You shouldn't have to be an expert to be safe on a computer.

Sequoia Voting Machines Hacked to Play Pac-Man

Tuesday, January 31st, 2012 (No comments yet)
Sequoia, Diebold... what's the difference? None of them are doing their job right.
This is your Sequoia touch-screen voting machine with Pac-Man hacked onto it without disturbing any of the "tamper-evident" seals supposedly meant to protect it from hackers…

Apparently, they put tamper seals on the ports and plugins, but NOT the case itself. Therefore, the university was able to just dismantle the machine and connect on the inside instead. Pathetic attempt Sequoia, just pathetic.

Source

OnStar To Spy On People (Big Shocker…)

Tuesday, September 27th, 2011 (No comments yet) Big Business, Privacy, Technology
As if we didn't see this coming

So all that time I spent warning people about OnStar seems to have been completely justified.

OnStar was recently admonished by several senators for its plan to spy on people (even non-customers).

OnStar is apparently hoping to create a new revenue stream by collecting data about the movements of OnStar-equipped cars. Obviously, this data set will be more comprehensive—and, therefore, more lucrative—if it includes data from former OnStar subscribers as well as current ones. In an announcement e-mailed to subscribers earlier this month, the company said that, starting December 1, it would continue collecting data from subscribers even after they cancel their service. OnStar also said it reserved the right to sell aggregated and anonymized data to third parties.

Whoever somehow assumed that a big company with the capability of knowing where you are at all times wouldn't abuse that power was pretty short-sighted. Sorry.

4th Amendment Summary by the EFF

Searching... (source: http://www.flickr.com/photos/europedistrict/3947140949/sizes/s/in/photostream/)

You can't use rights you don't know about or don't understand. The Electronic Frontier Foundation has posted a summary of your 4th amendment rights to deny the government permission to search you or your belongings (digital or otherwise).

It's good to know what you can and can't do since you should know that even when you've done nothing wrong, you may still get yourself into a lot of trouble if you are careless with your privacy.

Citibank Unable to Afford Secure Web Design

Wednesday, June 15th, 2011 (No comments yet) Big Business, Security
If you're with Citibank, then YOU'RE WITH STUPID!

When I teach, I explain how most of the breaches and problems you hear in the world aren't about clever hackers or sophisticated attackers, but instead about weak and pathetic security. This has just become my new go-to example.

Basically after you logged into your account as a Citi customer, the URL contained a code identifying your account. All you had to do was change around the numbers and boom, you were in someone else's account.

What that means is that if you were to look at the address in your bar at the top of the browser, it contains the name of the website you're on and (as is typical) a whole lot of other junk like this:

http://www.citibank.com/account.asp?were=dumbascrap&we=shouldhaveknownbetter

One of the values in the "lots of other junk" area told Citibank whose account to show. If you just entered any random number, the website would think you were the user with that ID and show you their page. Even when this kind of problem was new over a decade ago, it seemed pretty dumb for major websites to be this sloppy. To think that a site run by such a large (and rich) company would make this kind of mistake would be laughable if it weren't so contemptible.
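The missing check described above, sketched as an added example (this is not Citibank's code): one handler trusts the account number in the URL, the other compares the record's owner to the logged-in session, and a small log check flags a session that keeps asking for accounts it does not own. The parameter name `account_id`, the accounts, the session tokens and the threshold are all constructed for illustration.

```python
from urllib.parse import parse_qs

# Constructed sample data: account id -> record. All values are invented.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 250},
    "1002": {"owner": "bob", "balance": 9000},
}
# Constructed session store: session token -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def view_account_vulnerable(session_token, query_string):
    """Checks only that the caller is logged in, then trusts the URL's id."""
    if session_token not in SESSIONS:
        return 401, None
    # "account_id" is a hypothetical parameter name, not the real site's.
    account_id = parse_qs(query_string).get("account_id", [""])[0]
    account = ACCOUNTS.get(account_id)
    if account is None:
        return 404, None
    return 200, account  # no check that the account belongs to the caller


def view_account_checked(session_token, query_string):
    """Same lookup, but the server compares the record's owner to the session."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None
    account_id = parse_qs(query_string).get("account_id", [""])[0]
    account = ACCOUNTS.get(account_id)
    # Answer 404 for both "missing" and "not yours" so ids cannot be probed.
    if account is None or account["owner"] != user:
        return 404, None
    return 200, account


def flag_id_probing(access_log, max_denied=3):
    """Return sessions whose denied lookups reach max_denied distinct ids."""
    denied = {}
    for token, account_id, status in access_log:
        if status == 404:
            denied.setdefault(token, set()).add(account_id)
    return sorted(t for t, ids in denied.items() if len(ids) >= max_denied)
```
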

Citi, TJX wants to thank you from the bottom of their hearts for finally doing something so stupid that we can forget about their horrible mistake (at least just a little).

Source

China Forcing Prisoners to Play Video Games for Money

Monday, June 13th, 2011 (No comments yet) Businesses and Government, Gaming
Photo shamelessly stolen from the source article: http://www.guardian.co.uk/world/2011/may/25/china-prisoners-internet-gaming-scam

I've always thought that prisoners should be made to work to support themselves and others. Maybe the Chinese have hit on something with this:

"Prison bosses made more money forcing inmates to play games than they do forcing people to do manual labour," Liu told the Guardian. "There were 300 prisoners forced to play games. We worked 12-hour shifts in the camp. I heard them say they could earn 5,000-6,000rmb [£470-570] a day. We didn't see any of the money. The computers were never turned off."

The Guardian says that prisoners were beaten if they couldn't make their quota so maybe they're taking it too far, but the idea itself is still sound.

TSA Nude Scanners Coming To American Malls

Thursday, April 28th, 2011 (2 comments) Big Business, Privacy
You're kidding, right?

So…

Wait.

What now?

A Yahoo article says that because women's clothes sizing is hard, they're going to nude scan them to figure out what they can wear. Seriously!?

Ms. Shaw, the entrepreneur, is chief executive of a company called MyBestFit that addresses the problem. It is setting up kiosks in malls to offer a free 20-second full-body scan — a lot like the airport, minus the pat-down alternative that T.S.A. agents offer.

Lauren VanBrackle, 20, a student in Philadelphia, tried MyBestFit when she was shopping last weekend.

“I can be anywhere from a 0 at Ann Taylor to a 6 at American Eagle,” she said. “It obviously makes it difficult to shop.” This time, the scanner suggested that at American Eagle, she should try a 4 in one style and a 6 in another. Ms. VanBrackle said she tried the jeans on and was impressed: “That machine, in a 30-second scan, it tells you what to do.”

That's cute. A strip search in the name of getting something to wear? So instead of wasting millions on this disrobing plan, why not standardize women's clothing and use inch measurements like men's clothes? How's that for an idea?

How long until someone hacks these poorly protected machines to record copies of all women scanned and the photos show up on the Internet? Will you put your teenage daughters in them?

This is so, so stupid, I can't believe it's actually true. I really hope this doesn't catch on because if it does, my faith in humanity will suffer yet again.

RFID Chips in Hotel Towels

Tuesday, June 14th, 2011 (No comments yet) Big Business, Privacy, Technology

As anyone who reads much of my site knows, I'm not a fan of how RFID is being implemented. However, I'm not against the technology itself as it has many practical uses. For example, some hotels have begun putting washable RFID in the towels and bathrobes to keep people from stealing them.

Since the RFID towels have no privacy-invading purpose at all and serve to deter self-entitled punks who think it's ok to take hotel items, I will offer my tentative support for this. The main concern is feature creep: depending on how they implement this, they may also know which towels you used and when. I can't really see the hotels bothering to do so, but if they did, that would be crossing the line big time.

Source: http://intransit.blogs.nytimes.com/2011/04/11/gee-how-did-that-towel-end-up-in-my-suitcase/ (H/T to The Consumerist for the link)

PS3 Versus the World

Thursday, February 10th, 2011 (1 comment) Big Business, Gaming

Sony has been going crazy trying to keep clever users from unlocking the PS3 to run homebrew (like the Wii hack which I love!).

First of all, companies are trying everything they can, but in the end it won't amount to much. Consider that all it takes is one person anywhere in the world to figure out the encryption codes (not the real name, but it's simpler) who then shares it online (like in this hilarious example where a user tricked a Sony spokesperson into sharing a PS3 related code to his audience of thousands on Twitter!).

And yet companies get increasingly difficult and stupid about trying to protect their games which only makes things harder for the legitimate users (obligatory comic referencing this concept). All I can say is good luck Sony.

UK Immigration Officer Put Wife on No-Fly List

Thursday, February 10th, 2011 (No comments yet) Businesses and Government, Security

This is awesome terrible. Apparently a UK immigration officer added his wife to the no-fly list when she was out of country effectively stranding her.

Based on the lack of details and the fact that she could have just taken a ferry instead of an airplane, this story doesn't really seem that likely, but it's making the rounds, and the most important issue here is the possibility of a single government official, working alone, abusing the system. While important security databases are poorly controlled, these kinds of abuses are possible.

Speaking of, I found a supposed copy of the no fly list online. Check it out!

Wikileaks Prepares; Bank of America Panics

Thursday, January 20th, 2011 (No comments yet)

I'm fairly ambivalent about the whole Wikileaks issue. I've long been a supporter of whistleblowing in general as companies and the government should be held accountable for abuses and wrong-doing and often it's only fully public scandals that allow that to happen (though sometimes not even then).

Anyway, as to whether Wikileaks has done anything wrong, one must first ask if there was anything posted that caused significantly more harm than good (which so far has been a "no" it seems).

But to the point, Wikileaks is expected to release a lot of data about Bank of America very soon. There's a lot of speculation, but more interestingly, there are reports that Bank of America is preparing focused teams to respond to whatever drops when it drops.

I look forward to seeing how slime covered that rock is when it's lifted.
