US Bank, Bank of America & Chase still force users to be vulnerable to ID theft

Posted in the highly recommended Risks Digest:

This may have been discussed before, but with the recent spate of DNS cache poisoning attacks and fake WiFi hotspot proliferation I believe it has new relevance.

I was actually rather shocked to find that U.S. Bank, Chase and Bank of America all still *force* users to enter their login and password on an insecure page. This exposes account holders to a great risk of their credentials being stolen. The login forms on their genuine home pages are submitted to a secure site, as they claim.

The problem is that you need security *before* you enter your data. If DNS, a router or a proxy server anywhere along the path to their server were compromised, the login page could be substituted for one that submits to another site or injected with JavaScript that sends info elsewhere, asynchronously, before it goes to the real destination. Without an SSL certificate chain there is no way to verify that the insecure page with the form came from a trusted source and no way short of exhaustive code inspection to tell where the form data is actually going.

BankOne, Wells Fargo, Citi, Washington Mutual, Bank of the West, Key Bank and Sun Trust all offer SSL versions of their login page, but for some reason, U.S. Bank, BofA and Chase redirect to an insecure site or return an error when trying to connect with SSL. You *can't* log in securely, even if you try. The existence of this kind of obvious and fundamental security mistake after all the publicity about this category of attack (note that all these banks *do* have a user education page on phishing/fraud prevention!) is definitely something to keep in mind when choosing a bank.

- Brad Hill
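The weakness Brad Hill describes is testable: a page that carries a password field but was fetched over plain HTTP cannot be trusted, whatever its form action says, and a form whose action resolves to plain HTTP leaks the credentials outright. The following is an added audit script illustrating that check; it is not code from the Risks Digest post, and the hostnames and HTML samples are constructed placeholders, not the banks' real pages.

```python
"""Audit a fetched login page for two defects: a password form delivered over
plain HTTP (the page itself is unauthenticated, so its form action cannot be
trusted), or a form that posts to plain HTTP (credentials go out in clear).
Added example; sample pages and hostnames below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form> and note whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []          # each entry: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return a list of findings; an empty list means nothing was flagged.

    page_url: the URL the HTML was actually retrieved from (its scheme matters).
    html:     the page body as a string.
    """
    findings = []
    page_scheme = urlsplit(page_url).scheme.lower()
    parser = _FormCollector()
    parser.feed(html)

    for form in parser.forms:
        if not form["has_password"]:
            continue                         # not a login form, ignore it
        # An empty action means "post back to the page itself".
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        target_scheme = urlsplit(target).scheme.lower()

        if page_scheme != "https":
            # Even with an https action, nothing authenticated the page that
            # delivered the form, so the action could have been substituted.
            findings.append(f"login form delivered over {page_scheme}: page not authenticated")
        if target_scheme != "https":
            findings.append(f"login form posts to {target_scheme}: credentials sent in clear")
    return findings


# Constructed samples (placeholder hosts, not real bank pages).
PAGE_OK = ("https://bank.example/",
           '<form action="/login" method="post">'
           '<input name="user"><input type="password" name="pw"></form>')
PAGE_HTTP_PAGE = ("http://bank.example/",
                  '<form action="https://secure.bank.example/login" method="post">'
                  '<input name="user"><input type="password" name="pw"></form>')
PAGE_HTTP_ACTION = ("https://bank.example/",
                    '<form action="http://bank.example/login" method="post">'
                    '<input type="password" name="pw"></form>')

if __name__ == "__main__":
    for url, body in (PAGE_OK, PAGE_HTTP_PAGE, PAGE_HTTP_ACTION):
        print(url, audit_login_page(url, body) or "OK")
```

The second constructed case is exactly the situation the post complains about: the action points at an HTTPS host, yet the finding still fires because the page that carried the form arrived unauthenticated.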


How Dense Is Your Weblog? Test it here.

Calculate the readability of your web log and see how you stack up. I'm getting a 9.8, which is OK for the tech site, but I have to lower it some for the Clackamas community weblog.


How to Throw a LAN Party

Courtesy Tom's Hardware/Tom's Networking.


Books and Books and Bucks

If the corner drugstore doesn't have the book on IPv6 or whatever you're looking for, well, buying on-line's popular. However, if you go to Powell's and shop them against Amazon, you'll find Powell's is more spendy, even though Powell's is Amazon's largest warehousing & fulfillment partner.

This leads one to ponder if further discounts are to be had by looking further. My favorite tactic has been to go to Froogle and type in the ISBN of the book, and then sort from low to high. Other good sources of prices include ABE Books, Bookpool, Books-A-Million, EveryBookstore and Fatbrain. I'm sure I'm forgetting at least one other good source.

Now, isbn.nu and Booksprice are offering comparison shopping of multiple bookseller locations. Kewl.

Update: A well-read friend adds his recommendation of the AddALL service. Kewler.

Update #2: ThriftBooks, an Amazon reseller, now comes out with their own website, focusing on books at extremely low prices.


RealPlayer? Really?

If you use RealPlayer, make sure to get the security patches which solve a 'very critical' security problem.

And, if you have not been able to run it because you use Linux, never fear: Helix is an open source player which uses the same engine. There's a version for Symbian smartphones, too.


Got Spyware?

Spyware (a category of malware) is software loaded secretly or sneakily into your system through your Internet web browser.

Visit a site on the net (especially if you use Internet Explorer) that uses ActiveX or other 'improvements', or download a program and install it, and you can find yourself with thousands of new Registry entries and new programs you didn't know were coming: monitoring your Internet use, searching through your personal data and sending that private data off to other sites whose operators can use it for fraud or for abusing your credit. No, I'm not kidding.

Firefox and Opera are more resistant to this abuse, but they don't stop everything.

Yahoo adds Anti-Spy to its toolbar (which also does other things to your system).

Anti-Spyware tools reviewed: 1 2 3 4

And, my favorite freeware tool, Spybot Search and Destroy.


Crack your wireless security in 3 minutes

From the Your Tax Dollars At Work Department: Here's a demo of the FBI, using commonly available and openly documented hardware & software to crack WEP 128-bit security in three minutes. Yes, three minutes.

What I tell you three times is true:
WEP is not security.
WEP is not security.
WEP is not security.

Get WPA security now.


Amiga car computer?

If your ride is not adequately pimped-out now, you could do what this bloke did and add a computer into your dashboard (although the choice of computer Stateside might be a wee bit different...)


Marine Corps Blimps?

Yes, the Corps is getting blimps, to use as radio relays in Iraq.
The blimps, called the Marine Airborne Re-Transmission Systems (MARTS), will receive signals through a fiber-optic tether. Then, the airships will transmit messages up to 100 miles away, via UHF and VHF frequencies. Troops on the ground, as well as pilots in the air, will be able to communicate through the blimps.

One airship, first tested in February, is being deployed to Iraq right now (exactly where, the Corps won't say). A second is being readied. The Marines are scrounging up $14 million to buy four more. It may sound like a lot, but it's cheaper than building radio towers -- and having Marines protect those towers.

A MARTS blimp "can run for two weeks before it would need refueling, and can remain afloat in winds up to 50 mph," according to DD. With a combination kevlar/mylar skin, the aerostat can even "handle small arms fire... function[ing] with a 4-inch diameter hole."

And we thought all the helium-heads were over in the Navy.


Google improves mobile phone use again, for free

Google's new free service for PDA phones is another winner. Just enter http://mobile.google.com/local into your phone's browser, and you'll quickly see a mobile-friendly home page which asks for your location, and remembers it for subsequent requests (until you change it).

Maps, directions, store locations, even click-through dialing; this thing is slick, and a nice step up from their SMS-based text-only locator.

Text-only from Google? Well, you send an SMS to 46645 {which is GOOGL on a dialpad} and then the name of the store, to get the address and phone numbers back in very short order.

Both are good demos of what a PDA phone can do for you, and will help win the hearts and minds of folks who want 'just a phone.'


Emergency recovery via iPod/MP3 player

Here's a plan to use an iPod or generic MP3 player as a personal jumper cable to make recovery easy from an otherwise fatal Registry or other software-based error. Since you can continue to use the media player for its original purpose, as well as use it for recovery, this is much better than my previous recovery method, the Knoppix disc.

Of course, USB memory has already exceeded the capacity of the CD-Rs I used to make Knoppix and other recovery discs... and one software house has already started marketing a system which copies Outlook and other important documents to a USB memory drive.


Cooking the books of global warming

Friends, you're smarter than the average bear, else you wouldn't be here. You're hams, and other techies, so you've evinced the willingness to use your brains and to study. Please, give me, and your future, a few minutes, and read this text, then visit the sites linked, for it's becoming clear a key element of the scientific basis for a Global Warming problem is rapidly falling apart:

This discussion, BTW, was excerpted from Dr. Jerry Pournelle's blog:
One of the pillars of the case for man-made global warming is a graph nicknamed the hockey stick. It's a reconstruction of temperatures over the past 1,000 years based on records captured in tree rings, corals and other markers. The stick's shaft shows temperatures oscillating slightly over the ages. Then comes the blade: The mercury swings sharply upward in the 20th century.

The eye-catching image has had a big impact. Since it was published four years ago in a United Nations report, hundreds of environmentalists, scientists and policy makers have used the hockey stick in presentations and brochures to make the case that human activity in the industrial era is causing dangerous global warming.

But is the hockey stick true?

According to a semiretired Toronto minerals consultant, it's not. After spending two years and about $5,000 of his own money trying to double-check the influential graphic, Stephen McIntyre says he has found significant oversights and errors. He claims its lead author, climatologist Michael Mann of the University of Virginia, and colleagues used flawed methods that yield meaningless results.

Then, discussion continues:

Paul S. Linsay: The "hockey stick" has been controversial for a long time. One of the best analyses of it is at http://john-daly.com/hockey/hockey.htm, by the late John Daly. I think one of the most telling criticisms of the graph is that it is a concatenation of two types of data: thermometer data from 1900 to the present; and proxy data for earlier times. This is a big no-no; they have different accuracy, precision, and systematics. The only honest graph would use proxy data to reconstruct the temperature for all times. In particular, it means estimating modern temperatures using proxy data uncorrelated with the calibration data. I've seen one such reconstruction, can't lay my hands on the link, but it was pretty unimpressive, flat temperatures for all thousand years.

The other hole in all the global warming hoo-hah is the thermometer temperature record. It suffers from all sorts of problems which the believers won't acknowledge. It's data taken over 100 years without any sort of calibration or control from thousands of weather stations by many thousands of observers. Quality control is a bit problematic.

The most famous problem is the urban heat island effect which the believers claim to have solved. Hard to understand how that was done since there is no way to model the effect. How do you correctly account for highways, buildings, and parking lots built willy-nilly over time? The data for the US, where they claim to have taken it all into account, shows the 1930s as the warmest decade of the 20th century. Throw in the third world and you get global warming.

JP: I understand; what confused me was that I had not known he kept the actual methods he used for combining different data a SECRET, as well as keeping SECRET some of the data he used. I thought I had some deficiency of understanding. That isn't science. You can 'prove' anything that way.

And I note his curve does NOT show the rapid change in temperatures from Viking times, but we have records of what happened to their dairy farms in Greenland.

If you can't mail it in a letter to a colleague so that he gets the same result you do, it isn't science.


Neil McNabb: If you're looking for more info on the "hockey stick" or as the authors put it, "Critique of the Mann et al Northern Hemisphere Average Temperature Reconstruction" you might want to look at http://www.uoguelph.ca/~rmckitri/research/trc.html. I'm not sure I have enough math to understand fully the process but it is interesting reading. Especially the section that suggests that it was warmer in the 1400s than it is now!

JP: The main thing I got from this was confirmation that Mann has not published his algorithms for producing his curves. How you can call something science when you have a computer program but no one else knows what the program does or how it does it is, I fear, beyond my ken.

Here's the actual link to the WSJ "hockey stick" article:



Joe Hennessey: Prof. von Storch is director of the division of Systems Analysis and Modelling, Institute of Coastal Research, University of Hamburg. His web site is at http://w3g.gkss.de/G/Mitarbeiter/storch/ There is a link to the English translation of the Der Spiegel story, A Climate of Staged Angst.

One example of this is the discussion of the so-called "hockey stick," a temperature curve that allegedly depicts the development over the last 1000 years, and whose shape resembles that of a hockey stick. In 2001 the Intergovernmental Panel on Climate Change, the committee of climate researchers appointed by UNO, rashly institutionalized this curve as the iconic symbol for anthropogenic climate change: At the end of a centuries-long period of stable temperatures, the upward-bent blade of the hockey stick represents the human influence.

In October 2004, we were able to demonstrate in the specialist journal "Science" that the methodological bases that led to this hockey-stick curve are mistaken. We wanted to reverse the spiral of exaggeration somewhat, without also relativizing the central message - that climate change caused by human activity does indeed exist. Prominent representatives of climate research, however, did not respond by taking issue with the facts. Instead, they worried that the noble cause of protecting the climate might have been done harm.

Other scientists lapse into a zeal reminiscent of nothing so much as the McCarthy era. For them, methodological criticism is the spawn of "conservative think tanks and propagandists for the oil and coal lobby," which they believe they must expose; dramatizing climate change, on the other hand, is defended as a sensible means of educating society.



James: Michael Crichton gave about a 40 minute talk, broadcast on CSPAN (I think) this past weekend, in which the Mann Report figured quite prominently. Crichton quoted a long list of problems with the data, one of which was that some data sets were repeated and in some instances, just plain wrong. But the most startling thing is that someone (sorry, I didn't catch the name) took the Mann data sets and substituted a Monte Carlo set of numbers...and then did it again and again. ALL the data sets produced the same hockey stick graph. Crichton flashed a slide as part of the presentation that showed at least a dozen different Monte Carlo generated numbers, and they all produced a hockey stick type graph.

One point Crichton did make that caught my attention, was to predict that soon such reports would be covered by "product liability" laws. He was maintaining that reports are "products" of the Information Age, just like any other manufactured product.

My only point is that somewhere, someone has already dismantled the Mann Report....


PS: I can't find any mention of the program on the CSPAN site, so I may have that wrong, however, a summary of the presentation is here... http://www.intellectualconservative.com/article4131.html

JP: Yet the Mann Report is still in the official Canadian government data, and is still one of the major arguments used for the "Kyoto Consensus". One wonders how much consensus there would be if it were generally known that no one can repeat Mann's results because he doesn't give out his algorithm.


Subject: DDT, Global (non)warming, Nuclear war survival (yes it's varied)

EAS: I like your site a lot, found it by accident a few years ago, and thought I would finally send something in. The Oregon Institute of Science and Medicine has several interesting side sites. They cover things from NWSS to homeschooling, global warming, and DDT use. I found their site while searching for Cresson Kearny's Nuclear War Survival Skills book for the nuclear effects tables in the appendices, while looking for info on Project Orion, and it turned out to have lots of other helpful info also.


http://www.oism.org/oism/s32p686.htm is a lecture on global non-warming. A review of the research literature concerning the environmental consequences of increased levels of atmospheric carbon dioxide leads to the conclusion that increases during the 20th Century have produced no deleterious effects upon global weather, climate, or temperature.


JP: Oregon Institute is the successor chosen by Petr Beckmann to publish his Access to Energy. I have been a subscriber to Access to Energy since Beckmann founded it. I should say, worthy successor although no one will take Beckmann's place.


Another reason why WEP security isn't security

No wireless network based on WEP provides protection against replay attacks. With the right freeware and an inexpensive wireless card, anyone can take a captured packet and reinject it onto the network, creating a back door through the 'security' of WEP. Conclusion: Convert to WPA security now.
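What "no protection against replay" means mechanically: a WEP frame carries no sequence counter, so the receiver keeps no state that would let it tell a re-delivered copy from a fresh frame. WPA's replacements (TKIP and WPA2's CCMP) give every frame a 48-bit packet number that the receiver requires to increase and otherwise drops. The simulation below is an added illustration of that receive-side check; it is not code from any driver or from the page, the class and function names are assumed, and it models only the counter logic, not the encryption.

```python
"""Simulate the receive-side difference between WEP (no replay state) and a
WPA2/CCMP-style receiver (per-sender packet number that must increase).
Added example with assumed names; frames below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    sender: str
    pn: int          # packet number; a WEP-style receiver has nothing to compare it to
    payload: bytes


class WepStyleReceiver:
    """No replay state at all: every frame that decrypts is accepted."""

    def __init__(self):
        self.accepted = []
        self.dropped = 0

    def receive(self, frame):
        self.accepted.append(frame.payload)
        return True


class CcmpStyleReceiver:
    """Keeps the highest packet number seen per sender; anything not above it
    is treated as replayed (or out of order) and dropped."""

    def __init__(self):
        self.last_pn = {}         # sender -> highest accepted packet number
        self.accepted = []
        self.dropped = 0

    def receive(self, frame):
        if frame.pn <= self.last_pn.get(frame.sender, -1):
            self.dropped += 1
            return False
        self.last_pn[frame.sender] = frame.pn
        self.accepted.append(frame.payload)
        return True


def replay_trial(receiver_cls):
    """Deliver three legitimate frames, then re-deliver an exact copy of the
    second one, as a replay would. Returns (accepted count, dropped count)."""
    rx = receiver_cls()
    legit = [Frame("sta1", n, f"msg{n}".encode()) for n in range(3)]
    for f in legit:
        rx.receive(f)
    rx.receive(legit[1])          # the captured copy comes back unchanged
    return len(rx.accepted), rx.dropped


if __name__ == "__main__":
    print("WEP-style :", replay_trial(WepStyleReceiver))    # copy accepted
    print("CCMP-style:", replay_trial(CcmpStyleReceiver))   # copy dropped
```

The point of the trial is that the replayed frame is byte-for-byte legitimate: it decrypts and its integrity check passes. Only a monotonically increasing counter bound into the frame gives the receiver grounds to reject it, which is the property WEP lacks and WPA adds.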


How about a phone system, about the size of a laptop?

How about a phone system, about the size of a laptop, with multiple lines, voice mail, et al, serving an entire office? Not only is it practical, but the Open Source software for it is free, using Asterisk on OpenWRT. There's another Open Source project, SIPatH, which complements Asterisk (already finding wide acceptance) and will turn a WiFi router with a Broadcom chipset, like the popular Linksys WRT54G, into such a phone system.

Here are a few more notes on Asterisk:
Installing Asterisk @ Home
Configuring Asterisk@Home For BroadVoice

And, on Linux computers even smaller than the Linksys and other Broadcom-chipset routers:
Gumstix computers
Alternative single-board Linux computers