Thursday, December 10, 2009

New Default Facebook Privacy Settings: More Stuff Going Public

"Meet the new privacy, the same (or worse) as the old privacy." - Unknown (2009)

This week the new Facebook privacy interface and the new default privacy settings have been deployed. We are interested in the latter: although it is useful to have privacy settings per Facebook object, the default settings are the most used because they respect the minimal effort of the average user.

Check this screenshot with the proposed default settings.

  • About Me: has gone from Only Friends to Everyone.
  • Family and Relationships: has gone from Only Friends to Everyone.
  • Work and Education: are still in Everyone.
  • Posts I Create: has gone from Only Friends to Everyone.
  • Photos and Videos of Me: has gone from Only Friends to Friends of Friends.
  • Birthday: has gone from Only Friends to Friends of Friends.
  • Religious and Political Views: has gone from Only Friends to Friends of Friends.
  • Email Addresses and IM: are still in Only Friends.
  • Phone Numbers: are still in Only Friends.
  • Address: is still in Only Friends.
Please comment on any errors or doubts.

Wednesday, December 9, 2009

Notes from Minsky talk on Artificial Intelligence

After watching the talk Emotion Machine: Commonsense Thinking, Artificial Intelligence and the Future of the Human Mind by Marvin Minsky, I share my notes.

The talk is mostly pessimistic. He warns about a work emergency: not enough people working, so we will need AI to replace human work in the coming years. Now, robots work in small domains, for example in the construction of standardised objects. But there is no automation of maintenance. Little or big maintenance is not accomplished by robots because this work usually has unexpected elements. Minsky has a gloomy view of the last 20 years of AI. He calls for revisiting old fields of AI like Semantic Information Processing. He also wants to emphasize reading other books from the 60s and 70s. An example of a restricted domain where AI was successful is symbolic integrals. Also algebra problems stated in natural language have very good old solutions, hardly improved in recent years. But no commonsense knowledge is embedded in AI these days. Human intelligence has multiple domains of knowledge in parallel: physical, social, emotional, spatial, mental, etcetera. He recommends his book: The Emotion Machine. He also warns about fad techniques and research areas, some of which will go away: genetic programming, insect robots, artificial neural networks, etcetera. They work with a well-defined problem, not very general. For example with genetic programming, the problem is that it only remembers what succeeded. No common mistakes are learned. On the other side, culture teaches common mistakes. Memes, propagated beliefs, not genes, include positive and negative information. Also the representation of knowledge is diverse. Minsky proposes a "Critic-Selector" model of the brain. It seems a very abstract model of the brain, including many levels, at least 6 of them. He emphasizes that you need theories of the mind before doing mental experiments with the brain. He observes that there are many Ways To Think: analogy, planning, simplify, reformulate, simulate, etcetera. Also that there are more parts than you need in the mind; there is no Occam's Razor in psychology!
Many levels and structures. Minsky talks about different types of goals; it seems too static to me if you have static categories. Finally he confesses he professes isolationism, not connectionism: the existence of isolated levels and structures that only interact when they need to.

I liked the emphasis on:
  • Commonsense is mostly social.
  • If you can't solve a problem you cry for help; social intelligence comes to the rescue.
  • Any machine with Minsky's Model has "... got to learn from people.".
Happy AI Hacking!

Monday, December 7, 2009

Understanding Facebook Tagged Photos Privacy

We discuss how to enhance the privacy of Facebook when facing users tagging you in third-party pictures.

To understand Facebook's tagged-photo privacy features we design a Facebook usage lab. Our laboratory includes three individuals who graciously volunteered to be part of the tests. Bob is in Alice's contact list because he is her lover, and Chuck is in her contact list because he is her official partner. Chuck suspects that Alice is unfaithful, but he needs evidence to draw Alice into a vortex of unhappiness and sorrow.

Each of the users respectively uploaded one picture: PhotoB, PhotoA and PhotoC. The critical photo is PhotoB, uploaded by Bob, in which Alice appears.
On Facebook, a user can tag photos with names. If the name belongs to a contact of the user, the tag is linked to other public photos of that contact. The privacy features of tagged photos are centered around:

a) who can view the photos published by user A and
b) who can view the photos where user B was tagged.

We will briefly discuss the scenario where Bob tags Alice in his photo, with the default configuration.
By default, Bob's photos are only visible to his friends, in this case Alice and not Chuck. But if Bob one day needs to share something and changes his profile privacy from "Only Friends" to "Friends of Friends" (Settings > Privacy > Profile > Profile), then Chuck will notice in his Facebook feed that Alice was tagged in a photo owned by Bob. This is due to Alice's default tagged-photo visibility configuration, i.e. "Only Friends", which allows her friends to view the photos where she was tagged. If Alice changes her tagged photos setting to "Only Me" (Settings > Privacy > Profile > Photos Tagged of You > Customize... > Only Me), then Chuck will not see the critical PhotoB.
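The scenario above, modelled as an added Python example (not code from the original post or from Facebook). It assumes, as the post describes, that a tagged photo reaches a viewer only when both the owner's photo audience and the tagged user's "Photos Tagged of You" audience admit that viewer; the audience names are my labels.

```python
from dataclasses import dataclass, field

# Audience levels as named in the post, most to least restrictive.
ONLY_ME = "only_me"
ONLY_FRIENDS = "only_friends"
FRIENDS_OF_FRIENDS = "friends_of_friends"
EVERYONE = "everyone"


@dataclass
class User:
    name: str
    friends: set = field(default_factory=set)
    photo_audience: str = ONLY_FRIENDS    # who may see the photos I upload
    tagged_audience: str = ONLY_FRIENDS   # who may see photos I am tagged in


@dataclass
class Photo:
    name: str
    owner: str
    tagged: set = field(default_factory=set)


class PrivacyLab:
    """Toy model of the lab: users, symmetric friendships and tagged photos."""

    def __init__(self):
        self.users = {}
        self.photos = {}

    def add_user(self, user):
        self.users[user.name] = user

    def befriend(self, a, b):
        self.users[a].friends.add(b)
        self.users[b].friends.add(a)

    def add_photo(self, photo):
        self.photos[photo.name] = photo

    def within_audience(self, audience, subject, viewer):
        """Is `viewer` inside `audience` as seen from `subject`'s contact list?"""
        if viewer == subject:
            return True
        if audience == ONLY_ME:
            return False
        friends = self.users[subject].friends
        if viewer in friends:
            return True
        if audience == ONLY_FRIENDS:
            return False
        if audience == FRIENDS_OF_FRIENDS:
            return any(viewer in self.users[f].friends for f in friends)
        return audience == EVERYONE

    def tag_visible_to(self, photo_name, tagged_user, viewer):
        """Assumed rule: the tag route needs BOTH the owner's and the tagged user's consent."""
        photo = self.photos[photo_name]
        if tagged_user not in photo.tagged:
            return False
        owner = self.users[photo.owner]
        tagged = self.users[tagged_user]
        return (self.within_audience(owner.photo_audience, owner.name, viewer)
                and self.within_audience(tagged.tagged_audience, tagged.name, viewer))


def build_lab(bob_photo_audience=ONLY_FRIENDS, alice_tagged_audience=ONLY_FRIENDS):
    """Alice is friends with Bob and with Chuck; Bob and Chuck are not friends."""
    lab = PrivacyLab()
    for name in ("Alice", "Bob", "Chuck"):
        lab.add_user(User(name))
    lab.befriend("Alice", "Bob")
    lab.befriend("Alice", "Chuck")
    lab.users["Bob"].photo_audience = bob_photo_audience
    lab.users["Alice"].tagged_audience = alice_tagged_audience
    lab.add_photo(Photo("PhotoB", owner="Bob", tagged={"Alice"}))
    return lab


def chuck_sees_photob(bob_photo_audience, alice_tagged_audience):
    """The question the post asks, for a given pair of settings."""
    lab = build_lab(bob_photo_audience, alice_tagged_audience)
    return lab.tag_visible_to("PhotoB", "Alice", "Chuck")
```

With the defaults Chuck sees nothing; Bob widening to Friends of Friends exposes PhotoB through Alice's tag, and Alice's "Only Me" closes that route again.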

To search for photos and test the visibility you can use "photo_search.php".


There you can view the photos "visible" to user A, who is logged in right now. These photos can be from user A's profile, or from another user but tagged with the name of user A, whose numerical identifier is USER_NUMERICAL_ID.

Join the privacy lab via Facebook (Alice, Bob and Chuck) or the Data Privacy Army if you want to contribute scenarios or comments!

Tuesday, December 1, 2009

Social Rings: A Simple Method For Enhancing Privacy In Web 2.0 And Social Networks

Disclaimer: This post was written for the annoyingly paranoid.

If you are worried about your privacy but don't want to be isolated on the Internet, then you may want to implement social rings. Here we describe the simple method we devised for enabling a little privacy in web 2.0 and social networks. We design four privacy levels, or social rings, to access the web and contact people through social network services. Keep in mind that as long as the other abstract communication layers don't provide any privacy, your privacy is probably being invaded by your local ISP, government intelligence/security agency or employer.

This method includes human and automatic computer interactions. We have been testing it for about a year and it provides a clearer understanding of privacy on the Internet, given the little effort of managing the different rings. It is designed to avoid phishing and spamming and to optimize your online mindshare/attention, a limited resource.
  • Social Ring 0 (The Circle Of Trust or The Social Circle): include here close friends, trusted co-workers and trusted family members. Create an e-mail address for this ring. Identify yourself with your complete name, but don't include your complete name in the e-mail address: you don't want people who know your complete name to deduce the e-mail. Use this e-mail only for human-to-human contacts, not for automatic subscriptions, since the latter usually contain messages from people you don't trust. This e-mail, not directly deducible from your complete name, will be the key/token (we will call it token0) to enter social ring 0, but assume that contacts in this ring know your complete name. Use token0 to create an account on your favorite social network service. Check that people can only contact you in this ring if they have token0. On Facebook, for example, you must not use your complete name, but you may want to be reachable with token0 in people search queries. For example, if your name is Alan Smithee you may use alans or as23 as privacy token0. People (or robots?) only enter this ring after physical contact or a personal recommendation from an existing contact. Subscribe to a news feed system only if it allows anonymous subscriptions or followers. Twitter allows anonymous subscriptions via RSS feeds, but following people on Twitter with your Twitter account is not anonymous.
  • Social Ring 1 (The News/Nickname Ring): here are included not-so-close friends, untrusted co-workers/family and automatic subscriptions/robots. Create an e-mail with privacy token1, similarly to ring 0 but now with a token completely uncorrelated to your complete name. Don't use your complete name anywhere within this ring (!); use a simple nickname, such as alan666 or morfeus. Using token1 you can subscribe to people and systems that only support non-anonymous subscriptions, such as Twitter. E-mail newsletters and lists are included in this ring because they qualify as an interaction with an untrusted machine possibly aggregating content and spam from people you don't know. Don't use token1 for possibly spammish subscriptions or people/social network systems suspected of being malicious. You may want to use your complete name in blogs and services associated with token1, but only for publishing content, not consuming it.
  • Social Ring 2 (Social Event Horizon): create a totally uncorrelated social key, token2, for this ring. Use it for subscriptions/services you don't trust at this moment. You can probe suspicious services or people while comfortably standing in this ring. Surely you will need an e-mail address for this ring.
  • Social Ring 3 (The Anonymous Moors): anonymous polls, anonymous social comments in web forums, no credentials needed. As you can be approximately geographically located, you may want to use anonymous routers such as Tor to avoid geographical bans or censorship. Remember not to use any ring 0-2 credentials in this ring.
Some improvements may include a Social Ring -1 with an encrypted web vault for storing personal data such as financial information, other critical data and Social Ring 0-2 credentials.

You want to avoid scenarios where people/machines can deduce token{n-1} from token{n}, since that would let them elevate their social ring level.
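As an added example (not from the original post), a small Python audit of the property just stated: given a complete name and the token for each ring, it flags tokens that carry name fragments and token pairs that share a long common run, from which a lower ring's token could be guessed. The fragment rules and the length thresholds are my assumptions.

```python
import re

# Assumed thresholds, constructed for this example (not from the post).
MIN_NAME_FRAGMENT = 3   # shortest name fragment counted as a leak in rings >= 1
MIN_SHARED_RUN = 4      # shared substring length treated as linking two tokens


def local_part(token):
    """Lower-cased token with the domain stripped when it is an e-mail address."""
    return token.split("@", 1)[0].strip().lower()


def name_fragments(full_name):
    """Fragments of the complete name that a stranger might try when guessing a token."""
    parts = [p for p in re.split(r"[\s\-]+", full_name.lower()) if p]
    frags = set(parts)
    frags.add("".join(parts))                    # alansmithee
    if len(parts) >= 2:
        frags.add(parts[0][0] + parts[-1])       # asmithee
        frags.add(parts[0] + parts[-1][0])       # alans
    return frags, parts


def longest_common_substring(a, b):
    """Length of the longest run of characters shared by two strings (DP, O(len(a)*len(b)))."""
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def audit_rings(full_name, tokens):
    """Return a list of findings; an empty list means the ring tokens pass.

    `tokens` maps a ring number (0, 1, 2) to the e-mail or handle used as that ring's key.
    Ring 0 contacts know the real name, so only the complete name is forbidden there;
    higher rings must not contain any name fragment at all.
    """
    frags, parts = name_fragments(full_name)
    locals_ = {ring: local_part(tok) for ring, tok in tokens.items()}
    findings = []
    for ring, tok in sorted(locals_.items()):
        if ring == 0:
            if all(p in tok for p in parts):
                findings.append(f"ring {ring}: token '{tok}' contains the complete name")
        else:
            hits = sorted(f for f in frags if len(f) >= MIN_NAME_FRAGMENT and f in tok)
            if hits:
                findings.append(f"ring {ring}: token '{tok}' correlates with name fragments {hits}")
    # A long shared run lets token{n-1} be guessed from token{n} (or vice versa).
    rings = sorted(locals_)
    for i, lower in enumerate(rings):
        for higher in rings[i + 1:]:
            run = longest_common_substring(locals_[lower], locals_[higher])
            if run >= MIN_SHARED_RUN:
                findings.append(f"ring {higher} token shares a {run}-char run with ring {lower} token")
    return findings


# Constructed sample sets (example values only).
GOOD = {0: "alans@example.com", 1: "morfeus@example.com", 2: "k7qz@example.com"}
BAD = {0: "alan.smithee@example.com", 1: "smithee1@example.com", 2: "smithee1b@example.com"}
```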

Please comment any method bugs or possible improvements.

(Last photo courtesy of lois_15354.)

Thursday, November 26, 2009

Another Categorization of Social Networking Data

Following Bruce Schneier's post on social network data taxonomies I made my own categorization. You will observe that it is not a taxonomy, because data is not exclusively in one of the categories; that is, the categories are not disjoint. It is a categorization centered on data destination: the places and people that can store it, access it and use it. Schneier's taxonomy is centered on trust levels, I think.
  1. Collected Data. Data collected by the service provider. Unless this data is encrypted on the client side and stored that way on the server, we assume it is plain-text data accessible by the service provider. It usually includes profile and network data explicitly provided by the user, and click history implicitly provided. You can assume that everything you do and upload in the browser tab of the service is collected if the privacy policy of the service doesn't state otherwise.
  2. Public/Disclosed Data. Data that is published openly, such as complete name or e-mail. It can be useful for other people trying to locate you.
  3. Social Data. Data that is openly shared with your trusted contacts. Unless these contacts are inside your circle of trust, they can't access it.
  4. Monetized Data. Data that is actually used by the service provider to serve you personalized advertising. This category also includes data that can be sold anonymized or aggregated to third parties.
You can observe that in some services, such as web logs, all social data is public/disclosed. It is common nowadays that the service provider collects all the data, so the public/disclosed data and the social data are included there. On the other side, an encrypted social network service could possibly assure a minimization of collected data. Obviously monetized data can only be extracted from data collected by the provider. If the social data can be widely collected by other users infiltrating your social contact list, they can build a dataset that can be turned into monetized data. Another example is Google's Social Graph effort: they are transforming part of your social data in services they can't access into public/disclosed data that fits better inside their business model.

Some ideas in this post are related to Alex Iskold's post on attention silos.

Thursday, November 19, 2009

Basic Precautions to Avoid Web Attacks in ASP

We review some basic web security concepts and, browsing the web, comment on some solutions to avoid attacks on web applications developed with ASP.

As with any security flaw, the technology developed before the flaw becomes widely known is a sure victim of it. That is the case with ASP: only with ASP .NET did awareness of the usual SQL and JavaScript security flaws arrive, with countermeasures included by default, at least in the libraries.

The main flaws affecting ASP are those affecting most web applications: injection of JavaScript code and SQL code inside the data sent to the application. Injecting code into data sent to programs is a central category of security flaws. In the classic case of native applications, machine code is injected into data sent to servers programmed in C/C++, or into multimedia data for attacks on web or mail clients also programmed in C/C++.

In a SQL injection flaw, the execution of a SQL statement on the server can be affected or diverted by user-supplied data. Usually, since the SQL statement is mixed as a character string with the input provided by the user/attacker, the latter can escape the SQL statement with some character such as a single or double quote and then append SQL to the existing statement or execute a different one (for example with ";" in MS SQL Server). The usual impact is then bypassing authentication by entering the system as administrator or listing the user list, although, depending on the SQL database permissions, data tables may be modified or system shell commands executed [1].

JavaScript injections, also known as XSS or Cross-site Scripting, look more harmless because in principle they affect the users' client web browsers, but besides serving to steal users' credentials they can serve to overload the server with requests. JavaScript is injected into the data and reflected in the returned HTML; if the injection can be persisted or reproduced with a URL (GET-request XSS), victims can access it and their session cookies could eventually be stolen. For POST requests it is enough to direct victims to the domain "notanevilhacker.org" and from there issue the POST with the XSS to the domain "vulnerable.org" to steal credentials [2].

In general, the best way to avoid SQL injections is sanitizing the input data. For example, only alphanumeric data can be let through (white-listing) in ASP with the following code [3]. In this case the complement of the alphanumeric set is filtered out with "^". Accented letters used in Spanish should possibly be included; they are not in this example. Note that white-listing is always preferable to black-listing, because in the latter case some unfiltered case may slip by tangentially; ergo, the security tortoise escapes us through some uncovered case.
'Create a regular expression object
Dim regEx
Set regEx = New RegExp

'This global property tells the RegEx engine to look for ALL
'substrings, not just the first occurrence. It has to be True.
regEx.Global = True

'Our pattern says what to look for in the string... In this case
'we look for things that are not alphanumeric...
regEx.Pattern = "[^0-9a-zA-Z]"

'We use the RegEx Replace function to clean the username. The Replace
'function takes a string to search (using the pattern above as the criterion)
'and the string that will replace each match.
'In this case we want to replace with nothing, because the non-alphanumeric
'characters are exactly what we want to remove.
Dim username
username = regEx.Replace(Request.Form("UserName"), "")
For XSS, if the user input includes non-alphanumeric characters, the best option is to encode the input so that it is interpreted as data in the returned HTML and not as HTML itself. In ASP the function providing this functionality is "Server.HtmlEncode" [4].

For example, the malicious input is replaced:
<form method="POST"
We can observe that if both types of vulnerability appear together, since the filtering to avoid SQL injections is more restrictive, applying that alone surely suffices instead of HTML encoding. If we have already been victims of an attack, the best course is trying to remove leftover malicious JavaScript code from the database [5].
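As an added example (not from the original post), here are Python equivalents of the two defenses just discussed: the alphanumeric white-list, extended with the Spanish accented letters the text says are missing (which extra letters to allow is my choice), and HTML encoding via html.escape standing in for Server.HtmlEncode. It also checks the closing observation that white-listed output needs no further HTML encoding.

```python
import html
import re

# White-list from the ASP example above, extended with Spanish accented letters.
# Allowing exactly áéíóúüñ and their capitals is my assumption.
NOT_ALLOWED = re.compile(r"[^0-9a-zA-ZáéíóúüñÁÉÍÓÚÜÑ]")


def whitelist_username(raw):
    """Drop every character outside the white-list, like RegExp.Replace(..., "") in ASP."""
    return NOT_ALLOWED.sub("", raw)


def html_encode(raw):
    """Stand-in for Server.HtmlEncode: &, <, >, " (and ') become entities,
    so reflected input is rendered as text instead of being parsed as markup."""
    return html.escape(raw, quote=True)


def render_greeting(user_input, sanitizer):
    """Reflect user input into an HTML fragment after passing it through `sanitizer`."""
    return "<p>Hola, " + sanitizer(user_input) + "</p>"


def whitelist_needs_no_encoding(raw):
    """True when HTML-encoding the white-listed value changes nothing, i.e. the stricter
    SQL filter alone already made the value inert in HTML (the post's observation)."""
    cleaned = whitelist_username(raw)
    return html_encode(cleaned) == cleaned


# Constructed sample inputs (not from the post).
SAMPLES = [
    "José' OR '1'='1",   # quote-escaping attempt, with an accented letter in the name
    "<b>Ana</b>",         # markup where a plain name was expected
    "Ñandú",              # legitimate Spanish word; must survive the white-list intact
]
```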

Wednesday, November 11, 2009

Detecting Shameless Logo Plagiarism!

I guess we must clarify language confusions here. As we are talking about intangible assets, information, we use the words steal and theft only to refer to the act of plagiarism. It is immoral when no reference to the original author is made explicit, since it is then assumed that the copied logo is an original work of the graphic designer. No logo is completely original, as particular features are always present in other logos, but plagiarism is assumed when many features are present in more than one logo.

It's very funny to observe that, to save money and time, some companies copy (steal?) iconographic logos from other companies. In some cases the small ones copy from the bigger ones and in other cases it is the other way around.

I recommend using the wonderful photo search engine called TinEye plus the Firefox TinEye plugin. In this case it is very clear that the service's photo similarity search is a perfect fit for detecting logo clones (thefts?).

These posts (part 1, part 2), written by a logo design company, explain the details and techniques for shamelessly copying a complete logo or part of it. For example, they show the similarities between the Sun Microsystems logo and the Columbia Sportswear logo. I tried to use TinEye to detect the Sun/Columbia similarities but failed.
In this article, called Protecting Your Custom Company Logo Design's Copyright, it is explained how to legally protect your logo; I guess it is only useful when an explicit copy of your logo is made (and your logo is original enough to be considered something that can be copied!).

A plagiarism example I detected with TinEye was the Kibon plagiarism (page 1, page 2). Kibon some years ago was an ice-cream brand, but the logo is also used by Olá, Good Humor and Wall's. Apparently these ice-cream brands are all owned by Unilever, so they use the same logo in many places. But at least it is not clear who designed the logo. On the site Brands Of The World you can find the different logos: Olá (Portugal), Kibon (Brazil) and Wall's.
The TinEye approach did not work either for detecting one of my favorite plagiarisms: Livra (a prosumer web company from Argentina) versus CounterPath (a VoIP client software company).
We can conclude that plagiarism is usually accepted within an organisation because the organisation owns the copyright of the logo and can reuse and modify it without permission of the original graphic designer, whether they work for the company or not.

Finally, the Swiss site Plagiat is completely devoted to plagiarism in its various forms.

Sunday, September 20, 2009


Basic Lockpicking Kit!

I wanted to introduce myself to the world of physical security! So I bought a basic lockpicking kit at Ekoparty from the guys of TOOOL.
I didn't have anything that could be opened with the kit (it is only useful for classic locks, not lever locks). So I bought a small SilverShadow padlock, 30 mm, to test the kit. This lock is imported from China by Herralfer S.A.
The surprise was that I only had to use the small tension lever to open it. This lock doesn't provide any security at all! You just need to turn the mechanism with something! It even worked with my fingernail!

Check the photos with the lever; some tension is enough.

Now a photo of my fingernail opening the lock. No need for the kit today!

Today's moral is that the strength of the lock's metal does not matter: if the mechanism is poor, the lock does not provide security.

I will probably send a complaint to the company importing these locks. Here is the information if you want to do the same:

Herralfer S.A.
CUIT 30-66108409-6
Carrasco 729/31 (C1407)
Buenos Aires - Argentina
Telefax: (5411) 4139-8978
E-mail: info@herralfer.com.ar

Friday, August 21, 2009

Computer Security Workshop 2009 (Workshop de Seguridad Informática) at the 38 JAIIO

I am going to this Computer Security Workshop; it is the first one held in Argentina, I believe. Is anyone else going? Here is the paper I am presenting.

SQL/JavaScript Hybrid Worms As Two-stage Quines
Delving into present trends and anticipating future malware trends, a hybrid, SQL on the server-side, JavaScript on the client-side, self-replicating worm based on two-stage quines was designed and implemented on an ad-hoc scenario instantiating a very common software pattern. The proof of concept code combines techniques seen in the wild, in the form of SQL injections leading to cross-site scripting JavaScript inclusion, and seen in the laboratory, in the form of SQL quines propagated via RFIDs, resulting in a hybrid code injection. General features of hybrid worms are also discussed.

Thursday, July 23, 2009

Google AppEngine 99.9% Up-time With ORACLE?

I am testing a little application on Google AppEngine that sends Twitter updates to my cellphone. For two weeks this free cloud-computing hosting just worked perfectly. But a couple of days ago it threw a strange error (check it below). The system makes a cron web request every 2 minutes. That is an honorable 99.9% approx. up-time! Apparently they say I consumed some quota, but I was using almost none of it. What is weirder is that I received an ORACLE error on my cellphone!

ORA-00604: error occurred at recursive SQL level 1
ORA-02067: transaction or savepoint rollback required
ORA-02067: transaction or savepoint rollback required

This is the detailed AppEngine error I get from the webapp cloud log. You can see that the error is raised from the AppEngine DataStore; maybe it is a limitation not observable from the application dashboard and its quotas. But on the other side, the ORACLE error codes indicate that the problem is a concurrency bug in the DB.

The lesson we learned about Cloud Computing is that you can't debug or report this kind of error because you don't know who is responsible (in this case Google, Twitter, Claro the phone provider, or me?), besides the inability to replicate them.

07-20 01:08PM 19.632



0kb - - [20/Jul/2009:13:08:24 -0700] "GET /broadcast/realtime HTTP/1.1" 500 84 - - "twittus.appspot.com"

  • E 07-20 01:08PM 24.533

    Traceback (most recent call last):
    File "/base/python_lib/versions/1/google/appengine/ext/webapp/__init__.py", line 501, in __call__
    File "/base/data/home/apps/twittus/1.335015795539495654/broadcast.py", line 59, in get
    if get_status().status == 0:
    File "/base/data/home/apps/twittus/1.335015795539495654/broadcast.py", line 20, in get_status
    for s in TwittusStatus().all().fetch(1):
    File "/base/python_lib/versions/1/google/appengine/ext/db/__init__.py", line 1426, in fetch
    raw = self._get_query().Get(limit, offset)
    File "/base/python_lib/versions/1/google/appengine/api/datastore.py", line 959, in Get
    return self._Run(limit, offset)._Get(limit)
    File "/base/python_lib/versions/1/google/appengine/api/datastore.py", line 903, in _Run
    File "/base/python_lib/versions/1/google/appengine/api/datastore.py", line 2055, in _ToDatastoreError
    raise errors[err.application_error](err.error_detail)

Sunday, July 5, 2009

Facebook Secure Pro, Encrypting It!

Facebook supports the usage of secure encrypted connections, i.e. HTTPS or HTTP over SSL. (See the technical note below for technical security concepts.) But unless the Facebook team decides to enable it by default or as an option in their configuration, it is not usable. So I decided to make a small GreaseMonkey script to replace HTTP with HTTPS whenever possible. I call it Facebook Secure Pro because it is based on the script Gmail Secure Pro version 1.1.

The latest version of the script, version 1.1, is working okay except for the following issues:

- Photos and Videos are not served encrypted by Facebook, probably due to performance.
- Facebook Chat apparently is not supported by Facebook, or the script broke it.
- The Share button is apparently broken.

Please report any comment you have or error you found in the Issues section. I hope the Facebook team decides to use secure connections by default, like Gmail these days, or at least optionally from the configuration.

Download the script!

Technical Note: In this case secure means that, using HTTPS, anyone sniffing your Facebook traffic can't read it, for example in your favorite cybercafe, unless the eavesdropper uses a more sophisticated attack called man-in-the-middle. Also, in the latter case, the eavesdropper very probably can't use the original and secret certificate owned by Facebook for the connection. That means your conversation will be stolen, but you will probably see a wrong certificate, not assigned to Facebook. Messing with SSL certificates can be done by an eavesdropper, but it is a really hard and experimental attack.

Saturday, June 27, 2009

A Not-So-Lucid Book

I love reading the books I am given as gifts because I already have the certainty that I can discuss them with someone. In this case I read La cámara lúcida (La chambre claire) by Roland Barthes (Cherbourg, November 12, 1915 – Paris, March 25, 1980). It is the first book I have read by this author. I knew I would enjoy reading it in order to pick it apart and criticize it as it deserves. As I suspected, Barthes, like many twentieth-century philosophers, falls into the temptation of talking about a subject he does not know. In the whole book Barthes does not comment on a single photograph taken by himself, nor does he say he ever released a camera shutter. So I think: how interesting, a book about photography written by someone who seemingly never took a photograph and who, moreover, lived his whole life with his mother. Since Barthes devotes himself to the study of symbols, semiotics, I will infer that this is another symbol of the philosophical decadence of the twentieth century. Not to mention that in this book he cites another book by the author, called Roland Barthes por sí mismo, an autobiography that reaches us as another symbol of his humility and modesty. The problem I found is that as a book of philosophy it is poor, because the author seeks in his writing a fusion of philosophical, literary (quotations from Proust included) and autobiographical concepts. The end result is therefore not very nourishing in any of the three aspects and conveys a sort of amateur photographic onanistic feeling.

La cámara lúcida centers on a not very superficial analysis of the subject, of which I too am a layman. Its main thesis is that photography is about the search for the That-has-been. We can note that photography is not always realistic, because one may seek to make a surrealist photograph or one retouched with post-production tools. This contradicts Barthes's thesis.

Let us briefly go over some of the literary gems with which Barthes makes us laugh. Emphasis included in the original.

[..] if the photograph then becomes something horrible it is because it certifies, so to speak, that the corpse is something living, as a corpse: it is the living image of a dead thing.

(p. 124)

It is usually said that it was the painters who invented Photography [..] I say: no, it was the chemists.

(p. 126)

[..] many say that sugar is sweet, but I find sugar violent [..]

(p. 141)

[..] the Photograph [..] like a living organism, is born from the silver grains that germinate [..]

(p. 143) The fragment that follows is very depressing; suicidal readers abstain.

Before, the only photo in which I see my father and my mother together [..] it is love as treasure that is going to disappear forever; for when I am no longer here, no one will be able to bear witness to that love [..]

(p. 145)

Photography is flat in every sense of the term [..]

(p. 160)

[..] the gaze is always virtually mad: it is at once an effect of truth and an effect of madness.

I leave you with Roland Barthes, his photograph and his mother.

Tuesday, June 9, 2009

BioBricks, Synthetic Biology and Future Security Challenges!

Synthetic Biology is the design and construction of new biological parts, devices, and systems, and the re-design of existing, natural biological systems for useful purposes. BioBrick is a standard specification recently developed to specify bio-molecular parts, that is, the building blocks of molecular biology. These DNA bricks are contained inside plasmids, which are circular strings of DNA copied inside bacteria. They even have an open repository where everyone can upload their own parts and share them with other researchers.

For example, here I retrieved the DNA that encodes a device for generating insulin (when present in the form of a plasmid inside bacteria?).

>BBa_I761007 Part-only sequence (600 bp)

Browse the complete bioparts catalogue here.

Some (futurologist?) security challenges that arise in these still-immature engineering projects are the possibility of malicious contributors injecting spoofed genetic material to produce illegal drugs, poisonous substances or even dangerous viruses. Some companies now even provide services to produce DNA on demand: you upload the nucleotide sequence via the Internet and they send you the DNA packaged like Amazon; read this EETimes article, circa 2004.

    Sunday, May 31, 2009

    QR Codes Security: Cross-site Scripting

    This is my new T-shirt. In this post I will explain what QR Codes are, why this technology is making some noise now, and a couple of examples of security issues raised by this useful technology.

    Quick Response Codes (QR Codes) are two-dimensional barcodes developed in 1994 by Denso, a Japanese corporation and subsidiary of Toyota. In Japan, every cellphone uses these codes for many services. Now there is a sudden explosion of web sites providing services related to QR Codes, for example BeeTagg, with the idea of all things being tagged and tracked from the Internet.

    These codes have the following properties.

    - They can be quickly processed for tagging industrial parts (the technology was born in the car industry).
    - Axis information to correct the photo's orientation.
    - Redundant information and Reed-Solomon error correcting codes.
    - According to some sources, the redundant information can be used for artistic goals (?). No interesting example besides this one, the poem The Walrus and the Carpenter.
    - Maximum content size: 2,953 bytes.

    For my experiments I used the online Google Chart API barcode generator. The open source Zebra Crossing project also provides an interface to this generator. They are developing a QR Code scanner for various mobile devices. Check the following example.

    To decode these barcodes you can use software on your cellphone or your desktop, or any online decoder like the one kindly provided by DrHu.org here.

    Attack Vector 1: Embedded URLs with Non-Persistent XSS

    Because these barcodes often contain URLs that redirect mobile phones to web pages, URLs containing JavaScript code that is reflected back, à la non-persistent cross-site scripting (XSS), can be found. An example extracted from OWASP follows.


    Malicious JavaScript can be used to perform any web operation within the victimized domain and also to send stolen information to other malicious domains.

    Attack Vector 2: JavaScript code directly included inside the barcode

    If you look at the DrHu.org online web decoder you will notice that HTML-sensitive characters are not escaped, so you can insert JavaScript code inside the encoded text. The following barcode shows a popup and redirects the browser to another web page when it is decoded using DrHu.org's service.

    The decoded text follows.

    location.href = location.href.replace(/^http:\/\/www.drhu.org\/QRCode\/QRDB_Java.php/,'http://mechpoe.blogspot.com');

    Notice that DrHu.org's site is not always working because it is not an industrial-sized project. These ideas were partly inspired by the SQL injections on RFID chips described in the paper Is Your Cat Infected with a Computer Virus?.
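    As an added example (not code from the original post, from DrHu.org or from the Zebra Crossing project), the following JavaScript shows the defensive counterpart of both attack vectors above: a decoder page that treats the decoded QR payload as untrusted, only offers http/https URLs as links, and HTML-escapes everything before rendering, so a payload like the one decoded above is shown as inert text. Function names and the sample payloads are assumptions.

```javascript
// Added example, not code from the original post or from DrHu.org.
// It treats a decoded QR payload as untrusted input; function names are assumed.

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Classify a decoded payload. Only absolute http/https URLs are offered as links;
// anything else (plain text, javascript: or data: URLs, script tags) is shown as text.
function classifyPayload(payload) {
  let url;
  try {
    url = new URL(payload);
  } catch (e) {
    return { kind: 'text', value: payload };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { kind: 'text', value: payload };
  }
  // url.href is the normalized form, with < > " percent-encoded in the query.
  return { kind: 'url', value: url.href };
}

// A decoder that does not escape, like the one discussed above, behaves as if it
// did `container.innerHTML = payload`, so a <script> tag in the payload executes.
// Hardened version: escape first, so the browser shows the payload literally.
function renderPayloadSafe(payload) {
  const c = classifyPayload(payload);
  const safe = escapeHtml(c.value);
  if (c.kind === 'url') {
    return `<a href="${safe}" rel="noopener noreferrer">${safe}</a>`;
  }
  return `<pre>${safe}</pre>`;
}

// Constructed sample payloads (not real decoder output), in the spirit of the
// two attack vectors above: a reflected-XSS style URL and an inline script.
const SAMPLE_PAYLOADS = [
  'http://example.com/?q=<script>alert(1)</script>',
  '<script>location.href="http://example.com/"</script>',
  'javascript:alert(1)',
  'Just a tag label',
];

for (const p of SAMPLE_PAYLOADS) {
  console.log(classifyPayload(p).kind, '=>', renderPayloadSafe(p));
}
```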

    Final Remarks

    We conclude that browser-executable code can be included inside QR Codes, directly or within URLs. Although the examples I present are not very dangerous, it is possible that more critical examples will appear in the future if QR Codes become more widely used in daily life.

    Check below the remarkable video for the Pet Shop Boys' song Integral.

    Sunday, May 24, 2009

    XSS on WolframAlpha's Blog (owned!)

    A reflected XSS has been discovered in the blog of the WolframAlpha project. Check the screenshot; it's not very dangerous but it's funny, it inserts a lolcat photo from another domain.



    Tuesday, February 3, 2009

    Are banknotes with inscriptions any use against the system?

    Well, an Argentine 2-peso banknote came into my hands with a viral inscription that says "if this bill reaches you, money will never fail you, make 3 copies".

    I found this hoax (or chain letter) that uses money to replicate itself very amusing; that is, it is obviously false, but many people, faced with the bill's promise, plus their need for money and superstition, will do what it says.

    In 2007, banknotes stamped with protests against the paper mill company Botnia invaded Argentine wallets. According to the following newspaper article, ¿Sirven los billetes con sellos contra las papeleras?, the bills would add up to around 100,000 pesos; I wonder whether such a large amount could have been stamped by a private individual or whether it was a campaign of the national government. Something interesting is that the Central Bank of the Argentine Republic (BCRA) said that these adulterated bills "[..] retain full circulating and payment value" and that this entity reserves the right to pursue the appropriate actions against those who distort the use of banknotes through inscriptions.

    As an act of civil disobedience I am going to continue the chain, making 2 copies instead of 3 (the important thing is that there are more than 2 so that the growth of affected bills is exponential). It reminded me of this documentary called El Dinero Como Deuda (Money as Debt), which explains how the strongest currency in the world, the dollar, is issued by a central bank governed by private interests, the FED, which means that the dollars in circulation are notes of debt that the US government owes to the private banking system. In the case of Argentina, the Central Bank of the Argentine Republic is run by a board chosen by the Executive Branch, but in practice one sees that the leadership of this Argentine central bank comes from the international private financial sector more than from the government of the day (see the list of directors), and that for almost the last 20 years the Argentine peso has been pegged to the dollar, or regulated so as to be pegged to it.

    Technically, if money is issued to accompany the country's growth there would be no problem (although indefinite growth is unsustainable anyway), but the issue is that, conversely, whoever issues the money controls or strongly influences the country's growth; so if the peso is pegged to the dollar and the dollar is issued by the private FED at the request of the US government with an interest rate that the FED controls, then the private interests of international or US bankers control Argentine growth and Argentine inflation.

    At the beginning of this post is the documentary, in Spanish.

    I am going to make a short URL to put on the bills I am going to release, so I can partially track the success of this humble campaign by looking at the number of visits to this article on my blog.

    So my inscription will be the following:

    "if you don't have enough money, make 2 copies and go to http://tinyurl.com/cedbxz"

    Release your own inscribed bills if you want.

    Enough private international control over the monetary policy of Argentina or of any free and sovereign country!

    Other creative alternatives that have been put into circulation are:

    - If you don't want to lack love, go to http://tinyurl.com/cedbxz and make 2 copies (Hare Krishna version)
    - If you hate the banks, make 2 copies and go to http://tinyurl.com/cedbxz (Corralito version)
    - Civil disobedience! Make 2 copies and go to http://tinyurl.com/cedbxz (disobedient version)
    - Join the Resistance! Make 2 copies and go to http://tinyurl.com/cedbxz (resistant version)
    - 59-09: 50 years of the Cuban Revolution, make 2 copies and go to tinyurl.com/cedbxz (Cuban version)