Our 95% glowing review of the LifeShield products and services earned me a DMCA takedown notice from a “Digital Content Protection” company on behalf of LifeShield. You’re saying “OK, that sure sounds dumb, but what are the grounds for a takedown notice in the first place?” I had the same question.
The content of the notice was:

It has come to our attention that your website or website hosted by your company contains links to LifeShield, Inc website (www.lifeshield.com) which results in financial losses by the company we represent, because of search engine penalties.

I request you to remove from following website (pskl.us)
all links to www.lifeshield.com website as soon as possible.
In order to find the links please do the following:
1) If this is an online website directory, use directory’s search system to find “LifeShield” links.
2) If there are hidden links in the source code of website, open website’s main page and view its source code. Search for “lifeshield.com” in the source code and you will see hidden links.

I have a good faith belief that use of the material in the manner complained of is not authorized by LifeShield, Inc, its agents, or the law. Therefore, this letter is an official notification to effect removal of the detected infringement listed in this letter.

I further declare under penalty of perjury that I am authorized to act on behalf of copyright holder and that the information in this letter is accurate.

Please, inform me within 48 hours of the results of your actions. Otherwise we will be forced to contact your ISP.
LifeShield, Inc will be perusing legal action if the webmaster does not remove the referenced link within 48 hours.
LifeShield, Inc will be forced to include the hosting company in the suite for trademark infringement.

Makes perfect sense, right? Trademark infringement. Because of links. As part of a review.

As you would assume, I was furious. I forwarded the email to a sales manager at LifeShield and then called them and left a message. I got a call back later that night from the sales manager. She apologized and said I didn’t have to remove the links. I said I was pretty annoyed at being threatened with a BS takedown notice and a simple apology wasn’t going to cut it. I wanted to know that this isn’t how they do business.

I got an email from her later that night:

I didn’t want to call you because it is so late, but I wanted to go ahead and contact you about this. I did hear back from my manager via email and she said that they are contacting the gentleman who sent the email, and they will have this taken care of immediately. There will be no further action that you have to take and you will not receive any more emails like this. I apologize about this and if you have any questions please feel free to contact me.

I got another email from upper management:

I am the svp interactive for lifeshield.com.  Please ignore the dmca email you received.  We hired them to protect our trademark and your site was accidentally included in our list of sites.  I just sent them a note to take you off their list.  Please keep our links on your site.  We apologize for the inconvenience.

I was no longer really worried about the “inconvenience” so much as I was worried that I was supporting and endorsing a company with unethical business practices. I replied with this:

While I appreciate the apology, I have a bigger question: are you OK with how this guy is going about “protecting your trademark?”
Telling people you are going to sue them (and their ISP) if they don’t remove LINKS to your website is unethical at best and quite possibly fraudulent use of the DMCA. Did you read the email he sent me? Here are a few of my favorite parts:

It has come to our attention that your website or website hosted by your company contains links to LifeShield, Inc website (www.lifeshield.com) which results in financial losses by the company we represent, because of search engine penalties.

I’m sure this isn’t news to you, but this is 100% BS. You can’t claim losses via poor SEO and leverage a law suit against somebody else to fix it.

I have a good faith belief that use of the material in the manner complained of is not authorized by LifeShield, Inc, its agents, or the law. Therefore, this letter is an official notification to effect removal of the detected infringement listed in this letter.

Once again, I’m sure you know that permission is not needed to provide links to a publicly-available website. This guy identified himself as the head of “anti-piracy.” He is basically equating a link to intellectual property. This is fallacious on so many levels, I don’t even know where to begin.

Please, inform me within 48 hours of the results of your actions. Otherwise we will be forced to contact your ISP.
LifeShield, Inc will be perusing legal action if the webmaster does not remove the referenced link within 48 hours.
LifeShield, Inc will be forced to include the hosting company in the suite for trademark infringement.

Finally, the threat. Remove the links or we’ll sue you and your hosting company. For trademark infringement. You’ve got to be kidding me.

This is not how you protect a trademark, Evan, this is how you ruin it. Am I to understand that the people intended to be on your “list” (bad reviews?) are also getting letters like this? Have you heard of the Streisand Effect?
Now, if there are people out there legitimately infringing on your trademark, by all means, pursue them and shut them down… but do it with legitimate DMCA takedowns, not this thug-style intimidation BS. We all know how these work: people will do as you ask because it isn’t worth the trouble (or possible legal fees) to put up a fight, even though they know you have ZERO legal ground to stand on.

Please tell me you are straightening this out with the IP protection company (or cutting off your business relationship with them). I’m willing to accept the explanation that you hired this company thinking they were above-board and you didn’t know they’d be up to these shenanigans, but now you DO know. This isn’t how you want to handle your business on the Internet. I can tell you I don’t want to be involved with or endorse a business that does so.

Sums up my feelings well, I think. They were not impressed with my righteous indignation, however, and replied thusly:

I appreciate your feedback.  However, we had a site cloak lifeshield and generate over 700K back links to our site without our knowledge.  Google stepped in and slapped us with a search ranking penalty to which our business has suffered major losses.  Understood that the links on your site to LifeShield.com may be legitimate (and we rectified this) but we needed to be aggressive to rectify the situation and protect our business.  We are a legitimate home security brand with hundreds of employees and had to layoff great employees due to this and our business is still down significantly. Again, I apologize for the inconvenience; however, as a business owner yourself, you can imagine our loss.

So I said:

So you’re saying that somebody went out and bought 700K back links for you, knowing that it would get you penalized by Google? So does that mean you had (Company name) send out 700K DMCA notices? Talk about throwing good money after bad. Report the linkspam to the spam team at Google, then spend that money on an SEO expert rather than on trying to bully people with intimidation.

I understand that it sucks when people mess with your business, but it doesn’t excuse slimy tactics by you. If your house catches on fire, you don’t put it out with manure. How many other innocent people got your pit bull’s strong-arm, unethical (borderline fraudulent) DMCA takedown notice? Do you care? Or are you just scorching earth?

