000webhost

Web hosting

Monday, December 24, 2012

Abseiling Down the Fiscal Cliff

When you look at the magnitude of the problem it seems insurmountable. Nonetheless, let's have a look and see whether we can break this down and make a difference...

- Pass the bill in chunks (3-4 $500 Billion USD chunks) if you can't do it at the moment. Situation is manageable but not dire. There is still time.
- Seems as though both sides are attempting to for a 1-1 dollar debt cut/revenue raise ratio. Use this as the basis for what essentially amounts to a trade of what can be done now if we need to pass an intermediate/stop gap package.
- Think about negotiatons in another way. Focus on the big things that affect the largest number of people first or have the largest impact first or do the exact converse.
- Another option is to simply find finding those who are willing to cross and convincing to see whether they will do so.
- Think we may be looking at this too simplistically. It's not just cutting costs and revenue raising. One of the things that has always surprised me with the United States is the total number of agencies and the size of the government/administration. Many different agencies with overlapping responsibilities. Believe that their may be signifiant savings to be made if there were simply greater co-operation and a streamlining of many activities. Best way to achieve this without cutting required/critical programs would simply be to ask the heads of the relevant agencies (consult individual states as well. Look at programs that aren't producing results, look for alternatives, you'd be surprised what you can provided you have the right in people in the right position in place). Look at the big picture but try to see the smaller details as well. It's clear that there are loopholes everywhere if you spend enough time and consult enough people. If you pass the bill in chunks then you can spend more time dealing with these issues as well.
- Clear that there are generally limited options when it comes to elected officials and members of the administration/executive. Need a clearer vision of where the country is headed. Once this is done, use this as the basis of cuts (if they are required). Have seen a number of times where programs have been stopped and then restarted. In the end of the cost of this administration actually outweighed the cost of having the program running for that entire period.
- Continue 'economic stimulus' and using this money to restructure/reinvest in infrastructure and other projects that are likely to result in strong returns. Use it wisely though. If not, it basically amounts to a risky bet and if the investment doesn't produce the expected return or does not keep pace with inflation then you may be worse off then when you began. Reminds me of dogs chasing rabbit at the race track. Theoretically, if the growth curve runs ahead of the debt curve you could do this forever. Not recommended though. Best used in combination with other reforms.
- Not sure we should be looking at only 1/2 tiers for tax increases. Perhaps 3/4 so that the impact  is not as strongly felt. Need to factor in implementation and overheard issues though. Moreover, clear that there each state has different costs of living. By having a larger number of tiers we can increase flexibility and 'spread the load' better so to speak without pushing family budgets over the edge.
http://www.usmayors.org/pressreleases/uploads/2012/1219-report-HH.pdf
http://www.washingtonpost.com/blogs/wonkblog/wp/2012/12/20/choose-your-own-fiscal-cliff-adventure/
https://docs.google.com/spreadsheet/ccc?key=0AkeTUNT8ZF3ldGNTU2g3Y2pTaFVabDNpaG5Ua2F6cEE#gid=3
http://viableopposition.blogspot.ca/2012/12/your-very-own-fiscal-cliff-tax.html
http://www.washingtonpost.com/blogs/wonkblog/wp/2012/12/20/there-is-no-fiscal-crisis-what-that-means-for-the-us/
- Changing measure of inflation (CPI-U Vs chained CPI) difficult and possibly dangerous route to take. At the end of the day, it is just another metric/variable. By not changing this and focusing in on other issues you may actually save on administrative costs associated with the switch. Moreover, in practive, over time it may just push too many people over the edge. Need to realise that the theory/principle behind this is much like broad based taxation anyhow. If that's what you want why not use it? Moreover, other styles of taxes have greater flexibility naturally built into them. For instance, GST/VAT can be applied to whatever goods/services are relevant and changed when required if they are written well.
http://www.huffingtonpost.com/rep-alan-grayson/the-chained-cpi-cut-if-yo_b_2340095.html?utm_hp_ref=politics
- Let the cliff occur. Then start working backwards. Horrible option but an option nonetheless. Won't give markets much confidence. Temporary pain obviously. Need to put this into perspective though. United States economy is huge and should be able to absorb it.
http://www.smh.com.au/business/world-business/so-what-now-seven-fiscal-cliff-scenarios-20121222-2bs8d.html
- Focus in on cause and effect issues. Look at the number of healthcare programs that are currently  being considered to be cut. If you increase the tax on products/services (and it successfully leads to a reduction for these particular products/services) that are likely to cause them health issues then you ultimately reduce the burden on the healthcare system and also gain extra revenue from the product/service themselves. Question is of course, just exactly what is the level of taxation required to achieve this?
http://en.wikipedia.org/wiki/Medicare_%28United_States%29
http://en.wikipedia.org/wiki/Medicaid
http://en.wikipedia.org/wiki/Tricare
- Large number of healthcare problems/costs. Consider bringing in overseas healthcare specialists/staff to help relieve possible costs. Really need to be careful with screening though. Local experience has taught us that this can lead to medium/long term pain if insufficient checks regarding qualifications are made.
http://www.careerbuilder.com/Article/CB-1806-Healthcare-Why-Healthcare-is-Experiencing-Work-Shortages
http://www.njhealthjobs.org/sites/default/files/health_care_workforce.pdf
http://app1.kuhf.org/articles/1337207668-Legislators-Grappling-with-State-Wide-Shortage-of-Healthcare-Workers.html
- Link the increase in age for Social Security to occupation (labourer, office workers, etc...). Dig enough into your data and you'll figure out what is a fair age for the relevant occupation so that ultimately everyone averages out
- Economy is too dependent on gas/carbon at this stage. Larger carbon producers and transportation for both people in general as well as for goods may be too strongly impacted (If public transportation were safe, could handle extra load, and was cheap enough it may be a viable option though but this doesn't seem to the case in many cases. Have noticed that price of gas in the United States is significantly lower than elsewhere in the world.). Australian implementation of carbon tax to top producers of carbon have had limited impact on end consumers but there has still be an increase in price. May consider this further along the line or stagger it as Green technology uptake becomes stronger (in first year and increasing in 1% increments until reaching a chosen target?)
http://www.bbc.co.uk/news/world-us-canada-13338754
http://chartsbin.com/view/1115
- VAT/GST with exemptions for staples/necessities. This would allow people to budget better while maintaining a revenue stream. Need to be careful with implementation though. Overheads of changing it once in place is not easy as indicated by local experience. While there are critics with regards to transparency experience indicates that if you remove other complex, competing, tax schemes at the same time a lot of overhead can be reduced for businesses in the long time making business easier.
- Despite the obvious problems, need to be wise about this. Policy that is created hastily without thought of the medium/longer term effects can be damaging not only for your economy, but for morale, healthcare, and a large number of other issues as well.

