<?xml version="1.0"?><rss version="2.0">	<channel>		<title>b.cognosco</title>		<link>http://www.terryfrazier.com/weblog/index/channel/privacy</link>		<description>Where leaping to conclusions is my primary form of forward motion.</description>		<language>en</language>		<copyright>Copyright 2008</copyright>                <generator>Macrobyte Conversant 1.0</generator>		<managingEditor>terrywfrazier@gmail.com</managingEditor> 		<webMaster>terrywfrazier@gmail.com</webMaster>		<category>Privacy</category>		<item>	<title>MacLockPick: A Vital Tool For Our Trusted Protectors</title>	<link>http://www.terryfrazier.com/fullthread$2154</link>	<pubDate>Thu, 17 May 2007 18:21:00 GMT</pubDate>        <author>terrywfrazier@gmail.com</author>	<guid isPermaLink="true">http://www.terryfrazier.com/weblog/index/channel/privacy/2007/05/17#item2154</guid>	<comments>http://www.terryfrazier.com/fullthread$2154</comments> 		<category>Privacy</category>	<category>Security</category>	<category>Technology</category>	<description>&lt;img src=&quot;http://www.terryfrazier.com/2154/enclosure/MacLockPick_Pulls_Private_Data_Via_USB_Port.jpg&quot; height=&quot;120&quot; width=&quot;160&quot; align=&quot;left&quot; alt=&quot;MacLockPick Pulls Private Data Via USB Port&quot; style=&quot;padding-right: .5em; padding-bottom: 1em;&quot;  /&gt;Only $499 and available in bulk from &lt;a href=&quot;http://www.subrosasoft.com/OSXSoftware/index.php?main_page=product_info&amp;amp;cPath=200&amp;amp;products_id=195&quot;&gt;Subrosasoft&lt;/a&gt;, The MacLockPick is a handy little device for computer-illiterate trusted civil servants to plug into sleeping MacBooks and collect data from all those computers left lying around at crime scenes - just like on TV. 
Via &lt;a href=&quot;http://news.digitaltrends.com/article12837.html&quot;&gt;Digital Trends Magazine&lt;/a&gt;:&lt;br&gt;&lt;br&gt;&lt;blockquote&gt;&lt;h3&gt;&lt;a href=&quot;http://news.digitaltrends.com/article12837.html&quot;&gt;MacLockPick Pulls Private Data Via USB Port&lt;/a&gt;&lt;/h3&gt;&lt;span style=&quot;font-size: 80%;&quot;&gt;Friday, April 27th 2007 @ 6:50 AM PDT&lt;/span&gt;&lt;br&gt;&lt;span style=&quot;font-size: 80%;&quot;&gt;By Nick Mokey&lt;/span&gt;&lt;br&gt;&lt;span style=&quot;font-size: 80%;&quot;&gt;Staff Writer, Digital Trends News&lt;/span&gt;&lt;br&gt;&lt;br&gt;&lt;strong&gt;Uncle Sam has a new way to pry into your data, and it's as simple as popping in a thumb drive.&lt;/strong&gt;&lt;br&gt;&lt;br&gt;Lock up your MacBooks, Apple fans: SubRosaSoft announced Friday that they are shipping a USB thumb drive, dubbed MacLockPick, that can extract passwords, Internet history, and system settings from an OS X user just by slipping it into a USB drive.&lt;br&gt;&lt;br&gt;Of course, the drive is only available to law enforcement, but we have to wonder if the same technology that powers it will ever become available to less scrupulous individuals. […]&lt;br&gt;&lt;/blockquote&gt;Anyone wonder just what security measures are in place to ensure that only law enforcement can purchase this? Better yet, what security is in place to ensure that law enforcement doesn't lose, misplace, or steal the device? Not that it does anything that a power user couldn't do given a little private time with the computer, but it does make it seamless, simple, silent, and quick - just the thing for the sort of abuse-prone neanderthals that seem to make up far too much of the law enforcement population.&lt;blockquote&gt;The following is a list of file items that can be extracted using SubRosaSoft’s MacLockPick:&lt;h4&gt;Apple Keychain Passwords&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;System&lt;/strong&gt; - The user password of the logged in user. 
