The First Post is an online daily web newspaper, and I’m quite taken with it. And this made me laugh.
Archive for the ‘on-line’ Category
Car crime solution
Saturday, March 10th, 2007AVG Free is *not* discontinued
Friday, March 2nd, 2007A lot of people might have been confused by this, I know I was. If you are using Grisoft’s AVGFree version 7.1, you’ll have seen various pop-ups telling you that it was being stopped. However, what that meant was that the product support for 7.1 was being stopped, and that you should upgrade to the 7.5 version, which is the same, but better, and still supported.
http://free.grisoft.com/doc/downloads-free75cnv/lng/us/tpl/v5 is the main downloads page. Get updated! And thanks Grisoft, for keeping us safe(r) on the internet.
WaveBubble – an automatic wireless jammer
Saturday, February 24th, 2007With the rather amusing title How Jews celebrate christmas, LadyADA announced to the world her latest creation. It is a simple and cheap automatic radio frequency jammer.
For not very much money, this pocket sized device will knock out cellphone calls and GPS within a 10 to 30 metre radius of itself. This has some important conotations, from avoiding parking tickets and police pursuit, to the disabling of wireless video cameras and alarm systems.
Unlike like most systems, you see, this one automatically tunes to jam anything in range within milliseconds. So it doesn’t have to use a high power transmitter broadcasting all the time across a whole range of the radio spectrum, and it can work unattended. Ideal for stopping un-democratic “voting computers” that offer no proof that you pressed a button, let alone that your vote was actually counted any place. Also ideal for jamming wireless video cameras in public places, or, less civic-mindedly, private places.
Note that a wireless burglar alarm would simply sound forever, as this would keep track of the frequency hops it carried out to try to avoid the interference, and wipe it out, triggering a tamper alarm. Of course, with nothing visible, it would be silenced by law after the neighbours complained, leaving the clever criminal free to enter.
A more positive use would be a way to track down bugs in a security sweep. If the PLL locked to anything, it’s a transmitter, and those formerly listening in wouldn’t know to cut and run, or even turn off the transmitter, as it would be effectively jammed until it was located. Covert cameras could then be used to ensure that when the bug was retrieved, those monitoring would be caught in the act.
Like all technology, this has both a light and dark side.
Go Technorati
Wednesday, February 14th, 2007This will list me on Technorati, so the world can read it, or at least find it, more easily.
Add this blog to your Technorati profile by clicking here->
Two videos by Barry Wels
Tuesday, January 23rd, 2007http://video.google.com/videoplay?docid=-5898960163463189740 should be enough to make you wonder if there are still any secrets out there!
Watch as Barry Wels and Paul Crouwel show off a shiny Russian embassy lock. These are very, very hard to come by, as they are only used in Russian embassies. I’m sure someone in the GRU/KGB/internal security department will be asking a lot of questions when they find out about this!
Also, if you are still using a Kensington lock to protect your laptop from anything other than snatch-and-run, http://video.google.com/videoplay?docid=6560787668346205814 shows that you shouldn’t be. After watching this, you will realise one of the truths about security, that if you use a combination lock it can be broken after at most x amount of time, but at least x can be roughly guessed at. A key lock is either almost un-openable, or, with the right knowledge, it is very quickly opened (even if, in the extreme, that knowledge is the shape of the key!)
Hacking around in Google Maps
Saturday, January 20th, 2007A brilliant feature of the already brilliant Google Maps system is that you can now place multiple markers, and get directions. Forget your old route finding tricks with a paper map, or even your GPS or a site like the AA’s. This is so fast and easy.
You are going out for the day to do a warrant run. You obviously don’t know the area like the back of your hand, and there are, in our example, 6 jobs.
Grab the postcodes, and do the following in a text editor, or even right there in the google maps page at http://maps.google.co.uk
from:BB5 7DD to:BB5 0EE to:BB5 5HH to:BB5 3JJ to:BB5 3QQ to:BB5 3EE (Don’t click this link)
First, it validates the postcodes (useful when making up examples like this!) It really should be
from:BB5 6DD to:BB5 5HH to:BB5 3QQ to:BB5 0EE to:BB5 3EE to:BB5 3JJ
Press go again, and the amazing Maps API at maps.google.co.uk will show you a neatly zoomed map with route directions (hidden by the little [x] until you click on each leg to expand it)
Now, that isn’t the best route. So you could re-type the string as
from:BB5 6DD to:BB5 5HH to:BB5 0EE to:BB5 3EE to:BB5 3JJ to:BB5 3QQ
and see if that makes things better. However, because Google programmers know their javascript, and how it should be used, you can do this instead. Go to the left side, where the postcodes are, then click and drag one. This will rearrange the map for you within moments. Visually, you will see the markers change if you tweak the first and last ones, and the mileage between each stop will also be recalculated in a few moments! After all of 30 seconds, you can optimise your route for the day. Brilliant.
