Saturday, November 29, 2008

The Do's and Don't's Live Blogging an Event

I lived microblogged my second event today, the goodbye too Roel van Duijn. It was quite fun, and I was getting some interesting looks from people as I was typing my commentary into my BlackBerry. I wasn't entirely satisfied with the ease. Both of the events I used Ping.FM, the first using GTalk, which was easy, and the second using Ping.FM Mobile, which is terrible together with the BlackBerry browser.

Firstly I learned I should have read the following two articles, which contain handy tips:I really should have prepared before I went, I didn't know the names of all the guests and didn't know the schedule. I was slightly late, and as I didn't know I was going I didn't really have time to prepare. I really should have used HashTags, I did think about it, but it was all going fast enough that the fleeting thought was discarded.

So I'll know for next time to:
  • Do come prepared
  • Do know who is speaking
  • Do use an easy to use tool
  • Do use hashtags
  • Do take pictures
  • Don't forget the names of the speakers
  • Don't attract too much attention
  • Don't arrive late

I'll update this list and repost with anything which pops into my mind, and naturally comments are welcome.

Technorati Technorati Tags: , , , , ,


Thursday, November 27, 2008

FireFox Hacks For Flash #hacks

It always annoys me that when I arrive at a page I get the message:
Additional plugins are required to display all the media on this page.
I don't want to run Adobe's Flash in my current context, I would actually prefer to not run it at all. Even Microsoft agrees that Don't blame us, blame the browser add-ons.
Eric Lawrence Security Program Manager on Microsoft's Internet Explorer team argued on a Black Hat webcast about Clickjacking that Microsoft is not to blame. [...] "One of the things we've seen in the last two years is that attackers aren't even going after the browser itself anymore. The browser is becoming a harder target and there are many more browsers," Lawrence said. "So attackers are targeting add-ons."
So how did I disable the stupid warning? In FireFox's about:config I changed the plugins.hide_infobar_for_missing_plugin entry from false to true, now I decide when I see a legoblock whether I want that to work or not.
plugins.hide_infobar_for_missing_plugin true

Technorati technorati tags: , , , ,

Labels: ,

Thursday, November 20, 2008

LinkedIn or MySpace for Security Clearance Checks #risk #linkedin

I went over to visit Peter Went this week, his company WCC Group produces a Fuzzy Logic Database which amongst other things used for matching Biometric Data. He said he was going to be in Milan today giving a talk to start discussion on the following point.

Governments only really know about 5-10% of their population, a few because they have had a security clearance check performed and the restbecause they have a criminal record. The remaining 90-95% of their population they have no clue about, they only know whether they paid there taxes. (Percentages may vary slightly.)

A portion of the population does currently has a Social Networking account with a profile showing you who their friends are, so what if we assume guilt or innocence my association. My friend Peter Went, a connection on LinkedIn, is quite highly graded, I don't think he has NATO Blue Clearance, but it will be pretty high. One of my friends who works for Peter also has pretty good security rating, although maybe not as good as Peter. In this system I would get 7 points for knowing Peter and 5 for knowing my friend, which would give me a current average rating of ( 7 + 5 ) / 2 = 6. I also have a friend who fell on some bad times and spend a little time as a criminal, although he is now reformed his criminal past and is on LinkedIn he brings down my average rating to ( 7 + 5 + 2 ) / 2 = 4 2/3. Calculating all the way through my +4000 LinkedIn contacts you could discover that I am either good enough to even start a clearance procedure or not.

Added to that you could also weight people more or less based on the type of friendship we have, Peter I know, but have no real contact with besides from the occasional job offer. :) So we can weight Peter's score against mine giving me only a percentage of the points I received before. ( 7 * 1 ) I used to work with the friend who works for Peter, which you can extract from LinkedIn, so his rating should count higher against me. ( 5 * 2 ) In fact he gave me a recommendation on LinkedIn, which adds even more to my score. ( 5 * 3 ) When we then calculate the scores you see that Peter's score is less of an influence on my score than my friend. ( ( 7 ) + ( 5 * 3 ) ) / 4 ) = 5.5. Adding my reformed criminal friend will further affect my score.

This can be taken even further, the score of my reformed criminal friend has an effect on my score so it also effects Peter's, but not as much as it effects my friend who works for Peter. Depending on the depth of your algorithm this could effect Peter's score for a second time as my friend has a lower score, all because of the past actions of my reformed criminal friend. Any different algorithms will further alter the effect of the weights on those in my network.

