Current Topic: Computer Security

RFID-Handbook - RFID: a short introduction

Topic: Computer Security
1:05 am EDT, Aug 3, 2004

] In recent years automatic identification procedures (Auto
] ID) have become very popular in many service industries,
] purchasing and distribution logistics, industry,
] manufacturing companies and material flow systems.
] Automatic identification procedures exist to provide
] information about people, animals, goods and products.

An extremely technical discussion of RFID including schematics!

RFID Exchange - Purchasing Options

Topic: Computer Security
12:58 am EDT, Aug 3, 2004

] This section shows the pricing obtained from
] manufacturers for tags, readers and related equipment. At
] present, purchasing inquiries should be made direct to
] the manufacturer or distributor. RFID Exchange will
] establish direct purchasing arrangements as soon as
] possible - please contact us for more information.

This guy has compiled a comprehensive list of companies offering rf-id developer kits. Some are extremely expensive. Some are really cheap, but not standards compliant. I like the Crosspoint unit the best.

RFDUMP.ORG - Hacking RF-ID

Topic: Computer Security
12:54 am EDT, Aug 3, 2004

] RFDump is a tool to detect RFID-Tags and show their meta
] information: Tag ID, Tag Type, manufacturer etc. The
] user data memory of a tag can be displayed and modified
] using either a Hex or an ASCII editor. In addition, the
] integrated cookie feature demonstrates how easy it is for
] a company to abuse RFID technology to spy on their
] customers. RFDump works with the ACG Multi-Tag Reader or
] similar card reader hardware.

This was one of the more interesting presentations from Black Hat. Apparently a company deployed a retail RF-ID pricing system in Germany in which the tags could be rewritten! So this guy can roll into a store with his iPaq and a PCMCIA rf-id card and recode items in the store. Unfortunately, I can't figure out how to purchase the rf-id card that is compatible with this software. So I started doing some research... See the post above...

The Doorman - Putting this portknocking silliness to rest

Topic: Computer Security
3:44 pm EDT, Aug 1, 2004

This morning there was a post on Slashdot about two *blackhat* talks about pointless twists on the PortKnocking concept, in which one of the authors confuses the concept of a one time password and a one time pad. Man, it doesn't take much to be considered a computer security expert these days. Between a flashy website, articles in all the major admin journals, Blackhat talks, and endorsement from Bruce Schneier, it's quite clear that this is one meme that has gone too far. It occurred to me that I could write a single packet stealth authenticator with better security and more flexibility than most pork knocker implementations in a single afternoon, so I did a google search, and fortunately somebody already did it.

] This particular implementation deviates a bit from his
] original proposal, in that the doorman watches for only a
] single UDP packet. To get the doorman to open up, the
] packet must contain an MD5 hash which correctly hashes a
] shared secret, salted with the client's IP address and
] the (correctly rounded) time-of-day.

No replay, no multi-port silliness, no problems with route flaps fucking up your authentication, lots of features. Straight up protection from port scanners without all of the lunacy. If you think portknocking is "cool" this is what you are looking for. You can stop writing presentations for hacker cons. It's over.
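
The listener-side check that the quoted excerpt describes, sketched as an added example; it is not the Doorman's code and not part of the original post. The 10-second slot, the field order, the `|` separator, the one-slot clock skew and the replay cache are all assumptions made here for illustration.

```python
import hashlib
import hmac

WINDOW = 10  # seconds per time slot (assumed; the page gives no value)

def knock_token(secret: bytes, client_ip: str, now: float) -> bytes:
    """MD5 of the shared secret salted with the sender's IP and the rounded time."""
    slot = int(now // WINDOW)
    # Field order and "|" separator are assumptions, not the Doorman's wire format.
    msg = b"|".join([secret, client_ip.encode(), str(slot).encode()])
    return hashlib.md5(msg).hexdigest().encode()

class Verifier:
    """Hypothetical listener-side check for one UDP payload."""

    def __init__(self, secret: bytes, skew_slots: int = 1):
        self.secret = secret
        self.skew = skew_slots   # tolerated clock drift, in slots
        self.seen = {}           # accepted token -> slot it was valid for

    def check(self, payload: bytes, src_ip: str, now: float) -> str:
        slot = int(now // WINDOW)
        # Tokens older than the skew window can never validate again; forget them.
        self.seen = {t: s for t, s in self.seen.items() if s + self.skew >= slot}
        for s in range(slot - self.skew, slot + self.skew + 1):
            expected = knock_token(self.secret, src_ip, s * WINDOW)
            if hmac.compare_digest(expected, payload):   # constant-time compare
                if payload in self.seen:
                    return "replay"     # same packet captured and resent
                self.seen[payload] = s
                return "open"
        return "reject"

def demo():
    secret = b"constructed-shared-secret"       # constructed sample values
    t0 = 1091372640.0
    v = Verifier(secret)
    tok = knock_token(secret, "192.0.2.10", t0)
    return [
        v.check(tok, "192.0.2.10", t0 + 3),      # legitimate knock
        v.check(tok, "192.0.2.10", t0 + 4),      # replayed inside the window
        v.check(tok, "198.51.100.7", t0 + 4),    # replayed from another address
        v.check(tok, "192.0.2.10", t0 + 60),     # replayed after the window
        v.check(knock_token(b"guess", "192.0.2.10", t0), "192.0.2.10", t0),
    ]

if __name__ == "__main__":
    print(demo())
```

Because the hash covers the source address, a client behind NAT has to hash the address the listener will see; a design written today would use HMAC-SHA-256 rather than a bare MD5 over the concatenated fields.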

OpinionJournal - WSJ thinks concerns about electronic voting are 'bonkers'

Topic: Computer Security
10:12 am EDT, Jul 29, 2004

] As for the theories that DREs could be programmed to change
] an election outcome, Mr. Andrew dismissed them by saying,
] "the liberal Internet activists are bonkers." John Lott,
] an American Enterprise Institute economist who has
] studied election systems, adds that some of the obsession
] about DREs, "sounds a lot like an effort to anger some
] people into voting while providing the basis for lots of
] election litigation if the results are close."

Topic: Computer Security
3:57 pm EDT, Jul 20, 2004

Well, I voted today. A few impressions.

1. There seemed to be a lot of polling locations around my apartment, and a lot of machines. No lines when I showed up (at 3). If you DOSed one machine I think it would have little effect on the outcome unless a race was very close.
2. You can't get access to the machines unless you are registered to vote in the district in question. This means that you would either have to attack your own district or you would need to be able to effectively fake the identity of someone in the district of choice while preventing them from showing up before or during your visit.
3. Old people can easily distract poll workers with stupid questions.
4. Swapping the smart cards would have been dead easy. If the system could be attacked with a bad smartcard, then you could get away with this, and you would have at least 10 minutes to play around on the console without drawing any attention.
5. You're not in an enclosed booth, so putting a sniffer inline between the smart card and the reader might get noticed. You'd have to be pretty slick to hide it. Maybe drop your copy of the league of women voter's guide on top of the reader once the card is inserted. Also, the card snaps into place in the reader. That mechanism might interfere with any custom hardware, but it depends.
6. The smart card reader is attached to the machine with a plainly visible rs232 cable. If you were really slick you might be able to place a device inline between the reader and the cable, but you might get noticed, and certainly such a device would be discovered later.
7. You could probably Van Eck phreak polling places. I don't think anyone has discussed that. I was happy to see that in Georgia they enter your registration on a scantron form. In Tennessee they used a computer, which seemed to be network connected. I figured one might be able to associate votes with people because of that.
8. If Diebold could devise a way to make the machine start beeping in the event that one of the critical processes crashed or the administrative modes were accessed this would be a somewhat effective security mechanism. Any attack would depend on a lot of sleight of hand under the noses of other people. Things that make loud noises tend to draw attention. Obviously this could never be foolproof.
9. The UI was nice. I had some trouble getting the touch screen to recognize some of my presses, but all in all it was a good voting experience.

Hackers spread hostage video

Topic: Computer Security
10:03 am EDT, Jun 18, 2004

] The origin of the video was traced to Silicon Valley Land
] Surveying Incorporated, a California land surveying and
] mapping company, said Spiegel online, the internet
] service for the respected German weekly.
]
] The magazine said that according to its research the move
] was the first time al-Qaeda had "hijacked" a website to
] broadcast its propaganda.
]
] The network usually spreads its message through Islamist
] sites but this time, Spiegel maintains, hackers created a
] special file at the company's web address at least an
] hour before global news agencies broke word of the video.

First report of Al'Q hackers

Interz0ne3 Network Security Data Visualization

Topic: Computer Security
12:50 pm EDT, Apr 20, 2004

The slides from Greg Conti's talk about Network Security Data Visualization are available here. Greg gave a very good talk. Many links and references to visualization tools.

NANOG Security Curriculum

Topic: Computer Security
3:09 pm EST, Mar 26, 2004

] NANOG actively works to produce sessions and seminars to
] help foster security on the Internet. All sessions are
] taped and converted to streaming media for all to use for
] their personal education. Slides are available for each
] session as well. Over time, this effort has generated a
] valuable online tutorial for engineers and others seeking
] to learn more about running a more secure network.

Wow. NANOG has developed an awesome collection of security presentations for previous conferences.