TSA Gets Part of Their Brain Back

25 Sep 2006

According to a TSA press release, the existing ban on an entire state of matter (liquids) and gels is partially lifted, effective as of today. Many (including myself) have previously written about how this particular move was useless security theater.

It’s about time! Too bad they are trying to tiptoe their way back to sanity. Like we’re not going to notice? But, that’s OK. as long as they continue to move in the right direction. Keep it up.

P.S. Nice timing; I’m in Massachusetts this week, without my toothpaste. Don’t worry, I bought some here, but it would have been nice to travel with mine.

T-shirt Quote

19 Sep 2006

Clint Savage and I got lunch together today. While ordering, we saw a guy with a T-shirt that read:

Heck is where people go who don’t believe in Gosh

We’re still laughing.


15 Sep 2006

A few days ago, Peter Abilla published a post about TrackMeNot.

I had read about TrackMeNot a little more than a week before on Bruce Schneier’s blog, and so I already knew TrackMeNot was a flawed idea. Peter also makes some very good points in his post, but, unfortunately, it falls short of pointing out some of the more serious problems with TrackMeNot.

I’ll just summarize the problems here. For further explanation, read Bruce’s post:

  1. It does not hide your searches (they are still identifiable with you).
  2. It’s far too easy to spot (and therefore, far too easy for AOL and others to defeat) and it’s schedule is regular & fixed.
  3. Some of the generated searches are worse than what you would try to hide.
  4. It wastes lots of bandwidth, while returning absolutely no privacy or security benefit.

I like this quote from Bruce’s post:

Yes, data mining is a signal-to-noise problem. But artificial noise like this isn’t going to help much.

“Hacker” is a Good Word

14 Sep 2006

One thing that really irritates me to no end is how the mainstream media keeps demonizing the term “Hacker”. I often get questions about the term and sometimes end up spending time explaining that the term “Hacker” has been around since long before it came to be used in the world of computers.

As I’m sure most of my regular readers have already figured out, I agree with much (but not all) of what Bruce Schneier writes. His latest post, titled “\What is a Hacker?,” repeats some things he has said before about this and is an excellent description.

Well worth the read.

Nina Reiser Missing, Hans’ Home Searched

14 Sep 2006

This morning, this story was brought to my attention. When I read it, my first reaction was, “Wow.” and that was about it.

I hope and pray that those childrens’ mother will be found soon and that she is all right.

For those who may not be familiar with the Reiser’s, Hans runs Namesys and is a key figure behind the development of the reiserfs and Reiser4 (read about Reiser4 on WikiPedia) filesystems. Reiserfs was the first journaling filesystem for Linux.

In the story, the reporters point out that the police do not regard Hans Reiser as a suspect at this time.

This makes a lot of sense to me, since Nina dropped off the kids and they were with him, she went to the grocery store and never showed up at her friend’s, according to her plan for that day. Her vehicle was found with the groceries inside of it. Though the article doesn’t say anything about it, I have to assume that the police have already verified that she did make the purchase at the grocery store and I would, therefore, also have to assume that they have video of her shopping at the store and leaving it.

There also was no mention of a search warrant for Hans’ home, but I’m sure they had one. I think it was a very good idea of the police to take the precaution of searching his home early on and to use a cadaver sniffing dog.

Much of the investigative processes and police procedure is the process of elimination. They take each possibility one by one and seek to prove or disprove it and move on to the next. That’s the same proccess we computer folk use when troubleshooting a problem. Both investigation and troubleshooting follow this line because it works very well.

Quickest Microsoft Patch Ever

7 Sep 2006

I just read this story by Bruce Schneier on Wired.

You really should read the whole article,even though I summarize it here.

The folks at FairUse4WM cracked Microsoft’s PlaysForSure DRM software in Microsoft Windows Media Player.

If you really want to see Microsoft scramble to patch a hole in its software, don’t look to vulnerabilities that impact countless Internet Explorer users or give intruders control of thousands of Windows machines. Just crack Redmond’s DRM.

It only took a couple of days for the FairUse4WM people to compensate. I’m sure it won’t be long before Microsoft tries to patch this again.

But the real moral of the story is that companies like Microsoft don’t actually care about security except when it embarrass them or directly threatens their strategic agreements (like with record labels).

