When will the feds learn that raising penalties isn't going to deter this type of crime?
Increasing penalties will NOT deter script kiddies. If the Feds arrested some teenager, the juvi courts wouldn't have a CLUE what to do with him. He wasn't shooting up, spraypainting a bridge, shoplifting or commiting murder - where's the crime? Case Dismissed, NEXT!
This law is geared towards ADULTS that know better. Adults that write worms, viruses and launch malicious attacks that target a specific company.
More specifically, this law is created to punish the hacking elite who compromise protected systems and retrieve credit card numbers and the like.
Even as an adult, if I unleash a script kiddie attack on some random target, who the hell is even going to bother investigating it anyway.
Symantec now owns the Bugtraq list. Therefore the list is now moderated, Symantec will delay any posting information that they deem profitable. This has made the information on the Bugtraq list questionable. It is no longer an unbiased source for information security.
With the termination of Geer, @Stake has shouted from the rooftops that they are NOT an unbiased source for information security.
When I write a security paper, I write it from the perspective of an independant auditor, which I am. Someone from the outside looking in. I don't CARE what someones intention was when they created an insecure system. If I found it to be insecure, I let them have it.
I just lambasted a luddite CEO of a major corporation for not making information security HIS #1 priority. I told him that the insecurity of his network was his problem, a management problem, not an IT problem. I railed on him for two hours in a meeting last monday... and he appreciated it. Was my report one-sided? Your damn right! I don't care what his intentions/perceptions are or were. What I told him was the pure, unadulterated and unvarnished truth. As painful as it was - it was true.
He's a good CEO and changes are being made. Now, if this same info were coming from an @Stake consultant: The information would now be suspect as being slanted in M$ favor, because 'they help pay our paychecks' and we can't speak out too strongly against them. @Stake now takes the side of Microsoft.
Was there any lies in what Geer wrote? No... Was it the painful truth, backed up by facts? Yes... Did the truth hurt? You bet. And it needed to be said.
I think that the political ramifications taken out on Geer has just signed the death warrant for @Stake.
And I'm sure if you accidently select the wrong candidate, or mistakenly select multiple candidates; rather than get an error message, Verisign will redirect your vote to a candidate of their choice at candidatefinder.verisign.com.
Re:Privacy advocates are going overboard...
on
NYT on RFID
·
· Score: 1
Jim,
Explain to me just how this is luddite nonsense? What do you mean "Who is really doing this with barcode scanners?"
I work as a computer security consultant. One of my customers is a national retailer that started noticing staggering inventory discrepancies to the tune of $8 million dollars. And that is a conservative estimate.
What was happening is their inventory system showed they should have zero $10 widgets on the shelf, yet a check of the shelf showed 20 shiny new widgets. Conversely, the computer stated they should have twenty $100 super-widgets on the shelf, but they have zero.
Was this human error? No... These losses were happening nationwide. We suspected barcode scamming was the culprit, and then it was confirmed.
In Utah, an individual purchased $14,925 worth of flat screen monitors for $3,675. This was done by printing up his own barcodes. He purchased 7 monitors, then returned for 8 more. the employee that handled the transaction realized what a great 'deal' they had on monitors. When the employee went to buy one, it rang up for $995. They tracked down the individual and got the monitors back. He was never charged. There was no way to prove that HE was the one that put the labels on it. He could have just stumbled upon the steal of a deal on the monitors.
Didja hear that?
Put that in your pipe and smoke it, Billy Boy...
Re:Privacy advocates are going overboard...
on
NYT on RFID
·
· Score: 1
Thanks for the feedback Jerf.
I became aware of the Barcode Scamming because someone got caught doing it. Then I found out that it is happening all over the place. If the cashier notices that a product is mis-priced, they think its a computer error. The don't even question the bar code.
The solution that I am proposing is not that RFID tags are a panacea. I just want to bring to light the fact that barcodes are easy to forge, people are doing it, and 99% of it is passing right underneath the radar.
Barcode scamming is akin to printing your own currency - except the Secret Service doesn't get involved. The United States goes to great lengths to insure the integrity of its bank notes. Similarly, we need to move away from barcodes and onto a medium that is more dificult to forge.
One item to keep in mind is that RFID tags can be as small as a grain of sand. This means they can be integrated into a plastic bottle, or into the paper label.
I am 100% in favor of passing legislation that makes it illegal to use RFID info to track consumers. Just like it is illegal to use census data to find people.
Re:Contrived argument, doesn't stand up to analysi
on
NYT on RFID
·
· Score: 1
But it does hold up.
In Utah, there was an individual that was taking barcodes from 15" flatscreen monitors - printing them out on labels then returning and purchasing 19" screens.
On the first go-around, the criminal bought 7 monitors without raising suspicion. The second time, he bought 8.
The second time, the cashier was a bit computer savvy. The cashier stated "WOW, thats a really good price on flat panel screens." and later that day went to purchase one of those screens for himself. It rang up for $999.
We always hear how criminals are stupid, well, this happened at a Costco warehouse. All they had to do is pull the member info and they got their merchandise back -- and Costco DIDN'T EVEN PRESS CHARGES! Because they couldn't PROVE that HE was the one that put the barcodes there.
With regard to the box of laundry detergent. The cashier would have to take notice of the barcode. I mean actually stop & look. Cashiers are trained to get the customer through the line as fast as possible. They don't have time to examine each & every barcode. - That, and go to your store and pay attention to the barcode. There are numerous products that have the barcode label stuck on OVER the printed label.
