"ross anderson"

The world's preeminent cryptographers can't get visas to speak at US conferences

Ross Anderson (previously) is one of the world's top cryptographers; the British academic and practitioner was honored by having his classic, Security Engineering, inducted into The Cybersecurity Canon; however, he was not able to attend the awards gala himself because the US government sat on his visa application for months, and ultimately did not grant it in time.

World's oldest message in a bottle (probably) discovered

A nearly 132-year-old message-in-a-bottle was found in late January (or was it?).

Here's the story: While walking around Wedge Island in Western Australia, beachcomber Tonya Illman discovered the old bottle in the dunes.

Inside was a tightly-bundled scroll with a piece of twine around it which Tonya and her husband Kym took home to dry out in their oven.

Once the note was dried out enough, they unrolled it and learned the bottle's message, dated June 12, 1886, was in German.

Some people believe the find is part of an elaborate marketing hoax staged by Kym, a known "ambush marketer" in Perth.

Still, according to BBC News, the couple got the note to an expert who confirmed its authenticity:

Dr Ross Anderson, Assistant Curator Maritime Archaeology at the WA Museum, confirmed the find was authentic after consulting with colleagues from Germany and the Netherlands.

"Incredibly, an archival search in Germany found Paula's original Meteorological Journal and there was an entry for 12 June 1886 made by the captain, recording a drift bottle having been thrown overboard. The date and the coordinates correspond exactly with those on the bottle message," Dr Anderson said.

The handwriting on the journal, and the message in the bottle, also matched, he added.

The bottle was jettisoned in the south-eastern Indian Ocean while the ship was travelling from Cardiff in Wales to Indonesia, and probably washed up on the Australian coast within 12 months, where it was buried under the sand, he wrote in his report.


How Netflix is driving permanent, terrible, standards-defined insecurity for billions of browser users

The New Scientist has published a good piece on Encrypted Media Extensions (previously), the World Wide Web Consortium's proposed standard for adding DRM to video streams; they're creating their first-ever standard that is encompassed by laws protecting DRM (such as the DMCA), and in so doing, they're creating new liability for security researchers, who'll face unprecedented criminal and civil liability just for reporting defects in browsers.

UK's new surveillance law creates a national browser history with a search engine to match

The Snoopers' Charter, an extreme surveillance bill that passed last week, is the most extensive domestic spying regime that any "democratic" country has passed, and a potential blueprint for Orwellian surveillance elsewhere in the years to come.

Solder a 0.3mm chip onto a credit card and Chip-and-PIN is yours to pwn

No one's exactly sure how fraudsters stole over $680,000 from hijacked chip-and-PIN credit cards in Belgium, because the cards are still evidence and can't be subjected to a full tear-down; but based on the X-rays of the tampered cards, it's a good bet that the thieves glued a 0.3mm hobbyist FUN chip over the card's own chip, and programmed it to bypass all PIN entries.

Computer scientists on the excruciating stupidity of banning crypto

A paper from some of the most important names in crypto/security history scorchingly condemns plans by the US and UK governments to ban "strong" (e.g. "working") crypto.

Privacy vs network effects

Respected cryptographer and security researcher Ross Anderson has a fascinating new paper, Privacy versus government surveillance: where network effects meet public choice [PDF], which explores the "privacy economics" of mass surveillance, pointing out the largely overlooked impact of "network effects" on the reality of who spies, who is spied upon, and under what circumstances.

My first big point is that all the three factors which lead to monopoly – network effects, low marginal costs and technical lock-in – are present and growing in the national-intelligence nexus itself. The Snowden papers show that neutrals like Sweden and India are heavily involved in information sharing with the NSA, even though they have tried for years to pretend otherwise. A non-aligned country such as India used to be happy to buy warplanes from Russia; nowadays it still does, but it shares intelligence with the NSA rather than the FSB. If you have a choice of joining a big spy network like America's or a small one like Russia's then it's like choosing whether to write software for the PC or the Mac back in the 1990s. It may be partly an ideological choice, but the economics can often be stronger than the ideology.

