uhoreg.ca

uhoreg.ca http://www.uhoreg.ca/ The insane ramblings of Hubert Chathi en-ca Copyright Hubert Chathi hubert@uhoreg.ca hubert@uhoreg.ca http://www.rssboard.org/rss-specification Hubert Chathi http://www.uhoreg.ca/hubertprop.jpg http://www.uhoreg.ca/ 90 150 January 22, 2010 http://www.uhoreg.ca/microblog/20100122-1237 Fri, 22 Jan 2010 12:37:00 -0500 http://www.uhoreg.ca/microblog/20100122-1237 <div class="blogtopic"><a href="/index/personal" rel="tag">personal</a>, <a href="/index/security" rel="tag">security</a>, <a href="/index/paranoia" rel="tag">paranoia</a></div> <div class="blogtime">12:37 -0500</div> <div class="entry-content"> <span class="microblog_name">Hubert Chathi:</span> OK, now this is really getting ridiculous <a href="http://en.wikinews.org/wiki/Bomb_scare_aboard_plane_caused_by_harmless_prayer_box">http://en.wikinews.org/wiki/Bomb_scare_aboard_plane_caused_by_harmless_prayer_box</a> #<a href="/index/security" rel="tag">security</a> #<a href="/index/paranoia" rel="tag">paranoia</a></div> January 5, 2010 http://www.uhoreg.ca/microblog/20100105-1455 Tue, 05 Jan 2010 14:55:00 -0500 http://www.uhoreg.ca/microblog/20100105-1455 <div class="blogtopic"><a href="/index/personal" rel="tag">personal</a>, <a href="/index/security" rel="tag">security</a></div> <div class="blogtime">14:55 -0500</div> <div class="entry-content"> <span class="microblog_name">Hubert Chathi:</span> stupid paranoia wins again <a href="http://www.cbc.ca/canada/story/2010/01/05/security-canada-us-airport.html">http://www.cbc.ca/canada/story/2010/01/05/security-canada-us-airport.html</a> #<a href="/index/security" rel="tag">security</a></div> January 5, 2010 http://www.uhoreg.ca/microblog/20100105-1435 Tue, 05 Jan 2010 14:35:00 -0500 http://www.uhoreg.ca/microblog/20100105-1435 <div class="blogtopic"><a href="/index/personal" rel="tag">personal</a>, <a href="/index/security" rel="tag">security</a></div> <div class="blogtime">14:35 -0500</div> <div class="entry-content"> <span class="microblog_name">Hubert Chathi:</span> "secure" USB drives not-so-secure: <a href="http://www.h-online.com/security/news/item/NIST-certified-USB-Flash-drives-with-hardware-encryption-cracked-895308.html">http://www.h-online.com/security/news/item/NIST-certified-USB-Flash-drives-with-hardware-encryption-cracked-895308.html</a> #<a href="/index/security" rel="tag">security</a></div> December 17, 2009 http://www.uhoreg.ca/microblog/20091217-1807 Thu, 17 Dec 2009 18:07:00 -0500 http://www.uhoreg.ca/microblog/20091217-1807 <div class="blogtopic"><a href="/index/personal" rel="tag">personal</a>, <a href="/index/vote" rel="tag">vote</a>, <a href="/index/security" rel="tag">security</a></div> <div class="blogtime">18:07 -0500</div> <div class="entry-content"> <span class="microblog_name">Hubert Chathi:</span> Nearly 2/3 of Canadians would #<a href="/index/vote" rel="tag">vote</a> online <a href="http://www.cbc.ca/politics/story/2009/12/17/ekos-poll.html">http://www.cbc.ca/politics/story/2009/12/17/ekos-poll.html</a> In related news, nearly 2/3 of Canadians don't understand #<a href="/index/security" rel="tag">security</a></div> July 17, 2009 http://www.uhoreg.ca/microblog/20090717-1140 Fri, 17 Jul 2009 11:40:00 -0400 http://www.uhoreg.ca/microblog/20090717-1140 <div class="blogtopic"><a href="/index/personal" rel="tag">personal</a>, <a href="/index/security" rel="tag">security</a></div> <div class="blogtime">11:40 -0400</div> <div class="entry-content"> <span class="microblog_name">Hubert Chathi:</span> wants users to have passwords that are 20 characters long, with at least 8 upper-case letters, 9 lowercase letters, 4 digits, and 8 Unicode symbols above the normal ASCII range... #<a href="/index/security" rel="tag">security</a></div> June 18, 2009 http://www.uhoreg.ca/microblog/20090618-1444 Thu, 18 Jun 2009 14:44:00 -0400 http://www.uhoreg.ca/microblog/20090618-1444 <div class="blogtopic"><a href="/index/personal" rel="tag">personal</a>, <a href="/index/privacy" rel="tag">privacy</a>, <a