Friday, December 21, 2012

Politics, Weapons/Gun Control and the Fiscal Cliff

Let's face it, a number of countries around the world are currently in financial difficulty. I've written about this previously in the 'Convergence' document (some of the theories mentioned have actually been used). Whilst these policies have helped to stabilise a number countries, I haven't necessarily agreed with the way in which they've been been implemented. In the case of the European Union several of the countries involved have had policies imposed on them which weren't pertinent to their particular situation and may actually cause them some medium range harm at the cost of immediate relief (Admittedly, we have come a long way back from the precipice.)(I'll outline what I mean shortly.).

So I guess this is 'Take Two'. The reasons how the United States has achieved it's tenuous situation are well known but the means that it has sought to extricate herself from her present circumstace diverge (sometimes alarmingly so considering a compromise needs to be achieved very soon in the near future). I think one of the key questions that should be asked is how quickly does she wish to pay down her debts and what is the likely direction of successive administrations? Another that should be asked is just exactly how far are they willing to push their citizens.

In France, taxes on wealthy individuals have reached levels so high that many high profile/wealthy citizens have changed (or are considering) changing their place of residence. Clearly, there are two schools of thought. One is that we require high wealth individuals/organisations to create jobs for others. However, I recall a Wall Street Journal article that suggests that this is not always or entirely the case.

In Spain and Greece drastic cuts have had such significant negative impacts on the living conditions of the general population/middle class. Wide spread cuts to the middle class may possibly push those on the 'edge' over it which may lead to a cascade of other societal issues (increase of crime to support oneself, health insurance, poverty and so on).

I think two things that should be absolutely critical to these negotiations are a rough figure of what cost of living is (basics such as food and water to things like healthcare and utlity bills)(I recall strange welfare oddities which have meant that people were often better off staying at home rather than going to work. Further thought is required here!) and exactly how much are the wealthy willing to pay before they say enough is enough and begin undertaking non-trivial tax avoidance schemes.

From this point we can begin to work backwards. If we can figure out the spread of income/assets across the population we can begin to understand exactly how far we can push before the cuts begin to make too significant an impact on those affected. It's at this point I wish to digress to game theory. If you've ever played a game which has a production as well as a consumption aspect to it (such as Poker) then you'll realise that large bets (spending) are much more rare when you have little to spend. Extrapolate this across an entire population. If not enough people have enough to spend then economies which are dependent on consumption are suddenly in trouble. Balance is key but for this accurate numbers (monitoring on top of projections) are absolutely critical.

