You Can Buy Illegal Access to U.S. Military Websites for $500
january 2011 by vielmetti
I'm going to go for the bargain and hack the State of Michigan and have some real fun. Ha! Try to find yourself on the hand now, Michiganders!
michigan-gov
security
infosec
talk-to-the-mitten
january 2011 by vielmetti
McClatchy blog: Suits & Sentences
january 2011 by vielmetti
This is an interesting case on the FOIA frontier, the boundary between privacy and new security technologies.
EPIC, in its 2009 FOIA requests, sought among other things "all unfiltered or unobscured images captured using body scanning technologies." The Department of Homeland Security coughed up 1,766 pages of documents but withheld the 2,000 images apparently taken during training. The images, federal officials said, showed "various threat objects dispersed over the bodies."
Read more: http://blogs.mcclatchydc.com/law/2011/01/epic-tries-and-fails-to-see-secret-whole-body-scanning-images.html#ixzz1AsUHYqyU
foia
privacy
security
january 2011 by vielmetti
ZoneMinder: Linux Home CCTV and Video Camera Security with Motion Detection
february 2010 by vielmetti
Welcome to ZoneMinder.com, home of ZoneMinder the top Linux video camera security and surveillance solution. ZoneMinder is intended for use in single or multi-camera video security applications, including commercial or home CCTV, theft prevention and child, family member or home monitoring and other domestic care scenarios such as nanny cam installations. It supports capture, analysis, recording, and monitoring of video data coming from one or more video or network cameras attached to a Linux system. ZoneMinder also supports web and semi-automatic control of Pan/Tilt/Zoom cameras using a variety of protocols. It is suitable for use as a DIY home video security system and for commercial or professional video security and surveillance. It can also be integrated into a home automation system via X.10 or other protocols. If you're looking for a low cost CCTV system or a more flexible alternative to cheap DVR systems then why not give ZoneMinder a try?
linux
surveillance
security
cctv
february 2010 by vielmetti
ARBSEC - Ann Arbor Security Meetup
february 2010 by vielmetti
ARBSEC is the first Wednesday of every month. Unlike other meetups, you will not be expected to pay dues, "join up", or present a zero-day exploit to attend.
arbsec
annarbor
security
infosec
meetup
first-wednesday
february 2010 by vielmetti
Spotify vs OllyDbg
may 2009 by vielmetti
introducing the "medusa float", the number which when rounded crashes your debugger, providing a measure of copy protection.
2^63 - 0.5 = 111111111111111111111111111111111111111111111111111111111111111.1
security
programming
hacking
reverseengineering
ollydbg
spotify
debugger
assembly
debugging
medusa-float
may 2009 by vielmetti
On the Brittleness of Software and the Infeasibility of Security Metrics
january 2009 by vielmetti
I've sometimes quoted Lord Kelvin:
``If you can not measure it, you can not improve it.''
``When you can measure what you are speaking about, and
express it in numbers, you know something about it; but
when you cannot measure it, when you cannot express it in
numbers, your knowledge is of a meagre and unsatisfactory
kind; it may be the beginning of knowledge, but you have
scarcely in your thoughts advanced to the state of *Science*,
whatever the matter may be.''
But I've reluctantly concluded that current architectures are not
amenable to metrics of the sort I want. Here's why.
metrics
security
to-measure-is-to-destroy
january 2009 by vielmetti
Hacking SCADA: Industrial Network Security From the Mind of the Attacker
january 2009 by vielmetti
Hacking SCADA takes an evolutionary leap into Industrial Network Security by examining SCADA systems and networks from a hacker's point of view in an effort to help fix the root of the problem, and not just "treat the symptoms." It takes an in depth look at the vulnerabilities and solutions in a way that other standards and best practices guidelines fall short.
books
hacking
scada
security
january 2009 by vielmetti
MD5 considered harmful today
january 2009 by vielmetti
paper detailing collision attack on md5 + sequence number attack on ssl certs = complete man in the middle attack on https
md5
25c3
security
ssl
mitm
https
january 2009 by vielmetti
21st-century disaster prep tips you won't get from officials at Stephenson blogs on homeland security 2.0 et al.
