So I have this log of about 100 CR2 hosts who have attacked my web server, and each of those infected hosts has probably got records of 100 other hosts that have tried to reinfect them in their logs. If I snarf all their logs, I'll have 10,000 compromised hosts that I've got root access on. Do it one more level, and I've got every compromised machine on the internet. How long until some kiddie scripts that up?
OR, one group could patch all those infected hosts...or at least notify the admins.
Worse than that...any loser has ALL hosts (on Code Red Back For More; Score: 2, Interesting)
It's worse than that. I can use the backdoor on the few hosts I am being hit directly with, and get THEIR web logs. If I have 100 hosts that have attacked me, and each of THEM have 100 hosts that have tried to reinfect THEM, etc....
100*100 = 10,000
100*100*100 = 1,000,000 (250,000 is probably the total number of hosts that will be infected, so you'll start getting diminishing returns as you get duplicates)
How to generate a list of ALL CRII infected hosts (on Code Red Back For More; Score: 2)
This analysis at http://braddock.com/cr2.html describes a means through which a complete list of the thousands of CodeRed II infected and backdoor-compromised hosts can be easily obtained by any individual who has been keeping a web server log of attempts on his machine, by using the backdoors on the machines that have attacked him to obtain the web logs of the infected attacking IIS web servers to learn of new infected hosts.
Follow the news. Thursday (Fri?) the US Senate passed the "Combating Terrorism Act of 2001" in a 97 to 0 vote. This bill allows both FBI Pen Register, AND Tap and Trace WITHOUT a warrant if used on any case involving Terrorism, or COMPUTER SECURITY (any crackers out there?). It still has to pass the House (AFAIK), but THERE WAS NO OPPOSITION IN THE SENATE ABOUT THIS!
--Braddock Gaskill
Newer Smart Cards are capable of public key cryptography. They are not just an information store, like a magnetic stripe, but actually perform public key crypto on an embedded processor on the card which is powered by the reader. This way your public key never leaves the card.
Some of the better manufacturers of Smart Cards add all sorts of physical security to the chips as well...to the point where you can't even take the chip apart and scan the die with an electron microscope or special probes to try to read or trick the bits out of memory.
My guess is that the current Visa cards do NOT use onboard cryptography yet...that these are general-purpose cards which for now store your credit card number and address for convenience, because the infrastructure is not yet in place AFAIK to support public key credit card transactions. They may or may not already have crypto software onboard that could be used with a PKCS#11 driver, but the credit card companies just want to get them and the readers deployed, and then will provide a software update or something to actually add crypto features to your transactions in the next couple of years. See the PKCS#11 standard written by RSA (on their web site) for the standard crypto API which has been adopted for smartcards.
Note that smart cards have been around for a while in Europe, although they were typically not used in a cryptographically sophisticated way.
See www.pki-page.org and http://www.rsasecurity.com/rsalabs/pkcs/pkcs-11/
Braddock Gaskill
Security Consultant
braddock@braddock.com
This Zeppelin NT is a toy. The Hindenburg was _800_ feet long, and was used for transatlantic passenger service with lounges and smoking rooms and berths! This thing is like 210 ft long, and carries a dozen tourists in a cramped cabin. The Goodyear blimp is 192 feet long!
Using the Zeppelin name is a marketing ploy, and apparently a good one since I'm wasting my time reading about a run-of-the-mill blimp on Slashdot.
-Braddock
Sheesh, I keep waiting for CNN, ABC, CBS, BBC, SOMEONE to report that the internet's security has just been turned to Swiss cheese, but all of them are still headlining stories that their technology editor wrote before going home for the weekend about how "The Red Tide recedes", and "Code Red virus not so bad...kinda soft and cuddly".
Visions of thousands of password packet sniffers kicking in Monday morning on CR2 backdoored systems dance in my head....
OR, one group could patch all those infected hosts...or at least notify the admins.
I've got a full analysis of this at http://braddock.com/cr2.html
100*100 = 10,000
100*100*100 = 1,000,000 (250,000 is probably the total number of hosts that will be infected, so you'll start getting diminishing returns as you get duplicates)
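Added example, not from the comments above or from braddock.com: a defender-side Python script that reads an Apache-style access log, picks out the Code Red probes by their publicly documented request signatures (`/default.ida?NNNN…` for the original worm, `/default.ida?XXXX…` for Code Red II, and `root.exe` hits that indicate someone trying the CRII backdoor), and produces the de-duplicated list of infected source hosts whose admins could be notified. The log lines and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format log lines (made up for this example).
SAMPLE_LOG = """\
10.0.0.5 - - [05/Aug/2001:09:14:02 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090 HTTP/1.0" 404 273 "-" "-"
10.0.0.5 - - [05/Aug/2001:09:14:03 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090 HTTP/1.0" 404 273 "-" "-"
192.0.2.17 - - [05/Aug/2001:09:20:11 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090 HTTP/1.0" 404 273 "-" "-"
198.51.100.9 - - [05/Aug/2001:10:02:44 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
203.0.113.3 - - [05/Aug/2001:10:05:00 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
"""

# Source IP, timestamp, method and request path of a combined-format line.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

def classify(path):
    """Map a request path to a Code Red indicator, or None for ordinary traffic."""
    if path.startswith("/default.ida?"):
        payload = path[len("/default.ida?"):]
        if payload.startswith("X"):
            return "codered2"          # Code Red II pads its request with 'X'
        if payload.startswith("N"):
            return "codered1"          # the original Code Red pads with 'N'
        return "default.ida-other"     # same vulnerable ISAPI filter, unknown variant
    if path.startswith("/scripts/root.exe") or path.startswith("/msadc/root.exe"):
        return "root.exe-probe"        # attempt to use the shell copy CRII leaves behind
    return None

def summarize(log_text):
    """Return {indicator: sorted unique source IPs} for every flagged request."""
    hosts = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                   # skip lines that are not in combined format
        label = classify(m.group("path"))
        if label:
            hosts[label].add(m.group("ip"))
    return {label: sorted(ips) for label, ips in hosts.items()}

def notify_list(log_text):
    """Unique hosts that appear to be infected (CRv1 or CRII): owners worth contacting."""
    s = summarize(log_text)
    return sorted(set(s.get("codered1", [])) | set(s.get("codered2", [])))

if __name__ == "__main__":
    for label, ips in summarize(SAMPLE_LOG).items():
        print(f"{label}: {len(ips)} host(s): {', '.join(ips)}")
    print("notify:", notify_list(SAMPLE_LOG))
```

Feed it a real access log instead of `SAMPLE_LOG` and the notify list is the set of attacking hosts the comment above counts, without touching any of them.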
Do NOT sign the patent. Get prior art together. Tell your ex-employer he either must narrow the patent, or you will not sign it, and file a letter of protest with the patent office.
Here is an excerpt from an interview that Tim O'Reilly did with the director of the Patent Office earlier this year:
Tim: I talked to one developer who said, "I have my name on nine patents, and I think they're all a joke."
Patent Office Director Dickinson: Well, then, he's committed a federal crime, because you have to execute a declaration that says you believe in the patentable invention. If he doesn't, then I urge him to commit them to the public domain and --
Tim: Effectively, you know, you've got people who are being compelled by their companies to have their name on patents and, you know --
Dickinson: They're not compelled to work for anybody, are they? It's a free country.
(This Dickinson guy is an asshole, BTW)
http://www.oreillynet.com/pub/a/patents/2000/05/24/PizzoFiles2.html
-Braddock
The Internet Archive Project has Usenet archives from 1996-1998...it is a .5 terabyte collection, but it is currently all on tape. However, they STOPPED archiving Usenet in 1998. www.archive.org
The Internet Archive Project is the project attempting to archive the entire web and related internet contents as a matter of public record. They currently have around 15 terabytes in the archive.
Push them to resume archiving of Usenet, and to get their old stuff online from the tapes. This is HISTORY, people! Historians 50-100 years from now will be DYING to look at this stuff, and won't be able to believe that we threw it all away, even though the cost of storing it was dropping exponentially.
I would kinda hope that my great-great-grandchildren could get to know me by reading some of my better Usenet posts.
--Braddock Gaskill
We are all using a site that makes extensive use of GIFs. Could /. take the lead? Then we could continue the campaign with all the Open Source sites (someone really needs to post an "LZW Free" button). The Mozilla folks will be quick enough to enhance their PNG support (they're probably unlicensed for LZW for the Free Mozilla product).
If worst comes to worst, we can start to threaten to "turn in" the non-compliant sites... :)
Doesn't anyone remember Motorola's PReP/CHRP, PCI, ATX form, PPC Motherboard, YellowKnife, with full schematics, OrCAD & Gerber files, technical papers, etc., all right online several years ago, back at the height of the PPC fanfare? Still there if anyone cares...supports up to PPC750: http://www.mot.com/SPS/PowerPC/teksupport/refdesigns/yk.html
It never went anywhere. I hope this is different.
-Braddock