Pogue’s attitude is unfortunately far too common

According to David Pogue, since hacking a car is “nearly impossible,” we shouldn’t talk about it anymore.

That, my friends, is precisely what’s wrong with security and security awareness today. Flying to the moon is nearly impossible, after all, and you could easily kill yourself trying. David Pogue has never done it. But Neil Armstrong and Buzz Aldrin did.

Droidpocalypse? Josh Drake says no.

Josh Drake, the researcher who discovered the Stagefright vulnerability in Android that lets an attacker hack into an Android device by sending a specially crafted picture or video in a text message, was on the Risky Business security podcast this week to talk about it. What he had to say was interesting.

Patrick Gray, the host, tends to be a pretty outspoken critic of Android and isn’t shy about talking up Apple. He tried to get Drake to say Android is a trainwreck, security-wise, but Drake wouldn’t say it. Drake actually went as far as to say he thinks Android and iOS are fairly close, security-wise.

So why do we see so many more Android bugs? Drake had an answer.

Cross-site scripting explained

In many security job interviews, the interviewer will ask about cross-site scripting, also known as XSS. Most descriptions of it are overly complex, however. The best description of it that I’ve ever heard is just five words long: Code execution in the browser. That’s cross-site scripting explained as succinctly as possible.

That succinctly sums up the problem: You don’t want someone to be able to inject their code into your site.

How to use the lock in your web browser’s location bar

A commenter asked me last week if I really believe the lock in a web browser means something.

I’ve configured and tested and reviewed hundreds of web servers over the years, so I certainly hope it does. I spend a lot more time looking at these connections from the server side, but it means I understand what I’m seeing when I look at it from the web browser too.

So here’s how to use it to verify your web connections are secure, if you want to go beyond the lock-good, broken-lock-bad mantra.

Rob O’Hara on phreaking, Tesla coils and modems

Rob O’Hara posted a podcast about phreaking today. He explains in layperson’s terms how the phone system was controlled by tones, cites it as an example of security through obscurity, and he talks about his own first-person experience subverting the phone system. He was far from the only one who did that.

The lines between white hat/gray hat/black hat hacking and moral laws

Longtime reader/commenter Joseph asked two questions yesterday: What’s the boundary between gray and black-hat hacking, and is it moral to pick and choose between moral and immoral laws?

The first question is easier than the second. So I’ll tackle that one first.

Open-source licenses, the CISSP, and the real world

You may have a question about open-source licenses on your CISSP exam. I don’t remember the specifics and wouldn’t be able to repeat them anyway, but I had a question on my exam where knowing the differences was helpful in finding the right answer.

And I had to deal with an issue this past week involving open-source technologies where the licenses made a big difference.

And this is why I don’t drink

Early in the morning of April 9, 2008, just hours after pitching six shutout innings, 22-year-old Nick Adenhart was killed when a repeat-offender drunk driver ran a red light and plowed his minivan into the Mitsubishi sports car Adenhart was riding in. He died in emergency surgery a while later. Two other passengers died at the scene.

This kind of bullcrap happens all the time, pretty much every weekend, in at least one major city. Usually it doesn’t even merit more than a couple of paragraphs in the newspaper because we’re so used to it. It made national headlines this time because one of the victims happens to be one of the California Angels’ best pitching prospects.

It’s a symptom of a macho culture where the measure of a man is how many six-packs he can put away, and what he can manage to do afterward. I saw this in college all the time, where the role models we were supposed to emulate were the losers who would stay up until 4 or 5 in the morning drinking, then sleep for two hours and get up, shower so they didn’t smell like a brewery, put on a suit, and go to the 7:45 church service.

At least my story doesn’t get any worse. Church was right next door, so they didn’t have to drive and put anyone else in danger. Of course, if they’re still playing the same game today and driving to church two hours later, that’s reprehensible.

But in some circles, driving 45 minutes to get home is part of the culture. Down a case of beer, make a lot of noise, then drive home without killing anyone, and somehow, that makes you a man.

Bull puckey.

Real men consider the potential consequences of their actions. Real men set out to do as little damage to the people around them as possible. Real men try to make the world around them better, not worse, as a result of their actions. There are even some men who manage to deal with high stress jobs with lots of responsibility, deal with that and with all of their other problems, and manage to deal with it all without ever turning to alcohol.

