<?xml version="1.0"?><rss version="2.0">	<channel>		<title>b.cognosco</title>		<link>http://www.terryfrazier.com/weblog/index/channel/security</link>		<description>Where leaping to conclusions is my primary form of forward motion.</description>		<language>en</language>		<copyright>Copyright 2008</copyright>                <generator>Macrobyte Conversant 1.0</generator>		<managingEditor>terrywfrazier@gmail.com</managingEditor> 		<webMaster>terrywfrazier@gmail.com</webMaster>		<category>Security</category>		<item>	<title>MacLockPick: A Vital Tool For Our Trusted Protectors</title>	<link>http://www.terryfrazier.com/fullthread$2154</link>	<pubDate>Thu, 17 May 2007 18:21:00 GMT</pubDate>        <author>terrywfrazier@gmail.com</author>	<guid isPermaLink="true">http://www.terryfrazier.com/weblog/index/channel/security/2007/05/17#item2154</guid>	<comments>http://www.terryfrazier.com/fullthread$2154</comments> 		<category>Privacy</category>	<category>Security</category>	<category>Technology</category>	<description>&lt;img src=&quot;http://www.terryfrazier.com/2154/enclosure/MacLockPick_Pulls_Private_Data_Via_USB_Port.jpg&quot; height=&quot;120&quot; width=&quot;160&quot; align=&quot;left&quot; alt=&quot;MacLockPick Pulls Private Data Via USB Port&quot; style=&quot;padding-right: .5em; padding-bottom: 1em;&quot;  /&gt;Only $499 and available in bulk from &lt;a href=&quot;http://www.subrosasoft.com/OSXSoftware/index.php?main_page=product_info&amp;amp;cPath=200&amp;amp;products_id=195&quot;&gt;Subrosasoft&lt;/a&gt;, The MacLockPick is a handy little device for computer-illiterate trusted civil servants to plug into sleeping MacBooks and collect data from all those computers left lying around at crime scenes - just like on TV. 
Via &lt;a href=&quot;http://news.digitaltrends.com/article12837.html&quot;&gt;Digital Trends Magazine&lt;/a&gt;:&lt;br&gt;&lt;br&gt;&lt;blockquote&gt;&lt;h3&gt;&lt;a href=&quot;http://news.digitaltrends.com/article12837.html&quot;&gt;MacLockPick Pulls Private Data Via USB Port&lt;/a&gt;&lt;/h3&gt;&lt;span style=&quot;font-size: 80%;&quot;&gt;Friday, April 27th 2007 @ 6:50 AM PDT&lt;/span&gt;&lt;br&gt;&lt;span style=&quot;font-size: 80%;&quot;&gt;By Nick Mokey&lt;/span&gt;&lt;br&gt;&lt;span style=&quot;font-size: 80%;&quot;&gt;Staff Writer, Digital Trends News&lt;/span&gt;&lt;br&gt;&lt;br&gt;&lt;strong&gt;Uncle Sam has a new way to pry into your data, and it's as simple as popping in a thumb drive.&lt;/strong&gt;&lt;br&gt;&lt;br&gt;Lock up your MacBooks, Apple fans: SubRosaSoft announced Friday that they are shipping a USB thumb drive, dubbed MacLockPick, that can extract passwords, Internet history, and system settings from an OS X user just by slipping it into a USB drive.&lt;br&gt;&lt;br&gt;Of course, the drive is only available to law enforcement, but we have to wonder if the same technology that powers it will ever become available to less scrupulous individuals. […]&lt;br&gt;&lt;/blockquote&gt;Anyone wonder just what security measures are in place to ensure that only law enforcement can purchase this. Better yet, what security is in place to ensure that law enforcement doesn't lose, misplace, or steal the device? Not that it does anything that a power user couldn't do given a little private time with the computer, but it does make it seamless, simple, silent, and quick - just the thing for the sort of abuse-prone neanderthals that seem to make up far too much of the law enforcement population.&lt;blockquote&gt;The following is a list of file items that can be extracted using SubRosaSoft’s MacLockPick:&lt;h4&gt;Apple Keychain Passwords&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;System&lt;/strong&gt; - The user password of the logged in user. 