Trust me, it's happening and it's big. I wouldn't have written the article if I didn't have hard evidence to prove it.
I am 100% in favor of passing legislation that makes it illegal to use RFID info to track consumers. Just like it is illegal to use census data to find people.
Privacy advocates are going overboard...
on
NYT on RFID
·
· Score: 1
This is a snippet from my/. journal entry:
----- "Barcode Scamming" -- How RFID could save us all
The problem with barcodes is how easy they are to create, or more importantly how easy they are to forge. All one must do is download a standard UPC barcode font from the internet and install it on their home computer.
An individual could walk into a store and write down the UPC code off of - lets say a 15" flat screen monitor that costs $245. This would-be criminal then goes home and prints up a UPC code on a label from his home computer. Our criminal then returns to the store, places the label on a 21" flat screen computer monitor that retails for $995 and proceed to the checkout counter.
When the would-be thief passes through the checkout stand, the cashier scans the product, rings up the sale and the criminal passes right through the front door with his thousand dollar monitor that he just bought with a $750 "instant rebate".
You have just witnessed the latest technological innovation in shoplifting, a crime I have termed "Barcode Scamming". The amount of damage a single criminal could do is staggering.
It doesn't have to be a thousand dollar transaction. A barcode scammer could simply take the code from a small box of XYZ Laundry detergent and place it on the Jumbo box. The cash register still displays "XYZ Laundry detergent" but the price isn't right, and who's going to notice?
Businesses are already losing untold billions of dollars per year because of shoplifters, a cost that is then passed to the honest consumer. Right now, shoplifters get away with whatever they can hide on their person, or sneak out the front door. Now, with the use of technology, these five finger discounters can pass through any register, pay for the 'discounted' merchandise and walk right past the security guard on the way out the door.
We must replace the venerated 12 bit barcode with a technology that can insure the integrity of each retail transaction. Just like a nation must insure the integrity of its national currency, product manufacturers and retailers alike must insure the integrity of each retail transaction.
Consumer privacy advocates are concerned that the technology could be abused by retailers to track products from the store shelf to the individual's home.
I say that the concerns voiced by the privacy advocates are unwarranted. The benefits provided by the use of these new technologies are far outweighed by the economic threat posed by keeping with the obsolete UPC code. Consumers aren't stupid; they'll steer clear of retailers that keep track of too much of their personal information. Grocery stores learned this lesson when they began losing customers once they started tracking customer purchases through the use of store discount cards.
Retailers simply want to increase the efficiency of managing their inventory, while at the same time maintain the integrity of the products for sale in their store. RFID tags provide the necessary solution to this problem. In this case, the cost of not implementing the technology will soon far outweigh the costs associated with its implementation.
Ok, 2.4ghz is used in WiFi, as well as 5ghz. With clock speeds up this high, I know that even the EE's with PHD's are having a helluva time designing chips where the signal will actually stay ON THE TRACE and not leap off the 90nm wire and spread to another segment of the processor. When using processor speeds that are operating at radio frequencies, they are having to not only shield the chip from external radio interference, but also keep the signals they're generating from interfering with other parts of the chip.
I can see it now, the marketing department developed the slick brochures and issued press releases, the sales team has already sold it, and as usual - the engineers are shouting "You sold them WHAT?!! Christ, now we've got to design it!!!"
I often teach computer classes where I talk about how flexible the TCP/IP protocol is. I would say that you could make TCP/IP run over smoke signals if you wanted.
Looks like now I can use Bongo Drums and show them the article. This is great...
He could cross over to the dark side, hack MS and prove his point...
Top 5 reasons to become a hacker: 5 -- Easier than getting a real CS degree 4 -- On top of 15 minutes of fame, you may also get 15 years of jailtime at no extra cost if you act now! 3 -- Opportunity to be featured in Jon Katz's new book about "Hacking in America: The Paradigm Shift Toward Increased Justice After 9/11" 2 -- Something to do while you're busy not trying to find a job 1 -- j00 c4n 7yp3 31gh7y w0rd5 4 m1nu7e 1n h4x0r-5p34k
This goes hand in hand with the COO of Symantec John Schwarz is trying to accomplish. MS is claiming that security is their #1 priority, and Symantec is trying to stop the full disclosure of vulnerabilities. They hope to achieve security by keeping everyone else in the dark.
It was only after being repeatedly beat over the head with the proverbial lead pipe by the hacker community that good ole Bill Gates sent out a memo stating that Security is becoming Microsofts #1 priority. Do you really think he would have done that if we didn't have Full Disclosure in place? We should not rely on 'security by obscurity' by keeping the
exploits secret, or keeping the information reserved for the security elite.
M$ must start writing secure code. They haven't in the past because there's no money in it. I have said it many times; Requiring patches to
achieve security is fundamentally flawed. Coders need to write secure code.
The onus is on them to keep the net secure. Don't blame the hackers/crackers for airing their dirty laundry / wiping their collective
arses with the M$ flag. If M$ loses market share because they consistantly
release insecure code that is repeatedly being compromised then that is
their fault.
If it weren't for FD, we'd have more 0day exploits because companies would
not feel the pressure to release timely updates. It chews up development
cycles to go back and put an emergency fix in place for insecure code, test
it, and release it. Do you think companies would do this voluntarily? I
think not. Too expensive. They'll include it with their next major update
and charge for the upgrade or some crap like that. Meanwhile, the news of
the exploit gets into the wrong hands where some 1337 h4x0r develops code
and releases it to a world of completely unpatched machines...
[WOW! 110 Kilometers! What is that, like 500 feet?]
