Being "always on" is being always off, to something.

Lawrence Krauss and Natalie Jeremijenko | Seed Video

Topic: Science
6:01 am EDT, May 2, 2008
The Star Trek physicist enters the Seed Salon to discuss participation, the politics of knowledge production, and seduction with the artist/engineer.
Matasano Chargen » Retsaot is Toaster, Reversed: Quick ‘n Dirty Firmware Reversing

Topic: Technology
6:01 am EDT, May 2, 2008
I recently worked on a project that involved embedded systems and reverse engineering. This sort of territory can be a little hairy the first few times out. I ran into some interesting challenges and discoveries along the way which I thought might be worth writing a little bit about. I can’t tell you what the target was. But, it was important. And, we beat the crap out of it. So instead, I’ll tell you what I wish it was: a networked 4-slot toaster. Now… to make things interesting: early on, I’d discovered a vulnerability in the toaster that allowed any attacker to load their own firmware on the device. Ouch! My toast! My beautiful toast! In order to drive home the risk (mostly to the vendor) of the firmware loading vulnerability, I was asked by my customer (also the vendor’s customer) to demonstrate the attack by actually loading malicious firmware onto the device and getting it to run. Mind you, the request to prove this is actually pretty sane. I had little knowledge of the boot loader, or even of the firmware image format. I couldn’t say for sure that there wasn’t a code-signing feature, which would prevent the toaster from loading any image that wasn’t cryptographically signed by the vendor. That would have rendered the firmware loading attack impotent. To make things worse, the vendor was being pretty light on details. Can’t say I blame them.
Companies May Be Held Liable for Deals With Terrorists, ID Thieves

Topic: Politics and Law
6:01 am EDT, May 2, 2008
If you're a security pro, you might be familiar with the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) requirements, which basically require companies to check their customers' identities against a list of known terrorists to prevent them from unwittingly providing products or services to an enemy. Most major credit bureaus check customers and applicants against these lists, so if you're vetting your partners and customers that way, you're probably covered. However, you may not have heard yet about the Federal Trade Commission's "Red Flag" program, which is designed to warn companies when they are about to do business with identity thieves or money-laundering operations. The Red Flag program, which takes effect Nov. 1, requires enterprises to check their customers and suppliers against databases of known online criminals -- much like what OFAC does with terrorists -- and also carries potential fines and penalties for businesses that don't do their due diligence before making a major transaction. "The final rules require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program for combating identity theft in connection with new and existing accounts," the FTC says in the rules, which were passed last year.
A Colombian Vision for Iraq

Topic: War on Terrorism
6:01 am EDT, May 2, 2008
Robert Kaplan: All the debate about Colombian free trade has obscured something important: Colombia is far safer now than it was five years ago. In fact, if Iraq were reclaiming terrorist-controlled areas as effectively as Colombia is, even the most die-hard opponents of the Iraq War would admit error. Colombia is, after Iraq and Afghanistan, our third-biggest nation-building project, and it is by far our most successful. Colombia demonstrates the value of the indirect approach in our overseas military deployments. Our military role there, started by Bill Clinton and continued by George W. Bush, has been significant: Army Special Forces have trained elite Colombian units, who have in turn engaged the narco-terrorists. When I first visited Colombia in early 2003, the border with Venezuela was a no-go zone. Now new businesses are opening, and the streets are crowded, even at night. Parts of the south and east are experiencing the same success. Indeed, by 2006 I could visit large swathes that were inaccessible before. Colombia is what Iraq should eventually look like, in our best dreams. Colombian President Alvaro Uribe has fought -- and is winning -- a counterinsurgency war even as he has liberalized the economy, strengthened institutions, and improved human rights. Nuri al Maliki and Hamid Karzai could learn from him. The failure of Congress to pass a free-trade pact indicates that the greatest threat to our power is our own domestic dysfunction. What should be the icing on the cake to a successful nation-building program has become an embarrassment.
Zorba: The XQuery Processor

Topic: Technology
6:01 am EDT, May 2, 2008
Zorba is a general purpose XQuery processor implementing in C the W3C family of specifications. It is not an XML database. The query processor has been designed to be embeddable in a variety of environments such as other programming languages extended with XML processing capabilities, browsers, database servers, XML message dispatchers, or smartphones. Its architecture employs a modular design, which allows customizing the Zorba query processor to the environment’s needs. In particular, the architecture of the query processor allows a pluggable XML store (e.g. main memory, DOM stores, persistent disk-based large stores, S3 stores). Zorba runs on most platforms and is available under the Apache license v2.
On the Battlefield, There Are No Surprises

Topic: Military Technology
6:01 am EDT, May 2, 2008
Commanders on the battlefield will soon be able to anticipate enemy moves through Deep Green, a new program developed in part by USC's Viterbi Information Sciences Institute.
Old Wine in a New Bottle: Subprime Mortgage Crisis—Causes and Consequences

