<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: magical]]></title>
    <link>http://www.securityratty.com/tag/magical</link>
    <description></description>
    <pubDate>Tue, 25 Mar 2008 02:27:19 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Extraordinary Journey from Fundamental Electronics to Fabulous Enchanted Systems with Arduino's and Magical Potions]]></title>
      <link>http://www.securityratty.com/article/a4a9c781028d6546cebed713bcce8f51</link>
      <guid>http://www.securityratty.com/article/a4a9c781028d6546cebed713bcce8f51</guid>
      <description><![CDATA[New Video: Extraordinary Journey from Fundamental Electronics to Fabulous Enchanted Systems with Arduino's and Magical Potions

This is Morgellon and Droop's talks about hacking the Arduino micro...]]></description>
      <content:encoded><![CDATA[New Video:<a href="http://www.irongeek.com/i.php?page=videos/droops-lowtek-arduino-pn12">Extraordinary Journey from Fundamental Electronics to Fabulous Enchanted Systems with Arduino's and Magical Potions</a>
<p></p>
<p align="left">This is Morgellon and Droops' talk about hacking the <a href="http://dailyduino.com/">Arduino</a> microcontroller platform from <a href="http://www.phreaknic.info">Phreaknic 12</a>.&nbsp;Droops and Morgellon will take you from basic electronics to building embedded systems. Learn how to build a standalone RFID tag reader with a fancy LCD display or your own oscilloscope or children's toys that speak to you or how to solar power a geothermal heat pump. There may even be some giveaways and contests. Magical Potions will be consumed but not provided. </p>
<p>Check out the following sites by Droops and Morgellon: <br/><a href="http://dailyduino.com/">http://dailyduino.com/</a><br/><a href="http://www.hackermedia.org/">http://www.hackermedia.org/</a></p>
<p>I've done a little work to pull some noise out of the audio, but I may have made it worse in some spots. Thanks go out to the Phreaknic 12 A/V team SomeNinjaMaster, Night Carnage, Greg, Brimstone, Poiu Poiu, Mudflap, and Drunken Pirate for setting up the rigs and capturing the video.</p>
]]></content:encoded>
      <pubDate>Wed, 29 Oct 2008 19:00:18 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/magical potions">magical potions</category>
      <category domain="http://www.securityratty.com/tag/systems">systems</category>
      <category domain="http://www.securityratty.com/tag/extraordinary journey">extraordinary journey</category>
      <category domain="http://www.securityratty.com/tag/fundamental electronics">fundamental electronics</category>
      <category domain="http://www.securityratty.com/tag/fancy lcd display">fancy lcd display</category>
      <category domain="http://www.securityratty.com/tag/geothermal heat pump">geothermal heat pump</category>
      <category domain="http://www.securityratty.com/tag/morgellon">morgellon</category>
      <category domain="http://www.securityratty.com/tag/fabulous">fabulous</category>
      <category domain="http://www.securityratty.com/tag/phreaknic">phreaknic</category>
      <source url="http://feedproxy.google.com/~r/IrongeeksSecuritySite/~3/WllKX0QCAYk/i.php">Extraordinary Journey from Fundamental Electronics to Fabulous Enchanted Systems with Arduino's and Magical Potions</source>
    </item>
    <item>
      <title><![CDATA[Technology Tales from Thailand: KBank Fraud Management]]></title>
      <link>http://www.securityratty.com/article/5f893d1cf14b7adbe58a329292652735</link>
      <guid>http://www.securityratty.com/article/5f893d1cf14b7adbe58a329292652735</guid>
      <description><![CDATA[In The Magical ATM Card and SMS Message in Thailand we talked about booking flights and securely paying using a SMS PayCode and ATM transfer, avoiding the possibility of on-line credit card fraud; and...]]></description>
      <content:encoded><![CDATA[<p>In <a title="The Magical ATM Card and SMS Message in Thailand" rel="bookmark" href="http://www.thecepblog.com/2008/08/03/the-magical-atm-card-and-sms-message-in-thailand/"><span style="color: #105cb6;">The Magical ATM Card and SMS Message in Thailand</span></a> we talked about booking flights and securely paying using a SMS PayCode and ATM transfer, avoiding the possibility of on-line credit card fraud; and in <a title="Keyloggers: Why Banks Need Two-Factor Authentication" rel="bookmark" href="http://www.thecepblog.com/2008/01/14/keyloggers-why-banks-need-two-factor-authentication/"><span style="color: #105cb6;">Keyloggers: Why Banks Need Two-Factor Authentication</span></a> I described how <a href="http://www.kasikornbank.com/portal/site/KBank/?" target="_blank">KBank</a> uses SMS-based one-time-passwords (OTP) to authenticate transactions.   </p>
<p>In addition to the above services, KBank offers a service that permits users to receive an SMS message that details any change in account balance and/or point-of-sale (POS) transaction with your debit card.   I really like this service and the feeling of security knowing when, where and by how much my balance changes or my debit card is used in a transaction.    The KBank POS SMS notification is so fast that when I present my card to a merchant I normally receive an SMS message detailing the transaction before the merchant returns for my signature.  (There is an unfortunate lag in the balance change notification that can run minutes to hours behind real-time, but the POS VISA debit card notification is real-time).</p>
<p>As the story goes, I should have been using my KBank card and account a few weeks ago and not my US-based VISA debit card.  Why?</p>
<p>My US-based VISA debit card was cloned sometime on or before August 8th.   I am really careful with this card, so I was surprised the magnetic strip was cloned at a POS merchant.   The fraudster made 7 fraudulent transactions beginning on August 8th for a total of around $2500 USD, mostly on August 11th, before I discovered the fraudulent transactions viewing my account on-line.</p>
<p>This would not have happened with KBank SMS-based transaction notification services.</p>
<p>The first transaction with my cloned VISA debit card was less than $50 USD (I assume the fraudster was &#8220;testing the water&#8221;).   If I was using my KBank card, I would have received an immediate SMS message detailing a POS transaction in Bangkok when I was physically far away from Bangkok in Chiang Mai.   I could have immediately called the bank (or logged in) and blocked the debit card, limiting potential losses to the bank or the merchant to one fraudulent transaction, not seven.</p>
<p>In addition, KBank offers what they call a Web-Shopping VISA card, where you can go into your on-line account (verified by SMS OTP as mentioned) and request a VISA debit card number (with expiration date, CCV etc).   You set the limit from 0 to 500,000 THB (Thai Baht) per day; and you can login to your account and change this anytime (authenticating your transaction with another SMS-based OTP). You can also block or cancel this number anytime and apply for another one.</p>
<p>I am amazed that in Thailand I receive much better anti-fraud prevention and detection services than with banks in the US.   I know of no bank or brokerage in the US that offers the same quality of service and security as KBank in Thailand.  </p>
]]></content:encoded>
      <pubDate>Wed, 20 Aug 2008 03:16:51 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/visa debit card">visa debit card</category>
      <category domain="http://www.securityratty.com/tag/debit card">debit card</category>
      <category domain="http://www.securityratty.com/tag/card">card</category>
      <category domain="http://www.securityratty.com/tag/visa card">visa card</category>
      <category domain="http://www.securityratty.com/tag/kbank">kbank</category>
      <category domain="http://www.securityratty.com/tag/kbank card">kbank card</category>
      <category domain="http://www.securityratty.com/tag/transaction">transaction</category>
      <category domain="http://www.securityratty.com/tag/transaction notification services">transaction notification services</category>
      <category domain="http://www.securityratty.com/tag/fraudulent transaction">fraudulent transaction</category>
