Joi Ito's conversation with the living web.

Recently in the Computer and Network Risks Category

Conversation with Adafruit »

I recently visited and had a conversation with Limor "Lady Ada" Fried and Phil Torrone of Adafruit. I first met them about ten years ago at SxSW. Limor is an MIT grad that we're super proud of, and Phil is an amazing pioneer in communications, hacking and many other things. Phil and Limor are two of my favorite people and I always get giddy just getting a chance to hang out with them. We discussed making, electronics, business, manufacturing, hacking, live video and more. They've been doing live video daily for the last 10 years or so and are...

Conversation with Julia Reda, MEP and Pirate Party of Germany »

I learned about Julia Reda reading Kaz Taira's blog post about her visit to Japan for a Movements for Internet Active Users (MIAU) meeting. Julia Reda is a Member of the European Parliament representing Germany, and she also serves as a Vice-President of the Greens/EFA group, president of the Young Pirates of Europe and a member of the Pirate Party of Germany. She was the rapporteur of the Parliament's review of the 2001 Copyright Directive. We set up a Skype call, and some of the EU's secret conversations about copyright leaked just as the call was starting, so we used...

Why anti-money laundering laws and poorly designed copyright laws are similar and should be revised »

Published this on pubpub.ito.com. Please comment there. Abstract: Intentionally or unintentionally, poorly crafted or outdated laws and technical standards threaten to undermine security, privacy and the viability of our most promising new technologies and networks, such as Bitcoin and Blockchain. We should be vigilantly reviewing and revising laws and standards for the public good and working to prevent the creation of fragile and cumbersome systems designed to comply with these poorly crafted or outdated laws. In this post, I discuss the Digital Millennium Copyright Act's Anti-Circumvention provision, Digital Rights Management, Anti-Money Laundering Law, Know Your Customer Laws and security backdoors....

Japanese government bans Ejovi's talk »

Ejovi was prevented from giving his talk by the Japanese Ministry of Internal Affairs and Communications. Ejovi did the security audit on the local government system connected to the Japanese National ID system (Jyukinet) for the prefecture of Nagano. I audited his audit and wrote an opinion for the Governor of Nagano last December. It does suck that they blocked his talk, which I think would have been fair and balanced as Ejovi says. However, I can easily imagine the government taking a hard stance on this considering all of the trouble they are having controlling the spin. Anyway, welcome to...

Vote counting computers hacked »

Black Box Voting: We now have evidence that certainly looks like altering a computerized voting system during a real election, and it happened just six weeks ago. MONDAY Nov 1 2004: New information indicates that hackers may be targeting the central computers counting our votes tomorrow. All county elections officials who use modems to transfer votes from polling places to the central vote-counting server should disconnect the modems now. There is no down side to removing the modems. Simply drive the vote cartridges from each polling place in to the central vote-counting location by car, instead of transmitting by modem. “Turning...

Diebold Brand Media Player? »

Diebold ATM looping Windows Media Player (original image on Midnight Spaghetti). Midnight Spaghetti & The Chocolate G-Strings, "Diebold ATM Media Player", March 17, 2004: Midnight Spaghetti causing a ruckus as always. The Scene: Carnegie Mellon University. The Event: A newly installed Diebold Opteva 520 ATM crashes, then reboots. Surprisingly, its vanilla-style Windows XP operating system initialized without the actual ATM software. The Result: A desktop computer with only a touch screen interface is left wide open for the amusement of the most wired university in the U.S. Take a look at the site for details, but you can imagine how much fun they had....

"authenticated" my ID with Google »

I was on the phone trying to consolidate two mileage accounts on the same airline. The operator needed the address, phone number and other details of the card I had registered in 1996. I had no idea. I started googling. Bits and pieces were all over the Net. I was able to "authenticate" my identity based on this info, including my phone number in a mailing list post that I found. Where would I be without Google? On the other hand, I wonder if we have to think about better authentication for the post-Google era. Don't blog about your mother's maiden name or the name of your pet. ;-p

You have a switch? SSH1? A WEP key? Ha! You're not safe. »

When the WiFi network went down at FiRe and Max quickly mapped out the network, grabbed a free IP address and started hunting for the rogue network, it was useful and cool. I hadn't messed around with "security tools" recently, so I decided to spend one hour searching for some tools that would work on my Mac.

First I downloaded trusty nmap, which scans your network for computers, does an OS fingerprint and will often find the name, revealing the owner. It will also do quiet portscans to see what services are running on the machines.

Then I found ettercap. (The latest version doesn't run properly on OS X; use version 0.6.7.) This is a full-featured packet sniffer with an easy-to-use interface. It is unique in that instead of doing IP sniffing, it uses ARP hacking and MAC address spoofing to allow you to sniff across switches. It has a variety of "plug-ins" that let you easily capture email, passwords and keyword-filtered bits and pieces into files or onto the screen. It lets you insert your own text into connections, so you could, for instance, type a command into someone's telnet session. Of course you can also terminate other people's sessions and connections. Another interesting feature in the recent release is that you can now sniff SSH1 sessions. (Lucky for Dan we installed SSH2 on his computer.)
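The ARP trick ettercap relies on is also what gives it away. As an added example (not ettercap's code and not from the original post), here is an arpwatch-style monitor in Go: it parses raw Ethernet/ARP frames and alerts whenever an IP address it has already learned is claimed by a different MAC, which is the signature ARP poisoning leaves on a switched LAN. The gateway, victim and attacker addresses, and the frames themselves, are constructed for the demonstration.

```go
// Added example, not ettercap's code and not from the original post: an
// arpwatch-style monitor. It parses raw Ethernet/ARP frames and alerts
// when an IP it has already learned is claimed by a different MAC, the
// pattern ARP poisoning leaves on the wire. Frames/addresses are made up.
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

const etherTypeARP = 0x0806

// ARPPacket holds the fields of an IPv4-over-Ethernet ARP packet we use.
type ARPPacket struct {
	Opcode    uint16 // 1 = request (who-has), 2 = reply (is-at)
	SenderMAC net.HardwareAddr
	SenderIP  net.IP
}

// ParseARP decodes a 14-byte Ethernet II header followed by a 28-byte
// ARP packet (RFC 826) and rejects anything else.
func ParseARP(frame []byte) (*ARPPacket, error) {
	if len(frame) < 14+28 {
		return nil, fmt.Errorf("frame too short (%d bytes)", len(frame))
	}
	if et := binary.BigEndian.Uint16(frame[12:14]); et != etherTypeARP {
		return nil, fmt.Errorf("ethertype %#04x is not ARP", et)
	}
	p := frame[14:]
	if binary.BigEndian.Uint16(p[0:2]) != 1 || binary.BigEndian.Uint16(p[2:4]) != 0x0800 || p[4] != 6 || p[5] != 4 {
		return nil, fmt.Errorf("only Ethernet/IPv4 ARP is supported")
	}
	return &ARPPacket{
		Opcode:    binary.BigEndian.Uint16(p[6:8]),
		SenderMAC: net.HardwareAddr(append([]byte(nil), p[8:14]...)),
		SenderIP:  net.IPv4(p[14], p[15], p[16], p[17]),
	}, nil
}

// Alert records an IP whose MAC binding changed.
type Alert struct{ IP, OldMAC, NewMAC string }

// Detect replays raw frames through an IP -> MAC table learned from ARP
// sender fields (requests and replies both carry one) and reports each
// change, arpwatch's "flip flop".
func Detect(frames [][]byte) ([]Alert, error) {
	table := map[string]string{}
	var alerts []Alert
	for i, f := range frames {
		p, err := ParseARP(f)
		if err != nil {
			return alerts, fmt.Errorf("frame %d: %w", i, err)
		}
		ip, mac := p.SenderIP.String(), p.SenderMAC.String()
		if old, seen := table[ip]; seen && old != mac {
			alerts = append(alerts, Alert{IP: ip, OldMAC: old, NewMAC: mac})
		}
		table[ip] = mac
	}
	return alerts, nil
}

// buildFrame fabricates an Ethernet/ARP frame for the demo (requests go to broadcast).
func buildFrame(op uint16, smac, sip, tmac, tip string) []byte {
	sm, _ := net.ParseMAC(smac)
	tm, _ := net.ParseMAC(tmac)
	dst := tm
	if op == 1 {
		dst = net.HardwareAddr{0xff, 0xff, 0xff, 0xff, 0xff, 0xff}
	}
	be16 := func(v uint16) []byte { return []byte{byte(v >> 8), byte(v)} }
	f := append([]byte{}, dst...)
	f = append(f, sm...)
	f = append(f, be16(etherTypeARP)...)
	f = append(f, be16(1)...)      // htype: Ethernet
	f = append(f, be16(0x0800)...) // ptype: IPv4
	f = append(f, 6, 4, byte(op>>8), byte(op))
	f = append(f, sm...)
	f = append(f, net.ParseIP(sip).To4()...)
	f = append(f, tm...)
	return append(f, net.ParseIP(tip).To4()...)
}

// SampleFrames: the victim asks for the gateway, the gateway answers, an
// attacker then claims both addresses, and the real gateway speaks again.
func SampleFrames() [][]byte {
	const gw, victim, evil = "aa:bb:cc:00:00:01", "de:ad:be:ef:00:50", "00:11:22:33:44:55"
	return [][]byte{
		buildFrame(1, victim, "192.168.1.50", "00:00:00:00:00:00", "192.168.1.1"),
		buildFrame(2, gw, "192.168.1.1", victim, "192.168.1.50"),
		buildFrame(2, evil, "192.168.1.1", victim, "192.168.1.50"), // poison: gateway IP now at evil
		buildFrame(2, evil, "192.168.1.50", gw, "192.168.1.1"),     // poison: victim IP now at evil
		buildFrame(2, gw, "192.168.1.1", victim, "192.168.1.50"),   // real gateway again: flip back
	}
}

func main() {
	alerts, err := Detect(SampleFrames())
	fmt.Println(alerts, err)
}
```

Run with `go run` and it reports three alerts: the gateway's IP moving to the attacker's MAC, the victim's IP doing the same, and the gateway's IP flipping back as soon as the real gateway speaks again. A single host only sees the poison replies sent to it or broadcast, so a monitor like this belongs on a mirror port (or you lean on the switch's dynamic ARP inspection); a static ARP entry for the gateway protects that one host but nobody else on the segment.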

Appointed committee member of the Committee for the Protection of Identification Information for the City of Yokohama »

I was just appointed committee member of the Committee for the Protection of Identification Information for the City of Yokohama.

Chris Goggans aka Erik Bloodaxe is now a Visiting Associate Professor at Tokyo University! »

Chris giving me his new Tokyo University name card with Professor Yasuda looking on. Professor Yasuda and "Visiting Associate Professor" Chris Goggans visited our office today. Professor Yasuda has invited Chris to Tokyo University as a Visiting Associate Professor to help educate Japan about security and to break into a few computers.

Davos Blueprint for Japan 2020 panel »

Yu Serizawa and her team worked on some great slides including the problems that we all traditionally talk about, a picture of Koizumi-san trying to attack the difficult problems on the surface, and the dysfunctional democracy which resists change. The members of the panel were Carlos Ghosn, President of Nissan; Nobuyuki Idei, Chairman and CEO of Sony; Jiro Tamura, Professor of Law, Keio University; Motohisa Furukawa, politician; Oki Matsumoto, the CEO of Monex; and me. The Moderator was Karl T. Greenfeld, Editor of Time Asia. Reuters did a great summary.

PGP key transition announcement »

This is my PGP key transition announcement. If you don't know what this means, you should. You can go to the PGP web site, and Rich and Bob explain the key transition process to me on my blog. The key is here.

Hacking traffic lights »

I love that the "tone" of Phrack articles is the same as Cook's Illustrated articles. ;-)

Phrack: A more environmentally friendly way of traveling by car. As some of you might recall, in almost all the hacking movies, books, TV shows, etc. there has been a case of someone fiddling with traffic lights. Well, we all just giggled at the unrealistic aspect of it and didn't think twice. Well, in my quest for a more appealing planet for our children I felt compelled to think of a way in order to reduce the amount of pollution emitted by vehicles of today. Standing at an intersection, nobody else around, you're still stuck behind the red light, and this invisible barrier of governmental guilt has enough power to let you wait there and pollute the air more and more, just for a measly green light. Wouldn't it be leet having a laptop in the car where you could just select the intersection off a list, change the timing or current stream running, and ride off with less time wasted and fewer pollutants exhausted and a clear conscience. Now, enough crap about the reasons, now for the technical shit. Today's traffic controlling system is a well oiled redundant network that utilizes the same protocols that we are all aware of. Yes it is hackable and it is like in the movies. :) here we go!

Japanese National Police Agency General Security Response Council »

This is a picture of Suguru Yamaguchi smiling when I told him I'd blog him.

PGP Key »

I just uploaded my PGP key because Cyrus mentioned that I didn't have one on my web page. It's quite an old key that I created in 1997. The good thing is that it's signed by many people. The bad thing is that since it has been sitting around for a long time, it's more likely to have been stolen. So I'm trying to figure out whether I should dump the key and start using a new one. I have made a new one, but no one has signed it and I never end up using it. It's also kind of...

Roger Clarke on ENUM »

Roger Clarke, one of my favorite privacy experts and the person from whom I learned the notion of separating "entities" and "identities", has written a paper about the problems with ENUM. I wrote about ENUM when Australia announced their initiative. I am on a mission to make sure that Japan doesn't try to link ENUM with the national ID...

Roger Clarke
From: Roger Clarke
Subject: Glitterati: ENUM: Case Study in Social Irresponsibility
I've just finished a paper on a proposed Internet scheme that will have extremely serious implications if it's implemented: ENUM - A Case Study in Social Irresponsibility http://www.anu.edu.au/people/Roger.Clarke/DV/enumISOC02.html As always, constructively...

Court posts MS Ruling on web before it was supposed to »

This reminds me of the incident where the Ministry of Finance leaked information vital to the market on their web page in August. The other funny similarity is that the newspaper called me the night before the article and asked me for a comment. I guess they wanted something like what David Farber said to the Post. However, I said something more like, "it's not a big deal. I'm much more worried about the leakage of information about citizens," which I guess wasn't really what the paper was looking for. ;-) I also love the "Internet enthusiasts" label. Sitting here...

Wi-Fi Security? »

InfoWorld: WiFi eyes better wireless LAN security. By Stephen Lawson, October 30, 2002 11:37 am PT. THE WIRELESS ETHERNET Compatibility Alliance (WECA), which certifies IEEE 802.11 wireless LAN products with the WiFi label, on Thursday will announce a new set of mechanisms to combat the security problem that has plagued wireless LANs. A WECA official did not provide details of the mechanisms but said they are intended to replace the current security system based on WEP (Wireless Encryption Protocol). WEP, which is built in to products that use the IEEE 802.11b and 802.11a standards, is easy for intruders to break into,...

Drinks with Chris Goggans aka Erik Bloodaxe »

Chris Goggans posing next to the safe in my office. (The little Samurai thing is Jun's)

Support the EFF »

The EFF is one of the few organizations fighting on the issues of copyright and privacy in the US courts. They need our support more than ever. I just sent my contribution. If you care about the Net shouldn't you?...

Information Security Seminar »

Now I'm sitting on a panel sponsored by the government about security. The panel is focused on the security of government networks. I am sitting on the far left and the guy in favor of the national ID is sitting on the far left. I just talked about the importance of privacy and the fact that privacy is different from security. I talked about how privacy is not only a right of citizens, but a necessary element for democracy. I talked about how the OECD guidelines for privacy were written before the Internet and that we needed to look...

Censorware funded by the Japanese Government »

Sakiyama-san is a co-founder of the Japan chapter of CPSR and one of the few privacy activists in Japan. He mentioned this issue at the last CPSR meeting, and I've been meaning to look into it. The perp of this whole thing, the Electronic Network Consortium, merged with the Internet Association of Japan (IAJ). I WAS a Councilor of the Internet Association Japan and was on their web page when I checked at the CPSR meeting, but I just checked and noticed that I am no longer on their web page. Hmm... I was going to threaten to quit...

MOF Accidentally Leaks Information on Web? »

I just got a call from a Kyodo News reporter asking for a comment about the Ministry of Finance (MOF) leaking (accidentally?) financial metrics on their web page before the official announcement date. They are apparently going to make some announcement about their mistake and he wanted a quote from me to run in the story. I can't seem to find anything on the web about this. Does anyone know anything? (I thought it was the FSA, but it was the MOF.) Anyway, the comment I made was that comparing Nippon Ham vs. Worldcom, the CFO of Worldcom is taken...

National ID Card Technology - Popular Science »

Found on Slashdot. An article in Popular Science about what a national ID would look like and contain. On the issue of social security numbers on ID cards, they mention that even though social security numbers on ID cards have been rejected by the federal government, "it's a good guess the Department of Homeland Security would manage it". On smart card technology, they say: For example, an ER doctor could view medical information and enter data about treatment (if the card's data storage device is read-write capable), but could not see security-related data (such as a traveler's flight history, or...

Microsoft's grant has strings attached? »

First spotted on David Farber's IP List. So it sounds like the 300 students who receive this grant have to take the MS C# class which replaces the C++ course. Pretty sleazy... There is a student site about this. Following is a quote from CNET and a link to the CNET article.

Microsoft's grant has strings attached? By Margaret Kane, Staff Writer, CNET News.com, August 16, 2002, 9:59 AM PT (update). A collegiate grant from Microsoft has created an uproar after one of the recipients agreed to require a class in a Microsoft programming language as part of the deal....

Audit Shows More PCs At the IRS Are Missing »

So, does anybody still wonder why I'm protesting our National ID in Japan? It makes it SO much easier to collect random data from things like stolen PCs and aggregate them into a database if every record has a conveniently simple 11-digit ID number tagged onto it... Thanks for this link, Sen!

Audit Shows More PCs At the IRS Are Missing. By Albert B. Crenshaw, Washington Post, Aug 16 2002 6:40AM. The Internal Revenue Service has lost to thieves or has misplaced another batch of computers, adding to the thousands already missing from that and other government agencies. In...

US Justice Department to begin fingerprinting some foreign visitors on Sept. 11 »

Sounds like the beginning of the end. I definitely will begin to limit my travel to the US. I don't want my fingerprints in some database, I don't want to end up in some INS prison and I can't imagine how this racial profiling can get by all of those human rights advocates in the US. This is really incredible...

Mon Aug 12, 9:46 PM ET. By CHRISTOPHER NEWTON, Associated Press Writer. WASHINGTON - The Justice Department has chosen Sept. 11 as the starting date for a new program that will require tens of thousands of foreign visitors to be...

Microsoft Downplays Severe Internet Explorer Security Vulnerability »

First spotted on David Farber's IP List. Microsoft's Internet Explorer has a vulnerability in its implementation of SSL. It allows anyone with a valid CA-signed certificate to generate a fake certificate for any domain. This is because IE does not check the X.509 "Basic Constraints" extension, whose cA flag says whether the certified key is allowed to sign other certificates; without that check, any ordinary server certificate can act as an intermediate CA. This is a significant vulnerability which would allow a "man-in-the-middle" attack without any warning dialog boxes. This means that someone could think they are accessing their bank or online shop securely and directly, but in fact be accessing it through a hostile site. The hostile...
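To make the Basic Constraints point concrete, here is an added example in Go (not Microsoft's code and not from the original post). A made-up root CA issues an ordinary server certificate for shop.example; whoever holds that certificate's private key then signs a certificate for bank.example with it. A verifier that checks only the signatures and the host name accepts the forged chain, the same verifier with the cA-flag check added rejects it, and so does Go's standard-library chain builder. All names are invented and all keys are generated inside the example.

```go
// Added example, not Microsoft's or the page's code: a root CA issues an
// ordinary server certificate for shop.example, whose key then "issues"
// one for bank.example. Signature-only checking accepts the forgery;
// honouring basicConstraints cA (RFC 5280 s4.2.1.9) rejects it. Names are made up.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a certificate body; basicConstraints is always present,
// but cA=TRUE only for the real CA.
func template(serial int64, cn string, isCA bool, dns ...string) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku |= x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, DNSNames: dns, KeyUsage: ku,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// issue signs tmpl with signer's key; parent == nil means self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// signedBy checks only that issuer's key produced cert's signature (all keys here are ECDSA P-256).
func signedBy(cert, issuer *x509.Certificate) bool {
	h := sha256.Sum256(cert.RawTBSCertificate)
	return ecdsa.VerifyASN1(issuer.PublicKey.(*ecdsa.PublicKey), h[:], cert.Signature)
}

// ChainOK walks leaf -> intermediates -> root. checkCA=false reproduces the
// signature-only behaviour; checkCA=true also demands cA=TRUE on each issuer.
func ChainOK(chain []*x509.Certificate, root *x509.Certificate, host string, checkCA bool) bool {
	if chain[0].VerifyHostname(host) != nil {
		return false
	}
	full := append(append([]*x509.Certificate{}, chain...), root)
	for i := 0; i+1 < len(full); i++ {
		issuer := full[i+1]
		if checkCA && !(issuer.BasicConstraintsValid && issuer.IsCA) {
			return false // a non-CA key must not be used to verify certificate signatures
		}
		if !signedBy(full[i], issuer) {
			return false
		}
	}
	return true
}

type Result struct{ SignatureOnly, WithCAFlag, Stdlib bool }

// RunDemo builds root -> shop.example -> (forged) bank.example and checks the
// forged chain three ways.
func RunDemo() Result {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	shopKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	bankKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	root := issue(template(1, "Example Root CA", true), nil, &rootKey.PublicKey, rootKey)
	shop := issue(template(2, "shop.example", false, "shop.example"), root, &shopKey.PublicKey, rootKey)
	// The attacker holds shop's private key and signs a bank.example certificate with it.
	bank := issue(template(3, "bank.example", false, "bank.example"), shop, &bankKey.PublicKey, shopKey)
	chain := []*x509.Certificate{bank, shop}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(shop)
	_, err := bank.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: "bank.example"})
	return Result{
		SignatureOnly: ChainOK(chain, root, "bank.example", false),
		WithCAFlag:    ChainOK(chain, root, "bank.example", true),
		Stdlib:        err == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", RunDemo())
}
```

The signature-only path is the dangerous one: every signature in the forged chain is genuinely valid, so nothing short of reading the issuer's Basic Constraints (and, in practice, its key usage) distinguishes shop.example's certificate from a real intermediate CA. Note that Go's `x509.CreateCertificate` will happily sign with a non-CA parent, which is exactly what the attacker does here; the defence lives in the verifier, not the issuer.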