Often this is shared for root access and FileVault encryption.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;General&lt;/strong&gt; - Includes (but is not limited to) passwords for encrypted disk images, wifi base stations, iTunes music store, iChat login, Apple Remote Desktop.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Internet&lt;/strong&gt; - Includes (but is not limited to) login and password details for web sites, email accounts, some peer to peer networks, online services and stores, auction sites, and .mac accounts.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;AppleShare&lt;/strong&gt; - A list of login and password details for appleshare servers this mac has connected to.&lt;br&gt;  &lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;Files and Folder details&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Folder Dates&lt;/strong&gt; - A list of all the key user folders along with their creation date, date of last modification, date of first access, and date of the most recent access.&lt;/li&gt;&lt;li&gt; &lt;strong&gt;Disk Images&lt;/strong&gt; - Paths to the most recent disk images that have been mounted on this mac.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Preview&lt;/strong&gt; - Full paths to recent files that have been viewed in the preview program.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;QuickTime&lt;/strong&gt; - File names for recently viewed movies from the QuickTime player applications&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Recent Applications, Documents, and Servers&lt;/strong&gt; - Program names for the most recently used items on this Macintosh computer.&lt;br&gt;  &lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;Instant Messaging&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Default Login&lt;/strong&gt; - for iChat instant messenger system. 
&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Complete buddy list&lt;/strong&gt; - including buddies who have since been deleted.&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;eMail&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Account Details&lt;/strong&gt; - login names and server addresses used.&lt;br&gt;  &lt;/li&gt;&lt;li&gt;&lt;strong&gt;Address Book&lt;/strong&gt; - Address details for entries in the address book including contacts that have been deleted. This address book is used by most communication programs on the Mac and is used to synchronize with the iPod and other portable devices.&lt;br&gt;  &lt;/li&gt;&lt;li&gt;&lt;strong&gt;Opened Attachments&lt;/strong&gt; - Paths to files that have been received as an attachment then saved or opened including the date and time of opening.&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;Web History and Preferences&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Search Strings&lt;/strong&gt; - The most recent items that the user has searched for using the google toolbar in safari.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Cached Bookmarks&lt;/strong&gt; - Sites that have been bookmarked in Safari including items that have been deleted.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Current Bookmarks&lt;/strong&gt; - Sites that are currently bookmarked in Safari.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Cookies&lt;/strong&gt; - A full list of cookies including the server address, the cookie value, and the date and time of assignment.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;History&lt;/strong&gt; - Complete details of browsing history including the number of times visited and the date and time of the most recent visit.&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;Hardware Preferences&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;iPod&lt;/strong&gt; - Serial numbers of any iPod that have been connected to this Mac along with the date and time it was first used.&lt;br&gt;    &lt;/li&gt;&lt;li&gt;&lt;strong&gt;Bluetooth Devices&lt;/strong&gt; - hardware address of any bluetooth devices that have been paired 
withthis mac along with the most recent time these devices have been paired.&lt;br&gt;    &lt;/li&gt;&lt;li&gt;&lt;strong&gt;Wifi Connections&lt;/strong&gt;- Listings for wifi base stations that have been used on this computerincluding the base address and the date and time of the firstconnection.&lt;br&gt;    &lt;/li&gt;&lt;li&gt;&lt;strong&gt;Network Interfaces&lt;/strong&gt; - MAC address for each integrated network interface on the suspect's machine.&lt;/blockquote&gt;No doubt there will be, if there isn't already, an open source version of this&amp;nbsp; or a free set of instructions to DIY for anyone with the time and inclination to do so.&lt;br&gt;&lt;/li&gt;&lt;/ul&gt;</description></item><item>	<title>Tracking The Loss of Private Data</title>	<link>http://www.terryfrazier.com/fullthread$2149</link>	<pubDate>Wed, 16 May 2007 13:23:06 GMT</pubDate>        <author>terrywfrazier@gmail.com</author>	<guid isPermaLink="true">http://www.terryfrazier.com/weblog/index/channel/privacy/2007/05/16#item2149</guid>	<comments>http://www.terryfrazier.com/fullthread$2149</comments> 		<category>Privacy</category>	<category>Security</category>	<category>Technology</category>	<description>If you're interested in the subject of data breeches, data loss, and mishandling of private information you might want to have a look at &lt;a href=&quot;http://ww.etiolated.org&quot;&gt;etiolated.org&lt;/a&gt;. &lt;br&gt;&lt;br&gt;&lt;img src=&quot;http://www.terryfrazier.com/2149/enclosure/etiolated.png&quot; height=&quot;168&quot; width=&quot;269&quot; align=&quot;center&quot; alt=&quot;screenshot of etiolated.org home page&quot;  /&gt;&lt;br&gt;&lt;br&gt;Site features real-time graphs, statistics, and searchable full-text database of company names, event summaries, and comments. 