      <source url="http://www.thecepblog.com/2008/08/20/technology-tales-from-thailand/">Technology Tales from Thailand: KBank Fraud Management</source>
    </item>
    <item>
      <title><![CDATA[The Magical ATM Card and SMS Message in Thailand]]></title>
      <link>http://www.securityratty.com/article/1ba59a13d2493ca9d5042d5c2f7ceb4e</link>
      <guid>http://www.securityratty.com/article/1ba59a13d2493ca9d5042d5c2f7ceb4e</guid>
      <description><![CDATA[It was not too long ago that I penned Keyloggers: Why Banks Need Two-Factor Authentication . In that post, I briefly mentioned how a number of banks in Thailand use inexpensive SMS-based two-factor...]]></description>
      <content:encoded><![CDATA[<p>It was not too long ago that I penned <a href="http://www.thecepblog.com/2008/01/14/keyloggers-why-banks-need-two-factor-authentication/">Keyloggers: Why Banks Need Two-Factor Authentication</a>. In that post, I briefly mentioned how a number of banks in Thailand use inexpensive SMS-based two-factor authentication (2FA) with one-time password (OTP) to authenticate transactions.</p>
<p>One of my favorite banks in Thailand is <a href="http://www.kasikornbank.com/portal/site/KBank/?" target="_blank">K-Bank</a>. With K-Bank I can simply walk up to an ATM machine and pay a mobile phone bill, purchase mutual funds, buy insurance, or transact an ever-growing list of services payable at the modern and sleek K-Bank ATM.</p>
<p>For example, tomorrow I fly to Chiang Mai in Northern Thailand and found K-Bank&#8217;s service amazingly better than in the US. For example, I booked my flight as usual (over the phone, but could have used the Internet) and told the reservation agent I was going to pay by ATM. He simply gave me a PayCode and told me I had three hours to go to the ATM and enter the PayCode to perfect my reservation.  I also got the PayCode via SMS.  This gave me the time I needed to make sure I had <a href="http://www.r24.org/whatsonchiangmai.com/chiangmai/fernparadise/pictures/" target="_blank">booked the perfect boutique hotel</a> in Chiang Mai, the <strong><a href="http://www.r24.org/whatsonchiangmai.com/chiangmai/fernparadise/review/" target="_blank">Fern Paradise</a>.</strong></p>
<p>Then, I went out into the beautiful Thai weather and completed my airplane reservation at the ATM machine, which also printed out a receipt with my flight details and reservation number.</p>
<p>It sometimes amazes me how much further advanced some services are in Thailand compared to the US. To me, it feels more secure not to use an on-line payment center or give out my credit card details over the phone. I can simply book a ticket, take a PayCode, and complete the transaction at a nice modern, shiny, K-Bank ATM machine.</p>
<p>Who knows, maybe soon I can select the perfect window seat at the ATM and the receipt will act as my boarding pass!</p>
]]></content:encoded>
      <pubDate>Sun, 03 Aug 2008 09:30:52 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/atm">atm</category>
      <category domain="http://www.securityratty.com/tag/k-bank atm machine">k-bank atm machine</category>
      <category domain="http://www.securityratty.com/tag/sleek k-bank atm">sleek k-bank atm</category>
      <category domain="http://www.securityratty.com/tag/k-bank">k-bank</category>
      <category domain="http://www.securityratty.com/tag/thailand">thailand</category>
      <category domain="http://www.securityratty.com/tag/atm machine">atm machine</category>
      <category domain="http://www.securityratty.com/tag/banks">banks</category>
      <category domain="http://www.securityratty.com/tag/perfect window seat">perfect window seat</category>
      <category domain="http://www.securityratty.com/tag/perfect">perfect</category>
      <source url="http://www.thecepblog.com/2008/08/03/the-magical-atm-card-and-sms-message-in-thailand/">The Magical ATM Card and SMS Message in Thailand</source>
    </item>
    <item>
      <title><![CDATA[Easy Google Income]]></title>
      <link>http://www.securityratty.com/article/78a5400adaadfa51b7dc44e905a348a8</link>
      <guid>http://www.securityratty.com/article/78a5400adaadfa51b7dc44e905a348a8</guid>
      <description><![CDATA[Here's an interesting piece of spam trying to cash in on the Google name that could wind up being quite costly for anyone willing to take a chance and see what it's all about. This was sent to one of...]]></description>
      <content:encoded><![CDATA[
        Here's an interesting piece of spam trying to cash in on the Google name that could wind up being quite costly for anyone willing to take a chance and see what it's all about. This was sent to one of my friends:<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://blog.spywareguide.com/images/goffer0.html"><img src="http://blog.spywareguide.com/images/goffer0-thumb-337x332.jpg" alt="goffer0.jpg" class="mt-image-none" style="" height="332" width="337" /></a></span><br /> </div><div><br />Is it a good thing or a bad thing that the office is based in the West Indies and to unsubscribe your email goes to Romania? At any rate, they don't seem to <a href="http://blog.spywareguide.com/images/goffer1.jpg">want my patronage</a> - unfortunately, I'm not particularly interested in free iPods or a Nintendo Wii so a few clicks later and I'm where I should be:<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://blog.spywareguide.com/images/goffer2.html"><img src="http://blog.spywareguide.com/images/goffer2-thumb-378x300.jpg" alt="goffer2.jpg" class="mt-image-none" style="" height="300" width="378" /></a></span><br /></div></div><div><br />At the bottom of the page, it says <i>"Google does not sponsor, endorse, and is no way affiliated with Easy Net Income or this promotion."</i><br /><br />Well, they could 
have fooled me what with all the Google material they've splashed across the site. The quote in the box is interesting, too: <i>"Riches range from a few hundred dollars a month to $50,000 or more a year".</i><br /><br />Go hunting on USA Today though, and the quote doesn't have anything to do with something called "Easy Google Income" - it's to do with <a href="http://www.usatoday.com/tech/news/2005-03-10-google-ads-usat_x.htm">Adsense</a>. Bits missing have been reinserted and bolded:<br /><br />"<b>Tales of AdSense</b> riches range from a few hundred dollars a month to
$50,000 or more a year, <b>though high-dollar paydays are rare. They
require a Web site with tons of traffic and the ability to put in
18-hour days working the system</b>.<br /><br />I think the missing parts are kind of important, don't you? Of course, the CD title clearly makes you think you're going to get some mysterious money magnet, but stops short of telling you whether it would be a program, ebook or magical leprechaun.<br /><br />In fact, what happens is you apparently sign up for the CD at the cost of subscribing yourself to some kind of "free trial" - at the end of which, you have to pay $39.90 a month for access to training courses to "Internet Wealth University" (I swear I'm not making this up). There's also an "activation fee" charged immediately to the card you subscribe with, though I'm guessing you only enter your details once you've entered your name / address and moved onto the second page (which I'm not about to do, in case you were wondering).<br /><br />Internet Wealth University must have an awful lot of poor students, going by the problems people are having <a href="http://www.ripoffreport.com/reports/0/356/RipOff0356749.htm">unsubscribing</a>.<br /><br /><i>"When you try to call the company, you get an automated answering system
that tells you all representatives are busy and then puts you on
hold-forever, or they disconnect you after 5 minutes!"</i><br /><br />Indeed, there's quite a lot of people <a href="http://answers.yahoo.com/question/index?qid=20080630072422AA4Irmi">wondering</a> what this is all about, including the <a href="http://www.friendsinbusiness.com/board1/index.cgi/noframes/read/136859">inevitable concern</a> over <a href="http://answers.yahoo.com/question/index?qid=20080419232112AAh35aR">billing issues</a>.<br /><br />Our advice? Steer well clear. There is a lot of money up for grabs here, but it's all being netted by the people running these websites. Their customers don't appear to be so lucky...<br /><br /></div>
        