I want to be on your side, but you are making it difficult by standing behind a practice that represents all that is wrong with the internet. I really, really believe you should rethink this methodology.

No response. 2 days later, I got ANOTHER takedown notice, identical to the first one. I informed LifeShield:

I received another takedown notice this morning from the brilliant minds of (Name of company), identical to the last.

If you’d like to call him off, I’d like to be CC:’ed on the emails for my records, and I’d like to receive an email from him stating that he will not be taking legal action against me or my hosting service.

I got no response from LifeShield, but I got this from the genius at the IP protection company:

I have received a complaint from our customer LifeShield.com about you not satisfying our business practice.

While I have some objections I must accept that you are right and would like to apologize for any inconveniences caused.

As a  justification of our good intentions I’d like you to realize that we’ve been put on a very tight deadline and had to remove over 5 thousands links within 10-14 days and we had no ability to check the quality and the nature of those links. Our client hired an SEO expert requiring to remove links in the list before they go ahead and submit a reconsideration request with Google.

As a result we’ve got it done in that way. Again I do apologize and would like you to reconsider your opinion about us and our client.

Please let me know if you have any questions, I’d be happy to explain.

P.S. We are like the police dealing mostly with online criminals and sometimes we forget that there are a lot of good people around, honestly doing their online business.

Yes, everybody, have some sympathy for these heroes, these “internet police.” Brilliant. I like that he admitted that I’m right, though. My response:

My problem with your business practice is very simple:

A party creating large quantities of backlinks to a site in order to generate SEO (or, in this case, destroy SEO) is unethical.

It is not illegal.

Threatening legal action against this party (and making the spurious claim of “trademark infringement”) for doing so is even more unethical (since you are supposed to be the good guys) and short-sighted, in my opinion.

Any “SEO Expert” who recommends this course of action is just as misguided and, in my opinion, not very good at their job.

His response to this was very telling, I think:

I got your idea. All this “link removal” thing is quite new to us. It is our second order of this kind, but we have already processed more them 30k links. And what we find is that people not react when we kindly ask them to remove the links. We tried to contact huge amount of website and ask them to get rid of those links, but didn’t get any response at all. And on the opposite email which you got from us first time worked really good. I felt like this is not the right thing to do, but you know we had to finish our business. However, I apologize once again for any inconvenience we caused. And in case you will ever need any Intellectual Property protection service just shoot me an email. I’ll give you a discount for our services.

While all this was going on, I had one other little issue with LifeShield. They weren’t paying me for referrals I had earned. When I originally wrote my reviews of the LifeShield products and services (March, 2010), they had a referral system in place. If I got 5 referrals, I’d get free security system monitoring for life. They provided a link to give to possible customers. I used it all over my reviews. I personally knew 3 parties that had purchased systems via my referral link, but I figured there were more that I didn’t know about (based on the amount of traffic my post was getting and the comments/questions I received). I called them up one day and asked what the status was of my referrals to see if I had earned my free monitoring yet.

They said I had zero referrals. Zero. I asked to speak to a manager immediately, and the manager basically told me that the referral system wasn’t working. Thanks so much for telling us, folks. I told them I was pretty upset about that and I felt confident that I had provided them with 5 customers and I’d like my free monitoring. She spoke with management and got back to me quickly to tell me that they agreed. They gave me the free monitoring for life. Great, right? At that point, the referral system became useless to me so I removed the links and just left the review stand. I updated it from time to time and answered any questions people posted as comments or emailed to me. I was grateful for a product I really like and for the free monitoring.

Fast forward to late 2011: they launched a new referral system that offered $150 per referral for new customers! Great deal, especially since the referred party also would get a free network camera. After verifying that I could take part (since I had used the previous referral program), I signed up immediately and added the new referral links and info to my reviews. I also updated the review to reflect some of the changes they had made to their service (such as requiring a contract). They would email me when people used my referral link so that I could send a personalized link to the new customer to help make sure the referral was recorded properly. I didn’t understand why this was necessary, but I did it anyway. Every time.

I noticed that the referral tracking system was (once again) showing that I had not earned any referrals. I had email and phone conversations with sales reps and sales managers over and over, checking to make sure that I was, in fact, getting credit for my referrals. They assured me that I was. “The system only updates once a month,” they told me. A month later, still nothing. “I’ll make sure they get put in immediately,” they’d tell me. Still nothing. Around this time is when the first DMCA takedown notice shows up. Nice timing, eh?

At this point, I had $1350 worth of referrals that I could document (and that LifeShield had confirmed…who knows if there were more, perhaps?). I was told at one point:

I just heard back and was told that all the credits should be processed by the end of the day today. If there is any change in that I will let you know.

And that was the very last email I ever received from LifeShield. As you would probably assume, I never received my referral payout. Combine this with the shady DMCA takedowns and you have a very unhappy blogger. The sad part is that I still love the products and service. That’s the only reason I left the reviews up. I emailed LifeShield to let them know I was removing all my referral links (and why) and that I’d be eventually writing a blog post (like this one) explaining the whole ordeal. I’d like to let customers read my review and also read this description of their business practices and then make up their own minds as to whether or not they’d like to do business with LifeShield. If you think I’m being a whiny turd about all this and the product sounds great: go ahead and buy it. If you think the product sounds great but you don’t like the way they work: move on to the competition. Regardless, let me know what you think in the comments below.

Oh, one last thing. The “SVP Interactive” of LifeShield inexplicably cc’ed me on a recent email to the IP protection company with a new list of sites to harrass over “trademark infringement.” That doggone “reply to all” button will get you every time, eh? Seriously, learn how to internet.

That seems fine, however, one “snag”…   I use a dual boot Backtrack 5 and Windows 7 machines DAILY at work.  So, being the guy who lives by the rule “Don’t give an order that you’re not willing to follow yourself” kind of guy, I had to figure out how to encrypt my windows side and still boot Backtrack 5.

