What a Year

Post by: on November 17th, 2006 | Filed Under Annoyances, Arabic, Digital Rights, Games, Hacking, Interests, Linux, Phishing, Poetry, Programming, Security, Sony, Stupidity, Tunisia, Warhammer

Well, in case you can't guess from the title, it's been exactly a year since I started this blog. To be more specific, it was November 20th of last year that I registered the domain. This post also (totally not planned, I swear) happens to be my 100th. Again, to be more specific, it's my 100th page... pages include things such as my Warhammer picture pages and the others you find under "Pages" on the right. So, this'll be a fun post, five days in the making, about all kinds of things dealing with the past year. ((Published a second time, I apologize))

Some History
The domain was registered while taking one of my patented Long Thanksgiving Breaks. That was ThanksGaming 2005, and I grabbed the domain one night while talking to that coder I always mention, Malaprop of Cambrian House. Malaprop kindly put the domain on his site, installed WordPress, and away I went. My first actual post (I believe) was on the 20th of 2005, but it was accidentally deleted, so the first surviving post is from the 21st.

Just Irate

Post by: on November 4th, 2006 | Filed Under Annoyances, Digital Rights, Interests, Security, Stupidity

It's been a long 7 days. This time last week a security researcher was being raided by the FBI for pointing out a flaw in the airline system I've been pointing out for a long time now. The difference? He did it in a way the government couldn't ignore.

My thoughts on the "increased security" in airports aside, the worst thing you can do is convince people they're safe, when they're not. I lie, the worst thing you can do is put well-meaning citizens in jail for trying to help. Now Chris hasn't seen jail yet, and I pray he never will, however this is the mentality in the US nowadays. From the government and from corporations. If you find a flaw, you better not tell anyone. If you tell people, the public better not find out. So long as it's contained, nobody has to fix it. THIS IS WRONG! THIS LEADS TO SECURITY HOLES.

The absolute BEST systems in the world are vetted by many, many Smart People who Know Their Stuff and once they finally say it'll take too long to subvert the system (rather, it'll take longer to subvert the system than makes subversion worthwhile) the system is published so Everyone Else can have their crack at it. Don't believe me? Go read up on RSA, to name one. It's patented, and a de facto standard right now. It is published, so you, yes you, can go implement it yourself. This means every citizen out there can go implement it and have "secure comms". Of course, they may not implement it correctly, they'd probably hire some professional to check. This is how good systems work.

If you want a better example for those that don't speak crypto (I sure can't) check out Linux versus Microsoft. Microsoft hides their source code, and as such has bugs pop up in the wild. Granted, Linux is not perfect, and the first worm targeted it, but it does a lot better. With ALL the source code OPEN TO THE PUBLIC, it has a patch time way shorter than Microsoft's, fewer security holes, and the ability for users to find bugs without having to be the target of an exploit first.

I've avoided publishing on this topic so far because I've been too close to the action, and quite frankly this could have been me. -------------------------------------------------------------------------------------------- I'd love to think that in this country of freedom I could speak my mind and not be worried. But this past week probably scared me more than Chris for some odd reason. Though he's the one that got screwed, I'm now second-guessing everything I'll put in public. This post was censored as I wrote it, because I don't want to misspeak. This doesn't mean I'm at all involved with the case, I know Chris through research, it's merely the thought that posting a security hole would have this reaction.

I'm in a foul mood, I'll leave you with this question. Is this the freedom you want? Or would you rather see an environment that fosters questions of security to make itself better?

I'm not advocating overthrowing the government, subverting any of their systems, or supporting terrorism. Nor am I in any way saying I have ever done anything illegal, nor contemplated it.

Those of you that know me know I'm not the type to hurt innocent people, nor put that ability in anyone's hands. I only point things out so they may be fixed and our kids will grow up in a better world than we did.


Social Networks

Post by: on February 9th, 2006 | Filed Under Digital Rights, Phishing, Security

Well, some of you have heard me rant about Social Networks, Facebook being an example, already, but here's a new one.

