Schneier on Security
A blog covering security and security technology.
« The Onion on Browser Security |
| 2007 NSA Manual on Internet Hacking »
May 10, 2013
Friday Squid Blogging: Squid Festival in Monterey
It's at the end of May. Note that it's being put on by the Calamari Entertainment Group.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Posted on May 10, 2013 at 4:26 PM
• 54 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Video presentation by Jonathan Zittrain last September. If you haven't already seen it yet, he uses the Hierarchy/Polyarchy & TopDown/BottomUp quadrant really well, to explain the power struggle taking place in technology and with the Internet. He also offers a very good explanation around 48m of why the gov't is confounding - it both monitors everything and doesn't seem to care about anyone's privacy, but then wants everyone to be as alarmed as they are and pitch in to help defend privacy and protect against attacks.
I lived in Monterey from '02-'06. Our landlord was a squid fisherman. Loved it there.
How 'bout them 3D printable guns?
Gotta ban 'em, so that people who want to kill somebody, but care whether or not it's legal to build a gun, won't be able to build one.
Of course, those people who want to kill somebody and *don't* care whether or not the gun is legal... well, I guess they're not a problem.
@Jordan Brown - or if you really wanted to kill somebody, email them the link, wait for them to build the gun, and have it explode in their face
Re: Ban on 3D guns.
How? I can't think of any practical way of enforcing that, other than after the fact if someone is somehow found in posession of one during some other crime. Software/hardware-wise before the fact? Nuh-uh.
link above on how the NSA does its Google hacking. maybe we can too
This is the beginning...
Thank you. Thoroughly enjoyed that! "you have entered into a long term relationship with a breakfast oriented service provider.." hahaha :o)
Here's to hoping the most powerful people in IT&T & politics watch it and feel inspired! 4k views is not nearly enough.
It's not exactly a story thats in the news (not yet anyway...) , but I've a roadbike listed on ebay at the minute & have of course had the usual run of scams and odd offers. Among them is this email, of course from someone with single digit feedback,
"Sorry to ask this question - I know you've said 'cash on collection only', for payment - but would you accept a bank transfer prior to collection? I'm not in the country at the moment and would be looking to pay online, then have a courier do the pick up. Thanks."
How does this one work? Do they somehow reverse the bank transfer afterwards, or do they try to make it look like a transfer has happened when it hasn't? Or are they reallly just after my bank details to use them for other purposes?
OFF Topic :
The UK has a political issue over more invasive prying into digital communications.
The plans for a new act that were in place has faced oposition from one of the coalition partners (lib dems) who will not vote for it and the opposition parties (mainly Labour) probably would not vote for it either so the Conservative party have basicaly dropped the measures down to what appears to be just better tracability  in the Queen's Speech (given at the opening of Parliment to set the agender for the "governments" intended business for the next parlimentry period).
Only time will tell if the MI's and LEA's can push through what they want via the cover of other legislation, but at the moment it looks as though privacy has not suffered another loss.
 As I've mentioned a couple of times in the past on this blog, in the UK and a lot of other places where "Mobile Broadband" usage is very high there is a significant issue with IPv4. Basicaly there are not enough IPv4 addresses to go around which means that one IP adress could be used by several hundred Mobile Broadband users at the same time or in a very very short time frame. What has caused a problem for the authorities is that it appears the EU legislation is written in such a way that the Mobile Service Providers currently belive that they are not required to store information on the port assignments just the IP addresses so they don't log / store the information so tracability is lost...
@Vles - thanks, here is an EXACT instance in the news just today, of the consequence of moving upwards to more top down.
What is happening, as Zittrain elaborated, is that the consumer Internet has being closed off or sandboxed by corporations. But no matter how good the technology, once it is accessible, even just to the manufacturer, the gov't will use the force of law to get it. This parallels what was presented in several essays here (ie feudalism).
This really moves technology to a different ballpark altogether. In the CNET article above, McCullagh is asking what good is encryption if the keys aren't really in your control? It gets worse, is it possible that large corporations are receiving favorable treatment by the gov't during mergers and acquisitions when they agree to open technology for these purposes?
OFF Topic :
Further to my post above, just to make it clear... In most parts of the world where mobile broadband is available from two or more seperate service providers you can make a usefull device to help break your tracability.
What you make using a gumstick or Rasberry Pi Linux single board computer and two mobile broadband dongles is the equivalent of a full stack network bridge which you could use in quite a few interesting ways.
