Ansible: Langford and LeGuin, take note

this is a forwarded message from a mailing list i am on. i wrote on my fun blog, but figured it is cool enough to be sent here as ot:.

from: rick moen

the ansible has been patented.

—– forwarded message from dan fingerman —–

date: thu, 12 jul 2007 18:04:18 -0700 (pdt)
from: dan fingerman
subject: patent for hyper-light-speed antenna

u.s. patent no. 6,025,810 is titled “hyper-light-speed antenna”. it
claims an antenna that can send and receive information faster than
the speed of light.
the background of the invention is described:

all known radio transmissions use known models of time
and space dimensions for sending the rf signal.

the present invention has discovered the apparent existence
of a new dimension capable of acting as a medium for re
signals. initial benefits of penetrating this new dimension
include sending rf signals faster than the speed of light,
extending the effective distance of rf transmitters at the
same power radiated, penetrating known rf shielding devices,
and accelerating plant growth exposed to the by-product
energy of the rf transmissions.

the patent is available at:
http://www.google.com/patents?vid=uspat6025810
http://patft.uspto.gov/netacgi/nph-parser?patentnumber=6025810

Ecards and email filtering

in the past two weeks, ecards became a major threat.

ecards (or electronic greeting cards) were always a perfect social engineering scheme, open for abuse. with the storm worm and massive exploitation, i believe it has become prudent to filter out all ecard messages in your email systems.

further, some training or awareness information on this subject distributed to your organizations could be very useful.

gadi evron,
ge@beyondsecurity.com

Alternative Botnet C&Cs – free chapter from Botnets: The Killer Web App

syngress was kind enough to allow me to post the chapter i wrote for botnets: the killer web application here as a free sample.

it is the third chapter in the book, and requires some prior knowledge of what a botnet c&c (command and control) is. it is basic, short, and to my belief covers quite a bit. it had to be short, as i had just 5 days to write it while doing other things, and not planning on any writing, but it is pretty good in my completely unbiased opinion. 😉

you can download it from this link:
http://www.beyondsecurity.com/whitepapers/005_427_botnet_03.pdf

for the full book, you would need to spend the cash.

enjoy!

gadi evron,
ge@beyondsecurity.com.

Mythbusters beat biometric finger print security

i really like this video, which you can watch on youtube

http://www.youtube.com/watch?v=oxyfmiezjie

[update] apparently the link above has been removed, but exists in 20 other uploads:
http://www.youtube.com/watch?v=xq_1-bjmw9q

mythbusters is a cool british show that tries to scientifically attack myths. they even use guns. :p
[update] apparently it’s an american show with different voiceovers all around the world.

to be honest, the way they conduct experiments and reach conclusions is somewhat flawed, to say the least, but they are cool, serious and professional (aside for the occasional safety boo-boo). they invest time and resources in building monstrosities to prove points. :)

this time, it was about breaking biometric systems with gummy bears! (see bottom of post for references)

i have seen this over at xavier ashe’s the lazy genius a longg time ago, but just made a search to find it again and post it here. in the past, i have studied biometrics extensively and how the systems can be beat. but there is nothing like a short video to make your point for you.

original link is from: http://blogs.technet.com/steriley/archive/2006/09/20/457845.aspx

the original public paper discussing this particular technique of $10 worth materials for breaking these systems using gummy bears is from tsutomu matsumoto, a japanese cryptographer, from around 2002.
i don’t think his paper was ever online, but his slides were. they seem gone now at a casual search, but i found some other slides by him:
http://web.mit.edu/6.857/oldstuff/fall03/ref/gummy-slides.pdf

gadi evron,
ge@beyondsecurity.com.

iPhone default passwd: Won’t people ever learn?

i’d expect this from new software companies, maybe. but the big ones seem to keep doing this.

default passwords, especially in widely distributed devices, are bad. no, really. enough with these already.

iphone root password cracked
we managed to obtain and crack the hashs of the user passwords for the iphone os. more information could be found at our development wiki here (link removed).

edit: cause you digg people broke the poor wiki:

the password for root is “alpine”
the “mobile” user accounts password is “dottie”

is it sick to have root pasword to all iphones worldwide? well not really, there is no terminal yet to login :p

http://www.hackint0sh.org/forum/showthread.php?t=1323

gadi evron,
ge@beyondsecurity.com.