I'm sure we've all heard about recent gun tragedy in the United States... It really puts into perspective the cultural differences between the United States and many other countries but for the first time in a long time it's become clear that gun control reform is at the forefront of everyone's mind.

There is an avalanche of opinion but one thing remains clear the so called, "right to arms" plays a far greater role in the United States than in other nations. For instance, Australia is lucky in that it was populated in rather unusual circumstances and is essentially a isolated giant island which has meant that it has been relatively free from war. Other countries used conflict (and continue to use) as a means of forming national boundaries/borders and land locked countries are of course always at stronger risk of invasion owing to relatively greater ease of movement over ground rather than sea or air. Some things that are of interest include:

- storage (store only at clubs, police stations, etc... Many possible problems here including those that require guns as part of their livelihood such as those living in rural areas or on farms)
- culture (television, films)(freedom of expression problems here)
- size of catridges (large scale shooting more difficult with smaller catridges)
- stopping power (ammunition that causes less damage)(exemptions created where required)
- mental health (history indicates that some intigators often suffer from mental difficulties)
- stronger surveillance (law enforcement/intelligence difficult as is. How far do we go? Some automated detection systems won't work against alternative material weapons)
- buyback scheme (logistics/tracing the location of every weapon mightn't be realistic or possible though)
- whitelist as opposed to blacklist methodology (focus on what is needed/desired by people in the general public rather than on what should be banned. Allow these and then ban everything else with obvious exceptions for law enforcement/defense)
- increased law enforcement numbers/rounds around high population areas (these services likely streched as is)
- designated safe areas (in Israel many buildings have safe areas/bunkers where people can hide from rocket threats until they dissippate. What about those between safe areas though?)
- education (not sure about the impact of this?)
- make private sales illegal by only allowing sales through licensed brokers (hard to police/check) which helps to ensure proper/adequate checks are made (logistics?)
- background checks (problem is whether there are adequate resources in place or can be allocated. Enforcement is a major problem as indicated by FBI)
- trigger locks on guns (careful thought required here, if there are flaws in these mechanisms 'class breaks' are a distinct and dangerous possibility)
- provide people with alternatives to guns. Minimise gun distribution as much as possible.
- stronger gun controls/laws (need to be careful with the actual implementation as discussed further on)
- politics (we'll discuss further on)

If you've been reasonably observant of late then you'd realise that recently there has been an extremely close margins of victory in several democratic nations around the globe which has ultimately resulted in 'compromised' decision making. Based on what's been reported in the media it often feels as though we're not satisfied with the options that we currently have. A local journalist recently indicated that we may quite simply be creating undesirable environments for people who have the characteristics/skills to work in.

http://www.smh.com.au/executive-style/culture/blogs/all-men-are-liars/governed-by-inferiors-20121120-29ne5.html

From a personal perspective, I think that a lot of the 'romance' of politics has sort of disappeared. Political parties are increasingly funded by major private entities and if your particular 'cause' is not cogniscent with that of these entities then the likelihood of your campaign being funded and succeeding is miniscule. Moreover, campaigning is often no longer about results or superior policies. It's a combination of personal attacks, highly formulaic/scientific/mathematically based campaigning that often detracts from the actual job of running a state/nation.

Ultimately, this often attracts a strange group of folk who sometimes lack the competency or moral capacity (if you read the previous American attempt at gun law reform there were clearly significant flaws in their contruction which may lead a cynic to question whether or not they were left in deliberately, whether there were issues of competancy, or whether it was simply a half hearted effort) that I desire of someone who is running a state or nation (I don't expect them to know everything but I do expect them to have an internal moral compass that points in roughly the same direction that most normal people do.).

Some have argued that we should perhaps consider changing funding models to reduce the impact of third parties on politics. However, this will clearly require bipartisan support and risk the existing staus quo. Unlikely to happen.

Others have argued that we should simply increase the wages of politicians and other public servants in an attempt to compete directly against the private sector to attract the 'best and brightest'. That's fine.

One thing I'd like others to think about though is that if one can put up with all of the other 'external issues' pertaining to the job (media, personal attacks, and so on) I ask you what possible greater honour can there possibly be? You are an 'elected offical' of a community that more than likely has a population of several million at the worse. Moreover, you have an opportunity that few others have.

You have the change to do something that will have a long lasting and wide spread impact on an innumerable number of others around you. Unlike a scientist, you're not attempting to decipher problems of possibly infinite complexity. Unlike a doctor, you need not deal with one patient at a time. Unlike a lawyer, you need not defend people of questionable morals.