Whilst far from perfect it does provide a usefull "fire break" against many investigators, simply because the mobile service providers cannot produce information to link the two mobile broadband devices together.
You can of course extend the device by using two Linux SBC's and have each one with a single mobile broadband dongle and a WiFi dongle that you can work in an appropriate link mode.
Such systems can fairly easily be placed on roof tops in various (almost) publicaly accessable places.
@ Petrea Mitchell
They do say history repeats itself. I think the section on Martin Luther King is especially interesting (link below). The assassination was believed by many to be a covert op by a state group. There were many possibles. That Congress confirmed the existence of a near constant barrage of covert actions against MLK certainly doesn't inspire trust in government's side of the story.
I was reading this article in latest EDN, then found it online to link here. includes familiar arguments but also brings up trade and supply disruptions as an inadvertent consequence of 'cyber' confrontation. Read Taleb? They're playing with fire.
Short: Afaik (but IANAL nor banking expert): The transfer can be cancelled/reversed.
If curious, ask your bank about it. IIRC the time after which the money is actually transferred can be quite large (weeks).
Automatic fraud detection gone wrong: The local transit agency was sending transaction data to banks with the wrong ZIP code, and that resulted in thousands of credit and debit cards being wrongly placed on security holds because that made the transaction look fraudulent. (The rest of the mechanism is unexplained, but I'm guessing it's the "card being used suddenly outside of its normal range" rule.)
That is one of the stupidest articles I have ever read on the internet and that is saying something. First, while it may indeed be no better than a knife the truth is that a metal detector will spot a big knife and will not spot this gun. More importantly, it is the "proof of concept" that is the key. These printers are only going to get cheaper and better like all technology. In ten years anyone will be able to turn their home into a little arms manufacturer, undetected by the government.
So yes, it is true that the gun isn't a game changer this exact pico-second in time. But only a functionally retarded person like the author of that article would think that was the point of releasing the plans.
I thought this was an interesting article:
With No Cash for Upgrades, Local Government to Disconnect WinXP PCs from Net and Tape up Ethernet Ports:
The concept to me seems absurd. Do all of these systems really become (more) insecure when MS drops support? Is something tried & true inherently more insecure than a brand new product? I don't know about anyone else, but I can't think of the last time I saw a computer of any sort connected directly to the 'net without some form of router/firewall in place. I'd hope governments would have at a minimum a decent firewall/IDS. Not like they cost a lot these days. I know I certainly don't rely upon an OS' built in firewall/security features to protect my users.
The kind of thing you would expect from The Onion, but it's actually real:
83-year-old nun convicted of sabotage for breach of US atomic complex: http://rt.com/usa/...
Prosecutors argued that the breach of security was serious, and caused the plant to shut down for two weeks as security staff were re-trained and defense contractors replaced.
OFF Topic :
Apple has another "loony tunes" patent granted.
The idea is begilingly simple, Apple want to turn you into a mobile ATM and make money, and some people think it's a good idea,
Put slightly less simply you have an app on your iPhone etc that helps you out when you discover your wallets empty and there are no ATMs around... The Apple view is there you are a bit short of cash so you open the app and ask for 20 dollars. The app reads your GPS location and passes your request via Apple to other iPhone users in the area. If one agrees to give you the 20dollars Apple send you the name and location of the person and you walk over. They give you 20 dollars you press the button on the app at which point Apple deducts 20 dollars from your iTunes account and a commission fee and then deposits the 20 dollars into the iTunes account of the person giving you the 20 dollars.
One first sight through Apple red tinted glasses it sounds like a wonderful idea. You get 20 dollars cash, Apple gets 20 dollars pluss commission from you and at some point the person who gave you the cash gets a 20 dollar credit note from Apple.
The problem is it's not a good idea unless you are a criminal...
Oh and the idea is far from new, back in the 1980s when digital wallets were first being touted around a very similar concept was suggested needless to say it was fairly quickly realised just how bad an idea it was.
@ Dirk Praet,
And what were they realy guilty of... Embarising a Federal Organisation with very very lax security.
It reminds me of the old joke,
Two Russians are in a labour camp in siberia discussing their fate and the older on asks what the younger one had done to deserve the 20year re-education program. The younger on says "I don't realy know I was a kean and active member of the communist party and as part of that I was organising an entertainment show to get more party members during which I was arrested". The older one says "thats very laudable but surely not the reason for being arrested and brought here?". The younger one scratches his head and says "Well you'ld think not but they arrested me immediatly after one of the entertainers told a joke about the premier that was in poor taste". The older one looks at the younger one and says "Surely not, even in mother Russia we don't lock up people for poor taste otherwise the goolags would be full and the streets empty, tell me what was it that this joker said?". The younger man replies "It was some nonsense about the economic plan and that the premier was stupid, just realy bad taste at a party event". To which the older one replies "Ahh that explains it my son, that was not poor taste but revealing State Secrets".