Thanks to my friend Al Macintyre.</description></item><item>	<title>What Are The Risks of Letting Others Write In Your Space</title>	<link>http://www.terryfrazier.com/fullthread$2148</link>	<pubDate>Wed, 16 May 2007 03:55:40 GMT</pubDate>        <author>terrywfrazier@gmail.com</author>	<guid isPermaLink="true">http://www.terryfrazier.com/weblog/index/channel/privacy/2007/05/15#item2148</guid>	<comments>http://www.terryfrazier.com/fullthread$2148</comments> 		<category>Privacy</category>	<category>Security</category>	<description>In the last couple of weeks I had someone come on this site and post, via anonymous comments, a series of diatribes that were a serious attack on another individual and company. The information was detailed but utterly unsubstantiated. The tone was extremely angry. The allegations ranged from deception to outright fraud. I also did a little IP address tracing and determined that the person had gone to some lengths to hide their address.&lt;br&gt;&lt;br&gt;Within a matter of hours I contacted people who knew something about the companies and person involved, cogitated on what to do, and decided to remove all posts from that individual. I did so without compunction and didn't think anything else about it. I don't normally remove comments, in fact that was only the second time in the &lt;span style=&quot;text-decoration: line-through;&quot;&gt;four&lt;/span&gt; five years I've had this site. But I guess this kind of thing is going to become more common and we're being forced to deal with it.&lt;br&gt;&lt;br&gt;Recently a blog author I follow has been forced to withdraw from blogging and even cancel personal appearances due to death threats received via comments on her blog. 
The story has received major news coverage, making CNN, the New York Times, and BBC News among others.&lt;br&gt;&lt;br&gt;Kathy Sierra, author of &lt;a href=&quot;http://headrush.typepad.com/creating_passionate_users/&quot;&gt;Creating Passionate Users&lt;/a&gt; wrote a nice, user-centered blog about keeping users engaged and had a wonderful sense of graphics and graphic usage. It was good stuff. But somewhere someone got ticked off and began a campaign of vile and serious threats against her.&amp;nbsp; I find this almost incomprehensible. I didn't have much to say that hadn't already been said, and I didn't feel like adding to the long list of people linking to the murky, disturbing &lt;a href=&quot;http://headrush.typepad.com/whathappened.html&quot;&gt;post that describes it all&lt;/a&gt; from Kathy's perspective. But there, I've linked to it, as I can't really talk about this without doing so.&lt;br&gt;&lt;br&gt;In response to the Sierra fiasco Tim O'Reilly (of O'Reilly Publishing) came out with a &lt;a href=&quot;http://radar.oreilly.com/archives/2007/04/draft_bloggers_1.html&quot;&gt;Blogger's Code of Conduct&lt;/a&gt; that has created its own little tempest in a teapot, as bloggers debate what is censorship, what isn't, what are we liable for, what is protected speech, etc. I was reminded of all this today when I came across a &lt;a href=&quot;http://www.writetech.net/2007/04/the_blogosphere.html&quot;&gt;post by Michelle Lintz&lt;/a&gt; at the writetechnology blog: &lt;blockquote&gt;&lt;h3&gt;The Blogosphere Grows Up a Little&lt;/h3&gt;Everyone has growing pains as they progress from toddler through to adulthood. The blogosphere is a living, dynamic thing and it's no different. It was inevitable, of course. 
