Thursday, August 24, 2006

Windows: Vulnerable by Design

I'm coming around one of my (and probably your) favorite subjects, Windows and Their Evil Nature. Talking about this OS and how it is so insecure is one hot topic. It's just I've never sat down to write a few pointers on the subject. And guess what! Tom Yager in InfoWorld has done it for me. Oh boy!! Anyway :P

Just a few quotes from the article...
  • All Windows background processes/daemons are spawned from a single hyper-privileged process and referred to as services.
  • By default, Windows launches all services with SYSTEM-level privileges.
What this means is that if an attacker finds a flaw in a Windows process and manages to inject code, it will be executed with SYSTEM privileges. Bad bad thing! Btw, do you know the average number of flaws/bugs per line of code? Google it and you'll be surprised with the answer.
Another thing I'd like to add is that all these high-privileged services are running by default on any system. What does this mean? That all of us have more than a dozen running services which we will never need but which at the same time pose a great security risk because of a potential exploit in them!
  • Windows requires that users log in with administrative privileges to install software, which causes many to use privileged accounts for day-to-day usage.
This is so common that most of you think of it as standard. No! Using your computer with an administrator account is also a bad bad thing. Why? Because if malicious code is executed somehow in your account it will have admin rights and believe me a large (maybe the largest) portion of malcode needs these rights. You think you are smart enough? Think again. I am not talking about clicking .exe files sent to you over IRC. I am talking about XSS running javascript, remote code execution exploits and many more. Even a simple .bat written by some brat with cp and rm commands aiming to mess up your system. Unfortunately if you switch to a user-level account you will feel disabled most of the time. Well you shouldn't be.

I could talk about these things for days but I guess it's a good time to stop now, just for today. If you find these interesting go on and read the article.

Oh, Slackware >> Windows :P

Wednesday, August 23, 2006

Public Web Surfing

The New York Times has an article on safely using public networks (e.g. Wi-Fi hotspots) or public computers (e.g. at an internet cafe or airport). The author points out that most users leave too many traces behind them after using their computer in a public network or using a public computer. These traces may be from browser cookies to passwords and work documents.

It is true that most people are just computer users, meaning they don't know and don't care about technical issues, including security. So someone is on the move, wants to check his/her e-mail or contact a friend, connects to a hot spot or visits an Internet cafe. In any case, malicious people could "sniff" what he/she does and steal almost anything this user sends or receives.

Of course there are many things one can do to protect himself/herself. Everything has to do with attitude: first of all, more and more people have laptops, so using a public computer is rare. Yet, if you ever need one, keep in mind that it's like talking on a public phone in the middle of a square. Would you yell your ATM PIN over the phone, or your e-mail password? No! Hell, no! The same rule applies here. When typing in passwords *always* make sure you are using SSL. If not, just quit. The problem is that someone could plant a keylogger in that public PC and collect tons of information. For that reason these PCs are restarted between different users and any user-specific programs or data are wiped out. But you can never be too safe, so consider public PCs the last possible solution. When using your own laptop you are at least safe from malicious programs. Eavesdroppers do exist though. Check here too for SSL and don't even think about logging in otherwise.

Go ahead, check the article. The author tries to ring the bell for those who are totally unsuspecting of the potential dangers but may end up scaring them into ineffective techniques which only offer the illusion of safety. Another point I disagree with is the listing of "security tips" like encryption software and VPNs. As I've just said, users who don't know how to deal with this stuff are likely to a) lock themselves out of important files, b) use a VPN in such a way that no protection is provided, c) get tricked too easily.

To sum up, public web surfing is certainly a great service allowing you to talk, work and have fun while on the move but, like any public means of communication, it should not carry sensitive information. If that is absolutely necessary, there are ways to ensure privacy. The thing is that Security Policies and Techniques for "Private Public Web Surfing" should be applied by trained professionals and not laid in the hands of ignorant users.

P.S.: To read the article you'll be prompted for a username and a password. Since registration is free I don't see any point in this. I mean they restrict access to registered users but then again, anyone can register! So why not leave the access totally public? Anyway, use goaway147:goaway as username:password (thanks to bugmenot.com).

Tuesday, August 22, 2006

Google Redirection Hole used for Phishing

It's official. Google's redirection hole, formerly used for spam, is currently an excellent tool in the hands of phishers.

