[SecurityRatty] tag: episodes

Three years of Blue Box podcasts....

Fri, 24 Oct 2008 17:35:22 +0000

Today is a special day for me. It was three years ago on October 24, 2005, that Blue Box Podcast #1 was uploaded. It was an 11-minute episode where I talked about... Skype security, SIP security, IETF, VOIPSA and some other VoIP security news..... (Hmmm... sounds lot like our recent shows, too, eh?)

Jonathan Zar joined me a week later on Blue Box Podcast #2 and we've been going ever since. We've now produced over 112 episodes, had close to 245,000 downloads of our various shows, met some amazing people, learned a lot along the way... and hopefully helped you all learn a lot out there as well.

Thank you to all of you who have joined with us on this journey... whether you've listened to our show from the very beginning (and we know of a couple of you who have) or have only recently joined in... thank you!

And now... on to the next three years... :-)

Technorati Tags: blue box, bluebox, dan york, danyork, jonathan zar, security, voip, voip security, voipsa

Blue Box's 3-year anniversary coming up on Friday...

Mon, 20 Oct 2008 15:22:26 +0000

It was three years ago Friday, on October 24, 2005, that I uploaded Blue Box Podcast #1, an 11-minute show where I introduced the show, talked about VoIP security news (To no surprise, I was talking about Skype security!), some projects of VOIPSA and some other podcasts people might find interesting. A week later, on Halloween 2005, Jonathan joined me in Blue Box Podcast #2 and we were off and running...

Three years later... 84 main Blue Box episodes (with one more recorded) .... 26 Special Editions (with about 10 in the queue)... almost 250,000 downloads... we're still here and, with an admitted bit of a rough patch this summer, are still going along creating shows and enjoying what we do.

Jonathan and I are planning to record a 3-year show on this coming Friday, October 24th, and if you have any comments you would like us to include in that show, please do get them to us by the end of the day on Thursday, October 23rd. You can send them to us via:

Email to blueboxpodcast@gmail.com
Phone to +1-415-830-5439
Phone via SIP to sip:bluebox@voipuser.org

The show started out 3 years ago as really an experiment in seeing whether or not podcasting could be used to reach out to very specific audiences... and it's been both fun, amazing and interesting to see how well it's done.

Thank you to all of you who have continued to listen and contribute over the years!

Technorati Tags: blue box, bluebox, voip, voip security, security, dan york, jonathan zar, voipsa

Data Mining for Terrorists Doesn't Work

Fri, 10 Oct 2008 02:35:43 +0000

According to a massive report from the National Research Council, data mining for terrorists doesn't work. Here's a good summary:

The report was written by a committee whose members include William Perry, a professor at Stanford University; Charles Vest, the former president of MIT; W. Earl Boebert, a retired senior scientist at Sandia National Laboratories; Cynthia Dwork of Microsoft Research; R. Gil Kerlikowske, Seattle's police chief; and Daryl Pregibon, a research scientist at Google.
They admit that far more Americans live their lives online, using everything from VoIP phones to Facebook to RFID tags in automobiles, than a decade ago, and the databases created by those activities are tempting targets for federal agencies. And they draw a distinction between subject-based data mining (starting with one individual and looking for connections) compared with pattern-based data mining (looking for anomalous activities that could show illegal activities).

But the authors conclude the type of data mining that government bureaucrats would like to do--perhaps inspired by watching too many episodes of the Fox series 24--can't work. "If it were possible to automatically find the digital tracks of terrorists and automatically monitor only the communications of terrorists, public policy choices in this domain would be much simpler. But it is not possible to do so."

A summary of the recommendations:

U.S. government agencies should be required to follow a systematic process to evaluate the effectiveness, lawfulness, and consistency with U.S. values of every information-based program, whether classified or unclassified, for detecting and countering terrorists before it can be deployed, and periodically thereafter.
Periodically after a program has been operationally deployed, and in particular before a program enters a new phase in its life cycle, policy makers should (carefully review) the program before allowing it to continue operations or to proceed to the next phase.

To protect the privacy of innocent people, the research and development of any information-based counterterrorism program should be conducted with synthetic population data... At all stages of a phased deployment, data about individuals should be rigorously subjected to the full safeguards of the framework.

