Archive for the 'Security' Category
Personal firewall for RFID
Good news for you RFID security worriers.
A Platform for RFID Security and Privacy Administration is a paper by Melanie R. Rieback and Georgi N. Gaydadjiev that won the award for Best Paper at the USENIX LISA (Large Installation Systems Administration) conference today.
OpenBSD i386 Users Get A Securer X Server
Put your hands up who wants to use an i386 X Window server which has access to your kernel’s memory?… What? No takers? Well, it’s a good thing an OpenBSD developer, Matthieu Herrb (matthieu@), just committed this patch for OpenBSD i386 X Server users.
CVSROOT: /cvs
Module name: xenocara
Changes by: matthieu@cvs.openbsd.org 2006/11/29 13:07:10

Modified files:
driver/xf86-video-wsfb/src: wsfb_driver.c

Log message:
Add support for vesafb to the wsfb driver. This makes it possible to
run an unaccelerated and unprivileged X server
with machdep.allowaperture=0 on i386.
‘CVS: cvs.openbsd.org: xenocara’ - MARC
And from Theo’s reminder on the X Aperture, March 2006
I would like to educate people of something which many are not aware
of — how X works on a modern machine.

Some of our architectures use a tricky and horrid thing to allow X to
run. This is due to modern PC video card architecture containing a
large quantity of PURE EVIL. To get around this evil the X developers
have done some rather expedient things, such as directly accessing the
cards via IO registers, directly from userland. It is hard to see how
they could have done other — that is how much evil the cards contain.
Most operating systems make accessing these cards trivially easy for X
to do this, but OpenBSD creates a small security barrier through the
use of an “aperture driver”, called xf86(4) http://www.openbsd.org/cgi-bin/man.cgi?query=xf86
This device exists on i386, amd64, alpha, cats, macppc, and sparc64.
(Other architectures do not need such a thing, since they have less evil).
Please be aware that other operating systems don’t even have an
aperture device, because they simply let root processes talk to the
video cards (via /dev/mem). Their X servers also run entirely as
root, while ours is now privilege separated and running jailed as user
_x11. Even so, our privilege separated X server is talking directly
to the IO registers of a video card with much evil in it. And many
newer video cards are very smart, capable, and thus dangerous. So we
have concerns.
> Are these new programable cards capable of reading main memory, which
> OpenBSD would not be able to prevent if machdep.allowaperture were
> set to something other than 0?

Yes, they have DMA engines. If the privilege separated X server has a
bug, it can still wiggle the IO registers of the card to do DMA to
physical addresses, entirely bypassing system security.
From the xf86 man page mentioned by Theo
in addition to allowing access to pci(4) configuration registers,
the aperture driver allows access to the whole first megabyte of
physical memory, permitting use of the int10 emulation in X.Org
6.8 and later. Note that this can cause some security problems,
since the process that has access to the aperture driver can also
access part of the kernel memory.
So what Matthieu has done is stop a not-yet-existent exploitable bug in X from compromising the security of the host, by not allowing an i386 X server access to your kernel’s memory. Yet another reason to choose OpenBSD: possible bugs that may never occur are already protected against.
Great going Matthieu and good luck with the Xenocara port.
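A quick way to audit the setting the commit message refers to, as an added example that is not part of the original post or of OpenBSD's own tooling. It assumes the value is set in a sysctl.conf-style file (`name=value`, `#` comments) and is 0 when no line sets it; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the boot-time value of machdep.allowaperture.
# Assumption: sysctl.conf-style input, value defaults to 0 when unset.

# Print the effective value found in the file given as $1.
# The last assignment wins; commented-out lines are ignored.
effective_aperture() {
    awk '
        { sub(/#.*/, "") }        # drop comments, including trailing ones
        {
            gsub(/[ \t]/, "")     # strip stray whitespace before matching
            n = index($0, "=")
            if (n && substr($0, 1, n - 1) == "machdep.allowaperture")
                val = substr($0, n + 1)
        }
        END { print (val == "" ? 0 : val) }
    ' "$1"
}

# Turn a value into a one-line verdict.
aperture_verdict() {
    case "$1" in
        0) echo "OK: aperture closed" ;;
        *[!0-9]*|"") echo "ERROR: unparseable value '$1'" ;;
        *) echo "WARN: aperture open (machdep.allowaperture=$1)" ;;
    esac
}

# Constructed sample configuration, not taken from a real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
net.inet.ip.forwarding=1
machdep.allowaperture=2   # left over from an older X setup
#machdep.allowaperture=0
EOF

aperture_verdict "$(effective_aperture "$sample")"
rm -f "$sample"
```

On a running OpenBSD system, `sysctl machdep.allowaperture` shows the live value to compare against the configured one.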
Police pilot roadside fingerprinting
More biometric police crap in the UK, this time it’s roadside fingerprinting….. is it time to chop your fingers off?
Ten police forces in England and Wales are to test handheld fingerprint checking devices on the roadside.
The forces’ automatic number plate recognition (ANPR) teams, who already cross check vehicle number plates against databases, will be able to verify a person’s identity within five minutes without having to take them to a police station.
Police pilot roadside fingerprinting | The Register
Link to a Sky News Video of the road side fingerprint scanner
http://news.sky.com/skynews/video/videoplayer/0,,30100-prints_221106_0900,00.html
Linux NTFS Compatibility = Possible Denial of Service Attack
Linux 2.6.x NTFS __find_get_block_slow() denial of service
Looks like the Linux NTFS compatibility could lead to a denial of service attack
Kernel Fun: MOKB-19-11-2006: Linux 2.6.x NTFS __find_get_block_slow() denial of service
OpenBSD 4.0 Released
OpenBSD 4.0 has started to hit the mirrors but there is no official word as yet on the release, so get downloading now before official release (Nov 1)
Mirrors with OpenBSD 4.0 are as follows
Second Level Mirror (Vienna, Austria) ftp://openbsd.informatik.uni-erlangen.de/pub/OpenBSD/4.0
Second Level Mirror (Stockholm, Sweden) ftp://ftp.stacken.kth.se/pub/OpenBSD/4.0
Second Level Mirror (Lake in the Hills, IL, USA) ftp://rt.fm/pub/OpenBSD/4.0
Second Level Mirror (Vienna, Austria) ftp://spargel.kd85.com/pub/OpenBSD/4.0
For the full list of mirrors please check http://www.openbsd.org/ftp.html and don’t forget that you can buy official OpenBSD 4.0 CDs and help support the project on http://openbsd.org/orders.html
Rude Awakening For Dawn Drivers (from The Argus)

Early morning motorists got a shock yesterday when digital car park signs were tampered with by computer hackers and were left displaying an obscene message.
The message appeared on all similar signs around Crawley at about 6.45am.
Thousands of motorists travelling into the town would have been subjected to the unsavoury advice.
Beer fingerprints to go UK-wide
The government is funding the roll out of fingerprint security at the doors of pubs and clubs in major English cities.
Some licensees were not happy to have their punters fingerprinted, but are all now apparently behind the idea. Not only does the council let them open later if they join the scheme, but the system costs them only £1.50 a day to run.
Oh, and they are also coerced into taking the fingerprint system. New licences stipulate that a landlord who doesn’t install fingerprint security and fails to show a “considerable” reduction in alcohol-related violence, will be put on report by the police and have their licences revoked.
Offenders can be banned from one pub or all of them for a specified time - usually a period of months - by a committee of landlords and police called Pub Watch. Their offences are recorded against their names in the fingerprint system.
Beer fingerprints to go UK-wide | The Register
OK, I don’t agree with violence, but what is going on in the UK? The government has taken away the majority of your rights to anonymity and freedom and it’s getting worse.
The government as I see it is
a) Forcing biometrics into public places
b) Forcing businesses into obtaining biometric data from everyone that enters the premises and sending it to the police, otherwise the government will revoke their license
c) Locking all seaports and airports to anyone who doesn’t want to give their biometrics.
d) Tracking nearly your every movement via CCTV, number plate recognition, oyster tube cards, the recording of every telephone conversation, every email sent and every website visited.
So what happens to the people who don’t want to hand over their biometrics or be tracked? Well, basically they can’t, as they can’t go to the pub and they can’t escape to another country. The usual saying of “if you don’t like it you can leave” does not apply as you can’t leave! Big brother’s tracking has stepped up and will be coming to pubs and clubs near you soon.
YouTube Video - UK ID CARDS: In the Name of Security
For more info on the database state please see http://www.no2id.net/
For an article on fingerprinting children please see indymedia’s article http://www.indymedia.org.uk/en/regions/cambridge/2006/07/344228.html
For a pdf on spoofing fingerprints please see http://web.mit.edu/6.857/OldStuff/Fall03/ref/gummy-slides.pdf
Sidenote: Don’t the government realise that normally the dodgiest people in the club are the door security?
Russian bookmaker hackers jailed for eight years | The Register
Looks like some more hackers got caught.
Ivan Maksakov of Balakovo, Alexander Petrov of Astrakhan, and Denis Stepanov of St Petersburg extorted up to $4m from online bookmakers and casinos in the UK alone prior to their capture
Russian bookmaker hackers jailed for eight years | The Register
bsdtalk069 - Interview with Christoph Egger about Xen on OpenBSD
Interview with Christoph Egger about Xen on OpenBSD.
bsdtalk069 - Interview with Christoph Egger about Xen on OpenBSD
Mp3 Link:
http://cisx1.uma.maine.edu/~wbackman/bsdtalk/bsdtalk069.mp3
Ogg Link:
http://cisx1.uma.maine.edu/~wbackman/bsdtalk/bsdtalk069.ogg
OpenBSD goes 4 years without a remote hole in a default install
OpenBSD have updated their slogan for the 4.0 release to include
“No remote hole in the default install, in more than 4 years!”
Not a bad claim to fame combined with only one remote hole in the last 10 years.
Get your OpenBSD 4.0 preorders in now http://www.openbsd.org/40.html
**Update** Looks like Theo didn’t like the change, so it is back to the original slogan
“Only one remote hole in the default install, in more than 10 years!”
Coca Cola Launch iD Vending Machine
Coca Cola Japan have launched a new vending machine that incorporates iD technology to allow for micro payments via a mobile phone. iD, launched Autumn 2005, is a brand of NTT Docomo, with the technology behind it being the Sony / NTT mobile FeliCa chip. Coca Cola estimate that by the end of 2006 there will be 10,000 FeliCa vending machines and by the end of 2008 200,000.

Vodafone and AU have licensed the FeliCa technology and a few of the new phones can be found on the following link. There is also another picture of a FeliCa phone in use.
http://bcnranking.jp/feature/04-00007596.html
More info on iD can be found in NTT Docomo’s English press release from Autumn 2005 http://www.nttdocomo.com/pr/2005/000698.html
bsdtalk: bsdtalk068 - Interview with OpenBSD Developer Bob Beck
Talk on email and the joys of spamD with Bob Beck
bsdtalk: bsdtalk068 - Interview with OpenBSD Developer Bob Beck
MP3 Link: http://cisx1.uma.maine.edu/~wbackman/bsdtalk/bsdtalk068.mp3
OGG Link: http://cisx1.uma.maine.edu/~wbackman/bsdtalk/bsdtalk068.ogg
OpenBSD 4.0 available to pre-order
OpenBSD 4.0 is now available to pre-order.
* Three CDROMs in a regular size soft-shell DVD case.
* The complete install components for FIVE architectures: i386, amd64, macppc, sparc, sparc64.
* The following architectures only available via FTP download: alpha, armish, cats, hp300, hppa, luna88k, mac68k, mvme68k, mvme88k, sgi, vax, zaurus.
* The CDs are bootable on i386, amd64, macppc, sparc, and sparc64.
* A funky and surprisingly artistic CD insert sheet which contains installation instructions. The information on this piece of paper makes OpenBSD somewhat easier to install than if you do an FTP install.
* A full source tree (ready for AnonCVS use).
* X.Org 6.9.0 (+ patches) binaries and source code.
* Our own ports tree which has improved an insane amount since OpenBSD 3.9. Almost all packages work on almost all architectures.
* Several pre-built binary packages for the most common architectures, which are very easy to install directly off the CDROM.
* As always, stickers included!
* And many other things…
Oooo soft-shell DVD cases, so hopefully no more broken cases people have been complaining about.
There is also a shed load of improved hardware support and a few platforms extended… now including UltraSPARC III (still not the quickest it can be due to some caching problems but certainly a triumph for OpenBSD who campaigned Sun to open the documentation.) Happy happy joy joy
* OpenBSD/armish.
Various ARM-based appliances, using the Redboot boot loader, currently only supporting the Thecus N2100 and IOData HDL-G.
* OpenBSD/sparc64.
UltraSPARC III based machines are now supported!
* OpenBSD/zaurus.
Support for the Zaurus SL-C3200.
For the full changelog check http://openbsd.org/plus.html
Also there is an 11-track audio CD that you can purchase:
The OpenBSD Audio celebrates the artwork and songs that have been released with each OpenBSD release. All the songs from the 3.0 to 4.0 releases are included (plus one bonus track by Ty Semaka explaining his role in the development of the art that accompanies OpenBSD releases). Includes a 11cm silver-on-clear die-cut wireframe Puffy sticker!
Lyrics to 9 of the songs on the CD can be found here http://openbsd.org/lyrics.html





















