Archive for the ‘Security’ Category

SSH Tunnel Manager for OS X Feb 21 2005

Tynsoe projects

SSH Tunnel Manager is a front-end for the ssh command when used to open tunnels between two hosts. Those command lines are particulary long and confusing, especially for novices, and I never remember which argument comes first, if I have to open local or remote tunnels and so on… That’s why I wrote this tool.

Midwest Technology Journal – PHP Web Application Security: A Zero-Day Exploit Case Study Feb 8 2005

Looks like my latest article is up on Midwest Tech Journal. Check it out if you’d like to read an analysis of a zero-day PHP cross-site-scripting attack that happened on a client’s site.

Midwest Technology Journal – PHP Web Application Security: A Zero-Day Exploit Case Study

On December 29, 2004 James Bercegay of the GulfTech Security Research Team ( published a security vulnerability advisory about a web-based calendar application called php-Calendar. This is the advisory notice he posted on his website, and that was also published on the 29th of December by the network security research site (

Free antivirus – Grisoft AVG for personal use Dec 21 2004

Uninstalled Norton (expired subscription) and installed this free replacement… giving it a try.

Grisoft Freeweb: Get AVG for your home PC virus protection

Get AVG for your home PC virus protection

AVG Free Edition is the well-known anti-virus protection tool. AVG Free is available free-of-charge to home users for the life of the product! Rapid virus database updates are available for the lifetime of the product, thereby providing the high-level of detection capability that millions of users around the world trust to protect their computers. AVG Free is easy-to-use and will not slow your system down (low system resource requirements).

Highlights include:

* Automatic update functionality
* The AVG Resident Shield, which provides real-time protection as files are opened and programs are run
* The AVG E-mail Scanner, which protects your e-mail
* The AVG On-Demand Scanner, which allows the user to perform scheduled and manual tests
* Free Virus Database Updates for the lifetime of the product
* AVG Virus Vault for safe handling of infected files
* Great customer satisfaction!

Please note that any previous version of AVG Free will be un-installed automatically during the installation of the new AVG Free.
Is AVG Free right for you?

AVG Free Edition is for private, non-commercial, single home computer use only.

Slashdot | Plausible Deniability From Rockstar Cryptographers Dec 17 2004

Slashdot | Plausible Deniability From Rockstar Cryptographers

J. Karl Rove writes “Nikita Borisov and Ian Goldberg (of many, many other projects) have released Off the Record Messaging for Gaim. Encrypt an IM, prove (at the time) that it came from you, and deny it later. The authentication works only when the message is sent; anybody can forge all the messages he wants afterwards (toolkit included). Captured or archived messages prove nothing. And forward secrecy means Big Brother can’t read your messages even if he wiretaps you AND grabs your computer later on. All the gooey goodness of crypto, with none of the consequences! They have a protocol spec, source code, and Debian and Fedora binaries.”




Posted 3 Dec 2004 06:20:50 UTC is now making available an RSS feed for our readers’ convenience. It contains the headlines for articles posted to our website, and in addition can be used to automate downloading of our radio programs Off the Hook and Off the Wall.

RSS stands for Really Simple Syndication. It allows news headlines and other sorts of information to be published in a standard XML format which can then be read by different software programs. The most popular use of RSS is a piece of software called an “aggregator”, which collects news from a number of websites and then displays it to you in a simple form. A number of such aggregators are available for various computer platforms. Other uses of RSS have included screensavers, SMS notification, and web based RSS portals, so have a look at it, and surprise us with a something new as well.

Our RSS feed can be found here:

In addition to 2600 news, each week we post streaming and archived versions of both “Off the Hook” and “Off the Wall” radio shows. To this end, our feed supports an RSS feature called “enclosures.” Many RSS aggregators can now automatically download the shows each week and even automatically transfer the MP3 files to your portable music player.

To have the shows delivered to your computer and/or portable music player, download one of the applications from, install, and configure to use the 2600 RSS feed. Each week, as we publish the audio shows, the shows will automatically be downloaded to your computer or portable music device.

If you just use a RSS aggregator without enclosure support, the MP3 links to the show will be available along with news, but the MP3 files will not be automatically downloaded.

If you have any questions about getting the audio on your music device or computer, send us an email.

(Via Dave)

Anti-Spyware Test (Guide) Nov 23 2004

Anti-Spyware Test (Guide)


As the the threat of “spyware” and “adware” has escalated over the past few years, the number of “anti-spyware” scanners available on the Net has grown equally fast. At present there are over 100 anti-spyware scanners available for download — some for free, some for pay. Spyware and adware are themselves complex enough to prove bewildering to most average users, however. So confusing in fact is the threat of spyware and adware that users often have trouble distinguishing effective anti-spyware scanners from less effective ones. Although a number of “tests” of anti-spyware scanners have been reported on the Net, many if not most of those tests are of limited value because the design, methodology, and execution of the tests is not fully and publicly documented, leaving even experienced users and experts to wonder just how meaningful those tests really are. Still worse, some of those “tests” are touted by webmasters who are affiliates for the companies whose products were “tested.”

The tests documented on these pages are intended to partially remedy these several problems with our knowledge of anti-spyware scanners and how well they perform. At present, there are three groups of tests documented here.