Often this is shared for root access and FileVault encryption.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;General&lt;/strong&gt;- Includes (but is not limited to) passwords for encrypted disk images, wifi base stations, iTunes music store, iChat login, Apple Remote Desktop.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Internet&lt;/strong&gt; - Includes (but is not limited to) login and password details for web sites, email accounts, some peer to peer networks, online services and stores, auction sites, and .mac accounts.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;AppleShare&lt;/strong&gt; - A list of login and password details for appleshare servers this mac has connected to.&lt;br&gt;  &lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;Files and Folder details&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Folder Dates&lt;/strong&gt; - A list of all the key user folders along with their creation date, date of last modification, date of first access, and date of the most recent access.&lt;/li&gt;&lt;li&gt; &lt;strong&gt;Disk Images&lt;/strong&gt; - Paths to the most recent disk images that have been mounted on this mac.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Preview&lt;/strong&gt; - Full paths to recent files that have been viewed in the preview program.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;QuickTime&lt;/strong&gt; - File names for recently viewed movies from the QuickTime player applications&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Recent Applications, Documents, and Servers&lt;/strong&gt; - Program names for the most recently used items on this Macintosh computer.&lt;br&gt;  &lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;Instant Messaging&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Default Login&lt;/strong&gt; - for iChat instant messenger system. 
&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Complete  buddy list&lt;/strong&gt; - including buddies who have since been deleted.&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;eMail&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Account Details&lt;/strong&gt; - login names and server addresses used.&lt;br&gt;  &lt;/li&gt;&lt;li&gt;&lt;strong&gt;Address Book&lt;/strong&gt;- Address details for entries in the address book including contacts that have been deleted. This address book is used by most communication programs on the Mac and is used to synchronize with the iPod and other portable devices.&lt;br&gt;  &lt;/li&gt;&lt;li&gt;&lt;strong&gt;Opened Attachments&lt;/strong&gt; - Paths to files that have been received as an attachment then saved or opened including the date and time of opening.&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;Web History and Preferences&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Search Strings&lt;/strong&gt; - The most recent items that the user has searched for using the google toolbar in safari.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Cached Bookmarks&lt;/strong&gt; - Sites that have been bookmarked in Safari including items that have been deleted.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Current Bookmarks&lt;/strong&gt; - Sites that are currently bookmarked in Safari.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Cookies&lt;/strong&gt; - A full list of cookies include the server address the cookie value and the date and time of assignment.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;History&lt;/strong&gt; - Complete details of browsing history including the number of times visited and the date and time of the most recent visit.&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;Hardware Preferences&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;iPod&lt;/strong&gt; - Serial numbers of any iPod that have been connected to this Mac along with the date and time it was first used.&lt;br&gt;    &lt;/li&gt;&lt;li&gt;&lt;strong&gt;Bluetooth Devices&lt;/strong&gt;- hardware address of any bluetooth devices that have been paired 
withthis mac along with the most recent time these devices have been paired.&lt;br&gt;    &lt;/li&gt;&lt;li&gt;&lt;strong&gt;Wifi Connections&lt;/strong&gt;- Listings for wifi base stations that have been used on this computerincluding the base address and the date and time of the firstconnection.&lt;br&gt;    &lt;/li&gt;&lt;li&gt;&lt;strong&gt;Network Interfaces&lt;/strong&gt; - MAC address for each integrated network interface on the suspect's machine.&lt;/blockquote&gt;No doubt there will be, if there isn't already, an open source version of this&amp;nbsp; or a free set of instructions to DIY for anyone with the time and inclination to do so.&lt;br&gt;&lt;/li&gt;&lt;/ul&gt;</description></item><item>	<title>Tracking The Loss of Private Data</title>	<link>http://www.terryfrazier.com/fullthread$2149</link>	<pubDate>Wed, 16 May 2007 13:23:06 GMT</pubDate>        <author>terrywfrazier@gmail.com</author>	<guid isPermaLink="true">http://www.terryfrazier.com/weblog/index/channel/security/2007/05/16#item2149</guid>	<comments>http://www.terryfrazier.com/fullthread$2149</comments> 		<category>Privacy</category>	<category>Security</category>	<category>Technology</category>	<description>If you're interested in the subject of data breeches, data loss, and mishandling of private information you might want to have a look at &lt;a href=&quot;http://ww.etiolated.org&quot;&gt;etiolated.org&lt;/a&gt;. &lt;br&gt;&lt;br&gt;&lt;img src=&quot;http://www.terryfrazier.com/2149/enclosure/etiolated.png&quot; height=&quot;168&quot; width=&quot;269&quot; align=&quot;center&quot; alt=&quot;screenshot of etiolated.org home page&quot;  /&gt;&lt;br&gt;&lt;br&gt;Site features real-time graphs, statistics, and searchable full-text database of company names, event summaries, and comments. 