href="/index/security" rel="tag">security</a></div> <div class="blogtime">14:44 -0400</div> <div class="entry-content"> <span class="microblog_name">Hubert Chathi:</span> doesn't like this: <a href="http://www.cbc.ca/technology/story/2009/06/18/tech-internet-police-bill-intercept-electronic-communications.html">http://www.cbc.ca/technology/story/2009/06/18/tech-internet-police-bill-intercept-electronic-communications.html</a> #<a href="/index/privacy" rel="tag">privacy</a> #<a href="/index/security" rel="tag">security</a></div> clipperz http://www.uhoreg.ca/blog/20081203-1740 Wed, 03 Dec 2008 17:40:00 -0500 http://www.uhoreg.ca/blog/20081203-1740 <div class="blogtopic"><a href="/index/bookmark" rel="tag">bookmark</a>, <a href="/index/security" rel="tag">security</a>, <a href="/index/privacy" rel="tag">privacy</a></div> <div class="blogtime">17:40 -0500</div> <div class="entry-content"> <a href="http://www.clipperz.com/" class="nositeicon"><img src="http://icons.uhoreg.ca/thumbnails/53a93c2ddbc39d792058a00c299d04785aa34782.png" alt="[thumbnail]"/></a> <dl class="profile"> <dt>URL:</dt><dd><a href="http://www.clipperz.com/" class="taggedlink" title="clipperz">http://www.clipperz.com/</a></dd> <dt>Tags:</dt><dd>security, privacy</dd> </dl> <div class="description"> <p>I used to pretty much only use my laptop, which was nice, because all my data was stored in one place. However, I now use a desktop computer at work. For the most part, it's OK, because I don't need to access much work stuff from home, and vice versa. However, occasionally it does happen, and so I'm thinking more about online services.</p> <p>Clipperz is an online password (or other textual data) manager. Now for most security-conscious people, “online” and “password manager” do not go together. However, Clipperz uses JavaScript to encrypt all your data before sending it to their servers. That means that none of your data can be accessed by Clipperz (or anyone else) unless they know your password.</p> <p>Even better, Clipperz is free/open-source software, which means that if you really don't trust them, you can audit their source code. Or run your own service.</p> <p>I had thought about implementing something similar, but Clipperz does more-or-less what I want it to, plus some things that I hadn't thought of. The only downside is that I wish it would have better organizational features (in particular, a hierarchical organization).</p> </div> </div> Government wants good hash http://www.uhoreg.ca/blog/20081107-1709 Fri, 07 Nov 2008 17:09:00 -0500 http://www.uhoreg.ca/blog/20081107-1709 <div class="blogtopic"><a href="/index/news" rel="tag">news</a>, <a href="/index/security" rel="tag">security</a></div> <div class="blogtime">17:09 -0500</div> <div class="entry-content"> <p>No, not <em>that</em> kind of hash. The NIST is holding a contest for a <a href="http://csrc.nist.gov/groups/ST/hash/sha-3/index.html">new cryptographic hash function</a>. Vulnerabilities have been found in the most commonly used hash functions, MD5 and SHA-1, and the contest is for the new SHA-3 standard. The deadline for submissions was last Friday, so if you missed it, too bad.</p> <p>Schneier et al. have submitted their algorithm, called <a href="http://www.schneier.com/skein.html">skein</a>, and Rivest et al. have submitted <a href="http://groups.csail.mit.edu/cis/md6/">MD6</a>.</p> <p>The NIST held a similar contest several years back for encryption algorithms, which resulted in Rijndael being officially named as the Advanced Encryption Standard. That contest took 5 years. We'll see how long this one takes. Hashing is generally less well-understood, and harder to do, than encryption.