NIF : First, Yes - I am still alive and well. Thanks.
I know I have been away for a nearly inexcusable amount of time.
Real life has totally been kicking me around the block ... and still is. Sorry!
Does it help excuse my absence if I were to pass along that I just put in my two weeks' notice?
... from my employer of almost 8 years! (over half of my career)
... ... and that this actually means LESS time to blog?
... ... ... In all honesty, I am not sure I will be able to pick it back up anytime soon
... ... ... ... at least not with the level of attention it (and you) deserve.
Illegal Immigration (or any other important topic!) : No man will assert seriously, that when people are of a turbulent spirit, the best way to keep them in order is to furnish them with something substantial to complain of. --thanks Edmund Burke, 1792 ... via Washington Times
Today : Happy "International Eat an Animal Day"!! Since I am such a blog-slacker lately (read : too damned busy with work, family, etc.) - here, a quickie ... Q: Is it wrong to kill a baby seal? ... Thanks IMAO
A: Of course it is. With the allotted amount set at 320,000 dead seals there’s no excuse for bagging just one.
ME : I am in class all this last week, which induced an even-worse-than-normal commute == limited NIF ... and when I say limited, what I really mean is I might get to post one or two things this week
UPDATE : Didn't get a single post up and now I am swamped, playing "catch up" :(
Quick Thoughts * News * Interesting * Funny * Quote(s) of the Day * Closing
Riley : Did you see these pictures?? NIF : A little limited this AM, more later! (and sorry about yesterday) Wed PM : Blogger = down? ... I wish they would quit breaking :( Thursday, Friday : Limited updates, more tonight (silly work; cutting into my "free" time) ... I know, I am teh sux0r
News
Avian Flu : H5N1 in the Bahamas? ... getting closer to home :(
... Cat in Germany dies
Katrina : Can't let recovery efforts stop a good party! ... Show Me Your ... busted levees?
... Criminals to walk free? ... injury, meet insult
Volcano : Magma on the move in Yellowstone ... hey, they just did a Super Volcano on SGA! SCOTUS : Anna Nicole Smith goes to Washington ... ruling not expected until June, tramp status already known Crime : Watch the video of your rape or go to jail ... Inconceivable, and atrocious!
... Duke-stir gets an 8y4m "vacation" ... in a Federal PMITA Prison, that is
Afghanistan : W makes a visit GITMO : Names released ... for better or worse History : 8000 year old milling site found in Cali
Interesting
Islamofascism : Taliban studying @ Harvard? ... found via NEIN
... UAE : DPW's COO defends port assumption to Congress
... Iraq - "Civil War Averted: NY Times Hardest Hit"
... A manifesto against militant Islamism
... repost : Compare and Contrast : Muslim reactions to Judeo-Christian reactions
Illegal Immigration : Wet foot, dry foot ... blech Energy Source(s) : Soy bean fueled car - 0-60 in 4s, 50mpg Patriotism : "A Nation Adrift" ... "where and how the greatest nation on earth has gone astray, as well as the way back"
... PATRIOT Act, renewed
Military : MilTracker ... GOOD military news! ... found via MPJ
... Send cookies, doesn't matter what type!
... Meet BigDog, the 4-legged robotic pack mule
... Soldiers' Angels - from there to here
Free Jack : Firefight wrap-up Speed Limit : Stupid laws or stupid enforcement, you pick Computing : MS giving away free USB drives ... "loaded with valuable information", here
... A mere ~$610M puts RIM's BlackBerry in the clear
... "Music phones" cutting into iPod growth ... my Treo700w fits my need :)
... Your laptop wants 160GB HDD
... Vista won't suck, will be a must-have?
... Vista to feature "Anytime Upgrade"
... Vista and Virtual PC ... and how the licensing works
... Want WinXPsp2 on CD?
... VMWare, $100k "Ultimate Virtual Appliance Challenge"
... 5k free eBooks
... Smallest Win* Phone ever, debuts next month ... +4-band GSM, GPRS EDGE, Bluetooth, WiFi ... my Treo700w is jealous
... Recycled PCs to the rescue
... Comparing vulnerability counts is always specious
... More on E&Y's lost laptops (and clients' data), contradicting own statements
... Nano-skins to yield bendy screens?
... Pope + iPod
... Free data recovery tools
... Music pirates busted ... Apocalypse Crew, Chromance = PWN3D!
... Oracle's 10g XE (eXpress Edition) = free
Internet : ICANN gives .COM to VeriSign, forever! ... US Congress is the last chance to stop this
... The search for botnet C&C infrastructure
... Congress to outlaw hyperlinking ... WTF? Do they even read their bills?
... Why Phish when you can just record keystrokes?
... Google fuels success by feeding their employees ... feeding them well, that is!
... Google shares take (another) hit ... market overreacts
... Google going AMD ... Bye Xeon, 'ello Opteron
... VPNs for the masses, Hamachi style ... or Google Secure?
... Opens a whole, new, terrible world of Pr0n?
Gaming : XBOX360 to hit 10-12M sales by year's end ... hopefully one of those will be me :)
... A peek at XBOX360s Camera
... PS3 to be a little better than XBOX360? ... but a year later
Misc Tech : Rotating wall outlet!
... Keys are old, let's talk Knock Codes
... Coffee cup survivability, physics ... "ceramic mug that can fall 15 feet onto concrete pavement and still hold a full cup"
... Laser projected sky ads? ... or distress beacons, or the bat signal
Abortion : Gross exaggeration by the MSM ... good find! Education : "Federal judge has prohibited students from opting out of pro-homosexual diversity training" ... what exactly does this have to do with Reading, wRiting & aRithmetic? Free Speech : Religion vs Education, revisited ... who can say what, when, and why do others not have this restriction? Feminism : Why it has turned quite destructive ... not the "Sex Out Loud" that comes to my mind! Health : Stem cells no help for heart?
... AF267B might help fight Alzheimer's?
... Marital spats yield heart attacks
... Weight lifting also slims the belly
Space : Hubble, et al, take peek at pinwheel galaxy (M101)
... Jupiter is growing a new Red Spot
... Our trip to Pluto ... data expected July 14, 2015
Employment : Silicon Valley finally hiring again? Celebrity(ies) : Jessica Alba = hot, even when not naked ... suing Playboy
Funny
OOTS : #288 ... charades! RVB : #74 ... available now, booyah! Illegal Immigration : 'Specter bill creates Guest Slacker Program' Computing : Vista to have 33 variations ... "Vista Server My Other Edition Is Premium Edition Edition" Mentos : The Fresh Volcano maker! ... who knew, just add diet coke? ... True!? Sewage : Colon family having toilet problems ... true! Religion : Pope planning a Bible II ... "likely to be a "prequel"" Colbert : Join the Colbert Nation! Islamofascism : ... Secret Weapon - PCDs! ... GWOT victory assured ... "Durka! Durka!"
... 'Iraq government bans Muslims'
... Riots caused by sweet tooth?
UAE : OBL to run USPS ... "For one thing, he’s already disgruntled"
... Oprah endorses UAE port deal
... Dubai to run US
... 'Bush denies knowing of Iraq War'
Happy Fun Ball : Not as good as the original SNL skit, but it's a disclaimer ... real script here? Left : Hopelessness is the plan! ... found via IMAO Iraq : Saddam sentenced, will be FORCED to be President ... he demands a retrial Katrina : Nagin miffed ... "They watched the hurricane coverage on CNN and waited for a federal official" Driving : Autobahn racer (flash) ... thanks Clint! Celebrity(ies) : 'Golddiggers, gigolos rally in support of Anna Nicole' Relationships : Ho-Jack
Quote(s) of the Day
The ExpressPay stored-value card system used by FedEx Kinko's is vulnerable to attack: --thanks to Secure Science Corporation's Strom Carlson (posted with permission)
Abstract:
An attacker who gains the ability to alter the data stored on the card can use FedEx Kinko's services fraudulently and anonymously, and can even obtain cash from the store.
The FedEx Kinko's ExpressPay system, developed by enTrac Technologies of Toronto, Ontario, is based on a Siemens / Infineon SLE4442 memory chip card. The data stored on this card is freely rewritable once a three-byte security code has been presented to the card's security logic. Neither this security code nor the data stored on the card is encrypted; anyone able to obtain the security code is free to rewrite the data stored on the card using an inexpensive commercially available smart card reader/writer.
The first thirty-two bytes of the memory chip card are writable and subsequently permanently write-protectable (in this application, these bytes are write-protected), and contain a header which identifies the card as an ExpressPay stored-value card. Bytes 0x20 through 0x27 contain the value stored on the card, represented in IEEE 754 double-precision floating point format. Bytes 0x60 through 0x6A contain the card's eleven-digit serial number stored as unsigned zoned-decimal ASCII; digits 0x60 through 0x63 are the store number the card was initially issued at, and the remaining seven digits are assigned sequentially at the moment of first issue. A timestamp indicating the date and time of issue is located from 0x30 through 0x37, and is repeated from 0xC7 through 0xCE.
In order to write to the card, a three-byte security code must be presented in a specific sequence of commands as outlined by the SLE4442's white paper. By soldering wires to the contact points of the card and then connecting those wires to an inexpensive logic analyzer, an attacker can sniff the three-byte code as the kiosk or a card terminal prepares to write data to the card. This security code appears to be the same across all FedEx Kinko's ExpressPay cards currently in circulation.
Once the three-byte code is known to the attacker, the card's stored value and serial number can be changed to any value. The ExpressPay system appears to implicitly trust the value stored on the card, regardless of what that value actually is. The system will also accept cards with obviously fake serial numbers (e.g. a non-existent store number followed by all nines). Using these altered cards, xeroxes can be made from any machine with a card reader, and computers can be rented anonymously and indefinitely. Most disturbing, however, is that since stored-value cards can be cashed out by an employee at the register at any time, an attacker could cash out altered cards obtained at little or no monetary cost. If a card is cashed out, its serial number does not appear to be invalidated in the system. If an attacker were to clone a known good card and cash it out, the clone would still be usable.
Affected:
- FedEx Kinko's
- Any client of enTrac Technologies who uses the ExpressPay stored-value card system.
- Any company which uses a stored-value card system based on the SLE4442
Vendor and Patch Information:
Proof-of-concept of the initial security vulnerability was achieved on 8 February 2006, with research into the ramifications continuing through 12 February. Copies of this report were sent to both FedEx Kinko's and enTrac Technologies on 15 February; a read receipt was returned from enTrac on 19 February, while no receipt has yet been received from FedEx Kinko's.
Recommendations:
- Encrypt data before storing it on the SLE4442 card, or migrate to a system which uses cards which have built-in encryption functionality.
- Verify that the stored value on the card does not significantly differ from a reference value stored in a database.
- Do not allow the use of cards with invalid serial numbers.
- Invalidate serial numbers of cards that are cashed out.
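As an added example (not code from the advisory, enTrac, or FedEx Kinko's), the following Python parses a 256-byte SLE4442 memory image laid out as the advisory describes (IEEE 754 double at 0x20, zoned-decimal serial at 0x60, timestamp at 0x30 repeated at 0xC7) and then applies the server-side checks the advisory recommends: reference-value comparison, store-number and serial validation, and cashed-out invalidation. The byte order of the double, the header marker, the store list, and the sample serial are assumptions; the advisory does not state them.

```python
# Added example: parse an ExpressPay card image per the advisory's layout and
# apply its recommended back-end checks. Not the vendors' or advisory's code.
import math
import struct
from dataclasses import dataclass

CARD_SIZE = 256                    # SLE4442 main memory is 256 bytes
HEADER_LEN = 0x20                  # 0x00-0x1F: write-protected header
VALUE_OFF = 0x20                   # 0x20-0x27: stored value, IEEE 754 double
TS_OFF, TS_LEN = 0x30, 8           # 0x30-0x37: issue timestamp
SERIAL_OFF, SERIAL_LEN = 0x60, 11  # 0x60-0x6A: serial, zoned-decimal ASCII
STORE_DIGITS = 4                   # first four serial digits: issuing store
TS_COPY_OFF = 0xC7                 # 0xC7-0xCE: repeat of the timestamp

# ASSUMPTIONS (not stated in the advisory): the double's byte order and the
# header bytes. Big-endian and a made-up marker are used here.
VALUE_FMT = ">d"
HEADER = b"EXPRESSPAY-CARD".ljust(HEADER_LEN, b"\x00")


@dataclass(frozen=True)
class ExpressPayCard:
    value: float
    serial: str
    issued: bytes
    issued_copy: bytes

    @property
    def store(self) -> str:
        return self.serial[:STORE_DIGITS]


def build_card(value: float, serial: str, issued: bytes) -> bytes:
    """Construct a card image with the advisory's layout (sample data only)."""
    if len(serial) != SERIAL_LEN or not serial.isdigit():
        raise ValueError("serial must be 11 ASCII digits")
    if len(issued) != TS_LEN:
        raise ValueError("timestamp must be 8 bytes")
    img = bytearray(CARD_SIZE)
    img[:HEADER_LEN] = HEADER
    img[VALUE_OFF:VALUE_OFF + 8] = struct.pack(VALUE_FMT, value)
    img[TS_OFF:TS_OFF + TS_LEN] = issued
    img[SERIAL_OFF:SERIAL_OFF + SERIAL_LEN] = serial.encode("ascii")
    img[TS_COPY_OFF:TS_COPY_OFF + TS_LEN] = issued
    return bytes(img)


def rewrite_card(image: bytes, value: float, serial: str) -> bytes:
    """The rewrite the advisory describes: overwrite only value and serial."""
    img = bytearray(image)
    img[VALUE_OFF:VALUE_OFF + 8] = struct.pack(VALUE_FMT, value)
    img[SERIAL_OFF:SERIAL_OFF + SERIAL_LEN] = serial.encode("ascii")
    return bytes(img)


def parse_card(image: bytes) -> ExpressPayCard:
    """Decode the fields the advisory documents; raise on malformed data."""
    if len(image) != CARD_SIZE:
        raise ValueError("expected a 256-byte SLE4442 image")
    if image[:HEADER_LEN] != HEADER:
        raise ValueError("not an ExpressPay header (assumed marker)")
    (value,) = struct.unpack(VALUE_FMT, image[VALUE_OFF:VALUE_OFF + 8])
    raw_serial = image[SERIAL_OFF:SERIAL_OFF + SERIAL_LEN]
    if not raw_serial.isdigit():
        raise ValueError("serial is not unsigned zoned-decimal ASCII")
    return ExpressPayCard(
        value=value,
        serial=raw_serial.decode("ascii"),
        issued=image[TS_OFF:TS_OFF + TS_LEN],
        issued_copy=image[TS_COPY_OFF:TS_COPY_OFF + TS_LEN],
    )


def check_card(card, issued_db, cashed_out, known_stores, tolerance=0.01):
    """Advisory recommendations as back-end checks; empty list means accept."""
    problems = []
    if not math.isfinite(card.value) or card.value < 0:
        problems.append("stored value is not a finite, non-negative number")
    if card.store not in known_stores:
        problems.append(f"unknown store number {card.store}")
    ref = issued_db.get(card.serial)          # the database is the authority
    if ref is None:
        problems.append(f"serial {card.serial} was never issued")
    elif math.isfinite(card.value) and abs(card.value - ref) > tolerance:
        problems.append(f"card says {card.value:.2f}, database says {ref:.2f}")
    if card.serial in cashed_out:
        problems.append("serial has already been cashed out")
    if card.issued != card.issued_copy:
        problems.append("the two timestamp copies disagree")
    return problems


if __name__ == "__main__":
    # Constructed sample data: one store, one issued card worth $25.00.
    stores, db, spent = {"1234"}, {"12340000042": 25.00}, set()
    good = build_card(25.00, "12340000042", b"20060208")
    print("genuine:", check_card(parse_card(good), db, spent, stores))
    forged = rewrite_card(good, 500.00, "99999999999")  # fake store, all nines
    print("forged: ", check_card(parse_card(forged), db, spent, stores))
    spent.add("12340000042")  # cash out, then present a clone of the same card
    print("clone:  ", check_card(parse_card(good), db, spent, stores))
```

The point of `check_card` is that nothing read off the card is trusted on its own: the database holds the reference balance, the issued-serial list, and the cashed-out list, so a rewritten value, a fabricated serial, or a clone of a cashed-out card is rejected even though the SLE4442 itself offers no integrity protection once the three-byte code is known.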
PS - See FK's denial, and the rebuttal to the denial
PPS - Video!
Portable Media : I was just watching Swordfish and the senator's assistant hands him a floppy disc and says "Sir, we have a problem" ... I'm sorry, but nothing important has ever been able to fit on a floppy disc, there's no way the senator is going to have his fly-fishing disturbed for 1.4 MB --thanks BASH! Life Lesson : In real life, and contrary to Hollywood's naïve view of a fair fight, victory is better than chivalry --thanks DL! ... other good lessons there as well! ... Oh, and my dad loves sharing Navy Stories too! Sources / Bloggie Linkfests: Basil, JC, OTB, TMG, SugarButtons