Nikon IAS Cracked

May 3, 2011

The Nikon Image Authentication System has a simple enough mission – it is supposed to provide a cryptographically secure path from the camera to the newsroom, ensuring that any image used can be proven authentic.

Apparently, due to a weakness in the signing key storage in the camera, it doesn’t work. The key can be extracted and used to sign arbitrary image data, “proving” it legitimate.


iPhoneTracker

April 26, 2011

I assume that you’ve heard at least some of the wailing and gnashing of teeth about iDevices caching location information, allowing for the use of an iPhone or the computer that it syncs to as a record of the owner’s physical movement.

Well, if you would like to see how thorough it is, check out iPhoneTracker. This is a simple application for OS X that will search the hard drive of your computer, find the cached information from an iDevice that’s synced to that computer, and build a map of where you’ve been with it. Ta-da! If you’re using a Windows machine, check out the Linux port iPhoneMap under Cygwin instead.


Glue Gun Theft

April 19, 2011

How do you steal hundreds of dollars from someone’s ATM account with nothing more than a five dollar Wal-Mart glue gun?

It’s simpler than you think.


Dropbox Decryption

April 19, 2011

Popular online storage and backup provider Dropbox has changed their terms of service – apparently they want to reserve the right to decrypt the data that you’re storing on their service if the US government asks them to do so.

Independent of how intrusive this must be for non-US users, it’s an interesting reminder of how little control you have over data that resides “in the cloud”. Don’t worry, though. I’m sure that the software and process for decrypting user data is very secure, and complex, and will never be used by an outside intruder or a disgruntled insider. Safe as houses.


Trusted Identities

April 15, 2011

The National Strategy for Trusted Identities in Cyberspace, or NSTIC, will be publicly launched at an event at the Commerce Department this morning. The concept behind the initiative is simple: create a standardized authentication framework so that users don’t need to leave PII, or Personally Identifiable Information, in the hands of every web site where they need to handle personal matters.

There’s even an adorable little animation explaining the concept. A user can establish an account with any of a number of registrars, some of which are public and some of which are private. The registrar then issues an authentication token that can be used as proof of identity on sites that conform to the standard. Obviously, this depends heavily on maintenance of proper security at the registrar – but that’s still better than the current situation, where your doctor, your bank(s), your employer, etc. all have copies of your personal information, shielded only by a simple password.

It seems that the feds have really gone out of their way to make this vendor-neutral and decentralized; I hope it takes off. I’m sick of seeing headlines about massive data breaches harvesting tons of PII.


Fourth Amendment in the Cloud

April 10, 2011

According to the law currently on the books, email stored for more than 180 days in a hosting environment – including on so-called “cloud” servers like those of Hotmail or Gmail – is considered “abandoned” and can be obtained without a warrant. Efforts to rectify this mid-1980s legislative situation are being actively opposed by the Obama administration, who apparently feel that due process is a bit of a hassle and would rather not deal with the realities of how people now use email.


Disabling GSM Phones With SMS

March 11, 2011

Researchers at CanSecWest gave a presentation this week on disabling various GSM phones using only SMS messaging. OpenBSC, an open source toolkit, was used to build a custom GSM network and to generate the SMS messages. Phones could be frozen, rebooted, locked, even completely bricked.

From one of the comments on the article:

It’s actually pretty well known – has been known for a while, too – that handsets are mostly tested against the few types of base stations Out There and, er, that’s it. Malicious input checking? Never needed; all the base stations are made by just a few manufacturers, right? Right?

Well, that’s what OpenBSC changed. Phones are still back where computers were back in the eighties. And now we can poke at them. There’s more where this came from. Far more.


Lojack for Students

February 19, 2011

The Anaheim Union High School District of California has come up with a new scheme for battling truancy: track students with GPS units.

Students with four or more unexcused absences are issued a GPS unit, which they must carry with them during the day. Their locations are checked five times a day – when they leave home for school, when they arrive, at lunchtime, when they leave school, and at eight PM. In addition to location tracking, students are assigned to a mentor for one-on-one planning sessions to avoid future truancy.

This is an interesting solution to a common problem – although I have to wonder how beneficial it really is to the other students to divert funds from education to technology, in the interests of filling the classroom with students who would rather not be there.


Robotic Safe Cracking

February 16, 2011

So, what do you do when you get your hands on an old safe with an unknown combination?

Build a robotic safe cracker, of course! It’s either that or die of curiosity – the Magic Safe could contain anything!


Rivest Lecture

February 16, 2011

Ron Rivest, perhaps best known as the “R” in “RSA”, delivered a lecture yesterday at MIT on the past and future of cryptography. It touches on his invention of public-key crypto in the 1970s, as well as some possible applications – such as micropayments and electronic voting systems – in the future. Not a lot of new material for people who work in the field, but still interesting stuff.