November 14th, 2011
"In theory" is one of the scariest phrases in the world of computing. Take this story about vulnerabilities in the computer systems used to run some federal prisons in the USA:
While the computers that are used for the system control and data acquisition (SCADA) systems that control prison doors and other systems in theory should not be connected to the Internet, the researchers found that there was an Internet connection associated with every prison system they surveyed. In some cases, prison staff used the same computers to browse the Internet; in others, the companies that had installed the software had put connections in place to do remote maintenance on the systems.
[Via Bruce Schneier]
Comments Off on Open prisons
November 4th, 2011
From the Department of What Could Go Wrong:
Police in Montgomery County, Texas reportedly plan to deploy drones capable of carrying "less lethal" weapons:
[Michael Buscher, CEO of Vanguard Defense Industries said that their drones …] are designed to carry weapons for local law enforcement. "The aircraft has the capability to have a number of different systems on board. Mostly, for law enforcement, we focus on what we call less lethal systems," he said, including Tasers that can send a jolt to a criminal on the ground or a gun that fires bean bags known as a "stun baton."
From the Department of Cargo Cults:
The One Laptop Per Child (OLPC) project has devised a bizarre plan for deploying its new XO-3 tablet. The organization plans to drop the touchscreen computers from helicopters near remote villages in developing countries. The devices will then be abandoned and left for the villagers to find, distribute, support, and use on their own.
OLPC founder Nicholas Negroponte is optimistic that the portable devices – which will be stocked with electronic books – will empower children to learn to read without any external support or instruction.
Comments Off on Watch the skies
October 8th, 2011
File under 'Famous last words': Computer Virus Hits U.S. Drone Fleet:
A computer virus has infected the cockpits of America's Predator and Reaper drones, logging pilots' every keystroke as they remotely fly missions over Afghanistan and other warzones.
The virus, first detected nearly two weeks ago by the military's Host-Based Security System, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech's computers, network security specialists say. […]
"We keep wiping it off, and it keeps coming back," says a source familiar with the network infection, one of three that told Danger Room about the virus. "We think it's benign. But we just don't know." […]
Retaliation for Stuxnet, or someone too high up the chain of command to be told what to do getting a bit careless with their USB drive and bringing in some malware they picked up on their home PC?
Comments Off on Skynet? Is that you?
August 22nd, 2011
August 15th, 2011
Prompted by xkcd's take on creating passwords, Troy Hunt reminds us that the problem isn't coming up with a good password, it's remembering it – and the three dozen or more passwords for other accounts that you created using the same method – afterwards:
The issue is simply this: you can't apply [the xkcd-endorsed approach of stringing together four random common words to make a password] consistently (if at all, in some cases) and uniquely across all your accounts and remember what on earth they are and which sites they belong to. In fact you're really back at the conclusion in the first part of the strip with the character substitution password where Randall concludes "Difficulty to remember: hard".
[Via The Tao of Mac]
- Which is to say, 'supported by everyone who does online commerce, including the banks, credit card companies, PayPal, Amazon and the iTunes Store.'
- I've been using SplashID on my various PalmOS devices for a few years now, and happily it also works nicely on the iPod Touch that I now use as my PDA. It's far safer than relying on my memory.
Comments Off on correct horse battery staple
August 4th, 2011
Possibly the Stupidest Bank in the World?
Essentially, my bank is asking me to install a keylogger. Just so they can warn me not to use the same password on suntrust.com and playboy.com.
[Via The Tao of Mac]
Comments Off on Utter Idiocy.
June 16th, 2011
Cinemas are getting into the habit of projecting 2D films using lenses designed for 3D films, even though this can render the onscreen image unacceptably dim. Part of the reason for this is that projectionists may not have the technical skills required to swap out a 3D lens. Partly, it's that cinemas imagine that not running the bulb at full power will prolong the bulb's operating life. And partly it's because of security measures built into many modern projectors that require passwords and logins and can shut the projector down if you screw up. Wendy M Grossman sees two threat models colliding:
Hollywood is making a trade-off here: believing that 3D and digital are the new technologies that will get people back into theaters BUT believing that anything not locked down will be copied and redistributed without payment, the studios et al have opted to secure the projectors. Understandable. But in doing so, they've made it difficult for the people running the projectors to do their jobs properly. So they don't, and the long-term consequence will be the alienation of customers and loss of revenues.
[Via Bruce Schneier]
Comments Off on Threat Model II: When Threats Collide
June 13th, 2011
The largest data breaches of all time, compared.
I feel quite fortunate that as far as I can tell not a single one of those incidents would have involved my personal details.1 I shouldn't get too complacent: I have a horrible feeling that if you extended the chart to cover the next 20 or 30 incidents then I'd see a familiar name or two.
Between the effects of governmental incompetence, corporate laxity and plain old malware, I wonder how many of us don't have our personal details up for sale, on a list alongside 99,999 other poor saps, on some dodgy bulletin board somewhere.
- Unless one of the organisations involved was holding/processing data on behalf of a company I've had dealings with.
Comments Off on A million here, a million there – before you know it you're talking about serious numbers of users
June 7th, 2011
Troy Hunt undertook a brief Sony password analysis, using email address and password information from some 37,000 registered users of Sony Pictures that is now freely available to download, thanks to the efforts of LulzSec. His most interesting findings relate to password re-use:
- 92% of users with multiple accounts recorded in various Sony databases across their different services and locations used the same password for more than one account.
- Comparing the Sony data with the account details released during the Gawker data loss last year, 67% of users who had registered with Sony and Gawker using the same email address also used the same password for both accounts.1
There are lots of other fascinating scary statistics in Hunt's post. I'd love to write more about this, but I have to go and update some account details on some web sites. Now!
[Via Waxy.org Links]
- Admittedly, there were only 88 instances of the same email address being used at Sony and Gawker, so the small sample size may mean that this isn't representative of the wider picture. In a world where passwords still end up jotted down on Post-It™ notes, it feels believable, though.
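As an added example of the two comparisons the bullets describe (not Troy Hunt's code, and not using his data), here is a small Python script that measures password reuse both within one organisation's separate registration databases and across two unrelated sites. Every record below is constructed: the sub-service names, e-mail addresses and passwords are invented, and the sites are simply called "A" and "B".

```python
"""Password-reuse measurement over two breach-style data sets.

Added example: the records below are constructed for illustration; the
service names, e-mail addresses and passwords are invented.
"""
import hashlib
from collections import defaultdict

# Constructed sample: (sub_service, email, password) for one organisation
# that runs several sites with separate registration databases.
ORG_A_RECORDS = [
    ("pictures", "alice@example.com", "correct horse battery staple"),
    ("music",    "alice@example.com", "correct horse battery staple"),
    ("pictures", "bob@example.com",   "Tr0ub4dor&3"),
    ("games",    "bob@example.com",   "Tr0ub4dor&3"),
    ("pictures", "carol@example.com", "winter2011"),
    ("music",    "Carol@Example.com", "summer2011"),
    ("pictures", "dave@example.com",  "password1"),
]

# Constructed sample: (email, password) from an unrelated second site.
SITE_B_RECORDS = [
    ("alice@example.com", "correct horse battery staple"),
    ("bob@example.com",   "different-pass-2011"),
    ("erin@example.com",  "qwerty"),
    ("Dave@example.com",  "password1"),
]


def fingerprint(password):
    """Hash each password so the comparison works on digests rather than
    carrying plaintext through the analysis; equal digests mean equal passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def normalise_email(email):
    """Registration systems almost always treat addresses case-insensitively,
    so fold case before matching accounts by e-mail."""
    return email.strip().lower()


def intra_org_reuse(records):
    """Share of users holding more than one account within one organisation
    who used the same password on at least two of those accounts.
    Returns (users_with_multiple_accounts, users_reusing, fraction)."""
    account_count = defaultdict(int)
    distinct_pw = defaultdict(set)
    for _sub_service, email, password in records:
        e = normalise_email(email)
        account_count[e] += 1
        distinct_pw[e].add(fingerprint(password))
    multi = [e for e, n in account_count.items() if n > 1]
    # Fewer distinct passwords than accounts means at least one repeat.
    reusing = [e for e in multi if len(distinct_pw[e]) < account_count[e]]
    fraction = len(reusing) / len(multi) if multi else 0.0
    return len(multi), len(reusing), fraction


def cross_site_reuse(records_a, records_b):
    """Among e-mail addresses registered at both sites, the share whose
    password at site A matches a password at site B.
    Each argument is an iterable of (email, password).
    Returns (overlapping_users, users_reusing, fraction)."""
    pw_a = defaultdict(set)
    pw_b = defaultdict(set)
    for email, password in records_a:
        pw_a[normalise_email(email)].add(fingerprint(password))
    for email, password in records_b:
        pw_b[normalise_email(email)].add(fingerprint(password))
    overlap = sorted(set(pw_a) & set(pw_b))
    reusing = [e for e in overlap if pw_a[e] & pw_b[e]]
    fraction = len(reusing) / len(overlap) if overlap else 0.0
    return len(overlap), len(reusing), fraction


def report():
    """Run both comparisons on the constructed samples."""
    intra = intra_org_reuse(ORG_A_RECORDS)
    cross = cross_site_reuse([(e, p) for _, e, p in ORG_A_RECORDS], SITE_B_RECORDS)
    return {"intra_org": intra, "cross_site": cross}


if __name__ == "__main__":
    for name, (total, reusing, frac) in report().items():
        print(f"{name}: {reusing}/{total} users reused a password ({frac:.0%})")
```

On the constructed sample both comparisons come out at 2 of 3 users reusing a password. The hashing step is analysis hygiene rather than storage: it lets the matching run on digests, and a real data set of this kind should be handled and discarded with the same care as the plaintext it was derived from.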