I like filesystems. They’re not sexy, they do not feel good, but boy, are the fun to write. Ars Technica has a very good, albeit long, article on most filesystems ever seen on this planet.


UK Police Can Now Demand Encryption Keys

Bruce Schneier has an entry on his weblog about the UK police that have gotten the legal means to obtain encryption keys. Refusing to hand over the keys results in a maximum five year penalty.

Is this a smart law? I do not think so. There are a number of cases to be observed:

  • Handing over the key can also be described as ‘telling your password/phrase’. In a common situation all digital evidence is seized to be sorted out later. In that case, if they find a cryptocontainer you used twelve months ago on a forgotten USB stick (why, you do encrypt your USB stick, right?) chances are that I have forgotten the passphrase and/or thrown it away. I often use a line from a newspaper clipping or tear-off calendar as a phrase. This is very secure and also a sure-fire way to forget the phrase once it’s no longer needed. Ehm, but I have no way of proving that I used this method and I genuinely do not remember the phrase. This will get interesting in court.
  • What are they going to do with ephemeral keys? For instance, the temporary RSA key used in SSH2? Currently I have no means of retaining that key.
  • Do I have to retain the sessionkey for the HTTPS session to login to paypal, or is that paypal’s obligation?

I have missed other use-cases where it will be difficult for a law-abiding, yet security minded person to adhere to this law, even if I wanted to.

It feels like the bigger case from the compulsory identification law in the Netherlands. In that law it is stated that you are not required to carry an ID, but you have to be able to show one if you are asked for it by the police. In theory this is used to help the cases against the four horsemen of the information apocalypse. In practice it’s used as a ‘fine-doubler’ where the fine for a minor misdemeanor (jaywalking) is effectively doubled with the misdemeanor of not being able to show your ID. Seriously, this is going to catch terrorists?

But, if the law is made in the UK, you can start the counters for it to be implemented in the rest of the EU as well.

Artificial Intelligence

The Artificial intelligence Lab of the university of Arizona have done quite a lot of research on the topic of recognizing people by the way they write (as in, formulate their sentences, the choice of words, etc). It’s done as part of the Dark Web Terrorism Research projects which:

aim to develop and evaluate scalable techniques for collecting and analyzing terrorism information, modeling terrorist behavior and terrorist networks, and disseminating information to the terrorized (victims and citizens). The various various approaches and methods developed in these projects contribute to advancing the field of intelligence and security informatics.

It’s very interesting research and I wouldn’t mind to see this in various tools which can be used in fraud cases for instance.

Technorati Tags: ,

Technorati Tags: ,

SIP phones buggable

The full-disclosure list has revealed that SIP devices can be vulnerable to a ‘silent pickup’ feature.

“The research that was published indicates that, for at least one
vendor, it is possible to automatically call a SIP device from that
vendor and have it silently accept the call, even if it is still on the
hook – instantly turning it into a classic bugged phone. Whereas
historic telephony bugs needed physical targeting of the line running to
a property or place of business, the presence of VoIP in the equation
allows bugging from anywhere in the world with equal ability. Now anyone
can do from their armchair what only spies and law enforcement used to
be able to do from inside the telephone switch / pit / distribution
board, though it’s still illegal to do so.”

Read more…

New tools for security researchers

Mandiant released three tools that might help you with your investigations. I haven’t tested them personally, but on the outset they sound like useful stuff to have around.

The software is targeted at security researchers doing analysis on malware or first responder type work.

I’m going to test red curtain this week, if I can find the time. Keep posted.

Technorati Tags: ,

Threading issues

Roman Shaposhnik has a nice blogentry on how multithreading your application will make everything go buggy all of a sudden. With all the multi-core processors around (Rock as an example) more applications will be going multithreaded.

He quotes an article by Prof Edward A. Lee, which has also this quote:

I conjecture that most multithreaded general-purpose applications are, in fact, so full of concurrency bugs that as multi-core architectures become commonplace, these bugs will begin to show up as systems failures. This scenario is bleak for computer vendors: their next generation of machines will become widely known as the ones on which many programs crash. These same computer vendors are advocating more multi-threaded programming, so that there is concurrency that can exploit the parallelism they would like to sell us. Intel, for example, has embarked on an active campaign to get leading computer science academic programs to put more emphasis on multi-threaded programming. If they are successful, and the next generation of pro- grammers makes more intensive use of multithreading, then the next generation of computers will become nearly unusable.

I’ve seen some insane code in my life, but multithreaded code always tops the list.

But, in a forensics context, nondeterministic behavior is a big problem. The problems being solved are often very appropriate to handle in a multithreaded application. But one famous (or notorious) forensics application that is multithreaded quite often drops the ball. Sometimes with a heavy crash, but also with unexpected results, depending on the order and multiplicity you use for querying for instance. It’s very hard to verify all the results by hand (that’s why you’re using a computer) and you also do not know whether a new query will result in more or less results on the same data-set.

I do not know how to change this, one way is to use IPC and multiple processes all the time, since you don’t have two processes sharing address-space unintentionally. Other options are a change of language that has a better way to handle the non deterministic properties of todays processors.

Maybe I’ll be looking at Erlang any time soon.

Technorati Tags: ,