[SecurityRatty] tag: feet

Hacking Airport Wi-Fi

Mon, 24 Nov 2008 17:10:02 +0000

Richard Farina booted up his computer on an American Airlines flight in October from New York to San Francisco. It was one of the first commercial flights to offer wireless Internet service. Within a couple minutes of reaching 10,000 feet, Farina was snooping the airwaves with the ability to see what his fellow pass

Bush's exit to put new e-records system to the test

Fri, 21 Nov 2008 02:00:00 +0000

The National Archives received only 32 million e-mails from the Clinton administration eight years ago, but in a few months, it expects to get hit with 50 times that from the Bush administration, which has exacerbated the problem by dragging its feet in supplying the data.

What would you do if you knew the Air Marshal on your plane was smuggling Drugs?

Sat, 15 Nov 2008 20:34:00 +0000

According to a recent USA TODAY article, Federal Air Marshals have been convicted of smuggling drugs, molesting children, abducting a female escort during a layover in Washington D.C., hiring a hitman to kill a spouse and many other criminal acts.

The ex-Air Marshal who was convicted of smuggling drugs apparently used his position to work with a drug dealer to carry cocaine and drug money with him on flights around the country. He was caught on tape telling an informant that he was "the man with the Golden Badge".

We should remember though, that with a current force of between 3,000 - 4,000 (exact numbers are confidential), there are bound to be a few bad apples in the bunch - that is the way in every profession.

What makes it much more alarming when we talk about Air Marshals gone bad is the fact that at 30,000 feet in the air - their authority is absolute. The last thing a passenger in a plane needs to be concerned about is the very person on the plane whose job it is to protect the passengers.

The Marshal's decision making skills should be beyond reproach. If their judgement is clouded over however, due to experimenting with the cocaine they are smuggling, the consequences could prove fatal.

Perhaps the fact that prior to 2001, the Air Marshal service had an annual budget of $4.4 million and 33 agents which exploded to $786 million and between 3,000 to 4,000 agents today might have something to do with undesirables falling through the cracks.

Not that rapid hiring needs are an excuse for allowing criminal behavior to go unnoticed. The office of Inspector General or Internal Affairs needs to get actively involved and properly supervise the agency so that rogue Marshals are not allowed to remain in the service.

Why there's no logging standard -- it's not our fault, mate

Tue, 28 Oct 2008 21:00:00 +0000

Over the years there have been more attempts at creating a logging standard than I’ve had hot dinners – to borrow a Britishism. No standard has ever really emerged that has caught on. And I bet I’m going to get at least one e-mail that will place the blame squarely at the feet of vendors like us, who make money out of the present chaotic situation.

However, the problem runs much deeper than just a lack of will among ourselves and our peers...

NBA Preview and Flashback

Tue, 28 Oct 2008 20:42:50 +0000

NBA starts today, it is always good to have something to look forward to once the weather gets cold in Minnie. I follow two teams. The Celtics who have a decent chance at repeating as champs. KG and Pierce should be back in full force, hopefully Ray Allen holds up. Perkins and Rondo may get a little better with experience. Biggest loss is Posey and we will miss him a lot more than people think. A real glue guy, defense, passing, rebounding, makes the smart plays and as a middleware guy myself I can relate. He will make CP3 even more dangerous.

The other team I follow is the Timberwolves. I think they will be pretty good this year. Al Jefferson is a beast down low. Only four players averaged 20 and 10 last year and he is one. He is the best big man in the post after Duncan. Getting Love and Miller for OJ Mayo was a smart deal by McHale. I think McCants can be a decent instant offense 6th man. Would be good to see Foye step up this year. Weakness looks to be defense

*Flashback*

I am biased but I think the 1980s was the most fun time to watch NBA. Everyone talks about Bird and Magic, but there were a lot of great players back then. Here is my all underrated 1980s team (no Celtics included due to conflict of interest and unobjectivity)

C: Moses Malone - beast of a big man, immovable force under the hoop with fantastic foot work for a big man. It is too bad he was traded by Portland because he and Bill Walton would have been the best big man combo of all time.

PF: Bobby Jones - great defender, good rebounder, good passer for a big man. Typical Tar Heel -fundamentally sound. He would be the James Posey of this team. (Runner up: Calvin Natt)

SF: Bernard King - what a renaissance. Watch his moves on youtube, he was not that tall like say Alex English but he could go in the lane and score on anybody. Jordan of course is an all around better player but I think King was a better scorer and that is saying something. The playoffs when he was putting up 50 and 60 a night he was a terrifying force.

SG: Andrew Toney - they called him the Boston strangler and as Celtics fan there was no one I was more afraid of. Its a real shame his career got cut short. (Runner up: George Gervin)

PG: Tiny Archibald - Ok, one Celtic, but he is seriously underrated - would go flying into the lane, disappear in the trees, Tiny would fly out the bottom of the pile, and the ball would pop out the top and drop in. Probably the last great player to come out of NYC. (Runner up: Mo Cheeks)

Sixth Man - World B. Free - no doubt about this one, he was great as a sixth man. And this guy was plain fun to watch. He would bomb it from 30 feet, when he was on he was a force. He would kick his leg into the defender when he was shooting a j to draw the foul. (Runner up: Michael Cooper)

Remotely Eavesdropping on Keyboards

Thu, 23 Oct 2008 08:48:16 +0000

Clever work:

The researchers from the Security and Cryptography Laboratory at Ecole Polytechnique Federale de Lausanne are able to capture keystrokes by monitoring the electromagnetic radiation of PS/2, universal serial bus, or laptop keyboards. They've outline four separate attack methods, some that work at a distance of as much as 65 feet from the target.
In one video demonstration, researchers Martin Vuagnoux and Sylvain Pasini sniff out the the keystrokes typed into a standard keyboard using a large antenna that's about 20 to 30 feet away in an adjacent room.