A politician simply is. A politician can change laws as needed/required, can redefine history simply by showing up at their work place, and is in a position of privilege that quite simply does not exist in the private sector. A politician is a representative of the people and a fundamental reflection of who we value, what we value, and how we act on it at that particular point in time.

For these reasons, I wish to convey (it's most eloquently stated in French) a simple message to those few politicians who can still be considered faithful to the people's cause. Bonne Chance.

http://www.washingtonpost.com/blogs/wonkblog/wp/2012/12/14/nine-facts-about-guns-and-mass-shootings-in-the-united-states/
http://www.nytimes.com/2012/12/16/us/politics/justice-dept-studied-and-shelved-ideas-to-bolster-gun-database.html?hp&_r=1&
http://www.huffingtonpost.com/2012/12/16/gun-background-check_n_2312582.html
http://www.washingtonpost.com/politics/congress/ap-sources-new-obama-offer-moves-toward-boehner-with-400000-tax-hike-threshold-more-cuts/2012/12/17/666f2e06-48ab-11e2-8af9-9b50cb4605a7_story.html
http://www.theglobeandmail.com/news/world/expats-debate-does-a-mental-health-strategy-need-to-be-part-of-obamas-guns-task-force/article6553135/
http://www.washingtonpost.com/politics/obama-asks-cabinet-members-for-proposals-to-curb-gun-violence/2012/12/17/ac4a8dae-4869-11e2-ad54-580638ede391_story.html?hpid=z1
http://www.washingtonpost.com/blogs/wonkblog/wp/2012/12/18/a-better-target-for-gun-control/
http://www.washingtonpost.com/blogs/thinktanked/wp/2012/12/19/battle-over-gun-control-fiscal-cliff-negotiations-and-boehners-shake-up/
http://www.washingtonpost.com/blogs/thinktanked/wp/2012/12/03/petraeus-fallout-shows-diminishing-separation-between-think-tanks-and-government/
http://www.washingtonpost.com/blogs/wonkblog/wp/2012/12/17/everything-you-need-to-know-about-banning-assault-weapons-in-one-post/
http://thomas.loc.gov/cgi-bin/query/z?c103:H.R.3355.ENR:

Thursday, December 20, 2012

Thinking, Copyright/Security, and Bug Analysis

Someone recently remarked that we should be teaching students/children to think rather than learn by rote. That's fine. However, there's one significant issue here. Without a base level of knowledge there's not much that they can do of any significance. Imagine two students. One is taught nothing other than cheese appreciation/making and 'The Art of Thinking'. Another has a more balanced education with a balanced education that emphasises both thinking but with a broader educational base. Which is going to more useful in the long term? Unless, the child loves cheese and the cheese makes the world go round the latter makes more sense right?

Bugs of the Week

Microsoft's Windows Media Player 12
Optical drives are enumerated on startup of program which means hot plugged optical drives aren't picked up while the program is loaded in memory. A restart of the program is required.

Trading Website (further details not disclosed for security reasons)
Some websites are becoming overly dependent on certain technologies for one reason or another without factoring those who may not be support it. This one is highly dependent on JavaScript. In fact, you can't even move to another page without getting authentication errors when JavaScript is turned off in your browser. Needs a secondary option...

Service Provider (further details not disclosed for security reasons)
I first discovered this flaw in another service provider during the dial up era and amazingly it still exists now. Using generic credentials some providers allow you a fairly large amount of free time/access to the Internet prior to requiring authentication. Back then things weren't that bad since downloads were often dictated by bandwidth but given the speed of todays connections it seems fairly clear that this needs to be better thought out. I did a rough calculation and determined that this particular provider would allow several hundred MB in downloads prior to requiring authentication. A captive portal type is an option.

http://en.wikipedia.org/wiki/Captive_portal

Music Producer (further details not disclosed for security reasons. The media/music in question was produced about a decade ago, unpopular, and is almost impossible to find in retail music stores (I got this in a used music store). Moreover, much music is purchased digitally now and it's likely they've moved on to other systems.)
I recently had a problem ripping some music (could only rip 2/3's of the disc) for use on my smartphone. I thought it may be related to a scratched disc but cleaning it and using another drive (some drives have superior error detection and correction capabilities) didn't achieve anything. At a certain point disc reads/ripping would time out (in the first 20% of a track about 2/3's of the way through the disc). I had an inkling that there may have been some copy protection involved. Attempting an ISO copy of the disc in ImgBurn resulted in the following.

####Start ImgBurn Quote####
As Yoda would say, "Hmm. Failed in your attempt to outsmart me, you have."
ISO is not an appropiate container format for the current disc.
Reason. The disc contains multiple tracks.
Regardless of what you select for the file extension, I will not create a true (MODE1/2048) ISO image!
The file will be created with a '.bin' extension instead.
####End ImgBurn Quote####

Letting ImgBurn run with a '.bin' copy resulted unsurprising in a freeze/timeout.

