Hacking and Phreaking in the UK. Old school ethics, New school tech.

Archive for the 'Encryption' Category

05 16th, 2007

Slashdot informs us of an entertaining “hack”…

“….pulled off when Randall Munroe, author of the popular webcomic XKCD, spoke at MIT by invitation of the Lab for Computer Science. MIT hackers dropped hundreds of labelled playpen balls onto the audience from hatches in the ceiling. The labels bore XKCD’s logo as well as the recently discovered 16-byte AACS processing key. At another point in Munroe’s talk he was stalked by remote-controlled mechanical velociraptors; but fortunately he had been supplied with a squirt gun full of grape juice.”


02 12th, 2007

It would appear that Microsoft hasn’t learnt from its previous experiences. Working as a consumer IT technician during the release of Windows XP, we found it trivial to load an XP Upgrade pack onto any system. This was possible because the XP upgrades were merely full editions with a number of checks in place. Buy an upgrade, bypass the checks and install your new version of Windows at half the cost.

Vista has been released for about two weeks now and guess what? It’s happened again.
The Register reports on Marc Liron of www.instantvista.com and his technique to apply the same strategy to Windows Vista.

From the article.

“In short, all you need to do is delay entering your product key and delay validating your copy of Vista online until the setup is complete. For some reason, Microsoft has decided to allow users to install first and deal with the paperwork later. Simple in theory, although the details of exactly how to do this are a bit lengthy, and we strongly recommend following Liron’s step-by-step instructions linked above. But, in a nutshell, all you are doing is avoiding the traps that MS has set up to cancel the upgrade installation if an authorised version of Windows isn’t already present. If you dodge those traps, you can install a Vista upgrade on any machine, and later enter your product key and validate your copy normally.”

More Information:

The Register – How to install a Vista upgrade on any PC
Marc Liron Article, Step by step guide.


Vista DRM Cracked
author: Biomech
01 29th, 2007

From Slashdot:

“Security researcher Alex Ionescu claims to have successfully bypassed the much discussed DRM protection in Windows Vista, called ‘Protected Media Path’ (PMP), which is designed to seriously degrade the playback quality of any video and audio running on systems with hardware components not explicitly approved by Microsoft. The bypass of the DRM protection was in turn performed by breaking the Driver Signing / PatchGuard protection in the new operating system. Alex is now quite nervous about what an army of lawyers backed by draconian copyright laws could do to him if he released the details, but he claims to be currently looking into the details of safely releasing his details about this at the moment though.”


11 22nd, 2006

From the BBC:

Motorists who get stopped by the police could have their fingerprints taken at the roadside, under a new plan to help officers check people’s identities.

A hand-held device being tested by 10 forces in England and Wales is linked to a database of 6.5m prints which police say will save time because people will no longer have to go to the station to prove their identity. Officers promise prints will not be kept on file, but concerns have been raised about civil liberties.

Bedfordshire are the first force to use the equipment, which is being distributed among the forces in Essex, Hertfordshire, Lancashire, North Wales, Northamptonshire, West Midlands and West Yorkshire, as well as to British Transport Police and the Metropolitan Police, over the next two months.

It is primarily aimed at motorists because banned or uninsured drivers often give false names, although pedestrians could also be asked to give prints if they are suspected to have committed an offence.

Police Minister Tony McNulty said: “The new technology will speed up the time it takes for police to identify individuals at the roadside, enabling them to spend more time on the frontline and reducing any inconvenience for innocent members of the public.”


How fingerprinting works

Under the pilot, codenamed Lantern, police officers will be able to check the fingerprints from both index fingers of the suspect – with their permission – against a central computer database, with a response within a few minutes.

“The handheld capture device is little bigger than a PDA,” said Chris Wheeler, head of fingerprint identification at the Police Information Technology Organisation (PITO). “Screening on the street means they [police] can check an identity and verify it.”

Currently an officer has to arrest a person and take them to a custody suite to fingerprint them.

Electronic safeguards

The device will be used with the Automatic Number Plate Recognition team, who identify vehicles of interest.

If a vehicle is stopped, police will be able to identify the driver and passengers. At present about 60% of drivers stopped do not give their true identity.

Inspector Steve Rawlings, based in Luton, said it takes two sets of fingerprints and the fingerprints are not retained.

“The encounter can be 15 minutes on the roadside rather than three hours in the police station,” he said.

The device has an accuracy of 94-95% and will be used for identification purposes only, say police, and there are electronic safeguards to prevent misuse.

It sends encrypted data to the national ID system using GPRS – a wireless system used by many mobile phones.

More than 6.5 million fingerprints are cross-referenced and sent back to the officer.

Mark Wallace, who represents the civil liberties group the Freedom Association, told BBC Radio Five Live that he had concerns about the scheme.

“I don’t think we should be reassured by the fact that at the moment it’s voluntary and at the moment they won’t be recorded”, he said.

“Both of those things are actually only happening in the trial because the laws haven’t been passed to do this on a national basis compulsorily and with recording.”


Original Article : BBC News – Police to fingerprint on streets
Help fight for your privacy and freedom at www.no2id.net


11 21st, 2006

zbuffered at Slashdot writes,

“Today, Mozilla made public bug #360493, which exposes Firefox’s Password Manager on many public sites. The flaw derives from Firefox’s willingness to supply the username and password stored on one page on a domain to another page on a domain. For example, username/password input tags on a Myspace user’s site will be unhelpfully propagated with the visitor’s Myspace.com credentials. It was first discovered in the wild by Netcraft on Oct. 27. As this proof-of-concept illustrates, because the username/password fields need not be visible on the page, your password can be stolen in an almost completely transparent fashion. Stopgap solutions include avoiding using Password Manager and the Master Password Timeout Firefox extension, which will at least cause a prompt before the fields are filled. However, in the original case detailed in the bug report, the phish mimicked the login.myspace.com site almost perfectly, causing many users to believe they needed to log in. A description of this new type of attack, dubbed the Reverse Cross-Site Request (RCSR) vulnerability, is available from the bug’s original author.”

More Information: Bugzilla Bug 360493


10 23rd, 2006

The Irish government has begun issuing RFID passports with biometric data that can be read at a distance to comply with US regulations for its visa waiver programme.

But unlike the RFID passports the USA is now issuing, the Irish ones lack a security feature preventing them from being skimmed, or read surreptitiously.

The US government has gone to the trouble of fitting its passports with a layer of foil that interferes with skimming attempts when the document is closed. The Irish government has not. A local lobbying outfit called Digital Rights Ireland (DRI) has complained that the new passports are ripe for remote privacy invasion. As of course they are.

Unfortunately, DRI has taken that a step further, fretting in a recent interview with the Sunday Times that the unprotected passports could leave Irish travelers “open to targeting by terrorists”.

Read More : The Register – Irish passports go RFID, and naked


10 12th, 2006

The Bureau of Industry and Security (BIS) is the US government department that accepts paperwork on dual-use technology for export approval. Basically, anything crypto that isn’t mass marketed goes through them.

As part of the process they receive detailed plans of how devices work which they keep on computer.

It is these computers that were hacked from source IPs in China. Whether the actual hackers were in China or whether that was just an intermediate node is anyone’s guess. It’s also not known what information was taken. However, the US took it seriously enough to take all the department’s systems offline pending a reinstall rather than attempt to clean the rootkits that were used. This is the second breach the government has admitted to since July.

Source: Bureau of Industry and Security Hacked and Chinese Hackers Hit Commerce Department
And for anyone that knows me… ‘Hi!’
This is the first of hopefully many regular posts…


10 5th, 2006

Recently I’ve had a sudden influx of porn-related spam. Given that I don’t usually get much spam, this was quite a surprise. Of particular interest, the influx started after applying, online, for a Barclay card.

Each email is a couple of lines packed with sexual words, and includes a link which, when clicked, submits a GET variable to a script at the target URL, thus validating the email address.

Example:

sexy blonde sucking and fucking
Hardcored and cummed
http://redheadteen.info/prime/siper.html?fMjXUYf.gVXjbW,hVX
Busty blonde oiled up
Amateur sex hardcore couple

The URL and .html file are variable. Obviously a little regex could filter out these emails due to the number of obscene words. But for anyone a little less tech savvy, a simpler solution is available.

The encoded variable at the end doesn’t stand out as any particular encoding (Base64, ROT13 etc.). However, cracking the code is extremely simple: the spammer uses a basic character substitution. Below are two tables; the first shows what we know to be true, the second the most likely completion of the conversion. Clear text is on the first row of each table, cipher text on the second.

Verified Conversion Table

clear:  a b c d e f g h i j k l m n o p q r s t u v w x y z . @
cipher: j ? h ? f e d ? b a Z ? X W V ? ? ? R Q P ? ? ? L ? , .
(? = not yet observed)

Most Obvious Completion

clear:  a b c d e f g h i j k l m n o p q r s t u v w x y z . @
cipher: j i h g f e d c b a Z Y X W V U T S R Q P O N M L K , .

What becomes apparent is that the encoded GET variable is the recipient’s email address. As we know the variable content will be fixed (as opposed to random and matched in a database when processed), we can use this to create a filter.

Option one would be to create a filter on the whole string. This is fine if you only have one email address; if you have multiple email addresses on a single domain, you could specify the filter to match everything after the @, or in the case of the cipher text, after the “.”

If you have numerous email addresses across a number of domains, the obvious option would be to filter on the encoded top-level domains: ,WfQ (.net), ,hVX (.com), ,VSd (.org) etc.

You can find details on how to set email filters on a number of mail clients at HideMyEmail – Spam FAQ as well as methods to help prevent spam
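As an added example (not code from the original post), here is the substitution table above turned into a Python decoder, together with the three filter options the post describes (whole address, domain after the @, or just the top-level domain). The verified and completed tables and the link format come from the post; the function names, the constructed sample message and the assumption that the token is the entire query string of the link are mine. It also flags which characters of a token were decoded through a guessed (unverified) table entry, which is how you would judge whether the “most obvious completion” has earned its keep on a new sample.

```python
import re
from urllib.parse import urlsplit

# The post's "most obvious completion" of the substitution table:
# clear text row above, cipher text row below, position for position.
CLEAR = "abcdefghijklmnopqrstuvwxyz.@"
CIPHER = "jihgfedcbaZYXWVUTSRQPONMLK,."

# The post's "verified" table, '?' where no cipher character has been observed.
VERIFIED_CIPHER = "j?h?fed?baZ?XWV???RQP???L?,."
VERIFIED = {c for c in VERIFIED_CIPHER if c != "?"}

ENCODE = dict(zip(CLEAR, CIPHER))   # clear -> cipher
DECODE = dict(zip(CIPHER, CLEAR))   # cipher -> clear


def decode_token(token):
    """Turn the cipher-text GET variable back into clear text.
    Characters the table does not cover (digits, hyphens, ...) pass through
    unchanged, so an unfamiliar token still shows its overall shape."""
    return "".join(DECODE.get(ch, ch) for ch in token)


def encode_address(address):
    """Apply the spammer's substitution to a clear-text address (case-folded,
    since the table only has lower-case clear text)."""
    return "".join(ENCODE.get(ch, ch) for ch in address.lower())


def encoded_tld(tld):
    """Cipher-text form of '.tld', the fragment the post suggests filtering on
    when you own addresses across many domains (e.g. 'net' -> ',WfQ')."""
    return encode_address("." + tld)


def guessed_chars(token):
    """Cipher characters in the token that were decoded via a completed (not
    verified) table entry; an empty list means the decode relied on facts only."""
    return sorted({ch for ch in token if ch in DECODE and ch not in VERIFIED})


URL_RE = re.compile(r"https?://\S+")


def tracking_tokens(message_body):
    """Query-string token of every URL in the message. Assumption: the spam
    links carry the token as the bare query string (no key=value pairs),
    so urlsplit(...).query is the whole thing."""
    return [urlsplit(m.group(0)).query for m in URL_RE.finditer(message_body)]


def is_tracking_spam(message_body, my_addresses=(), my_domains=(), my_tlds=()):
    """The post's filter options, strictest first: whole decoded address,
    everything after the '@', or only the top-level domain."""
    for token in tracking_tokens(message_body):
        clear = decode_token(token)
        if "@" not in clear:
            continue  # ordinary link (e.g. ?id=42), not an encoded address
        _local, _, domain = clear.rpartition("@")
        tld = domain.rsplit(".", 1)[-1]
        if clear in my_addresses or domain in my_domains or tld in my_tlds:
            return True
    return False


# Constructed sample body, using the link format shown in the post.
SAMPLE_SPAM = """(two lines of filler text)
http://redheadteen.info/prime/siper.html?fMjXUYf.gVXjbW,hVX
(more filler text)
"""

if __name__ == "__main__":
    for token in tracking_tokens(SAMPLE_SPAM):
        print(token, "->", decode_token(token), "guessed:", guessed_chars(token))
```

Decoding the post’s own sample link gives a placeholder-looking address, and the four characters flagged as guessed (M, U, Y, g) are exactly the ones the verified table leaves blank, so a real decoded mailbox name from your own inbox is what confirms the completion.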


09 21st, 2006

The good people over at Hackivismo have conjured up a new browser that allows users to surf the internet completely anonymously.

The open source program, named Torpark, utilises The Onion Router (TOR) network to constantly change where the user appears to be coming from. Along with an encryption method, Torpark provides end users with the means to scour the internet free of nosey ISPs.

“We live in a time where acquisition technologies are cherry picking and collating every aspect of our online lives – so it seems that it’s a browser attempting to redress that supposed imbalance.”
- said Oxblood Ruffin, founder of Hackivismo

Torpark is available as a free download from torpark.nfshost.com, and can be run from removable media, such as USB sticks, potentially turning any computer into an anonymous terminal.


An event to honor the inventions, inventors, historical milestones and the future of Public-Key Cryptography.

WHERE
Computer History Museum
Hahn Auditorium
1401 North Shoreline Boulevard
Mountain View, CA 94043

PROGRAM
6:00 to 7:00 PM Networking reception
7:00 to 7:30 PM Welcome and PKC Overview
7:30 to 8:30 PM Panel presentation discussing the past, present, and future of PKC moderated by Steven Levy.
8:30 to 9:00 PM Audience question and answer session

Panel Includes:

  • Moderator: Steven Levy, Author of Crypto and Senior Editor, Newsweek Magazine
  • Introduction: John Markoff, Author and Senior Writer, New York Times
  • Mr. Ray Ozzie, Chief Software Architect, Microsoft Corporation
  • Dr. Whitfield Diffie, Chief Security Officer, Sun Microsystems
  • Dr. Martin Hellman, Professor Emeritus of Electrical Engineering, Stanford University
  • Mr. Jim Bidzos, Former CEO, RSA and Founder, Verisign
  • Mr. Brian Snow, Former Technical Director for the Information Assurance Directorate, NSA, Retired
  • Dr. Dan Boneh, Professor Computer Science, Stanford University

For more information check out: ComputerHistory.org.