november 2008 by vielmetti
The advent of 21st century personal communications devices and services, particularly camera phones with GPS capability, GPS devices in your car, P2P software such as mesh networking, or social networking services, mean that it’s now feasible to have two-way sharing of real-time, location-based information that could save your life in a crisis. You won’t find these tips about how to capitalize on those devices and applications on Ready.gov, or other federal, state, and/or local preparedness sites. In some cases it’s because the services described below are private sector ones that government agencies can’t endorse.
howto
web2.0
technology
security
collaboration
emergency
disaster
communications
preparedness
survival
november 2008 by vielmetti
Mobile Surveillance-A Primer - MobileActive Wiki
november 2008 by vielmetti
With cameras, GPS, mobile Internet come ever more dangerous surveillance possibilities, allowing an observer, once they have succeeded in gaining control of the phone, to turn it into a sophisticated recording device. However, even a simple phone can be tracked whenever it is on the network, and calls and text messages are far from private. Where surveillance is undertaken in collusion with the network operator, both the content of the communication and the identities of the parties involved is able to be discovered, sometimes even retrospectively. It is also possible to surreptitiously install software on phones on the network, potentially gaining access to any records stored on the phone.
internet
mobile
security
privacy
surveillance
i'll-be-watching-you
november 2008 by vielmetti
2008 Internet Security Report | Security to the Core | Arbor Networks Security
november 2008 by vielmetti
Finally, the surveyed ISPs also said their vendor infrastructure equipment continues to lack key security features (like capacity for large ACL lists) and suffers from poor configuration management and a near complete absence of IPv6 security features. While most ISPs now have the infrastructure to detect bandwidth flood attacks, many still lack the ability to rapidly mitigate these attacks. Only a fraction of surveyed ISPs said they have the capability to mitigate DDoS attacks in 10 minutes or less. Even fewer providers have the infrastructure to defend against service-level attacks or this year’s reported peak of a 40 gigabit flood attack.
internet
security
ddos
opsec
netsec
infosec
november 2008 by vielmetti
Threatchaos relaunches! | ThreatChaos
november 2008 by vielmetti
But, a blog buried within Network World’s community is hard to find so as of today I am re-launching threatchaos.com. With complete control over the technology I use and the features I develop this site will quickly become a valuable resource to the entire IT security industry. In addition to my daily blog posts I will be retaining people to help with news coverage. I am also embarking on several video ventures that will show up here.
infosec
stiennon
richard
threatchaos
security
blog
relaunch
november 2008 by vielmetti
Emergent Chaos: The Emergent Chaos Jazz Combo of the Blogosphere
november 2008 by vielmetti
good reliable security blog
blog
security
infosec
finsec
november 2008 by vielmetti
more against openID (tecznotes)
october 2008 by vielmetti
The ridiculous thing about OpenID is that it has no value unless loads of people buy in, which I assume is why there have been so many "we will support OpenID mumble-mumble" announcements in recent months. If it gains any traction at all, it's going to be just like the consumer credit system without all that pesky government oversight getting you a free personal report once a year and going after abusers. It's a cute technical approach to a big, hairy social status quo, and I'm sitting here writing a big-ass diatribe about it because I don't want to find myself forced into signing up for a SomeBigCo account two years from now and getting all my shit stolen or sold, ChoicePoint-style.
security
rant
openid
privacy
identity
openid-sesame
authentication
october 2008 by vielmetti
Google Abandons Standards, Forks OpenID — The NeoSmart Files
october 2008 by vielmetti
OpenID is on tenterhooks as it is, and cannot withstand any more efforts to splinter its adoption. Never mind the fact that almost all the big names adopting OpenID are joining only as providers and not as relying parties (rendering the whole basis of OpenID useless) – now even the provider side of things is chaos.
google
technology
security
authentication
identity
standards
tenterhooks
the-tentacles-of-identity
openid
october 2008 by vielmetti
Computer science is really a social science
october 2008 by vielmetti
I first remember making this suggestion (somewhat in jest) to Andreas Zeller during a conversation at ISSTA 2000: my response to yet another outbreak of the "math vs. physics" debate was "we don't want to admit it, but we should really be debating whether we're more like sociologists or economists". He noted that he sees himself more as a 19th century "naturalist" -- in particular, observational as well as experimental, a view that I tend to think of as compatible. A visit by a cross-disciplinary group from CMU to Microsoft Research sometime in 2002 was a key step towards making me believe that maybe I wasn't joking. Since then, discussions with many people helped refine these ideas and led me to conclude that they are ready to air; I would especially like to thank Jeannette Wing, Jeff Wallace, Mike Howard, Window Snyder, Pierre de Vries for the "consilient" viewpoint, Tony Hoare, Butler Lampson, Mary Shaw, Dan Gillmor, Cornell West
security
computing
economics
sociology
october 2008 by vielmetti
Outpost24's TCP DOS Attack Explained
october 2008 by vielmetti
1. send SYN 2. victim sends SYN-ACK 3. filter out SYN-ACK from your machine's TCP stack 4. send ACK from userland 5. ??? 6. PROFIT!@!@!
