download link.