You can never prevent an end-user who has physical control of a device from breaking any DRM scheme you can invent.
Sony just learned their DRM lesson (again). I'm sure that people at Sony already know this principle, but some "suit" tells the engineers to "do something about the problem" so they implement a technical speed bump. That's all it is and will ever be.
 |
| Look but don't pay attention to key teeth details! |
What would you do if you found out that the Certificate Authority that provides Digital Certificates to your company was compromised, and Microsoft was adding the Certificate Authority’s public key to Windows un-trusted Root Store? Well if you have not got a contingency plan to implement then I can presume you will be in a panic to purchase new certificates from another Certificate Authority... It can take Certificate Authority’s (CA’s) a few days to validate domain ownership and company registration details... While all this is happening your customers are getting a message from Internet Explorer that your SSL certificate is not to be trusted.
What can you do?Keep in mind that the worst-case scenario described above would require the Root CA Certificate to be compromised. Most Root CAs are offline certs, meaning the computers that house them are not powered on except during special circumstances when new intermediate CA certificates are generated, OR, they are online in an "air gap" (disconnected from the internet) network accessible only via sneakernet. Exploiting an offline CA is a big deal, and if it occurs it won't be just your organization that is affected, but likely a large part of the entire internet.
- Do not rely on one Certificate Authority for all of your certificates. You should have a relationship with at least two well known Certificate Authority’s and the CA’s should have validated all of your domains. This will let you quickly order Digital Certificates from the second CA without having to go through the company validation process...
- If you cannot tolerate any downtime for a service you can take the extra step in which you create backup certificates for each service using your backup Certificate Authority. This will enable you to implement the backup certificates without having to contact the second CA and joining the queue of company’s looking for new certificates.
 |
| Bourtange Star Shaped Fort |
Protesting is About Attention!Use that to your advantage. Protesters love the press. It can be a relatively simple proposition to get a press pass that will get you through/past protests that completely block traffic. Afterwards, ask them for a letter stating you have written for them, etc.
Set up a blog using a free service like Blogger or WordPress.
Write an “About” page or article telling people that this blog is for covering local protests or demonstrations
Design your own press ID using a template (Here’s an example template). Don’t lie on the pass. It’s not necessary.
Print it on a solid plastic card. There are tons of companies that will do this for a few bucks. (Here are a few) I had mine printed locally for about $.80 each.
Throw the ID on a lanyard or in an ID armband and stash it in the glove compartment for whenever you may need it.
If you have to use it, present it with authority! It has never failed me, even under the scrutiny of armed soldiers at roadblocks.
Reconstruction
The reconstruction of sensitive documentation has been around as long as shredders have. According to a fantastic NY Time article that everyone should read, reconstruction was first brought to light during the 1979 US Embassy takeover in Tehran. The Iranians elicited the help of local carpet weavers to reconstruct sensitive documents, which were sold on the streets of Tehran as a testament to US imperialism.
Just know that with some time and even the help of computer programs like Unshredder, there isn’t much reassurance that your documents will stay shredded.
 |
| Document Burn Bag |
Intel's McAfee unit, which is best known for software that fights PC viruses, is one of a handful of firms that are looking to protect the dozens of tiny computers and electronic communications systems that are built into every modern car.
Our guess is that when cars get to the point that they drive themselves, those who understand how malware works-- and more important: how undeniably complicated modern software and its hardware architecture can be-- will start donning a pair of Converse Chuck Taylors and resemble a modern Luddite by driving themselves, a la Will Smith in I, Robot.
It's scary business. Security experts say that automakers have so far failed to adequately protect these systems, leaving them vulnerable to hacks by attackers looking to steal cars, eavesdrop on conversations, or even harm passengers by causing vehicles to crash.
Toyota Motor Corp, the world's biggest automaker, said it was not aware of any hacking incidents on its cars.
"They're basically designed to change coding constantly. I won't say it's impossible to hack, but it's pretty close," said Toyota spokesman John Hanson. [emphasis ours]Oh, we've never heard that before...
Officials with Hyundai Motor Co, Nissan Motor Co and Volkswagen AG said they could not immediately comment on the issue.
Mums the word is a much smarter response to the press.
A spokesman for Honda Motor Co said that the Japanese automaker was studying the security of on-vehicle computer systems, but declined to discuss those efforts.