Why is this bad? Because 99% of Internet users trust google and when they see a link starting with "www.google.com" they think it's part of google or a site google knows about and has included it in its structure. WRONG!

What do I mean? Check this out...


This url (one line) starts with one of the most recognizable domains in the world but what comes next? An unverified IP address and after that the words "signin" and "ebay". Just for testing, try opening it with your browser. It's safe from javascript and stuff. It's just an example. Or try this: append a url of your choice next to "url?q=" and paste the entire thing in your browser. WoW.

This is a huge hole. Anyone can have google as his referrer to a malicious site. Just for the sake of it try entering the link from above (if you haven't done already). And open another tab in your browser with the real signin page from ebay.com. Can you tell the difference? An experienced (or suspicious) user might notice there is no SSL established in the fake page but that's something most victims don't even know about.

Oh and by the way this issue has been known for over six months :P

Sunday, August 20, 2006

How To Write Unmaintainable Code

Following BOFH guidelines demands a little bit more than writing code without comments. In this must-have guide you will learn essential tips for making a code maintainer's life a living hell. It will also guarantee you a lifetime contract at your job, since no reasonable man will kick you out and expect their software to keep running.

Saturday, August 19, 2006

Next Gen Search: Photo ID Lookup

Every time you add a picture to your Gmail contact's profile, you are asked to crop it to separate the face from the body. So Google has, somewhere, a huge database of people's headshots tied to nicknames and other information. I wonder why...

Now hear this: Google was very close to acquiring Riya, a face recognition service which expanded into a visual search engine. The deal broke since Google decided to develop an in-house solution. This proves their intentions in developing algorithms for processing and recognizing faces.

How about that? You enter google.com, search a name/nickname and download the guy's/gal's photo. Another scenario has you taking a photo with your digital camera/cell phone, uploading it to the search engine and identifying the displayed person. OMG. This is just huge. What's next? License plate identification?

Of course there are serious legal implications mainly from possible privacy violations.

To sum up, from a technological point of view this is very big (of course intelligence services have been using this thing for a decade now) but we should give it a good thought before launching it as it is. Besides, Google is already under suspicion because of its search engine (keeping user search entries) and its mailing service (filtering e-mail content to extract information). Finally, all this huge amount of data is becoming an invaluable source which is yet to be mined.

British Terror Alert by Hollywood Inc.

You must have already heard about the "terror alert" issued by British law enforcement authorities, followed by "imminent attack" countermeasures such as grounding all flights, strip searching all airport travellers and of course banning all liquids (including medicine, water and baby milk) from entering the flight cabin.

At that time, the Brits claimed they had "intelligence" on a large-scale terrorist attack which involved mixing certain chemicals on board and causing explosions that could bring down an entire airplane.
Authorities were in true panic since the same "intel" stated that those chemicals could be found in every-day products such as cosmetics and cleaning products. So no liquids on board and if you absolutely had to, you were forced to taste them.

Since the beginning of this I truly believed they were at least overreacting, if not playing some propaganda game. Now, The Register has an interesting, detailed article which proves all these police claims wrong and concludes that this scenario could only be implemented by Hollywood producers in the land of fiction.

Friday, August 18, 2006

Cracking some, Securing others...

It seems that I am spending too much time and energy talking about stuff in other blogs that I don't take care of my own. Well, I'm not sure anyone else is reading this anyway so I guess it's cool :P


You VS Phishing

To begin with, here's an interesting post on managing security between producers and consumers. It is about Phishing and how it is certain that anything a user has to type in as authentication can be extracted from him/her one way or another. What security experts should be doing is stop trying to educate the users and start increasing security on the company's behalf. Social Engineering (that's what phishing really is) manipulates people and that is something we cannot deal with once and for all. And since we acknowledge that the weakest link is always the human, our efforts should focus on taking him out of the equation.


Yet Another XSS Issue

On the XSS frontier, according to this it is possible to enter specific ASCII characters in some web page which, when next to each other, form expressions or delimiters that can shape the code underneath. That way a user entry may place malicious code outside a tag but within the realm of the HTML tag. This is so crazy my head is going to explode. No, it's not because I find it difficult to understand or anything. It's just that this stuff attacks technologies like HyperText Media Language that are considered above suspicion and are widely used. Exploiting this automatically produces a number of victims equal to the Internet population.