I got it to work.  I was painful.

take a second to re-read that.  yes, it works, and yes, it caused me pain to make it work.

So, here are the steps I used to make this work:

Step 1: Wipe the drive.  (you should have backed it up if you needed to save something…  I shouldn’t have to tell you that.)

Step 2: Create a partition for the Win7 to be housed.  Make it the first partition.  Leave unallocated space for BackTrack.  (I left 30 gigs for backtrack…  you probably want more, I have a lot of scripts that always put captured data on something external that I mount and encrypt with Truecrypt…)

Step 3: Install Windows7 (or dump your standard image) to that partition.  Mine created a 100MB boot thing before the windows 7 partition, let it do whatever it wants to do, except use that unallocated space you already saved for Backtrack.

Step 4: Boot Windows 7 and test.   Make sure Windows 7 works first! (Well, functions as well as one could expect for Windows)

Step 5: In Windows, run this command from a command prompt: “%windir%\System32\BdeHdCfg.exe” -target default  (this command preps the drive for Bitlocker.)

Step 6: Encrypt the drive via Bitlocker with your pin.  (record the recovery key.  this is the single more important long string of numbers you’ll ever deal with in Windows. Preserve it, protect it.  This key is your life, young padawan…)

Step 7: When it’s done, Boot Windows 7 and test.   Make sure Windows 7 still works!  (Well, functions as well as one could expect for Windows)

Step 8: Pause Bitlocker.   I turned it off.  (this seems to make no sense, but I had a problem testing this that if I tried to encrypt the drive after installing Linux, forget it, it died.)

Step 9: Boot Backtrack 5 DVD/USB key.

Step 10: Install backtrack 5 to that new unallocated partition.   I configured /dev/sda3 as my /boot partition and /dev/sda5 as my root and /dev/sda6 as my swap.  /dev/sda1 was the windows 7 boot partition and /dev/sda2 was my windows 7 system partition)

Step 11: make sure when you install grub, you install it to /dev/sda3.   DO NOT PUT IT IN THE MBR or /dev/sda or /dev/sda1.  If you do, you just screwed yourself.

Step 12: This will only boot to Windows 7 still.   Grab BCDEDIT for windows, and add a boot option to boot linux on /dev/sda3.

Step 13:  Boot Windows 7 and test.   Make sure Windows 7 still works! (Well, functions as well as one could expect for Windows)

Step 14: Boot Backtrack 5 from the windows boot menu.  it should shell to grub, boot it.  Make sure Backtrack 5 works.

Step 15: Boot Windows 7 and turn Bitlocker back on.   (record the recovery key.  this is the single more important long string of numbers you’ll ever deal with in Windows. Preserve it, protect it.  This key is your life, young padawan…)

Step 16: It should present you the windows 7 boot menu, where option 1 is Windows 7 and option 2 is Backtrack Linux then it should now prompt you for your Bitlocker pin.

I can’t stress two things: #1) this took me weeks of wiping the drive to figure this out.  Don’t be shocked if you have to tweek the steps for your specific situation.  #2) that recovery key is the most important thing in this process…

a few notes: (things that make you go Hmmmm…)
1) It asks you to pick which OS first, then prompts you to enter your Bitlocker pin…   You can’t boot linux unless you unlock bitlocker first.  Not sure why, but I’ll call it an “added feature!”  Remember, the linux side is NOT ENCRYPTED!   That means don’t be an *idiot* what you store there, assume it’s accessible if someone takes your laptop.
2) After you update-grub, plan on having your recovery password around for Bitlocker…  it always keeps asking me for it after I update grub, even though it’s installed to the /boot partition. (/dev/sda3 in my case)  Don’t leave your recovery key in your laptop bag, because that defeats the purpose of encrypting it, duh. I can’t stress that enough. The whole “point” is to protect the windows side in case anyone takes your laptop from getting any useful info off it….  Don’t forget the goal while you’re having so much fun messing with this nightmare.

–Bill (General Major Webelo Captain Zapp Brannigan)

If you have a rooted Android phone, maybe you’ve messed around with replacing your boot animation (there are ways to do it without root, but you’re rooted anyway, right?).

I was bored a few months ago and I made a boot animation for my Droid Incredible that is based on the opening credits of the fantastic show The IT Crowd (look it up on Netflix if you haven’t seen it. You can thank me later). Now I’ve updated the animation for the 720p screen on my new Galaxy Nexus.

I made a crappy video demonstrating the boot animation here: http://bit.ly/ITCBoot

If you’d like to download them, they are here:

Galaxy Nexus (1280×720 version)

Droid Incredible (800×480 version)

Basic readme instructions are included in the zip file.

Install at your own risk!

My animation got a nice mention here on Androinica: http://androinica.com/2012/01/galaxy-nexus-it-crowd-boot-animation/

Question came up, “how do you do a bare metal restore from that backup?” which tags along with the question “how do you do a bare metal copy from old server to brand new server?”

If the hardware isn’t too odd (usually hardware RAID controllers you have drivers in your initrd is the limiting factor here, but you can work around that too with some Linux foo skillz…), or it’s a bare metal restore to same hardware, yes, you can use RSYNC.

for my examples: “sourceserver” is the other running server that you want to bare metal copy to the destination.
“target” is the destination server.
First: boot the destination server with a rescue disk.   I use RHEL rescue CD.
Create your partitions to taste, and reboot again with the RHEL rescue CD.

