Andrew Breese

Musings of a professional geek

Category Archives: Uncategorized

Humble Bundle on Cybersecurity and Crypto

Heads-up on a great Humble Bundle on crypto, security, hacking, and all sorts of related topics. As a pay-what-you-like deal it’s amazing given what these books are worth. I’m really keen to read Threat Modeling: Designing for Security and Cryptography Engineering: Design Principles and Practical Applications; that is my bedside reading set for months to come. Offer ends around the end of July, and found via Bruce Schneier’s blog.


Wartime Lorenz crypto machine

As a crypto fan, seeing a pic of the Lorenz is good; knowing it’s in a museum is even better (article from The Register). Cool.

Receiving the Lorenz machine, TNMOC’s Clark said: “We are enormously grateful to the Norwegian Armed Forces Museum for its generous loan. It completes a truly unique set at TNMOC and helps bring further life to the story that we have always wanted to tell as clearly and dynamically as possible.”

“The arrival of the Lorenz… brings into even sharper focus the astonishing achievements of those wartime code-breakers,” he added in a TNMOC statement.

Go on, geek it up with me. That is a fascinating mechanical beast.

What are the eBay hack implications for ordinary people?

So eBay was hacked pretty badly (Soylent post, and eBay’s own announcement), which for the geeky-type folk is interesting in terms of how they did it; but more importantly – every eBay user should take care and think about what they have shared with these companies.

The nature of the hack is typically complex, and the explanations of how are not really that relevant to everyday users (I’m not being condescending by saying that, as I consider myself an end-user too). eBay has made a fair effort to give details recently, but can also be rightly questioned about how long the advice took to reach their customers. Rightly or wrongly it is around 2 months since the actual event, and that is a fairly long amount of time to wait to request password resets.

  • For users it means change your passwords now. Change them to something which is hard to guess; preferably a gibberish nonsensical combination of letters, numbers, and special characters.
  • Also change any passwords for services which you used with eBay too.
  • And please ensure the password is not the same as any other services you are using.
  • Consider using a password vault of some sort. It makes having all these different passwords easier, and also helps you when using multiple computers. Yes, it can be hacked too, but everything can be.

The reason for this is we don’t know what other attacks are being attempted, or what previous attacks might not have been understood well. PayPal is certainly a regular target for trouble too, so consider altering your credentials with them as well.

The tech jargon translates to mean that your password wasn’t easy to read, but it is only a matter of time until it is. Database encryption is a wonderful thing, but time and brute force will beat almost anything in use today; and by comparison the “safe” encryption methods of five or so years ago are now considered questionable.

Of the 140 million accounts compromised, wouldn’t you rather be one of the ones that isn’t open when the hackers decrypt all those old passwords?

Is this an alarmist approach? Well, no. This time resetting your credentials is the first step.

There are additional steps “normal” online users should do too:

  • Consider changing what personal information you are currently saving into and sharing with every online service (a.k.a. website). Each app, each URL, every vendor, all those games, and whatever Facebook widgets all collect information from you, and you’re far better off if the collection of information out there is as vague as possible. I recently went through Facebook, eBay, PayPal, and a few other services that I use and removed a lot of personal information. From now on they only get the minimum.
  • As part of that depersonalization, consider getting your orders delivered to a place which isn’t your home address. I often use my work address, as there will always be somebody there during postal delivery hours, but it also means that eBay and such have no idea of where I actually live.
  • Don’t trust your app vendors any more than you’d trust the guy at your local clothing store, cafe, or petrol station. Just as it is trivial for somebody working in the store to grab your card number, grabbing card numbers from online transactions is harder for a single transaction but a lot easier to do in huge quantities. This means that while you’re generally more secure online for a single transaction, the methods of attack are far more complex and harder to understand.

Hope this was useful, and also wish the darn hackers would get into something a little less destructive and nasty. The skills to do some of this activity are significant, and there has to be a better way to gain money or notoriety.


Beautiful Rotating Skyscraper

How would you feel living in a rotating skyscraper? This proposed building in Dubai is about as strange and mythic a building as I’ve seen that is also supposed to be functional.

Features:

  • each floor can rotate 360 degrees every 90 minutes
  • controlled via voice commands by tenants

What I love is the idea that no particular part of the building is permanently facing a cardinal direction. Our house is primarily south facing which means we get little light through it. I think if the house rotated even every week it would be an incredible change in the way we live. If this actually gets built I’d love to read commentary from the inhabitants of the building to see how the rotation was used, and what unexpected experiences they had.

Dynamic Tower

I’m a little suss on the power and mechanics needed to make this happen, especially as the floors are to be controlled independently from each other. The other odd feature is the idea of using voice commands. I get that it makes some things easier, and perhaps these will be intelligent enough to understand complex instructions.

“Rotate faster”, “Face the north”, “match the next floor”, “offset downstairs 90 degrees clockwise”…

The engineering required to do that is totally beyond me at the moment. What do you use to do that? A linked rotating core downward through the building, which is broken into segments at each floor? Each floor must be on a very structurally sound independent plate, and the torque and load limits must apply.

Can I put a grand piano and pool table out on the edge of my floor and hope that it does not tip downward over time?

Laughing Squid pointed to the article – Proposed Dubai Skyscraper Features Independently Rotating Floors Operated By Voice Command.

Giant Mars photos

A billion-pixel image of most things is likely to be wasteful. Not Mars; Mars is bloody cool. But then what geek does not like images from another planet, taken by remote controlled robots, by nerds, in huge resolution? It’s frigg’n Mars, people.

Billion-Pixel View From Curiosity at Rocknest. Coming soon – Streetview.


Observation on Security & Prism

I liked this, although the idea of keeping something secret while using Facebook is ironic too (source).

[image: prism]

I like Gmail even more with advanced search

Gmail is a better email provider than most of the other free webmail options around, but folks still have issues. Yesterday I was trying to find a specific email and I realised that I’d never used any of the advanced search options.

e.g. from:andrew has:attachment – will find all emails from Andrew where there was an attachment.

Now that I know what they are I’ll be using them all the time. They make Gmail great. Some highlights are:

  • from:{name}
  • to:{name}
  • has:attachment – is so darn good for finding that lost file sent to somebody who you also trade 1000s of emails with
  • OR – where the or must be in caps
  • filename:{nameOfFile.txt}
  • after:{date}
  • before:{date}

Better still, you can set up filters using these rules too, so that frequent searches are easy to redo.
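To make those operators concrete, here is an added example in Python (my own code, not from the original post and not Gmail’s): a toy matcher that evaluates from:, to:, has:attachment, filename:, after:, before: and OR against a constructed sample mailbox. The AND/OR precedence, the exclusive date bounds, and the message fields are assumptions; Gmail’s real matching is richer than this.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Message:  # constructed message shape, not Gmail's own data model
    sender: str
    recipient: str
    subject: str
    sent: date
    attachments: list = field(default_factory=list)

# Constructed sample mailbox (hypothetical addresses, subjects and dates).
MAILBOX = [
    Message("andrew@example.com", "me@example.com", "Q1 figures", date(2013, 3, 2), ["report.pdf"]),
    Message("andrew@example.com", "me@example.com", "lunch?", date(2013, 5, 9)),
    Message("sara@example.com", "me@example.com", "meeting notes", date(2013, 4, 1), ["notes.txt"]),
    Message("me@example.com", "andrew@example.com", "holiday photo", date(2012, 12, 20), ["photo.jpg"]),
]

OPS = {  # the operators listed in the post, each as a predicate on (message, value)
    "from": lambda m, v: v in m.sender.lower(),
    "to": lambda m, v: v in m.recipient.lower(),
    "has": lambda m, v: v == "attachment" and bool(m.attachments),
    "filename": lambda m, v: any(a.lower() == v for a in m.attachments),
    "after": lambda m, v: m.sent > date.fromisoformat(v),  # exclusive bounds assumed
    "before": lambda m, v: m.sent < date.fromisoformat(v),
}

def term_matches(term, m):
    """One operator:value term against one message; a bare word searches the subject."""
    op, sep, val = term.lower().partition(":")
    if not sep:
        return op in m.subject.lower()  # a lowercase 'or' is just a word, not the operator
    return OPS[op](m, val)  # KeyError for an operator this toy does not model

def search(query, mailbox=MAILBOX):
    """Indexes of matching messages: terms are ANDed; an uppercase OR joins its neighbours (assumed precedence)."""
    groups, pending_or = [], False
    for tok in query.split():
        if tok == "OR":
            pending_or = True
            continue
        if pending_or and groups:
            groups[-1].append(tok)
        else:
            groups.append([tok])
        pending_or = False
    return [i for i, m in enumerate(mailbox)
            if all(any(term_matches(t, m) for t in g) for g in groups)]
```

Note the lowercase `or` query in the test: it matches nothing, which is the "OR must be in caps" point from the list above.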

Once again stalled by Metro

Rubber-hose Cryptanalysis

It’s no secret that I love cryptanalysis and randomisation as concepts, and will spend a huge amount of time nutting at problems; firstly trying to understand, and then come up with uses or look at gaps. I’m a geek and that is what some geeks do. Today I came across a term I’d not heard of: Rubber-hose Cryptanalysis.

Wikipedia: “In cryptography, rubber-hose cryptanalysis is the extraction of cryptographic secrets (e.g. the password to an encrypted file) from a person by coercion or torture, in contrast to a mathematical or technical cryptanalytic attack.”

The term recognises that often the weakest point of security is human, and that we as humans are susceptible to forms of brute force attack. Damn, that is dark. Somebody created a term for a very specific reason for torture. I’m scared by that more than impressed, and frankly it is a little disturbing.

Found via a Geek-o-system blog post, which has a nifty XKCD cartoon.

Don’t look at me like that, I thought that was interesting.

Is CISPA another SOPA?

Update: CISPA Bill was successfully passed by the US House of Reps, 27 April 2012. Find a good encrypted VPN provider now!

The struggle between governments, corps, and the rights of the individual is not over. SOPA was brought down by a large public outcry, and my fear at the time was that we would see this a few more times until eventually we are sick of responding, or disinterested – and then something aberrant will get passed.

Well, in the US a bill called CISPA (the Cyber Intelligence Sharing and Protection Act) is doing the rounds in headlines, and it appears to be a slightly lesser version of, but essentially the same as, SOPA in terms of impact to personal freedom and information. Yes, yes, I know CISPA is very different in terms of focus, but the devil is in the implementation (Wired mag).

Once again the US govt is proposing very powerful changes to law without significant tangible borders, so that it can protect me, itself, and companies from my worse self. These powers come at the cost of my information and personal privacy. By default I think we should be against these changes.

CISPA is not without its own critics, and you’ll have to either trust me (or read further) that the bill in its current form is still a very large concern for a lot of agencies. So much so that basically all the organisations who were against SOPA and PIPA are alarmed by CISPA (do you hate acronyms yet?).

A point of difference is that many public, well known, and potentially trusted organisations are happy to support the bill. As the person on this end of the internet, I’m not happy to have faith that Microsoft, IBM, Facebook, etc. are benevolent, trustworthy companies.

There is a saying that rings true here, when we think about the impact this has and how trustworthy the govts, corps, and private companies are:

“If you are not paying for it but getting it for free, then you are the product, not the consumer.”

My privacy and security are not a commodity, and it worries me as Australia will likely follow what the Americans do.
