Jeff’s Blog

Best damn fark comment ever.

“I like to eat a bowl of Kraft Dinner (a.k.a. “KD”) while watching some opera or ballet. There’s nothing better than a little arts & Kraft.”

In response to winy poor Canadians not wanting to eat free kraft mac and cheese.

Well my site is back after a little hiatus. I am now hosting with godaddy since I can pay month by month instead of a year at a time like blue host. So far they suck. You have to pay for stats, you have to upload your mysql dumps 2 megs at a time, and so far my .htaccess file to set up my permalinks hasn’t worked and I don’t want to go back to ugly default wich will break all the stuff in search engines. I will probably be moving back to bluehost when I get some $$$.

The University of Washington has released a free and open source system for tracking computers called Adeona.  I have installed it on my work laptop and it gets the job done.  This is a great solution for home users as it works on Linux, Mac, and PC and doesn’t require anything else from the user as far as a server or service fee to use it.  There are some defiant short comings though. 

• First as with all non BIOS tracking software this won’t work if a thief wipes the drive without booting up.
• Second it sends the location data pseudo randomly every half hour, so if a thief boots a laptop and sees a login screen and shuts it down, it probably won’t be recorded.
• Third would be a nightmare to mass deploy.  I have thousands of computers I would want to install this on.  To do this I would have to manually install it on everyone since it asks questions during the install and you have to copy a file to a central server that you have to have to check on the location data.
• Fourth it uses OpenDHT to store the location information.  I don’t trust the stability of an open source distributed storage system that anyone can use for distributed storage.  Its only a matter of time before this starts to be used to distribute illegal material or the popularity of it cripples it.  I am all for open access to things but time and time again a few people always ruin it.

For my purposes I think it would be better just to write a program that posts the computer name and IP address to web server that stores the information in a MySQL database.

There has been some buzz about the Roku netflix player releasing some of its source code. The thing is they have to release the code as its GPL open source code that they modified. The truth is the code should have been available since day 1. This is no different than the Tivo source code that has been released. They didn’t release any of their proprietary code. Now that I know that this is based on Linux though this should hopefully be pretty hackable. It would be great if Xvid and H.264 support can be added. Then I won’t have to use my noisey Xbox 360 to stream my movies off my computer.

I have seen the lowest of the low today. I live in Riverside where fireworks are illegal and went and bought fireworks in San Bernardino County where they are legal. I was followed into Riverside County and pulled over by Cal Fire and sited for possession of fire works. They did not care that I was going to my friends in Chino to light them off no its illegal to even be in possession. This is the most under handed slimy bullshit I have ever seen in my entire life. They are obviously only doing this for revenue as you know safe and sane fireworks used properly are not a hazard. What do they think they are accomplishing by doing this? Now I have a chip on my shoulder and have to pay a fine for possession of safe and sane fireworks. Do they really think this fosters good will within the community? No now ever time I see a Cal fire or Riverside PD officer I think what ass holes. I no longer feel good to live in Riverside County where they do everything to make upstanding law abiding citizen pay for technicalities so they can make money. I hope the county goes bankrupt and all the county supervisors are thrown the hell out of office. I will do everything possible to make up that money in BS from the county. I will get my 2 bulk pickups every year from the trash service even if I don’t need one and I only have a garbage bag of trash. I will put as many requests into code enforcement office as I can. I will do anything and everything I can to make Riverside County and City spend money and in general be a pain their ass without breaking any laws. Thanks for fostering good will to your citizens Riverside. If you treat everyone as a criminal you will have nothing but criminals left in your city. I for one will be moving as soon as possibly can so say good by to even more tax revenue, and hopefully I can sell my house to some dead beat drunk a hole that will bring the city even further down the tubes.

The Linux Cisco VPN client seems to try the first avalable interface to make a connection. In my case this was eth0 which is my wired port which isn’t connected to anything. In order to get it to work I had to down the interface with ifconfig eth- down then it would connect fine with my wireless interface eth1. I haven’t seen any documentation to see if there is a way to manually bind it to a specific interface, and there is no MAN page installed. At least –help gives some usage, which is heads and shoulders over the tsmc tivoli command line I was using today what a royal PITA. Just encase anyone needs it the command to restore a previous version of a file is “tsmc restore -todate=yyyy-mm-dd -inactive /path/to/file” the documentation gave the format for the date as mm/dd/yyyy and the command would just come back and say -todate not recognized. Not wrong date format no that would have saved Jeff an hour of goggling.

It is mind blowing how fast thing spread on the internet. Take this XKCD comic there were only 2 results in google when you searched for “died in a blogging accident” just yesterday. Now there are over 2,000 results and climbing every hour. “Died in a knitting accident isn’t so popular so only a rise to 107 results from 7. Also of note not many people read the title tag of the image since “Died in a snake charming accident” rose from 0 results to 10 and “Died in a haberdashery accident” also rose from 0 to 10 results. The sadist part of all of this is that when someone does die in a blogging accident we won’t be able to find it on google. Remember kids don’t walk around blogging on your iphone or you will end up dying in a blogging accident.

Finally the one feature I have been waiting for.  It looks like on Dec 4th the new dashboard update finally adds divx and xvid support to the 360.  No more trans coding!  Hopefully it will support full 5.1 sound.  I have a ton of movies that I ripped myself with no way of watching them on my big screen. I was looking at the sling catcher when it came out but this is free since I already have a 360.