@Clive Robinson Re: The Latest Escapades in Fanboism
--What's wrong? You don't trust loaning random strangers money? I thought this world was a trustful place.
So let's say someone gets their phone stolen, doesn't have the "track me down" app b/c they think the world's a sweet place, and said criminal downloads the app, asks for a thousand dollars, and bargains by giving previous victims electronics to his new victims as collateral. "Thumbs-up" bots made the criminal's rating look pristine.
One good (albeit very trashy) scenario I can think of is, a smoking hot female needs 50¢ for vending machine. I accept and meet her there, flip 2 quarters at her, she catches them w/ her tongue, launches them at machine w/ her mouth, I tell her to "keep the change" and feel so rich. Turns out we're at a gas station and she just bought a condom...
I wonder which scenario is more likely given the extent to which some of these ATM-cash scrubs go to...?
Bruce has a new article coming up in theatlantic.com. The 2 wisest bits of wisdom are the last 2 paragraphs IMO. All well meaning Law Enforcement Officers take a look and consider what you may unwittingly be a part of.
@alex - incoming firewalls are easy. Outgoing are hard
Somebody on an old computer opens an email which makes a connection to a website - should the firewall allow it? Do you need a whitelist of approved sites? Do you need to inspect all the packets to check what is being sent? What if it's an ssh connection? Does the firewall have to know if this is a machine in marketing, that is allowed to connect to that site, or one in engineering that should be more carefully restricted.
The author does not believe that the veil of secrecy provides any value-only protection-and does not serve the public. The real effect of litigation and other general issues beyond the author's control, the reporting is a resource to help guide near and long term responses to complex industrial and socio-political issues in the United States of America. The fate of whistleblowers today is not good, even the press can be prosecuted for not playing along--let alone not getting along.
And so it begins...
Big business; SAIC (Boeing), Lockheed Martin, and Microsoft along with the Pentagon and the federal government have fallen in love-meet my new boyfriend "Big Data". He's special! Backed by recalcitrant and draconian new federal laws, "Big Data" can make changes that "Just weren't popular before, it's all about 'Social Media' don't ya know!" says the new and improved CEO's of the corporate gentry. The privileged class(es) have made a calculation or two on a silicon tablet-your name's on it (along with your SSN, DOB, DMV, IRS, E-Mail, Phone Calls, Bank Accounts, and blood tests-oh, and you need to return that video to netflix) and it looks like they have away to cash in on you! Not only are you commoditized, but small and medium size business and other players are at real risk of being swallowed whole by this new world order. The opportunity and the tools to make it happen are being coalesced around an already stewing caldron of riches and rape. Never has the alignment of government (law), the military (force), and the means (moneyed corporations) had such a useful and helpful impact on this new three-way friendship (I have the pictures).
Feel the love...
NO, I SAID...FEEEEL THE LOVE!
With all the issues facing the citizenry; the de-industrialization, de-intellectual, and dumbing down of the U.S society; the masters believe it has become increasing necessary to find solutions that offer "A way out!" The way out is "THROUGH YOU!" Uncle sam really does want you, well not you--the vessel that is you.
"...a system for installing spyware on a printer or other device and moving that malware to a nearby computer via radio waves, even when the machines aren't connected to anything."
Is this possible?
@luca - assuming the other device has wifi/bluetooth but isn't connected to the network there might be a security flaw where one device can connect directly to another one.
Some really silly systems even allow pushing new firmware over the network link
Yes. The threat flies beyond wifi/bluetooth into ham radio tech and more if you research enough and in the right places. Even your LEDs can betray your data.
More random shooting. I think its something in the north American air. What's going on? This random killing is getting childish.
Tempest for ATSC
"This isn’t the first time I’ve seen video outputs used in strange and unusual ways: long ago I coerced the LCD controller on a 68EZ328 (2nd generation Palm Pilot CPU) to generate a VGA signal. The horizontal and vertical blanking signals were painted right into the framebuffer. What really tickles me about this demo is that it’s exploiting the EMI given off by the card to modulate the finished RF signal."
"This would definitely be the first time I’ve heard of OpenGL used to accelerate a radio."
