Identity and its verification

Nicholas BOHM and Stephen MASON explore the problems of identity and of verifying it (or them). As the authors are lawyers, this paper has an interesting point of view. They are fully aware (and even surprisingly accurate) of technology and security limitations.

First, they explain what an identity (or an identifier) is, and what the challenges are in our modern shrinking world. My favorite statement is:

And there is an increasing tendency to confuse a person’s knowledge of an identifier with evidence that the person with the knowledge is the person to whom the identifier relates

Then, they explore the difficulty of proving the relationship between an identifier and a person. They show the limits of identification documents (intrinsic, such as a birth certificate, or extrinsic, such as a utility bill). Finally, they tackle identity cards, more precisely electronic identity cards. They show their shortcomings: not everyone will have a trusted reader, and especially not with general-purpose devices.

Due to their background, the paper has a strong focus on liability. For instance, no government will ever accept liability for the passports it issues. This analysis of the identity problem is enlightening.

This special point of view makes the paper worth reading. Even if you’re not interested in identity matters, the paper will be educational from the liability point of view.

Reference
N. Bohm and S. Mason, “Identity and its verification,” Computer Law & Security Review, vol. 26, Jan. 2010, pp. 43-51, available at http://www.stephenmason.eu/wp- … 011/01/bohm-mason-identity.pdf.

TMG’s snafu

The French company Trident MediaGuard (TMG), which specializes in detecting downloads of illegal content, has made the headlines. TMG is the company that scouts the net for the French HADOPI, the body in charge of the graduated response.

In a nutshell, a French expert going by the code name Bluetouff discovered one of TMG’s servers with public access. On the server, he found a lot of valuable data, such as a password in the clear ( :( ), a list of hashes of content to detect, a list of IP addresses of detected clients, and executables! He disclosed his discovery here. After that, the community analyzed the content of the server and spread it. You may find a good description of the full findings here, by cult.of.the.dead.HADOPI (a homage to cDc). Among the disclosed data is a list of IP addresses owned by TMG. No doubt they will be blacklisted by the major tracker sites.

TMG’s official answer is that this server was a test server and thus held no critical information. Even if this is true, there were some hiccups that a test server should not have, such as public access or personal information such as collected IP addresses.

Lesson: when you are on the side of law enforcement on the net, you’d better follow the best security practices. Your credibility is at stake.

Thanks to Patrice and Olivier for the good pointers.

Security Newsletter #18 is available

Finally, the Summer 2011 edition is out. It took a long time to issue it; I expect the next one to come faster.

In this issue, you will find an interview with Jean-Jacques QUISQUATER, a leading and respected figure of the crypto community. Of course, we tackle the HDCP hack, explaining what it is exactly and what the expected consequences are. This issue also has a look at the banning strategy in games. The big slice of the cake is a deep dive into sandboxing.
I hope you’ll enjoy it. Do not hesitate to send your comments.

Ten security concerns on cloud

Cloud computing has become the hot buzz topic. We will all migrate to cloud computing, sooner or later. Although it is extremely attractive from the financial point of view, it raises very serious concerns about security.

Global Knowledge has issued a white paper that provides a kind of checklist for selecting your provider, or for deciding whether it is wise to switch to the cloud.

  1. Where’s the data?
  2. Who has access?
  3. What are your regulatory requirements?
  4. Do you have the right to audit?
  5. What type of training does the provider offer their employees?
  6. What type of data classification system does the provider use?
  7. What are the service level agreement (SLA) terms?
  8. What is the long-term viability of the provider?
  9. What happens if there is a security breach?
  10. What is the disaster recovery/business continuity plan (DR/BCP)?

By the way, many of these questions are equally valid for a traditional internal or outsourced IT service. For instance, 1 or 2: have you asked yourself these questions for your current system? What is the answer to 5 in your company?

The document is here.

Glider versus WoW

Many years ago, the company MDY released the Glider bot for World of Warcraft (WoW). The Glider bot automatically performed the mandatory routine tasks in the game (which are not thrilling but simulate “real” life). Using the bot allowed you to accelerate your progression by earning experience without actually being in front of your screen. An alternative is gold farming, i.e., you pay somebody to take care of your character while you’re not playing, thus also gaining experience.

As you may guess, Blizzard, the publisher of WoW, does not like bots. It has even installed a tool, called Warden, that attempts to detect such bots. Glider passes under Warden’s radar.

Thus, Blizzard sued MDY for copyright infringement because it violated the EULA (End User License Agreement). In February, the Ninth Circuit Court of Appeals ruled that MDY did not infringe copyright (under some complex distinction between covenant and condition; for more legal details, see the blog “Lawyers in a Gamer’s World”).

But the court ruled that MDY did indeed violate the DMCA’s prohibition on circumventing technological protection measures (the other TPM), although it did not bypass it!

As usual, copyright and DMCA issues are awfully complex.

PS3 jailbroken v(3)

As I reported, the hacker George Hotz, aka GeoHot, was sued by Sony under the DMCA for having leaked the private signing key of the PS3.

Sony and GeoHot have settled on an agreement. Under this agreement, GeoHot will never again hack any Sony product. See the official press release by Sony.

Interestingly, during this fight, in March, Sony succeeded in obtaining a subpoena that gave them access to every IP address that had visited GeoHot’s blog since January 2009.

Anonymity Loves Company

It is the title of an interesting paper by Roger Dingledine and Nick Mathewson. They are members of the Free Haven project, which studies topics such as onion routing (the technology used by Tor) and Mixminion, an anonymous email network.

The paper presents two challenges: usability and network effect.

  • Usability is a typical challenge of security solutions. The authors show that privacy settings often require technological skills, which are at odds with ease of use for everybody. The easy way out is often to delegate security decisions to the user, who is not necessarily the best person to decide. This reminds me of the security model of Android, where you have to decide (too) many parameters.
  • Network effect: efficient anonymity requires a lot of traffic to hide within. This raises the problem of bootstrapping. And here is a nice tradeoff. If your system is extremely secure, it will most probably be difficult to use, thus attracting fewer people and reducing the strength of the anonymity. On the other hand, if the system is easy to use, and thus less secure, it may attract more users, thus strengthening anonymity.
    For instance, in the design of Mixminion, they had to resolve the following tradeoff:

    Since fewer users mean less anonymity, we must
    ask whether users would be better off in a larger network where their messages
    are likelier to be distinguishable based on email client, or in a smaller network
    where everyone’s email formats look the same.

The three described use cases, Mixminion, Tor, and JAP, are good illustrations of the issues. An excellent paper.

Citation: N. Mathewson and R. Dingledine, “Anonymity Loves Company: Usability and the Network Effect,” Proceedings of the Fifth Workshop on the Economics of Information Security (WEIS 2006), pp. 547-559.