Microsoft ‘Genuine Advantage’ – Kill Your PC?

Boy am I glad I don’t use Windows! I don’t have to worry about another company deciding that I don’t have the right to use my computer..

A ZDNet blog article relates a conversation, posted to the Interesting People list, that someone had with a Microsoft support person, in which the MS support person said:

“in the fall, having the latest WGA will become mandatory and if it’s not installed, Windows will give a 30 day warning and when the 30 days is up and WGA isn’t installed, Windows will stop working, so you might as well install WGA now.”

I don’t think this is actually likely to be true, as the only way they could be sure to disable Windows if WGA wasn’t installed is to have planned this from the first release of Windows XP; otherwise they’d have no guarantee that the code they need to do this would be installed.

However, the ZDNet person questioned Microsoft and only got this in response:

As we have mentioned previously, as the WGA Notifications program expands in the future, customers may be required to participate. Microsoft is gathering feedback in select markets to learn how it can best meet its customers’ needs and will keep customers informed of any changes to the program.

Now, given that MSFT is already being sued over WGA for violating the Washington Consumer Protection Act, Washington Anti-Spyware Laws, California Consumer Legal Remedies Act, California Anti-Spyware Laws, California Business and Professions Code and California’s Unfair Competition Law, you would think that they would take this opportunity for a good PR exercise about it..

New Blog Anti-Spam Tools

Recently I’ve added three new tools to my anti-spam arsenal. A few weeks back Rich gave me a heads up that he’d gotten the time to modify the WP 2.0 Akismet plugin to allow you to simply ban spamming IP addresses from your blog based on what Akismet classifies as spam.

Basically you get a top-10 of comments ordered by IP address and URL allowing you to quickly dispatch (and ban in the case of IP addresses) those evil posts. It works rather nicely, I must say.

This evening I’ve just added the Did You Pass Maths plugin from Aussie Steven Herod which is kind of a numeric captcha plugin for comments.

But this won’t stop trackback spam which seems to come in bursts, so I’ve also added the Trackback Validator Plugin from the Computer Security Lab at Rice University which visits the referrers of trackbacks received to ensure that there is really a link to you from that site in that page.

It’s not infallible as spammers can still configure a fake blog with links to your site, but they believe that when that happens it is no longer completely a spam trackback as it does originate from a real posting somewhere – just that you may disagree with the content and agenda behind it.
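The link check described above, as an added example (not the plugin's own code): given the page a trackback claims to come from, accept it only if that page contains a real anchor pointing at your post. The function names, URLs and sample pages are constructed for illustration, and the page HTML is passed in as a string rather than fetched.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LinkCollector(HTMLParser):
    """Collect href values of real <a> elements; markup inside comments is ignored."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def _canonical(url):
    """Reduce a URL to (host, path, query) so trivial variations still match."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host, parts.path.rstrip("/") or "/", parts.query


def trackback_is_backed_by_link(source_url, source_html, my_post_url):
    """True only if the source page has an <a href> resolving to my_post_url."""
    collector = _LinkCollector()
    collector.feed(source_html)
    target = _canonical(my_post_url)
    return any(_canonical(urljoin(source_url, h)) == target
               for h in collector.hrefs)


# Constructed sample data (example.org / example.net are placeholders).
MY_POST = "http://blog.example.org/2006/06/anti-spam-tools/"
GENUINE = ('<p>Nice write-up at <a href="http://www.Blog.Example.org'
           '/2006/06/anti-spam-tools">this blog</a>.</p>')
# Spam page: the URL appears only as plain text and inside an HTML comment.
SPAM = ('<p>Cheap pills! http://blog.example.org/2006/06/anti-spam-tools/</p>'
        '<!-- <a href="http://blog.example.org/2006/06/anti-spam-tools/">x</a> -->'
        '<a href="http://pills.example.net/">buy</a>')
# The caveat from the text: a fake blog that really links to you still passes.
FAKE_BLOG = '<p><a href="/2006/06/anti-spam-tools/">great post</a> buy pills</p>'
```

The `FAKE_BLOG` case is the limitation noted above: the check proves a link exists, not that the linking page is worth having a trackback from.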

So, we’ll see what happens!

Business to get access to Aussie ID Card Data?

Just in on the ABC news:

Federal Human Services Minister Joe Hockey has signalled that private sector companies like banks and supermarkets may be given access to information stored on the Government’s “smart card”.

Joe Hockey says:

So a blanket policy saying that the private sector can have no access to the card, or a blanket policy saying that only certain government agencies can have access, or a blanket policy saying that individuals can or cannot change the information, I think is crazy at this particular point of time

No, Mr. Hockey, I think you’re crazy for considering letting private companies get access to this data!

Australian Government to Introduce De-Facto ID Cards

From the ABC:

Federal Cabinet has approved the introduction of a smart card for all people who use Government health and welfare services.

The card will include a photograph and personal details, and will be used to access Medicare rebates and family benefits. […]

Announcing the decision, Prime Minister John Howard says the Government has decided not to continue with a proposal for a national identity card for all Australians.

So if you want to be able to claim your Medicare for going to see the doctor, you will have to have one of these cards…

US Wants to Remove More Rights, Expand DMCA

It would appear a coalition of the repressive wish to expand the remit of US Copyright law, including the DMCA, to make it even harder to do research, play media on any OS but those you have paid Microsoft/Apple for, or defend yourself against damaging software they put on silver circles they claim to be (but are not) Compact Discs.

Jessica Litman, who teaches copyright law at Wayne State University, views the DMCA expansion as more than just a minor change. “If Sony had decided to stand on its rights and either McAfee or Norton Antivirus had tried to remove the rootkit from my hard drive, we’d all be violating this expanded definition,” Litman said.

Even the current wording of the DMCA has alarmed security researchers. Ed Felten, the Princeton professor, told the Copyright Office last month that he and a colleague were the first to uncover the so-called “rootkit” on some Sony BMG Music Entertainment CDs–but delayed publishing their findings for fear of being sued under the DMCA.

..and how do they propose to get this through? Fear, of course! That resurgent American political tool.

During a speech in November, Attorney General Alberto Gonzales endorsed the idea and said at the time that he would send Congress draft legislation. Such changes are necessary because new technology is “encouraging large-scale criminal enterprises to get involved in intellectual-property theft,” Gonzales said, adding that proceeds from the illicit businesses are used, “quite frankly, to fund terrorism activities.”

Ed: my emphasis added

Intel/Skype “Deal” Locks Out AMD CPUs For 10-Way Calling

According to this Business Week article, Intel and Skype have a deal to only activate 10-way calling on machines with Intel dual-core CPUs; everyone else is limited to 5. This has prompted AMD to subpoena Skype as part of their anti-trust action.

There are claims that this has been cracked, but the site that they link to has gone (the nameserver records don’t appear in the DNS for some reason).

Update: Details (including assembler decodes) have appeared here – thanks to Hakan Aydin for this pointer!

Using Shorewall to Limit SSH Attacks

Firewalling with Shorewall SSH brute-force attacks

Category: Personal article (non-blog)

Year created: 2005

Overall rating: 5 out of 5

Content rating: 5 out of 5

There’s an excellent post over at Debian Grimoire which gives a simple recipe to defend against SSH brute force attacks using Shorewall, including a whitelist port-knock in case you manage to lock yourself out. Very useful!

Tags: shorewall ssh

Elliptic Curve Cryptography

An interesting article from LWN about Elliptic Curve Cryptography and Open Source.

ECC is based on some very deep math involving elliptic curves in a finite field. It relies on the difficulty of solving the Elliptic Curve Discrete Logarithm Problem (ECDLP) in much the same way that RSA depends on the difficulty of factoring the product of two large primes. The best known method for solving ECDLP is fully exponential, whereas the number field sieve (for factoring) is sub-exponential. This allows ECC to use drastically smaller keys to provide the equivalent security; a 160-bit ECC key is equivalent to a 1024-bit RSA key.

As always though, there are the problems of patents..

The wild card in the ECC patent arena seems to be Certicom which claims a large number of ECC patents and has not made a clear statement of its intentions with regard to open source implementations. The NSA licensed Certicom’s patents for $25 million to allow them and their suppliers to use ECC, lending some credence to at least some of the Certicom patents. Other companies also have patents on various pieces of ECC technology.

Be interesting to see what happens..