marketing
security
pr
hacking
tcp
fun-with-state-machines
via:adulau
october 2008 by vielmetti
OpenID Is Why I Hate The Internet - Ted Dziuba
september 2008 by vielmetti
Everything was all well and good until I had to figure out how to use OpenID. I've been watching the development of this shit from the sidelines for a while (well, if reading something about OpenID blah blah blah on TechCrunch and saying, aw, that's cute, then getting back to work counts). I understand the problem that OpenID is trying to solve, but the approach is way too, uh, how to put this, San Francisco.
web
usability
openid
security
san-francisco-style-internet-design
techcrunch
blah-blah-blah
september 2008 by vielmetti
Democracy Now! | Amy Goodman and Two Democracy Now! Producers Unlawfully Arrested At the RNC
september 2008 by vielmetti
ST. PAUL, MN—Democracy Now! host Amy Goodman was unlawfully arrested in downtown St. Paul, Minnesota at approximately 5 p.m. local time. Police violently manhandled Goodman, yanking her arm, as they arrested her. Video of her arrest can be seen here: http://www.youtube.com/watch?v=oYjyvkR0bGQ Goodman was arrested while attempting to free two Democracy Now! producers who were being unlawfully detained. They are Sharif Abdel Kouddous and Nicole Salazar. Kouddous and Salazar were arrested while they carried out their journalistic duties in covering street demonstrations at the Republican National Convention. Goodman’s crime appears to have been defending her colleagues and the freedom of the press.
security
media
journalism
minnesota
youtube
democracy-now
goodman
amy
september 2008 by vielmetti
Labs/Ubiquity/Ubiquity 0.1 Author Tutorial - MozillaWiki
august 2008 by vielmetti
If the user chooses to subscribe to a command from an untrusted source, they will get a security warning message before they can install the command. (And in Ubiquity 0.1, ALL sources are considered untrusted, so don't take it personally!) Because Ubiquity commands can execute arbitrary javascript with chrome privileges, subscribing to a command from a website means allowing that site full access to do whatever it wants to your browser. We want to make sure people understand the dangers before subscribing to commands, so we made the warning page pretty scary.
ubiquity
trust
security
trust-me-pleez
firefox
security-model
absence-of-a-security-model
chrome
javascript
infection-vector
august 2008 by vielmetti
Dr. Strangevote saves mankind with Luddite voting recipe | The Register
august 2008 by vielmetti
When it comes to elections, California Secretary of State Debra Bowen opts for blander, more traditional technologies, and that preference is helping her sleep better at night.
Speaking Wednesday at the Usenix Security Symposium in San Jose, California, the state's top elections official laid out a decidedly low-tech approach for ensuring that each voter's ballot is recorded as cast. It involves the use of ink pens to record votes on old-fashioned paper. An optical scanner records the information, and to make sure votes are counted correctly, ballots are randomly selected and compared with what's been tallied.
usenix
security
bowen
debra
vote
voting
vote-early-vote-often
california
august 2008 by vielmetti
Commentary: Inside the Twisted Mind of the Security Professional
august 2008 by vielmetti
Which is why CSE 484, an undergraduate computer-security course taught this quarter at the University of Washington, is so interesting to watch. Professor Tadayoshi Kohno is trying to teach a security mindset.
You can see the results in the blog the students are keeping. They're encouraged to post security reviews about random things: smart pill boxes, Quiet Care Elder Care monitors, Apple's Time Capsule, GM's OnStar, traffic lights, safe deposit boxes, and dorm-room security.
kohno
tadayoshi
design
security
infosec
hacking
psychology
schneier
bruce
social-engineering-will-get-you-what-you-want
august 2008 by vielmetti
Homeland Security: We can seize laptops for an indefinite period | The Iconoclast - politics, law, and technology - CNET News
august 2008 by vielmetti
The U.S. Department of Homeland Security has concocted a remarkable new policy: It reserves the right to seize for an indefinite period of time laptops taken across the border.
