Darth Reed

Now that I have a place to put my quasi-technical babble over at MSDN, the space is reserved for me to spew my political bile and enjoy all things sci-fi. Heh.

Thursday, December 29, 2005

bluejack Q :: Mobile Phone Bluejacking

With Citibank and other poised to issue mass quantities of RFID-enabled credit cards next year, this will be fun! Bluejacking

An SD Time email newsletter (that they don't webify for some stupid reason - hence it's clipped in its entirety since I can't link to it) reminded me to post this.

From SD Times “News on Thursday” 2005.12.29:

What the Heck Is Blue Jacking, and Can I Do It in Public?
By Alex Handy

There was a time when our wallets were the most secure location on our bodies. Then, along came cell phones and PDAs, and human beings were granted the ability to lock down their portable information with a password. But as phone and PDA technology advances, those wallets are starting to look a lot more secure.

Enter blue jacking, the act of sniffing out information transmitted via Bluetooth. While a pickpocket must be physically touching his victim in order to yank out that wad of bills, a blue jacker need only be within effective transmission range. And that range has been extended by garage-bound geeks with high-gain directional antennae. And, as is usually the case with new security vulnerabilities, many developers weren't even aware that they should have been trying to prevent such attacks.

While the art of preventing blue jacking is still in its infancy, there is now a tool to help. It's called Bluediving, and it's only just hit version 0.1 this week. But since it's an open-source project, the more cooks, the faster the soup will be finished.

Bluediving is a Bluetooth penetration tester, designed to poke Bluetooth-using hardware with the dreaded BlueSnarf, BlueSnarf ++, BlueSmack and BlueBug attacks common among cyberpunks. In addition, Bluediving can spoof Bluetooth addresses, allowing testers and their nefarious evil twins to jump into transactions and muck things up.

So for device developers and Bluetooth users, it's time to start paying attention to blue jackers. Otherwise, we'll all have to start keeping our precious information on folded sticky notes inside our wallets again.

My only criticism of Alex's piece is that he gives developers of insecure software a complete pass for developing sniffable, insecure crap and dumping it on us unawares. I don't. Security nazis have been wailing in the wilderness for DECADES about insecurity in software. This is more evidence that there are too many people who don't belong in software development -- both on the developer side AND the management side.

In my experience many of the security lapses are due to executive management pushing too aggressive a timeline to ship product and failing to take seriously the security issues raised by developers. It's time that we impose civil liability for software security violations. Where's a good attorney when you need one?! Oh, wait, there aren't any. Except mine - when I get sued. Heh. Yes, I'm talking out of both sides of my mandibles. Deal with it.

I started leaving Bluetooth turned off on my phone a couple weeks back when I caught another Avanaut (who shall remain nameless) on my current project sniffing Bluetooth traffic... unless I absolutely have to use my headset (currently busted awaiting warranty replacement Jabra 250v) or ActiveSync via Bluetooth, but I turn it right back off when I’m done. You should, too. Think of it the same way you do locking your doors or setting your car alarm.

I’ll bet most people don’t know if their Exxon-Mobile SpeedPass or even their cell phone are constantly broadcasting “Me! Hack me!"... Heh.

Strike now!

Wednesday, December 28, 2005

Battlefront: You might be a good candidate for sith lord if...

You might be a good candidate for sith lord:

  1. If you've ever been killed by the last wookie in the room... while you were reloading...

  2. If you think it sucks that killing jawas is considered "friendly fire."

  3. If you've ever gotten completely lost in Jabba's palace...

  4. If you've ever killed another player by "running him over" with a starfighter... just because you could.

  5. If you've learned that it's more dangerous to run while looking through a sniper scope than it is to run with scissors.

  6. If you've racked up more ewok kills inside an assault walker without firing your weapons than by firing them. Field goal!

  7. If you don't mind being turned into a droid just so long as it means that you get to kill gungans.

  8. If you know how many seconds of free fall you can get before you die after jumping (or falling, see #5) from Cloud City on Bespin.

  9. If you ever gone on a killing spree of just Gamorian guards while ignoring the real rebel enemy. (See #3.)

  10. If you believe the rebel scum are no better than those damn Tusken raiders. Kill 'em all and let the midichlorians sort 'em out.

You might be addicted to Battlefront if you go back and read the list again adding "More than once." at the end of each item and find that they're all still true. Heh.

Strike back!

Friday, December 02, 2005

BizTalk 2004 + .NET 2.0 not always happy together :: In case you were wondering...

Under certain circumstances, BizTalk 2004 cannot run side-by-side with .NET 2.0. Big :-( It seems to work fine on a single processor machine, but on a multiprocessor Windows 2003 Server, something ugly breaks in the threading model and any orchestration that tries to enlist an MSDTC transaction fails. There's an XLANG synchronization failure that kills the BizTalk process and forces it to restart every 60 seconds. Boo! Removing .NET 2.0 from the box cures it. If I find time later, I'll pump in more documentation of the failure.

Very big ;-(

Too bad Blogger doesn't automatically insert the right smileys. Maybe I need a new blog?

Strike out!!