Thanks to my friend Al Macintyre.</description></item><item>	<title>What Are The Risks of Letting Others Write In Your Space</title>	<link>http://www.terryfrazier.com/fullthread$2148</link>	<pubDate>Wed, 16 May 2007 03:55:40 GMT</pubDate>        <author>terrywfrazier@gmail.com</author>	<guid isPermaLink="true">http://www.terryfrazier.com/weblog/index/channel/security/2007/05/15#item2148</guid>	<comments>http://www.terryfrazier.com/fullthread$2148</comments> 		<category>Privacy</category>	<category>Security</category>	<description>In the last couple of weeks I had someone come on this site and post, via anonymous comments, a series of diatribes that were a serious attack on another individual and company. The information was detailed but utterly unsubstantiated. The tone was extremely angry. The allegations ranged from deception to outright fraud. I also did a little IP address tracing and determined that the person had gone to some lengths to hide their address.&lt;br&gt;&lt;br&gt;Within a matter of hours I contacted people who knew something about the companies and person involved, cogitated on what to do, and decided to remove all posts from that individual. I did so without compunction and didn't think anything else about it. I don't normally remove comments, in fact that was only the second time in the &lt;span style=&quot;text-decoration: line-through;&quot;&gt;four&lt;/span&gt; five years I've had this site. But I guess this kind of thing is going to become more common and we're being forced to deal with it.&lt;br&gt;&lt;br&gt;Recently a blog author I follow has been forced to withdraw from blogging and even cancel personal appearances due to death threats received via comments on her blog. 
The story has received major news coverage, making CNN, the New York Times, and BBC News among others.&lt;br&gt;&lt;br&gt;Kathy Sierra, author of &lt;a href=&quot;http://headrush.typepad.com/creating_passionate_users/&quot;&gt;Creating Passionate Users&lt;/a&gt; wrote a nice, user-centered blog about keeping users engaged and had a wonderful sense of graphics and graphic usage. It was good stuff. But somewhere someone got ticked off and began a campaign of vile and serious threats against her.&amp;nbsp; I find this almost incomprehensible. I didn't have much to say that hadn't already been said, and I didn't feel like adding to the long list of people linking to the murky, disturbing &lt;a href=&quot;http://headrush.typepad.com/whathappened.html&quot;&gt;post that describes it all&lt;/a&gt; from Kathy's perspective. But there, I've linked to it, as I can't really talk about this without doing so.&lt;br&gt;&lt;br&gt;In response to the Sierra fiasco Tim O'Reilly (of O'Reilly Publishing) came out with a &lt;a href=&quot;http://radar.oreilly.com/archives/2007/04/draft_bloggers_1.html&quot;&gt;Blogger's Code of Conduct&lt;/a&gt; that has created its own little tempest in a teapot, as bloggers debate what is censorship, what isn't, what are we liable for, what is protected speech, etc. I was reminded of all this today when I came across a &lt;a href=&quot;http://www.writetech.net/2007/04/the_blogosphere.html&quot;&gt;post by Michelle Lintz&lt;/a&gt; at the writetechnology blog: &lt;blockquote&gt;&lt;h3&gt;The Blogosphere Grows Up a Little&lt;/h3&gt;Everyone has growing pains as they progress from toddler through to adulthood. The blogosphere is a living, dynamic thing and it's no different. It was inevitable, of course. 
