A Sceptical Mind

So one of my friends recommended Google Adsense today. I’ve never been too fond of adds myself, however I thought I might try it out and see if it pisses me off or not. So you’ll probably be noticing a few ads on the blog now and again.. If you don’t like them – then ignore them! If you saw an add here you think I would be completely against – please do write me an e-mail because that was specfically one of the things I was worried about when adding the Adsense stuff – Ads I would find dishonest or misleading!

So anywho – Ads are here on a trial basis!

So I read this article today on Comon.dk: http://www.comon.dk/news/forste.store.smishing-angreb.i.danmark_36080.html

It’s Danish, so if you followed the link and thought to yourself: “What the f*ck?” – That’s probably because you’re not Danish, so lets start with me explaining what the article says!

The article talks about the first big SMiShing attack in Danish history and features comments from Danish security expert Peter Kruse (CSIS Security Group). Now for all of you who don’t know what SMiShing is, SMiShing is basically just a SMS oriented way of doing Phising. So instead of trying to scam a victim to a fake website (which is Phising), SMiShing tries to scam you into calling a specific number due to something like “Hey you won 10 million dollars. Call #somenumber# to claim your prize”. So what’s really dangerous about this? Is people really gonna fall for something like this? – A lot of stuff and yes!

Let’s have a look at the SMS sent to a bunch of Danes the other day:

“Your mobile number won 750.000 Euros from the Espana global promotion. Contact claim dept. on: Tel: 0034664219273 Fax: 0034911013657 mcellproiaim.com”

How many do you think would fall for this scam and call the number? There’s no official number, but former numbers for other Phishing sites have stated that 1-2% of all recipients visit the site after receiving the scam e-mail. So is it also 1-2% with SMiShing? – I would argue no, specifically because e-mail is still being stigmatized. People don’t trust e-mails because they’ve grown accustomed to spam and other forms of fake emails – but they trust their mobile phones! So while we see numbers like 1-2% for e-mail scams, I fear we will be seeing numbers like 4-6% for mobile phone scams – if not even more than that.

So what happens if you call the number? According to Peter Kruse, one would probably be met with the scam artist himself, trying to get your bank information so that he can “transfer the money to you”, while in fact he just wants the information to do some form of identity theft. – Personally I don’t believe this one! It seems very much unlike mass computerized criminals to initiate contact to their victims. Experienced hackers do it, however they’re usually also a lot more focused.. they plan ahead and hit one or two companies very specifically. SMiShing’s nature of mass-oriented scamming is not well suited for this type of theft attempt. No, I find it much more likely you’re met with a computerized voice asking for a lot of information – including a bunch of information that doesn’t seem odd but just completely unnecessary, like address, city, postal code, state, country, gender and so on. So why would a scammer want to know all of these things? Very easy – he wouldn’t! But he would very much like you to stay on the line while you’re chunking up huge premium rate fees – all of which go straight into the scammer’s pockets, without you being able to do much about it.

Scams with premium rate numbers have been around for a very long time and while obviously illegal, it can be very difficult to get someone convicted. So the scammers can sit back while perhaps 2000 people call (if they’ve contacted enough victims with SMS) and on average use 12 minutes on the phone with a fee of 15$ a minute – adding up to: 360000$ in profits for the scammers. – Actually these numbers are probably way to low if they’ve attacked several countries.

But this is just one of the ways you can use SMiShing and is actually one of the more naive ways. A much better way would be to exploit the way SMS’s actually work. Many people believe that SMS’s include numbers and the only way their phones can show names (like “Tom” instead of 08005552342) is if they themselves added it to their phone book. But this is actually not true! You can very easily spoof names instead of numbers, so that when a victim receives a message from you, instead of having 08005551215 as a number, you could choose “Mom”. This way, you would be able to do a very evil form of SMiShing, where the number of callers would quite likely be much higher:

“Hi son. You need to call me straight away – We’re in Honduras and your Dad just had a heart attack! I’m sitting here in the hospital but my phone isn’t working well and almost has no more batteries. Would you please call the hospital’s phone at: (504) 559 – 0300. Love you! – Mom.”

If I were trying to scam people with SMiShing (and I had no soul) – this would be the way to do it!
Assuming it isn’t possible for the son to call his mother (as in she’s not picking up or at work) and the son’s parents aren’t dead already, this will work wonders and a lot more than 4-6% would call!

