[Noisebridge-discuss] Any chance in hell this might work?

aestetix aestetix aestetix at gmail.com
Mon Mar 22 17:43:45 UTC 2010


This kinda reminds me of FX's barcode scanner talk from 24c3:

http://hackaday.com/2007/12/30/24c3-toying-with-barcodes/

In terms of having data scrubbing for license plate readers, barcode
scanners, etc.... most of those systems have NOTHING like that. Many
governments and private companies just hire non-security-minded programmers
who whip up something that basically works, usually duct-taping like three
software packages together in the process, and pray that it works enough to
ship. The companies that have extra resources might hire a security
consultant to do some fuzzing, but past that, these tricks work remarkably
well.

Now, for this specific example, I doubt it actually works, but it'd be funny
as hell if it did.

On Mon, Mar 22, 2010 at 10:18 AM, Matt Brannock <heisroot at gmail.com> wrote:

> Maybe when the OCR fails, it's passed to a human being to interpret. If the
> human being decides to enter the full line, and their entry form does no
> validation/sanitization, it's conceivable.
>
> I've seen physical security system software (especially surveillance
> software). Unbelievably awful.
>
> Still quite a long shot...
>
>
> On Mon, Mar 22, 2010 at 7:53 AM, Red ShuttleGunner <
> redshuttlegunner at gmail.com> wrote:
>
>> perfectly reasonable question.  physical security systems are crap.
>> people who build video analytics software (that "we can read your licence
>> plate on the far side of the corporate parking lot" stuff) are indeed the
>> kind of microsoft koolaid-sipping idiot app programmers who would drop
>> unscrubbed input into the backend.
>>
>> I love it.  will take this picture with me to ISC West (physical security
>> conference this week in 'Vegas, where I'm doing a talk.)
>>
>> Yes, sensible developers aware of 21st century coding defenses could
>> trivially survive this, were it to get back a rationally designed set of
>> equipment that might read this.
>>
>> Like I said, not the folks running the monitoring cameras...
>>
>> On Sun, Mar 21, 2010 at 10:36 PM, Ozzy Satori <ozzymandi at gmail.com> wrote:
>>
>>> http://i.imgur.com/RQcCi.jpg
>>>
>>> I know it's a long-shot, but I'm seeing the most epic civil-disobedience
>>> campaign in history.
>>>
>>> I'm a mobile client guy who's always depended on Database Programmers for
>>> my SQL stuff, but I'd love some tech feasibility opinions from people who
>>> know more than me.
>>>
>>> Is this an injection vector that the vendors would have likely
>>> considered?
>>>
>>> -Ozzy.
>>>
>>> _______________________________________________
>>> Noisebridge-discuss mailing list
>>> Noisebridge-discuss at lists.noisebridge.net
>>> https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss
>>>
>>>
>>
>
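
The failure mode the thread keeps circling (OCR or a human operator hands the plate text straight to the database, unscrubbed) is easy to show side by side with the fix. The following is an added example, not code from the thread or from any plate-reader vendor: a toy sightings log in SQLite. The plate strings are constructed for the demo and are not the text of the plate in the linked photo; the table and column names are made up. The vulnerable variant runs the formatted string with `executescript` because Python's `sqlite3.execute` refuses stacked statements, whereas many production drivers (MySQL with multi-statements enabled, SQL Server) happily run them, which is the case the thread is worried about.

```python
import re
import sqlite3

# Constructed sample "plates", as an OCR stage or a human fallback form might
# hand them to the backend. The second one is a constructed injection payload,
# not the text on the plate in the linked photo.
PLATES = [
    "ABC1234",
    "ZZ9', 'x'); DROP TABLE sightings;--",
]

# Hypothetical allow-list for plate text: only upper-case letters and digits.
PLATE_RE = re.compile(r"^[A-Z0-9]{2,8}$")


def fresh_db():
    """In-memory database with a made-up sightings table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sightings (plate TEXT NOT NULL, camera TEXT NOT NULL)"
    )
    return conn


def log_sighting_vulnerable(conn, plate, camera):
    """The 'drop unscrubbed input into the backend' pattern: the statement is
    built by string formatting and run as a script, so a plate carrying a
    quote and a semicolon ends the INSERT and runs whatever follows."""
    sql = "INSERT INTO sightings (plate, camera) VALUES ('%s', '%s');" % (
        plate,
        camera,
    )
    conn.executescript(sql)


def log_sighting_parameterized(conn, plate, camera):
    """Parameterized insert: the plate is bound as data, never parsed as SQL,
    so the payload is stored verbatim as an ordinary (if odd) plate string."""
    conn.execute(
        "INSERT INTO sightings (plate, camera) VALUES (?, ?)", (plate, camera)
    )


def log_sighting_safe(conn, plate, camera):
    """Defense in depth: reject anything that cannot be a plate before it
    reaches the database, then bind it as a parameter anyway."""
    if not PLATE_RE.fullmatch(plate):
        raise ValueError("rejected plate text: %r" % plate)
    log_sighting_parameterized(conn, plate, camera)


def table_exists(conn):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='sightings'"
    ).fetchone()
    return row[0] == 1


def run_vulnerable():
    """Returns whether the sightings table survived the constructed plates."""
    conn = fresh_db()
    for plate in PLATES:
        try:
            log_sighting_vulnerable(conn, plate, "lot-cam-1")
        except sqlite3.Error:
            pass  # a malformed payload would just error out; this one does not
    return table_exists(conn)


def run_parameterized_only():
    """Returns the stored plate strings, in insertion order."""
    conn = fresh_db()
    for plate in PLATES:
        log_sighting_parameterized(conn, plate, "lot-cam-1")
    rows = conn.execute("SELECT plate FROM sightings ORDER BY rowid").fetchall()
    return [plate for (plate,) in rows]


def run_safe():
    """Returns (table survived, rows stored, plates rejected by validation)."""
    conn = fresh_db()
    rejected = []
    for plate in PLATES:
        try:
            log_sighting_safe(conn, plate, "lot-cam-1")
        except ValueError:
            rejected.append(plate)
    count = conn.execute("SELECT count(*) FROM sightings").fetchone()[0]
    return table_exists(conn), count, rejected


if __name__ == "__main__":
    print("vulnerable backend kept its table:", run_vulnerable())
    print("parameterized backend stored:", run_parameterized_only())
    print("validated backend:", run_safe())
```

The parameterized version alone defeats the injection; the allow-list is what Matt's human-entry fallback form would also need, since it cuts the payload off before any driver, stacked-statement-capable or not, sees it.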