</p> </div> Data mining can't identify terrorists http://www.uhoreg.ca/blog/20081007-2011 Tue, 07 Oct 2008 20:11:00 -0400 http://www.uhoreg.ca/blog/20081007-2011 <div class="blogtopic"><a href="/index/bookmark" rel="tag">bookmark</a>, <a href="/index/news" rel="tag">news</a>, <a href="/index/security" rel="tag">security</a>, <a href="/index/privacy" rel="tag">privacy</a></div> <div class="blogtime">20:11 -0400</div> <div class="entry-content"> <a href="http://news.cnet.com/8301-13578_3-10059987-38.html?part=rss&subj=news&tag=2547-1_3-0-20" class="nositeicon"><img src="http://icons.uhoreg.ca/thumbnails/e3f66795584b34c63b0a104c85e2481093dcd9b3.png" alt="[thumbnail]"/></a> <dl class="profile"> <dt>URL:</dt><dd><a href="http://news.cnet.com/8301-13578_3-10059987-38.html?part=rss&subj=news&tag=2547-1_3-0-20" class="taggedlink" title="Data mining can't identify terrorists">http://news.cnet.com/8301-13578_3-10059987-38.html?part=rss&subj=news&tag=2547-1_3-0-20</a></dd> <dt>Tags:</dt><dd>news, security, privacy</dd> </dl> <div class="description"> <p>(see also: <a href="http://it.slashdot.org/it/08/10/07/1827229.shtml">/.</a>)</p> <p>The National Research Council has released a 352-page report that tells us what most of us knew already: trying to use data mining to find bad guys doesn't work very well. The problem being that there are too many false positives.</p> <p>Whether or not this will actually stop anyone from trying to do it anyways remains to be seen.</p> </div> </div> Elvis sighted in Netherlands http://www.uhoreg.ca/blog/20081002-1252 Thu, 02 Oct 2008 12:52:00 -0400 http://www.uhoreg.ca/blog/20081002-1252 <div class="blogtopic"><a href="/index/news" rel="tag">news</a>, <a href="/index/technical" rel="tag">technical</a>, <a href="/index/security" rel="tag">security</a></div> <div class="blogtime">12:52 -0400</div> <div class="entry-content"> <a href="http://blog.thc.org/index.php?/archives/4-The-Risk-of-ePassports-and-RFID.html" class="nositeicon"><img src="http://icons.uhoreg.ca/thumbnails/48ba6c0d0a5c1197ae0df3149cc5b9e25972ec93.png" alt="[thumbnail]"/></a> <dl class="profile"> <dt>URL:</dt><dd><a href="http://blog.thc.org/index.php?/archives/4-The-Risk-of-ePassports-and-RFID.html" class="taggedlink" title="Elvis sighted in Netherlands">http://blog.thc.org/index.php?/archives/4-The-Risk-of-ePassports-and-RFID.html</a></dd> <dt>Tags:</dt><dd>news, technical, security</dd> </dl> <div class="description"> <p>(see also: <a href="http://www.pcpro.co.uk/news/227754/hackers-clone-elvis-passport.html">PC Pro</a>, <a href="http://it.slashdot.org/it/08/10/02/0242214.shtml">/.</a>)</p> <p>At least, Elvis’ passport was sighted. And despite being dead, Elvis managed to get a new “un-forgeable” RFID passport.</p> <p>Security researchers managed to modify an RFID-based passport so that it seems to belong to “Elvis Aaron Presley,” complete with photo.</p> <p>The problem is not so much with the ability to forge passports, but rather with the claims that they are un-forgeable, and the false sense of security. If security personnel <em>believe</em> that the passports are un-forgeable, then we actually become <em>less</em> secure because of it.</p> </div> </div> One step closer to flying naked http://www.uhoreg.ca/blog/20080608-1426 Sun, 08 Jun 2008 14:26:00 -0400 http://www.uhoreg.ca/blog/20080608-1426 <div class="blogtopic"><a href="/index/bookmark" rel="tag">bookmark</a>, <a href="/index/news" rel="tag">news</a>, <a href="/index/security" rel="tag">security</a>, <a href="/index/privacy" rel="tag">privacy</a></div> <div class="blogtime">14:26 -0400</div> <div class="entry-content"> <a href="http://www.usatoday.com/travel/flights/2008-06-05-bodyscan_N.htm" class="nositeicon"><img src="http://icons.uhoreg.ca/thumbnails/a42ad0e7594c17559d4f1b2e2ff68313ef9598b5.png" alt="[thumbnail]"/></a> <dl class="profile"> <dt>URL:</dt><dd><a href="http://www.usatoday.com/travel/flights/2008-06-05-bodyscan_N.htm" class="taggedlink" title="One step closer to flying naked">http://www.usatoday.com/travel/flights/2008-06-05-bodyscan_N.htm</a></dd> <dt>Tags:</dt><dd>news, security, privacy</dd> </dl> <div class="description"> <p>(see also: <a href="http://yro.slashdot.org/article.pl?sid=08/06/07/0042248">/.