Any information-based counterterrorism program of the U.S. government should be subjected to robust, independent oversight of the operations of that program, a part of which would entail a practice of using the same data mining technologies to "mine the miners and track the trackers."

Counterterrorism programs should provide meaningful redress to any individuals inappropriately harmed by their operation.

The U.S. government should periodically review the nation's laws, policies, and procedures that protect individuals' private information for relevance and effectiveness in light of changing technologies and circumstances. In particular, Congress should re-examine existing law to consider how privacy should be protected in the context of information-based programs (e.g., data mining) for counterterrorism.

Here are more news articles on the report. I explained why data mining wouldn't find terrorists back in 2005.

Sorry, Qantas, No Unfettered Broadband

Thu, 18 Sep 2008 06:33:20 +0000

Qantas backs off from earlier plans, changes provider for in-flight broadband: The Sydney Morning Herald somewhat erratically and incompletely reports that Qantas has delayed and modified its in-flight broadband plans. Aeromobile was the provider when the service was tested in second quarter 2007, but OnAir is now described as the airline's partner. This was noted by colleague Fabio Zambelli, who emailed me the news, and has his own account at 7BIT (in Italian).

OnAir has so far tested their calling/texting-only service on two aircraft--one operated by Air France, one by TAP Portugal--even though RyanAir announced plans that its planes would started being unwired with the service by late 2007. Still no word on that fleet progress.

Qantas will apparently launch cached Web browsing and limited Web email (probably through a proxy) along with instant messaging, with full Internet service coming "later in 2009." This is clearly due to a lack of satellite coverage that was just remediated a few weeks ago (see below). The first plane with limited service, a new A380, should be in flight 20-October-2008.

I hate in-flight
broadband

To Qantas' credit, note that each seat on the plane will have a laptop opower socket, a USB port, and a multimedia system that can show 100 movies and 500 TV show episodes, play the contents of 1,000 CDs and 20 radio stations, and offer 80 games.

The Morning Herald seems to overstate the importance and scope of a complaint filed by the union representing American Airlines' flight attendants. The detailed coverage in the U.S. had more to do with the potential for issues, and likely attendants lack of interest in policing yet another media on the plane. Filtering doesn't work, the attendants probably already know, and this may just be a negotiating point with the airline.

On why Qantas is waiting until late 2009? This requires unwinding how OnAir gets its signal.

Aeromobile and OnAir both rely on Inmarsat satellites for their service. Both companies had several years ago staked their futures on the fourth-generation network Inmarsat was to inaugurate with three satellites that would use beamforming to allow precise delivery of nearly 500 Kbps per receiver, with hundreds or thousands of regions being able to be targeted from a single satellite. Inmarsat's third-gen network--don't confuse this with 3G cellular ground-based networks--can deliver about 64 Kbps per channel.

Now, unfortunately, Inmarsat was three years late on launching its trans-Pacific bird. While the company claims 85 percent coverage of the earth and 98 percent coverage of population, there's a big gap over the Pacific that also prevents them from having good overlap between the U.S. and Japan/China/Korea, as well as the southern Pacific, covering Australia. Since the biggest market for long-haul flights would likely be Australia, Japan, and China, traveling trans-Pacific or trans-hemispheric routes, that gap is rather large.

Aeromobile opted to build out a service, deployed only by Emirates airline as far as I can tell, that uses the 3G service since it was available, and most necessary equipment is already installed on most over-water planes. OnAir was waiting for 4G, which has necessitated a long wait, but allowed them to launch in Europe with a seemingly next-generation service. Given that OnAir is controlled by an airline-owned integration firm, SITA, and by Airbus, they're not going anywhere.

Inmarsat finally lofted its third satellite on Baikonur Cosmodrome in Kazakhstan on 19-August-2008, and the launch and separation was reported as successful. Previously, the company has needed up to a year to verify and deploy its 4G satellites. (You can read extremely close coverage of the launch at a Web site devoted to space enthusiasm.)

However, the dirty little secret about Inmarsat's BGAN is that it costs a fortune to heft bandwidth across it. Thus, in-flight broadband over BGAN, if it's ever available, is going to be changed on an extremely high per-MB rate. None of the providers want to say this. This is in contrast to Row 44 (and, once, Connexion by Boeing), which relies on leased Ku-band transponders where they can fix costs and they require high volumes to keep per-bit costs efffectively low.

