How freaking awesome is this: After I finished a forensics workshop in liberal Canada, where civilians aren’t allowed to own or even possess handguns, the most awesome regional cops let me come in and shoot at their police range. We tore through about 200+ rounds wearing bullet proof vests (which are required while shooting) and wasted several cardboard dummies like this one. This is one for the history books for sure. I was initially surprised to find that I shot tighter groups than some of the cops, and most of the cadets – but then realized that even the police aren’t allowed to carry their firearms off duty; how much practice can the average Canuck blue get in? Turns out that, due to the heavily restrictive laws on handguns, most only get to shoot once or twice a year when they qualify… very different from our American culture where many cops have been shooting since they were kids. It was amusing to see how excited they were about a new model of handgun being introduced to the force, which they hadn’t gotten to shoot yet… two of which I’ve owned for the past four years. I guess when you’re not allowed to own anything, you can’t just walk into a gun shop to check something out; everything seems new to you.
We were walking down the halls of the police department with my little cardboard cutout getting some strange looks from the cadets, who are required to carry plastic blue guns instead of real ones. A couple of young, blonde female 18-year old cadets looked my way, saw the target, and were noticeably impressed. They then looked at me, and… notsomuch.
In short, this has to be the best trip to Canuckistan I’ve had to date. It was a beautiful drive through western NY, where there are still cows and farms (who knew!). In spite of the fact that NY is almost as liberal as all Canada, you wouldn’t have guessed it driving through the countryside. I guess it’s all of those city liberal babies that really screwed everyone else in the state. Canada consisted of some great scenery around Niagra Falls followed by some fantastic steaks at Ruth’s Chris in Ontario, lots of handguns, and even more hacking. All this crammed into three great days. What more could you possibly ask for? Thanks for a great trip guys!
Yesterday I test drove a 2010 Lincoln Navigator equipped with the MS Sync feature advertised to make driving safer and easier by accepting voice commands. First of all – yes, I loathed the Navigator. The quality was about that of the cheap Rolex watches sold on eBay. Among all of the other things I hated about the Navigator’s poor design, its MS Sync feature made me want to get out a flathead screwdriver and forcibly remove the Navigation system, along with the “Powered by Sync” logo stuck on the dashboard. If you are among those few who love pain and actually like Microsoft Windows, Sync may be for you. For the rest of us who are merely forced to tolerate the craptastic wonderland of a Microsoft-based corporate cesspool, I promise you that once you push the Sync button, you’ll find new meaning to the phrase, “Microsoft crashing”, as you struggle to use sync without dying a horrible, fiery death.
In the audio below, it took me a total of three minutes and thoughts of suicide to assign a simple destination using MS Sync. I was forced to take my eyes off the road several times to read numerous lists of possible voice matches for city, street name, and more. Every time you hear, “Please say a line number” in the recording, I’m actually reading through a list instead of watching where I’m driving. After answering nearly a dozen questions, I had to end up touching buttons on the console, and later the navigation system screen to finally set the destination and accept an “agreement” to drive safely and obey all traffic laws. So MS Sync is sort of a voice-button-screen hybrid input, which I’m pretty sure entirely defeats its purpose.
Continue reading “Microsoft Sync Could Lead to Certain Death”
A nasty windstorm blew through a couple weeks back and decimated the power infrastructure in my town. A large part of the town was out for as much as six days. While most of us New Englanders have generators to take care of the necessities (laptops, WiFi, PS3, etc.), I noticed that many of my fellow generator-powered neighbors were still unreachable via their telephone, and weren’t online. No connection to the outside world, or even down the street, and most importantly – no 911. Come to find, they were all on Comcast.
A few days into the outage, what began as fast busy signals finally began to change into telco messages telling me that these numbers were unable to receive calls. So while Comcast’s network was beginning to light back up, their customers were still dark. By now, it was about four days that I began seeing Comcast trucks finally make it onto the scene (that’s a pretty terrible response time). They were placing what appeared to be battery backup units all over town, about a mile or so apart from each other. I don’t think they were gas powered, but were more likely heavy-duty DC battery units (which work fine on NEBS-rated telco equipment). It took until almost the sixth day for Comcast to bring enough of their repeaters back up to where my neighbors were able to make phone calls. I don’t think their Internet connections came back until even later.
