Professor Felten has a reasonable write up. Cory’s class blog was one of those sites receiving a demand letter. I thought AACS was so technically superior that the licensing authority could cope by issuing key revocations? Perhaps I have misunderstood the material I’ve read on the subject and the 128-bit integer in question is not one of the many keys in the system that can be revoked. Or if it is, maybe it just isn’t practical to do so. I rather suspect that latter.

It has been several months since this particular cat escape the proverbial bag. This seems like a belated reaction, as ill advised as it is. I think Professor Felten is right, though, that once they started, they couldn’t very well stop without looking foolish. More foolish. I also hope that he is right and that this key reaches the same status as deCSS and moots the current generation of video DRM.

I was glad to see Felten also mention what I think is the greatest real barrier, currently, to widespread sharing of high definition video online. The god awful size. Since I suspect most commercial pirates are interested in selling physical media, that particular hurdle would seem to me to be only effective for personal sharing. Like DRM advocates get any of this and if they do, it just reinforces my view that DRM is about suppressing innovation, not preventing any real threat of piracy.

Technorati Tags: AACS, DRM

Oh, you’ve got to be kidding me. About the only upside to this story is that changing names changes the required privileges, it does nothing in terms of actually granting escalated privileges. Still, it seems like an intensely naive assumption, even with negligible actual security impact.

The article mentions that savvy malware authors will simply rename their installers to bypass the check, though this means foregoing administrative privileges. I worry that with the callous most Windows’ users develop when it comes to the privilege nagging, that a sly author will actually work the situation the other way.

Imagine a benign looking program that presents itself as an installer, updater or uninstaller but contains a vicious trojan. The naive user clicks OK to suppress the incessant system nags and in so doing lets a bit of malware get explicit elevated privileges, not through an exploit but by gaming a silly tact for flagging what needs which rights. Not really very far fetched and may already be happening.

Technorati Tags: malware

I suppose you have to give some credit to Secustick for trying a different tactic. The informed know that encryption is not a panacea. Since a thumb drive is easily lost or lifted, creative thinking about how to secure them should be praised. Well, if done well.

Tweakers.net has a good review of the product. The first thing revealed is that the security feature depends on a Windows only executable. No joy for those who use thumb drives with a mix of systems.

The next big surprise there is no real physical security to the product. The reviewers were able to easily open the case and mode the hardware without losing access to the information on it. This allowed them to thoroughly investigate the software as it ran, revealing a few more scary surprises.

The big one was that they could de-couple the verification of the user’s password from granting access to the flash chips. Only a little less surprising is that the drive doesn’t use any sort of encryption, meaning all you have to do is circumvention the password once, which with the ease of blue wiring the board means this product should never have been certified for the uses the article indicates.

There are more details in the article that would be useful for assessing other products, even if this one doesn’t really live up to any reasonable claim of security.

There sure are a lot of if’s in this article. I don’t propose to have the solution to phishing, but SSL certificate issuance was original supposed to imply verification of identity and we’ve seen how well that worked when handled by a single or very small set of entities. How would the proposed TLD fare any better?

Dick Hardt said something in our interview that I think really hints at a better solution that we see very few people pursuing. If the identity data we give to banks and the like were reduced in its value by a mature, identity protocol (machine negotiated, customer auditable, provider accountable, etc.), then that would direct take on the single greatest incentive phishers have.

As long as this data remains such a juicy target, i.e. it has general value outside of the specific relationship with a single vendor, then phishers will always find ways to surpass defenses and barriers. I am not arguing against making it harder for them to do so, but I just don’t see how the cost of setting up a new TLD is worth a very slight, if any, benefit.

Oh, yeah, the .xxx connection. Like The Treachery of Images, simply saying it is safe does not make it so. And once the system is gamed, is a substantial risk. And, like the .xxx TLD, the converse is also true–just because it does not say safe, or xxx, doesn’t mean that is any more true, either.

Technorati Tags: consumer rights, malware

Even if this proof of concept didn’t require alternate firmware, that is running Linux on the iPod, without a persistent and direct internet connection, I think malware for a PMP is a stretch at best. Far more likely, especially since it has already happened, is PMPs being vectors for PC virii. Remember those players that were infected at the factory? Like a carrier, the players were unaffected but infected PCs once they were attached to sync. That’s just a lot more practical than attacking a device that doesn’t have any useful resources it can yield to an attacker and where the channel for executing the attack is intermittent and conditional.

Technorati Tags: malware

Snyder was on the panel discussion I had really wanted to attend Saturday morning but missed. This was a discussion on disclosure practices, full, limited and responsible. Based on this register piece, now I am really kicking myself for not getting up and moving in time to catch it.

At question is the power security researchers have over vendors. However, since the researchers ultimately have little or no power to effect fixes, except perhaps for open source projects, I suspect there is a better balance than Snyder’s remarks imply.

Following through to the News.com piece, there is clearly more contention still going on with regards to responsible disclosure. As with any compromise, it can certainly be gamed, but however disclosure is undertaken, the vendor has to be incented to fix the flaw at issue.

I am inclined to side with the likes of Schneier on reject that responsible disclosure is only a marketing term. That only makes sense when the researcher forfeits their position completely to the vendor. I am not saying that does not happen but there are just as many examples of researchers who have stuck by their guns and tried to find a reasonable, and legal, balance, like, well, Abi Rubin, among others.

At ShmooCon, during the final panel, Ivan Krstic announced an upgrade to the OLPC X0-1. It will now be produced with an AMD Geode LX-700 running at 0.8 watts at 433 MHz. The chip caching has been bumped up to 128KB of both L1 and L2 cache. They’ve increased the memory from 128MB to 256MB and the storage from 512MB to a full gigabyte. It also looks like the new chip will have a crypto accelerator. Despite the announcement taking place first at ShmooCon, the OLPC specs page has already been update.

Personally, I am a little tired of the he said, she said over the Apple WiFi flaw and Maynor and Ellch’s research and demo. I think on some level, this account is probably at least a bit credible. Apple does not have the best history of PR, especially in the security arena. What I would much rather see is a focus on constructively moving forward, either a commitment to full or responsible disclosure. I know there are purported issues of liability and SecureWorks was as much of a barrier in this case as anyone. But how are the end users, the ones who benefit most from security research, being better served by any of this?

I can’t shake the feeling that this fellow is just an idiot. I am more worried about the problems keeping hard drive searches as narrow as possible, much like warrants have traditionally worked with physical searches, regardless of encryption. I think it is always safest to assume that no matter how strong the encryption you use today may be, thanks to Moore’s law, it will only ever get cheaper to crack. That being the case, encryption doesn’t obviate the need from some basic morality and, of course, common sense.

Technorati Tags: privacy, encryption

No big surprise that this happened. Discussion of possible defenses is already underway. I don’t think some of the ideas will hold water. For instance, the idea that since the user has to input the keys and the tool only runs the standard AACS decryption. It may not trigger the anti-circumvention clauses, specifically, but I don’t think the MPAA would have a hard time making arguments that there really are not any non-infringing uses for a such a tool, at least under the DMCA and in the wake of Grokster. I hope I am wrong and there is a tenable defense.

Technorati Tags: AACS, DMCA, intellectual property