    ]]></content:encoded>
      <pubDate>Tue, 29 Jul 2008 13:58:49 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/google">google</category>
      <category domain="http://www.securityratty.com/tag/easy google income">easy google income</category>
      <category domain="http://www.securityratty.com/tag/google material">google material</category>
      <category domain="http://www.securityratty.com/tag/adsense riches range">adsense riches range</category>
      <category domain="http://www.securityratty.com/tag/internet wealth university">internet wealth university</category>
      <category domain="http://www.securityratty.com/tag/adsense">adsense</category>
      <category domain="http://www.securityratty.com/tag/riches range">riches range</category>
      <category domain="http://www.securityratty.com/tag/mysterious money magnet">mysterious money magnet</category>
      <category domain="http://www.securityratty.com/tag/awful lot">awful lot</category>
      <source url="http://blog.spywareguide.com/2008/07/easy-google-income.html">Easy Google Income</source>
    </item>
    <item>
      <title><![CDATA[Links for 2008-07-23 [del.icio.us]]]></title>
      <link>http://www.securityratty.com/article/4c8a5b54d951b74d6db1eb5a6e4deea5</link>
      <guid>http://www.securityratty.com/article/4c8a5b54d951b74d6db1eb5a6e4deea5</guid>
      <description><![CDATA[Sponsored Posting: What is GRC and why should I care? | RiskBloggers.com
Burton Group Identity Blog: Chasing the magical GRC...]]></description>
      <content:encoded><![CDATA[<ul>
<li><a href="http://www.riskbloggers.com/neupart/2008/07/sponsored-posting-what-is-grc-and-why-should-i-care/">Sponsored Posting: What is GRC and why should I care? | RiskBloggers.com</a></li>
<li><a href="http://bgidps.typepad.com/bgidps/2008/07/chasing-the-mag.html">Burton Group Identity Blog: Chasing the magical GRC animal</a></li>
</ul>]]></content:encoded>
      <pubDate>Wed, 23 Jul 2008 20:00:00 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/grc">grc</category>
      <category domain="http://www.securityratty.com/tag/magical grc animal">magical grc animal</category>
      <category domain="http://www.securityratty.com/tag/identity blog">identity blog</category>
      <category domain="http://www.securityratty.com/tag/burton">burton</category>
      <category domain="http://www.securityratty.com/tag/riskbloggers">riskbloggers</category>
      <category domain="http://www.securityratty.com/tag/care">care</category>
      <source url="http://feeds.feedburner.com/~r/AntonChuvakinPersonalBlog/~3/344250688/anton18">Links for 2008-07-23 [del.icio.us]</source>
    </item>
    <item>
      <title><![CDATA[Interview with Paul Cannon, Mozy Software Engineer]]></title>
      <link>http://www.securityratty.com/article/0cc76ea91cbf8ad59a01671da9da1295</link>
      <guid>http://www.securityratty.com/article/0cc76ea91cbf8ad59a01671da9da1295</guid>
      <description><![CDATA[Mozy Awesome Process
Sometimes people come up to me and say, Paul, how is it that Mozy has created such an unrelenting output of Awesome
Today I have been authorized to share with you some of the...]]></description>
      <content:encoded><![CDATA[<p><span style="font-size: small;"><span style="font-weight: bold;">Mozy Awesome Process</span></span><br />
Sometimes people come up to me and say, &#8220;Paul, how is it that Mozy has created such an unrelenting output of Awesome?&#8221;</p>
<p>Today I have been authorized to share with you some of the unique facets of the Mozy Awesome Process that until now have been tightly controlled trade secrets of Mozy, Inc. It all starts with giant robots (virtually perpetual sources of raw Awesome). We attach them to special Awesome Siphons of our own design and pipe the yield directly into our engineers&#8217; development workstations. Further, peripheral Awesome needs are farmed from old He-Man reruns, a roomful of ninjas wailing on electric guitars, and our captive Happy Fun Ball.</p>
<p>The crude Awesome is skillfully transformed by Mozy engineers into powerful software and hardware configurations, then carefully inspected and regulated according to a host of eldritch acronyms: SWAGs, PMQs, PRDs, and the ever-inspiring CFRRCs. Once a successful creation is stamped with the Seal of Acronymic Approval for Mozy (SAAM), it is subjected to final endorsement by the mystical, revered Mozy Leprecorn*. Finally, a highly trained team of Box Monks put the new Awesomery into place in the Mozy systems, where it becomes available to you, the user.</p>
<p>Our rigorous Awesome Enforcement Policies and Magical Oversight have brought us to what we believe is the most Awesome-efficient development process in the world of backup software.</p>
<p>Be safe,<br />
Paul Cannon<br />
Mozy Software Engineer</p>
<p>*Leprecorn (noun): a rare but phenomenal creature; half Unicorn, half Leprechaun, and all magical.</p>
<p><a title="Mozy" href="http://www.mozy.com/?ref=3f9a896b&amp;kbid=38419&amp;m=4&amp;i=77" target="_blank">Visit Mozy now for a great reliable online backup service, I use it myself.</a></p>
<p><span style="font-size: small;"><span style="font-weight: bold;">Vote for Mozy</span></span><br />
Lifehacker is currently holding an online backup showdown. Show your love for Mozy. <a title="Vote for Mozy on Lifehacker.com" href="http://click.news.mozy.com/?ju=fe3415747265057c761075&amp;ls=fdf011757767027476137173&amp;m=fef012747c6103&amp;l=fe881576736c01787d&amp;s=fe601679776d007d7014&amp;jb=ffcf14&amp;t=">Vote now</a>.</p>
]]></content:encoded>
      <pubDate>Wed, 16 Jul 2008 11:00:49 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/mozy">mozy</category>
      <category domain="http://www.securityratty.com/tag/mozy systems">mozy systems</category>
      <category domain="http://www.securityratty.com/tag/visit mozy">visit mozy</category>
      <category domain="http://www.securityratty.com/tag/mozy awesome process">mozy awesome process</category>
      <category domain="http://www.securityratty.com/tag/mozy software engineer">mozy software engineer</category>
      <category domain="http://www.securityratty.com/tag/awesome">awesome</category>
      <category domain="http://www.securityratty.com/tag/special awesome siphons">special awesome siphons</category>
      <category domain="http://www.securityratty.com/tag/mozy leprecorn">mozy leprecorn</category>
      <category domain="http://www.securityratty.com/tag/raw awesome">raw awesome</category>
      <source url="http://spywarebiz.com/spywarebizblog/?p=504">Interview with Paul Cannon, Mozy Software Engineer</source>
    </item>
    <item>
      <title><![CDATA[Your 419 Mail Roundup]]></title>
      <link>http://www.securityratty.com/article/2aa9ff3c4bf96550fcb31a394b91e2bc</link>
      <guid>http://www.securityratty.com/article/2aa9ff3c4bf96550fcb31a394b91e2bc</guid>
      <description><![CDATA[Are you ready for more 419 missives