So... let me get this straight: a problem so big that it can affect the entire Internet but so obfuscated that it cannot be seen and, if seen, cannot be realised. Everyday activities like opening HTML-encoded e-mails or hitting a URL may expose the world to malicious attempts. And we are still sitting here?!


Smashing the Flash for Fun and Profit

Last night I was really bored so I decided to study a few flash games and find a way to cheat when submitting the score online. It really was easy. What most of these games do is send a POST to e.g. http://www.example.com/flashgames/game314/submit.asp?score=31400. If you manipulate that packet, changing score to 62800 and finally send it, you have successfully doubled your score! No verification, no nothing. Of course some games do a little checking to see if let's say 62800 is a plausible score (maybe it exceeds the maximum available points or sth). But that's also too easy to deal with.

You just have to decompile the file and take a good look at the source code, which is ActionScript. To begin with, all flash games (.swf) are downloaded to your PC prior to execution, so you have a copy of the title to look at. Secondly, since they are not compiled files but use an interpreted object-oriented language, they contain bytecode (not machine code) which is executed at run time by your browser. That bytecode may be easily reversed using a decompiler (it actually doesn't de-compile but you get the picture). Finally, ActionScript looks like pseudo-code, that is logical expressions describing the actual design of the game. These can be well understood by humans, even non-programmers. To deal with these issues, protection methods are being used. These allow the game to be run but prevent a decompiler from taking it apart. But the truth is these protections aren't that good. They can be removed using freeware, google-found tools. Finally, ActionScript programmers use obfuscation techniques to protect their code (all other elements like graphics are left open to "borrow"). What they really do is piss somebody off, since the code may be partly read using certain ways and of course the code structure may always be studied using standard hex editors.

Since yesterday I've seen quite a few flash games with variable protection schemes. The hardest I've found used the hash of string containing the actual score plus some "secret" sequence of chars to make sure the submitted score had not been tampered with. This sequence was hard-coded in the game. I mean are they stupid or what? As I've already said, if someone is already skilled to discover the submitted values and crack the file, code obfuscation can do very little to him. So sooner or later the secret is revealed.

There's one golden rule in cryptography: never rely on the secrecy of the algorithm.

Once the algorithm is revealed, your cover is blown. I could think of and suggest ways to improve verification issues and protect copyrights but that's not my job and I have better things to do :P


e-Shops revised

Almost two weeks ago I ordered a digital camera from a popular computer/technology store which also operates online. The same day I received an e-mail informing me that the specified product was out of stock and urging me to contact an employee by phone. So I did. He claimed that a "bug" in their website showed the camera as available "within 24 hours" while they had already filed an order with the manufacturer some days before. OMG. Do you say the words "bug" followed by "website" and expect someone to shop from you again? Anyway, I made clear that no charges would be made until the product had been shipped to my location. Standard thing I guess, nothing to get excited about. Today, I called the store asking for a status on the order. "We received the items yesterday and they'll be shipped to you tomorrow". Am I missing something here? What happened to "today"? What are they going to do today? Or maybe my call was a wake-up for them to check on my account? So the weekend is coming up and I'll get my package on Monday (hopefully).

Come on people! Is this the best you can do? It's the summer time and I'm a bit lazy. Had it been otherwise, I would have already canceled the order and bought the camera from somewhere else.

What these people don't seem to understand is that when you go online you are competing with the world. Thousands of e-Shops are available online providing low prices, high availability and excellent service.

Had it been otherwise, I would have already bought the camera from a country "next door" like Germany or France. Using today's courier services I could have the product here in two days and at a price possibly lower than the one I get here.

In an open market my shopping mall extends around the world and those who stick to "standard" services won't make it through the year.

Monday, August 14, 2006

RRAS bug: How can they be so stupid?

If you are reading this then two things are happening: you're running a patched Windows system or you are not running a Windows system at all. Just in case you are not patched yet, get out of here! Now! Go update!

Well... to begin with let me tell you that this is also a big one. Maybe not as big as MS06-40 but it's big. It has to do with rasmans.dll, a library used by the Routing and Remote Access Service in Windows (2000, 2003, XP). Yet another stack overflow exploit due to the ability to write arbitrary values in a registry key.