I cannot believe the number of people who modded this parent up, then back down... All I'm saying is that most Americans have no concept of a kolometer, or a liter. We think in miles & gallons.
I've been using this old serial bus PS/2 mouse for well over 10 years. It's connected to my 486dx2 66. All I need to do is clean out the ball every so often.
Oh wait, nevermind. They want lab mice. My basement is nowhere near lab conditions.. Oh well.
This is the dumbest thing I've heard. It ranks right up there with SCO's claims against IBM and Linux. Where do they come up with these delusions?
He's stating that "Only the information security elite should ever have access to information security issues."
Or if Bill Gates stated: "Only large enterprises should write operating system software. Linux should be outlawed." This means we'd all be forced to eat Microsoft's or Symantec's 'dog food'.
I ask you this: When was the last time Symantec wrote a signature for Snort? How about a nessus plugin? They want to get rid of the open source security model because they can't profit from it!
As an information security professional, I don't even listen to Symantec as their information is generally 2-3 weeks too late. Its like waiting for the Sunday paper to read about the double homicide that's taking place right now on your front lawn. All their info is being published after the fact! If they successfully cut off all access to information that is happening in the security community, then they make everyone reactive rather than proactive.
It doesn't matter how much detail Symantec offers about a virus or bug. I want to be able to take an exploit, compile it and run it against a test server on a test network.
Capture the packets transmitted and analyze them. I want to dissect the 'worm' or 'virus' and develop an IDS signature as well as produce a Nessus plugin to scan other servers. If I use other tools, I want to have enough knowledge to look into their signature files to realize that they're looking for the wrong stuff and thereby giving false positives (or false negatives).
It's called FULL DISCLOSURE
Symantec is trying to tell us that I can do all this with a really descriptive set of documentation? Or maybe I should just turn my entire enterprise security model over to Symantec. Uh huh, sure... I don't think so. Gimme the code for the exploit.
Allow me to digress for a moment, stick with me though -- it's not too OT...
Lets talk for a moment about the MS03-039 exploit; the brother to MS Blaster. It's a really nasty bugger. Once it exploits a machine, it creates a user account of "e" with a password of "abc#321". Oh yeah, and the new user has admin rights.
This means the worm could use the newly created account to create other accounts, escalate privileges on existing accounts or just change everyone's password to a random string of garbage.
The price we could pay by not patching every single server and workstation this time around could exceed the damage done by blaster by a thousandfold. All it has to do is successfully nail just one Active Directory controller. Imagine if every single user on your entire network had their password changed on them, at the same time.
When blaster hit, it crashed the RPC service which forced the machine to reboot 60 seconds after the RPC service came crashing down. Imagine now that in the infection process changes admin and user passwords, revokes privileges, then reboots the machine... Your network is now down, and you can't even get back in. You are screwed.
So, how do I know this info? Well, it just so happens that I've got the source code to the worm sitting on my machine right now! I'm not contributing to the project, but I'm sure as hell monitoring what is going on, and I sure as hell didn't get ANY of this information from Symantec.
The only info I'll get from Symantec is the day after the worm's release when they announce that blaster.b is in the wild and that I should have patched my boxes, and they're very sorry but there is no cleanup file available if it compromised your AD controller and changed all the admin passwords. Symantec also recommends you have current tape backups. That's like telling the car accident victim to buckle up. Just a little late there, Jack.
We are going to continue down the road of Full Disclosure debate until M$ et al. starts writing secure code.
The Defense Advanced Research Projects Agency (DARPA) has announced that they intend to make a national network of computers whereby they can converse secretly regarding issues of national defense. Specifically, the research and development of nuclear weapons.
DARPA officials are calling this top secret project ARPAnet and they believe that it could possibly grow into a world wide network of interconnected computers, whereby they can use a central search engine to cull information about every single person that participates on this 'internet'.
Privacy advocates are in an uproar stating that the government officials could access online journals written by American citizens and that all this information could be indexed by 'search engines' and could be viewed not only by the government but by Joe Sixpack sitting in his La-Z-Boy.
----
I've given up a certain level of anonymity just by getting on the net. If you plug my name into Google, you can find articles I've written, and find out pretty quickly where I work. Plug that info into an online phone book and you've got my home phone number and my home address. Stop by sometime and we'll have some coffee, but please call first.
Banks already keep an audit trail of every single purchase I make on my credit card. They have to, they're banks. So, what is the big deal if they index that information to discover that I've gone and purchased five tons of ammonium nitrate fertilizer, in discrete 500 pound increments, and then I went and purchased 1,000 gallons of diesel fuel in 100 gallon increments... Should I be investigated? You bet!
If my office building gets blown up by some muslim extremist and we later find out that these terrorists left a clear documentation trail showing the gradual purchase of the supplies, I would hope and pray that my wife would use my entire life insurance policy to sue the holy piss out of the government that didn't do every single thing possible to prevent such a preventable attack.
Q Ari, how much does the President know about Mr. Poindexter's total information awareness program, and does he fully support it?
MR. FLEISCHER: Well, I think that the President supports his efforts to prevent terrorists from engaging in any attacks against the United States, while making certain that the constitutional rights and liberties of the American people are protected. That's what the President is going to make certain what is done.
Q Specifically on that program, that's been a bit controversial, much like TIPS became controversial, has he waited at all on --
MR. FLEISCHER: You'd really have to talk to Department of Defense to get a clear understanding of what that program is. I think there's been some misrepresentations of what it is. The President knows the importance of working carefully and respectfully to honor the rights of individual Americans while at the same time remain concerned that terrorists are stopped from attacking us again.
