Fighting Terror With Jobs

A sunny afternoon in December of 1990 I hiked down from Sarangkot Summit, near the base of Annapurna north of Pokhara, Nepal. I carefully chose my steps in the loose dirt on a narrow path, trying to keep balance enough to catch a glimpse of Phewa Lake.

“Girl at Summit of Sarangkot”, Photo by Davi Ottenheimer © All rights reserved

Looking ahead I noticed a young man headed towards me. He nodded hello and I stopped to ask a question about the trail. His English was basic at best and my Nepalese was nothing to write home about. We nonetheless struck up a rudimentary discussion when I saw a book under his arm.

He said he was a Maoist. I asked him about Lenin. He was unfamiliar with the name. Marx? Never heard of him. Stalin…Mao only. He spoke of making a village strong by giving people power. No more king he said. The conversation lasted no more than ten minutes but it etched an unforgettable portrait of rural Nepalese life in my mind.

I soon realized I was witnessing the growing disillusionment of rural people and the birth of local Maoist propaganda. The period was marked by political confusion as Nepal began its experiment in democracy; King Birendra had just taken a “step away” from power in November 1990.

The BBC reports today that this struggle continues. It describes anti-rebel measures taken in India, where the level of security in a region is linked to jobs and economic development.

In Lalgarh, for example, some 125 villagers were engaged in making a small dam worth three million rupees. Five days into the work, the rebels came and asked for a meeting in the jungle with villagers and government officials.

“We could not agree so we backed out,” one official said.

The jobs scheme created an average of 52 man-days of work per household in West Midnapore during 2009-2010. But in the Maoist-affected areas it created only 36 days of work, up from 21 days of work in 2008-2010.

“But it is the only way forward to take on the Maoists,” said one official.

“This is nothing about winning hearts and minds. It’s only about giving people work before the rebels come in and convince them that they are a better option than the state.”

Boy at Sarangkot Summit offers refreshment. “Coke, One dollar! Coke, One dollar!”. Photo by Davi Ottenheimer © All rights reserved.

Charging is not supported with this accessory

Yet another odd problem with the iPhone has surfaced with virtual machines. When the USB charging/sync cable is connected to an emulated USB port, the following error pops up:

The phone then drops its connection. This is easily repeatable:

  1. Plug the phone into a USB port on the host computer and note that it is charging
  2. Boot the guest computer
  3. Connect the guest computer USB port to the iPhone
  4. Wait a few seconds as communication is established over USB and note that the phone throws an error and stops charging

Apple Support says this error message is supposed to relate to hardware:

Charging with a FireWire-based power source is not supported – except on original iPhone and iPod touch (1st generation). If you connect your device to a FireWire-based charger or accessory, you will see the alert screen below:

The solution, however, is with the software.

Here is the configuration that fixed the problem in VirtualBox. In this example the host is Ubuntu 10 and the guest is Windows 7.

Create a static USB filter with Vendor ID 05ac. Then boot the guest OS and note that the iPhone no longer throws the above error message — communication is now stable.
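The same step from the host's command line, as an added example that is not from the original post: it uses VBoxManage (VirtualBox's own CLI) to add the vendor-only filter and then re-reads the VM configuration to confirm it landed. Assumptions: the guest VM is named "Windows 7", VBoxManage is on PATH, and `showvminfo --machinereadable` prints filters as `USBFilterName<N>=`/`USBFilterVendorId<N>=` lines.

```python
import re
import subprocess

APPLE_VENDOR_ID = "05ac"          # USB vendor ID for Apple, as used in the post
GUEST_VM = "Windows 7"            # assumed name of the Windows 7 guest VM

# Assumed key layout printed by 'VBoxManage showvminfo --machinereadable'.
_FILTER_LINE = re.compile(r'^USBFilter([A-Za-z]+)(\d+)="([^"]*)"$', re.M)


def parse_usb_filters(showvminfo_output):
    """Turn USBFilter<Key><N>="value" lines into {N: {Key: value}}."""
    filters = {}
    for key, idx, value in _FILTER_LINE.findall(showvminfo_output):
        filters.setdefault(int(idx), {})[key] = value
    return filters


def has_vendor_filter(showvminfo_output, vendor_id=APPLE_VENDOR_ID):
    """True if a filter for this vendor already exists (avoids adding duplicates)."""
    return any(f.get("VendorId", "").lower() == vendor_id.lower()
               for f in parse_usb_filters(showvminfo_output).values())


def build_filter_cmd(vm, index, vendor_id=APPLE_VENDOR_ID):
    """CLI equivalent of the GUI step: a static, vendor-only filter.
    Product ID is left unset so any Apple device matches."""
    return ["VBoxManage", "usbfilter", "add", str(index), "--target", vm,
            "--name", "Apple USB (vendor %s)" % vendor_id,
            "--active", "yes", "--vendorid", vendor_id]


def _showvminfo(vm):
    return subprocess.run(["VBoxManage", "showvminfo", vm, "--machinereadable"],
                          capture_output=True, text=True, check=True).stdout


def add_apple_filter(vm=GUEST_VM):
    """Add the filter (guest powered off), then confirm it is in the VM config."""
    info = _showvminfo(vm)
    if has_vendor_filter(info):
        return False                      # already configured, nothing to do
    # Filter indexes are contiguous from 0, so the next free one is the count.
    subprocess.run(build_filter_cmd(vm, len(parse_usb_filters(info))), check=True)
    if not has_vendor_filter(_showvminfo(vm)):
        raise RuntimeError("filter did not appear in %r's configuration" % vm)
    return True


if __name__ == "__main__":
    print("added" if add_apple_filter() else "already present")
```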

I have read endless forum speculation about the cause of the charging error (cable quality, third-party hardware issues, etc.), and most threads end with “go to the Genius Bar and get a new phone”. Apple is mum on troubleshooting, but some people report success in getting the Genius Bar to give them a brand new phone under warranty.

The repeatability shown above suggests that Apple’s iPhone software, rather than just the hardware, should be suspect. The software apparently interprets the USB communication, perhaps to protect the phone from earlier-generation (FireWire) chargers or to force licensing on third-party manufacturers. Whatever the reason, hopefully Apple will soon fix the software to be more reliable.

The “Bomb Magnet”, a British Soldier in Afghanistan

The Sunday Telegraph has a fascinating first-person account of military operations in Afghanistan by the ‘bomb magnet’ soldier blown up 15 times. A Company, 4 Rifles, fought off 500 attacks and dealt with 200 IED incidents at Forward Operating Base Inkerman, Sangin, Helmand Province. One in four of the company were killed or injured in situations such as this one:

On another occasion, the sergeant major spent 26 hours in a Mastiff, which had been blown up by two Russian-made anti-tank mines stacked on top of each other.

Describing the event, he said: “We were moving down Route 611 to recover a vehicle which had been blown up after a 107mm rocket had been fired at it. The vehicle had burned for 36 hours and no one had gone near it but as soon as the fire went out, the area was flooded with kids. We recovered the vehicle and then returned along the same stretch of road two hours later on another job.

“What we didn’t know at the time was that the Taliban had managed to lay three devices in a carefully planned IED ambush in just 20 minutes, in broad daylight in an area being monitored by two bases with cameras.

Hacking passwords to Hell

Hell is actually a pizza chain, started in 1996, that now has 64 stores in New Zealand, England, Australia and Ireland:

Clever marketing strategy, but a website they used to manage customer information is said to have been breached. A police report revealed more than 230,000 “entries” at risk, with names, phone numbers, email addresses and passwords. Risky Business claims an exclusive on this story, called “I know what you ate last summer”.

One source Risky.Biz spoke to says they looked into the security of the website when rumours of the breach started doing the rounds:

Immediately I spotted the SQL Queries being made by the Flash SWF as part of the query string to the server-side. The Flash client makes queries which are hard-coded in the .swf (this is dumb as it means SQL Injection is effectively a ‘feature’ of the store).

You could easily alter the query string to show the hashes stored in the MySQL users table. I figured out the version of MySQL was 4.0 (Debian Sarge) – and the hashes in this version are very weak, cracking them would take less than a couple of hours.

MySQL was listening on a remote port, so one could simply log in remotely and run queries or dump the database slowly so as to not be noticed.
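The first of the source's findings, SQL text carried in the query string and executed as-is, shown beside the hardened form, as an added example that is not code from the original post or from the pizza chain's portal. It is a minimal server-side stand-in: sqlite3 takes the place of MySQL, and the table, rows and URLs are constructed for the example.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample data standing in for the store's customer records.
SAMPLE_ROWS = [
    ("alice@example.com", "Alice", "Large Pepperoni"),
    ("bob@example.com", "Bob", "Mushroom"),
]


def make_db():
    """In-memory sqlite3 database (stand-in for the MySQL backend)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT PRIMARY KEY, name TEXT, last_order TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_handler(url, conn=None):
    """The pattern described above: the Flash client ships a whole SQL statement
    in ?sql=... and the server runs it verbatim, so injection is a 'feature'."""
    conn = conn or make_db()
    sql = parse_qs(urlsplit(url).query).get("sql", [""])[0]
    return conn.execute(sql).fetchall()


# Hardened form: the client may only name an action; the SQL lives server-side
# and client input is bound as a parameter, never spliced into the statement.
ALLOWED_QUERIES = {
    "last_order": "SELECT last_order FROM customers WHERE email = ?",
}


def hardened_handler(url, conn=None):
    conn = conn or make_db()
    params = parse_qs(urlsplit(url).query)
    action = params.get("action", [""])[0]
    if action not in ALLOWED_QUERIES:
        raise ValueError("unknown action: %r" % action)
    email = params.get("email", [""])[0]
    return conn.execute(ALLOWED_QUERIES[action], (email,)).fetchall()


if __name__ == "__main__":
    # Same benign request both ways: only the hardened path keeps the SQL off the wire.
    print(vulnerable_handler("http://store.example/order?sql=SELECT+name+FROM+customers"))
    print(hardened_handler("http://store.example/order?action=last_order&email=bob%40example.com"))
```

The other two findings in the quote, a MySQL port reachable from the internet and pre-4.1 password hashes, are server configuration rather than application code: binding MySQL to `127.0.0.1` (the `bind-address` setting in my.cnf) and upgrading to the post-4.1 password format address them.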

Security researcher and Metasploit creator H D Moore described the security arrangements of the online ordering portal, as described above, as “about 50 steps of fail”.

HD could have gone for the 9 levels of Infernal fail, or called it divinely comical, but 50 steps is still pretty good.