In detail: every time you call a certain function (RPC) from within that library, which uses registry keys to store information, a new registry key replaces the current (old) one. The problem starts with the value of the key being unlimited. So you can put as much data as you want, resulting in a stack overflow exploit. The exploit works by calling once to set the key to a huge value, then calling the function again to have our huge value deleted, thus triggering the overflow.

How stupid can they be?

What is it with these people?

When releasing such services with a broad range of use it is unforgivable to overlook bugs like this. Or maybe they didn't check their code? I mean Remote Procedure Call, Dynamic Host Control Protocol, Routing and Remote Access, Server Service? These things are automatically deployed in a fresh Windows installation. The user is never asked whether to enable these modules or not. "Windows knows best". Also, one uses them because they make his life easier, so what happens? Microsoft gives absolutely no control or knowledge over these issues, leaving huge back doors (they couldn't do it better even if it was intentional).

If I don't know a certain service is active how could I take it into consideration when securing my system? And if Microsoft keeps that service hidden from me, should it take care of the security too?

Btw, Microsoft has released patch MS06-36 to address this issue but, as I'm told, the patched code still contains part of the vulnerability. Nice going guys :P

Windows Users: Switching to Defcon 1

Defcon stands for DEFence readiness CONditions and is a model reflecting the current state of alert. Defcon1 is the highest state indicating an imminent attack.

Security Experts all over the world expect a large scale attack against a Windows vulnerability at any moment. Microsoft has released a patch codenamed MS06-40 but there are too many users out there who don't care to download such security updates. This is so serious that the U.S. Department of Homeland Security issued an official warning. The DHS usually worries about terrorist attacks or extreme weather conditions (hurricanes, etc.). So if *they* are worried about this then *you* should be worried too. People compare the possible side effects of this to the MSBlast worm in 2003.

In detail, there's a stack overflow exploit in the NetApi32 CanonicalizePathName() function using the NetpwPathCanonicalize RPC call in the Server Service. The Server Service is a Windows NT 4.0, 2000 and XP service allowing users to share resources (files, printers etc., aka File and Printer Sharing) over a network. Using that exploit an attacker could successfully write 370 bytes of code (payload).

Do you realise how big this is?

Do you know how many unpatched systems are out there?

Exploit code is already out taking advantage of this and causing a DoS attack to a system. Even a failed exploit attempt could result in a system restart.

It is a matter of time before someone turns the exploit code into a worm. This could be the next big thing to shock the Internet. If you still can't understand the potentials of this, shut down your PC - right now!

P.S.: As I've already mentioned a patch is available from Microsoft Windows Update. I suggest you update, if you haven't already done so.

Update: It seems that I was left behind. Actually the first mass-exploit wave is happening right now. Attackers hijack unpatched Windows machines and use them in IRC-controlled botnets. The attacks started on Sat 12 Aug 2006 and involve executing malicious code using this exploit, installing a trojan, modifying security settings and connecting to an IRC server ready to receive commands. You will find here a detailed analysis of this tactic.

(VBS) Shutting Down Windows...

Here's some vbs code I wrote:
' Schedule a shutdown in 120 seconds through the Windows Script Host shell object
Dim WSHShell
Set WSHShell = WScript.CreateObject("WScript.Shell")
WSHShell.Run "shutdown -s -t 120", 1, true
Set WSHShell = Nothing
WScript.Quit(0)

As you can see, it executes "shutdown -s -t 120" which tells Windows to terminate in 120 seconds.

To counter the effect (abort the shutdown) you may use:
' Abort a pending shutdown (shutdown -a) through the same shell object
Dim WSHShell
Set WSHShell = WScript.CreateObject("WScript.Shell")
WSHShell.Run "shutdown -a", 1, true
Set WSHShell = Nothing
WScript.Quit(0)


Homework: Copy each of these pieces into a .txt file, naming them exploit.vbs and csexploit.vbs (do NOT leave a trailing .txt and make sure .txt is not hidden from you by the OS). Now, double click on exploit.vbs and you will see a window informing you that your system will shut down in less than 120 seconds. Quickly, double click on csexploit.vbs to make that window disappear and of course abort the process. Cool huh?

