* Posts by Jan

12 publicly visible posts • joined 2 Sep 2007

No mile-high pr0n for Delta passengers


filtering vs. control

I don't like the direction our society is taking/has taken. The first answer to any indecency these days seems to be: let's make it impossible.

Individual responsibility? Individual restraint? Where did that go? Surely it must be clear to most folks that porn is not something to be watched in public, not because it's legal/illegal, but because it's, well, not something the majority of us want to see in public spaces.

Cinemas are not burdened with mobile phones continuously ringing anymore? And that without doing GSM blocking fields. "This is a non-smoking flight and please refrain from accessing inappropriate content during this flight." Must be good ways to impose an interesting fine given existing laws on inappropriate behaviour in public.

Let's say I am just amazed by the total lack of awareness some people have of their surroundings. Luckily I'd know how to take care of jackasses.

Mine's the one with the hammer inside.

Mission Impossible: Restoring Exchange in 30 Seconds


does anyone have *positive* experiences with NetVault these days then?

Just wondering.

I used Netvault for about 3 years up to some 2 years ago. Version 7.1-7.3 if I recall correctly, on FreeBSD, various Windows servers, Linux, Solarisx86 and SolarisSPARC, all clients with the encryption plugin. It had many many issues. Plugins that worked on some platforms but not on others. Backups that didn't work for mysterious reasons. Installs that failed for equally mysterious reasons. Inadequate support. Reporting was a pain, and the stability of the product left much to be desired. You think it might have been me being totally inept at using the software but...there were others like me. The common opinion was that BakBone typically used us as bughunters.....

To up the joy they used normal server-based licensing for normal functions but client side modules like the encryption module required a specific client-bound license. Based on a machine_id which was based on a combination of host-id, ip address, mac address and some other stuff. Meaning that every time you changed an IP address of a host you'd have to change the license key. Rather....unpleasant as you'd have to wait for the BakBone license guys to give it to you.

Maybe that has changed these days but for some reason I'd only believe this 30 second restore when I see it, not when I read it. Especially the client-side licensing was a pain and as this feature requires a specific client-side plugin.....

Google taunts 'losers' with secret Android code


Re: Google's pets

"Google has evangelized its openness and intentions to be transparent". Google is a multi-billion operation. Intentions from an organization playing at that level are exactly what the word says: intentions. What was that English saying again? Ah, yes. The road to hell is paved with good intentions. Now if they *had* released everything in a proper open source fashion you'd have something to work with but please, a big big big multi-billion operation asks you to invest a lot of free time because it *intends* to do the right thing? Proof, pudding, eating. Maybe engineers should get a mandatory anti-gullible mindset training.

NXP sues to silence Oyster researchers


ample time, money likely the excuse

If I read the statement of Nijmegen University (which btw is on http://www.ru.nl/home/nieuws/icis/radboud_universiteit/, the URL in the article is invalid) the researchers had completed their research to a stage where they could safely sound the alarm in March. "Because of her responsibility to society the university has immediately and confidentially notified the national government and NXP of the results of the independent investigation to the Mifare Classic Chip. Upon which the minister of interior affairs made the problems with the chip known and indicated the university would, in due time, publish the results." is a rough translation. The statement continues that the researchers very consciously didn't reveal any details about the flaws in the chip to give stakeholders, among which NXP, the chance to do something.

So that's one thing: responsible disclosure would seem to have taken place.

Another thing is I recall reading about the national outcry over the chip issue (mind you, this whole chippifying of Dutch public transport tickets has already cost an amazing EUR. Yes, that's 9 zeros) that after the tendering procedure the Dutch government deliberately chose the flaky chip on the grounds of it being cheapest. Duh. The articles appearing at that time clearly indicated NXP has a good replacement.

What I guess is happening here is NXP desperately trying to put off the moment at which they really need to end-of-life their Mifare Classic chip. My assumption is that they are still making an interesting amount of money from it. Sudden EOL is not really a cheap way to phase out that product, I can imagine. Now if I am *not* cynical about corporate human reasoning capability I am tempted to think they carefully weighed the PR risk of the trial against the financial risk they're running and went ahead with suing the researchers.

I don't believe this to be true however. I'd guess it will be a combination of seeing the prospect of a nice revenue stream evaporating at great cost, not understanding how the academic world functions (publish or perish anyone?) and not understanding what motivates academic researchers to begin with (there is definitely a strong desire to simply do what is right for the greater good) and probably a nice dosage of corporate ignorance and arrogance ('s not fair!) that really motivates them.

To conclude my comments: I've worked with Mr. Jakobs and his team on several occasions and have experienced them as security researchers and academics with a very high degree of integrity and a thorough understanding of the sharp edges of security research, like disclosure. Kudos to him and his team and kudos to the university for supporting him in doing the Right Thing. And lovely publicity of course for all of them, academic freedom, furthering society etc. This is a really nice example of the benefits of having institutions like universities.

