Living in Fear

I love my Country.
It's the GOVERMENT I'm afraid of!

How the USA is become a police state.

Princeton University describes the term "Police State" as:
a country that maintains repressive control over the people by means of police (especially secret police)
http://wordnet.princeton.edu/perl/webwn?s=police%20state

The United States was founded to protect "Life, liberty and the pursuit of happiness" as described in the United States Declaration of Independence. These are considered "unalienable rights". However, today, I question whether these ideals still exist.

When I was young I trusted everyone as did most people. You left their home unlock, and car running on a cold day while they went in the store. (1950)  These trusts died quickly. But some trusts continued.  A Policeman could be trusted.  (1960)  When you where in trouble you called the police or hoped one would drive by. Today even the process of democracy it self, voting, is thought thought to be rigged.

Because trust is accepting power without fear. Trust can be betrayed. Today people feel betrayed and untrusted by those we have put in power.

Continue reading

Decrypting SSL

Today I'm studing network security / firewalls / SSL monitoring.  I'm treating these three items as one subject.  Network security is the general topic and a network firewall is the most common methiod of controling network traffic.  Today, SSL monitoring is the real goal.

As a part of a network security event that happend at work, I was hit by the two edegged sord that is SSL network encryption.  On one side it keeps your network traffic safe from spying eyes.  On the other side, it keeps the traffic safe from your eyes and anything a hacker is doing to your web site.

I've been looking for a product to monitor (IE spy on) SSL traffic.  There are lots of ways to do this.  You could:

1) use a Man in the Middle (MITM) proxy
2) use a network sniffer with a SSL decryption tool
3) use a plugin in Apache to write out all the html traffic

With a MITM proxy, the user connects to the proxy and then the proxy decrypts the ssl data, write it to a log, and passes the request on to the web server.  The reply is, writen to a log, encrypted by the proxy and passed back to the user.  A working example is webmitm witch is a part of dsniff projeject. (http://www.monkey.org/~dugsong/dsniff/) The problem with this sort of proxy is it doesn't scale well.  If the web site is doing hundres of ssl connections the prxoy handel all the traffic for all the web servers.  A good white paper about this is avaible from SANS. (http://www.sans.org/rr/whitepapers/threats/480.php)

Wireshark (this was etheral) is a network sniffer. (http://www.wireshark.org) I have tried the plugin called Ethereal ssl decryiption (http://ssl-decrypt.sourceforge.net).  I have yet to get this to work.  I think the problem is between the chair and the keyborad, not in the program.  For me, more documentation and examples are needed.  (Maybe this will be a story for another day.)

TCPDUMP is the best program I have found. (http://www.rtfm.com/ssldump) This program is simple to use and can decrypt live traffic from an ethernet port or you can feed it a tcpdump (URL) file.  The trouble I'm having with this program, and I may find this is true of all SSL decryption programs, is it only decrypts part of the traffic.  I can see the heards and some of the HTML data comming through the network but not all.

Another program I've looked at is SSL Sniff (http://www.thoughtcrime.org/ie.html).  

The Apache module mod_trace_log (see: http://webauthv3.stanford.edu/manual/mod) will write to a log all the users data as well as the access information.  

With all this I have yet to find a good solution to this problem.  I still can not view my SSL traffic going to  my customers.

Do any of you know how to decrypt a SSL stream given the keys? 

Cingular = Crack

I love my doughter and we talk often. We have a very trusting, open relationship.  She is 15.  To help me with the heckic paise of  her world, I added her to my Cingular phone system for only $9.99 a month.  Life was good, and the phone made picking her up school, gym, and work, easier with the simple words, "where are you" just like in the commericals. 

All was well untill she, or a friend she lowned her phone to, sent a text message to a "Free ring tone" service seen on TV.  You know the ones.  The ads with the small print reading "monthly charges of $29.50".  The next month my bill had gone from about $140 to $350. 

Needless to say I took the phone away from her and turned it off.  I keept it in my desk drawer at work.  Then grounded her for a month.  Still the charges keep comming. $450 and I started to get past due. Then $540. The payments where hard to keep up with and one month my cell phone bill was over $1200 in current and past due charges.

What I didn't know, but suspected, was how shady these companies really are and how the phone companies, Cingular in my case, work with them.  Not only did my doughter get the monthly riging tone charge but lots of other charges from places I still can't find any information on.  For months I tried, in vain, to have these charges stopped and removed from my billing.  I have learned is called cramming.

I called Cingular to have the charges removed. Each month I ask for an accounting of the charges.  I ask how many there where, who they where from and how much each charge was.  I was told one month "I will remove this one.  I don't know why your doughter would download the same ring tone five times." Even after they took off charges some months I was left to paid $80 to $150 in 3rd party charges to keep my phone. 

Cingular syyley removed charges without removing them all.  My shyley I mean they would remove them without telling me who made the charges are what they where for.

Just when I thought I had this cleaned up it started again.  I needed it all to stop.  I couldn't pay my medical expencies and the phone bill.  My two year contract has expired, so I turned off the phones and waited for the account to be stoped.  I was afreed to pay the bill because I didn't want the cramming to start again.  This was a BIG mistake. 

With my account "terminated", I coun't pay the bill on-line.  They turned off my Cingular.com web account as well.  I  couldn't pay my bill over my phone because my phone was dead and I gave up my home "land line" phone years ago to go cellular only.  So I took time off work and went into their store.  I paid a large portion of what I owed the day my service ended. 

