
Thursday, 16 Aug 2007

I just had an e-mail which was far too good to fail to make any comments and poke holes at.

"FRESHERS CARNAGE IS HERE!" it exclaims the second paragraph in.

We're killing freshers now?! Second and third year revolt!?

"What else do we need to say? THE biggest bar crawl ever to hit university life just arrived for its autumn term installment!!" now this being from a company formally known as "StudentNightTickets" is to be expected.. but what is this carnage they are referring to?

Plus, do we really hate freshers that much that we wish to exercise "The savage and excessive killing of many people" on first years?

For those of you who don't know what Carnage is (i.e. me) "read here" the e-mail states :

"Carnage is probably the most well known event that carnival holds, it involves quite simply dressing up in the theme we give you, or any theme for that matter, we all meet in the guild for pre - drinks and picture taking whilst we are sober enough to look semi decent, and everyone still has the majority of their costumes intact!! Next on a bus to town, the bus journey should never be missed you will learn many new drinking games and the sports teams like to teach you songs with absurd lyrics!!! Pile off the bus and do a bar crawl through town; harass many people by completing the dares on your t-shirt which always involve pulling as many stewards as poss!!! We end up at Oceana, if you make it that far, u are truly a hardcore carnival groupie!!!!"

Go on, preach to me that Birmingham University supports a "Safe and mature drinking" policy... Go on.. lie to me... Whilst they're learning their myriad of drinking games, absurd lyrics and looking anything beyond semi decent you can just imagine this now "Hi, I'm Dave, founder of "Freshers Carnage" and I have an important announcement to make..firstly you're all going to get completely and totally wrecked on this booze up.. and secondly, The University of Birmingham PR department has advised us to inform you that the UoB has a safe drinking policy.." now, on to the drinks!

Saturday, 25 Aug 2007

This is part 2 of the step by step in-order documentation of the NatWest Card Reader and my findings and review of it.

Introduction :
On the 16th of August 2007 I receive a letter from my bank.. "Oh not ANOTHER terms and conditions change? It's not like I read the last 7.. Right, fire up the shredder!" but no, this one had a rather exciting heading so we went for it..

You can catch up on how that went here because we're not going through all that again.. why? Well this isn't "Part 1" anymore, no, it's Part 2.. We get it out!

Packaging :
Firstly it's packaged in a plastic wrap, inside bubble wrap inside a box inside a box on a tray... No expenses, plastic or environment spared..

When you get the device out it just looks like a calculator.. fairly unimpressive :( and in fact I got rather bored of this "2 Part Special" after opening the box.. but anyway.. on to the detail.

Interesting Details :
- It is completely stand alone and does not connect with your computer in any way.. other than requiring you to enter in a number you see on screen and for you to read the number off it and type it back in on your keyboard.

- The device is capable of barring/blocking your card.. With "Chip and pin" the pin is ACTUALLY stored on the chip (I didn't know this.. I assumed the chip was just some serial number but in actual fact they are WRITING the new pin to the card when you change your PIN)

Get your PIN wrong 3 times on this device and you're looking at speaking to the jolly good people at your bank.

Are there security implications? I think there are..

"something tells me that some clever clogs will modify this device to not lock the card after 3 incorrect guesses and thus make a PIN cracking tool out of it." (http://blog.jazzle.co.uk/why-i-might-leave-my-bank-the-natwest-card-reader)

Though also on that page they dictate it is actually the chip that does all the processing including locking itself out.. I'm no chip and pin expert so I'll have to leave that to the experts.

- At the moment only certain high-risk transactions (paying people) initiate a "You need a reader" session.. though I imagine the number of card-reader required tasks will increase.

- On another environment related note.. It's cheaper for NatWest to send you a new card reader than batteries for an existing one (http://blog.jazzle.co.uk/why-i-might-leave-my-bank-the-natwest-card-reader)

- The basic idea for the device is that it runs some clever number crunching on your card, incorporates the number the website gives you and returns back a code.. the NatWest server validates this code and the job is done..

- The increased security idea is that someone would also need this device (or at the very least the numbers off your card and the algorithm) to emulate such a response even if they know your password/PIN. Also, you are not typing your password or PIN numbers in to perform certain requests, so whereas before a key logger could be installed on people's computers (especially the non computer wizardry folk's) and this would mean the password/PIN was a free for all.. This is the second level of security the card reader will add... Though this will make little difference to my security as I would like to think I would notice a key logger installed.

- This card reader will only work with newer cards with small chips, the fatter chips are close but no cigar for this little reader.

- As for NatWest rolling them out, changing a card or an old card expiring seems to force you to receive one of these cards... After all the card reader won't read "old school" cards.. so it'd be pointless them giving you one in advance.

- Apparently this card reader will work with other banks too.. the algorithm is in principle the same. Though I cannot confirm this.
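
The challenge-and-code exchange and the chip-side lockout described in the points above, as an added Python model that is not from this post or from NatWest. HMAC-SHA256, the 8-digit code, the counter window, the class names and the key are assumptions of the model; the reader's real algorithm is not given on this page.

```python
import hashlib
import hmac

def code_for(key: bytes, counter: int, challenge: str) -> str:
    """8-digit code over (counter, challenge). HMAC-SHA256 is a stand-in."""
    mac = hmac.new(key, counter.to_bytes(4, "big") + challenge.encode(),
                   hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

class ToyCard:
    """The chip: key, PIN and try counter never leave this object."""
    def __init__(self, key: bytes, pin: str):
        self._key, self._pin = key, pin
        self.tries_left, self.counter = 3, 0

    def respond(self, pin: str, challenge: str):
        """Return a code, or None if the PIN is wrong or the card is blocked."""
        if self.tries_left == 0:          # blocked: even the right PIN fails
            return None
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.tries_left -= 1          # counted on the chip, not in the reader
            return None
        self.tries_left = 3
        self.counter += 1                 # every code is bound to a fresh counter
        return code_for(self._key, self.counter, challenge)

class ToyBank:
    """Server side: shares the card key and remembers the last counter seen."""
    def __init__(self, key: bytes):
        self._key, self.last_counter = key, 0

    def verify(self, challenge: str, code: str, window: int = 5) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + window):
            if hmac.compare_digest(code_for(self._key, c, challenge), code):
                self.last_counter = c     # codes at or below c are now dead
                return True
        return False

def demo() -> dict:
    key, ch = b"constructed-demo-key", "48213907"   # constructed sample values
    card, bank = ToyCard(key, "1234"), ToyBank(key)
    code = card.respond("1234", ch)
    out = {"accepted": bank.verify(ch, code), "replayed": bank.verify(ch, code),
           "other_payment": bank.verify("11112222", card.respond("1234", ch))}
    for guess in ("0000", "1111", "2222"):          # three wrong PINs in a row
        card.respond(guess, ch)
    out["correct_pin_after_lockout"] = card.respond("1234", ch)
    return out
```

In this model a code captured from the keyboard is useless once accepted, and a code made for one on-screen number does not validate against another.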

Photos & Screenshots :
NatWest Card Reader

This is a step by step in-order documentation of the NatWest Card Reader and my findings and review of it.

Introduction :
On the 16th of August 2007 I receive a letter from my bank.. "Oh not ANOTHER terms and conditions change? It's not like I read the last 7.. Right, fire up the shredder!" but no this one had a rather exciting heading so we went for it..

"NatWest OnLine banking security" it says in bold.
"I would like to advise you of some enhanced security measures that we will be introducing shortly to help further protect our customers against Internet banking fraud."
I'm ok with the protecting me part.. what are they asking from me?

"In future, when you use your NatWest OnLine banking service, you will be prompted to provide additional security information for certain transactions before you can proceed."
.. oh great ANOTHER passcode or ANOTHER maiden name or "Secret Word" or "Secret Phrase" or "Secret Color" or "Secret Number".. or whatever other awful "new, we're one step ahead of the hackers" technique they thought would be a good idea? No

"You will be able to provide this information by using a Card-Reader (Ed:sic) that we will send to you within the next few weeks along with simple instructions on its use."
... not that I asked for this of course.

"This extra level of security demonstrates our continued commitment"
...uhoh brown nosing...
" to keeping your OnLine banking transactions with us safe. Please look out for your Card-Reader"
(Ed: ooh not underlined this time.. the underlining police must have got them this time)
"that will be sent to you within the next few weeks.

If you have any questions or you would like to know more about this enhanced security please go to www.natwest.com/reader or contact 0845 300 6431* (Textphone 0845 900 5961).

Yours sincerely

<Signature>
Garry Stern
Head of Internet Services

*Lines are open 24 hours a day, 7 days a week. Maximum call charge from a BT landline is 4p per minute. Calls from other networks may vary. Calls may be recorded. If calling from abroad please dial +44 (0) 161 931 9951
"


I certainly haven't heard that NatWest were doing this.. I know a few banks were trialing it a few years ago.. I know it's not being rolled out to all customers as my mum hadn't received one and neither had Emma.

If we were being cynical we could wonder if anyone could send a device.. get me to put my card in.. and it would then upload my card details.. they could pretend to be NatWest and nobody would be any wiser.. I happened to think this was a fairly legitimate letter.. but what's to stop someone sending fake devices? That thought dawned on me after reading the letter.

Anyway, ripping the letter (metaphorically) to shreds was some good childish pedantic fun.. Next comes the wait.

The Arrival (Letter)
My dad comes into my room (25th August 2005) and presents me at 8am in the morning with a package the size of a pencil case, looking somewhat bewildered as to what it is.. I take a look at the jet black package and go "...NatWest!"

"We wrote to you recently regarding some enhanced security measures that we have introduced to help further protect our customers against Internet banking fraud."
.. it starts, in such a friendly way I feel like Garry Stern and I are Christmas card buddies.

"Your new Card-Reader along with simple instructions on its use is now enclosed. To proceed with certain OnLine banking requests such as setting up a new bill payment, you will need to use a unique code which the Card-Reader will generate everytime it's used.

This extra level of security demonstrates our continued commitment in keeping your OnLine banking transactions with us safe."
... will you PLEASE stop brown nosing me!

"This change to your NatWest OnLine banking service will start automatically"
..what what what!
" within the next 21 days, however you can use this facility earlier by logging on to NatWest OnLine banking and selecting 'Change Settings' menu and then choosing the 'Enable Card-Reader' option."
I can opt-in EARLIER? what about opting out?! I didn't ask for it in the first place..

"If you have any questions or you would like to know more about this enhanced sec..."
wait why does this sound familiar.. oh yeah, it's a similar line again as before...
"..urity please go to www.natwest.com/reader where you can also view an OnLine demonstration. Alternatively please contact 0845 300 6431* (Textphone 0845 900 5961).

Yours sincerely

<Signature>
Garry Stern
Head of Internet Services

*Lines are open 24 hours a day, 7 days a week. Maximum call charge from a BT landline is 4p per minute. Calls from other networks may vary. Calls may be recorded. If calling from abroad please dial +44 (0) 161 931 9951
"


The Arrival (The Box Opening)
I'm going to be a tease and put this in Part 2.

More Information : http://www.natwest.com/reader/

Tuesday, 21 Aug 2007

I couldn't find anywhere on the internet that already offered this so I had to make a makeshift solution myself using network sniffing software and a bit of research.

Do you want to use VBScript to ask a UPnP capable router what its current external IP address is?

Open up notepad and save this as "WhatIsMyIP.vbs"

Option Explicit

Dim xmlhttp 'As MSXML2.ServerXMLHTTP
Set xmlhttp = CreateObject("MSXML2.ServerXMLHTTP")

xmlhttp.open "POST", "http://192.168.1.1:2869/WANIPConnCtrlUrl", False

'-- http://www.oreillynet.com/xml/blog/2002/11/unraveling_the_mystery_of_soap.html --'
xmlhttp.setRequestHeader "SOAPAction", "urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress"

Dim theRequest 'As String

'-- http://www.w3.org/TR/2000/NOTE-SOAP-20000508/ (SOAP 1.1) --'
theRequest = "<?xml version=""1.0""?>" & VbCrlf & "<SOAP-ENV:Envelope xmlns:SOAP-ENV=""http://schemas.xmlsoap.org/soap/envelope/"" SOAP-ENV:encodingStyle=""http://schemas.xmlsoap.org/soap/encoding/""><SOAP-ENV:Body><m:GetExternalIPAddress xmlns:m=""urn:schemas-upnp-org:service:WANIPConnection:1""/></SOAP-ENV:Body></SOAP-ENV:Envelope>"

' -- http://www.w3.org/TR/2003/REC-soap12-part1-20030624/#soapencattr (SOAP 1.2 Part 1) --'
'theRequest = "<s:Envelope" & vbCrLf
'theRequest = theRequest & "    xmlns:s=""http://schemas.xmlsoap.org/soap/envelope/""" & vbCrLf
'theRequest = theRequest & "    s:encodingStyle=""http://schemas.xmlsoap.org/soap/encoding/"">" & vbCrLf
'theRequest = theRequest & "  <s:Body>" & vbCrLf
'theRequest = theRequest & "    <u:GetExternalIPAddress xmlns:u=""urn:schemas-upnp-org:service:WANIPConnection:1"">" & vbCrLf
'theRequest = theRequest & "    </u:GetExternalIPAddress>" & vbCrLf
'theRequest = theRequest & "  </s:Body>" & vbCrLf
'theRequest = theRequest & "</s:Envelope>" & vbCrLf
  
xmlhttp.send(theRequest)

Dim xmlDoc 'As MSXML2.DOMDocument30
Set xmlDoc = xmlhttp.responseXML
  MsgBox (xmlDoc.Text)
Set xmlDoc = Nothing

Set xmlhttp = Nothing


Notes :

  • I haven't actually set this script to properly interpret the response

  • This code is based on the Linksys WRT54GS (I imagine the WRT54G and WRT54GL will handle it just as well).

  • It should work on all Linksys routers but I haven't any other Linksys equipment to hand to test this...

  • I am assuming your router's IP address is 192.168.1.1 (The default)



Either way this is a pretty neat script that you can go on to use in other Visual Basic or VBScript.. I for instance originally had my server e-mail me of any IP address changes of the main network adapter.. but since installing the router this somewhat messed it up.. thankfully this little script now provides a suitable work around.

I'm sure others will have a use for this too.
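
One way to interpret the response, the step the notes above say the script does not do, written in Python rather than VBScript as an added example (not the author's code). The two sample responses are constructed, the 8 KB cap and the DOCTYPE rejection are defensive choices of this example, and `fetch_external_ip` reuses the control URL from the post.

```python
import ipaddress
import urllib.request
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ENVELOPE = "http://schemas.xmlsoap.org/soap/envelope/"
CONTROL_URL = "http://192.168.1.1:2869/WANIPConnCtrlUrl"   # URL used in the post
REQUEST = (f'<?xml version="1.0"?><s:Envelope xmlns:s="{ENVELOPE}" '
           's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
           f'<u:GetExternalIPAddress xmlns:u="{SERVICE}"/></s:Body></s:Envelope>'
           ).encode()

def parse_external_ip(xml_bytes: bytes):
    """Return the external address, raising on a SOAP fault or a junk body."""
    if len(xml_bytes) > 8192 or b"<!DOCTYPE" in xml_bytes:
        raise ValueError("unexpected response body")
    # Index every element by local name, dropping the {namespace} prefix.
    found = {el.tag.rsplit("}", 1)[-1]: (el.text or "").strip()
             for el in ET.fromstring(xml_bytes).iter()}
    if "Fault" in found:
        raise RuntimeError(f"UPnP error {found.get('errorCode', '?')}: "
                           f"{found.get('errorDescription', '')}")
    ip = ipaddress.ip_address(found["NewExternalIPAddress"])
    if ip.is_unspecified:                  # 0.0.0.0: no usable WAN address
        raise ValueError("router reports no WAN address")
    return ip

def fetch_external_ip(url: str = CONTROL_URL, timeout: float = 5.0):
    """Live query against a UPnP router at `url`; not called on import."""
    req = urllib.request.Request(url, data=REQUEST, method="POST", headers={
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{SERVICE}#GetExternalIPAddress"'})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_external_ip(resp.read(8193))

# Constructed sample responses (not captured from a real router).
SAMPLE_OK = (
    f'<?xml version="1.0"?><s:Envelope xmlns:s="{ENVELOPE}"><s:Body>'
    f'<u:GetExternalIPAddressResponse xmlns:u="{SERVICE}">'
    '<NewExternalIPAddress>203.0.113.7</NewExternalIPAddress>'
    '</u:GetExternalIPAddressResponse></s:Body></s:Envelope>').encode()
SAMPLE_FAULT = (
    f'<s:Envelope xmlns:s="{ENVELOPE}"><s:Body><s:Fault>'
    '<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>'
    '<detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">'
    '<errorCode>501</errorCode><errorDescription>Action Failed'
    '</errorDescription></UPnPError></detail></s:Fault></s:Body></s:Envelope>'
    ).encode()
```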

Keywords : UPnP, IP Address, Visual Basic, VBScript, SOAP, External, Address, Router, Linksys, WRT54, WRT54GS, WRT54GL
This is a journey.. into stereophonic sound.

This week's journey leads us to "Pump Up The Doorbell".. yes that's MARRS vs The White Stripes :

The White Stripes vs. Eric B & Rakim
"Pump Up the Doorbell"
4MB 192kbps mp3
http://www.partyben.com/PartyBen-PumpUptheDoorbell.mp3

and then if you want to take it back to last summer I bring you "Crazy As She Goes" another mashup with The Raconteurs and the unforgettable Gnarls Barkley :

The Raconteurs vs. Gnarls Barkley
"Crazy As She Goes"
4.54MB 192kbps mp3
http://www.mashuptown.com/files/The_Legion_of_Doom-Crazy_as_She_Goes.mp3 (this is a mirror as the Official site requires signup)

Enjoy!