Try e-mailing this (actually the exploit.vbs file as an attachment) to your friends titled "check this out" or sth and you'll be surprised to find out how many of them actually clicked the file and faced the penalty :P
Your chances will greatly increase if the receiver of this is some bored, I-dont-know-computers secretary. How do you think so many worms have spread? Did you know that the majority of them was written in vbs?

Now... I should inform you that I could just as easily find code that, let's say, collects passwords from IE history or copies MSN Messenger identities and logs and has all this info mailed to me as soon as you click the file. Or maybe automatically e-mails the code to everyone in your address book. You should also fear that there have been cases in which you don't have to double click on the file. I could have it executed using a buffer overflow exploit in your Windows system. How about that?

Goodnight everyone!

Sunday, August 13, 2006

TSF Deployed at Lebanon

A humanitarian group called Telecoms Sans Frontieres (TSF) is currently heading for Lebanon to establish emergency telecommunication infrastructure using satellite links, 802.11 nodes, laptops, faxes and mobile phones.

Deploying such wireless networks has been already tested and proved the best solution in such cases. The army and emergency response teams have been among the first to acquire such technology.

Who could argue now that WiFi is not reliable? In a country at war where all wired power and communication grids have been bombed, it seems that wireless communications will do the job.

I've already talked about this at Net Phones Services: Are We There Yet, where I stressed that Computer Network Phone Services could fully take over current wired models.

Tuesday, August 08, 2006

(debugging) XSS Locator

XSS, as in Cross Site Scripting, is one hot topic. I've already talked about it in Slow Down! I'm gettin' Dizzy. It has to do with Javascript exploits allowing a malicious user to direct orders to the webserver hosting a site and using it to hide exploit code that will be downloaded by unsuspected visitors. If that sounds too much and impossible to happen, let me inform you that the exploited server may be hosting amazon or ebay or paypal or any other online store/service managing user information.

This is the code (I've replaced '<' and '>' with '#' as my WYSIWYG kept interpreting it. LOL. You shouldn't feel safe even while reading this blog.):
';alert(String.fromCharCode(88,83,83))//\';
alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//\";
alert(String.fromCharCode(88,83,83))//>#/SCRIPT#
!--#SCRIPT#alert(String.fromCharCode(88,83,83))#/SCRIPT#=&{}


What it does is show an alert box on your browser with the message "XSS". Of course if that shows up while you are trying this code in a third-party website, well... it shouldn't have and you've just discovered a vulnerable location!

If you watch carefully you'll see that it puts itself outside any quotes used to store it as a string. E.g. a script that prompts you with "What is your name?" and expects an answer is a good candidate for testing.

In Detail, let's say you have:
var a = prompt("What is your name?","");


After the user entry, variable 'a' will be (using only the first part of the code to make it easy for someone to notice):
var a = '';alert(String.fromCharCode(88,83,83))//';


As you can see the second quote (right before the first semicolon) closes the string and leaves the rest of the code (from alert onwards) outside the string, so it runs as script. Next, there are some more tricks to fool techniques like using a slash to init variable 'a' so that a single quote won't damage the string etc. Finally the #script#code#/script# does the trick :P

This is just a small demonstration. Imagine that this is too simple compared to other exploit codes. Also, imagine that the code doesn't just pop up an alert box but commands the browser running the script to dump passwords to an e-mail address or send a POST/GET command somewhere else (therefore acting as a bot) or ... or ... the possibilities are endless.


P.S.: The exploit code is presented as four lines while it really is just one. I've split them for indentation reasons only. If you want to try it, put it back together. No spaces.

Sunday, August 06, 2006

(blogiseverything) The Story Behind These Company Names

blogiseverything.com has a great article on the name origin for some of the top IT companies.

Did you know that Apache got its name from "A PAtCHy" due to the number of patches written and applied for NCSA's http daemon?

Or did you know that Hotmail was initially written as "HoTMaiL" to promote the letters HTML, the language used to write web pages?

Or even did you know that Oracle was the codename of a CIA (yes, spy stuff) project carried out by the company's founders?

