Darwin's Theories - Security category

Web Site Fail du jour

Tue, 24 Jul 2012 15:32:00 GMT

So Vizio has this real nice Google TV set-top box called the Co-Star, that they are now taking pre-orders for. But the web site is a total fail from the human factors point of view. It has fields for allowing you to enter different shipping and billing addresses, but when you do, it tells you they have to be the same! This was confirmed by their support person as having been reported to those responsible.

Not only that, the Billing Address has to be in the good ole' USA. The list of countries that they know about, in fact only includes the United States. "There are no other countries on the planet. Wahoo! We won! Oh, wait, that means we can't sell to most of the world's population. Boohoo!"

Given the variety of Amurrican dot-coms that can't figure out how to ship to Canada, I have of course invested the time in setting up an account with a re-shipping company appropriately enough called reship.com. So entering a US shipping address is no problem. But the billing address has to be the same for this fool web site, but I have to list my home address in Canada for the bank to believe that it's me placing the order. And that I cannot do. Site fail.

And not only that, but when we tried to buy using their combined "buy and sign up" form, we got this classic cheesy SQL fail about a foriegn constraint violation. Nice message: it gave out the names of both affected tables and some of the columns. Sorry script kiddies but I'm not reproducing that here, you'll have to offer a valid credit card to see it in action.

Oh, and one more thing? The logout page gave a 500 server error trying to display the "log out success" page. This one we can probably blame on first-day sales load. The others are site fail.

Security Theatre, Part n

Thu, 31 Dec 2009 20:35:00 GMT

According to a BBC report on the latest security theatre, airline customers are now to be subject to the following indignities for in-flight entertainment:

Customers to remain seated during final hour of flight;
No access to hand luggage and a ban on leaving possessions or blankets on laps during this hour.

Now I don't know about you, but I don't find this very comforting. The thought of being forced to sit still is inculcated in obedient citizens from kindergarten (a German word meaning roughly "vegetable garden to grow kids"). But at a certain point things like bladder pressure will win out. And what happens if you're in mid-whiz at the one-hour mark? Do you get shot by the air marshall while trying to return to your seat? (Watch the news for this one, folks). The entire process is utterly ridiculous. If the bomber had tried to light his fuse at the 45 minute mark into the flight, who can doubt that they'd ban visiting the toilet between 37 and 52 minutes after takeoff?

Remember the shoe bomber and how airport security made everybody take their shoes off before flight? Didn't stop the next religious fanatic with a fuse to light, did it?

The notion of an allegedly civilized nation dancing its "security" policies in the wind every time there's a real or perceived threat, to so vastly inconvenience its population while at the same time making no difference to the actual terrorists, is so laughable it's earned the term "security theater" - putting on a big show, but doing nothing for actual security.

It's not just me saying so. See Bruce Schnier's many writings on this topic, and his essay The Psychology of Security. Bruce is a well-known cryptology and security researcher; he knows whereof he speaks. TSA, not so much.

Protecting Your Castle

Sun, 21 Dec 2008 16:35:00 GMT

SANS.org has a nice white paper showing how to protect your home network using OpenBSD and other free software. According to the abstract:

"It is possible to clean up the back yard with Free Open Source Software and a little design. Using off the shelf components and Open Source software the family geek can deploy a more multilayered security stance that will provide far more visibility and control over the network. This is not to say that large swaths of the Internet can be cleaned up just by plugging in a box, but to say that if anything should be a safe haven on the internet, it should be the family network, the backyard. It makes sense to clean up the backyard before taking on the world’s trash."

Presumably the same techniques would apply to the average small business. Check it out at http://www.sans.org/reading_room/whitepapers/firewalls/32933.php [PDF].

P.S. According to Bartleby, the quotation in my subtitle, while commonly attributed to William Pitt, comes to us in its present wording from a précis done by Lord Henry Peter Brougham some sixty years later.

It's true what they say about airport security

Sat, 18 Oct 2008 20:41:00 GMT

"Airport security in America is a sham—“security theater” designed to make travelers feel better and catch stupid terrorists. Smart ones can get through security with fake boarding passes and all manner of prohibited items—as our correspondent did with ease..."

There's nothing I can add to this. While you're there, check the other security-related articles on the site.

Ian's Top Ten Today, #2

Fri, 18 Jul 2008 02:34:00 GMT

Here's a few more tidbits. As I said last time, "This is not a monthly or even a regular listing; I'll repeat this when I have another ten.".

The Demise of Conscience, Part 1
The Man Who Would Murder Death
Free (legal) MP3 music downloads
Tyranny begins with ~~lawmakers~~ lawbreakers
Aug. 8, 1974 vs. July 9, 2008
Strangebedfellows! | BREAK THE MATRIX
And three on 9/11 Conspiracies: "Third Tower Mystery Solved" (a better view shows the facts)
Simulation shows building damage by jet
How 9/11 Conspiracy Theorists were defeated