Stupid Technology archives - Sister CISA CISSP


Nov 18 2009   3:44PM GMT

Belly-Laugh of the Day



Posted by: Arian Eigen Heald
Start Laughing Now, Stupid Technology

A co-worker of mine came across a slide-show on cio.com (of all places!) on vintage technical ads.

How one ad for Daisy guns got in there, I’ll never know, but it does fit in well (believe it or not) with the overall theme. And the comments next to the slides had me ROTFL (Yes, I know, I couldn’t help it - Rolling On the Floor Laughing).

It’s absolutely amazing what people came up with to advertise, including some not so “Politically Correct” items that made me thankful we have progressed as a society. When I wasn’t laughing really hard.

Oct 30 2009   12:53AM GMT

When a “Fix” is Not a Fix - The Fix is In



Posted by: Arian Eigen Heald
Wireless, Stupid Technology, TCM (Truly Clueless Management), Data Breaches, Tearing My Hair Out, Hardware & InfoSec, information security

In my previous post, I discussed the enormous security flaw in the Time Warner/SMC modem.

Lo and behold, I was visited by one “Adam Wood,” who left a comment defending SMC and telling me/us what a wonderful job SMC is doing about this issue.

(That’s got to be a really crappy job for a lowly PR flack; surfing the Internet for comments on the SMC modem, and uploading a canned positive comment wherever he can.)

Despite “Mr. Wood’s” comments about how SMC is fixing the problem in an absolutely wonderful way, I admit to some slight cynicism. Especially after reading more from David Chen, the guy who found it in the first place.

According to Mr. Chen, Time-Warner claimed to have pushed out a “temporary fix.” But here is his latest conclusion:

UPDATE: Finally figured out what the “patch” Time Warner deployed was. If a user tries to login with the user/user account, it simply kicks them back to the login page with javascript. All routers are still open to the internet and all still have the same default admin password.

It seems that a “fix” from Time-Warner or SMC consists almost entirely of PR.


Oct 21 2009   6:52PM GMT

Using Time-Warner as Your Internet Provider? Check Your Modem QUICKLY



Posted by: Arian Eigen Heald
Stupid Technology, Data Breaches, data security, Wireless, information security, Tearing My Hair Out

As of 10/20/09, a software maven has written up a major security hole (one you can drive a TRUCK through) in the wifi/cable modem models issued to customers who don’t want to use their own equipment.

Here’s the link, in all its details, by David Chen, writing up the vulnerability, which HAS been confirmed by Time-Warner. As of this writing, Time-Warner has no plans to change or resolve the vulnerability.

Here’s the quick version:

The modem: SMC8014 series cable modem/wifi router combination

Issue 1: Time-Warner/SMC has the modem locked down in a default mode which is not accessible to the average user. The default configuration has a default username/password and has locked WEP as the wifi encryption with a standard SSID. (You might as well make the SSID: HACK_ME_I’M_EASY)

Issue 2: Admin access to the modem is disabled via Javascript. When David Chen disabled Javascript in his browser, he could see all the admin features, including something called “Backup Configuration File.”

Issue 3: The backup configuration file comes in a plain text file, which includes the admin ID and password. In plain text.

Issue 4: By default, the web admin interface is accessible from ANYWHERE on the internet. By running a simple port scan of Time Warner IP addresses, David Chen easily found dozens of these routers, open to attack.

So you KNOW that, since this has been picked up by Wired, every knucklehead out there will be looking for these routers to play with.

The resolution to this mind-boggling issue that Time-Warner says they can’t do anything about?

Replace the modem - ASAP. And, complain, complain, complain.


Dec 11 2008   5:27PM GMT

More on ATMs - The Daily Store Owner Log



Posted by: Arian Eigen Heald
Identity theft, DataManagement, Security Devices, Hardware & InfoSec, Stupid Technology, Automatic Theft Machines

Did you know that a store that puts in an ATM for customer use also provides a daily log of transactions to the owner? The log includes the Bank name, last four numbers of the account, the customer name, and the transaction.

So if I do an account balance request, that comes up in the log. The amount in my account comes up in the log.

The log includes all transactions done on that machine, so everyone’s name, Bank name, how much they have, how much they took out, etc, is all there on the log.

I was chatting with an acquaintance who owns a store in Maine, and she pretty much knows everyone who comes in her store. When she had an ATM put in, after numerous customer requests, she began getting those daily reports (probably because she gets a percentage of transactions). She was embarrassed at how much information she could see about people she knows. I would be, too.

Where does this report get stored? Who has access to the reports? The manager? The clerks?

Here’s an acronym I really like: TMI (TOO MUCH INFORMATION)

Why does a store owner need that much information? I’ll try and find out.


Jun 26 2008   1:10AM GMT

Hack My Coffee - Please



Posted by: Arian Eigen Heald
Security, Hardware & InfoSec, Stupid Technology, Tearing My Hair Out, Start Laughing Now

From Craig Wright comes this riveting post:

I have a Jura F90 Coffee maker with the Jura Internet Connection Kit. The idea is to:

“Enable the Jura Impressa F90 to communicate with the Internet, via a PC.
Download parameters to configure your espresso machine to your own personal taste.
If there’s a problem, the engineers can run diagnostic tests and advise on the solution without your machine ever leaving the kitchen.”

Guess what - it can not be patched as far as I can tell ;) It also has a few software vulnerabilities.

Fun things you can do with a Jura coffee maker:
1. Change the preset coffee settings (make weak or strong coffee)
2. Change the amount of water per cup (say 300ml for a short black) and make a puddle
3. Break it by engineering settings that are not compatible (and making it require a service call from the Internet!)

Craig goes on to reverse engineer the software, with predictable results: Coding with no security. The details are painful.

The connectivity kit for the coffee machine installs software that uses the connectivity of the PC it is running on to connect the coffee machine to the Internet. This allows a remote coffee machine “engineer” to diagnose any problems and to remotely do a preliminary coffee service. Be still my heart - a remote coffee machine ENGINEER. (A NEW acronym: RCME)

It seems the software allows the “RCME” (can you say “attacker?”) to gain access to the Windows system it is running on at the level of the user. For most of us, that would be administrator.

Compromise by Coffee.
Whoo HOO. Can’t wait to see this come up in an audit.

And you can buy it for only $1798.00 at Amazon.

What’s surprising is that this thing has been on the market since September 2006, and it seems to have just now hit the press.

And Jura’s response?

“Jura is well aware of these articles which it clearly qualifies as misinformation.”
So Jura says security researchers are wrong. A coffee maker company knows best! OOOKay.

“The internet Connectivity Kit which can optionally be acquired for only one device (IMPRESSA F90/F9) …”
And this makes insecure software better how?

“… will at no times connect the coffee machine to the world wide web.” Except the software allows a remote coffee machine ENGINEER to access the machine from the web. OOOKay, again, this is secure how?

“Its settings can therefore only be changed by the machine’s rightful owner.” And if a remote coffee machine ENGINEER is allowed to run diagnostics on the machine - is this statement accurate? What else can the remote coffee machine ENGINEER do while he/she is running those diagnostics?

I’m feeling a caffeine buzz already. Is this a high risk vulnerability? No. Is it a good idea? NO.


Jun 17 2008   1:00PM GMT

Losing My Identity At the Drugstore Instant Photo Machine



Posted by: Arian Eigen Heald
Security, Identity theft, Data Breaches, Stupid Technology, Tearing My Hair Out

A few days ago I went with my partner to the local drugstore (all the big chains have these machines) to print out a jpeg to send with a card for Father’s Day. The picture was on a thumb drive for easy transport, and I was along to provide technical support (I try to at least appear useful).

Imagine my HORROR when, after plugging in the drive as the machine requested, I saw the machine begin reading everything on the thumb drive, including financial spreadsheets, letters, family photos and lots of confidential stuff. Turns out she was using the same thumb drive she backs up all her critical documents with to transport the photo to the drugstore.

Needless to say, it was too late to recall, and my poor partner could only say, “I didn’t know!” at my yelp of despair. We printed the photo and left, with me mumbling under my breath about what a good column THAT was going to make.

So, how long before some poor minimum wage guy working behind the counter and hacking on weekends says, “Hmmm. Look at all that interesting data along with all those dumb pictures.” There is no warning or indicator on the machines that we should think about what we’re giving away on those thumb drives along with pictures of junior and his new fishing rod. Perhaps they’re assuming we know better. (ROTFL)

More likely, it has not occurred to the designers nor the drugstore management that those machines should only be reading .jpeg, .tiff, .bmp, .raw and other image files, not ALL files. Although the information was not printed, it was acquired. Even if there is no hard drive (which I highly doubt) the files would remain in memory. Where is all that information sitting? Who has access to it? Am I nervous? You betcha.
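Here is what the kiosk ought to be doing, as an added example (not code from the post or from any kiosk vendor): open only files whose leading bytes identify them as an image, so a spreadsheet is never read, even when someone has renamed it with a .jpg extension. The file names and header bytes below are constructed for illustration; camera RAW formats are left out because they have no single vendor-independent signature.

```python
from pathlib import Path

# Magic-byte signatures for the image formats the kiosk has a reason to read.
# Matching on content, not on the file name, is the point.
IMAGE_SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "tiff": (b"II*\x00", b"MM\x00*"),   # little-endian and big-endian TIFF headers
    "bmp":  (b"BM",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
}

HEADER_LEN = 16  # bytes read per file; nothing beyond this is touched before the decision


def image_kind(header: bytes):
    """Return the format name if the header matches a known image signature, else None."""
    for kind, signatures in IMAGE_SIGNATURES.items():
        if any(header.startswith(sig) for sig in signatures):
            return kind
    return None


def read_header(path: Path, n: int = HEADER_LEN) -> bytes:
    """Read only the first n bytes of a file; enough to classify, not enough to harvest."""
    with open(path, "rb") as fh:
        return fh.read(n)


def select_printable(files):
    """files: iterable of (name, header_bytes). Returns the names the kiosk may open.

    Anything that is not an image by content is ignored outright, whatever its extension.
    """
    return [name for name, header in files if image_kind(header) is not None]


# Constructed sample of a thumb drive's contents (only the header bytes matter here).
SAMPLE_DRIVE = [
    ("dad_fishing.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("scan.tif", b"MM\x00*\x00\x00\x00\x08"),
    ("budget.xlsx", b"PK\x03\x04"),      # spreadsheet (zip container), not an image
    ("letter.docx", b"PK\x03\x04"),
    ("renamed.jpg", b"PK\x03\x04"),      # spreadsheet wearing a .jpg extension
    ("logo.bmp", b"BM\x36\x84\x03\x00"),
]
```

To run it against a real drive, feed `select_printable((p.name, read_header(p)) for p in Path(mount_point).rglob("*") if p.is_file())`; the confidential documents never leave the drive.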

I can only wonder how long it will be before we get something in the news about these machines.