Viewdle, a video search engine, launched recently, and won the 2008 LeWeb Gold prize . It’s very similar to a technology that casinos have had for years. In previous times they’d look up your face in the five-volume Griffin GOLD book, a litany of cheats. Machine vision has surpassed the book, by far.

I’ve long been fascinated by casino security. Only the military and casinos have access to massive budgets used to track, identify, and secure locations. While other corporations may have similar budgets they lack the zeal of the casinos and their lust for security technologies.

This application is essentially video facial recognition, combined with crowd sourced tagging. The casinos did this, but shared data between themselves across the Internet. Viewdle opens up this possibility to the public.

A nice flowchart of their process is here…

They appear to have close ties with Reuters, and Reuters is using Viewdle for theironline people search.

They called me one of the “good guys”. Heh!

You can listen to it here:

http://datasecurityblog.wordpress.com/2008/08/11/data-security-podcast-episode-13-aug-11-2008/

The CERT advisory is here.

A partial overview, from the PDF released by Secuonis…

On July 8th, technology vendors from across the industry will simultaneously release  patches for their products to close a major vulnerability in the underpinnings of the Internet. While most home users will be automatically updated, it’s important for all businesses to immediately update their networks. This is the largest synchronized security update in the history of the Internet, and is the result of hard work and dedication across dozens of organizations. 

Earlier this year, professional security research Dan Kaminsky discovered a major issue in how Internet addresses are managed (Domain Name System, or DNS). This issue was in the design of DNS and not limited to any single product. DNS is used by every computer on the Internet to know where to find other computers. Using this issue, an attacker could easily take over portions of the Internet and redirect users to arbitrary, and malicious, locations. For example, an attacker could target an Internet Service Provider (ISP), replacing the entire web — all search engines, social networks, banks, and other sites — with their own malicious content. Against corporate environments, an attacker could disrupt or monitor operations by rerouting network traffic traffic, capturing emails and other sensitive business data. 

Exact details on this are being withheld for the safety of the Internet; I prefer full disclosure, but that doesn’t seem to be the case here given that the hole is so large and vulnerability so widespread. 

Today I wore my EFF sweatshirt into the NSA booth at the RSA Security Expo. The NSA laughed at me. Little did their booth occupants know that the EFF had gone after them recently over the AT&T domestic wiretapping affair, shown to the word by Mark Klein. He was awarded an EFF Pioneer Award this year for his actions.

In any event, they had an Enigma, and oh boy, do I love enigma. It is the time when the world learned of cryptograhpy, security, and the first time that an army of cryptographers fought a machine to save the lives of the Allies. 

Sure sure, I hate the NSA, but I dealt with them to talk to their Museum Curator, who let me play with the Enigma for a few. The kerchunk-kerchunk sound of the rotors turning and the lamps lighting on the front panel of the device scared me for a moment. The messages encrypted by this machine killed thousands of people, stumped engineers across the world, and caused many convoy ships to sink in the atlantic. We are all in debt to the men who risked their lives to capture this machine and decode it’s secrets.

Some photos from today’s RSA conference are now available online, here: Enigmas at RSA Conference (Set)

While this is an older article ( from 2004 ), it still addresses many dangerous issues that developers continue to create in production code.

One of our developers here recently wrote a fairly large scripting system to deliver advertising to customers that was vulnerable to at least four XSS attacks, and I spent a fair amount of time sanitizing input and securing her code.

Do you accept input from users? Are you ensuring that you strip_tags (to block XSS/XSRF), escaping strings (to block SQL injection) and sanitizing all user input before storing or displaying it? If not, you might be vulnerable.