Of course you are. Plenty of winning lottery tickets, fictitious banks, a wonderfully sick &quot;Robert Mugabe&quot; themed mail and, er, someone called &quot;Captain Frank Bojo&quot;...]]></description>
      <content:encoded><![CDATA[
        Are you ready for more 419 missives?<br /><br />Of course you are. Plenty of winning lottery tickets, fictitious banks, a wonderfully sick "Robert Mugabe" themed mail and, er, someone called "Captain Frank Bojo" after the jump...<br /> 
        Subject:<br />HELLO DEAR<br />From:<br />"abavanagift13 Gazeta.pl" &lt;abavanagift13@gazeta.pl&gt;<br />Date:<br />Sat, 21 Jun 2008 12:26:24 +0000<br />BCC:<br /><br />Hello Dear,<br />&nbsp;<br />&nbsp;My name is Blessing Abavana, the elder daughter of Mr. paul Abavana of Zimbabwe, I am 17 years old with my younger brother (Micheal), we are in Ghana as refuge/asylum since we lost our parents because of the recent war that occurred in our country.please do go through this web page for better understanding with full details:<br />&nbsp;<br />&nbsp;http://www.rte.ie/news/2000/0418/zimbabwe.html<br />&nbsp;<br />&nbsp;I am looking for one&nbsp; who will honestly assist my younger brother and I to realize our inherited funds into your account and as well as invest it into a lucrative business.<br />&nbsp;<br />During the recent war against the farmers in Zimbabwe from the supporters of our President, Robert Mugabe to claim all the white -owned farms to his party members and his followers, he ordered all the white farmers to surrender all their farms to his party members and his followers.<br />&nbsp;<br />&nbsp;My father being one of the few rich and successful black farmers in our country was also victimized because of his opposition to Mugabe's policies. And because he did not support Mugabe's ideas, Mugabe's supporters invaded my father's farm and burnt everything in the farm, killed my father and made away with a lot of items in my father's farm. 
This action was taken because my late father felt the growing tension on the farm issue, but I guess he never anticipated the tragedy that brought their brutal and sudden death.<br />&nbsp;<br />&nbsp;However with the benefit of hindsight, owing to the looming but deteriorating crisis in my country, Zimbabwe, my father, before his unfortunate death deposited with International Commercial Bank (ICB) here in Accra Ghana the sum of US$ 35MUsd (Thirty Five Million United States Dollars), with the sole aim of acquiring and buying some dredging equipments in setting up of a dredging firm with his partner. With his death and all his assets seized at home and accounts frozen, the family is now in a very difficult situation.<br />&nbsp;<br />&nbsp;After the death of my father, my brother and I escaped to the Republic of Ghana where he had deposited the money in the Bank . And we were permitted to reside here as Political Refugees.<br />&nbsp;<br />&nbsp;So Because of our present and unpleasant status here we decided to contact an overseas firm / individual that can assist us to move this money out Of Ghana because, as asylum seekers, we are not allowed to operate any financial transaction of such amount within Ghana and also to assist in providing me and my brother a permanent residential permit in your country after the money must have been transferred to your account.<br />&nbsp;<br />We have agreed to offer you 30% of the total sum for your assistance, and the rest will be for my brother and I, to Invest in your country under your assistant<br />&nbsp;<br />All I want you to do is to furnish me with the below information including your readiness to assist me achieve this transaction for investment purposes in your country under your supervision. 
Kindly re-confirm to me the followings:<br /><br />1) Your Full Name:<br />2) Phone, Fax and Mobile<br />3) Profession, Age and Marital Status.<br />4) Nationality<br />&nbsp;<br />&nbsp;I have to re-assure you that this transaction is 100% risk free and should be treated with absolute confidentiality. All the vital documentation/certification that has to do with the origin of the fund is with me for the security reasons.And I will send them to you when we progress.And I guarantee you that this fund is not government fund, drug money, or from arms deals.<br />&nbsp;<br />&nbsp;I will detail you more about&nbsp; the bank&nbsp; immediately I receive your acceptance response. I hope this is the beginning of a prosperous relationship between us.Thanks and God bless you<br />&nbsp;<br />Regards<br /><br />Blessing/Micheal Abavana<br /><br /><b>(Wow, spectacularly sick. Not that we're expecting scammers to have any morals, of course).</b><br /><br />*********************************************************************************************<br /><br /><br />Subject:<br />Lycos Online Lottery Notification<br />From:<br />"LHOUTY MOHAMMED HASSANE" &lt;mhlhouty@menara.ma&gt;<br />Date:<br />Sun, 22 Jun 2008 02:42:53 -0000<br />BCC:<br /><br />LYCOS LOTTERY ONLINE<br />8th Floor<br />1 Stephen Street<br />London<br />W1T 1AL<br />&nbsp;<br />WINNING NOTIFICATION<br />This is to inform you that your email address has won the Lycos Lottery for the year 2008. your email has won you the sum of ?952,350.00 (Nine Hundred And Fifty Two Thousand, Three Hundred And Fifty pounds sterling).<br />You are advised to keep this notice confidential to avoid misinterpretation of funds and unauthorize claims, cheating or fraud.<br />To claim your funds please contact us with the information below.<br />Name: Dr. 
