UK CCTV used to create a music video

UK CCTV used to create a music video [risks].

Unable to hire a production crew for a standard 1980′s era MTV music video, they performed their music in front of 80 of the 13 million CCTV “security” cameras available in England, including one on a bus.

Also good, from the same RISKS digest: How not to use SSL, viz SSL-encrypt the page data, but send the credit card details in cleartext in the URL — win!

Oyster cracked

Oyster (and others) cracked [smallcool] — another lovely example of “don’t invent your own crypto algorithm”, it seems.

… We argue that this is a gross over-estimate and present an attack that recovers secret keys within minutes on a typical desktop PC or within seconds on an FPGA. Our attack exploits statistical weaknesses of the cipher.

Not actually funny

Not actually funny.

One way not to conduct Internet voting

USA Democratic Party “global primary” for Democrats Abroad badly run, insecure, untrustworthy — just like almost all (all?) electronic voting systems in use today.

There are well-known risks at every stage of the episode, so I repeat: that whole process was neither secure nor well-run; moreover, its collection of personal information using unsecured Web pages exposed participants to the risk of information theft, and delivering notionally secure information by email is painfully bad judgment. The episode proves nothing except that well-intentioned people continue to make elementary but serious errors in designing and setting up processes that must be safe at every step if they are to be meaningful.

Don’t like getting to sleep at night? Read the RISKS digest avidly.

Boy falsely jailed for bomb threat for 12 days due to DST changeover

Boy falsely jailed for bomb threat for 12 days due to DST changeover. (URL in RISKS story doesn’t seem to work? Lots of google hits though, many of which have the same content and no attribution, sadly.)

Webb gave an insight into the school’s impressive investigative techniques, saying that he was ushered in to see the principal, Kathy Charlton. She asked him what his phone number was, and, according to Webb, when he replied ‘she started waving her hands in the air and saying “we got him, we got him.”’

‘They just started flipping out, saying I made a bomb threat to the school,’ he told local television station KDKA. After he protested his innocence, Webb says that the principal said: ‘Well, why should we believe you? You’re a criminal. Criminals lie all the time.’

Dorks. Dorks in positions of authority, more to the point.

Frob it!!!

Surely this is what molly guards are for?

Brazil collision: Too much precision a bad thing?

Insightful and non-intuitive – just the way I like it: increased precision in avionics arguably increases the risk of mid-air collision.

The Daily WTF

In the spirit of the RISKS Digest, with which regular Gimbolanders will be familiar, The Daily WTF looks like it’s worth reading to remind oneself of the crazy and unexpected stuff that can go wrong, and the stupid stupid STUPID!!! things our beloved colleagues sometimes force us to endure [raganwald].

The other reason to read WTF right now is that picture of Boomer in their sidebar – miaow.

Fake IDs save lives in Iraq

Fake IDs save lives in Iraq [schneier].

… Iraqis are using fake IDs in light of the recent growth in sectarian killings. The major groups in Iraq are not distinguishable by physical traits, but they are by name. To avoid being killed, people are getting false identification cards: Surnames refer to tribe and clan, while first names are often chosen to honor historical figures revered by one sect but sometimes despised by the other. For about $35, someone with a common Sunni name like Omar could become Abdul-Mahdi, a Shiite name that might provide safe passage through dangerous areas.

Of course, I’m not suggesting this is an argument against having ID cards here in the UK, at least unless Welsh-English tensions get seriously worse. I did once pretend to be Welsh in the face of some extreme hostility, mind – but the drunk Welsh rugby wanker in question didn’t demand my ID card at gunpoint, so…

The Politics of Paranoia and Intimidation

Great stuff. Bayes’ Theory applied to explain why one key “common sense” facet of the USA’s “war on terror” is a waste of time and money, at least for its stated purpose. [schneier]

If the following paragraph doesn’t cause you to nod knowingly, you really should read the whole article. (BTW, I’ve changed the figures to percentages, for enhanced legibility by non mathematicians).

