|
2016.03.18 Verifying the Substitution Cipher FolkloreA substitution cipher has each letter substituted with another. Cryptography folklore has it that simple substitution ciphers are trivial to break by looking at the letter frequencies of the encrypted text. I tested the folklore and the results were not quite what I was expecting. Continue reading "Verifying the Substitution Cipher Folklore"2013.10.21 A Better Air GapBruce Schneier recently published ten rules for setting up an air-gapped computer; a computer that even the NSA can't hack, because it's not connected to the internet. His rules are practical and make sense, but, given the number of vulnerabilities regularly found in modern operating systems, I think that they need strengthening. Continue reading "A Better Air Gap"2012.02.07 How to Decrypt "Secrets for Android" FilesSecrets for Android is a nifty Android application that allows you to securely store passwords and other sensitive data on your Android phone. Your data are encoded with your supplied password using strong cryptography and are therefore protected if your phone gets stolen. Although the application offers a backup and an export facility, I found both wanting in terms of the availability and confidentiality associated with their use. Continue reading "How to Decrypt "Secrets for Android" Files"2011.12.28 Pretend InvitationsChoosing between people you want to invite to a function and people you have to invite is sometimes difficult. Say Alice wants to invite Tom, Dick, and Harry to a party, but she'd actually prefer if Dick didn't show up. Here's how Alice can send invitations by email from an email-capable Unix system to achieve the desired result, while covering her scheming with plausible deniability. Continue reading "Pretend Invitations"2011.12.14 Apps are the New UsersSome facilities provided by mature multi-user operating systems appear arcane today. Administrators of computers running Mac OS X or Linux can see users logged-in from remote terminals, they can specify limits on the disk space one can use, and they can run accounting statistics to see how much CPU time or disk I/O a user has consumed over a month. These operating systems also offer facilities to group users together, to specify various protection levels for each user's files, and to prescribe which commands a user can run. Continue reading "Apps are the New Users"2011.01.06 Sophisticated Targeted Link SpamWhat appeared to be an intelligent comment in one of my blog postings turned out to be targeted link spam. This is a worrying trend, because, although we can defend ourselves against mass attacks, we're very vulnerable to targeted strikes. Continue reading "Sophisticated Targeted Link Spam"2009.11.25 The Risk of Air GapsAs some readers of this blog know, from this month onward I'm on a leave of absence from my academic post to head the Greek Ministry of Finance General Secretariat of Information Systems. The job's extreme demands explain the paucity of blog postings here. I'll describe the many organizational and management challenges of my new position in a future blog post. For now let me concentrate on a small but interesting technical aspect: the air gap we use to isolate the systems involved in processing tax and customs data from the systems used for development and production work. Continue reading "The Risk of Air Gaps"2008.10.08 An Inadvertent Denial of Service AttackIf you're wondering why this blog was down for the past few hours, here is the story. In an earlier blog post I listed a small script I'm using to lock-away door knockers who attempt to break into our group's computer by trying various passwords. If you like puzzles, read the script again and think how it could be used against us by isolating our computer from the entire world. Continue reading "An Inadvertent Denial of Service Attack"2008.01.07 The Relativity of Performance ImprovementsToday, after receiving a 1.7MB daily security log message containing thousands of ssh failed login attempts from bots around the world, I decided I had enough. I enabled IPFW to a FreeBSD system I maintain, and added a script to find and block the offending IP addresses. In the process I improved the script's performance. The results of the improvement were unintuitive. Continue reading "The Relativity of Performance Improvements"2007.08.02 Location-Based Dictionary AttacksI get daily security reports from the hosts I manage. Typically these contain invalid user attempts for users like guest, www, and root. (Although FreeBSD doesn't allow remote logins for root, I was surprised to find out that many Linux distributions allow them.) Continue reading "Location-Based Dictionary Attacks"2007.07.08 A Phone Exchange RootkitAn article titled The Athens Affair appears in this month's IEEE Spectrum. In the article my colleague Vasilis Prevelakis and I provide an overview of the technical aspects of last year's cellphone wiretapping incident. An interesting aspect of the way the wiretapping took place is that it involved a rootkit that took advantage of the exchange's lawful interception capability. Continue reading "A Phone Exchange Rootkit"2007.04.16 Breaking into a Virtual MachineSay you're running your business on a rented virtual private server. How secure is your setup? I