Second: Mount partitions in the order you want them.  example: (I just picked an example partition table, seriously, match what you really need…)
mount /dev/sda2 /mnt/sysimage
mkdir /mnt/sysimage/boot
mount /dev/sda1 /mnt/sysimage/boot
mkdir /mnt/sysimage/home
mount /dev/sda5 /mnt/sysimage/home
mkdir /mnt/sysimage/var
mount /dev/sda6 /mnt/sysimage/var

this mounts all of the “target” under /mnt/sysimage on the rescue cd.
Third: I have this script I run:  (which you can make on the rescue disk, once again, a little bit of foo goes a long way…)

#!/bin/sh
rsync –verbose  –stats –owner –group –devices \
–recursive –times –perms –links \
–rsh=/usr/bin/ssh \
–delete \
–include=/opt/nfs \
–exclude=/proc \
–exclude=/sys \
root@”sourceserver”:/ /mnt/sysimage
#

enter your SSH password  (yes, you should allow root logon through SSH for this one, if you don’t know how to enable that, look it up on google, it’s braindead easy…)

Fourth: reset the permissions on the “/” share and make sure they are right:
chmod 755 /
Fifth: Finally, fix grub.  (this example is from my VMware ESX servers…)

From the linux rescue:

Issue the grub command:
grub

then type in these commands:  (depending on your hard drive layout and 0 = zero for those easily confused…)
device (hd0) /dev/sdm  (this server was /dev/sdm instead of something normal like /dev/sda…   salt to taste, or add butter like Paula Dean…)
root (hd0,0)
setup (hd0)
quit

then reboot and test, test again, enjoy!

Unfortunately, after less than a year of use, it simply stopped working.  Somewhat ironically, the way you find out that your helmet has stopped working is by getting a flash burn in your eyes when you weld using a broken helmet.

One of the guys in my welding class mentioned that there are batteries in the helmet which can go bad over time.  Batteries in a solar-powered helmet?  Clearly this guy was nuts — but I thought I’d check it out anyway.

Turns out, he wasn’t crazy.  There are two CR2330 coin cells soldered directly to the main circuit board inside of the unit:

Checking the batteries with my voltmeter, I quickly discovered that one of them was completely dead.  The other battery was still putting out a solid 3VDC.

Since soldering in batteries every time they go dead is not exactly a user-friendly solution, I decided to replace them with AAA’s.  Here’s the procedure.

1)  Remove the darkness adjustment knob by gently prying it off with a screwdriver.  Un-screw the plastic nut which holds the unit in place.

2)  Remove the clear plastic shield from the front of the helmet, and then gently remove the electronics assembly by unhooking the retaining spring.

3)  Use a utility knife to pop open one corner of the enclosure.  Work your way around the circumference with a screwdriver, breaking apart the plastic weld, until the cover can be removed.

4) Mark the locations of the (+) and (-) of each coin cell.  Using your desoldering braid, remove the coin cells.

5)  Go to Radio Shack and buy two AAA battery holders.  I used these:

6)  Solder one AAA holder in place of each of the coin cells that you removed.  Be sure to observe polarity.

7)  Using the shaft of your soldering iron, melt a hole in the side of the enclosure so that the wires from the battery holders can exit.  You’ll also want to melt a corresponding hole in the cover.

8)  Mix up some 2-part epoxy, and epoxy the wires to the enclosure.  This step probably is not necessary, but I don’t want to burn my eyeballs again.

9) Wait for the epoxy to dry.  Take this opportunity to clean all the viewing windows with Windex and a lint-free cloth, then  reassemble the unit.  There are four friction pins which seem to hold everything together just fine.

10)   Re-install the electronics housing into the helmet.  Re-attach the darkness adjustment dial.

11)  Glue the two AAA holders to the inside of the helmet.  I initially used the same epoxy that I used to hold the wires in place, but it didn’t bond to either the plastic of the helmet or the plastic in the battery holders.  I ended up using my hot glue gun, which worked very well.

12)   Install four AAA batteries, and then test your helmet.  I found – quite by accident – that the helmet will darken when you look at a halogen light bulb.

13)  Go weld stuff.

Good luck with your repair!

~Eric

Here’s a conversation I had with an AIM bot which called itself “Jenny”…  (note:  I added the .noclick suffix to the URL)

(1:11:17 PM) incandescence20:
(1:12:49 PM) x2716057: this seems legitimate.
(1:13:06 PM) incandescence20: hello whats up? 21/f you
(1:13:35 PM) x2716057: my name is Alan Turing
(1:13:58 PM) incandescence20: Jenny
(1:14:17 PM) x2716057: Jenny.py I bet
(1:14:37 PM) incandescence20: o i’m sorry i can be forgetful at times..
(1:15:01 PM) x2716057: The thing about Arsenal is, they always try to walk it in.
(1:15:30 PM) incandescence20: so whats up
(1:15:39 PM) x2716057: My hovercraft is full of eels.
(1:16:08 PM) incandescence20: not much just got done reading a book.. it got me feeling naughty..
(1:17:00 PM) x2716057: I bet that you have a webcam you want me to check out.
(1:17:22 PM) incandescence20: are you in the mood 4 some fun?
(1:18:13 PM) x2716057: Are we going to balance my checkbook?
(1:18:37 PM) incandescence20: weII i have a webcam do you wanna play?
(2:13:15 PM) x2716057: Shocking!
(2:13:38 PM) incandescence20: i would love to let you watch me play with my pussy for u do you want to see?
(2:14:24 PM) x2716057: What kind of cat do you have?
(2:14:42 PM) incandescence20: ok click http://secretchatroulette.noclick.com/acceptinvite?=1796 & fill out your info don’t worry it’s FREEE!!!
(2:15:28 PM) x2716057: All that trouble to write an AIM bot and your URL doesn’t even work. Sheesh.
(2:15:48 PM) incandescence20: if i was a bot ..why would i be wearing this hat?? lolz
(2:16:34 PM) x2716057: you must be regex’ing on the word bot
(2:16:59 PM) x2716057: if ( $string=~/bot/i ) { print “I am not a bot”}

Jenny stopped talking to me after the last IM.  I guess she doesn’t like Perl.

