Cops: Lottery terminal hack allowed suspects to print more winning tickets | Ars Technica

Seems like an old-school race condition:

Citing arrest warrants, here’s how The Hartford Courant said the Connecticut scheme worked:
An investigator for the Connecticut Lottery determined that terminal operators could slow down their lottery machines by requesting a number of database reports or by entering several requests for lottery game tickets. While those reports were being processed, the operator could enter sales for 5 Card Cash tickets. Before the tickets would print, however, the operator could see on a screen if the tickets were instant winners. If tickets were not winners, the operator could cancel the sale before the tickets printed.

Source: Cops: Lottery terminal hack allowed suspects to print more winning tickets | Ars Technica
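A small model of the flaw described in the excerpt, written here as an added example (not code from Ars Technica, the Courant, or the lottery vendor): the terminal in the warrant reveals the outcome while the sale can still be voided, so the fix is to commit the sale before showing the result, and an audit on void rates surfaces terminals abusing the window. The `Terminal`, `run_sales` and `flag_terminal` names and the 20% win rate are assumptions for illustration.

```python
import random
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Ticket:
    ticket_id: int
    winner: bool
    state: str = "pending"          # pending -> committed | cancelled

@dataclass
class Terminal:
    # True models the flawed terminal: the outcome is shown while the sale can still be voided.
    reveal_before_commit: bool
    ledger: list = field(default_factory=list)
    rng: random.Random = field(default_factory=lambda: random.Random(7))  # fixed seed, constructed draws

    def sell(self, cancel_losers: bool) -> Optional[Ticket]:
        t = Ticket(len(self.ledger) + 1, winner=self.rng.random() < 0.2)  # assumed 20% instant-win rate
        if self.reveal_before_commit and cancel_losers and not t.winner:
            t.state = "cancelled"     # operator saw a loser on screen and voided the sale before printing
            self.ledger.append(t)
            return None
        t.state = "committed"         # hardened order: commit (and charge) first, reveal the outcome afterwards
        self.ledger.append(t)
        return t

def run_sales(terminal: Terminal, n: int, cancel_losers: bool):
    """Return (winning tickets printed, tickets printed) for n attempted sales."""
    printed = [t for t in (terminal.sell(cancel_losers) for _ in range(n)) if t]
    return sum(t.winner for t in printed), len(printed)

def cancel_ratio(terminal: Terminal) -> float:
    """Audit metric: share of 5 Card Cash sales voided before the ticket printed."""
    cancelled = sum(t.state == "cancelled" for t in terminal.ledger)
    return cancelled / len(terminal.ledger) if terminal.ledger else 0.0

def flag_terminal(terminal: Terminal, threshold: float = 0.25) -> bool:
    """Flag a terminal whose void rate is implausible for honest sales (threshold is assumed)."""
    return cancel_ratio(terminal) > threshold
```

On the flawed terminal every printed ticket is a winner and the void rate trips the audit; with commit-before-reveal the operator's cancel attempts change nothing.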

Reunited Guns N' Roses confirms Detroit show, but date a mystery

In case you’re a fan or care …

The reunited Guns N’ Roses are planning to go on tour this summer, but haven’t announced exactly when.
… Detroit is on the list, along with 20 others, including Chicago, Pittsburgh and Toronto.
Not only have the dates not yet been announced, but we don’t know the venues.

Source: Reunited Guns N’ Roses confirms Detroit show, but date a mystery

Full Disclosure vs Cover Up vs Sneaking

Netflix hasn’t had a good Public Relations (PR) week.
The company admitted to throttling the bandwidth of users coming from Verizon and AT&T mobile in the US. Netflix claimed it was for the good of those users, so they would be less likely to exceed their data allotment. Netflix also said they had been doing such throttling for years.
I get why Netflix did what they did. As a former network manager I made similar decisions.
I did not, however, do so without the informed consent of my customer. Netflix seems to have missed that part.
There’s a saying in the US: The coverup is often worse than the crime.
As far as I know, Netflix didn’t retroactively try to bury references to what they were doing.
They did perpetrate perhaps a more egregious sin – sneaking it in without telling anyone.
By failing to “get in front” and “come clean”, Netflix engendered ill will from users. They got bad press.
It was easily avoidable, and Netflix probably would’ve received kudos for their actions.
Had Netflix simply let users on those networks know that throttling was taking place, either for performance or to save user’s data allotments, I doubt any concern would be raised.
By not coming out, being clear, and informing users of their practices, Netflix will live under a shadow of doubt for years.
As security professionals, if we want the Business and users to take us seriously, we need “upfront and transparent” as our mantra as much as possible. Take the lesson here and apply it in your environment.
What are your thoughts?

Michigan to Enbridge: Give us understandable pipeline data

Michigan officials are going back to Canadian energy giant Enbridge for more information on the integrity of its controversial Line 5 under the Mackinac straits, but this time they want the company to send data in a usable format.
On March 11, Michigan attorney general Bill Schuette sent a letter to Enbridge Inc. vice president Cynthia Hansen asking for pipeline inspection and operating pressure data in an “unrestricted” form instead of through a “read-only data portal.”
That data portal was a source of frustration for Michigan officials during a yearlong inquiry into the submerged pipeline that resulted in a 2015 report critical of “gaps” in pipeline information that Enbridge says it gave through the limited-access portal.
Enbridge later apologized for sending the data in a format “too complex” for state officials to understand, saying that it might “mean something to someone who has a Ph.D in metallurgical engineering, but it’s not usable data to many people.”

Source: Michigan to Enbridge: Give us understandable pipeline data
I know companies don’t want to divulge more than they have to in order to conduct business. Things like pipelines, especially ones so old, require objective & current data. That Enbridge is not helpful in this process doesn’t bode well for their chances.
Were I asked to vote on this right now, I would vote to shut the pipeline down.

En Route to Tokyo Observations, Part II

More musings from my trip:

  • I lost a great post to the WordPress web interface requiring a random re-authentication. I need to reconfigure Emacs org-mode to get it working with the new VPS.
  • There’s a bug in Delta’s InFlight Entertainment (IFE) system I often trigger. I turn the display off during boarding since all it does is flash advertising. The IFE kicks in for the safety video, and then shuts off as it was before departure. Unfortunately, that means the IFE no longer works unless I can talk the cabin crew into a reboot, which I doubt I’d do. I miss the travel map & stats.
  • Speaking of the IFE safety video, Delta’s quality seems to drop with each iteration. This “best of, award show” version is not just bad but a clip show at that.
  • At least Richard Anderson STOPPED YELLING AT US IN HIS MONOTONE SOUTHERN ACCENT. Nowadays, Mr. Anderson talks to us at a normal volume & even throws in some inflection. Nice!
  • On a big international flight like mine (MSP – NRT), don’t follow the first cattle call to the gate. Almost always they open up another lane on the other side of the desk. Get there.
  • I hate neck pillows. More specifically, I hate that people have those giant half fuzzy inner-tubes around their necks. Throw in a pair of over-the-ear headphones and eye shades also around the neck and you hit the trifecta!
  • I LOVE Internet over the ocean! Well done, GoGo!
  • There’s a woman sitting behind me who is loving the show she’s watching. I hear her laughing every 5 minutes or so.

Paul Feig on Suits – Confessions of a Suit, by Paul Feig

In the 12 years I’ve been doing it, outside of one incident in which a producer tried to convince me not to dress up because he said I was putting myself above the actors — seriously — I’ve been thanked by both cast members and crew people for showing them a little respect by dressing like a leader and like the adult I’d always wanted to be. And, selfishly, yes, I’ve also just really enjoyed wearing my suits — just like I did before I grew out of that Pierre Cardin three-piece.

Source: Paul Feig on Suits – Confessions of a Suit, by Paul Feig
By the way, there are practical uses to wearing a suit every day: you can use the bathroom in almost all hotels (Mr. Feig spoke with Jesse Thorn & others on the topic), and if you’re on a plane it’s easier to make use of the business/first class facilities even if you’re not seated in it, regardless of your row. As with all power, use it responsibly and only when alternatives are exhausted.
Also: Be nice; Be polite; Be friendly; Be fun; Don’t be a jerk.

En Route to Tokyo Observations, Part I

Random musings and reflections and notes from my current trip to Tokyo:

  • The Hilton Tokyo Shinjuku doesn’t answer their phone. I tried calling three times to inform them of my delayed arrival. I called the Hilton Diamond Help Desk and even they couldn’t confirm the information was understood once they managed to communicate with the hotel. Apparently this location has a reputation.
  • Delta still doesn’t know how to board planes. Our flight took 40% longer to board than it should have (by my estimation). Boarding was like an elderly man’s urination stream: dribbles and drabs.
  • Airbus might want to have airlines mount signs at the entry informing passengers where the row numbers are.
  • I do love the overhead bins on the Airbus A320(OW), the “turn your bag on its side” kind.
  • It’s funny that the cabin crew had to explain how the “space ship” style overhead controls work, and funny how they did it.
  • The woman sitting next to me is 5’0″ or so, yet she has an iPhone 6s Plus. She uses it like a tablet and it works well for her. I’m oddly impressed.
  • The Hootoo travel router ROCKS.

My New Venue: Tokyo

Listeners of the PVC Security podcast already know I’m headed to Japan for a year or two on an assignment.
Now you know, too, readers who aren’t yet PVCSec subscribers. Why aren’t you listening to the podcast?
I depart for my first Tokyo visit in five years this week. I’m excited to see the city again without having to rush out so quickly.
If you recommend venues for me to visit, please place them in the comments or tweet me at @prjorgensen with your keen insight.