<?xml version="1.0" encoding="iso-8859-1"?>
<?xml-stylesheet href="http://www.victorsawma.com/styles/rss.css" type="text/css"?>
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:atom="http://www.w3.org/2005/Atom"
>
 <channel>
  <title>Victor&#039;s Blog about the Web, Security and Life</title>
  <link>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life</link>
  <description>The web for me is a hobby where standards and best practices are daily bread. Security is a concern whose details everybody must be aware of if IT in general, and the web in particular, is to be a safer place. My life, on the other hand, is that of a regular Lebanese citizen where politics and social issues are discussed on a daily basis. I hope you enjoy reading my blog, and make sure to drop me a comment about any topic you find interesting.</description>
  <pubDate>Thu, 04 Mar 2010 20:36:44 +0000</pubDate>
  <generator>http://www.lifetype.net</generator>
    <item>
   <title>Ziad Baroud Spamming?</title>
   <description>
    &lt;p&gt;
&lt;img src=&quot;/gallery/1/previews/ziad_baroud.jpg&quot; border=&quot;1&quot; hspace=&quot;5&quot; vspace=&quot;5&quot; width=&quot;120&quot; height=&quot;109&quot; align=&quot;left&quot; /&gt;Today, I received an email from Mr. Ziad Baroud, the Minister of Internal Affairs, asking me to check my listing on the DGPS website. While the majority would like the fact that Mr. Baroud is using a one-to-one communication method to reach as many Lebanese citizens as possible, I did not like the fact that Mr. Baroud is encouraging spammers to send out such emails. 
&lt;/p&gt;
&lt;p&gt;
Lebanon is already a spammed country. Tens of companies send out SPAM / JUNK emails every day. We all nag and complain about such emails and spend 20-30% of our email time identifying and deleting SPAM / JUNK emails before actually starting to read legitimate emails.
&lt;/p&gt;
&lt;p&gt;
It would have been nice if Mr. Baroud had:
&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;Avoided spamming me by sending me an email that I did not ask to receive (this is what SPAMming is after all)&lt;/li&gt;
	&lt;li&gt;Used a more modern e-Marketing tool to spread the word. A banner on a few websites (Facebook, Google, Yahoo!, MSN, Tayyar, Yellow Pages of Lebanon, etc.) could have had the same effect, if not a better one, since it wouldn&#039;t be dropped into the JUNK folder like what happened with this message. Of course the banner would have cost him a little bit more, but I don&#039;t believe that budget is a problem in this case. &lt;/li&gt;
	&lt;li&gt;Used this case as an exercise to help him identify Lebanese SPAMMING companies and warn them to stop providing this service.&lt;/li&gt;
	&lt;li&gt;Used this article as an alert to start pushing an Anti-SPAM rule / law into the Lebanese system.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
I would love to see a minister / parliament member / president / anybody in the Lebanese government starting to handle rules and regulations related to Technology. Digital signatures and Anti-SPAM rules are just the beginning. 
&lt;/p&gt;
   </description>
   <link>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/114_ziad_baroud_spamming.html</link>
   <comments>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/114_ziad_baroud_spamming.html</comments>
   <guid>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/114_ziad_baroud_spamming.html</guid>
      <dc:creator>victor</dc:creator>
      
    <category>General</category>
      
    <category>Web</category>
      
    <category>Security</category>
         <pubDate>Tue, 02 Mar 2010 06:32:57 +0000</pubDate>
   <source url="http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/feeds/rss20">Victor&#039;s Blog about the Web, Security and Life</source>
     </item>
    <item>
   <title>Standard Chartered Email &amp; Website Phishing</title>
   <description>
    &lt;p&gt;
&lt;img src=&quot;/gallery/1/previews/alert_sign.png&quot; border=&quot;0&quot; hspace=&quot;5&quot; vspace=&quot;0&quot; width=&quot;120&quot; height=&quot;96&quot; align=&quot;left&quot; /&gt;If you receive an email related to the suspension of your Standard Chartered account with a link to www.standardchartered.ae in it asking you to log in to update your account settings, don&#039;t click on it. 
&lt;/p&gt;
&lt;p&gt;
Beware of it. This is a phishing email leading to a phishing website and has been reported as such. Just don&#039;t click the link in that email. The website it takes you to is: http://sinhwatech.com/V1/Standardbankae.html
&lt;/p&gt;
&lt;p&gt;
I checked it again right now and Google is reporting it as a phishing website, but it is good to note it here just in case you don&#039;t have the Google bar installed. 
&lt;/p&gt;
   </description>
   <link>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/107_standard_chartered_email_amp_website_phishing.html</link>
   <comments>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/107_standard_chartered_email_amp_website_phishing.html</comments>
   <guid>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/107_standard_chartered_email_amp_website_phishing.html</guid>
      <dc:creator>victor</dc:creator>
      
    <category>General</category>
      
    <category>Web</category>
      
    <category>Security</category>
         <pubDate>Sun, 21 Feb 2010 00:39:33 +0000</pubDate>
   <source url="http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/feeds/rss20">Victor&#039;s Blog about the Web, Security and Life</source>
     </item>
    <item>
   <title>Huge Lighters Security Alert</title>
   <description>
    &lt;p&gt;
&lt;img src=&quot;/gallery/1/huge_lighter.jpg&quot; border=&quot;1&quot; alt=&quot;Huge Lighter&quot; hspace=&quot;5&quot; vspace=&quot;5&quot; width=&quot;284&quot; height=&quot;350&quot; align=&quot;left&quot; /&gt;
Recently, I have been noticing many individuals walking around with huge lighters in hand and (barely) in pockets. Huge lighters (similar to the one shown in the picture) are considered pretty cool these days by many. While I agree that such a thing is somehow cool, we must be aware of the many risks associated with this type of lighter, especially when using them in crowded places (like restaurants) or when the temperature is high (like in the summer).
&lt;/p&gt;
&lt;p&gt;
It is a well-known fact that a small lighter (almost 1/8 the size of the huge lighter) can cause severe damage to the ears if it explodes. Small lighters usually explode under high temperatures only. If a small lighter falls down from a table, for example, it rarely explodes and, as such, you are usually safe carrying it into crowded places as long as you keep it away from direct contact with fire.
&lt;/p&gt;
&lt;p&gt;
The huge lighter, however, does not share these same characteristics. The lighter that I bought is as tall as a half-liter water bottle (check the picture). While experimenting, it exploded from a height of 2 meters as soon as it touched the floor on its base. Another lighter exploded 1 second after touching the fire. 
&lt;/p&gt;
&lt;div&gt;
&lt;span style=&quot;color: #000000&quot;&gt;&lt;strong&gt;Don&#039;t try experimenting unless you are extremely careful. An exploding huge lighter is very dangerous. Tens of small pieces fly around randomly and can cause harm and severe damage to the eyes and other body parts.&lt;/strong&gt;&lt;/span&gt;
&lt;/div&gt;
&lt;p&gt;
&lt;span style=&quot;color: #000000&quot;&gt;This leads us to conclude the following simple points:&lt;/span&gt;
&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;Huge lighters can explode easily if they fall down from low heights (1-2 meters)&lt;/li&gt;
	&lt;li&gt;Huge lighters can explode 1-2 seconds after being exposed to direct fire contact (unlike small lighters, which can bear around 5 seconds)&lt;/li&gt;
	&lt;li&gt;Huge lighters cause severe damage to humans when they explode, especially to the ears (the explosion sound is very harmful) and to the eyes (from the small flying pieces) &lt;/li&gt;
	&lt;li&gt;Huge lighters should not be allowed in public places (for public safety)&lt;/li&gt;
	&lt;li&gt;It would be better if you simply avoid buying them especially if you have kids around at your place&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
I hope this helps us all learn about the harm that may be caused by this type of lighters so that we can enjoy the forthcoming summ
&lt;/p&gt;
   </description>
   <link>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/106_huge_lighters_security_alert.html</link>
   <comments>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/106_huge_lighters_security_alert.html</comments>
   <guid>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/106_huge_lighters_security_alert.html</guid>
      <dc:creator>victor</dc:creator>
      