A spokesman for the U.S. Department of Homeland Security declined to comment when asked how seriously the agency considers the risk that hackers could launch attacks on vehicles or say whether DHS had learned of any such incidents.They probably declined to comment because they are working on exploits for these as well. Say it ain't so? Look no further than Stuxnet and Flame, of which the US Gov takes full authorship credits. It's the future of the "cyberwarfarestate".
 |
| Ken Thompson is on the left. That's not Adam Savage on the right. |
The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect.Ken was referring to the trojan modifications he embedded into the C compiler, illustrating that you need to rely on more that source code, but the compiler, the assember, the loader, all the way down to the instruction sets of the CPUs. Or as Schneier famously pitched: "security is a chain; only as strong as its weakest link".
 |
| Breaking into a hotel room with less than $50 in hardware |
It should come as no real surprise: MS-CHAPv2 is broken. It's an ancient scheme. If you were paying attention, you would have migrated your VPNs and Wireless networks away from it years ago anyway.
This is a bit of a stretch from the normal topics, but in a severe disaster scenario (think Hurricane Katrina or third world country), it may be desired to send real time digital text communication when there is no communication infrastructure in place any longer (i.e. telephone lines are down and the Internet "tubes" were all clogged up).
Turns out it may be more than RFID protection you may need for your wallet. New Scientist reports how some academics at University of Washington - Seattle can exploit some of the metallic features of dollar bills to count the money in your wallet. An excerpt:They found an ordinary handheld metal detector was able to pick up a dollar bill from 3 centimetres away, and placing the notes behind plastic, cardboard and cloth did little to block the signal. Adding further bills in $5 increments increased the strength of the signal, making it is possible to count the number of bills, though converting this into an actual dollar value would be difficult as notes of different denominations contain the same amount of magnetic ink.Using larger metal detectors such as those found in airports should also increase the range of sensing, though detecting banknotes in such situations would be trickier as many other sources could interfere with the signal.
We just covered the NSA's new data center, so it seems appropriate to mention Visa's new data center, complete with a moat! The 8-acre facility looks like any other industrial park in a sleepy suburb. But the serene setting masks hundreds of cameras and a crack team of former military personnel. Hydraulic bollards beneath the road leading to the OCE can be quickly raised to stop an intruding car going 50 mph. Any speed faster, and the car can't navigate a hairpin turn, sending it into a drainage pond that functions as a modern-day moat.Here is the exact location of the data center. So much for trying to hide from Google Maps!
The data center resembles a fortress, with dogged attention to detail. It can withstand earthquakes and hurricane-force winds of up to 170 mph. A 1.5-million-gallon storage tank cools the system. Diesel generators onsite have enough power, in the event of an outage, to keep the center running for nine days. They generate enough electricity for 25,000 households.
Once you get clearance from a guard station, get an OK from a roving security guy in a golf cart, and surrender a photo and fingerprint inside, the adventure begins.
Stanford University has a free online Cryptography Course. Looks very interesting for someone who wants to peel back the layers of the onion, but isn't scared off by the math. (Many applied cryptographers aren't necessarily experts in the theoretical mathematical aspects and vice versa.)
Having just caught up on the positive achievements of Alex Halderman, we have discovered that another promising young mind has been lost forever.
Computer Science Professor J. Alex Halderman is an upcoming academic star that we at Securology have been watching for awhile now, since some of the earliest days of all the great work put on at Princeton by Ed Felten and his Freedom to Tinker group (an excellent blog). Halderman, having completed his PhD (Bell Labs UNIX and C programming language creator Brian Kernighan was on his PhD committee!), has moved on to the University of Michigan as a member of the faculty and is continuing his excellent work at the intersection of technology and public policy, which always means security and privacy issues are in the spotlight.
This is a creative implementation that discovers several information flow theory violations. The end result is a website that is not part of a given social network can tell if a connected user is logged into the social network.
PCI Regulations allow merchants to store the first 6 digits plus the last 4 digits of a customer's credit card number. Ever wonder just how secure that is?
