Category Archives: Vulnerabilities

news.com.au polls rigged

A news.com.au poll over whether “football” or “soccer” was a better name for the world game resulted in 2006 votes for each.

IT’S OFFICIAL. Australia is completely split down the middle on the issue of whether to call the world’s most popular sport “soccer” or “football”.

A News.com.au reader poll which has attracted 4,012 votes at the latest count reveals that exactly 2006 people voted for football, and 2006 for soccer.

What they apparently didn’t realise was that the poll was rigged. A user posted to Reddit that he had hacked the system and ensured this and other polls came out equal.

I actually wrote a program where for each option someone voted, my program would vote once for every other option, thus maintaining a deadlock.

Every now and then, they reported on poll results as if it were actual news. After I emailed them alerting them to this, they have yet to retract any of their articles.

The whole saga was blogged here.

Just in case News remove the story above, here’s a screendump. — update Wednesday 8:50pm: it has now been removed.

news.com.au poll

PIN no longer required: Costs externalized as personal endangerment

Australian consumers can now use their Visa cards to pay for small value transactions of $35 or less without entering a PIN or signing a receipt, Visa announced today.

This requires the retailer to actively pursue this strategy, but the payment network no longer demands identification for these “low value” transactions. They claim that security isn’t compromised by this. Their logic goes like this:

  1. $35 isn’t much.
  2. If someone steals your card, they can only obtain $35 worth of goods and services per transaction until the card is shut down.
  3. Your card issuer will eventually notice all of these transactions and phone you to make sure everything is okay.
  4. The retailer wears the risk of these unauthorised transactions

So what’s to stop your teenager borrowing your card to go buy snacks at McDonalds (one of the early adopters of this security-flexibility) whenever they’re hungry? The card company’s logic goes like this:

  1. $35 isn’t much.
  2. If someone borrows your card without your knowledge, they can only obtain $35 worth of goods and services per transaction.
  3. The retailer wears the risk of these unauthorised transactions

So why would a retailer run the risk of a month’s worth of Coles supermarket purchases (another early adopter) – which could easily exceed $1000 with one or two purchases a day – being fraudulently run up? Because when you complain to your card issuer, they require a police report. The police, being a diligent lot, will follow up these $35 thefts, go to the stores, look at the video footage, realise they don’t know what you look like, come around to your house, compare the picture against you and decide it’s not you. Then they’ll think “How did this person who isn’t the cardholder get hold of the card without the cardholder noticing until they got the bill?” and they’ll suspect an inside job, and ask you if you recognise the person in the video footage. If you want your teenager to have a criminal record with 30+ theft convictions you’ll scream “Sarah! Come here!” and that will be that; otherwise you might stay quiet.

Of course, it might not be your teenage daughter with the munchies; somebody at work might borrow the card from the wallet on your desk to buy lunch when they’ve run out of cash, or friends when you’re out “dining” at McDonalds.

Worse yet are the organised criminals who can easily prove their expenditure is not their own – it was in another state! Because there’s no motivation to Express Post your card to an interstate confederate for them to have a quick run around with it before Express Posting it back. In short order it can become quite a bill too – at Apple Stores it’s up to $150 without a signature being needed. These expenditures can be book-ended by legitimate local purchases, leading the cardholder to say “well, I never authorised that, I’ve still got the card, so you figure it out”. The cost of these thefts, which all the video footage in the world isn’t going to connect to the cardholder (nor, with some precautions, to the confederate), goes onto the general costs of running the retail operation, pushing up prices.

Retailers always had the option of skipping the need to sign for a transaction – be it on their own heads. So presumably they think that the video footage will reduce the level of loss experienced.

Now, presumably this fraud will cost less than the expenditure saved – assuming a check-out chick costs $25/hour to employ, it implies at least 1.4 person-hours are saved per fraud, and assuming a saving of four seconds per transaction, they’re expecting no more than 1 fraud in 1280 transactions. But I ask: isn’t it better to pay $35 to working Aussie families… our most valuable assets, rather than hand over, say, $30 to criminals through lax security?

With contactless payments finally with us, there’s even more reason to fear unauthorized transactions, per this video of a guy stealing the identifying information off a smart card:

It appears that in addition to annual fees, international conversion fees, interest charges and so forth, the price of a credit card is the same as freedom: eternal vigilance.

All of this is lovely and academic, but the activity by retailers and card issuers has the effect of turning every card in my wallet into many unchallenged $35 purchases. This acts as a motivator to steal my cards from me. If my wallet is stolen, I can immediately cancel the cards, so no risk there. So to get at the lovely $35 goodness, the thief needs to stop me doing that – clonking the victim on the head is a good way of preventing reporting. I like my head. I don’t mind spending 4 seconds a transaction to prevent an increase in people getting brained.

The worst part is there’s no way to opt out of this reduced security; I can’t say to Visa: “No, for my card, only pay money when a PIN is supplied.” It’s forced on everyone. I remember when these PIN things came out, and I was repeatedly assured that they were more secure than a signature, and I could assure them that it wasn’t – the damn PIN is encoded on the mag strip of the card (precisely copied in seconds!), and any fool can see you keying your PIN in. Now another layer of security has been whittled away, leaving… video investigation.

I feel so safe!

The logo doesn't make it secure

http://www.greatreads.com.au/the7deadlysins/competition1.htm

See the protocol on the front? On the page, next to the big VeriSign logo:

We guarantee that every transaction you make on our website will be safe. Our secure server software (SSL) is the best software available today for secure commerce transactions. It encrypts all of your personal information, including credit card number, name, and address, so that it cannot be read as the information travels over the Internet. When an order is received, SSL is again used to unscramble the message, check that it came from the correct sender, and verify that it has

Has what? It's a mystery.

What is it with these half-baked web pages?


Microsoft: please stop using Word

There’s a Zero-Day attack targeting MS-Word. This is the work-around:

Do not open or save Word files that you receive from untrusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted Word file.

Don’t open Word files, not even in the Word viewer.

Nice.

I think I’ll just keep using Open Office.

Releases and recalls

Another major release of iTunes, another batch of complaints about glitches and poor performance. I’ll wait for an x.02 or x.03 release.

Mind you it could be worse… a recall of Segways cites random reversing. At least if iTunes skips a track you’re not risking your life.

Common Passwords

A UK mob has collected Top 10 Most Common Passwords; soccer teams rate highly. German passwords are just as lame, with the f-word, hello and digits strings starting with 1234 rating very highly, as does treasure and, for some odd reason, Daniel (care to explain, mister?).

Dictionary-based searching works – if you aren’t going through something that monitors for that sort of thing. Ophcrack will break into a Windows system by running through very large dictionaries, some of which are available only by purchase.

Perhaps read the advice on Choosing a Pretty Good Password. Myself, most of my passwords are highly insecure. But that’s only because they’re on systems I don’t give a tinker’s cuss about. The ones I do care about are pretty tight.

Does anyone out there use multiple, changing, strong passwords? If so, how do you keep them straight? If not, why are you toying with your security like that?
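The kind of screen a site could run before accepting a password, as an added example (not code from the surveys or tools mentioned above): it rejects anything on a common-password list, digit-only strings, and the usual mangled variants of list words (a trailing year, a leet-speak letter swap). The list itself is a small constructed stand-in for a real top-N survey, with entries chosen to mirror the patterns the post describes.

```python
import re

# Constructed stand-in for a published top-N list; a real check would load
# the full survey data. Entries mirror the patterns the post describes
# (football clubs, 'hello'/'hallo', first names, keyboard walks).
COMMON_PASSWORDS = {
    "password", "hello", "hallo", "qwerty", "letmein", "daniel",
    "liverpool", "arsenal", "chelsea", "schatz",
}
MIN_LENGTH = 12

# Substitutions that dictionary-attack mangling rules routinely undo.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})
TRAILING = re.compile(r"[\d!@#$%^&*.?_-]+$")


def candidate_bases(password: str) -> set[str]:
    """Return the plain words a mangling rule could have produced this from."""
    lowered = password.lower()
    stripped = TRAILING.sub("", lowered)
    return {
        lowered,
        stripped,                                     # Liverpool1 -> liverpool
        stripped.translate(LEET),                     # H3llo!     -> hello
        TRAILING.sub("", lowered.translate(LEET)),    # hell0      -> hello
    }


def weaknesses(password: str) -> list[str]:
    """List the reasons a password would fall to a common-list or dictionary attack."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        reasons.append("digit-only string")
        return reasons
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("in the common-password list")
        return reasons
    hits = sorted(candidate_bases(password) & COMMON_PASSWORDS)
    if hits:
        reasons.append(f"'{hits[0]}' plus a predictable suffix or leet-speak")
    return reasons


def is_weak(password: str) -> bool:
    return bool(weaknesses(password))


if __name__ == "__main__":
    for pw in ["liverpool", "Liverpool1", "12345678", "H3llo!",
               "Arsenal2006!", "correct horse battery staple"]:
        print(f"{pw!r}: {weaknesses(pw) or 'no obvious weakness'}")
```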

Protecting yourself against the BitTorrent bandits!

Yet again the internet works around corruption. With the anti-P2P crowd attempting to poison the BitTorrent well, here’s today’s workaround to Wasted BitTorrent data.

Basically, it’s a list of IPs known to host fake/poison BitTorrent peers that can be loaded into µTorrent.

Nuke it from orbit

Microsoft Says Recovery from Malware Becoming Impossible

Ripley: I say we take off and nuke the site from orbit. It's the only way to be sure.

“When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit,” Mike Danseglio, program manager in the Security Solutions group at Microsoft, said in a presentation at the InfoSec World conference.

It’s the only way to be sure.

Vaccination and Hippies

Owen turned four (months) recently, and he was taken to the doctor for that round of inoculations. That reminded me that when Cathy and I were doing childbirth classes we discovered that the lunatic fringe is alive and well in Melbourne. The subject was “Sleeping Soundly”, the opening minutes of which were about vaccination for no reason I could discern.

The World Health Organisation, whom the Choices for Childbirth speakers quote when lamenting (quite rightly, in my opinion) the high medical intervention rate during childbirth, is studiously ignored when talking about how one ought to explore both sides of the “debate” over immunization. The WHO says “No child should be denied immunization without serious thought about the consequences, both to the child and the community”.

Humans are terrible at estimating risk (also known as probabilities). They happily play lotteries (one in millions chance of winning), but then drive their kids to school (running a pronounced risk of a car crash and injuries vs a vanishingly small risk of a perverted old man snatching their kid and having his way with them). Humans are prejudiced machines – they decide things without knowing all the information (pre-justice, or pre-judge). They make decisions based on what they can recall on the subject. And this is counterpointed by the news media, which reports news. They don’t report that millions of Aussies got out of bed, went to work and came home again, without incident. That’s not news. Someone being bitten (or better yet, taken) by a shark, that’s news – because it hardly ever happens. Things that are unusual, different, out of the ordinary and notable are part of every night’s TV viewing. A viewing night of four hours – 240 minutes – includes 30 minutes of really unusual stuff, so odd and weird that the TV station sent a film crew out to take pictures of it (ever woken to find a camera crew filming you getting out of bed? “This morning, Josh got out of bed…” No, didn’t think so). And humans think “I better be careful when I go swimming, a shark could get me. I’ve seen that happen a couple of times in the last few months. In fact, just to be safe, I won’t go swimming”. We have crime shows on every night, leading viewers to think “there’s a lot of crime out and about. I’ll drive to the shops”. The news loves a good kidnapping (“little girl snatched from her bedroom”), and happily ignores the fact that almost all child abductions are performed by relatives. But we’ll drive them to school, to keep them safe (and fat). So when the tabloid TV shows announce that a child has reacted poorly to an inoculation, immunization rates plummet, in the same way breast cancer screening rates jumped right after Kylie got it.

More often than not, they use their power for evil rather than good.

These same TV shows give equal time to minority and majority opinions, in the interests of fairness. Which would be fine, except humans will go “hmmm, it seems that professional opinion on this is divided down the middle, I’ll just be safe and not vaccinate my child (besides, needles hurt).” It’s dangerous and irresponsible scaremongering amongst the vaccination decision makers – parents. And they’re being affected by it. Infectious diseases the developed world thought it had eradicated (think whooping cough, which was almost wiped out – ) are resurfacing as a result of the crazy hippies who reckon that this vaccination thing is all a money making scam by the multinational pharmaceutical companies.

Vaccines don’t always work. They are not 100% effective. You can get a disease after being vaccinated against it – the vaccine may not provoke an immune response. And that doesn’t have to matter.

Needles hurt. Vaccines have an inherent level of danger. Injecting pathogens into your body isn’t something it’s really designed for, and keeping vaccines viable for an acceptable time means there’s stuff in them that some bodies will not react well to. Some immune systems go ape shit when they see the disease. Some people die. I’d like to point out how badly the bodies of these people will react when they get the real, live, unattenuated, unadulterated, honest-to-God virulent form of the disease – exceptionally poorly. But nonetheless, there is a potential cost associated with being vaccinated.

I’m going to talk about Herd immunity and the free loader effect. A certain level of non-vaccinated members of the population is acceptable, but varies from disease to disease – the immunization you’re given may not invoke an immune response in you, but at the same time, if about 90% of the population is immune, generally an infectious disease is not going to become pandemic. Which is fine, and everyone’s happy. Until God damn hippies start running around not getting immunised, becoming free loaders on those of the population who have run the risk of reacting horribly. With enough people unimmunised, eventually the herd immunity effect breaks down, and the kids of the hippies end up getting diseases that we thought no one got anymore. And, no doubt, the hippies whinge about it, but refuse to take the blame for the kids of responsible parents who got the disease despite being vaccinated against it – because their bodies failed to produce an immune response. And those responsible parents will be too grief stricken to blame the hippies for killing their child.

The Australian federal government’s Immunisation Myths and Realities booklet talks about the complaints that hippies put forward. Myths such as the MMR vaccination causing autism.

The adverse reactions a vaccination may produce are mild compared to what would happen if the child actually got the disease. The only elevated risk is to those intolerant of egg products.

Let’s have a look at what these diseases do. Because, if you’re against immunizing against them, they can’t be that bad, insofar as diseases go, right? Because you’re happy to run the risk of your child catching and living with (and dying from) these diseases, versus the risk of your child having “something happen to them” as a result of being vaccinated.

From the Australian National immunisation program schedule of immunisations, things that you’re inoculated against:

  • At the moment of birth: haemorrhaging. Normally Vitamin K is produced by bacteria in the intestines, and dietary deficiency is extremely rare unless the intestines are heavily damaged. But newborns are nearly sterile – if the amniotic sac is intact, they are sterile. Thus, no bacteria, and no Vitamin K, which is needed for the post-translational modification of certain proteins, mostly required for blood coagulation.
  • Polio, check out photos of polio victims. The virus invades the nervous system, and the onset of paralysis can occur in a matter of hours. Polio can spread widely before physicians detect the first signs of a polio outbreak – so forget pulling your child from school when someone is noticed with polio, this is not a prophylactic method with any level of success.
  • Diphtheria, check out photos of children with Diphtheria, a bacterial infection. Long-term effects include cardiomyopathy (the heart wastes away) and peripheral neuropathy (ie, paralysis).
  • Pertussis or whooping cough. Doesn’t sound so bad, a bit of a cough. Check out the photos of babies with a bit of a cough. Complications of the disease include pneumonia, encephalitis, pulmonary hypertension, and secondary bacterial superinfection.
  • Rubella, a relatively mild disease (photos) unless it’s caught by a developing fetus. Lifelong disability results. But I guess that’s the fetus’ problem, not yours.
  • Mumps usually causes painful enlargement of the salivary or parotid glands. Orchitis (swelling of the testes) occurs in 10-20% of infected males, but sterility only rarely ensues; a viral meningitis occurs in about 5% of those infected. In older people, other organs may become involved including the central nervous system, the pancreas, the prostate, the breasts, and other organs. The incubation period is usually 12 to 24 days (again, don’t bother pulling your kids from school – they’ve already got it). Mumps is generally a mild illness in children in developed countries. So your child should get it.
  • Hepatitis B – Over one-third of the world’s population has been or is actively infected by hepatitis B virus, so it can’t be all that bad. Hepatitis B infection may lead to a chronic inflammation of the liver, leading to cirrhosis. This type of infection dramatically increases the incidence of liver cancer. Only 5% of neonates that acquire the infection from their mother at birth will clear the infection. Seventy percent of those infected between the age of one to six will clear the infection. When the infection is not cleared, one becomes a chronic carrier of the virus.

There are other diseases, but I’ve only got so much time. Read the Australian federal government’s Immunisation Myths and Realities booklet. And for the love of all that’s right in the world, get your children immunised.

Just because you don’t understand statistics, science or even simple logical reasoning, doesn’t make vaccinating your children a bad thing. Perhaps, if you don’t understand any of these things, you should leave the decision making on vaccination to the professionals?