Using CDBurnerXP resulted in the following errors (whole disc copy using .MDS format).

####Start CDBurnerXP Quote####
Unreadable area detected on disc at position ??????

I/0 Error!
Device: ?
ScisciStaus: 0x02
Interpretation: Check Condition
CDB: ?
Interpretation: Read CD - Sector ?
Sense Area: ?
Interpretation: Timeout on Logical Unit
####End CDBurnerXP Quote####

There are obvious clues though. There were indications that the disc itself was partitioned into multiple tracks/sessions. This technique itself is ancient (think the early floppy disc era/decades ago) and is similar to another scheme that was recently used by another music producer that involved blanking out the first track of a music disc to make it readable to music players but not to computers (you could circumvent it by literally carefully running a texta over that first track). In this case, I got around it by loading it up, ripping the first 2/3's of the disc (partition is set at about 2/3's of the disc capacity), stopping the process, connecting an external optical drive and then ripping the final 1/3 from there (stopping/restarting doesn't seem to work. There seems to be measures to calculate a continuous read around the disc.)(I tried both lossy MP3 as well as a lossless WAV rips which were successful).

The purpose of this is not to prime you on how to break copy right protection systems! It gives you an idea that a lot of the work out there is often derivative and often not enough thought is put into the theory or implementation of such technology. Many of the implementations out there indicate an understanding of one side of the equation but not another which often leads to a gaping hole (read up on the history of breaking DVD, PDF, and PayTV encryption).

http://en.wikipedia.org/wiki/Analog_hole
http://en.wikipedia.org/wiki/Kerckhoffs%27s_principle
http://en.wikipedia.org/wiki/Portable_Document_Format
http://en.wikipedia.org/wiki/DVD
http://en.wikipedia.org/wiki/Content_Scramble_System
http://en.wikipedia.org/wiki/Smart_card

Tuesday, December 18, 2012

More Security Analysis and Bugs

Seems as though the vast majority of traffic on the Internet is actually automated. One of the greatest ironies of what I've discovered is that those who are launching attacks are also among the most likely to be attacked as well.

http://www.akamai.com/dl/whitepapers/akamai_soti_q212.pdf

There is a theory which says that due to the nature of Western society and its strong private/public split that this will compromise national security (mainly owing to the problem of oversight and resources). There may be a case for this argument but it's becoming clearer that there is a strong desire/push among Western nations for greater oversight of private enterprises (particularly, those who own or operate critical infrastructure). This may have resulted in former law enforcement/intelligence staff being increasingly involved in vendor development/manufacturing as well as recruitment (as part of their staff) as well.

An example of the apparent stronger co-operation in the attacking as opposed to the defensive side. It may actually be easier to simply go out and attempt to purchase/rent control over an existing 'botnet' then to get co-operation/help with regards to taking one down based on some of the examples that I've seen. Clearly, though you have to take the good with the bad though. I've seen cases of botnet's being sold several times over to a group of people. They offensive side seems to suffer from a stronger 'skills gaps' and though their knowledge/maturity does seem to be more 'gappy' than that of many people on the defensive side. For instance, naming conventions, mix of complex/simple, and occasional flaws in their software (I've come across some extremely primitive infections) suggests that many of them may not entirely understand what they are being involved in (offensive side has many at the lower rung, few at the middle rung, and a tiny minority at the top. This is reflected in both normal society as well as those who work in the security industry (depending on your locality).).

https://community.rapid7.com/community/infosec/blog/2012/12/06/skynet-a-tor-powered-botnet-straight-from-reddit

For those who are at the top of the offensive side, it's clear that they can often be extremely professional. They are extremely focused, efficient, takes steps to cover their tracks (diversion and anti-forensics becoming increasingly more common), have strong knowledge of the underlying platforms required/protocols and are often extremely thorough with regards to background knowledge of their target. A lot of it sometimes feels as though it may have come from insider knowledge.

http://www.mcafee.com/us/resources/reports/rp-operation-high-roller.pdf
http://www.mcafee.com/us/resources/white-papers/wp-analyzing-project-blitzkrieg.pdf
http://www.washingtonpost.com/national/national-security/cyber-intruder-sparks-response-debate/2011/12/06/gIQAxLuFgO_story.html
http://www.recurity-labs.com/content/pub/papers.shtml
http://www.sourcefire.com/resources/white-papers
http://www.militaryaerospace.com/articles/2012/11/darpa-plan-x.html
http://www.militaryaerospace.com/blogs/aerospace-defense-blog/2012/10/stealing-a-drone-by-spoofing-is-it-that-easy.html
http://www.coverity.com/library/pdf/coverity-managing-risk-wp.pdf