    <category>General</category>
      
    <category>Security</category>
         <pubDate>Sat, 20 Feb 2010 12:01:39 +0000</pubDate>
   <source url="http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/feeds/rss20">Victor&#039;s Blog about the Web, Security and Life</source>
     </item>
    <item>
   <title>How To Recover Your Hotmail / MSN / Live Passport Account?</title>
   <description>
    &lt;p&gt;
Did you lose access to your Hotmail / MSN / Live account and cannot reset your password using normal techniques (like Secret Question / Answer or Alternate Email)?
&lt;/p&gt;
&lt;p&gt;
If yes, here is the link that allows you to &amp;quot;try&amp;quot; to recover your account by contacting Microsoft directly. 
&lt;/p&gt;
&lt;p&gt;
&lt;a href=&quot;https://support.live.com/eform.aspx?productKey=wlidvalidation&amp;amp;ct=eformcs&quot; target=&quot;_blank&quot;&gt;https://support.live.com/eform.aspx?productKey=wlidvalidation&amp;amp;ct=eformcs &lt;/a&gt;
&lt;/p&gt;
&lt;p&gt;
Click on the link above and fill in as much information as possible. Make sure you use an email address that you have access to. The more information you provide (contacts in your address book, folders, email activity, etc.) the more convincing your request will be for the staff member who will be reviewing your request.
&lt;/p&gt;
&lt;p&gt;
Normally, if convinced, Microsoft will simply reset your account password and send it over to the email address that you provide. Pay attention not to get confused between the stolen account email address and the email address that you want to receive the recovered password on.
&lt;/p&gt;
   </description>
   <link>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/96_how_to_recover_your_hotmail__msn__live_passport_account.html</link>
   <comments>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/96_how_to_recover_your_hotmail__msn__live_passport_account.html</comments>
   <guid>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/96_how_to_recover_your_hotmail__msn__live_passport_account.html</guid>
      <dc:creator>victor</dc:creator>
      
    <category>General</category>
      
    <category>Web</category>
      
    <category>Security</category>
         <pubDate>Fri, 25 Sep 2009 07:13:37 +0000</pubDate>
   <source url="http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/feeds/rss20">Victor&#039;s Blog about the Web, Security and Life</source>
     </item>
    <item>
   <title>IEEE Ethical Hacking Seminar</title>
   <description>
    &lt;p&gt;
&lt;a href=&quot;/1_victorsawmacom_blog_about_web_security_and_life/albums/8_ieee_ethical_hacking_seminar.html&quot;&gt;&lt;img src=&quot;http://victorsawma.com/gallery/1/previews/ieee-ethicalhacking-fall2008-1.jpg&quot; border=&quot;0&quot; hspace=&quot;5&quot; width=&quot;120&quot; height=&quot;90&quot; align=&quot;left&quot; /&gt;&lt;/a&gt;Yesterday, I gave a seminar entitled &amp;quot;Ethical Hacking: It&#039;s All About the Ethics&amp;quot;. What I really enjoyed about the seminar was the amount of interest the topic raised among students, as well as the questions asked during and after the seminar.
&lt;/p&gt;
&lt;p&gt;
Today I received &lt;a href=&quot;http://victorsawma.com/1_victorsawmacom_blog_about_web_security_and_life/albums/8_ieee_ethical_hacking_seminar.html&quot; target=&quot;_blank&quot;&gt;some pictures&lt;/a&gt; of the event; they are available under the &lt;a href=&quot;/1_victorsawmacom_blog_about_web_security_and_life/albums/&quot; target=&quot;_blank&quot;&gt;Albums Section&lt;/a&gt;. 
&lt;/p&gt;
   </description>
   <link>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/88_ieee_ethical_hacking_seminar.html</link>
   <comments>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/88_ieee_ethical_hacking_seminar.html</comments>
   <guid>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/88_ieee_ethical_hacking_seminar.html</guid>
      <dc:creator>victor</dc:creator>
      
