Feb 212013
 

I have been password protecting my smartphone ever since I got one, and more recently, now that Android supports encryption, I took advantage of that feature as well.

The reason is simple: if my phone ever gets stolen, I wouldn’t want my data to fall into the wrong hands. But, it appears, there is now another good reason: it seems that at least in Ontario, if your phone is password protected, police need a search warrant before they can legitimately access its contents.

Privacy prevailed… at least this time.

 Posted by at 3:21 pm
Feb 122013
 

I was reading about full-disk encryption tools when I came across this five-year old research paper. For me, it was an eye-popper.

Like many, I also assumed that once you power down a computer, the contents of its RAM are scrambled essentially instantaneously. But this is not the case (and it really should not come as a surprise given the way DRAM works). Quite the contrary, a near-perfect image remains in memory for seconds; and if the memory is cooled to extreme low temperatures, the image may be preserved for minutes or hours.

Degrade of a bitmap image after 5, 30, 60 seconds and 5 minutes in a 128 MB Infineon memory module manufactured in 1999.

Decay of a bitmap image 5, 30, 60 seconds and 5 minutes after power loss in a 128 MB Infineon memory module manufactured in 1999. From https://citp.princeton.edu/research/memory/.

So even as we worry about public servants losing USB keys or entire laptops containing unencrypted information on hundreds of thousands of people, it appears that sometimes even encryption is not enough. If a lost laptop is in a suspended state, an attacker could access the contents of its RAM using only a rudimentary toolkit (that may include “canned air” dusters turned upside-down for cooling).

I wonder what the future will bring. Tamper-proof hardware in every laptop? In-memory encryption? Or perhaps we will decide that we just don’t care, since we already share most details about our personal lives through social networks anyway?

On that note, Canada’s government just decided to scrap a planned cybersurveillance bill that many found unacceptably intrusive. Good riddance, I say.

 Posted by at 8:58 am
Jan 122013
 

jstor_logoComputer pioneer Alan Turing, dead for more than half a century, is still in the news these days. The debate is over whether or not he should be posthumously pardoned for something that should never have been a crime in the first place, his homosexuality. The British government already apologized for a prosecution that drove Turing into suicide.

I was reminded of the tragic end of Turing’s life as I am reading about the death of another computer pioneer, Aaron Swartz. His name may not have been a household name, but his contributions were significant: he co-created the RSS specifications and co-founded Reddit, among other things. And, like Turing, he killed himself, possibly as a result of government prosecution. In the case of Swartz, it was not his sexual orientation but his belief that information, in particular scholarly information should be freely accessible to all that brought him into conflict with authorities; specifically, his decision to download some four million journal articles from JSTOR.

Ironically, it was only a few days ago that JSTOR opened up their archives to limited public access. And the trend in academic publishing for years has been in the direction of free and open access to all scientific information.

Perhaps one day, the United States government will also find itself in the position of having to apologize for a prosecution that, far from protecting the public’s interests, instead deprived the public of the contributions that Mr. Swartz will now never have a chance to make.

 Posted by at 4:53 pm
Jan 122013
 

The SANS Institute is one of the preeminent firms in Internet security. I subscribe to their security-related mailing lists for all the obvious reasons, and I also receive their print course catalog on a regular basis.

I was flipping through the pages of the latest when I came across this gem (which should really belong among Jay Leno’s Headlines, assuming viewers of The Tonight Show could actually tell the difference between Unix and Windows):

winlin

Which leaves me wondering if SANS really can’t tell the difference between the two operating systems. (They probably can.) Or perhaps it’s the US Navy that cannot? (I doubt it.) Or perhaps the real problem, apart from careless proofreading, is that these security training courses have become rigid and mechanical, predictable even, which is precisely why hackers seem to have so little trouble penetrating even military networks?

 Posted by at 10:57 am
Dec 112012
 

fbspamThank you, Facebook. Now I am getting garbage that is apparently coming from some of my Facebook friends, all because (no doubt in your eagerness to please your corporate sponsors and push your sinking share price up a little) you happened to leave open a gaping security hole allowing spammers to “scrape” friend lists and e-mail addresses.

Worse yet, it is possible that the same spammers are sending garbage to others in my name. And while I may know not to click on an unsolicited link even if it appears to come from a good friend, colleague, or close relative, others may not be so cautious.

One of these days, I’ll find myself a spammer and slowly strangle him.

