|
|
Technology Industry News & Career Management information, brought to you by BrainWave Consulting Company.
July 2009 - Posts
-
-
In cryptography, we've long used the term "snake oil" to refer to crypto systems with good marketing hype and little actual security. It's the phrase I generalized into "security theater." Well, it turns out that there really is a snake oil salesman.... Share Post: Read More...
|
-
Interesting TED talk by Eve Ensler on security. She doesn't use any of the terms, but in the beginning she's echoing a lot of the current thinking about evolutionary psychology and how it relates to security.... Share Post: Read More...
|
-
More fearmongering. The headline is "Terrorists could use internet to launch nuclear attack: report." The subhead: "The risk of cyber-terrorism escalating to a nuclear strike is growing daily, according to a study." In the article: The claims come in a study commissioned by the International Commission on Nuclear Non-proliferation and Disarmament (ICNND), which suggests that under the right circumstances, Read More...
|
-
A new and very impressive attack against AES has just been announced. Over the past couple of months, there have been two (the second blogged about here) new cryptanalysis papers on AES. The attacks presented in the paper are not practical -- they're far too complex, they're related-key attacks, and they're against larger-key versions and not the 128-bit version that... Share Post: Read More...
|
-
Excellent essay by Jonathan Zittrain on the risks of cloud computing: The cloud, however, comes with real dangers. Some are in plain view. If you entrust your data to others, they can let you down or outright betray you. For example, if your favorite music is rented or authorized from an online subscription service rather than freely in your custody... Share Post: Read More...
|
-
Interesting, although I want some more technical details. ...the new iPhone 3GS' encryption feature is "broken" when it comes to protecting sensitive information such as credit card numbers and social-security digits, Zdziarski said. Zdziarski said it's just as easy to access a user's private information on an iPhone 3GS as it was on the previous generation iPhone 3G or first... Share Post: Read More...
|
-
Clever: Nigerian scammers find homes listed for sale on these public search sites, copy the pictures and listings verbatim, and then post the information onto Craigslist under available housing rentals, without the consent or knowledge of Craigslist, who has been notified. After the posting is listed, unsuspecting individuals contact the poster, who is Nigerian, for more information on the "rental."... Read More...
|
-
A large sign saying "United States" at a border crossing was deemed a security risk: Yet three weeks ago, less than a month after the station opened, workers began prying the big yellow letters off the building's facade on orders from Customs and Border Protection. The plan is to dismantle the rest of the sign this week. "At the end... Share Post: Read More...
|
-
Seems like the Swiss may be running out of secure gold storage. If this is true, it's a real security issue. You can't just store the stuff behind normal locks. Building secure gold storage takes time and money. I am reminded of a related problem the EU had during the transition to the euro: where to store all the bills... Share Post: Read More...
|
-
This is funny: Tips for Staying Safe Online All citizens can follow a few simple guidelines to keep themselves safe in cyberspace. In doing so, they not only protect their personal information but also contribute to the security of cyberspace. Install anti-virus software, a firewall, and anti-spyware software to your computer, and update as necessary. Create strong passwords on your... Share Post: Read More...
|
-
Nice description of the base rate fallacy.... Share Post: Read More...
|
-
NIST has announced the 14 SHA-3 candidates that have advanced to the second round: BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein. In February, I chose my favorites: Arirang, BLAKE, Blue Midnight Wish, ECHO, Grøstl, Keccak, LANE, Shabal, and Skein. Of the ones NIST eventually chose, I am most surprised to... Share Read More...
|
-
Social Security Numbers are not random. In some cases, you can http://www.wired.com/wiredscience/2009/07/predictingssn/">predict them with date and place of birth. Abstract: Information about an individual's place and date of birth can be exploited to predict his or her Social Security number (SSN). Using only publicly available information, we observed a correlation between individuals' SSNs and their Read More...
|
-
Excellent article detailing the Twitter attack.... Share Post: Read More...
|
-
I wrote about this in 2007, ut there's New research: Scientists from Oregon State University, the University of Washington and McGill University partnered with city workers in 96 communities, including Pendleton, Hermiston and Umatilla, to gather samples on one day, March 4, 2008. The scientists then tested the samples for evidence of methamphetamine, cocaine and ecstasy, or MDMA. Addiction specialists... Read More...
|
-
Cryptography has zero-knowledge proofs, where Alice can prove to Bob that she knows something without revealing it to Bob. Here's something similar from the real world. It's a research project to allow weapons inspectors from one nation to verify the disarming of another nation's nuclear weapons without learning any weapons secrets in the process, such as the amount of nuclear... Share Post: Read More...