    <category>General</category>
      
    <category>Security</category>
         <pubDate>Thu, 04 Dec 2008 08:53:41 +0000</pubDate>
   <source url="http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/feeds/rss20">Victor&#039;s Blog about the Web, Security and Life</source>
     </item>
    <item>
   <title>Emerald Who&#039;s Who is a Scam</title>
   <description>
    &lt;p&gt;I am writing this article in here so that everyone else out there can be aware of this SCAM and FRAUDULENT company named Emerald Who&#039;s Who. These people are very professional at their SCAM business to the extent that you will feel very stuck in their deal. I was almost caught yesterday except for this small silly mistake that they made, which got my defensive mechanisms up.&lt;/p&gt;&lt;p&gt;If you are interested in this story, click to read more. If you are not interested in the details, simply be aware of anybody calling you over your phone from a company named Emerald Who&#039;s Who.&lt;/p&gt;&lt;p&gt;My story with this is short and simple. A long time ago (around 6 months ago), I received an email from Emerald Who&#039;s Who informing me that I have been referred to them by experts in my domain as one of the credible people in my field. As such, they are inviting me to become listed as part of their Who&#039;s Who. I visited their &lt;a href=&quot;http://www.emeraldwhoswho.com/&quot; target=&quot;_blank&quot;&gt;scam website&lt;/a&gt; and, to my surprise, it looked like a normal one with some listings of other members on it (some of them being well known in my region). The website uses SSL encryption verified by Verisign so these people must be doing some real business (although not completely verified). I felt safe about it so I completed the form (a very long one) and submitted it.&lt;/p&gt;&lt;p&gt;Six months after that (literally six months), I received a call during a business meeting that I had. The man on the other end of the line was very business oriented and used terms that caused me to feel really special. 
I know I am special in one way or another but I just did not know that &lt;a href=&quot;http://en.wikipedia.org/wiki/Louis_V._Gerstner,_Jr.&quot; target=&quot;_blank&quot;&gt;Louis Gerstner&lt;/a&gt; was my next possible competitor ;)&lt;/p&gt;&lt;p&gt;He asked me many questions related to the way I conceive my business, what I think makes NetDesignPlus a special &lt;a href=&quot;http://netdesignplus.net/&quot; target=&quot;_blank&quot;&gt;web development company&lt;/a&gt;, as well as many other questions that made him look really interested in preparing a mini-bio about me.&lt;/p&gt;&lt;p&gt;So far, I was the rat in the trap. I was thinking about all the possible ways to make use of this connection to the maximum extent possible. The guy moved forward to add that in addition to being listed, I can make use of some optional premium services in return for money. These services include being published in many forms (online, catalogs, journals, etc.) as well as a selective service that allows me to use their services to select potential customers from their database of professionals, etc.&lt;/p&gt;&lt;p&gt;The interview lasted around 20 minutes during which I completely believed this guy. Then, the BIG mistake was done when he started becoming pushy towards my credit card. I tried being polite with this extremely polite person by telling him that I will review his proposal (which he promised to send by email) and then, I will proceed and register for the package that I choose.&lt;/p&gt;&lt;p&gt;At this point, he started becoming more and more pushy (he must be this way since the rat is starting to vision the trap now) by offering me packages for lower prices and trying to get my credit card number over the phone. I explicitly mentioned to him that I cannot give my credit card number to anyone (isn&#039;t this what my bank told me when I got it?). How about giving it over the phone to some person calling himself Jerry Aguire (yup, Aguire and not Maguire). 
At this point, he said that he has an alternative solution for me where he can send me the proposal while he is over the phone and then, I can check it while he is on the phone with me and decide whether I want to buy or not while he is on the phone with me. I asked why I cannot get some time. He said that they have thousands of requests that they need to consider (poor them) and cannot go back and forth on a single application. At this point, I realized the scam and decided to have some fun (by increasing his phone bill as much as I can). So I told him that I have my credit card ready (and got him to wait for me to get it). Then I spent another 20 minutes trying to get as much information as possible about him (I got his phone number that surely nobody answers) and I tried recording his voice on my mobile phone (didn&#039;t work since the call was already in progress).&lt;/p&gt;&lt;p&gt;Finally, I really got tired of this so I told him that I will try to do my best to get back to him within the 24-hour period that he agreed on (I thought they cannot go back and forth on applications).&lt;/p&gt;&lt;p&gt;&lt;br /&gt;In brief, this guy is a real genius. The approach that he uses during his phone call simply traps you. You must be very aggressive to succeed in escaping his offers and proposals.&lt;/p&gt;&lt;p&gt;I hope this article helps some people out there escape this type of scam.&lt;/p&gt;&lt;p&gt;The links below are for you to read more about other people who went through the same story:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;a href=&quot;http://consumerbeware.blog.com/1471825/&quot; target=&quot;_blank&quot;&gt;Buyer Beware&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.scam.com/showthread.php?t=30426&quot; target=&quot;_blank&quot;&gt;Scam.com&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;
   </description>
   <link>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/86_emerald_whos_who_is_a_scam.html</link>
   <comments>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/86_emerald_whos_who_is_a_scam.html</comments>
   <guid>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/86_emerald_whos_who_is_a_scam.html</guid>
      <dc:creator>victor</dc:creator>
      
    <category>General</category>
      
    <category>Web</category>
      
    <category>Security</category>
         <pubDate>Tue, 28 Oct 2008 18:01:14 +0000</pubDate>
   <source url="http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/feeds/rss20">Victor&#039;s Blog about the Web, Security and Life</source>
     </item>
    <item>
   <title>The Ghost in Internet Explorer 6, 7 and even 8 (Beta)</title>
   <description>
    I found an interesting article written by Marius Oiaga, related to Internet Explorer security, and addresses the existence of what can be called &amp;quot;Ghosts&amp;quot;.&lt;br /&gt;&lt;br /&gt;&lt;span id=&quot;intelliTxt&quot;&gt;&lt;/span&gt;Whether you believe in ghosts or not is irrelevant from a browser point of view. The matter is that you&#039;d better start believing because Microsoft&#039;s browsers allow &amp;quot;ghosts&amp;quot; to take more than a peek over your shoulder, in fact, it permits them to see and register every move associated with the browsing process. &lt;a target=&quot;_blank&quot; href=&quot;http://secunia.com/advisories/30851/&quot;&gt;Secunia&lt;/a&gt; has published an advisory titled &amp;quot;Internet Explorer 7 Frame Location Handling Vulnerability&amp;quot; warning of the risks faced by IE users, but not only IE7 is affected. Exploits have also been tested with success on IE6 and even on IE8 Beta 1. And to top it all off, a sample proof of concept is available in the wild at (&lt;a target=&quot;_blank&quot; href=&quot;http://sirdarckcat.blogspot.com/2008/05/ghosts-for-ie8-and-ie75730.html&quot;&gt;http://sirdarckcat.blogspot.com/2008/05/ghosts-for-ie8-and-ie75730.html&lt;/a&gt;) [You must be using Internet Explorer for this demo to work].Apparently, the issue has been brought to Microsoft&#039;s attention at the company&#039;s exclusive BlueHat Security in spring 2008 behind closed doors. &amp;quot;Do you believe in ghosts? Imagine an invisible script that silently follows you while you surf, even after changing the URL 1,000 times and you are feeling completely safe. 
Now imagine that the ghost is able to see everything you do, including what you are surfing and what you are typing (passwords included), and even guess your next move,&amp;quot; reads a fragment from the &lt;a target=&quot;_blank&quot; href=&quot;http://technet.microsoft.com/en-us/security/cc405107.aspx#EHD&quot;&gt;session description&lt;/a&gt; of Manuel Caballero, Independent Security Researcher.&lt;br /&gt;&lt;br /&gt;Initially, the security flaw was demonstrated only on Internet Explorer 6 and 7, but Sirdarckcat made available a sample PoC affecting Internet Explorer 8 Beta 1 and IE7.5730. The proof of concept permits the hijacking of IE6 and IE7 frames and enables the capturing of user keystrokes. Every key the user presses, be it for login into a web account, including the username and the password, and down to the credit card number and other sensitive information, will be registered.&lt;br /&gt;&lt;br /&gt;&amp;quot;No downloading required, no user confirmation, no ActiveX. In other words: no strings attached. We will examine the power of a resident script and the power of a global cross-domain. Also, we will go through the steps of how to find cross-domains and resident scripts,&amp;quot; Caballero added.&lt;br /&gt;&lt;br /&gt;Microsoft has yet to comment on the matter or to issue a fix designed to protect Internet Explorer users. However, the issue is pressing, to say the least, as IE6, IE7 and IE8 beta 1 are all vulnerable, and proof of concept code is publicly available.&lt;br /&gt;&lt;br /&gt;&amp;quot;Microsoft Internet Explorer fails to properly restrict access to a document&#039;s frames. This can allow an attacker to replace the contents of a web page&#039;s frame with arbitrary content. Internet Explorer still appears to enforce the cross-domain security model, which limits the actions that a malicious frame can take with the parent document. 
For example, a frame that exists in a different domain should not be able to access the parent document&#039;s cookies or HTML content, or other domain-specific DOM components. However, components that are not tied to a specific domain, such as the onmousedown event [sic]. By monitoring this particular event, an IFRAME can capture keystrokes from the parent document. Other actions may be possible,&amp;quot; reads the official description of the flaw from &lt;a target=&quot;_blank&quot; href=&quot;http://www.kb.cert.org/vuls/id/516627&quot;&gt;US-CERT&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-style: italic;&quot;&gt;This article has been taken as-is from:&lt;/span&gt;&lt;br style=&quot;font-style: italic;&quot; /&gt;&lt;span style=&quot;font-style: italic;&quot;&gt;http://news.softpedia.com/news/The-Ghost-in-Internet-Explorer-8-Beta-1-89094.shtml&lt;/span&gt;&lt;br /&gt;
   </description>
   <link>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/83_the_ghost_in_internet_explorer_6_7_and_even_8_beta.html</link>
   <comments>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/83_the_ghost_in_internet_explorer_6_7_and_even_8_beta.html</comments>
   <guid>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/83_the_ghost_in_internet_explorer_6_7_and_even_8_beta.html</guid>
      <dc:creator>victor</dc:creator>
      
