Comments for Jefferson's Wheel

Comment on Private Editing Using Untrusted Cloud Services by David Evans

David Evans — Sun, 15 May 2011 15:09:23 +0000

See also Nate Lawson's comments on this: Encrypted Google Docs done well, Root Labs, 9 May 2011. [Hacker News]

Comment on Hacking the World Cup Draw by David Evans

David Evans — Fri, 04 Dec 2009 04:52:36 +0000

From my analytics logs, here’s the google search query the NY Times reporter used (on December 1st) that led to finding this exam:
“2006 and world cup and draw and rig”.

Comment on The Queen’s iPod by David Evans

David Evans — Thu, 09 Apr 2009 21:18:28 +0000

Thanks, I’ve updated to the latest WordPress version.

I agree that the current copyright system is badly broken. Its worse than Life + 70, its really Life + N where N is however large a number needed to keep Mickey Mouse under copyright. Jefferson’s notion of 19 years seems about right.

Then 19 years is the term
beyond which neither the representatives of a nation,
nor even the whole nation itself assembled, can validly
extend a debt… This principle that the earth belongs
to the living, and not to the dead, is of very extensive
application…

More here.

Comment on The Queen’s iPod by sean.talts

sean.talts — Thu, 09 Apr 2009 16:47:31 +0000

That’s a really interesting article. Copyright reform is needed so very badly, starting at the very basics. Life + 70? What?

P.S. Your blog would like me to inform the site administrators that WordPress 2.7.1 is available.

Comment on Technology Review, How Smart Is a Smart Card? by Jefferson’s Wheel » Blog Archive » Technology Review: RFID’s Security Problem

Tue, 10 Feb 2009 04:30:39 +0000

[...] a University of Virginia security researcher’s analysis of the NXP Mifare Classic (see Hack, November/December 2008), an RFID chip used in fare cards for the public-transit systems of Boston, London, and other [...]

Comment on Barker’s gift … funds chip research? by Jeffersons Wheel Blog Archive Barkers gift funds chip … | YOUR PETS DEPOT

Thu, 15 Jan 2009 12:12:09 +0000

[...] A smart blogger added an interesting post on Jeffersons Wheel Blog Archive Barkers gift funds chip …Here’s a small excerptPerhaps we can combine projects to work on preserving pet privacy when implanting RFID tags in animals. â¦ âAnimal law is a growing area that is in much discussion,â Riley said. âIt is a good way even for a student who … [...]

Comment on cs201, Bill Gates, and Intelligent Design by Bio-moleculartony

Bio-moleculartony — Sat, 08 Nov 2008 05:58:19 +0000

I am a big believer in intelligent design and of course God.

What might surprise you is that all that God has made, he made it all look as real as possible. So what is life, just another “looks like” a living creature.
Is man a “living” machine or just a machine that “thinks” he is living? I now would say we think we are alive or living yet there are no living molecules and no living “flesh”. We seem to be designed and finely tuned to perceive things in a directed narrow scope so as too believe “what we can only see” and know only what the hands can tell us. If life is not really alive then the whole earth is just full of bio-machinery swarming everywhere. And the universe is just made of look-a-”likes”, artificial creations made to order to create the illusion of a PHYSICAL reality. Oh yea, atoms are not physical, but are electro-magnetic energy fields created by the electron in orbit of each atom. WOW even reality is created to be a look-a-like illusion. And so the story line goes on and on…..
God must have had a lot of time on his hands to go through all that trouble, to create all that detail, just to make us “feel” at home in our own little artificial reality.

Comment on Technology Review, How Smart Is a Smart Card? by David Evans

David Evans — Tue, 04 Nov 2008 15:49:15 +0000

Dear Jianying,

Thanks for your comments. You can download our simulator from
http://www.cs.virginia.edu/mcl/mcl-simulator.tar.gz
I hope you find it helpful.

— Dave

Comment on Technology Review, How Smart Is a Smart Card? by JianyingZheng

JianyingZheng — Tue, 04 Nov 2008 08:13:41 +0000

Dear Professor Evans:

It is very nice to write to you. I am a PhD student in Chinese Academy of Sciences. Recently I have read your paper “localization for mobile sensor networks”. Excellent work has been done by your teams. Since localization is also my research area, I hope that you can give a help and send me the simulator and data. I think that will help me greatly. Thank you so much.

Your sincerely

Jianying Zheng

Comment on Faith-Based Security by jlstrauss

jlstrauss — Sat, 12 Apr 2008 14:35:07 +0000

I don’t want to shoot down the writings of someone like Berghel because he comes across as a very gifted individual in matters of security. Having added that disclaimer, this article strikes me as the cynical cry of despair that most security professionals experience (fairly regularly) in their careers, when the sheer weight of the world’s lacklustre attitude towards our chosen field gets us down and the booze just doesn’t help.

Unfortunately after having read it in its entirety, I can’t say I’ve come away with anything new or useful from it. Sorry to be so harsh but really this is just shooting that same fish in that same barrel. The fish is dead, long live the fish.

On the age-old ‘security through obscurity is bad’ argument, who could possibly argue against the theory of this and come home intact?
But I can say that many systems have incorporated obscured security measures, fully taking into account both the risk of compromise and the (often prohibitive) cost of ‘perfect world’ security. To paraphrase a quote I’m sure you’ve all heard, “98% of security professionals have implemented security through obscurity at some point in their careers and 2% lied”. With this in mind it’s important to differentiate between pure anti-’security-through-obscurity’ and being simply against bad security, if for nothing else than so you can sleep at night.

When confronted by our industries own extenstential crisis, I’m soothed by another quote: “Security is in it’s fundamental nature an undesired inconvenience, sadly but very necessarily interfering with the day-to-day operations of our lives.” I couldn’t agree more with this.
If nothing else it helps remind me of why security doesn’t get a front row seat in the thoughts of 99.99% of the population of the world. That’s how it’s always going to be and it’s OK because that’s life…

Cheers,
jls

P.S. Also, a couple of points on the examples:

1) The mifare crypto-1 compromise is significant, there can be no argument about that. But this isn’t the last word in most systems that have implemented a mifare-based scheme. You may be able to extract keys, but with proper key diversification mechanisms in place and protection of the master key(s), this is not a system-wide attack.
You may be able to clone a card, but a combination of UID-based diversification, data MAC’ing, f/o & b/o fraud detection systems, transactional checks/traps, etc you can reduce the financial scope of this attack to the point where most implementations would consider the potential exposure to be acceptable.

2) On WEP security, I don’t really understand how this is falls into the security through obscurity category? It was just a straight-forward set of catastrophic bugs that probably went through numerous rounds of IEEE committee work, but were still overlooked and made it into a public document, available for the world to pick at. (I gratefully accept that perhaps I’m missing something in the history of this, perhaps the flaw was with a secretive IEEE process?)