Saturday, 27 February 2010

The Nobel Peace Prize, quickly turning into a joke.

(Straight off the bat, the security based stuff will not be covered. There's just way too much and it would deviate from the point.)

I sincerely hope that all of you are familiar with the Nobel Prize, more specifically the Nobel Peace Prize. This is awarded annually, in the words of Alfred Nobel's final Will & Testament, to the person(s) "who shall have done the most or the best work for fraternity among nations, for the abolition or reduction of standing armies and for the holding and promotion of peace congresses."

So, as we have seen in history there have been some very deserving candidates, such as the International Committee of the Red Cross, President Woodrow Wilson, UNHCR, Mother Theresa, Archbishop Desmond Tutu, Kofi Annan and so on. It can truly be said to be the most coveted award known to man.

However, of late its integrity has been highly questionable. Of course there is the glaring omission of Mahatma Gandhi, despite 5 nominations. The year Gandhi died, there was no prize awarded, as "there was no suitable living candidate." Of course it must be noted that there is a rule that no person may receive a Nobel Prize posthumously. This rule was bent in the case of Secretary General Dag Hammarskjöld, who was nominated while alive, but passed away before the award was given. This is not to take away from Secretary General Hammarskjöld's work, for he truly deserved the prize, despite his unfortunate demise prior to its award.

As we get a bit closer to home, chronologically speaking, we move to 2009. As most people will know President Barack Obama received the Nobel Peace Prize. It was awarded to him a scant 9 months after he assumed office. Now not only is that an exceptionally short period of time, but he very quickly afterwards announced INCREASES in troop numbers in Iraq/Afghanistan. I'm no expert, but that is not very peaceful, apart from being contrary to his election promises.

Now we jump forward just a shade to 2010. (Still love the fun people are having trying to say it out.) The nominations are in and they are: Russian activist Svetlana Gannushkina et al., Chinese dissident Liu Xiaobo and the Internet.

No, really, this actually happened. I know it was a while ago, but I thought I might as well throw my 2 cents into the mix.

UTTER TRIPE!

The Internet is full of nonsense, garbage, crap, trash and a variety of other things I can not bring myself to describe. Agreed there is a small percentage of it which is, as the citation goes, a tool to advance "dialogue, debate and consensus through communication" and to promote democracy. But, really? This is the equivalent of nominating an entire University for the work that 1 single academic has done.

Of course Svetlana Gannushkina is nominated with her activist group, but that is a group of individuals who share a common goal. Most of the people on the Internet really do not care about "dialogue, debate and consensus through communication." Don't believe me? Then pop over to a public forum. It's really bedlam over there, with uninformed, irrational and uninhibited people arguing in the most disjointed manner possible.

Then there is the small matter that the Internet is an abstract concept. It's not a single person, nor is it represented by a single person or a small enough group. The anthropomorphisation just makes me sick to the core. Of course there is also the issue of "what is the Internet?"

The term internet (notice the lower case 'i') is simply a network of networks. Glossing over the technical details, a network is several computers connected to share resources. Connect networks together and you have an internet. Now we have a special case of an internet, the Internet (notice the upper case 'I'). Yes, the terminology is horrible, but nobody saw it coming.

The 1st internets were DARPA-NET (Defence Advanced Research Projects Agency - NETwork) and JANET (Joint Academics NETwork). The use of these is obvious: military communication and sharing of academic data respectively. Somebody got the idea to make it global, and hence the World Wide Web was born.

Now herein lies the problem, there was no legislation to control this. People joined and did whatever they wanted. Hence the Internet is in the form it is known to all today.

If the Internet were to win the Peace Prize, then I would be exceptionally distressed.

Thursday, 25 February 2010

Chip-and-PIN payment system "broken"

For those of you not familiar with the concept, I will go over it quickly. The "Chip-and-PIN" or EMV (Europay, MasterCard, VISA) system is the use of smart cards, which are basically cards with a tamper-resistant chip on them, for payments via debit/credit cards. That is the "chip" part, so now for the "PIN", which is a 4-digit code that you use to verify that you are indeed authorised to use this card. (Some people give their card and PIN to family members, friends, etc., which is an entire discussion in itself.)

So this system is in wide use in the United Kingdom and has become a vital part of everyday life. So obviously any sort of major security failure would be catastrophic. Professor Ross Anderson has published such an attack, or so he claims. Even Bruce Schneier thinks it's a big thing.

He uses what is known as a Man-In-The-Middle attack. The basic concept is that the attacker places himself between two parties who wish to communicate. He then intercepts all communications and distorts them to serve his purposes, whatever they may be.

I would advise you watch the video demonstration which was aired on BBC Two, with the accompanying article. Go on, watch it, I can wait.

So after having seen the video, I would like to tell you why this is not the end of the world:

  1. You need someone else's card. Arguably it is easy to get one, but the point is that if somebody has stolen your card, there are far worse things they can do than buy a bottle of water. There are several ways to use a card without knowing the PIN, over the phone for example. Physical possession of the card would allow you to use it in several circumstances without knowing the PIN.
  2. It only works in offline terminals. So you can't put it in an ATM or use it in any store where the transaction is verified online with the bank. In that case, a cryptogram containing the PIN is sent to the bank, which will then verify the PIN. You would be hard pressed to fake that.
  3. You need a specific setup of reader, as the one used in the demo. Of course one could get better at hiding the wire and the actual "performance" of the attack, but no amount of practice would allow you to hand a card with a wire on it to a merchant and not raise suspicions.
  4. The hardware and software are really non-trivial to construct. The script is in Python, which is a difficult language to master, and all the hardware is custom built. So really the kit is not absolutely accessible.
  5. If the card has been cancelled, this attack will not work. So again, because the attacker needs to steal your card, they only have the time between stealing the card and you reporting it stolen and cancelling your card.

So the moral of the story is: if your card is stolen, the thief can spend your money. Oh, wait, isn't that EXACTLY WHAT WE ALREADY KNEW! So now they have a smarter way of doing it, but it still depends on the attacker physically having your card.
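To make point 2 concrete, here is an added toy model of the two verification paths (it is not code from this post, from the BBC demo or from the Cambridge researchers, and it does not use real EMV message formats; the key, PIN and amounts are constructed values). An offline terminal accepts a bare "PIN OK" flag coming back along the card path, which a device in the middle can rewrite, while an online transaction carries a cryptogram keyed with a secret shared only by the card and the issuer, so the same rewrite is caught when the bank recomputes the MAC over the fields it received.

```python
import hmac
import hashlib

# Constructed toy model of the two verification paths described in the post;
# it is not real EMV and the key, PIN and amount values are made up.
ISSUER_KEY = b"toy-per-card-key-shared-with-issuer"


def _bind(amount: int, pin_ok: bool) -> bytes:
    # Fields the card commits to in its online cryptogram.
    return f"{amount}|{int(pin_ok)}".encode()


class Card:
    """Simplified chip: knows its PIN and a key shared only with the issuer."""

    def __init__(self, pin: str, key: bytes):
        self._pin = pin
        self._key = key

    def verify_pin_offline(self, pin_entered: str) -> dict:
        # Offline path: the card answers with an unauthenticated flag.
        return {"pin_ok": pin_entered == self._pin}

    def online_cryptogram(self, amount: int, pin_entered: str) -> dict:
        # Online path: the PIN outcome and amount are bound under the issuer
        # key, which nothing sitting between card and bank holds.
        pin_ok = pin_entered == self._pin
        mac = hmac.new(self._key, _bind(amount, pin_ok), hashlib.sha256).hexdigest()
        return {"amount": amount, "pin_ok": pin_ok, "mac": mac}


def relay_rewrite(message: dict) -> dict:
    """Device between terminal and card that forwards the message but flips
    the verification flag to 'ok' (the generic distortion the post describes)."""
    tampered = dict(message)
    tampered["pin_ok"] = True
    return tampered


def offline_terminal(card: Card, pin_entered: str, via_relay: bool) -> bool:
    """Terminal that trusts the flag on the card path without asking the bank."""
    reply = card.verify_pin_offline(pin_entered)
    if via_relay:
        reply = relay_rewrite(reply)
    return reply["pin_ok"]


def issuer_verify(cryptogram: dict) -> bool:
    """Bank-side check: recompute the MAC over the fields exactly as received."""
    expected = hmac.new(
        ISSUER_KEY, _bind(cryptogram["amount"], cryptogram["pin_ok"]), hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected, cryptogram["mac"]) and cryptogram["pin_ok"]


def online_terminal(card: Card, pin_entered: str, amount: int, via_relay: bool) -> bool:
    """Terminal that forwards the card's cryptogram to the issuer for verification."""
    cryptogram = card.online_cryptogram(amount, pin_entered)
    if via_relay:
        cryptogram = relay_rewrite(cryptogram)
    return issuer_verify(cryptogram)


if __name__ == "__main__":
    card = Card("1234", ISSUER_KEY)
    print("offline, wrong PIN, no relay:", offline_terminal(card, "0000", False))  # False
    print("offline, wrong PIN, relay   :", offline_terminal(card, "0000", True))   # True
    print("online,  wrong PIN, relay   :", online_terminal(card, "0000", 5, True))  # False
    print("online,  right PIN, relay   :", online_terminal(card, "1234", 5, True))  # True
```

The point of the model is the third line of output: rewriting the flag changes the data the MAC was computed over, so the bank's recomputation fails and the transaction is declined, which is exactly why the post restricts the attack to terminals that never talk to the bank.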

Agreed, this is a technical flaw and indeed a security hole, at least from a theoretical point of view. Practically speaking, this can be done on any stolen card (doing it to your own card, while possible, is pointless), but there are worse things you could do. As a consumer, if my card is stolen I personally don't care how my money was stolen, just that I get it back. So taking a slightly pragmatic viewpoint, I would say that this is an issue, but nothing to lose sleep over, that is unless you have already lost your credit/debit card.

iPhones

Hey, you!
Yes, you with the iPhone.
Get a real fucking phone!

Yeah not really related to security, but this is just me bored far too late at night.

Wednesday, 24 February 2010

First!

So.....yeah
Well as a general rule I am not very amused by blogs and/or bloggers (people who constantly update their blog just for the sake of updating it). However certain things make me so furious that I really just have to get it out there.

So all you people who think it's cool/funny/whatever else to post "first" as the first comment on anything, it's really not. Get a life.