wouldn't expect it to be more secure than the system your server runs on, and a simple experiment confirmed it. Continue reading "Breaking into a Virtual Machine"2007.02.16 Malware on the FlyApparently, rogue servers listening on the p2p Kad network intercept the search terms of queries and generate on the fly appropriate file names linking to files that contain malware. Continue reading "Malware on the Fly"2007.01.08 Why Key Fingerprints are ImportantI admit it: I seldom verify the key fingerprint of a host I connect to against a fingerprint I have obtained through secure means. As things stand today, I consider it unlikely that somebody will stage a man-in-the-middle attack at the time I first connect to an unknown host. Today however I almost got bit. Continue reading "Why Key Fingerprints are Important"2006.12.13 Secure Passports and IT ProblemsIn 2003 Greece, in response to new international requirements for secure travel documents, revised the application process and contents of its passports. From January 1st 2006 passports are no longer issued by the prefectures, but by the police, and from August 26th passports include an RFID chip. The new process has been fraught with problems; many of these difficulties stem from the IT system used for issuing the passports. On December 12th, the Greek Ombudsman (human rights section) issued a special 22-page report on the problems of the new passport issuing process. The report is based on 43 official citizen complaints. Continue reading "Secure Passports and IT Problems"2006.12.01 (Not) Hacking the Digipass Go 3 OTP DongleMy bank moved to two factor authentication solution, and thus required me to purchase from them a Digipass Go 3 dongle in order to authenticate my transactions. To register my dongle I keyed-in a five-digit code they gave me, and also the key's serial number appearing on its back. Given that Go 3 utilizes an open authentication framework, and a published algorithm for generating the one time password (OTP), could I utilize the key and the numbers I keyed in, for using the key in my own applications, of for cloning the dongle in my mobile phone or palmtop? Continue reading "(Not) Hacking the Digipass Go 3 OTP Dongle"2006.05.24 Security is a Problem of the Weakest LinkWhile attending the ICSE 2006 conference I stayed at the Tong Mao hotel. My room featured an impressive-looking safe: thick steel, two bolts, and a digital lock. Continue reading "Security is a Problem of the Weakest Link"2006.02.15 A Malfeasant Design for Lawful InterceptionEarlier this month it was revealed that more than 100 mobile phone numbers belonging mostly to members of the Greek government and top-ranking civil servants were found to have been illegally tapped for a period of at least one year (see Wikipedia article). Apparently, the tapping was implemented by activating Ericsson's lawful interception subsystem installed at the Vodafone service provider. How could this happen? Continue reading "A Malfeasant Design for Lawful Interception"2005.11.09 US Military Removes Word Documents from the Web?On August 25th 2004 the comp.risks forum run an article I submitted regarding the large number of Microsoft Word documents available on US milatary sites (sites in the .mil domain) through Google searches (23.50 "U.S. military sites offer a quarter million Microsoft Word documents"). The article documented how such documents could lead to the leakage of confidential data. A week later I setup a script to watch the number of Word documents available through Google searches to see if and when the military would recognise the threat those documents posed and remove them. Continue reading "US Military Removes Word Documents from the Web?"2005.05.19 Cats and Cigarette LightersOn April 14th, the US Transportation Security Administration started enforcing a new ban on cigarette lighters. A month later, I saw the corresponding announcement posted on a check-in desk at the Samos international airport. At the same airport I also saw a free-roaming cat getting its food delivered directly on the tarmac. I entered my flight feeling a lot safer. Continue reading "Cats and Cigarette Lighters"2005.04.27 Solving Singh's Substitution CipherMany of us enjoy playing with encryption algorithms. Simon Singh, before a book promotion trip to Greece, published a "substitution cipher with a twist". I would consider solving a substitution cipher aimed at the general public unfair, but the "twist" made me curious. Continue reading "Solving Singh's Substitution Cipher"2004.10.05 Cracker Code ReviewAccording to a popular myth, crackers are computer whiz kids: brilliant software developers who run circles around their "peers" in the corporate world. When my undergraduate student Achilleas Anagnostopoulos sent me a pointer to the source code of the Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow exploit, I decided to test the myth by performing a code review of the exploit's source code. The results are not flattering for the exploit's developers: no self-respecting professional would ever write production code of such an abysmally low quality. Sorry M4Z3R. Continue reading "Cracker Code Review"2004.08.31 U.S. military sites offer a quarter million Microsoft Word documentsI was Google-searching for the Air Force