
the blog of a bear

this is where a bear will post stuff.

security

nice going, HTC.

October 4, 2011 by stickbear

Yep, I haven’t been around in a while. But today’s blogging starts out with this little piece of information about a security leak in HTC Android phones. Here’s the article in its entirety, and all I gotta say is smooth move, HTC.

HTC Phones Suffer Major Security Exploit
Latest Update Provides Easy Access to Personal Data
by Karl Bode
The folks over at Android Police note that several HTC model smartphones suffer from a rather major security exploit that can give a hacker access to personal information, e-mail addresses, and your location. The vulnerability is part of HTC’s Sense UI and affects several popular HTC phones, including the EVO 4G, EVO 3D, Thunderbolt, EVO Shift 4G, MyTouch 4G Slide, and several more. The problem began with a recent HTC update that introduced a suite of logging tools that creates an HTCLoggers.apk file accessible by any app with Internet permissions. That provides easy outside access to:
• The list of user accounts, including email addresses and sync status for each
• Last known network and GPS locations and a limited previous history of locations
• Phone numbers from the phone log
• SMS data, including phone numbers and encoded text (not sure yet if it’s possible to decode it, but very likely)
• System logs (both kernel/dmesg and app/logcat), which include everything your running apps do and are likely to include email addresses and phone numbers
HTC was contacted on September 24th but has yet to comment on the vulnerability. “In my experience, lighting fire under someone’s ass in public makes things move a whole lot faster, which is why responsible disclosure is a norm in the security industry,” notes the website. Only stock phone firmware is impacted — users who have modified their Android HTC devices to run CyanogenMod are not impacted.
Update: HTC is telling news outlets they’re “investigating” the security flaw.

According to further research, this issue only affects factory firmware for Android.
We’ll see what HTC does about this in the coming days.

Filed Under: articles, cell phones, security, technology

And people wonder why I don't fly?

December 27, 2010 by stickbear

And here we go again.
TSA, seriously?
Again.

The 50-year-old pilot, who lives outside Sacramento, asked that neither he nor his airline be identified. He has worked for the airline for more than a decade and was deputized by the TSA to carry a gun in the cockpit.
He is also a helicopter test pilot in the Army Reserve and flew missions for the United Nations in Macedonia.
Three days after he posted a series of six video clips recorded with a cell phone camera at San Francisco International Airport, four federal air marshals and two sheriff’s deputies arrived at his house to confiscate his federally-issued firearm. The pilot recorded that event as well and provided all the video to News10.
At the same time as the federal marshals took the pilot’s gun, a deputy sheriff asked him to surrender his state-issued permit to carry a concealed weapon.
A follow-up letter from the sheriff’s department said the CCW permit would be reevaluated following the outcome of the federal investigation.
The YouTube videos, posted Nov. 28, show what the pilot calls the irony of flight crews being forced to go through TSA screening while ground crew who service the aircraft are able to access secure areas simply by swiping a card.
“As you can see, airport security is kind of a farce. It’s only smoke and mirrors so you people believe there is actually something going on here,” the pilot narrates.
Video shot in the cockpit shows a medieval-looking rescue ax available on the flight deck after the pilots have gone through the metal detectors. “I would say a two-foot crash ax looks a lot more formidable than a box cutter,” the pilot remarked.
A letter from the TSA dated Dec. 6 informed the pilot that “an administrative review into your deputation status as a Federal Flight Deck Officer has been initiated.”
According to the letter, the review was directly related to the discovery by TSA staff of the YouTube videos. “The content and subject of these videos may have violated regulations concerning disclosure of sensitive security information,” the letter said.
The pilot’s attorney, Don Werno of Santa Ana, said he believed the federal government sent six people to the house to send a message.
“And the message was you’ve angered us by telling the truth and by showing America that there are major security problems despite the fact that we’ve spent billions of dollars allegedly to improve airline safety,” Werno said.
The pilot said he is not in trouble with his airline, but a supervisor asked him to remove public access to the YouTube videos.
He does, however, face potential civil penalties from the TSA. He said he would likely go public when it becomes clear what the government plans to do with him.

The pilot said he had resigned his position as an FFDO and was told by a TSA representative the resignation would result in the case being closed. The pilot’s attorney, Don Werno, said he was waiting for formal written confirmation.

In my opinion, why should he have to resign his job because he showed flaws in a security system? It doesn’t make sense.
From the same article we have this:

Current regulations require flight crews to pass through a TSA checkpoint, while ground crews can gain access to the same aircraft simply by swiping a card at an unmanned door.
“How effective is security when everybody on board is screened and everybody on the ground isn’t?” the pilot asked.

How safe do I feel now knowing that?
Should the ground crew not go through *the exact* same screening everyone else does?
I stand behind my previous claims: I’ll stay with Greyhound, at least until such time as stuff like this is put in place for ground transportation.
Then I may just stop traveling cross-border altogether.
TSA, kindly, die.

Filed Under: articles, general, general ranting, news, news articles, opinion, other stuff, rantings, rants, response, security, travel, Uncategorized, wtf

Is your personally identifiable information on Facebook really secure?

October 18, 2010 by stickbear

So, as I do on a regular basis, I keep up with interesting news bits and techy things, as well as blogs, via RSS.
I ran across this story, which raises a lot of questions about Facebook’s apparent lack of security when it comes to third-party applications.
The article tells us that some applications are in violation of Facebook’s *own* rules and regulations.
In my opinion, should Facebook not have been checking applications, before allowing them to be used by the general public, to ensure they met its own guidelines for information security?
The article indicates that some applications are giving people’s names, and those of friends, to nearly 25 different advertising agencies, in clear violation of the set-out policies that Facebook has in place.
The article does indicate Facebook is taking steps to fix this issue, but my point here is this.
Facebook should be keeping a better handle on its applications, and ensuring, no matter the app, that it meets minimum security guidelines before even releasing it to the public; if it doesn’t, sorry, your app can’t be used until it meets our minimum security requirements.
I’d like to hear your thoughts on this.
What do you think of this latest Facebook fiasco?
Should Facebook impose stricter control over third-party applications to ensure things like this don’t happen in the future?
I await your comments.

Filed Under: facebook, news, opinion, security, Uncategorized

Is Freedom Scientific finally losing their touch?

October 20, 2009 by stickbear

Hello, fellow blog readers.
It’s been a while since I posted something of major substance to the blind community here.
On this blog we have some very interesting posts to reference.
I’m going to post each of them below, exactly as posted, and I’ll follow each one of them up with my comments.
The first one is entitled

Critical security flaw in JAWS

and was posted on October 16, 2009.

Critical security flaw in JAWS
October 16, 2009 by Tyler Spivey
I have found a critical security flaw in the JAWS Screen reader that allows an attacker to gain full system-level access to
the machine. I have tested this on 32-bit Windows Vista
with JAWS 10.0.1154 and 32-bit Windows 7 with JAWS 11.0.611 Beta.
Instructions:
1. From the Windows logon screen with JAWS running, press insert+f2. Run JAWS Manager will appear.
2. Select Settings Packager, and press ok. Settings Packager will open.
3. From Settings Packager, go to File menu > Open, or press ctrl+o.
4. In the open dialog, type “%windir%\system32\*.exe” into the file name field (without the quotes) and press enter.
5. In the list of files, find cmd. Right click on it, or press the applications key and select Run as Administrator.
A system-level command prompt should open. To get out of it, type exit and press enter, then close the Settings Packager.

My comments on this one:
Note that this was during the last public beta build of JAWS 11, build 611. I was able to verify this issue with this build of JAWS on all machines I have access to. After build 729, the final public release (the DVD version of JAWS), came out on October 19, 2009, Tyler reported in his next post (see below) that it had been fixed. But as this next post will show, the problem still exists using a different set of verifiable instructions.
The next post entitled

JAWS security flaw, round 2

has this to say.

JAWS security flaw, round 2
October 19, 2009 by Tyler Spivey
In my First Post, I described a security vulnerability that allowed local users to gain system-level access to a machine. A quick test with JAWS 11.0.729, the release build of JAWS 11, reveals that it is fixed. Here is a slightly different set of instructions that will do the same thing.
1. From the login screen, press insert+j, and navigate to utilities/configuration manager.
2. When configuration manager opens, press control+o.
3. Press the Import button. The open dialog will appear.
4. On my Windows 7 test machine, I got an error box that can safely be dismissed. Once done, type %windir%\system32\*.exe into the open dialog.
5. Find cmd in the list, and press the applications key on it. Select Run as administrator if it appears. If not, keep following these steps.
6. From cmd’s context menu, pick Select. Answer no to the question asking you to overwrite settings files, if it comes up.
7. Press Import, and pick cmd from the list again. Activate the context menu, and select Run as administrator.
If done correctly, you should have an administrative command prompt.

I took that set of instructions and again tested them on as many systems as possible, and lo and behold, I received an administrative command prompt.
But the insanity doesn’t end there.
On the same day, this post

Gathering passwords with the JAWS builtin keylogger

hit his blog.
The text is below.

Gathering passwords with the JAWS builtin keylogger
October 19, 2009 by Tyler Spivey
JAWS so helpfully contains a built-in script that logs all keys pressed on the keyboard. This method has a better chance of working on XP than the others. You must have a user account on the machine to make this work.
1. Open Keyboard manager, and open the default file. Add a key to the “ToggleKeyboardLogging” script.
2. Once done, log out of the machine. Your profile will still be loaded. Press that key. The only thing JAWS will say is “enabled”. Log into the machine, then open keystrokes.log in your JAWS program directory. All keys pressed will be there, from the last time the script was enabled.

At the time of writing, due to my keyboard manager acting up, I have not been able to test this particular vulnerability relating to the keylogger.
At the time this went to press, Freedom Scientific LLC (http://www.freedomscientific.com) was closed.
But the following e-mail was dispatched to both the support and info addresses.
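As a defender’s follow-up to the keylogger post above, here is an added example (not part of this blog, Tyler’s posts, or Freedom Scientific’s software): a PowerShell check for the two artefacts the post names, a keystrokes.log file and a key bound to the ToggleKeyboardLogging script. The install roots searched and the “Key=ScriptName” line layout of JAWS .jkm keymap files are assumptions.

```powershell
# Added example, not from the original post or from Freedom Scientific: a defender's
# check for the two artefacts the post describes, a keystrokes.log file and a key
# bound to the ToggleKeyboardLogging script.  The install roots below and the
# "Key=ScriptName" line layout of JAWS .jkm keymap files are assumptions.
param(
    [string[]]$Roots = @(
        (Join-Path $env:ProgramFiles 'Freedom Scientific'),
        (Join-Path $env:ProgramData  'Freedom Scientific'),
        (Join-Path $env:APPDATA      'Freedom Scientific')
    )
)

$findings = New-Object System.Collections.Generic.List[object]

foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    # 1. Any keystrokes.log means logging was switched on at some point; report
    #    size and last write time so the window of exposure can be estimated.
    $logs = Get-ChildItem -LiteralPath $root -Recurse -File -Filter 'keystrokes.log' -ErrorAction SilentlyContinue
    foreach ($log in $logs) {
        $findings.Add([pscustomobject]@{
            Type   = 'KeystrokeLog'
            Path   = $log.FullName
            Detail = "size=$($log.Length) bytes, last write=$($log.LastWriteTime)"
        })
    }

    # 2. The post describes enabling the logger by assigning the script a key in
    #    a keymap, so any line binding ToggleKeyboardLogging is worth a look.
    $keymaps = Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.jkm' -ErrorAction SilentlyContinue
    foreach ($keymap in $keymaps) {
        $hits = Select-String -LiteralPath $keymap.FullName -Pattern '^\s*[^=;\[]+=\s*ToggleKeyboardLogging\s*$'
        foreach ($hit in $hits) {
            $findings.Add([pscustomobject]@{
                Type   = 'KeyloggerBinding'
                Path   = $keymap.FullName
                Detail = "line $($hit.LineNumber): $($hit.Line.Trim())"
            })
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No keystrokes.log and no ToggleKeyboardLogging binding found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt so per-user profile directories are readable; a hit of either type on a shared or logon-screen machine is worth treating as an incident rather than a curiosity.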

Subject: Freedom Scientific’s response to the security holes found in JAWS 11?
To whom this may concern,
I am writing this message in reference to three blog posts available at:
http://tspivey.wordpress.com/
and whose text and my comments were placed on my own blog at
http://stickbear.me/blog
To summarize these posts, it was discovered that not only can system-level access to the computer be gained using your software, but your program includes a hidden keylogger that isn’t even documented, that logs all keystrokes entered and can gain sensitive information from a user’s computer.
These keys are hence logged to keystrokes.log.
I would like to ask, what is Freedom Scientific’s stand on these issues, and is Freedom Scientific willing to comment publicly, for airing on ACBRadio’s Main Menu and in other public venues, regarding these security holes?
I thank you for your time.
Sincerely,
Shane Davidson

We shall see what comes of this.
Until then,
peace, y’all.

Filed Under: accessibility, articles, computers, e-mail, Freedom Scientific, general ranting, interesting blogs, internet, opinion, security, technology, Uncategorized

Copyright © 2021