The Laboratory for Dependable Distributed Systems at the RWTH Aachen has gathered some statistics about directories forbidden by robots.txt files. There are some interesting entries there, e.g. "private", "secure", ...
Many people don't realize that robots.txt files contain nothing more than hints for spiders; they do not "protect" you in any way. On the contrary, you're pointing potential attackers right where you absolutely don't want to have them.
(via disLEXia 3000)
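An added example (not from the original post or the RWTH study): a small audit a site owner can run over their own robots.txt to spot Disallow entries that advertise sensitive paths, which need real access control instead. The keyword list beyond "private" and "secure", the function names and the sample file are assumptions constructed for illustration.

```python
import re

# Assumed keyword list: "private" and "secure" come from the post, the rest are illustrative.
SENSITIVE = re.compile(r"private|secure|admin|backup|internal|secret", re.I)

def parse_robots(text):
    """Return (user_agents, directive, path) tuples for Allow/Disallow rules."""
    rules, agents, in_rules = [], [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:                         # rules seen, so a new group starts
                agents, in_rules = [], False
            agents.append(value)
        elif field in ("allow", "disallow"):
            in_rules = True
            rules.append((tuple(agents), field, value))
    return rules

def audit(text):
    """Flag Disallow paths whose names advertise something worth protecting."""
    findings = []
    for agents, directive, path in parse_robots(text):
        # An empty Disallow means "nothing is disallowed", so it is skipped.
        if directive == "disallow" and path and SENSITIVE.search(path):
            findings.append((path, agents))
    return findings

# Constructed sample robots.txt (not taken from any real site).
SAMPLE = """\
User-agent: *
Disallow: /private/   # staff only
Disallow: /images/tmp/
Disallow:

User-agent: Googlebot
User-agent: Bingbot
Disallow: /secure-area/
Allow: /secure-area/help.html
"""

if __name__ == "__main__":
    for path, agents in audit(SAMPLE):
        print(f"{path} (listed for {', '.join(agents)}): protect with authentication")
```

Each flagged path should be checked for whether it returns content to an unauthenticated request; if it does, the Disallow line is the only thing "hiding" it.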
Nothing really new for most of you, but still some good food for thought:
Cell tower records can pinpoint a phone owner's location for police, whether the phone is used or not.
Cell phone trails snare criminals, call or no — a nice article which tells us that several murderers were convicted using (among other things, I guess) cell tower records. Police could often pinpoint the location of the accused within a few blocks and thus "prove" they were lying in court about their location at a given time (i.e., their alibi was smashed).
Of course, this is not a reliable method in all cases. A murderer could give someone else his cell phone to create an alibi in the first place. I can easily imagine lots of other ways to abuse this.
While probably useful in some cases, this is pretty scary stuff. Authorities can track where you are at a given time, and where you are going in real time. Combine this with Google Earth and you've got some pretty Big Brother style surveillance. This is unacceptable in general, but even more so if performed without probable cause (as has happened already). The EFF has some more information.
Issues like this always make me wonder whether I'm too paranoid or not paranoid enough...
(via Bruce Schneier)
Quick reminder: the goal of the contest is to
write innocent-looking C code implementing malicious behavior. In many ways this is the exact opposite of the Obfuscated C Code Contest: in this contest you must write code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should do something subtly evil.
I blogged about the contest earlier, but only later decided to take part in the contest myself (together with Daniel Reutter). After some initial brainstorming we hacked together our solution in roughly one day.
Although we didn't win (damn, no beer for us ;-), we managed to submit one of the simplest solutions (ca. 34 lines of code), i.e., it's very hard to embed any malicious but innocent-looking code in there... Our solution exploits an array bounds overrun, with an extra equals sign ("<=" instead of "<").
I have yet to look at the two winning entries by M. Joonas Pihlaja and Paul V-Khuong (team submission), as well as Natori Shin. Congratulations guys! Also, I noticed the Slashdot story about the contest results, but didn't get around to reading that article, either. Sigh...
I have updated my iptables scripts again.
This time fw_laptop got support for limiting logging in case of flooding, blocking of known-bad IP addresses (e.g. from DShield.org), optional blocking of certain outbound ports (e.g. X11 server, VNC, NFS etc.), and a few minor tweaks...
Thanks to Ryan Giobbi for several hints and comments. Further comments and suggestions are welcome!