@Petrea : When flipping through reading bits of the Church report thanks to your efforts I ran across a pretty interesting small specific tidbit.
Reading through the litany of "political abuse" of intelligence situations cited in the report, it's interesting to contrast the Church report's portrayal that Johnson misused the FBI to investigate republican leader Anna Chennault two weeks before an election ( http://aarclibrary.org/publib/church/reports/... , page 228) without the context provided by the recently declasified Johnson tapes that explain precisely why Ms. Chennault was being investigated:
http://www.bbc.co.uk/news/magazine-21768668 .... ie that Nixon had been using her as a proxy to convince the South Vietnamese to walk away from the peace table, tilting the US election towards himself at the expense of prolonging the Vietnam war.
I don't mean to minimize accusations or concerns of intelligence abuse, but, (assuming Johnson's self-auto-recorded white house taping system itself was not self-serving, with Johnson "playing to the tape"), it is interesting to see in that bit of the Church report the dilemma between identifying and publicizing potential intelligence abuse and the true national security implications involved.
Is this possible ?
In theory yes, in practice it's going to be difficult to the point of not possible in most cases, unless there are design flaws.
To see why think of it as it in terms of a networking stack issue.
You thus first need to first think about the "physical layer" with the following basic issues,
1, TX energy source.
2, TX power.
3, TX modulation capability.
4, TX to transmission channel coupling.
5, Transmission channel charecteristics.
6, Transmition channel length.
7, Transmission channel to RX coupling.
8, RX sensitivity.
9, RX demodulation charecteristics.
Even if you can satisfy those physical layer requirments you still need to be able to have the ability to build the rest of the network stack at both ends to get data from the malware app in the TX system to a suseptable app etc in the RX system.
However if you think about you need four exploitable vectors,
A, Initial attack vector for malware into TX system.
B, Malware app to TX system physical layer.
C, RX system physical layer to susceptable application.
D, Application that is susceptable on RX system.
If any one of these vectors is unavailable then the attack cannot succeed. But as has been ably demonstrated for well over thirty years finding these vectors is just a matter of searching software anomolies to find them...
In fact one of the earliest well known diliberate malicious exploits to the physical layer was the "Poke to destroy" attack on Chuck Peddle's Commador PET. Basicaly if you put the wrong value in the graphics controler it would cause it to go outside the normal sync frequency of the inbuilt monitor with the result it would badly over heat and in some case burn out. A similar problem also occured with early third party IBM PC monitor cards and some monitors from the less well known far eastern manufactures, atleast one early MBR virus had this as a payload.
But even earlier in the days of "Mainframe batch computers" long before EMC standards it was well known that you could "hear the CPU" not just at the console speaker but also on an AM radio upto a hundred feet or so from the system. This was exploited for fun by atleat one system programer to play simple tunes on the radio... Likewise it was later demonstrated that the signals from early unshielded monitors could be picked up several hundred feet away and this is now known as "van Eck phreaking".
In fact the problem with elctromagnetic interferance became so bad that legislation in various forms was brought in to reduce the effects to managable proportions. In the US the FCC has laid down requirments on electronic equipment manufactures and in Europe there are the various EMC standards and in most other parts of the world their legislation is broadly based on one or the other.
But the problem with radiated signals carrying information and being exploited goes back atleast as far as the First World War where trench telephones due to a poor design choice (see single wire and "phantom circuits") coupled energy into the ground and also barbed wire and thus could be picked up considerable distances away to the enemy trenches and beyond. It was this explotation that gave rise to what used to be called TEMPEST and these days EmSec.
However the issue of usable leaking signals goes back to atleast the 1870's if not a lot earlier due to the fact that telegraph and telephone cables were not only very expensive they were also expensive to install and maintain. Thus to reduce costs single wire common ground return circuits and transformer fed phantom circuits were extensivly used and "cross talk" became common. However it was found slightly later with early "multi-core" cables another form of "cross talk" became apparent, caused not by resistive leakage of current but by either capacitive or inductive coupling. And it was soon found that the range of such coupling increased with the frequency of the signal. It was then shown that if certain conditions were met then the signals would travel through the ether for considerable distances and basic "spark gap transmitters" were developed that later became recognised as what we now call radio waves.
For all forms of cross talk to have an effect sufficient energy must be coupled from one circuit to another such that it causes meaningful interfereance within the used bandwidth of the wanted signal. However to go beyond interferance and produce an interfering signal of the same magnitude or more than the wanted signal requires considerably greater energy.
