iPod Medical Imaging

Via Roland Piquepaille’s Technology Trends: iPod Imaging:

… several thousands of doctors are using the free OsiriX software to manage their medical images on their iPods and Macintoshes …

It’s an interesting route-around of the usual IT solutions (which offer too little space and are less convenient). My cursory inspection of all the linked-to articles and software documentation shows zero discussion of privacy, security, or HIPAA — yet. Is sending a medical image via iChat secure enough?

PPTP and WEP: No more room for nails in the coffin

Two hoary protocols get even more final nails driven into them:

Color Laser Printers embed serial numbers in printed documents

Government Uses Color Laser Printer Technology to Track Documents:

Next time you make a printout from your color laser printer, shine an LED flashlight beam on it and examine it closely with a magnifying glass. You might be able to see the small, scattered yellow dots printed there that could be used to trace the document back to you.

According to experts, several printer companies quietly encode the serial number and the manufacturing code of their color laser printers and color copiers on every document those machines produce. Governments, including the United States, already use the hidden markings to track counterfeiters.

Peter Crean, a senior research fellow at Xerox, says his company’s laser printers, copiers and multifunction workstations, such as its WorkCentre Pro series, put the “serial number of each machine coded in little yellow dots” in every printout. The millimeter-sized dots appear about every inch on a page, nestled within the printed words and margins.

“It’s a trail back to you, like a license plate,” Crean says.

[via Alex Pang]

[see also Ed Felten]

Wayback Machine admissible in court

Via Stanford Center for Internet and Society:

Magistrate Judge Arlander Keys rejected Polska’s assertion of hearsay, holding that the archived copies were not themselves statements susceptible to hearsay exclusion, since they merely showed what Polska had previously posted on its site. He also noted that, since Polska was seeking to suppress evidence of its own previous statements, the snapshots would not be barred even if they were hearsay. Over Polska’s objection, Judge Keys accepted an affidavit from an Internet Archive employee as sufficient to authenticate the snapshots for admissibility.

FireWire’s physical memory access

Maximillian Dornseif’s Red Team: FireWire round-up has several links on using FireWire (IEEE 1394, Sony i.Link) to access a host’s physical memory without any software cooperation from the target. He just presented the work at the PacSec/core04 conference and publishes sample code. He points out that this could be very useful for forensic analysis of live systems, demonstrates how the technique can be used for privilege escalation or spying, and points to several security advisories that arose out of this discussion.

SLCT: Pretty good logfile reduction right out of the box

Looking for needles in enormous bulky repetitive haystacks? Many logfile reduction programs require investment in tuning and tweaking. In contrast, SLCT, the Simple Logfile Clustering Tool, is useful right out of the box, with no tuning for specific logfile formats; it figures things out on its own. I was going to write something just like it (a generalization of previous logfile reducers I have done); now I can instead plan on improving on something that’s already pretty darned good (and fast and memory-conserving too).

[via the handy site LogAnalysis.Org]
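As an added example (not SLCT’s own code, and not from this post), here is a simplified reimplementation of the clustering idea behind SLCT as Risto Vaarandi described it: (position, word) pairs that occur often enough become the fixed parts of a line pattern, everything else becomes a wildcard, and lines matching no pattern are the outliers worth reading by hand. The log lines and the support threshold are constructed for the demonstration.

```python
from collections import Counter

# Constructed sample log lines (not from the post); the point is to reduce them
# to a few line patterns without telling the tool anything about the format.
LOG_LINES = [
    "sshd[101]: Accepted publickey for alice from 10.0.0.5 port 51022",
    "sshd[102]: Accepted publickey for bob from 10.0.0.7 port 51100",
    "sshd[103]: Accepted publickey for carol from 10.0.0.9 port 51311",
    "sshd[104]: Failed password for root from 198.51.100.4 port 40001",
    "sshd[105]: Failed password for root from 198.51.100.4 port 40002",
    "sshd[106]: Failed password for admin from 198.51.100.4 port 40003",
    "kernel: eth0: link is up",
]

def _candidate_keys(lines, support):
    """Steps 1-2 of the SLCT idea: count (position, word) pairs, keep those seen at
    least `support` times, then describe each line by the frequent pairs it holds.
    Returns one (token_count, key) per input line."""
    tokenised = [line.split() for line in lines]
    pair_counts = Counter((pos, w) for toks in tokenised for pos, w in enumerate(toks))
    frequent = {pair for pair, n in pair_counts.items() if n >= support}
    return [(len(toks), tuple(p for p in enumerate(toks) if p in frequent))
            for toks in tokenised]

def slct_clusters(lines, support):
    """Step 3: a candidate description seen at least `support` times is a cluster;
    positions without a frequent word are shown as '*'. Returns {pattern: count}."""
    counts = Counter(_candidate_keys(lines, support))
    clusters = {}
    for (length, key), n in counts.items():
        if n >= support and key:          # empty key: nothing frequent in the line
            words = dict(key)
            clusters[" ".join(words.get(pos, "*") for pos in range(length))] = n
    return clusters

def outliers(lines, support):
    """Lines that fall into no cluster: the residue an analyst should look at."""
    keys = _candidate_keys(lines, support)
    counts = Counter(keys)
    return [line for line, key in zip(lines, keys)
            if not (counts[key] >= support and key[1])]

if __name__ == "__main__":
    for pattern, n in slct_clusters(LOG_LINES, support=3).items():
        print(f"{n:4d}  {pattern}")
    print("outliers:", outliers(LOG_LINES, support=3))
```

Note how the repeated source address survives as a literal in the failed-login pattern because it is itself frequent, while usernames and ports collapse to wildcards; raising the support threshold merges the two sshd patterns into one.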

Vixie on SANS on BIND vulnerabilities

Paul Vixie shares his Thoughts About “Protection Against BIND”, in which he reacts to the latest SANS Top 20 Vulnerabilities List, pointing out that there are no recent exploits, some of the configuration advice is lame or worse, and DDoS attacks on otherwise secure software are not a “vulnerability”. While the SANS Top 10 and Top 20 lists have always been useful awareness tools and helpful basic guidance, there is always a tendency in a complex field for consensus guidance to turn to overgeneralized mush. Intelligent criticism like this is a good thing.

A story of SCADA, radio, and sewage

Computerworld (June 30, 2004):

When an employee from an Australian company that makes manufacturing software got fired in early 2000, he applied for a job with the local government, but was turned down. In retaliation, he got a radio transmitter, went to a nearby hotel where there was a sewage valve, and used the radio to hack into the local government’s computerized waste management system.

Using software from his former employer, he released millions of gallons of raw sewage near the hotel grounds and into rivers and parks.

“He did this 46 times before he was caught,” notes Joe Weiss, a process-control cybersecurity expert and consultant at the Cupertino, Calif., office of Kema Consulting. “The first 20 [times], they didn’t even know it was cyber,” meaning an external attack launched using a computer, he says. “From 20 to 45, they finally figured it was cyber, but they didn’t catch him until 46.” Though this person never worked for the wastewater utility, he was still able to break into its supervisory control and data acquisition system, which was designed with a big security assumption in mind — that only insiders would want to access it.

More links to the same incident: The Register October 2001, ComputerWorld February 2006

Spam introspection

Georgetown University sends spam and faces the wrath of one of its own students.

I’m also getting a little tired of “call for paper” spam sent by otherwise-legitimate conference organizers to lists of web-harvested email addresses. My most frequent offenders will remain nameless for now, but only because I’m busy.

Just because you’re not a fraudulent criminal enterprise doesn’t mean you’re not a spammer.
It would not be a bad thing if everyone started worrying about CAN-SPAM being enforced against them.

Newsletter cartoons

www.newslettercartoons.com has a pretty good selection of cartoons suitable for business presentations. You can browse by category; see, for example, security cartoons. The artist, Ted Goff, licenses his work at various rates that depend on whether the use is for a presentation, newsletter, magazine, etc.