A while ago I completed/submitted/published my 'Convergence' report. Since then several other studies have been conducted/completed/published. One of them was the Australian Government's 'Asian Century' whitepaper, another was from the Asian Society while another was from the United States's National Intelligence Council.

http://asiancentury.dpmc.gov.au/
http://asiasociety.org/policy/united-states-and-south-asia-after-afghanistan
http://globaltrends2030.files.wordpress.com/2012/11/global-trends-2030-november2012.pdf
http://www.ianslive.in/index.php?param=news/South_Asia_faces_several_shocks_US_report-391175/INTERNATIONAL/13
http://globalpublicsquare.blogs.cnn.com/2012/12/10/what-a-u-s-asia-policy-should-look-like/
http://en.wikipedia.org/wiki/Asian_Century
http://en.wikipedia.org/wiki/Middle_Income_Trap

Another concept that I've been toying around with since the 'Cloud' document.

http://www.zdnet.com/linux-based-qubes-os-sandboxes-vms-for-added-security-7000003892/
http://qubes-os.org/trac
http://freebsdfoundation.org/documents/FBSDF_3-fold_2012102201.pdf

Namely, application sandboxing all the way throughout an Operating System. It will be interesting to see how it will actually play out in the real world and their implementation of the concept.

Bugs of the Week

Sega's/Sports Interactive's Football Manager Series (most of these apply to 2009 but some apply to only earlier versions)
- max age for a manager is 100 years
- taking over opposing clubs and deliberately spending complete transfer budget, increasing salary of mediocre players and selling best players to relegate/bankrupt them continues to work as a strategy against clubs you don't like
- some clubs hardcoded to be taken over to come back up? In earlier version a major club could get into trouble and then basically fall out of the game/system altogether. Some now come back up even though they seem to be in severe trouble through a buyout/takeover
- trophies, points freeze up with regards to Hall of Fame after a certain number. Number is accurately tracked in manager history though
- job offer for Assistant Manager still maintained in Transfer section even though job offer has been taken up by someone else
- had one instance of not well formed XML with regards to news creation. Have had a number of other occasions where I could not reload a saved file due to an unrelated system crash as well. More needs to be done with recovery/robustness.

Iceweasel Web Browser
Hit the pause button at the correct time/under certain circumstances during a download and you can achieve nonsensical values. For instance, I recently got 1.3 out of 1.2MB download. Investigate when I have more time.

Un-named Recruitment Website (company/more details undisclosed for security reasons)
If password mismatch error message showing up as unfilled section rather than password mismatch. CV upload race condition.

HTC Cha Cha Phone
Has a number of bugs/problems which relate to power consumption.
http://androidforums.com/htc-chacha/535164-fix-battery-drainage-issue-make-battery-last-longer.html
http://androidadvices.com/increase-htc-chacha-battery-life/

Generic Dynamo Powered Torch
Interesting that a rechargeable battery drained at a rate of about 0.01V/s once recharged (Opened the device and used a multimeter to track. Interesting how simple/complex some devices are once you see them disassembled.). Always knew that once Lithium based batteries hit a certain point they begin to lose storage capacity but this is the first time I've really understood just how drastic the change is.

Monday, December 10, 2012

More Security Analysis

Obviously still working on my 'Cloud and Internet Security' report (780+ pages/207K+ words now). Has been incredibly englightening and interesting.

A few data mining projects (law enforcement/intelligence) have really getting in the way of themselves really. So much data is being classified that doesn't need to be that it's resulting in a huge number of false positives, redundant data, and just plain waste. It's clear that there are some programs to fix this problem and to clean up a lot inaccurately marked data. Ironically, some material that I came across during research for this document clearly had unfriendly embedded content (I often just switch formats to one that doesn't allow for 'embedded/rich' content to reduce the chances of having to deal a potential security risk. If you understand how most existing AV/IDS/IPS systems work then you'll realise how trivial it can be to bypass them.).

http://cryptome.org

Seems clear that we are trudging over the same material over and over again. Declassified Walsh report from about a decade ago seems to cover a lot of the same ground that we are now covering in regards to surveillance/intelligence collection by law enforcement/intelligence.

https://www.efa.org.au/Issues/Crypto/Walsh/walsh.htm

Nice resource on biometrics. Seems clear that a lot more work research needs to be done though.

http://www.cse.msu.edu/~cse891/Sect601/textbook/

Nice introduction to reverse engineering.

http://hackingthexbox.com/
http://archive.org/details/HackingTheXboxAnIntroductionToReverseEngineering

A lot of work is being done with regards to cyberwarfare rules of engagement/playbooks at the moment. The 'Tallinn Report' is one attempt by NATO at covering these issues.

http://www.ccdcoe.org/

Is it possible to convert an Arduino device into an automated password cracking device? Believe it may be possible since it all it need do is send a stream of characters right? Will leave this experiment for when I have more spare time.

