news
Doomsday Shelters
Selling fear:
The Vivos network, which offers partial ownerships similar to a timeshare in underground shelter communities, is one of several ventures touting escape from a surface-level calamity.Radius Engineering in Terrell, Texas, has built underground shelters for more than three decades, and business has never been better, says Walton McCarthy, company president.
The company sells fiberglass shelters that can accommodate 10 to 2,000 adults to live underground for one to five years with power, food, water and filtered air, McCarthy says.
The shelters range from $400,000 to a $41 million facility Radius built and installed underground that is suitable for 750 people, McCarthy says. He declined to disclose the client or location of the shelter.
"We've doubled sales every year for five years," he says.Other shelter manufacturers include Hardened Structures of Colorado and Utah Shelter Systems, which also report increased sales.
[...]
The Vivos website features a clock counting down to Dec. 21, 2012, the date when the ancient Mayan "Long Count" calendar marks the end of a 5,126-year era, at which time some people expect an unknown apocalypse.
Vicino, whose terravivos.com website lists 11 global catastrophes ranging from nuclear war to solar flares to comets, bristles at the notion he's profiting from people's fears.
"You don't think of the person who sells you a fire extinguisher as taking advantage of your fear," he says. "The fact that you may never use that fire extinguisher doesn't make it a waste or bad.
"We're not creating the fear; the fear is already out there. We're creating a solution.
Yip Harburg commented on the subject about half a century ago, and the Chad Mitchell Trio recited it. It's at about 0:40 on the recording, though the rest is worth listening to as well.
Hammacher Schlemmer is selling a shelter,worthy of Kubla Khan's Xanadu dome;
Plushy and swanky, with posh hanky panky
that affluent Yankees can really call home.
Hammacher Schlemmer is selling a shelter,
a push-button palace, fluorescent repose;
Electric devices for facing a crisis
with frozen fruit ices and cinema shows.
Hammacher Schlemmer is selling a shelter
all chromium kitchens and rubber-tiled dorms;
With waterproof portals to echo the chortles
of weatherproof mortals in hydrogen storms.
What a great come-to-glory emporium!
To enjoy a deluxe moratorium,
Where nuclear heat can beguile the elite
in a creme-de-la-creme crematorium.
Hacking ATMs
Hacking ATMs to spit out money, demonstrated at the Black Hat conference:
The two systems he hacked on stage were made by Triton and Tranax. The Tranax hack was conducted using an authentication bypass vulnerability that Jack found in the system's remote monitoring feature, which can be accessed over the Internet or dial-up, depending on how the owner configured the machine.Tranax's remote monitoring system is turned on by default, but Jack said the company has since begun advising customers to protect themselves from the attack by disabling the remote system.
To conduct the remote hack, an attacker would need to know an ATM's Internet IP address or phone number. Jack said he believes about 95 percent of retail ATMs are on dial-up; a hacker could war dial for ATMs connected to telephone modems, and identify them by the cash machine's proprietary protocol.
The Triton attack was made possible by a security flaw that allowed unauthorized programs to execute on the system. The company distributed a patch last November so that only digitally signed code can run on them.
Both the Triton and Tranax ATMs run on Windows CE.
Using a remote attack tool, dubbed Dillinger, Jack was able to exploit the authentication bypass vulnerability in Tranax's remote monitoring feature and upload software or overwrite the entire firmware on the system. With that capability, he installed a malicious program he wrote, called Scrooge.
EDITED TO ADD (7/30): Another two articles.
Security Vulnerabilities of Smart Electricity Meters
"Who controls the off switch?" by Ross Anderson and Shailendra Fuloria.
Abstract: We're about to acquire a significant new cybervulnerability. The world's energy utilities are starting to install hundreds of millions of 'smart meters' which contain a remote off switch. Its main purpose is to ensure that customers who default on their payments can be switched remotely to a prepay tariff; secondary purposes include supporting interruptible tariffs and implementing rolling power cuts at times of supply shortage.The off switch creates information security problems of a kind, and on a scale, that the energy companies have not had to face before. From the viewpoint of a cyber attacker -- whether a hostile government agency, a terrorist organisation or even a militant environmental group -- the ideal attack on a target country is to interrupt its citizens' electricity supply. This is the cyber equivalent of a nuclear strike; when electricity stops, then pretty soon everything else does too. Until now, the only plausible ways to do that involved attacks on critical generation, transmission and distribution assets, which are increasingly well defended.
Smart meters change the game. The combination of commands that will cause meters to interrupt the supply, of applets and software upgrades that run in the meters, and of cryptographic keys that are used to authenticate these commands and software changes, create a new strategic vulnerability, which we discuss in this paper.
The two have another paper on the economics of smart meters. Blog post here.
GNOME 3.0 Delayed Until March 2011
Read more of this story at Slashdot.
DNSSEC Root Key Split Among Seven People
The DNSSEC root key has been divided among seven people:
Part of ICANN's security scheme is the Domain Name System Security, a security protocol that ensures Web sites are registered and "signed" (this is the security measure built into the Web that ensures when you go to a URL you arrive at a real site and not an identical pirate site). Most major servers are a part of DNSSEC, as it's known, and during a major international attack, the system might sever connections between important servers to contain the damage.A minimum of five of the seven keyholders -- one each from Britain, the U.S., Burkina Faso, Trinidad and Tobago, Canada, China, and the Czech Republic -- would have to converge at a U.S. base with their keys to restart the system and connect everything once again.