Operational Test & Evaluation Center publication "Software Maintainability - Evaluation Guide". To make my search more efficient I restricted it to military (.mil) sites, using the Google keyword "site:.mil". I was not able to find the publication I was looking for, but was surprised to see a number of Microsoft Word documents in the search results. Continue reading "U.S. military sites offer a quarter million Microsoft Word documents"2004.02.03 A Spam-resistant Email NetworkI am really fed up with spam. Yes, I am behind a spamassassin filter, and it is getting less and less useful with every passing day. Many other interesting ideas (including ji's patent) have failed to catch on and provide significant relief. In a recent column in IEEE Spectrum Robert Lucky expressed his yearning for the days when email was only used by the elite in the know, the select few who "were on email". Continue reading "A Spam-resistant Email Network"2004.01.21 How Not to Conduct a PollRecently the ACM Council asked members to provide feedback on the issue of expanding legal protections for collections of data by means of an on-line poll. Opening the policy feedback decision-making process to the ACM membership promotes member participation and transparency. However, I have two serious reservations regarding the way the member feedback was requested. Continue reading "How Not to Conduct a Poll"2003.06.28 Security researcher beguiled by email spoofOne would expect someone who is reading and contributing to comp.risks since 1990 to know better, especially if he is also lecturing courses on IT security, and has written a couple of papers in the area. Maybe it was also a well deserved punishment for laughing at emails titled "Valuable business proposition" and "Renew your e-bay account" (who is so dumb so as to fall for these schemes?) Continue reading "Security researcher beguiled by email spoof" |
Navigation
Recent Entries
Revision Control Smells (2016.09.13) The Computer Tube (2016.05.07) Verifying the Substitution Cipher Folklore (2016.03.18) Raspberry Pi vs USB vs Mac Audio (2015.12.13) Raspberry Pi Zero vs Elliott 405 (2015.11.29) Impact Factor of Computer Science Journals 2014 (2015.06.28) Grady Booch on the Future in Software Engineering (2015.05.22) ABS's 2015 Academic Journal Guide (2015.02.28) What's the Best Time and Day to Tweet? (2015.01.13) First, Do No Harm (2014.09.25) Category Tags
AWS (3) Android (2) Apple (9) C (18) C++ (16) Computers (54) Discussion (5) Electronics (14) Environment (1) FreeBSD (25) Funny (14) GSIS (5) Google (6) Government (1) Hacks (25) Hardware (22) History (2) Internet (12) Java (25) Linux (5) Management (25) Microsoft (11) One Laptop Per Child (3) Open source (56) Opinion (28) Parenting (11) Perl (13) Photos (13) Politics (3) Programming (101) R (1) Raspberry Pi (2) Risks (5) Scala (1) Science (31) Security (26) Sights (18) Smartphones (3) Software (19) Software engineering (80) Standards (6) System administration (39) Teaching (8) Technology (24) Tips (39) Tools of the Trade (52) Travel (9) UML (6) Unix (31) Web (30) Windows (13) Writing (40) XML (9) vim (5) Archive
Complete contents (321)
September 2016 (1) May 2016 (1) March 2016 (1) December 2015 (1) November 2015 (1) June 2015 (1) May 2015 (1) February 2015 (1) January 2015 (1) September 2014 (1) August 2014 (1) July 2014 (1) April 2014 (1) January 2014 (1) December 2013 (2) October 2013 (1) September 2013 (1) July 2013 (2) June 2013 (2) May 2013 (1) March 2013 (2) February 2013 (1) January 2013 (1) December 2012 (3) October 2012 (2) September 2012 (3) August 2012 (1) July 2012 (1) June 2012 (1) May 2012 (1) March 2012 (2) February 2012 (1) January 2012 (2) December 2011 (3) November 2011 (1) October 2011 (1) September 2011 (1) July 2011 (3) May 2011 (3) February 2011 (1) January 2011 (1) November 2010 (1) October 2010 (2) August 2010 (3) July 2010 (1) June 2010 (1) May 2010 (1) April 2010 (1) March 2010 (2) January 2010 (1) December 2009 (1) November 2009 (1) October 2009 (2) September 2009 (2) August 2009 (5) July 2009 (3) June 2009 (3) May 2009 (4) April 2009 (6) March 2009 (4) February 2009 (5) January 2009 (4) December 2008 (3) November 2008 (2) October 2008 (5) September 2008 (4) August 2008 (4) July 2008 (3) June 2008 (2) May 2008 (5) April 2008 (3) March 2008 (2) February 2008 (2) January 2008 (5) December 2007 (3) November 2007 (3) October 2007 (3) September 2007 (4) August 2007 (2) July 2007 (2) June 2007 (4) May 2007 (3) April 2007 (5) March 2007 (5) February 2007 (3) January 2007 (4) December 2006 (5) November 2006 (5) October 2006 (5) September 2006 (7) August 2006 (1) July 2006 (5) June 2006 (3) May 2006 (3) April 2006 (4) March 2006 (2) February 2006 (3) January 2006 (5) December 2005 (3) November 2005 (4) October 2005 (3) September 2005 (6) August 2005 (1) July 2005 (4) June 2005 (2) May 2005 (6) April 2005 (3) March 2005 (4) February 2005 (6) January 2005 (2) December 2004 (3) November 2004 (3) October 2004 (5) September 2004 (3) August 2004 (5) July 2004 (1) June 2004 (1) May 2004 (1) April 2004 (2) March 2004 (1) February 2004 (2) January 2004 (3) October 2003 (2) September 2003 (1) July 2003 (1) June 2003 (2) May 2003 (1) Syndication
This blog is also available as an RSS feed:
Search
|
Last update: Thursday, September 22, 2016 9:56 am