Kevin Mitnick’s Memoirs

Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker by Kevin D. Mitnick

My rating: 4 of 5 stars

This is a fascinating book. The first fascination is his way with technology. The second was his way of bypassing the technology by deceit. What he did seemed like magic to people and scared the crap out of them. Scared them to the point of targeting him, I felt, out of proportion to his crimes.

The book portrays a kid burdened with some kind of compulsive disorder. I felt genuine concern for him because he was clearly a vulnerable kid in many ways. Am I being manipulated to have sympathy for him? Possibly.

Sometimes it seemed like he wanted to get caught. I kept thinking, “how can the great Kevin Mitnick be so careless?”
He is constantly getting busted because he left evidence lying around. He did his hacking from phone lines that could be linked to him. He left piles of incriminating disks and printouts in his car while he engaged in unauthorized visits to phone company facilities. He showed off to people that he should not have trusted.

How did a guy with such a knack for hacking social systems as well as computer systems fail at hacking our legal system? A good lawyer could have protected him from some of the abuse that seems to have happened to him at the hands of the justice system. This was not fully explored in the book, but if Mitnick’s claims about outlandish accusations and court proceedings are true, then there are questions about the fairness of his early trials.
Finally, he had a knack for enraging his friends and fellow hackers to the point of them wanting to help the authorities bust him.


Posted in books, security | Leave a comment

thank you, John Stewart

This perfectly sums up the logical fallacies of the gun lobby.

Posted in guns | 1 Comment

Tip O’Neill’s memoirs still hold up 25 years later

Man of the House: The Life and Political Memoirs of Speaker Tip O’Neill by Tip O’Neill

My rating: 4 of 5 stars

This book was helpful in learning more about the U.S. House of Representatives.
It was very instructive to learn about the Speaker’s frustrations in dealing with various White Houses. It sounds like Carter’s staff was extremely aloof and hard to work with, while Reagan’s staff was very diligent.

The book is strong on stories and light on analysis. Tip looks back on the highlights of his career but doesn’t get very deep. It certainly paints O’Neill as a saint. There are a lot of insightful observations and funny anecdotes. The conversational tone makes his garrulous Irish uncle voice come through.

In spite of the breezy tone, this book is able to bring across the essences of political characters and events. Tip’s own experiences help colorize well-known historical events and people (Michael Curley, ABSCAM, Watergate, the Iran hostage crisis). There are some passages, though, that are third-hand stories presented as fact. For instance, he talks about a meeting between Einstein and Roosevelt about the atom bomb. None of Einstein’s biographers think that such a meeting ever took place.

It was interesting to read about the early days of C-SPAN and, in doing so, learn that Gingrich has always been a rat:

I happened to be watching in my office one afternoon as Newt Gingrich was taking advantage of special orders to attack Eddie Boland’s voting record and to cast aspersions on his patriotism. The camera focused on Gingrich, and anybody watching at home would have thought that Eddie was sitting there, listening to all of this. Periodically, Gingrich would challenge Boland on some point, and then would step back, as if waiting for Eddie to answer. But Boland had left hours ago, along with everybody else in the place.

The next day, when Robert Walker of Pennsylvania tried something similar, I called Charlie Rose, the member in charge of television in the House, and told him I thought the cameras should pan the entire chamber. Charlie informed the camera crew, and when they showed the empty hall, Walker looked like a fool.


Posted in books, history | Comments Off

They Exist: Crime Novels with Excellent Writing

The Four Stages of Cruelty: A Novel by Keith Hollihan

My rating: 4 of 5 stars

I was reluctant to read this book because I thought it was going to be a sad story without much action about a young convict that I was supposed to feel sorry for. Why did I think this? I dunno, the cover? Once I began, though, the plot just took right off and I barely gave a shit about the kid. Graphic and fast paced, this book would make a great movie.

Every so often, I hear someone on NPR rave about a “crime fiction” author. Lee Child and Carl Hiaasen come to mind. I go and read the authors and I’m utterly disappointed because the writing sucks even in the best of them and they aren’t very creative. I feel like I can hear the author’s brain scraping an empty plastic bucket looking for fantastic plot devices.

This book, though, is the one I was searching for. It is well written (by a St. Paul author!) and delivers the grit and adventure of the crime genre without the baggage of that genre. I enjoyed the feeling of not knowing what would happen next. I enjoyed the author’s clever turns of phrase and I did care about the main character, a female corrections officer.
The prison had this magical realism quality to it. This made me not able to completely trust the world it was set in. For example, I couldn’t trust that the inmates wouldn’t wake up one morning with the ability to fly because so many unlikely privileges were delivered to them.

I heartily recommend it and my copy is already in the hands of one of my co-workers.


Posted in General, Minnesota, books | Comments Off

how many inaccuracies can we fit in a book summary?

It caused real physical pain to read this. But also some pleasure at the pure fly-in-the-face-of-facts attitude and pulling in Nazis and Soviets as the ones smart enough to figure out that oil comes by magic. If I could choose one book to mail back in time to Albert Speer, it would be this one.

At the end of World War II, U.S. intelligence agents confiscated thousands of Nazi documents on what was known as the “Fischer-Tropsch Process”, a series of equations developed by German chemists unlocking the secrets of how oil is formed. When the Nazis took power, Germany had resolved to develop enough synthetic oil to wage war successfully, even without abundant national oil reserves. For decades, these confiscated German documents remained largely ignored in a United States where petro-geologists and petro-chemists were convinced that oil was a “fossil fuel” created by ancient decaying biological debris.

Clearly, big U.S. oil companies had no financial interest in explaining to the American people that oil was a natural product made on a continual basis deep within the earth. If there were only so many fossils in geological time, there could only be so much oil. Big oil could then charge more for a finite, rapidly disappearing resource than for a natural, renewable, and probably inexhaustible one.

The Great Oil Conspiracy explains how Stalin at the end of World War II demanded his petro-geologists “dig deeper”; when petro-scientists in the United States had determined that the Soviet Union, like Germany, lacked national oil reserves. Russia today has challenged Saudi Arabia for the lead in oil production and exportation. Once oil is understood as an abundantly available resource, there is no reason hydro-carbon fuels cannot indefinitely propel the development and production of cheap energy reserves the United States needs to maintain its dominant position in the emerging global economy.

Posted in history | Comments Off

Wandervogel at Wolf Ridge

I was fortunate to be able to chaperon a weeklong field trip to Wolf Ridge environmental learning center with my son’s sixth grade class. I was in charge of a dorm room full of eleven year old boys and accompanied outdoor classes during the day. I got to know and appreciate Frank’s classmates, his teachers and some other parents. One of the perks was that a fellow parent brought a case of home-brewed beer.

Being physically and socially “on” most of the time instead of slouching in front of a computer monitor slinging code meant that I really needed breaks to sit quietly and read. The book I had along was The Coming of the Third Reich by Richard Evans. It is a very powerful book that I will post separately about. I mention it because it led to some interesting conversations with fellow adults and also some dark thinking about the private school that we shared our dormitory building with. If you were chaperoning at Wolf Ridge this month and someone said, “Gregor Strasser over there won’t let our kids use their bathroom”, then I apologize. I also apologize for referring to the spilled food incident as “your little Reichstag fire”.

The ropes course was the most intense experience up there. As a chaperon, I got to man one of the towers and ensure that kids were transferring their safety harnesses correctly and give them encouragement and advice (and also crawl out to the middle if someone froze out there, which I did not have to do). That meant I went first with the entire class watching me. I almost shit my britches up there while crossing a wire. I was on the edge of panic and the only thing that kept me going was that it wouldn’t be very helpful to the program if they first had to put up a ladder and remove a 220 pound sack of flesh that had adhered itself to the Burma bridge. I kept thinking that the equipment was made for children and would break apart if I fell. It didn’t.

A remarkable thing I noticed is that these kids were largely kind to one another, at least on the surface. When I was in school, the pecking order and the ostracism of socially inept kids was more overt, I think. It is possible that these kids are under more stringent social management (bullying is definitely out of fashion these days and the definition of bullying is very open ended) and so the unkindness could be more underground and more subtle.

This trip made me realize that as parents, we continue the same social drama we had as elementary school kids.

I ate a lot of wheat up there. I indulged in pasta, pancakes, pie, sloppy joes. I ate way more wheat than I’ve been eating for more than a year and I experienced interesting side effects. Most noticeably, my joints started aching. I’ve had a years-long stretch free of back pain and this morning my back is achy like I remember it being often before I started riding to work every day. My knees, hips and ankles are also stiff, especially in the morning. My ankles take a good half hour to “warm up” every morning. This little (very enjoyable) foray into the wheat life will provide a great experiment to see if these symptoms go away when I cut it out again right after I finish this here muffin.

Posted in General, Minnesota, outdoors, parenting | 1 Comment

Charlie is my Darling

learning to relax with a camera around

Charlie is my Darling is a documentary film of the 1965 Rolling Stones tour in Ireland. I saw it last night at Pepito’s Parkway Theatre. I think portions of it are available online, but this version features unreleased material and cleaned up audio. It was great to watch Keith Richards in motion after reading his autobiography. It becomes clear that he is a scion of some genius minstrel who survived the black plague by being especially entertaining. There are a lot of sequences of the group without their media masks on. For example, the group is trying to act cool and sip tea in public when a girl walks up behind Keith and pulls one of his hairs out. Keith goes “yowwww!”.

They really tore it up on stage. After a Chuck Berry cover, which was awesome enough, they broke into an almost speed-metal version of Satisfaction that gave me chills. While the shows were great and featured the group running for their lives from fans, the best part for me was having a fly on the wall view of them as they hung around their hotel room working on new songs and singing some Elvis and Beatles songs and even some Dion. The songwriting parts were previously unreleased because they “gave away some of the magic.” Fortunately, that reasoning has expired and now we get to see the magic. Brian Jones seems very affected and maybe in the early stages of some mental illness.

Before the film, the theater played an obnoxiously loud video of the Stones’ recent release Doom and Gloom. It was great fun to see it with a theatre full of people. It is playing again on Sunday as part of a weekend-long “Stones Fest”.

Posted in General, Minneapolis, music | 2 Comments

Train by Pete Dexter

Train: A Novel by Pete Dexter

My rating: 4 of 5 stars

I liked this book because it has great characters and allows them to build little worlds for themselves. In addition to the main character, Train, there is a hard-boiled L.A. police Sergeant that reminds me of Don Draper. It is a very dark book. Pete Dexter must live in some kind of hell-world if he can imagine people thinking and acting this way well enough to make it come alive like this in a novel. Thank God he can work it out by sharing it with the world. Like Paris Trout, this book is about race and class in America. There is more slapstick violence in this book than in Paris Trout. Some segments made me laugh until I was undone. Dexter really knows how to capture American males, their pecking order in any given group, and their berserk anger.


Posted in books | Comments Off

A Roadace

I bought a beat-up old Marushi Roadace 505 bicycle at a yard sale for $50.00. It is equipped with a mish-mash of parts including BMX handlebars, a gigantic sofa of a seat, one shifter on the handlebar and one really low on the frame, a great basket, and a well-maintained drive train. I bought it, rode it home and immediately snapped one of the crank arms. Upon inspection, I should have checked for and noticed cracks in the arm. Of course, it was the right side one with all the gears and it sucks because the gears were in good shape and the crank set was a nice, lightweight good looking thing.

I really wanted to get this bike back on the road, so I went to Sunrise Cyclery on Lake street and found a replacement that is a bit heavier but in good condition for $10.00. I replaced the crankset without stripping the threads or breaking my bike tools!
“Success is counted sweetest by those who never succeed.”

So now I have this fully functional weirdo bike that is relaxing to ride because there is no way anyone would think they were supposed to get somewhere quickly while riding it. It is the kind of bike you would ride wearing a football helmet and listening to talk radio from a transistor radio hanging off the handlebars and maybe a huge blinking construction light wired into the basket in back.

Posted in bicycle, cycling | Comments Off

Life by Keith Richards

Purely by accident I picked up LIFE by Keith Richards and was instantly, irredeemably hooked. Looking at it on the shelf, it had to be some kind of joke, but this book is amazingly well written and thoughtful. Keith Richards has a gift for slapstick comedy. The stories didn’t just make me laugh out loud, they incapacitated me.

I was never more in fear for my life than I was from teenage girls. The cops are running away, and you’re faced with this savagery of unleashed emotions. I think it was Middlesbrough. And I couldn’t get in the car. It was an Austin Princess, and I’m trying to get in the car and these bitches are ripping me apart. The problem is if they get their hands on you, they don’t know what to do with you. They nearly strangled me with a necklace, one grabbed one side of it, the other grabbed the other and they’re going, “Keith, Keith,” and meanwhile they’re choking me. I get hold of the handle and it comes off in my hand, and the car goes zooming off, and I’m left with this goddamn handle in my hand. I got left in the lurch that day. The driver panicked. The rest of the guys had gotten in the car, and he just wasn’t going to stick around any longer. So I was left in this pack of female hyenas. Next thing, I woke up in this back alley stage door entrance, because the cops had obviously moved everyone on. I’d passed out, I’d suffocated, they were all over me. What are you going to do with me now you’ve got me?

It was interesting and fun to read this biography knowing that it might be told by an “unreliable” narrator who was possibly under the same spell he accuses Mick Jagger of being under, the 40 years of abject flattery and worship, and also under the influence of heroin, cocaine, and drugs I’ve never heard of before. However unreliable he may be, he gave a good history of his years of struggle with heroin addiction and of painful family events. He recounts losses of friends like Gram Parsons and of course the various accidents and run-ins with the law. He also has a very generous nature and spent a lot of the book appreciating the great friendships he has built over the years. I enjoyed the stories of Keith’s childhood, his early years of poverty, playing music and knotting his guitar strings together when they broke, of the inside jokes he shared with the other Rolling Stones.

We were cynical, sarcastic and rude where necessary. We used to go to the local caff, which we called the “Ernie” because everyone in there was named Ernie, or so it seemed. “Ernie” became everybody else. “What a fucking Ernie, Christ.” Anybody that insisted on doing his job without doing you a favor was a fuckin’ Ernie. Ernie was the working man. Only got one thing on his mind, making another extra shilling.

There may be some revelations for guitar players as he delves into technical descriptions of how he hacked his guitar to replicate the licks of the blues greats that he worshiped. He writes a lot about his devotion to the craft. He worked tirelessly to turn out some of the Rolling Stones’ most famous albums: Beggars Banquet, Let it Bleed, Exile on Main Street, and Goats Head Soup. He does a great job of telling the story of how that sound came to be realized. Pages and pages devoted to the layout of the studios, who was there, where the inspiration came from. I can’t find anything to refute what he claims about his character, his hard work, and his musical innovations, so I’m leaning towards his being a reliable witness. This was only just completed in 2010. I kind of bought the media image of him being an absolute goner, but he is still very much here. It reminded me again of how hard people work to have some success in their lives. I felt grief when I finished it because I enjoyed his company. Just a really warm, amused guy.

Besides wondering if he was an unreliable narrator, I had a suspicion that this book was just another sensational Rolling Stones album in book form, but I couldn’t put it into words until I found this quote in the New Yorker: “Half book, half brand extension”. Exactly. He (and his co-author) knew that part of their job was to deliver a bit more of the Rolling Stones and give you a thrill and a peek into the band’s inner circle. They certainly achieved this.

Posted in books, music | Comments Off

eating like a mcguire

This is from someone who was taking care of Frank:

My favorite Frank line:
Me to Frank: Are you sure you can eat that whole thing?
Frank: I can eat the whole anything.

Posted in General | Comments Off

Steve Gibson’s body is an amusement park

As a long-time Security Now listener, I find almost nothing stranger and funnier than Steve Gibson describing the day he achieved ketosis as if it were his first orgasm.

Posted in health, science, security | Comments Off

Using the fires in Colorado for political points? I can do that too.

I noticed that conservatives with nothing better to do are taking to the internet to blame Obama for the fires out west. In that spirit, I provide this:

State and federal officials have outlawed fires and fireworks on all public land and unincorporated private land. A long list of municipalities have also banned those activities. But officials can do nothing to prevent irresponsible hotshots from putting all Utahns at risk by firing guns out in the brush. Target shooters sparked a blaze near Saratoga Springs that has sent 2,500 residents fleeing from their homes and so far has scorched 5,600 acres. Five hundred firefighters are still battling that fire. It is the 20th this year caused by firearms use.

Conservative Utah legislators, in their usual frenzy to protect the all-important right to keep and shoot guns, have dictated that no state officials other than themselves can “enact or enforce any ordinance, regulation or rule pertaining to firearms.” Cities can, and should, limit shooting to approved ranges. Provo has limited shooting to indoor ranges.

Once again, guns are mystically excluded from public safety measures. This is because a small but vocal minority are emotionally fixated on the seeming power and control that guns bring. It is tough to live in a democracy with these folks. One cure I’ve found is watching videos of gun fetishists get hit in the face by the recoil of their own weapons. There are a lot of such videos because gun lovers love to take movies of themselves looking all bad-ass.
so here are some videos:

Posted in General, guns | Comments Off

Swimming Discouraged

I took my kids and some others to the new pool on our side of town. I have to say it was fun and that the climbing wall and zip line were great for the novelty factor. We saw lots of people we knew and I have no doubt we’ll be back many times this summer.

After a while, though, I realized that the pool was carefully engineered to minimize actual swimming. I noticed this because I was initially very nervous about keeping track of the 5 kids I was with (there are various reasons for this including safety and the fact that at least two think it is OK to fish food out of the garbage when feeling peckish). I soon realized that I could relax because kids visiting this pool spend most of their time either waiting in line for attractions like the zip line or lazy river (or cliff diving or wall climbing or water slide, or the snack bar) or actually floating in an inner tube on the “lazy river” which is 3 feet deep and forbidden to swim in. There is a small “lap” pool with no deep end that is OK to bob around in without a flotation device. No actual swimming was happening there either (to be fair, this was a crowded day and you could probably swim there on a weekday). A significant portion of the lap pool is devoted to a huge ramp so people don’t have to work too hard to haul their asses out to get back in line for nachos.

This new pool replaces the old Como Pool which was actually a “swimming” pool where people could actually swim. Yes, I’m bitching after others put a lot of planning and effort into making this new pool happen. No, I wasn’t involved during the public input phase. Yes, everything was better back in my day.

Highland Pool, which is on the other side of town has a huge Olympic-sized pool with a deep end that is over my head. You can actually play tag and swim more than 15 feet before you run into a wall. A kid might even start breathing hard at Highland. Highland pool was also recently rebuilt to have water park-ish features like a climbing wall. You can still see the rusty spots in the concrete where the high-dive once stood. You can’t see those spots at Como any more.

My payback for taking five kids to the pool turns out to be a multi-day bitch session for not putting sunscreen on the little snowflakes. There is a reason for this. We got to the pool after 3PM. I don’t apply sunscreen after 3PM. That’s one of my rules.

Posted in General, St. Paul, health, parenting, swimming | 2 Comments

I’m sick of being treated like a criminal

I want to record the shit I put up with around here. Four times yesterday, I was treated like a criminal:

  1. At 9:00 AM, I got notice that my dependents will lose their health insurance in 9 days if I don’t document that they are in fact my dependents. The state has launched an audit to hold down costs. Because I might be a cheater out to get health insurance for a bunch of children that don’t deserve it, I have to spend a bunch of time bowing and scraping before the auditor kings and hope they accept my papers. They set up a site where I can upload scanned images of the birth certificates, my marriage certificate, and my tax return. I hope they’ll enjoy looking at the extra images. How much are we paying for this audit?
  2. At 11:00 AM I got a reminder about harassment training. The state has mandated that every single state employee undergo harassment training. 30,000 people will sit in conference rooms across the state to be told that it is NOT OK to move their fist back and forth in front of their mouths while pressing out against their cheek with their tongues. I don’t need to be told not to slowly circle my lips with my tongue while looking over my cube wall at my co-worker or make suggestive motions with grocery items. If I DID, a two hour meeting would not cure me! I skipped the training. Because I have work to do. I expect dire consequences.
  3. When I got home after this long day of being bad, I was accused of eating a chocolate Gelato (whatever THAT is) that someone gave my daughter for her birthday. This is fake drama about living with a male who can’t control his urges.
  4. Finally, that same evening, the clerk at Target took my $20.00 and held it up to the light. Because I might be trying to pass funny money. I was like, “I’m outta here. Keep your Archer Farms Smoked Ham”. How big of a problem is counterfeiting, really? Big enough to train all cashiers to spot bad bills? Big enough to make it worthwhile to subject all customers to this kind of treatment? Well, if the cost of insulting your customers is zero, then maybe it is worthwhile. I’d like to raise this cost.

One: Do I get bent when I walk by a bike that is locked up? Isn’t that treating me like I might steal a bike? No. I’m not having a transaction with that bike owner. It also addresses a real problem. I know from personal experience that all unlocked bicycles will be immediately stolen by a supernaturally efficient bike theft underworld.

Two: Don’t all those measures help keep crime at bay and benefit society? I don’t think so. We, as a society, have smashed the living shit out of crime, relatively speaking. New crime prevention measures are reaching the point where cost exceeds benefit. These measures are not going to solve some kind of huge costly problem. Kind of like a runaway train of virtue, well meaning bureaucrats are trying to engineer all slack out of the system and make sure nobody is ever ripped off, injured or even upset. The ultimate effect is to control and harass ordinary citizens to the point where we can’t think of anything else except how not to look suspicious.

Posted in General | 1 Comment

claymation hospital

this was a group project with some clay and a webcam

Posted in General | Comments Off

Locking Down Facebook

I get a lot of pleasure out of Facebook. While I’m happy to use it and even be advertised at, this free application needs to be watched. A lot of security and privacy folks have quit Facebook over its security and privacy lapses. The lapses will continue. As someone who will use Facebook anyway, I wanted to make it as secure and private as possible. So, for this blog post, I made note of the things I was surprised by. The things listed here are really only pointers or teasers for the Exhaustive Guide (updated September of 2011).

That guide goes deep and shows some new features, some of which allow for more privacy. For example,

  • Make sublists of friends so you can control which groups of friends see which posts.
  • Keep an eye on those Apps. With Application Access Logs, you can see a history of which Apps requested which personal information from you.
  • Test your security settings by viewing your Facebook page as it would be seen by another user. To do this, go to privacy settings –> edit profile –> view as. Now type someone’s name in the box and you will see if that person sees only what you want them to see.

There was a good set of instructions going around more than a year ago. I followed those recommendations and, like many people, I just assumed those would stick. Well, enough has changed in the account and privacy settings that the old “lockdown” is no longer complete. So, the first step to locking down Facebook is: pay attention to changes. The graphic at the end of this article shows the changes over time to default Facebook privacy settings, and they trend towards more exposure, not less. A good source of Facebook info is the ZDNet Friending Facebook blog.

Here are notable facts from the article:

  • Especially if you use Facebook on public wi-fi, you need to force HTTPS. It took a long time, much longer than it should have, but FB now allows you to use HTTPS exclusively. This means that the traffic between your browser and Facebook is encrypted, so someone on the same network cannot read it or steal your session cookie and hijack your session. HTTPS is not on by default, though. You have to turn it on. If you have any doubt about the need for this, watch this video.
  • Customization for Apps has been upgraded. Facebook apps are things like Scrabble, Wordtwist, Mob Wars, and whatever else you are adding into Facebook. These third-party applications are often poorly and insecurely written and can even be malicious. Note that the list of apps you see on your front page when you click “apps” is much shorter than the actual list of apps that are installed and silently monitoring your life. To view the full list go to Privacy Settings –> Apps –> Edit Settings. I was surprised to see several apps that I had forgotten about, silently working.
  • I missed this in my first pass at checking account settings, but Facebook can also use your “Like” vote about a product or business as an endorsement when they show an ad for that product to your friends. You can turn this off under Account Settings –> Facebook Ads –> Edit Social Ads Settings.

Two things I would add to that guide:

  1. If you haven’t changed your password recently (or ever), do that now. Breaches in the past year make it somewhat likely that your password has leaked out somewhere.
  2. This might be more paranoid than you wanna be, but photographs uploaded to Facebook may leak personal information. This information may include the make and model of your camera, the time of day, and the location where the picture was taken. If you do not want this information known, consider scrubbing the photograph’s EXIF data before posting.
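One way to do that scrubbing without a third-party library, as an added example that is not from the original post: a small Python routine that walks the JPEG marker segments and drops the Exif and XMP APP1 segments (the ones that carry camera make/model, timestamps and GPS), leaving the image data itself untouched. The sample JPEG bytes below are constructed inline to show the segment layout; they are not a real photo.

```python
import struct

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
SOS = 0xDA   # start of scan: entropy-coded image data follows, no more length-prefixed segments
APP1 = 0xE1  # application segment that carries Exif (and, separately, XMP) metadata
# Exif holds camera make/model, timestamps and GPS coordinates; XMP often duplicates them.
METADATA_PREFIXES = (b"Exif\x00\x00", b"http://ns.adobe.com/xap/1.0/\x00")


def iter_segments(data):
    """Yield (marker, payload, start, end) for each length-prefixed segment before SOS.

    `start`/`end` are byte offsets into `data`, so a caller can copy a segment
    verbatim. Assumes a well-formed JPEG with no stray fill bytes between
    segments, which is what cameras and phones write.
    """
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt JPEG: expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == SOS:
            return
        # The 16-bit length counts itself but not the two marker bytes.
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length], pos, pos + 2 + length
        pos += 2 + length


def metadata_segments(data):
    """Names of the metadata-bearing APP1 segments present in `data`."""
    found = []
    for marker, payload, _, _ in iter_segments(data):
        if marker == APP1 and payload.startswith(METADATA_PREFIXES[0]):
            found.append("Exif")
        elif marker == APP1 and payload.startswith(METADATA_PREFIXES[1]):
            found.append("XMP")
    return found


def strip_metadata(data):
    """Return a copy of `data` with the Exif and XMP segments removed.

    Everything else (JFIF header, quantization/Huffman tables, frame header
    and the compressed scan) is copied byte for byte, so the picture itself
    is unchanged and any viewer still opens it.
    """
    out = bytearray(SOI)
    scan_start = 2
    for marker, payload, start, end in iter_segments(data):
        scan_start = end
        if marker == APP1 and payload.startswith(METADATA_PREFIXES):
            continue  # drop the metadata segment
        out += data[start:end]
    out += data[scan_start:]  # SOS, scan data and EOI, untouched
    return bytes(out)


def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg():
    """Constructed sample (not a real photo) with the segment layout a phone JPEG has."""
    jfif = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    # Fake Exif payload: a TIFF header followed by stand-in text for the tags.
    exif = _segment(APP1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08CAMERA MAKE/MODEL/GPS")
    xmp = _segment(APP1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta/>")
    dqt = _segment(0xDB, b"\x00" + bytes(64))
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return SOI + jfif + exif + xmp + dqt + sos + b"\x12\x34\x56" + EOI


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("before:", metadata_segments(sample))  # ['Exif', 'XMP']
    cleaned = strip_metadata(sample)
    print("after:", metadata_segments(cleaned))  # []
    print("bytes removed:", len(sample) - len(cleaned))
```

Run it against a real file with `strip_metadata(open("photo.jpg", "rb").read())` and write the result to a new file; check `metadata_segments` on the output before uploading.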

This is from Facebook itself (link):

Applications your friends use can also access information from your profile

Not much has been written about this, but your friends’ poor security choices could affect you. It happens when they post on your wall advertising a funny video that is really a virus.

Posted in General | Comments Off

My Sexy Shoes

As requested, here are the shoes I mentioned in a recent post:

best goodwill find ever

Cole-Haan Nike Air Shoes found at Goodwill for $14.99

Posted in General | 1 Comment

6 recent attacks that could have been prevented by NoScript

Scripting should be disabled in your browser by default. I know this partially breaks the internet experience, but it can no longer be justified to be surfing around allowing all web sites to run code on your computer when so many attacks come this way. Reading about these security problems, it occurs to me that they can ALL be absolutely protected against with the Firefox add-on NoScript. Here are some recent examples:

  1. Seeing more ads while wondering where Laura Frisian went? A current Facebook clickjacking attack fills your browser with ads and infects your wall after you click on a bogus video posted by an infected friend. NoScript makes this impossible: you can still allow Facebook to run scripts while denying attempts from other domains to run scripts. NoScript totally shuts this one down.
  2. Mac Defender. Recently some Mac users have been falling for a ruse that Windows users have become inured to: the popups that warn us that our system is infected and then proceed to infect it when installed. Recently, a set of Google Images results was crafted to display the “Mac Defender” or “Mac Protector” warnings and infect users. The Mac Defender popups look like Mac system messages. A user of NoScript would never see them.
  3. Cross-tab attacks. A new kind of attack that uses JavaScript to modify open tabs so they resemble web sites you trust. Totally shut down by NoScript.
  4. Scripting in the browser is not limited to JavaScript. CNET describes an attack that uses Scalable Vector Graphics libraries to act as a keylogger. NoScript stops this as well. This vulnerability is patched in the latest browsers, but if you run NoScript, you don’t have to wait for the software to get fixed.
  5. Banker Rootkit. The Banker Rootkit exploited a hole in Java that has since been fixed. A user gets infected by navigating to a malicious website, which loads Java and, through the hole in Java, installs a program on your computer that changes your hosts file and installs fake certificates in your browser. The attackers can then gather your bank credentials and empty your account. NoScript turns off Java as well by default and protects against this attack.
  6. Oh, you never go to malicious sites? Perfectly legitimate sites might be infected with either malicious ads or SQL-injected files that in turn attempt to run malicious scripts when you visit. A recent SQL injection campaign infected tens of thousands of sites with JavaScript-based malware that NoScript handily prevented from running.
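As an added example (not code from the post or from the NoScript project), here is a small Python audit that applies NoScript’s default-deny model to a page: every external script, inline script, event handler, javascript: URL and plugin tag is collected and judged against the hosts the user has allowed. The page URL, HTML and .test hostnames are constructed; they mirror item 6 above, a trusted site carrying an injected third-party script, and also show the limit that inline code on an allowed site still runs.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptCollector(HTMLParser):
    """Records every way a page can run code: <script src>, inline <script>,
    on* handlers, javascript: URLs and plugin content (<applet>/<embed>/<object>)."""
    PLUGIN_TAGS = {"applet", "embed", "object"}

    def __init__(self):
        super().__init__()
        self.external, self.inline, self.plugins = [], 0, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.external.append(a["src"])
            else:
                self.inline += 1
        elif tag in self.PLUGIN_TAGS:   # the route a Java drive-by takes
            self.plugins.append(a.get("archive") or a.get("src") or a.get("data") or a.get("code") or tag)
        for name, value in attrs:
            if name.startswith("on") or (value or "").strip().lower().startswith("javascript:"):
                self.inline += 1        # handlers and javascript: links are inline code too

def audit(page_url: str, html: str, trusted: set) -> dict:
    """Default-deny: code runs only from hosts in `trusted`. Inline scripts and
    plugins count as the page's own host, so on an allowed page they are NOT blocked."""
    p = ScriptCollector()
    p.feed(html)
    page_host = urlsplit(page_url).hostname
    verdict = lambda host: "allowed" if host in trusted else "blocked"
    external = {}
    for src in p.external:
        host = urlsplit(urljoin(page_url, src)).hostname
        external[host] = verdict(host)
    return {"external": external,
            "inline": (p.inline, verdict(page_host)),
            "plugins": (p.plugins, verdict(page_host))}

PAGE_URL = "https://example-shop.test/checkout"   # constructed: a legitimate shop the user allows
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script>var cart = [];</script>
<script src="http://evil-stats.test/ads.js"></script>
</head><body>
<img src="logo.png" onerror="location='http://evil-stats.test/'">
<applet code="Loader.class" archive="http://evil-stats.test/l.jar"></applet>
</body></html>"""

if __name__ == "__main__":
    print(audit(PAGE_URL, SAMPLE_HTML, {"example-shop.test"}))
```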

The author posts ongoing NoScript development news on his excellent blog.

I think I’ve been made much safer by NoScript and I’ve grown used to the extra step of allowing scripting at sites I trust. But don’t trust me. Even the National Security Agency recommends NoScript in their recent security Best Practices datasheet.

Posted in firefox, security | Comments Off

Firefox Certificate Patrol

Several months ago in Syria, a Facebook user noticed that Facebook’s IP address resolved strangely. He was also getting an untrusted https certificate warning. A certificate is a piece of text that sits in your browser. You can view yours by going to Tools –> Options –> Advanced –> Encryption and clicking the “View Certificates” button. The server you connect to must verify that it is who it says it is by authenticating against that certificate. Apparently, the Syrian authorities tried to set themselves up to eavesdrop on citizens’ communications with Facebook and to fake the Facebook certificate. Here is an image of the fake certificate next to the real one (on the right).

Syria did not do a very good job. While they were able to set up a Man in the Middle (MITM), they didn’t bother to issue a realistic fake certificate. A browser will warn the user that an unknown certificate is presented by a web server (the fake one wasn’t found in that user’s list of certificates). Unfortunately, many users just click past whatever warnings they need to click to get to the site they want.

Much more effective and scary is the recent attack by Iran doing almost the same thing but issuing a real certificate through an authority that browsers trust. In this case, the browser will NOT warn the user that the certificate is bogus.

A security company named psyced sought to address this problem. According to them:

Your web browser trusts a lot of certification authorities and chained sub-authorities, and it does so blindly. Subordinate or intermediate certification authorities are a little known device: The root CAs in your browser can delegate permission to issue certificates to an unlimited amount of subordinate CAs just by signing their certificate, not by lending their precious private key to them. It is unclear how many intermediate certification authorities really exist, and yet each of them has God-like power to impersonate any https site.

Once a subordinate gains this trust, it can issue any “valid” certificate it can think of, even for a domain it has no business signing. This means that a subordinate can change the country of the cert and change the domain, becoming the trusted certificate authority for, say, Bank of America.

Firefox Certificate Patrol to the Rescue. This neat little add-on warns you when a certificate trusted by your browser changes. This extension would warn you if a subordinate certificate authority suddenly got delusions of grandeur and decided it was a major US bank. It keeps a database of all the https certificates it knows about, and if one changes, it warns you.

Having installed this product into Firefox, I don’t find it very intrusive or confusing. When it finds a certificate it hasn’t encountered before, it positions a yellow notice at the top of your browser that disappears after a short time. Now that it has shown me one for Twitter, for example, it won’t show me one again until the certificate changes, indicating that either Twitter has changed its provider (unlikely) or that a subordinate certificate authority has been compromised and made to look like Twitter.

Here is an academic-looking paper about such attacks. The paper does a nice job of describing the problem and plausible scenarios where a CA is “compelled” by a government to issue subordinate certificates that may be easily falsified. It promotes a way of warning users only when the country of the certificate authority changes. This is helpful because it can let users know if their bank’s certificate authority suddenly switched to one in Russia. The paper’s promised product, CertLock, seems never to have been released, though.

The paper says,

We also believe that there is little reason to warn users if a website switches CAs within the same country. As our threat model is focused on a government adversary with the power to compel any domestic CA into issuing certificates at will, we consider CAs within a country to be equals. That is, a government agency able to compel a new CA into issuing a certificate could just as easily compel the original CA into issuing a new certificate for the same site. Since we have already opted to not warn users in that scenario (described above), there is no need to warn users in the event of a same-country CA change.

Fortunately, Certificate Patrol has opted to warn users in that scenario and many others. Even if the government compels the same CA into issuing a new certificate, you will be warned. It may not be possible in all cases for you to figure out if something funny is going on, but you will be warned. You may wish to combine this warning with a search in the EFF’s SSL Observatory for further research.
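As an added illustration (not code from Certificate Patrol, CertLock or this post), the Python sketch below models the three layers the post contrasts: the browser’s own trusted-issuer check, Certificate Patrol’s warn-on-any-change rule, and CertLock’s warn-only-when-the-CA-country-changes rule. The hostname, CA names and DER bytes are constructed; the scenario runs a same-country CA swap, a foreign CA, and a forged certificate like the Syrian one.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class SeenCert:
    fingerprint: str      # SHA-256 of the DER certificate bytes
    issuer: str           # issuing CA (the signer's subject)
    issuer_country: str   # C= of the issuer, the attribute CertLock keys on

class CertStore:
    """Trust-on-first-use store keyed by hostname, modelled on Certificate Patrol."""
    def __init__(self, trusted_cas: set):
        self.trusted_cas = trusted_cas   # stands in for the browser's root/intermediate store
        self.seen = {}

    def check(self, host: str, der: bytes, issuer: str, issuer_country: str) -> dict:
        """Record the certificate presented for `host` and return each layer's verdict."""
        # A plain browser only asks: is the issuer one I trust? (catches Syria, not Iran)
        browser = "ok" if issuer in self.trusted_cas else "untrusted_issuer"
        cur = SeenCert(hashlib.sha256(der).hexdigest(), issuer, issuer_country)
        prev = self.seen.get(host)
        self.seen[host] = cur
        if prev is None:
            patrol = certlock = "new"
        elif prev.fingerprint == cur.fingerprint:
            patrol = certlock = "unchanged"
        else:
            patrol = "warn"      # Certificate Patrol: any change to a known cert is flagged
            certlock = "warn" if prev.issuer_country != cur.issuer_country else "silent"
        return {"browser": browser, "patrol": patrol, "certlock": certlock}

def demo():
    # Constructed scenario: fictitious CAs, a .test hostname and fake DER bytes.
    store = CertStore({"Example CA One", "Example CA Two", "Example CA Abroad"})
    first  = store.check("bank.test", b"der-A", "Example CA One", "US")
    same   = store.check("bank.test", b"der-A", "Example CA One", "US")
    swap   = store.check("bank.test", b"der-B", "Example CA Two", "US")     # compelled same-country CA
    abroad = store.check("bank.test", b"der-C", "Example CA Abroad", "IR")  # trusted CA in another country
    forged = store.check("bank.test", b"der-D", "Forged Root", "SY")        # self-made, untrusted issuer
    return first, same, swap, abroad, forged

if __name__ == "__main__":
    for step in demo():
        print(step)
```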

While Certificate Patrol is a great product, it is kind of a band-aid. It seems like we need a new approach to the CA system, and I don’t know what that is.

They say that Firefox Certificate Patrol is for users who will not be befuddled by more alerts in their browsers. They also say that “only by getting familiar with this will really help you get in control.” I say that our privacy and security depend on understanding this stuff.

A great real-life example of how this works is related in this forum post. The browser in question there is Google Chrome, and Google has a slightly different approach to this problem, but the warning would be similar.

Posted in General, firefox, security | Comments Off