A pair of DHS policies from last month say that customs agents can routinely--as a matter of course--seize, make copies of, and "analyze the information transported by any individual attempting to enter, re-enter, depart, pass through, or reside in the United States." (See policy No. 1 and No. 2.)
security
news
law
privacy
government
information
digital
laptop
police
dhs
border
corruption
tsa
laptops
august 2008 by vielmetti
ratproxy - Google Code
july 2008 by vielmetti
passive web application security assessment tool
via:monkey
code
ajax
security
testing
infosec
trust-but-verify
july 2008 by vielmetti
WordPress › Blog » WordPress 2.3.3
february 2008 by vielmetti
WordPress 2.3.3 is an urgent security release.
blogs
security
software
web
wordpress
february 2008 by vielmetti
Why 'Anonymous' Data Sometimes Isn't
december 2007 by vielmetti
bruce schneier notes that birthdate + zip code + gender is probably enough to identify you. (ed43 + 48104)
security
surveillance
infosec
anonymous
birthday
december 2007 by vielmetti
The 'Security Digest' Archives (TM) : Phage List: archive, by date
november 2007 by vielmetti
Phage List: archive, by date. 3/11/88 - Morris Internet Worm - 20th anniversary coming up
worm
morris-worm
security
infosec
phage
security-digest
1988
november 2007 by vielmetti
Journal Inquirer - Security breach affects UConn Foundation donors
november 2007 by vielmetti
The foundation was one of 92 clients of the vendor, Convio, affected by the breach, Sponauer said.
convio
uconn
infosec
security
nptech
john-sponauer
nonprofit
foundation
november 2007 by vielmetti
Bomb Scare on Central Campus on Flickr - Photo Sharing!
november 2007 by vielmetti
umich central campus bomb scare
umich
central-campus
security
november 2007 by vielmetti
Miron’s Weblog » OpenSocial insecurity - no user to app authentication
november 2007 by vielmetti
no user authentication! Any user can forge anybody else’s identity when interacting with any OpenSocial application. As it currently stands, it is not possible to write secure social applications on the platform
api
facebook
identity
opensocial
security
widgets
infosec
november 2007 by vielmetti
Social Hacking
november 2007 by vielmetti
I’m really starting to wonder about the overall security of the OpenSocial platform’s design. Not to say that I know more than Google, but I am surprised these issues weren’t noticed prior to launch.
google
hacking
web2.0
opensocial
infosec
security
november 2007 by vielmetti
[OpenID] Phishing and OpenID
november 2007 by vielmetti
a significant problem with OpenID I've brought this up before and had assumed that most of these schemes would not get off the ground because of the severity and obviousness of the problem -- but I was wrong.
openid
phishing
security
infosec
november 2007 by vielmetti
Details of hijacked 24/7 ad server emerge
october 2007 by vielmetti
Hackers have hijacked a server operated by Internet advertising company 24/7 Real Media Inc. and are using it to seed legitimate Web sites with ads carrying attack code, Symantec Corp. said Friday.
infosec
hackers
ad
advertising
security
24-7-real-media
october 2007 by vielmetti
OpenID account security
october 2007 by vielmetti
3 classes of attacks on openid. (looks like a worse and worse system every time I read one of these articles)
openid
security
infosec
phishing
october 2007 by vielmetti
Tech Team Lead News: Outstanding issues with OpenID and tips for improvements
october 2007 by vielmetti
security, usability, and privacy issues with openid.
