Taking Something On Purpose By Being "Clever" Is Still Stealing

I was just reading through Bruce Schneier's latest newsletter, published on September 15, 2007, and it had this article:

Getting Free Food at a Fast-Food Drive-In

It's easy.  Find a fast-food restaurant with two drive-through windows: one where you order and pay, and the other where you receive your food.  This won't work at the more-common U.S. configuration: a microphone where you order, and a single window where you both pay and receive your food.  The video demonstrates the attack at a McDonald's in -- I assume -- France.

Wait until there is someone behind you and someone in front of you. Don't order anything at the first window.  Tell the clerk that you forgot your money and didn't order anything.  Then drive to the second window, and take the food that the person behind you ordered.

It's a clever exploit.  Basically, it's a synchronization attack.  By exploiting the limited information flow between the two windows, you can insert yourself into the pay-receive queue.

It's relatively easy to fix.  The restaurant could give the customer a numbered token upon ordering and paying, which he would redeem at the next window for his food.  Or the second window could demand to see the receipt.  Or the two windows could talk to each other more, maybe by putting information about the car and driver into the computer.  But, of course, these security solutions reduce the system's optimization.

So if not a lot of people do this, the vulnerability will remain open.


While it is a 'clever exploit', taking something purposely without paying for it is still stealing, and stealing is illegal.

Privacy Thoughts - Google Vs. ISPs

There is a lot of good blogger analysis about Google's ability to drill down deep into the search world and possibly get into trouble by not keeping personal privacy data private.

Given Google's business model of matching people to ads, it is in their best interest to not blow this, and keep private data private.

However, there seems to be a small group of alarmists raising issue with Google's recent purchase of RSS service provider Feedburner.

I do have to disclose that I am a big fan and happy customer of Feedburner. Congrats to the team over there.

Based on my above assertion that Google must, if they want to be successful, protect privacy, I expect that this newfound, very rich data in Feedburner will get the same high level of protection.

Plus, I don't see any signs of Google behaving badly, and that cannot be said about ISPs.

Wired recently published a piece that outlines one of my big privacy concern areas - the data ISPs can and will be collecting, what they plan to do with it as it affects public disclosure (overt, covert, and stolen), and possible manipulation as it enters 'their' network and gets to your devices.

EVDO Router References Mentioned In Podcast

A recent episode of Kevin Devin's In The Trenches podcast discussed the following email I sent in to him and George Starcher on the topic of EVDO wireless routers:

Here is some background if you want to chat about it (sorry, I would send in some audio comments but I can't get any recording done today) ...  I have both the Junxion Box JB110b and the Kyocera KR1.  I've been using the Junxion Box for nearly a year but the Kyocera for only a couple of weeks.  I'll travel with the Kyocera this week and I'll have more to say about it later.

  • JB110b:
    • supports EVDO and other services like from AT&T/Cingular
    • ruggedized case (ideal for industrial or field operations)
    • can route/load balance from broadband Ethernet (DSL, Cable, etc.)
    • WI-FI features seem advanced
    • network mgmt features available
    • one thing I don't like is the power brick
    • 2 Ethernet ports (but only one for client if you are route/load balancing)
    • ~$599
  • KR1:
    • EVDO only (with support for select EVDO cellphones)
    • consumer-looking router (I think it is actually OEM'd from D-Link)
    • cannot load balance or route
    • WI-FI features don't seem as robust
    • weight is less than the Junxion box
    • comes with a car power adapter and better designed power brick
    • 4 Ethernet client ports
    • ~$299

One of the more interesting things for me is that both units use open source software as the operating system (OS), and each has a pretty good web interface (not great, but better than some).

On the topic of business continuity, I think the Junxion Box would be ideal for that.  It is an idea I am proposing internally at my work.
and the

Related to this topic are two recent posts about new gear from Engadget and Gizmodo.

QuadPolar #002 - Hacking, Vinyl, Artwork, & Food

QuadPolar #002 ... links for you and me:

  1. Crosley Radio Specials: radio and turntables with support for CDs and tapes. {Crosley@Amazon}
  2. Military artwork by Charles Waterhouse
  3. Hack-A-Day notes that Metasploit is now running on the Linksys WRTSL54GS.
  4. 'Tech' Food Conference (25Jun06 via Wired)


  1. I'm looking to move some vinyl to digital format, and I'd also like to listen to some vinyl directly from time to time, especially Frankie Valli and The 4 Seasons. Plus, I still have a pretty good-sized catalog of '80s music on vinyl and tape.
  2. This is interesting for a yet-to-be-announced new project.
  3. Just plain technically cool.
  4. Food and technology are independently interesting to me, together they seem even more interesting.

Mini-Link Fest - New Media Focus?!?

I made a recent dent in reading through my RSS feeds, and I have the following items to check up on when I'm working through @Internet, and I thought I'd share them: