SF: The Children of Húrin

Sunday, March 1, 2009

:Sad: This book has recently been edited by the son of J.R.R. Tolkien. It was an opus that had never been published before.

There was perhaps a reason why Tolkien the father did not publish it. I really was never thrilled by the book. The plot is too simple. The story was never exalting. We are far from The Lord of the Rings. Perhaps the French translation was poor. But that would not explain everything.

One of my indicators is whether I would be pleased to read the book again in the future. I read “The Lord of the Rings” four times. I will not read this book again.

Did you read it? Did you like it?

SF: new category

Like many technical engineers of my generation, I am fond of science fiction literature. Here science fiction is meant in the very broad sense, i.e. it also encompasses fantasy and heroic fantasy. Engineers have some affinity with this genre. Perhaps it is a need for some bits of irrationality in our (hopefully) rational minds.

I have read my share of this stuff. Thus, I decided to add a new category which is far more personal. I will describe the books I loved or hated after reading them.

In order not to disturb the readers who are solely interested in my security-oriented thoughts, I will prefix the titles of the corresponding entries with SF. SF is the French abbreviation for SciFi. Thus, these readers will be able to skip these non-security-related entries.

For the SciFi fans, do not hesitate to comment on my reviews and suggest other books.

Wardriving RFID passports?

Wardriving is the game of wandering around a location and mapping the wireless networks found there. Of course, the most interesting ones are those that are unprotected or WEP-protected (the equivalent of not being protected: WEP is too easy to break).

Chris Paget, a well-known white-hat hacker who plays with RFID, has demonstrated a new type of wardriving: collecting information from the new US passport card or driver's license using RFID. In a video, he shows how he retrieved the data needed to clone these cards.

In US passport and RFID, I presented the risks associated with these new cards. Paget shows how to do it at low cost. The reading range depends on the emitting power of the antenna. Even without cloning, this type of attack would make it possible to track a person once his/her RFID identification code has been sniffed.

It should be noted that this type of RFID is not the one used in the e-passport (the booklet passport). The e-passport is more secure.

Nevertheless, it is worrying to see administrations deploying such weak systems.

Hate and Love authentication

Raven White proposes a new authentication system, Blue Moon Authentication, following the trend of replacing the typical password challenge by a more user-friendly (and less memory-demanding) one.

The authentication asks for your like or dislike choice on 15 questions. If you answer a large number of them correctly, you are authenticated. The initialization of the system requires you to select 8 like topics and 8 dislike topics among a selection of about 70 topics.

:Happy: The choice of topics seems to have been done carefully. Interviewing a sample of users about some 200 topics allowed the topics with the least entropy to be rejected. Some Human Computer Interaction specialists participated.

:Sad: The distribution of 8 likes and 8 dislikes helps a lot when trying to guess the answer. Remember that the challenge is about 15 topics. Mathematically, you need to end up with 7 from one side and 8 from the other side. I did not do the math, but it decreases the search space. I am too lazy (it is too late, and the day was hard) to calculate it, but it is less than 2^14 trials. Of course, if you know the person you want to impersonate a little, the odds change definitively.

:Sad: The system is supposed to remove the burden of password replacement. Nevertheless, with such a limited challenge, you will necessarily have to block any brute-force attack. Once the user is blacklisted, how will he be re-authorized? Through which authentication mechanism? A password?
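To check the 2^14 bound above, here is an added Python example (mine, not code from the post or from Raven White): it counts the answer vectors consistent with the 8-like/8-dislike enrolment, then shows how a lenient acceptance threshold (an assumed parameter; the post only says "a large number") and a lockout budget change the odds of a blind guess.

```python
from math import comb, log2

# Parameters taken from the post: 15 questions per challenge, 8 like and 8 dislike topics enrolled.
N_CHALLENGE = 15
N_LIKES = 8
N_DISLIKES = 8


def like_counts(n=N_CHALLENGE, likes=N_LIKES, dislikes=N_DISLIKES):
    """Possible numbers of 'like' answers in a challenge drawn from the enrolled topics."""
    return range(max(0, n - dislikes), min(n, likes) + 1)  # 7..8 for the post's parameters


def candidate_vectors(n=N_CHALLENGE, likes=N_LIKES, dislikes=N_DISLIKES):
    """Answer vectors consistent with the 8+8 enrolment (versus 2**n without the constraint)."""
    return sum(comb(n, k) for k in like_counts(n, likes, dislikes))


def entropy_bits(n=N_CHALLENGE, likes=N_LIKES, dislikes=N_DISLIKES):
    return log2(candidate_vectors(n, likes, dislikes))


def accepted_guesses(threshold, n=N_CHALLENGE, likes=N_LIKES, dislikes=N_DISLIKES):
    """Consistent guesses accepted when `threshold` correct answers suffice (threshold is an
    assumption; the post only says 'a large number'). Vectors are bitmasks, bit=1 means 'like'.
    By like/dislike symmetry one representative true vector (constructed here) is enough."""
    ks = like_counts(n, likes, dislikes)
    true = (1 << ks[0]) - 1            # constructed true vector: the low ks[0] bits are likes
    accepted = 0
    for guess in range(1 << n):
        if bin(guess).count("1") not in ks:
            continue                   # inconsistent with enrolment: a guesser would skip it
        correct = n - bin(guess ^ true).count("1")
        if correct >= threshold:
            accepted += 1
    return accepted


def blind_success_probability(attempts, threshold, n=N_CHALLENGE, likes=N_LIKES, dislikes=N_DISLIKES):
    """Probability that `attempts` distinct random consistent guesses (the lockout budget)
    include at least one accepted vector (hypergeometric: guesses without replacement)."""
    total = candidate_vectors(n, likes, dislikes)
    good = accepted_guesses(threshold, n, likes, dislikes)
    attempts = min(attempts, total)
    return 1 - comb(total - good, attempts) / comb(total, attempts)


if __name__ == "__main__":
    print(f"consistent vectors: {candidate_vectors()} of {2 ** N_CHALLENGE}, "
          f"{entropy_bits():.2f} bits (< 2**14 = {2 ** 14})")
    for t in (15, 14, 13):
        print(f"threshold {t}: {accepted_guesses(t)} accepted, "
              f"p(success in 5 tries) = {blind_success_probability(5, t):.4f}")
```

With the post's parameters the consistent space is 12,870 vectors (about 13.65 bits), which confirms the "less than 2^14" estimate; every answer the verifier forgives multiplies the accepted set, so the lockout budget has to be sized against that, not against 2^15.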

I did not read the papers. I will do soon.

It reminds me of the authentication based on selecting pictures or icons from a set of pictures.

Would you trust this authentication process?

Security and cloud computing

RSA recently published a white paper entitled The role of Security in Trustworthy Cloud Computing. The document is extremely interesting.

It presents the different security challenges that enterprises will face when switching to public or even private cloud computing. With cloud computing, IT departments will lose control. This loss of control needs to be balanced by more trust and confidence in external providers (cloud infrastructure providers such as Amazon’s EC2, service providers in the case of SaaS…).

For instance, the document lists some requirements for secure data. It will require:
* Data isolation
* More granular data security
* Consistent data security
* Effective data classification
* Information Rights Management
* Governance and Compliance

We could argue that all these requirements already exist in the non-cloud world. Nevertheless, they become MANDATORY in cloud computing! They will be more complex to implement and to monitor.

The document seems to miss one important threat. The insider threat it already covers is a member of the cloud provider's staff who illegally accesses private data. I believe there is another threat: another user of the cloud who attempts to access your data if isolation is not perfect.

There is already a rush towards cloud computing. But clearly, the security of cloud computing is not yet mature. There is no integrated secure solution available.

Light sentence for French pirates

In February 2006, the French blockbuster “Les Bronzés 3” was released on P2P in DVD quality at the same time as the theatrical release. The film still drew 10 million admissions.

Unfortunately, forensics made it possible to trace the leak back. It incriminated three employees of the French broadcaster TF1 (which was also the producer of the movie).

They were sued by the producers and some actors, together with three persons using the pseudonyms Darkpingoo, H2o and Vb2n who posted the movie on Freenet. The plaintiffs asked for several million € in damages. The main argument was that DVD sales did not reach one million, whereas such a blockbuster is usually expected to sell 2 million DVDs.

The judge showed clemency. The infringers will have to pay 27,000€ in damages and have been given a one-month suspended prison sentence.

New look

Welcome to the new look & feel of the blog. In fact, I changed the blog engine. I now use FlatPress. The reason is simple: simplePHPBlog had not been maintained or active for two years. FlatPress is active and some developers are even writing new plug-ins.

The second reason to change the look and feel was to be more consistent with my personal site.

For a few weeks, there may be some minor adjustments. Do not hesitate to report any bugs to me.