So to sum it all up. Is SMiShing much of a threat? Well yes because it uses an old technology which hasn’t had any real security boosts and which people mistakenly trust. So in that sense it’s much worse than scamming over e-mail (Phising) as it’s much more likely the victim will fall for the scam. I fear we will be seeing a lot of these scams in the future unless something is done to secure SMS – a scenario that’s probably very unlikely!

I have a Lenovo Thinkpad T61 as my work laptop – You know, one of those laptops with the fancy fingerprint scanner in the bottom right corner. Now without getting into a big discussion about the dangers of biometric security systems, I’m going to tell you why I think these kind of devices are completely ridiculous and benefit with absolutely no extra security what so ever.

Let’s first consider the premises for using a biometric fingerprint scanner! The premises for using a fingerprint scanner, instead of e.g. a password, is that a password can be guessed while a fingerprint is something unique to a user – something the user is the sole possessor of and always carries with him. So while that sounds more secure (since you don’t have to worry about e.g. password strength), in reality it really isn’t. Let’s say we had a hacker Charlie and Charlie here wanted to gain access to a building only Alice had access to – a building using biometric authentication in the form of a fingerprint scanner. How would Charlie accomplish this? Well, it actually turns out he has quite a few options:

• He can force Alice to let him in (read “big fucking gun”)
• He can jump Alice and chop off her finger (thereby giving him the “key” he needs)
• He can break the fragile window next to the top-security, 20 inch steel door (as in: don’t make your damn security systems more solid then what surrounds them.. before long you’ll have burglars blowing up your walls to get in.)
• He can break into the fingerprint scanner and steal the stored fingerprint (fingerprints aren’t stored as images, as some may believe.. Fingerprints are stored as a seemingly random sequences of characters uniquely identifying the fingerprint. It’s much like a hashing function like md5() og sha())
• He can swipe Alice’s fingerprint of some glass or whatever he can find, and then use the same technique as Chaos Computer Club did when they stole a German officials fingerprint, to then reproduce the fingerprint and use it as if he was Alice.

All in all there are tons of ways to break a biometric system. However one of the more disturbing issues isn’t that it’s easy to break. It’s the fact that when it’s been broken – the users are screwed! If you get your fingerprint stolen, you can never use a fingerprint scanner securely again.. simply because the premises isn’t there anymore – you are no longer the sole possessor of the fingerprint. So there are many very real concerns with the use of biometric systems and I can tell you right now – I usually avoid all of these systems!

So back to the subject here: Why the fingerprint scanners on laptops from IBM, Lenovo, HP etc. are completely useless when it comes to security! So really the issue is quite simple. The premises for using biometrics is that the user is the sole possessor and therefore the only one who can log in. Now consider this scenario: Your walking down the street, your laptop in hand, and then suddenly out of the blue a skinny guy runs past you, grabs your laptop and runs like the wind! You, exhausted by the last burger you just ate, try to run after the perpetrator but fail when you start to loose your breath (after 10 meters).. but then – aahhh – a sigh of relief when you remember you had a 35 digit password, encrypted harddrive and a biometric fingerprint scanner! No worries right? … — … — … — … — … — WRONG! The perpetrator gets home and takes a look at your laptop. He noticed your “Linux rocks – I secure my toilet brush” t-shirt while running past you and concludes your harddrive is probably encrypted and your password is probably psycho – but then.. aaahhhh – a sigh of relief when he notices you’ve activated your fingerprint scanner! He then takes a piece of tape, picks a random spot on your laptop, swaps your fingerprint right of, uses CCC’s method to copy your fingerprint and uses it to log in and steal all your data – despite the whole encryption, psycho password stuff.

It’s actually really simple: The fucking key is on the machine you’re trying to break into!!

Imagine an office building having break-in keys hanging from the fucking front door – just for burglar convenience!

All in all it comes down to this: The laptop fingerprint scanners are there because it’s hype! Like Apple, Facebook and a bunch of other stuff, fingerprint scanners for the common man is hype these years – it sells! But while companies are telling people to use these devices, they’re actually misleading the public and giving them a false sense of security – thereby actually weakening security very extensively.