    <category>Security</category>
         <pubDate>Wed, 24 Sep 2008 16:06:20 +0000</pubDate>
   <source url="http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/feeds/rss20">Victor&#039;s Blog about the Web, Security and Life</source>
     </item>
    <item>
   <title>lebanese-forces.com: The Attack Was Not From Hezbollah!</title>
   <description>
    Two days ago, on Sunday night, Roland, a friend of mine, called me and said that the lebanese-forces.com website was under a heavy denial of service attack and that they were receiving emails from Hezbollah advertising the attack and asking them to shut down the website. My natural reply to his request was to meet so that I could help in any way possible. One hour later, we met at my place and the process of restoring the website started. It turned out that Hezbollah was not the party attacking the website. How was this deduced?&lt;br /&gt;The server was still accessible via all other services (RDP, FTP, SMTP, etc.). The attack only consisted of an excessive load of HTTP requests in addition to SMTP spamming. After exploring the source of the attack, we found that fake IPs were being used to generate thousands of requests on port 80 (the port that HTTP uses to serve website requests). The cure was simply to ban these IPs. The process took around 30 minutes and the server was back online working normally as the attack continued using various other IPs.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;Why am I writing this here?&lt;/span&gt;&lt;br /&gt;While I am personally supportive in the case of any abuse in Internet resources, I would also like us all to relax a little bit before deciding on attack sources. Let us say that Hezbollah really wanted to attack the website: would Hezbollah send an email to them telling them that they will be attacked? If I am attacking someone, would I send him proof of my identity first? 
Of course not.&lt;br /&gt;&lt;br /&gt;Furthermore, the tools used in such simple attacks are widely distributed across the Internet and anyone, literally anyone from a 10-year-old child to an 80-year-old bored person, can get similar tools, install them on his/her PC and start the attack at any given moment.&lt;br /&gt;&lt;br /&gt;On the other hand, such a claim in such a sensitive situation in Lebanon will only lead to spreading hatred among citizens. This article is written to simply clarify the case and to ask whoever is related to this incident to relax and help make things better instead of worse.&lt;br /&gt;
   </description>
   <link>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/80_lebanese-forcescom_the_attack_was_not_from_hezbollah.html</link>
   <comments>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/80_lebanese-forcescom_the_attack_was_not_from_hezbollah.html</comments>
   <guid>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/80_lebanese-forcescom_the_attack_was_not_from_hezbollah.html</guid>
      <dc:creator>victor</dc:creator>
      
    <category>Security</category>
         <pubDate>Tue, 13 May 2008 07:33:38 +0000</pubDate>
   <source url="http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/feeds/rss20">Victor&#039;s Blog about the Web, Security and Life</source>
     </item>
    <item>
   <title>Google Adwords Phishing Emails</title>
   <description>
    &lt;img src=&quot;/gallery/1/previews/google-logo.jpg&quot; border=&quot;0&quot; hspace=&quot;5&quot; width=&quot;120&quot; height=&quot;48&quot; align=&quot;left&quot; /&gt;This is just an alert about emails that are being sent to many people that I know regarding Billing Information for Google Adwords. The email is asking people to visit a website that looks exactly like the Google Adwords website and asks visitors to log in and update their credit card information. Pay attention not to fall for this.&lt;br /&gt;
&lt;br /&gt;
Moreover, I will list below the URLs contained in the links in these emails, with the hope that they get blocked soon:&lt;br /&gt;
&lt;ul&gt;
	&lt;li&gt;&lt;a href=&quot;http://adwords.google.com.x855ws.cn/select/step1.php&quot;&gt;adwords.google.com.x855ws.cn/select/step1.php&lt;br /&gt;
	&lt;/a&gt;Apparently blocked on Apr. 6.&lt;/li&gt;
	&lt;li&gt;&lt;a href=&quot;http://www.adwords.google.com.oiloc.cn/select/Login/&quot;&gt;www.adwords.google.com.oiloc.cn/select/Login/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

   </description>
   <link>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/78_google_adwords_phishing_emails.html</link>
   <comments>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/78_google_adwords_phishing_emails.html</comments>
   <guid>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/78_google_adwords_phishing_emails.html</guid>
      <dc:creator>victor</dc:creator>
      
    <category>Security</category>
         <pubDate>Sat, 05 Apr 2008 20:13:04 +0000</pubDate>
   <source url="http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/feeds/rss20">Victor&#039;s Blog about the Web, Security and Life</source>
     </item>
    <item>
   <title>Domain Name Locking</title>
   <description>
    It has come to my attention lately that many hosting companies in Lebanon do not implement the domain locking policy that was recommended by ICANN back in 2004. In this article, I will simply state what ICANN (Internet Corporation on Assigned Names and Numbers) has to say about this topic and about its importance.&lt;br /&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;ICANN&#039;s Policy (Nov. 2004)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;ICANN (Internet Corporation on Assigned Names and Numbers) is the agency that sets the policies that govern the sale, distribution, and protection of domain names. When you purchase a name, it&#039;s through an ICANN-approved registrar. If you have a trademark dispute pertaining to a domain name, it&#039;s handled through ICANN&#039;s dispute resolution process. ICANN also approves new top-level domain (TLD) extensions and sets domain name registration and transfer policies that registrars must follow.&lt;br /&gt;&lt;br /&gt;It&#039;s this last responsibility that should concern you the most right now.&lt;br /&gt;&lt;br /&gt;In an effort to streamline the domain transfer process, ICANN is imposing new regulations as of November 12, 2004. Section 3 details when and how registrars must handle transfer requests:&lt;br /&gt;&lt;br /&gt;&amp;quot;Failure by the Registrar of Record to respond within five (5) calendar days to a notification from the Registry regarding a transfer request will result in a default &amp;quot;approval&amp;quot; of the transfer.&lt;br /&gt;&lt;br /&gt;In the event that a Transfer Contact listed in the Whois has not confirmed their request to transfer with the Registrar of Record and the Registrar of Record has not explicitly denied the transfer request, the default action will be that the Registrar of Record must allow the transfer to proceed. 
&amp;quot;&lt;br /&gt;&lt;br /&gt;In non-bureaucratic language, this means that anyone can transfer your domain name to a new registrar and change the contact and nameserver information if you fail to respond to the transfer notification within 5 calendar days (not working days!).&lt;br /&gt;&lt;br /&gt;This completely changes the previous system, whereby the transfer was denied if the owner failed to respond.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;Why Should You Lock Your Domain Name?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Once your domain name is locked, all requests for transfer to other registrars will be denied. You must EXPLICITLY unlock the domain name for others to be able to transfer it.&lt;br /&gt;&lt;br /&gt;To check whether your domain name is locked or not, you must see &amp;quot;&lt;span style=&quot;font-weight: bold;&quot;&gt;Status: REGISTRAR-LOCK&lt;/span&gt;&amp;quot; in the result when you query the whois record for your domain name.&lt;br /&gt;&lt;br /&gt;A whois implementation is provided by NetDesignPlus and can be accessed at the URL below:&lt;br /&gt;&lt;a href=&quot;http://netdesignplus.net/whois/&quot;&gt;www.netdesignplus.net/whois/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;
   </description>
   <link>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/46_domain_name_locking.html</link>
   <comments>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/46_domain_name_locking.html</comments>
   <guid>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/46_domain_name_locking.html</guid>
      <dc:creator>victor</dc:creator>
      
