Monthly Archives: November 2012

Opening an Email = Pwned (default image loading on Apple products)

iPhones, iPads, and Macs (presumably Mail.app only) apparently load images by default. A researcher found several routers can be configured just through POST and GET requests. Most people don’t change their default router password. Therefore, all the researcher had to do was embed a 1×1 image in the email, whose src=”” link was a specially […]

DIY Backscatter X-Ray Machine

This is pretty badass. A guy built his own backscatter X-ray machine using stuff off eBay (X-ray tube, scintillation screen, photomultiplier tube) and some home-shop CNC machined parts. He demos it as if it were an airport machine, but backscatter X-ray has rather more applications: it lets you do X-ray imaging without needing access to […]

Onity Hotel Lock Thefts: Victims Support Full Disclosure

Remember the “hacking hotel locks with an Arduino” bit from a while ago? There’s been a rash of hotel thefts which the hotels attribute to this flaw. One thing few people noted when the hole came out was how not-responsible-disclosure it was. The guy who came up with it sold the flaw to a school […]

Secret Documents From the Sky, Redux

So it turns out secrets from the sky is something of a tradition over there: http://sports.espn.go.com/mlb/playoffs/2009/news/story?id=4632491 Note the parade authority actively provided blank paper to the offices en route to prevent just this sort of thing. Which means the 2012 Macy’s parade was at least the third time it happened. Government has (only? at least?) […]

Virtual Machines Aren’t (Necessarily) Secure

Been meaning to send this out for ages. About a month ago RSA figured out how to extract GPG private keys from a virtual machine given access to another VM on the same server. This, generally speaking, sucks. Virtual machines were one of the few hopefully-halfway secure ways to use the whole “cloud” thing. Now […]

Secret Documents, Raining From the Sky

I’ll leave summarizing to the subhead: “[Macy’s] parade-goer found that confetti that fell on him and friends had detectives’ social security numbers, bank info and unveiled undercover officers’ identities.” (These internal documents were strip- rather than cross-cut shredded.) Somewhere in an anonymous warehouse, a paranoiac securicrat’s had the remnants collected in a giant swimming pool, […]