Biometric fingerprint data's not as secure as you might hope. Not only can it be foiled by a gelatin cast of your finger, or even a digital photo of your fingerprint turned into a gelatin cast of your finger, but apparently the numeric conversion of your finger's data, stored in the biometric database, or on your ID card, or what have you, can be translated back into your fingerprint according to a paper by mathematicians at MSU. Check that link for details- and a MythBusters episode where they make a gelatin fingerprint and go around foiling locks with it.

(As it happens, my cousin Simon is a sociologist who writes about the unreliability of forensic fingerprinting. It's a neat topic!)

Thanks to rhythmaning for pointing to the article and reminding me about Ben Goldacre's blog / Guardian column, bad_science. I used to read his column, back before RSS feeds. :)

Speaking of awful security, I can't imagine how angry I would be if my data (or my children's) were on those lost CDs in the UK post. Angry and scared, most likely.

Indeed, I wonder who's stupid enough to send around unencrypted CDs by the non-registered postal service here in North America.

I received a phishing email at work from my bank (TD) which used a url-redirector at THE REAL BANK'S WEBSITE to get to the fake site.

That is: www.tdcanadatrust·com/servlet/infosite.servlet.OutBoundServlet?RequestedPage=phishing·url/urgent_verifying/update.inf

Thunderbird didn't think it was phishing. The destination URL originally went to a copy of the bank's site; two hours later, it was deactivated by the host, and Firefox warns it is a phishing attempt.

The bank hasn't deactivated the redirector. I'm curious how long it will stay active. They should be pretty embarrassed; this isn't rocket-science, and there's no reason you should be able to pull crap like this.
Things I've decided:

A flash drive is a stupid way to move 500mb of data from one machine to another, if the source computer only has USB1 and it's transmitting MUCH slower than that (something like 1mb per minute, tops). ..But, given that putting the second computer on the fixed network was too much of a pain, it's the only reasonable answer I had in this situation. Ah well.

A Greyhound bus to Toronto is a stupid way to get a signature authenticated, but since the only allowable authentication agents are US Notary Publics, and it couldn't wait until the next time I was in the US, I did it. Ah well. It certainly wasn't cheap- $23 ticket, $30 US notary public at the US Consulate, and it'll be something like $10 to mail the piece of riveted-and-embossed papers back. You want a story? Ok, here's a story.

The US Consulate is a strange place. It's so secure you can't bring in a backpack, briefcase, or anything electronic into the building. My morning went like this:

Go to the bus station at 8, queue for a ticket, queue for the bus, get on 8:30 bus, take a short nap, discover we're taking highways I don't recognize, decide they're the 407, go back to my book, get into Toronto at 10:20, put my briefcase/cell-phone/ipod into a locker, walk a few blocks to the back door of the consulate, tell them I need something notarized, go through the metal-detector, watch them radio ahead that someone (me) is going to the third floor, pass through no less than three security checkpoints, pass a large room with mostly-nonwhite people getting visas, have people with guns open doors for me, press my own elevator-up button, not see any security cameras in the elevator, get off at the third floor, get totally confused because I'm in a room full of Mennonite families, find the reception desk at the far end of the room (no signs), spend a while watching Mennonites watch the weird city folk, get my paperwork paid for and notarized and signed (she had a nice pen), go out the door at 10:50 only passing one security guard, waste an hour of the morning because of the 2-hour gap in busses back home, not buy clothes, not buy DVDs, buy an Alfred Bester book I've been looking for, buy a veggie dog and fries in front of City Hall, eat lunch, get on the 12:30 bus, not nap even though I really wanted to, and get home at 2.

Then, half a day of work, which fortunately seems to be finishing up right about now. :)

Monster Problems

Friday, 31 August 2007 08:07 pm
Security breach at Monster likely involves sophisticated personalized attacks on hundreds of thousands of customers, now likely millions. (Yesterday's Reuters article). The scary part of this is that the Ukrainian thieves of Monster user data apparently weren't performing identity theft using that data; they were grabbing user info in order to custom-craft recruiter emails, which, if the job-seeker clicked on the links, would install malware on their computer (which would then perform identity theft).

So- if you've ever been associated with Monster, be very careful about any recruiter emails, even if they don't say they're from Monster; make sure your email reader won't run executable programs from links in the email.

I'm grumpy about how stupid this is, that thieves were able to get all this information; and expect they could go and do more fishy things with the data, besides sending these fake recruiter emails.

Of course I'm also grumpy about this since I do have a Monster account, but the particular scam seems less likely to cause problems for me since I did use a unique email address for Monster, and I also read Monster email in a non-GUI non-windows mail-reader.


Phonographic Industry?!?
Originally uploaded by da_.
Came across this in today's Globe and Mail business section. is the International Federation of the Phonographic Industry. So don't copy your phonographs, kids, or they'll sue.