    <category>Security</category>
         <pubDate>Fri, 07 Apr 2006 07:46:15 +0000</pubDate>
   <source url="http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/feeds/rss20">Victor&#039;s Blog about the Web, Security and Life</source>
     </item>
    <item>
   <title>Bird Flu Abuse: A Broken Trust Chain Problem</title>
   <description>
     As the bird flu problem gets closer and closer to Lebanon, I have been informed of some people making use of the state of insecurity that people are going through to succeed in other illegal actions such as theft, drug abuse, rape, etc.&lt;br /&gt;&lt;br /&gt;This message is in two parts:&lt;br /&gt;&lt;br /&gt;The first is humanitarian and simply asks you &lt;span style=&quot;font-weight: bold;&quot;&gt;NOT&lt;/span&gt; to open the door to anyone who claims to be from the Ministry of Health in Lebanon offering to give you Bird Flu vaccines. These people simply drug victims and rob apartments!&lt;br /&gt;&lt;br /&gt;The second part is related to security and serves as a valid, up-to-date example of how a broken trust chain can be misused by criminals. In this type of security attack, criminals pretend to be from the Ministry of Health. People, driven by the desire to be safe from this lethal disease, simply forget to ask for proof of authenticity. The &amp;quot;doctor&amp;quot; simply goes in, takes out a needle, puts some &amp;quot;trojaned drug&amp;quot; in it, and &amp;quot;vaccinates&amp;quot; the victim. Trojaned because the drug that is supposed to protect against Bird Flu actually puts the victim into a deep sleep.&lt;br /&gt;&lt;br /&gt;In this simple example, while taking into consideration how tragic the result can be, we find a simple proof of how broken trust chains can easily be used to bypass authentication.&lt;br /&gt;&lt;br /&gt;A lesson to the Lebanese Government, in general, and to the Ministry of Health, in particular, from this fact is that the minimum required proof of authenticity is to have an identity card (Yes, a simple card similar to the ones that the Police use in Western Movies, it is that simple I know ;). This identity card must show the picture, name and job title of the person working for the ministry. A stamp, as well, must be provided as a proof of trust.&lt;br /&gt;
   </description>
   <link>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/45_bird_flu_abuse_a_broken_trust_chain_problem.html</link>
   <comments>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/45_bird_flu_abuse_a_broken_trust_chain_problem.html</comments>
   <guid>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/45_bird_flu_abuse_a_broken_trust_chain_problem.html</guid>
      <dc:creator>victor</dc:creator>
      
    <category>Security</category>
         <pubDate>Fri, 10 Feb 2006 19:20:39 +0000</pubDate>
   <source url="http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/feeds/rss20">Victor&#039;s Blog about the Web, Security and Life</source>
     </item>
    <item>
   <title>How Does the Visual Code work?</title>
   <description>
     Another interesting question that I received was about how the Visual Code protection works. I will try to explain it here in brief for the curious researcher.&lt;br /&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;Generate a Unique ID&lt;br /&gt;&lt;/span&gt;The first step is to generate a unique ID that serves as the basis for all future generation of visual code. This ID must be related to a timestamp that is valid for a relatively short period of time. In my blog&#039;s case, the ID is valid for one hour. In other words, yes, you can spam my blog using the same ID for one hour before it becomes invalid, but I can live with that to avoid using databases to make sure that each ID is used only once.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;Generate a Secure Code from the ID&lt;/span&gt;&lt;br /&gt;Once the ID is ready, two steps are done:&lt;br /&gt;1- The ID is written into a hidden field (inside the form) and will get submitted with the form data.&lt;br /&gt;2- The ID is passed to the Visual Code Generation formula that generates a code out of it (explained below) and displays the image based on the code.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;How To Generate the Code&lt;/span&gt;&lt;br /&gt;In my case, I am using a hash to generate the code.&lt;br /&gt;The hash is generated as follows:&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-style: italic;&quot;&gt;md5(PASSWORD_PART1 + ID + PASSWORD_PART2)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The password is very long and weird (e.g. 238s8df823847___ASdflaskdfj__ASDFjalskdjfASDF93498sarf) so you can feel free to try to guess it ;)&lt;br /&gt;The password is split somewhere NOT in the middle, concatenated with the generated ID and hashed to produce a 32-character hexadecimal MD5 hash.&lt;br /&gt;&lt;br /&gt;A 6-character substring is taken from the hash and given to the visual code generation formula that produces a PNG image out of it. 
This code was taken from the phpBB forum library. What I liked about this code is that it arbitrarily shifts the text left or right to make it harder for Visual-Code-Guessing scripts to read the value in there.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;Form is Ready&lt;/span&gt;&lt;br /&gt;The form so far is ready and includes the hidden ID as well as the image code that was generated. The visual code itself is not saved anywhere in there and, thus, to be able to guess it, the script must either read the image or try to reverse the hash. Reversing the hash requires either guessing the password (a very long string in this case) or trillions of years to finish random guessing (except if luck is involved). If luck is involved and a tool guessed the code, I wouldn&#039;t mind posting a comment for a lucky intruder ;) Nothing serious is being damaged here anyway!&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;Form is Submitted: Revalidate the Code&lt;/span&gt;&lt;br /&gt;Once the form is submitted, the form data is sent along with the hidden ID and the Visual Code that was entered by the user.&lt;br /&gt;The ID is taken and validated against a certain timestamp generation formula to make sure the ID was generated recently; the Visual Code is then re-calculated (same steps as above) and compared to the given visual code.&lt;br /&gt;&lt;br /&gt;If the two codes match, Welcome to Heaven and your comment will appear. 
If they don&#039;t match, see you later and sorry for wasting your and my time.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;Is This Really Secure and Bullet Proof?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;For a personal blog where spammers require posting some comments for SEO, I think this is more than enough security.&lt;br /&gt;If my blog were a more security-critical system, this simple visual code would be one of many other security countermeasures to be performed.&lt;br /&gt;&lt;br /&gt;A rule of thumb in security is: why would you protect a 100 USD item with a 10,000 USD countermeasure? If the countermeasure were broken, you would have lost more than if the 100 USD item had been stolen ;)&lt;br /&gt;&lt;br /&gt;
   </description>
   <link>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/42_how_does_the_visual_code_work.html</link>
   <comments>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/42_how_does_the_visual_code_work.html</comments>
   <guid>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/42_how_does_the_visual_code_work.html</guid>
      <dc:creator>victor</dc:creator>
      