openid
security
usability
privacy
identity
protocol
design
october 2007 by vielmetti
Links » OpenID and Phishing: Episode II
october 2007 by vielmetti
The OpenID fanboys want OpenID to work on any old platform using only standard software, and so therefore are doomed to live in the world of broken authentication. This is fine if what you protect with your OpenID is worthless, but it seems clear that the
identity
openid
phishing
security
infosec
authentication
broken
worthless
october 2007 by vielmetti
Links » OpenID: Phishing Heaven
october 2007 by vielmetti
OpenID announced the release of a new draft of OpenID Authentication 2.0 today. I’m reluctantly forced to come to the conclusion that the OpenID people don’t care about phishing, since they’ve defined a standard that has to be the worst I’ve ever
identitytheft
toread
openid
infosec
security
phishing
worst-ive-ever-seen
october 2007 by vielmetti
The Identity Corner » The problem(s) with OpenID
october 2007 by vielmetti
Beyond this, OpenID is pretty much useless. The reasons for this are many: OpenID is highly vulnerable to phishing and other attacks, creates insurmountable privacy problems, is not a trust system, suffers from usability problems, and makes it unappealing
openid
infosec
design
usability
security
october 2007 by vielmetti
Pushing String » Sun OpenID IdP: protocol and implementation review
october 2007 by vielmetti
When we put our OpenID provider through the security review wringer (many thanks to Glenn Brunette and his team for their work on this!), some nitsy OpenID protocol questions came out, along with issues of provider and consumer behavior in the wild. Some
openid
security
infosec
october 2007 by vielmetti
Google Online Security Blog: The reason behind the "We're sorry..." message
september 2007 by vielmetti
Some of you might have seen this message while searching on Google, and wondered what the reason behind it might be. Instead of search results, Google displays the "We're sorry" message when we detect anomalous queries from your network.
captcha
google
security
seo
niels-provos
malware
botnet
monkey
september 2007 by vielmetti
Searching For Evil | GNUCITIZEN
september 2007 by vielmetti
google video of ross anderson (introduced by hal varian) talking about the intersection of economics and computer security.
ross-anderson
hal-varian
google
google-talks
dont-be-evil
security
economics
september 2007 by vielmetti
Planet-Websecurity.org: good news brought together
august 2007 by vielmetti
At this point Mike Shaver threw down the gauntlet. He gave me his business card with a hand written note on it, laying his claim on the line. The claim being - with responsible disclosure Mozilla can patch and deploy any critical severity holes within “
mozilla
security
patches
infosec
ten-freaking-days
ten-effing-days
ten-fracking-days
august 2007 by vielmetti
Planet-Websecurity.org: good news brought together
august 2007 by vielmetti
From the Pwnie Awards website, the Mass 0wnage Pwnie Award is Awarded to the person who discovered the bug that resulted in the most widespread exploitation. Also known as the Pwnie for Breaking the Internet.
security
infosec
pwnie
most-likely-to-break-the-internet
august 2007 by vielmetti
Q&A: Security top concern for new IETF chair - Network World
july 2007 by vielmetti
VeriSign is giving me a check a month, and the National Security Agency is paying my travel costs. Vigil Security is my own business. It’s just me, and my wife pays the bills.
ietf
nsa
internet
standards
security
verisign
july 2007 by vielmetti
mezzoblue § Unsettling
june 2007 by vielmetti
For those who host with Dreamhost: I received a confirmation email from them at 8:27pm PST on June 5th that yes indeed, something in the neighbourhood of 3,500 FTP accounts have been compromised. If you’re on Dreamhost, time to change all your passwords
dreamhost
infosec
wordpress
spam
security
hosting
june 2007 by vielmetti
Collaborative Thinking: Corporate data slips out via Google Calendar
june 2007 by vielmetti
Google Calendar gives users the choice of keeping calendar entries private or publishing them for the world to see, but some Google Calendar users appear to be sharing their calendar information without realizing it.
calendar
google
security
infosec
june 2007 by vielmetti
Web browsers are new frontline in internet war - tech - 05 May 2007 - New Scientist Tech
may 2007 by vielmetti
While installing firewalls and antivirus software on your computer may keep it safe from conventional threats such as worms and viruses, these security tools do not inspect data downloaded through browsers - a loophole that attackers can exploit. "The fir
browser
google
search
secure
security
monkey.org
niels-provos
may 2007 by vielmetti
BBC NEWS | Technology | Cursor hackers target WoW players
april 2007 by vielmetti
Research by security firm Symantec suggests that the raw value of a WoW account is now higher than a credit card and its associated verification data.
credit
identity
wow
infosec
security
using-my-platinum-wow-account-to-buy-groceries
april 2007 by vielmetti
TJX 10-K: computer intrusion at TJX, parent company of TJ Maxx
march 2007 by vielmetti
We suffered an unauthorized intrusion into portions of our computer systems that process and store information related to customer transactions that we believe resulted in the theft of customer data. We do not know who took this action and whether there w
tjx
edgar
10-k
sec
filing
security
infosec
credit-card
all-your-discount-merchandise-are-belong-to-us
march 2007 by vielmetti
AIM - The global trade association for automatic identification
march 2007 by vielmetti
RFID: "Et tu, Brute?" -- Killing Some RFID "Truths"
rfid
privacy
security
march 2007 by vielmetti
ATLAS Dashboard: Global Summary
february 2007 by vielmetti
infosec dashboard of global threats and attacks
security
virus
worm
web
infosec
via:nazarijo
a2b3
february 2007 by vielmetti
» Super Bowl stadium site hacked, seeded with exploits | Zero Day | ZDNet.com
february 2007 by vielmetti
malicious javascript installs keystroke logger.