That's not to say it's not painful for some, and emotional for many.&lt;br&gt;&lt;br&gt;I debated on even mentioning it, but when it was picked up by the &lt;a href=&quot;http://www.nytimes.com/2007/04/09/technology/09blog.html?ref=business&amp;amp;pagewanted=print&quot;&gt;New York Times&lt;/a&gt; and the BBC (&lt;a href=&quot;http://news.bbc.co.uk/2/hi/technology/6499095.stm&quot;&gt;here&lt;/a&gt; and &lt;a href=&quot;http://news.bbc.co.uk/2/hi/technology/6540385.stm&quot;&gt;here&lt;/a&gt;), I had to investigate further.&lt;br&gt;&lt;br&gt;To understand it, you have to acknowledge that as in any industry or field, there are certain high-profile folks. In the blogosphere, we have our own &quot;stars&quot; or &quot;celebrities.&quot; People like Dave Winer, Robert Scoble, Kathy Sierra, just to name a few. These folks are incredibly high profile, speak at many events, are public figures that express their views on widely read and well respected blogs. The rest of us are just regular bloggers and the rest of us make up the majority of the blogosphere. In fact, for many of us, these blog stars exist on the periphery of our blogging existence, if at all. So, why are their problems important?&lt;br&gt;&lt;br&gt;[...]&lt;br&gt;&lt;p&gt;As the blogosphere, or at least the high-profile part, reeled from all this, Tim O'Reilly (yep, the guy who puts animals on his tech books) decided to step in. I concur with many bloggers out there that his actions as &quot;hall monitor&quot; are slightly misguided, no matter how well intentioned. O'Reilly has issued &lt;a target=&quot;blank&quot; href=&quot;http://radar.oreilly.com/archives/2007/04/draft_bloggers_1.html&quot;&gt;a draft Blogger Code of Conduct&lt;/a&gt; and suggests blogs have badges - those who subscribe to the Code of Conduct and those who have an &quot;Anything Goes&quot; badge. Basically, Anything Goes means that any sort of comment can be posted on the blog.&lt;/p&gt;&lt;p&gt;It raises valid questions. 
Are bloggers responsible for the commentsposted to their blogs? Can we censor the comments, and is itcensorship? What information do we actually own, when it comes to ourblogs, and how accurate are we expected to be? Should we allowanonymous commenting? Are we responsible for the people who choose toremain anonymous? [...]&lt;/blockquote&gt;I had some discussions with a lawyer friend when the untoward comments appeared on my blog. He advised that I might expect a cease and desist letter, which he admitted would be a monumentally  stupid thing to do on the part of the company's attorney (he knew what I would do with it.) But we agreed that corporate attorneys don't get paid for being smart, they get paid for being lawyers. We also agreed that such a letter would have little legal standing other than possibly causing me a little inconvenience. Ultimately, fear of lawyers had nothing to do with my decision.&lt;/p&gt;&lt;p&gt;What did affect my decision was the fact that some yahoo had come on my site, using my weblog and its (admittedly minor) traffic to propagate their personal vendetta. I don't need O'Reilly's Code of Conduct to help me understand that people don't get to do that here.&lt;/p&gt;&lt;p&gt;I am not the government. I am a private individual and therefore cannot, by definition, engage in censorship. I have no obligation to protect anyone's speech. I have a vested interest in allowing people to post comments challenging my views, questioning my conclusions, forcing me to justify and defend my positions. But I don't have to let just anyone write just anything they want. Not now, not ever.&lt;/p&gt;&lt;p&gt;I really don't understand this whole censorship argument. Freedom of Speech and censorship are principles that apply to coercive forces, like governments. If the government didn't have the power to imprison and execute there would be no need for laws mandating protected speech. 