OnAir's launch of calling on Air France's service involves paying a few euros per minute for calls, which might help you understand what data costs could ultimately run.

Returning from the hiatus...

Tue, 26 Aug 2008 17:15:14 +0000

Blue Box listeners,

Well, it's been a while. A long while. This summer turned out to be a bit crazier than Jonathan or I ever expected. The good news is that the renovation at my home is finally done and I've moved into my home office. The box of podcasting gear has come up from the basement. I'm not traveling for several weeks... so everything looks good to finally get the huge queue of back episodes out the door.

My goal this week is to get some of the older main shows out first followed by some of the excellent Special Editions that our volunteer production team has put together. If things work out the way I hope I should be getting you a show a day for the rest of the week. (We'll see.)

Thanks for your patience and continued interest in the show. We have very definitely not "podfaded"... and we'll be back with more shows and interviews in the weeks and months ahead! Thanks for continuing to listen.

Dan & Jonathan

Returning from the hiatus...

Tue, 26 Aug 2008 16:15:37 +0000

Blue Box listeners,

Dan & Jonathan

Lost.....and Found

Fri, 15 Aug 2008 10:20:17 +0000

The practice of affiliates signing up with Zango then hiding pirated movies behind their installer prompt ([1], [2]) takes another twist, as we go hunting for TV episodes instead of movies and find....

Click to Enlarge

......TV shows (apparently ripped and streamed from Chinese Youtube-style websites), hidden behind Zango installer prompts. Obviously, this is something of a mini industry we have here but I'm faintly alarmed that so many of these affiliates are happily churning out these kinds of sites. I'm also pretty sure Zango doesn't want people seeing what effectively says "Free ripped off movies online sponsored by Zango" on their installer prompts, either.

As a side note, it's not just Zango affiliates doing this - here's another example, this time for something called "Cpalead.com" that wants you to fill in a survey in return for seeing "free" episodes of Lost:

Click to Enlarge

In case you were wondering, my monitor isn't broken, they just grey out the page when the popup appears. The Lost episodes appear to be ripped by end-users and uploaded to Megavideo.com.

The sites above are

lost-stream(dot)com
ietv(dot)co.uk/category/watch-lost-online
watchprisonbreakonlinefree(dot)com
watch-lost-online(dot)info
www.heroesstreaming(dot)com

I guess I ended up with a trilogy after all.

A Simple Situation Model for Complex Events

Tue, 15 Jul 2008 05:29:06 +0000

In an earlier post I explained why situation modelling, and preferable an object-oriented situation model, is one of the key attributes of CEP. Unfortunately, I have yet to find a situation model for complex events, so I offer a few simple baseline concepts here. Your comments and improvements are much appreciated.

1. A situation model of a complex event is an abstract representation of a described or experienced situation that we wish to detect in real-time.

2. Situation models are composed of four primary objects:

a. A spatial-temporal reference framework (spatial locations, time frames, window size)
b. Entities objects (people, objects, system)
c. Properties of entities objects (velocity, amount, size, price, direction)
d. Object relational information (spatial, temporal, causal, dependence, proximity, network, taxonomy, classification)

3. Situation models of complex events may have three levels of model representation:

a. Situation model (event-specific)
b. Episodic model (coherence sequences of events)
c. Comprehensive model (a comprehensive collection of episodes)

Hence, in a nutshell, it is imperative that we have a situation model for representing complex events if we are going to move CEP forward. The simple model in this post may or may not be the right one to develop, but at least we have something to talk about. Ideally, the model should be object-oriented, althought it does not have to be.

When we have a workable model for situations in the context of event processing, we will have a working model for complex events. Then, with a working model of complex events, we can build a working model for complex event processing.

References: The New Theory for Situation Models

Homer Simpson and the Kimya Botnet

Fri, 11 Jul 2008 13:46:17 +0000

Television often relies on fake codes, phone-numbers and addresses to make up part of their fictional worlds. Sometimes, it can go slightly wrong - how many people tried to call Doctor Who last week?

D'oh.

Actually, "D'oh" is rather appropriate here. In an old episode of The Simpsons, it was revealed that Chunkylover53@aol.com was Homers Email address. Of course, every Simpsons fan with net access immediately added Chunkylover53 to their AIM contact list. As this article points out....