Topic: Home and Garden
6:01 am EDT, May 2, 2008
This paper seeks to explain the causes and consequences of the United States subprime mortgage crisis, and how this crisis has led to a generalized credit crunch in other financial sectors that ultimately affects the real economy. It postulates that, despite the recent financial innovations, the financial strategies—leveraging and financial risk mismatching—that led to the present crisis are similar to those found in the United States savings-and-loan debacle of the late 1980s and in the Asian financial crisis of the late 1990s. However, these strategies are based on market innovations that have heightened, not reduced, systemic risks and financial instability. They are as the title implies: old wine in a new bottle. Going beyond these financial practices, the underlying structural causes of the crisis are located in the loose monetary policies of central banks, deregulation, and excess liquidity in financial markets that is a consequence of the kind of economic growth that produces various imbalances—trade imbalances, financial sector imbalances, and wealth and income inequality. The consequences of excessive risk, moral hazards, and rolling bubbles are discussed.
Regional Computer Forensics Laboratory: Program Annual Report

Topic: Technology
6:01 am EDT, May 2, 2008
RCFLs are a network of digital forensics labs sponsored by the FBI and staffed by local, state, and federal law enforcement personnel. These labs are available—free of charge—to 4,750 law enforcement agencies across 17 states. Yes, RCFLs perform digital forensic exams in cyber crime cases, but they contribute to so many more kinds of investigations: terrorism, espionage, public corruption, civil rights, organized crime, white-collar crime, and violent crime. These days, computers and other technological devices are such a part of daily life that you’d be hard-pressed to find any type of criminal or terrorist who doesn’t use one. And when they do, RCFL examiners are there to extract and enhance information from these devices that may serve as evidence at trial. You can read all about the accomplishments of these 14 labs—collectively and individually—in the RCFL Program’s Fiscal Year 2007 Annual Report.
DoD Computer Network Operations: Time to Hit the Send Button

Topic: Military Technology
6:01 am EDT, May 2, 2008
The Department of Defense (DoD) is rapidly moving forward into the cyber domain of warfare, but the United States Government is not ready to exploit this evolution in Civil-Military affairs. With the United States facing new threats to its national security at home and abroad like never before, U.S. policy and law must change to enable DoD to fully defend and fight in cyberspace. Due to the highly automated and interconnected nature of U.S. critical infrastructure, it is not practical to erect a barrier between military and civilian operations that can serve U.S. national interests. Within the interagency framework, DoD should serve as the lead, including the response phase whenever defense critical infrastructure is involved or when a cyber attack has seriously affected other national critical infrastructure. To enable this transformation, the Posse Comitatus Act (PCA) should be amended or rescinded so DoD can conduct full defensive and offensive cyberspace operations against all required targets.
Putting Meat on The Table: Industrial Farm Animal Production in America

Topic: Business
6:01 am EDT, May 2, 2008
A lack of consistent and transparent regulations governing concentrated animal feeding operations (CAFOs) is underscored by a report released today by the Pew Commission on Industrial Farm Animal Production (PCIFAP) and the National Conference of State Legislatures (NCSL). The report is entitled Concentrated Animal Feeding Operations: A Survey of State Policies. The survey is just one aspect of PCIFAP’s 2½-year study of the effects of industrial farm animal production on public health, the environment, rural communities, and animal welfare. Because of its familiarity with state regulatory issues, the Commission asked NCSL to conduct a 50-state survey of the appropriate state regulatory agencies in hopes of gaining a better understanding of the regulations already on the books, as well as whether the states have the resources available to implement those mandates. “State and local governments have developed a patchwork of regulations typically using federal regulations as a basic guideline that can vary from jurisdiction to jurisdiction. That may result in imbalanced and ineffective enforcement,” said John Carlin, Commission chairman and former Kansas Governor. The survey highlights the patchwork of regulation from state to state, and in many cases, a complete lack of regulation in areas that are essential to protecting public health and the environment. While many states do have regulations beyond federal requirements, it is clear that the regulation has not caught up with the CAFO model of food animal production. Kentucky, for example, is contemplating whether or not to even continue regulating CAFOs. And other states, like New Mexico, have limited policies on animal feeding operations and rely on the Environmental Protection Agency (EPA) to regulate CAFOs in their states. What is actually being done to regulate CAFOs within the EPA delegated states is obscure. South Dakota refused to respond to the survey and Mississippi responded only minimally.
It should be noted that all information requested from state agencies is supposed to be available to the public. The survey also revealed that several states have made strides in their attempt to mitigate the potential threats posed by CAFOs. Oregon, for example, has gone beyond regulating just those facilities that fit the federal definition of a CAFO, and thus regulates more than double the number of animal feeding operations that federal law requires. California, a state that faces ongoing water quality issues, appears to be working diligently to curb any runoff from CAFOs into water sources. While this survey showed that some states appear to be setting comparably robust examples of CAFO regulations, the survey did not address the actual enforcement of their respective policies.