Category Archives: Security

POS Prints Expletives, Customers Demand Compensation

I do not have a humor category, but if I did this BBC story would surely go there. Nice example of POS control failure.

Ten friends found the abusive and sexually-explicit message on their bill at Joe Delucci’s Italian restaurant in Bird Street, Lichfield, Staffordshire.

Gives new meaning to the term “receipt”.

Ms Watkin said: “I couldn’t believe it. The bill read ‘fish cakes’, which one of us had for a starter, and it was written right above it – absolutely disgusting language.

Fish cakes for £4.95? Disgusting. Oh, I mean disgusting language, indeed!

Joe Delucci’s owner Mr Langsdon said the message had been meant to be seen only by kitchen staff and he did not know how it ended up as an item on the receipt.

He said: “That shouldn’t come out on the bill, so we’ve got to find out what’s gone wrong there.

[Image: the receipt]

I see. The problem is that the system was designed so staff could enter messages into the register and have them seen only by the kitchen staff. Clearly, then, this expletive message went to the wrong place.

But then I have to ask if “Suck My Dxxk Fxxk Face” is really a message for which the kitchen staff would have any use? Input validation seems suddenly very appropriate for wait staff.
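To make the control failure concrete, here is an added example (not from the restaurant's system or the original post) of how a register can keep free-text kitchen notes on a separate channel from priced line items, so the customer receipt is built only from items and a note cannot appear as a bill entry; the order model, field names and note rules are assumptions for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class LineItem:
    """A priced menu item: the only kind of record a customer receipt may print."""
    name: str
    price: Decimal


@dataclass(frozen=True)
class KitchenNote:
    """Free text typed at the register, destined for the kitchen printer only."""
    text: str


class Order:
    def __init__(self) -> None:
        self.items: list[LineItem] = []   # receipt channel
        self.notes: list[KitchenNote] = []  # kitchen channel, never priced

    def add_item(self, name: str, price: str) -> None:
        self.items.append(LineItem(name, Decimal(price)))

    def add_note(self, text: str) -> None:
        # Input validation on the note channel: bounded, single-line, printable.
        text = text.strip()
        if not text or len(text) > 60 or "\n" in text or not text.isprintable():
            raise ValueError("invalid kitchen note")
        self.notes.append(KitchenNote(text))


def render_receipt(order: Order) -> list[str]:
    """Customer-facing output, derived from LineItem records alone."""
    lines = [f"{it.name:<20}{it.price:>8.2f}" for it in order.items]
    total = sum((it.price for it in order.items), Decimal("0"))
    lines.append(f"{'TOTAL':<20}{total:>8.2f}")
    return lines


def render_kitchen_ticket(order: Order) -> list[str]:
    """Kitchen printer output: item names plus the free-text notes."""
    return [it.name for it in order.items] + [f"NOTE: {n.text}" for n in order.notes]


if __name__ == "__main__":
    o = Order()
    o.add_item("Fish cakes", "4.95")  # constructed sample using the post's starter price
    o.add_note("table 7: no nuts")
    print("\n".join(render_receipt(o)))
```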

Incidentally, the BBC also reports the meal cost £284.68 and the image of the receipt shows £73.45 in drinks. I don’t know why the price matters, but as long as everyone seems to be sending random data as output, I thought I would join in on the fun.

Ok, who is still worried about the POS vendors who handle money or voting machines?

How long would this type of message be stored in the system, and would it be tied to the credit card number, or a customer name?

DoubleTwist Cracks iTunes DRM

DoubleTwist announced today that, in divergence from Apple’s mostly proprietary model, you now can transfer files from iTunes to other media devices including Nokia, Microsoft and Sony:

“When you receive an email, you can read it on your Blackberry, web mail, or Outlook. E-mail just works. With digital media such as video from a friend’s cell phone or your own iTunes playlists, it’s a jungle out there. It can be an hour-long exercise in futility to convert files to the correct format and transfer them to your Sony PSP or your phone” said Monique Farantzos, co-founder and CEO of doubleTwist. “The digital media landscape has become a tower of Babel, alienating and frustrating consumers. Our goal is to provide a simple and well integrated solution that the average consumer can use to eliminate the headaches associated with their expanding digital universe.”

Quote from a PDF announcement.

Sometimes people refer to security as a headache. I’ll try to sidestep that point. Hmmm, who owns the email content? Who “owns” the digital media? Maybe that’s his point.

Personally, I think the Nokia N96 is a much better device than the iPhone but I’m not sure I have enough incentive from Apple to want to use iTunes with the Nokia. Then again, I still remember when open mp3 file servers were hosted in Sweden and shared through the supercomputer center in San Diego, so maybe I’m just behind the times and need to learn to use a “free” Apple GUI to access pay-per-use music.

US Toy and Food Safety Laws

I wrote about this issue a while ago, and now the questions I pondered are being answered. The BBC reports:

A mandatory certification programme is now being developed by the US Toy Industry Association and the CPSC as part of the House of Representatives bill on consumer safety.

The plan provides for stricter procedures for analysing safety during the design and manufacturing of toys and the testing of finished products, as well as factory audits.

Sounds good, although the fact that there are huge beef recalls in recent news does not inspire a lot of confidence in the controls system proposed. In particular, I was just reading how a massive California meat recall was started after undercover video was released by the Humane Society.

The recall by the Westland/Hallmark Meat Company, based in Chino, Calif., comes after a widening animal-abuse scandal that started after the Humane Society of the United States distributed an undercover video on Jan. 30 that showed workers kicking sick cows and using forklifts to force them to walk.

[…]

The video was embarrassing for the Department of Agriculture, as inspectors are supposed to be monitoring slaughterhouses for abuse. It surfaced after a year of increasing concerns about the safety of the meat supply amid a sharp increase in the number of recalls tied to a particularly deadly form of the E. coli pathogen.

And in another case auditors discovered that their inspectors audited the wrong Chinese facility. Controls are definitely non-trivial to design and manage properly.

“The recall is obviously the big news,” said Wayne Pacelle, president and chief executive of the Humane Society. “The longer-term problem is the inadequacies of the inspection system. How can so many downers [cows that can no longer walk] have been mistreated day after day within a U.S.D.A. oversight system that was present at the plant?

“We need more boots on the ground at the plants,” he said.

Yes, although the fact that the video on YouTube created a public outcry might suggest some technology solutions that could reduce this requirement for “boots”. Surveillance obviously has some advantages over moving bodies, especially in terms of remote locations. And the fact that surveillance, video and RFID, might also help ranchers manage their own stocks could make it a good thing for everyone. On the flip side, everyone knows that ranchers hate accuracy and measurements in the system as it shifts the balance of control away from them and into the regulators/auditors. That means higher tax and overhead implications. Like I said, controls are non-trivial to design properly.

Press Pass to RSA

Many years ago a friend who is well respected within the security community told me he was going to RSA on a press pass. “It’s free, easy and I don’t really like the conference” he explained as I asked why he did not just register to be a speaker as usual.

I suspected that he was getting some sort of weird satisfaction from getting free access through a legitimate channel, like a soft hack. Perhaps he could argue he was actually doing some press work by being so active in the security community, while at the same time no one really considered him a member of the press.

Since I will be presenting at RSA this year, or to be more accurate “leading” a peer-to-peer session, I get a full conference pass for free. But the thought did cross my mind to use the “FOR PRESS” method…

BTW, this is not just a phenomenon for RSA but any conference you might be interested in attending. The bar to prove press credentials is not terribly high:

Press credentials are restricted to press and industry research analysts who provide a business card with an editorial title, a current masthead that includes their name and a sample of a bylined article or industry-related report published within the past six months. Bloggers are subject to the same press registration process as all other media, and registration will be judged based on the credibility of the blog. Information such as the focus of the blog, the longevity of the blog, frequency of updates, Technorati ratings and number of page views will be taken into consideration.

Or maybe it is just high enough?