Continue reading “FiOS vs. Cable During a Windstorm”
“Don’t ask yourself what the world needs. Ask yourself what makes you come alive and then go do that. Because what the world needs is people who have come alive.” – Howard Thurman
A friend of mine was going on about really knowing people; “people… are not defined by what they do”, he said. The point he was making was not to judge people by the cover of what they do in life. But the deeper point, that he may not have even realized, was the tragedy in the truth of that statement. How tragic it is that we aren’t defined by what we do. It seems to me that, given the finite amount of time we have to live and become, that we spend more of our lives thinking about what we want to do than actually doing it.
Continue reading “Do What Defines You”
Bypassing Passcode and Backup Encryption:
Forensic Recovery of Raw Disk:
What Data Can You Steal From an iPhone in 2 Minutes?
These YouTube videos demonsrate just how easy it is to bypass the passcode and backup encryption in an iPhone 3G[s] within only a couple of minutes’ time. A second video shows how easily tools can pull an unencrypted raw disk image from the device. The seriousness of the iPhone 3G[s]’ vulnerabilities may make enterprises and government agencies think twice before allowing these devices to contain confidential data. Apple has been alerted to and aware of these vulnerabilities for many years, across all three models of iPhone, but has failed to address them.
The 3G[s] has penetrated the government/military markets as well as top fortune-100s, possibly under the misleading marketing term “hardware encryption”, which many have taken at face value. Serious vulnerabilities such as these threaten to put our country’s national security at risk. Apple’s only fix thus far has been to consistently put a few nails on the front door, but they have thus far failed to fix the major underlying design issues that allow for this threat. Unfortunately, the only way Apple seems to listen is through addressing such problems publicly, as all previous attempts to talk with them have failed. I sincerely hope they fix these issues before a breach occurs.
The National Center for Missing and Exploited Children and I have been building a revolutionary new tool. The iPhone AMBER Alert System is now available in the App Store FREE and not only provides up-to-the-minute detailed information on all AMBER Alerts, but revolutionizes the way that sightings are processed. By using the iPhone’s GPS, we’re able to feed this data into a GIS system and build any number of geoanalytical models to identify multiple credible sightings within a given radius. This information is relayed directly to the NCMEC hotline where it is processed and disseminated to the appropriate law enforcement agency. The first version of AMBER Alert sends this data through email, but a private API is in the works, opening the door for taking photographs of sightings for visual confirmation and further improving response times. All of this is made available, of course, at no cost, and is a free download.
I recently did a talk at O’Reilly’s Ignite Boston party about the exciting iPhone forensics community emerging in law enforcement circles. With all of the excitement came shame, however; not for me, but for everyone in the audience who had bought an iPhone and put something otherwise embarrassing or private on it. Very few people, it seemed, were fully aware of just how much personal data the iPhone retains, in spite of the fact that Apple has known about it for quite some time. In spite of the impressive quantities of beer that get drunk at Tommy Doyle’s, I was surprised to find that many people were sober enough to turn their epiphany about privacy into a discussion about full disclosure. This has been a hot topic in the iPhone development community lately, and I have spent much time pleading with the different camps to return to embracing the practice of full disclosure.
Continue reading “Full Disclosure and Why Vendors Hate it”
The MIT Spam Conference concluded today with some great talks by various researchers in the field. I was particular sorry that I arrived late to miss Kathy Liszka’s talk on “Neural Networks for Image Spam”, as the tail end of it appeared very good. One thing I did notice that was quite refreshing about this year’s conference was that there were a few fresh faces, like Kathy, who were very passionate and enthusiastic about the subjects they were talking about, having an almost child-like giddiness (as in a “candy store” sort of way) zeal for what they were working on. It’s very hard to find people who have been in the field who still consider it that exciting, and these are the ones from whom the best technology typically emerges.
I was also honored with the award for “best overall paper” for the 2008 conference, which is available for download here, and is titled “Reasoning-Based Adaptive Parsing”. The presentation will be available on the conference website shortly. I’m glad people were so inspired by it. Hopefully, I provided enough of a solid level of technical content to help people realize that not all enterprise corporations are evil, secretive empires who engage academic conferences with brand whoredom on their mind.
