The Nikon Image Authentication System has a simple enough mission – it is supposed to provide a cryptographically secure path from the camera to the newsroom, ensuring that any image used can be proven authentic.
Apparently, due to a weakness in the signing key storage in the camera, it doesn’t work. The key can be extracted and used to sign arbitrary image data, “proving” it legitimate.
Leave a Comment » | 
Exploits, Syndicated | 
Permalink
Posted by matt
I assume that you’ve heard at least some of the wailing and gnashing of teeth about iDevices caching location information, allowing for the use of an iPhone or the computer that it syncs to as a record of the owner’s physical movement.
Well, if you would like to see how thorough it is, check out iPhoneTracker. This is a simple application for OS X that will search the hard drive of your computer, find the cached information from an iDevice that’s synced to that computer, and build a map of where you’ve been with it. Ta-da! If you’re using a Windows machine, check out the Linux port iPhoneMap under Cygwin instead.
Leave a Comment » | Smartphones, Syndicated, Tools | Permalink
Posted by matt
How do you steal hundreds of dollars from someone’s ATM account with nothing more than a five dollar Wal-Mart glue gun?
It’s simpler than you think.
Leave a Comment » | Exploits, Syndicated | Permalink
Posted by matt
Popular online storage and backup provider Dropbox has changed their terms of service – apparently they want to reserve the right to decrypt the data that you’re storing on their service if the US government asks them to do so.
Independent of how intrusive this must be for non-US users, it’s an interesting reminder of how little control you have over data that resides “in the cloud”. Don’t worry, though. I’m sure that the software and process for decrypting user data is very secure, and complex, and will never be used by an outside intruder or a disgruntled insider. Safe as houses.
Leave a Comment » | Legal, Syndicated | Permalink
Posted by matt
The National Strategy for Trusted Identities in Cyberspace, or NSTIC, will be publicly launched at an event at the Commerce Department this morning. The concept behind the initiative is simple: create a standardized authentication framework so that users don’t need to leave PII, or Personally Identifiable Information, in the hands of every web site where they need to handle personal matters.
There’s even an adorable little animation explaining the concept. A user can establish an account with any of a number of registrars, some of which are public and some of which are private. The registrar then issues an authentication token that can be used as proof of identity on sites that conform to the standard. Obviously, this depends heavily on maintenance of proper security at the registrar – but that’s still better than the current situation, where your doctor, your bank(s), your employer, etc. all have copies of your personal information, shielded only by a simple password.
It seems that the feds have really gone out of their way to make this vendor-neutral and decentralized; I hope it takes off. I’m sick of seeing headlines about massive data breaches harvesting tons of PII.
Leave a Comment » | Legal, Syndicated | Permalink
Posted by matt
According to the law currently on the books, email stored for more than 180 days in a hosting environment – including on so-called “cloud” servers like those of Hotmail or Gmail – is considered “abandoned” and can be obtained without a warrant. Efforts to rectify this mid-1980s legislative situation are being actively opposed by the Obama administration, who apparently feel that due process is a bit of a hassle and would rather not deal with the realities of how people now use email.
Leave a Comment » | Legal, Syndicated | Permalink
Posted by matt
Researchers at CanSecWest gave a presentation this week on disabling various GSM phones using only SMS messaging. OpenBSC, an open source toolkit, was used to build a custom GSM network and the SMS messages were generated using it. Phones could be frozen, rebooted, locked, even completely bricked.
From one of the comments on the article:
It’s actually pretty well known –has been known for a while, too– that handsets are mostly tested against the few types of base stations Out There and, er, that’s it. Malicious input checking? Never needed; all the base stations are made by just a few manufacturers, right? Right?
Well, that’s what OpenBSC changed. Phones are still back where computers were back in the eighties. And now we can poke at them. There’s more where this came from. Far more.
Leave a Comment » | Exploits, Smartphones, Syndicated | Permalink
Posted by matt
The Anaheim Union High School District of California has come up with a new scheme for battling truancy: track students with GPS units.
Students with four or more unexcused absences are issued a GPS unit, which they must carry with them during the day. Their locations are checked five times a day – when they leave home for school, when they arrive, lunchtime, when they leave school, and eight PM. In addition to location tracking, students are assigned to a mentor for one-on-one planning sessions to avoid future truancy.
This is an interesting solution to a common problem – although I have to wonder how beneficial it really is to the other students to divert funds from education to technology, in the interests of filling the classroom with students who would rather not be there.
Leave a Comment » | Legal, Syndicated | Permalink
Posted by matt
So, what do you do when you get your hands on an old safe with an unknown combination?
Build a robotic safe cracker, of course! It’s either that or die of curiosity – the Magic Safe could contain anything!
Leave a Comment » | Exploits, Syndicated | Permalink
Posted by matt
Ron Rivest, perhaps best known as the “R” in “RSA”, delivered a lecture yesterday at MIT on the past and future of cryptography. It touches on his invention of public-key crypto in the 1970s, as well as some possible applications — such as micropayments and electronic voting systems — in the future. Not a lot of new material for people who work in the field, but still interesting stuff.
Leave a Comment » | Syndicated | Permalink
Posted by matt