That's not to say it's not painful for some, and emotional for many.&lt;br&gt;&lt;br&gt;I debated on even mentioning it, but when it was picked up by the &lt;a href=&quot;http://www.nytimes.com/2007/04/09/technology/09blog.html?ref=business&amp;amp;pagewanted=print&quot;&gt;New York Times&lt;/a&gt; and the BBC (&lt;a href=&quot;http://news.bbc.co.uk/2/hi/technology/6499095.stm&quot;&gt;here&lt;/a&gt; and &lt;a href=&quot;http://news.bbc.co.uk/2/hi/technology/6540385.stm&quot;&gt;here&lt;/a&gt;), I had to investigate further.&lt;br&gt;&lt;br&gt;To understand it, you have to acknowledge that as in any industry or field, there are certain high-profile folks. In the blogosphere, we have our own &quot;stars&quot; or &quot;celebrities.&quot; People like Dave Winer, Robert Scoble, Kathy Sierra, just to name a few. These folks are incredibly high profile, speak at many events, are public figures that express their views on widely read and well respected blogs. The rest of us are just regular bloggers and the rest of us make up the majority of the blogosphere. In fact, for many of us, these blog stars exist on the periphery of our blogging existence, if at all. So, why are their problems important?&lt;br&gt;&lt;br&gt;[...]&lt;br&gt;&lt;p&gt;As the blogosphere, or at least the high-profile part, reeled from all this, Tim O'Reilly (yep, the guy who puts animals on his tech books) decided to step in. I concur with many bloggers out there that his actions as &quot;hall monitor&quot; are slightly misguided, no matter how well intentioned. O'Reilly has issued &lt;a target=&quot;blank&quot; href=&quot;http://radar.oreilly.com/archives/2007/04/draft_bloggers_1.html&quot;&gt;a draft Blogger Code of Conduct&lt;/a&gt; and suggests blogs have badges - those who subscribe to the Code of Conduct and those who have an &quot;Anything Goes&quot; badge. Basically, Anything Goes means that any sort of comment can be posted on the blog.&lt;/p&gt;&lt;p&gt;It raises valid questions. 
Are bloggers responsible for the commentsposted to their blogs? Can we censor the comments, and is itcensorship? What information do we actually own, when it comes to ourblogs, and how accurate are we expected to be? Should we allowanonymous commenting? Are we responsible for the people who choose toremain anonymous? [...]&lt;/blockquote&gt;I had some discussions with a lawyer friend when the untoward comments appeared on my blog. He advised that I might expect a cease and desist letter, which he admitted would be a monumentally  stupid thing to do on the part of the company's attorney (he knew what I would do with it.) But we agreed that corporate attorneys don't get paid for being smart, they get paid for being lawyers. We also agreed that such a letter would have little legal standing other than possibly causing me a little inconvenience. Ultimately, fear of lawyers had nothing to do with my decision.&lt;/p&gt;&lt;p&gt;What did affect my decision was the fact that some yahoo had come on my site, using my weblog and its (admittedly minor) traffic to propagate their personal vendetta. I don't need O'Reilly's Code of Conduct to help me understand that people don't get to do that here.&lt;/p&gt;&lt;p&gt;I am not the government. I am a private individual and therefore cannot, by definition, engage in censorship. I have no obligation to protect anyone's speech. I have a vested interest in allowing people to post comments challenging my views, questioning my conclusions, forcing me to justify and defend my positions. But I don't have to let just anyone write just anything they want. Not now, not ever.&lt;/p&gt;&lt;p&gt;I really don't understand this whole censorship argument. Freedom of Speech and censorship are principles that apply to coercive forces, like governments. If the government didn't have the power to imprison and execute there would be no need for laws mandating protected speech. 
I don't have the power to do either of those things and therefore am not subject to such constraints. I'm just a guy who doesn't have to play with people who don't follow the rules of common decency and good sense.&lt;/p&gt;&lt;p&gt;So comment here all you want. I allow anonymous comments as long as no one abuses it. I don't mind if you disagree with me as long as you do so in a way that makes some sort of sense, and I won't delete comments unless there is something truly objectionable and unwarranted. But please, refrain from personal attacks, &lt;span style=&quot;text-decoration: line-through;&quot;&gt;name-calling&lt;/span&gt;, making unsubstantiated allegations of illegal behavior, or engaging in other libelous diatribes. I just don't have the time or patience for it.&lt;br&gt;&lt;/p&gt;</description></item><item>	<title>A EULA For Our Data</title>	<link>http://www.terryfrazier.com/fullthread$2067</link>	<pubDate>Thu, 31 Aug 2006 05:00:00 GMT</pubDate>        <author>terrywfrazier@gmail.com</author>	<guid isPermaLink="true">http://www.terryfrazier.com/weblog/index/channel/privacy/2006/08/31#item2067</guid>	<comments>http://www.terryfrazier.com/fullthread$2067</comments> 		<category>Privacy</category>	<description>&lt;a href=&quot;http://matt.blogs.it&quot; title=&quot;Matt Mower's weblog&quot;&gt;Matt Mower&lt;/a&gt; has another stellar idea for how to manage our data -&lt;a href=&quot;http://matt.blogs.it/entries/00002348.html&quot;&gt; how about a EULA&lt;/a&gt; that businesses have to accept before they can use our data. Wouldn't you love to turn the tables on Microsoft?
