
Posts

Showing posts from 2011

Card skimmers at a supermarket chain – Inside job?

From the Mercury News (via ars technica):

“Further evaluation uncovered an extra computer board that had been placed inside the checkout machine, recording customers' financial information.”

So…how did a skimmer get inside the checkout machine? I’ve never been in a Lucky Supermarket, but the places that I frequent that have self check-out lanes all have employees watching the lanes and presumably have security camera coverage. These aren’t unattended ATMs or gas pumps monitored by a harried convenience store cashier who has five other customers waiting to check out, so one would think that adding electronics to the inside of the checkout machine would be a detectable event.

The company CFO doesn’t think it’s an inside job though:

“Although the skimmers at Lucky's stores were apparently installed inside the checkout units, Ackerman said the company doesn't suspect an inside job”

Interesting.

How not to disburse financial aid.

Decades ago I worked for a small college with strong, forward looking leadership that firmly believed a significant fraction of our interactions with students should be computerized. He believed that if we automated background bureaucracy we could better handle the budget cuts and shift more resources into classrooms. He also believed that if students had a clear, consistent interface into our bureaucracy they’d be better, happier learners.

My job was to make that happen. I networked all staff and student computers, computerized all student grading, registration, transcripts, fees; all college accounting, purchasing, invoicing, inventory, room scheduling and whatever else the president thought was bureaucratic. My toolkit was an ARCnet network, a Novell Netware 2.0a server, a few dozen 80286 computers and a database called Paradox. I turned off the IBM System/36. There was no WWW. It took a couple years, but we got to the point where a student could walk up to a kiosk (a netboote…

Car goes over cliff, undetected

A car goes over the edge of a cliff on a narrow mountain road. The driver survives, but the accident goes undetected for six days. After five days, the family files a missing persons report. Law enforcement tells them that follow-up will take days. The family doesn’t wait. They locate the car using their own means with the help of a detective and the phone company, including what appears to be one of the controversial warrantless cell phone locates that law enforcement does millions of times per year.

When the family located their father at the bottom of a ravine, they also found a second car had gone over the edge. That accident was unrelated and also undetected. That driver died.

Number of cars over the edge: Two. Number of cars detected and located by law enforcement/rescue workers: Zero.

No doubt that there will be a call for guard rails. I don’t think it’s practical to put rails on every spot on every road, but I do think that one could devise an inexpensive tell-tale. This could be…

The sky is falling. Sirens are blaring. Ignore it.

That’s what I do.

I’m located at the intersection of three large counties in an area of the country that has moderately frequent severe weather & tornadoes. All three counties fire up the sirens any time they think there is severe weather any place in the county. I hear the emergency severe weather sirens of all three counties, and I can’t tell which siren is from what county.

Each time I hear a siren (as often as once a week in summer) I can either:

1. head immediately for shelter (basement) as officially recommended
2. wake up a computer and research the current weather and radar
3. ignore them

Unfortunately many of the residents of Joplin, MO appear to have chosen options 2 or 3, some of whom died as a result of their choice.
In interviews with nearly 100 survivors of the tornado, NOAA officials found that the perceived frequency of warning sirens that night and in previous storms caused people to become "desensitized or complacent to sirens" and to not take shelter.
"Instead…

Comcast Internet Essentials - Low Cost Internet

Comcast is bringing their ‘Internet Essentials’ to our local service area. Under this program, families who qualify for free school lunches are eligible for $10/month internet from Comcast.

Kudos to Comcast.

I see programs like this as an important factor in reducing the number of “have nots” in the already wide disparity between those who have access to broadband and those who do not. Broadband today is as critical to rural and economically poor areas as electricity was in the 1930s and 1940s. Back then, a rural farmer that had electricity could dramatically improve their productivity versus farmers with no electricity.

In the 1930s, my grandfather's sister moved from an electrified area of Wisconsin to a farm in Minnesota with no electricity. She had to pump water by hand, wash clothes by hand, heat the farmhouse with a wood stove, light kerosene lamps… Today in Minnesota we have rural areas where there is no wired broadband coverage, and we have both rural and metro areas where peopl…

What do Linux.com & Kernel.org have in common?

Down for maintenance. Hacked…pwned…rooted…

Can you imagine the holy shitstorm that the Linux fanboys would be flinging out the door if this had happened to Microsoft?

The root cause analysis on these will be interesting reads.

HP Drops State of the Art Tablet, Re-Introduces Antique Calculator

HP’s TouchPad tablets are dead. HP’s RPN calculators are back. What’s next, single pen flatbed plotters?

BTW- I must be old. I still have an HP 11C…

…and I remember when we upgraded our single pen flatbed plotter to a state of the art 6 pen moving paper plotter complete with automatic pen selection. Instead of the plotter stopping and waiting for you to switch from the black pen to the red pen, the plotter would automagically put the black pen back into the carousel and pick up the red pen.

We were impressed.

Oracle 11.2.0.n - Sev 1, Sev 1, Sev 1, and Sev 1

One database, four SRs at Sev 1. The oldest one has been a one for 16 days. Nice, eh?

We’re pretty sure that Oracle 11.2.0.wtf doesn’t play anywhere near as nice with our workload as 10.2.0.[45].

FWIW - The ‘SUN box stuck’ SR is open because a diagnostic script that Oracle had us run deadlocked a DB writer on a libaio bug in Solaris 10 (Bug 6994922).

Deprovisioning as a Security Practice II

In Service Deprovisioning as a Security Practice, I asserted that using a structured process for shutting down unused applications, servers & firewall rules was good security practice.

On the more traditional employee/contractor deprovisioning process, I often run into managers who view employee deprovisioning as something that protects the organization from the rogue former employee who creates chaos after they leave. If they feel that the former employee is leaving on good terms and unlikely to ‘go rogue’, they treat account deprovisioning as a background, low priority activity.

There is obviously an interest in protecting the organization from the actions of the former employee, but something that is just as important to me is to protect the employee/contractor from events that happen after they leave. I’d really hate to see someone get blamed for an event that happened after they left our employment. That’d be really unfair to them. For employees who are leaving on good terms,…

Have all big government internet projects

According to a UK ePetition by Harel Malka, we should:
Have all big government internet projects pass the approval of a technical panel made of professionals from the tech statup[sic] sector.

This is an interesting idea – and one that I could buy into (under the right conditions…)
I’m a government employee that manages systems and projects that run into the millions of dollars. Would advice from the private sector help me?

Maybe.

Caveats:

Private sector consultants are in it for the money. I can pay them for advice, but in all honesty, it’s not a sure thing that I’ll get advice that is worth more than what I paid. I’ve seen plenty of cases where ‘Those who can, do; those who can’t, consult.’

Free advice from the private sector IT might fall under a different umbrella though. Presumably one could find skilled private sector IT practitioners who have an altruistic motive rather than a profit motive, and presumably one could find skilled persons who can donate sufficient personal tim…

Gig.U, Gigabit to the Home

Gig.U is on track. That’s cool. I’ll be very interested if Gigabit Ethernet to the home makes a difference to the ordinary home user. I’ll go on record and say that I don’t think it will. The Gig.U experiment might come up with novel and interesting uses that can’t be met by a 10 or 100Mbps home connection, but if the interesting & novel new uses for high bandwidth to the home show up, they will not radically change ordinary home users' lives.

Once you get above about 6Mbps to the home, what makes a difference to the home user isn’t bandwidth, it’s data caps & quotas. If I have a 6Mbps internet connection with a high data cap (like Comcast’s 250GB cap), I can radically change how I consume information. If I have a higher bandwidth connection but a low data cap (like a 2GB cap on a 3G/4G phone or the 50GB caps imposed by other ISPs), I can’t fundamentally change how I consume information/media. That’s why I don’t care if my phone is 3G or 4G. In either case it’s still a 2GB cap, s…

A new means of releasing software

From a recent conversation with a colleague, I learned that worms have been around a lot longer than I imagined:

. JOHN WALKER JANUARY 1975
.
.
. THIS PROGRAM IS A TOTALLY NEW WAY OF DISTRIBUTING VERSIONS OF
. SOFTWARE THROUGHOUT THE 1100 SERIES USER COMMUNITY. PREVIOUS
. METHODS REQUIRED THE DELIBERATE AND PLANNED INTERCHANGE OF
. TAPES, CARD DECKS, OR OTHER TRANSFER MEDIA. THE ADVENT OF
. 'PERVADE' PERMITS SOFTWARE TO BE RELEASED IN SUCH A MANNER THAT
. IF SOMEONE CALLS YOU UP AND ASKS FOR A VERSION OF A PROCESSOR,
. VERY LIKELY YOU CAN TELL THEM THAT THEY ALREADY HAVE IT, MUCH
. TO THEIR OWN SURPRISE.
Self-replicating software a decade before the Morris worm.

Cool.

One thing that I keep in the back of my mind is that even with nearly 30 years of computing experience, I’m still a newbie. There is a vast body of knowledge and experience that precedes me, and much of that is locked away in the archives of the minds of the brilliant people who invented t…

Government Remotely Disables Software on Personal Computers

The FBI remotely disabled software installed on privately owned personal computers located in the United States. If this isn’t controversial, it should be.

The software is presumed to be malicious, having been accused of stealing account information and passwords from hundreds of thousands of people. Does that make it less controversial?

Hundreds of thousands of computers have one less bot on them. That’s certainly a good thing. Hundreds of thousands of computer owners had their computers remotely manipulated by law enforcement. Is that a good thing? A dangerous precedent?

Interesting, for sure.

Update: Gary Warner has an excellent write-up.

Your package has arrived.

I'm impressed by this scam e-mail:
Return-path: <tracking@ups.com>
Reply-To: <tracking@ups.com>
From: UPS Shipments <tracking@ups.com>
Subject: Your package has arrived!
Date: Thu, 2 Dec 2010 14:31:34 +0000
To: Undisclosed recipients:;
Dear client<br />
Your package has arrived.<br />
The tracking# is : 1Z45AR990*****749 and can be used at : <br />
<a href="http://www.ups.com/tracking/tracking.html">http://www.ups.com/tracking/tracking.html</a><br />
The shipping invoice can be downloaded from :<br />
<a href="http://thpguild.net84.net/e107_files/cache/invoice.scr">http://www.ups.com/tracking/invoices/download.aspx?invoice_id=3483273</a> <br />
<br />
Thank you,<br />
United Parcel Service<br />
<p>*** This is an automatically generated email, please do not reply ***</p>

UUCLJNFYSDMJENHSLBIXJFGSUGKCVUTDYVBOGM
I’ve snipped the delivery related headers (not interesting) and …

Add Robert Half to the Epsilon Breach Fiasco

On my work e-mail:

Today we were informed by Epsilon Interactive, our national email service provider, that your email address was exposed due to unauthorized access of their system. Robert Half uses Epsilon to send marketing and service emails on our behalf. We deeply regret this has taken place and any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information. We were advised by Epsilon that the information that was obtained was limited to email addresses only. Please note, it is possible you may receive spam email messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties. We ask that you remain alert to any unusual or suspicious emails. As always, if you have any questions, or need any additional information, please do not hesitate to contact us at customersecurity@rhi.com. Sincerely, Robert Half Customer Care …

OS X Adaptive Firewall Automated Blacklisting

OS X Mini Server comes with an incarnation of 'ipfw' as its built in kernel firewall. Configuration of ipfw in an IPv4-only world is pretty simple. The Server Admin GUI covers the basics. The details are in /etc/ipfilter.

Along with the 'ipfw' firewall comes something called 'Adaptive Firewall'.  OS X's "Network Services Administration" indicates that this adaptive firewall 'just works':
Adaptive Firewall

Mac OS X v10.6 uses an adaptive firewall that dynamically generates a firewall rule if a user has 10 consecutive failed login attempts. The generated rule blocks the user’s computer for 15 minutes, preventing the user from attempting to log in.

The adaptive firewall helps to prevent your computer from being attacked by unauthorized users. The adaptive firewall does not require configuration and is active when you turn on your firewall.
Apparently my Mac Air is doing something to annoy the Adaptive Firewall on my mini. After a day of running…
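As an added illustration (not code from this post and not Apple's implementation), the rule Apple describes above can be modelled over a few constructed, sshd-style authentication log lines: a client host is blocked only after 10 consecutive failures, a successful login in between resets the count, and a block expires after 15 minutes. The log format, the per-host streak counter and the whitelist are assumptions of this model; the page does not show how the real adaptive firewall keeps its state or whether a trusted host such as the Air can be exempted.

```python
"""Model of the 10-failures / 15-minute adaptive block (added example, not OS X Server code)."""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 10      # consecutive failures before a block, per Apple's description
BLOCK_MINUTES = 15       # how long the generated rule lives

# Constructed sshd-style log lines; the format is an assumption, not a real OS X Server log.
SAMPLE_LOG = "\n".join(
    [f"2011-01-10 08:00:{i:02d} sshd[71]: Failed password for bob from 10.0.0.5" for i in range(10)]
    + ["2011-01-10 08:00:10 sshd[72]: Accepted password for alice from 10.0.0.7"]
    + [f"2011-01-10 08:01:{i:02d} sshd[73]: Failed password for alice from 10.0.0.7" for i in range(4)]
    + ["2011-01-10 08:01:04 sshd[73]: Accepted password for alice from 10.0.0.7"]
    + [f"2011-01-10 08:02:{i:02d} sshd[74]: Failed password for alice from 10.0.0.7" for i in range(9)]
)


def parse_line(line):
    """Return (timestamp, success, client_host) for an auth line, or None for anything else."""
    parts = line.split()
    if len(parts) < 3 or "password for" not in line:
        return None
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    return ts, "Accepted password" in line, parts[-1]


class AdaptiveBlocker:
    def __init__(self, whitelist=()):
        self.whitelist = set(whitelist)   # hosts never blocked (this model's own feature)
        self.streak = defaultdict(int)    # consecutive failures per host
        self.blocked_until = {}           # host -> datetime the block expires

    def observe(self, line):
        rec = parse_line(line)
        if rec is None:
            return
        ts, success, host = rec
        if host in self.whitelist:
            return
        if success:
            self.streak[host] = 0         # "consecutive": any success resets the count
            return
        self.streak[host] += 1
        if self.streak[host] >= FAIL_THRESHOLD:
            self.blocked_until[host] = ts + timedelta(minutes=BLOCK_MINUTES)
            self.streak[host] = 0

    def is_blocked(self, host, now):
        until = self.blocked_until.get(host)
        return until is not None and now < until

    def is_blocked_at(self, host, when):
        """Convenience wrapper taking 'YYYY-MM-DD HH:MM:SS'."""
        return self.is_blocked(host, datetime.strptime(when, "%Y-%m-%d %H:%M:%S"))


def replay(log_text, whitelist=()):
    """Feed every line of log_text to a fresh blocker and return it."""
    blocker = AdaptiveBlocker(whitelist)
    for line in log_text.splitlines():
        blocker.observe(line)
    return blocker


if __name__ == "__main__":
    b = replay(SAMPLE_LOG)
    for host in ("10.0.0.5", "10.0.0.7"):
        state = "blocked" if b.is_blocked_at(host, "2011-01-10 08:05:00") else "not blocked"
        print(host, state, "current streak", b.streak[host])
```

In the sample, 10.0.0.5 fails ten times in a row and is blocked until 08:15:09; 10.0.0.7 fails thirteen times in total but never ten consecutively, so it is never blocked. A whitelist entry is how this model would stop a known-good client from tripping the rule; whether the real adaptive firewall offers the same is not something this page establishes.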

Square & VeriFone, My phone accepts payment cards

Square allows you to turn your phone into a payment card terminal. Cool. For a mere 2.75% overhead, a merchant can accept credit cards using a free magnetic card reader attached to your phone's headset jack. Your customers swipe their card and scribble their signature on your iSplat’s screen, and your bank account gets a credit.

The obvious questions: How do you secure a mobile application such that it can safely handle payments? Is your Square-enabled phone now covered under some sort of compliance regime?

Square says they are secure, but they’ve loaded lots of weasel language into their User Agreement and Commercial Entity Agreement. (I don’t make a habit of reading merchant agreements, so their language may be typical for the trade, but the part where they exempt themselves from any liability or damages caused by 3rd party trojans would concern me.)

VeriFone disagrees, claiming that the Square system is vulnerable to rogue mobile apps, and claiming to have (in an hour) written an ap…

Temporal Juxtaposition - The future of mobile banking

E-mail from a colleague:

So, within minutes of one another:

Roundtable's Pitts: Mobile Will Connect Channels, Improve Security
"Mobile and banking fit together like chocolate and peanut butter," says Jim Pitts, project manager of the Financial Services Technology Consortium, the technology solutions division within The Financial Services Roundtable.
[ ... ]

Google Kicks Rogue Apps Out of the Android Market
"[ ... ] Before their removal, the apps garnered between 50,000 and 200,000 downloads. The apps caused the phone to perform functions without the owner's consent. The Trojan embedded in them used a root exploit to access all of the phone's data and download malicious code.
The publisher has been removed from the Android Market completely, and its apps reportedly have been deleted from phones, but this won't remove code that has been back-doored into a phone's program. Google reportedly is working on that problem.
[ ... ]

Awesome. We are going to bet our f…

Somewhere in the OraBorg, an RSS feed is being updated

It’s Tuesday. My pre-OraBorg Google Reader subscription shows a stream of security updates. Looks pretty bad:

Wow – there are security vulnerabilities in Mozilla 1.4, ImageMagick, a2ps, umount & a slew of other apps. I’d better kick our patch management process into high gear. It’s time to dig into these and see which ones need escalation.

Clicking on the links leads to sunsolve, the go-to place for all things Solaris. Sunsolve redirects to support.oracle.com. support.oracle.com has no clue what to do with the redirect.

Bummer… I’d better do some serious research. Google Research, of course:

2004, 2005, 2006…WTF???

Conclusion: Oracle is asking us sysadmins to patch five year old vulnerabilities. They must think that this will keep us from whining about their current pile of sh!t. Diversion. Good plan. The borg would be proud.

One last (amusing) remnant of the absorption of Sun into the OraBorg.

Backup Performance or Recovery Performance?

“There is not a guaranteed 1:1 mapping between backup and recovery performance…” Preston de Guise, “The Networker Blog”

Preston's post reminded me of one of our attempts to build a sane disaster recovery plan. The attempt went something like this:

1. Hire consultants
2. Consultants interview key staff
3. Consultants draft recovery plan
4. Consultants present recovery plan to executives

In the general case, consultants may or may not add value to a process like this. Consultants are in it for the money. The distinguishing factor (in my eyes) is whether consultants are attempting to perform good, cost-effective work such that they maintain a long term relationship with the organization, or whether the consultants are attempting to extract maximum income from a particular engagement. There is a difference.

On this particular attempt, the consultants did a reasonably good job of building a process and documentation for declaring an event, notifying executives, decision makers and technical staff; and managin…

Tipping Point Vulnerability Disclosures–IBM Incompetence?

Last August, TippingPoint decided to publicly disclose vulnerabilities six months after vendor notification. The six months is up. Take a look at IBM’s vulnerability list and the actions taken to resolve the vulnerabilities. If you don’t feel like reading the whole list, the snip below pretty much sums it up:

Timeline:
[08/26/2008] ZDI reports vulnerability to IBM
[08/26/2008] IBM acknowledges receipt
[08/27/2008] IBM requests proof of concept
[08/27/2008] ZDI provides proof of concept .c files
[07/12/2010] IBM requests proof of concept again and inquires as to version affected
[07/13/2010] ZDI acknowledges request
[07/14/2010] ZDI re-sends proof of concept .c files
[07/14/2010] IBM inquires regarding version affected
[07/19/2010] IBM states they are unable to reproduce and asks how to compile the proof of concept
[07/19/2010] ZDI replies with instructions for compiling C and command line usage
[01/10/2011] IBM states they are unable to reproduce and requests proprietary crash dump logs

Tippin…

Well formed Comcast phishing attempt - “Update Your Account Information”

A well-formed e-mail: no obvious spelling errors, reasonably good grammar, etc. One red flag is the URL to the Comcast logo, but I wouldn’t bet on users catching that. The embedded link is another red flag:

http://login.comcast.net.billings.bulkemail4sale.com/update/l0gin.htm [s/0/o/]

But one that would fool many. Users will not see that URL unless their e-mail client has the ability to ‘hover’ a link destination.

The ‘login page’ is well-formed and indistinguishable from Comcast’s Xfinity login page: all the links in the bogus login page (except the form submit) go to real Comcast URLs, the images are real, the page layout is nearly identical. The only hint is that the form submit doesn’t post to Comcast, but rather to [snip].bulkemail4sale.com/Zola.php:

Zola.php? Hmmm…

Filling out the bogus login page with a random user and password leads to a “Comcast Billing Verification” form requesting last, middle & first names, billing address, credit card details including PIN number, card is…
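The UPS ‘invoice’ mail quoted earlier on this page and this Comcast phish share one tell: what the user sees (the visible URL text, or a familiar brand at the front of a long hostname) disagrees with the domain the link actually goes to. The following is an added example, not part of either post, that checks for both over the UPS message body copied from the earlier post (as a constructed sample) and the Comcast-style hostname. The short suffix list, the `registered_domain` and `lookalike_host` helpers and the extension list are this example's own simplifications, not a public-suffix library.

```python
"""Link checks for the UPS and Comcast phishes quoted above (added example, not the posts' code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Deliberately tiny stand-in for the public suffix list; a real check would use a PSL library.
KNOWN_SUFFIXES = ("co.uk", "com", "net", "org")
# Extensions that should never sit behind a "download your invoice" link.
EXECUTABLE_EXT = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")

# Body of the UPS mail from the earlier post, reproduced here as a constructed sample.
UPS_BODY = """Dear client<br />
Your package has arrived.<br />
The tracking# is : 1Z45AR990*****749 and can be used at : <br />
<a href="http://www.ups.com/tracking/tracking.html">http://www.ups.com/tracking/tracking.html</a><br />
The shipping invoice can be downloaded from :<br />
<a href="http://thpguild.net84.net/e107_files/cache/invoice.scr">http://www.ups.com/tracking/invoices/download.aspx?invoice_id=3483273</a> <br />
Thank you,<br />
United Parcel Service<br />"""


def registered_domain(host):
    """'login.comcast.net.billings.bulkemail4sale.com' -> 'bulkemail4sale.com'."""
    labels = host.lower().rstrip(".").split(".")
    for suffix in sorted(KNOWN_SUFFIXES, key=lambda s: -s.count(".")):
        n = suffix.count(".") + 1
        if labels[-n:] == suffix.split("."):
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_findings(html_body):
    """Return [(href, [reasons])] for anchors whose target disagrees with what the user sees."""
    collector = AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.anchors:
        target = urlsplit(href)
        reasons = []
        shown = re.search(r"https?://([^/\s]+)", text)   # a URL the user can read in the link text
        if shown and registered_domain(shown.group(1)) != registered_domain(target.hostname or ""):
            reasons.append("visible URL and href belong to different registered domains")
        if target.path.lower().endswith(EXECUTABLE_EXT):
            reasons.append("href downloads an executable")
        if reasons:
            findings.append((href, reasons))
    return findings


def lookalike_host(host, brand_domain):
    """True when brand_domain is embedded in host but is not the domain actually registered."""
    return brand_domain.lower() in host.lower() and registered_domain(host) != brand_domain.lower()
```

Run against the UPS body, only the second anchor is reported, for both reasons: the text says www.ups.com, the href says net84.net, and the file is a .scr. The Comcast hostname passes `lookalike_host(..., "comcast.net")` because comcast.net is merely a prefix of a name registered under bulkemail4sale.com, which is exactly the distinction a hovering user has to make by eye.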

The benevolent dictator has determined…

…that you are not qualified to decide what content you read on the device you’ve purchased.

If the New York Times story is true, Apple is rejecting an application because the application allows access to purchased documents outside the walled garden of the iTunes App Store.

“Apple told Sony that from now on, all in-app purchases would have to go through Apple, said Steve Haber, president of Sony’s digital reading division.”

I keep thinking that there’d have been an outcry if Microsoft, at the height of their monopoly, had exercised complete control over the documents that you were allowed to purchase and read on your Windows PCs.

$100 million dollars per mile and no redundancy?

“Light-rail service throughout downtown Minneapolis was halted Thursday for about four hours because of a downed wire that powers the trains from overhead…”

Apparently there is no redundancy. I’m not thinking about this because I care about the commuters who were stranded, but rather because of how it relates to network and server redundancy and availability. My group delivers state wide networking, firewalling, ERP and eLearning applications to a couple hundred thousand students and tens of thousands of employees.

- Availability is expensive
- We hear about it when our systems suck
- We have no data that can tell us how much an outage costs. We are an .edu. Our students don’t switch vendors if they can’t access our systems for a few hours.

In that environment, how do you make a cost vs. availability decision?

Anecdote: Years ago (circa 2001) we found a carrier that would offer us OC-3 (150mbps) for what was essentially the same price as the incumbent telco (Qwest) would charge us for two T1’s (3m…

LeanEssays: A Tale of Two Terminals

Mary Poppendieck's LeanEssays: A Tale of Two Terminals compares the smooth opening of Terminal 3 at Beijing Capital Airport with the rough opening of Heathrow Terminal 5. 

A great read for those who've been at the tail end of a long, complex, schedule slipping scope creeping IT project (or for those who have been at the head end of a long, complex IT train wreck).

Via: Tom Limoncelli, Testing is a waste of time.