 Posted by at 10:23 pm
Nov 152012
 

The sordid saga around the resignation of Gen. Petraeus continues. It became such a tangled story, Gawker.com actually published a flowchart to make it easier to decipher.

Meanwhile, however, The Guardian raises some very troubling points:

  • In response to Ms. Kelley’s initial complaint about a vaguely offensive e-mail, the FBI devoted substantial resources and engaged in highly invasive surveillance for no reason other than to do a personal favor for a friend of an agent;
  • Without any evidence of an actual crime, and without a search warrant, they gained access to Ms. Broadwell’s e-mail account;
  • Again, without any evidence of any actual wrongdoing, they also got their hands on e-mails exchanged not only between Ms. Broadwell and Gen. Petraeus but also between her and Gen. Allen.

The Guardian comments about the “sweet justice” aspect of all of this: namely that America’s security surveillance system that is running amok is targeting the very people in charge of that system, such as the head of the CIA. However, I do not share their implied optimism; I don’t think the growth in surveillance will stop anytime soon. We are nowhere near close to anything like the McCarthy era’s pivotal “have you no sense of decency?” moment. For that, a lot more good people will have to be harmed a lot more gravely first.

 Posted by at 10:13 am
Oct 222012
 

Think of an essential part of your life. Now imagine relinquishing control over it to others, people you don’t know, people who may in fact be in different countries, providing a service on an industrial scale. Most of the time they do an admirable job; but when they make a mistake you and many others suffer, possibly with life-altering consequences.

No, I am not describing cloud computing. I could have, but I was actually thinking about manufactured foods. When you buy a bag of snacks at a supermarket, for instance. The materials used to manufacture that food come from all four corners of the world. Some are organic in origin, often waste products from the processing of hundreds of animals or tons of vegetables. Others are manufactured at chemical plants, e.g., from petroleum. And when the controls fail; when an unscrupulous manufacturer in China, for instance, introduces an unapproved substitute to boost the measured protein content of a manufactured ingredient, people or pets suffer, even die.

But what I am really struck by are these similarities between cloud computing and “eating from the cloud”: that for the sake of convenience and easy access we willingly relinquish control over something essential, and that we generally trust society to such an extent that we are not the least bit worried when a private e-mail with an intimate personal photograph travels halfway around the world before arriving in our Inbox (which itself may be physically located in another country, perhaps on another continent); or when we put bits of food in our mouths without the slightest worry about the origin of its ingredients produced in distant lands by people we will never get a chance to know.

 Posted by at 8:27 am
Sep 072012
 

So recently, I got a nice new phone, a Samsung Galaxy S II.

When I set it up, I realized that Samsung chose to replace the built-in Google e-mail application with their own. This was a bit of a disappointment as the Samsung version seemed a tad less flexible and less configurable than the (also pedestrian) Google program, so I opted for the open-source K-9 Mail instead, which works very well indeed.

Today, I noticed that all of a sudden, my server is showing IMAP logins using my user ID from a strange IP address, occurring like clockwork, every five minutes. The IP address belongs to Samsung in Germany, Frankfurt to be precise. This was odd because my phone was actually connected to my home Wi-Fi, so there was no reason for it to go through a distant proxy server. Suspecting that something was afoul, I turned the phone off. The IMAP logins from the German IP address continued.

At this point, I immediately changed all relevant passwords. The login attempts (no longer successful) continued for a while, then stopped.

But what was this? A bit of research showed that the IP addresses are characteristic of Samsung’s “Social Hub” program. Apparently when I entered my login credentials using the Samsung version of the basic e-mail app, it passed on that information to Samsung’s Social Hub servers. So without my knowledge and my approval, my password to my personal account on my Linux server was sent to, and stored on, a server in a foreign country. (And no, I don’t want to hear that I actually gave my approval by clicking the Accept button on a 50-paragraph unreadable user agreement when I started using my phone. This kind of potential security breach must require up-front notification of the user and explicit approval.)

I have since kind of confirmed it by noting that Social Hub indeed shows my e-mail account as being registered, even though I deleted my login credentials days ago from the Samsung e-mail app proper. Worse yet, it seems impossible to delete this account from Social Hub; when I try, I just get a “Loading…” screen that stays on forever.

I still like this phone, but my opinion of Samsung just sank several notches all at once. A high technology company should be much more conscious of its users’ security needs and much more proactive in protecting them. Indeed it leaves me wondering if, perhaps, it might have been possible for a smart hacker to use social engineering and trick Samsung into revealing this information… which Samsung should never have obtained without my explicit permission in the first place.

