Sean Reiser

Hi, I'm Seán Reiser. This is my personal blog.

“A person is what they think about all day long”
~Ralph Waldo Emerson

Thinking about Pwning a Soda Machine.

A local Popeye's has one of those Coca-Cola Freestyle machines. It was a little unusual because it didn't have a touchscreen; instead you join their WiFi network and scan a QR code with your phone, which sends you over to a website where you make your selections, and that fills the cup. I found it interesting for a couple of reasons. Although smartphones are popular, I'm surprised that they've gained such ubiquity that they've become the default way for a person to fill their drink. I'm also surprised that people would willingly join Popeye's internal Wi-Fi network in order to get their soda filled.

It was interesting to see people young and old trying to dope out how to fill their cups. The advantage of the Freestyle machine with the touchscreen is that there was very little learning curve: push your cup against the thing that said ice, put your cup under the spout, select the flavor you want, and poof, you had soda. No joining networks, no scanning barcodes, little if any tech support needed. Here there had to be an employee who stood there showing people how to use it and filling soda for people who didn't have phones or were technical neophytes. It's funny; although QR codes seem simple, I've heard them referred to as the herpes of technology. I'm not sure that's exactly the case, but I think there are people who are intimidated by them and don't get exactly how they work. When you consider that customer-facing soda machines were installed because it's cheaper to let a customer refill their soda several times than it is to pay an employee to fill sodas, we've taken a step backwards, and I don't suspect it'll improve with user education.

As always, I wonder how easily this could be abused. Imagine joining the Wi-Fi network, sitting at the opposite end of the restaurant and just screwing with the machine: causing the machine to run with no one in front of it so soda is spilling all over the floor, or changing somebody's flavor as they're filling their cup. Also, I presume that, like most other Internet of Things devices, the web server is running on the soda machine itself, so I wonder about the potential exploits and what one could do if they pwned a soda machine.

Should I Give the Last 4 Digits of my SSN to a Job Recruiter


I’ve commented on this blog about the trend where recruiters ask for the last 4 digits of a candidate’s SSN in their first contact email (along with name, DOB, location and other PII). I thought I’d consolidate my thoughts in a post.

Let me explain the format of a SSN:

The first 3 digits are tied to the state where the applicant applied for their SSN. Since most people in the US are born, live and die within a 50-mile radius, this becomes guessable.

The next 2 are a group number and can be tied to the year the applicant applied for their SSN. States only issue from a few group numbers a year. Most Americans are issued their SSN in the first couple of years of their life. Where a recruiter doesn’t know a candidate’s age or year of birth, it can be estimated from info on the candidate’s resume (graduation year or when the candidate entered the workforce).

The last 4 are assigned in sequence, which isn’t really derivable from a candidate’s information.

So for a large portion of candidates, someone can whittle the possible SSNs down to 1-100 options. You can see why I am concerned that this could be a phishing attack: someone I don’t know asking for information that can lead to identity theft. Add to that the thought that you’re submitting the info via email, which is insecure by design, and you have another vector for possible theft.

I understand that firms are using Candidate Tracking Systems where the last 4 digits of a SSN are used to ensure candidates don’t get double submitted, but there are risks involved that I think many people are unaware of.


Stop Using your Personal Data for Passwords and Security Questions

Posts like this are popping up across my Facebook feed, and I want to say: I think you're all looking at this wrong.

Many people already know this information about you: friends from your school days who are no longer in your life, ex-lovers, that cousin of yours who's less than desirable. Some questions, like high school mascot, can be derived from your resume. Others, like mother's maiden name, are a matter of public record.

  1. Passwords should be random, e.g. &Rtbpb4WWS9G (not my password on any system); such a password can't be guessed no matter how well you know me.
  2. Don't use your personal information to answer security questions; no one is validating the information. You just need to know what the right answers are. You can use a fictional character and answer as them (What street did you grow up on? "Baker Street". Who is your best friend? "John Watson", etc.). Alternately, you can just respond with nonsense (Favorite color: "Eighteen". Where did you go to middle school: "The Piggly Wiggly", etc.). You don't need to be "correct", you just need to be consistent.
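As an added example (not from the original post), here is how the two rules above look in code: a random password drawn from all character classes, a check that no known personal fact appears in a secret, and random "nonsense" answers for security questions that are meant to be stored in a password manager. The fact list and word list are constructed for the demo.

```python
import math
import secrets
import string

# Character classes a site typically requires; the sample password in the
# post ("&Rtbpb4WWS9G") draws from all four.
CLASSES = [
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    "!@#$%^&*()-_=+[]{};:,.?/",
]
ALPHABET = "".join(CLASSES)  # 86 symbols


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16) -> str:
    """Random password (CSPRNG) containing at least one symbol of each class."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    while True:  # rejection sampling keeps the distribution uniform
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw


def contains_personal_data(secret: str, facts: list[str]) -> bool:
    """True if any known fact about the user (case-insensitive, 3+ chars)
    appears inside the secret; such a secret is guessable by acquaintances."""
    s = secret.lower()
    return any(f.lower() in s for f in facts if len(f) >= 3)


def generate_answers(questions: list[str], words: list[str], n_words: int = 3) -> dict[str, str]:
    """Random, meaningless answers per question. The site only checks that
    you are consistent, not that you are truthful, so store these with the
    password and paste them back when asked."""
    return {q: " ".join(secrets.choice(words) for _ in range(n_words)) for q in questions}


if __name__ == "__main__":
    facts = ["Rex", "1987", "Smith", "Wildcats"]  # constructed personal facts
    words = ["piggly", "wiggly", "eighteen", "baker", "watson", "lamp"]  # constructed
    print(generate_password(), contains_personal_data("Rex1987!", facts))
    print(generate_answers(["Mother's maiden name?", "First pet?"], words))
```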

Wow, it appears that John McAfee is dead.

So if you follow this link from NYC.gov, it brings you to a site that demonstrates ranked choice voting using pizza toppings as an example, which I believe the mayor mentioned in a news conference yesterday. I took a look at it and I have to wonder... why are they including libraries from the credit card processor stripe.com?

All of the layered protocols (SPF, DMARC, DKIM) on top of email to make it spoof resistant make me angry.