The Men Who Stare at Goats

October 25, 2009

Jon Ronson has found a way of writing a comedy about torture and warfare. The best thing about it: many of the ideas behind it, like many of the non-lethal weapons, are real. Funny, isn’t it? Here are some of the ideas.

Subliminal Sound Weapon

LED-Flashlight

Dangerous Microwaves

Grotesque Weaponry

The Hippies behind it


In a Word

October 25, 2009

The Cloud Computing Consultant

October 18, 2009

White Hat Hacker Man

October 14, 2009

Nerds …

October 13, 2009

P!=NP proof


In a Word

October 1, 2009

Baloney Detection Kit



Misha Glenny investigates global crime networks

September 27, 2009

Identity Theft

September 25, 2009

Internet security by numbers

September 23, 2009

For the collectors and slide producers among you:

SANS Cyber Security Survey 2009
The survey found that Web server-side applications are the target of more than 60% of all Internet attacks and that “Web application vulnerabilities such as SQL injection and cross-site scripting flaws in open source as well as custom-built applications account for more than 80% of the vulnerabilities being discovered. Despite the enormous number of attacks and despite widespread publicity about these vulnerabilities, most Web site owners fail to scan effectively for the common flaw.” http://www.sans.org/top-cyber-security-risks/

(See Making Sense of the SANS “Top Cyber Security Risks” Report at The New School of Information Security for a critique of the report.)

X-Report by IBM 2009
According to the report, criminals are leveraging insecure Web applications to target users of legitimate Web sites. These attacks are intended to steal and manipulate data and to take command and control of infected computers. The report states that SQL injection attacks rose 50 percent from Q4 2008 to Q1 2009 and then nearly doubled from Q1 to Q2.
http://www-935.ibm.com/services/us/iss/xforce/trendreports/

Sophos Security Threat 2009
23,500 new infected webpages are discovered every day. That’s one every 3.6 seconds, four times worse than in 2007.

http://www.sophos.com/sophos/docs/eng/papers/sophos-security-threat-report-jul-2009-na-wpus.pdf


Digital Cold Reading: The CSS History Hack

September 20, 2009


Cold reading is a technique used by mentalists to simulate psychic powers and impress people. Essentially, the cold reader is supplying words and the other person supplies their meaning as well as hints for the reader.

The CSS history hack, which seems to impress quite a few people, is nothing more than the Web’s version of cold reading. Your impression is that any Web site can read your browser history. There is indeed an information leak, and no Web site should get access to history information. But this leak is very small. It doesn’t reveal the whole history to anyone who dares to ask. The CSS history issue only gives us an oracle: we can ask the oracle whether a particular URL is in the history or not. So to find out that you’ve read this blog post, we would have to ask the oracle about the precise URL of this post.

Nonetheless, demonstrations of the history hack impress people. The trick is simple and similar to the cold reading technique. History hack demos use a set of URLs that leads to a hit for almost every Internet user in the world: Google, YouTube, Microsoft, Wikipedia, Flickr, Apple, Slashdot, Amazon, and so on. A mentalist would guess and suggest these until you start giving feedback on which to hook. The CSS history hack replaces this interaction with asking the oracle, which avoids wrong guesses. The trick is really to use a set of Web sites that guarantees a hit, and to use a minor information leak to remove from the set the wrong guesses that would spoil the effect. This works well with the top 20/top 50/top 1000 sites on the Web, but it won’t scale to arbitrary URLs.
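As an added example (not part of the original post), here is a small Python model of the oracle argument above: the oracle answers one exact-URL membership question at a time, a demo only shows candidates that pass it, and near-miss variants of a URL each count as a separate, failing question. The history contents, the candidate list and the blog URL are constructed for illustration.

```python
"""Model of the CSS history "oracle" discussed above (constructed example).

The leak answers a single yes/no question per exact URL.  A demo combines
that with a list of popular sites (the cold reader's safe guesses) and
shows only the hits; nothing outside the candidate list is ever revealed.
"""

# Constructed sample history standing in for a real browser's history.
POST_URL = "http://example.org/blog/2009/09/20/css-history-hack/"
SAMPLE_HISTORY = {
    "http://www.google.com/",
    "http://www.youtube.com/",
    "http://en.wikipedia.org/wiki/Cold_reading",
    POST_URL,
}

# The demo's guess list: sites almost everyone has visited (constructed).
POPULAR_SITES = [
    "http://www.google.com/",
    "http://www.youtube.com/",
    "http://www.microsoft.com/",
    "http://www.wikipedia.org/",
    "http://www.flickr.com/",
    "http://www.apple.com/",
    "http://slashdot.org/",
    "http://www.amazon.com/",
]


def history_oracle(history, url):
    """The leak itself: 'is this exact URL in the history?' and nothing more."""
    return url in history


def cold_read(history, candidates):
    """What a history-hack demo displays: the candidates that pass the oracle.

    Wrong guesses are silently dropped, so the audience only sees hits."""
    return [url for url in candidates if history_oracle(history, url)]


def probe_variants(history, url):
    """Near misses the oracle cannot bridge: each spelling is a separate question.

    Returns a mapping of variant -> oracle answer; only the exact string hits."""
    variants = [
        url,
        url.rstrip("/"),                        # trailing slash dropped
        url.replace("http://", "https://", 1),  # different scheme
        url + "?ref=newsletter",                # extra query string
    ]
    return {v: history_oracle(history, v) for v in variants}
```

Scaling the demo from a hit list to arbitrary URLs would mean asking the oracle once per candidate string, which is exactly why the trick stops at the top-N sites.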


Swiss Cheese Security

September 8, 2009

I’m off to the New Security Paradigms Workshop in Oxford, where I will present what I currently call the Swiss Cheese security policy model. My idea is to model security mechanisms as classifiers, and security problems in a separate world model as classification problems. In such a model we can (hopefully) analyze how well a mechanism or a combination of mechanisms solves the actual problem. NSPW is my first test drive of the general idea. If it survives the workshop, I’m going to work out the details. My paper isn’t available yet; final versions of NSPW papers are to be submitted a few weeks after the workshop.


Crime by numbers

September 5, 2009

Production-safe Testing

September 1, 2009


Software testers increasingly have to deal with production systems. Some tests make sense only on production systems, such as Nessus-style vulnerability scanning. And an increasing number of systems are hard to reproduce in a test bed, because the system is really a mashup of services, sharing infrastructure with other systems at various levels of abstraction.

Testing production systems imposes an additional requirement upon the tester: production safety. Testing is production-safe if it does not cause undesired side effects for the users of the tested system or of any other system. Potential side effects are manifold: denial of service, information disclosure, real-world effects caused by test inputs, or alteration of production data, to name just a few. Testers of production systems therefore must take precautions to limit the risks of their testing.

Unfortunately, it is not yet very clear what this means in practice. Jeremiah Grossman unwittingly started a discussion when he made production safety a criterion in his comparison of Web site vulnerability assessment vendors. Yesterday he followed up on this matter with a questionnaire, which is supposed to help vendors and their clients discuss production safety.

The time is just right to point to our own contribution to this discussion. We felt a lack of documented best practice for production-safe testing, so we documented what we learned over a few years of security testing. The result is a short paper, which my colleague and co-author Jörn is going to present this weekend at the TAIC PART 2009 conference: Testing Production Systems Safely: Common Precautions in Penetration Testing. In this paper we tried to generalize our solutions to the safety problems we encountered.

The issue is also being discussed in the cloud computing community, but their starting point is slightly different. Service providers might want to ban activities such as automated scanning, and deploy technical and legal measures to enforce such a ban. They have good reason to do so, but their users may have equally good reason to do security testing. One proposal being discussed is a ScanAuth API to separate legitimate from rogue scans. Such an API will, however, only solve the formal part of the problem. Legitimate testing still needs to be production-safe.


Anti-social

August 30, 2009

apache.org compromised


Computer & Cars

August 28, 2009

Just wondered what the world looks like today; here are some answers.

http://auto.howstuffworks.com/car-computer.htm

http://auto.howstuffworks.com/question113.htm


Car-Security

August 28, 2009

Yesterday I visited the CAST workshop on mobile security for intelligent cars, which ended with a very interesting discussion that illustrated the complexity of the problem and raised many interesting questions. First the speakers gave a good overview of the main research areas and important projects like EVITA or SIM-TD, which is said to be the biggest field test worldwide and focuses on car-to-x communication. Everybody agreed on the main distinctions (safety vs. security; in-car communication, car-to-car communication, etc.), and privacy issues were the main topic. As Frank Kargl from the University of Ulm pointed out, the car has a strong connection to its owner, and its movements might tell a lot about the individual. Privacy concerns have already entered the car world, because navigation tools send GPS information home and companies like TomTom build up large data collections.



How to Become a Cult Leader

August 6, 2009

In a Word

August 4, 2009

Internet helpdesk

July 31, 2009



In a Word

July 25, 2009

How Effective Are Child Car Seats?

July 16, 2009

Steven Levitt, after looking at a vast amount of accident data, is convinced that child car seats are pretty useless for children of ages >2. His TED talk teaches important lessons on how we think about safety equipment.


Many thanks to reader Doppelfish for digging this video out.


Don’t worry!

July 10, 2009

Boeing 777 wing load test.



50 Ways to Inject Your SQL

July 5, 2009
