Monthly Archives: April 2012

Food, Security

Penguin Satellite Surveillance

Leave a comment

Scientists are perfecting their ability to survey penguins by using high-resolution satellite imagery. The birds now can only hide by flying (underwater)

The satellites are actually providing the first ever species-wide population count of an animal. The space-based species census had good news:

“We are delighted to be able to locate and identify such a large number of emperor penguins,” lead author Peter Fretwell, a geographer for the British Antarctic Survey, said in a press release. “We counted 595,000 birds, which is almost double the previous estimates of 270,000 – 350,000 birds. This is the first comprehensive census of a species taken from space.”

Any guesses what the next target species will be? The secret sauce to the surveillance seems to be linked to waste analysis.

Although finding a great splurge of penguin poo on the ice is a fairly straightforward – if laborious – process, counting individual birds in a group huddle is not, even in the highest resolution satellite pictures.

This means the team therefore had to calibrate their analysis of the colonies by using ground counts and aerial photography at some select sites.

Penguin Guano from Space
The Guardian in 2009 showed penguin guano from space

Few probably realise that waste is one of the primary ways to find and monitor them (e.g. tracking is all about impact). I’ve written before about the security implications of innovative recycling and avoiding centralised sewer systems. Analysis of waste, especially water quality, tells us a lot about behaviour to predict risks. In this case the scientists are trying to predict how climate change affects the penguins but the methodology could easily be flipped around.

Security

CVE-2012-1182: Samba root remote exploit

Leave a comment

Update immediately to Samba 3.6.4, Samba 3.5.14 and 3.4.16, although patches even have been made available for versions out of support.

== Subject: “root” credential remote code execution.
==
== CVE ID#: CVE-2012-1182
==
== Versions: Samba 3.0.x – 3.6.3 (inclusive)
==
== Summary: Samba 3.0.x to 3.6.3 are affected by a
== vulnerability that allows remote code
== execution as the “root” user.

Security

Disabling Stolen Phones

1 Comment

Here are some answers to questions I’ve been asked recently by reporters on the U.S. stolen phone registry.

> How does this plan work from a security standpoint?

Phones are meant to have a unique identifier. GSM phones, for example, use the International Mobile Equipment Identity (IMEI). This is similar to a Media Access Control (MAC) address many people are familiar with for networking equipment. It’s used by carriers for billing and linking services/support to devices. An identifier tends to includes manufacturer and model information as well as a unique serial. It also has a check digit to help prevent fake numbers.

Carriers could in theory use an identifier to block use of a stolen phone when the identity is unique to that phone. This requires someone to report the phone as stolen, a carrier to have a current and maintained list of stolen phones, and someone to try and register the stolen phone with a carrier with a list. If one or more of these three steps does not happen then the phone can still be used.

> Why is the U.S. far behind other countries in speed in creating database for stolen mobile phones?

Unlocked phones have been more common in other countries. You can easily buy an unlocked phone from Nokia, for example, while Apple clearly does not want their users to unlock their phones. The lock-in of devices to carriers made a centralized/shared database of stolen devices less relevant. With more people using unlocked phones the need for sharing identity information becomes far more important.

> Does this actually prevent theft? If not, what would be a more effective way to do so?

It changes the market dynamics of phone theft. Criminals will try to modify the identifier on the phone when carriers block the identifier. Laws get passed to make modifying the identifier illegal but it is still possible. It turns out that there already are collisions in identifiers and it is not terribly difficult to modify the identifiers. Carriers thus also have to be capable of identifying bogus or stolen identification. This is a centralized model of security, which also raises a question of privacy risk. A centralized database may be considered by some a bigger threat to privacy than the loss of a device. A decentralized model could be where phones use encryption and self-destruction to be rendered valueless when stolen.