TCLP 2009-08-23 News

This is news cast 188.

In the intro, I will be speaking at the Maryland gathering for Software Freedom Day on September 19th. More details after Dragon*Con.

This week’s security alerts are new research to predict online attacks and cracking real time ID generators.

In this week’s news new research into nanoscale lasers using surface plasmons to break the previous scale limits with some more good technical detail in Ars’ coverage, an excellent discussion of transformative works, URL shortening service Tr.im cheats death by opening its source and its data, and an operating system programmed in assembly.

Following up this week, i4i confirms OpenOffice doesn’t violate its patent and Nina Paley shares the source files to her wonderful open content work “Sita Sings the Blues”.


Grab the detailed show notes with time offsets and additional links either as PDF or OPML. You can also grab the flac encoded audio from the Internet Archive.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.

One Reply to “TCLP 2009-08-23 News”

  1. Tom,

    Thank you for sharing the information about Minuet. I’ve lamented for years that high level programming languages and “sloppy” coding have made operating systems expand to consume all the resources our screaming fast machines have available. No matter how fast hardware gets, the user experience seems to remain tedious. This includes embedded systems that I work with, which operate via a command line.

    Minuet gives me hope that we can start seeing this trend invert and user interfaces in the operating system gain some serious optimization. I would have never found out about this project if I hadn’t listened to your show. Please keep bringing us news of these clever, elegant, and awesome things like Minuet.

    Regarding the new exploit for SecurID Tokens. There has been an exploit in the wild regarding this product for over a decade. It affects less than 2% of the tokens, but it allows an attacker who sees the pseudo random code on the keyfob once to recreate the seed code and therefore be able to create a software duplicate at any time in the future. The attacker needs to also get a time stamp along with seeing the code.

    Most security guys I’ve worked with don’t worry about this, because it also requires the user’s login and password in order to successfully hack the user’s account. But if an attacker gets one look at a keyfob and then a second one at a later time, he can validate whether or not the user’s SecurID token is vulnerable to the attack. If it is, then he can concentrate his efforts on hacking that specific user now that the linchpin of the security system, SecurID, is known to be compromised.

    This specific attack, as described, actually doesn’t worry me that much. All the SecurID systems I’ve worked on have only allowed a specific code to work once for authentication. Unless the attacker’s code can get authenticated before the user’s login attempt, that specific code will be useless. However, if you combine it with the vulnerability I describe above, then you no longer need to look at the token; you can just try out the attack and see if the user’s token is one of the less than 2% that are vulnerable. If they are, you already have all the credentials and can impersonate that user to the system any time you like.

    Keep up the excellent work,

    -Paul Fischer
