Blackmoor Vituperative

Tuesday, 2009-12-08

Presumption of guilt: Your rights when it comes to data encryption

Filed under: Privacy,Security — bblackmoor @ 14:28

Chad Perrin has a short article on TechRepublic giving a back-of-the-napkin overview on encryption as it is viewed by the courts. It is worth checking out and clicking the relevant links.

Monday, 2009-12-07

Free public OpenID server

Filed under: Security — bblackmoor @ 19:17

I have set up a free, public OpenID provider at http://www.blackgate.net/openid/, using software from Community-ID.

Monday, 2009-11-30

Passwords need to go away

Filed under: Security — bblackmoor @ 19:54

I was just creating an account on a new web site. It has freaking ridiculous password rules.

Your password must have 2 upper case letters, 2 lower case letters, 2 numbers, 2 special characters, and be a minimum of 9 characters and a maximum of 12 characters in length.

Why don’t they just generate a random string that they’ll accept and save me the bother? It’s not like I will be able to remember this monstrosity.
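The rule quoted above, implemented as an added example (this code is not from the original post): a validator for exactly those requirements, a generator that uses PHP's random_int() to produce a string the rule would accept, and an entropy bound showing what the 12-character cap does to the strength of any compliant password. The character classes (in particular which symbols count as "special"), the function names and the comparison passphrase are this example's assumptions.

```php
<?php
// Added example, not from the original post: the quoted password rule as code.
// Assumptions: "special characters" means ASCII punctuation; names are our own.
declare(strict_types=1);

const UPPER   = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
const LOWER   = 'abcdefghijklmnopqrstuvwxyz';
const DIGITS  = '0123456789';
const SPECIAL = '!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~';  // assumption: printable ASCII punctuation
const MIN_LEN = 9;
const MAX_LEN = 12;

/** Count how many characters of $password belong to the character class $class. */
function countInClass(string $password, string $class): int
{
    $n = 0;
    foreach (str_split($password) as $ch) {
        if (strpos($class, $ch) !== false) {
            $n++;
        }
    }
    return $n;
}

/** Return the list of rule violations; an empty list means the password is accepted. */
function violations(string $password): array
{
    $problems = [];
    $len = strlen($password);
    if ($len < MIN_LEN || $len > MAX_LEN) {
        $problems[] = sprintf('length %d is outside %d..%d', $len, MIN_LEN, MAX_LEN);
    }
    $classes = ['upper' => UPPER, 'lower' => LOWER, 'digit' => DIGITS, 'special' => SPECIAL];
    foreach ($classes as $name => $class) {
        if (countInClass($password, $class) < 2) {
            $problems[] = "fewer than 2 {$name} characters";
        }
    }
    return $problems;
}

/** Generate a random password the rule accepts, drawing from the CSPRNG behind random_int(). */
function generateCompliant(int $length = MAX_LEN): string
{
    $all = UPPER . LOWER . DIGITS . SPECIAL;
    $chars = [];
    // Two characters from each required class first, then fill up from the whole alphabet.
    foreach ([UPPER, LOWER, DIGITS, SPECIAL] as $class) {
        for ($i = 0; $i < 2; $i++) {
            $chars[] = $class[random_int(0, strlen($class) - 1)];
        }
    }
    while (count($chars) < $length) {
        $chars[] = $all[random_int(0, strlen($all) - 1)];
    }
    // Fisher-Yates shuffle with random_int, so the class-seeded characters are not always in front.
    for ($i = count($chars) - 1; $i > 0; $i--) {
        $j = random_int(0, $i);
        [$chars[$i], $chars[$j]] = [$chars[$j], $chars[$i]];
    }
    return implode('', $chars);
}

/** Upper bound on entropy in bits for a uniformly random string of $length over $alphabetSize symbols. */
function entropyBits(int $length, int $alphabetSize): float
{
    return $length * log($alphabetSize, 2);
}

$pw = generateCompliant();
printf("generated: %s  violations: %s\n", $pw, json_encode(violations($pw)));
printf("'Password1!' violations: %s\n", json_encode(violations('Password1!')));
$alphabet = strlen(UPPER . LOWER . DIGITS . SPECIAL);
printf("best case under this rule (%d chars over %d symbols): %.1f bits\n", MAX_LEN, $alphabet, entropyBits(MAX_LEN, $alphabet));
printf("20-character passphrase over lowercase plus space (27 symbols): %.1f bits\n", entropyBits(20, 27));
```

Run it with the php command-line binary. The last two lines carry the security point: even a perfectly random 12-character password under this rule tops out below 80 bits, while a 20-character lowercase passphrase with no composition rules at all exceeds 95 bits. The rule makes the password harder to remember without making it stronger, because the length cap, not the character mix, bounds the keyspace.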

When I was at… Philip Morris, I think it was… there were two systems that had complex password requirements, and they were mutually exclusive. Like, one required two numbers, and the other forbade more than one number. Something like that. So ridiculous. The whole “password” thing needs to die.

I wish more places would clue into OpenID. After exams, I think I will set up an OpenID server on mortshire.org.

Tuesday, 2009-09-08

Guns can keep computers in your luggage safe

Filed under: Security,Society,Travel — bblackmoor @ 10:43

As a computer guy and a gun owner, I thought this idea was brilliant: packing your laptop with a pistol in order to keep your laptop safe while traveling via airplane.

Of course, it is vital to know all of the rules and laws when one is transporting a firearm, on an airplane or anywhere else. So do your homework first.

Then again, gun ownership in the USA is rather like an intelligence test: if you own one (or more), and stay out of jail, you pass.

Tuesday, 2009-08-25

Ex-Pirate Bay ISP sabotaged, calls in police

Filed under: Intellectual Property,Security — bblackmoor @ 19:59

According to the site TorrentFreak:

The ISP that supplied much of The Pirate Bay’s bandwidth before cutting them off yesterday, is reporting that it has been sabotaged. Calling in experts and the police, Black Internet says the attack on them is intentional and has caused substantial damage.

This makes me sad. It certainly does not reflect well on those who would see our current cartel-controlled copyright system reformed. Why attack Black Internet? They’re a victim of these thugs just as much as The Pirate Bay.

Monday, 2009-08-24

Spam from Facebook

Filed under: Security — bblackmoor @ 14:40

An amusing anecdote from the department head of the Computer Science department of Purdue University, one of the world’s experts on network security:

Bottom line: providing Facebook any access to email addresses at all is like Roach Motel — they go in, but there is no way to get them out. And Facebook’s customer service and interfaces leave a whole lot to be desired. Coupled with other complaints people have had about viruses, spamming, questionable uses of personal images and data, changes to the privacy policy, and the lack of any useful customer service, and I really have to wonder if the organization is run by people with any clue at all.

I certainly won’t be inviting anyone else to join Facebook, and I am now recommending that no one else does, either.

(from More customer disservice—This time, Facebook, CERIAS)

Makes me glad that I do not have a Facebook account.

Tuesday, 2009-07-07

Micromanagement in the name of “security”

Filed under: Security — bblackmoor @ 10:43

I am so tired of seeing IT professionals who have to plead to have access to web sites they need to do their jobs. I am so tired of someone responsible for completing a multi-million dollar project not even able to change the screen resolution on their desktop because the people in charge of “IT security” have locked it down. And heavens forbid that you install any utility not on the “approved software” list, whether or not you actually need it to do your job.

The one thing no one seems to get, and the thing that causes many of the headaches for IT professionals, is that a skilled professional should be responsible for her tools.

When you take your car to a garage, do you demand that they use a specific brand of wrench? When an electrician comes to your house, do you demand they have a specific brand of voltmeter? Do you search their toolbox, and chastise them if they have an MP3 player or a DVD in there?

Of course you don’t.

The current way security is managed in every organization I have seen in the past 15 years is based on the flawed premise that the professional whom we trust to administer and manage multimillion dollar projects can’t be trusted to select and maintain her own workstation.

This is ridiculous.

IT professionals should not have their software selection restricted (or worse, chosen for them). IT professionals should not have their Internet access filtered or obstructed (for many IT professionals, Internet access is the #1 tool in their toolbox).

“Does she get the job done safely, legally, on time, and under budget?” That is the question that should be asked of any IT professional. That question has a yes or no answer, and it has nothing to do with web filtering or “nailing down” her workstation so she can’t install “unapproved” software.

Hold IT professionals accountable, by all means, but do not pre-emptively cripple their ability to do their jobs. You hired them to be experts: let the expert choose and care for her tools, like any other skilled expert does.

Saturday, 2009-07-04

Preventing anonymous editing on MediaWiki

Filed under: Security,The Internet — bblackmoor @ 12:02

I use MediaWiki for a few web sites (Warlords of NUM and WestGuard, for example). Unfortunately, some lowlife scum like to post spam about luxury watches or viagra or whatnot on these sites, so I need to lock them down to prevent this.

The simplest way to do this is to 1) disable anonymous editing, and 2) disable account creation by anyone other than a sysop (which is to say, me). The MediaWiki manual explains how to do this (and a great many other things), but I thought it might be helpful for folks if I posted just those specific instructions here, since I think this is a common request for those using MediaWiki.

Simply add the following lines to the end of LocalSettings.php with a text editor such as Notepad++ (do not use Windows Notepad — use a real text editor):

## Customized settings begin here

# Disable anonymous editing
$wgGroupPermissions['*']['edit'] = false;

# Hide user tools for anonymous (IP) visitors
$wgShowIPinHeader = false;

# Prevent new user registrations except by sysops
$wgGroupPermissions['*']['createaccount'] = false;

And that’s that. You will probably also want to add a custom “wiki.png” logo. If so, you should add the path to it, like so (you will, of course, need to upload it to your site first):

## Customized settings begin here

# Custom logo
$wgLogo = 'http://www.mymediawikiwebsite.org/skins/mycustomskin/wiki.png';

# Disable anonymous editing
$wgGroupPermissions['*']['edit'] = false;

# Hide user tools for anonymous (IP) visitors
$wgShowIPinHeader = false;

# Prevent new user registrations except by sysops
$wgGroupPermissions['*']['createaccount'] = false;

And there you go.
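To see what those lines change, and what they leave alone, here is an added example (not MediaWiki's own code) that models how MediaWiki builds a visitor's effective rights: the union of everything granted by any group the visitor belongs to, minus anything listed in $wgRevokePermissions. Anonymous visitors are only in the '*' group; logged-in accounts are in '*' and 'user'. The default grants in the script are a small subset of MediaWiki's defaults reproduced for illustration, so treat them as an assumption and read the authoritative list for your own wiki from Special:ListGroupRights.

```php
<?php
// Added example, not MediaWiki's own code: a model of how $wgGroupPermissions
// entries combine into a visitor's effective rights. The default grants below
// are an illustrative subset (assumption); check Special:ListGroupRights on your wiki.
declare(strict_types=1);

// '*' is everyone, anonymous visitors included; 'user' is any logged-in account.
$wgGroupPermissions = [
    '*'     => ['read' => true, 'edit' => true, 'createaccount' => true, 'createpage' => true],
    'user'  => ['read' => true, 'edit' => true, 'createpage' => true, 'upload' => true],
    'sysop' => ['createaccount' => true, 'delete' => true, 'block' => true],
];
$wgRevokePermissions = [];

// The two permission lines from LocalSettings.php in the post:
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createaccount'] = false;

/**
 * Effective rights for a member of $groups: every right any of those groups
 * grants, minus anything $wgRevokePermissions revokes for those groups.
 * A right set to false in one group is simply not granted by that group; it is
 * not taken away from a visitor who holds it through another group.
 */
function effectiveRights(array $groups, array $grants, array $revokes): array
{
    $rights = [];
    foreach ($groups as $g) {
        foreach ($grants[$g] ?? [] as $right => $allowed) {
            if ($allowed) {
                $rights[$right] = true;
            }
        }
    }
    foreach ($groups as $g) {
        foreach ($revokes[$g] ?? [] as $right => $revoked) {
            if ($revoked) {
                unset($rights[$right]);
            }
        }
    }
    ksort($rights);
    return array_keys($rights);
}

$anon  = effectiveRights(['*'], $wgGroupPermissions, $wgRevokePermissions);
$user  = effectiveRights(['*', 'user'], $wgGroupPermissions, $wgRevokePermissions);
$sysop = effectiveRights(['*', 'user', 'sysop'], $wgGroupPermissions, $wgRevokePermissions);

// Anonymous: read and createpage remain, but creating a page also needs edit, so no new pages either.
printf("anonymous: %s\n", implode(', ', $anon));
// Logged in: still edits, because the 'user' group grants edit regardless of '*'.
printf("logged in: %s\n", implode(', ', $user));
// Sysop: the only group left holding createaccount.
printf("sysop:     %s\n", implode(', ', $sysop));

// Taking a right away from a group that has it elsewhere needs $wgRevokePermissions, not a false grant.
$wgRevokePermissions['user']['upload'] = true;
printf("logged in, upload revoked: %s\n",
    implode(', ', effectiveRights(['*', 'user'], $wgGroupPermissions, $wgRevokePermissions)));
```

The output shows why the post's settings do what they claim: '*' losing edit does not touch logged-in users, because 'user' still grants it, and createaccount is left only with sysop. The same rule is the caveat to keep in mind when locking a wiki down further: setting a right to false in one group never removes it from a visitor who gets it through another group, and $wgRevokePermissions is the setting for that.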

Thursday, 2009-07-02

Scam warning: “Computer Repairer & Installer Needed”

Filed under: Security — bblackmoor @ 10:13

I own an IT consulting company in Richmond, VA. This morning I received the following email from someone who claimed to want us to service several laptops:

Hello ,

How you doing,I read your description and i am highly impressed in your services,I have some Hp PCs(Intel Pentium IV) since we currently have a major breakdown on most of our systems and I thought it was best to have a general upgrade and maintenance.(I will be providing the software needed).Below are the things needed to be done one on each laptops:

1 Format Hard Drive
2 Install Win Xp with Service Pack 2
3 Microsoft Office Package
4 AVG Virus Software (Free Lifetime Updates)
5 Adobe Acrobat
6 Laptop Cleaning of the keyboard, screen and other case.
7 Diagnostics of the entire system after to check hard, CD Rom, floppy, etc.

I will like you to know that my mode of payment is by US certified check mailed and address to you from my employer company since I am presently on a business workshop in Panama city,South American and i want you to know that i will handle the shipment myself since i have a shipper from the state here that will bring the laptops to your place,and will come pick them up as soon as you are done with them.

I should have make this a phone order but i have a network problem of where i am and my shipper will be coming with the necessary Software for the installations of the Computers with both the Operating System,Microsoft Office and the Anti-virus for each computers .

However,get back to me with your last asking price for the 8 laptops. I await your urgent response so that i can put the arrangement in order.

Thanks and hope to read from you soon.

The warning flag here is the “US certified check”. I did a quick search, and discovered that this is a typical “Western Union scam” (not that Western Union is in any way at fault: they are simply being used by the scammers). Here is what the scam looks like in operation:

  First email

  from    Nicole Bagwell <karenww1@live.com>
  reply-to        nicoleww1@hotmail.com
  to      nicoleww1@hotmail.com
  date    Sat, Mar 28, 2009 at 5:00 PM
  subject PC needs repair and installations !
  mailed-by       craigslist.org

  ** CRAIGSLIST ADVISORY — AVOID SCAMS BY DEALING LOCALLY
  ** Avoid: wiring money, cross-border deals, work-at-home
  ** Beware: cashier checks, money orders, escrow, shipping
  ** More Info: http://www.craigslist.org/about/scams.html

  Hello,

  I got your resume on www.craigslist.org and i was just checking if you will be available to repair and install some applications on 12(Twelve) PC .

  Get back to me for details if you’ll be available.

  Nicole.
  Hotmail® is up to 70% faster. Now good news travels really fast. Find out more.

  this message was remailed to you via: serv-xtstn-1063755610@craigslist.org

  Second email

  Hello ,

  How you doing? and thanks for getting back to me.

  I read your description and i am highly impressed in your services,I have some Hp PCs(Intel Pentium IV) since we currently have a major breakdown on most of our systems and I thought it was best to have a general upgrade and maintenance.(I will be providing the software needed).Below are the things needed to be done one on each laptops:

  1 Format Hard Drive
  2 Install Win Xp with Service Pack 2
  3 Microsoft Office Package
  4 AVG Virus Software (Free Lifetime Updates)
  5 Adobe Acrobat
  6 Laptop Cleaning of the keyboard, screen and other case.
  7 Diagnostics of the entire system after to check hard, CD Rom, floppy, etc.

  I will like You to know that my mode of payment is by US certified check mailed and address to you from my employer company since I am presently on a business workshop in Panama city,South American and i want you to know that i will handle the shipment myself since i have a shipper from the state here that will bring the laptops to your place,and will come pick them up as soon as you are done with them.

  My shipper will be coming with the necessary Software for the installations of the Computers with both the Operating System,Microsoft Office and the Anti-virus for each computers and i should have make this a phone order but i have a network problem of where i am.

  However,get back to me with your last asking price for the 12 laptops. I await your urgent response so that i can put the arrangement in order.

  Thanks and hope to read from you soon.

  Nicole.

  Third email

  Thanks for the mail .

  I must confess I’m comfortable with the cost and its quite reasonable and affordable and also,i hope i can trust you that to do a good job.

  I will be sending you the payment inform of US certified cashier check mailed and addressed to you and regards to this kindly get back to me with your full information (in the format below)to receive the payment so it can be made out on-time.

  NAME:
  ADDRESS(NOT P O BOX):
  CONTACT PHONE NUMBER:
  DIRECT PHONE NUMBER.

  For clarity,all the softwares will be coming with the various license and key.

  Will be waiting to read your mail soon.

  Best Regards!

  Nicole.

  Fourth email

  Hello Jonathan,

  Sorry for my slow response to your mail,I was busy making a call to my employer company in the state as regards your payment.My Employer company just called from the state few hours ago informing me that there is no exact check for your payment.

  Mind you, a payment of $2850.00 [which happen to be my salary and travel allowance for this month of March] has been issue out in your name from my company and mail to your contact address in which upon receipt ,you just need deduct your own payment out of the money and help us to send the remaining amount to my shipper who will be bringing the PCs to you for the installations and repairs.

  Sorry for not informing you about this before,I guess things will workout as well.

  Hope we can count on you about the payment and your service.

  Hope to read from you soon .

  Nicole.

  Fifth email

  Hello Jonathan,

  Sorry for not getting back to you since.It’s just that am However,the payment has been delivered to you few minutes ago via United State Postal Service( u.p.s) and here is the Ups tracking# of the payment….1Z95V97V2210004613,you can go to www.ups.com/us to track the package movement.

  I want you to proceed to your bank immediately you get the payment to get the payment deposited and withdrawn immediately you get it deposited.

  As soon as you get the payment withdrawn ,i will want you to proceed to the nearest western union outlet and get the Balance sent when you deduct your own payment from the total payment sent to you by my employer company and get the rest money sent to my shipper that will be bringing the PCs over to you.

  Below is my shipper information that you are to get the balance sent to.

  Name  :  Christina  Lynch
  Address: 4207 Park Avenue
  City  : Hot Springs
  State : Arkansas
  Zip code :71901

  Please do that immediately so that my shipper can come over to you with the PCs and also to sign/receive the necessary document .

  As soon as you get the money sent i will want you to get back to me with the Western Union control Number( MTCN),full sender’s name and the actual amount in USD when you deduct the western union charges.

  Moreover,you can go to any of the below western union outlet in your area today to get the payment sent and for easy transaction :

  VALLEY DRUG
  208 EAST MAIN STREET
  Everson, WA 98247

  LYNDEN FOOD PAVILLION #441
  8130 GUIDE MERIDIAN
  Lynden, WA 98264

  Hope to read from you Soon.

  Cheers !

  Nicole.

  PS…Do get the money sent today because my shipper call me to inform me that she will not be bringing the laptops over if she did not received the money today since she will be needing the money today to settle some bills,for documentation and booking the hotel room she will be staying prior to the completion of the repair and installations.

I hope this information saves someone from an expensive mistake.
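The post's own warning flag is the certified check, and the rest of the quoted thread shows the familiar shape of an overpayment scam: a check for more than the agreed price, the recipient told to deposit it, keep their share and wire the balance to a third party, with the counterfeit check later returned by the bank. As an added example (not part of the original post), here is a small PHP screen that scores a message body for those indicators and flags the From/Reply-To mismatch visible in the first email's headers. The indicator list, weights, threshold and both sample messages are constructed for this example; the first sample condenses the emails quoted above, the second is a benign request for comparison.

```php
<?php
// Added example, not part of the original post: a keyword screen for the
// overpayment / "forward the balance" pattern in the emails quoted above.
// Indicators, weights and threshold are assumptions; tune them for your own mail.
declare(strict_types=1);

// label => [case-insensitive regex, weight]
const INDICATORS = [
    'payment by certified/cashier check' => ['/\b(certified|cashier)\s+(cashier\s+)?check\b/i', 2],
    'money transfer service named'       => ['/\bwestern\s+union\b|\bmtcn\b/i', 3],
    'asked to forward the difference'    => ['/\b(deduct|balance|remaining\s+amount|rest\s+money)\b/i', 3],
    'overpayment announced'              => ['/\bno\s+exact\s+check\b/i', 2],
    'urgency'                            => ['/\b(immediately|urgent(ly)?|today)\b/i', 1],
    'sender unreachable or abroad'       => ['/\bnetwork\s+problem\b|\bbusiness\s+workshop\b/i', 1],
    'third-party shipper'                => ['/\bshipper\b/i', 1],
];
const SCORE_THRESHOLD = 5;  // assumption: the score at which a message is worth a second look

/** Score one message body; returns the total, a verdict, and which indicators matched with the matched text. */
function screenBody(string $body): array
{
    $hits = [];
    $score = 0;
    foreach (INDICATORS as $label => [$pattern, $weight]) {
        if (preg_match($pattern, $body, $m) === 1) {
            $hits[$label] = $m[0];
            $score += $weight;
        }
    }
    return ['score' => $score, 'suspicious' => $score >= SCORE_THRESHOLD, 'hits' => $hits];
}

/** True when Reply-To names a different mailbox than From, as in the first quoted email. */
function replyToMismatch(string $from, string $replyTo): bool
{
    // Reduce "Display Name <addr>" forms to the bare address; simplified header parsing.
    $addr = static function (string $h): string {
        return preg_match('/<([^>]+)>/', $h, $m) === 1 ? strtolower($m[1]) : strtolower(trim($h));
    };
    return $replyTo !== '' && $addr($from) !== $addr($replyTo);
}

// Constructed sample 1: condensed from the emails quoted in the post.
$scam = <<<'TXT'
My mode of payment is by US certified check mailed to you from my employer company
since I am presently on a business workshop. I have a network problem where I am.
A payment of $2850.00 has been issued in your name; upon receipt you just need to deduct
your own payment and send the remaining amount to my shipper via western union.
Get back to me with the MTCN. Please do that immediately, today.
TXT;

// Constructed sample 2: an ordinary local service request, for comparison.
$benign = <<<'TXT'
Hi, we have three office laptops that need a clean install and Office set up.
Could you quote a price? We can drop them off at your shop next week and pay by card.
TXT;

foreach (['scam' => $scam, 'benign' => $benign] as $name => $body) {
    $r = screenBody($body);
    printf("%-6s score=%d suspicious=%s\n", $name, $r['score'], $r['suspicious'] ? 'yes' : 'no');
    foreach ($r['hits'] as $label => $text) {
        printf("       - %s: \"%s\"\n", $label, $text);
    }
}
// Headers from the first quoted email: From and Reply-To point at different mailboxes.
printf("reply-to mismatch in first email: %s\n",
    replyToMismatch('Nicole Bagwell <karenww1@live.com>', 'nicoleww1@hotmail.com') ? 'yes' : 'no');
```

On the condensed sample every indicator except "overpayment announced" fires and the score is well past the threshold; the benign request scores zero. The point of the screen is the explanation it prints, not the number: a person reading "certified check", "deduct", "western union" and "immediately" together has all the information the post's author used to recognise the scam.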

Monday, 2009-06-22

Kerckhoffs’ Principles

Filed under: Privacy,Security — bblackmoor @ 16:03

Many cryptographers and other security experts are familiar with what has come to be known as Kerckhoffs’ Principle. Many, however, do not know that there are actually six such principles. The core ideas of these principles are still relevant today, more than 125 years after he first articulated them.

  1. The system should be, if not theoretically unbreakable, unbreakable in practice.
  2. The design of a system should not require secrecy, and compromise of the system should not inconvenience the correspondents (Kerckhoffs’ principle).
  3. The key should be memorable without notes and should be easily changeable.
  4. The cryptograms should be transmittable by telegraph.
  5. The apparatus or documents should be portable and operable by a single person.
  6. The system should be easy, neither requiring knowledge of a long list of rules nor involving mental strain.

(from Six principles of practical ciphers, TechRepublic)