&lt;br&gt;</description></item><item>	<title>Legal Network Podcast on Patriot Act Renewal</title>	<link>http://www.terryfrazier.com/fullthread$1910</link>	<pubDate>Fri, 18 Nov 2005 22:18:15 GMT</pubDate>        <author>terrywfrazier@gmail.com</author>	<guid isPermaLink="true">http://www.terryfrazier.com/weblog/index/channel/privacy/2005/11/18#item1910</guid>	<comments>http://www.terryfrazier.com/fullthread$1910</comments> 		<category>Homeland Security</category>	<category>Policy &amp; Regulation</category>	<category>Privacy</category>	<description>&lt;a href=&quot;http://www.legaltalknetwork.com/modules.php?name=News&amp;new_topic=15&quot;&gt;Coast-to-Coast&lt;/a&gt; is a series of general interest legal podcasts produced by the &lt;a href=&quot;http://www.legaltalknetwork.com/index.php&quot;&gt;LegalTalkNetwork&lt;/a&gt; and hosted by &lt;font&gt;&lt;font class=&quot;content&quot;&gt;Robert Ambrogi and J. Craig Williams. These two bill themselves as the &amp;quot;top legal bloggers&amp;quot; and I find that bit of hubris a little offputting, but they do have some good shows.&lt;/font&gt;&lt;/font&gt; &lt;br /&gt;&lt;br /&gt;Today's 'cast on &lt;a href=&quot;http://interface.audiovideoweb.com/lnk/avwebdsnjwin4287/LTN/C2C/C2C_111705.wma/play.asx&quot;&gt;The Patriot Act&lt;/a&gt; presents two views - a former FBI agent turned Congressional candidate and an ACLU representative. It's an interesting discussion and well worth listening. Both sides make valid points, and both sides are really worried about excesses already occurring.
</description></item><item>	<title>The Steady Creep of Statist Control</title>	<link>http://www.terryfrazier.com/fullthread$1907</link>	<pubDate>Fri, 18 Nov 2005 19:36:34 GMT</pubDate>        <author>terrywfrazier@gmail.com</author>	<guid isPermaLink="true">http://www.terryfrazier.com/weblog/index/channel/privacy/2005/11/18#item1907</guid>	<comments>http://www.terryfrazier.com/fullthread$1907</comments> 		<category>Homeland Security</category>	<category>Privacy</category>	<description>The insidious creep of anti-terrorism laws to include all criminal activity - and the complementary definition creep which links every potential criminal activity to the support, promotion, or  funding of terrorism - continues unabated amid &lt;a href=&quot;http://www.washingtonpost.com/wp-dyn/content/article/2005/11/05/AR2005110501366_pf.html&quot;&gt;abusive government behavior&lt;/a&gt; and growing use of secret National Security Letters that prevent recipients, under penalty of jail, from ever disclosing that they've been served. From a Washington Post investigative report: &lt;blockquote&gt;  Senior FBI officials acknowledged in interviews that the proliferationof national security letters results primarily from the bureau's newauthority to collect intimate facts about people who are not suspectedof any wrongdoing. Criticized for failure to detect the Sept. 11 plot,the bureau now casts a much wider net, using national security lettersto generate leads as well as to pursue them. 
Casual or unwittingcontact with a suspect -- a single telephone call, for example -- mayattract the attention of investigators and subject a person to scrutinyabout which he never learns.&lt;/blockquote&gt; The &lt;a href=&quot;http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=109_cong_bills&amp;docid=f:s1389is.txt.pdf&quot;&gt;PATRIOT ACT Renewal bill&lt;/a&gt; - our first chance to undo many of the wrongs pushed through by the Bush Administration's John Ashcroft - is being gutted. It appears that rather than striking the most onerous parts of the PATRIOT Act, the bill is actually making them worse. EFF has all the &lt;a href=&quot;http://www.eff.org/deeplinks/archives/004166.php&quot;&gt;requisite information&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Historically, what countries have embraced such laws - subjecting millions of citizens to secret surveillance, making it a crime to disclose the surveillance, and hiding the reality of the laws from the public? If you answer this question honestly you'll be hard-pressed to find a democracy on your list.&lt;br /&gt;</description></item><item>	<title>EULA-based Deep Root Spying On Blizzard Entertainment Customers</title>	<link>http://www.terryfrazier.com/fullthread$1870</link>	<pubDate>Sat, 15 Oct 2005 04:11:39 GMT</pubDate>        <author>terrywfrazier@gmail.com</author>	<guid isPermaLink="true">http://www.terryfrazier.com/weblog/index/channel/privacy/2005/10/14#item1870</guid>	<comments>http://www.terryfrazier.com/fullthread$1870</comments> 		<category>Privacy</category>	<category>Security</category>	<category>Technology</category>	<description>If you play Warcraft, World of Warcraft, or any other Blizzard&amp;nbsp;Entertainment&amp;nbsp;game you need to &lt;a href=&quot;http://www.rootkit.com/blog.php?newsid=358&quot;&gt;read this&lt;/a&gt;.&amp;nbsp;You probably have no idea how much personal info the cretins at Blizzard are collecting from you. 
