Entries Tagged "videos"
How to Get Free Food at a Fast-Food Drive-In
It’s easy. Find a fast-food restaurant with two drive-through windows: one where you order and pay, and the other where you receive your food. This won’t work at the more-common U.S. configuration: a microphone where you order, and a single window where you both pay for and receive your food. The video demonstrates the attack at a McDonald’s in—I assume—France.
Wait until there is someone behind you and someone in front of you. Don’t order anything at the first window. Tell the clerk that you forgot your money and didn’t order anything. Then drive to the second window, and take the food that the person behind you ordered.
It’s a clever exploit. Basically, it’s a synchronization attack. By exploiting the limited information flow between the two windows, you can insert yourself into the pay-receive queue.
It’s relatively easy to fix. The restaurant could give the customer a numbered token upon ordering and paying, which he would redeem at the next window for his food. Or the second window could demand to see the receipt. Or the two windows could talk to each other more, maybe by putting information about the car and driver into the computer. But, of course, these security solutions reduce the system’s optimization.
So if not a lot of people do this, the vulnerability will remain open.
EDITED TO ADD (9/20): The video has been removed from YouTube. It’s available here.
APEC Conference in Sydney Social Engineered
The APEC conference is a big deal in Australia right now, and the security is serious. They’ve blocked off a major part of Sydney, implemented special APEC laws allowing extra search powers for the police, and even given everyone in Sydney the day off—just to keep people away.
Yesterday, a TV comedy team succeeded in driving a fake motorcade with Canadian flags right through all the security barriers and weren’t stopped until right outside President Bush’s hotel. Inside their motorcade was someone dressed up as Osama Bin Laden.
The ABC later released a statement saying the team had no intention of entering a restricted zone and had been wearing mock “insecurity passes” that stated the convoy was a joke.
“It was a piece testing APEC security and the motorcade looked pretty authentic,” the Chaser source said.
“They approached the green zone, and they just waved them through much to their amazement, because the sketch was meant to stop there with them being rejected.
“They were then waved through into the red zone, but rather than go all the way through they made the call to turn around.”
“Apparently that was the first time the police realised it was not authentic and they swooped in and arrested everybody.”
Eight members of the comedy team, including the film crew, were arrested, as well as three hire car drivers.
The fake motorcade, three cars and a motorcycle escort, had Canadian identification.
“We just thought Canada would be a country the cops wouldn’t scrutinise too closely,” said Chaser performer Chris Taylor.
Another article.
I’ve written about these large-scale social engineering pranks before (although at this point I doubt that the Super Bowl prank was real). The trick: look like you fit in.
I’ve also written about the Australian comedy group before. They’re from a television show called The Chaser’s War on Everything, and they’ve tested security cameras and Trojan horses. And interviewed ignorant Americans.
And APEC security is over-the-top stupid:
On the same day police won a court battle to stop protesters marching down George Street through the APEC security zone, it emerged yesterday that at least one cafe near George Bush’s hotel has been ordered by police not to set outdoor tables with silverware, lest it fall into the wrong hands.
And office workers in Bridge Street’s AMP tower have been told to stay away from the windows, draw the blinds and not to look at helicopters.
EDITED TO ADD (9/7): Video of the motorcade and the arrests. Photo of the fake security pass.
Great video from The Chasers on APEC and security, including some very funny footage about what normal people are willing to do and have done to them in the name of security.
Using Fear to Sell Pens
Uni-Ball is using fear to sell pens.
I admit that check washing is a problem, but I don’t like the fear-mongering in the advertisement.
EDITED TO ADD: Here’s a YouTube link to the ad that’s still good.
How to Make a Taser Out of a Cheap Camera
Instructions here.
Don’t tell the TSA, or they’ll ban cheap cameras.
Real-World Trojan Horse
Here’s a clip from an Australian TV programme called “The Chaser”. A Trojan Horse (full of appropriately attired soldiers) finds its way past security everywhere except the Turkish consulate.
At least they remember their history.
Me on Identity Theft
At the kickoff reception for the IT Security Summit in Johannesburg, there was a bit of industrial theater about identity theft. Someone tried to pretend he was me; it was pretty funny, really. Someone captured my discussion after on video.
Bush's Watch Stolen?
Watch this video very carefully; it’s President Bush working the crowds in Albania. At 0.50 minutes into the clip, Bush has a watch. At 1.04 minutes into the clip, he had a watch.
The U.S. is denying that his watch was stolen:
Photographs showed Bush, surrounded by five bodyguards, putting his hands behind his back so one of the bodyguards could remove his watch.
I simply don’t see that in the video. Bush’s arm is out in front of him during the entire nine seconds between those stills.
Another denial:
An Albanian bodyguard who accompanied Bush in the town told The Associated Press he had seen one of his U.S. colleagues close to Bush bend down and pick up the watch.
That’s certainly possible; it may have fallen off.
But possibly the pickpocket of the century. (Although would anyone actually be stupid enough to try? There must be a zillion easier-to-steal watches in that crowd, many of them nicer than Bush’s.)
EDITED TO ADD (6/12): This article says that he wears a $50 Timex. It also has some more odd denials.
EDITED TO ADD (6/13): In this video, from another angle, it seems clear that Bush removes the watch himself.