Well it has been a while since I have posted anything.  I have been really busy this past month.  I was promoted to the  IT security  manager  at my current employer.   I am now dealing with IT security almost full time, they still need to fill my vacant position.  So I am much happier now not having to deal with a lot of the boring mundane task, and now instead get to do what I love, security. 

I was reading another blog security blog entry and it got me thinking.  Why do POS systems have to store credit card numbers?  There really is no rational reason that I can think of.  I have had quite a bit of experience with a POS POS system (note that isn’t a mistake only 1 POS means Point of Sales).   The way credit card transactions work is that the stores POS system calls a card processing system.  The stores computer then asks the card processors computer if this credit card has enough money to cover this purchase.  If it does then it “reserves” these funds for the store for some time period and gives the store a magic approval number, no actual money is taken at that time.  I don’t know exactly why they do this, my guess is that they reserve a slightly higher amount of money than is actually needed so that it can be adjusted down if the transaction needs to be modified, IE you give the waiter a tip or you decide you really don’t want to buy that Iphone.

The store will then within a day or two do a batch settlement transaction where the store goes back to the card processor and says yes all these transactions really did happen so send us money.

So the only point in that process where the store actually needs the credit card number is the first transaction to the card processor.  After that the store could just use the unique authorization number to identify the transaction.  So now a hacker could still get credit card numbers but only in real time sniffing all the transactions as they go instead of the cue de gra 18 months or more that they currently can get if they hack into a POS system.

I live in California where the Secretary of State Debra Bowen has allowed The University of California to test the E-Voting systems used in here in California.  What they found was that all of them are hackable. I find the preliminary findings very scary but not at all surprising.  The legislature of California are not Computer Security Experts but they should have consulted with and let Security Professionals verify that they were secure before Certifying the systems.  It is inexcusable to allow what is arguably the most important Computer System in the country to be so insecure.  These machines are what decide our election.  If you could modify the election results you could execute a bloodless coup and no one would be the wiser.   No one could prove that an election had been stolen if there is no paper trail.

I will give you one scenario.  All the electronic voting machines are stored in some medium security warehouse with a few guards and 1 or 2 cameras.  A disgruntled technician from company XYZ that makes $20,000 a year maintains voting machines is payed some large sum to hack the companies voting machines.  He is admitted entry into the facility do do “maintenance” He turns them all on and one by one inserts a USB thumb drive that installs a virus on each machine.  He also updates the BIOS and changes the checksum check that is used to verify that the operating system is certified, just like he has to do when he installs any patch.  This virus will change the vote on 41% of the votes in the favor of candidate FOO.  Thus virtually insuring victory.  This virus then removes all traces of itself and restores the correct checksum back into the BIOS at 7:55PM on election day.  With the current systems that have no paper trail and no one would find out unless someone starts looking at the technicians large bank account.

I am not saying to go back to all paper ballets, to me this is even more error prone and hackable than E-voting.  Just make up some ballet boxes and switch them in transit to the registrars office.  No to me the problem is fairly trivial technologically speaking.  The solution is 3 fold.  First and most simple a paper copy must be printed out and verified correct by the voter.  Thus ensuring a backup in case the electronic version is lost or tampered with.

The second part of my proposed solution is PKI (Public Key Infrastructure).  Each voter should be assigned a private key, a 3D bar code would work nicely.  This key should be assigned completely at random and only good for 1 election so that voting patterns couldn’t be data mined and somehow connect to an individual, there should also be no record kept of the voters private key only their public key should be kept.  This private key should be encrypted with a master public key so that there is no way a voters private key and identity could be obtained by coping it in transit unless the person also had the master private key.  The voter then would then scan their bar code and the voting machine would verify that it is a legitimate key by decrypting the key with the master private key.  The voter would then vote and the results would be signed with the users private key, and also be printed out.  If the results were tampered with the signature would not match and it would be obvious that the results were tampered with.  If two different votes were signed with the same private key you would also know that the user voted twice and to trow out all other votes signed with the same signature.   The  public keys and paper copies should be escrowed so that recounts could be done for some defined time.

The last and most important is both the physical security and openness of the system.  The inputs should be protected with 3DES encryption so that only certified devices could be plugged in.  No uncertified devices should be allowed on the system.  No one should be able to plug a key board in.  The case should be wielded shut and painted with a heat sensitive paint so any attempted tampering would be apparent.  The system should be completely open source from the OS to the voting software so that all code can be freely audited.  It someone did manage to hack the system the paper backup should throw up the red flag that the system was compromised.  The system should also be on an encrypted EEPROM so that even if you get into the case you can’t modify the EEPROM with out the key.  The key should be on a physically separate  dongle that is  locked up  separate from the voting machine and must be present when booting the machine and removed thereafter.  If any dongle is lost then all the dongles will have to be replaced and the EEPROM reprogrammed so it is very important that they don’t go missing.  The systems should never be plugged into an open network.  The system that collects the votes should also have a certificate assigned to it and stored on the voting machines so that the voting machines don’t disclose voting results to an unauthorized system.

All of this technology is common and in use today.  We need to reform the voting system so that we implement this as soon as possible.  If we don’t we may soon find our country not in our control anymore.  I don’t go into all the details about the system but I would love feedback, what are the weaknesses in the system I described.  If done correct E-Voting is both more efficient and more secure than paper based voting alone.