</a>)</p> <p>As we all know, the only way to make sure that terrorists don't sneak weapons onto planes is to require that all airline passengers fly naked, without any carry-on luggage. Well, it looks like we're one step closer to that. Several American airports have installed new scanners that can see under peoples’ clothing.</p> <p>And, like most recent airport security measures, the security scanners are not only completely unnecessary and useless, they also seem to be completely ineffective too.</p> <blockquote><p>The scanners do a good job seeing under clothing but cannot see through plastic or rubber materials that resemble skin, said Peter Siegel, a senior scientist at the California Institute of Technology. "You probably could find very common materials that you could wrap around you that would effectively obscure things," Siegel said.</p> </blockquote> <p>Yes, apparently you can find some certain materials, wrap them around your body, and hide weapons there.</p> </div> </div> Spam killing (reprise) http://www.uhoreg.ca/blog/20080513-2354 Tue, 13 May 2008 23:54:00 -0400 http://www.uhoreg.ca/blog/20080513-2354 <div class="blogtopic"><a href="/index/personal" rel="tag">personal</a>, <a href="/index/technical" rel="tag">technical</a>, <a href="/index/spam" rel="tag">spam</a>, <a href="/index/security" rel="tag">security</a></div> <div class="blogtime">23:54 -0400</div> <div class="entry-content"> <p>I blogged about a year an a half ago about <a href="/blog/20061206-1539">spam killing statistics</a> on my server. I thought I'd post an update since then. These are the spam rejections from the past 10 days.</p> <ul> <li>viruses rejected by <a href="http://www.clamav.net/">ClamAV</a>: 14 (all phishing attempts — no actual viruses)</li> <li>spam rejected by <a href="http://spamassassin.apache.org/">SpamAssassin</a>: 194 (this doesn't count spam eliminated by <a href="http://www.greylisting.org/">greylisting</a>, since there's no easy way for me to get those stats)</li> <li>rejected by the DNSBL at <a href="http://zen.spamhaus.org/">zen.spamhaus.org</a>: 4,603</li> <li>rejected by the DNSBLs at <a href="http://rfc-ignorant.org/">rfc-ignorant.org</a> (dsn and bogusmx): 16</li> <li>sent to a nonexisting user: 451</li> <li>relay attempts: 37</li> <li>failed sender verification: 48</li> <li>bogus bounce messages (<a href="http://backscatterer.org/">backscatter</a> from spam): 7</li> <li>mail delivered to my inbox: 873</li> </ul> <p>Obviously, these numbers don't show the whole picture — they're only based on 10 days of activity. For example, the backscatter that I get seems to happen in waves, so it's low now, but some times, it's huge.</p> <p>So in all, in the past 10 days, my mail server rejected 5,370 messages (compared to 3,281 from my last blog) and accepted 873 (compared to 564 from my last blog) messages. I also have another layer of spam filtering when I fetch the mail from my server.</p> <p>So, spam volumes are up by about 1.6 times. General mail volume is also up — I'm subscribed to a few more mailing lists.</p> <p>Changes to my filtering setup since last time include:</p> <ul> <li>using DNSBLs: this drops a lot of spam, as you can see, and reduces the load on my server (since they only require a DNS lookup, and don't need to be content scanned</li> <li>lowering the threshold for SpamAssassin</li> <li><a href="http://slett.net/spam-filtering-for-mx/exim-sign.html">signing my outgoing envelope sender</a>, so that I can reject bogus bounces</li> <li>enabling sender verification</li> <li>enabling <a href="http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/doc/antiforgery/csa.html">client SMTP authorization</a>: it doesn't make a showing in these stats, but it drops a few spam here and there. I wish more people would publish CSA records. It's an easy check for spoofing, and a dead giveaway if it fails. It just isn't very well known.</li> </ul> <p>I've also started reporting some spam via <a href="http://www.spamcop.net/">spamcop</a>.