Now that’s a man.

I don’t care what the myths say. Supposedly if you weigh 400 pounds, you can drink about three times as much alcohol as I can, because you weigh almost three times as much as I do. And indeed, you may be able to drink larger quantities than me without passing out. But a beer or two still affects your judgment, whether you weigh 98 pounds or 400. I once saw a demonstration where a professional race car driver drove an obstacle course. He drove it effortlessly when he was completely sober. Then he drank a beer and got back behind the wheel. He still did fine. After two beers, he still did OK on the course, but he said he could feel a difference. After three beers, he could no longer drive the course.

So after three or four beers, you really don’t have any business behind the wheel. Your ability to react to emergencies is diminished enough that at that point, you’re putting yourself and others in danger.

I don’t know what the answer is. We can lock Adenhart’s killer up in jail, and that’ll keep him away from beer and out from behind the wheel of a car for a while, but eventually he’ll get out. Will he do it again? One thing I learned living with an alcoholic for 18 years is that alcoholics never really learn a lesson from their addiction, regardless of the consequences. At least not until it costs them something that they want more than the bottle, which is rare. I don’t know if he’s an alcoholic or not. If he is, you can make him go to treatment, but once again, if he’s not ready, it won’t take, and he’ll be drinking again shortly.

Taking his driver’s license away didn’t keep him from driving this time. Can you take his car away and prevent him from being able to purchase another one? That sounds good to me, but I don’t know if that’s legal.

Ultimately the solution is cultural, but I don’t know how you get rid of that. For some reason, a sizable portion of the United States is fascinated with people who can put away gutbusting quantities of alcohol. We don’t have the same admiration for people who can smoke a pack of cigarettes in one sitting. We’re morbidly curious about people who can eat half their weight in hot dogs, but I’m not sure that we really look up to them.

And I don’t know why that is. Because frankly, all you have to do to be able to drink huge quantities of beer is to sit around and drink on Friday and Saturday nights. Do it long enough, and you get enough weight and tolerance to be able to drink a six pack or two without passing out. Some people see that as an achievement. I see it as someone desperately needing something better to do on Friday and Saturday nights.

Seriously. Get a hobby. It’s no cheaper than beer, but it doesn’t hurt anybody, and on Sunday morning you have something to show for it other than a bunch of empty cans or bottles and a headache.

Or in this case, a bunch of empty cans or bottles, a splitting headache, a wrecked minivan, and three dead victims. Not to mention a much-deserved new address, behind bars.

So what do we do now?

The somber first anniversary of the invasion has come and gone.
I tried not to think about it but I failed; there was a mood at work that indicated without words that everyone was aware of it. One of my friends basically watched TV with her boss all day at work. One of my favorite radio stations seemed to be completely off the air during the morning drive.

I visited a couple of Web sites. Questions. Lots of questions. What do we do with the site? Charlie pointed out that turning the former WTC site into a park is like making a scar that will never heal. As much as anything, the WTC represented the American way of life. That’s why bin Laden and his thugs wanted it down.

There needs to be a memorial, yes. Rebuild the WTC. Put a plaque on the outside. That’s the memorial. A defiant demonstration of the American way of life. Inside, put plaques in appropriate places telling stories of acts of bravery that happened on that site.

But when we remember this act of cowardice, we need to remember even more loudly the act of bravery that a handful of people on board Flight 93 committed. The largest Sept. 11 memorial needs to be in the field in Shanksville, Penn., where Flight 93 crashed after the passengers and crew took the plane back from the hands of the hijackers. President Bush made the painful decision to take lives in the air to preserve lives on the ground, but the passengers made those orders unnecessary.

They need to be remembered with something along the lines of the Iwo Jima memorial.

And we need to start wrapping things up. Every time we take away more freedoms in the name of safety, we help bin Laden to erode our way of life, which is exactly what he wanted to do in the first place.

The ten-minute guide to oppressing women

“Promise Keepers is here in St. Louis, but not without controversy…”
I’m surprised Promise Keepers doesn’t get more attention from the media, because you can always count on protesters. The biggest demonstration was a throng of militant abortion activists playing off this year’s “Storm the Gates” theme urging PKs to storm a local abortion clinic.