First thing, startx didn’t load from the DVD until I removed some cache files…
rm /root/.kde/cache-root/icon-cache.kcache
rm /root/.kde/cache-root/plasma_theme_Volatile.kcache
rm /root/.kde/cache-bt/icon-cache.kcache
rm /root/.kde/cache-bt/plasma_theme_Volatile.kcache

So finally startx loaded and I was able to use the graphical installer to install it to my hard drive on my laptop.

When I rebooted, I did startx, and got a kernel panic (blinking caps lock light).   So I’m like, “M’kay, x64 kde is borked…” so I grabbed x64 gnome, repeat process, same things, x32 gnome, repeat process, same thing.  ok, it’s NOT borked, I’m just not doing it right.

so I searched and searched, found nothing immediately useful.  (I could bore the heck out of anyone with some of the searches I did to get at this one…)

Finally, I found this kernel parameter: i915.modeset=1

they should rename that to “setbrokentofixed=1″

So, put that at the end of your GRUB_CMDLINE_LINUX_DEFAULT in your /etc/default/grub and update-grub!

Boom, I appended that and now startx works and I can enjoy the BT5 goodness…   Now I just gotta configure my metasploit account on there and put my pskl directory back with all out awesome scripts.

Enjoy BackTrack 5!

Update (June 15th 2011): Talking with a few others, including the great comments here, you might need this like in your /etc/default/grub
Alternative line from Daveonator:
GRUB_CMDLINE_LINUX_DEFAULT=”text splash vga=791 i915.modeset=1″
then update-grub.

Try it, and let us know.

In case you haven’t seen it described on 50,000 websites at this point, here’s the deal with the new “feature:”

Click on “Account” at the upper right of your facebook page and choose “Account Settings” … you’ll get something like this:

Click on “Account Security” and you’ll be able to check the new https box, illustrated here:

note that it says “whenever possible” … this implies that there are some parts of the facebook site that are NOT capable of being served up via https. I have no idea why this is still the case, but it clearly is. The wording would also imply that once you check this box, you will get a https connection “whenever possible” and a http connection when https is not possible. What it DOESN’T say is that the first time you view a non-https page, the box will simply uncheck itself and next time you go to a https-capable page, it’ll be back in vanilla http mode.

So what are these non-https-capable pages? I can’t speak for all of them, but I’d be willing to bet that most of them are “facebook applications.” The only facebook app I use is Scrabble. After checking the https box, I tried to go to Scrabble and I got this page first:

Excellent, right? It is warning me that I’m leaving the safe-and-cozy https-zone. What this warning SHOULD say is “if you hit ‘continue,’ you are permanently turning off the https option.”

Yes, that’s right, once I’m done playing my turn in the http-only-danger-zone of the Scrabble application, I go back to facebook home and I’m back to http.

I went back to check my account settings and I see this:

Well, that’s just fantastic. What’s the point of saying “whenever possible” when it means “until impossible?” This has to be a mistake, and I hope they fix it… then we can all tell our moms to go and re-check the box as it has probably been turned off when they went to play farmville or whatever the hell other pages are non-https.

Update:
This was discussed on Tech News Today (first 5 minutes)

Subject: Hardware
Inquiry: Toughbook CF-C1 tablets… I have 7 of them so far.
I got them without WWAN cards but now I would like to add them. I see the mini PCIe slot and the antenna wires seem all ready to go, but when I put in a Sierra Wireless MC5725 (Verizon) card, it is as if it isn’t there. The system doesn’t see it at all. The option in the bios to enable or disable a WWAN card seems to be missing completely. These Sierra cards work fine in my Dells and my Lenovos.
Is it possible to get this to work? Is there a hardware switch somewhere that I need to turn on to enable the mini-PCIe slot?

It only took about 8 hours to get a response I should have expected:

Thank you for your continued support of Panasonic Toughbook computers.

The CF-C1 does not have a Sierra Wireless MC5725 (Verizon) card it has a Qualcomm / Gobi module.

Yes, yes… that is what I was confused about: which card the system ships with. Thanks so much for taking the time to skim my question with the attention of a coke-sniffing gnat.

If anybody out there knows the definitive answer to my question, I’d love to hear it, but really just for the sake of curiosity. I’ve decided to just have the users get MiFi units instead of messing with built-in Verizon cards from now on.

For what it’s worth, these Toughbooks are really really nice. They are REALLY expensive, but really nice, too. They are shockingly light…the first time people pick them up they think it is an empty shell and not a real computer. They are very fast, too, and the semi-ruggedness is very handy for us because our users aren’t the most gentle people with their hardware. Battery life is excellent, especially if you get the optional second battery (get it).

Thanks, Panasonic tech support!

http://www.cisco.com/en/US/docs/interfaces_modules/transceiver_modules/compatibility/matrix/OL_8031.html

Unfortunately, but not surprisingly, the feature isn’t built into any of the common SFPs that most network engineers use on a day to day basis, such as the GLC-LX or GLC-SX units.  Cisco thinks that DOM functionality is worth an extra $300 a pop, putting the cost of a DOM-enabled single mode SFP close to $800.

I have found, however, that some third-party SFPs include the DOM functionality.  I’ve been using the single-fiber SFPs from Champion One for many years.  They work great, only use a single fiber (instead of a pair) and give you DOM functionality for free.

Here’s how to get started with DOM:

1)  Enable support for non-Cisco SFPs:

PSKL_6509(config)#service unsupported-transceiver

2)  Enable DOM Monitoring :

PSKL_6509(config)#transceiver type all

3)  Install some DOM-compatible transceivers.

4)  Take some light measurements!  In this example, I’m using a 1000SFP31B20L Single Fiber SFP in slot 2/9/22:

PSKL_6509#sh interfaces gigabitEthernet 2/9/22 transceiver 

ITU Channel not available (Wavelength not available),
Transceiver is internally calibrated.
If device is externally calibrated, only calibrated values are printed.
++ : high alarm, +  : high warning, -  : low warning, -- : low alarm.
NA or N/A: not applicable, Tx: transmit, Rx: receive.
mA: milliamperes, dBm: decibels (milliwatts).