That's a secret sharing scheme they're using, most likely Shamir's Secret Sharing.
We know the names of some of them.
Dan Kaminsky is another.
I don't know how they picked those countries.
Free Software, a Matter of Life and Death
Read more of this story at Slashdot.
Pork-Filled Counter-Islamic Bomb Device
Okay, this is just weird:
Mark S. Price, a specialist in public security, and his privately held company, Paradise Lost Antiterrorism Network of America (www.plan-a.us), have recently applied to the United States Patent and Trademark Office for a Utility Patent on their Suicide Bomb Deterrent, a security device designed, manufactured and distributed by PLAN-A. This device has been designed to warn and deter potential fanatical religious suicide bomb-wielding terrorists from otherwise detonating an explosive charge within close proximity of said device, to the intended end of successfully accomplishing its namesake purpose of Suicide Bomb Deterrent and the protecting and preserving of all life and property otherwise in mortal and destructive danger.Reading the partial patent application on their minimal website, it appears to be a packet of pork product, combined with a big sign saying something like: "Warning. If you blow up a bomb right here, you'll get pork stuff all over you before you die -- which might be suboptimal from a religious point of view."
This appears to not be a joke.
WPA Cracking in the Cloud
It's a service:
The mechanism used involves captured network traffic, which is uploaded to the WPA Cracker service and subjected to an intensive brute force cracking effort. As advertised on the site, what would be a five-day task on a dual-core PC is reduced to a job of about twenty minutes on average. For the more “premium” price of $35, you can get the job done in about half the time. Because it is a dictionary attack using a predefined 135-million-word list, there is no guarantee that you will crack the WPA key, but such an extensive dictionary attack should be sufficient for any but the most specialized penetration testing purposes.[...]
It gets even better. If you try the standard 135-million-word dictionary and do not crack the WPA encryption on your target network, there is an extended dictionary that contains an additional 284 million words. In short, serious brute force wireless network encryption cracking has become a retail commodity.
FAQ here.
In related news, there might be a man-in-the-middle attack possible against the WPA2 protocol. Man-in-the-middle attacks are potentially serious, but it depends on the details -- and they're not available yet.
Technology is Making Life Harder for Spies
An article from The Economist makes a point that I have been thinking about for a while: the modern technology makes life harder for spies, not easier. It used to be the technology favored spycraft -- think James Bond gadgets -- but more and more, technology favors spycatchers. The ubiquitous collection of personal data makes it harder to maintain a false identity, ubiquitous eavesdropping makes it harder to communicate securely, the prevalence of cameras makes it harder to not be seen, and so on.
I think this an example of the general tendency of modern information and communications technology to increase power in proportion to existing power. So while technology makes the lone spy more effective, it makes an institutional counterspy organization much more powerful.
Building a $200 Linux PC
Read more of this story at Slashdot.
Dell Drops Ubuntu PCs From Its Website
Read more of this story at Slashdot.
What To Do With an Old G5 Tower?
Read more of this story at Slashdot.
Friday Squid Blogging: Squidbillies
Where do these TV shows come from?
Follows the adventures of the Cuylers, an impoverished and dysfunctional family of anthropomorphic, air-breathing, redneck squids who live in a rural Appalachian community in the US state of Georgia.Open Source Participation Gains Support In China
Read more of this story at Slashdot.
<i>The Washington Post</i> on the U.S. Intelligence Industry
The Washington Post has published a phenomenal piece of investigative journalism: a long, detailed, and very interesting expose on the U.S. intelligence industry (overall website; parts 1, 2, and 3; blog; Washington reactions; top 10 revelations; many many many blog comments and reactions; and so on).
It's a truly excellent piece of investigative journalism. Pity people don't care much about investigative journalism -- or facts in politics, really -- anymore.
EDITED TO ADD (7/25): More commentary.
EDITED TO ADD (7/26): Jay Rosen writes:
Last week, it was the Washington Post's big series, Top Secret America, two years in the making. It reported on the massive security shadowland that has arisen since 09/11. The Post basically showed that there is no accountability, no knowledge at the center of what the system as a whole is doing, and too much "product" to make intelligent use of. We're wasting billions upon billions of dollars on an intelligence system that does not work. It's an explosive finding but the explosive reactions haven't followed, not because the series didn't do its job, but rather: the job of fixing what is broken would break the system responsible for such fixes.The mental model on which most investigative journalism is based states that explosive revelations lead to public outcry; elites get the message and reform the system. But what if elites believe that reform is impossible because the problems are too big, the sacrifices too great, the public too distractible? What if cognitive dissonance has been insufficiently accounted for in our theories of how great journalism works...and often fails to work?
EDITED TO ADD (7/27): More.
India's $35 Tablet Computer
Read more of this story at Slashdot.
Internet Worm Targets SCADA
Stuxnet is a new Internet worm that specifically targets Siemens WinCC SCADA systems: used to control production at industrial plants such as oil rigs, refineries, electronics production, and so on. The worm seems to uploads plant info (schematics and production information) to an external website. Moreover, owners of these SCADA systems cannot change the default password because it would cause the software to break down.
The Scalability of Linus
Read more of this story at Slashdot.