|
-
"Distributed Security: A New Model of Law Enforcement," Susan W. Brenner and Leo L. Clarke. Abstract: Cybercrime, which is rapidly increasing in frequency and in severity, requires us to rethink how we should enforce our criminal laws. The current model of reactive, police-based enforcement, with its origins in real-world urbanization, does not and cannot protect society from criminals using computer... Read More...
|
-
As a technologist, I am always on the lookout for new and exciting products, solutions and discoveries which will be coming to a store near me at some point in the future. Whenever possible, I look to jump on the beta bandwagon and preview or test...( read more ) Share Post: Read More...
|
-
Only in Japan: Bandai toy company from Japan has finally realized that bottles of water just aren't cute. As Japan is the cute capital of the world, this just wouldn't do. To fix the problem, they developed these adorable floating squids that can be added to any bottle of water. Thank god for Japanese innovation. Of course, they're only available... Share Post: Read More...
|
-
South Africa takes its security seriously. Here's an ATM that automatically squirts pepper spray into the face of "people tampering with the card slots." Sounds cool, but these kinds of things are all about false positives: But the mechanism backfired in one incident last week when pepper spray was inadvertently inhaled by three technicians who required treatment from paramedics. Patrick... Share Post Read More...
|
-
Reassuring people about privacy makes them more, not less, concerned. It's called "privacy salience," and Leslie John, Alessandro Acquisti, and George Loewenstein -- all at Carnegie Mellon University -- demonstrated this in a series of clever experiments. In one, subjects completed an online survey consisting of a series of questions about their academic behavior -- "Have you ever cheated on... Share Read More...
|
-
Last year, I wrote about the increasing propensity for governments, including the U.S. and Great Britain, to search the contents of people's laptops at customs. What we know is still based on anecdote, as no country has clarified the rules about what their customs officers are and are not allowed to do, and what rights people have. Companies and individuals... Share Post: Read More...
|
-
The NSA has known about this for decades: Security researchers found that poor shielding on some keyboard cables means useful data can be leaked about each character typed. By analysing the information leaking onto power circuits, the researchers could see what a target was typing. The attack has been demonstrated to work at a distance of up to 15m, but... Share Post: Read More...
|
-
Hide files inside pdf documents: "embed a file in a PDF document and corrupt the reference, thereby effectively making the embedded file invisible to the PDF reader."... Share Post: Read More...
|
-
Interesting use of gaze tracking software to protect privacy: Chameleon uses gaze-tracking software and camera equipment to track an authorized reader's eyes to show only that one person the correct text. After a 15-second calibration period in which the software essentially "learns" the viewer's gaze patterns, anyone looking over that user's shoulder sees dummy text that randomly and constantly changes.... Read More...
|
-
To hear the media tell it, the United States suffered a major cyberattack last week. Stories were everywhere. "Cyber Blitz hits U.S., Korea" was the headline in Thursday's Wall Street Journal. North Korea was blamed. Where were you when North Korea attacked America? Did you feel the fury of North Korea's armies? Were you fearful for your country? Or did... Share Post: Read More...
|
-
Interesting paper from HotSec '07: "Do Strong Web Passwords Accomplish Anything?" by Dinei Florêncio, Cormac Herley, and Baris Coskun. ABSTRACT: We find that traditional password advice given to users is somewhat dated. Strong passwords do nothing to protect online users from password stealing attacks such as phishing and keylogging, and yet they place considerable burden on users. Passwords Read More...
|
-
A hundred-pounder. They're still moving North.... Share Post: Read More...
|
-
Want to cause chaos at an airport? Leave a suitcase in the restroom: Three incoming flights from London were cancelled and about 150 others were delayed for up to three hours, while the army's bomb squad carried out its investigation, before giving the all-clear at about 5pm. Passengers were told to leave the arrivals hall, main check-in area at the... Share Post: Read More...
|
-
Commenting on Google's claim that Chrome was designed to be virus-free, I said: Bruce Schneier, the chief security technology officer at BT, scoffed at Google's promise. "It's an idiotic claim," Schneier wrote in an e-mail. "It was mathematically proved decades ago that it is impossible -- not an engineering impossibility, not technologically impossible, but the 2+2=3 kind of impossible --... Share Read More...
|
-
They're expanding: The years-in-the-making project, which may cost billions over time, got a $181 million start last week when President Obama signed a war spending bill in which Congress agreed to pay for primary construction, power access and security infrastructure. The enormous building, which will have a footprint about three times the size of the Utah State Capitol building, will... Share Post Read More...
|
-
The talk has been pulled from the BlackHat conference: Barnaby Jack, a researcher with Juniper Networks, was to present a demonstration showing how he could jackpot a popular ATM brand by exploiting a vulnerability in its software. Jack was scheduled to present his talk at the upcoming Black Hat security conference being held in Las Vegas at the end of... Share Post: Read More...