There is no question something like this could be done, the question is whether it is morally correct to judge somebody not on their own actions, but on the actions of the friends of their friends? I know we are what we eat, but are we who we hang out with, or even who our friends hang out with?
Technorati technorati tags: , , , , , , ,

Predicting UnixTime in an Initialization Vector #security #cryptography

I'm always amazed that people use unixtime as a unique number for anything, even unixtime in milliseconds. A request that comes in milliseconds from the next might just pass muster, but for cryptography this is just not enough!

Sorry let me start from the beginning...

Due to some restrictions at regarding SSL certificates I was forced to come up with a way to encrypt sensitive data being passed from a user's browser to an application server. I thought it would be pretty simple to build my own Diffie-Hellman key exchange in JavaScript, which it was. Encryption on the otherhand is not my forté, so I thought I would rely on somebody else for that work. It was suprisingly difficult to find a Cipher Block Chaining implementation of Rijndael (Advanced Encryption Standard, AES) in JavaScript, so I decided to go with the Counter Mode implementation I found over at AES Advanced Encryption Standard.

All was well, the implementation was a little tricky as I was made some mistakes in my Diffie-Hellman implementation due to the lack of Big Number support in JavaScript. Once I'd finally solved that with a dive into arrays of numbers I was suddenly presented with strange behavior. All the encrypted blocks in a sequence seemed to start with the same block, 4 bytes which were similar in all messages and then 4 bytes which were identical. There was nothing wrong with the implementation. The SharedKey was always different - I was using an 64 bit key for testing - and I could decrypt the messages fine on both sides. I was a little baffled.

So when I was reading about the new SHA3 on Bruce Schneier's blog and thought that it could have something to do with the Salt, as SSHA or Salted SHA. The Salt is almost identical to the Initialization Vector or nonce used in Cryptography. So I examined the JavaScript code and saw this:
var counterBlock = new Array(blockSize);
var nonce = (new Date()).getTime(); // timestamp: milliseconds
var nonceSec = Math.floor(nonce/1000);
var nonceMs = nonce%1000;
for (var i=0; i<4; i++) counterBlock[i] = (nonceSec >>> i*8) & 0xff;
for (var i=0; i<4; i++) counterBlock[i+4] = nonceMs & 0xff;
var ctrTxt = '';
for (var i=0; i<8; i++) ctrTxt += String.fromCharCode(counterBlock[i]);

Needless to say I was surprised, also because initially I hadn't even noticed that the last 4 bytes of the 8 byte sequence were identical. So I double checked the rest of the code and saw that indeed the IV was prepended to the encrypted block. Shocking was the fact that unixtime was being used to create the nonce. Unix time is the number seconds since the January 1st, 1970 in UTC, which means that the current time and date can be extracted. For each second that passes only one is added to the total, which means that the first portion is predictable as long as you know what date and time it is in UTC. The second part can be guessed or even pre-calculated in a rainbow table, there are after all only 86400 seconds in a day. What's worse is that the number of milliseconds, is always less than 1000, so we can look it up in the same rainbow table we created for the seconds of the day. That means that this entire IV is predicable, as long as we can read a calendar and tell the time, or have a computer to do it for us.

So I took out my trusty editor and plugged the hole like this:
function generateIV() {
var counterBlock = new Array(16);
var nonce = Math.floor(Math.random()*18446744073709551616)
var nonceSec = Math.floor(nonce/4294967296);
var nonceMs = nonce%4294967296;
// encode nonce with seconds in 1st 4 bytes, and (repeated) ms part filling 2nd 4 bytes
for (var i=0; i<4; i++) counterBlock[i] = (nonceSec >>> i*8) & 0xff;
for (var i=0; i<4; i++) counterBlock[i+4] = (nonceMs >>> i*8) & 0xff;

var ctrTxt = '';
for (var i=0; i<8; i++) ctrTxt += String.fromCharCode(counterBlock[i]);

return ctrTxt;

I then I used the scatter chart option in Open Flash Chart 2 to create a distribution chart to verify that the distribution of x = nonceSec and y = nonceMs was random, which as far as I could determine it was. Had the person who wrote this had done the same he would have seen how predictable his nonce was and could have fixed it.

So what did you do today?

UPDATE: I had a discussion with Chris Veness, the author of the library I referred to above, and he said the following:
There is no suggestion that the nonce needs to be unpredictable (though it must be unique), hence your concerns are, to the best of my understanding, entirely misplaced.

I feel much more comfortable following SP800-38A to the letter (as I believe I have done with the 'second approach'), rather than second-guessing what might be improvements, as I have noticed that for a non-expert, alterations which intuitively appear to improve cryptographic strength can potentially have exactly the reverse effect.

