security

robots.txt - Forbidden Directories

The Laboratory for Dependable Distributed Systems at the RWTH Aachen has gathered some statistics about directories forbidden by robots.txt files. There are some interesting entries there, e.g. "private", "secure", ...

Many people don't realize that robots.txt files contain nothing more than hints for well-behaved crawlers; they don't "protect" anything. The file is publicly readable, and a crawler run by an attacker simply ignores it. On the contrary, a line like "Disallow: /private/" points potential attackers right where you absolutely don't want them. If a directory really must stay hidden, keep it out of the web root or put real access control in front of it, and don't list it in robots.txt at all.
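To make the point concrete, here is what a scanner does with the file: pull out the Disallow entries and turn them into URLs to probe. This is an added example written for this page, not code from the RWTH study; the robots.txt body, the word list of "interesting" directory names and the base URL are constructed for the illustration.

```sh
#!/bin/sh
# Added example: harvest Disallow entries from a robots.txt body.
# For a real target the input would be: curl -s "$BASE/robots.txt"

# Constructed sample robots.txt.
SAMPLE_ROBOTS='# constructed example
User-agent: *
Disallow: /private/
Disallow: /secure/
Disallow: /cgi-bin/
Disallow: /images/
Disallow:
Allow: /public/

User-agent: Googlebot
Disallow: /admin/'

# Print the value of every Disallow line on stdin: comments are stripped,
# the field name is matched case-insensitively and an empty value is
# skipped ("Disallow:" with nothing after it disallows nothing).
# Wildcard patterns (containing * or $) are printed as written.
disallowed_paths() {
    awk '{
        line = $0; sub(/#.*/, "", line)
        i = index(line, ":"); if (i == 0) next
        field = tolower(substr(line, 1, i - 1)); gsub(/[ \t]/, "", field)
        value = substr(line, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", value)
        if (field == "disallow" && value != "") print value
    }'
}

# Keep only entries whose directory name suggests something worth a look.
# The list is an assumption; extend it from the statistics linked above.
interesting_paths() {
    disallowed_paths |
    grep -iE '/(admin|private|secure|backup|config|cgi-bin|old|test|tmp)/?' |
    sort -u
}

# Turn relative paths from stdin into absolute URLs under $1.
to_urls() {
    base=${1%/}
    while read -r p; do
        case $p in
            /*) printf '%s%s\n' "$base" "$p" ;;
            *)  printf '%s/%s\n' "$base" "$p" ;;
        esac
    done
}

# Demo run on the constructed sample (assumed base URL).
printf '%s\n' "$SAMPLE_ROBOTS" | interesting_paths | to_urls "https://example.com/"
```

The output is a ready-made target list, which is exactly why a Disallow line for "private" or "secure" is a liability rather than a protection.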

(via disLEXia 3000)

Cell Phone Tracking Paranoia

Nothing really new for most of you, but still some good food for thought:

Cell tower records can pinpoint a phone owner's location for police, whether the phone is used or not.

Cell phone trails snare criminals, call or no — a nice article which tells us that several murderers were convicted using (among other things, I guess) cell tower records. Police could often pinpoint the location of the accused within a few blocks and thus "prove" they were lying in court about their location at a given time (i.e., their alibi was smashed).

Of course, this is not a reliable method in all cases. A murderer could give someone else his cell phone to create an alibi in the first place. I can easily imagine lots of other ways to abuse this.

While probably useful in some cases, this is pretty scary stuff. Authorities can track where you are at a given time, and where you are going in real time. Combine this with Google Earth and you've got some pretty Big Brother style surveillance. This is unacceptable in general, but even more so if performed without probable cause (as has happened already). The EFF has some more information.

Issues like this always make me wonder whether I'm too paranoid or not paranoid enough...

(via Bruce Schneier)

The Underhanded C Contest - Results

Being too busy sucks. I didn't even have the time to blog about the Underhanded C Contest, whose results have now been announced.

Quick reminder: the goal of the contest is to

write innocent-looking C code implementing malicious behavior. In many ways this is the exact opposite of the Obfuscated C Code Contest: in this contest you must write code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should do something subtly evil.

I blogged about the contest earlier, but only later decided to take part in the contest myself (together with Daniel Reutter). After some initial brainstorming we hacked together our solution in roughly one day.

Although we didn't win (damn, no beer for us ;-), we managed to submit one of the simplest solutions (ca. 34 lines of code), i.e., it's very hard to embed any malicious but innocent-looking code in there... Our solution exploits an array bounds overrun, with an extra equals sign ("<=" instead of "<").
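The trick described above, an extra equals sign that turns a bounded copy into a one-byte overrun, as an added illustration. This is not the authors' submission (their code is not on this page); the record layout, the privilege flag behind the name field and the input are constructed for the example. The record is kept as a flat byte array rather than a struct so that the stray write is deterministic and free of undefined behaviour, while still landing on the byte right after the name field, as it would with a struct.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout: NAME_LEN bytes of name immediately followed
 * by a one-byte privilege flag. */
#define NAME_LEN 8
#define FLAG_OFF NAME_LEN
#define REC_SIZE (NAME_LEN + 1)

/* The innocent-looking version. "<=" copies NAME_LEN + 1 bytes instead of
 * NAME_LEN, so src[NAME_LEN] lands on the byte after the name field. */
static void copy_name_underhanded(unsigned char *name, const char *src)
{
    size_t i;
    for (i = 0; i <= NAME_LEN; i++)          /* should be "<" */
        name[i] = (unsigned char)src[i];
}

/* The honest version: bounded by NAME_LEN and by the source terminator,
 * with the rest of the field cleared. */
static void copy_name_fixed(unsigned char *name, const char *src)
{
    size_t i;
    for (i = 0; i < NAME_LEN && src[i] != '\0'; i++)
        name[i] = (unsigned char)src[i];
    for (; i < NAME_LEN; i++)
        name[i] = 0;
}

/* Builds an unprivileged record, copies src (which must be at least
 * NAME_LEN + 1 bytes long) into its name field and returns the flag byte
 * afterwards: 0 means the flag survived, anything else means the copy
 * clobbered it. */
int flag_after_copy(const char *src, int use_fixed)
{
    unsigned char rec[REC_SIZE];
    memset(rec, 0, sizeof rec);
    if (use_fixed)
        copy_name_fixed(rec, src);
    else
        copy_name_underhanded(rec, src);
    return rec[FLAG_OFF];
}

int main(void)
{
    /* Constructed input: an 8-character name followed by the byte 0x01. */
    const char *payload = "guestXXX\x01";
    printf("underhanded: flag = %d\n", flag_after_copy(payload, 0));
    printf("fixed:       flag = %d\n", flag_after_copy(payload, 1));
    return 0;
}
```

Nine bytes of input that look like an ordinary name are enough to flip the flag, and the offending line reads like a perfectly normal loop bound; that is the whole spirit of the contest.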

I have yet to look at the two winning entries by M. Joonas Pihlaja and Paul V-Khuong (team submission), as well as Natori Shin. Congratulations guys! Also, I noticed the Slashdot story about the contest results, but didn't get around to reading that article, either. Sigh...

More Firewall / Iptables Script Updates

I have updated my iptables scripts again.

This time fw_laptop got support for limiting logging in case of flooding, blocking of known-bad IP addresses (e.g. from DShield.org), optional blocking of certain outbound ports (e.g. X11 server, VNC, NFS etc.), and a few minor tweaks...
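The three additions mentioned above, as an added example written for this page rather than taken from fw_laptop (whose contents are not shown here): rate-limited logging with the limit match, a block list loaded from a text list of networks, and rejecting outbound connections to a few service ports. The chain name LOGDROP, the log rate, the port list and the block list entries (TEST-NET ranges) are assumptions; set IPT=echo to print the rules instead of applying them.

```sh
#!/bin/sh
# Added example, not the fw_laptop script. Run with "apply" as root to
# install the rules; IPT=echo ./script apply prints them instead.
IPT=${IPT:-iptables}

# Rate-limited logging: a LOGDROP chain that logs at most 5 packets per
# minute (burst 10) and then drops, so a flood cannot fill the log.
add_rate_limited_logging() {
    $IPT -N LOGDROP 2>/dev/null || true
    $IPT -A LOGDROP -m limit --limit 5/minute --limit-burst 10 \
        -j LOG --log-prefix "fw-drop: " --log-level 4
    $IPT -A LOGDROP -j DROP
}

# Known-bad networks, one CIDR per line, '#' comments allowed. This list
# is constructed (TEST-NET ranges); in practice it would be fetched from
# a feed such as the DShield block list.
BLOCKLIST='# constructed sample block list
192.0.2.0/24
198.51.100.0/24   # second sample range
203.0.113.0/24'

# Drop (and log) traffic from and to every listed network. In a real
# ruleset these must sit before any ACCEPT rules, i.e. add them first.
add_blocklist() {
    printf '%s\n' "$BLOCKLIST" | sed 's/#.*//' | awk 'NF { print $1 }' |
    while read -r net; do
        $IPT -A INPUT  -s "$net" -j LOGDROP
        $IPT -A OUTPUT -d "$net" -j LOGDROP
    done
}

# Refuse outbound connections to services this laptop should never talk to
# across the network: X11 (6000-6063), VNC (5900-5910), NFS (2049) and the
# portmapper (111). TCP gets a reset so clients fail fast; UDP gets the
# default ICMP port-unreachable.
add_outbound_port_blocks() {
    $IPT -A OUTPUT -p tcp -m multiport --dports 6000:6063,5900:5910,2049,111 \
        -j REJECT --reject-with tcp-reset
    $IPT -A OUTPUT -p udp -m multiport --dports 2049,111 -j REJECT
}

apply_all() {
    add_rate_limited_logging
    add_blocklist
    add_outbound_port_blocks
}

case ${1:-} in
    apply) apply_all ;;
esac
```

The limit match only throttles the LOG target, not the DROP after it, so the traffic is still blocked when the log is silent; check with `iptables -L LOGDROP -v -n` that the packet counters keep climbing.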

Thanks to Ryan Giobbi for several hints and comments. Further comments and suggestions are welcome!

Google Earth

OK, I heard lots and lots of stuff about Google Earth so far. Yesterday, I actually installed it on some not-so-free-OS box and gave it a try. Two things are floating on my mind now:

  1. w00t!
  2. This is the scariest shit one can imagine!

I "browsed" different parts of the world and got more and more fascinated... and scared. For instance you can see the Statue of Liberty, and if you zoom in enough, you see people walking around on liberty island! Nice on the one hand, major security and privacy problem on the other hand.

There are loads of interesting ways to use Google Earth, e.g. over at Google Earth Hacks. I'm afraid most of my spare time during the next few days has just crumbled to dust... Now, if they would only port it to Linux, that'd be really nice...
