devon knows how they make them sooo stupid

Today’s “what’s irritated Mark” award goes to EMIS
https://patient.emisaccess.co.uk

Today I booked an appointment with my Doctor online (5th November 2012), to discover that I was being asked to provide 5 answers to very commonly used pre-selected questions for future password resets on the system.

The questions are presently:

  • What was your childhood phone number including area code?
  • In what city or town did your Mother and Father meet?  †
  • What was the name of your primary school?
  • What was your favourite place to visit as a child?  †
  • What was the name of the Manager at your first job?  †
  • What was the make of your first car?  †
  • What is your Mother’s home town?
  • What is the first single/album you ever bought?  †
  • In what city and country do you want to retire?  †
  • What is your maternal Grandmother’s maiden name?

Out of the 10 questions, only 6 (the ones marked † above) may be considered not derivable from the public domain or via social engineering, if you try hard enough. But if you are actually in the “FaceBook” social group of a target, some of those are derivable too.

I have a major problem with their approach:

  • If this data is breached it’s open season to password reset heaven – à la the Sony PlayStation Network fiasco
  • I cannot understand why the user is not given the choice to set their own questions, which they could then choose not to share with other systems
  • The password reset system was obviously NOT planned in from the beginning. Disaster normally strikes a system here: gate, shut, horse, bolted – bugger
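Storing reset answers the way the post criticises (one fixed question list, answers kept as typed) beside a hardened store where the user writes the question and the answer is salted, hashed and rate-limited, as an added example that is not code from EMIS or from the original post; the class names and the enrolled user are hypothetical and constructed for the demonstration.

```python
"""Reset-question storage: the pattern the post complains about vs. a hardened one.

Added example, not code from EMIS or from the original post. All class and
function names are hypothetical, and the enrolled user record is constructed
inline so the file runs offline.
"""
import hashlib
import hmac
import os
import unicodedata


class NaiveResetStore:
    """Fixed, shared question list; answers kept exactly as typed.

    This is the weak pattern: a dump of the table hands over every answer in
    the clear, and because the prompts are the same everywhere, the same
    answers unlock other sites too.
    """

    def __init__(self):
        self.answers = {}  # user -> {question: plaintext answer}

    def enrol(self, user, question, answer):
        self.answers.setdefault(user, {})[question] = answer

    def verify(self, user, question, answer):
        return self.answers.get(user, {}).get(question) == answer


def normalise(answer: str) -> str:
    """Fold case, whitespace and Unicode form so 'Ford  ESCORT' matches 'ford escort'."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


class HardenedResetStore:
    """User-chosen questions, answers hashed like passwords, guesses rate-limited."""

    MAX_FAILURES = 5   # lockout threshold per user (value chosen for the example)
    ROUNDS = 100_000   # PBKDF2 iterations; slows offline guessing of a dumped table

    def __init__(self):
        self.records = {}   # user -> list of (question, salt, digest)
        self.failures = {}  # user -> consecutive failed verifications

    def _digest(self, answer: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode("utf-8"), salt, self.ROUNDS)

    def enrol(self, user, question, answer):
        """The user supplies the question text as well as the answer."""
        salt = os.urandom(16)  # per-answer salt: identical answers get different digests
        self.records.setdefault(user, []).append((question, salt, self._digest(answer, salt)))

    def questions(self, user):
        """Prompts shown at reset time; the answers themselves are never retrievable."""
        return [q for q, _, _ in self.records.get(user, [])]

    def is_locked(self, user) -> bool:
        return self.failures.get(user, 0) >= self.MAX_FAILURES

    def verify(self, user, question, answer) -> bool:
        if self.is_locked(user):
            return False  # refuse further guesses rather than keep answering hit/miss
        for q, salt, digest in self.records.get(user, []):
            if q == question and hmac.compare_digest(self._digest(answer, salt), digest):
                self.failures[user] = 0
                return True
        self.failures[user] = self.failures.get(user, 0) + 1
        return False


def exposed_answers(store: NaiveResetStore):
    """What a breach of the naive table yields: every answer, reusable on other sites."""
    return sorted(a for per_user in store.answers.values() for a in per_user.values())


if __name__ == "__main__":
    naive = NaiveResetStore()
    naive.enrol("alice", "What was the make of your first car?", "Ford Escort")  # constructed
    print("breach of naive store exposes:", exposed_answers(naive))

    hardened = HardenedResetStore()
    hardened.enrol("alice", "Nickname of my first flatmate's dog?", "Ford Escort")  # constructed
    q = hardened.questions("alice")[0]
    print("normalised match:", hardened.verify("alice", q, "  ford   ESCORT "))
```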

As a BCS award winner (amongst awards from many other organisations), it sort of worries me:

http://www.emis-online.com/award-wins

  • The system received awards for the initial design, yet they’ve changed the front-end design three times in as many years, with no means of telling users in advance that this was happening
  • Changed the home page URL
  • Changed the login system (credentials), and again Jan/Feb 2013

In the words of John McEnroe – Award winners? “You cannot be serious?”

Solution

1.
What is needed is a system like CPD, but where web sites would join as entities, run by an “NGO security organisation” – I’d like this to be called CSD, Continuous Security Development.

2.
Hold on, in fact under an Act of Parliament, if your data is graded by the Data Commissioner as “mission critical” to someone’s “life”, the Data Protection Commission could actually be granted some powers.

If the Data Protection Registrar had a complaint from a member of the public, the DPR could be forced to grade the data held by the organisation being complained about. And the organisations graded would have to have their CSD record inspected, a bit like a gas safety ticket if you live in rented property in the UK. Safe for use…

3.
This then determines: access by the user; the holding duration of all record elements; the user’s ability to receive a report on who has seen which records, for what purpose and when; and whether these reports can be demanded free of charge once per year.

I distinctly remember being at a security and identity conference in 2009 and one of the speakers referencing a Scandinavian country where its citizens can opt to have a text or email whenever a clinician accesses their health records… (My ability to use Google to find the country has failed!)

Mark Cross
MBCS CITP

New Media and money hit hyper drive this week Feb 20th 2012

Well, it’s not often the Daily Mail gets a story half right….

P2P Real-time TV
http://www.dailymail.co.uk/sciencetech/article-2098759/Tribler-New-file-sharing-technology-IMMUNE-government-attacks.html
http://torrentfreak.com/p2p-next-introduces-live-bittorrent-streaming-080718/

Barclays launches pay by mobile – Pingit. Nothing radical, but with zero charges, and Pingit is to be available to non-Barclays customers in the future. Note well – no Windows Mobile support.

Did somebody say in the back, reduce the budget deficit in ten years? Wow nice one George! On the ‘ead, it’s diamond Geezer.
And – so if you provide this transaction-free banking for the proletariat scum, we won’t split commercial from retail banking…. Interestingly put there Mr Cross.
http://www.barclays.co.uk/pingit

Raspberry Pi meets the real world: an Android phone you can plug into your monitor and keyboard/mouse and use as a PC – using all your cloud data with a local copy in your phone. Due 2012. This leaves Microsoft and Apple eating dust. Linux could REALLY GO mainstream in 2013. My old Nokia N73 had the processing power of my first work PC of 1993.
http://www.theregister.co.uk/2012/02/21/ubuntu_for_android/

WhatsApp Messenger – disruptive technology ALERT. This KILLS Blackberry, as it removes its USP: it is killing text by IM. Will they need to IPO, and why?

Industry analysts at Ovum reckon mobile network operators lost more than $13bn in 2011 as SMS finally gets replaced – a staggering estimate backed by stats from Allot.

But what’s most interesting is that among the free messaging services, such as Facebook and Yahoo!, 18 per cent of ‘net messaging traffic is now being generated by WhatsApp – a paid application that seeks to replicate the text experience, standing in stark contrast to the ad-supported services that hope to make money from advertising aimed through behavioural analysis.

This is 18% on a 250 million user survey.

http://www.theregister.co.uk/2012/02/21/over_the_top_sms/

Atos boss Thierry Breton defends his internal email ban by 2014

Mark’s CRUCIAL 2012 Trends

  • Internet Messaging – cross-platform, like WhatsApp / Fring
  • Encrypted P2P Email for Dummies – Zot protocol -> Friendika <- Most important for anonymity
  • Real Time P2P TV – Tribler & live.bitorrent <- Second most important for anonymity
  • Linux goes mainstream – Ubuntu on Android
  • Pingit – available to any UK current account bank holder

GA-8SIMLNF Packard Bell Missing Multimedia Audio Controller SOLVED

There’s been a lot of talk about this renegade OEM Gigabyte mobo – maybe too much talk.
mobo: GA-8SIMLNF R2

Ordinarily the Audio_Realtek_5.10.0.5628_XPx86_A.zip driver crashes out with this dialogue box:

updatedriverforplugandplaydevices failed
-536870397

Solution.
Get hold of R111.zip from – I cannot remember where, through the madness of it all!
It is essentially the same stuff.

Google “sis drivers windows xp 7012”

Go to the XP directory
and edit the SIS7012.inf file.

At the end of the [SIS] section, add this line:
%SiS7012.DeviceDesc%=SiS7012, PCI\VEN_1039&DEV_7012&SUBSYS_200B1631

The hardware ID entry was missing, so the motherboard’s sound chip was not being matched to the driver.

Job sussed – DONE

Email PDF -> Gmail address -> queue -> “label” to “Print”


Gmail Attachment Downloader Script

sudo apt-get install git
git clone http://github.com/thekindofme/gmail_attachment_downloader
cd gmail_attachment_downloader/
sudo apt-get install ruby
sudo apt-get install rubygems1.8
sudo gem install tmail
sudo apt-get install vim
vi gmail_attachment_downloader.rb

And the script below is based on hacks from here and here.


#!/bin/bash
PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin
FILES=/home/wizard/printque/*.pdf

# Don't pass the full path to rename – the path itself may contain uppercase letters,
# and rename would lowercase those too! So cd into the queue and rename the bare names.
cd /home/wizard/printque || exit 1
rename 'y/A-Z/a-z/' *

# shopt -s nullglob
# Took the above out on my Ubuntu – I got an error saying it was missing YMMV

for f in $FILES
do
  # Without nullglob an empty queue leaves the literal pattern in $f – skip that case
  [ -e "$f" ] || continue
  echo "Processing $f file..."
  lpr "$f"
  rm "$f"
done

# Delete stray attachments which weren't PDF files, but got downloaded anyway
rm -f /home/wizard/printque/*

# Make shutdown executable by any user so cron can handle it (this sets the setuid bit on /sbin/shutdown)
sudo chmod u+s /sbin/shutdown

wizard@printer:~/gmail_attachment_downloader$ crontab -e

# Redirect stdout first, then stderr onto it, so both are discarded (2>&1 before > /dev/null leaves stderr on cron mail)
*/3 * * * * ruby ./gmail_attachment_downloader/gmail_attachment_downloader.rb > /dev/null 2>&1 # JOB_ID_1
01 19 * * * /sbin/shutdown -h now > /dev/null 2>&1 # JOB_ID_2

A review of Amazon Deviant, oh – I mean Amazon Kindle

Where have we arrived in the course of human history?
Amazon Kindle is probably the start of one of the most insidious technologies ever created by man.

What is Amazon Kindle?

  • It is a universally affordable $400 ebook reader
  • Which uses Philips E-ink display
  • Books or audio are delivered using EVDO, without a monthly contract

Its creation will allow man to acquire what most people understand to be God-like powers. Why? Because the network will:

  • Know who you are
  • Where you are (via the mobile network)
  • What you are reading, viewing and listening to, store and record it for you
  • Suggest what you might read, view and listen to

The future editions and competitor products will be:

  • Colour
  • Play and distribute real time video
  • Have touch screens
  • Provide digital wallets

What makes the subsequent product types more evil than Amazon Kindle?

  • They will become the new “mass media” delivery and recording devices on a global basis, providing a one-to-many medium to replace television
  • Each individual will have education individually tailored to their IQ and learning style, and everything they have ever learnt via this will be stored in their profile, along with every book they have ever read, every film, and their movements on the planet
  • Each human being will be monitored and profiled; in some way crimes will be predicted as portrayed in Minority Report, because AI will be run on people’s profiles to spot society’s deviants

Software and Community in the Early 21st Century – keynote by Eben Moglen at Plone 2006

http://slashdot.org/article.pl?sid=06/12/10/1553242 

“What does Firefox have to do with social justice? How will the one laptop per child project discourage genocide? How soon will Microsoft collapse? Watch Eben Moglen’s inspiring keynote from the 2006 Plone Conference (Archive.org: mp3 or qt; or YouTube). The video presentation is ordinary, so the mp3 is an equally good format. ‘If we know that what we are trying to accomplish is the spread of justice and social equality through the universalization of access to knowledge; If we know that what we are trying to do is build an economy of sharing which will rival the economies of ownership at every point where they directly compete; If we know that we are doing this as an alternative to coercive redistribution, that we have a third way in our hands for dealing with long and deep problems of human injustice; If we are conscious of what we have and know what we are trying to accomplish, when this is the moment for the first time in lifetimes, we can get it done.'”

IR: …”Second reaction is the link with Mk1. Marxism which identified the condition of people as a consequence of their relationship to the ‘Means of production’.”

ZDNet: Government to force handover of encryption keys

Businesses and individuals may soon have to release their encryption keys to the police or face imprisonment, when Part 3 of the RIP Act comes into effect
 
The UK Government is preparing to give the police the authority to force organisations and individuals to disclose encryption keys, a move which has outraged some security and civil rights experts.

The powers are contained within Part 3 of the Regulation of Investigatory Powers Act (RIPA). RIPA was introduced in 2000, but the government has held back from bringing Part 3 into effect. Now, more than five years after the original act was passed, the Home Office is seeking to exercise the powers within Part Three of RIPA.

Full article here.

Three men in a boat

OpenID & Microsoft Messenger v8 & a Telco

MX says 2006 = OpenID

Microsoft putting SIP support back into Messenger with the right telco transit agreements lined up to cope with the traffic against Google & Skype and FOAF goes massive – destination unknown!

openid.co.uk 🙂

And Microsoft go SIP in MSN Messenger – probably with Vodafone for transit breakouts.
Teleo

Linux screensaver for Windows

LiveCDs demonstrate that, yes, Linux can run under Windows

Chris Ward (tjcw@uk.ibm.com), Advisory Software Engineer, IBM

20 Dec 2005

Construct and package a Linux® LiveCD so that it will install using the standard Microsoft® Windows® install process and will operate as a standard Windows screensaver. Answering the most common concern about open source software, this article shows that, yes, Linux will run under Windows.
So why should you read this article? Why, indeed, should I write it? My motive is to help remove two obstacles to the wider adoption of free and open source software. Those obstacles are:

  • The perceived difficulty and disruptive effects of installing Linux
  • The uncertainty of hardware support for Linux

Most computer users are familiar with a Microsoft Windows environment and with the variety of screensavers available to prevent unauthorized access to the data on the computer when unattended.

There is sufficient free and open source software available nowadays to enable Linux to install and run as a Windows screensaver. This article shows you how to construct an appropriate CD or DVD, and in doing so, demonstrates that the “free” and “non-free” sides of the software Grand Canyon are not so far apart after all.

The examples in this article correspond to three current IBM objectives:

  • Concluding the OS/2 business
  • Reinventing education
  • Encouraging people to learn science

http://www-128.ibm.com/developerworks/linux/library/l-scrnsave/

The Microsoft Killer

WinFS – I reckon it’ll kill ’em or it will never get rolled out in corporates.
Microsoft will have imploded before it’s successfully rolled out in corporates or quietly abandoned.

Microsoft announces new virtualization-friendly licensing

New virtualization use rights for Windows Server™ 2003 R2 Enterprise Edition and Windows Server “Longhorn” Datacenter Edition enable cost-effective consolidation. Licenses for the upcoming Windows Server 2003 R2 Enterprise Edition will allow customers to run up to four virtual instances on one physical server at no additional cost. Licenses for the Datacenter Edition of the version of Windows Server, code-named “Longhorn,” will give customers the right to run an unlimited number of virtual instances on one physical server.

Licensing by running instance improves the value and flexibility of Windows Server System products. Customers will no longer license every inactive or stored instance of a Windows Server System product. Customers can now create and store unlimited numbers of instances, including those for backup and recovery, and pay only for the maximum number of running instances at any given time.

Portable licensing for the dynamic enterprise allows customers to easily deploy and run Windows Server System products on any physical server licensed for the software. Customers can move active instances from one licensed server box to another without limitation, as long as the physical server is licensed for the Windows Server System product.

Per-processor licensing better aligns with resources used. With Windows Server System products that are licensed per processor, such as Microsoft SQL Server™, BizTalk® Server, and Internet Security & Acceleration Server, customers will have greater flexibility to stack multiple instances on a machine by licensing for the number of virtual processors being used.
For more details check out:

http://www.microsoft.com/presspass/features/2005/oct05/10-10virtualizationlicensing.mspx
http://www.microsoft.com/presspass/press/2005/oct05/10-10VirtualizationStrategyPR.mspx

You should note that these changes only apply to our server software. Licensing for desktop software remains unchanged at the moment.

from Ben’s blog


Original URL: http://www.theregister.co.uk/2005/06/16/secfocus_prints/

Your fingerprints are everywhere
By Scott Granneman, SecurityFocus (scott at granneman.com)
Published Thursday 16th June 2005 09:37 GMT
Comment: How much do you trust your government? That’s a question that all of us have to ask, perhaps the more often the better. In 1787, Thomas Jefferson, one of the founders of the United States and its third President, wrote to Abigail Adams sentences that may seem incredible to many people today:

“The spirit of resistance to government is so valuable on certain occasions, that I wish it to be always kept alive. It will often be exercised when wrong, but better so than not to be exercised at all. I like a little rebellion now and then. It is like a storm in the atmosphere.”

One way to define a government is by whom it controls; in other words, governments serve to provide necessary services to their citizens, like roads and armies, but governments can also legally restrict your physical movements, your property, and your rights. That’s why someone can sue you in civil court for money, but losing a civil suit cannot lead to your imprisonment or the loss of your civil rights. If you have the misfortune of being tried in criminal court, however, the state is your opponent, not an individual, and losing that trial can result in the loss of your freedoms of movement, property ownership, and civil rights.

There are many actions taken in the name of security by governments – local, state, and national, and their agencies and representatives – that are rightfully troubling to those of us who think about security. An item was recently in the news (and believe me, it’s but one of gazillions and I could fill a book with examples like this) that left me shaking my head and wondering just how much the people who think they’re protecting us really understand about computer security.

The Naperville Public Library in Naperville, Illinois (the board of which is appointed by the Mayor and approved by the City Council) is now going to ask patrons to submit fingerprints in order to verify the identities of patrons wishing to use the Internet terminals. Currently, parents can ask the library to filter the Internet access of their kids; according to the library, “filtered” kids are swapping library cards with kids whose parents have not asked for filters, so the little shavers are able to use the network without restrictions.

(Other examples of governmental and non-governmental organizations asking for your fingerprints today: the Statue of Liberty, Disneyland, the US Border Patrol, plus even some tanning salons and gyms.) The Library claims that “[i]t is only the number, not the image of the fingerprint, that is stored in the system.” On the face of it, it would be foolish for the library to lie about this, and it’s true that many, if not most, fingerprint biometric systems work this way. But they don’t have to. Couple that with the Library’s rather disingenuous assurance that “… this information is borrower registration information and can only be revealed if required by court order.” Under the terms of the USA PATRIOT Act, however, the FBI and other government agencies can ask libraries to reveal information about patrons at any time, without a warrant, and the libraries cannot reveal this snooping to their patrons.

Putting aside the fact that it’s really easy to fool fingerprint biometric schemes, Naperville’s actions brings up some big questions: How much should you know about the public library? Do you know who runs the library? Do you trust them? Will the library really only keep a hashed number of your fingerprint and not your fingerprint itself? What is to prevent the FBI and other law enforcement organizations from getting that information by using the PATRIOT Act? What about when other governmental services, agencies, and organizations will soon start asking for fingerprints?

It gets worse. Future passports are going to use biometrics and may have RFID chips embedded in them (thus broadcasting Americans’ identities to anyone with a powerful enough RFID scanner). Do you use encryption software on your computer to keep it secure? A Minnesota appeals court has recently ruled that encryption software may be used as evidence of criminal intent (putting aside the fact that every computer out there has encryption software of some kind on it). It seems a regular occurrence that cops hassle photographers based on unconstitutional and, even worse, non-existent bans on photography in public places. A 57-year-old grandma and middle school principal forgets about the sandwich knife she put in her carry-on luggage; a TSA employee informs her upon finding it that she is now “considered a terrorist” and that “you don’t have any” constitutional rights.

And on and on.

This is approaching madness. Money is mis-spent, impossible promises are made, laws and decisions are rushed into being without thinking through the consequences, and freedoms and liberties are constricted, all in the name of security and safety. And the worst thing of all is that most people – John and Jane Q. Citizen – have no idea at all that their government agencies are wasting time, money, and valuable manpower in largely futile efforts. Citizens are told by their governments that they are safer, but in far too many ways they are really not.

What can people who know something about security do about this? It seems overwhelming and impossible; ignorance is a powerful force, especially when wielded by a government. Couple that with the natural tendency of too many people to believe those in authority – unthinkingly! – and we’ve got real trouble.

Let’s start small: talk to your family, your friends, your acquaintances. Educate the folks with whom you work. When something in the news provides you with what educators term a “teachable moment,” take advantage of that to help people understand the proper use, and more importantly, mis-use of technology for security.

Then move outward. We can write letters to the mass media. We can try to get interviewed by our local radio and TV stations. We can talk to everyone we know. We can contact our representatives, at all levels of government, and try to help them understand the difference between real security and a false, wasteful sense of false safety. I’m not saying it’s going to be easy. It’s not. Ignorance and fear have a way of constantly subverting knowledge and bravery. But that doesn’t mean we can’t rebel against them – and in this case, a little rebellion isn’t just a good idea. It’s a requirement.

What are you going to do to make sure that your government really protects you, your family, those you love and care about, and your nation?

Copyright © 2005, (http://www.securityfocus.com/)

Scott Granneman is a senior consultant for Bryan Consulting Inc. in St. Louis. He specializes in Internet Services and developing Web applications for corporate, educational, and institutional clients.

Is Rodi BitTorrent’s Replacement?

Rodi or Rodia (Ρόδι or Ροδιά) means pomegranate in Greek. The Rodi program is a tiny P2P client/host (under 300K of binary code) implemented in pure Java. Its network use is similar to the BitTorrent concept. The program will serve the filesharing community with fast data delivery and serve the Open Source community by facilitating faster software deployment.

/.

Other anonymous filesharing systems currently available/in development

MUTE [sourceforge.net]
ANTS p2p [sourceforge.net]
GNUNet [gnunet.org]
I2P [i2p.net]

Rodi in depth
p2pnet.net

Zen and the Art of bye bye Microsoft’s domination of computing

Intel
Vanderpool and Silverdale

AMD
Pacifica

Microsoft
Scared

The people
Choice

Xen – freeware VMware with higher performance
The Xen virtual machine monitor
XenSource was founded by the creators of the Open Source Xen hypervisor

Grid Computing
Xeno

Net remote install
XenoBoot

Now we just need universal SDSL or perhaps some wireless ISPs

Empires rise and fall:

Howard Hughes
John D Rockefeller

Currently:

Microsoft produces flaky desktop and server software
Google can cluster lots of cheap computers
Akamai has the most widely used on-demand distributed computing platform, with more than 14,000 servers in 1,100 networks in 65+ countries, providing streaming and caching for major companies.

In the future:

Users may choose to recreate the Internet for themselves with their own software at near zero cost, or fund it by donationware

Netcraft Releases Anti-Phishing Toolbar

Posted by michael on Thursday December 30, @10:40AM
from the safety-first dept.

AgainstHate writes “Netcraft has released an Anti-Phishing Toolbar that provides detailed information about the website you are visiting (sites’ hosting location, country, longevity and popularity) at all times to help users to validate fraudulent URLs. It also natively traps cross site scripting and other suspicious URLs. The toolbar also enables users to report phishing attacks to Netcraft, thus blocking any other unsuspecting users from being harmed (Netcraft supervisor validation is used to contain the impact of any false reporting). Currently the toolbar is only available for IE but a Firefox version is under development.”

Slashdot article
Netcraft Toolbar

The Definitive Guide to Plone

A company without a Web site is unthinkable — and most companies and organizations have more than one site. Whether it’s an external site for communicating with clients, an intranet for employees to use, or a site for direct client communication and feedback, all Web sites have a common problem — how to manage the content on them. This is a challenge that can often cost organizations large amounts of time and effort. Producing a powerful yet flexible system for these sites that meets ever-changing requirements while growing to meet your company’s emerging needs isn’t easy.

The Definitive Guide to Plone by Andy McKay

SuprNova dead – long live SuprNova

http://www.theregister.co.uk/2004/12/19/suprnova_stops_torrents/

but

http://www.slyck.com/news.php?story=616

The BitTorrent tracker, similar to a central server, has been the great weakness of any P2P network. Although BitTorrent trackers do not operate identically to indexing servers, they still act like traffic cops – directing traffic to their intended destination. SuprNova.org, while not a tracker per se, still operates as an impromptu tracker as it points traffic to the actual tracker. Regardless, the bandwidth consumption remains enormous. This equates to prolonged searches, lengthy load times and other typical slow-downs associated with the World Wide Web.

RSSCalendar

RSSCalendar is an exciting new way for individuals and organizations to share their calendars with family, friends, and co-workers – utilizing the latest in “Really Simple Syndication” (RSS) technology, including RSS channel creation and aggregation. Not only is RSSCalendar easy to use but it is also easy to administer, and setup is a snap. RSSCalendar is well-suited for a variety of uses.

http://www.rsscalendar.com/

Well spotted Simon.

another fine mess…

IT: New Spoofing Vulnerability in IE

Posted by CowboyNeal on Thursday December 16, @07:57PM
from the url-b-gone dept. (slashdot.org)

Jimmy M. writes “A new vulnerability has been announced in Internet Explorer, also affecting XP SP2, which can very easily be exploited by a malicious web site to completely spoof the address bar. The vulnerability is very similar to another vulnerability disclosed just about a year ago called the ‘%00’ vulnerability, which also was widely exploited by phishers. A demonstration is also available.”

http://secunia.com/

Web Tools Freeware

In our Webmaster Stuff section you will find free online tools and webmaster articles and tips. Also, we have freeware for webmasters and a recently added section which gives details and examples of the free content, such as games, cartoons and articles, which you can add to your web site.

http://janim.net/

A CD based on Cygwin for X Windows forwarding via ssh

XLiveCD allows users of Microsoft Windows to connect to remote Unix computers, run graphical applications and have the graphics displayed on their desktops. The software runs from the CD without being installed. XLiveCD was prepared by University Technology Services to facilitate use of research Unix systems at Indiana University by Windows users on campus.

http://xlivecd.indiana.edu/