Looking at issues related to export control and cybersecurity it seems clear that there is quite a bit of flawed logic/hypocrisy out there at times. Countries/people clearly want stronger security/the ability to withstand any attack and yet they still want to maintain the ability to be able to attack others. One example of this is that depending on the nations involved even export of defensive capabilities/services is tightly controlled/restricted to neutrals and sometimes even allies. The irony is that the Internet already provides people/states with enough knowledge already to be able to acquire the knowledge themselves from both the defensive and offensive perspective. Take a look at the current Syrian crisis as an example with regards to their makeshift weapons, rockets, and even a hybrid car/tank. Where there is a will there is often a way (though it may be more difficult). Another thing that needs to be thought of is that human thought is often iterative. Inductive leaps in theory and implementation are far more rare than one may think. Many things can be inferrered or reversed. Critical sectors such as law enforcement, intelligence, defence, and advanced research and development have all been caught out (undercover agents, sources, and scientists literally blown via Facebook, Google, and so on).

http://www.bbc.co.uk/news/world-middle-east-20522585
http://www.networkworld.com/community/blog/famous-patriot-hacktivist-jester-shares-battle-chest-osint-tools

Confirmation of some of my earlier work in the 'Convergence' report.

http://www.ukmediacentre.pwc.com/News-Releases/UK-companies-leaving-the-security-of-their-data-on-cloud-to-chance-shows-research-by-PwC-Infosecurity-Europe-122c.aspx

Changing signatures of your network/system architecture is something I've been playing around with as indicated in my 'Convergence' report.

http://www.militaryaerospace.com/articles/2012/07/raytheon-cyber-maneuver-technology-to-help-safeguard-army-networks-from-information-attacks.html

The more you dig the more you figure out that there is no single company that has a really 'pure history' when it comes to best security practice and even business process. The larger the firm is the more likely it will have a long history, have gone through a break up, merger, or acquisition which means that standards may often drop for a small period of time. Moreover, based on personal experience/observation vendor communication/co-operation can often be disengenuous. Patches are often delayed, a severe bug report can often be 'spun', or you can often be ignored completely... Communication is no guarantor and neither are legal frameworks as well depending on the people/states involved.

http://www.h-online.com/security/news/item/Huawei-sends-team-to-visit-critical-researcher-1741575.html
http://www.h-online.com/security/news/item/Huawei-s-routers-of-vulnerability-1657620.html

Interesting...

http://www.h-online.com/security/features/Detecting-CSRF-vulnerabilities-1743836.html

Soldering tips

http://www.fixup.net/tips/soldering/index.htm

On a finishing note, if you run out of (or prefer not to buy) disc scratch fixing fluid try toothpaste or bicarbonate soda. They are both light/mild abrasives and I've used them successfully.

Network Traffic Analysis, Laptop Power Charger Replacements, and More Bugs

If you've ever worked on a network of any reasonable size or have had to deal with network administration management in any form of capacity then you would have realised that two things that you'll need to deal with are bandwidth and quotas. Recently, I've been experimenting with various proxying technologies as a means of dealing with these particular problems. Some of the cloud based variants include Opera Turbo and FasTun (basically your browser is setup to reference these particular servers instead of going direct to the Internet). Accounts by others seem to indicate that performance improved for others but personally I haven't seen much of a benefit (I believe that this may be due to the nature of the content that I work with and the fact that I already optimise many network settings already. I experienced similar results when using a local proxy.).

http://fastun.com/
http://www.slideshare.net/sefc/using-opera-for-slow-connections
http://www.opera.com/browser/turbo/
http://www.ghacks.net/2012/03/02/4-options-to-save-bandwidth-speed-up-web-browsing/
http://superuser.com/questions/270455/any-add-onservice-for-firefox-to-compress-incoming-data-like-opera

What I have found to be of significant benefit has been proxying or completely blocking advertising, system updates (browser updates are a particular nuisance), multimedia, and various other unrequired services/network applications. Use an application like ntop, iptraf, wireshark and you'll be shocked to realise just how much traffic gets through. On one network I've managed to slash traffic to a third of its original usage.