Because of various issues engineers tend to break "free space" signals into "near field" and "far field" the boundry is usually aproximated as two wavelengths from the radiating element (antenna) at which point the signal loss is considerable (around 1/50 for an isotropic radiator).
In the far field a first aproximation for the continuing decress in signal energy is based on the square law expansion of the surface of a sphear so is the inverse square of distance so needs the transmitted signal power to increase four fold for every doubling of distance in "free space".
But the energy needs to be coupled into and out of "free space" and this happens in the "near field" and in usuall circuit design circuit traces and components are designed in ways to reduce local cross talk and thus do not radiate energy into the near field efficiently or conversly be susceptable to energy in free space. Thus the signal antenuation is quite considerable and for most computer signals in milliwatt levels the received signal level is in nano or pico watt levels in a very short distance.
Further the EMC standards put constraints on the total level of energy a compleat system can radiate outside of it's case etc or be susceptable to. These are of necessity quite strict and are generaly defined by "masks" across the usable frequency spectrum (used to be VLF to microwave but gets expanded as technology and practical test systems improve).
Unfortunatly the mask system whilst being easy to specify and measure is also easy to cheat in various ways. As the cheating saves a considerable quantity of expensive filtering components there is considerable "profit" to be made in doing so. As some of the cheating techniques effect "system stability" they are turned on for compliance testing and often off for general use via the likes of BIOS options.
Thus for such an attack to work it needs to find a way to radiate significant energy from the TX system to a susceptable RX system. If the basic EMC standards were followed this should not be possible...
However over and above the cheating of the EMC masks the EMC standards have exceptions for "purposefull communications" which WiFi, Bluetooth and other radio communications fall into. And it is likely that it is in these devices that the attack system works.
For instance most modern laptops have WiFi and Bluetooth built in whilst some have compatability with similar Infrared communications systems found in older computing devices that used to be used to talk to printers and the like. As the desire for "connectivity" and "ease of use" increases we will see other comms added such as GSM for mobile broadband, NFC for payment and other smart cards, Zigbee and other similar standards for Personal Area and ad-hoc Networks for home automation et al.
A significant and rapidly up comming security threat is "Software Defined Radio" (SDR), it has many advantages for System on a Chip (SoC) designers. However it's great flexability leaves it wide open to security vulnerabilities.
So as many SoC's are manufactured within the sphear of influance of China I guess it's safe to modify the ancient curse to say it looks like we will be living in interesting times...
Risk. The Boston Marathon Bombings in context:
Boston Globe, May 6th (3 weeks later): "Since the bombings, six people have been shot and killed, and at least 23 people have been shot in Mattapan, Dorchester, and Roxbury, police said. Residents in low-income minority communities say they are constantly besieged by gunfire, noting the triple homicides on Harlem Street in Dorchester last year, the quadruple killings on Woolson Street in Mattapan in 2010 that left a 2-year-old dead..."
I think it's fair to say that Commander Chris Hadfield has just dwarfed any and all other geek news this week with his version of David Bowie's Space Oddity, recorded on board the International Space Station: https://www.youtube.com/watch?v=KaOC9danxNo .
If God, Allah, Buddha and the rest of that crew are watching: please take a note that we are still capable of doing better than just blowing up our planet and ourselves.
@Clive R. "it was well known that you could "hear the CPU" not just at the console speaker but also on an AM radio"
I am a bit too young for the big iron on AM radio feat, but I was able to roughly determine what my ZX Spectrum+ is doing by observing ripples on the monitor. The composite video signal picked up some interference from the address or data bus apparently - especially that I had made the low-frequency monitor socket myself (there was only TV-frequency modulated output socket originally) by running a pair of twisted wires from soldering points near the edge connector all over the board to the left side of the case.
Tim#3, re your scam message, I would assume that it's either an attempt to steal the bike and reverse the transaction (as another poster mentioned), or they'll "accidentally" overpay and ask you to Western Union them the overage. Then, after they reverse the transfer, you'd find that Western Union payment is irreversible. In that case, you might at least still have the bike.
OFF Topic :
Due to your more recent areas of research, I think you might find this article interesting,
It indicates that asside from the significant health issues and shortening of life loneliness can also cause significant social issues.
Some of which may explain various security issues to do with society including radicalisation, school shootings and certain types of crime.
The artical makes very interesting reading even if you don't agree with the idea of extending it into societal security.
@ Nick P,
This might be of interest,
It's an argument for migrating much of the kernel based activity out of the kernel and into the application.