Botnets != Terrorism, or is it? :)

just last week we were throwing jokes on funsec@, of calling botnets terrorism to get some action going. of course, we decided that’s an extremely bad idea as people are already starting to discount issues when “terrorism” or “2.0” are attached.

no, i am not going to say it, you are going to put these two together on your own! :)

today, fergie (paul ferguson) sent this to funsec:

brian krebs writes in the washington post:

[snip]

the global jihad landed in linda spence’s e-mail inbox during the summer of 2003, in the form of a message urging her to verify her ebay account information. the 35-year-old new jersey resident clicked on the link included in the message, which took her to a counterfeit ebay site where she unwittingly entered in personal financial information.

ultimately, spence’s information wound up in the hands of a young man in the united kingdom who investigators said was the brains behind a terrorist cell that sought to facilitate deadly bombing attacks against targets in the united states, europe and the middle east.

investigators say spence’s stolen data made its way via the internet black market for stolen identities to 21-year-old biochemistry student tariq al-daour, one of three u.k. residents who pleaded guilty

http://www.washingtonpost.com/wp-dyn/content/article/2007/07/05/ar2007070501153.html

enjoy. funny, i just had fun with online forums and terrorism with this a few days ago.

buzzwords for fud are generally a bad idea. botnets are not terrorism. :p but of course, like most malicious activity, they are used.

sunshine.

Two years old!

it’s been a long two years, and blogs has under-gone many changes. heck, we now have 15k unique readers a day (not including rss) !!
the main point behind blogs is that although we aim to provide with high-quality content, our content-generation is done mostly by our fellow site visitors. sometimes it’s busy, sometime’s it’s better. it’s always done in the same spirit and open to peer criticism. more importantly, it’s fun. :)

sometimes we speak of news, other times of concepts and then again on low-level assembly. it is what interests our visitors which they (us) write about

one of my personal favorite posts of all time was the one by dmitry, speaking in a very funny tone about our industry. :)
how to get a job with pen-testing team.

truly, a must read! the comments on that post are especially good.

before i wish us all a happy birthday and an even more productive future which we can use all we learned so far to get better in… here’s what i learned first when i started blogging, and it isn’t about security or writing…

i like mailing lists, and i participate on some, depending on time and interest concerns. before i started blogging with securiteam, i used to be more active, and felt these different discussion forums were a home. i had a problem.
i’d start talking about something there and say to myself “hey, why not write about it in blogs?” and i would. or the other way around, i’d blog something and say “hey, wouldn’t this interest community home #21?” :p

i went through several phases before settling down on what was best:
1. email in that i wrote about something in my blog.
2. email in just a bit or a summary, as i don’t want to write twice, and send a link to my blog.
3. copy the entire blog post, and add a link (which was useful when updates to the text were made).
4. include a link to your blog in your signature.
5. email in a copy, and unless i have a specific reason, don’t mention the blog.

i keep seeing other people repeating the above process (more or less), with minor changes as to which step comes first, and what is considered acceptable. some people call them spammers, others just smile or pout. one thing is for sure, it is something many new bloggers who were part of at least one community before their blogging days, go through.

my problem is that i am my own worst critic, and had to feel comfortable with posting. my solution ended up being #5 (althought #4 is also okay, as critics of that one are just nit-picking flamers). more specifically, i decided:

“stop worrying. post what you want where you want, and try to avoid duplication. do not mention the blog. mention url to the blog only when you have a reason to, such as *necessary* updates that will follow.”

so, even if i did like the idea of people hearing of my blog (obviously), marketing was far from my main intent. i didn’t like the fact it ended up appearing like spam, in their eyes or in mine.

i learned how to participate in these communities while having a topical blog, which for some reason was not as straight-forward for me originally.

i enjoyed these past two years on blogs, and invite you all to start blogging with us.

what was your favorite moment on blogs? :)

happy birthday!

sunshine.