 Posted by at 9:37 pm
Jun 302012
 

Last year, many people debated whether or not the Iranians had the wherewithal to hijack that US military drone which they were so proudly displaying afterwards.

Well, wonder no more. Apparently a team from the University of Texas at Austin showed how it can be done using equipment that cost no more than a thousand bucks.

OK, you say, but this drone was using the non-encrypted civilian GPS signal. True… except that if you simply jam the encrypted signal, many military drones fall back (or at least, used to fall back) to using the civilian signal. (As designed, the encryption was primarily about preventing an adversary from using the high accuracy military GPS signal, not about preventing spoofing.)

 Posted by at 1:49 pm
Jan 182012
 

Here is Google’s way of protesting proposed copyright legislation: black out the company logo and direct users who click on it to a protest page.

And then here is Wikipedia’s form of protest: black out the entire site. Never mind that the people you are most likely to hurt are your friends, and the people who are the least affected are your opponents. Why not be vindictive about it, if you can?

Indeed, while you are at it, why not black out Wikipedia even for non-US users, just for good measure, despite the fact that there is very little they can do that would affect the decisions of the US Congress.

Fortunately, the blackout is easily circumvented.

Nonetheless, doing what Google did would have been just as effective, and far less harmful both to Wikipedia’s reputation and to users who rely on its services every day. Unfortunately, radical activism prevailed over common sense: the difference between public protest and sabotage was forgotten. This is what dooms revolutions: they may be started by idealists and poets but ultimately, it is characters like Boris Pasternak’s Strelnikov in Doctor Zhivago, who set the tone.

 Posted by at 1:11 pm
Jan 152012
 

Meet the father of all hackers: Nevil Maskelyne.

In 1903, this gentleman gained notoriety by hacking into Guglielmo Marconi’s purportedly long-distance secure wireless telegraph, causing it to tap out unflattering messages about Marconi minutes before it was to be demonstrated at the Royal Institution. Maskelyne was a disgruntled competitor, his business suffocated by Marconi’s overly broad patents, but he justified his actions claiming that it was in the public interest to expose the flaws of Marconi’s system.

If his name sounds familiar, by the way, it’s perhaps because of his famous namesake, Nevil Maskelyne, the Astronomer Royal who a century and a half earlier was the cause of so much frustration to John Harrison, creator of the marine chronometer.

 Posted by at 1:15 pm
Nov 242011
 

2012 is supposed to be the year when the world comes to an end, courtesy of a stray planet or something. No, this is not something that I worry about, not the least bit.

Yet the world as we know it may still come to an end of sorts. Here are some of the things I do worry about:

  1. Germany is having trouble raising cash. This alarming news may mark the beginning of the end for the Euro, triggering a massive worldwide depression.
  2. A collapse of the Eurozone may trigger a collapse of the Chinese economic bubble. The consequences of an economic depression in China are unimaginable.
  3. Recently, a successful SCADA attack on a water plant in the US was confirmed. Perhaps in 2012 we shall see the first large scale SCADA attack on some essential infrastructure in the United States or Western Europe. How Western governments might respond is anyone’s guess.
  4. Israel may actually commit an act of utmost self-destructive stupidity and attack Iran.

Thankfully, there is one item that I can strike out from my list: it seems increasingly unlikely that one of the tea party fundamentalists would win the Republican nomination in the United States and go on to defeat Barack Obama. Obama may end up a one-term president, but if he is defeated by a Gingrich or a Romney, I’d know that at the very least, an adult remains in charge of the White House.

 Posted by at 5:14 am
Nov 152011
 

This comic, from xkcd.com, would be funny if it weren’t so darn frightening:

The original caption, which also appears as hover-over text, reads: “I hear in some places, you need one form of ID to buy a gun, but two to pay for it by check. It’s interesting who has what incentives to care about what mistakes.”

 Posted by at 2:02 pm
Oct 112011
 

Yesterday, I watched Terminator Salvation, the latest movie in the Terminator franchise.

Today,  I am reading in the news about an attempt to reconstruct visual images from MRI brain scans.

I am also reading about US military drones hacked by a virus of unknown origin and purpose.

All of which makes me wonder just how close we are actually to the kind of dystopian future depicted by the Terminator movies.