Homer's e-mail address chunkylover53@aol.com, as seen on EABF03, was registered by writer-producer Matt Selman, who also replied to e-mails from fans testing it. "He logged in the night that the episode aired and it was immediately filled with the maximum number of responses. He's tried to answer every one of them and then as soon as he answers a hundred, a hundred more pop in," Al Jean told the New York Post in January 2003.

The "Chunkylover53" AIM screen-name hasn't logged in for quite some time, apparently. Imagine the puzzled expressions worn by Simpsons fans when, all of a sudden, the account came back to life in the last few days with this in their "Away" message....

...yes, "Homer" has seemingly returned, and he comes bearing infection files!

Of course, the "exclusive Simpsons episode" is nothing of the kind - what you actually download is a file about 150kb in size, and it looks like this:

Run the file, and you won't see a new Simpsons episode - you're actually more likely to see this:

....a strange error message that mentions "photos" (probably fake), followed by lots of real error messages as most of your desktop fails, leaving you with an entirely blank screen:

Click to Enlarge (if you really must!)

From this point onwards, the PC will likely need a reboot and will be sluggish until cleaned up, constantly throwing out error messages, crashing when attempting to open Windows Explorer etc.

Now, given that the infection links are being passed around via IM Away messages, there was always going to be the possibility of an Instant Messaging worm attack. However, a lot of testing has taken place and so far, we haven't seen any malicious messages or URLs sent via AIM or MSN Messenger.

That's no reason to get complacent though, because what we have seen taking place is possibly quite a bit worse. First of all, a number of hidden files are dropped onto the PC, including Rootkit technology (which the bad guys have helpfully pointed out in the code):

Worse, your PC is deposited into a Botnet of Turkish origin - here's the giveaway traffic stream via an Ethereal log:

....awaiting further instructions from the Botnet C&C center. This particular Botnet has been around since March of this year. The Turkish connection is interesting, because I haven't seen too many Turkish Botnets - and there's been quite a surge in hacking activity from Turkey recently (most notably the DNS attacks on Photobucket and ICAAN by NeTDevilz).

Finally, the infection drops a number of other files onto the PC besides the Rootkit, which are seemingly related to a new variant of this Chinese infection.

It's worth noting that there may only be Instant Messaging infection links sent out if the person running the Botnet Command Center decides to issue all the drones with such a command - so while we haven't seen any IM infection activity, it would be wise not to rule it out completely. We recommend infected users keep an eye on all Instant Messaging activity until they can clean the infection from their computer, just in case.

Whoever is responsible for these messages has changed them a couple of times already - last night, the download link had been updated to look like this:

...and it currently advertises a link for a dating website:

We've reported all links related to this attack, and at least two of the files claiming to be "exclusive Simpsons episodes" are currently offline, though there's bound to be more out there. For now, this is a good reminder to be cautious when randomly adding cool things seen on TV and film to your online applications - you can't always assume the person at the other end is entirely in control.

We detect this as Kimya.

Additional Research: Chris Mannon, FSL Senior Threat Researcher
Deepak Setty, FSL Senior Threat Research Engineer

Don't use Clickcaster for podcast hosting

Mon, 07 Jul 2008 10:41:23 +0000

Image via Wikipedia

When I find a new product or service that I think is good I am only too happy to let the world know it on my blog. For the past almost 2 years in the notes of every episode of our podcast, I mention and thank ClickCaster for hosting our podcast.

I originally was turned on to ClickCaster by Scott Converse out in Boulder, Co who was the founder of ClickCaster. When Scott realized that a free model was not going to pay the bills, he instituted a pay model for podcast hosting. I was only too happy to pay for the great service and stats I was receiving. Well a few months ago Scott and team sold ClickCaster to focus on their new project, Medioh!.

The new owners, nexplore promised no changes and same great service. Since then the stats stopped working, it became harder and harder to post new content and the site was down more than it was up. Finally after getting no satisfaction from ClickCaster I had no choice but to look for another host. Mitchell and I have chosen Pod-o-matic to host the podcast going forward.

Of course we don't have all of the episodes moved over yet because ClickCaster isn't even up enough for us to grab all the episodes. But most of them are up at pod-o-matic and we have already repointed the feedburner/iTunes feed. So from here on you can hear us at pod-o-matic.

If you are looking to host your podcast, you don't have to use pod-o-matic, but don't use ClickCaster!