I had the great opportunity to have both a really informal breakfast (only 5 students, and the speaker) with a CMU professor who is looking at Social networks and privacy issues. Before I go further I should stress there's no such thing as privacy online. At least, not for the average user.

Facebook, after I started using it, really bugged me. There is no way to turn off displaying your email at all. Yes, it's displayed as an image, but it's not CAPTCHA text, so can be "decrypted" on the fly in Perl. Using a Perl module called WWW::Mechanize, you can mine whatever you want from any profile. You can even do batches of profiles. Here are my findings so far.

I will now charge for one, specific, PC fix

Post by: on January 7th, 2006 | Filed Under Digital Rights, Sony

Ok, it has come to light that one settlement with Sony/BMG would allow for the users to get some compensation. A whole $7.50 in music downloads, and one extra album download. I don't have time right now (flying out rather soon) to go into details of how crappy a settlement this is, but it does allow for the cost of fixing the computer. As in, if I were to clean your system of this rootkit, and charged for it, Sony would be liable in small claims court.

Linux

Post by: on January 3rd, 2006 | Filed Under Digital Rights, Interests, Programming

Well, I've had a few friends ask me about Linux over break, so how 'bout a post on that?

For those of you living in Microsoft's America, along with about 50-75% of Americans, there ARE other operating systems out there, believe it or not. Yes, you have a choice. Other, even better, news. A lot of the time, these operating systems are much more secure, better maintained, and free. Yes, free. As in, downloading the torrent for them does not get a lawsuit!

Great summary

Post by: on December 22nd, 2005 | Filed Under Digital Rights, Sony

Taken from a post on Slashdot in response to one of the many Sony threads.

Sony, and the average user

Post by: on December 20th, 2005 | Filed Under Digital Rights, Sony

Ok then. Back by popular demand, my take on the Sony Fiasco, translated into human-ese.
Read on for more.

Symantec’s “bright” new idea

Post by: on December 8th, 2005 | Filed Under Digital Rights

This is my response to an article on Slashdot today. It's about Symantec wanting to make their virus service available online for banks and whatnot to scan customers' computers.

*Edit* That article had been slashdotted when I last looked, so you might have to try later on.

Do I have problems with this. Let's begin:

Geez

Post by: on November 30th, 2005 | Filed Under Digital Rights, Sony

And it only gets better!

Apparently, Sony knew about the security flaws (they call 'em features *wink*) since the beginning of October. The flaws weren't told to the public (by an outsider) until the END of October. Now, what would happen to, say, a car company that hid a flaw for a month in the hopes it'd go unnoticed? It's called willful neglect. I hope they get strung up for this all the more.

First I thought they were stupid, just couldn't write good software.
Then I thought they were incompetent, for not checking what they put in (GPL code).
Now I think they're evil and should all burn for knowingly and willingly letting this stay out for a month as vulnerable as it is!

But luckily for us, the consumer, Sony-BMG had this to say:
"We're very, very sorry for the disruption and inconvenience that this has caused to music consumers," (Thomas Hesse, president of Sony BMG's Global Digital Business).

That guy is a grade A joker, with everything he's said. Seriously guys, making fun of Bush's speeches is so 2003, let's jump on Hesse instead. This is the same guy who said that rootkits are OK, because the average user doesn't know what it is.... *blank stare*

Very sorry? Very SORRY?! If I infected millions of computers with a virus, I wouldn't be very sorry, I'd be in jail!! For anyone who thinks that is an unfair assumption, notice that the Sony rootkit has been found on computers in most major corporations (Fortune 500, the works) as well as DoD and foreign government systems.

Sorry doesn't cut it anymore, and these guys MUST pay. I don't care if First4Internet wrote it, Sony must take responsibility for this, just as a car company would have to if they didn't issue a recall for bad brakes they didn't make.

And this whole rant isn't even on DRM itself, merely Sony's raping of people's rights (colorful? yes. appropriate? definitely).


Trust your CDs?

Post by: on November 22nd, 2005 | Filed Under Digital Rights, Sony

Think again. For those of you who have not been following the Sony-BMG fiasco, please read on.