I don't have the power to do either of those things and therefore am not subject to such constraints. I'm just a guy who doesn't have to play with people who don't follow the rules of common decency and good sense.&lt;/p&gt;&lt;p&gt;So comment here all you want. I allow anonymous comments as long as no one abuses it. I don't mind if you disagree with me as long as you do so in a way that makes some sort of sense, and I won't delete comments unless there is something truly objectionable and unwarranted. But please, refrain from personal attacks, &lt;span style=&quot;text-decoration: line-through;&quot;&gt;name-calling&lt;/span&gt;, making unsubstantiated allegations of illegal behavior, or engaging in other libelous diatribes. I just don't have the time or patience for it.&lt;br&gt;&lt;/p&gt;</description></item><item>	<title>Don't Plan a Vacation in Nigeria</title>	<link>http://www.terryfrazier.com/fullthread$2139</link>	<pubDate>Fri, 11 May 2007 02:15:34 GMT</pubDate>        <author>terrywfrazier@gmail.com</author>	<guid isPermaLink="true">http://www.terryfrazier.com/weblog/index/channel/security/2007/05/10#item2139</guid>	<comments>http://www.terryfrazier.com/fullthread$2139</comments> 		<category>Globalization</category>	<category>Security</category>	<description>&lt;p&gt;Not that you would, but don't make travel plans for Nigeria any time soon. 
Via &lt;a href=&quot;http://www.jeffvail.net/2007/05/nigeria-escalation.html&quot;&gt;Jeff Vail at Energy Intelligence&lt;/a&gt;&lt;/p&gt;&lt;blockquote cite=&quot;http://www.jeffvail.net/2007/05/nigeria-escalation.html&quot;&gt;&lt;h3&gt;Nigeria Escalation&lt;/h3&gt;&lt;span style=&quot;font-size: 80%;&quot;&gt;Energy Intelligence Note:  9 May, 2007&lt;/span&gt;&lt;br&gt;&lt;br&gt;The situation in Nigeria is escalating--as expected, &lt;a href=&quot;http://www.jeffvail.net/2007/04/five-geopolitical-feedback-loops-in.html&quot;&gt;geologically-driven declines in oil production are spawning geopolitically-driven increases in disruptions from &quot;above-ground factors.&quot;&lt;/a&gt;  The recent attacks on major oil pipelines in Nigeria cut all oil flow to AGIP's Brass Export Terminal, taking a further 200,000 barrels per day off the market.  On top of that, take a look at the latest unclassified figures on kidnappings in Nigeria, courtesy of the CIA:&lt;br&gt;&lt;br&gt;2006:&lt;br&gt;Total Hostages (Unresolved):  66 (0)&lt;br&gt;American Hostages (Unresolved): 0 (0)&lt;br&gt;&lt;br&gt;2007:&lt;br&gt;Total Hostages (Unresolved):  106 (17)&lt;br&gt;American Hostages (Unresolved): 17 (5)&lt;br&gt;&lt;br&gt;And 2007 is only half over!  
That represents a roughly 200% year-on-year increase in total hostages, and a huge leap in the &quot;value&quot; of these hostages, as reflected by the sudden shift toward higher-skill and western workers, as shown by the sudden prevalence of American hostages.&lt;/blockquote&gt;</description></item><item>	<title>Private Intelligence and the Sovereign Individual</title>	<link>http://www.terryfrazier.com/fullthread$2124</link>	<pubDate>Wed, 02 May 2007 13:49:01 GMT</pubDate>        <author>terrywfrazier@gmail.com</author>	<guid isPermaLink="true">http://www.terryfrazier.com/weblog/index/channel/security/2007/05/02#item2124</guid>	<comments>http://www.terryfrazier.com/fullthread$2124</comments> 		<category>Security</category>	<description>In &lt;a href=&quot;http://matt.blogs.it/entries/00002550.html&quot;&gt;The secret service for the rest of us&lt;/a&gt;, Matt Mower writes: &lt;blockquote dir=&quot;ltr&quot; style=&quot;MARGIN-RIGHT: 0px&quot;&gt;&lt;p&gt;I've often wondered how feasible it would be for us to setup an intelligence service to watch &lt;em&gt;them&lt;/em&gt; (most recently I was wondering whether there are intelligence services at work in Second Life). After all; What is an intelligence service other than an organization that collects data from the edge and analyzes it for the benefit of its customers?&lt;/p&gt;&lt;p&gt;Blogs and other read/write web tools give us all the ability to gather data and, in our own fashion, analyze it and pass it on. 