[via &lt;a href=&quot;http://www.corante.com/copyfight/&quot;&gt;Copyfight&lt;/a&gt;]&amp;nbsp;&lt;blockquote&gt; &lt;h3&gt;&lt;a href=&quot;http://www.corante.com/copyfight/archives/2005/10/14/i_spy_with_my_little_eula.php&quot;&gt;I Spy With My Little EULA (Donna Wentworth)&lt;/a&gt; &lt;/h3&gt;&lt;p&gt;You may recall that Blizzard is the videogame company that &lt;a href=&quot;http://www.eff.org/news/archives/2005_09.php#003949&quot;&gt;sued&lt;/a&gt; three software programmers for creating BnetD, a free, open source program that allowed gamers to play games they purchased with others on the platform of their choice. Blizzard claimed that the programmers violated several parts of the company's End User Licensing Agreement (EULA), including a provision on reverse-engineering. But it turns out that's not all that Blizzard's lawyers have inserted in the fine print. As Bruce Schneier &lt;a href=&quot;http://www.schneier.com/blog/archives/2005/10/blizzard_entert.html&quot;&gt;reports&lt;/a&gt;, the company is also using its Terms of Use agreements to &lt;a href=&quot;http://forums.worldofwarcraft.com/thread.aspx?fn=blizzard-archive&amp;amp;t=33&amp;amp;p=1&amp;amp;tmp=1#post33&quot;&gt;justify&lt;/a&gt; &lt;a href=&quot;http://www.rootkit.com/blog.php?newsid=358&quot;&gt;spying on gamers' computers&lt;/a&gt;. &lt;/p&gt;&lt;p&gt;&lt;a href=&quot;http://www.rootkit.com/blog.php?newsid=358&quot;&gt;Writes&lt;/a&gt; Greg Hoglund, co-author of &lt;i&gt;Exploiting Software, How to Break Code&lt;/i&gt;: &lt;blockquote&gt;I watched the [software] warden sniff down the email addresses of people I was communicating with on MSN, the URL of several websites that I had open at the time, and the names of all my running programs, including those that were minimized or in the toolbar. These strings can easily contain social security numbers or credit card numbers, for example, if I have Microsoft Excel or Quickbooks open w/ my personal finances at the time. 
...[The scanning] certainly will result in warden reporting you as a cheater. I really believe that reading these window titles violates privacy, considering window titles contain a lot of personal data. But, we already know Blizzard Entertainment is fierce from a legal perspective. Look at what they have done to people who tried to make BNetD, freecraft, or third party WoW servers. &lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;As Schneier &lt;a href=&quot;http://www.schneier.com/blog/archives/2005/10/blizzard_entert.html&quot;&gt;says&lt;/a&gt;, this is truly scary stuff. Yet even a few of the security-savvy readers at Schneier's weblog are &lt;a href=&quot;http://www.schneier.com/blog/archives/2005/10/blizzard_entert.html&quot;&gt;downplaying&lt;/a&gt; its significance. Why? &lt;a href=&quot;http://www.alternet.org/authors/2188/&quot;&gt;Annalee Newitz&lt;/a&gt; &lt;a href=&quot;http://www.alternet.org/columnists/story/26402/&quot;&gt;has a theory&lt;/a&gt; that rings true to me: people think of routine spying as normal. [&amp;hellip;]&lt;/blockquote&gt;</description></item><item>	<title>Acoustical Spying Recovers Passwords With 90-percent Accuracy</title>	<link>http://www.terryfrazier.com/fullthread$1840</link>	<pubDate>Mon, 03 Oct 2005 02:51:15 GMT</pubDate>        <author>terrywfrazier@gmail.com</author>	<guid isPermaLink="true">http://www.terryfrazier.com/weblog/index/channel/privacy/2005/10/02#item1840</guid>	<comments>http://www.terryfrazier.com/fullthread$1840</comments> 		<category>Privacy</category>	<category>Technology</category>	<description>Computer scientists at UC Berkeley have been experimenting with recordings of keystrokes. Using 10-minute sound recordings of users typing at a keyboard, researchers were able to feed the data into a computer and recover up to 96 percent of the typed characters. 