</p> </div> Back in Waterloo. And I brought back some snow. http://www.uhoreg.ca/blog/20070122-1448 Mon, 22 Jan 2007 14:48:00 -0500 http://www.uhoreg.ca/blog/20070122-1448 <div class="blogtopic"><a href="/index/personal" rel="tag">personal</a>, <a href="/index/security" rel="tag">security</a></div> <div class="blogtime">14:48 -0500</div> <div class="entry-content"> <p><a href="http://jessechan.ca/">Jes</a> complained that I haven't blogged recently, so here it goes. I'm back in Waterloo, after a nice break in Edmonton. I got back on the 8th. Southern Ontario has had a lack of snow this winter ... until I got back. It started snowing the night I got back, and since then, we had one or two days without snow on the ground. We even had a snowstorm that shut down the school last Monday.</p> <p>On my flight back, I was randomly selected at security for a patdown, I guess to make sure that I wasn't hiding a plastic gun in my pants that would evade detection by the metal detectors. The guard who searched me was professional an courteous. Random searches are a good thing for security, as long as they are truly random, and not based on things like racial profiling. Because once you start trying to profile, the terrorists will recruit people who don't fit the profile.</p> <p>Thumbs up to cashiers in Alberta (at least the ones that I met at Best Buy and MEC). The signature on my credit card is worn off. The cashiers in Alberta actually checked that it was me by asking for my driver's license. Nobody in Ontario ever checked my license.</p> <p>Thumbs down to the Vancouver airport. They had to <a href="http://www.cbc.ca/canada/british-columbia/story/2007/01/05/airport-breach.html">shut down the international terminal</a> and re-screen everyone because of a security mess-up. I don't know the exact details, but it seems like somebody failed to do their job.</p> </div> security news dump: voting, airports, wiretaps, passports, DRM, and children http://www.uhoreg.ca/blog/20061215-1552 Fri, 15 Dec 2006 15:52:00 -0500 http://www.uhoreg.ca/blog/20061215-1552 <div class="blogtopic"><a href="/index/news" rel="tag">news</a>, <a href="/index/security" rel="tag">security</a>, <a href="/index/voting" rel="tag">voting</a></div> <div class="blogtime">15:52 -0500</div> <div class="entry-content"> <p>As usual, my news pile is backing up (but not bad as my photo pile — I still have my summer photos to put up). So here's a dump of some of the articles.</p> <p>First of all, <a href="http://www.nbc10.com/news/9574663/detail.html">don't take pictures of the police</a>, or you might get arrested. (<a href="http://yro.slashdot.org/article.pl?sid=06/07/30/0557216">/.</a>, <a href="http://backslash.slashdot.org/article.pl?sid=06/07/31/195248">/. followup</a>) (Even if you are fully within your rights to do so.)</p> <p>Also, <a href="http://www.dailymail.co.uk/pages/live/articles/news/news.html?in_article_id=397240&in_page_id=1766&in_page_id=1766&expand=true">don't play in trees</a> if you are a 12-year old child. You'll get arrested, and put your DNA on record. (<a href="http://ask.slashdot.org/article.pl?sid=06/08/01/2352220">/.</a>)</p> <p>If you're in an American airport, don't say that the TSA Director <a href="http://www.flyertalk.com/forums/showthread.php?t=606142">Kip Hawley is an idiot</a>, even if he really is an idiot. (<a href="http://www.kiphawleyisanidiot.com/">KHIAI</a>, <a href="http://yro.slashdot.org/article.pl?sid=06/09/28/0355208">/.</a>) If you do that, you may get detained. Because apparently freedom of speech doesn't apply inside an airport.</p> <p>OK, enough sarcasm. (What? Hubert being sarcastic? Never...)</p> <p>Electronic voting machines are becoming more commonly used in the US. But it seems like every month, there's a new problem that's found with them. The <a href="http://openvotingfoundation.org/">Open Voting Foundation</a> took apart a Diebold machine, and found that it just takes flipping a single switch, and you can <a href="http://openvotingfoundation.org/tiki-read_article.php?articleId=1">make the machine load your own software</a>, instead of the (supposedly) certified software. (<a href="http://politics.slashdot.org/article.pl?sid=06/07/31/1646246">/.