Tuesday, December 28, 2010

Do you worry about Dirty Electricity when you go car shopping? EMF Health Effect Research

I'm in the market for a new automobile. I don't think my current GM model has much life left in it after only 160,000 miles: the transmission sensor is bad, and I think the fuel pump is about to expire. I really wanted to get a hybrid, with the Toyota Prius at the top of the list. In doing my due diligence research I changed my mind, because the Prius seems to suffer from the problem of 'Dirty Electricity'.

http://en.wikipedia.org/wiki/Toyota_Prius:

"The Prius has been known to emit excessively high electromagnetic fields. ICNIRP guidelines stipulate that the maximum long term exposure should not exceed 1mG but the Prius measures higher than 24mG in some locations, such as the rear right seat. ICNIRP guidelines are not law in many (if any) countries. The World Health Organization in conjunction with the ICNIRP conducted a study and found levels above 3mG contribute to a child's risk of developing leukemia. At 12mG, the electromagnetic radiation is so strong it's able to block the body's ability to inhibit cancers (in this case breast cancer) using melatonin. The Toyota Prius exceeds 12mG (up to 24mG) in some areas of the cabin. However Toyota claims that the Prius emits similar fields to conventional gasoline vehicles. The high voltage power cable from the traction battery and the forward electric drive motor/generator passes directly under the driver's seat."

In my blog on EMP I covered the work of the late Dr. Robert Becker, which I think is important enough to repeat here:

I cannot stress enough that anyone interested in the medical research field and/or the effects of our ever increasing exposure to EMFs must read The Body Electric: Electromagnetism and the Foundation of Life by the late Robert Becker and Gary Selden. All research in the field starts here. One key point worth mentioning is that Becker's research showed that low power signals of a given frequency had biological effects that higher power levels of the same signals did not have.


Some will assume that because that work was done decades ago the issues have been solved by now. Alas, they have not, which leads us to the relatively new book Dirty Electricity: Electrification and the Diseases of Civilization by Samuel Milham MD MPH. Dr. Milham covers the research since the time of Dr. Becker.

Lest you think that health problems are limited to power lines and hybrid batteries, we must wonder what our modern wireless society is doing to our health and that of future generations as we design our fancy new Embedded Systems. There have been a few voices crying warnings in the wilderness, such as my friend Dr. Nick Begich, who in 1999 wrote Cell Phone Convenience or 21st Century Plague? along with my friend the late James Roderick; it was originally published in Explore! magazine, followed by the book Earth Rising II: The Betrayal of Science, Society and the Soul in 2002.

Here in 2010 we find Should You Be Snuggling With Your Cellphone? by Randall Stross. [The text is also available from the RISKS Digest, should you find the previous link behind a pay-wall.]

Microwave News is a good place to stay up to date on what is happening in the health versus wireless technology arena. For example, this obscure report released on December 21, 2010 in Epidemiology.

We should not fall into the cynical trap of thinking that all EMF exposures are bad. In the early part of the twentieth century, before the American Medical Association and Big Pharma corrupted health care, there was a thriving Electromedicine community. As far back as the time of Tesla we can find items like his Violet Ray, a glass tube filled with argon that gives off a purplish glow when it is plugged in. Mine is extremely noisy and the smell of ozone wafts through the air, so I don't use it much. The Inert Gas FAQ may interest you, as well as the out of print book Einstein Doesn't Work Here Anymore by Maurice B. Cooke, should you be interested in such things.

Perhaps the best documented work of lost Electromedicine knowledge is the work of Royal Raymond Rife, as documented in Barry Lynes' book The Cancer Cure That Worked: 50 Years of Suppression.


"It ain't so much the things we don't know that get us into trouble. It's the things we know that just ain't so." -- Artemus Ward and/or Josh Billings.

Friday, December 24, 2010

Is that new Christmas Present set up naughty or nice? Better check it twice...

Did Santa Claus put a new SmartPhone, PC, Router, or other new electronic widget under your Christmas Tree this year? Do you know if Santa's Magic Elves set up the security properly? Better check it twice to see if it is set up naughty or nice!

Over at Network Information Security & Technology News we can find the current security news for the day. Around the holidays it is always good to keep up on the latest security issues. Those who just received their new Christmas Present might not understand the security issues that shiny new present might open them up to. It is especially important to explain security to the younger crowd. Here are a few suggestions to get you started:

"Merry Christmas to all, and to all a good night..."

Saturday, December 11, 2010

What happens when our chips get sick? Is there a Chip Doctor?

A couple of things in the news about bacteria and viruses being engineered into our components, on purpose, have me wondering what happens when our components get sick.

Colloidal Silver and Oil of Oregano are popular home remedies when we get a virus or bacteria. However, if we treated our components that way (if we could), they would stop working.

Colloidal Silver is something you can make at home with a current source (see Q1 and Q2 in figure five of Design Note 189 from Linear Technology for an example of a current source) and some pure silver wire, the kind used for repairing jewelry. Always make sure you measure what you make. I use a HM Digital TDS-3 myself.

Mix the Oil of Oregano with some juice or water when you first take it; otherwise it will burn a hole in your tongue.

Sorry I digress...

Logic gates to program bacteria as computers by Julien Happich:

"A team of researchers from the University of California, San Francisco (UCSF) has engineered E. coli with the key molecular circuitry that will enable genetic engineers to program cells to communicate and perform computations. The work builds into cells the same logic gates found in electronic computers and creates a method to create circuits by 'rewiring' communications between cells."

How the Future of Big Tobacco Could Be Tiny Lithium Batteries by Kit Eaton:

"The tobacco mosaic virus is a destructive beast infecting over a hundred different species of plants, including tomatoes. [This includes many other plants of the Nightshade Family as well.] But it may have a weird eco benefit: Incorporated into lithium batteries, it can increase storage capacity ten times."


Maybe we have the Andromeda Strain to look forward to...

Saturday, December 4, 2010

Where is that kick back for the SQL Injection on the Free Software Foundation you promised me?

Of course I had nothing to do with the Free Software Foundation attack, which Joab Jackson of IDG News covers in more detail in his article Free Software Foundation's Software Repository Hacked. However, the subject line gives me the opportunity to talk about Full Disclosure and the collectively pathetic job we are all doing in learning from past mistakes when it comes to Secure Coding.

business.ftc.gov | Your Link to the Law

The Federal Trade Commission (FTC) has in place its Endorsement Guides, which require all bloggers to fully disclose any compensation they receive from another party. The FTC Business Center Blog tells us how these new rules came about, and why I'm bringing them up now.

If you want more information, read The FTC’s Revised Endorsement Guides: What People are Asking or watch this video.

My current earnings from this blog are, as of moments ago, $9.73 via Google AdSense, and earnings from the Amazon Book Associates program so far have been nothing (no one wants to read books anymore?). You can see that I'm not going to be giving up my day job anytime soon to become a full time blogger, unless someone does come up with some great largesse to do so, which I'd disclose here.

The products I've mentioned here are ones I've used in some manner, or have hopes of using in the future, and no one has paid me to mention them.

The one priceless item for my blog here is Michael Barr's gracious linking to us from his Embedded Gurus site, which I link back to over on that menu to your right (if you are using a web browser and not the RSS feed). I hope you have checked out those resources.

Now, with the legal-like stuff out of the way, let's move on to something usable in our products.


According to the FSF, attackers breached the FSF server Nov. 24 by using SQL injection attacks against the Savane bug tracking application.

On Black Friday (for our international readers: Black Friday is the day after the US Thanksgiving holiday, when merchants hope people buy enough stuff to put them into black ink, versus red ink meaning a loss, to have a profitable year), I coincidentally picked up the book SQL Antipatterns: Avoiding the Pitfalls of Database Programming by Bill Karwin, from The Pragmatic Bookshelf. Yearly on Black Friday they have a very generous discount for the frugal among us.

"Bill Karwin has helped thousands of people write better SQL and build stronger relational databases. Now he's sharing his collection of antipatterns—the most common errors he's identified in those thousands of requests for help.

Most developers aren't SQL experts, and most of the SQL that gets used is inefficient, hard to maintain, and sometimes just plain wrong. This book shows you all the common mistakes, and then leads you through the best fixes. What’s more, it shows you what’s behind these fixes, so you’ll learn a lot about relational databases along the way."

Chapter 21 is devoted exclusively to how SQL injection works and what needs to be done to stop it from happening. In a nutshell, someone enters an SQL fragment into a web form on a site, and that site accepts the data without proper sanitizing of the inputs. This problem has existed for years, yet we still allow it to happen. Why? The other related, and most common, attack is some type of buffer overflow exploit. Again, a problem that has been around for decades, and we still have not learned that it needs to be prevented in our code. Bill goes into great detail on the proper way to prevent a SQL injection.



The XKCD cartoon on how Mom legally named her son "Robert'); Drop Table" to crash any database that tried to collect his identity.


Even if you have no reason to be interested in SQL, Bill's book is still worth checking out because of some of the other chapters, such as the one on readable passwords and the social engineering used to get them, and what needs to be done to prevent such attacks, like 'salting' a password. That is, append random data to what the user enters so that dictionary attacks will not work. The random string is saved in the user's account; the user has no knowledge of it.

As the issue of buffer overflows has been around a long time, there are already organizations like CERT (CERT is not an acronym; it is a name and a registered trademark of Carnegie Mellon University) that have developed best-practice Secure Coding Standards for C, C++, and Java.

"Easily avoided software defects are a primary cause of commonly exploited software vulnerabilities. CERT staff has observed, through an analysis of thousands of vulnerability reports, that most vulnerabilities stem from a relatively small number of common programming errors. By identifying insecure coding practices and developing secure alternatives, software developers can take practical steps to reduce or eliminate vulnerabilities before deployment.

As part of the CERT Secure Coding Initiative, members of the Secure Coding team work with software developers and software development organizations to reduce vulnerabilities resulting from coding errors before they are deployed. We strive to identify common programming errors that lead to software vulnerabilities, establish standard secure coding standards, educate software developers, and to advance the state of the practice in secure coding."

CERT is currently researching survivable systems engineering that includes analyzing how susceptible systems are to sophisticated attacks and finding ways to improve the design of systems.

We can find a good introduction to the problem of buffer overflows and injection attacks in Robert C. Seacord's 2006 paper Safer Strings in C: Using the Managed String Library.

CERT has a few libraries that you can use to make your code more secure, such as the Managed String Library:

The managed string library was developed in response to the need for a string library that can improve the quality and security of newly developed C-language programs while eliminating obstacles to widespread adoption and possible standardization. As the name implies, the managed string library is based on a dynamic approach; memory is allocated and reallocated as required. This approach eliminates the possibility of unbounded copies, null-termination errors, and truncation by ensuring that there is always adequate space available for the resulting string (including the terminating null character). The one exception is if memory is exhausted; that is treated as an error condition. In this way, the managed string library accomplishes the goal of indicating either success or failure. The managed string library also protects against improper data sanitization by (optionally) ensuring that all characters in a string belong to a predefined set of "safe" characters.

String Manipulation Errors:

Many software vulnerabilities in C programs arise through the use of the standard C string manipulating functions. String manipulation programming errors include buffer overflow through string copying, truncation errors, termination errors and improper data sanitization.

Buffer overflow can easily occur during string copying if the fixed-length destination of the copy is not large enough to accommodate the source of the string. This is a particular problem when the source is user input, which is potentially unbounded. The usual programming practice is to allocate a character array that is generally large enough. However, this fixed-length array can still be exploited by a malicious user who supplies a carefully crafted string that overflows the array in such a way that the security of the system is compromised. This remains the most common exploit in fielded C code today.

In attempting to overcome the buffer overflow problem, some programmers limit the number of characters that are copied. This can result in strings being improperly truncated, which in turn results in a loss of data that may lead to a different type of software vulnerability.

A special case of truncation error is a termination error. Many of the standard C string functions rely on strings being null terminated. However, the length of a string does not include the null character. If just the non-null characters of a string are copied, the resulting string may not be properly terminated. A subsequent access may run off the end of the string, corrupting data that should not have been touched.

Finally, inadequate data sanitization can also lead to software vulnerabilities. In order to properly function, many applications require that data not contain certain characters. Ensuring that the strings used by the application do not include illegal characters can often prevent malicious users from exploiting an application.

Take a look at 07. Characters and Strings (STR) for some specific examples.
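As an added example (not code from the post, from CERT's managed string library, or from Bill Karwin's book), the C below follows the managed-string contract the Seacord excerpt describes and applies its "safe character set" idea to the login-form input from the SQL injection discussion above: copies are allocated to exact size (no overflow, no truncation, always null terminated), memory exhaustion and disallowed characters are reported as errors, and a fixed-buffer copy refuses to truncate rather than silently losing data. The SAFE_NAME policy, the function names, and the Students table are assumptions for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy: characters a login-form user name may contain. */
static const char SAFE_NAME[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_";

/* Managed-string style copy: allocates exactly strlen(src)+1 bytes, so it can
 * neither overflow nor truncate and is always null terminated. If `safe` is
 * given, characters outside it are rejected. NULL + errno on failure. */
char *mstr_dup(const char *src, const char *safe)
{
    size_t len = strlen(src);
    if (safe != NULL && strspn(src, safe) != len) {
        errno = EINVAL;              /* improper data: unsafe character */
        return NULL;
    }
    char *dst = malloc(len + 1);     /* room for the terminating null */
    if (dst == NULL) {
        errno = ENOMEM;              /* exhaustion is an error, never a short copy */
        return NULL;
    }
    memcpy(dst, src, len + 1);       /* caller frees the result */
    return dst;
}

/* Fixed-buffer copy that refuses to truncate: 0 and a terminated string on
 * success, -1 and an empty dst when src plus its null does not fit. */
int copy_no_truncate(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0) return -1;
    size_t len = strlen(src);
    if (len + 1 > dstsize) { dst[0] = '\0'; return -1; }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Builds the lookup query only from a sanitized name: the quote and semicolon
 * in the XKCD "Robert'); Drop Table" input are rejected before any SQL exists.
 * Parameterized queries stay the primary defence; this is the sanitizing step. */
int build_user_query(char *out, size_t outsize, const char *form_name)
{
    char *name = mstr_dup(form_name, SAFE_NAME);
    if (name == NULL) return -1;
    int r = snprintf(out, outsize, "SELECT * FROM Students WHERE name = '%s';", name);
    free(name);
    return (r < 0 || (size_t)r >= outsize) ? -1 : 0;
}
```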

Alas, the managed string library uses errno and depends on malloc() and realloc(), which are not MISRA compliant. So it becomes a design decision on how best to proceed with any given project.

Vulnerabilities are not limited to strings. Integer overflows are a security issue as well. To that end, CERT also provides the secure integer library IntegerLib, which was developed by the CERT/CC and is freely available.

While the CERT information is invaluable, the presentation of it is hideous: popup links that are impossible to click on, and most pages start with a completely useless blue box filling the top half of the page that you must scroll past to see the interesting stuff; then, once on the blue pages, you have to click the top bold link to really get to what you want to see.