WordPress 2.5
By Daniel Miessler on March 30th, 2008: Tagged as Blogging

Wow. WordPress 2.5 is a nice upgrade. I mean, serious improvements. Go get it.
What Every American Should Know About the Middle East
By Daniel Miessler on March 30th, 2008: Tagged as America | Civilization | Education | Politics

Most in the United States don’t know much about the Middle East or the people that live there. This lack of knowledge hurts our ability to understand world events and, consequently, our ability to hold intelligent opinions about those events.
For example, frighteningly few know the difference between Sunni and Shia Muslims, and most think the words “Arab” and “Muslim” are pretty much interchangeable. They aren’t. So here’s a very brief primer aimed at raising the level of knowledge about the region to an absolute minimum.
Basics
Arabs are part of an ethnic group, not a religion. Arabs were around long before Islam, and there have been (and still are) Arab Christians and Arab Jews. In general, you’re an Arab if you 1) are of Arab descent (blood), or 2) speak the main Arab language (Arabic).
Not all Arabs are Muslim. There are significant populations of Arab Christians throughout the world, including in Lebanon, Syria, Jordan, Northern Africa and Palestine/Israel.
Islam is a religion. A Muslim (roughly pronounced MOOSE-lihm) is someone who follows the religion. So you wouldn’t say someone follows Muslim or is an Islam, just as you wouldn’t say someone follows Christian or is a Christianity.
Shia Muslims are similar to Roman Catholics in Christianity. They have a strong clerical presence via Imams and promote the idea of going through them to practice the religion correctly. Sunni Muslims are more like Protestant Christians. They don’t really focus on Imams and believe in maintaining a more direct line to God than the Shia.
People from Iran are also known as Persians, and they are not Arabs.
Arabs are Semites. We’ve all heard the term anti-Semitism being used — often to describe Arabs. While antisemitism does specifically indicate hatred for Jews, the word “Semite” comes from the Bible and referred originally to anyone who spoke one of the Semitic Languages.
According to the Bible, Jews and Arabs are related [Genesis 25]. Jews descended from Abraham’s son Isaac, and Arabs descended from Abraham’s son Ishmael. So not only are both groups Semitic, but they’re also family.
Sunni Muslims make up most of the Muslim world (roughly 90%). [1]
The country with the world’s largest Muslim population is Indonesia. [2]
The rift between the Shia and Sunni started right after Muhammad’s death and originally reduced to a power struggle regarding who was going to become the authoritative group for continuing the faith.
The Shia believed Muhammad’s second cousin Ali should have taken over (the family/cleric model). The Sunni believed that the best person for the job should be chosen by the followers (the merit model) and that’s how the first Caliph, Abu Bakr, was appointed.
Although the conflict began as a political struggle, it is now mostly considered a religious and class conflict, with political conflict emanating from those rifts.
Sunni vs. Shia | Arab vs. Non-Arab
Here’s how the various Middle Eastern countries break down in terms of Sunni vs. Shia and whether or not they are predominantly Arab. Keep in mind that these are generalizations; significant diversity exists in many of the countries listed.
- Iraq: Mostly Shia (roughly 60%), but under Saddam the Shia were oppressed and the Sunni were in power despite being only 20% of the population. Arab.
- Iran: Shia. NOT Arab.
- Palestine: Sunni. Arab.
- Egypt: Sunni. Arab.
- Saudi Arabia: Sunni. Arab.
- Syria: Sunni. Arab.
- Jordan: Sunni. Arab.
- Gulf States: Sunni. Arab.
Conclusion
What’s depressing is the fact that this only took me 30 minutes to write, and you 2 minutes to read. Yet most people in the United States, including those in the media, the House of Representatives, and probably even the Pentagon, lack even this cursory level of knowledge about the region.
References
[1] The CIA World Fact Book | Field Listing - Religions
I Could Have So Much Fun With One of These
By Daniel Miessler on March 30th, 2008: Tagged as Geek | Humor
This insanely cool contraption can take sound and modify it in a highly directional fashion so that it can’t be heard in transit to a target, and then when it hits a human it sounds as if it’s coming from inside their own head. And nobody else can hear it. It “encodes” before leaving, and “decodes” when it hits the person (not really, but that’s my description).
It’s called HyperSonic Sound, or HSS. And a company called American Technology Corporation (ATC) has many patents on some devices that can do it. So a few things come to mind:
- Target church people with satanic or God messages as they leave the church, as a joke.
- Target church people with donation messages, as a crooked preacher trying to get rich.
- Point it at people in specific parts of the church during a sermon: “I know what you did Friday.”
- Targeted advertising based on profiling of visual appearance.
What other applications can you think of?
RESTful Programming and CSRF
By Daniel Miessler on March 29th, 2008: Tagged as CSRF | Information Security | Programming | Web Security

[ Edit: Disregard this post. It was written by an evil, stupid man impersonating me. No, not really. It's just wrong. The focus of REST is HTTP verbs, not actions within URLs. I knew that, but mentally pooped myself while writing this. ]
I just realized something while on the Twitter site. Shouldn’t sites built using REST principles be more susceptible to CSRF attacks? I’ve only studied REST concepts for a few minutes when building a little sample Rails app, so I could be totally off here, but follow me for a second.
REST
The concept here is for URLs to both indicate functionality to users and provide that functionality. So a URL like:
http://acme.com/products/cart/display
…would display the contents of your cart. Nice, right?
And a URL like:
http://acme.com/account/delete
…would nuke your account. Again, as you would expect from reading the URL.
CSRF
Cross Site Request Forgery (“Sea Surf”) works by getting people to follow links, via a number of methods such as embedding links in IMG tags or just plain getting them to click them via social engineering. The trick is that if you can get someone’s browser (or them) to follow a URL while they’re logged into a given site, the “action” associated with that URL will be executed using their credentials. By credentials I usually mean a valid cookie. When your browser sends requests (even for images) to remote websites, and you happen to have a cookie for that site on your system, that cookie will be sent with ALL requests to that site. It’s kind of scary, really.
I did a proof of concept on this over at DSLR recently, where just by visiting a page I could log you out of your account there. I did that via the IMG tag trick. An image on the page pointed to the logout URL, so if you had a cookie for DSLR and loaded the fake image (which the browser does for you without your knowledge), you were logged out.
How It Would Work
So that’s the thing — RESTful URLs are associated with actions, and CSRF is based on getting you to visit URLs that have actions associated with them. Imagine a CSRF campaign against ACME company where tons of links are emailed out to ACME users with the following URLs in them:
http://somesite.com/product/1234/purchase
http://somecause.com/campaign/donate
http://favoritesite.com/account/terminate
Remember that if any of the people following those links have valid cookies for those sites, they could automatically have those things happen. And if the attacker uses the IMG trick like I demonstrated, the user wouldn’t even know anything took place because it would have been their browser that performed the action, not them.
Anyway, just a thought. Maybe something to think about when working with RESTful designs.
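As an added example (not from the post and not Rails code; the session store, cookie value and handler names are constructed), here is a delete-account handler in plain Ruby, first as the post describes it, acting on the strength of the cookie alone, and then hardened so the action requires a POST carrying a per-session token that a page on another site cannot obtain. The check does not depend on how the URL is spelled.

```ruby
require 'securerandom'
# Constructed session store: cookie value => session data. The token is
# minted per session and only ever embedded in the site's own forms.
SESSIONS = { 'sid-alice' => { user: 'alice', csrf_token: SecureRandom.hex(16) } }

# A request as the handler sees it (constructed; no real HTTP stack here).
Request = Struct.new(:verb, :path, :cookie, :params, keyword_init: true)

# The browser attaches the site's cookie to every request for that site,
# including one triggered by an <img> tag on an unrelated page.
def session_for(req)
  SESSIONS[req.cookie]
end

# Vulnerable handler: a valid cookie alone is enough, so the GET fired by
# an <img src=".../account/delete"> performs the action.
def delete_account_vulnerable(req)
  return :unauthenticated unless session_for(req)
  :account_deleted
end

# Constant-time comparison so the token check leaks no timing information.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hardened handler: state changes require POST plus the session's own
# token. An <img> fetch is a GET, and a cross-site page cannot read the
# token out of the victim's session, so a forged request stops here.
def delete_account_hardened(req)
  session = session_for(req)
  return :unauthenticated unless session
  return :method_not_allowed unless req.verb == 'POST'
  token = req.params.fetch('csrf_token', '').to_s
  return :forbidden unless constant_time_equal?(token, session[:csrf_token])
  :account_deleted
end

# What the IMG-tag trick from the post produces while the victim is logged
# in: a GET with the cookie attached automatically and no token.
def forged_img_request
  Request.new(verb: 'GET', path: '/account/delete', cookie: 'sid-alice', params: {})
end
# What the site's own confirmation form produces.
def legitimate_form_request
  Request.new(verb: 'POST', path: '/account/delete', cookie: 'sid-alice',
              params: { 'csrf_token' => SESSIONS['sid-alice'][:csrf_token] })
end
```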
Getting More Out of Twitter | kenswain.com
By Daniel Miessler on March 29th, 2008: Tagged as Blogging | Microblogging | Twitter

My buddy Ken just put up a short Twitter primer over on his blog. The primer was spawned from my dumb ass accidentally responding to him directly in my Twitter window rather than via direct message. So here he’s showing us how to reply to people’s tweets directly and send direct messages to people.
Definitely good stuff to know for Twitter users.
Vidoop: Monetizing Information Security
By Daniel Miessler on March 29th, 2008: Tagged as Information Security

I’m excited about a certain type of security product, or, at least the idea of such a type of product. This product type does two things:
- Offers the same or higher level of security to the user.
- Offers that security while being easier, more transparent, or less annoying to use.
One product in this space that I’ve talked about before is BioPassword, which offers two-factor authentication based on typing characteristics. So the user thinks they’re using only one factor — the password they know — but in fact they’re uniquely identifying themselves as well, giving us the “something you are” bit.
Vidoop
The latest one I’ve seen is Vidoop. Vidoop allows users to forego static passwords and construct a one-time password (OTP) by recognizing images from pre-selected categories. So below I am being prompted to enter credentials by Vidoop.

Let’s say my categories (defined during account creation) are cars, dogs, and flowers. My password would then be LPK. We get a few things from this:
- No passwords to remember.
- Protection from keylogging since passwords are only good once.
- A visually appealing, engaging login procedure.
The unique thing about this system is that there’s a monetization element. As you can see with the screenshot, there’s a series of images. What Vidoop is doing is allowing advertisers to do product placements within the categories. So the “car” might be a Ford Mustang, for example. And Vidoop is sharing that ad revenue with those who implement the solution.
Very innovative.
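As an added illustration (not Vidoop’s code; the image catalogue, the user’s categories and the 120-second expiry are constructed assumptions), here is how a server could run this kind of image-grid OTP: the secret is the user’s ordered category list, every challenge gets fresh random letters, and a challenge is consumed on first use, which is what makes a keylogged value worthless.

```ruby
require 'securerandom'

# Constructed image catalogue: each image id belongs to one category.
IMAGES = {
  'img01' => 'cars', 'img02' => 'dogs', 'img03' => 'flowers',
  'img04' => 'cats', 'img05' => 'boats', 'img06' => 'birds',
  'img07' => 'trees', 'img08' => 'planes', 'img09' => 'houses'
}.freeze

# The user's secret is an ordered list of categories, not a string of letters.
USER_CATEGORIES = { 'alice' => %w[cars dogs flowers] }.freeze
LETTERS = ('A'..'Z').to_a.freeze

# Pending challenges, keyed by id. A challenge is deleted on first use,
# so an OTP captured by a keylogger does not replay.
CHALLENGES = {}

# Issues a grid in which every image carries a fresh, distinct random letter.
# Returns [challenge_id, { image_id => letter }] for the page to render.
def issue_challenge(user)
  letters = LETTERS.sort_by { SecureRandom.random_number }
  ids = IMAGES.keys.sort_by { SecureRandom.random_number }
  grid = ids.zip(letters).to_h
  id = SecureRandom.hex(8)
  CHALLENGES[id] = { user: user, grid: grid, issued_at: Time.now }
  [id, grid]
end

# The OTP the server expects: the letter shown on the image from each of
# the user's categories, taken in the user's category order.
def expected_otp(user, grid)
  USER_CATEGORIES.fetch(user).map { |cat| grid.fetch(IMAGES.key(cat)) }.join
end

# Checks one submission. The challenge is consumed whatever the outcome,
# and a stale grid is rejected even if the letters are right.
def verify(challenge_id, user, submitted, now: Time.now)
  challenge = CHALLENGES.delete(challenge_id)
  return :unknown_challenge unless challenge && challenge[:user] == user
  return :expired if now - challenge[:issued_at] > 120
  submitted.to_s.upcase == expected_otp(user, challenge[:grid]) ? :ok : :wrong_otp
end
```

Because every attempt burns its challenge, a wrong guess costs a fresh grid, but with only three letters per attempt the server still needs ordinary attempt rate limiting on top of this.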
Downsides
There is a downside, however (there almost always is). There are many users that will be too dim to use the product. They’ll either forget their categories or they’ll be unable to properly pick out the proper letters and put them in order. The question is simply one of how much security we’re getting vs. how advanced the user-base is (i.e. how much it’ll impede business and cause complaints).
Conclusion
Overall I think it’s a really interesting technology. Ultimately it’ll reduce to how easy it is to implement. Many products are awesome in the demo and are a nightmare to get into production. Either way, it’s an exciting idea and I look forward to seeing how it does.
Awesome New Infosec Class
By Daniel Miessler on March 28th, 2008: Tagged as Education | Information Security
The University of Washington’s School of Computing and Engineering is offering a new course on how to think like a security professional. The class looks very cool, but look at the requirements:
You should have maturity in both the mathematics of computer science and in the engineering of computer systems. This means that you should: have a good understanding of data structures and algorithms; be comfortable writing programs from scratch in C and Java; be comfortable writing and debugging assembly code; and be comfortable in a command-line Unix development environment (gdb, gcc, etc). You should also have a good understanding of computer architecture, operating systems, and computer networks.
Um, how many people do you know at the very TOP of infosec who:
- is comfortable writing programs in C and Java from scratch, and
- is comfortable writing and debugging assembler, and
- is comfortable coding in UNIX using gdb, gcc, etc.
I mean like Bejtlich, Gula, Ranum, Roesch, Parker, etc. Do they even qualify? If so, how many of them? I understand that most people at some point could do this — even me to some degree. But damn, not anymore. I think most people learn assembler, Java, etc. and that stuff quickly atrophies unless it’s part of your daily work.
Oh, and that’s just to get in to the class… You should see the final. :)
Anyway, I’m being silly. But the class does sound like it’d be cool. There’s even a course blog.