This kinda reminds me of FX's barcode scanner talk from 24c3:<br><br><a href="http://hackaday.com/2007/12/30/24c3-toying-with-barcodes/">http://hackaday.com/2007/12/30/24c3-toying-with-barcodes/</a><br><br>In terms of having data scrubbing for license plate readers, barcode scanners, etc.... most of those systems have NOTHING like that. Many governments and private companies just hire non-security-minded programmers who whip up something that basically works, usually duct-taping like three software packages together in the process, and pray that it works enough to ship. The companies that have extra resources might hire a security consultant to do some fuzzing, but past that, these tricks work remarkably well.<br>
<br>Now, for this specific example, I doubt it actually works, but it'd be funny as hell if it did.<br><br><div class="gmail_quote">On Mon, Mar 22, 2010 at 10:18 AM, Matt Brannock <span dir="ltr"><<a href="mailto:heisroot@gmail.com">heisroot@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">Maybe when the OCR fails, it's passed to a human being to interpret. If the human being decides to enter the full line, and their entry form does no validation/sanitization, it's conceivable.<div>
<br></div><div>I've seen physical security system software (especially surveillance software). Unbelievably awful.</div>
<div><br></div><div>Still quite a long shot...<div><div></div><div class="h5"><br><br><div class="gmail_quote">On Mon, Mar 22, 2010 at 7:53 AM, Red ShuttleGunner <span dir="ltr"><<a href="mailto:redshuttlegunner@gmail.com" target="_blank">redshuttlegunner@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div>perfectly reasonable question. physical security systems are crap. people who build video analytics software (that "we can read your licence plate on the far side of the corporate parking lot" stuff) are indeed the kind of microsoft koolaid-sipping idiot app programmers who would drop unscrubbed input into the backend.</div>
<div><br></div>
<div>I love it. will take this picture with me to ISC West (physical security conference this week in 'Vegas, where I'm doing a talk.)</div>
<div><br></div>
<div>Yes, sensible developers aware of 21st century coding defenses could trivially survive this, were it to get back a rationally designed set of equipment that might read this.</div>
<div><br></div>
<div>Like I said, not the folks running the monitoring cameras...<br><br></div>
<div class="gmail_quote"><div><div></div><div>On Sun, Mar 21, 2010 at 10:36 PM, Ozzy Satori <span dir="ltr"><<a href="mailto:ozzymandi@gmail.com" target="_blank">ozzymandi@gmail.com</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="padding-left: 1ex; margin: 0px 0px 0px 0.8ex; border-left: 1px solid rgb(204, 204, 204);"><div><div></div><div><a href="http://i.imgur.com/RQcCi.jpg" target="_blank">http://i.imgur.com/RQcCi.jpg</a>
<div><br></div>
<div>I know it's a long-shot, but I'm seeing the most epic civil-disobedience campaign in history.</div>
<div><br></div>
<div>I'm a mobile client guy whose always depended on Database Programmers for my SQL stuff, but I'd love some tech feasibility opinions from people who know more than me.</div>
<div><br></div>
<div>Is this an injection vector that the vendors would have likely considered?</div>
<div><br></div><font color="#888888">
<div>-Ozzy.</div></font><br></div></div><div>_______________________________________________<br>Noisebridge-discuss mailing list<br><a href="mailto:Noisebridge-discuss@lists.noisebridge.net" target="_blank">Noisebridge-discuss@lists.noisebridge.net</a><br>
<a href="https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss" target="_blank">https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss</a><br><br></div></blockquote></div><br>
<br></blockquote></div><br></div></div></div>
<br></blockquote></div><br>
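<div>Added example, not part of the thread and not any vendor's code: the "21st century coding defenses" the replies above say a sensible developer would apply to OCR output, written out in Python against an in-memory sqlite3 table. The table, the assumed plate format (letters, digits, internal spaces or hyphens, up to ten characters) and the sample plate strings are all constructed for the demo. <code>record_unsafe</code> is the defect being discussed (OCR text pasted into the SQL string, so a stray quote becomes syntax); <code>record_safe</code> is the hardened path that validates against an allowlist and then binds the value as a parameter; <code>record_bound_only</code> shows that parameter binding alone already keeps the quote as data.</div>

```python
import re
import sqlite3

# Allowlist for plausible plate text: uppercase letters and digits, with
# optional internal spaces or hyphens, 1 to 10 characters total.  This
# format is an assumption for the example; real formats vary by jurisdiction.
PLATE_RE = re.compile(r"^[A-Z0-9](?:[A-Z0-9 -]{0,8}[A-Z0-9])?$")


def normalize_plate(raw: str):
    """Strip, upper-case and collapse whitespace in OCR output.

    Returns the cleaned plate, or None if it fails the allowlist.
    """
    cleaned = " ".join(raw.strip().upper().split())
    return cleaned if PLATE_RE.fullmatch(cleaned) else None


def make_db():
    """Constructed schema for the demo: one table of plate sightings."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sightings ("
        "id INTEGER PRIMARY KEY, plate TEXT NOT NULL, seen_at TEXT NOT NULL)"
    )
    return conn


def record_unsafe(conn, raw_plate: str, seen_at: str) -> bool:
    """The defect the thread worries about: OCR text concatenated into SQL.

    Any quote character in the OCR output is parsed as SQL syntax.  Returns
    False when the statement fails to parse, which is the visible symptom
    that the input reached the SQL parser as code rather than data.
    """
    sql = (
        "INSERT INTO sightings (plate, seen_at) "
        f"VALUES ('{raw_plate}', '{seen_at}')"
    )
    try:
        conn.execute(sql)
        conn.commit()
        return True
    except sqlite3.Error:
        return False


def record_bound_only(conn, raw_plate: str, seen_at: str) -> bool:
    """Parameter binding without validation: the value is never SQL syntax,
    so a quote is stored as an ordinary character."""
    conn.execute(
        "INSERT INTO sightings (plate, seen_at) VALUES (?, ?)",
        (raw_plate, seen_at),
    )
    conn.commit()
    return True


def record_safe(conn, raw_plate: str, seen_at: str) -> bool:
    """Hardened path: allowlist validation first, then parameter binding.

    Returns False when the OCR output is rejected by the allowlist.
    """
    plate = normalize_plate(raw_plate)
    if plate is None:
        return False
    conn.execute(
        "INSERT INTO sightings (plate, seen_at) VALUES (?, ?)",
        (plate, seen_at),
    )
    conn.commit()
    return True


def stored_plates(conn):
    """Plates currently in the table, in insertion order."""
    return [row[0] for row in conn.execute("SELECT plate FROM sightings ORDER BY id")]


if __name__ == "__main__":
    db = make_db()
    when = "2010-03-21T22:36:00"  # constructed timestamp
    print("unsafe, clean plate:", record_unsafe(db, "7ABC 123", when))
    print("unsafe, plate with quote:", record_unsafe(db, "AB12'CD", when))
    print("safe, plate with quote:", record_safe(db, "AB12'CD", when))
    print("bound only, plate with quote:", record_bound_only(db, "AB12'CD", when))
    print("stored:", stored_plates(db))
```

<div>The two defences are independent: binding stops the database from ever interpreting plate text as syntax, and the allowlist keeps garbage OCR output (and any human re-keyed entry, per the point about fallback operators) out of the table in the first place. Use both; the allowlist is the one most likely to be missing in the kind of duct-taped systems the thread describes.</div>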