Saturday, May 29, 2010

Flipping the Death Switch | Institute For The Future

Flipping the Death Switch | Institute For The Future: "Flipping the Death Switch

A couple days ago, I was listening to a typically brilliant episode of RadioLab when I heard about a fascinating, niche service: The Death Switch. The name is morbid, but surprisingly apt. Users receive periodic emails prompting them to sign in and prove that they're, well, still alive. And if they fail to sign in after a few prompts, it triggers the death switch, sending emails that the user wrote while living to friends, family and colleagues. They market themselves as 'information insurance.'

The site was developed by Neuroscientist David Eagleman who wrote a fascinating article about the concept of deathswitches in Nature a few years ago. In it, he writes:

Individuals began to use death switches to reveal Swiss bank account numbers to their heirs, to get the last word in an argument, and to confess secrets that were unspeakable during a lifetime.

It soon became appreciated that death switches provided a good opportunity to say goodbye electronically. Instead of sending out passwords, people began programming their computers to send e-mails to their friends announcing their own death. “It appears I’m dead now,” the e-mails began. “I’ll take this as an opportunity to tell you things I’ve always wanted to express...”

Soon enough, people realized they could program messages to be delivered on dates in the future: “Happy 87th birthday. It’s been 22 years since my death. I hope your life is proceeding the way you want it to.”....

In this way, death switches have established themselves as a cosmic joke on mortality. Humans have discovered that they cannot stop Death, but at least they can spit in his drink.

As we've been looking at the future of well-being in health this year, I've been thinking about what it might mean to 'die well.' The Death Switch strikes me as a tool with both enormous potential and danger, in this regard. Eagleman's example of sending a birthday greeting from beyond the grave is just one of the wide variety of thoughtful messages a person could pass along to loved ones.

But I'm also reminded of another excellent NPR story, this one on This American Life, about a woman in her forties who was dying of cancer in the early 1990s and left a series of letters for her daughter to be delivered on her daughter's birthdays. While the daughter described feeling incredibly loved by the letters, they also made her feel distraught for a variety of reasons. For example, the mom had been a Mormon in her life, and while the daughter drifted away from the church, her mother focused on Mormonism in many of her letters. In effect, the daughter received an annual reminder from her dead mother that she was breaking one of her dying mom's last wishes.

It's likely, of course, that had the mom lived, she could have adjusted her expectations about her daughter. But dead people lack that ability.

In this sense, concepts like the Death Switch suggest, as my colleague Jason Tester likes to say, our ability to think about the future is still in beta. A death switch is, in a very real way, a path to communicate with a future that we're not part of. How to do that well--to help give solace to loved ones, for example--is a concept that's still very much in beta.

- Sent using Google Toolbar"

John Graham-Cumming: Inside the RFID 'virus' that 'infected a man'

John Graham-Cumming: Inside the RFID 'virus' that 'infected a man': "Friday, May 28, 2010
Inside the RFID 'virus' that 'infected a man'
Earlier this week the BBC reported on a man who had 'infected' himself with a computer virus. The story, of course, is rubbish. The man wasn't 'infected' with anything, he had simply reprogrammed a chip that had been inserted under his skin and then stated that the code in the chip could 'infect' a machine.

There's nothing at all surprising in this. The idea that one machine could infect another is just the run of the mill virus story. The idea that a piece of data (for that is what is stored in his subcutaneous chip) could cause a machine to misbehave is nothing new either: many, many attacks are based on subverting the difference between data and code to take control of machines.

So, the BBC should never have run with the story since it was sensationalist bollocks.

The story states: 'In trials, Dr Gasson showed that the chip was able to pass on the computer virus to external control systems. If other implanted chips had then connected to the system they too would have been corrupted, he said.' So what is this virus? I tried emailing the scientist involved, Dr Mark Gasson, but have not received any response.

For coders the BBC did happily show two screen shots of the 'virus':



The top shot shows the ASCII version of the virus, and the bottom the hex. If we concentrate on the top shot we'll see that the contents of the virus on the chip are (I used § to indicate a character I can't read):


41207§§§676e206f66207§§§696e677329746§§§636f6d65202d2§§§
7220476173736§§§',NewProfile =(select SUBSTR(SQL_TEXT,1)FROM v$sql
WHERE INSTR(SQL_TEXT,'',0)--


So what you have is a SQL injection attack (note the first ' mark) which then executes a SQL statement (against an Oracle database because it's using the special v$sql table). The SQL itself is rather odd because it's looking for a piece of JavaScript in the currently running database query and then returning the query.

Since I don't have access to the machine that is running this code this is where a guess is needed, but it looks like he's causing the machine to insert JavaScript that will force a web browser to visit a site he owns, kablamm.com.

So, in summary, the sum total of this is that the RFID scanner has a SQL injection vulnerability. Big deal. SQL injection is everywhere, it hardly takes a 'researcher' to realize that unchecked input from the user (in this case in the form of a passive RFID tag) could have a consequence.

The entire demonstration stinks, and worse the BBC has reported on this type of vulnerability (the data in an RFID tag could corrupt a host system) four years ago in a sensible and calm manner. A quote from that article:


In their research paper Mr Tanenbaum and his colleagues Melanie Rieback and Bruno Crispo detail how to use RFID tags to spread viruses and subvert corporate databases.

'Everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify back-end software and certainly not in a malicious way. Unfortunately, they are wrong,' wrote the trio in their research paper.

The researchers showed how to get round the limited computational abilities of the smart tags to use them as an attack vector and corrupt databases holding information about what a company has in storage. To test out the theory the group created a virus for a smart tag that used only 127 characters, uploaded it and watched it in action.


The sensible article which the BBC is talking about back in 2006 is The Evolution of RFID Security.

PS Eagle eyed ASCII loving readers may have wondered about the block of hex code at the start of Dr Gasson's RFID tag: 4120 7§§§ 676e 206f 6620 7§§§ 696e 6773 2974 6§§§ 636f 6d65 202d 2§§§ 7220 4761 7373 6§§§. If, like me, you think this looks a lot like English text in ASCII you'd be right. It reads 'A sign of things to come - Dr Gasson'. So, Dr Gasson signed his 'virus'. All he needs is a leet h4x0r name to complete his transition to script kiddie.

Now script kiddie might seem a bit rude until you go back and look at the virus above. It's using a technique called 'self referential SQL queries'. Their use in 'infecting' RFID systems is detailed here and also in the 2006 paper Is your cat infected with a computer virus?.

So Dr Gasson's virus looks less and less clever: he used a four year old technique to infect a machine and got himself on the telly because he 'infected himself' (an audible gasp from the audience).

There's a nice description of how the attack works here. Notice the incredible similarity between Dr Gasson's 'virus' and the code on this page.

Oh, and by the way, v$sql isn't accessible unless the user is a database administrator. So you need a machine running as database administrator, and a SQL injection vulnerability to make this happen.

PPS What annoys me most about this story is that Dr Gasson didn't invent the clever bit (the self-referential SQL query), he just got himself on the telly with a bit of grandstanding four years after the original, interesting report on the subject.

Labels: rants and raves, security

posted by John Graham-Cumming at 08:35 Permalink
1 Comments:

Blogger Heds said...

I left Reading University's Cybernetics Department in 1997 with a degree of which I was proud.

Then Kevin Warwick started showboating. Now Gasson is.

I dread to think what employers think of new graduates from the department. Poor sods.
3:55 PM

Copyright (c) 1999-2010 John Graham-Cumming



- Sent using Google Toolbar"
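The flaw the RFID post describes, tag contents pasted into a SQL statement, shown beside a hardened version; this is an added example, not code from the post or from the system it discusses. SQLite stands in for the Oracle back end, and the table, column and function names and both tag values are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample data: a well-formed tag ID, and a tag whose contents close
# the string literal and append a second column assignment, mirroring the
# "',NewProfile =(...)" shape quoted in the post.
GOOD_TAG = "04A1B2C3D4"
HOSTILE_TAG = "04A1B2C3D4', profile = 'overwritten by tag data"

TAG_FORMAT = re.compile(r"[0-9A-F]{8,32}")  # assumed tag ID format


def fresh_db():
    # Hypothetical back-end table kept by the reader software.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE access_log "
               "(door TEXT PRIMARY KEY, last_tag TEXT, profile TEXT)")
    db.execute("INSERT INTO access_log VALUES ('lab', NULL, 'staff')")
    return db


def record_scan_vulnerable(db, tag_data):
    # Tag bytes become part of the statement text, so a quote in the tag
    # ends the literal and the remainder is parsed as SQL.
    db.execute("UPDATE access_log SET last_tag = '" + tag_data
               + "' WHERE door = 'lab'")


def record_scan_hardened(db, tag_data):
    # 1. Reject anything that is not a plain tag ID.
    if not TAG_FORMAT.fullmatch(tag_data):
        raise ValueError("tag contents do not match the expected ID format")
    # 2. Bind the value; it can never change the statement's structure.
    db.execute("UPDATE access_log SET last_tag = ? WHERE door = 'lab'",
               (tag_data,))


def scan_result(record, tag_data):
    """Run one scan against a fresh database; return (outcome, stored row)."""
    db = fresh_db()
    try:
        record(db, tag_data)
        outcome = "accepted"
    except ValueError:
        outcome = "rejected"
    return outcome, db.execute(
        "SELECT last_tag, profile FROM access_log").fetchone()


if __name__ == "__main__":
    for record in (record_scan_vulnerable, record_scan_hardened):
        for tag in (GOOD_TAG, HOSTILE_TAG):
            print(record.__name__, scan_result(record, tag))
```

The post's closing point about v$sql applies as a third layer: a reader's database account that is not an administrator cannot reach that view even if an injection gets through.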

profligate - Wiktionary

profligate - Wiktionary: "profligate
Definition from Wiktionary, a free dictionary
WOTD - 13 October 2007
English
Etymology

From Latin prōflīgātus (“wretched, abandoned”), participle of prōflīgō (“strike down, cast down”) < pro (“forward”) + fligere (“to strike, dash”)
Pronunciation 1

* (RP) IPA: /ˈprɒflɪgət/
* (US) enPR: prŏʹflĭgət, IPA: /ˈprɑːflɪgət/

Adjective

profligate (comparative more profligate, superlative most profligate)

1. Inclined to waste resources or behave extravagantly.
2. Overthrown; beaten; conquered, especially by vice.

Synonyms

* (inclined to waste resources or behave extravagantly): wasteful, extravagant
* (overthrown; beaten; conquered, especially by vice): overthrown, beaten, conquered
* See also Wikisaurus:prodigal

Derived terms

* profligateness

Noun

profligate (plural profligates)

1. An abandoned person; one openly and shamelessly vicious; a dissolute person.
2. An overly wasteful or extravagant individual.

Synonyms

* (overly wasteful or extravagant individual): wastrel
* See also Wikisaurus:spendthrift

Pronunciation 2

* (RP) IPA: /ˈprɒflɪgeɪt/
* (US) enPR: prŏʹflĭgāt, IPA: /ˈprɑːflɪgeɪt/

Verb

to profligate (third-person singular simple present profligates, present participle profligating, simple past and past participle profligated)

1. (obsolete) To drive away; to overcome.
* 1840, Alexander Walker, Woman Physiologically Considered as to Mind, Morals, Marriage, Matrimonial Slavery, Infidelity and Divorce, page 157:

Such a stipulation would remove one powerful temptation to profligate pennyless seducers, of whom there are too many prowling in the higher circles ;

Synonyms

* (to drive away; to overcome): overcome

Related terms

* profligacy
* profligately
* profligateness
* profligation

External links

* profligate in Webster’s Revised Unabridged Dictionary, G. & C. Merriam, 1913
* profligate in The Century Dictionary, The Century Co., New York, 1911

Retrieved from 'http://en.wiktionary.org/wiki/profligate'
Categories: Word of the day archive | Latin derivations | English adjectives | English nouns | English verbs | Obsolete
Hidden category: Entries with Pronunciation n headers

* This page was last modified on 27 March 2010, at 01:48.
* Text is available under the Creative Commons Attribution/Share-Alike License; additional terms may apply. See Terms of Use for details.



- Sent using Google Toolbar"

YouTube - Atheists Don't Have No Songs-Steve Martin With The Steep Canyon Rangers

YouTube - Atheists Don't Have No Songs-Steve Martin With The Steep Canyon Rangers: "Atheists Don't Have No Songs-Steve Martin With The Steep Canyon Rangers

- Sent using Google Toolbar"