How to surf from hostile networks

NYT article claiming to help with the issue of kiosk network connections. They could have keyboard sniffers, network sniffers, or just good old spyware.

Print edition

Circumventing censorship

The filtering takes place in at least three ways:

  • de-listed domains: specific websites are removed entirely from search results; it is as if the website never existed.
  • de-listed URLs: specific URLs are removed from search results if they contain a de-listed domain.
  • restricted keywords: specific keywords are restricted to searches of web pages hosted in China only.

Blocking VOIP

Derek Bambauer explains the legal ramifications of Service class blocking.…

/whois Bruce_Schneier

Cryptography and Computer Security Resources

Crypto-Gram Newsletter


Free Software
Password Safe
S/MIME Cracking Screen Saver

Essays and Columns on Cryptography and Computer Security
Academic Papers by Bruce Schneier
Bibliography of Papers by Other People

Microsoft PPTP
CMEA Digital Cellular

Wireless Security Review: Kismet++

Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Wardriving news portal
– Ethereal/Tcpdump compatible data logging
– Airsnort compatible weak-iv packet logging
– Network IP range detection
– Built-in channel hopping and multicard split channel hopping
– Hidden network SSID decloaking
– Graphical mapping of networks

Q: What happens when I ask a question that’s already answered here?
A: I’ll probably be rude to you and tell you to go read the docs.
But of course everyone already read the docs all the way to the end,
right? Right?

Greater Boston Area 802.11 Wireless Database

NYC Wireless Group’s wireless antenna shootout
Antenna Systems antenna supplier wireless equipment
TheRFC RF Connector and custom cable supplier with no minimum order.
Solwise UK connector and equipment supplier.

Internet Filtering: Psiphon

Legal perspective on Internet Filtering from John Palfrey.

More on Psiphon

Psiphon is a censorship circumvention solution allowing users to access blocked sites in countries where the Internet is censored. Psiphon turns a regular home computer into a personal, encrypted server capable of retrieving and displaying web pages anywhere.

Internet Filtering: Chinese Filtering

Paper by Berkman’s J Zittrain on Chinese Filtering (warn: PDF)!

/whois jzittrain

Jonathan Zittrain – Berkman Center for Internet & Society
Jonathan Zittrain is a co-founder of HLS’s Berkman Center for Internet & Society and served as its first executive director from 1997-2000.

  • Control of digital property & content
  • Cryptography
  • Electronic privacy
  • Internet governance
  • Technology in education

Subject Areas for Supervising Written Work

  • Cyberlaw
  • Intellectual Property
  • Torts
  • Trademark

Subject Areas for Accepting Press Inquiries

  • Cryptography
  • Cyberlaw
  • Electronic commerce
  • Internet governance
  • Privacy


  • Yale University B.S. 1991, Cognitive Science and Artificial Intelligence
  • Harvard University John F. Kennedy School of Government M.P.A. 1995
  • Harvard Law School J.D. 1995


  • Lecturer on Law, 1997
  • Faculty Co-Director, Berkman Center for Internet and Society, 2000
  • Assistant Professor of Law, 2000
  • Jack N. and Lillian R. Berkman Assistant Professor for Entrepreneurial Legal Studies, 2001
  • Jack N. and Lillian R. Berkman Visiting Professor for Entrepreneurial Legal Studies, 2005
  • Chair, Internet Governance and Regulation, Oxford University, 2005

Security Review: openVAS

For more information:
from the bug logs:
There seems to me a consistent misuse of autoconf “localstatedir” variable. It is traditionally seen that localstatedir be $prefix/var if not supplied. In the following example from there are two issues. One being that if $localstate dir was $prefix/var then this would create $prefix/var/lib/nesuss. And the second being that is broken. If in this case the auth type is “pass” and MD5 is not present, it will make an auth password in an entirely different tree than if it did have MD5.

Plug in count seems low or maybe I’m reading this wrong. Check out the nikto plugin.

The SSH DSA fingerprint is: 08:e9:69:cb:d6:42:9f:24:7d:40:de:12:ee:9e:92:23. The SSH RSA fingerprint is: 48:5f:a5:1c:7e:1c:b4:ef:53:b9:08:49:2d:c0:cb:1b.

openVAS 2007

Date: Mon, 9 Apr 2007 09:50:04 -0400
From: “Jon D”
Subject: Giving Nessus Reports to clients — Licensing, Legal, etc
To:  nessus at

Content-Type: text/plain; charset=”iso-8859-1″

I’ve heard of PenTesters giving a Nessus scan report to the client as part
of their final report.
I read through the nessus licensing agreement, and I didn’t say where it
said it’s not allowed.

Is this legal?
Also, is it legal to copy text from the nessus scan for a report?

Secrecy and Search and Seizures

Also called “sneak and peek” searches: law enforcement is sometimes permitted to search a person’s place or things without telling them. In certain cases, such as library records or your off-site data storage provider, the LE agent will issue a gag order so no one will know they were searched. One of these SSPs (storage service providers) has an interesting “canary” to help their users know when privacy has been violated.
The idea is simple. They cryptographically sign a notice stating that no government agents have made a search against any user’s data, and include a snippet of text from a news site to validate the timestamp. If the message is not updated then something has gone wrong.

There is an obvious weakness which even they acknowledge. “Signing the declaration makes it impossible for a third party to produce arbitrary declarations, it does not prevent them from using force to coerce to produce false declarations.”
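How a reader might check such a canary, as an added example that is not the provider's code or format: it verifies the signature, uses the quoted news headline to tie the notice to a day, and treats a notice that is no longer refreshed as the alarm. The toy RSA key stands in for the provider's real signing key, and the field names, headline table and 7-day interval are assumptions.

```python
import hashlib
from datetime import date

# Toy textbook RSA (no padding, tiny key): a stand-in for the provider's real
# signing key, used only so this example runs offline. Not secure.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def digest(text):
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % N

def sign(text):
    """Provider side: sign the canary text."""
    return pow(digest(text), D, N)

def check_canary(text, sig, today, known_headlines, max_age_days=7):
    """Reader side: return 'ok', or the reason to treat the canary as tripped."""
    if text is None:
        return "missing"
    if pow(sig, E, N) != digest(text):
        return "bad-signature"
    fields = dict(l.split(": ", 1) for l in text.splitlines() if ": " in l)
    try:
        issued = date.fromisoformat(fields["Date"])
        headline = fields["Headline"]
    except (KeyError, ValueError):
        return "malformed"
    # The quoted headline ties the signature to a day: the notice cannot have
    # been signed before that news was published.
    published = known_headlines.get(headline)
    if published is None or abs((issued - published).days) > 1:
        return "unanchored"
    # A canary that stops being refreshed is the signal itself.
    if (today - issued).days > max_age_days:
        return "stale"
    return "ok"

# Constructed sample data (hypothetical field names, headline and dates).
HEADLINES = {"Constructed headline for this demo": date(2024, 3, 4)}
CANARY = ("Date: 2024-03-04\n"
          "Headline: Constructed headline for this demo\n"
          "Statement: No searches of any user's data have taken place.")

if __name__ == "__main__":
    sig = sign(CANARY)
    print(check_canary(CANARY, sig, date(2024, 3, 6), HEADLINES))   # fresh
    print(check_canary(CANARY, sig, date(2024, 3, 20), HEADLINES))  # not renewed
```

A validly signed, freshly dated notice passes every check here regardless of whether its statement is true, which is the coercion weakness quoted above.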