The Spam Conference appears to be turning over a new leaf and returning to the academic field. Now that they’ve switched the cameras off and gotten rid of the press, the conference is beginning to feel like a true classroom experience once again. The “workshops”, which are really round-table type discussions, were intriguing, and the vendor whoredom was kept to a minimum. In addition to this, the first day of the conference was in a relatively small classroom, allowing for a more personal feel. I look forward to seeing how next year’s goes – hopefully it will continue in this direction.
Last night marked a unique event in history. The Apple Store in Cambridge MA allowed me to come in through the front door and deliver a keynote to some 200+ people as they hosted the Mobile Monday Boston conference. In spite of the sheer chaos of fitting so many people into such a small store, and the generally poor acoustics of a mall, what the conference lacked in elegance was quickly made up for in quality of content.
Continue reading “Tales From the Apple Store”
It looks like I missed the 1960s, but I’ve read that there were plenty of free drugs and free sex to go around. One thing that apparently wasn’t free, though, was telephone equipment. And behind all of the groovy things to do back then, the one thing nerds seemed to be more into than panty raids was having fun with the telephone networks. The digital telephone network was brand new, and so consumer ignorance was at an all-time high. This made for easy profiting – AT&T had made a killing by charging their customers not only for telephone service, but to pay usage and equipment rental fees for telephones, answering machines, and anything else you wanted to plug into your phone jack.
Continue reading “The Ethics of Hacking”
File Vault is the encryption mechanism used to protect user accounts on Apple’s Mac OS X file system. While disabled by default, many people rely on file vault to protect their personal data. Many criminals, no doubt, also use file vault to encrypt content that would otherwise be incriminating. The security offered by an encrypted volume comes at a price – Apple’s closed source approach has left a significant amount of ambiguity about how the system actually works, and many erroneous assumptions have left holes for data to be recoverable. Among these misconceptions are the idea that raw data inside a vault cannot be accessed, and the erroneous belief that mechanisms such as Apple’s free space wipe will remove deleted data. This brief how-to shows you how to obtain a raw disk image from a file vault, and illustrates that deleted data can be recovered. It also shows that mechanisms like Disk Utility’s “Erase Free Space” option doesn’t affect the deleted contents inside a vault.
Continue reading “File Vault’s Dirty Little Secrets”
Countless sermons have been preached instructing people to give, and God will let you have the car you want, the house you want, and the life you want. Amusingly, my web logs indicate that this essay is found frequently by pastors Googling for prosperity sermons to preach on Sunday. It seems strange, though, that a people who profess to follow Christ are so anxious to convince the church that God wants them to be rich, when the Bible teaches no such thing – God has promised us no such prosperity, but only trials, tribulation, and possibly martyrdom. James teaches us that there’s something profoundly wrong with a miser, treating the notion of being rich as a sign of poor character in their lack of generosity. So are pastors just in error, wanting to see their congregation blessed in this consumer driven American culture, or are they preaching up promises of breakthroughs and finances because they know they’ll reap some of the benefits? In either case, Christians shouldn’t be so naive, given the role model we have in Jesus’ life.
Continue reading “The Fallacy of the Prosperity Sermon”
Since the beginning of the early church, men have fought hard against the simplistic and servant-oriented church blueprint installed by the apostles. From the earliest days of the church, she has been plagued by power plays and factions, all attempting to use the church as a means of political, social, or economic power. Over a short period of about a century, Biblical church government had been abused, challenged, and eventually deposed.
Continue reading “Hijacking God”
I’ve spent many late evenings over the past month translating and researching an intriguing early Christian manuscript called the Didache. Greek for teaching, this first century Greek manuscript reveals the life and heart of the early Church. It has been the center of much academic interest and controversy since its rediscovery in 1883. Prior to this, it was once thought lost to history, although many early church fathers including Athanasius, Rufinus, and John of Damascas cited the book as inspired scripture. It was also accepted into the Apostolic Constitutions Canon 85 and the 81-book Ethiopic Canon. Many early church fathers including Barnabas, Irenaeus, Clement of Alexandria, and Origen either quote or reference the Didache.
Continue reading “Restoring the Beauty of the Didache”
A friend of mine proceeded half way home with lunch in hand after being delayed four minutes by an old, senile man who insisted upon checking his sandwich order. Shortly thereafter, she realized that her own turkey sandwich lacked an all-important ingredient – namely the turkey. They say that it’s counterproductive to turn back once you pass the halfway-home marker, and so she did what any other ordinary American would do – Continue reading “Embracing Senility”