Another Fair Weekend

6 Sep 2006

For the past 20+ years, Charlotte’s family have traveled to Blackfoot, Idaho for the annual East Idaho State Fair. The fair “officially” begins on Labor day, but all the judging and setup is done by the end of the Friday before, so they have always gone up for the weekend as it’s less crowded. Still, each year I’ve been up there with them, it’s been fairly (no pun intended) crowded.

This year, Charlotte and I were the only family that went. As I needed to spend monday getting some work on NeverBlock done, we planned our trip for Saturday & Sunday.

The weather was very nice on Saturday and I bit warmer on Sunday. we enjoyed some of the usual foodstuffs and tried a couple of new things, too. We decided not to buy Ginsu knives this time and saw that this year there were far fewer crossstitches entered than usual. Of course, we had to see some of the animals, too:

[Ed. originally, I placed a <!--more--> tag here, but WordPress didn't build the feed properly. My apologies to those who read the Utah Open Source Planet and ended up with the outrageous images. I decided to take the images out of the story and just provide links to the image files, instead.]

We found this guy at the petting zoo.

Dachshund up close.

A little Dachshund kiss for me.

Yup! I’m tasty.

He kept climbing higher to make sure he could taste my cheeks, chin, nose, eyes, ears and even my tongue (I didn’t let that happen on purpose). :)

Ah, a nice little portrait shot.

Although, we really liked this dog, we just couldn’t see ourselves shelling out $600 to take him home. Apparently, they did sell most of the dogs they had brought with them over the weekend. I guess that’s how the petting zoo stays free each year.

We also found some piglets:
Mama’s tired of you guys; take a break.

One of the babies was even a little curious:
Curious pig.

We even saw some rather curly tails:
Now, that’s a curl.

I’m looking forward to next year.

Web Browsers and Encryption

1 Sep 2006

While we’re on the subject of browser safety, please, everyone follow this advice: turn off SSL v2 support in every web browser you use. The default configurations of almost all web browsers still leave SSL2 support on for backwards compatibility. There is no such thing as a legitimate encrypted website that uses SSL2, which is completely insecure. Since there is a small flaw in SSL3 that can let an attacker trick any program using SSL3 into “falling back” to SSL2, if you don’t take my advice, you could be using SSL2 and not even know it.

I also disable all SSL3/TLS encryption suites that provide less than 128 bits of key and all 3DES (a.k.a. triple-DES, DES EDE mode or TDES) sets. This is not just because 3DES is insecure, but also because 3DES is so slow. It consumes significantly more processing time and doesn’t really provide much better security than standard CBC mode DES. It’s just not worth the overhead. In addition, there are several vulnerabilities in both 3-key & 2-key 3DES that significantly reduce the complexity to brute-force them. 3DES is not considered a safe protocol.

In their paper titled, “Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES“, John Kelsey, Bruce Schneier and David Wagner describe one weakness found in 3-key 3DES that isn’t present in 2-key 3DES (among other interesting things).

From what I’ve read in the past about browser 3DES support, although nearly all browsers say they use 168 bit 3DES keys (3-key 3DES), many actually use(d) 2-key 3DES (112 bit). I’m not sure how true or false this is in modern browsers, I’ll have to do further research to find out.

New Anonymous Browser is Unsafe

1 Sep 2006

You might have heard of the new Browzar web browser. Their website claims: “With Browzar you can search and surf the web without leaving any visible trace on the computer you are using.

Well, it’s just not true.

It’s only a thin wrapper around Microsoft’s Internet Explorer version 5.5 (or later). Since IE stores all sorts of stuff in places on your system without telling you, Browzar can’t deal with all of it. Scott Hanselman has actually shown that Browzar misses the mark on this point.

There are other problems with this, too. For example, this program will not affect any servers that you visit, or any caching proxy servers in between (like at work or a university).

Anonymity on the web is not just about the stuff that’s on your computer, though it’s an important part; it’s also about the things those servers you connect to keep track of and tell each other.

Web browsers such as KDE‘s Konqueror, Mozilla‘s Firefox, Apple‘s Safari (built on/from Konqueror, BTW) and others already support local privacy features. These include Konqueror’s excellent cookie management capabilities and Firefox’s support for auto deletion of cached data. All of these browsers sport these privacy enhancing features, though they have differing approaches and levels of control.