Suppose that NSA’s system is really, really, really good, really, really good, with an accuracy rate of 90%, and a misidentification rate of .001%, which means that only 3,000 innocent people are misidentified as terrorists. With these suppositions, then the probability that people are terrorists given that NSA’s system of surveillance identifies them as terrorists is only 23%, which is far from 100% and well below flipping a coin. NSA’s domestic monitoring of everyone’s email and phone calls is useless for finding terrorists.

This kind of result is often very suprising and non-intuitive, and hence important. When reality diverges from “common sense”, we need to understand why, so we can explain it to people who like to trust “common sense” in their decision making processes (eg Daily Mail readers ;-) ). This kind of result crops up all over the place… I first came across it in the context of medical diagnosis, where it basically explains why misdiagnosis happens so often. Quite simply, the numbers are just stacked against us. There’s nothing we can do about it – we just have to understand what’s happening and get on with it.

Windows Vista shaping up to be a user _and_ security nightmare!

Microsoft Vista’s Endless Security Warnings

The feature is called User Account Protection (UAP) and, as you might expect, it prevents even administrative users from performing potentially dangerous tasks without first providing security credentials, thus ensuring that the user understands what they’re doing before making a critical mistake. It sounds like a good system. But this is Microsoft, we’re talking about here. They completely botched UAP.


Bugs in embedded systems can be naaaasty

In 2003, the pacemaker of a woman in Japan was accidentally reprogrammed by her rice cooker.

Computers are getter smaller and smaller; embedded systems are getting more and more powerful. That means two things. First, what you can do on a computer of given size n is increasing over time: maybe five years ago it was just a microprocessor with 4KB of RAM running custom-built assembly code, whereas maybe in five years it’ll have a gig of RAM and be running OpenBSD or (shudder) Windows. It’ll have more features, more complexity, more failure modes, less security, and in essence, we won’t understand it any more. Second, the smallest systems producable are getting smaller all the time: today you can put that custom-built system with 4KB of RAM into a smaller space than you could five years ago, and in five years time it’ll be smaller yet. That means computers are appearing in more and more places, and more invisible.

The interesting part is when you put these trends together, so you end up with millions of systems flowing through your bloodstream, all running Windows 2020 (or whatever). Yay.

Students: if you ever do this, you are compelled to commit seppuku

Lesson one in security: deny by default, allow with care. It is entirely brain dead for your login logic to be “if the logged_in cookie is false, they’re not logged in, otherwise they are”, rather than “if the logged_in cookie is true, they’re logged in, otherwise they’re not”.

Video eavesdropping demo at CeBIT 2006

Video eavesdropping demo at CeBIT 2006 – 25 metres, no wires: sweet.

Lessons from the Sony CD DRM Episode

Lessons from the Sony CD DRM Episode, (PDF, 154KB, 27 pages) [schneier].

Abstract: In the fall of 2005, problems discovered in two Sony-BMG compact disc copy protection systems, XCP and MediaMax, triggered a public uproar that ultimately led to class-action litigation and the recall of millions of discs. We present an in-depth analysis of these technologies, including their design, implementation, and deployment. The systems are surprisingly complex and suffer from a diverse array of flaws that weaken their content protection and expose users to serious security and privacy risks. Their complexity, and their failure, makes them an interesting case study of digital rights management that carries valuable lessons for content companies, DRM vendors, policymakers, end users, and the security community.

That’s “Sony” DRM technology actually brought to you by a company with offices near here, who came to the department and did a presentation at an event organised by IT Wales las year. They certainly did seem very impressive, and IIRC their CTO spoke highly of his programmers’ abilities. Only goes to show, I guess. (Some retrospectively amusing quotes in this article, I thought.)

Bottled water not just ‘no better’, it’s also unethical

Most bottled water is no better than tap water, and all of it is unethical, according to this article.

More than 50 Indian villages have complained of water shortages after bottlers began extracting water for sale under Coca-Cola Co.’s Dasani label, EPI said.

According to the Container Recycling Institute, 86 percent of plastic water bottles used in the United States become garbage or litter. Incinerating used bottles produces toxic byproducts such as chlorine gas and ash containing heavy metals tied to a host of human and animal health problems. Buried water bottles can take up to 1,000 years to biodegrade.