Saturday, 17 June 2006 06:34 pm
I had an odd thought recently; how people my age often rely on their parents and other older relatives to not be net-savvy. What would happen if that crazy aunt of yours [1] started commenting in your LJ?

Teens today: how do they feel about their parents being internet savvy? I expect they have much less of the luxury of assumed anonymity. And it works both ways- how many teens have googled their families? Old usenet posts? Growing up with google is an odd thing. Imagine finding your 50-year-old uncle's angst-ridden poetry from when he was a teenager... (I mean, that's always happened, especially in close families or in smaller towns when everyone was in everyone else's business... but the potential seems much greater now). Weirdness.

At the same time, what about the relatives you get along with, but you're just not friends? The internet is a great leveler; after all. What about relatives who would probably be interested in your life to the extent you shared it with them; but there's this barrier. Partly due to the age difference; partly family dynamics, partly any number of other things.

On the positive side, I wonder how many people became better friends with family members via the internet. It's so great at joining people who are looking for friends/relationships/whatever. I wonder if it could make families have better connections too. Or it could be intensely awkward.

I'm also thinking about the families where there are fewer of the standard barriers; parents socializing with their kids at parties, talking about anything they'd talk about with friends... How that feels... inspiring, yet odd to me. I've got this strong default-assumption that people will want their privacy; it makes me less open than I might otherwise be. How do these families negotiate what feels appropriate or inappropriate to talk about? I suppose the same way any friends do..

Anyway, a few thoughts on this lazy Saturday afternoon. Whoop, evening.

[1] because everyone has a crazy aunt. Or uncle. Ask melted_snowball about the story; it's a really good one. :)

Also: unpacking: I found an unlabeled DVD in my bags from NYC and it took me a few minutes to realize it was made by my uncle Leon; it's an hour of my grandmother and her three elder sisters talking with each other about the old days. It's a real treasure, and I'm very happy he transferred the interview from video. (and it's really fun to watch my grandmother interact with her sisters as siblings; they bickered like teenagers, even though they were all well over 85 years old. :)
This morning, driving to work, I caught part of an interview with Jim Loney on The Current, along with his partner, Dan Hunt. He spoke eloquently about the need for continued peace work, though he was firm that he would not be going back to Iraq himself. It was a fairly good interview. [I've gone back and listened to the beginning; he talks about more of the captivity; will probably be in tomorrow's paper.]

Tonight, I went to the monthly Prayer Vigil for Peace, held at the Working Centre. I showed up early; people were working on a banner to carry in an upcoming march in Ottawa (June 13-15) to call for justice for five Muslim men who have been held by Canadian Security for between four and six years without charges. They are being held on Security Certificates, which suspend the right to trial and allow indefinite detention of non-citizens and permanent residents. Amnesty International has a good writeup on them and the Security Certificate process.

Now, I have no idea whether these men are at all connected to terrorist activities; but it seems clear that they are in a position remarkably similar to the hundreds in Guantanamo Bay, in a weird legal limbo with no recourse, and it isn't clear whether the Canadian Government plans to deport them to countries where they face torture, as Amnesty says they might.

It's not a simple situation, and I wish I had more clarity on what should be done. At least I can say in principle I don't think people should be held indefinitely with no contact with families or lawyers, for five years.

Back to tonight: the man in charge of putting together this banner, Andy Macpherson, lives around the corner from the Quaker Meeting House. I believe he's come to Meeting a while back. He's involved with Catholic Worker as well as local Mennonite groups. The reason I bring him up is that I discovered that he was responsible for the design of a beautiful poster which I saw at the Working Centre five years ago, when I first moved here. The other designer was Jim Loney. It's a small world.

The prayer vigil was... oddly relaxing. It was a small group; I knew most of them (at least by face); and the prayers were tremendously similar to the ones you might hear in a Quaker Meeting (if one happened to be in a Meeting where prayers were read from the Bible).

I say "oddly relaxing" because there was a band playing electric bass upstairs, people cleaning kitchen equipment in the same room, and a stream of fire-sirens over the course of the first 30 minutes. Also, the ritualized prayers still felt weird to me as a Quaker; though I felt the sentiment behind the words was familiar.

We also sang; particularly pretty and simple was "Ubilate Deo" (not Jubilate; I would like to find out the origin of Ubilate, whether it's the same Latin word with a different spelling; google doesn't seem to help much).

Hm. I learned a few other things; one's neat but not public knowledge, so I'll keep my lips buttoned for now.

On obsolescence

Thursday, 13 January 2005 07:16 am
Life is Change, and woe to those who can't deal with that.

I ran across this philosophy stated in stronger terms, that God is Change, but I won't go so far as to suggest that right now. Maybe later when I'm in an Octavia Butler mood. That post will probably have a lot to do with Internal versus External Locus of Control. But this entry is instead about obsolescence.

