Race Condition

July 12, 2008


Protect Yourself from Earthquakes and Tsunamis

July 7, 2008

To make your holidays safer, the German Research Centre for Geosciences (GFZ) has published information on earthquakes and tsunamis, comprising:

Most of their recommendations may seem like common sense, but even simple measures are easily forgotten if one is used to living in low-risk areas.


Active Quality Control

July 6, 2008


Black Hat EULA Enforcement

April 30, 2008

What is the purpose of antivirus companies? They produce tools to detect and remove malicious software on a large number of computers. Their basic process is pretty simple. They collect samples of new malicious software from various sources, including the general public. You, too can send a piece of software to antivirus companies if you suspect it might be malicious. Each sample will be analyzed by the antivirus company. If it really is malicious, a signature will be produced and disseminated to all users of the company’s products through an automated mechanism. After receiving the new signature, antivirus software is capable of detecting the new malicious software and often also stopping it from working in one way or the other.

Sounds innocent, but the bad guys discovered this might be a suitable infrastructure to enforce end-user license agreements. If you rent a botnet and fail to comply with its operators’ terms, they threaten to forward your bot to antivirus companies. I really like that idea, although I see a couple of pitfalls here, as do the guys who originally reported this.


EMD Safety Bracelet

April 23, 2008

Why don’t we simply shut down terrorists?

(via Δfoxtrot)

Update: “Shocking, but false,” comments a TSA spokesman.


Secure Wireless Network

April 11, 2008

Looks like they really care about their wireless security at the Radisson SAS in Lillehammer. This D-Link something box is secured by not just one but two surveillance cameras, so you can feel really safe and secure while using the network. And no, I did not scan the network for Webcams, although I should have. Shame on me!


What is security testing?

April 10, 2008

The Sectest08 workshop, which I attended today, was of typical workshop size, so my plan to use the flipchart rather than PowerPoint did work out well.

The keynote speaker, David Litchfield, gave a pretty good introduction to the kind of security testing that he does: bug-hunting of various kinds. He included a live demonstration of format string vulnerabilities, presented the notion of surety for what might be missed by overly formal approaches to security, and described security testing as exploring interesting avenues and evaluating implications. His talk pretty much covered the issues and topics of my own world of security testing. He embraced the idea that (this type of) security testing might be an art, claiming that bug-hunting security testers were often also into artistic activities such as painting or photography, and that teams of testers would work best if they included both scientific and artistic types of people.


Oops!

March 26, 2008

Looks like I was wrong. (via Fefes Blog)


20 Layers of Security … and One Attack Vector

March 24, 2008

[Notice for our international readers]

I knew the TSA blog would yield something for me right when they started it. I didn’t expect it to happen so soon, though. Today they proudly present their 20 layers of security. Twenty! The TSA has twice as many layers of security as the average U.S. worker gets paid vacation days. This is impressive. Look at their diagram for a while (slightly larger version here). Impressive, marvelous, rainbow-colored, magnificent, fantastic.


TSA Gangstaz

March 20, 2008

Phishers now keeping track of state?

March 20, 2008

[Notice for our international readers]

Yesterday I received this phishing mail:

To: ****@********
Date: Wed, 19 Mar 2008 10:49:50 +0000
From: Wachovia Connection banking Consumer support <news@wachovia.com>
Subject: Wachovia Connection Web application security

Dear Wachovia Connection Bank Customer:
Due to the emergency situation with our server room and the closing of
the New Orleans Branch of the Federal Reserve, Wachovia Connection
Bank is presently unable to process wire transfers. Therefore we are
asking that customers please refrain from initiating wire transfer
requests through Wachovia Connection until further notice. All wires
initiated before 12:30 PM CDT will be processed; however, there may be significant delays in doing so.

IMPORTANT: All customers must validate personal information.

(...)

and today, a follow-up message reminding me:


1-900-NERD-GIRL

March 12, 2008

Video: Information Security - Office security

March 3, 2008

Friday the 13th – End of the World?

February 22, 2008

Not quite, but with a 1-in-300 chance of the end of certain lifeforms on the surface of this planet:

»You may want to put this date in your diary: April 13, 2029. It’s a Friday. Friday the 13th. This is the day, Nasa announced four years ago, on which the Earth is most likely to be struck by a civilisation-destroying asteroid.«

(The threat to Earth from space is minimal - Times Online, via)

Time to un-quit smoking?


The 6 Cutest Animals That Can Still Destroy You

February 17, 2008
»If animals could talk, they would spend most of their time calling us dicks and telling us to get off their land. The traits we think of as “cute” are often simply tricks animals have developed to get tourists to throw them food.

Here are six animals that you’ll probably want to steer clear of, no matter how adorable they look on that wall calendar. (…)«

(The 6 Cutest Animals That Can Still Destroy You)


The Fear Factory

February 17, 2008

The Rolling Stone has an article on homegrown terrorism in the U.S., grown by task forces that are supposed to fight terrorism:

»The FBI now has more than 100 task forces devoted exclusively to fighting terrorism. But is the government manufacturing ghosts?«

Manufacturing ghosts makes a lot of sense, marketing-wise, if you are an officially appointed ghostbuster.

(via Telepolis)


A Rationalist Approach to Risk Assessment

February 11, 2008

»I believe smoking bans are doing great damage, and not only economic damage. They promote intolerance, social tension and a ‘stool pigeon’ culture. They ostracise a large and law-abiding segment of the population. They set a worrying precedent for all kinds of other social engineering. And they bring Nanny into Nightlife: the last place she belongs.«

Over at Plazeboalarm they celebrate (in German) an essay by Joe Jackson, Smoking, Lies and The Nanny State (PDF), and rightly so. He perfectly demonstrates a rationalist approach to risk assessment, one based on fact rather than on opinion and hidden agendas. He also demonstrates how real and unreal health risks can be abused politically and may lead to a much worse outcome, even if the original risk being fought was real.

Even if not everyone agrees with him, and even if the factual basis of his essay were wrong (I haven’t verified his numbers yet), he reminds us of the virtue of skepticism. Even experts can be wrong. Terribly wrong, sometimes:

»It has become ‘common knowledge’ that smoking is one of the worst things you can possibly do to yourself; ‘all the experts agree’. Of course, ‘all the experts’ once agreed that masturbation caused blindness, that homosexuality was a disease, and that marijuana turned people into homicidal maniacs. In the 1970s and 80s British doctors told mothers to put their babies to sleep face-down. Cot deaths soared, until a campaign by one nurse succeeded in changing this policy, which we now know to have claimed something like 15,000 lives.«

No matter how you feel about smoking, read his essay and try to grasp the many points he makes that are not immediately related to cigarettes and tobacco but rather to rationalism and workable ways of running a society. A must-read for everyone. Conspiracy theories about the tobacco industry are not an acceptable excuse.


This is what normal people think

February 10, 2008
»Having been involved for years with free speech activism, I run into a lot of people in the same circles who are strong Linux advocates, apparently because the concept of “freedom of speech” is closely aligned with “making every file search as simple and stress-free as a Hamas hostage negotiation”.«

(Bennett Haselton)


Will HTML 5 Promote Insecure Programming? Maybe not.

February 2, 2008

[Notice for our international readers]

A few days ago the W3C published the first draft of HTML 5. One of the many new features struck me as a possible amplifier for insecure programming: HTML 5 extends the type attribute of the input element to support URLs, e-mail addresses, dates, times, and other types. The rationale for the new types reads (emphasis by me):

»The idea of these new types is that the user agent can provide the user interface, such as a calendar date picker or integration with the user’s address book and submit a defined format to the server. It gives the user a better experience as his input is checked before sending it to the server meaning there is less time to wait for feedback.«

Now this is a really old theme in Web (in)security. The Web as a programming platform invites errors in input validation and sanitization by giving the programmer equally powerful tools for two different domains of trust, the client and the server. Client-side input validation does make sense and is desirable for usability, but it cannot replace server-side enforcement: the client is under the user’s (or an attacker’s) control, so anything it checks can be skipped.

Consequently, one all too common mistake in Web application programming is to validate or sanitize data on the client side but not on the server side, where one must not rely on any assumptions about client behavior. At first glance, the above-mentioned extensions seem to provoke even more of these mistakes by improving the client-side features, thus making them more attractive.

The new feature makes generating code easier, though, which means it may become easier to develop and use frameworks instead of hand-coding. This would be good, security-wise, as one framework usually makes fewer errors than hundreds or thousands of programmers.

At this time, both theories seem equally plausible to me. Empirical studies, anyone?
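The point above is that HTML 5 input types such as email, url, number (with min/max) and date are hints for the browser, not guarantees for the server. The following is an added example, not code from the original post or from the W3C draft: a small server-side re-validation routine in JavaScript (Node.js) that derives its checks from the server’s own field schema rather than from anything the client submits. The schema, field names and sample submissions are constructed for this example; the email check is deliberately simple and should be tightened for production use.

```javascript
// Added example: server-side enforcement of constraints that an HTML 5 form
// would also express on the client as type="email", type="url",
// type="number" min/max and type="date". The schema below is the server's
// own description of the form (constructed for this example); the request
// body is treated as untrusted text, whatever the browser claims to have done.

const FORM_SCHEMA = {
  email: { type: 'email' },
  site:  { type: 'url' },
  age:   { type: 'number', min: 18, max: 120 },
  start: { type: 'date' },
};

function isValidEmail(v) {
  // Intentionally simple: local@domain, no whitespace. Tighten for production.
  return typeof v === 'string' && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v);
}

function isValidUrl(v) {
  // Parse with the WHATWG URL class and allow only http(s) schemes.
  if (typeof v !== 'string') return false;
  try {
    const u = new URL(v);
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch (e) {
    return false;
  }
}

function isValidNumber(v, rule) {
  // Accept only a plain decimal literal, then enforce the server-side range.
  if (typeof v !== 'string' || !/^-?\d+(\.\d+)?$/.test(v)) return false;
  const n = Number(v);
  if (rule.min !== undefined && n < rule.min) return false;
  if (rule.max !== undefined && n > rule.max) return false;
  return true;
}

function isValidDate(v) {
  // HTML 5 date inputs submit YYYY-MM-DD; reject other shapes and
  // impossible calendar dates (e.g. February 30th) by round-tripping.
  if (typeof v !== 'string' || !/^\d{4}-\d{2}-\d{2}$/.test(v)) return false;
  const [y, m, d] = v.split('-').map(Number);
  const dt = new Date(Date.UTC(y, m - 1, d));
  return dt.getUTCFullYear() === y && dt.getUTCMonth() === m - 1 && dt.getUTCDate() === d;
}

// Validate a parsed request body against the server's schema. Returns
// { ok, errors } where errors maps each failing field to a short reason.
function validateSubmission(body, schema = FORM_SCHEMA) {
  const errors = {};
  for (const [field, rule] of Object.entries(schema)) {
    const value = body[field];
    let ok;
    switch (rule.type) {
      case 'email':  ok = isValidEmail(value); break;
      case 'url':    ok = isValidUrl(value); break;
      case 'number': ok = isValidNumber(value, rule); break;
      case 'date':   ok = isValidDate(value); break;
      default:       ok = false; // unknown rule type: fail closed
    }
    if (!ok) errors[field] = `invalid ${rule.type}`;
  }
  // Fields not in the schema are ignored here; reject them instead if the
  // schema is meant to be exhaustive.
  return { ok: Object.keys(errors).length === 0, errors };
}

// Constructed sample submissions: the first is what a conforming browser
// would send from the HTML 5 form; the second is a hand-made POST that
// skips every client-side check.
const fromBrowser = { email: 'alice@example.org', site: 'https://example.org', age: '34', start: '2008-02-02' };
const bypassed    = { email: 'not-an-address', site: 'mailto:alice@example.org', age: '-5', start: '2008-02-30' };

console.log(validateSubmission(fromBrowser)); // { ok: true, errors: {} }
console.log(validateSubmission(bypassed));    // ok: false, all four fields rejected
```

The design choice worth noting is that `validateSubmission` never reads type or range information from the request; the browser’s form markup and the server’s schema may happen to agree, but only the latter is authoritative. Frameworks that generate both the HTML 5 input attributes and the server-side checks from one schema definition are the realistic way to keep them in sync, which is the second scenario the post describes.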


5 dangerous things you should let your kids do

January 31, 2008
»Gever Tulley, founder of the Tinkering School, talks about our new wave of overprotected kids — and spells out 5 (and really, he’s got 6) dangerous things you should let your kids do. Allowing kids the freedom to explore, he says, will make them stronger and smarter and actually safer.«

5 dangerous things you should let your kids do (video, 9:20)


Terrorist Threat Levels around the World

January 24, 2008

Attitude Adjustment Needed?

January 17, 2008

[Notice for our international readers]

I have no idea what went wrong today when a British Airways jet crashed short of the runway at London Heathrow. Nobody does at this point; we’ll have to wait for the results of a thorough investigation, which will undoubtedly be carried out for this crash as for any other. This is the way the aviation community learns from mistakes all around the world.

So there would not be much to say about this accident, had I not tripped over a statement that BBC News quotes prominently in their online coverage of the events, attributed to David Learmount, air transport expert:

»BA pilots don’t make error of judgements of that type, especially not at the home base, let alone anywhere else«

This is not the appropriate attitude towards safety and the causes of accidents. In reality, pilot or flight crew error is the primary cause of accidents in aviation. At this point, let me repeat myself, we don’t have the slightest idea what caused this crash, but we know for sure that even BA pilots make errors of judgement, perhaps even of this particular type.

To be fair, in my experience with the media, a sentence like this is one short snippet selected by a journalist out of a longer conversation. It may not entirely represent what was said, and our air transport expert may be innocent. However, in the particular way in which it appears on the BBC page, emphasized through page layout and ripped out of its possible context, it is just plain wrong.

Update:

  • The Man in a Shed points out: »It is worth speculating as to why all BA 777’s and other airline 777s haven’t been grounded given the reported total electrical failure of the aircraft. Perhaps something is known about the cause after all.« I’m afraid he might have wrong expectations about aircraft being grounded. This is not the common reaction to any incident or accident unless it is obvious that there would be a high, immediate danger in not doing so.
  • Kevin Anderson criticizes the Times’ coverage of the events.
  • Holly of PlaneBuzz discusses the many ways in which this accident is perplexing. This is exactly why it needs to be investigated.
  • Juan Antonio Giner of Innovations in Newspapers noticed a BA ad in the middle of a news report on the accident, and has further comments on the reporting.
  • Jon, too, complains about the style of reporting and recommends that we wait for the results of the investigation.

Helen Keller on Security

January 14, 2008
»Security is mostly a superstition. It does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. Life is either a daring adventure, or nothing. To keep our faces toward change and behave like free spirits in the presence of fate is strength undefeatable.«

Helen Keller, deafblind American author, activist, and lecturer. Quote found here.