Archive for the 'Security' Category

The Double-Edged Sword

This Is How Easy It is For Thieves To Steal Everything In Your Wallet

Providence’s NBC 10 took an identity theft expert to the streets to show consumers how easy it is. He slipped an RFID card scanner (you can find them on eBay for as little as 50 bucks) into an iPad case and went to town.
The worst part is there’s virtually no way to protect yourself from scanners other than investing in a special wallet or credit card sleeves that block them. They can read straight through handbags and coat pockets.

Merchants probably love them because they speed up processing. However, the banks issuing the credit cards are still on the hook for fraud, so I have to wonder how much of a problem this really is in practice. As the report mentions, your name and the security code are not encoded.

Attention, Private Casper!

FUSAG: The Ghost Army of World War II

The Allied intelligence services created two fake armies to keep the Germans on their toes. One would be based in Scotland for a supposed invasion of Norway and the other headquartered in southeast England to threaten the Pas-de-Calais. The northern operation relied mainly on fake radio traffic and the feeding of false information to double agents to create the impression of a substantial army. Fortitude South, though, was well within the range of prying German ears and eyes, so fake chatter alone would be uncovered too quickly. The Allies would have to make it look and sound like a substantial army was building up in southeast England. They needed boots on the ground there, without actually using too much of their precious manpower.
When intelligence officers learned that the First U.S. Army Group (FUSAG) was to be redesignated the 12th Army Group, they knew they had their Pas-de-Calais invaders. The FUSAG was kept alive on paper, and the phantom army was given a few real soldiers and placed under the command of one of the era’s great military leaders.

It's Hammer Time, but I Can't Touch This

Enigma machine to go under the hammer

A version of the three rotor Enigma machine — used by the German military to encrypt messages, the code of which was subsequently cracked by a team at the legendary Bletchley Park complex — will be auctioned at Christie’s on September 29.

The last one sold for more than $100k, which is just a bit outside of my price range.

Having the Hot Hand is a Bad Thing

Researchers show ATM theft by thermal imaging

The research team from the University of California, San Diego, found that their cameras picked up a PIN entered on a keypad more than 80 percent of the time if used immediately. If used a minute later, it picked up the digits about half the time. After 90 seconds, the chance of extracting the digits dropped to about 20 percent. They tested the frequency using custom software that they wrote to automate their analysis.

Not sure how big of a threat this would be for someone who walks up to a machine. I haven’t had to use an ATM in a while, but in the transactions I’ve done it seems that there is a reasonable (from a security standpoint) delay between PIN entry and finishing your transaction. I expect the threat would be from a camera mounted along with a skimmer.

James Bond Never Needed This

But I could totally see Mission:Impossible doing it. Spy vs. Spy: Casinos Can’t See The Cameras Hidden Up Gamblers’ Sleeves

In January, at the newly opened $4-billion Cosmopolitan casino in Las Vegas, a gang called the Cutters cheated at baccarat. Before play began, the dealer offered one member of the group a stack of eight decks of cards for a pre-game cut. The player probably rubbed the stack for good luck, at the same instant riffling some of the corners of the cards underneath with his index finger. A small camera, hidden under his forearm, recorded the order.
After a few hands, the cutter left the floor and entered a bathroom stall, where he most likely passed the camera to a confederate in an adjoining stall. The runner carried the camera to a gaming analyst in a nearby hotel room, where the analyst transferred the video to a computer, watching it in slow motion to determine the order of the cards. Not quite half an hour had passed since the cut. Baccarat play averages less than six cards a minute, so there were still at least 160 cards left to play through. Back at the table, other members of the gang were delaying the action, glancing at their cellphones and waiting for the analyst to send them the card order.

Fluffy is Still Puffy

xkcd: Password Strength

Basically the same as what I had linked to a while back, but in cartoon form.
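The comic the post links to makes its point with entropy accounting: several random common words beat a short dictionary word mangled with substitutions. As an added example that is not from the original post or from xkcd, the Python below carries that accounting through for both styles and converts bits to an expected guessing time. The wordlist size, the per-choice bit counts in the recipe, and the guess rate are assumptions chosen to mirror the comic's bookkeeping, not values taken from the page.

```python
import math


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Bits of entropy in word_count words drawn uniformly at random from a wordlist."""
    return word_count * math.log2(wordlist_size)


def random_string_entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in `length` symbols each drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def pattern_entropy_bits(components: dict) -> float:
    """Entropy of a password built from a known recipe: the bits of each choice add up.

    This assumes the attacker knows the recipe and only has to guess each choice.
    """
    return float(sum(components.values()))


def expected_seconds_to_guess(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a secret of the given entropy: half the keyspace on average."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


# Constructed accounting for a "word + substitutions + digit + symbol" password.
# The per-choice bit counts are assumptions, not measured values.
SUBSTITUTED_WORD = {
    "uncommon base word (~65k candidates)": 16,
    "capitalisation of the first letter": 1,
    "common letter/digit substitutions": 3,
    "trailing digit (0-9)": 3,
    "trailing punctuation": 4,
    "digit/punctuation order": 1,
}


def compare(guesses_per_second: float = 1000.0) -> dict:
    """Return entropy and expected guessing time for both password styles at one guess rate."""
    substituted = pattern_entropy_bits(SUBSTITUTED_WORD)
    # Assumed 2048-word list: 11 bits per word, four words chosen at random.
    passphrase = passphrase_entropy_bits(4, 2048)
    return {
        "substituted_word_bits": substituted,
        "passphrase_bits": passphrase,
        "substituted_word_seconds": expected_seconds_to_guess(substituted, guesses_per_second),
        "passphrase_seconds": expected_seconds_to_guess(passphrase, guesses_per_second),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value:,.1f}")
```

The guess rate of 1000/s stands in for an online attack against a throttled login; against an offline hash the rate is orders of magnitude higher, but the ratio between the two styles, roughly 2^16, does not change with the rate.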

"Hi, I'm Randall, and I'm a MAN."

If you have yet to run across posts on elevatorgate/rebeccapocalypse (over 9,000 Google hits on the former term) then you probably don’t read many science/skeptic blogs. If you have and are sick of it, don’t worry, because I’m not going to add my quanta of coinage. I have come to loathe participating in internet discussions of this ilk — despite the community supposedly being held among the science/skeptic minded, they have a tendency to stray from rationality and civility far too quickly and too much in magnitude for my taste. In many cases, if you don’t present the right answer™ as determined by the owner of the dais, you are quickly dogpiled into oblivion, and that can extend to any kind of criticism. Point out someone has misquoted Evil Protagonist (or note that EP was actually correct in some statement) and all of the sudden you are a staunch supporter of Evil Protagonist in the eyes of some (many?) participants.

However, in case you want more of the same or are otherwise interested in a somewhat related topic, here is a post by xkcd’s Randall Munroe on Google+’s insistence on publicly disclosing your gender, which does not seem to have descended into the usual quagmire, though it does include the predictable “it doesn’t bother me so it shouldn’t bother anybody” responses.

The bottom line is that there are a lot of reasons Google+ would want to ask about your gender. But there’s no good reason to pointedly make it the only thing in your profile that can’t be private—and many reasons not to, starting with basic courtesy. It may be a small issue in the grand scheme of things, but I think it’s worth getting right.

That Little Bubble Holds Some Trouble

New Research Result: Bubble Forms Not So Anonymous

How you fill in the bubble has a personal touch.

If bubble marking patterns were completely random, a classifier could do no better than randomly guessing a test set’s creator, with an expected accuracy of 1/92 ≈ 1%. Our classifier achieves over 51% accuracy. The classifier is rarely far off: the correct answer falls in the classifier’s top three guesses 75% of the time (vs. 3% for random guessing) and its top ten guesses more than 92% of the time (vs. 11% for random guessing).

A Colossal Undertaking

Tunny code-breaker rebuilt at Bletchley Park

The entire machine was rebuilt using spares from BT telephone exchanges that were remodelled in the 1980s. All of the engineers that worked on the rebuild were ex-BT employees and had contacts at other museums, and so could lay their hands on the components, Whetter added.

More info on Colossus/Tunny

Hotels are Going All Hitchhiker

They want to know where their towel is. All of their towels.

RFID Tags Protecting Hotel Towels

A more recent system, still not widespread, is to embed washable RFID chips into the towels and track them that way. The one data point I have for this is an anonymous Hawaii hotel that claims they’ve reduced towel theft from 4,000 a month to 750, saving $16,000 in replacement costs monthly.

Don’t steal any more Beverly Palm Hotel robes, Axel Foley.