</a>) The electronic voting machines also wreaked <a href="http://politics.slashdot.org/article.pl?sid=06/09/12/1912236">havoc in Maryland elections</a>. Ed Felten et al. have shown how to infect a Diebold voting machine with a virus and <a href="http://itpolicy.princeton.edu/voting/">change election results</a>. (<a href="http://www.ddj.com/dept/security/193000399">Dr. Dobbs</a>, <a href="http://yro.slashdot.org/article.pl?sid=06/09/14/212257&threshold=1">/.</a>)</p> <p>As Canada considers implementing their own version of the <a href="http://en.wikipedia.org/wiki/DMCA">DMCA</a> legislation, Professor Michael Geist, ran a series called <a href="http://www.michaelgeist.ca/daysofdrm">30 Days of DRM</a>, which outlined 30 issues that need to be considered in anti-circumvention legislation. (A brief background: DRM, or “Digital Rights Management”, also called “Digital Restrictions Management”, is a term that refers to technologies used to limit access to digital media, such as music and movies. Anti-circumvention legislation makes it illegal to bypass DRM, aimed at preventing unauthorized duplication, but which also prevents legitimate use of the media.)</p> <p>Despite claims of security, the new <a href="http://www.wired.com/news/technology/0,71521-0.html?tw=rss.index">e-passports have been cloned</a>. (<a href="http://it.slashdot.org/article.pl?sid=06/08/03/1314207">/.</a>) While this is not the same as creating a new, fake passport, it is still a significant hole. Some security is gained by embedding a chip inside a passport, but the new passports are generally viewed as unforgeable, giving people a false sense of security.</p> <p>And the Senate Judiciary Committee has voted to <a href="http://www.wired.com/news/technology/0,71778-0.html?tw=wn_index_1">extend the US's warrantless wiretapping</a>. (<a href="http://yro.slashdot.org/article.pl?sid=06/09/14/1240233">/.</a>) Because who needs judicial oversight? (Whoops. There I go with the sarcasm again.)</p> </div> Terror charges dropped against key ‘liquid explosive’ suspect http://www.uhoreg.ca/blog/20061213-1750 Wed, 13 Dec 2006 17:50:00 -0500 http://www.uhoreg.ca/blog/20061213-1750 <div class="blogtopic"><a href="/index/news" rel="tag">news</a>, <a href="/index/security" rel="tag">security</a></div> <div class="blogtime">17:50 -0500</div> <div class="entry-content"> <p>Remember the big scare back in August, that caused airline passengers to not be allowed to bring liquids (with a few exceptions) on board an airplane? Well, a Pakistani judge has ruled that there is not enough evidence against one of the key suspects to link him to any terrorist activities. (<a href="http://news.bbc.co.uk/2/hi/south_asia/6175427.stm">BBC</a>, <a href="http://english.aljazeera.net/NR/exeres/BC702841-FC2E-4594-B8A6-F4278201F630.htm">Al Jazeera</a>, <a href="http://yro.slashdot.org/article.pl?sid=06/12/13/1827212">/.</a>) Can we please have our water bottles back, now?</p> </div> Fart brings down plane http://www.uhoreg.ca/blog/20061213-1712 Wed, 13 Dec 2006 17:12:00 -0500 http://www.uhoreg.ca/blog/20061213-1712 <div class="blogtopic"><a href="/index/news" rel="tag">news</a>, <a href="/index/security" rel="tag">security</a>, <a href="/index/humour" rel="tag">humour</a></div> <div class="blogtime">17:12 -0500</div> <div class="entry-content"> <p>You know things are bad when you <a href="http://www.cbc.ca/world/story/2006/12/06/airline-fart.html">can't even fart without causing security concerns</a>.</p> </div> If I lived in the US, I would be arrested by now http://www.uhoreg.ca/blog/20061101-2231.blog Wed, 01 Nov 2006 22:31:00 -0500 http://www.uhoreg.ca/blog/20061101-2231.blog <div class="blogtopic"><a href="/index/news" rel="tag">news</a>, <a href="/index/security" rel="tag">security</a></div> <div class="blogtime">22:31 -0500</div> <div class="entry-content"> <P> OK, maybe not. But apparently Congressman Markey has <A HREF="http://abcnews.go.com/Technology/story?id=2611432&page=1">called for the arrest of a security researcher</A>, and his house was <A HREF="http://slightparanoia.blogspot.com/2006/10/fbi-visit-2.html">raided by the FBI</A>. (<A HREF="http://it.slashdot.org/article.pl?sid=06/10/27/2124231">/.