George Stevenson<br />Tel:+447031991681<br />Email:lycosclaimsdpt@gmail.com<br />&nbsp;<br />It is mandatory that you send us your full names, address, phone number,<br />age, sex and occupation to enable us arrange your claim.<br />&nbsp;<br />Note: Winners were selected through a computer ballot system drawn from Microsoft users from company and individual email addresse users. All winning must be claimed not later than 21 working days from the time of notification. After this date all unclaimed funds will be returned to European Union Treasury as unclaimed funds.<br />&nbsp;<br />Congratulations from mambers and staff of Lycos<br />Lhouty Mohammed Hassane.<br />Lycos Lottery Co-ordinator<br /><br /><b>(A "Lycos Lottery" and they're using a GMail address? Doh).</b><br /><br />*********************************************************************************************<br /><br />Subject:<br />Yukos Oil<br />From:<br />Mr. Timinskiy Vladimir &lt;grooves@bellnet.ca&gt;<br />Date:<br />Wed, 25 Jun 2008 5:38:17 -0400<br />To:<br />&lt;info@yukos.org&gt;<br /><br />I have a profiling amount in an excess of US$100.5M, which I seek you in accommodating for me. You will be rewarded with 4% .If intrested, please reply me for moredetails...&lt;tvlad4@gmail.com&gt;<br />Regards<br />Mr. Timinskiy Vladimir<br /><br /><b>(Short. Sweet. Pointlessly fake).</b><br /><br />*******************************************************************************<br /><br />Subject:<br />Immediate Release of Your FUND Via ATM CARD<br />From:<br />"Mr. 
Mark Louis" &lt;francois.lapeyronie@wanadoo.fr&gt;<br />Date:<br />Wed, 25 Jun 2008 01:45:09 -0700<br />To:<br />undisclosed-recipients:;<br /><br />SUBJECT: Immediate Release of Your FUND Via ATM CARD<br /><br />Attention: ATM Card Beneficiary,<br /><br />I wish to use this medium to inform you that your CONTRACT/INHERITANCE Paymen of USD$10,000,000.00 (Ten Million United States Dollars) from CENTRAL BANK<br />OF NIGERIA have been RELEASED and APPROVED for onward transfer to you via an ATM CARD which you will use to withdraw all the USD$10,000,000.00 in any<br />ATM SERVICE MACHINE in any part of the world, but the maximum you can withdraw in a day is USD$10,000.00 Only.<br /><br />We have mandated IBTC CHARTERED BANK PLC, to send you the ATM CARD and PIN NUMBER which you will use to withdraw all your USD$10 Million Dollars in<br />any ATM SERVICE MACHINE in any part of the world. You are therefore advice to contact the Head of ATM CARD Department of IBTC CHARTERED BANK PLC;<br /><br />Contact Person: Dr. Olu James<br />Office email address:&nbsp;&nbsp; pcfc_nigeria@yahoo.com<br />Private: +2347084501007<br />Office:018969906<br /><br />Tell Dr. Olu James that you received a message from the CENTRAL BANK OF NIGERIA. Instructing him to send you the ATM CARD and PIN NUMBER which you will use<br />to withdraw your USD$10 Million Dollars in any ATM SERVICE MACHINE in any part of the world, also send him your direct phone number and contact address<br />where you want him to send the ATM CARD and PIN NUMBER to you. We are very sorry for the plight you have gone through in the past years. Thanks for adhering to this instruction and once again accept our congratulations.<br /><br />Best Regards.<br />Mr. 
Mark Louis.<br />Executive Governor,<br /><br />Central Bank of Nigeria {CBN}.<br /><br /><b>(Ah, the old "Let's lure them in with the magical bank card" trick).</b><br /><br /><br />******************************************************************************************<br /><br />Subject:<br />CONTACT THE FEDEX COMPANY FOR YOUR FUNDS<br />From:<br />"SAMUEL DUNBAR" &lt;samuel_dunbar0013@ig.com.br&gt;<br />Date:<br />Fri, 20 Jun 2008 12:33:43 +0100<br />BCC:<br /><br />Dear Friend,<br /><br />Compliment of the new year, I have been waiting for you since to come down here and pick your Bank Draft which my boss left with me before he travelled to England but I did not hear from you since that time till today. I went to the bank to confirm whether the draft is getting close to expire as it had been long time my boss issued the draft. The director of the bank told me that before the draft will get to you, that it will expire. Then I told him to help me and cash the cashier bank draft of $1,500.000.00 to cash payment.<br /><br />However, I have successfully cashed the draft and packaged it in a box and have registered it in the Fedex Express Company Service here in Benin Republic because I will travell to see my boss in England and will not come back till August 20th 2008. You have to contact the Fedex Express Company Service to know when they will deliver your package to your address. I have paid for the delivering charges and insurance fees. The only money you have to send to them is their security keeping feeswhich is USD$135.00 USD to receive your package. Don't be deceived by any body.<br /><br />This is their Contact Address;<br />Attn: Cheif Mr. George Kobra (Director)<br />Tel:&nbsp; +229-9799 2240<br />E-mail: fc.bj@sify.com<br /><br />Send them your contacts information to enable them locate you<br />&nbsp;immediately they arrived in your country with your package.<br /><br />This is the information they needed from you.<br /><br />1. 
Your full name:.....<br />2. Your shipping/home address:.....<br />3. Your tel no #......<br />4. Your current office tel no #<br />5. A copy of your passport.<br /><br />Try to contact them as soon as possible to avoid increasement of the security keeping fees Note; I didn't tell the Fedex Express Company Service that it's money inside the box, I registered it as a church of a Church Minister Materials. This is to avoid delay or any upfront problem during the delivery. So, do not let them know that the package contents money. Do let me know as soon as you received your package. You will contact&nbsp; me only through e-mail as my phone is no longe available now that I am out from our country. Contact me at samdunbar1986@yahoo.com and I will reply as soon as I can.<br />I wish you and your family Long Life,<br />Prosperity and Happy 2008.<br /><br />Thanks and Remain Blessed.<br /><br />Yours sincerely,<br />Mr.Samuel Dunbar<br />(Secretary)<br /><br /><b>(Honestly, if you contact FedEx they'll give you tons of money....)</b><br /><br />****************************************************************************************<br /><br />That's your lot for another week....<br />