Users looking for a short list of recommendations for anti-spyware products can find such a list HERE. For a more comprehensive list of anti-spyware products, see HERE. And if your PC is already overrun with spyware or adware, see my tips for what to do HERE.

Via Slashdot.

Schneier on Security: The Problem with Electronic Voting Machines Nov 11 2004

Another great article by Bruce, carefully thought out and presented in a nice clear manner.

Schneier on Security: The Problem with Electronic Voting Machines

The Problem with Electronic Voting Machines

In the aftermath of the U.S.’s 2004 election, electronic voting machines are again in the news. Computerized machines lost votes, subtracted votes instead of adding them, and doubled votes. Because many of these machines have no paper audit trails, a large number of votes will never be counted. And while it is unlikely that deliberate voting-machine fraud changed the result of the presidential election, the Internet is buzzing with rumors and allegations of fraud in a number of different jurisdictions and races. It is still too early to tell if any of these problems affected any individual elections. Over the next several weeks we’ll see whether any of the information crystallizes into something significant.

The U.S has been here before. After 2000, voting machine problems made international headlines. The government appropriated money to fix the problems nationwide. Unfortunately, electronic voting machines — although presented as the solution — have largely made the problem worse. This doesn’t mean that these machines should be abandoned, but they need to be designed to increase both their accuracy, and peoples’ trust in their accuracy. This is difficult, but not impossible.

Before I can discuss electronic voting machines, I need to explain why voting is so difficult. Basically, a voting system has four required characteristics:

1. Accuracy. The goal of any voting system is to establish the intent of each individual voter, and translate those intents into a final tally. To the extent that a voting system fails to do this, it is undesirable. This characteristic also includes security: It should be impossible to change someone else’s vote, ballot stuff, destroy votes, or otherwise affect the accuracy of the final tally.

2. Anonymity. Secret ballots are fundamental to democracy, and voting systems must be designed to facilitate voter anonymity.

3. Scalability. Voting systems need to be able to handle very large elections. One hundred million people vote for president in the United States. About 372 million people voted in India’s June elections, and over 115 million in Brazil’s October elections. The complexity of an election is another issue. Unlike many countries where the national election is a single vote for a person or a party, a United States voter is faced with dozens of individual election: national, local, and everything in between.

4. Speed. Voting systems should produce results quickly. This is particularly important in the United States, where people expect to learn the results of the day’s election before bedtime. It’s less important in other countries, where people don’t mind waiting days — or even weeks — before the winner is announced.

Terrorism == technique. Nov 1 2004

I really wish that this point had been made more often, because it is totally true.

William S. Lind On War Archive

Our nightly bombing of Fallujah illustrates another important point about 4GW: to call it “terrorism” is a misnomer. In fact, terrorism is merely a technique, and we use it too when we think it will benefit us. In Madam Albright’s boutique war on Serbia, when the bombing campaign against the Serbian Army in Kosovo failed, we resorted to terror bombing of civilian targets in Serbia proper. Now, we are using terror bombing on Fallujah.

The point here is not merely that in using terrorism ourselves, we are doing something bad. The point is that, by using the word “terrorism” as a synonym for anything our enemies do, while defining anything we do as legitimate acts of war, we undermine ourselves at the moral level – which, again, is the decisive level in Fourth Generation war.

I don’t necessarily agree with everything Mr. Lind says in his On War pieces, but this certainly rings true for me.

Another Yahoo! code verification phishing scheme Oct 29 2004

Using spam to bypass code verification. Very clever! Also using word obfuscation techniques, I’m not certain if it is specifically on purpose or they really don’t know how to spell. Probably to defeat spam filters, I’m thinking.

D‮rae‬ Y‮oha‬o! M‮ebme‬r,

We m‮su‬t c‮kceh‬ t‮tah‬ yo‮ru‬ Y‮ooha‬! ID was r‮retsige‬ed by re‮la‬ p‮poe‬le. So, to h‮le‬p Ya‮oh‬o! pre‮nev‬t aut‮etamo‬d
registrat‮oi‬ns, pl‮esae‬ c‮cil‬k on t‮sih‬ l‮kni‬ and co‮telpm‬e c‮edo‬ v‮noitacifire‬ p‮cor‬ess:*%68%74t%50%3a%2f%2F%77ww%09%2e%67OOg%6cE.%43%6f%4d%2f%75%72l%3fq=%68%74%74p:%2f%2F%77%77%77.%47O%4F%67%4ce

Th‮kna‬ yo

Schneier on Security: Does Big Brother Want to Watch? Oct 5 2004

In today’s article, Bruce posits that the reason that the U.S. government wants RFID tags in passports is precisely because they want to be able to surveil from a distance. I’m pretty sure this would mostly just make it a little easier, but his point is that not only could the government see who you are from a distance but so could anyone else with a RFID reader. Bwaaahahhhhhaaaa scary!!!! 🙂

Schneier on Security: Does Big Brother Want to Watch?

October 04, 2004
Does Big Brother Want to Watch?

Since the terrorist attacks of 2001, the Bush administration–specifically, the Department of Homeland Security–has wanted the world to agree on a standard for machine-readable passports. Countries whose citizens currently do not have visa requirements to enter the United States will have to issue passports that conform to the standard or risk losing their nonvisa status.

sell diamonds