Blog

Finance and firewalls

Posted by: Nick Towner

Posted on 03 Oct 08

Last night, the US administration and Congress worked late to agree a deal to save Wall Street. The head of the European Central Bank and finance ministers of the Netherlands and Luxembourg worked late in Brussels with the Belgian cabinet to save Fortis, and the British government had to work late to save Bradford & Bingley.

IMF researchers also brought out a report on all the systemic bank crises since 1970: there have been either 42 or 124, depending on how you define "systemic". (What? You missed some of them? OK - so did I!) They acknowledge that it is too early to give a definitive view on the current problems, but do add an interesting insight. In this blog, we have already considered the shift to the "originate to distribute" business model in the banking world: where banks in the past would arrange a mortgage and then sit on the risk, they have recently been packaging the risk and selling it on - to someone else who repackages it and sells it on again, etc.

According to the IMF researchers, this allowed credit (and the associated risk) to move from regulated areas of the market to unregulated areas. Turning to the world of technical ICT, the equivalent problem is faced by firewall administrators who set up firewalls between security domains in a network, only to find that data packets are being encrypted (maybe several times over) as they pass through the domains.

The firewall can no longer tell accurately if the data is a risk, so it faces a choice: it either blocks too much (and the administrator comes under pressure for blocking things that must be allowed), or it blocks too little - the inevitable result. If we want independent supervision at security domain boundaries, rather than leaving all responsibility to the individual users or applications generating traffic, we need a technical infrastructure which supports this.

No Comments

Announcement imminent of TWO new Mersenne primes

Posted by: Nick Towner

Posted on 12 Sep 08

As you probably know, a prime number is called Mersenne if it is one less than a power of 2 (so, for example, 3 and 5 are prime but 3 is a Mersenne prime and 5 is not). Mersenne primes are extremely rare, but because of their form include the largest numbers that are definitely known to be prime (not just using probabilistic methods). There are currently just 44 known Mersenne primes - but that is about to change.

The Great Internet Mersenne Prime Search (GIMPS) project was started by George Woltman in 1996 and uses spare time on the PCs of thousands of volunteers. It applies the Lucas-Lehmer algorithm for testing numbers and has found the last 10 Mersenne primes, but no new ones have emerged for 2 years now. In the past few weeks, however, TWO computers of volunteers have reported new discoveries. These are being double-checked (over-clocking has produced false results in the past), after which a press release will appear.
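As an added illustration (not code from the original post or from GIMPS), here is the Lucas-Lehmer test in Python on small exponents; it also checks the post's example that 3 is a Mersenne prime and 5 is not. It is the same algorithm GIMPS runs, minus the FFT-based big-number multiplication that makes exponents in the tens of millions feasible.

```python
def is_prime_trial(n):
    """Plain trial division; only used on the (small) exponent p, never on 2**p - 1."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def lucas_lehmer(p):
    """Return True iff M_p = 2**p - 1 is prime.

    The test is only valid for odd prime p, so p = 2 (M_2 = 3) is a special
    case and a composite p is rejected outright: if p has a factor q, then
    2**q - 1 divides 2**p - 1, so M_p cannot be prime.
    """
    if p == 2:
        return True
    if not is_prime_trial(p):
        return False
    m = (1 << p) - 1          # the Mersenne number under test
    s = 4                     # Lucas-Lehmer sequence starts at s_0 = 4
    for _ in range(p - 2):    # s_{i+1} = s_i**2 - 2  (mod M_p), p - 2 times
        s = (s * s - 2) % m
    return s == 0             # M_p is prime exactly when s_{p-2} == 0


def mersenne_exponents(limit):
    """All p <= limit for which 2**p - 1 is a Mersenne prime."""
    return [p for p in range(2, limit + 1) if is_prime_trial(p) and lucas_lehmer(p)]


def is_mersenne_prime(n):
    """True iff n itself is a Mersenne prime, i.e. n == 2**p - 1 and n is prime."""
    if n < 3 or (n + 1) & n:  # n + 1 is a power of two exactly when (n+1) & n == 0
        return False
    p = (n + 1).bit_length() - 1
    return lucas_lehmer(p)


if __name__ == "__main__":
    print(mersenne_exponents(130))  # exponents of the first twelve Mersenne primes
    print(is_mersenne_prime(3), is_mersenne_prime(5))
```

Because the result is a single residue after millions of squarings, a bit flip on an over-clocked machine silently changes it, which is why GIMPS has a second volunteer repeat the whole run before announcing a prime.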

The Electronic Frontier Foundation (EFF) has promised $100,000 to the first person or group to find a ten million digit prime number, so one of the two may also claim this prize.

For more information (or if you want to take part!), see www.mersenne.org

No Comments

Does honesty render security superfluous?

Posted by: Marc Witteman

Posted on 21 Aug 08

Security is perceived differently at various places in the world. While many of us would like to make fraud (technically) impossible, some may think that prohibiting fraud is sufficient.

In South Korea we witnessed a bank employee refilling an ATM at the front side, in full view of the customers standing in line. Although there seems to be a good opportunity for robbery here, this is apparently not seen as a risk. Within the comfort of such honest communities one may wonder if there is a need for the highly sophisticated security systems that we like to promote. Is security a concept that only fits our suspicious minds?

I think not.

In our modern interconnected world we have no closed communities. Remote attacks ignore any local courtesy standards. Furthermore, things not only go wrong intentionally, but also unintentionally. Decent security brings us accountability, which helps us to find (and solve!) the cause of incidents.

1 Comment

Hardware Hacking on TV (and for a cause)

Posted by: job

Posted on 15 Aug 08

Everyone who regularly tinkers with hardware will eagerly await the new Discovery series Prototype This (CNET and Wikipedia)! It is a new series that will start airing on October 15th in the US and it is all about hacking together real hardware and electronics. Joe Grand is one of the hackers on the show. He is also the guy teaching the Hardware Hacking class at Black Hat. If you ever want to know what it is to take hardware apart and do something useful with it, this is the class to check out. (combine it with our Side Channel Analysis class!)

What you may not know is that Joe is also Kingpin, one of the legendary hackers from a group called the L0pht. Now there is the Kingpin Empire, where Joe and friends use their talents to help fund a number of charities. So when you've become a fan of Joe and the Discovery show, be sure to order some swag for a good cause.

No Comments

Plausible deniability feature for crossing borders

Posted by: Job

Posted on 14 Aug 08

Earlier on this blog the plausible deniability feature of TrueCrypt was mentioned. You may wonder in what cases this feature is really needed. Only a criminal has reason to expect to be searched for something illegal, right?

Well, if you do any traveling to the United States you might want to think again. A policy that has been in practice for a long time already has now been published by the Department of Homeland Security (DHS). As described in this article in the Washington Post, there is no need for any suspicion for an immigration officer to confiscate your laptop or any other means of information storage and keep it for an unlimited amount of time.

Now, you may still have nothing to worry about. You don't have anything illegal. But you may have information under NDA on there. Or other strictly confidential information that will be out of your control for a significant period of time. And you will be asked for keys if they can't get to it. So when traveling to the US, disk encryption with plausible deniability may not be such an exotic feature anymore. Of course, making a good backup before traveling is not a luxury either. And for any terrorist I would advise you: do not take information on a laptop but download it over the Internet once you have entered the United States.

2 Comments

Bad Protocol Engineering

Posted by: Nick

Posted on 12 Aug 08

If you phone someone, the network sets up the call at your request, but you are not the first one to speak - you wait until the person you are calling says something, and only then do you start talking. Smart cards work the same way: the reader applies power and resets the card, but the card sends the first higher-level message (the answer to reset).

The oldest Internet protocols do this too: look up the specs for SMTP or FTP, say, and although there is a clear client-server relationship, it is always the server that talks first.

Newer protocols (for example HTTP, SIP) omit this and let the client send a message first. The client can end up sending its first request before the server is ready (if there are proxies in between it can even be before it has a connection with the server).

This is one simple example of the way best engineering practice is being ignored in modern systems. If we want robust systems, we need to care about such details.

No Comments

3,000 passports and visas stolen in UK

Posted by: Amanda van den Berg

Posted on 29 Jul 08

Greater Manchester Police has launched an investigation into the theft of 3,000 blank passports and visas. http://news.bbc.co.uk/1/hi/uk/7530180.stm


No Comments