Obvious options for blocking include doing it at the gateway/firewall/router level but personal experience has taught me that SME/SOHO based implementations are rather limited so multiple layers may be required to deal with the problem. If your gateway/fireall/router can only handle a certain amount of DNS/IP based bogon lists than you may require a secondary option such as another device, server, or even local browser based addons and host (/etc/hosts under Linux/UNIX) file based modifications.

http://pgl.yoyo.org/as/serverlist.php?showintro=0;hostformat=hosts
http://pgl.yoyo.org/adservers/formats.php

Examination of 'updated_ad_blocker_for_firefox_11-0.7.7-fx.xpi' (a Firefox addon) indicates that it works along similar lines as the bogon list option. Basically, regex/pattern matching and then send queries to these particular servers back to the local loopback interface or else drop traffic from these particular sources entirely.

user@system:~$ mv updated_ad_blocker_for_firefox_11-0.7.7-fx.xpi updated_ad_blocker_for_firefox_11-0.7.7-fx.zip
user@system:~$ unzip updated_ad_blocker_for_firefox_11-0.7.7-fx.zip
user@system:~$ vim content/defs.js
####Start Quote####
 var adsUrls=[
        /(http|https):\/\/(www|ssl)\.google-analytics\.com\/(urchin|ga)\.js/,
        /http:\/\/[a-zA-Z0-9]*\.googlesyndication\.com/,
        /http:\/\/[a-zA-Z0-9]*\.googleadservices\.com/,
        /http:\/\/ad\.yieldmanager\.com/,
        /http:\/\/ad\.zanox\.com/,
        /http:\/\/ads1\.msn\.com/,
        /http:\/\/ads\.hulu\.com/,
        /http:\/\/a\.huluad\.com/,
        /http:\/\/ad\.auditude\.com/,
####End Quote####

Reasons why you should try to get a proper laptop power charger replacement whenever/ever possible.

http://electronics.stackexchange.com/questions/11355/would-a-laptop-charger-at-incorrect-voltage-fail-to-supply-power
http://www.badcaps.net/forum/showthread.php?t=6986
http://www.badcaps.net/forum/showthread.php?t=21931
http://superuser.com/questions/79818/using-a-20v-power-block-on-a-19v-notebook
http://www.techsupportforum.com/forums/f16/seagate-drive-over-voltage-damage-427100.html
http://www.fatwallet.com/forums/technology/1139374/
http://www.tim.id.au/blog/tims-laptop-service-manuals/

Bugs of the Week

Sega's/Sports Interactive's Football Manager Series (most of these apply to 2009 but some apply to only earlier versions)
- bugs with regards to dealing with finances. Once you go past certain point your finances wrap around that particular variables storage limit. In old versions this would lead to negative finances. In newer versions can lead to a management takeover
- every once in a while a scout "finishes assignment" in the news
- being able to loan a player for a fee that is more than the size of the available funds for another team which leads to instant bankruptcy (earlier versions)
- good player's (presently) names are often combined or re-used. For instance, I recently came across a great defender called believe it of not, 'Fernando Tevez'. Often technical good, creative, Brazilian players are called '[prefix]inho'
- every once in a while a wage negotiation for player results in silliness. For instance, 90 Euro as opposed to 90,000 Euro. Often this will make it impossible to purchase the player or else renegotiate the contract. The only way to deal with it is to re-bid for the player or sell and attempt to re-purchase him
- during negotiations of contract for GK coach stats/details for manager are provided rather than for a GK coach. Suspect that this may be related to a manager who has been hired as a GK coach and is early in his career though
- if you give a guy a job with higher seniority than the one that he is seeking he will reduce his wage demands rather than increase or maintain them

w3af (Windows port, may be a slightly older version)
Drop down list for target when it has only been first initiliased results in entire list being populated by first target. Believe that this may be some lazy programming that may be fixed over time?

sarg
Strictly speaking not a bug but when run as non-root user, error message is following. Not too helpful.
user@system:~$ sarg
SARG: File not found: /var/log/squid/access.log

Leadtek's WinFast PVR2
- "Fails to load decoders" or "Fails to load graph" when means it can not detect USB TV dongle. Better message would be helpful
- sometimes if you change channels quickly enough and it will eventually lead to a crash
- while previewing a new program the channel doesn't change properly to reflect what is occurring
- if you get into trouble advice is don't downgrade. You may get all sorts of strange errors about not being able to load decoders. Use the version that you installed the program with or else uninstall the program first and then re-install the version that you require

Some fun...
http://despicableme.wikia.com/wiki/Special:Videos

Online Android and iOS App Development, Random Stuff, and More

- if you're like me you've probably fiddled around with mobile application development before. One of the obvious frustrations is t...