I have a couple of devices at home that provide http servers on my local network. I have them tucked nicely behind my firewall so that they are not accessible from the outside, but occasionally, I would like to log in to them to perform some reconfiguration or the like. This is where ssh comes to the rescue: you can use it to create a secure tunnel, a port that I can connect to on my local machine that gets routed to my remote machine through my firewall.
The problem is, I can never remember the command, and it takes me a few minutes of thought to reconstruct it. So, I thought I’d write it down here so I’d remember.
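The command itself is not reproduced in this excerpt. As an added example (not the command from the original post), the function below builds an OpenSSH local-forward command for the setup described above; the function names, the gateway login and the device address are constructed placeholders.

```shell
#!/bin/sh
# Added example: build (but do not run) an ssh local port forward to an
# HTTP device behind a home firewall. All hosts and ports are constructed.

# is_port N: succeeds if N is a decimal integer in 1..65535
is_port() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;   # empty, non-digit, or too long
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# tunnel_cmd LOCAL_PORT DEVICE_HOST DEVICE_PORT SSH_LOGIN
# Prints the ssh command line for the tunnel.
tunnel_cmd() {
    [ "$#" -eq 4 ] || { echo "usage: tunnel_cmd LPORT HOST HPORT LOGIN" >&2; return 2; }
    is_port "$1" || { echo "bad local port: $1" >&2; return 1; }
    is_port "$3" || { echo "bad device port: $3" >&2; return 1; }
    # A host or login starting with '-' would be parsed by ssh as an option.
    case "$2" in -*) echo "bad device host" >&2; return 1 ;; esac
    case "$4" in -*) echo "bad ssh login" >&2; return 1 ;; esac
    # Keep both to plain host/login characters.
    case "$2$4" in
        *[!A-Za-z0-9@._-]*) echo "bad host or login" >&2; return 1 ;;
    esac
    # -N                      no remote command, forwarding only
    # ExitOnForwardFailure    fail instead of staying connected with no tunnel
    # 127.0.0.1 bind address  only this machine can use the forwarded port
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s\n' \
        "$1" "$2" "$3" "$4"
}

# Constructed sample: device at 192.168.1.20:80, reached via the gateway.
tunnel_cmd 8080 192.168.1.20 80 me@gateway.example.org
```

With the printed command running, browsing to http://127.0.0.1:8080/ on the local machine reaches the device's web interface through the ssh connection.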
I’ve been interested in TEMPEST and related technologies for a while. Here’s another link to another paper:
This project investigates a novel eavesdropping technique for spying at a distance on data that is displayed on an arbitrary computer screen, including the currently prevalent LCD monitors. Our technique exploits reflections of the screen’s optical emanations in various objects that one commonly finds in close proximity to the screen and uses those reflections to recover the original screen content. Such objects include eyeglasses, tea pots, spoons, plastic bottles, and even the eye of the user.
We have demonstrated that this attack can be successfully mounted to spy on even small fonts using inexpensive, off-the-shelf equipment (less than 1500 dollars) from a distance of up to 10 meters. Relying on more expensive equipment allowed us to conduct this attack from over 30 meters away, demonstrating that similar attacks are feasible from the other side of the street or from a close-by building. We additionally establish theoretical limitations of the attack; these limitations may help to estimate the risk that this attack can be successfully mounted in a given environment.
For all the people who’ve come to see this as my ham radio blog, I apologize, but I do have other interests, and computer security is one of them. It’s not that I am any kind of expert, but I have played around quite a bit with various bits of computer security and cryptography over the years, and enjoy reading up on it. Recently a small interdisciplinary workshop was held at MIT on this subject, and Matt Blaze was kind enough to make recordings of the workshop. I’m loading these onto my iPhone (perhaps the last thing new it will see before my new iPhone 3GS arrives!) Haven’t checked the audio quality yet, but hopefully the sessions will be interesting…
I’m not 100% obsessed (more like 98%) with radio topics: this morning, I found this link on Hack a Day which provided a link to several articles having to do with TEMPEST. I’ve blogged about TEMPEST before, but for those who haven’t heard of it before, it’s a way of eavesdropping on electronic signals by listening for insecure, electronic emissions. I’d seen some of these before, but I hadn’t seen this work on eavesdropping on USB keyboard emissions:
I’ve bitched before about CSI and their use of “video enhancement” to read displays and the like using low resolution security cameras reflecting off objects. It’s interesting to see what is actually possible using this basic idea though. Link courtesy of Bruce Schneier’s security blog:
Matt Blaze and company have a new paper just out entitled Signaling Vulnerabilities in Wiretapping Systems, which details a number of problems with the methods and equipment normally used by law enforcement to tap phone equipment. These include vulnerabilities that allow the surveilled party to make it appear to call numbers other than the one reached, to disable recording of specific calls and to just generally make it hard for tappers. Interesting stuff, and using relatively straightforward ideas and methodology.
Xerox printers use a watermarking technique to insert codes onto all printed documents from their Docucolor color laser printers. These identify date, time and printer serial number with a grid of yellow dots which appear in the printout. Presumably these codes are inserted to make the job of the Secret Service simpler in tracking their use in creating counterfeit money. What’s kind of cool though is that the EFF has figured out how to decode them. Interesting bit: the dots are simple to see when viewed under an intense blue light, like one of those blue Photon LEDs.
Jef is the author of the really nice thttpd, which I used to run my website for years before shifting to the Apache/PHP/Wordpress monstrosity that it is now. It’s really cool; if you need a low requirement bulletproof http server, check it out.
If anyone wants to volunteer to pie Bill Gates again, I’ll contribute to the defense fund. Or if you prefer, you could just kick him in the nuts.
Low-rights IE will only be available in Longhorn because it’s based on the new Longhorn security features that make running without Administrator privileges an easy option for users (User Account Protection). When users run programs with limited user privileges, they are safer from attack than when they run with Administrator privileges because Windows can restrict the malicious code from taking damaging actions.
My, that does sound innovative. Kind of like running IE inside a jail or something, maybe with an isolated directory. It’s good to see that Microsoft is on top of things.
Who uses PGP?
People who value privacy use PGP. Politicians running election campaigns, taxpayers storing IRS records, therapists protecting clients’ files, entrepreneurs guarding trade secrets, journalists protecting their sources, and people seeking romance are a few of the law abiding citizens who use PGP to keep their computer files and their e-mail confidential.
Businesses also use PGP. Suppose you’re a corporate manager and you need to e-mail an employee about his job performance. You may be required by law to keep this e-mail confidential. Suppose you’re a saleswoman, and you must communicate over public computer networks with a branch office about your customer list. You may be compelled by your company and the law to keep this list confidential. These are a few reasons why businesses use encryption to protect their customers, their employees, and themselves.
PGP also helps secure financial transactions. For example, the Electronic Frontier Foundation uses PGP to encrypt members’ charge account numbers, so that members can pay dues via e-mail.
Whether this individual is guilty or not, this seems incredibly ill-conceived.
Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and more. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features.