    ]]></content:encoded>
      <pubDate>Wed, 25 Jun 2008 09:29:29 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/central bank">central bank</category>
      <category domain="http://www.securityratty.com/tag/bank">bank</category>
      <category domain="http://www.securityratty.com/tag/magical bank card">magical bank card</category>
      <category domain="http://www.securityratty.com/tag/bank draft">bank draft</category>
      <category domain="http://www.securityratty.com/tag/email address">email address</category>
      <category domain="http://www.securityratty.com/tag/office email address">office email address</category>
      <category domain="http://www.securityratty.com/tag/bank immediately">bank immediately</category>
      <category domain="http://www.securityratty.com/tag/lycos lottery">lycos lottery</category>
      <category domain="http://www.securityratty.com/tag/office">office</category>
      <source url="http://blog.spywareguide.com/2008/06/your-419-mail-roundup.html">Your 419 Mail Roundup</source>
    </item>
    <item>
      <title><![CDATA[Its All Friggin Magic, Mkay?]]></title>
      <link>http://www.securityratty.com/article/22c7dc12b338751ca5fdfce977683aff</link>
      <guid>http://www.securityratty.com/article/22c7dc12b338751ca5fdfce977683aff</guid>
      <description><![CDATA[OK, whoever named this product should be shot: Ashampoo Magical Security
However, as much as I love sprinkling on the Magic FISMA Fairy Dust, Magical Security is craziness
I won't go into too much...]]></description>
      <content:encoded><![CDATA[<p>OK, whoever named this product should be shot:  <a href="http://www.ashampoo-security.com/product.php?idstring=0704&amp;session_langid=2" target="_blank">Ashampoo Magical Security</a>.</p>
<p>However, as much as I love sprinkling on the <a href="http://www.guerilla-ciso.com/archives/216" target="_blank">Magic FISMA Fairy Dust</a>, &#8220;Magical Security&#8221; is craziness.</p>
<p>I won&#8217;t go into too much detail on hackers, shampoo, washing, and <a href="http://en.wikipedia.org/wiki/South_Pacific_(musical)" target="_blank">South Pacific</a>.  I have a feeling I&#8217;ll get plenty of comments to that effect.</p>
]]></content:encoded>
      <pubDate>Tue, 17 Jun 2008 11:04:44 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/ashampoo magical security">ashampoo magical security</category>
      <category domain="http://www.securityratty.com/tag/magical security">magical security</category>
      <category domain="http://www.securityratty.com/tag/south pacific">south pacific</category>
      <category domain="http://www.securityratty.com/tag/plenty">plenty</category>
      <category domain="http://www.securityratty.com/tag/effect">effect</category>
      <category domain="http://www.securityratty.com/tag/craziness">craziness</category>
      <category domain="http://www.securityratty.com/tag/comments">comments</category>
      <category domain="http://www.securityratty.com/tag/shampoo">shampoo</category>
      <category domain="http://www.securityratty.com/tag/detail">detail</category>
      <source url="http://feeds.feedburner.com/~r/TheGuerillaCiso/~3/313852981/417">Its All Friggin Magic, Mkay?</source>
    </item>
    <item>
      <title><![CDATA[Slow removal of child sexual abuse image websites]]></title>
      <link>http://www.securityratty.com/article/57964ad3f0792552b81619b8b34f176c</link>
      <guid>http://www.securityratty.com/article/57964ad3f0792552b81619b8b34f176c</guid>
      <description><![CDATA[On Friday last week The Guardian ran a story on an upcoming research paper by Tyler Moore and myself which will be presented at the WEIS conference later this month. We had determined that child...]]></description>
      <content:encoded><![CDATA[<p>On Friday last week <a href="http://www.guardian.co.uk/technology/2008/jun/06/internet.childprotection">The Guardian ran a story</a> on an upcoming research paper by <a href="http://www.cl.cam.ac.uk/~twm29">Tyler Moore</a> and <a href="http://www.cl.cam.ac.uk/~rnc1">myself</a> which will be presented at the <a href="http://weis2008.econinfosec.org/">WEIS</a> conference later this month. We had determined that child sexual abuse image websites were removed from the Internet far slower than any other category of content we looked at, excepting <a href="http://www.ciparx.ca/pages/fraudulent_pharmacies.html">illegal pharmacies</a> hosted on <a href="http://www.honeynet.org/papers/ff/fast-flux.html">fast-flux networks</a>; and we&#8217;re unsure if anyone is seriously trying to remove them at all!<br />
<span id="more-336"></span></p>
<p>It is perhaps timely that this week three large ISPs in the USA have <a href="http://www.startribune.com/nation/19753019.html">announced</a> that they have decided to block access to child sexual abuse image newsgroups on Usenet and remove sites hosting this material from their servers. This was initially <a href="http://www.nytimes.com/2008/06/10/nyregion/10internet.html">inaccurately reported</a> so as to imply the installation of blocking systems for other people&#8217;s websites; which is <a href="http://www.efa.org.au/censorship/mandatory-isp-blocking/">unlikely to be especially effective</a>, and may even <a href="http://www.cl.cam.ac.uk/~rnc1/cleanfeed.pdf">provide an &#8220;oracle&#8221;</a> by which the people who seek illegal material can locate new websites to visit.</p>
