No one lives here anymore

I've moved to harrymetcalfe.com -- please visit me there!

This site isn't updated anymore, and is out of date and generally neglected.


Archive for August, 2005

BBCode vulnerability discovered

Thursday, August 25th, 2005

An interesting vulnerability has been found in BBCode. Apparently, this problem affects most products that use BBCode - the de facto standard for formatting posts in online forums.

The problem exists with the [IMG] tag, which allows users to embed images in their posts. It generally works something like this:

[IMG]http://server/folder/image.jpg[/IMG]

The vulnerability works by creating a folder called /folder/image.jpg, and linking to that folder in the image tag. By placing a default document (say, index.php) in that folder, you can trick the user into visiting your script. At that point, you could redirect them to a new URL (for example, to log them out), display some malicious image (the GDI vulnerability comes to mind), or simply record their visit.

I like this kind of problem - it’s been sitting under all our noses for years. Good lateral thinking on the part of whoever spotted it!
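One way a forum could defuse this, as an added example that is not from the original post: fetch the image server-side and judge the response rather than the URL's extension. The function names, the allowed types and the sample responses are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Leading bytes of the image types this hypothetical forum allows.
IMAGE_MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

def extension_check(url):
    """Naive filter: any http(s) URL whose path ends in an image extension."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(
        re.search(r"\.(jpe?g|png|gif)$", parts.path, re.I))

def response_check(status, headers, body):
    """Judge the fetched response rather than the URL. Returns (ok, reason).

    Assumes the forum fetched the URL itself with redirects disabled and
    will serve accepted bytes from its own host.
    """
    if 300 <= status < 400:
        return False, "redirect to " + headers.get("Location", "?")
    if status != 200:
        return False, "status %d" % status
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    magics = IMAGE_MAGIC.get(ctype)
    if magics is None:
        return False, "content type %r not allowed" % ctype
    if not body.startswith(magics):
        return False, "body does not match " + ctype
    return True, ctype

URL = "http://server/folder/image.jpg"  # URL form used in the post

# Constructed responses a server could return for that URL.
SAMPLES = {
    "real jpeg": (200, {"Content-Type": "image/jpeg"}, b"\xff\xd8\xff\xe0JFIF"),
    "folder redirect": (301, {"Location": URL + "/"}, b""),
    "script output": (200, {"Content-Type": "text/html; charset=utf-8"}, b"<html>"),
    "mislabelled": (200, {"Content-Type": "image/jpeg"}, b"<html>"),
}

def audit():
    """Run every constructed response through the response check."""
    return {name: response_check(*resp) for name, resp in SAMPLES.items()}

if __name__ == "__main__":
    print("extension check accepts URL:", extension_check(URL))
    for name, verdict in audit().items():
        print(name, "->", verdict)
```

Serving accepted bytes from the forum's own host means readers' browsers never contact the third-party server, so their visits are not recorded there. A magic-byte check does not detect a malformed image; that would need the image to be re-encoded.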

More thoughts on de Menezes

Wednesday, August 24th, 2005

A couple of things happened over the weekend, which I found interesting.

First, I had to travel by tube. Upon entering the tube system, my first thought was “I wonder if I’ll get mistaken for a suicide bomber”. It was not “I wonder if I’ll get blown up by a suicide bomber”. Of course, I considered the likelihood of either to be pifflingly small, but nevertheless, that was the order of my thoughts. I suppose, technically speaking, the government has had much more success in ‘terrorising’ me than anyone else.

Second, I was conversing with some friends about the whole incident, and one of them pointed something out that should, in hindsight, have been quite obvious: this policy was conceived in Israel, and is thus totally inapplicable to us. In Israel, due to the horrifying frequency of suicide attacks, there’s a reasonable chance that if a police officer suspects someone of being a suicide bomber, then they are - simply because there are more of them. In this country, the same simply does not apply. Because we have so few suicide bombers, the balance of probability is that a suspected suicide bomber will not, in fact, be one - unless there is credible intelligence indicating otherwise, in addition to an officer’s suspicions.

Regardless of the outcome of the IPCC inquiry into de Menezes’ shooting, the shoot-to-kill policy is misguided, and should be rethought. At the very least, it should only be applied in the presence of overwhelmingly convincing intelligence, and never on suspicion alone.

Followup: response from Sir Ian Blair

Tuesday, August 23rd, 2005

A few weeks ago, I wrote about an interview with Sir Ian Blair, the Metropolitan Police Commissioner, and its implications for the shoot-to-kill policy.

As well as writing that post, I contacted Scotland Yard to see if they would like to comment, and - after several follow-up phone calls - they have responded. Unfortunately, but understandably, they are waiting for the IPCC report on Jean Charles de Menezes before commenting on shoot-to-kill. From their response:

I am sorry but at the moment I am not in any position to comment. It is important to wait for the outcome of what I have no doubt will be a full, impartial and very thorough investigation by the Independent Police Complaints Commission. It would be highly inappropriate for me to comment in any way that would pre-judge or possibly prejudice the outcome of such an inquiry.

So, not a terribly successful outcome. I, also, will wait for the IPCC’s report. Hopefully, it will answer this question - if not, I’ll get back in touch with them.

Google supports “fill in the blanks” queries

Monday, August 22nd, 2005

This is so cool.

Google blog describes the uses for wildcard searches:

Sometimes one wants to use a search engine to find a very specific piece of information rather than to learn about a topic. If search engines were truly intelligent, you could just pose a question the same way you would ask a person. An alternative is to get the search engine to ‘fill in the blank.’ So instead of asking [who invented the parachute?], you can enter the query [the parachute was invented by *]. (The blank, or wildcard, search is marked by * - an asterisk.)

This is really cool. I’m sure it’ll come in useful for digging up little facts, and the answers to obscure questions.

If Google supported proper regular expressions, that would be even cooler - I wonder if it ever will?

Menezes was “not a bomb threat”

Sunday, August 21st, 2005

The Guardian reports that senior sources in the Metropolitan Police have told the Observer that de Menezes was not considered a bomb threat by the surveillance team who followed him to Stockwell tube station. Apparently, he was only considered a threat once the armed officers arrived.

These officers are trained to deal with suicide bombers, and their training tells them that a bomber will likely detonate immediately if he suspects he has been identified. The Observer’s source claims that a member of the surveillance team shouted “He’s in here” to the armed officers on the platform. This alarmed de Menezes, who stood up. Upon standing, he was restrained by a surveillance officer - as we have heard before - but apparently, the armed officers considered de Menezes’ movement to be aggressive, and opened fire.

Every time I read something new about this shooting, I become more horrified. I keep saying I won’t make my mind up until I read the IPCC report on the incident, but these leaks are making that pretty hard.

Speed cameras cause more accidents?

Saturday, August 20th, 2005

TheNewspaper.com reports that a study conducted by the Department for Transport, uncovered by a FOIA request, has shown that the presence of speed cameras increases the number of personal injury accidents - accidents in which someone is hurt.

This doesn’t surprise me at all. As is probably obvious to most, speed cameras do not reduce speeding overall — they decrease speeding where the camera is. I’m sure everyone is familiar with the phenomenon: people approach a speed camera, slow down from 70mph to 40, and then accelerate back up to 70. I daresay more examples of strange driver behaviour exist. Indeed, the original story notes the comments of Paul Smith, of Safe Speed:

We have all seen strange driver behaviour where fixed speed cameras operate. This report highlights the dangers. We’re not surprised to see this information — we have known for years that speed cameras were the wrong road safety strategy, and it’s a huge relief to see the truth coming out so clearly

I don’t think the Department for Transport has responded to these revelations yet. I’ll be interested to see what they say.

Documents relating to de Menezes shooting leaked

Friday, August 19th, 2005

I don’t wish to jump to conclusions before the publication of the inquiry into the shooting of Jean Charles de Menezes, but documents have been leaked from the IPCC which cast a grave shadow over the whole affair.

It seems very likely that the following is true:

  • De Menezes was not wearing loose clothing or a heavy jacket
  • He did not run from officers or vault the ticket barrier
  • He had been restrained by an unarmed officer before being shot
  • He was apparently unaware that he was being followed, and was behaving normally - even stopping to pick up a free newspaper before boarding the train
  • He was never positively identified, because the surveilling officer was going to the toilet at the time de Menezes left the house

Like I said, I don’t want to preempt the official inquiry, but this really does look bad. I don’t really see how these points - which are drawn from eyewitness testimony and CCTV footage - can be reconciled.

If it transpires that the worst scenario is true - that all these points are correct and there is no reasonable explanation for the egregious errors made by the police - then something must be done. I’d start by reversing this dangerous policy and disciplining the officers that allowed this to take place in the face of such shaky intelligence.

TSA finally gives way to common sense

Thursday, August 18th, 2005

Via Schneier on Security: The US Transportation Security Agency is considering lifting its ban on small pointy objects. It’s also deciding whether or not to give screeners the discretion not to conduct pat-down searches, and not to require passengers to remove their shoes.

Well… it’s about time. This policy was always completely stupid. I’m glad that someone in charge has finally realised that.

Bush administration opposes .xxx TLD

Wednesday, August 17th, 2005

Apologies for the recent lack of posts. I’ve been on holiday.

News.com reports that the Bush administration has asked ICANN to delay the creation of a .xxx top-level domain name, so that the suffix can receive “further scrutiny”.

The Bush administration appears to be reacting to approximately 6000 letters and emails from concerned citizens. They don’t seem to have objected to the concept on principle, which is encouraging. The Family Research Council, on the other hand, has this to say:

Pornographers will be given even more opportunities to flood our homes, libraries and society with pornography through the .XXX domain.

This, clearly, is a complete falsehood. Why would a link to a .xxx domain be any worse than a link to a .com when it arrives in a spam email? If anything, a .xxx domain would provide more opportunities to filter pornographic material and stop it getting into people’s inboxes in the first place.

Of course, a .xxx domain won’t solve the problem of inappropriate access to pornography — companies won’t be forced to relocate to the new domains — but to suggest that it might make the situation worse is just silly. It will provide an obvious way for users to recognise pornographic links without needing to click on them. It will allow responsible pornography companies to facilitate better filtering of content where that is required. These things are good.

If there’s a rational, sensible, measured argument against creating a .xxx TLD, I’d like to hear it.

RFID

Tuesday, August 9th, 2005

I recently wrote about a pilot scheme in the US to require visitors to carry RFID-enabled cards at border crossings, in an attempt to achieve better border control (I assume).

Well, yesterday I read at Schneier on Security that the record for reading a passive RFID device was set at 69 feet! Just goes to show. The US government has said that they won’t read the cards except at borders, but who really knows. If cards can be read at 69 feet, tracking someone via an RFID tag becomes a real possibility — especially when you consider that, as Bruce points out, technology only ever gets better, not worse. In other words, the record next year might well be 100 feet. And what of the year after? And the year after that?

One must also consider the fact that anyone can buy an RFID scanner. It’s not only governments that may have an interest in tracking someone. Identity thieves, for example, may be interested in using the technology.

Today, a story at Wired News caught my eye: the British government is planning to run trials on active RFID car numberplates. The idea, presumably, is to make it easier for the Police to identify the owner of a vehicle at a distance. The privacy implications for this kind of scheme are dire. These RFID tags are active - not passive - and can thus be read at ranges in excess of 300 feet. This kind of range makes tracking of vehicles a perfectly viable idea and a real possibility.

Proponents of the scheme have thrown in the usual verbal diarrhoea about preventing terrorism:

Proponents argue that making such RFID tags mandatory and ubiquitous is a logical move to counter the threat of terrorists using the roadways, and that it will scoop up insurance and registration scofflaws in the process.

This kind of preposterous nonsense doesn’t even deserve to be credited with a response, in my opinion. I do agree that it would be an effective way to prevent people driving without insurance, but that problem in no way justifies the establishment of a scheme with such egregious privacy implications.

If RFID gets popular, I’ll be frying my RFID tags in the microwave before I leave the house!