I can tell you now that any time you swipe your card - that information goes first to the credit card processor where a few pennies go to the card issuer. Not the bank but Visa, Mastercard, Amex or Discover.
Then the data are sent to the bank. OF COURSE they track all this info. THEY HAVE TO! THEY'RE BANKS!!! There is a money trail/information trail that is left behind any time you ever do ANYTHING with electronic banking.
If the FBI or local police get a subpoena, they have access to all this information NOW. STOP THE PRESSES!!!
What blows my fuse is that people think that this is NEW, and it is being put in place by the Dept of Homeland Security. Can you say FUD?
If the data is already out there, and its already retrieveable once they get a warrant/subpoena. What is wrong here?
Well, I'm sorry if you think that my tone is imperious, but there are such things as computer security experts. I am not some Joe Sixpack sitting back and doing some armchair quarterbacking. It has taken me numerous years of hard work and research to attain this level. I did not label myself as a security expert, it was a moniker bestowed upon me by others as they came to rely on my experience. Trust me, I didn't explicitly seek the title.
I have written numerous articles on the manifold subtopics of information security. Whenever I speak up, it is in an attempt to clarify a murky subject, and the distinction of Virus vs Worm is one that certainly needs clarification. This will be the subject of my next article.
Put in its most simple terms:
To protect yourself from a virus, do nothing. To become infected by a worm, do nothing.
Allow me to explain.
Viruses require user interaction to spread. A virus can infect a file, being parasitic in nature, or it can be a free standing application. If it is a free standing application it is most commonly referred to as a trojan horse - a malicious application whose true purpose is disguised until the user has been tricked into launching the applicaiton. Trojan horses are often used to install backdoors on machines. All of these are clearly viruses.
The way to defend yourself from viruses is to either use an anti-virus program, or remain alert to the various malicious programs that exist out there and DON'T CLICK ON THEM.
I currently have several hundred viruses, trojan horses and backdoors on my computer. They're all there for research purposes. I know they're there, I don't click on them, and I am not infected by any of them. Similar to the researchers at the CDC in Atlanta. They work with the Ebola virus every day, does that mean they're infected with it? Of course not. They know the danger of the substances with which they work on a daily basis, and so do I.
A worm is a much different animal. The way you protect yourself from a worm is to patch the holes in your operating system. If you do nothing, and you remain connected to other computers on a network, you will become infected. Worms spread through vulnerabilities that exist in operating systems. If you patch your system, you have essentially become innoculated against the worm.
There is a very clear and simple distinction between the two, and it astonishes me that these 'industry experts' continually confuse the two.
I did RTFA! I also Wrote TFA on Swen alerting our customers to the Swen VIRUS. Would you like to see Swen's source code?
Swen runs as a program, a malicious program.
That is what makes it a virus.
Swen does not rely on a vulnerability to spread. It does not require Microsoft Outlook to spread, (although outlook certainly helps), as it spreads just as well if you're using Outlook, Eudora, Netscape, Hotmail, Yahoo, WHATEVER!
All you must be doing is running an MS operating system.
There is no patch for stupidity.
Swen is a virus that relies on user stupidity to spread. The fact that this virus spreads to network shares is typical virus activity. If it copies itself to a startup folder, or modifies a registry string to launch the virus when a computer reboots, it is launching as an APPLICATION, a malicious application - which means virus to the slo folk and reporters that are reading this.
If Swen were to make a direct connection to a persons IP on port whatever, performs a buffer overflow which injects code into a running application thereby opening up a backdoor by which the worm can then infect the machine - THEN it would be a worm.
From the article: "Classified as a worm because of its ability to copy itself without infecting host files..."
What a bunch of morons!
Lets look at what distinguishes a Virus from a Worm:
A virus requires user interaction to spread. A virus can be a self standing executable (such as Swen) or it can infect other files such as.exe and.doc files so that when they are launched or opened the virus will then spread further.
A Worm is self propagating and does not require any user interaction to spread. Worms rely on holes that exist in the underlying operating system to inject their code into applications already running in memory. Once they have infected the target machine, the worm will then self propagate to other similarly unpatched machines.
With this simple definition, where do they get off calling swen a worm, when the swen virus clearly requires some dumb schmoe to click on the executable file that is included as an attachment in an email? Once the genius launches the bogus.exe file, it then searches the newly infected machine to harvest email addresses to send itself to. There is no 'automatic execution' of code here.
VeriSign said Thursday that it would respond to technical complaints over its recent move to redirect Internet users who enter nonexistent or misspelled domain names to its Web site, but it said it would not pull the plug on the service. Criticism has been growing over the company's surprise decision to take control of unassigned.com and.net domain names, which has confused antispam utilities and drawn angry denunciations of the company's business practices from frustrated network administrators.
"There is a lot of fiction about the actual technology and the service," VeriSign spokesman Brian O'Shaughnessy said. "What we are doing is trying to determine fact and fiction and we're doing so by reaching out to the technology community and helping them to understand exactly what is fact and fiction."
VeriSign would not disclose what changes it might make to address technical complaints about its SiteFinder service.
O'Shaughnessy said the service has been embraced by end users. "We've seen nothing but very positive results from the Internet community," he said. "Usage is extraordinary. Both individual users and enterprises are giving very positive feedback."