Well, you'll find a lot of these including Intel, Adobe, Cisco, Google, Microsoft, Motorola, Red Hat, Xerox and Yahoo. You're just one click away :P

No Room Today

The Baltimore Sun has an exclusive story titled "NSA risking electrical overload". It basically says that the NSA headquarters has problems installing a new computer grid because of its power needs. Baltimore's power grid is dangerously becoming insufficient for the NSA's needs. The situation is fragile. As a result, they have raised the building's temperature by two degrees in order to save electricity. I bet they also monitor big projects in the city like a new mall to make sure the grid doesn't fail under high demand. The implications of a power failure may be worse than those expected from the Y2K bug, according to a slashdot columnist. So what then? Build a nuclear plant? And in another 5 years? Build another one? And another one?

This reminded me of a talk with a colleague of mine about Google. He had said to me that the Google main facility was at its limits in terms of space. "They can't add any more computers to their grid". Of course there are farms all around the globe caching and splitting the total load of requests, but what these farms do is mirror the original grid in California. "There isn't any room left even for a tech guy to walk in there and change a burned CPU". It was amazing. He also claimed Google had an overheating problem. Too many machines in a limited space produce so much heat that the equipment itself is at risk. According to him, they had brought in experts on air flow and cooling to come up with a solution. Bottom line, it is a deadlock. All computers must be in one place, one building, one room, and there isn't any room left. They could start building a second huge facility but how would they move out the computers? And how long would that take?

As you can see both NSA and Google face similar problems. Too many computers in one place. The first has power shortage problems, the second heat emission ones. This kind of facility has no future.

I am currently studying Distributed Computer Systems, that is having many computers working as one, sharing big loads of data and/or processing demands over a network. The systems don't have to be physically next to each other or in the same room, city, country or continent :P

You may have heard some big DCS projects like @Home (SETI, Folding, etc). These projects put to use the idle CPU time from millions of computers around the globe to examine data that would otherwise take years to produce results. They form huge supercomputers that will never fail (even if a computer or group of computers is down the grid will go on) and won't be limited by physical resources (space, power, air). A computer may be added to this grid at run time and may be as easily removed.

DCS is a thought out of the box. Maybe too smart for those corporate suits?

Anyhow, it's about time they changed strategy and started planning right now; then, maybe in a decade or so, they'll make the transition. Otherwise, they won't be able to stay on their feet.

Slow Down! I'm gettin' dizzy

I was just reading some guy's blog on security. He was talking about JavaScript Malware and how one could not only collect so much info from a website visitor, running a malicious script, but also launch entire attacks entering DMZs and exploiting vulnerabilities deep inside a secure network.

I'm just beginning to learn javascript but I am able to understand that what this guy is talking about is possible. Like let's-do-it-today possible. And it occurred to me: forget the security experts, forget the guys in dirty jeans attending BlackHat or Defcon. How many internet users are aware of malicious javascripts? Or Cross Site Scripting? How many super-duper administrators?

Here's a simple example based on a scenario from the above blog. Some guy works as a low-level programmer or tech support or sth. Nobody pays much attention to him. His job is as simple as writing installers or changing backup tapes and ink cartridges. The company's network is secure with super firewalls, VLANs etc. That guy, while bored, enters a CSS-vulnerable site, let's say MySpace. The attacker has put there a script which is downloaded once the website loads. That's it! The employee didn't see anything strange happening. He continues surfing around while that malicious script is running in the background collecting information about his computer, the network topology, previous network destinations, cached information, passwords etc. That same script may contain exploit code targeting well-protected, private network equipment. Boom! How about that?

It may have already happened. Even to you. Homework: Download noScript Extension for Firefox. And surf your favorite sites. Every time a javascript is about to run, noScript blocks it and informs you about it. You'll be surprised to find out how many scripts are running while you are casually visiting a forum or a news site.

All this has a point. 90% of the people I know feel threatened by viruses on floppy disks or kidz trying to steal their credit card info. Such an illusion. Somebody may already have hijacked their PC to assemble a botnet and they'll still be running their antivirus once a week scanning for boot sector viruses :P

Right now technology is a big vector. The majority of people are stuck at the tail and few are shaping things at the head. Unfortunately there's a huge gap in the middle.

This very moment vulnerabilities are being found, exploits are designed and by tomorrow these people will own the world. Can YOU keep up?