Strangely absent was Fred Phelps. He’s always good for a news story, although I would be afraid to interview him directly. I saw him at PK last year in Kansas City.

A half-dozen feminists were also protesting.

I didn’t see any incognito women this year, although I’m pretty sure I did last year. I saw some “guys” wearing really baggy clothes and sporting short but very feminine haircuts. Officially, PK is a male-only event. But I can’t imagine a woman in disguise getting kicked out if she’s recognized. PK really doesn’t have anything to hide.

Before I get into explaining what PK does and why, let me give my standard disclaimer: I’ve been to two PK events. I occasionally wear a PK t-shirt. There are some PK books on my bookshelf. I don’t know if I’ve read them. When asked if I’m a Promise Keeper, I answer yes. But I don’t agree with everything PK teaches. Since PK is inter-denominational, its theology is a very mixed bag. It’s heavy on decision theology, which bothers me a little. It’s very heavy on the Calvinist/Reform do-it-yourself attitude on grace, works, confession and absolution. There is confession, sort of, but no absolution. That bothers me. When you confess your sins, when you’re done, someone needs to reassure everyone of God’s forgiveness. Too often in Reform circles, there’s an unspoken “try harder next time” attitude. That’s present in PK. That’s spinning your wheels. But we already talked about that.

But I don’t agree with LCMS all the time either, and I’m on the board of directors of an LCMS church. So be it.

So I have some disagreement, but it doesn’t stop me from paying my 70 bucks to go and it doesn’t stop me from encouraging my friends to go.

So, how’s about some straight talk on PK?

Why no women? Mostly because they wouldn’t be interested. Last year, a one-time football coach named Joe White walked in carrying what looked like a telephone pole. Then he carried it up to the stage, put it down, grabbed an axe, and made a cross, right there onstage. Then he set it up. When he was finished with it, it took three people to hold up what he held up himself.

That’ll get a guy’s attention. And when a guy who can carry telephone poles around isn’t afraid to cry… That sends another message.

And then we found out he was dying of leukemia. This is what he was spending the rest of his life doing. So it must be pretty important to him.

This year, Joe White did almost the same thing, carrying an oversized cross around the perimeter of the Savvis Center rink in St. Louis. And at one point, later in the conference, he rode in on a motorcycle, rode up the stage, hopped off, and gave a 10-minute sermon on the power of God, in the style of professional wrestler bravado. It was the end of a combination video/skit that portrayed Jesus and the 12 disciples as a biker gang.

It’s not uncommon for a former football or basketball coach to come in and use sports metaphors to explain Christianity. It’s the language some men understand best.

Most women wouldn’t like it.

The other reason is that a lot of men act differently when women are around. Since getting right with God is a big focus of the events, it’s helpful if you help the men get over the act and be themselves before God.

What’s this take back your household thing? This is where the controversy arises. PK advocates that men take back the responsibility they’ve shoved off on their wives. Wanna know what form that took this year? A big, bald, burly black preacher telling us men to wash the dishes and take out the garbage. This isn’t about taking away a woman’s humanity. It’s about getting your butt off the couch, turning off the football game, and paying attention to your family.

Leaders give. Leaders serve. A real man serves. A real man gives, he said. Then he went on to say that if you’re a man and you’re receiving all the time, he questions your manhood. In more ways than one.

Both times I’ve gone, one of the speakers has advocated that the men take a basin and wash their wife’s feet (the way Jesus washed His disciples’ feet before the Last Supper) while confessing their shortcomings and asking forgiveness. Where’s the oppression in that? PK advocates humility and responsibility. Who wouldn’t want her husband or boyfriend to be more humble and responsible?

Above all else, PK advocates men taking the role of spiritual leader in their house. Many men are passive or apathetic about God. PK advocates that men pray for their wives and their kids. “My wife comes to me when she has a problem,” that same preacher said. “She doesn’t come to me because I’m a pastor, she comes to me because I’m her husband and she trusts my prayer life. Does your wife trust your prayer life, or must she turn to another?”

I’ll let you in on a little secret. I’ve prayed for girls on a few occasions, with them present. There hasn’t been a one of ’em that didn’t like it. Women like it when a man prays for them.

Most of the women opposed to PK probably don’t understand that this is what PK teaches. Or they may be opposed to any conservative Christian movement.