</A>, <A HREF="http://yro.slashdot.org/article.pl?sid=06/10/28/2358202">/.</A>) The reason for this was that the researcher, Christopher Soghoian, a Ph.D. student at Indiana University put up a website to let people print out a fake NWA boarding pass, and pointing out a vulnerability in the security measures of the TSA. Mind you, Senator Charles Schumer <A HREF="http://www.senate.gov/~schumer/SchumerWebsite/pressroom/press_releases/2005/PR4123.aviationsecurity021305.html">pointed out the vulnerability earlier</A> (on an official government website, no less), and anyone who knows anything about security already knows how to print out their own boarding pass – most airlines will let you print out your boarding pass at home, and it’s a simple task to modify it to say anything you want. </P> <P> Was Soghoian helping terrorists by putting up his website to easily let anyone print out their own boarding pass with no effort? Well, any terrorist who can’t figure out how to print out their own pass isn’t going to be smart enough to go through with the rest of his attack, so I don’t think we really need to worry about those people. </P> <P> I’m frequently making fun of airline security, and pointing out flaws, so let me say that I’m glad I don’t live in the US. </P> </div> Security news http://www.uhoreg.ca/blog/20060827-1714.blog Sun, 27 Aug 2006 17:14:00 -0600 http://www.uhoreg.ca/blog/20060827-1714.blog <div class="blogtopic"><a href="/index/news" rel="tag">news</a>, <a href="/index/society" rel="tag">society</a>, <a href="/index/security" rel="tag">security</a></div> <div class="blogtime">17:14 -0600</div> <div class="entry-content"> <P> It’s summer, so more people are flying. And after the terrorism-related arrests a few weeks ago, more people are paranoid. And so, I suppose, it’s inevitable that we have more people overreacting to normal incidents. </P> <P> Here’s one man’s story of what happened when his <A HREF="http://forums.worldofwarcraft.com/thread.html;jsessionid=32DA4C09BEB07855088A6F20EBB8C4DE?topicId=11211166&sid=1">iPod accidentally fell in the airplane toilet</A>. (<A HREF="http://www.schneier.com/blog/archives/2006/08/dropped_ipod_le.html">Schneier</A>, <A HREF="http://slashdot.org/article.pl?sid=06/08/27/1338238">/.</A>, <A HREF="http://www.canada.com/ottawacitizen/news/story.html?id=6a11bd67-f717-4aa3-80a9-840c07949730&k=28503">Ottawa Citizen</A>) While the details of his story aren’t independently verified, it has at least been confirmed that someone’s iPod did in fact fall in the toilet, causing security to evacuate the plane and question all the passengers. </P> <P> 12 passengers, all Indian men, were removed from a flight after the <A HREF="http://www.cbc.ca/story/world/national/2006/08/24/dutch-incident.html">crew noticed some passengers fiddling with cell phones</A>. The 12 were later cleared and released without charges. </P> <P> And when they’re not overreacting, they’re giving strange advice. The “[TSA] [encourages] everyone to <A HREF="http://www.tsa.gov/travelers/airtravel/prohibited/new-items.shtm">pack gel-filled bras in their checked baggage</A>.” (<A HREF="http://www.schneier.com/blog/archives/2006/08/gelfilled_bras.html">Schneier</A>) So if you’re flying, and don’t have a gel-filled bra, make sure you go out and buy one, and pack it in your checked baggage. Because the TSA says so. </P> <P> Here’s a <A HREF="http://angryflower.com/gapsin.html">Bob the Angry Flower comic</A> on security. Which sounds a lot like the Department of Homeland Security’s list of <A HREF="http://seattletimes.nwsource.com/html/localnews/2003123566_danny13.html">top terrorist