25 February 2007

Tiny RFID tags

The BBC has an article about recent innovations in the miniaturization of RFID technology. The image at the top of the article is particularly astounding: these RFID chips are smaller than the width of a human hair. The very image suggests the possibility of putting RFID tags in someone's hair gel and using the tags to track that person. That statement no doubt sounds paranoid, and maybe it is. But the fact that these things are getting so small means that surreptitiously distributing these devices is getting easier.

better-than-wholesale e-voting machines

Wired has an article describing a method one computer science researcher is using to acquire e-voting machines for security analysis: he bought them cheap off eBay. No background check, no non-disclosure agreement, nothing. And by cheap I mean he paid $82 for $25,000 worth of Sequoia e-voting equipment (that's a 99.672% markdown).

Although the Wired article claims that the research finds these machines to be more secure than products from competing companies, the researcher's Web page about his evaluation paints a dimmer picture.

17 February 2007

Media collection software

linux.com has had articles about a couple of media collection programs called gcstar and data crow. They're similar in concept: both are databases for your CDs, DVDs, books and such. Each allows you to enter your collections with searches of amazon.com, imdb.com, etc. So if you have a copy of X2 on DVD, you can type 'X2' in the search field and it'll retrieve the cast list, cover art, plot summary, and other stuff.

gcstar is built on Perl and gtk2, and data crow is built on Java. So both are more-or-less cross-platform (they run on Linux, Windows, and probably OS X).

Both also allow the user to add loaning information to records. If you loan your copy of X2 to someone, you can make a notation of that as part of the X2 record. And both let you import and export your data (gcstar seems more flexible in this regard, in that it supports a fairly wide variety of formats).

I've tried both, and I'm finding gcstar to be more reliable. data crow is pretty crashy, and I gave up on it.

One drawback to gcstar is that you can only select one item from the results of a search. If you have several Star Trek DVDs and you run a search for 'star trek', you can only select one of the search results to add it to your collection (you have to run a separate search for each Star Trek DVD you own). It would be nice if you could Ctrl-click to pick Wrath of Khan and The Undiscovered Country if they both show up in the search results (data crow actually lets you do this).

gcstar also has gtk tooltips which pop up when you mouse over the items in your search results. These tooltips sometimes make it hard to click on the search result that you want.

And it seems that the current version of gcstar (v1.1.1) is less than completely compatible with the version of the Gtk2 Perl module currently available in CPAN (v1.142, 21 January 2007). To make it work, you have to comment out the set_row_separator_func() and set_focus_on_click() calls in a couple of gcstar modules. Lame.

I actually prefer the data crow interface, but it kept hitting out-of-memory errors. I had to restart the application pretty frequently. That was beyond annoying. So for now I'm using gcstar.

14 February 2007

RFID passport

My new passport arrived in the mail today, and it's got an RFID tag in it.

Crap.

(Here's my previous whining about passports.)

13 February 2007

Huge hole in the water

This is one of the coolest things I've seen in a while. You know that hole near the top of your bathroom sink which keeps it from overflowing? They put those in some reservoirs. I would love to see one of these in person.

ssh security features

ssh offers ssh keys as a nice alternative to password authentication, and putty is a pretty cool ssh client for Windows. There's a good tutorial on howtoforge which discusses many of the features of the putty suite, including key generation (puttygen) and putty's ssh-agent (pageant).

And as the above article mentions, the PasswordAuthentication option in sshd_config can be turned off (set to 'no') to force the use of ssh keys; password authentication will then be disabled.

AllowUsers is another good sshd_config option. It can be used to provide a list of users who can connect via ssh. Any user not in this list can't connect by ssh. It's good for defeating ssh scans which try a few passwords against common account names (like root, guest, etc.). Another trick that might help dodge ssh scans is to run ssh on a port other than 22. The ListenAddress sshd_config option can be used to run ssh on some other (non-standard) port.

A nice trick for your ~/.ssh/authorized_keys file is to specify source hosts from which you can connect using certain keys. If you have the following in your authorized_keys file, then the key in question can only be used for connections from the hosts listed in the from list:
from="this_host,that_host" ssh-dss ...key data... USER@HOST
(This is discussed in the 'AUTHORIZED_KEYS FILE FORMAT' section of the sshd man page.)

Finally, the denyhosts project claims to be able to dynamically edit the tcpwrappers file (/etc/hosts.deny) when dictionary attacks are detected. It would probably be really useful for a server with lots of ssh users that need to log in from anywhere/everywhere.
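Before relying on a from= list, it helps to check which hosts it actually admits. The following is an added example, not code from this post or from OpenSSH: a small POSIX shell emulation of how sshd evaluates the from= option. The helper names key_from_list and key_allowed_from are hypothetical; the pattern rules follow the sshd(8) man page (comma-separated list, '*' and '?' wildcards, a leading '!' negates a pattern and a negated match denies the key outright); the authorized_keys line in the comments is constructed and its key data is a placeholder.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not part of OpenSSH): emulate how sshd
# applies the from="..." option of an authorized_keys line.
# Pattern rules follow sshd(8): comma-separated list, '*' and '?' wildcards,
# a leading '!' negates a pattern and a negated match denies the key outright.

# key_from_list LINE: print the value of the from="..." option (empty if none).
key_from_list() {
    printf '%s\n' "$1" | sed -n 's/.*from="\([^"]*\)".*/\1/p'
}

# key_allowed_from HOST PATTERN_LIST: exit 0 if HOST may use the key, else 1.
# HOST should be what sshd would compare: the canonical host name or the IP.
key_allowed_from() {
    host=$1
    result=1                # no positive match seen yet
    old_ifs=$IFS
    IFS=,                   # split the list on commas only
    set -f                  # keep '*' in patterns from expanding to file names
    for pat in $2; do
        case $pat in
            '!'*)
                # negated pattern: a match denies regardless of earlier matches
                case $host in ${pat#!}) result=1; break ;; esac
                ;;
            *)
                case $host in $pat) result=0 ;; esac
                ;;
        esac
    done
    set +f
    IFS=$old_ifs
    return $result
}

# Constructed sample line (KEYDATA stands in for real key material):
#   line='from="*.example.com,!bad.example.com,10.0.0.?" ssh-ed25519 KEYDATA user@host'
#   key_allowed_from good.example.com "$(key_from_list "$line")"   # allowed
#   key_allowed_from bad.example.com  "$(key_from_list "$line")"   # denied
#   key_allowed_from 10.0.0.77        "$(key_from_list "$line")"   # denied ('?' is one char)
```

Note that the host sshd compares is the reverse-resolved canonical name (or the address, if resolution fails), so a from= entry that names a host only works when that host's reverse DNS is in order; listing addresses avoids the dependency.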

10 February 2007

Checksum verification of large downloads

When you download software, the vendor often provides a checksum or a digital signature. If you download the software and then compute the checksum (or verify the signature), you're reading through the download twice. If the download is large (like a Linux kernel source archive or an ISO image), it can take a long time. Here's a way to do both at once.

If the vendor provides an MD5 checksum, try this:

wget -O - http://www.example.com/large_file.tar.bz2 |\
tee huge.tar.bz2 | md5sum

The -O - option tells wget to write the download to standard output, rather than to a file. Piping that to tee writes the download to a local file (huge.tar.bz2) and to standard output, and this is piped to md5sum: the checksum is printed to the screen.

You can do the same trick for a SHA-1 checksum (or any other digest supported by openssl):

wget -O - http://www.example.com/large_file.tar.bz2 |\
tee huge.tar.bz2 | openssl dgst -sha1

If the vendor provides a detached signature, you can do a similar trick. As an example, let's use the bzip'ed 2.6.0 patch file for the Linux kernel and the corresponding signature file. First grab the signature file, then the patch file:

wget http://www.kernel.org/pub/linux/kernel/v2.6/patch-2.6.0.bz2.sign

wget -O - http://www.kernel.org/pub/linux/kernel/v2.6/patch-2.6.0.bz2 |\
tee patch-2.6.0.bz2 |\
gpg --keyserver pgp.mit.edu \
--keyserver-options auto-key-retrieve \
--verify patch-2.6.0.bz2.sign -

In this case, you're piping the download into gpg, telling it to verify the data coming in on standard input (the '-' at the end) against the detached signature file. The --keyserver and --keyserver-options items tell gpg to fetch and import the key if necessary (this example uses pgp.mit.edu as the keyserver, but there are lots: type 'keyserver' into a search engine).
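Printing the checksum still leaves the comparison to the eye, which is where a transposed digit slips through. As an added example that is not from the original post, the helper below (fetch_and_verify, a hypothetical name) uses the same tee approach but compares the SHA-256 digest against the value copied from the vendor's page and deletes the file on a mismatch, so a corrupted or tampered download cannot be used by accident. It assumes sha256sum from GNU coreutils; the URL and hash in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of wget, tee or coreutils):
# write the download to disk and hash it in a single pass, then compare the
# digest with the one the vendor published instead of reading it off the screen.

# fetch_and_verify OUTFILE EXPECTED_SHA256   (the data arrives on standard input)
# Exit 0 when the digest matches; otherwise remove OUTFILE and exit 1.
fetch_and_verify() {
    outfile=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # Refuse to consume the stream if the expected digest is not 64 hex chars.
    case $expected in
        *[!0-9a-f]*|'') echo "bad expected digest: '$2'" >&2; return 2 ;;
    esac
    [ ${#expected} -eq 64 ] || { echo "bad expected digest length" >&2; return 2; }

    # tee stores the stream in OUTFILE while sha256sum reads the same bytes.
    actual=$(tee "$outfile" | sha256sum | awk '{print $1}')

    if [ "$actual" = "$expected" ]; then
        printf 'OK   %s  sha256=%s\n' "$outfile" "$actual"
        return 0
    fi
    printf 'FAIL %s\n  expected %s\n  got      %s\n' "$outfile" "$expected" "$actual" >&2
    rm -f "$outfile"        # do not leave a file that failed verification lying around
    return 1
}

# Usage with a real download (placeholder URL and digest):
#   wget -O - https://www.example.com/large_file.tar.bz2 | \
#       fetch_and_verify large_file.tar.bz2 <sha256-from-vendor-page>
```

A download that fails or is cut short also produces a mismatch, which is the outcome you want; if you additionally care about wget's own exit status inside the pipeline, run the pipeline under bash with set -o pipefail.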

09 February 2007

Norah Jones' new album

If you get a chance, go pick up a copy of Not Too Late by Norah Jones. As much as I like her first two studio albums, I think I like this one even more.