Street Art of the Day

A group of girls claiming to be affiliated with controversial Russian art collective “Voina” (of penis bridge fame) thrust kisses on female law enforcement officers as part of a bizarre statement of protest against the Russian police’s attempt to soften its image through re-branding.

Yubikey used for strong authentication with Apple iPad

Yubico, the leader in open source strong authentication, has successfully tested its innovative YubiKey with Apple’s iPad.

The iPad, which sold one million devices in its first month, is recognized by many as a game-changing device positioned between the laptop and the smart phone. As this device is likely to be used with many applications requiring strong authentication, the YubiKey is the ideal partner.

Currently, the YubiKey has to be connected to the dock of the iPad using Apple’s Camera Connection Kit, which provides a standard USB port. Once connected, the iPad recognizes the YubiKey as a standard keyboard. Used with the iPad’s Safari browser, the user navigates to a site which requires the YubiKey. In the login field the user touches the YubiKey button and a securely encrypted one-time pass code is generated and sent to the site. The YubiKey requires no client software as it uses the standard USB keyboard interface for sending the pass codes.

The popular single sign-on service LastPass is working on adding YubiKey support to their iPad app. Yubico look forward to other iPad application developers taking advantage of the YubiKey when easy and strong authentication is a benefit.


Security theater tees

Big Brother Tees, sporting a variety of slogans relevant to airport security: “Nobody is safer when you take my water,” “Cast Member of Airport Security Theater,” “You can only detect and respond,” “Technology can’t solve security problems,” “Franklin’s Essential Liberty,” “What airport security procedures miss.”

Someone will come along any moment in the comments to explain that if you get hassled for wearing one of these, it’s your own fault for antagonizing them.

But let’s be clear: the TSA’s job is to keep airplanes safe. Criticizing the TSA does not undermine the safety of airplanes. Hurting a screener’s feelings does not endanger our skies. Refusing to believe in the pseudoscience of binary explosives made in airplanes from the contents of your toothpaste tube does not constitute noncompliance with the magic-anti-terror-baggie rule.

Big Brother T-Shirts

Security Now 217: The Broken Browser Model

How SSLs can be spoofed in man-in-the-middle attacks.

Security Now shownotes

For 16kbps versions, transcripts, and notes (including fixes), visit Steve’s site:, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6.

Null-Prefix SSL Certificate For PayPal Released

Slashdot IT: Null-Prefix SSL Certificate For PayPal Released on Tuesday October 06, @06:45PM

An anonymous reader writes “Nine weeks after Moxie Marlinspike presented at Defcon 17, null-prefix certificates that exploit the SSL certificate vulnerability are beginning to appear. Yesterday, someone posted a null-prefix certificate for on the full-disclosure mailing list. In conjunction with sslsniff, this certificate can be used to intercept communication to PayPal from all clients using the Windows Crypto API, for which a patch is still not available. This includes IE, Chrome, and Safari on Windows. What’s worse, because of the OCSP attack that Moxie also presented at Defcon, this certificate cannot be revoked.”

Update: 10/06 23:19 GMT by KD: Now it seems that PayPal has suspended Marlinspike’s account.
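
The following is an added example, not code from the Slashdot post, sslsniff or any vendor. It is a simplified model of the name-matching flaw that null-prefix certificates rely on: a certificate name is a length-prefixed byte string, and a client that reads it as a C string stops at the first NUL byte. The struct, function names and sample names are hypothetical and constructed for illustration; wildcard matching is left out.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* A name as decoded from the certificate: bytes plus an explicit length. */
struct cert_name { const unsigned char *data; size_t len; };

/* Case-insensitive comparison of exactly n bytes. */
static bool eq_nocase(const unsigned char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Flawed: measures the name with strlen(), so everything after the first
 * NUL byte is silently ignored when comparing against the host name. */
bool match_cstring(const struct cert_name *cn, const char *host)
{
    size_t n = strlen((const char *)cn->data);
    return n == strlen(host) && eq_nocase(cn->data, host, n);
}

/* Hardened: refuse any name containing a NUL byte, then compare using the
 * decoded length instead of trusting a terminator. */
bool match_length_aware(const struct cert_name *cn, const char *host)
{
    size_t hlen = strlen(host);
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return false;   /* embedded NUL: reject the certificate outright */
    return cn->len == hlen && eq_nocase(cn->data, host, hlen);
}

/* Constructed sample names, not taken from any real certificate. */
static const unsigned char NAME_NUL[] = "www.bank.example\0.attacker.example";
static const unsigned char NAME_OK[]  = "www.bank.example";

struct cert_name sample_nul(void)
{
    struct cert_name n = { NAME_NUL, sizeof NAME_NUL - 1 };
    return n;
}

struct cert_name sample_ok(void)
{
    struct cert_name n = { NAME_OK, sizeof NAME_OK - 1 };
    return n;
}
```

A validator that sees the full decoded length can also log the rejected name, which gives defenders a detection signal for certificates of this kind.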