Archive for the 'Security' Category

FOIA Hell at the Department of State

In the summer of 2008, I – and others, it appears – made a FOIA request to the Department of State for a couple of pages from “Diplopedia”, the department’s internal wiki.

At the same time, I made a request for pages on the same handful of topics to the ODNI, regarding the better-known “Intellipedia” system of wikis.

The plan was to do a compare-and-contrast thing, see what the DOS wiki had to say on certain subjects compared to the wikis of the intelligence community – and Wikipedia.

Fast forward two requests, several phone calls, one administrative appeal, and more than four years, and…

Published in: Geekiness, Security | on January 7th, 2013 | 1 Comment »

ISBN Theft: A Crime Most Improbable

Can you steal a number?

Arguably, yes. A safe combination, a gift-card number… Those would, theoretically, get you access to something of value, and thus could be said to have worth of their own, in some senses.

But can a number have intrinsic value?

ISBNs can. $10 a pop, in the United States, in small quantities. More, possibly, in some other countries. (And, conversely, less or none in many others.)

As far as theft goes, it seems improbable, nearly pointless, at first glance. Why’d you want to steal an ISBN? Think about it for a few moments, and I suspect you’ll come up with a few reasons.

All of that ignores the big, obvious question – can you even steal an ISBN, in the first place?

Yep.

Published in: Geekiness, General, Security | on January 26th, 2012 | 5 Comments »

Virtual Counterfeiting

Recently I had an interesting conversation, if you can call it that, on Twitter (hey, kids – follow me @mendacities, kthxbai) about how very few things have security designed in or sometimes even included, at least at the beginning. Essentially, there’s a kind of obvious trend for new technology to be exploitable in all kinds of interesting and sometimes alarming ways. Often you want to smack someone and ask what they were thinking.

My view is that visionaries – inventors, designers, the people who come up with new stuff – are, at heart, optimists. They think the best of people, and the idea that their products can be misused and abused and exploited never enters their minds – or if it does, it gets discounted immediately, because they’re, well, optimists.

I think that security-related fields – law enforcement, cyber-security, and so on – attract a lot of deeply bitter cynics who have no romantic ideas about human nature, and understand that there is almost nothing people will not exploit, just because they can.

I mean, consider phone phreaking. Leave aside the blue boxes and the red boxes and the beige boxes and the spotted mauve polkadot boxes with white racing stripes; in the mid 1990s, you could make free local calls on a lot of cellphones by shorting the mouthpiece element, I think it was, to earth ground of the chassis, with a straightened paperclip. The fix, if I recall correctly, was installation of a $0.01 diode. Why hadn’t it been there to begin with? Nobody on the technical side of things was cynical enough to think anyone would ever discover it…

Anyway, here’s a first-hand story of one of the most bone-headed moves ever made by a large American retailer…

Published in: General, History, Security | on October 27th, 2011 | No Comments »

Navy Pseudo-random Noise Generator, 1986

Back in 1986, the United States Navy applied for and received U.S. Patent 4,617,530 for a pseudo-random noise generator, or PRNG.

It was a relatively simple electronic circuit, as shown below:

Two (by now long-obsolete) noise generator ICs, four opamp stages, and a transistor, plus some resistors, and that’s basically it. How it differs from what had come before is its “arbitrarily long repetition rate”… where “arbitrarily long” is apparently “on the order of minutes”.

If that sounds suspiciously vague to you, it’s because this PRNG was not intended for cryptographic use, but to drive a jet-noise simulator. Why?

“…to trigger anti-aircraft bombs planted on runways and for deception of sensors used for simulators.”

This immediately caught my attention, because I couldn’t think of a cold-war era (or any, really) anti-aircraft weapon that was triggered by jet noise. A couple of hours of Google searches later… I still don’t know of any such weapon, made by any country.

That’s where I hope you, dear reader, come in. Does such a thing exist? It seems a relatively logical idea, when you think about it, but perhaps everyone dismissed it as too obvious? There are numerous patents for the audible detection of aircraft, but none (that I can find) anywhere around 1986, and none that (IMO) seem obviously adaptable to integration into a weapon. We may well never know…

Published in: Geekiness, General, Security | on June 29th, 2011 | No Comments »

Taking Privacy A Step Too Far?

Recently, a local hospital system announced it had fired more than two dozen employees, all of whom had committed the same offense – viewing patient records they didn’t have a need to.

It’s nice that they’re being proactive in protecting people’s privacy… but I have a really strong suspicion they jumped the gun a bit.

Here’s the thing – all the employees accessed patient records of some young men who were hospitalized after overdosing on synthetic cannabinoids they’d bought over the internet. It was, as the hospital notes, a very high-profile incident, locally; one man died from overdosing on what is, technically, thanks to loopholes, a perfectly legal substance.

The victims were not celebrities. They were not – are not – famous. There’s little to no opportunity for salacious gossip in their medical records.

If you’re a medical professional, however, and you (correctly) anticipated that you might be called on to treat such an overdose in the future, I’d think that their records would include some very valuable information that you’d have a professional interest in seeing – what treatments were administered, say, and how the kids responded to the treatment. What symptoms the victims presented. What bloodwork was done to identify the drug, and what the results were.

Maybe it’s just my analytic background, but I think that attempting to familiarize yourself, professionally, with an emerging medical issue is perfectly adequate reason to access medical records of “high-profile” nobodies. I’d certainly rather have medical professionals relying on (shock!) medical records for their information than, say, a newspaper. Or Wikipedia.

I’m sure that even as I type this the union(s) is/are preparing to appeal what seem to be pretty much summary dismissals, but I still find it sad that in this day and age a responsible employee can be fired (if only temporarily, one hopes) for giving a shit about their job…

Published in: General, Security | on May 9th, 2011 | No Comments »