VeriSign's new policy is intended to generate more advertising revenue from additional visitors to its network of Web sites. But the change has had the side effect of rewiring a portion of the Internet that software designers always had expected to behave a certain way. That can snarl anti-spam mechanisms that check to see if the sender's domain exists, complicate the analysis of network problems and possibly even pollute search engine results. Because VeriSign will become a central destination for mistyped e-mail and Web traffic, its move also raises serious privacy questions.
In response, the Internet's technical community has developed a patch to BIND, the workhorse utility that implements the Domain Name System protocols. It's designed to counteract VeriSign's change by blocking traffic to its SiteFinder site and returning the same "domain not found" error message as before.
When asked why VeriSign did not inform the Internet's technical organisations of the change in advance, O'Shaughnessy replied: "There's not much I can add except to say that our testing and the resources we've applied toward this have been in accordance with prevailing industry standards for new products and services."
Neither the Internet Corporation for Assigned Names and Numbers (ICANN), which in principle oversees VeriSign's actions as a domain name registrar, nor the U.S. Department of Commerce, which has a contract with VeriSign that grants it a government-granted monopoly over.com and.net, has responded to repeated requests for comment since Tuesday.
O'Shaughnessy said there's no need for any outside organisation to get involved. "There's some religiousness that's been brought to bear here besides the technical reality," he said. "We're fully compliant with every RFC," O'Shaughnessy said in reference to the technical standards that govern the Internet.
Slashdot Mirror
Increasing penalties will NOT deter script kiddies. If the Feds arrested some teenager, the juvi courts wouldn't have a CLUE what to do with him. He wasn't shooting up, spraypainting a bridge, shoplifting or commiting murder - where's the crime? Case Dismissed, NEXT!
This law is geared towards ADULTS that know better. Adults that write worms, viruses and launch malicious attacks that target a specific company.
More specifically, this law is created to punish the hacking elite who compromise protected systems and retrieve credit card numbers and the like.
Even as an adult, if I unleash a script kiddie attack on some random target, who the hell is even going to bother investigating it anyway.
With the termination of Geer, @Stake has shouted from the rooftops that they are NOT an unbiased source for information security.
When I write a security paper, I write it from the perspective of an independant auditor, which I am. Someone from the outside looking in. I don't CARE what someones intention was when they created an insecure system. If I found it to be insecure, I let them have it.
I just lambasted a luddite CEO of a major corporation for not making information security HIS #1 priority. I told him that the insecurity of his network was his problem, a management problem, not an IT problem. I railed on him for two hours in a meeting last monday... and he appreciated it. Was my report one-sided? Your damn right! I don't care what his intentions/perceptions are or were. What I told him was the pure, unadulterated and unvarnished truth. As painful as it was - it was true.
He's a good CEO and changes are being made. Now, if this same info were coming from an @Stake consultant: The information would now be suspect as being slanted in M$ favor, because 'they help pay our paychecks' and we can't speak out too strongly against them. @Stake now takes the side of Microsoft.
Was there any lies in what Geer wrote? No... Was it the painful truth, backed up by facts? Yes... Did the truth hurt? You bet. And it needed to be said.
I think that the political ramifications taken out on Geer has just signed the death warrant for @Stake.
And I'm sure if you accidently select the wrong candidate, or mistakenly select multiple candidates; rather than get an error message, Verisign will redirect your vote to a candidate of their choice at candidatefinder.verisign.com.
Explain to me just how this is luddite nonsense? What do you mean "Who is really doing this with barcode scanners?"
I work as a computer security consultant. One of my customers is a national retailer that started noticing staggering inventory discrepancies to the tune of $8 million dollars. And that is a conservative estimate.
What was happening is their inventory system showed they should have zero $10 widgets on the shelf, yet a check of the shelf showed 20 shiny new widgets. Conversely, the computer stated they should have twenty $100 super-widgets on the shelf, but they have zero.
Was this human error? No... These losses were happening nationwide. We suspected barcode scamming was the culprit, and then it was confirmed.
In Utah, an individual purchased $14,925 worth of flat screen monitors for $3,675. This was done by printing up his own barcodes. He purchased 7 monitors, then returned for 8 more. the employee that handled the transaction realized what a great 'deal' they had on monitors. When the employee went to buy one, it rang up for $995. They tracked down the individual and got the monitors back. He was never charged. There was no way to prove that HE was the one that put the labels on it. He could have just stumbled upon the steal of a deal on the monitors.
Didja hear that?
Put that in your pipe and smoke it, Billy Boy...
I became aware of the Barcode Scamming because someone got caught doing it. Then I found out that it is happening all over the place. If the cashier notices that a product is mis-priced, they think its a computer error. The don't even question the bar code.
The solution that I am proposing is not that RFID tags are a panacea. I just want to bring to light the fact that barcodes are easy to forge, people are doing it, and 99% of it is passing right underneath the radar.
Barcode scamming is akin to printing your own currency - except the Secret Service doesn't get involved. The United States goes to great lengths to insure the integrity of its bank notes. Similarly, we need to move away from barcodes and onto a medium that is more dificult to forge.
One item to keep in mind is that RFID tags can be as small as a grain of sand. This means they can be integrated into a plastic bottle, or into the paper label.
I am 100% in favor of passing legislation that makes it illegal to use RFID info to track consumers. Just like it is illegal to use census data to find people.
In Utah, there was an individual that was taking barcodes from 15" flatscreen monitors - printing them out on labels then returning and purchasing 19" screens.
On the first go-around, the criminal bought 7 monitors without raising suspicion. The second time, he bought 8.
The second time, the cashier was a bit computer savvy. The cashier stated "WOW, thats a really good price on flat panel screens." and later that day went to purchase one of those screens for himself. It rang up for $999.