So why am I writing this? Well pretty simple actually – Disable your fucking fingerprint scanner!

So I’ve been looking into the problem of getting FreeBSD running on Microsoft Hyper-V the last few days and then yesterday I finally got it working.

Apparently people have been quite upset that Hyper-V only offered support for Windows based systems and Linux SuSE systems, which is obviously not very bright or community friendly – to be quite honest I would rather use WMWare due to the very few *nix systems Hyper-V officially supports.

However you can’t always pick and choose, and in this particular situation – I couldn’t either! So I had to get it working, so first I tried FreeBSD 7.0 RELEASE with a bootonly .iso and tried to mount that in the virtual machine – however the only thing I got out of that was a disc trying to boot but failing almost immediately with the message:

“Can’t load kernel”

So I tried FreeBSD 6.3 STABLE instead since it was obviously due to the kernel loading with FreeBSD 7.0. But again – no luck and just the same message:

“Can’t load kernel”

So finally I tried FreeBSD 8.0 CURRENT and to my great surprise – this would actually boot and let me install. However there are a few quirks that I haven’t worked out yet. Like the fact that FreeBSD apparently doesn’t detect the network interface given to it by Hyper-V – something that is somewhat of a huge problem.

So anywho – FreeBSD 8.0 CURRENT works with Microsoft Hyper-V… so for all you people I’ve seen with this problem, use FreeBSD 8.0 for your install.

I’ll write more when I’ve done some more extensive benchmarking and configuration.

So Sara and I were planning our weeding next year and were talking about wine. We were trying to decide on which white wine to use for the first course, since we didn’t want to use extreme amounts of money on it, but still didn’t want to slack too much on quality.

So we came to the perfect compromise – Silverlake Sauvignon Blanc 2006.. One of the best white wines we’ve ever tasted (which probably isn’t saying much – but we still like it).. So if you ever need to buy a bottle of wine that’s good, but not “get homeless buying it” good – then Silverlake is the wine for you..

At the time of writing, the price for a Silverlake Sauvignon Blanc 2006 was 11,95$.

So I watched Jon Stewart today and once again I caught myself thinking: “Wow – this is probably the best thing for the US-image ever”. What could be better really? Here you have an extremely intelligent, articulate, witty comedian and skeptic – all of which benefit to a more sane image for the US – contradicting our view that all Americans basically have to be idiots!

Now if you hadn’t guessed – Yes I like The Daily Show! – I’m guessing most Danes do – specifically because many of us are very unlike Americans when it comes to politics.. I’m guessing if I actually knew every single opinion of Jon Stewart, I would probably still disagree with him on many fields.. So really he’s just the best American out there when it comes to politics – at least amongst the public figures.

So what’s the actual idea behind this post? Well there really isn’t one .. I just felt like making a tribute to Jon Stewart.. America’s coolest jew

Now if you’re reading this and you’re by some freak coincidence actually Jon Stewart – please do write me!.. I’d like to talk to you about any and all forms of politics.. specifically to see if there actually is a subject where I disagree with you.

And if you’re some other random person – well then write anyway.. Give your opinion of Jon Stewart perhaps?

I just found one of the nicest unix commands I’ve had the pleasure of using. I recently had to convert a large number of images from one format to another (due to a crappy image display device without PNG support), so I stumbled onto this little wonder.

It’s very simple to use. So for example if you wanted to convert a directory of PNG images to JPEG, just do:

# mogrify -format jpeg *.png

Simple right?

It can also be used for a bunch of other stuff – like resizing pictures

# mogrify -resize 800x600! somepicture.tiff

Actually you can find a full set of examples here:

http://linux.about.com/od/commands/l/blcmdl1_mogrify.htm

So there you have it – juts thought I would share.

Okay then – I watched Fitna 10 minutes ago and here’s my initial thoughts. While we should protect our freedom of speech at all costs, what Gert Wilders is doing is clearly manipulative. He’s deliberately taking quotes from the Quran and using these to portray Islam as being a violent religion – completely ignoring the fact that most Muslims don’t follow these extremist ideas.

So basically the film lacks reality and has clearly been made to attempt a fear frenzy. Especially the last part is very questionable, where Mr. Wilders shows how The Netherlands will be in the future, with women getting murdered, gays murdered and children raised as warriors in blood.

