Category Archives: Security

Rogue Police Officers Attack DJs in San Francisco

Police raids of parties in San Francisco at the end of 2009 started a series of protests and then legal action by the EFF. The EFF site makes the case that police acted in violation of the law.

San Francisco law currently requires after-hours parties with live DJs to get a permit, and failure of those throwing the party to do so can be punished as a misdemeanor. But DJing an unpermitted party is not a crime, and certainly not one for which one’s laptop could be forfeited and held. EFF brought witnesses from the Halloween party and other events to testify that what happened to our clients was part of a pattern of illegal police practices, including rifling through purses and backpacks to find and seize laptops from people who were not even DJing.

They bust into parties and seize random laptops? This sounds like a story from a war-torn or undeveloped country. Perhaps you have the urge to be angry at the San Francisco police. You and the EFF might be right. Note, however, that the story has been boiled down by the SFBG to the actions of just one or two police officers.

Two undercover enforcers have been at the center of just about every recent case of nightclubs or private parties being raided without warrants and aggressively shut down, their patrons roughed up (see “Fun under siege,” 4/21/09) and their money, booze, and equipment punitively seized “as evidence” (see “Police seize DJs laptops,” 11/24/09) even though few of these raids result in charges being filed in court.

Officer Larry Bertrand of the San Francisco Police Department’s Southern Station and Michelle Ott, an agent with the California Department of Alcoholic Beverage Control, are plainclothes partners who spend their weekends undercover, crashing parties, harassing disfavored nightclubs, brutalizing party-goers, and trying to send the unmistakable message that they’re in charge of San Francisco nightlife. Neither responded to our interview requests.

People often ask me how PCI can work if every QSA comes up with a different interpretation of the requirements. I say take a look around (e.g. try being a DJ at a party in SF). We interpret rules every day everywhere we are. A compliance standard is based on interpretations and the resolution of disagreement — it is all part of the process. One QSA opinion does not spoil the standard, just like one nail that bends does not ruin the bag.

My guess is that other police officers not only disagree with Bertrand and Ott’s tactics but also realize that they are generating a backlash that could change the laws (protect the public) regarding seizure of electronic evidence.

Sudo privilege escalation flaw (CVE-2010-2956)

A CVE note that popped up this morning is linked to sudo versions before 1.7.4p4. The CVE record is not complete yet but apparently sudo fails to restrict user access when using Runas groups with group (-g) command line option. Secunia says it is related to the -u option. Sudo.ws puts it all together and explains it’s the -g with the -u.

Beginning with sudo version 1.7.0 it has been possible to grant permission to run a command using a specified group via the sudo -g option (run as group). A flaw exists in the logic that matches Runas groups in the sudoers file when the -u option is also specified (run as user). This flaw results in a positive match for the user specified via -u so long as the group specified via -g is allowed by the sudoers file.

In either case a local user could escalate privileges, but only within the Runas and command bounds already defined in the sudoers file. Examples of how to test the flaw are conveniently listed by Sudo.ws.
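An added audit helper (my own example, not code from Sudo.ws or the advisory) for the two things an administrator wants to know here: whether an installed sudo version falls in the affected range (1.7.0 up to but not including 1.7.4p4, as the post states), and which sudoers entries carry a Runas group, since only those entries are exposed to the -u/-g matching flaw. The sample sudoers content is constructed, and Runas_Alias expansion is assumed out of scope.

```python
import re

# CVE-2010-2956: Runas-group matching flaw present in sudo 1.7.0 through 1.7.4p3,
# fixed in 1.7.4p4 (version bounds as stated in the post).
FIRST_AFFECTED = (1, 7, 0, 0)
FIRST_FIXED = (1, 7, 4, 4)

def parse_version(text):
    """Turn '1.7.4p4' into (1, 7, 4, 4); a missing 'pN' suffix counts as p0."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised sudo version: %r" % text)
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))

def is_vulnerable_version(text):
    return FIRST_AFFECTED <= parse_version(text) < FIRST_FIXED

# Runas spec inside a user specification: "(user)", "(user : group)" or "(: group)".
RUNAS_RE = re.compile(r"\(([^:)]*)(?::([^)]*))?\)")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def runas_group_entries(sudoers_text):
    """List (line_no, runas_user, runas_group) for every user spec whose Runas
    list names a group, i.e. the entries the flaw applies to.
    Assumption: Runas_Alias definitions are not expanded."""
    hits = []
    for n, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        for m in RUNAS_RE.finditer(line):
            group = (m.group(2) or "").strip()
            if group:                             # empty user part = invoking user
                hits.append((n, m.group(1).strip(), group))
    return hits

# Constructed sample sudoers, not taken from any real host.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults    env_reset
root    ALL=(ALL) ALL
%wheel  ALL=(ALL:ALL) ALL
alice   ALL=(:www-data) /usr/bin/less /var/log/apache2/*
bob     ALL=(operator) /usr/sbin/shutdown
"""

if __name__ == "__main__":
    for ver in ("1.6.9p23", "1.7.2", "1.7.4p4"):
        print(ver, "vulnerable" if is_vulnerable_version(ver) else "not affected")
    for n, user, group in runas_group_entries(SAMPLE_SUDOERS):
        print("line %d: Runas user=%r group=%r" % (n, user or "<invoking user>", group))
```

Feed it the output of `sudo -V` and the contents of /etc/sudoers; only the lines it reports need attention until the host is on 1.7.4p4 or later.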

Company tries to fire IT admin for 2 cent loss

Yahoo! News says a firm can’t fire a man charged with a 1.8 cent theft

A German company that fired a man for the theft of 1.8 euro cents (two U.S. cents) worth of electricity had no grounds for sacking him, a court ruled, dismissing the firm’s appeal against his reinstatement.

Network administrator Oliver Beel lost his job after charging his Segway, a two-wheeled electric vehicle, at work in May 2009. After he connected the vehicle to the firm’s power source for 1-1/2 hours, his boss asked him to remove it.

Twelve days later Beel found himself without a job.

They might have had a better chance if they had a policy specifically against charging vehicles. Then some kind of violation could have been claimed. Instead the court highlighted that employees charged cell phones and other devices without penalty.

Free Laundry! Stored Value Card Password Fail

ihack ? iam has posted a highly amusing and detailed analysis of Web Laundry (In)Security

Ok, now we just need to guess the write 7 password. The password is 24 bits… That gives us 16,777,216 attempts to brute force it. At 4 attempts per card that will take 4,194,304 cards or 2,097,152 cards on average… There must be an easier way… My next idea was to sniff the traffic between the reader and card to get an idea of what kind of data is being passed back and forth, then after wading through the paper above, implement the algorithm to crack the cipher itself. Then I found this little ditty in the datasheet

[…]

Surely you would think the engineer(s) implementing this weren’t negligent enough to leave the default password… you would be wrong.

This is very much along the same lines as my presentation at The Next HOPE on Keypad Entry Systems. Start with the most basic tests and you will be surprised how quickly things fail, even things sold as “Unmatched Security and Cutting Edge Technology”.