|
-
Last month, IBM made some pretty brash claims about homomorphic encryption and the future of security. I hate to be the one to throw cold water on the whole thing -- as cool as the new discovery is -- but it's important to separate the theoretical from the practical. Homomorphic cryptosystems are ones where mathematical operations on the ciphertext have... Share Post: Read More...
|
-
Sometimes movie plots actually happen: ...three people have been arrested after police discovered their plan to free a drug trafficker from an island prison using a 13-foot airship carrying night goggles, climbing gear and camouflage paint. [...] The arrested men had setup an elaborate surveillance operation of the prison that involved a camouflaged tent, powerful binoculars, telephoto lenses, and Read More...
|
-
This is good news: A federal judge in June threw out seizure of three fake passports from a traveler, saying that TSA screeners violated his Fourth Amendment rights against unreasonable search and seizure. Congress authorizes TSA to search travelers for weapons and explosives; beyond that, the agency is overstepping its bounds, U.S. District Court Judge Algenon L. Marbley said. "The... Share Post: Read More...
|
-
Yesterday's Minneapolis Star Tribune had the front-page headline: "Co-sleeping kills about 20 infants each year." (The headline in the web article is different.) The only problem is, in either case, there's no additional information with which to make sense of the statistic. How many infants don't die each year? How many infants die each year in separate beds? Is the... Share Post: Read More...
|
-
Well, it’s been a while since we’ve had an active zero-day in Internet Explorer, but according to Microsoft Security Advisory 972890 , that’s what we’re looking at: a vulnerability in DirectX that allows for unauthenticated, remote execution attacks...( read more ) Share Post: Read More...
|
-
Anti-theft lunch bags, for those who have a problem with their lunches being stolen. Only works until the thief figures it out, though.... Share Post: Read More...
|
-
I wonder if it will work. Nepal's anti-corruption authority has come up with a novel solution to rampant bribe-taking at the country's only international airport -- the pocketless trouser. The authority said it was issuing the new, bribe-proof garment to all airport officials after uncovering widespread corruption at Kathmandu's Tribhuvan International Airport.... Share Post: Read More...
|
-
I don't even know where to begin on this one: As we have seen in the past with other technologies, while cloud resources will likely start out decentralized, as time goes by and economies of scale take hold, they will start to collect into mega-technology hubs. These hubs could, as the end of this cycle, number in the low single... Share Post: Read More...
|
-
-
Usability guru Jakob Nielsen opened up a can of worms when he made the case for unmasking passwords in his blog. I chimed in that I agreed. Almost 165 comments on my blog (and several articles, essays, and many other blog posts) later, the consensus is that we were wrong. I was certainly too glib. Like any security countermeasure, password... Share Post: Read More...
|
-
Good essay -- "The Staggering Cost of Playing it 'Safe'" -- about the political motivations for terrorist security policy. Senator Barbara Boxer has led an effort to at least put together a public database of ash storage sites so that people can judge the risk to the areas where they live. However, even this effort has been blocked not by... Share Post: Read More...
|
-
Can anyone guess the entry codes for these door locks? There are 10,000 possible four-digit codes, but you only have to try 24 on these keypads. The second is almost certainly guessable in one.... Share Post: Read More...
|
-
The plant caladium steudneriifolium pretends to be ill so mining moths won't eat it. She believes that the plant essentially fakes being ill, producing variegated leaves that mimic those that have already been damaged by mining moth larvae. That deters the moths from laying any further larvae on the leaves, as the insects assume the previous caterpillars have already eaten... Share Post: Read More...
|
-
In other SHA-3 news, Ron Rivest seems to have withdrawn MD6 from the SHA-3 competition. From an e-mail to a NIST mailing list: We suggest that MD6 is not yet ready for the next SHA-3 round, and we also provide some suggestions for NIST as the contest moves forward. Basically, the issue is that in order for MD6 to be... Share Post: Read More...
|
-
There's a new cryptanalytic attack on AES that is better than brute force: Abstract. In this paper we present two related-key attacks on the full AES. For AES-256 we show the first key recovery attack that works for all the keys and has complexity 2119, while the recent attack by Biryukov-Khovratovich-Nikolic works for a weak key class and has higher... Share Post: Read More...
|
-
If the size of your company grows past 150 people, it's time to get name badges. It's not that larger groups are somehow less secure, it's just that 150 is the cognitive limit to the number of people a human brain can maintain a coherent social relationship with. Primatologist Robin Dunbar derived this number by comparing neocortex -- the "thinking"... Share Post: Read More...
|
|
|
|