Further, while your change results in a low likelihood of compromising uniqueness, it is clearly breaching this cardinal requirement of the specification ("A procedure should be established to *ensure* the uniqueness of the message nonces").

I trust you will update your blog so that your readers won't get drawn into a similar confusion.

Technorati technorati tags: , , , , , ,

Labels: , ,

Wednesday, November 19, 2008

Wireless Home Security Camera Systems #trends #seo

I like to examine Google Hot Trends to find out what's going on in the world. And today I found Google Search-based Keyword Tool on FriendFeed. So I type in the keywords with which I associate my blog "risk" and "security". After a little sorting - the interface is still beta I think - I find that the following keywords are well searched and sold ads: "wireless", "home", "security", "camera", and "systems".

In particular "home security" and "security camera(s)" are well searched, with the first being highest when I test the terms in Google Insights for Search (Try for yourself.) This information can be used in Google Sets to find out what other words are associated with my keywords. (Try for yourself.)

So what can you do with this information, besides from get your blog posts a high rating? :)

Technorati Technorati Tags: , , , , ,

Labels: ,

Where the Wild Things Are #books #movie

I'm happy and sad, they will be releasing a movie version of Where the Wild Things Are, originally by Maurice Sendak, on October 16th 2009. This is my all time favourite book, to the exclusion of all others. And I buy it for all the children I know for Christmas or their birthdays, if they hadn't already gotten it from me.

In the Netherlands they produced a translation which wasn't even half as good as the original, they called it "Max en de Maxi Monsters". In my humble opinion there is one thing you shouldn't do, NEVER! You shouldn't implant the idea of monsters in a child and you should certainly not attach what, in my opinion, is one of the best children's books to this concept.

I think this is what Sendak did so brilliantly, he gave us the Wild Things and Max who - says his mother - is the Wildest of them all. What does Sendak do with this potentially threatening (scary) situation? He does what the Wild Things do and make Max the King of all the Wild Things.

The reason it doesn't work in the Dutch version where Max is a Monster and is make the King of the Monsters is that there is no subtlety. It's in no way disarming. Monsters are intransient in the eyes of children. The world is frightening enough, would you really want to put monsters into your child's head before bed? Wouldn't you rather give them Wild tameable Things?

Spike Jonze's "Where The Wild Things Are" Interview

Technorati technorati tags: , , , , ,


Friday, November 14, 2008

Scoble and CNN prove me right...

I just saw this exchange from Robert Scoble and Rick Sanchez, so my previous analogy wasn't so far off the mark. :)

@PRsarahevans any PR person on Twitter is one of the good ones. :-) @Bluraven USA media only shows small part of China (and world).
03:28 PM November 12, 2008 from web in reply to PRsarahevans
@Scobleizer ur right, trying to get us all to think beyond the norm. twitter can lead the way. aint going to change overnight though.
03:34 PM November 12, 2008 from web in reply to Scobleizer
@ricksanchezcnn just Twittered me. Now THAT freaks me out! It's like CNN is listening to me. Heheh, got me to switch to CNN from BBC. :-)
03:36 PM November 12, 2008 from web in reply to ricksanchezcnn

Technorati technorati tags:


Bloglines Trouble, Historical Musing on "Geek Bloggers"

For some reason Bloglines had some problems yesterday, which lead to me reading historic /. articles. There were a couple which caught my eye, but none more than Geek Blogging is in Decline. You can view the current top 100 list by visiting Technorati.

I don't see it, I believe the statistics, but I just don't see it. These Geek Bloggers, such as Godin and Scoble are seen in many more places now than just on their own blogs. They are to technology what CNN's Christiane Amanpour is to war, they are the roving reporters sent in when the proverbial shit is hitting the proverbial fan.

Technorati technorati tags: , , , , ,


Tuesday, November 11, 2008

What about a Hyper Cloud?

I was reading Cloud(s), Hype, and Freedom on Freedom to Tinker and thought of the different concepts of cloud that he was describing and was thinking of a Hyper or Meta Cloud for such things as storage or computing power.

One of Stallman's objections - which I tend to agree with - is that you have no control over the service being provided remotely. This is the same as when I get network services from a Level 3 or MCI WorldMob, for more control I would distribute my traffic over multiple independent network vendors. In this way I can mitigate part of the risk I am facing.

Why shouldn't the same hold true for Cloud Computing?

Technorati technorati tags: , , , , ,

Labels: ,