                                  Optical   Optical
            Temperature  Voltage  Current   Tx Power  Rx Power
Port        (Celsius)    (Volts)  (mA)      (dBm)     (dBm)
----------  -----------  -------  --------  --------  --------
Gi2/9/22      44.1       3.26      22.2      -2.5      -5.1

This feature is incredibly handy when troubleshooting fiber issues.  A low value in the Rx Power column indicates that you have a bad fiber, or more commonly, a dirty jumper somewhere.    You can even use MRTG or Cacti to log and graph your optical health over time.

~Eric

I may stand alone, but I’d rather be groped than blown up in an airplane with a murderer who had not been groped.

This is clearly an oversimplification of the argument (it isn’t an “A or B” situation…a lot of people on twitter were shouting “False Dichotomy!!”) and is beneath Jeff, in my opinion. For those who don’t know Jeff, you can find info about him here http://www.buzzmachine.com/about-me/

Generally speaking, I’m a big fan of his work and of his opinions. Just about every time I hear him speak or read his blog, I feel like he “gets it.” Not so much today, though. Jeff kept spouting fallacious arguments in favor of the TSA’s policies and many people responded unfavorably to what he was saying (Jeff has about 55,000 followers, FYI). I think he’d agree that most of his twitter feedback was negative. I jumped in and sent a few replies but I was frustrated, as usual, by the 140 character limit. Jeff replied to a few of my tweets in a very civil manner, as one would expect, except for the fact that he called me a drama queen. Oh, and he joked that people who are against the TSA procedures must have small penises. Once again, this is beneath you, Jeff.

I won’t recap the entire conversation here (you can see it on twitter if you want to), but Jeff agreed to read my argument if I were to post it in blog form… so here we are. I’ll try to keep this as brief as possible, Jeff, I know you’re a busy guy.

“Enhanced” Security Screenings Are Merely Security Theater And Will Not Keep Us Safe

To many people, this is not news. Many years ago (pre-9/11), George Carlin put it brilliantly when he spoke of the illusion of safety. More recently, Bruce Schneier coined the term “Security Theater.” I don’t know why I’m even writing this post since so many others have already made the point so much better than I ever could, such as Noah Shachtman in this piece from the WSJ….but I’ll do it anyway because I have some bits I’d like to add.

Fallacy #1: If we had these measures 10 years ago, it would have prevented 9/11

My opinion:

The only thing preventing 9/11 from happening again is 9/11 itself. Today’s terrorists know they can’t pull off another 9/11-style hijack-then-crash-into-specific-targets attack again because the passengers won’t stand for it. On September 10th, 2001, we were all told that we should comply and be quiet if we are on a hijacked plane. The September 11th attacks depended upon that and, for the most part, it worked. Evidence has shown that this is no longer the case. Passengers that get goofy on a flight get a first-class ass kicking courtesy of their fellow passengers.

So if we had today’s security and September 10th’s mindset, could they have pulled it off? Of course they could have. They possibly wouldn’t have their boxcutters but there are plenty of other ways to intimidate Sept 10th-mindset passengers with equipment you can still get on a plane. Don’t make me list specifics, I don’t want to get a visit from the FBI. Use your imagination… that’s what the terrorists do. Even using something as simple (and previously thought of as harmless) as boxcutters was fairly inventive on their part. They made use of something they were pretty sure they could get through security. When all you have to do is sit around, day after day, thinking of ways to beat a system, you will find a way. As long as the TSA procedures are made public and the limitations are detailed, which has to be the case, the enemy will think of a method to abuse those limitations. Remember, we cannot project our perception of what is acceptable behavior onto them: they will use children or other extreme measures that will make us sick to our very cores if it will help them accomplish their goals.

Fallacy #2: Today’s security would have caught the underwear bomber.

My opinion:

This one comes straight from one of Jeff’s tweets. While this is essentially true, it misses the point entirely. We started taking our shoes off because of the “shoe bomber” and now we get groped because of the “underwear bomber.” Do you see the pattern? There was never another shoe bomber, there will probably never be another underwear bomber (I’d also like to point out that neither of these dingbats boarded a plane in the US…they both went through European security). Both of them sat around their (no doubt) smelly apartments for weeks formulating a plan based on the limitations of the security through which they would have to pass. I really really hate to say it, but there are probably more dingbats sitting in smelly apartments thinking about the same stuff right now.

We keep reacting to previous threats and the bad guys keep evolving. That is the very crux of security theater: make it look like we’re “doing something about the problem.” Would there have been another underwear bomber if we hadn’t started the new procedures? Possibly, but he probably would have been just as successful as the first one. My understanding of the underwear bomber is that he was a nervous mess. He would have been denied access to a plane in Israel simply from one of their well-trained security people talking to him. They probably would have snagged the shoe bomber, too.

Fallacy #3: The logical conclusion is that we’ll all end up flying naked. THEN we’ll be safe for sure.

My opinion:

This may not come as a surprise, but the goal of a terrorist attack is not “blow up planes” or “hijack planes” … it is to kill or injure a very large group of people. Airlines were, for a long time, an ideal target for this kind of action. Some planes carry over 200 people and none of them can get away from the bad guys. Security was really lousy up until the hijack-happy 80′s when people suddenly became afraid to fly. Security was beefed up and hijackings went way down (especially on flights coming out of the US). As a result of this heightened security, pulling off the September 11th attacks took a great deal of planning, organization, and luck.

After September 11th, airlines in the US ceased to be a viable target for serious terrorists. I say “serious” terrorists because the terrorists who have tried to walk through security since then are crackpots and utter failures. The combination of heightened security efforts (pre-gropefest) and passengers who will not be cowed into compliance makes the chances of success drop lower and lower. I’m not saying that there will never be another airplane-based terror attack, I’m just saying the chances are extremely slim at this point. The bombs-disguised-as-toner recently showed that airplanes can still work for terrorists on SOME level but it also shows that they are not willing to try their luck with security checkpoints any more.