Simplisticaly the heavy weight kernels like Linux have an inverse exponential performance with the number of connections due in part to some of the algorithms they use and in part by cache misses and other memory managment issues. That is whilst a hundred or so connections are handled quickly get to a thousand and the kernel is increasingly slow and inefficient so much so that it looks like it's fallen off a cliff.
A significant part of the "off the cliff" problem is the way most programers actually do things. Basicaly they write light applications that put the heavy lift on the kernel and in the process cause context switches (always slow) cache misses (even slower) and page misses which cause double cache misses due to loading in paging tables.
The soloution recomended is to do memory managment and device handeling in the application not through the kernel.
Not exactly a new idea as it's been touted for years with micro and nano kernels.
What the article does not mention is the security issue. For programers putting the heavy lift onto the kernel they can also indirectly off load much of the security issues with devices and memory managment to the kernel. But by migrating device and memory managment into the application, the application developer also takes on the security issues and risks as well, which most app developers are neither trained in or mentaly prepared for.
However as the article points out this migration is the way we need to be going for large scale services for the Internet and Cloud.
@NobodySpecial: My point is that these systems aren't any more insecure before or after Microsoft stops support for them. If there's a major hole, it might not get patched, but with the way most IT shops do updates, there's a lag between the time a security hole is reported to Microsoft & MS bothers to post a patch. Additionally, most large IT shops have learned to test such patches on workbench machines before pushing them out organization-wide.
Just because something is old doesn't mean it's bad.
I've noticed retailers asking me to read them the last 4 digits of my credit card number. I wondered why, and got to thinking. It's easy enough for bad guys to replace the mag stripe with a stolen number, so I'm guessing a policy was put in place to have the cashiers do a minimal verification that the card matched the magstripe. But cashiers aren't given real training or explanation, so to save time, they just ask you for the digits. Which utterly invalidates the whole thing - a bad guy with a rewritten strip would give the numbers he had put on the magstripe, ignoring whatever was printed on the card. Sigh.
@ John R
"I've noticed retailers asking me to read them the last 4 digits of my credit card number."
Interesting method. Most big retailers I shop with use an external device for reading cards. They don't see the last four digits until the payment has gone through. The method couldn't work for them.
It reminds me, though, of the other type of card processing device. At some convenience stores, they swipe my card, then type in something on front (expiration?), and then it processes. This type of reader seems to force the cashier to do essentially the same type of validation you mentioned. Maybe this is an argument for using that kind of reader. Yet, I think productivity will override the security benefit and most stores will opt for "seemless" types of card processing.
Radley Balko talked about the post-bombing lockdown in Boston, particularly regarding the situation where an unusual danger prompts an exceptionally forceful response, followed by the usage of increased force becoming more routine. (According to Balko, the first televised SWAT team raid was in 1973, and the idea of such teams was popularized as a result.) In the case of Boston, among other reasons, officials may have felt that doing a SWAT raid on a single home where the suspect had been isolated would have appeared as an inadequate response, due to such raids being used in far less spectacular circumstances. Aside from whether the response in Boston was justified, there is the issue of being able to evaluate the response as far as future actions go and keeping the response from setting the wrong precedent.
@alex - I agree, although it is possible that say a browser flaw that shows up in the version on a current OS could also affect older versions which use the same code base. If the older one is not fixed then when it becomes well known that all XP systems are vulnerable to exploit X then it does pose a problem.
@3D-printed gun: I agree that this design is far from practical right now, and printing something that deserves to be called a barrel from plastic will be "the hard part" for quite some time. Even Gerard Metral (the guy with the DIY Submachine Gun) recommends industrially manufactured barrels (of weapons that are less regulated) if you have any hope to get your hands on them, and his design is way more serious than that plastic pistol.
The printed pistol is nothing more than a proof of concept. Rapid Prototyping gear will get smaller, cheaper, better and more available - and once everyone has CNC machine tools in his basement, these problems will become relevant, and any attempt at regulating the distribution physical objects will be a joke, just like regulating the distribution of digital files is now.
@ Erik, Thunderbird. Yes, it seems the reversal is the most likely- which can happen when they didn't have permission to access the account that they transferred money from. There is also a second approach, where they log into online banking while at your place and carry out the transfer while you watch, yet somehow it never actually happens in reality - they must access a clone of the banking site somehow.
Anyway, I've now sold the bike to a nice chap from Nigeria, for £$25m, so all's good. I'm just sending him a customs fee.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.