For the next trick, switch to “Hybrid” mode in the top right of the map. This is my favourite view, and it pops up a road map overlayed on an aerial photgraph. Et voila! I’ve optimised my route. Now for a smart part 2. Zoom the map right in, then click on any of the markers. This will zoom to the destination. Now, using my leet locksmithing sense, I can tell that we are looking at a house, not a factory unit, and this tells me what sort of locks I can expect. The third one could be either, and the fourth looks like a garage, or at least somewhere without enough parking! And the last two are rows of houses again. 
Not that this part makes much odds. Were this a real run, the doors would be opened regardless. Also, we normally do commercial one day, and residential another. I just like to know! Gives me some idea of where to leave the van too – all those tools are heavy!
Small Claims Court online
Saturday, January 13th, 2007So, as in the life of most businesses, we come to the crunch point, where a person or company has had work done, but has then decided that, since the emergency they were having is now over, they don’t want to pay. Never mind that most locksmiths won’t do work on account for unknown companies for exactly that reason. I now always run a credit check on any company I get calling me, since I am subscribed to a checking service it takes only a minute before heading off.
Well, back in August last year, I got a call from a solicitor. Urgent, need you tomorrow, please, please. Never even asked the cost. So I go and do the job. The solicitor tells me what he wants on site, I do it. All finished, I invoice, and wait. And wait. Eventually it goes overdue, so a phone call goes out. No response. I leave it another two weeks, and send out the reminder notice with penalties. I now do this as a matter of course, and I include a letter that tells the late payer why. Basically, I offer a low priced, high value service, and if you get 14 or 30 days to pay, you are, in reality, lucky. If you were stood outside your door late at night without any way to pay, in the rain, most locksmiths would kind of insist that you go with them to the cash machine. And I would, too. If you have ever wondered why, this is why. It is less hassle.
So anyway, we hear nothing. More phone calls, more chasing. It all adds up. Lots of promises that he will call back when he is in, that messages will be passed on, that he will call when he is back from court. But, of course, nothing happens. A second invoice with a letter goes out recorded. So he definately got that one. But still nothing. So, today, I went to https://www.moneyclaim.gov.uk/csmco2/index.jsp and signed up.
This handy page is actually the latest court idea for small claims, and it allows you to file a Small Claims action via the internet. It’s a pretty naff interface, but I got through it without too many issues. So papers are filed.
But our man is a solicitor. Aside from knowing he could easily pay if he wanted to, this also means I can find him online at the Law Society. So I did. And I asked them what they thought of a solicitor who refuses to pay his debts. They said call back when I filed papers, please. In the meantime, I found he has also not paid another locksmith I know, for doing the same thing, a repossession lock change, a few months later. So today, I called the Law Society, and let them know about their deadbeat lawyer. I also let the other locksmith know, so he can do the same thing.
It really is sad that some people abuse their position. Some locksmiths do, and some lawyers do, just like everything else. But it is very silly for a lawyer who claims to specialise in bankruptcy law and repossession work to play such silly games. I wonder what the Law Society will say to him? Actually, I wonder more what he will say to them…
eBay security flaw
Monday, January 8th, 2007There is a security flaw in eBay. When two people are logged on to the account from different places, logging out doesn’t log the other party out, or even challenge them for the password. This may not sound like an issue, but when things go wrong, it is. Let’s say your account is hijacked. This is actually pretty common these days, even if you don’t click on dodgy links to spoof sites and avoid the emails that start “We include your name to show..” yet don’t. You see that first sale of a £400 laptop appear in your email, and you react fast.
When this happened to one of our accounts, we logged in, and killed the auctions (both of them) and quickly changed the password. Another auction appeared. We logged out, thinking that this would stop them. But more emails came in! Logging back in, we saw there were now 9 auctions, including a re-listing of one that we had cancelled! So we logged out again, thinking that the ebay computers must notice something weird. We logged in again, and there were even more!