<p>Our new paper, <a href="http://www.cl.cam.ac.uk/~rnc1/takedown.pdf">&#8220;The Impact of Incentives on Notice and Take-Down&#8221;</a>, examines a number of different types of wicked Internet content and discusses how effective people are at getting the material removed by serving notices upon the website owners who host it. We have a number of interesting results, but perhaps the most striking is that although phishing websites impersonating banks are generally removed in a couple of hours, the mean lifetime for a website hosting child abuse images is almost a month and even the median (the time by which half of the sites are removed) is 12 days.</p>
<p>We believe that the reason that the child abuse image websites are removed so slowly is that the <a href="http://www.iwf.org.uk">Internet Watch Foundation</a> (IWF), who collate a list of illegal sites, is only prepared to talk directly with the hosting ISPs within the UK. If the site is hosted abroad (which is now 99.8% of all sites) the IWF informs the <a href="http://www.ceop.gov.uk/">UK police</a>, who pass the message on to law enforcement in the relevant country, and that clearly leads to considerable delays. Furthermore, the same parochial attitude appears to be taken by similar organisations in other countries.</p>
<p>The IWF are a member of <a href="http://www.inhope.org">INHOPE</a>, an association of child sexual abuse image reporting hotline organisations operating in 29 countries, and the IWF will also pass reports to the appropriate INHOPE members. However, in the US, which hosts around half of all the illegal sites, IWF tell us that <a href="http://www.missingkids.com/missingkids/servlet/PageServlet?PageId=169">NCMEC</a>, the hotline operator there, will only pass on notices to their members &#8212; and that means that American ISPs do not get a timely notice.</p>
<p>We think it is the close involvement with the police, who have to operate within a particular jurisdiction, which leads the IWF to believe that they would be &#8220;treading on other people&#8217;s toes&#8221; if they contacted ISPs outside the UK. I assume that this is why I was firmly told in an email this week that they &#8220;are not permitted or authorised to issue notices to takedown content to anyone outside the UK&#8221;. Indeed, this was echoed in a <a href="http://www.guardian.co.uk/uk/2008/jun/11/ukcrime.children">letter to The Guardian today</a> by John Carr who says &#8220;The IWF cannot issue a notice to a Polish or Irish internet service provider&#8221;.</p>
<p>We don&#8217;t think there is some magical international permission given to the people who try to take down any of the other types of content we studied &#8212; from phishing, to fake escrow sites, to illegal pharmacies. It only seems to be INHOPE members, dealing with child sexual abuse images, who are not prepared to make an attempt!</p>
<p>Besides this issue, we have a number of other interesting results in the paper (so do read it!). For example, we looked at <a href="http://www.bobbear.co.uk/">&#8220;mule recruitment websites&#8221;</a> &#8212; with job adverts for payment processors who will be conned into handling the proceeds of phishing scams in the belief that they&#8217;re handling payments for legitimate companies. These sites are only taken down by <a href="http://www.aa419.org">volunteer</a> (amateur) efforts &#8212; since they don&#8217;t attack any particular bank, but the whole industry, no particular bank is prepared to put in any effort to remove them. Unsurprisingly, their average lifetime is 13 days (mean 8 days) &#8212; far longer than the phishing websites &#8212; which is not good news for <a href="http://suckerswanted.blogspot.com/">gullible consumers</a>.</p>
]]></content:encoded>
      <pubDate>Wed, 11 Jun 2008 10:02:32 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/image">image</category>
      <category domain="http://www.securityratty.com/tag/image websites">image websites</category>
      <category domain="http://www.securityratty.com/tag/websites">websites</category>
      <category domain="http://www.securityratty.com/tag/child sexual">child sexual</category>
      <category domain="http://www.securityratty.com/tag/child">child</category>
      <category domain="http://www.securityratty.com/tag/image newsgroups">image newsgroups</category>
      <category domain="http://www.securityratty.com/tag/sites">sites</category>
      <category domain="http://www.securityratty.com/tag/illegal sites">illegal sites</category>
      <category domain="http://www.securityratty.com/tag/fake escrow sites">fake escrow sites</category>
      <source url="http://www.lightbluetouchpaper.org/2008/06/11/slow-removal-of-child-sexual-abuse-image-websites/">Slow removal of child sexual abuse image websites</source>
    </item>
    <item>
      <title><![CDATA[The Security Mindset]]></title>
      <link>http://www.securityratty.com/article/e48a4db680e3646bb79fbb06352c67d7</link>
      <guid>http://www.securityratty.com/article/e48a4db680e3646bb79fbb06352c67d7</guid>
      <description><![CDATA[Uncle Milton Industries has been selling ant farms to children since 1956. Some years ago, I remember opening one up with a friend. There were no actual ants included in the box. Instead, there was a...]]></description>
      <content:encoded><![CDATA[<p>Uncle Milton Industries has been selling ant farms to children since 1956. Some years ago, I remember opening one up with a friend. There were no actual ants included in the box.  Instead, there was a card that you filled in with your address, and the company would mail you some ants. My friend expressed surprise that you could get ants sent to you in the mail.</p>