No doubt that the clips Mr. Wilders show are completely real – there’s no doubt there is a relatively small group of extremist Muslims believing the things he portrayed – and yes these should by any means necessary be defeated. Not for saying what they believe (as Mr. Wilders has at times suggested by wanting to ban the Quran), but for executing it. Whenever an extremist Muslim does anything which is against our laws, we should hit down on it hard and fast – however that’s in no way the same as saying Islam is a bad, dangerous or extremist religion.. Actually Islam and Christianity are much alike, and some of the extremist sections in The Quran are equally present in The Old Testament as well – yet you don’t see Mr. Wilders fighting to ban the Bible (which is especially hypocritical when looking at the level of Christian extremism in e.g. The United States of America).

So all in all Gert Wilders’ movie just lacks perspective. He apparently believes terrorists are terrorists due to Islam and not due to external factors like manipulation from government individuals and extremist anti-westerns.

We shouldn’t be fighting Islam as a religion – Islam is actually fine.. we should however be fighting terrorists for what they are – criminals! They should be treated like criminals and fought like criminals. Furthermore we should be doing more work into why these people decide to strap a bomb to themselves and try to fight these causes, instead of attacking the terrorist’s excuse for violence! Islam is being misused by terrorists world wide. Islam is not a religion of hate, it is merely being used as an excuse for violence and prejudice. As long as our Muslims don’t fight freedom, democracy and any other corner stone of our civilization, we should respect their right to believe what ever they want to believe – as we do any other religion.

That being said I still want to point out that Gert Wilders has complete freedom of speech and any attack on him is an attack on all of the Western world’s freedom – and it should treated as such! So no matter how little I agree with him, I deny any claims that he should be prosecuted and obviously any and all attempts to threaten his life or the lives of his family. Any attack on Mr. Wilders, successful or unsuccessful, should be viewed as an attack on all of the western world and the perpetrator(s) should therefore be imprisoned for life – with no exception!

For the first time in a long while, it really snowed here in Aarhus, Denmark.. Like REALLY snowed.

So me and my fiancee decided: “Hey – why not make a snowman”.. So we did!

Introducing Smokey the Snowman!:

I was watching TV today, when I suddenly stumbled upon a YouTube/CNN debate with the democratic candidates on CNN. Now – most Europeans probably don’t know much about the candidates in the US and many might even claim they don’t care because it doesn’t affect them. Well as a proud European let me just say : BULLSHIT! Anything in the US affects the rest of the world simply due to the fact that the US maybe over on another continent, but the US lifestyle and culture has spread to the whole world – oh yeah and of course because many Americans think they own the world

Now for the people interested in the current candidates:

http://en.wikipedia.org/wiki/2008_Democratic_presidential_candidates

This is by the way only the democratic candidates – but seeing as you’re on my website, you’re probably not interested in the Republicans – plus who are we kidding, as if the republicans are going to win (thank God).

Now what was interesting to see here – most of these actually don’t have very European like opinions – a lot of these people are still pro death penalty, against same-sex marriage and such.. Sadly I might add! But then – out of the group of crappy propaganda idiots one person shined .. A candidate I would have imagined I would agree with. He’s one of the oldest candidates, yet he has some of the most modern and realistic ideas … So without further adieu I give you:

Mike Gravel:

http://en.wikipedia.org/wiki/Mike_Gravel

- Pro drug legalization (Drug use is a medical issue – not a criminal issue)

- Pro choice

- Pro national non-profit health care system (like we Danes already have)

- Pro same-sex marriage

- Pro elimination of the IRS and income tax (wants to replace it with a national sales tax of 19-23% on newly manufactured products and services)

- Pro immigration (supports the guest worker program)

- Wants to reduce dependency on carbon (not due to global warming – but rather the availability of the resources)

He is like the perfect candidate .. and he’s 77 years old! How weird is that? He has some of the same ideas we “Radical Youth”‘s have in Denmark – a social liberal political agenda (mostly liberal). Simple fantastic.. so to all Americans out there:

VOTE MIKE GRAVEL!

Oh yeah – I just took a look at this poll:

http://www.pollingreport.com/wh08dem.htm

And logically – most Americans disagree with me – Mike Gravel has 0% and the two other candidates I could support has 1% and 2% Go figure.