taint.org: Justin Mason’s Weblog

Security: It looks like the security people are starting to take a look at RFID, and it’s not pretty.

I link-blogged this the other day — RFDump is a tool to display and modify data in RFID tags — including deployed ones, at least in some cases. (Think rewriting the price tags in a shop, scrambling the tracking numbers on a warehouse full of goods, or corrupting frequent-shopper data on a card.)

It looks like this was also discussed at USENIX Security ‘04 in an RSA presentation (those notes are swarming with typos, but the content’s there ;)

That talk has some interesting stuff — ‘blocker’ tags which spoof readers with gibberish data, or crash the collision-detection network protocol; while that’s being discussed as a security tool here, if the protocol is that hackable, and the hardware is available, I could see that having additional interesting effects in a supermarket. Of course, range is an issue — but that hasn’t stopped Bluetooth hacking, wardriving, etc.

If you ask me, it looks an awful lot like RFID is chock-full of security holes, and the features that make it so attractive (low power use, low cost, tiny size) will be the very features that militate against adding security. We could be in for interesting times here…

Tags: day, look, price, protocol, rfdump, rfid, security, shop, tool, tracking

Net: WINW Is Not WASTE: ‘WINW is a small worlds networking utility. It was inspired by WASTE … (WINW) has diverged from its original mission to create a clean-room WASTE clone. Today, the WINW feature set is different from that of WASTE, and its protocol is incompatible with WASTE’s protocol. However, WINW and WASTE achieve similar goals: they allow people who trust each other to communicate securely.’

Not quite there yet — just a Windows version with no sharing — but actively under development. One to keep an eye on…

Tags: clone, feature, mission, net, networking, protocol, today, utility, waste, windows, winw

Music: Ever wondered what the lyrics to Plastic Bertrand’s classic belgopunk tune really said? (Apart from ‘I am the king of the divan’, that is.) Wonder no more. (…ok, maybe these are a bit more likely. ‘Ey up!’, indeed.)

Mail: Google Mail front page. It has MXes — but they don’t answer yet. No SPF record yet, either ;)

Funny: XCP - the XML Control Protocol ‘is a drop in replacement for traditional Transmission Control Protocol, or TCP. With the advent of XCP/IP, connection-oriented networking will finally move from the legacy environment of inscrutable bits and bytes to a structured, human-readable world relying upon XML. XCP is the first 4th Generation Protocol, or 4GP. It is designed for a networking environment that is very fast and very reliable - the Internet of today!’

Tags: belgopunk, control, environment, mail, music, networking, plastic, protocol, tune, xcp, xml

Web: Slurpie - (another) distributed peer-to-peer downloading protocol (via HtP).

This looks pretty interesting; no special server is required, Slurpie can be used to download files from a HTTP/FTP server in a ’swarming’ fashion similar to BitTorrent.

However, Slurpie does require a central server of its own, which it needs to ‘know about’ somehow in advance, and that server will then know who’s downloading what. Not sure how you’d do that effectively; in this case, a .torrent-type file format that contains the ‘main’ file URL and a URL for the Slurpie server, might be more effective.

Tags: download, fashion, file, ftp, htp, http, protocol, server, slurpie, url, web

Spam: Craig is publishing SPF records. Worth noting that I’ve been publishing SPF records for jmason.org for a month or two, even though the protocol hasn’t even stabilised yet — working on the ‘if you build it, they will come’ approach ;)

Anubis looks great; I’ve been meaning to hack up something like that. Nifty!

Tags: anubis, approach, jmason, month, org, protocol, something, spam, spf, the, worth

Slashdot posts a story about ‘Hacking the Streamium’ — the Streamium is an ‘internet micro hi-fi’ made by Philips. The poster writes ‘the main gripes (are) that Philips controls which Internet radio stations you can listen to and that the PC-link software … only runs on Windows. I managed to fix both of these problems by reverse engineering the PC-link protocol and writing my own pc-link server in perl, which can be run on practically any OS, *and* can trick the Streamium into playing any Internet MP3 stream that you want’.

A quick look at his page notes ‘the protocol consists of fairly simple xml tags’. It sure does; I’d imagine it took all of 5 minutes with a tcpdump reversing that! In fact, it looks so easy to reverse-engineer, you’d have to wonder if the engineers at Philips weren’t hoping something like this might happen ;)

Tags: hacking, internet, pc-link, philips, poster, protocol, radio, slashdot, story, streamium

Kaitlin Duck Sherwood writes a trip report. Good tidbits:

• many big players in the mail-sending side want to see an SMTPng; a new protocol which is spam-resistant.

• Jon Praed of the Internet Law Group said that ‘better spam filters make his job easier: the more contortions that a spammer goes through to make sure that the messages go through, the easier it is to convince a judge that the spammer knew it was wrong.’ Excellent!

Tags: group, internet, law, protocol, report, sherwood, side, smtpng, spammer, trip

ICAP-server, an (imaginatively-named) daemon which implements ICAP. This seems to be a transcoding proxy server; in other words, it will convert HTML content on the fly, while you browse.

ICAP itself seems to be a protocol for rewriting HTTP responses; in other words, it allows a proxy server to include a small snippet of ICAP client code, and call out to an ICAP server to do the rewriting. Nifty.

Sounds like this could be very handy for low-bandwidth situations; use ICAP to “downshift” web pages into low-bandwidth versions. For example, banner ads can be trimmed out, heavy images converted to small, low-quality JPEGs, etc. One to watch (or help out with).

Ericsson used to have a commercial product which did something similar, but I can’t find it now…

Tags: content, daemon, fly, html, http, icap, icap-server, protocol, proxy, server