    <category>Security</category>
         <pubDate>Mon, 23 Jan 2006 11:39:31 +0000</pubDate>
   <source url="http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/feeds/rss20">Victor&#039;s Blog about the Web, Security and Life</source>
     </item>
    <item>
   <title>Is Spamming a Security Breach?</title>
   <description>
     I received some interesting emails from readers regarding the relation between spamming and security breaches. In summary, some of these emails considered comment spamming a security breach related to Denial of Service attacks, where the space is &amp;quot;filled&amp;quot; up by bogus messages.&lt;br /&gt;&lt;br /&gt;I tried answering some of them but it turned out that a lot of typing and explanation is required, so I figured that the best thing to do would be to post the answer here as an article.&lt;br /&gt;&lt;br /&gt;The question to answer is the following:&lt;br /&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;How To Avoid Blog Spamming?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Read more for the answer.&lt;br /&gt;In Denial of Service attacks, a system is usually busy serving bogus requests sent by attacking hosts. In the case of spam, this becomes a problem if all the disk space on the website is filled up with spam and, thus, no more comments are being accepted.&lt;br /&gt;&lt;br /&gt;In the case that I faced lately, the website was not full yet (luckily) since my space is almost unlimited here. Thus, the main concern was not about whether this was a security breach or not (since it failed to fill up the space) but whether these spam comments were annoying to visitors or not.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;Spamming IS Annoying to Users&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;Spam is not a security breach. It is simply an annoying action done on public systems by kiddos.&lt;br /&gt;
You avoid spam to maintain your visitors, not to avoid security breaches.&lt;br /&gt;
&lt;br /&gt;
If DoS occurs, then spam might be considered as a security breach. In
that case, PUBLIC systems must be taken private to prevent spam (such
as Email Spamming). In my case, I would like to keep my blog a public
system (this is called a business constraint) to maintain a secure anonymous system.
&lt;br /&gt;&lt;br /&gt;This creates a trade-off between anonymity and trust. Thus, I will have to balance between spam and normal visitors. &lt;br /&gt;Action taken? Visual
Code Confirmation&lt;br /&gt;&lt;br /&gt;The reasoning is that spammers use tools to attack websites.
Tools fail visual code confirmation. Thus, tools are stopped.&lt;br /&gt;
&lt;br /&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;Spam Tools vs. Human Being Spammers&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The question now becomes: what if human beings attack the comments section?&lt;br /&gt;In
this case, the visual code countermeasure fails. &lt;br /&gt;Another countermeasure
becomes required here and that is to train the system to identify spam and block
spammers. This feature is already built in but was time-consuming
in the earlier case due to the large number of spam messages that were received. The
ones that appeared on the website were approx. 30% of the real messages that
were received.&lt;br /&gt;
&lt;br /&gt;
Now that human intervention is required, the effectiveness rate becomes
higher and the IP Blocking feature becomes more effective ;) &lt;br /&gt;If they
all fail, the only solution will be private blogging and this is
exactly what I don&#039;t want to achieve.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;How Long Will This Last?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;
The real challenge now becomes whether the spam identification and IP-Blocking countermeasures will last long before someone comes up with an attack that succeeds at both levels. My answer is normally to wait and see. Needing a solution is at the basis of all inventions. We will wait and see and, when these countermeasures start failing, I will worry about getting something new. Meanwhile, I don&#039;t see any reason for this headache ;) This is a personal blog after all and I don&#039;t see aliens flying towards it yet with pretty advanced security attacks :) If you ever see one, please let me know and I will make sure to solve it. Meanwhile, I will be working on a private version of this blog just in case it takes me a long time to come up with a solution.&lt;br /&gt;&lt;br /&gt;
   </description>
   <link>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/41_is_spamming_a_security_breach.html</link>
   <comments>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/41_is_spamming_a_security_breach.html</comments>
   <guid>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/41_is_spamming_a_security_breach.html</guid>
      <dc:creator>victor</dc:creator>
      
    <category>Security</category>
         <pubDate>Mon, 23 Jan 2006 11:22:13 +0000</pubDate>
   <source url="http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/feeds/rss20">Victor&#039;s Blog about the Web, Security and Life</source>
     </item>
    <item>
   <title>A Nice Try Dangerous for Security Beginners!</title>
   <description>
     Many emails are sent daily claiming that a certain website is another website. This occurs most often with Paypal.com (a website that I sometimes use to accept payments). Intruders send emails carrying PayPal logos asking users to verify their account. The link (a normal HTML link) shows paypal.com as the destination while, in fact, users are being redirected to another website with the word paypal somewhere in it. This is a normal thing by now and many advisories have been issued asking people not to trust such emails.&lt;br /&gt;&lt;br /&gt;Today, however, an interesting attempt was made from another website called www.usaa.com. This attempt was different in its approach to gaining the user&#039;s trust. How? The email that I received claimed that a payment was held because my identity was not verified. Then, they asked me to click on their link:&lt;br /&gt;&lt;a target=&quot;_blank&quot; href=&quot;https://www.usaa.com/&quot;&gt;https://www.usaa.com/&lt;/a&gt; The link text and the underlying link were the same: first trust impression passed.&lt;br /&gt;&lt;br /&gt;When I clicked on the link, a corporate website appeared. The page asked me to log in using my username and password. If I don&#039;t remember my account, I must use my Social Security Number. The website is also Verisign Verified, with the Verisign logo at the bottom of the page.&lt;br /&gt;&lt;br /&gt;I clicked on the logo (and it is clickable), and nothing happened. Hmmmm. Let&#039;s take a look at the link that the logo is pointing to:&lt;br /&gt;javascript:popUp(&#039;&lt;a target=&quot;_blank&quot; href=&quot;https://digitalid.verisign.com/as2/ddd50ed4782b078aff907597ba4833b7&quot;&gt;https://digitalid.verisign.com/as2/ddd50ed4782b078aff907597ba4833b7&lt;/a&gt;&#039;)&lt;br /&gt;&lt;br /&gt;This looks like a javascript popup leading to digitalid.verisign.com. 
It must be that my popup blocker blocked it.&lt;br /&gt;&lt;br /&gt;Well, I should trust it (as a first impression) and move forward with my Social Security Number. This is where the trust was almost accomplished and, for beginners, it would seem OK to fill in their SSN.&lt;br /&gt;&lt;br /&gt;If, however, we strip off the Verisign link and check it out:&lt;br /&gt;&lt;a target=&quot;_blank&quot; href=&quot;https://digitalid.verisign.com/as2/ddd50ed4782b078aff907597ba4833b7&quot;&gt;https://digitalid.verisign.com/as2/ddd50ed4782b078aff907597ba4833b7&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;You will notice that the certificate belongs to &lt;font size=&quot;2&quot; face=&quot;ARIAL, HELVETICA&quot;&gt;SOUTHTRUSTONLINEBANKING.COM &lt;/font&gt;and that it has already expired. I found this attempt a clever one, since it was designed so well to provide the maximum possible impression of trust, which is what fraudulent websites and malicious users aim for.&lt;br /&gt;&lt;br /&gt;Nice try! If you are reading this article, then you had better &lt;span style=&quot;font-weight: bold;&quot;&gt;be careful not to actually provide your SSN&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;
   </description>
   <link>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/39_a_nice_try_dangerous_for_security_beginners.html</link>
   <comments>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/39_a_nice_try_dangerous_for_security_beginners.html</comments>
   <guid>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/39_a_nice_try_dangerous_for_security_beginners.html</guid>
      <dc:creator>victor</dc:creator>
      