security
superbowl
virus
javascript
infosec
february 2007 by vielmetti
Gen Kanai weblog: the cost of monoculture
january 2007 by vielmetti
South Korea as a Windows only, no Mac, no firefox software monoculture. & the dangers thereof.
korea
a2b3
nethistory
security
infosec
firefox
crypto
standards
via:linkorama
january 2007 by vielmetti
Maine rejects Real ID Act | CNET News.com
january 2007 by vielmetti
papers please (not in Maine)
identity
security
theater
realid
maine
via:jremmers
january 2007 by vielmetti
reddit.com: what's new online
december 2006 by vielmetti
reddit's user base has been stolen - user names, email addresses, passwords. passwords are like underwear, change yours frequently. via it harvest.
security
blog
reddit
infosec
december 2006 by vielmetti
RFIDIOt.org - RFID IO tools
december 2006 by vielmetti
python-based toolkit to manipulate RFID tags. no experimenting with library rfid in this collection, but perhaps it would be where to start
hacking
security
rfid
python
programming
tools
passport
wireless
superpatron
december 2006 by vielmetti
Chicago area cops arrest 12 in credit card fraud scheme - Network World
november 2006 by vielmetti
good old fashioned identity theft, notes Richard Stiennon
chicago
security
fraud
infosec
november 2006 by vielmetti
Wired 14.11: Attack of the Bots
october 2006 by vielmetti
when i fight the bots the bots always win
bots
innovation
security
infosec
october 2006 by vielmetti
Visitor Networks-The Internet Protocol Journal - Cisco Systems
october 2006 by vielmetti
dory leifer on the solution space for providing guest access to the net, wired or wireless.
networks
security
wifi
innovation
community_informatics
architecture
mobile
privacy
infosec
cisco
october 2006 by vielmetti
Reports of a new vulnerability in Microsoft Excel
june 2006 by vielmetti
one report, apparently a targeted attack, on a zero-day vulnerability in excel
excel
security
microsoft
spreadsheet
zeroday
june 2006 by vielmetti
ALA | Library Connection is “John Doe”— Board speaks about NSL order for library records
june 2006 by vielmetti
Today four Connecticut librarians spoke publicly for the first time about their experience as recipients of a National Security Letter (NSL) demanding library records.
infosec
patriot
patriotact
library
libraries
security
privacy
superpatron
june 2006 by vielmetti
90% Crud: Secure Email Meme
november 2005 by vielmetti
George Hotelling recommends securing your email.
pgp
gpg
crypto
smime
email
phishing
security
secureemail
november 2005 by vielmetti
Skype patches critical flaws
october 2005 by vielmetti
download new version now!
skype
security
via:jnazario
october 2005 by vielmetti
Mozilla Firefox 1.0.2 Release Notes
march 2005 by vielmetti
security update
mozilla
firefox
security
release
march 2005 by vielmetti
Schneier on Security: SHA-1 Broken
february 2005 by vielmetti
break by a chinese crypto team - not in theory, but for real
sha-1
security
hash
secure
crypto
schneier
february 2005 by vielmetti
SecurityFocus HOME Vulns Info: SugarCRM Multiple Input Validation Vulnerabilities
december 2004 by vielmetti
note well open security issues
crm
opensource
sales
salesforce
security
sugarcrm
december 2004 by vielmetti
Vastly Important Notes: e-Passport problems
november 2004 by vielmetti
e-passports readable from many feet away with the right antenna and some patience
passports
rfid
security
november 2004 by vielmetti
HNS - TWiki 20030201 Search Function Arbitrary Shell Command Execution Vulnerability
november 2004 by vielmetti
As indicated in the source code, the software authors were aware that the way they worked around Perl's taint check is insecure. Users of TWiki should reconsider if the software can meet their security requirements, given such gross negligence.
security
twiki
wiki
november 2004 by vielmetti