If you look at it from the viewpoint of a terrorist who hates America (I know it makes you feel dirty, but you have to understand the enemy if you ever wish to defeat them), I’ll bet you can think of a LOT better targets than airplanes for accomplishing your goals. Once again, I’m not going to name specifics, but I’ve only thought about this for a few minutes and I can think of a few horrific ideas. Now imagine that you are a terrorist and this is ALL you think about.

I’m not saying all this so that you live your life in fear. We simply can’t allow that to happen. The truth is you have a much better chance of being struck by lightning than being injured in a terrorist attack. This doesn’t mean we should not be diligent, but there are limits to what is APPROPRIATE diligence. I feel strongly that the new TSA procedures cross that line. There are better ways to accomplish the overall goal and it is the job of the TSA to find these methods. Replace security theater with actual security.

I don’t know who said it first this morning, but somebody on twitter brought up the following Ben Franklin quote:

Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety

Couldn’t be more apt.

Some other reading you might be interested in:

Bruce Schneier talking specifically about new TSA procedures
Bruce Schneier – Beyond Security
Jason Alexander’s take on the situation
TSA confiscates heavily-armed soldiers’ nail-clippers
Former FBI Agent shares his feelings about the TSA

How Windows Boxes Become Infected from Layer Two on Vimeo.

I picked up a Alfa USB Wireless Adapter about a month or so ago, and it’s a definitely a good card for Backtrak 4.

For some reason, I’m one of the few that had to switch the realtek driver for it, and boom, every wireless utility a tried in BT4 worked great.  (I’m using BT4 RC1, on a Lenovo x201.)

So to get the good love, follow my simple steps in BT4:
vi /etc/modprobe.d/blacklist

find “blacklist r8187″ (if you don’t know how to use vi or vim, I weep for you.)
comment that out with the hash / pound / number / whateveryoucallitinyourworld “#”, and add this line:
blacklist rtl8187

save it and reboot. (too used to dealing winblows.. probably could remove it and rmmod the rtl8187)
it should be using the r8187 kernel module instead of the rtl8187.

Boom, kismet should work and all the other good stuff should work in BT4 with this good card.

A side item: if you’ve never used wepbuster to show someone how bad wep is, *do it*.
Eric and I wrote some scripts for DEFCON a few years ago to automatically crack WEP with the parts that were around then. This does something just like it, but seems to run through all the different vectors you could use. Basically, start it, and let it go… very handy!

Full disclosure: LifeShield sent me this camera for review, I did not purchase it.

As you all know from my InGrid/LifeShield security system review, I’m a big fan. I’ve been using the system for a few months now and I’m still very happy with my purchase. I’ve added on a few peripherals of sorts, such as a water detector, which will let me know if my second-floor laundry room is flooding. I had considered buying a network camera to attach to the system, but I just hadn’t gotten around to it yet.

Lucky for me, the folks from LifeShield contacted me and said that they liked my review. “Would you like to do a review of one of our new wireless cameras?” they asked. Not a difficult question to answer, so the camera showed up a few days later.

The Hardware:

The camera sells for $129.99 on LifeShield.com

Package includes the camera, the base/mount, AC power adapter and an ethernet cable.

The camera itself has 640×480 resolution.

This appears to be some sort of stock hardware made by a 3rd party as it looks exactly like the wireless camera you can get with the Schlage LiNK system.

Setup:

Adding the camera to the security system is very simple. Before you can use it wirelessly, you need to power on the camera and plug it into your wired network. The two lights on the front indicate power and network activity, so you can tell pretty quick if it is up and running. Once it is booted up, you simply navigate to Cameras >> Add Camera on the LifeShield handset or base unit. It will scan for a few seconds, find the camera, then allow you to “name” it.

Now that the camera is attached, you need to log on to My LifeShield and you’ll notice that now there is 1 camera listed under the Cameras tab. Click on Camera Settings and you’ll see the options that are available to you. The first thing you’ll probably want to do is adjust the wireless settings so that the camera can connect to your wireless network. It had no problem connecting to my home WPA2-encrypted wireless network.

On the settings page, you can also tell it to flip the image horizontally, vertically, or both, which will open up your camera mounting options. You can also tell it to turn the front LEDs off if you want a stealthier mount. Image quality settings are also available, such as brightness and contrast.

Now that you have the wireless settings nailed down, you can move the camera away from the wired connection and test it out. Make sure that the camera successfully connects to your wireless network by going back to the web UI and telling it to take a test shot. If it all works out honky-dory, feel free to move the camera to where you intend to permanently mount it. Once you plug it in, it should connect to your wifi and you can take another test shot to confirm that it is working.

General Use:

Now that the camera is set up to view your front door or your kid’s room or the garage, what can you do with it?

There are 2 levels of service for the camera with LifeShield. The basic service is free with the monitoring package you are already paying for, and this is the service I have. I’ll explain what you can do with this service in a moment. The 2nd level of service is $6/month, and it allows you to add special triggers and to view live video and images from the camera remotely. I have not tested this service, but I’ll report here if I decide to activate it.

I have reviewed the basic service, however, and here’s what it can do for you:

• When your alarm is triggered, have the camera take a pic or record video
• Using the new mobile app or the mobile My LifeShield page, you can tell it to take a pic at any time and then view it.

This obviously makes the camera a lot less useful, but if this is all you really want it to do, it is great that it won’t cost you any extra money per month.

I kind of glossed over it quickly, but you may have noticed my mention of the new mobile app from LifeShield. This was just released recently and if you have an Android phone, an iPhone, or a fairly new BlackBerry, you’ll want to install this app. It is a MUCH better experience than the mobile My LifeShield web page. I’ll be writing a review of the app as soon as I can.