<p>I replied: "What's really interesting is that these people will send a tube of live ants to anyone you tell them to."</p>

<p>Security requires a particular mindset. Security professionals -- at least the good ones -- see the world differently. They can't walk into a store without noticing how they might shoplift. They can't use a computer without wondering about the security vulnerabilities.  They can't vote without trying to figure out how to vote twice. They just can't help it.</p>

<p><a href="http://www.smartwater.com/products/securitySolutions.html">SmartWater</a> is a liquid with a unique identifier linked to a particular owner. "The idea is for me to paint this stuff on my valuables as proof of ownership," I <a href="http://www.schneier.com/blog/archives/2005/02/smart_water.html">wrote</a> when I first learned about the idea. "I think a better idea would be for me to paint it on <em>your</em> valuables, and then call the police."</p>

<p>Really, we can't help it.</p>

<p>This kind of thinking is not natural for most people. It's not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal. You don't have to exploit the vulnerabilities you find, but if you don't see the world that way, you'll never notice most security problems.</p>

<p>I've often speculated about how much of this is innate, and how much is teachable. In general, I think it's a particular way of looking at the world, and that it's far easier to teach someone domain expertise -- cryptography or software security or safecracking or document forgery -- than it is to teach someone a security mindset.</p>

<p>Which is why <a href="http://www.cs.washington.edu/education/courses/484/08wi/">CSE 484</a>, an undergraduate computer-security course taught this quarter at the University of Washington, is so interesting to watch. Professor Tadayoshi Kohno is trying to teach a <a href="http://cubist.cs.washington.edu/Security/2007/11/22/why-a-computer-security-course-blog/">security mindset</a>.</p>

<p>You can see the results in the <a href="http://cubist.cs.washington.edu/Security/">blog</a> the students are keeping. They're encouraged to post <a href="http://cubist.cs.washington.edu/Security/category/security-reviews/">security reviews</a> about random things:  <a href="http://cubist.cs.washington.edu/Security/2008/02/10/security-review-smart-pillboxes-maybe-too-smart/">smart pill boxes</a>, <a href="http://cubist.cs.washington.edu/Security/2008/02/10/security-review-quiet-care/">Quiet Care Elder Care monitors</a>, <a href="http://cubist.cs.washington.edu/Security/2008/01/18/security-review-apples-time-capsule/">Apple's Time Capsule</a>, <a href="http://cubist.cs.washington.edu/Security/2008/02/10/security-review-gm-onstar/">GM's OnStar</a>, <a href="http://cubist.cs.washington.edu/Security/2008/02/03/security-review-traffic-lights/">traffic lights</a>, <a href="http://cubist.cs.washington.edu/Security/2008/01/11/un-safe-deposit-box-security-review/">safe deposit boxes</a>, and <a href="http://cubist.cs.washington.edu/Security/2008/01/13/social-engineering-your-way-into-a-dorm-room/">dorm room security</a>.</p>

<p>One <a href="http://cubist.cs.washington.edu/Security/2008/03/14/security-review-michaels-toyota-service-center/">recent one</a> is about an automobile dealership. The poster described how she was able to retrieve her car after service just by giving the attendant her last name. Now any normal car owner would be happy about how easy it was to get her car back, but someone with a security mindset immediately thinks: "Can I really get a car just by knowing the last name of someone whose car is being serviced?"</p>

<p>The rest of the blog post speculates on how someone could steal a car by exploiting this security vulnerability, and whether it makes sense for the dealership to have this lax security. You can quibble with the analysis -- I'm curious about the liability that the dealership has, and whether their insurance would cover any losses -- but that's all domain expertise. The important point is to notice, and then question, the security in the first place.</p>

<p>The lack of a security mindset explains a lot of bad security out there: voting machines, electronic payment cards, <a href="http://www.schneier.com/blog/archives/2008/03/hacking_medical_1.html">medical devices</a>, ID cards, internet protocols. The designers are so busy making these systems work that they don't stop to notice how they might fail or be made to fail, and then how those failures might be exploited. Teaching designers a security mindset will go a long way toward making future technological systems more secure.</p>

<p>That part's obvious, but I think the security mindset is beneficial in many more ways. If people can learn how to think outside their narrow focus and see a bigger picture, whether in technology or politics or their everyday lives, they'll be more sophisticated consumers, more skeptical citizens, less gullible people.</p>

<p>If more people had a security mindset, services that compromise privacy wouldn't have such a sizable market share -- and Facebook would be totally different. Laptops wouldn't be lost with millions of unencrypted Social Security numbers on them, and we'd all learn a lot fewer security lessons the hard way. The power grid would be more secure. Identity theft would go way down. Medical records would be more private. If people had the security mindset, they wouldn't have tried to look at <a href="http://www.msnbc.msn.com/id/23640143">Britney Spears' medical records</a>, since they would have realized that they would be caught.</p>

<p>There's nothing magical about this particular university class; anyone can exercise his security mindset simply by trying to look at the world from an attacker's perspective. If I wanted to evade this particular security device, how would I do it? Could I follow the letter of this law but get around the spirit? If the person who wrote this advertisement, essay, article or television documentary were unscrupulous, what could he have done? And then, how can I protect myself from these attacks?</p>

<p>The security mindset is a valuable skill that everyone can benefit from, regardless of career path.</p>

<p>This essay <a href="http://www.wired.com/politics/security/commentary/securitymatters/2008/03/securitymatters_0320">originally appeared</a> on Wired.com.</p>]]></content:encoded>
      <pubDate>Tue, 25 Mar 2008 02:27:19 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/security mindset">security mindset</category>
      <category domain="http://www.securityratty.com/tag/mindset">mindset</category>
      <category domain="http://www.securityratty.com/tag/security mindset immediately">security mindset immediately</category>
      <category domain="http://www.securityratty.com/tag/security mindset explains">security mindset explains</category>
      <category domain="http://www.securityratty.com/tag/security mindset simply">security mindset simply</category>
      <category domain="http://www.securityratty.com/tag/security">security</category>
      <category domain="http://www.securityratty.com/tag/security mindset involves">security mindset involves</category>
      <category domain="http://www.securityratty.com/tag/involves">involves</category>
      <category domain="http://www.securityratty.com/tag/security requires">security requires</category>
      <source url="http://www.schneier.com/blog/archives/2008/03/the_security_mi.html">The Security Mindset</source>
    </item>
  </channel>
</rss>