We always hear how criminals are stupid, well, this happened at a Costco warehouse. All they had to do is pull the member info and they got their merchandise back -- and Costco DIDN'T EVEN PRESS CHARGES! Because they couldn't PROVE that HE was the one that put the barcodes there.
With regard to the box of laundry detergent. The cashier would have to take notice of the barcode. I mean actually stop & look. Cashiers are trained to get the customer through the line as fast as possible. They don't have time to examine each & every barcode. - That, and go to your store and pay attention to the barcode. There are numerous products that have the barcode label stuck on OVER the printed label.
Trust me, it's happening and it's big. I wouldn't have written the article if I didn't have hard evidence to prove it.
I am 100% in favor of passing legislation that makes it illegal to use RFID info to track consumers. Just like it is illegal to use census data to find people.
-----
"Barcode Scamming" -- How RFID could save us all
The problem with barcodes is how easy they are to create, or more importantly how easy they are to forge. All one must do is download a standard UPC barcode font from the internet and install it on their home computer.
An individual could walk into a store and write down the UPC code off of - lets say a 15" flat screen monitor that costs $245. This would-be criminal then goes home and prints up a UPC code on a label from his home computer. Our criminal then returns to the store, places the label on a 21" flat screen computer monitor that retails for $995 and proceed to the checkout counter.
When the would-be thief passes through the checkout stand, the cashier scans the product, rings up the sale and the criminal passes right through the front door with his thousand dollar monitor that he just bought with a $750 "instant rebate".
You have just witnessed the latest technological innovation in shoplifting, a crime I have termed "Barcode Scamming". The amount of damage a single criminal could do is staggering.
It doesn't have to be a thousand dollar transaction. A barcode scammer could simply take the code from a small box of XYZ Laundry detergent and place it on the Jumbo box. The cash register still displays "XYZ Laundry detergent" but the price isn't right, and who's going to notice?
Businesses are already losing untold billions of dollars per year because of shoplifters, a cost that is then passed to the honest consumer. Right now, shoplifters get away with whatever they can hide on their person, or sneak out the front door. Now, with the use of technology, these five finger discounters can pass through any register, pay for the 'discounted' merchandise and walk right past the security guard on the way out the door.
We must replace the venerated 12 bit barcode with a technology that can insure the integrity of each retail transaction. Just like a nation must insure the integrity of its national currency, product manufacturers and retailers alike must insure the integrity of each retail transaction.
Consumer privacy advocates are concerned that the technology could be abused by retailers to track products from the store shelf to the individual's home.
I say that the concerns voiced by the privacy advocates are unwarranted. The benefits provided by the use of these new technologies are far outweighed by the economic threat posed by keeping with the obsolete UPC code. Consumers aren't stupid; they'll steer clear of retailers that keep track of too much of their personal information. Grocery stores learned this lesson when they began losing customers once they started tracking customer purchases through the use of store discount cards.
Retailers simply want to increase the efficiency of managing their inventory, while at the same time maintain the integrity of the products for sale in their store. RFID tags provide the necessary solution to this problem. In this case, the cost of not implementing the technology will soon far outweigh the costs associated with its implementation.
I can see it now, the marketing department developed the slick brochures and issued press releases, the sales team has already sold it, and as usual - the engineers are shouting "You sold them WHAT?!! Christ, now we've got to design it!!!"
This happens all the time in my company.
Looks like now I can use Bongo Drums and show them the article. This is great...
He could cross over to the dark side, hack MS and prove his point...
Top 5 reasons to become a hacker:
5 -- Easier than getting a real CS degree
4 -- On top of 15 minutes of fame, you may also get 15 years of jailtime at no extra cost if you act now!
3 -- Opportunity to be featured in Jon Katz's new book about "Hacking in America: The Paradigm Shift Toward Increased Justice After 9/11"
2 -- Something to do while you're busy not trying to find a job
1 -- j00 c4n 7yp3 31gh7y w0rd5 4 m1nu7e 1n h4x0r-5p34k
It was only after being repeatedly beat over the head with the proverbial lead pipe by the hacker community that good ole Bill Gates sent out a memo stating that Security is becoming Microsofts #1 priority. Do you really think he would have done that if we didn't have Full Disclosure in place? We should not rely on 'security by obscurity' by keeping the exploits secret, or keeping the information reserved for the security elite.
M$ must start writing secure code. They haven't in the past because there's no money in it. I have said it many times; Requiring patches to achieve security is fundamentally flawed. Coders need to write secure code. The onus is on them to keep the net secure. Don't blame the hackers/crackers for airing their dirty laundry / wiping their collective arses with the M$ flag. If M$ loses market share because they consistantly release insecure code that is repeatedly being compromised then that is their fault.
If it weren't for FD, we'd have more 0day exploits because companies would not feel the pressure to release timely updates. It chews up development cycles to go back and put an emergency fix in place for insecure code, test it, and release it. Do you think companies would do this voluntarily? I think not. Too expensive. They'll include it with their next major update and charge for the upgrade or some crap like that. Meanwhile, the news of the exploit gets into the wrong hands where some 1337 h4x0r develops code and releases it to a world of completely unpatched machines...
I cannot believe the number of people who modded this parent up, then back down... All I'm saying is that most Americans have no concept of a kolometer, or a liter. We think in miles & gallons.
It's an obvious joke people! Laugh!
Oh wait, nevermind. They want lab mice. My basement is nowhere near lab conditions.. Oh well.