Performance:

As I mentioned before, the camera only produces a 640×480 image, so you won’t be getting a lot of detail here. It is enough to get some idea of what is going on, though. I’d rate the quality as similar to a low-end USB webcam (like an old Logitech QuickCam). Actually, I’m sure the sensor in the camera is the same as is used in webcams. As is the case with webcams, performance is good as long as there is decent light. If you don’t have the camera pointing towards a well-lit area, the image quality will degrade and get extremely noisy very quickly.

…which brings me to my problem with the unit: it doesn’t have IR illuminating LEDs. If you don’t know what I’m talking about, check out this TRENDnet IP Camera. It has a bunch of IR LEDs around the lens that will (invisibly to the naked eye) light up the area in front of the camera. “Night vision,” for lack of a better phrase. Our eyes can’t see IR light but digital camera sensors pick it up just fine. A camera that turns on these LEDs once the lights go out allow you to see what is going on in a pitch-black room. It would look something like this (sample shot from a camera that does have IR illum):

So I ask: what is the point of the camera taking a picture at the time an alarm goes off if there is no IR illumination? Do you expect your thieves to come in during the day, or to turn on all the lights? Chances are good that you’d get a picture of blackness.

That’s a bit disappointing, but probably not a deal breaker. Chances are good that you’re more interested in using this camera for much more casual photos than for catching a crook. If you had this camera mounted in your front hall so you could see people coming in the front door (probably not in pitch-black), you’ll be just fine.

Conclusion:

If you are looking for an easy-to-implement home surveillance camera and you don’t want to spend a ton of money, this camera will work just fine. Some people would say “why not just buy an IP camera that is higher resolution and has more options?” Well, if you are asking that question, this camera might not be for you. IP cameras are fine for those of us who know how to set them up and allow access to them from outside our router/firewall, etc, but I don’t think that’s the target audience for this camera. This camera’s biggest selling point, I think, is the ease of setup and use. Unlike a lot of IP cams I’ve used in the past, I haven’t yet had to reboot this camera. It just works, and that’s the most important part.

UPDATE 12-08-2011: I’ve been using this camera a lot more since I realized that it has a web UI. What does this mean? It means I can view live video from the camera from my phone or tablet via a VPN connection and this app IP Cam Viewer. This requires some networking know-how on your part, but it sure beats paying an extra monthly fee to be able to view live video from the camera.

Do you own this camera, and has your experience been different from mine? Please let me know in the comments.

]]> http://www.pskl.us/wp/?feed=rss2&p=474 8 http://www.pskl.us/wp/?p=485 http://www.pskl.us/wp/?p=485#comments Tue, 05 Oct 2010 18:23:43 +0000 Eric http://www.pskl.us/wp/?p=485 Following up on our story from last week, we looked more closely at applications which used SSL to encrypt communications between iPhones and remote servers in order to determine if they were transmitting iPhones’ unique identifiers.

We performed SSL MITM attacks against several of these applications to obtain the messages in the clear.

While this study is not yet complete, so far the findings show that many of these applications are using SSL to transmit UDIDs to a remote host.  For example, the “Mirror Free” application (http://itunes.apple.com/us/app/id379516970?mt=8) which emulates a mirror using the iPhone’s front-facing camera was decrypted and shown to be transmitting UDIDs to a remote host.  Here is the plaintext of a portion of the SSL conversation;  the UDID of the test phone is the string beginning with “b3d1bad” and ending with “d46b”.

00 01 00 05 65 6e 5f 55 53 00 00 00 0b 34 2e 30       en_US    4.0
2e 31 2e 38 41 33 30 36 00 00 00 01 00 00 00 98   .1.8A306
0a 28 62 33 64 31 00 00 00 00 00 00 00 00 00 00    (b3d1badxxxxxxx
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   xxxxxxxxxxxxxxxx
00 00 00 00 00 00 64 34 36 62 12 13 63 6f 6d 2e   xxxxxxd46b  com.
61 70 70 63 75 62 62 79 2e 6d 69 72 72 6f 72 1d   appcubby.mirror
00 00 00 00 32 09 69 50 68 6f 6e 65 33 2c 31 3a       2 iPhone3,1:
03 34 31 30 42 03 33 31 30 48 04 52 14 5d c8 f9    410B 310H R ]
23 42 65 ac e5 96 c2 6d 00 00 80 c0 7d 00 40 97   #Be    m    } @
47 58 c0 02 60 e0 03 68 90 01 70 02 7a 03 34 31   GX  `  h  p z 41
30 82 01 03 33 31 30 88 01 00 92 01 03 35 37 30   0   310      570
b2 01 05 65 6e 5f 55 53 00 00 00 0b 00 00 00 09      en_US
0a 05 08 c0 02 10 32 10 01 00 00 00 0c 00 00 00         2
00 00 00 00 0c 00 00 00 00 00 00 00 0c 00 00 00

We studied the following applications from our paper and confirmed they are transmitting UDIDs via SSL:

• Bed Intruder Soundboard
• Color Fill
• Galaxy on Fire
• I Bomber 2
• Mirror Free
• Mr.  Runner
• Pimple Popper

In most of the cases where SSL was used, communication terminated on the qwapi.com network.  The SSL certificate used on the servers on this domain indicate the name of the company is Quattro Wireless.

Quattro Wireless was acquired by Apple and is responsible for serving advertisements through the iAd system.  Quattro Wireless’s website went down after the acquisition, but the Wayback Machine cached the content.    In 2008 they boasted the following capabilities:

Quattro works with our agency partners to devise media plans to leverage our engaged audience based on partner goals and key targeting ideals: contextual, demographic information when available for both on and off deck sources, registration data, behavioral profiling and clustering. Targeting is available throughout the Quattro Network based on:

Channel, country, carrier, handset, time of day, Geo, demographic and mobile behavior across the Network

Standard Web advertising capabilities such as Frequency Capping, Pacing and Smoothing are available on a per campaign basis.

Sound familiar?