Re: California Bans a Large-Caliber Gun, and the Battle Is On

2005-01-06 Thread Riad S. Wahby
"Roy M. Silvernail" <[EMAIL PROTECTED]> wrote:
> What leads you to believe that was accidental?

Most likely the fact that Michael Moore is pro-gun control.  It shows a
certain level of cognitive dissonance to say "guns aren't the problem!
Ban guns!"

Of course, in Michael Moore's case, that level of dissonance was long
ago demonstrated (and surpassed).

-- 
Riad S. Wahby
[EMAIL PROTECTED]



Re: California Bans a Large-Caliber Gun, and the Battle Is On

2005-01-06 Thread Tyler Durden
Well, I used to be pro gun-control prior to the Patriot Act. Guess the 
Patriot Act made me something of a Patriot.

And come to think of it, "Bowling for Columbine" has the accidental effect 
of making it clear that Guns themselves are not the problem in the US.

-TD

From: "Major Variola (ret)" <[EMAIL PROTECTED]>
To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Subject: Re: California Bans a Large-Caliber Gun, and the Battle Is On
Date: Thu, 06 Jan 2005 06:45:22 -0800
At 09:53 AM 1/4/05 -0500, R.A. Hettinga wrote:
>Terri Carbaugh, a spokeswoman for the governor, said Mr. Schwarzenegger, a
>Republican, had made his position clear during his campaign.
>
> "It's a military-type weapon," Ms. Carbaugh said of the .50 BMG, "and he
>believes the gun presents a clear and present danger to the general public."

Ms C has earned herself a few hundred foot-pounds, or a few meters of rope
and tree-rental.  The Constitution explicitly protects our right to bear
military (not animal-hunting) arms.
--
An RPG a day keeps the occupiers away.



Re: California Bans a Large-Caliber Gun, and the Battle Is On

2005-01-06 Thread Roy M. Silvernail
Tyler Durden wrote:
> And come to think of it, "Bowling for Columbine" has the accidental 
> effect of making it clear that Guns themselves are not the problem in 
> the US.
What leads you to believe that was accidental?
--
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
"It's just this little chromium switch, here." - TFT
SpamAssassin->procmail->/dev/null->bliss
http://www.rant-central.com


Re: sitting ducks

2005-01-06 Thread Trei, Peter

Major Variola (ret) wrote:
> 
> At 12:16 PM 1/4/05 -0500, John Kelsey wrote:
> >Interesting questions:  How hard is it for someone to actually 
> >hit an airplane with a rifle bullet?  How often do airplane 
> >maintenance people notice bulletholes?
> >
> >My understanding is that a single bullethole in a plane 
> >is not likely to do anything serious to its operation--the 
> >hole isn't big enough to depressurize the cabin of a big 
> >plane, and unless it hits some critical bits of the plane, 
> >it's not going to cause mechanical problems.
 
> FWIW Recall that a few 'copters have been taken down with 
> AK fire, though the birds/round is likely low.  And copters 
> are more delicate than a  multi-engined fixed wing.

It appears that the Iraqi resistance fighters figured out that
if several of them simultaneously fire full-auto AK's in front 
of a chopper flying overhead, sometimes they'll get lucky. Of
course, these are low, slow targets. 

We're discussing a terrorist trying to take out a commercial
jet with a 50 BMG, right? Even at takeoff, a passenger
jet is moving at 150-200 mph, a *lot* faster than a clay
pigeon, or the choppers the Iraqis hit.

> Hitting the cabin would be pretty effective though.  And 
> certain parts of big planes are vital, perhaps moreso 
> on fly by wire Airbus planes.

I understand that there is redundancy in the critical
components. Hitting the pilot AND copilot at takeoff
would probably be effective, but you've got one (1)
shot before it's out of range, and it's moving fast.
A tracer into a fuel tank may also be effective.
 
> A homemade mortar through the roof of your van 
> (IRA style) onto a stationary, taxiing plane 
> would be pretty spectacular, sitting ducks... 
> lots of cameras... easy getaway or
> repeat fire..

But that's not the 50 BMG scenario. The most effective
way to use the 50 BMG would probably be to hit an
engine intake rotor while the jet is still on the
ground, starting its takeoff roll. This probably
won't kill anyone, but would have a big economic
impact as people decided not to fly.

..but that's still a damn difficult shot. The
target is moving, the bullet has non-trivial
flight time (well over a second at long range).
Getting a first shot hit is highly improbable.

All in all, the 50 BMG vs jet scenario is just
plain bogus.
 
> Of course the BMG crap is all about eroding 
> rights, not reality.

I honestly don't think that many politicians
wake up in the morning and think to themselves
'What rights can I erode today?'. I think it's
more 'what can I do that will make me *look* 
good?' . It doesn't matter if their action is
actually effective, it matters that it makes
them appear to be 'doing something' and makes
for a good 5 second sound bite.

50 BMG rifles are used, very rarely, for
hunting. For an example, see:
http://www.fcsa.org/articles/1994-1/elk_hunt.html
More people are into very long
range (1000 yard and up) target shooting.
Those are the only 'legitimate' civilian
reasons to use a 50 BMG. It's like owning a
McLaren F1 - you can't use it much, but it's
very, very cool.

As a result, it's difficult for most people 
to come up with a justification to own 
one beyond 'because it's very, very cool'.
[I'm deliberately leaving aside the 2A
rights issue (which in a better world would
be the end of the argument) since it 
doesn't seem to get much traction with 
most politicians or sheeple any more].

50BMG rifles look very, very, tactical.
I've never seen one with a walnut stock. 
They are the canonical 'scary looking gun'.

So, the politician sees a type of gun:
* Which theoretically could be used to do Very
  Bad Things.
* Owned by a group of people too 
  small to be a significant voting bloc.
* For which it's difficult to come up with
  a practical use.
* Which looks very photogenically scary.

..and he or she thinks 'Wow, a lot of 
people will feel safer if I ban these,
and I can make them think I'm protecting
them. Also, getting on TV with one of 
these is a great visual.'

Actual reality doesn't enter into it.

Peter Trei


Ready, Aim, ID Check: In Wrong Hands, Gun Won't Fire

2005-01-06 Thread R.A. Hettinga
Ah... Book-entry to the trigger.

The ganglia, as the man said, twitch.

Whole new meaning to digital "rights" management.

Cheers,
RAH
---



The New York Times

January 6, 2005
WHAT'S NEXT

Ready, Aim, ID Check: In Wrong Hands, Gun Won't Fire
 By ANNE EISENBERG


The computer circuits that control hand-held music players, cellphones and
organizers may soon be in a new location: inside electronically controlled
guns.

Researchers at the New Jersey Institute of Technology in Newark are
building a handgun designed to fire only when its circuitry and software
recognize the grip of an authorized shooter.

 Sensors in the handle measure the pressure the hand exerts as it squeezes
the trigger. Then algorithms check the shooter's grip with stored,
authorized patterns to give the go-ahead.

"We can build a brain inside the gun," said Timothy N. Chang, a professor
of electrical engineering at the New Jersey Institute of Technology who
devised the hardware for the grip-recognition system. "The technology is
becoming so cheap that we can have not just a computer in every home, but a
computer in every gun."

The main function of the system is to distinguish a legitimate shooter
from, for example, a child who comes upon a handgun in a drawer.
Electronics within the gun could one day include Global Positioning System
receivers, accelerometers and other devices that could record the time and
direction of gunfire and help reconstruct events in a crime investigation.

For a decade, researchers at many labs have been working on so-called smart
or personalized handguns designed to prevent accidents. These use
fingerprint scanners to recognize authorized shooters, or require the
shooter to wear a small token on the hand that wirelessly transmits an
unlocking code to the weapon.

At the New Jersey Institute of Technology, Michael L. Recce, an associate
professor in the department of information systems, decided instead to
concentrate on the shooter's characteristic grip. Dr. Recce created the
software that does the pattern recognition for the gun.

 Typically, it takes one-tenth of a second to pull a trigger, Dr. Recce
said. While that is a short period, it is long enough for a computer to
match the patterns and process the authorization.

 To bring Dr. Recce's recognition software to life, Dr. Chang created
several generations of circuits using off-the-shelf electronic components.
He equipped the grips of real and fake handguns with sensors that could
generate a charge proportional to the pressure put on them.

 The pressure on the grip and trigger are read during the beginning of the
trigger pull. The signals are sent to an analog-to-digital converter so
that they can be handled by the digital signal processor. Patterns of
different users can be stored, and the gun programmed to allow one or more
shooters.

 At first the group worked mainly with a simulated shooting range designed
for police training. "You can't have guns in a university lab," Dr. Recce
said.

The computer analysis of hand-pressure patterns showed that one person's
grip could be distinguished from another's. "A person grasps a tennis
racket or a pen or golf club in an individual, consistent way," he said.
"That's what we're counting on."

During the past year, the team has moved from simulators to tests with live
ammunition and real semiautomatic handguns fitted with pressure sensors in
the grip. For five months, five officers from the institute's campus police
force have been trying out the weaponry at a Bayonne firing range. "We've
been going once a month since June," said Mark J. Cyr, a sergeant in the
campus police. "I use a regular 9-millimeter Beretta weapon that fires like
any other weapon; it doesn't feel any different."

For now, a computer cord tethers the gun to a laptop that houses the
circuitry and pattern-recognition software. In the next three months,
though, Dr. Chang said, the circuits would move from the laptop into the
magazine of the gun. "All the digital signal processing will be built right
in," he said.

Michael Tocci, a captain in the Bayonne Police Department, recently saw a
demonstration of the technology. One shooter was authorized, Captain Tocci
said. When this person pulled the trigger, a green light flashed. "But when
other officers picked up the gun to fire, the computer flashed red to
register that they weren't authorized," he said.

 The system had a 90 percent recognition rate, said Donald H. Sebastian,
senior vice president for research and development at the institute.
"That's better fidelity than we expected with 16 sensors in the grip," Dr.
Sebastian said. "But we'll be adding more sensors, and that rate will
improve."

Dr. Chang said the grip for the wireless system would have 32 pressure
sensors. "Now, in the worst case, the system fails in one out of 10 cases,"

Technology vs social solutions

2005-01-06 Thread Major Variola (ret)
At 12:06 PM 1/4/05 -0500, John Kelsey wrote:
>>From: "Major Variola (ret)" <[EMAIL PROTECTED]>
>>3. Homebrew warning systems will face the same problems as eg pro
>>volcano warning systems: too many false alarms and no one cares.
>
>The best defense would seem to be a population with a lot of TVs and
>radios.  At least after the first tsunami hit, the news would quickly
>spread, and there were several hours between when the waves arrived at
>different shores.  (And a 9.0 earthquake on the seafloor, or even a 7.0
>earthquake on the seafloor, is a rare enough event that it's not crazy
>to at least issue a "stay off the beach" kind of warning.)

Actually, people should know this as *background* in the same way that
you know not to stand in open fields during lightning, play with downed
powerlines, or walk into tail rotors.  I think some places have signs
pointing to higher elevations, with wave-glyphs.  I know that FLA has
signs like that for hurricane storm-surges, and there are tornado signs
in the midwest.

The rational explanation, I suppose, is that tsunami are so rare that
the knowledge is not maintained.  (How many 'Merkins would know how to
construct a nukebomb shelter these days?  How many SoCal'ians know how
to drive on icy roads?)

Of course, broadcast media are used to tell people the obvious, eg don't
play in channellized rivers during storms, and the evolution of the
species suffers slightly but not entirely from the caveats.



Re: AOL Help : About AOL® PassCode

2005-01-06 Thread Joerg Schneider
Florian Weimer wrote:
> I think you can forward the PassCode to AOL once the victim has
> entered it on a phishing site.  Tokens à la SecurID can only help if

Indeed.

> the phishing schemes *require* delayed exploitation of obtained
> credentials, and I don't think we should make this assumption.  Online
> MITM attacks are not prevented.

So, PassCode and similar forms of authentication help against the 
current crop of phishing attacks, but that is likely to change if 
PassCode gets used more widely and/or protects something of interest to 
phishers.

Actually I have been waiting for phishing with MITM to appear for some 
time (I haven't seen any yet - if somebody has, I'd be interested to hear 
about it), because it has some advantages for the attacker:

* he doesn't have to bother to (partially) copy the target web site
* easy to implement - plug an off-the-shelf mod_perl module for reverse 
proxy into your apache and add 10 minutes for configuration. You'll find 
the passwords in the log file. Add some simple filters to attack PassCode.

* more stealthy, because users see exactly what they are used to, e.g. 
for online banking they see account balance etc. To attack money 
transfers protected by PassCode, the attacker could substitute account 
and amount and manipulate the server response to show what was entered 
by user.

Assuming that MITM phishing will begin to show up and agreeing that 
PassCode over SSL is not the solution - what can be done to counter 
those attacks?

Mutual authentication + establishment of a secure channel should do the 
trick. SSL with client authentication comes to my mind...




sitting ducks

2005-01-06 Thread Major Variola (ret)
At 12:16 PM 1/4/05 -0500, John Kelsey wrote:
>Interesting questions:  How hard is it for someone to actually hit an
>airplane with a rifle bullet?  How often do airplane maintenance people
>notice bulletholes?
>
>My understanding is that a single bullethole in a plane is not likely
>to do anything serious to its operation--the hole isn't big enough to
>depressurize the cabin of a big plane, and unless it hits some critical
>bits of the plane, it's not going to cause mechanical problems.

FWIW Recall that a few 'copters have been taken down with AK fire,
though the birds/round is likely low.  And copters are more delicate
than a multi-engined fixed wing.

Hitting the cabin would be pretty effective though.  And certain parts
of big planes are vital, perhaps moreso on fly by wire Airbus planes.

A homemade mortar through the roof of your van (IRA style) onto a
stationary, taxiing plane would be pretty spectacular, sitting ducks...
lots of cameras... easy getaway or repeat fire..

Of course the BMG crap is all about eroding rights, not reality.





Re: AOL Help : About AOL® PassCode

2005-01-06 Thread Ian G
Joerg Schneider wrote:
> So, PassCode and similar forms of authentication help against the 
> current crop of phishing attacks, but that is likely to change if 
> PassCode gets used more widely and/or protects something of interest 
> to phishers.
> 
> Actually I have been waiting for phishing with MITM to appear for some 
> time (I haven't seen any yet ...

By this you mean a dynamic, immediate MITM where
the attacker proxies through to the website in real
time?
Just as a point of terms clarification, I would say that
if the attacker collects all the information by using
a copy of the site, and then logs in later at leisure
to the real site, that's an MITM.
(If he were to use that information elsewhere, so for
example creating a new credit arrangement at another
bank, then that technically wouldn't be an MITM.)
Perhaps we need a name for this:  real time MITM
versus delayed time MITM?  Batch time MITM?

> Assuming that MITM phishing will begin to show up and agreeing that 
> PassCode over SSL is not the solution - what can be done to counter 
> those attacks?

The user+client has to authenticate the server.  Everything
that I've seen over the last two years seems to fall into
that one bucket.
> Mutual authentication + establishment of a secure channel should do 
> the trick. SSL with client authentication comes to my mind...

Maybe.  But that only addresses the MITM, not the
theft of user information.
--
News and views on what matters in finance+crypto:
   http://financialcryptography.com/
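Joerg's suggestion of SSL with client authentication, and Ian's point that the client has to authenticate the server, as an added example that is not part of either post: a loopback mutual-TLS exchange in Go in which the bank's server completes the handshake only for a client that proves possession of a key certified by the bank's CA, while a client that merely knows the site (as a relaying phishing proxy would) is refused. The CA, server and client certificates are constructed in-process, and "bank.example" and "customer-0001" are placeholder names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

var serial int64 // constructed serial numbers for the in-process PKI

func must(err error) { if err != nil { panic(err) } }

// issue creates a certificate for cn. With isCA it is self-signed (the CA);
// otherwise it is signed by parent's key. Constructed for this example only;
// a real deployment issues these from a managed PKI.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // the server cert must match the loopback address
	}
	signer, signerKey := tmpl, key
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key, der
}

// handshake runs one TLS connection over loopback and returns the server's
// verdict: nil only if the client proved possession of a key certified by the
// bank's CA. The client is driven just far enough to deliver its messages.
func handshake(serverCfg, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			verdict <- err
			return
		}
		defer raw.Close()
		verdict <- tls.Server(raw, serverCfg).Handshake()
	}()
	if conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg); err == nil {
		// Under TLS 1.3 the client finishes before the server has judged its
		// certificate; a short read lets the server's alert (if any) arrive.
		conn.SetDeadline(time.Now().Add(3 * time.Second))
		conn.Read(make([]byte, 1))
		conn.Close()
	}
	return <-verdict
}

// Demo builds a tiny PKI and tries two clients against the same server: the
// customer holding a certified key, and an impostor that can verify the bank
// but holds no client key (a relaying proxy is in exactly this position: the
// customer's CertificateVerify signs the customer's own handshake, not the proxy's).
func Demo() (customer, impostor error) {
	ca, caKey, caDER := issue("Bank Root CA (constructed)", true, nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, srvKey, srvDER := issue("bank.example", false, ca, caKey)
	_, cliKey, cliDER := issue("customer-0001", false, ca, caKey)

	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvDER, caDER}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "mutual" in mutual authentication
		ClientCAs:    pool,
	}
	customerCfg := &tls.Config{RootCAs: pool,
		Certificates: []tls.Certificate{{Certificate: [][]byte{cliDER}, PrivateKey: cliKey}}}
	impostorCfg := &tls.Config{RootCAs: pool} // authenticates the bank, but has nothing to offer back
	return handshake(serverCfg, customerCfg), handshake(serverCfg, impostorCfg)
}

func main() {
	customer, impostor := Demo()
	fmt.Println("customer with certified key:", customer) // nil: handshake completed
	fmt.Println("impostor without client key:", impostor) // non-nil: server refused the handshake
}
```

Note that this addresses only what Ian concedes it addresses: the server learns that the peer holds a certified key, so a proxy cannot stand in the middle of that channel. It says nothing about credentials or account data the victim types into a look-alike site, and the client key itself becomes the thing to protect.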


Re: Banks Test ID Device for Online Security

2005-01-06 Thread Eugen Leitl
On Wed, Jan 05, 2005 at 02:43:00PM -0300, Mads Rasmussen wrote:

> Here in Brazil it's common to ask for a new pin for every transaction

Ditto in Germany, when PIN/TAN method is used. There's also HBCI-based
banking, which either uses keys living in filesystems, or smartcards --
this one doesn't need TANs.

Gnucash and aqmoney/aqmoney2 can do HBCI, even with some smartcards.

-- 
Eugen* Leitl leitl http://leitl.org
__
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net




Re: California Bans a Large-Caliber Gun, and the Battle Is On

2005-01-06 Thread Major Variola (ret)
At 09:53 AM 1/4/05 -0500, R.A. Hettinga wrote:
>Terri Carbaugh, a spokeswoman for the governor, said Mr. Schwarzenegger, a
>Republican, had made his position clear during his campaign.
>
> "It's a military-type weapon," Ms. Carbaugh said of the .50 BMG, "and he
>believes the gun presents a clear and present danger to the general public."

Ms C has earned herself a few hundred foot-pounds, or a few meters of rope
and tree-rental.  The Constitution explicitly protects our right to bear
military (not animal-hunting) arms.

--
An RPG a day keeps the occupiers away.




Re: Banks Test ID Device for Online Security

2005-01-06 Thread Anne & Lynn Wheeler
Bill Stewart wrote:
> Yup.  It's the little keychain frob that gives you a string of numbers,
> updated every 30 seconds or so, which stays roughly in sync with a server,
> so you can use them as one-time passwords
> instead of storing a password that's good for a long term.
> So if the phisher cons you into handing over your information,
> they've got to rip you off in nearly-real-time with a MITM game
> instead of getting a password they can reuse, sell, etc.
> That's still a serious risk for a bank,
> since the scammer can use it to log in to the web site
> and then do a bunch of transactions quickly;
> it's less vulnerable if the bank insists on a new SecurID hit for
> every dangerous transaction, but that's too annoying for most customers.

in general, it is "something you have" authentication as opposed to the 
common shared-secret "something you know" authentication.

while a window of vulnerability does exist (supposedly something that 
proves you are in possession of "something you have"), it is orders of 
magnitude smaller than the shared-secret "something you know" 
authentication.

there are two scenarios for shared-secret "something you know" 
authentication

1) a single shared-secret used across all security domains ... a 
compromise of the shared-secret has a very wide window of vulnerability 
plus a potentially very large scope of vulnerability

2) a unique shared-secret for each security domain ... which helps limit 
the scope of a shared-secret compromise. this potentially worked with 
one or two security domains ... but with the proliferation of the 
electronic world ... it is possible to have scores of security domains, 
resulting in scores of unique shared-secrets. scores of unique 
shared-secrets typically exceed human memory capacity, with the 
result that all shared-secrets are recorded someplace; which in turn 
becomes a new exploit/vulnerability point.

various financial shared-secret exploits are attractive because with 
modest effort it may be possible to harvest tens of thousands of 
shared-secrets.

One-at-a-time, real-time social engineering may take comparable 
effort ... but only yields a single piece of authentication material 
with a very narrow time-window and the fraud ROI might be several orders 
of magnitude less. It may appear to still be a large risk to individuals 
.. but for a financial institution, it may be relatively small risk to 
cover the situation ... compared to a criminal being able to compromise 
50,000 accounts with comparable effort.

In some presentation there was the comment made that the only thing that 
they really needed to do is make it more attractive for the criminals to 
attack somebody else.

It would be preferable to have a "something you have" authentication 
resulting in a unique value ... every time the device was used. Then no 
amount of social engineering could result in getting the victim to give 
up information that results in compromise. However, even with a relatively 
narrow window of vulnerability ... it still could reduce risk/fraud to 
financial institutions by several orders of magnitude (compared to 
existing prevalent shared-secret "something you know" authentication 
paradigms).

old standby posting about security proportional to risk
http://www.garlic.com/~lynn/2001h.html#61
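Bill Stewart's description of the 30-second keychain frob and Lynn's point about the window of vulnerability (and Ian's real-time versus delayed MITM distinction earlier in the thread), as an added example that is not taken from any of the posts: the server-side check for a time-stepped one-time code, written in Go, with a small clock-skew window and a one-use rule per token. The HMAC-SHA1, 30-second, six-digit parameters are assumptions in the style of RFC 4226/6238, not AOL's or RSA's actual scheme; the seed and token id are constructed. The check shows both halves of the thread's argument: a code relayed within its step is accepted, so a real-time MITM is not stopped, but the same code presented a second time, or minutes later, is refused.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// Assumed token parameters (RFC 6238 style, not AOL's or RSA's real scheme):
// a 30-second step and a six-digit code.
const (
	stepSeconds = 30
	codeModulus = 1000000
)

// stepAt converts wall-clock time to the token's step counter.
func stepAt(t time.Time) uint64 { return uint64(t.Unix()) / stepSeconds }

// totpCode derives the six-digit code for one step from the shared seed:
// HMAC-SHA1 over the big-endian counter, then RFC 4226 dynamic truncation.
func totpCode(seed []byte, step uint64) int {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], step)
	mac := hmac.New(sha1.New, seed)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	truncated := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return int(truncated % codeModulus)
}

// Validator is the bank's side of the check. skew is how many steps either
// side of "now" the server tolerates for clock drift; lastStep remembers the
// highest step already consumed per token, so that no code is accepted twice.
type Validator struct {
	seed     []byte
	skew     uint64
	lastStep map[string]uint64
}

func NewValidator(seed []byte, skew uint64) *Validator {
	return &Validator{seed: seed, skew: skew, lastStep: map[string]uint64{}}
}

// Accept reports whether code is valid for tokenID at time now and, on
// success, consumes the matching step. Anything within the window passes,
// which is the limit Bill and Lynn describe; a replayed or stale code does not.
func (v *Validator) Accept(tokenID string, code int, now time.Time) bool {
	cur := stepAt(now) // far larger than skew, so cur-skew cannot underflow
	for s := cur - v.skew; s <= cur+v.skew; s++ {
		if totpCode(v.seed, s) != code {
			continue
		}
		if used, ok := v.lastStep[tokenID]; ok && s <= used {
			return false // replay: this step (or an earlier one) was already spent
		}
		v.lastStep[tokenID] = s
		return true
	}
	return false
}

func main() {
	seed := []byte("constructed-seed-for-token-0001") // constructed sample seed
	v := NewValidator(seed, 1)
	t0 := time.Date(2005, time.January, 6, 0, 0, 0, 0, time.UTC)
	code := totpCode(seed, stepAt(t0)) // what the frob shows the victim at t0

	fmt.Println("relayed 5 s later:      ", v.Accept("token-0001", code, t0.Add(5*time.Second)))  // accepted
	fmt.Println("same code a second time:", v.Accept("token-0001", code, t0.Add(8*time.Second)))  // rejected
	fmt.Println("presented 10 min later: ", v.Accept("token-0001", code, t0.Add(10*time.Minute))) // rejected
}
```

The one-use rule is what makes Bill's "new SecurID hit for every dangerous transaction" meaningful: a code that opened the login session cannot also authorize a transfer, so a relay gets one action per code the victim types, not a session's worth. A production validator would additionally compare codes in constant time and persist lastStep across server instances.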