...and encrypting+hiding data too large to store online.

Now that US customs agents have unfettered access to laptops and other electronic devices at borders, a coalition of travel groups, civil liberties advocates and technologists is calling on Congress to rein in the Department of Homeland Security's search and seizure practices. They're also providing practical advice on how to prevent trade secrets and other sensitive data from being breached. In a letter dated Thursday, the group, which includes the Electronic Frontier Foundation (EFF), the American Civil Liberties Union and the Business Travel Coalition, called on the House Committee on Homeland Security to ensure searches aren't arbitrary or overly invasive. They also urged the passage of legislation outlawing abusive searches.

The letter comes 10 days after a US appeals court ruled Customs and Border Protection (CBP) agents have the right to rummage through electronic devices even if they have no reason to suspect the hardware holds illegal contents. Not only are they free to view the files during passage; they are also permitted to copy the entire contents of a device. There are no stated policies about what can and can't be done with the data.

- http://www.theregister.co.uk/2008/05/01/electronic_searches_at_us_borders/

I need to get TrueCrypt working. But I've heard some questionable, "things will crash and data will get lost" things about the initial Mac release. TrueCrypt, from what I've read, is supposed to let you encrypt things as well as hide them in harmless-looking files. Pain in the ass though... At least I don't think I'm crossing the border anytime soon...

Tags: privacy, security, tech
First: IT Security Warfare. A rather interesting read, at least for me.
http://mcwresearch.com/archives/496

Second: a presentation at the AAAS. Someday, I'll have the self-esteem and guts to stand up in front of a crowd and do that.
http://www.youtube.com/watch?v=yL_-1d9OSdk (via porsupah)

Third, from the interesting Geeketiquette blog, comes the Dresscodes: Geek vs. Non-Geek. Some of it is true, I suppose.
http://geeketiquette.com/archives/2007/06/27/dresscodes-geek-vs-non-geek/
(but potentially worth noting, if you're a geek like I am, and fail to pick up on normal social cues...)

Lastly, via metaquotes (and porsupah): the interaction between Christianity and Islam, if they're both kids....
http://community.livejournal.com/metaquotes/6156094.html?thread=113259582

And an odd mishmash of links that I need to visit/do/screw/whatnot:

OpenVPN, when on public, unsecured Wifi (project temporarily on hold; uiuc provides vpn that covers everything I need):
http://blog.2blocksaway.com/2006/12/11/building-a-cheap-secure-wireless-wlan-infrastructure-with-openvpn-and-linux-an-advanced-tutorial-of-openvpn/3/
http://openvpn.net/download_action.php?openvpn-2.0.9.zip
http://wiki.cacert.org/wiki/openVPN

Rails! Ruby! Arrrr?:
http://summerofrails.org/

Security:
http://www.priamos-project.com/
http://www.remote-exploit.org/backtrack.html
http://garrett.reid.org/backtrack/ (and why I need a MacBook /Pro)
http://insecurewebapp.sourceforge.net/main/index.html (download and try)

Wifi cracking:
http://kismac.de/_trac/wiki/DWL-G122 (need to locate and buy...?)

Japanese:
http://lrnj.com/ (learning japanese with RPG... something?)

Origami (via... kimoi):
http://www.geocities.com/foldingca/butterflyball.html

Tags: humor, links, security, video
http://darwin.servehttp.com/cgi-bin/hash.pl

About this: The original concept that spawned this can be found at http://www.nth-dimension.org.uk/utils/ghash.php. I wrote this up to see if it would actually work... And it would be more convenient than having to download a 50+ GB rainbow table from here (or here).

Ideally, you'd be using this to recover a forgotten password. But it could also be used for less ethical/illegal purposes. Knowledge is power. With power comes responsibility. Use this tool wisely. What you do with knowledge is up to you; I take no responsibility for your actions.

The list of characters that I support:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_+=~`[]{}|\:;"'><,.?/
(configuration 6 of the antsight.com rainbowcrack tables)

Here's the hash for password: http://darwin.servehttp.com/cgi-bin/hash.pl?show=md5&word=password (=> 5f4dcc3b5aa765d61d8327deb882cf99 =^.^=)

Now here's the question: How long will it take Google before they crawl the entire thing? :D Currently, it's set to 16 max characters, although I probably should have set it to 8. Here's to hoping Google doesn't crawl depth-first...

Other MD5 tools:
http://us.md5.crysm.net/ (MD5 reverse lookup: I think they run their own database...)

[edit] Here's the source code, for anyone who might be interested. It's licensed under GPL, although quite honestly, I don't think I fully grasp the concept of GPL. They need an easier-to-understand license XP Or provide a "common language" equivalent, similar to the nice Creative Commons license. But if you decide to run the code elsewhere, do drop me a line - I'd be interested.

[edit 2] Looks like here's another one with a similar idea. Except they hash all of the options and don't cover as many letters as I do. I wonder if it's more effective...? Ah, it looks like while Google has crawled them, there's a limit to how much Google will crawl. Like the reverse.me.uk site only retrieves 49 search results. While a site like apple.com will retrieve 45K results. Why is that? Does Google check for unique looking pages? o.O I wish I knew what algorithm Google was using, and how to maybe get past that. Maybe I should add random password generators at the bottom of the script, so Google will randomly jump to deeper hashes? Maybe? o.O

[edit 3] And here's another one. Again, Google doesn't find anything after the first few letters. Interesting..

Tags: hacking, security
Current Mood: productive
Instead of downloading a bigass rainbow table, now, maybe if this works, you can just google your MD5 hash.
http://www.nth-dimension.org.uk/utils/ghash.php
(they should add SHA-1! maybe? o.O And the other ways of encrypting passwords...)

Although it'd be more interesting if they actually created a wordlist with configuration 6*. And put that online. Looks like they're just doing a wordlist.

*see: http://www.antsight.com/zsl/rainbowcrack/ (rainbow tables - 64 GB XD) They do note that it would take several years for just one computer to calculate that entire table... but for the Google Hash site, they calculate the number on the fly... so they would only have to generate (and store?) the original keys... not too bad? (Hmmm.. I wonder if there's some way to trick Google into calculating the MD5 hashes for us...)

[edit] No, there's another way to do this. Essentially, provide a list of characters - clicking on a character will add that to the current string that we hash. So it's kinda recursive... I'll build an example this afternoon, when I finish lunch. This should be interesting. The only limit now, is how deep Google will crawl? And if Google crawls depth-first or breadth-first? And how much data would Google be willing to store from a simple site?

Hashes I want to do: maybe we'll start with MD5 first. Then SHA? And the windows password hashing method?

And a final question: Is this unethical? Because technically, the only real use for the last one would be to crack passwords... And I can't really think of any reason why you might need the other ones. Although I must say, I'm rather fond of the idea of creating information and making it searchable. I am a creature of information. Hear me roar? o.O Mew.

Tags: security
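The crawlable hash-tree idea from this post and from the hash.pl post above it, re-created in Python as an added example (not the post's own Perl source, which is not reproduced on this page). It uses the 94-character set and the MD5 of "password" quoted in the hash.pl post, counts how many pages a crawler would have to fetch to cover every string up to a given length, and shows that a per-user salt puts a stored hash outside any such precomputed tree; the salt value and function names are my own.

```python
import hashlib
import string

# Character set the hash.pl post says it supports ("configuration 6" of the
# antsight.com rainbowcrack tables), copied from the post: 94 characters.
CHARSET = (string.ascii_uppercase + string.ascii_lowercase + string.digits
           + '!@#$%^&*()-_+=~`[]{}|\\:;"\'><,.?/')


def md5_hex(word):
    """Unsalted MD5, the value the post's ?show=md5&word=... page displays."""
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def child_words(word, max_len=16):
    """The post's 'recursive' design: each page links to word + one more
    character, so a crawler reaches longer strings one page at a time.
    max_len=16 is the limit the hash.pl post says it is currently set to."""
    if len(word) >= max_len:
        return []
    return [word + c for c in CHARSET]


def pages_up_to(depth, alphabet=len(CHARSET)):
    """Pages a crawler must fetch to index every string of length 1..depth:
    94 + 94^2 + ... + 94^depth. This is why the tree is never crawled out."""
    return sum(alphabet ** k for k in range(1, depth + 1))


def salted_md5_hex(word, salt):
    """Why a lookup tree fails against salted storage: the same password
    hashed with a per-user salt is a value the indexed tree never contains.
    (Hypothetical salt-prefix scheme, for illustration only.)"""
    return hashlib.md5((salt + word).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print(md5_hex("password"))        # the hash quoted in the post
    print(len(child_words("pass")))   # links on one page of the tree
    for d in (6, 8, 16):
        print(d, pages_up_to(d))      # pages needed to cover depth d
```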
If you know the password because you've changed it from the default, you're fine. Otherwise, there's a new attack - Attackers use Javascript in your browser to change your router settings, so trying to access your bank online will redirect you to their site. There, they can steal your information when you enter it.

The well written analogy is:

I’ll start with a high-level real-world analogy of this attack. Imagine that whenever you wanted to go to your bank, you picked up your phone directory, looked up the bank’s address, and then went there. Our attack shows a simple way that attackers can replace the phone books in your house with one that they created. Now, when you pick up that rogue phone book to get your bank’s address, it’ll actually give you the wrong address. At this wrong address, the attackers will have set up a fake bank that looks just like your bank. When you do business with this fake bank, you’ll give up all your sensitive bank account information. However, you’ll never realize that you were at a fake bank since you trusted the address that you got from what you thought was your legitimate telephone book.

http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html
(they also have a nice flash video that provides a graphical idea of how it works.)

No clue what I'm talking about? If you connect to the internet by way of a router (regardless of wired or wireless), you can check by following these steps:

1. Access your router. Chances are, one of the following links will work:
http://192.168.0.1
http://192.168.1.1

2. If a username/password thing pops up, good. Try the following:
Netgear:
Username: admin Password: password
Username: admin Password: 1234 (username may be "Admin")
D-link:
Username: admin Password: empty
Linksys:
Username: empty Password: admin

3. Now change the password.
Netgear: Navigate to Maintenance > Set Password. (Netgear support page)
D-link: Navigate to Tools, then Admin (D-link support page)
Linksys: Either click on "Administration", or "Password" (Linksys support page)

--

Other username/password combinations I've run across are: admin/admin admin/setup admin/pass admin/none

If step 2 fails, follow the instructions here to figure out where you need to go.

Tags: security
Yay, there's a newspaper article in the Washington Post suggesting that stupid cellphone companies shouldn't lock down their phones:
http://www.washingtonpost.com/wp-dyn/content/article/2007/02/08/AR2007020802169.html
There's some (IMO) stupid counterarguments about competition and stuff. Granted, I just skimmed and haven't really read, so I may have skipped over something that I shouldn't have skipped.

Remote-Exploit.org, the people who supply BackTrack, a Linux Live Distro focused on penetration testing, apparently has security courses online. I need to take those.
http://www.remote-exploit.org/courses.html

And via Mark R., pretty wallpapers!
http://interfacelift.com/wallpaper/index.php?sort=date
Sunsets are pretty...

--

5 page paper completed in 6-ish hours. Not... too bad? Proofread. Due in 5 hours. Whee. Time for bed.

Tags: hacking, links, news, security
Current Mood: tired
Current Music: Hate Me (Acoustic) - Blue October, Hate Me (Acoustic)
http://psiphon.civisec.org/ - the way to get through web blocking in other countries.
http://ibneko.livejournal.com/582793.html - original post on the thing.

Server is now up and running. Painless install, although the router had to be configured, so it's still not exactly a user-friendly thing. (Todo: Write a script that will attempt to set up routers. That would be spiffy. Good javascript project?)

Should be reachable at https://hikari.servehttp.com:440/hikari/ (Up and running. Certificate is self-generated, so uh, the connection is secured in the idea that there's encryption. But there's no guarantee that the server you're reaching is actually me.)

Username and password creation upon request. Currently friends and friends-of-friends only. As in, if I know you on LJ, comment with a desired username, and I'll make an account for you and send you the password.

[edit] Ok, it works. There's no https support (aka, can't check gmail e-mail, can't visit sites that require secure http). But since I can't hide it so it only shows up in the system bar, I'm not going to be running it unless someone actually needs the thing.

Tags: geeky, psiphon, security
Current Music: D I G I T A L L Y - I M P O R T E D - EuroDance & HiNRG - Finest imported cheese on the net! - ,
Airport security chiefs and efficiency geeks will be able to keep close tabs on airport passengers by tagging them with a high powered radio chip developed at the University of Central London... ...People will be told to wear radio tags round their necks when they get to the airport. The tag would notify a computer system of their identity and whereabouts. The system would then track their activities in the airport using a network of high definition cameras...
[source: http://www.theregister.com/2006/10/12/airport_rfid/]

I'm not the only one disturbed by this, right?

Right, so ways around this:
- Swapping tags with other people in bathrooms
  --> can be countered by adding restrictions: you're supposed to be flying out of this gate, then you have to exit via this gate with your own tag.
- Ditching your tag to do Bad Things™ like bombs, etc.
- Making your tag broadcast someone else's signal.
- Making your tag broadcast a scrambled or random signal.
  --> Object counting software - we see people in area, but there's a person missing a tag / duplicate tags / unissued tag id being returned. Flag security and notify them. This is much harder, and requires a shitload of processing power, but it's doable.

Tags: big brother, rfid, security
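The two countermeasures sketched at the end of this post (gate restrictions per tag, and object counting that cross-checks camera head counts against tag readings), written out in Python as an added example; this is not code from the post or from the Register article, and the issued-tag list, gate assignments and readings are constructed sample data.

```python
from collections import Counter

# Constructed sample data (not from the post): tag ids the airport issued,
# each tied to the gate its passenger is booked to leave from.
ISSUED = {"T100": "B7", "T101": "B7", "T102": "C2", "T103": "C2"}


def audit_zone(issued, reads, people_seen):
    """The post's object-counting check for one camera zone.
    issued:      {tag_id: gate} for every tag handed out
    reads:       tag ids the readers located in the zone, one per person found
    people_seen: head count from the high-definition cameras
    Returns a dict of findings; an empty dict means nothing to flag."""
    findings = {}
    counts = Counter(reads)

    # Same id heard twice: a tag broadcasting someone else's signal.
    dupes = sorted(t for t, n in counts.items() if n > 1)
    if dupes:
        findings["duplicate_tags"] = dupes

    # Id that was never issued: a scrambled or random signal.
    bogus = sorted(t for t in counts if t not in issued)
    if bogus:
        findings["unissued_tags"] = bogus

    # More bodies on camera than valid tags heard: someone ditched a tag.
    tagged = sum(n for t, n in counts.items() if t in issued)
    if people_seen > tagged:
        findings["untagged_people"] = people_seen - tagged

    return findings


def check_gate(issued, tag, gate):
    """The gate restriction from the post: a tag may only exit through the
    gate it was issued for, which defeats swapping tags in the bathroom."""
    return issued.get(tag) == gate


if __name__ == "__main__":
    print(audit_zone(ISSUED, ["T100", "T101"], 2))       # clean zone
    print(audit_zone(ISSUED, ["T100", "ZZZ9"], 3))       # bogus id + ditched tag
    print(check_gate(ISSUED, "T102", "B7"))              # wrong gate
```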
Name: Benjamin Juang
In Life's name, and for Life's sake, I assert that I will employ the Art which is its gift in Life's service alone. I will guard growth and ease pain. I will fight to preserve what grows and lives well in its own way; Nor will I change any creature unless its growth and Life, or that of the system of which it is part, are threatened. To these ends, in the practice of my Art, I will ever put aside fear for courage, and death for Life, when it is fitting to do so- looking always toward the Heart of Time, where all our sundered times are one, and all our myriad worlds lie whole, in that from which they proceeded...