
XSS Vulnerability in the Real Life: Passports

I'm traveling again. This time to Australia. I travel a few times a year, always departing from the U.S.

Each time I travel internationally, the check-in airline agent dutifully inspects my passport. The latter has acquired a sizable collection of visa labels, admittedly much flashier than the dull black-on-white photo page of the Polish passport. The visas usually occupy the whole page, look nice, and are formatted to somewhat resemble a passport page -- they have a picture, the same personal data, and the two machine-readable lines on the bottom.

Each and every time the airline personnel will ignore the photo page and look at the first official-enough-looking visa. Somehow it always happens to me in the U.S., and never abroad. Heck, they get angry at me for pointing out that they really should not be looking at the flashy visa labels, but at the picture page. Sigh.

Call me paranoid, but if this isn't a huge honking screaming-in-yer-face security vulnerability in the passport inspection process, then I don't know what is. It's like the cross-site scripting vulnerability. You have a trusted webpage (document), and a third party can inject arbitrary data and have it be trusted just the same. IANAL, but last time I checked anyone can stick anything into the visa pages of a passport.

Next thing we know, someone will find that a system that dutifully reads and trusts machine-readable pages will have some sort of a null-terminated string vulnerability. Perhaps one that can lead to executable code injection. Thus we come full circle: from code on punched cards, to code on optically machine-readable paper. Not that some card readers didn't use optical readouts, mind you :)
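As an added example, not part of the original post: the reader-side handling the post worries about, written as a fixed-width ICAO 9303 TD3 line-2 parser in Python that rejects anything that is not exactly 44 characters from the MRZ alphabet before slicing a single field, and verifies every check digit. The specimen line is the public ICAO 9303 test vector, not a value from this post; and note the caveat the post is really about: check digits only prove that the line is internally consistent, they say nothing about which page of the booklet it was read from.

```python
import re

# ICAO 9303 alphabet for machine-readable lines: A-Z, 0-9 and the filler '<'.
MRZ_CHARS = re.compile(r"^[A-Z0-9<]+$")

def char_value(c: str) -> int:
    """Digits count as their value, letters A..Z as 10..35, '<' as 0."""
    if c == "<":
        return 0
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"character not allowed in MRZ: {c!r}")

def check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7,3,1 repeating, sum modulo 10."""
    weights = (7, 3, 1)
    return sum(char_value(c) * weights[i % 3] for i, c in enumerate(field)) % 10

def digit_at(line: str, pos: int) -> int:
    # Some issuers print '<' instead of '0' where the optional field is empty.
    return 0 if line[pos] == "<" else int(line[pos])

def parse_td3_line2(line: str) -> dict:
    """Parse the second MRZ line of a TD3 (passport-size) document.

    Every slice has a fixed width taken from a length-checked string, so a
    short, overlong or oddly encoded line is rejected before any field is
    read; nothing here relies on a terminator. Dates are left as YYMMDD text.
    """
    if len(line) != 44:
        raise ValueError(f"TD3 line 2 must be 44 characters, got {len(line)}")
    if not MRZ_CHARS.match(line):
        raise ValueError("TD3 line 2 contains characters outside A-Z, 0-9, '<'")
    fields = {
        "document_number": line[0:9], "nationality": line[10:13],
        "birth_date": line[13:19], "sex": line[20],
        "expiry_date": line[21:27], "optional_data": line[28:42],
    }
    # Each checked field is followed by its own check digit at a fixed position.
    for name, pos in (("document_number", 9), ("birth_date", 19),
                      ("expiry_date", 27), ("optional_data", 42)):
        if check_digit(fields[name]) != digit_at(line, pos):
            raise ValueError(f"check digit mismatch for {name}")
    # The composite digit covers document number, birth date, expiry date and
    # optional data together with their individual check digits.
    if check_digit(line[0:10] + line[13:20] + line[21:43]) != digit_at(line, 43):
        raise ValueError("composite check digit mismatch")
    return fields

def mrz_is_consistent(line: str) -> bool:
    try:
        parse_td3_line2(line)
        return True
    except ValueError:
        return False

# Public ICAO 9303 specimen line 2 (a test vector, not a value from this post).
SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
```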