We are each miniature intelligence services for a varied clientele and, although we too are biased, our bias can be adjusted for since it is more easily determined (over time).&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;More than a decade ago two futurists &amp;ndash; James Dale Davidson and William Rees-Mogg &amp;ndash; wrote of the coming breakdown of state-based security and the growth of independent, individual security forces in their books &amp;ldquo;The Great Reckoning&amp;rdquo; and &amp;ldquo;The Sovereign Individual.&amp;rdquo; They were ridiculed pretty widely at the time and the books were considered fodder for bunker-dwellers, albeit rich bunker-dwellers. Much of what they projected was based on cultural and social models already visible at the time in Latin countries dominated by drug cartels. 15 years and the meteoric rise of technology have changed the landscape of what can be done but, if anything, the predictions of Davidson and Rees-Mogg seem more tangible than ever. If they were guilty of anything, it was merely being too far ahead of their time.&lt;/p&gt;&lt;p&gt;Current futurists and military analysts like John Robb (my source for&amp;nbsp;the &lt;a href=&quot;http://globalguerrillas.typepad.com/globalguerrillas/2007/04/journal_private.html&quot;&gt;original story&lt;/a&gt;)&amp;nbsp;are busily deconstructing the projected fall of the nation-state, peak oil,&amp;nbsp;&amp;nbsp;the rise of non-state entities, etc all of which is important. But no one seems to be thinking about &lt;em&gt;my&lt;/em&gt; problems in the way that Davidson and Rees-Mogg did &amp;ndash; deciphering what all this chaos means to the individual &amp;ndash; and more importantly what to do about it.&lt;/p&gt;&lt;p&gt;How do we predict the unpredictable? How do we assess probability and impact? How do we, as individuals, make the right choices for where to live, where to put our money, how to prepare for the unexpected, how to protect our family, our friends, ourselves? 
Packing the basement full of survival rations, bottled water, duct tape and gas masks is a shallow, and rather ineffectual, approach.&lt;/p&gt;&lt;p&gt;What we really need is analytic intelligence for the individual. Governments &amp;ndash; no matter whose &amp;ndash; are unreliable sources of information for the individual (if they can be considered reliable sources for anything at all save waste and corruption.) But to get such intelligence will be very difficult. Matt is right, current social software tools provide a glimpse of what may be possible, and many of the tools are being deployed within &lt;em&gt;intelligence communities&lt;/em&gt;. But that is the key. Could we, as individuals, build our own intelligence communities?&lt;/p&gt;</description></item><item>	<title>I Am So Happy</title>	<link>http://www.terryfrazier.com/fullthread$2103</link>	<pubDate>Sun, 01 Apr 2007 02:27:07 GMT</pubDate>        <author>terrywfrazier@gmail.com</author>	<guid isPermaLink="true">http://www.terryfrazier.com/weblog/index/channel/security/2007/03/31#item2103</guid>	<comments>http://www.terryfrazier.com/fullthread$2103</comments> 		<category>Security</category>	<category>Technology</category>	<description>Since August of 2004 I have used a custom Linux firewall in my network. The firewall was built by Bob Toxen, author of &lt;a href=&quot;http://www.amazon.com/gp/product/0130464562?ie=UTF8&amp;amp;tag=bcognosco-20&amp;amp;linkCode=as2&amp;amp;camp=1789&amp;amp;creative=9325&amp;amp;creativeASIN=0130464562&quot;&gt;Real World Linux Security&lt;/a&gt;, and it worked flawlessly for more than two years. When I first got it I had servers in my office and felt I needed the extra protection of a professional firewall. If you need top-notch security I can confidently recommend Bob. But I don't need enterprise-level security anymore. I never did, really. 