6 digits
|
10 ^5 = 100,000
|
5 digits
|
10^4 = 10,000
|
4 digits
|
10^3 = 1,000
|
3 digits
|
10^2 = 100
|
2 digits
|
10^1 = 10
|
1 digit*
|
10^0 = 1
|
using System;
using System.Linq;
namespace Luhn
{
public class Luhn
{
private static int _middle = -1;
private static int _counter;
private static int _places;
public static void Main(string[] args)
{
if (!args.Any())
{
PrintUsage();
return;
}
var cc = args[0].Replace("-", "").Replace(" ", "").Replace("x", "X");
if (cc.Length != 16)
{
Console.WriteLine("input is not correct length.");
PrintUsage();
return;
}
_places = cc.Length - cc.Replace("X", "").Length;
var limit = Math.Pow(10, _places);
Console.WriteLine("Places: {0}", _places);
Console.WriteLine("Limit: {0}", limit);
while (_middle < limit)
{
var s = FindNext(cc);
if (!PassesLuhnCheck(s)) continue;
Console.WriteLine("Valid: {0}", s);
_counter++;
}
Console.WriteLine("\r\nFound {0} potential matches for {1}", _counter, args[0]);
}
private static void PrintUsage()
{
Console.Write("Usage: luhn.exe [credit card number]\r\n"
+ " in format like 1234-56xx-xxxx-1234\r\n"
+ " or like 1234-5678-xxxx-1234, etc.\r\n\r\n");
}
private static string FindNext(string number)
{
_middle++;
var middle = _middle.ToString();
while (middle.Length < _places)
{
middle = "0" + middle;
}
return (number.Replace(GetPlaceHolder(), middle));
}
private static string GetPlaceHolder()
{
var s = "";
for (var i = 0; i < _places; i++)
{
s += "X";
}
return s;
}
private static bool PassesLuhnCheck(string number)
{
var deltas = new[] { 0, 1, 2, 3, 4, -4, -3, -2, -1, 0 };
var checksum = 0;
var chars = number.ToCharArray();
for (var i = chars.Length - 1; i > -1; i--)
{
var j = chars[i] - 48;
checksum += j;
if (((i - chars.Length) % 2) == 0)
checksum += deltas[j];
}
return ((checksum % 10) == 0);
}
}
}
When Kenneth G. Lieberthal, a China expert at the Brookings Institution, travels to that country, he follows a routine that seems straight from a spy film.He leaves his cellphone and laptop at home and instead brings “loaner” devices, which he erases before he leaves the United States and wipes clean the minute he returns. In China, he disables Bluetooth and Wi-Fi, never lets his phone out of his sight and, in meetings, not only turns off his phone but also removes the battery, for fear his microphone could be turned on remotely. He connects to the Internet only through an encrypted, password-protected channel, and copies and pastes his password from a USB thumb drive. He never types in a password directly, because, he said, “the Chinese are very good at installing key-logging software on your laptop.”
Both China and Russia prohibit travelers from entering the country with encrypted devices unless they have government permission.Here's better advice:
Now, United States companies, government agencies and organizations are doing the same by imposing do-not-carry rules. Representative Mike Rogers, the Michigan Republican who is chairman of the House Intelligence Committee, said its members could bring only “clean” devices to China and were forbidden from connecting to the government’s network while abroad. As for himself, he said he traveled “electronically naked.”and probably the best advice:
McAfee, the security company, said that if any employee’s device was inspected at the Chinese border, it could never be plugged into McAfee’s network again. Ever. “We just wouldn’t take the risk,” said Simon Hunt, a vice president.The cost of doing business in places like that is the cost of "burn devices". The hardware, data, and software on them, should all be thrown away upon exit. Don't risk powering it back on. Like a disposable camera. Send your data in before you leave in-country, and let go of any and all emotional attachment to the hardware.
Do It Yourself Surveillance Drone Aircraft. Why? Because you still can.It is extremely easy to build a drone now that can do not just surveillance but can carry rather large payloads. If you want to see how large some of these planes get, check out this video of a model Airbus A380. I don’t have to spell out the implications of this. I want to have my drone before the government makes them illegal. The US has been fighting such low-tech enemies lately that we haven’t thought through the nature of a world in which lots of people have sophisticated drones, not just other countries but private individuals. One somewhat worrying thing is that virtually all of this equipment comes from China or Taiwan.
classified and released to the public. Now you can read for yourself how John Nash was essentially 20 years ahead of the world around him in his plans for a cryptographic system.
"Oh my God," said Stewart Baker, former assistant secretary of the Department of Homeland Security and before that the top lawyer at the National Security Agency. "That could allow people to imitate almost any company on the Net."I knew instantly why Baker is a former Assistant Secretary to DHS: because he understands the gravity of a real security incident. Had he not understood, he would probably still be employed at DHS, along with all of the other laughing stocks and poster children for security theater.
This is a very premature response to what I believe is the single best solution to dangers like SOPA, PIPA, and ACTA: DNSCrypt.