World+dog ignores Sweden's Draconian wiretap bill


Green IT

Well, it's one way of ensuring a zero carbon footprint of your nation's IT resources: force companies to host them anywhere but in your own country out of fear of violating EU privacy regulations. I at least most certainly would hope that no-one is under the illusion that any commercial enterprise would move its servers elsewhere because it actually believes in privacy....

DHS ponders microwave raygun missile defences at airports



There is a nice device that might be quite effective to protect airfields. And has been tested.... http://en.wikipedia.org/wiki/Goalkeeper_CIWS

Dutch MP releases anti-Islam movie


not turned down by *all* Dutch broadcasters

"Wilders was also turned down by all Dutch broadcasters.". Nope. The Dutch Muslim broadcasting organization volunteered to show it, in its entirety, uncut, the whole thing. They did want to see it in advance to verify the film did not contain anything that would land *them* in front of a court of law (Dutch freedom of speech legislation is a little bit more complicated than 'you can say anything'). Wilders didn't accept the offer. As was to be expected, it doesn't fit in his profile of creating ever more FUD.

Dutch tax office deletes 730,000 tax returns


Staff circulation

I remember reading a long article on the rather disastrous effects of implementing a certain way of organizing staff. One of the things involved was a forced staff rotation with roughly a 3 year frequency on various management levels. So once someone has become adequately experienced in a complex subject he/she is rotated away. Guess what stuff like that does to the continuity of your organization or IT.

My best guess is that we're now seeing in the Netherlands the interesting after effects of some rather disastrous decisions implemented roughly 2 to 3 years ago resulting in the knowledgeable people moving out. 2-3 years is how long it usually takes for systems to crumble and die without proper supervision.

Dutch pull the plug on e-voting


Counting with paper didn't take long

I have worked both with counting the paper ballots and with an electronic machine at a Dutch parliament election (mind you, with 24 participating parties there *is* something to count).

With the paper ballots we were done (with 3 verifying counts, just to make sure!) in 1.5 hours. With the voting machine it took 1.5 hours longer due to a malfunction in the GPRS upload channel.

The whole black box principle of the current implementation of electronic voting machines, where essentially a for-profit entity together with the sitting government are entrusted with our democracy, *that* has to go.

I for one would not be against an electronic voting system that is well understood by enough technical people, run by an open but centralized not-for-profit organization manned by people drawn at random and very closely watched by a good sample of that group of technically competent people.

Bring on the argument that it is harder to do election fraud when you have to subvert 10.000 polling stations. Please. I will point you to countless elections in essentially dictator run countries that were run this way and were nicely subverted.

No, try to subvert one heavily monitored glass house.

EDS shows one in four staff the door



Well, I agree with it challenging the value for money customers are getting, but not because of non-native English speaking IT people: if you can't understand what they're saying then obviously the *wrong* non-native English speakers have been hired, as I know plenty of non-native English speakers whose English is better than that of several native speakers I know ;).

It always strikes me as odd that an organization fires, in this case, 1/4 of their staff and apparently expects customers to just take the collateral damage that will be caused as internal informal networks where 'things get done' disappear overnight, where you can expect an increase in sickness (overloaded people). Such a bloodletting will inevitably cause a major disruption in day-to-day operations and it's the customer who will suffer.

'All-in' DNA database plan hinges on human rights case


Find me now :)

If I were a criminal I would welcome the idea of having everyone in the database. Given that it should be easy to acquire random DNA material I predict a prospering future for random DNA sample gatherers (used condoms anyone?). Do a crime, empty your random DNA sample box and presto, you have just given the police an interesting amount of extra work detaining and questioning innocent people.

Not to mention the interesting possibilities I as a criminal would have to frame specific individuals because hey, the DNA is not lying, now is it. The (public) opinion on DNA as the holy grail for identifying the guilty certainly seems to stimulate such a mindset.

Freedom also means one's government has to put in a fair amount of effort to prove you're guilty. Let's not forget governments have been responsible for more killings in the last century than any other human mayhem so I see a clear need for reasonable checks and balances. One of those would be to be very, very restrictive with the amount of information we voluntarily hand over to our government: you just *know* they will use it for things neither they nor you ever intended. But it is *you* who will bear the resulting consequences.

Mystery SNAFU exposes email logins for 100 foreign embassies (and counting)


Due diligence....

As someone already pointed out, disclosing a security hole and disclosing information that can be gathered using that security hole are two different things.

What the security consultant SHOULD have done with the information he stumbled upon is to have gone to the Swedish national CERT, SITIC (http://www.first.org/members/teams/sitic/ and http://www.sitic.se/). *They* would have understood the problem *and* would have taken care of warning all those involved in the incident. Contacting the right people at other governments is what these government CERTs are there for.