By running the audio repeatedly through a feedback loop that trains the computer, they were able to recover passwords, passphrases, and complete paragraphs. [via &lt;a href=&quot;http://www.arlingtoninstitute.org/futuredition/futuredition_05.asp&quot;&gt;FutureEdition&lt;/a&gt; from Arlington Institute]  &lt;blockquote&gt; Once the system is trained, recovering the text became more straightforward, even if the text was a password and not an English word. After just 20 attempts, the researchers were able to retrieve 90 percent of five-character passwords, 77 percent of eight-character passwords and 69 percent of 10-character passwords.&lt;br /&gt;&lt;br /&gt;[...]&lt;br /&gt;&lt;br /&gt;What was particularly striking about this study, the researchers said, was the ease with which the text could be recovered using off-the-shelf equipment. &amp;quot;We didn't need high-quality audio to accomplish this,&amp;quot; said Feng Zhou, a UC Berkeley Ph.D. student in computer science and co-author of the study. &amp;quot;We just used a $10 microphone that can be easily purchased in almost any computer supply store.&amp;quot;&lt;/blockquote&gt; </description></item><item>	<title>Does Your Doctor's Computer Have Spyware?</title>	<link>http://www.terryfrazier.com/fullthread$1835</link>	<pubDate>Sun, 02 Oct 2005 14:54:02 GMT</pubDate>        <author>terrywfrazier@gmail.com</author>	<guid isPermaLink="true">http://www.terryfrazier.com/weblog/index/channel/privacy/2005/10/02#item1835</guid>	<comments>http://www.terryfrazier.com/fullthread$1835</comments> 		<category>Privacy</category>	<description>&lt;p&gt;What is your doctor's computer security policy? Every time I have a blood test or visit a doctor I sign a new &lt;a href=&quot;http://www.hhs.gov/ocr/hipaa/&quot;&gt;HIPAA&lt;/a&gt; form, but it's clear there's no understanding of digital privacy within the office. For a high-tech industry, doctors and their staff are woefully ill-equipped to deal with computers. 
What do you do when all the providers of a necessary service have little or no idea how to protect your information? [via &lt;a href=&quot;http://netrn.net/spywareblog/&quot;&gt;Spyware Warrior&lt;/a&gt;]&lt;blockquote&gt; &lt;/p&gt;&lt;h3&gt;&lt;a href=&quot;http://netrn.net/spywareblog/archives/2005/09/20/does-your-doctors-computer-have-spyware/&quot;&gt;Does your doctor's computer have spyware?&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Recently I was in the office of a local physician, not my personal physician, and overheard his staff talking about a problem with pop ups on the medical assistant's computer. Of course this caught my interest and I asked what was going on with the computer. The doctor said &amp;quot;Oh, I took care of it with some anti-spyware scanners&amp;quot; and asked the assistant if she was having any more pop-ups. She shook her head &amp;quot;no&amp;quot; but her facial expression could have said otherwise. I tried to start a discussion with the staff about safe surfing on the net but they were busy and not particularly interested.&lt;/p&gt;&lt;p&gt;[...]&lt;/p&gt;&lt;p&gt;Back to the doctor's office, though. After that incident, I thought about the recent reports of keyloggers and spambots being downloaded in spyware exploits. What about the doctor's home computer? When he/she gets that 2 AM call and logs in his/her computer to look up medical records, let's hope there is no keylogger recording and writing his/her login name and password to a file on a distant server somewhere. Let's hope that physicians' offices, practice groups and medical practitioners' computers are free of spyware, but there's no guarantee. If your doctor has online medical records or records stored on an office computer that goes online, I suggest you ask about their security practices. Some may not like being questioned but as a consumer of health care, I think you have the right to know.&lt;/p&gt;&lt;/blockquote&gt; </description></item>	</channel></rss>