Second, modern warfare, like the software industry, has seen the bulk of its costs turn from variable costs into fixed costs. In medieval times, warfare was almost entirely a matter of manpower, and society was organised appropriately; as well as rent or produce, tenants owed their feudal lord forty days’ service in peacetime, and sixty days during a war.


UK tax authority caught sneaking in plan to sell Britons' private financial records

Just weeks after a plan to sell "anonymized" sets of British health-records collapsed in the face of massive public criticism, a new plan has emerged to sell the country's tax records to companies and researchers, prompting an even more critical response. One Tory MP called the plan "borderline insane," and tax professionals are in an uproar. The plan was buried as a brief mention in the autumn budget. HMRC's defense rests on the idea that the information in the datasets will be anonymized, something that computer scientists widely believe is effectively impossible.

Cybercrime, patent-theft numbers are total bullshit

In case there was any doubt in your mind, the alleged $1T cost to America from cyberwar and the $250B cost to America from "cyber-theft of Intellectual property" are both total bullshit. Pro Publica breaks it down.

One of the figures Alexander attributed to Symantec — the $250 billion in annual losses from intellectual property theft — was indeed mentioned in a Symantec report, but it is not a Symantec number and its source remains a mystery.

McAfee’s trillion-dollar estimate is questioned even by the three independent researchers from Purdue University whom McAfee credits with analyzing the raw data from which the estimate was derived. "I was really kind of appalled when the number came out in news reports, the trillion dollars, because that was just way, way large," said Eugene Spafford, a computer science professor at Purdue.

Spafford was a key contributor to McAfee’s 2009 report, "Unsecured Economies: Protecting Vital Information" (PDF). The trillion-dollar estimate was first published in a news release that McAfee issued to announce the report; the number does not appear in the report itself. A McAfee spokesman told ProPublica the estimate was an extrapolation by the company, based on data from the report. McAfee executives have mentioned the trillion-dollar figure on a number of occasions, and in 2011 McAfee published it once more in a new report, "Underground Economies: Intellectual Capital and Sensitive Corporate Data Now the Latest Cybercrime Currency" (PDF).

In addition to the three Purdue researchers who were the report’s key contributors, 17 other researchers and experts were listed as contributors to the original 2009 report, though at least some of them were only interviewed by the Purdue researchers.


Get yer ORGcon 2012 tickets now!

Reminder: tickets are going fast for ORGCon 2012 in London on March 24: speakers include Larry Lessig, Wendy Seltzer, Ross Anderson, Tom Lowenthal and me.

ORGCON 2012 with Lessig, Seltzer (and me)!: Mar 24, London

Nisha from the Open Rights Group sez,

Lawrence Lessig, Cory Doctorow and Wendy Seltzer will be leading this year's Open Rights Group conference (aka ORGCon) in London on 24th March 2012. From the government snooping on your data to default internet blocking and monitoring to the corporate capture of state and democratic institutions - we'll be covering vast regions of the digital rights sphere. And there may even be a competition or two! Sessions will include:

* Lawrence Lessig on "Recognizing the fight we're in: A plea for some realism about IP activism"

* Cory Doctorow on "The Coming War on General Purpose Computing: The copyright wars were only the first level"

* Wendy Seltzer on the SOPA/PIPA challenge in the US

* Ross Anderson, Cambridge Professor of Security Engineering, on the problems with Anonymity in Open Government Data.

* Tom Lowenthal, Mozilla Privacy Expert, on the Do Not Track - tracking cookies, advertising and privacy

* Graham Smith, Legal Expert, on "Have warrant, will extradite: copyright cops go international"

* Theo Bertram, UK Policy Manager for Google, and Jeff Lynn, COADEC Director, on the Communications Bill: Copyright Enforcement

And much much more...

BOOK YOUR TICKET NOW!