At this point we started to mass-kill the auctions that were fake, then everything stopped as ebay woke up and disabled the account until we confirmed from a link sent to the registered email address. It was a frantic half hour, though.
We find it interesting that this account got hijacked, too. It was dormant, nothing having been listed in about 10 months, and like all our accounts, it had a reasonably secure password. We can only guess how it was breached.
One possible way is that a scammer picked a password, and then tested that password once against a million or so ebay account usernames, to avoid the time-out feature. Doesn’t make sense, though, since it was a pretty random word/number combination. However, if you have several million usernames and you pick a (say) 6 character password, you probably have a fiarly good chance of getting a hit. 36^6 or something to 1. 2.1 billion to 1 against. Base it on a dictonary word, and think about how people tend to change them into more secure passwords, and you can see a far, far higher likelyhood of getting a hit. Still, it seems like a heck of a lot of work, even with a botnet of thousands of different IPs.
Any thoughts?
Too much security, re-visited
Monday, February 26th, 2007Well, yet again, we see spam coming in on a weekly basis, asking us to “Clcik here, and verify your online bank details” and other humorously low grade spoof attempts. A lot of this is for banks, as well as the usual PayPal and eBay stuff.
Today, we got a phonecall, purporting to be from the bank. So how do you tell? Your bank phones you, asks you to go through the security questions, and since they ask them, and they haven’t given you anything beyond “it’s a personal banking matter” you have no idea if it really is the bank. So, try asking them anything at all, and they say “Sorry, until you have gone through the security questions, we can’t tell you that.” We tried to get a reference number off them, so we could call them back, and were told “Not until you have been through security”!
Imagine our lack of suprise when the number they gave us to call didn’t tally with anything on Google search, and when called, it simply said “Thank-you for calling Card Services” and giving us another phone number to call!
So, was this a cunning scammer? No, amazingly enough, it wasn’t. It was actually the bank calling to confirm our contact telephone number. Which surely they did, when they were passed to the person they requested by name?
Not all companies are this stupidly insecure through too much security. Two days ago, I challenged a caller in the same way. His inspired response was to say “The last two digits of xyz added together are nn” which is a hash function which is non-reversible, and gives away nothing unless you hold the shared key and the secret numbers. Since this was correct, the odds of a correct guess was pretty small. Not tiny, but about 1 in 12. (Should I do the maths? 19 possible answers from 0 to 18, and the most likely ones being at best 9 in 91, and the worst being 1 in 91) For the purposes of the call, that was enough.
The best example of this one-way hash is the credit card companies. They sat for a long time, trying to find ways to avoid data protection issues, whilst still ensuring that the high levels of card fraud were reduced. They came up with a few different ideas, to solve different parts of the issue. To prevent electronically skimmed cards from being used without the card being present, they started using the “security number” on the back of the card, which isn’t recorded in the strip or the chip. As far as I know this is simply a reference for the card print run, but it does the job. Guessing it right would be 1 in 1000.
That wasn’t enough, though, since a stolen card being used via internet or phone would still work. So they decided they wanted address details. Uh oh! That’s an issue! Despite the merchant having the address, and the card company having it too, there was room for an attack by a corrupt merchant, or a cracker, who could simply try many, many card details until getting the address, or trying many addresses until getting the card number, or whatever.
The solution they came up with was to use only a part of the postcode and address. The number parts. This keeps it compatible with existing card terminals (as they already have numbers!) and, it is a one way hash. From the letters, you could determine where someone lived, and that would be bad. From the number part, however, you still have a good set of odds against a guess, and it is totally non-reversible. The entry 35, 2 cannot find a person, as they could be in any one of hundreds of major postcode areas, and hundreds of thousands of streets. Problem solved.
Large and small companies need to think a little about these issues. It is all well and good telling us to never respond to unexpected emails asking for details, but unexpected phone calls are surely just as big a worry today, as VoiP allows international calls for pennies, and voice recognition software can carry out basic phone conversations. It wouldn’t take much for a system to be built to specifically target this area, to socially engineer important data from targets by phone, without a human presence. This needs to be looked at now, not later.
Posted in Commentary, Crime, on-line | No Comments »