Re: Test of BIOS Spyware
Ralf-P. Weinmann wrote:

This is *NOT* the interesting part. The interesting part is the payload it is to deliver. The claim This enables the software to spy on the user and remain hidden to the operating system. rather interests me. How do they achieve this in an OS-agnostic fashion?

They won't even try - I am under the impression this is for use as a black bag job, possibly even remotely; they can target the machine with a specific update for the currently running OS.

- The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Schneier gets the heebie-Brin-jeebies (was Re: CRYPTO-GRAM, October 15, 2003)
At 10:58 PM -0500 10/14/03, Bruce Schneier wrote:

The Future of Surveillance

At a gas station in Coquitlam, British Columbia, two employees installed a camera in the ceiling in front of an ATM machine. They recorded thousands of people as they typed in their PIN numbers. Combined with a false front on the ATM that recorded account numbers from the cards, the pair was able to steal millions before they were caught.

In at least 14 Kinko's copy shops in New York City, Juju Jiang installed keystroke loggers on the rentable computers. For over a year he eavesdropped on people, capturing more than 450 user names and passwords, and using them to access and open bank accounts online.

A lot has been written about the dangers of increased government surveillance, but we also need to be aware of the potential for more pedestrian forms of surveillance. A combination of forces -- the miniaturization of surveillance technologies, the falling price of digital storage, the increased power of computer programs to sort through all of this data -- means that surveillance abilities that used to be limited to governments are now, or soon will be, in the hands of everyone.

Some uses of surveillance are benign. Fine restaurants sometimes have cameras in their dining rooms so the chef can watch diners as they eat their creations. Telephone help desks sometimes record customer conversations in order to help train their employees.

Other uses are less benign. Some employers monitor the computer use of their employees, including use of company machines on personal time. A company is selling an e-mail greeting card that surreptitiously installs spyware on the recipient's computer. Some libraries keep records of what books people check out, and Amazon keeps records of what books people browse on their website. And, as we've seen, some uses are criminal.

This trend will continue in the years ahead, because technology will continue to improve.
Cameras will become even smaller and more inconspicuous. Imaging technology will be able to pick up even smaller details, and will be increasingly able to see through walls and other barriers. And computers will be able to process this information better. Today, cameras are just mindlessly watching and recording, but eventually sensors will be able to identify people. Photo IDs are just temporary; eventually no one will have to ask you for an ID because they'll already know who you are. Walk into a store, and you'll be identified. Sit down at a computer, and you'll be identified. I don't know if the technology will be face recognition, DNA sniffing, or something else entirely. I don't know if this future is ten or twenty years out -- but eventually it will work often enough and be cheap enough for mass-market use. (Remember, in marketing, even a technology with a high error rate can be good enough.)

The upshot of this is that you should consider the possibility, albeit remote, that you are being observed whenever you're out in public. Assume that all public Internet terminals are being eavesdropped on; either don't use them or don't care. Assume that cameras are watching and recording you as you walk down the street. (In some cities, they probably are.) Assume that surveillance technologies that were science fiction ten years ago are now mass-market.

This loss of privacy is an important change to society. It means that we will leave an even wider audit trail through our lives than we do now. And it's not only a matter of making sure this audit trail is accessed only by legitimate parties: an employer, the government, etc. Once data is collected, it can be compiled, cross-indexed, and sold; it can be used for all sorts of purposes. (In the U.S., data about you is not owned by you. It is owned by the person or company that collected it.) It can be accessed both legitimately and illegitimately. And it can persist for your entire life.
David Brin got a lot of things wrong in his book The Transparent Society. But this part he got right.

Kinko's story:
http://www.computercops.us/article2568.html
http://www.securityfocus.com/news/6447

ATM fraud story:
http://www.globetechnology.com/servlet/story/RTGAM.20030812.gtatmm0812/BNStory/Technology
http://canada.com/search/story.aspx?id=f07cac50-62c7-46d8-892a-b66dfa2f1d88

Net spying:
http://www.nytimes.com/2003/10/10/technology/10SPY.html
http://news.com.com/2100-1029_3-5083874.html

--
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: NCipher Takes Hardware Security To Network Level
Jerrold Leichter [EMAIL PROTECTED] writes:

There was also an effort in England that produced a verified chip. Quite impressive, actually - but I don't know if anyone actually wanted the chip they (designed and) verified.

The Viper. Because it needed to be formally verifiable, they had to leave out most of the things that people are used to in modern CPUs and that make writing an OS easy, leading to a vaguely early-60s level of CPU architecture that probably would have been unpleasant to program for for anyone used to modern CPUs, and requiring expensive custom development of almost everything from scratch (you can't run Linux on that one). Eventually the project went into a meltdown over what was actually done (for example is verifying a set of 4-bit slices the same as verifying a 32-bit CPU?) and the legal battles led to the demise of the company that was to exploit it commercially (there's a lot more to it than that including a fair bit of politics, that's a cut-down version to save space).

Very few real efforts were made to actually produce a provably correct OS.

There were actually quite a few efforts, starting in the 1970s, some of which went on much longer than the 9-year VAX VMM effort. PSOS - SAT - LOCK - SMG (it may be called something else again now) has been going for about 25 years. However, this is a really complex topic (way too much to cover here), so I'll cheat a bit and refer anyone who's really that interested in the problems that people ran into to Chapter 4 of Cryptographic Security Architecture Design and Verification to save me having to paraphrase 40 pages of text here.

The point of my post wasn't to start yet another round of formal-methods bashing, but to point to an example of measuring what we know how to measure even if there are strong indicators that this isn't the best way to do it.

Peter.
Re: WYTM?
Jon Snader wrote:

On Mon, Oct 13, 2003 at 06:49:30PM -0400, Ian Grigg wrote:

Yet others say to be sure we are talking to the merchant. Sorry, that's not a good answer either because in my email box today there are about 10 different attacks on the secure sites that I care about. And mostly, they don't care about ... certs. But they care enough to keep doing it. Why is that?

I don't understand this. Let's suppose, for the sake of argument, that MitM is impossible. It's still trivially easy to make a fake site and harvest sensitive information.

Yes. This is the attack that is going on. This is today's threat. (In that it is a new threat. The old threat still exists - hack the node.)

If we assume (perhaps erroneously) that all but the most naive user will check that they are talking to a ``secure site'' before they type in that credit card number, doesn't the cert provide assurance that you're talking to whom you think you are?

Nope. It would seem that only the more sophisticated users can be relied upon to correctly check that they are at the correct secure site. In practice almost all of these attacks bypass any cert altogether and do not use an SSL protected HTTPS site. They use a variety of techniques to distract the attention of the user, some highly imaginative. For example, if you target the right browser, then it is possible to popup a box that covers the appropriate parts. Or to put a display inside the window that duplicates the browser display. Or the URL is one of those with strange features in there or funny letters that look like something else. In practice, these attacks are all statistical, they look close enough, and they fool some of the people some of the time.

Finally, just in the last month, they have also started doing actual cert spoofs. This was quite exciting to me to see a spoof site using a cert, so I went in and followed it. Hey presto, it showed me the cert, as it said it was wrong! So I clicked on the links and tried to see what was wrong. Here's the interesting thing: I couldn't easily tell, and my first diagnosis was wrong. So then I realised that *even* if the spoof is using a cert, the victim falls to a confusion attack (see Tom Weinstein's comments on bad GUIs). (But, for the most part, 95% or so ignore the cert, and the user may or may not notice.)

Now, we have no statistics on how many of these attacks work, other than the following: they keep happening, and with increasing frequency over time. From this I conclude they are working, enough to justify the cost of the attack at least.

I guess the best thing to say is that the raw claim that the cert ensures that you are talking to the merchant is not 100% true. It will help a sophisticated user. An attack will bypass some of the users a lot. It might fool many of the users only occasionally.

If the argument is that Verisign and the others don't do enough checking before issuing the cert, I don't see how that somehow means that SSL is flawed.

SSL isn't flawed, per se. It's just not appropriately being used in the secure browser application. It's fair to say that its use is misaligned to requirements, and a lot of things could be done to improve matters. But, one of the perceptions that exist in the browser world is that SSL secures ecommerce. Until that view is rectified, we can't really build the consensus to have efforts like Ye Smith, and Close, and others, be treated as serious and desirable.

(In practice, I don't think it matters how Verisign and others check the cert. This is shown by the fact that almost all of these attacks have bypassed the cert altogether.)

iang

http://www.iang.org/ssl/maginot_web.html
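[Added example, not part of the original post or the mailing list thread.] The spoofing features described in the message above (no SSL at all, URLs with strange structure, letters that look like something else) can be checked mechanically on links found in mail. The host names, the allowlist and the look-alike table below are constructed for illustration and are assumptions, not data from the thread.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: the sites this user actually does business with.
TRUSTED_HOSTS = {"www.mybank.example", "pay.mystore.example"}

# Small constructed table of ASCII look-alike substitutions (not exhaustive).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(host):
    """Fold a host name so that visually similar spellings compare equal."""
    return host.lower().translate(LOOKALIKES).replace("rn", "m").replace("vv", "w")


def check_link(url):
    """Return the spoofing indicators found in one URL (empty list = none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme != "https":
        findings.append("no-tls")               # the cert is bypassed altogether
    if parts.username is not None:
        findings.append("userinfo-in-url")      # trusted-name@other-host trick
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        findings.append("non-ascii-host")       # letters from another script
    if host not in TRUSTED_HOSTS:
        if any(skeleton(host) == skeleton(t) for t in TRUSTED_HOSTS):
            findings.append("lookalike-of-trusted-host")
        else:
            findings.append("untrusted-host")
    return findings


# Constructed sample links; 192.0.2.7 is a documentation-only address.
SAMPLE_LINKS = [
    "https://www.mybank.example/account",
    "http://www.mybank.example@192.0.2.7/login",
    "https://www.rnybank.example/",
    "https://www.myb\u0430nk.example/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(ascii(link), check_link(link))
```

A check like this only covers the URL itself; the pop-up and window-overlay tricks mentioned in the message happen in the browser display and are not visible in the link text.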
Re: WYTM?
Hopefully everyone realizes this, but just for the record, I didn't write the lines apparently attributed to me below -- I was quoting Bruce Schneier. By the way, I strongly agree with David Honig's point that the wrong entities are doing the signing.

Regards,
Bryce O'Whielacronx

David Honig [EMAIL PROTECTED] wrote:

At 01:51 PM 10/16/03 -0400, Bryce O'Whielacronx wrote:

I doubt it. It's true that VeriSign has certified this man-in-the-middle attack, but no one cares.

Indeed, it would make sense for the original vendor website (eg Palm) to have signed the MITM site's cert (palmorder.modusmedia.com), not for Verisign to do so. Even better, for Mastercard to have signed both Palm and palmorder.modusmedia.com as well. And Mastercard to have printed its key's signature in my monthly paper bill. (This is aside your main point about it being Mastercard et al. doing the checking/backup for the customer, not certs.)