
Posts tagged ‘fail’

5 Feb

Pic of the Week: Total Security Epic Fail Theater

Don’t lie, you’d want to pick the lock anyway ;)

25 Nov

TSA Body Scanner Missed 12-inch Razor Blades

Mythbusters’ Adam Savage recently went through a TSA checkpoint and body scanner, and once on the plane realized he had two 12″ razor blades in his jacket pocket. I’ll let the man tell you himself, but I love his quote: “WTF TSA?”. Clearly the screening agent was focusing on Adam’s myth-busting junk.

Privacy fail and security fail two-in-one. Security theater++

13 Oct

Warrantless and Unwarranted FBI Tracking of Egyptian Student

Twenty-year-old US-born half-Egyptian marketing student from California, Yasir Afifi, recently found an FBI tracking device attached to the underside of his car. Apparently he wasn’t even the primary focus of the surveillance, but happens to be the friend of someone who’s of interest to the FBI. It’s believed the friend (Khaled) is of interest due to a post he made on his blog/reddit.

Here’s one of his posts:

bombing a mall seems so easy to do. i mean all you really need is a bomb, a regular outfit so you aren’t the crazy guy in a trench coat trying to blow up a mall and a shopping bag. i mean if terrorism were actually a legitimate threat, think about how many fucking malls would have blown up already.. you can put a bag in a million different places, there would be no way to foresee the next target, and really no way to prevent it unless CTU gets some intel at the last minute in which case every city but LA is fucked…so…yea…now i’m surely bugged : /

To be honest, sounds like a post I could’ve written. I definitely agree with the guy. I guess the only reason I’m not being watched is because I’m not dark skinned, or from an Eastern country, or whatever other profile they rely on these days. Or maybe I am being watched and just haven’t found the tracking device yet.

About 9 days ago, they found the device (pictured below), and originally thought it was either a tracking device – or a bomb. From his description of the events, however, it sounds like they may also have been stoned at the time. A recent ruling by the Ninth Circuit, which covers California and 8 other states, held that no warrant needs to be obtained in order to perform this kind of tracking. They are allowed to come onto your property and plant a tracking device on your car, as you have no reasonable expectation of privacy on your driveway. Good morning Orwell.

The American Civil Liberties Union in Washington is considering using these events to challenge the Ninth Circuit’s ruling.

Now, why they chose to use what looks like a Soviet-era tracker is beyond me. Maybe they ran out of the smaller non-battery-powered models that they make in this century. According to a commenter on reddit, the device is a Guardian ST820, manufactured by Cobham. Apparently these things are meant to be hard to find (despite the size), when installed properly. Surveillance Fail? The FBI has since asked for its tracker back.

Check out this Wired article for more details.

If you want to build your own affordable GPS tracker, check out this project!

[Update 8/3/2011] Yasir Afifi files lawsuit over FBI’s GPS tracking

24 Sep

Can You Enhance It? No, You Can’t!

This kind of shit pisses… me… off…

Every time.

And I piss off my girlfriend by always bitching about it whenever it happens in a movie. She then bitches at me for always bitching about it. It’s counter-productive really ;)

“lock on and enlarge the Z-axis” lolwut?

Completely implausible hacking scenes in movies come in a very close second, mind you. Check out this article for more examples of how Hollywood fails at using technology in movies.

</rant>

2 Jul

When SQL injection becomes too easy

When surfing around the net I recently came across a website that appeared to use some kind of simplified database query as part of the GET request. This got me thinking about what would’ve been possible if the developers had been stupid enough to pass an actual SQL query in the URL.

Turns out that some websites actually do this! See Monkey Facepalm picture.

A quick Google search with the following terms will bring back a number of pages that use SQL queries as GET parameters:

inurl:select inurl:where inurl:%20

One of the results, from Washington State University:

http://refbase.wsulibs.wsu.edu/yellowstone/search.php?sqlQuery=SELECT%20author%2C%20title%2C%20year%2C%20publication%2C%20volume%2C%20pages%20FROM%20refs%20WHERE%20serial%20RLIKE%20%22.%2B%22%20ORDER%20BY%20author%2C%20year%20DESC%2C%20publication&submit=List&citeStyle=APA&citeOrder=&orderBy=author%2C%20year%20DESC

decodes to:

http://refbase.wsulibs.wsu.edu/yellowstone/search.php?sqlQuery=SELECT author, title, year, publication, volume, pages FROM refs WHERE serial RLIKE ".+" ORDER BY author, year DESC, publication&submit=List&citeStyle=APA&citeOrder=&orderBy=author, year DESC

Now, how many of those databases are running with full admin privileges? Whoever controls the URL controls the whole statement, so there is nothing to "inject" into: the attacker simply writes a different query, against whatever tables the database account can see. I think I also spotted some ecommerce sites doing this too… passwords and credit card numbers anyone?
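As an added example (not from the original post, and not refbase’s actual code), here is the anti-pattern above reduced to a few lines of Python over an in-memory SQLite database, beside the way the same "list these columns, sorted this way" feature should be built. The table names and rows, the example.invalid URLs and both handlers are constructed for the illustration; SQLite has no RLIKE, so the hardened version filters with LIKE and a bound parameter instead.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit


def make_db():
    """Constructed stand-in for the site's database: a 'refs' table like the one in the
    refbase URL above, plus a 'users' table the public search page should never read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE refs (serial INTEGER, author TEXT, title TEXT, year INTEGER);
        INSERT INTO refs VALUES (1, 'Smith', 'Geysers of Yellowstone', 1999);
        INSERT INTO refs VALUES (2, 'Jones', 'Bison Migration', 2005);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'hunter2');
    """)
    return conn


def query_params(url):
    """GET parameters as a dict of first values; parse_qs already URL-decodes them."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def vulnerable_search(conn, url):
    """The anti-pattern from the post: the sqlQuery parameter *is* the SQL statement.

    Whoever controls the URL controls the statement, tables and all."""
    return conn.execute(query_params(url)["sqlQuery"]).fetchall()


# Hardened version: the client picks from fixed menus and the server writes the SQL.
# Column and ORDER BY names cannot be bound parameters, so they are checked against an
# allow-list; the only free-text value (the author filter) is passed as a bound parameter.
ALLOWED_COLUMNS = ("author", "title", "year")
ALLOWED_ORDER = ("author", "year")


def hardened_search(conn, url):
    p = query_params(url)
    cols = p.get("cols", "author").split(",")
    order = p.get("orderBy", "author")
    if not all(c in ALLOWED_COLUMNS for c in cols) or order not in ALLOWED_ORDER:
        raise ValueError("unsupported column or sort order")
    sql = f"SELECT {', '.join(cols)} FROM refs WHERE author LIKE ? ORDER BY {order}"
    return conn.execute(sql, (p.get("author", "%"),)).fetchall()


def is_rejected(conn, url):
    """True if the hardened handler refuses the request outright."""
    try:
        hardened_search(conn, url)
    except ValueError:
        return True
    return False


# Constructed URLs (hypothetical host). The first is the request the site intends;
# the second is what anyone with a browser can send instead.
HONEST_URL = ("http://example.invalid/search.php?"
              "sqlQuery=SELECT%20author%2C%20title%20FROM%20refs%20ORDER%20BY%20author&submit=List")
ATTACK_URL = ("http://example.invalid/search.php?"
              "sqlQuery=SELECT%20username%2C%20password%20FROM%20users")
SAFE_URL = "http://example.invalid/search.php?cols=author,title&orderBy=author"
SAFE_ATTACK_URL = "http://example.invalid/search.php?cols=username,password&orderBy=author"

if __name__ == "__main__":
    db = make_db()
    print("intended:", vulnerable_search(db, HONEST_URL))
    print("attacker:", vulnerable_search(db, ATTACK_URL))   # the whole users table
    print("hardened:", hardened_search(db, SAFE_URL))
    print("hardened rejects username,password:", is_rejected(db, SAFE_ATTACK_URL))
```

The point of the hardened handler is not the LIKE parameter but the allow-lists: identifiers (columns, tables, sort keys) can never be bound, so the only safe way to let a client choose them is to map client input onto names the server already knows. Anything the database account can reach is reachable through the vulnerable handler, which is why the privileges of that account matter as much as the code.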