Three signs of change that prolly ought to piss me off but don't this morning, in order of increasing amusement value:

On a personal level, the Internet just got more complicated for both me and my brother Zack. Our mother started reading my journal. Long story short, I talked with her and we worked out that it was awkward enough that I didn't want her reading it, but I'd email her more instead. Then, she found cyanpill my brother and the results weren't pretty. Objectively, I think, there are some mom-alarm-worthy moments in his journal, but hell, the guy's 22, of course there will be (if they're going to be posted in a public journal). So he's gone friends-only posts. Mom hasn't told him she won't read his. So it's rather messy. It's leading to all kinds of interesting talks in my family at least, but it's definitely an off-kilter way to have them. So far, neither of us in my household are switching to friends-only posts, but I now have reason to consider it.

On a more interpersonal level, in the last 12 hours, my personal email address got 111 spam messages that got through spamassassin (version 2.64). I'm a patient guy, but ~175 a day aren't worth wading through. I considered killing the address completely, but I like the domain, and I was there first. So I'm going to lower my spam threshold and consider killing the address completely if that and similar fixes don't work. It's surprising to me, since taking a "regular job", the number of previously unquestionable assumptions I can now question, since I don't have to put so much work energy into finding and keeping clients myself. (Can I move my server in-house and save $100US/month? Do I need to answer email at so many addresses? Do I need a cell-phone? Do I need a PO box in Ithaca for business mail? and so on.) Every change I've made has felt freeing, and simplification is good.

On a not-at-all connected to me level, seems to me that Microsoft's security model has got to be in trouble. It appears that any windows program that uses MSHTML is an attack vector, according to those who report such things.
So, if you run Windows (up through XP/Server 2003 including SP 2) better patch or unplug from the network. I think I no longer trust any argument that security works better in a closed company than in an open-source project. How many thousands of engineers, how many levels of security audits did their latest OSes go through? This looks like a pretty wide hole, at least to a relatively naive non-windows-programmer like me.

On plane trips

Sunday, 12 December 2004 02:30 pm
31 hours after we left Ontario, we're back. It's beautiful out, huge snowflakes are falling, and both d. and I are exhausted. d's currently singing his 2nd of two concerts of this weekend; I'm doing a few errands like picking up the dog and making dinner, and we'll probably crash pretty early tonight.

In addition to discovering that the only substantially good thing about the city of Baltimore is the food, both d. and I have discovered that our names are on security Do Not Fly lists. So far, it's turned out to mean no more than 20 extra minutes at the start of each trip, as they called in our names and verified- I don't know what exactly, but they let us get on the planes both times. There's some sort of process we can follow to get... onto the Do Not Do Not Fly list? Fly List? I don't really care, so long as it works.

As far as I know, we're flagged by full name, and nothing else, though it's being difficult for me to find out for certain. The list seems riddled with errors, from what I've read online previously.

I did do an interesting experiment just now, which you can repeat.

Go to and put in your name and any state. For my first and last name, and state of birth, it tops out at 100 responses, two with my same age and middle initial. There is at least one close match for most of the friends' names I've tried.

Why, oh why, didn't my parents name me Bartholomew?
hee hee hee.
Simon Cozens blogged about, a commercial search engine specifically for CVs. It will auto-generate a person's past work history.

If you give it a name and a company, it seems to do surprisingly well... for some results. It found a few friends who I'd not expect, and gave a reasonable history, with a few errors.

My profile includes somebody else's company under past employment, because he's got the same name as me and a company with the same initials. Perfectly reasonable AI mistake based on not enough information.

However, if you search for my dearly beloved at his place of employment, it looks fairly good at first glance, then becomes completely wrong. Only one reference to the author of the same name, which is good; current employer is accurate, good... Then there's the obituary... then you realize he's switched genders!

Apparently he, ahem, she was the owner of a rare coin shop in Toledo Ohio until she moved to Denver in '99 and died in 2001.

She "enjoyed travel, Mardi Gras, fine dining and attending musicals with friends."

That's partly right...
I wouldn't believe this if it hadn't been verified by one of my co-workers this afternoon.

Kryptonite U locks can be opened with a ballpoint pen. Complete with instructions and pictures.

Neither of the two kryptonite locks in my house are the right size to fit a bic pen barrel, but I'm not convinced a larger pen barrel wouldn't break the lock. *sigh* Kryptonite's official response is "we are working on a new lock design which should be out in a few months". How.... not useful.

My favourite response I've heard is "damn. Now I don't have a lock, and I don't have a pen to write a complaint letter".

September has not been a good month for security. Newspapers report a Purdue researcher claimed proof of the Riemann hypothesis, which in theory could result in a Bic Pen to break public-key encryption.

It would be, however, a great month for math, if both the Riemann Hypothesis and Poincaré conjecture have been solved.

Page generated Friday, 21 July 2017 02:38 pm