Announcing ORGCon 2012

Cambridge university refuses to censor student's thesis on chip-and-PIN vulnerabilities

After the UK banking trade association wrote to Cambridge university to have a student's master's thesis censored because it documented a well-known flaw in the chip-and-PIN system, Cambridge's Ross Anderson sent an extremely stiff note in reply:

Second, you seem to think that we might censor a student's thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar's, we have no choice but to back him. That would hold even if we did not agree with the material! Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent....

...Fifth, you say 'Concern was expressed to us by the police that the student was allowed to falsify a transaction in a shop in Cambridge without first warning the merchant'. I fail to understand the basis for this. The banks in France had claimed (as you did) that their systems were secure; a French TV programme wished to discredit this claim (as Newsnight discredited yours); and I understand that Omar did a No-PIN transaction on the card of a French journalist with the journalist's consent and on camera.


Chip-and-PIN is broken

Noted security researcher Ross Anderson and colleagues have published a paper showing how "Chip-and-PIN" (the European system for verifying credit- and debit-card transactions) has been thoroughly broken and cannot be considered secure any longer. I remember hearing rumbles that this attack was possible even as Chip-and-PIN was being rolled out across Europe, but that didn't stop the banks from pushing ahead with it, spending a fortune in the process.

The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it's doing a chip-and-signature transaction while the terminal thinks it's chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists' cards. The transactions went through fine and the receipts say "Verified by PIN".

It's no surprise to us or bankers that this attack works offline (when the merchant cannot contact the bank) -- in fact Steven blogged about it here last August.

But the real shocker is that it works online too: even when the bank authorisation system has all the transaction data sent back to it for verification. The reason why it works can be quite subtle and convoluted: bank authorisation systems are complex beasts, including cryptographic checks, account checks, database checks, and interfaces with fraud detection systems which might apply a points-scoring system to the output of all the above.


Chip and PIN terminals pwned

Jacob sez, "I'd like to pass on a nice practical attack against the Chip and Pin system used in most of the world. Saar Drimer, Steven J. Murdoch and Ross Anderson, researchers at the University of Cambridge, have shown how to compromise supposedly tamper-proof Chip and PIN terminals. With a paperclip, off the shelf electronics, and basic technical skills, fraudsters can capture card details and PINs, then create counterfeit cards. The full results of the team are published in their academic paper and were featured on BBC Newsnight."


(Thanks, Jake!)

Index On Censorship's new issue on "cyberspeech"

The latest volume of the magazine Index on Censorship focuses on issues related to free speech online. I'm among the contributors. Here's a snip from the issue overview:

The Internet was supposed to spell the end of censorship – instead governments now have unprecedented possibilities for controlling what we do and what we read. But this is a revolution in free expression that can’t be stopped. Index examines the explosion in communication, the rise in new forms of censorship (and the ways to get round them) and the impact on social attitudes.

I wrote about what I've learned about internet filtering technology from my experience co-editing BoingBoing, which is routinely blocked by various censorware applications for all sorts of silly, inaccurate reasons. Nearly every day (certainly every week) we receive a perplexed message from a would-be reader asking "why is BoingBoing blocked from [library/airport/hotel/whatever place name] in [location name somewhere in the world]?"

Subscribe to the Index in print here. Longer list of other contributors to this issue, and their chosen topics, after the jump. This is a fine publication, and a fine bunch of writers from around the world sharing important ideas and testimonies -- what a shame the contents are not freely available online.

Biometric car lock defeated by cutting off owner's finger

Andrei sez, "'Malaysia car thieves steal finger.' This is what security visionaries Bruce Schneier and Ross Anderson have been warning about for a long time. Protect your $75,000 Mercedes with biometrics and you risk losing whatever body part is required by the biometric mechanism."

...[H]aving stripped the car, the thieves became frustrated when they wanted to restart it. They found they again could not bypass the immobiliser, which needs the owner's fingerprint to disarm it.

They stripped Mr Kumaran naked and left him by the side of the road - but not before cutting off the end of his index finger with a machete.


(Thanks, Andrei!)