 Posted by at 8:08 pm
Aug 172011
 

I am not usually in the business of recommending software or hardware products, and it’s certainly not something anyone pays me to do… but recently, I began using two products, both of which have exceptional value, even though one came free of charge and the other cost only 150 dollars.

The free product is Secunia’s Personal Software Inspector (PSI), a software application that turned from something I never heard about into something I cannot live without virtually overnight. It is an application that keeps tabs on all the software installed on your computer and lets you know if any of them are out of date and require updates. Like antivirus software, PSI sits quietly in the background most of the time, but it pops up an unobtrusive warning whenever a new update becomes available, and even offers a direct link to the manufacturer’s download site. It is nice, incredibly useful, it recognizes hundreds of installed applications, and, well, it works as it is supposed to and doesn’t cost a penny.

The product I paid money for is a Cisco RV042 small business router. It does what small business routers do, connects your internal network to an external (DSL, cable, etc.) Internet connection. What makes it special is that it allows your internal network to be connected to two external connections at the same time, and it performs dynamic load balancing and failover functions between the two. I now set up my network architecture to take full advantage of it… and in the coming days, it will be working overtime, as I am planning a major change to my DSL service which will likely involve some unpredictable downtime. The router has other useful functions, too, not the least of which is that it can act as a VPN server, allowing a remote computer to connect to the internal network. The best part is that, like Secunia’s software, it simply works as advertised.

 Posted by at 8:47 pm
Jul 082011
 

Today, I received a phone call from 1-510-943-3040.

A gentleman with an Asian accent informed me that he is from the MS Windows Service Department (or whatever) and that in the last 30 days, they received repeat warnings from my computer about some malware attack.

I played along for a minute or two… but when the gentleman asked me to turn on my computer, I just couldn’t any longer. Still holding back my anger, I first explained to him that right now I am staring at a bookshelf containing a number of books I wrote about C++ and Windows programming; that I’ve been a computer professional since the 1970s (true, I received my first professional contract at the tender age of 16 in 1979)… and then, in language more rude I am afraid, I also told him that they are nothing but crooks and criminals, and that he should get off my f…ing phone.

The insolence!

 Posted by at 9:45 pm
Jun 022011
 

Although the Chinese are protesting loudly, too loudly perhaps, I have no reason to question the credibility of Google’s claim that recent attacks targeted at high-profile Gmail accounts were, in fact, coming from China. As a matter of fact, I can confirm from my own experience that a clear majority of automated ‘bot attacks intercepted by my server originate from Chinese IP addresses (here is a recent small sample of 14 attempts: 5 came from China, 2 from the US, 1 each from Japan, Bulgaria, Thailand, Ecuador, Poland, Singapore and Brazil; a previous data set of 15 attempts included 6 from China and 1 from Hong Kong). Which is why I thought it was high time for the Pentagon to declare publicly that hacking can constitute an act of war.

 Posted by at 1:08 pm
Feb 152011
 

Here’s a useful unit of measure that I just found out about, thanks to Bruce Schneier’s security blog: it’s called a micromort, a one-in-a-million probability of death. Curiously, according to the Wikipedia, your chances of dying on a train due to an accident are the same as your chances of dying due to cosmic radiation received while flying on a jet: 1 micromort every six thousand miles.

 Posted by at 3:22 pm
Jan 252011
 

The other day, I saw a report on the CBC about increasingly sophisticated methods thieves use to steal credit and bank card numbers. They showed, for instance, how a thief can easily grab a store card reader when the clerk is not looking, replacing it with a modified reader that steals card numbers and PIN codes.

That such thefts can happen in the first place, however, I attribute to the criminal negligence of the financial institutions involved. There is no question about it, when it’s important to a corporation, they certainly find ways to implement cryptographically secure methods to deny access by unauthorized equipment. Such technology has been in use by cable companies for many years already, making it very difficult to use unauthorized equipment to view cable TV. So how hard can it be to incorporate strong cryptographic authentication into bank card reader terminals, and why do banks not do it?

The other topic of the report was the use of insecure (they didn’t call it insecure but that’s what it is) RFID technology on some newer credit cards, the information from which can be stolen in a split second by a thief that just stands or sits next to you in a crowded mall. The use of such technology on supposedly “secure” new electronic credit cards is both incomprehensible and inexcusable. But, I am sure the technical consultant who recommended this technology to the banks in some bloated report full of flowery prose and multisyllable jargon received a nice paycheck.

 Posted by at 1:39 pm