    <category>Security</category>
         <pubDate>Thu, 01 Dec 2005 10:48:36 +0000</pubDate>
   <source url="http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/feeds/rss20">Victor&#039;s Blog about the Web, Security and Life</source>
     </item>
    <item>
   <title>OSSTMM</title>
   <description>
     The Open Source Security Testing Methodology Manual can be downloaded &lt;a href=&quot;http://www.isecom.org/osstmm/&quot;&gt;from here&lt;/a&gt;.&lt;br /&gt;
   </description>
   <link>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/33_osstmm.html</link>
   <comments>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/33_osstmm.html</comments>
   <guid>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/33_osstmm.html</guid>
      <dc:creator>victor</dc:creator>
      
    <category>Security</category>
         <pubDate>Thu, 29 Sep 2005 09:51:32 +0000</pubDate>
   <source url="http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/feeds/rss20">Victor&#039;s Blog about the Web, Security and Life</source>
     </item>
    <item>
   <title>Common Criteria</title>
   <description>
     The Common Criteria redbook can be found here:&lt;br /&gt;&lt;a href=&quot;http://www.commoncriteriaportal.org/&quot;&gt;http://www.commoncriteriaportal.org/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The latest official version can be found &lt;a href=&quot;http://www.commoncriteriaportal.org/public/expert/index.php?menu=2&quot;&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The latest unofficial release is still pending public consultation (non-standard) and can be found by clicking on the &lt;a href=&quot;http://www.commoncriteriaportal.org/public/expert/index.php?menu=3&quot;&gt;download link&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;
   </description>
   <link>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/26_common_criteria.html</link>
   <comments>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/26_common_criteria.html</comments>
   <guid>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/26_common_criteria.html</guid>
      <dc:creator>victor</dc:creator>
      
    <category>Security</category>
         <pubDate>Thu, 29 Sep 2005 09:27:07 +0000</pubDate>
   <source url="http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/feeds/rss20">Victor&#039;s Blog about the Web, Security and Life</source>
     </item>
    <item>
   <title>Hacking the Papal Election</title>
   <description>
     &lt;div&gt;This is an amazing article by my favourite &lt;span style=&quot;font-weight: bold;&quot;&gt;Bruce Schneier&lt;/span&gt;, sent in his April CryptoGram newsletter.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The rules for papal elections are steeped in tradition, and were last 
codified on 22 Feb 1996. The document is 
well-thought-out, and filled with details. The article elaborates on the election process overview, then on hacking the election process, concluding that the process itself is secure.&lt;br /&gt;&lt;/div&gt;The original article can be found here:&lt;br /&gt;&lt;a href=&quot;http://www.schneier.com/crypto-gram-0504.html&quot;&gt;http://www.schneier.com/crypto-gram-0504.html&lt;/a&gt;&lt;br /&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;&lt;br /&gt;&lt;/span&gt;A summary of the process follows below. The hacking process and the conclusion of Mr. Schneier can be found under the link above.&lt;span style=&quot;font-weight: bold;&quot;&gt;&lt;br /&gt;&lt;br /&gt;Election Process Overview&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;
&lt;div&gt;Major points to note:&lt;br /&gt;
&lt;ul&gt;
  &lt;li&gt;The election place is a church.&lt;/li&gt;
  &lt;li&gt;The ballot is entirely paper-based.&lt;/li&gt;
  &lt;li&gt;Ballot counting is 
done by hand. &lt;br /&gt;
  &lt;/li&gt;
  &lt;li&gt;Votes are secret, but everything else is done in 
public.&lt;/li&gt;
&lt;/ul&gt;
&lt;/div&gt;&lt;br /&gt;
&lt;div&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;Pre-scrutiny phase&lt;/span&gt;&lt;br /&gt;
&lt;ul&gt;
  &lt;li&gt;At least two or three paper 
ballots are given to each cardinal (including extras in case of mistakes)&lt;/li&gt;
  &lt;li&gt;Nine election officials 
are randomly selected&lt;/li&gt;
  &lt;ul&gt;
    &lt;li&gt;three &amp;quot;Scrutineers&amp;quot; who count the votes&lt;/li&gt;
    &lt;li&gt;three 
&amp;quot;Revisers,&amp;quot; who verify the results of the Scrutineers&lt;/li&gt;
    &lt;li&gt;three &amp;quot;Infirmarii&amp;quot;, chosen randomly for each ballot,
who collect the votes from those too sick to be in the room.&lt;/li&gt;
  &lt;/ul&gt;
&lt;/ul&gt;
&lt;/div&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;Voting Phase&lt;/span&gt;&lt;br /&gt;
&lt;div&gt;&lt;ul&gt;&lt;li&gt;Each cardinal writes his selection on a rectangular ballot paper&lt;br /&gt;&lt;/li&gt;&lt;li&gt;The emphasis is on handwriting that cannot be identified as his&lt;/li&gt;&lt;li&gt;The paper is folded lengthwise and he holds it aloft for everyone to see.&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;Scrutiny Phase&lt;/span&gt;&lt;br /&gt;&lt;div&gt;&lt;ul&gt;&lt;li&gt;Cardinals proceed to the altar one by one.&lt;/li&gt;&lt;li&gt;Each cardinal places his folded ballot on the paten (on the altar). &lt;br /&gt;&lt;/li&gt;&lt;li&gt;Then he picks up the paten and slides his ballot into the chalice.&lt;/li&gt;&lt;li&gt;If a cardinal cannot walk to the altar&lt;br /&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;one of the Scrutineers -- in full 
view of everyone -- does this for him. &lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;If any cardinals are too sick to be in 
the chapel &lt;br /&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;the Scrutineers give the Infirmarii a locked empty box with a slot, 
and the three Infirmarii together collect those votes. &lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;If a cardinal is too 
sick to write, he asks one of the Infirmarii to do it for him with the other two watching over.&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;The box is 
opened and the ballots are placed onto the paten and into the chalice, one at a 
time.&lt;br /&gt;
&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;When all the ballots are in the chalice&lt;/span&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;the first Scrutineer shakes it 
several times in order to mix them. &lt;br /&gt;&lt;/li&gt;&lt;li&gt;the third Scrutineer transfers the 
ballots, one by one, from one chalice to another, counting them in the process. &lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;If the total number of ballots is not correct, the ballots are burned and 
everyone votes again.&lt;/div&gt;&lt;br /&gt;
&lt;div&gt;To count the votes&lt;br /&gt;&lt;ul&gt;&lt;li&gt;each ballot is opened and the vote is read by each 
Scrutineer in turn, the third one aloud. &lt;br /&gt;&lt;/li&gt;&lt;li&gt;Each Scrutineer writes the vote on a 
tally sheet. &lt;br /&gt;&lt;/li&gt;&lt;li&gt;This is all done in full view of the cardinals. &lt;br /&gt;&lt;/li&gt;&lt;li&gt;The total number 
of votes cast for each person is written on a separate sheet of paper.&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;br /&gt;
&lt;div&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;Post-scrutiny phase&lt;br /&gt;&lt;/span&gt;&lt;ul&gt;&lt;li&gt;The Scrutineers tally the votes 
and determine if there&#039;s a winner. &lt;br /&gt;&lt;/li&gt;&lt;li&gt;The Revisers verify the entire process: 
ballots, tallies, everything. &lt;br /&gt;&lt;/li&gt;&lt;li&gt;Then the ballots are burned.  (That&#039;s where 
the smoke comes from: white if a Pope has been elected, black if not.)&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;span style=&quot;font-weight: bold;&quot;&gt;References:&lt;/span&gt;&lt;br /&gt;
&lt;div&gt;&lt;ul&gt;&lt;li&gt;&lt;a href=&quot;http://www.schneier.com/crypto-gram-0504.html&quot;&gt;Original Newsletter from Schneier&#039;s Website&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;/div&gt;
   </description>
   <link>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/18_hacking_the_papal_election.html</link>
   <comments>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/18_hacking_the_papal_election.html</comments>
   <guid>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/18_hacking_the_papal_election.html</guid>
      <dc:creator>victor</dc:creator>
      