And, while I felt quite safe behind the firewall, its safety had a cost in complexity that I don't want anymore.&lt;br&gt;&lt;br&gt;I no longer have any application servers running in my office. I have my basic file servers, but nothing fancy. So my firewall needs are pretty basic and today's inexpensive, commercial firewalls are vastly improved over what was available just two years ago. I bought a little Netgear FVS124G Firewall/VPN/Router a couple of months ago for $125. I've had it lying around the office for a while because I knew it would take a good half-day to get the whole network changed over and tested. But today I set it up. And what a relief! I'm finally able to fix some niggling problems I've been living with forever.&lt;br&gt;&lt;br&gt;First, I finally was able to clear and prioritize the ports for my VoIP adapter, assigning it top-level QoS ranking. After 2.5 years of having to shut down my e-mail client and carefully monitor all UL/DL traffic on my LAN while making phone calls, I finally can ignore all that and just talk on the phone. Damn! That feels good. I made a phone call tonight while simultaneously listening to streaming audio and checking e-mail. It worked flawlessly.&lt;br&gt;&lt;br&gt;I also started configuring the Netgear VPN. I haven't been able to do this before, because I just didn't have the expertise on Linux and it wasn't nearly important enough to pay someone to figure it out for me. So I waited. But the Netgear setup looks pretty simple and straightforward. I'll be testing it over the next few weeks as I have some travel to do. I look forward to being able to have seamless access to my home computers, and to being able to pop-up unexpectedly on my kids' computers.&lt;br&gt;&lt;br&gt;The other really cool thing the FVS124G has is two WAN ports with three modes of operation - fail-over, load balancing, and dedicated. 
This lets me have both a DSL and a cable-modem connection running simultaneously, with the router sharing the bandwidth between them. With my office at my house, and my connectivity subject to the vagaries of cheap-ass residential service from telco and cable monopolies, this sort of flexibility is priceless. The only feature I miss, and I could have it if I bought just a little more expensive unit, is the DMZ. I like to put an open wireless router on the DMZ so visitors can logon without hassle and I don't have to worry about my LAN. But I'll get that next time.&lt;br&gt;&lt;br&gt;I avoid doing this sort of geek stuff much anymore - I just don't have the time and it always seems to take me 2x, or 3x, as long as it should. But today I didn't have any problems and the little Netgear is working flawlessly. Between the VoIP fix, the dual connections, and the simple VPN I'm in my own little nerd heaven. I know it's not much to you real geeks. But for me it's about as good as it gets . &lt;br&gt;</description></item><item>	<title>Unable To Connect</title>	<link>http://www.terryfrazier.com/fullthread$1953</link>	<pubDate>Tue, 06 Dec 2005 18:06:04 GMT</pubDate>        <author>terrywfrazier@gmail.com</author>	<guid isPermaLink="true">http://www.terryfrazier.com/weblog/index/channel/security/2005/12/06#item1953</guid>	<comments>http://www.terryfrazier.com/fullthread$1953</comments> 		<category>Security</category>	<description>I love this!&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;http://www.terryfrazier.com/1953/enclosure/unable_to_connect.png&quot; height=&quot;257&quot; width=&quot;303&quot; align=&quot;center&quot; alt=&quot;unable_to_connect.png&quot;  /&gt;&lt;/p&gt;&lt;p&gt;Courtesy of the &lt;a href=&quot;http://www.mvps.org/winhelp2002/hosts.htm&quot;&gt;hosts file&lt;/a&gt; I found via &lt;a href=&quot;http://greg.abstrakt.ch/&quot;&gt;Gregor&lt;/a&gt;.&lt;/p&gt;</description></item>	</channel></rss>