LEGO Announces NXT Beta Testers… Officially

Yesterday LEGO announced that they had picked their 100 beta testers. They represent a broad cross section of blah, blah, blah. I’m not sure if I should be annoyed that I didn’t get picked or feel sorry for our buddy Jason Striegel who seems to be the only person that was officially denied. Oh well, time to go spend this extra $150 on Mega Bloks.

[via the excellent Nextbrick]


Fedex Kinko’s Smart Cards Hacked


Researchers at Secure Science Corporation have managed to break the ExpressPay stored-value card system used at FedEx Kinko’s stores, which is provided by enTrac. Writes to the cards are gated only by a 3-byte security code, and that code is the same across all cards. Sniff it once with a logic analyzer and you can write whatever data you want to any card, since the contents are stored unencrypted. FedEx Kinko’s stated that the article is inaccurate, so Lance James and Strom Carlson made a video of themselves doing the hack in the store: they put $1.00 on a card at the kiosk and then use it to log into a computer and show the balance of $1.00. They log out and use a separate laptop and card reader/writer to change the balance to $50.00 and modify the serial number. Next they use the card to log back into a computer and show the balance of $50.00. They let one minute pass so that $0.20 is charged to the card. Finally they log out and use the self-service kiosk to print out a receipt showing their balance of $49.80 with the fake serial number. At this point the attacker can take the card to the service counter and ask for the balance in cash.

[thanks Sith from Midnight Research Labs]

[fix: I had originally stated they bought a new card at the kiosk]

[photo: caribb]
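To make the weakness concrete, here is an added example (not Secure Science’s tooling, and not the real enTrac card layout, which we don’t have). The byte layout, the 3-byte code value and the terminal key are all constructed. It models a card whose only write protection is a code compare against a value shared by every card, shows that a terminal trusting the card’s own fields cannot tell a rewritten $50.00 from a real one, and contrasts it with a terminal that keeps a key off the card and checks a keyed MAC over the serial and balance before believing either.

```python
"""Constructed model of a stored-value card protected only by a shared write code.

Added example, not Secure Science's code or the enTrac/ExpressPay format.
The layout, the code value and the terminal key are all made up for the demo.
"""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Constructed placeholder for the 3-byte write-protect code. As in the attack
# described above it is identical on every card, so sniffing it once with a
# logic analyzer unlocks writes to all of them.
SHARED_WRITE_CODE = b"\xa5\x5a\x0f"

# Constructed terminal-side key: lives in the kiosk/terminal, never on the card.
TERMINAL_KEY = b"constructed-terminal-key-for-demo-only"

SERIAL_OFF, BAL_OFF, TAG_OFF, TAG_LEN = 0, 4, 8, 8


class Card:
    """Memory: serial (4 bytes BE) | balance in cents (4 bytes BE) | tag (8 bytes)."""

    def __init__(self, serial: int, balance_cents: int, tag: bytes = b"\x00" * TAG_LEN):
        self.mem = bytearray(struct.pack(">II", serial, balance_cents) + tag)

    def write(self, code: bytes, offset: int, data: bytes) -> bool:
        """The only 'protection': a code compare. No key, no per-card secret, no ciphertext."""
        if not hmac.compare_digest(code, SHARED_WRITE_CODE):
            return False
        self.mem[offset:offset + len(data)] = data
        return True

    def serial(self) -> int:
        return struct.unpack_from(">I", self.mem, SERIAL_OFF)[0]

    def balance(self) -> int:
        return struct.unpack_from(">I", self.mem, BAL_OFF)[0]

    def tag(self) -> bytes:
        return bytes(self.mem[TAG_OFF:TAG_OFF + TAG_LEN])


def card_tag(serial: int, balance_cents: int) -> bytes:
    """Keyed MAC over the fields the terminal relies on, truncated to fit the card."""
    msg = struct.pack(">II", serial, balance_cents)
    return hmac.new(TERMINAL_KEY, msg, hashlib.sha256).digest()[:TAG_LEN]


def issue_plain(serial: int, balance_cents: int) -> Card:
    """Kiosk that stores the balance in the clear, as the article describes."""
    return Card(serial, balance_cents)


def issue_mac(serial: int, balance_cents: int) -> Card:
    """Kiosk that additionally writes a keyed tag over (serial, balance)."""
    return Card(serial, balance_cents, card_tag(serial, balance_cents))


def terminal_read_plain(card: Card) -> int:
    """Terminal that believes whatever the card says."""
    return card.balance()


def terminal_read_mac(card: Card) -> Optional[int]:
    """Terminal that recomputes the tag; a rewritten balance or serial fails the check."""
    expected = card_tag(card.serial(), card.balance())
    if not hmac.compare_digest(expected, card.tag()):
        return None
    return card.balance()


def forge(card: Card, sniffed_code: bytes, new_serial: int, new_balance_cents: int) -> bool:
    """Attacker with a reader/writer and the sniffed code rewrites serial and balance."""
    ok = card.write(sniffed_code, SERIAL_OFF, struct.pack(">I", new_serial))
    return ok and card.write(sniffed_code, BAL_OFF, struct.pack(">I", new_balance_cents))


def demo() -> Tuple[int, Optional[int]]:
    """(what the trusting terminal sees, what the MAC-checking terminal sees) after forgery."""
    plain = issue_plain(serial=1001, balance_cents=100)        # $1.00 loaded legitimately
    forge(plain, SHARED_WRITE_CODE, new_serial=424242, new_balance_cents=5000)
    seen_plain = terminal_read_plain(plain)                    # 5000: forgery accepted

    tagged = issue_mac(serial=1001, balance_cents=100)
    forge(tagged, SHARED_WRITE_CODE, new_serial=424242, new_balance_cents=5000)
    seen_mac = terminal_read_mac(tagged)                       # None: tag no longer matches
    return seen_plain, seen_mac


if __name__ == "__main__":
    print(demo())
```

The MAC closes the hole shown in the video (balance and serial edited with a cheap reader/writer), but it is not a complete fix: it does nothing against rolling a card back to an earlier valid image, and it is only as secret as the terminal key. A stored-value system that wants to survive card-side tampering keeps the balance in a server-side ledger keyed by serial and treats the card as a token, or at least uses per-card keys so that one sniffed secret does not unlock every card in the fleet.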

Hack Media: Security Podcasts

Here are some security podcasts from the last week. Feel free to suggest additional ones. There is never a shortage of podcasts on the internet, about the internet.

Security Catalyst 19 The Secrets of Risk Management (With Ron Woerner) 25:33 SC was suggested last week by sometimes co-host [matt yoder]. It’s a nice interview with Woerner about his experience implementing a risk management program at a large company. I was happy to hear about several upcoming security conventions in Omaha (i.e. ones I don’t have to fly to). Michael Santarcangelo does a great job hosting too.

Security Now! #28 Listener Feedback Q&A #4 40:24 [sentinel] corrected me last week; the ARP spoofing show is next week. This episode does maintain some interest because it is structured by listener questions. Leo mentions that he might make his OPML file public since he tracks about 50 sites. I was thinking about doing this. I’ve currently got about 160 sites in Bloglines (I trim the fat from time to time). It’s certainly no comparison to the 500+ monster that the Engadget writers maintain.

PaulDotCom Security Weekly – Episode 16 51:18 was suggested by co-host [Larry Pesce]. This is a pretty fun group podcast. They mentioned a favorite quote by Geer at ShmooCon, “We need security because at any moment the bad guys are only 150ms away; just ping China”. They also pointed out that there is a GPL version of the Spinning Cube of Potential Doom.

CyberSpeak Feb 25 72:08 Lots of interesting stuff coming from the feds. It starts with Mike Younger discussing some of the problems in validating email, since Outlook and Lotus Notes both let you edit messages you’ve already received and ones you’ve already sent. They point out a nice DenyHosts script to prevent brute-force dictionary attacks. Check the entry’s comments for other solutions. They also mentioned that you should check for firmware updates for your FireWire write-blocking devices if you want to read the HPA of a drive. The LiveAmmo podcast from last week specifically stated that you should avoid USB and FireWire write-block devices because they might not be able to access the HPA.

LiveAmmo: Digital Forensics and Hacking Investigations, Part 3 46:12 is not nearly as dry as it was the previous weeks. It covers the data collection process and what sort of slip-ups might happen. They suggest reading NIST Special Publication 800-61: Computer Security Incident Handling Guide.

SploitCast #007 44:01 As promised last week, this is an interview with Lance James. This is my favorite podcast of the bunch this week. Lance covers many of the techniques that phishers are using. They’ve been going so far as to do distributed hosting of their phishing websites on 0wned computers. Lance also talks about the server-side tools he has been developing to fight malware. The burden is being placed on the server since you can’t expect the users to keep themselves safe.

Blue Box #17 41:00 Another week, another excellent VoIP security podcast.

I promised my friends Cara and Brigitte that I would promote their podcast “Catty Girls Discuss” hosted by the local paper. I hadn’t heard it at that point, but the title kinda gives it away. Here are the highlights from the first show: 10:00 they realize they’ve run out of topics, 15:00 they realize they’ve run out of topics, 20:00 they realize they’ve run out of topics. No, it’s not really that bad and can be pretty funny. Direct links to episode one and two.


Hack Media: Security Podcasts

Do you want to listen to four and a half hours of security podcasts? Well, you don’t have to because I did. Here are the highlights from podcasts released this last week:

Security Now! #27 How Local Area Networks Work, Part 1 37:09 If you don’t know the difference between DHCP and static IP, then this is the podcast for you! Next week promises to be a little more interesting when they get into the problems with ARP.

CyberSpeak Feb 18 76:36 has some pretty good news coverage, but the real highlight is the interview with Bruce Potter from The Shmoo Group that starts after 20:00. If you don’t know about the group and the work they’ve done, this is a good intro.

LiveAmmo: Digital Forensics and Hacking Investigations, Part 2 46:54 Woof. If you are pursuing digital forensics as a career then this would be a great start. Otherwise, avoid, unless you want to know what particular subsection of a law you are violating.

SploitCast #006 36:26 probably has the best atmosphere of these podcasts (and it’s the shortest). The team covers the recent news of a phishing site using a valid SSL cert. You could probably wait till next week when they talk to Lance James to get all of the details. I will say that the Web 2.0 discussion is about as inane as arguing which year the millennium starts. They do earn some extra points since my mom doesn’t read Schneier.

Blue Box #16 69:00 is all about VoIP and naturally the best produced. I don’t follow VoIP very closely, so the news roundup for the first 20 minutes was really interesting. If you aren’t doing enterprise VoIP then this podcast isn’t for you.

Each of these had some high points (even LiveAmmo). They could all do better if they were shorter. I would say that CyberSpeak was my favorite this week, but I don’t want to encourage another 76 minute podcast. What podcasts do you recommend?


Hack-A-Day Extra


The tip line has been pretty dry lately. Not really a lack of submissions, just a lot of stuff I can’t use because it has been covered everywhere else, like the multi-touch display. I’m not going to dedicate an entire day to something that’s already been on Engadget, Make, or Slashdot because you guys would be seriously pissed off. Reader tips drive this site and I would like to thank everyone that sends them in. You’re the reason this site stays fresh and original.

The Team Hack-A-Day folding team is looking for ways to boost production (being #47 is pretty good though). If you don’t know what the team is about, [Billy the Impaler] has a Valentine for you: The New & Improved Illustrated Folding@home Guide.

The #hackaday channel is still alive and well on EFnet. More links after the break.