Thursday, August 03, 2006

(Black Hat) Cloning E-Passports Accomplished

A German computer security consultant has demonstrated the cloning of the electronic data from an E-Passport at the BlackHat convention in Las Vegas.

By the end of this year, many countries, including the U.S., Germany and Greece, will start issuing these passports, which contain an RFID (radio frequency ID) chip with the owner's information on it. That way, they aim to make forgery a lot harder. Apparently they didn't do a great job planning this thing.

Wired News has published a very interesting article on the subject, which includes a demonstration by the guy who cracked it, Lukas Grunwald. In there, the reader will find out that the information on the chip is totally unencrypted (securely signed, though) and therefore can be read and copied quite easily. Also, a worrying scenario states that an explosive device with an RFID sensor may identify a person by his E-Passport while he is passing by, and activate. Finally, the author describes how a valid E-Passport could be overwritten so that, let's say, a known terrorist could go through border control uninterrupted.

You may also find an interesting video from Mahaffey and John Hering of Flexilis, a security company, demonstrating the failure of the E-Passport's shielding system to prevent unauthorized scans of the RFID chip by malicious antennas.

I would like to quote something from the article:
Is this what the best and the brightest of the world could come up with? Or is this what happens when you do policy laundering and you get a bunch of bureaucrats making decisions about technologies they don't understand?
Which reminds me of my own blog entry titled "Exclude illiterate supervisors from e-Hierarchy?"

P.S.: Happy 3/8/6 (x86 day!)

Wednesday, August 02, 2006

x86 Days

Somebody pointed out to me the obvious:
today, tomorrow and the day after will be 2/8/6, 3/8/6 and 4/8/6 like 286, 386 and 486. Cool!

Tuesday, August 01, 2006

Windows: Give up control for a little temporary utility?

Microsoft Windows came into our lives introducing a revolutionary, user-friendly graphical user interface for the PC. From the start, Microsoft's goal was for every house to have a Windows PC. And they have succeeded in that using aggressive marketing, disputed monopoly tactics, etc.

Right now, they (Microsoft) hold a huge piece of the pie and therefore great power. At first, user-friendly meant a mouse, nice colors and a few tooltips. After that, users didn't want their OS to crash (randomly), causing them to lose their unsaved work. So system stability and reliability came into play. Up to that point (let's say Windows 2000) users and Microsoft agreed on what the one side needed and what the other side was offering.

By the time Windows XP was on the market, something changed. Security. What had happened was that the home OS had made its way into corporate networks interconnected to the Internet. So a few skilled people (hackers) found several flaws that allowed them to seize control of these networks. Effects? Denial of service, lost information, leaked information, millions of dollars in losses. While the home user wanted a plug-and-play system, the company employee demanded an invulnerable system.

So the situation was like this: an operating system with insufficient design for today's standards, problematic for the advanced user and a security risk for anyone who had something worth protecting. This forced a change of policy (or, if you prefer, took user-friendliness to the next level).

While, up to this point, the user had been the absolute administrator of his system, now the operating system took on the role of protecting the system even from the user's own actions, if those posed a hazard.

Today we hear about various Vista features such as scalable user rights (no more admin accounts available), something Unix has had since the beginning, global undelete, abstraction layers for system control etc. All these things may be well-intended but take the keyboard out of the user's hands. That's ok if you're just a beginner and, for that matter, find tooltips and wizards very smart and helpful. But if you know what you want to do and how you want to do it, there's a great chance Windows won't let you. So the OS keeps the system secure, right? Wrong! What it does is preserve the system its own way. There may be an attempt to secure it, but when the first flaw comes up (there will always be flaws in software) you'll be helpless, waiting for Microsoft to release a patch. That's not the way I want to work. That's not the way you want to work either. Patching an OS again and again makes it less reliable and much slower. It's not a rare thing for a patch to create a new bug in the system. And all that is done "transparently" through "smart abstraction" which doesn't "worry" me with technical information. Well, maybe I want to be worried when it comes to my own PC. Maybe I want to be kept on alert if there's a reason to.

Would you buy a house with an unknown, invisible, integrated alarm system? So why would you buy an OS which acts the same way? What is more, you have paid pretty expensively for that piece of software!

Bottom line is: Windows was a great idea. Something has gone wrong with the implementation and action must be taken so that we have another version five years from now.