    <category>Security</category>
         <pubDate>Sat, 16 Apr 2005 08:31:13 +0000</pubDate>
   <source url="http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/feeds/rss20">Victor&#039;s Blog about the Web, Security and Life</source>
     </item>
    <item>
   <title>Security References [Update]</title>
   <description>
    A list of new references for security attacks, countermeasures, and technologies including tracking botnets, a fascinating approach to destroying the earth, Unicode URL spoofing, Microsoft&#039;s Strider GhostBuster, IDS problems and evasion, as well as WEP 802.11 problems.This list was compiled from various resources on the web. Please click on the link below for more detailed information.&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href=&quot;http://www.honeynet.org/papers/bots/&quot;&gt;Tracking Botnets&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://ned.ucam.org/%7Esdh31/misc/destroy.html&quot;&gt;How To Destroy the Earth&lt;/a&gt; &lt;br /&gt;
  &lt;/li&gt;&lt;ul&gt;&lt;li&gt;I don&#039;t know how long this will be kept online, so I saved a local copy just in case it ceases to exist.&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;a href=&quot;http://www.shmoo.com/idn/&quot;&gt;Unicode URL Spoofing&lt;/a&gt; &lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://research.microsoft.com/research/pubs/view.aspx?type=Technical%20Report&amp;amp;id=775&quot;&gt;Microsoft Strider GhostBuster&lt;/a&gt; &lt;br /&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;An
excellent tool that detects rootkits, trojan horses, spyware, etc.
under Windows Operating Systems. Will it be open source? (Schneier asks)&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;a href=&quot;http://www.infoworld.com/articles/op/xml/00/12/11/001211opswatch.html&quot;&gt;IDS Problems&lt;/a&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;Is this the beginning of the end for these systems?&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;a href=&quot;http://www.securityfocus.com/infocus/1232&quot;&gt;IDS Evasion with Unicode&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html&quot;&gt;WEP 802.11 Problems&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;If a link is broken or if you would like to add your own link, please feel free to tell me.
   </description>
   <link>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/13_security_references_update.html</link>
   <comments>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/13_security_references_update.html</comments>
   <guid>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/13_security_references_update.html</guid>
      <dc:creator>victor</dc:creator>
      
    <category>Security</category>
         <pubDate>Wed, 16 Mar 2005 10:30:10 +0000</pubDate>
   <source url="http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/feeds/rss20">Victor&#039;s Blog about the Web, Security and Life</source>
     </item>
    <item>
   <title>DoS Tools Analysis</title>
   <description>
    This is a list of links related to DoS Analysis tools. These are very useful for people learning or researching security topics.&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href=&quot;http://packetstormsecurity.nl/distributed/shaft_analysis.txt&quot;&gt;Shaft Analysis&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://staff.washington.edu/dittrich/talks/nanog/stacheldraht.html&quot;&gt;Stacheldraht Analysis&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://packetstormsecurity.nl/distributed/tfn.analysis.txt&quot;&gt;TFN2K Analysis&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://staff.washington.edu/dittrich/talks/nanog/tfn.html&quot;&gt;TFN Analysis&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://staff.washington.edu/dittrich/talks/nanog/trinoo.html&quot;&gt;Trinoo Analysis&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;
   </description>
   <link>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/11_dos_tools_analysis.html</link>
   <comments>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/11_dos_tools_analysis.html</comments>
   <guid>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/11_dos_tools_analysis.html</guid>
      <dc:creator>victor</dc:creator>
      
    <category>Security</category>
         <pubDate>Fri, 11 Mar 2005 08:55:02 +0000</pubDate>
   <source url="http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/feeds/rss20">Victor&#039;s Blog about the Web, Security and Life</source>
     </item>
    <item>
   <title>Security Tools Links</title>
   <description>
     This is a list of links related to security tools (host auditing, network scanning and DDoS tooling). These are very useful for people learning or researching security topics.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href=&quot;http://www.fish.com/cops/&quot;&gt;COPS Tool (Unix host security auditor)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.keylogger.com/&quot;&gt;Keylogger Hacking Tool&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.megasecurity.org/dos.html&quot;&gt;List of DoS tools and recommendations&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.infoworld.com/cgi-bin/displayNew.pl?/security/980706sw.htm&quot;&gt;List of Interesting Security Tools&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.megasecurity.org/Security.html&quot;&gt;List of Network Security Tools&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://mixter.void.ru/findex.html&quot;&gt;Mixter&#039;s Website (author of the TFN tool)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.insecure.org/nmap/index.html&quot;&gt;NMAP Port Scanner and Network Discovery Tool&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.porcupine.org/wietse/&quot;&gt;SATAN tool (Wietse Venema&#039;s site)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.sans.org/y2k/stacheldraht.htm&quot;&gt;Stacheldraht DDoS Tool&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://www.fish.com/~brad/titan/Titan-Docs/index.html&quot;&gt;Titan tool (host hardening scripts)&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;
   </description>
   <link>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/10_security_tools_links.html</link>
   <comments>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/10_security_tools_links.html</comments>
   <guid>http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/archive/10_security_tools_links.html</guid>
      <dc:creator>victor</dc:creator>
      
    <category>Security</category>
         <pubDate>Thu, 10 Mar 2005 10:55:20 +0000</pubDate>
   <source url="http://www.victorsawma.com/1_victors_blog_about_the_web_security_and_life/feeds/rss20">Victor&#039;s Blog about the Web, Security and Life</source>
     </item>
   </channel>
</rss>