Warcarting
One of the techniques used by the MIT students in their MBTA report was the impressive Warcart.
They must be off their (shopping) trolley!

The Thoughts and Feelings of a Melbourne Person
In the USA a court has ordered that three MIT students not talk at DEFCON about their security assessment of the Massachusetts Bay Transit Authority (MBTA) fare cards. Apparently the court believes that “discussing the flaws at a public conference constituted a ‘transmission’ of a computer program that could harm the fare collection system”, [...]
From the Washington Post:
Federal agents may take a traveler’s laptop or other electronic device to an off-site location for an unspecified period of time without any suspicion of wrongdoing, as part of border search policies the Department of Homeland Security recently disclosed. Also, officials may share copies of the laptop’s contents with other agencies and [...]
On the Beowulf list there has been a long thread on GPGPU and especially nVidia’s CUDA language. As part of it Prentice Bisbal posted about a friend of his, Mario Juric, who decided to write a proof of concept MD5 password hashing program to take advantage of CUDA.
In his message to the Beowulf list [...]
Now this is a scary (and pretty cool) potential abuse of network card firmware and PCI bus architecture to bypass firewalls described by Arrigo Triulzi (quoted on Ben Laurie’s blog):
3) from 1 & 2 above, after about two years, I’ve reached my goal of writing a totally transparent firewall bypass engine for those firewalls which [...]
Over on the PayPal blog Michael Barrett (their chief security officer) mentions a paper he and Dan Levy wrote extolling the virtues of Extended Validation certificates.
I’ve left a comment there (yet to escape from moderation) questioning the merits of EV and I thought I’d reproduce it here, especially in light of the recent cross-site scripting [...]
In his blog Glen writes on the Debian OpenSSL stuffup:
Hopefully this fiasco will re-energise hardware manufacturers into providing hardware-based random number generation. The current scavenging across the operating system for any source of entropy isn’t acceptable and is one of the root causes of this current flaw.
But this wouldn’t have helped in this situation as [...]
Update: Debian has a good summary page on their wiki.
This is pretty serious - a packaging stuff-up for OpenSSL by Debian (and hence Ubuntu) has resulted in not-very-random randomness being used in various packages such as OpenSSH for key generation. The Ubuntu report says:
A weakness has been discovered in the random number generator used by [...]
By Bruce Schneier:
You know you’ve got a problem when you can’t tell a hostile attack by another nation from bored kids with an axe to grind.
Also, on a crypto related humour note - The Traveling Cryptographer’s Problem, via Bart.
From Techdirt:
Playsforsure was so bad that Microsoft didn’t even use it for its own Zune digital media device. Along with that, Microsoft shut down its failed online music store, and now for the kicker, it’s telling anyone who was suckered into buying that DRM’d content that it’s about to nuke the DRM approval servers that [...]