I ask the sales person about the charges and tried to get them taken off agian.  He told me they couldn't do it at the store. Odd because they had done it for me at this very store just two months before.  The Cingular person said I would need to call the customer support center.  

I called and was told after have some more charged removed (they did another $130+) they would reinstate my account.  I did, they didn't.   Now that my ballance is ZERO (0) they want $500 deposit to open a new account.  I told them Goodby.

I liked Cingular.  I was a customer for six years. I paied thousands to them in that time. I esimate it is something like $10,000 plus over the years.  I'd like to have a Cingular account still. My friends and older son are on Cingular. But this is too much to take.

New Family Pets

Traci brought home Two pets. She got two ball pythons on May 23rd. As you may know, she is a Junior Curator (JC) at the Oklahoma City Zoo. One of her favorite parts of the zoo is the herpitarium. She works hard at her goal to become a Veterinarian. She has wanted to be a vet since she was a little girl. I’m proud of her for going for what she wants and figuring out how to do it.

The JC program is a chance for high school students in Oklahoma to work with and learn things about animals. JC’s get to schedule their own hours of work and get to work in any area at the zoo. Her zoo year is almost over and is excited to reapply for next year to become a returning JC. If she gets chosen to return, she will get to work in giraffes, antelope, pachyderm, and with the vets at the zoo. Currently, she can work in upper and lower aquaticus, children zoo, birds, over wintering, herpitarium, island life, commissary and education. 

Traci got her new pets from Bob Clark. You may have seen Bob Clark on Latenight with David Letterman. She got a boy and a girl adult python. They are both are a  little over 3ft long. The boy’s name is Venom and the girl’s name is Itty Bitty. They are kept in the same tank and who knows, maybe we’ll get baby ball pythons. Traci bought these snakes on her own with her own money.

Continue reading

Who Am I

Who am I?

I google therefor I am.  But who am I.

On the Internet nobody knows you're a dog.  That's great. Anonymity is a wonderful thing that lets the truth be told without people being killed.  It also allows for identity theft.  Employs Google prospective employees to look into their past. What if someone with your name was arrested for drunk driving. How can you dis-claim stories using your name?

I've found ClaimID.com helps people simply and easily manage their online identity. You can claim things that are about or my yourself and deny things that have nothing to do with your or are false.  Here is who I am.

How many Internet logon ID's do you have? Do you have more then one to some sites? I do too. Do you use the same password for each? If you do your protection is only as good as the weakest of them. Do you use the same password for your bank as you do for your favorite blog?

If every website would use it, OpenID could end our password problems. OpenID is a free / Open protocol designed to manage authentication.  Here is how it works.

When you login to an site that uses OpenID it take you to your choice of websites to login.  For example, if I login to the OpenID Directory after clicking on login I type in mark.grennan.com. Whats on this page doesn't matter. What matters in in the header (not seen in your browser there is this string. <link rel="openid.server" href="http://openid.claimid.com/server" />. This send me to ClaimID's OpenID server and asks me my password. It then send me back to OpenID directory.

There is a great Video about OpenID on Google Video.

What makes OpenID good is it's simplicity. You control where your authentication is done and how. You can use a service like OpenID, CalimID or Verisign's Personal Identity Provider or you could create your own system that requiring all kinds info to authenticate you. If your logging into your bank type in the ID that redirects you to a high security level service.

Take control of your identity.

Things I own

Or maybe I should say odd things I own.  I hereby clam owner ship of these things. 

The word (The ring left on a plasic bottle after you unscrew the lid.)

Hurstrea

 The Integers

7F F8 7A 0F 7B 92 A2 4D 7D 4E E0 4D 4D D6 E1 0E
and
75 FC A2 82 03 C3 A3 A2 31 D1 E5 53 66 0C A8 72

You can own your own integer at http://www.freedom-to-tinker.com/?p=1155

What is this about you ask? I think copyright and pattend laws have gone crazy. Companies are claming ownership of all kinds of things that should not be pattened or copyrighted.  And if they can do it so can I 

I'm tempted to get a very large disk array and fill it with large numbers and endless lists of non sence words and claim ownership of all of it in hole and in part. Then start scanning the internet for their use and send letters to anyone using them.

One example the crazy ownership of your stuff is your DNA.  Several companies own large portions of the human genome. One of these days you may receive a notice to seace and desist the use of it or start paying them money for it's license. 

Check out http://genome.ucsc.edu/cgi-bin/hgTracks

Another example is AAC clam on the integer

09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

This number is used to decrypt DVD data and therefor their protected by the DCMA.  But how can someone own a number.  And, if they can own one why can't I?  I could use the number above as password to a system and make the same claims.

What if is number, translated into DNA sequences, was the same as part of the human geanome?

AAGCTGCTT___CTAACAACA

It's eazy to translate.  Go to http://www.roostersgreatfood.com/cgi-bin/dec.cgi

If you have ever read a copyright agrement you may have notice you are not allowed to translate their properity into any other form.  Now with this comes to numbers the posibilities are infonent.  I could XOR "Translate" this squence with almost any other number and still retrive the origonal number.  So would that not be promitted under the DCMA?

9F911029D74E35BD  Xored with
1234567890  =
9F91103BE3184D2D
 

There you go… I've done it again.

UPDATE

I found this website today.  (http://intellectualweapons.com/index.htm ) Now people are advertising for you to find software bugs.  They will patend the solution to the bug and then when a companie patches them you get paid for them to use your idea.