Anyone got a Polish->English translator?
I checked Google, Babblefish & Dictionary.com with no luck.
WOW! 110 Kilometers! What is that, like 500 feet?
He's stating that "Only the information security elite should ever have access to information security issues." Or if Bill Gates stated: "Only large enterprises should write operating system software. Linux should be outlawed." This means we'd all be forced to eat Microsoft's or Symantec's 'dog food'.
I ask you this: When was the last time Symantec wrote a signature for Snort? How about a nessus plugin? They want to get rid of the open source security model because they can't profit from it!
As an information security professional, I don't even listen to Symantec as their information is generally 2-3 weeks too late. Its like waiting for the Sunday paper to read about the double homicide that's taking place right now on your front lawn. All their info is being published after the fact! If they successfully cut off all access to information that is happening in the security community, then they make everyone reactive rather than proactive.
It doesn't matter how much detail Symantec offers about a virus or bug. I want to be able to take an exploit, compile it and run it against a test server on a test network. Capture the packets transmitted and analyze them. I want to dissect the 'worm' or 'virus' and develop an IDS signature as well as produce a Nessus plugin to scan other servers. If I use other tools, I want to have enough knowledge to look into their signature files to realize that they're looking for the wrong stuff and thereby giving false positives (or false negatives).
It's called FULL DISCLOSURE
Symantec is trying to tell us that I can do all this with a really descriptive set of documentation? Or maybe I should just turn my entire enterprise security model over to Symantec. Uh huh, sure... I don't think so. Gimme the code for the exploit.
Allow me to digress for a moment, stick with me though -- it's not too OT...
Lets talk for a moment about the MS03-039 exploit; the brother to MS Blaster. It's a really nasty bugger. Once it exploits a machine, it creates a user account of "e" with a password of "abc#321". Oh yeah, and the new user has admin rights.
This means the worm could use the newly created account to create other accounts, escalate privileges on existing accounts or just change everyone's password to a random string of garbage.
The price we could pay by not patching every single server and workstation this time around could exceed the damage done by blaster by a thousandfold. All it has to do is successfully nail just one Active Directory controller. Imagine if every single user on your entire network had their password changed on them, at the same time.
When blaster hit, it crashed the RPC service which forced the machine to reboot 60 seconds after the RPC service came crashing down. Imagine now that in the infection process changes admin and user passwords, revokes privileges, then reboots the machine... Your network is now down, and you can't even get back in. You are screwed.
So, how do I know this info? Well, it just so happens that I've got the source code to the worm sitting on my machine right now! I'm not contributing to the project, but I'm sure as hell monitoring what is going on, and I sure as hell didn't get ANY of this information from Symantec.
The only info I'll get from Symantec is the day after the worm's release when they announce that blaster.b is in the wild and that I should have patched my boxes, and they're very sorry but there is no cleanup file available if it compromised your AD controller and changed all the admin passwords. Symantec also recommends you have current tape backups. That's like telling the car accident victim to buckle up. Just a little late there, Jack.
We are going to continue down the road of Full Disclosure debate until M$ et al. starts writing secure code.
DARPA officials are calling this top secret project ARPAnet and they believe that it could possibly grow into a world wide network of interconnected computers, whereby they can use a central search engine to cull information about every single person that participates on this 'internet'.
Privacy advocates are in an uproar stating that the government officials could access online journals written by American citizens and that all this information could be indexed by 'search engines' and could be viewed not only by the government but by Joe Sixpack sitting in his La-Z-Boy.
----
I've given up a certain level of anonymity just by getting on the net. If you plug my name into Google, you can find articles I've written, and find out pretty quickly where I work. Plug that info into an online phone book and you've got my home phone number and my home address. Stop by sometime and we'll have some coffee, but please call first.
Banks already keep an audit trail of every single purchase I make on my credit card. They have to, they're banks. So, what is the big deal if they index that information to discover that I've gone and purchased five tons of ammonium nitrate fertilizer, in discrete 500 pound increments, and then I went and purchased 1,000 gallons of diesel fuel in 100 gallon increments... Should I be investigated? You bet!
If my office building gets blown up by some muslim extremist and we later find out that these terrorists left a clear documentation trail showing the gradual purchase of the supplies, I would hope and pray that my wife would use my entire life insurance policy to sue the holy piss out of the government that didn't do every single thing possible to prevent such a preventable attack.
MR. FLEISCHER: Well, I think that the President supports his efforts to prevent terrorists from engaging in any attacks against the United States, while making certain that the constitutional rights and liberties of the American people are protected. That's what the President is going to make certain what is done.
Q Specifically on that program, that's been a bit controversial, much like TIPS became controversial, has he waited at all on --
MR. FLEISCHER: You'd really have to talk to Department of Defense to get a clear understanding of what that program is. I think there's been some misrepresentations of what it is. The President knows the importance of working carefully and respectfully to honor the rights of individual Americans while at the same time remain concerned that terrorists are stopped from attacking us again.
From the 11/22/2002 White House press confrence.
Then the data are sent to the bank. OF COURSE they track all this info. THEY HAVE TO! THEY'RE BANKS!!! There is a money trail/information trail that is left behind any time you ever do ANYTHING with electronic banking.
If the FBI or local police get a subpoena, they have access to all this information NOW. STOP THE PRESSES!!!
What blows my fuse is that people think that this is NEW, and it is being put in place by the Dept of Homeland Security. Can you say FUD?
If the data is already out there, and its already retrieveable once they get a warrant/subpoena. What is wrong here?
Kindly explain to me how I am off track here?