Website here.

Quantum Cryptography

Tue, 21 Oct 2008 02:48:49 +0000

Quantum cryptography is back in the news, and the basic idea is still unbelievably cool, in theory, and nearly useless in real life.

The idea behind quantum crypto is that two people communicating using a quantum channel can be absolutely sure no one is eavesdropping. Heisenberg's uncertainty principle requires anyone measuring a quantum system to disturb it, and that disturbance alerts legitimate users as to the eavesdropper's presence. No disturbance, no eavesdropper -- period.

This month we've seen reports on a new working quantum-key distribution network in Vienna, and a new quantum-key distribution technique out of Britain. Great stuff, but headlines like the BBC's "'Unbreakable' encryption unveiled" are a bit much.

The basic science behind quantum crypto was developed, and prototypes built, in the early 1980s by Charles Bennett and Giles Brassard, and there have been steady advances in engineering since then. I describe basically how it all works in Applied Cryptography, 2nd Edition (pages 554-557). At least one company already sells quantum-key distribution products.

Note that this is totally separate from quantum computing, which also has implications for cryptography. Several groups are working on designing and building a quantum computer, which is fundamentally different from a classical computer. If one were built -- and we're talking science fiction here -- then it could factor numbers and solve discrete-logarithm problems very quickly. In other words, it could break all of our commonly used public-key algorithms. For symmetric cryptography it's not that dire: A quantum computer would effectively halve the key length, so that a 256-bit key would be only as secure as a 128-bit key today. Pretty serious stuff, but years away from being practical. I think the best quantum computer today can factor the number 15.

While I like the science of quantum cryptography -- my undergraduate degree was in physics -- I don't see any commercial value in it. I don't believe it solves any security problem that needs solving. I don't believe that it's worth paying for, and I can't imagine anyone but a few technophiles buying and deploying it. Systems that use it don't magically become unbreakable, because the quantum part doesn't address the weak points of the system.

Security is a chain; it's as strong as the weakest link. Mathematical cryptography, as bad as it sometimes is, is the strongest link in most security chains. Our symmetric and public-key algorithms are pretty good, even though they're not based on much rigorous mathematical theory. The real problems are elsewhere: computer security, network security, user interface and so on.

Cryptography is the one area of security that we can get right. We already have good encryption algorithms, good authentication algorithms and good key-agreement protocols. Maybe quantum cryptography can make that link stronger, but why would anyone bother? There are far more serious security problems to worry about, and it makes much more sense to spend effort securing those.

As I've often said, it's like defending yourself against an approaching attacker by putting a huge stake in the ground. It's useless to argue about whether the stake should be 50 feet tall or 100 feet tall, because either way, the attacker is going to go around it. Even quantum cryptography doesn't "solve" all of cryptography: The keys are exchanged with photons, but a conventional mathematical algorithm takes over for the actual encryption.

I'm always in favor of security research, and I have enjoyed following the developments in quantum cryptography. But as a product, it has no future. It's not that quantum cryptography might be insecure; it's that cryptography is already sufficiently secure.

This essay previously appeared on Wired.com.

EDITED TO ADD (10/21): It's amazing; even reporters responding to my essay get it completely wrong:

Keith Harrison, a cryptographer with HP Laboratories, is quoted by the Telegraph as saying that, as quantum computing becomes commonplace, hackers will use the technology to crack conventional encryption.
"We have to be thinking about solutions to the problems that quantum computing will pose," he told the Telegraph. "The average consumer is going to want to know their own transactions and daily business is secure.

"One way of doing this is to use a one time pad essentially lists of random numbers where one copy of the numbers is held by the person sending the information and an identical copy is held by the person receiving the information. These are completely unbreakable when used properly," he explained.

The critical feature of quantum computing is the unique fact that, if someone tampers with an information feed between two parties, then the nature of the quantum feed changes.

This makes eavesdropping impossible.

No, it wouldn't make eavesdropping impossible. It would make eavesdropping on the communications channel impossible unless someone made an implementation error. (In the 80s, the NSA broke Soviet one-time-pad systems because the Soviets reused the pad.) Eavesdropping via spyware or Trojan or TEMPEST would still be possible.

Hackers spy on your keyboard by reading electromagnetic data

Mon, 20 Oct 2008 19:50:02 +0000

Some folks from the Security and Cryptography Lab at Switzerland's EPFL have managed to eavesdrop on the electromagnetic radiation shot off by shoddy wired keyboards with every keystroke. The attack works through walls, as far as 65 feet away, and analyzes a wide swath of electromagnetic spectrum to get its results.

Hackers spy on your keyboard by reading electromagnetic data

Mon, 20 Oct 2008 19:50:02 +0000

Wired Keyboards Keystrokes Can Be Hijacked From Up To 65 Feet Away

Mon, 20 Oct 2008 17:38:35 +0000

Swiss researchers from the Security and Cryptography Laboratory at Ecole Polytechnique Federale de Lausanne have found a variety of ways to eavesdrop on the sensitive messages computer users type by monitoring their wired keyboards. At least 11 models using a wide range of connection types are vulnerable. The researchers are able to capture keystrokes by monitoring [...]