I used to use a L0phtCrack (LC4 by @Stake) proof password on my w2k box. It contained a non-printable ASCII character (alt + keypad combination), that LC4 doesn't scan for, and you can't enter it in the custom search range field.
I stopped using it because I suspect it caused problems with authentication over a network (w2k + xp prof). I don't know if LC5 (just noticed a new version is out) is able to find it.
Actually, it isn't really all that stupid. It's a perfectly valid combination from a 5 digit set.
If you were to exclude this, and many other "stupid" combinations, there would be very few left, which, therefore, would be stupid combinations, because you would only be using a small subset of the whole set of possible combinations.
There is, for example, not a single 4 digit code (like a PIN number) that isn't somehow easy to remember when entering it into a keypad. There is always some clear pattern to remember.
The technique measures the skew in the clock, NOT the variance in the clock.
Indeed, one would only need to average the difference between the target and the host time to calculate the time skew, which would (nearly) completely eliminate any random factor, as the sum of a large number of randomly generated numbers will be (approximately) half the range of the number, by nature.
On the other hand, what's the use? There is no point in changing the skew during a connection, as the host will still have the same IP address, it isn't exactly hard to track. It would be useful, however, to alter the skew (by a little or a whole lot) between different connections, making it impossible to link the connections to a single machine.
A firewall or NAT device could, of course, calculate the difference between the time in a packet and its internal clock, overwrite the time in the outgoing packet to masquerade the machine on the protected network, and overwrite the timestamp again in the respective incoming packet. That should keep anyone from detecting and identifying devices behind a firewall.
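To make the skew discussion concrete, here is an added Python example (not code from the commenter or from the fingerprinting paper under discussion). It builds a constructed set of (observer clock, reported clock) observations for a host whose clock drifts at a fixed skew in parts per million with some delay jitter, fits the skew as the least-squares slope of the offset against time, and then applies the NAT rewrite sketched above: the gateway replaces the inner host's timestamp with one derived from its own clock, so two hosts with different skews become indistinguishable to an outside observer. The sample parameters (3600 one-second observations, 20 ms jitter, the 50 ppm and -20 ppm skews) are assumptions chosen for the demonstration.

```python
import random


def make_observations(skew_ppm, n=3600, interval=1.0, offset=1000.0, jitter=0.02, seed=1):
    """Constructed sample data: (observer_clock, reported_clock) pairs in seconds.
    The reported clock drifts from the observer's at skew_ppm parts per million,
    sits at a constant offset, and carries uniform delay noise standing in for jitter."""
    rng = random.Random(seed)
    obs = []
    for i in range(n):
        t = i * interval
        reported = t * (1.0 + skew_ppm * 1e-6) + offset + rng.uniform(0.0, jitter)
        obs.append((t, reported))
    return obs


def estimate_skew_ppm(obs):
    """Least-squares slope of (reported - observed) against observer time, in ppm.
    The slope is the clock skew; the intercept absorbs the constant offset, and
    the symmetric jitter averages out as the number of observations grows."""
    n = len(obs)
    xs = [t for t, _ in obs]
    ys = [r - t for t, r in obs]
    mx = sum(xs) / n
    my = sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6


def nat_rewrite(obs, nat_skew_ppm=0.0, nat_offset=5000.0):
    """Hypothetical mitigation from the comment: the NAT/firewall overwrites each
    outgoing timestamp with a value derived from its own clock, so every host
    behind it presents the NAT's skew instead of its own."""
    return [(t, t * (1.0 + nat_skew_ppm * 1e-6) + nat_offset) for t, _ in obs]


def same_device(obs_a, obs_b, tol_ppm=1.0):
    """Fingerprint comparison: two observation sets are attributed to the same
    device when their estimated skews agree within tol_ppm."""
    return abs(estimate_skew_ppm(obs_a) - estimate_skew_ppm(obs_b)) < tol_ppm


if __name__ == "__main__":
    host_a = make_observations(50.0, seed=1)
    host_b = make_observations(-20.0, seed=2)
    print("host A skew: %.2f ppm" % estimate_skew_ppm(host_a))
    print("host B skew: %.2f ppm" % estimate_skew_ppm(host_b))
    print("distinguishable directly:", not same_device(host_a, host_b))
    print("distinguishable behind NAT:",
          not same_device(nat_rewrite(host_a), nat_rewrite(host_b)))
```

With an hour of one-second observations the fit recovers the 50 ppm and -20 ppm skews to well within 1 ppm despite the jitter, and after the NAT rewrite both hosts report the NAT's skew, so the comparison can no longer separate them.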
There is good reason I don't say "I'll meet you there in 2700 seconds". When you specify a time interval in seconds, you imply a certain degree of accuracy. 2700 has 4 significant digits, whereas 45 minutes only has 2. When you say 45 minutes, you implicitly have a larger margin for error than when you say 2700 seconds.
major disasters like these tend to knock out communications for several days
That doesn't really have to be a problem. For this purpose, a fairly low-bandwidth connection, like a satellite uplink, could provide a reliable connection. I think it would help the various organisations and agencies in the disaster area, by providing a way to enter and query information about missing persons and casualties across a larger area. Also, it would be fairly easy to make this information available to others over the internet, because now, several days later, many people outside the disaster areas still don't know if their relatives / friends / loved ones are still alive.
I do think, however, that there would have to be some sort of system to indicate the reliability of the information in the system. Exactly where did this information come from, who reported it (was it a coroner, or someone who thinks they saw someone they know?), how many people reported it, exactly when and where it was reported, what method of identification was used?
Also, I'm not sure about the usefulness of a missing persons tracking system; I think a reported persons system (any status: okay, injured or dead) would be more useful, because if someone is not on the missing persons list, it does not necessarily mean that they're accounted for. On the other hand, in this case, the remains of many missing persons will probably never be recovered, and therefore, a missing persons register may be useful. I guess it would be best to make "missing" a possible status for an individual. If someone is reported missing, and they turn up, they know the person who has reported them missing is okay. At the same time, it would enable people outside the disaster area to report people as missing. At this time, it is still unclear how many tourists were in the disaster areas other than those traveling with a tour operator. Anyone who just bought plane tickets is much more difficult to track. Also, officials could import local citizens records and hotel reservations into the system as missing persons, whose status could be changed when they report in.
You jest, but there are architectures that have their bits numbered the *other* way around (where bit 0 is the most significant bit, while bit n (n=15, 31, etc) is the least significant bit). (If you really must know, it appears PowerPC is numbered this way).
That's simply not true. What you are referring to is called "endianness", which is the way the bytes are arranged in 16 or more bit words. There are two possible ways to store the bytes of a 16 bit word: least significant byte first (called little endian), and most significant byte first (called big endian).
The bits in a byte are always numbered from 0 to 7, with 0 being the least significant and 7 being the most significant bit.
Also, bits on physical lines (like address or data buses) are always numbered sequentially, and it is therefore impossible to wire things up backwards because of endianness (it is, however, still possible with pure stupidity).
Endianness can be a problem, however, in computer networks; for example when transmitting a 32 bit word from an Intel machine to a PowerPC. The two machines differ in endianness (the Intel being little endian and the PowerPC being big endian), which means the byte order is different, which can lead to incorrect values for the word after transmission, if the programmers don't take care to convert every word to network endianness before transmitting and from network to machine endianness after receiving.
For more information: http://www.cs.umass.edu/~verts/cs32/endian.html
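The Intel-to-PowerPC case described above, as an added Python example that is not part of the original comment. It uses the standard `struct` module to show the in-memory byte layout of a 32-bit word on a little-endian and a big-endian machine, the wrong value a big-endian receiver computes when a little-endian sender skips the conversion, and the host-to-network / network-to-host pair (the `!` format, which is always big-endian, plays the role of htonl/ntohl). The sample word 0x12345678 is a constructed value.

```python
import struct

# Constructed sample value; its bytes are all distinct so byte order is visible.
SAMPLE_WORD = 0x12345678


def native_bytes(word, little_endian):
    """Byte layout of a 32-bit word in memory on a little-endian (Intel)
    or big-endian (PowerPC) machine."""
    return struct.pack('<I' if little_endian else '>I', word)


def misread(word):
    """What a big-endian receiver ends up with when a little-endian sender
    copies its in-memory bytes onto the wire without converting them."""
    return struct.unpack('>I', struct.pack('<I', word))[0]


def to_network(word):
    """Sender side: host order -> network (big-endian) order, like htonl()."""
    return struct.pack('!I', word)


def from_network(data):
    """Receiver side: network order -> host order, like ntohl(); works the same
    on either kind of machine because '!' pins the byte order."""
    return struct.unpack('!I', data)[0]


def bit(value, n):
    """Bit n of a byte or word, with bit 0 the least significant bit,
    the numbering the comment describes."""
    return (value >> n) & 1


def bits_lsb_first(byte):
    """All eight bits of a byte, index 0 = least significant."""
    return [bit(byte, i) for i in range(8)]


if __name__ == "__main__":
    print("little-endian memory:", native_bytes(SAMPLE_WORD, True).hex())
    print("big-endian memory:   ", native_bytes(SAMPLE_WORD, False).hex())
    print("unconverted transfer reads as: 0x%08x" % misread(SAMPLE_WORD))
    print("converted round trip:          0x%08x" % from_network(to_network(SAMPLE_WORD)))
    print("bits of 0x81, LSB first:", bits_lsb_first(0x81))
```

Running it shows the same four bytes stored as 78 56 34 12 on the little-endian side and 12 34 56 78 on the big-endian side; shipping the little-endian bytes unconverted yields 0x78563412 at the receiver, while the explicit conversion on both ends returns the original word.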
How about we just turn everything running non-microsoft operating systems off for a day, and see how many e-mail still get delivered, and pages served? I doubt any packet would travel more than a kilometer.
-The energy sent BACK is very weak. So you really don't need much to block it. White noise around 125 Khz should be enough. Or, as I mentioned before, chewing gum wrapper. Take your pick.
Well, of course, that's the idea. Just build a simple 125 kHz oscillator (say, run a schmitt trigger at a 125 kHz square wave and use a simple second order band-pass filter to filter out some unwanted harmonics), and connect it to a simple, tuned antenna. That would be pretty effective at blocking all RFID tag readers using that frequency at a considerable distance.
-Random codes won't do it. Sorry, but there IS a check (pretty pitiful, but there is one) and if the checksum doesn't match, nothing goes through
That's right, a checksum is often used to prevent a bad read when a tag is only just in range. However, the way those checksums are calculated is usually documented, and there are only a few different checksum algorithms in use. That would make it fairly easy to transmit random data with correct checksums.
-Pliers work real good at breaking them. Yes, but of course, only if you can find the tag, which will become more difficult as they get smaller. You may not even be sure a tag is there. Other than that, they can be unreachable.
Easier than EMP (which might be noticed). Of course it might be noticed. The question is: how can they tell it's me, and secondly, what do they plan to do about it?!?
Re:As someone who developed it into a product... on A Technical RFID Primer (Score: 3, Interesting)
I'm kinda surprised nobody (that i'm aware of, anyway) has started a little project to counter RFID. I don't think it would be very difficult.
For those that didn't bother to read the article, I'll quickly try to explain how it works. (Yes, IAAEE, I Am An Electrical Engineer.)
Basically an RFID scanner works by transmitting a certain frequency (125 kHz is very common). The tag has an L/C (coil-capacitor) circuit tuned to this frequency. It uses energy from the circuit to power a tiny circuit (that's how it can work without a battery), which will then send its stored code. It sends the information back to the scanner by effectively shorting out its receiver circuit. Doing so drains more energy from the transmitter circuit on the scanner, which can be measured and so the code that the tag sent can be decoded.
Now a couple of ideas on how to block it:
- block the scanner by transmitting the same frequency at a highly varying output level. This makes it effectively impossible to measure the tag shorting out its receiver circuit, because of the heavy fluctuation in the field strength.
- use a microcontroller to send random codes. If enough people do this, the database will get stuffed with false information and will eventually be useless.
- fry the tags in your stuff, EMP-style. I think it would be possible to break the little circuit by placing the tag inside the transmitter coil of a powerful (but very simple) oscillator running at 125 kHz.
My pet peeve was the weirdly brain dead default string implementation
Although the string implementation could really get in your way, I really hated the fact that Pascal didn't have sprintf / sscanf type functions. If you needed to read integers from an ASCII file, you had to write loops to copy characters until you found a non-digit.
Also, Pascal did have functions that would take a variable-length argument list (like write and writeln), but you couldn't make those yourself.
But the thing that really bugged me was that you couldn't allocate a 64k block of memory. The biggest block you could allocate was 64k - 8 bytes. When I was doing graphics and game programming in Pascal, I often needed large blocks of memory, which was eventually the reason I switched to C.
If it does indeed work this way, it would have to impersonate every single network within range, otherwise you could easily get around it by manually selecting another network.
This, unfortunately, would also block incoming emergency calls (like the babysitter).
I think the best way would be to redirect incoming calls to a machine with a recording like "the owner of this cellphone is currently unreachable, press 0 for an operator in case of an emergency", in which case, the owner could still be reached in case of a real emergency.
The ignition can be either "on" or "off", and if you turn it off, the engine will stop running
Unless, of course, your car happens to run on diesel fuel, in which case, it'll just keep running happily, because it doesn't actually have an ignition. Most trucks have a separate "engine brake", which is just a valve in the exhaust, to stop the engine.
However, I've never come across a luxury car that had an engine brake.
I don't know about France, but here in the Netherlands, quite a large percentage of the luxury cars run on diesel fuel.
Hung around a lot in the little kids park? you likely have small children, so we can market kids stuff to you.
Actually, they wouldn't need the RFID tags to find out you have small children, as they usually stand next to you when you pay (with your credit card). All they need to do is take a picture, and they would also know your gender, your kids' gender, and their approximate age. The only real solution is not to use your credit card.
I don't think it'll be a good marketing tool. I can't think of any information they could collect that would be useful for targeting ads, but I do see the potential to evaluate the park; which rides are the most popular, where do people get lost in the park and how do people use the walkways, and thus find out where the signs or walkways need improvement, and about a billion other things, which don't invade your privacy and do give them information to improve the service.
i'll just kick your door in to show you how much you need a deadbolt.
There are a few big differences here:
First of all, after you've kicked in my door, it'll be damaged. You've done damage to a physical object which I must pay for to get repaired, despite your best intentions.
Secondly, you've intruded into my house without my consent. You have violated my privacy in the real world. This is totally different from breaking into a computer, because you shouldn't have expected any privacy anyway, if you hooked it up to the outside world.
Thirdly, you have nothing to lose if someone breaks into my house and steals everything I own. You do, on the other hand, have something to lose when some company leaves a database with customer information, yours included, unsecured. The spymac users, in this case, have something to lose because their email addresses and personal information are not properly secured.
This is a Final Year Project?!?
I have a development board with an ATMEGA32 (the microcontroller they used) right next to me, with an Ethernet card wired to it. I wrote the network card driver and TCP/IP stack during a second year EE project. I'm currently writing a bit of code to receive HTTP requests and move a webcam with 2 stepper motors with an HTML web form.
It seems a little bit too simple for a FYP to me.
The LED display in the air thingy is what I built and wrote as my very first project!
But the article doesn't mention anything new he invented. Making an invention means designing and building something that hasn't been built before. Solar-powered cars are nothing new (heck, our (the Dutch) team won the last solar challenge). Water boilers that automatically turn off when the water is boiling aren't exactly new either. None of the other things mentioned in the article are new inventions, although of course, some of his inventions are now 40 years old, and may or may not have existed at that time.
Besides that, I don't think his so-called inventions even compare remotely to what Tesla invented. He's basically just tying two or more existing devices together to make something "new", while Tesla was a scientist, and he discovered things that are still being taught to EE and physics students now.
Maybe a formal education might have saved him a lot of time re-inventing things that have existed for a long time, and spent this time inventing something new.
What's a browser? Is that like Internet Explorer? But why do I need another one when I already have Internet Explorer? Don't I have to use Internet Explorer to connect to the internet?
Unfortunately this describes 90% of people out there. The only way I can think of to overcome that kind of pervasive ignorance is a public service campaign like the anti-drug campaigns.
Until, of course, somebody exploits yet another IE hole to display a nicely formatted page telling the clueless user what is going on, that hackers can damage their computer, read their email and steal their money if they use IE, and offers links to Firefox / Opera / Mozilla / whatever your favorite browser is.
custom made CD he sent to his family member with patches, tools, and instructions to make a fresh install of Windows XP Home Internet safe. I know I'll be doing this in the future."
I think one could figure out which movies and TV shows get repeated over and over in a certain country just by listening to these samples. I don't think it would be very hard to find out someone is a big fan of Steve the Crocodile Hunter...
For people living in non-English speaking countries, TV and music are probably the only sources of spoken English, so they tend to copy the accents.
You may be unaware that "lol" actually is a correct word in the Dutch language, meaning (having) fun.
lol (de ~) 1 [inf.] plezier
(taken from www.vandale.nl, an authoritative Dutch dictionary)
Here, in The Netherlands, coffeeshops serve a different purpose. Most of them don't even have coffee...
This thing is so freaking powerful you could watch a streaming dvd on it.
So, what's that TV for?
2) exactly why is this news? just because it's in the US? (not sure, just assuming).
People do live outside the US, you know.
He didn't actually say grandparents are incompetent, he just said grandmother is.
It's easy to be offended if you want to be.
Better make that a rewritable...
Now that is the problem: something called a "trial" doesn't actually exist in the US, it's just a formality.