targets</A>. (<A HREF="http://www.schneier.com/blog/archives/2006/07/top_terrorist_t.html">Schneier</A>) </P> <P> This is camping season as well, Schneier has a short posting on <A HREF="http://www.schneier.com/blog/archives/2006/08/security_is_a_t.html">security tradeoffs in bear-proof garbage bins</A>. </P> <P> An old post: Schneier announced the <A HREF="http://www.schneier.com/blog/archives/2006/06/movieplot_threa_1.html">movie-plot threat contest winner</A>. </P> <P> Moving on to computer security, <A HREF="http://www.heise.de/newsticker/meldung/73396">123456 is the most common password</A>. (<A HREF="http://www.schneier.com/blog/archives/2006/05/common_password.html">Schneier</A>) That’s the kind of thing an <A HREF="http://www.imdb.com/title/tt0094012/quotes">idiot</A> would have on his luggage. </P> <P> And Stephen Colbert gives his computer security tips (<A HREF="http://www.comedycentral.com/shows/the_colbert_report/videos/season_2/index.jhtml?playVideo=72869&rsspartner=rssfofReduxx">part 1</A>, <A HREF="http://www.comedycentral.com/shows/the_colbert_report/videos/season_2/index.jhtml?playVideo=72870&rsspartner=rssfofReduxx">part 2</A>) (<A HREF="http://www.schneier.com/blog/archives/2006/08/stephen_colbert.html">Schneier</A>) </P> <P> A new <A HREF="http://www.heise-security.co.uk/news/77244">attack against SHA-1</A> has been developed. (<A HREF="http://it.slashdot.org/article.pl?sid=06/08/27/1324241">/.</A>) This is a collision attack (not a preimage attack), and allows part of the text to be chosen. It’s still not practical, but it’s still a further weakness in SHA-1. </P> <P> And finally, here are some <A HREF="http://geekz.co.uk/schneierfacts/">facts about Bruce Schneier</A> (<A HREF="http://www.schneier.com/blog/archives/2006/08/bruce_schneier.html">Schneier</A>) </P> </div> Refuse to be Terrorised http://www.uhoreg.ca/blog/20060824-1624.blog Thu, 24 Aug 2006 16:24:00 -0600 http://www.uhoreg.ca/blog/20060824-1624.blog <div class="blogtopic"><a href="/index/news" rel="tag">news</a>, <a href="/index/security" rel="tag">security</a></div> <div class="blogtime">16:24 -0600</div> <div class="entry-content"> <P> Bruce Schneier has an excellent <A HREF="http://www.wired.com/news/columns/0,71642-0.html">essay on terrorism and security</A> on Wired.com. (See also the reprint in <A HREF="http://www.schneier.com/blog/archives/2006/08/what_the_terror.html">his blog</A>.) Everyone who is concerned about flying, or about terrorism should read it. </P> </div> institutionalized discrimination http://www.uhoreg.ca/blog/20060823-1549.blog Wed, 23 Aug 2006 15:49:00 -0600 http://www.uhoreg.ca/blog/20060823-1549.blog <div class="blogtopic"><a href="/index/news" rel="tag">news</a>, <a href="/index/society" rel="tag">society</a>, <a href="/index/security" rel="tag">security</a></div> <div class="blogtime">15:49 -0600</div> <div class="entry-content"> <P> Last week, a Winnipeg doctor and two colleagues were <A HREF="http://www.cbc.ca/story/canada/national/2006/08/18/doctor-winnipeg.html">kicked off a plane for saying their evening prayers</A>. The prayers were interpreted by another passenger as suspicious behaviour, and the passenger alerted the flight crew, the three people were taken off their flight. A United Airlines spokesperson said that they have an obligation to take allegations of threatening situations seriously, especially after the recent arrests in Britain. </P> <P> “Whenever these types of claims are made we have a duty to investigate,” Borrman said. “Our flight crews are trained to make safety the No. 1 priority.” </P> <P> Yeah, you have a duty to investigate, and the flight crew obviously didn’t do that. Otherwise, they would have realized that the accusation was unfounded. Security doesn’t mean that you start kicking people off whenever someone points a finger and says, “terrorist!” </P> <P> In my opinion, if anyone should have been kicked off the flight, it should have been the passenger who made the false accusation. </P> </div>