This kinda reminds me of FX's barcode scanner talk from 24c3:<br><br><a href="http://hackaday.com/2007/12/30/24c3-toying-with-barcodes/">http://hackaday.com/2007/12/30/24c3-toying-with-barcodes/</a><br><br>In terms of having data scrubbing for license plate readers, barcode scanners, etc.... most of those systems have NOTHING like that. Many governments and private companies just hire non-security-minded programmers who whip up something that basically works, usually duct-taping like three software packages together in the process, and pray that it works enough to ship. The companies that have extra resources might hire a security consultant to do some fuzzing, but past that, these tricks work remarkably well.<br>
<br>Now, for this specific example, I doubt it actually works, but it'd be funny as hell if it did.<br><br><div class="gmail_quote">On Mon, Mar 22, 2010 at 10:18 AM, Matt Brannock <span dir="ltr"><<a href="mailto:heisroot@gmail.com">heisroot@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">Maybe when the OCR fails, it's passed to a human being to interpret. If the human being decides to enter the full line, and their entry form does no validation/sanitization, it's conceivable.<div>
<br></div><div>I've seen physical security system software (especially surveillance software). Unbelievably awful.</div>
<div><br></div><div>Still quite a long shot...<div><div></div><div class="h5"><br><br><div class="gmail_quote">On Mon, Mar 22, 2010 at 7:53 AM, Red ShuttleGunner <span dir="ltr"><<a href="mailto:redshuttlegunner@gmail.com" target="_blank">redshuttlegunner@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div>perfectly reasonable question. physical security systems are crap. people who build video analytics software (that "we can read your licence plate on the far side of the corporate parking lot" stuff) are indeed the kind of microsoft koolaid-sipping idiot app programmers who would drop unscrubbed input into the backend.</div>
<div> </div>
<div>I love it. will take this picture with me to ISC West (physical security conference this week in 'Vegas, where I'm doing a talk.)</div>
<div> </div>
<div>Yes, sensible developers aware of 21st century coding defenses could trivially survive this, were it to get back a rationally designed set of equipment that might read this.</div>
<div> </div>
<div>Like I said, not the folks running the monitoring cameras...<br><br></div>
<div class="gmail_quote"><div><div></div><div>On Sun, Mar 21, 2010 at 10:36 PM, Ozzy Satori <span dir="ltr"><<a href="mailto:ozzymandi@gmail.com" target="_blank">ozzymandi@gmail.com</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="padding-left: 1ex; margin: 0px 0px 0px 0.8ex; border-left: 1px solid rgb(204, 204, 204);"><div><div></div><div><a href="http://i.imgur.com/RQcCi.jpg" target="_blank">http://i.imgur.com/RQcCi.jpg</a>
<div><br></div>
<div>I know it's a long-shot, but I'm seeing the most epic civil-disobedience campaign in history. </div>
<div><br></div>
<div>I'm a mobile client guy whose always depended on Database Programmers for my SQL stuff, but I'd love some tech feasibility opinions from people who know more than me.</div>
<div><br></div>
<div>Is this an injection vector that the vendors would have likely considered? </div>
<div><br></div><font color="#888888">
<div>-Ozzy.</div></font><br></div></div><div>_______________________________________________<br>Noisebridge-discuss mailing list<br><a href="mailto:Noisebridge-discuss@lists.noisebridge.net" target="_blank">Noisebridge-discuss@lists.noisebridge.net</a><br>
<a href="https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss" target="_blank">https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss</a><br><br></div></blockquote></div><br>
<br>_______________________________________________<br>
Noisebridge-discuss mailing list<br>
<a href="mailto:Noisebridge-discuss@lists.noisebridge.net" target="_blank">Noisebridge-discuss@lists.noisebridge.net</a><br>
<a href="https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss" target="_blank">https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss</a><br>
<br></blockquote></div><br></div></div></div>
<br>_______________________________________________<br>
Noisebridge-discuss mailing list<br>
<a href="mailto:Noisebridge-discuss@lists.noisebridge.net">Noisebridge-discuss@lists.noisebridge.net</a><br>
<a href="https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss" target="_blank">https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss</a><br>
<br></blockquote></div><br>