
Saturday, March 22, 2008
Monday, March 10, 2008
iphone's ambiguous http-auth
I'm a little disappointed at Apple. While I think the iPhone is a pretty nice piece of work and their browser is pretty nice too, I don't like the way it handles HTTP-AUTH. (There are other gripes I have, like no "find" feature in Safari or the mail app, but we'll stick with a security problem for now). Most browsers are kind enough to display on the "safe" pop-up login box which website requested the authentication. This is not so with iPhone Safari.
Not only does the pop-up "enter your password" box fill the whole screen (a rather necessary evil), but it doesn't display the domain, URL or any information about the website where you're sending your credentials. If I had some free time, I would hack together a quick demo to show how, using iframes (suitably) or images, I can make you think you're logging into one site but you are actually sending your password to another one entirely. It does indicate whether you are sending your password in the clear or if the connection is secured with TLS/SSL, but in a subtle gray font under the login boxes.
I want to know where my password goes!
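As an added example (not code from the original post), here is the information a login prompt should assemble before a credential leaves the browser: the origin that answered 401, whether that origin differs from the page the user is looking at (the iframe/image case above), and whether the channel is encrypted. Function names and the sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# token=value or token="quoted value" pairs from a WWW-Authenticate header
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')

def origin_of(url):
    """Return (scheme, host, port) with the default port filled in."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme.lower(), p.hostname.lower(), port)

def origin_str(origin):
    """Render an origin the way a prompt should show it (no path, no query)."""
    scheme, host, port = origin
    default = 443 if scheme == "https" else 80
    return f"{scheme}://{host}" + ("" if port == default else f":{port}")

def parse_challenge(header):
    """Split a WWW-Authenticate value into (auth scheme, params dict)."""
    scheme, _, rest = header.strip().partition(" ")
    params = {}
    for m in _PARAM_RE.finditer(rest):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        params[m.group(1).lower()] = value.replace('\\"', '"')
    return scheme.lower(), params

def describe_challenge(page_url, resource_url, www_authenticate):
    """Facts a login dialog should state before asking for a password."""
    auth_scheme, params = parse_challenge(www_authenticate)
    page, target = origin_of(page_url), origin_of(resource_url)
    cross_origin = page != target        # subresource served by another site
    encrypted = target[0] == "https"
    realm = params.get("realm", "")
    lines = [f"{origin_str(target)} ({auth_scheme} auth, realm {realm!r}) "
             "is asking for a username and password."]
    if cross_origin:
        lines.append("Warning: this is NOT the site you are viewing "
                     f"({origin_str(page)}).")
    if not encrypted:
        lines.append("Warning: the password will be sent in the clear.")
    return {"auth_scheme": auth_scheme, "realm": realm,
            "target": origin_str(target), "cross_origin": cross_origin,
            "encrypted": encrypted, "message": "\n".join(lines)}

if __name__ == "__main__":
    # constructed sample: a page on one site embeds an image from another
    print(describe_challenge("https://bank.example/login",
                             "http://images.third-party.example/pixel.png",
                             'Basic realm="Members Only"')["message"])
```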
Tuesday, January 22, 2008
Drive-by pharming (really) exists!
According to my colleague at Symantec, Drive-By Pharming has been spotted in the wild.
Maybe this indicates that attackers read academic papers?
I presented our paper (finally) in China last December. It was pretty fun...
Wednesday, December 12, 2007
battery woes
I'm traveling right now and I am taking along my teeny little 12" PowerBook which has been good to me for many years. Only, this time, I upgraded it to Leopard and I think it messed up my battery stuff. (Also, upgrading may not have been a good idea since Leopard heavily uses CoreImage, and this computer doesn't support it. The 12-incher is also the minimum specs for the OS: 867MHz, 640MB RAM, 32MB GeForce 4MX video).
I noticed that it goes to sleep quickly -- say when the battery was drained less than half -- and it charges quickly. This led me to believe it might be a power management issue, so I rebooted the machine and reset the PMU and PRAM. No luck. Still problems. I decided to "condition" the battery, or drain it all the way and charge it again, but I planned to monitor the battery status with pmset (a Mac OS X command line utility). Here's its output:
sid-stamms-powerbook-g4-12:~ sidstamm$ pmset -g pslog
pmset is in logging mode now. Hit ctrl-c to exit.
12/12/07 4:57:20 AM GMT-05:00
Currently drawing from 'Battery Power'
-InternalBattery-0 98%; discharging; 10:00 remaining
12/12/07 4:57:24 AM GMT-05:00
-InternalBattery-0 97%; discharging; 10:00 remaining
12/12/07 5:05:05 AM GMT-05:00
-InternalBattery-0 96%; discharging; 10:00 remaining
12/12/07 5:14:44 AM GMT-05:00
-InternalBattery-0 95%; discharging; 10:00 remaining
12/12/07 5:25:30 AM GMT-05:00
-InternalBattery-0 94%; discharging; 10:00 remaining
12/12/07 5:34:33 AM GMT-05:00
-InternalBattery-0 93%; discharging; 10:00 remaining
12/12/07 5:45:17 AM GMT-05:00
-InternalBattery-0 92%; discharging; 10:00 remaining
12/12/07 5:54:55 AM GMT-05:00
-InternalBattery-0 91%; discharging; 10:00 remaining
12/12/07 6:03:09 AM GMT-05:00
-InternalBattery-0 90%; discharging; 10:00 remaining
12/12/07 6:11:24 AM GMT-05:00
-InternalBattery-0 89%; discharging; 10:00 remaining
12/12/07 6:19:20 AM GMT-05:00
-InternalBattery-0 88%; discharging; 10:00 remaining
12/12/07 6:20:08 AM GMT-05:00 Sleeping...
12/12/07 6:20:08 AM GMT-05:00
-InternalBattery-0 0%; discharging; 0:00 remaining
Notice how it drops into sleep at 88%, and the perceived status drops to zero... I think either this battery is toast, or Leopard destroyed it. (I verified the full/empty statuses by pushing the meter button on the battery itself, watching the LEDs tell me how full it is.)
Anyhow, I'm going to let it try to charge all night, even though it will surely give up. Maybe the Internets will tell me what's going on, or maybe I'll just use it as a portable desktop computer. I'll follow this post up with results from pmset while charging to see what it tells me.
Here's some info from system profiler about the battery as it begins charging:
Battery Information:
Charge Information:
Charge remaining (mAh): 177
Charging: Yes
Full charge capacity (mAh): 20494
Health Information:
Cycle count: 294
Battery Installed: Yes
Amperage (mA): 2079
Voltage (mV): 12250
Thursday, November 01, 2007
drive-by pharming (kind-of) exists!
TidBITS is reporting a Mac OS X Trojan that masquerades as a QuickTime codec; the idea is that people are told to install this codec to view a sketchy video on the web, then when they do, the "codec" actually manipulates their computer's DNS settings. Very reminiscent of drive-by pharming, but more obvious than a simple CSRF.
Link to more drive-by pharming info.
Friday, September 28, 2007
expensive ice
I have a math problem:
Assume both 1) and 2) are 16 ounce beverages.
1) hot coffee = $1.80
2) iced coffee = $2.30
Let me rephrase:
1) coffee + paper cup = $1.80
2) coffee + plastic cup + ice = $2.30
This means that
plastic cup + ice - paper cup = $2.30 - $1.80 = $0.50
In English, the cost of ice and the cost of using a plastic cup instead of paper is $0.50. But wait, there's more: there is less coffee in the iced coffee since ice replaces roughly 50% of it!
Okay, so this means:
1) 1.0*coffee + paper cup = $1.80
2) 0.5*coffee + plastic cup + ice = $2.30
Thus:
plastic cup + ice = $0.50 + 0.5*coffee
Let's go out on a limb and say that the paper cup costs $0.80, which is probably an extreme upper bound. This makes the equations a bit easier:
1) 1.0*coffee + $0.80 = $1.80 :: 1.0*coffee = $1.00
2) 0.5*coffee + plastic cup + ice = $2.30
:: $0.50 + plastic cup + ice = $2.30
:: plastic cup + ice = $1.80
This is friggin' ridiculous. There's no way that a cup costs more than a dollar, you can get a pack of 1000 of the exact cup I'm drinking from for $120; that's twelve cents each. That means that the ice must cost $1.68!!! There's no way it costs that much to make ice, especially when you use it in frappés all day and make it in bulk.
I hope the owner of Java Haute reads this.
Saturday, June 30, 2007
celebrity
This is a random mood construction I wrote after biking along the bay...
The wind tore through the land, causing the million golden, fibers of grass to murmur in gossip. Seagulls hung lazily in the air, craning their necks into the wind, attempting to get ahead of the others. The water rippled, insistently swimming in circles, consuming the algae on the rock-lumped shore.
The hills in the distance slouched in their balcony seats, squinting at the sun as it hung low in the west. The slouching was necessary to avoid the cheese-slice railing of the power lines, long wires segregating the hazy picture into sea and sky.
Alongside the insistent murmurs of the whispering grass stalks, an asphalt carpet rolled out, marking a path for celebrities and holding back the landscape from getting in the way. This swervy pavementrain conducts many elite passengers between venues, allowing a voyeuristic view into the dangerous wild; a view without the bane of submitting to the whispering mass of conspiracy amidst the shores of the bay.
And then: the paparazzi.
Thursday, June 21, 2007
small victory for privacy
"A U.S. appeals court in Ohio has ruled that e-mail messages stored on Internet servers are protected by the Constitution as are telephone conversations and that a federal law permitting warrantless secret searches of e-mail violates the Fourth Amendment."
"ISPs, the ruling states, have 'mere custody' over the e-mail and subpoenaing them 'is insufficient to trump the Fourth Amendment warrant requirement.'"
"[David Rivkin] said that, even given the expectation of privacy, the context of the effort to access the data -- whether it was part of a criminal case or an intelligence-gathering effort, for instance -- had to be considered."
Link