I have written numerous articles on the manifold subtopics of information security. Whenever I speak up, it is in an attempt to clarify a murky subject, and the distinction of Virus vs Worm is one that certainly needs clarification. This will be the subject of my next article.
Put in its most simple terms:
To protect yourself from a virus, do nothing. To become infected by a worm, do nothing.
Allow me to explain.
Viruses require user interaction to spread. A virus can infect a file, being parasitic in nature, or it can be a free standing application. If it is a free standing application it is most commonly referred to as a trojan horse - a malicious application whose true purpose is disguised until the user has been tricked into launching the applicaiton. Trojan horses are often used to install backdoors on machines. All of these are clearly viruses.
The way to defend yourself from viruses is to either use an anti-virus program, or remain alert to the various malicious programs that exist out there and DON'T CLICK ON THEM.
I currently have several hundred viruses, trojan horses and backdoors on my computer. They're all there for research purposes. I know they're there, I don't click on them, and I am not infected by any of them. Similar to the researchers at the CDC in Atlanta. They work with the Ebola virus every day, does that mean they're infected with it? Of course not. They know the danger of the substances with which they work on a daily basis, and so do I.
A worm is a much different animal. The way you protect yourself from a worm is to patch the holes in your operating system. If you do nothing, and you remain connected to other computers on a network, you will become infected. Worms spread through vulnerabilities that exist in operating systems. If you patch your system, you have essentially become innoculated against the worm.
There is a very clear and simple distinction between the two, and it astonishes me that these 'industry experts' continually confuse the two.
Swen runs as a program, a malicious program. That is what makes it a virus.
Swen does not rely on a vulnerability to spread. It does not require Microsoft Outlook to spread, (although outlook certainly helps), as it spreads just as well if you're using Outlook, Eudora, Netscape, Hotmail, Yahoo, WHATEVER!
All you must be doing is running an MS operating system.
There is no patch for stupidity.
Swen is a virus that relies on user stupidity to spread. The fact that this virus spreads to network shares is typical virus activity. If it copies itself to a startup folder, or modifies a registry string to launch the virus when a computer reboots, it is launching as an APPLICATION, a malicious application - which means virus to the slo folk and reporters that are reading this.
If Swen were to make a direct connection to a persons IP on port whatever, performs a buffer overflow which injects code into a running application thereby opening up a backdoor by which the worm can then infect the machine - THEN it would be a worm.
"Classified as a worm because of its ability to copy itself without infecting host files..."
What a bunch of morons!
Lets look at what distinguishes a Virus from a Worm: .exe and .doc files so that when they are launched or opened the virus will then spread further.
A virus requires user interaction to spread. A virus can be a self standing executable (such as Swen) or it can infect other files such as
A Worm is self propagating and does not require any user interaction to spread. Worms rely on holes that exist in the underlying operating system to inject their code into applications already running in memory. Once they have infected the target machine, the worm will then self propagate to other similarly unpatched machines.
With this simple definition, where do they get off calling swen a worm, when the swen virus clearly requires some dumb schmoe to click on the executable file that is included as an attachment in an email? Once the genius launches the bogus.exe file, it then searches the newly infected machine to harvest email addresses to send itself to. There is no 'automatic execution' of code here.
Original Article
VeriSign said Thursday that it would respond to technical complaints over its recent move to redirect Internet users who enter nonexistent or misspelled domain names to its Web site, but it said it would not pull the plug on the service. Criticism has been growing over the company's surprise decision to take control of unassigned .com and .net domain names, which has confused antispam utilities and drawn angry denunciations of the company's business practices from frustrated network administrators.
"There is a lot of fiction about the actual technology and the service," VeriSign spokesman Brian O'Shaughnessy said. "What we are doing is trying to determine fact and fiction and we're doing so by reaching out to the technology community and helping them to understand exactly what is fact and fiction."
VeriSign would not disclose what changes it might make to address technical complaints about its SiteFinder service.
O'Shaughnessy said the service has been embraced by end users. "We've seen nothing but very positive results from the Internet community," he said. "Usage is extraordinary. Both individual users and enterprises are giving very positive feedback."
VeriSign's new policy is intended to generate more advertising revenue from additional visitors to its network of Web sites. But the change has had the side effect of rewiring a portion of the Internet that software designers always had expected to behave a certain way. That can snarl anti-spam mechanisms that check to see if the sender's domain exists, complicate the analysis of network problems and possibly even pollute search engine results. Because VeriSign will become a central destination for mistyped e-mail and Web traffic, its move also raises serious privacy questions.
In response, the Internet's technical community has developed a patch to BIND, the workhorse utility that implements the Domain Name System protocols. It's designed to counteract VeriSign's change by blocking traffic to its SiteFinder site and returning the same "domain not found" error message as before.
When asked why VeriSign did not inform the Internet's technical organisations of the change in advance, O'Shaughnessy replied: "There's not much I can add except to say that our testing and the resources we've applied toward this have been in accordance with prevailing industry standards for new products and services."
Neither the Internet Corporation for Assigned Names and Numbers (ICANN), which in principle oversees VeriSign's actions as a domain name registrar, nor the U.S. Department of Commerce, which has a contract with VeriSign that grants it a government-granted monopoly over .com and .net, has responded to repeated requests for comment since Tuesday.
O'Shaughnessy said there's no need for any outside organisation to get involved. "There's some religiousness that's been brought to bear here besides the technical reality," he said. "We're fully compliant with every RFC," O'Shaughnessy said in reference to the technical standards that govern the Internet.