December 3, 2007 by Saar Drimer
In 1992, when I was 17, I traveled with my father to the US for a few weeks. We had a family friend living in Houston whom we wanted to visit. He was away and due back a day or so after we arrived, so he gave my father the alarm access code so we could let ourselves in. We arrived at the house late at night, something went wrong with entering the code, and the alarm went off. Almost instinctively my dad rushed me to the car and we drove off to check into a motel for the night. My dad explained that we were likely to end up in jail if the police got to the house, regardless of our explanation. Back then I thought it was a bit extreme; surely we could reason our way out of it, like we would be able to back in Israel. Looking back at it, it was probably a reasonable choice given the circumstances.
Today, if we were caught, in addition to being arrested we would surely be additionally tased for bad measure. The near-daily news of people being tased for no good reason reminded me of my story above. Some taser cases and videos can be found among the top hits from reddit on the topic; Andrew Meyer coined the “don’t tase me, bro” catch phrase while being tased after making a bit of a fuss asking John Kerry some questions; here’s the comic. Some people die after being tased, though the marketing says that the tool is supposed to be non-lethal. But when you give people a “non-lethal” alternative to verbally or physically dealing with other people, it is a natural outcome that it turns from an alternative into a norm. This is the situation today, with cops tasing without much thought, and it seems as though the chances of being tased are largely random, mostly depending on how the cop feels at the moment. With the general sense of paranoia and the justification that anything is permissible in the name of security and anti-terrorism, all you have to do is act out of the ordinary, like being slow to hand a cop your proof of insurance; Schneier calls this “The War on the Unexpected”.
This arbitrary taser treatment given by trigger-happy cops is scary, and certainly does not contribute to the general feeling of security it was meant to promote. The long-term effect is the continuous erosion of trust in police and the “system” — not that it is in any good shape currently — which will be difficult to recover from even if tighter controls are placed on taser use. When this happens the unintended consequence will be that police lose the “touch” of actually dealing with people, and even worse, they will use their lethal weapons (guns) more casually than before. I wouldn’t be surprised to hear in the near future of a case where a cop claims that he/she reached for the taser, but instead shot the poor speeder in the chest with a lethal bullet.
Category personal, security, unintended consequences | Tags: | 3 Comments
July 9, 2007 by Saar Drimer
studentuniverse.com sells cheap airline tickets for students. They also have a neat little bonus they give for free to every student who signs up!
That’s like me demanding a medal for my good social conduct because I don’t go around randomly punching people in the face.
Well, thank you very much studentuniverse.com for protecting me from yourself and for practicing restraint with regards to your right to spam me and sell my information! It is also much appreciated that you are using my private information only for the purpose I am providing it for. (link to page imaged above).
Category rants, security, tech | Tags: | 2 Comments
February 24, 2007 by Saar Drimer
The Times is a pretty popular newspaper here (I always have to ask the locals, since there are so many). A couple of weeks ago, subsequent to our Chip & PIN relay attack, I got a call from a journalist regarding the use of Chip & PIN cards in petrol (gas!) stations (there has been a surge of fraud lately, particularly in these shops). This is the resulting article, with my quote below:
Saar Drimer, a security expert and researcher at Cambridge University, also said he had stopped using his cards at petrol stations. “The more we look into the ways that you could be defrauded, the more worrying it becomes. Cash is always better to use because there is no record and you’re not giving away any of your secrets,” he said.
After talking to the guy I learned that he first called Steven, who refused to spoon feed him the quote that he was after. Namely, “I recommend people not use Chip & PIN cards at petrol stations.” Then, he called me, the media novice. I told him many things, among them that I don’t own a car and therefore, I don’t use petrol stations. He then massaged the questions such that I gave him the above (general) quote, which he wrapped in an untrue preamble. Ah, well, I should have known.
One of the things I told him was that I wouldn’t use those stand-alone ATMs because they are easier to manipulate (attachments or complete fakes, etc.); a point he wanted me to elaborate on. However, that may have put him in a bind because his point was that people should use cash in stations, but where would they get it? From the station’s ATM…
Anyway, next time a journalist type calls I’ll cut the bullshit and ask him what exact quote he is after and see if I am comfortable saying it. Someone suggested that next time I should write it down for him so there are no mistakes, and that’s what press releases are for. Lesson learnt ;)
Category security | Tags: | 2 Comments
February 10, 2007 by Saar Drimer
A few weeks ago Steven J. Murdoch and I released a video of a Chip & PIN terminal playing Tetris (YouTube version). Back then, I alluded to the fact that this is just a small part of something grander. We were working on an experiment that showed a particular vulnerability Chip & PIN is prone to. This is important because banks now maintain that if the PIN was used, then the customers must prove they were not negligent, which is impossible (given that they do not have access to the evidence and no way to show that no one has been looking over their shoulder, for example). Therefore, due to at least one way of defrauding customers who clearly have not been negligent with their PIN, they should be reimbursed.
Anyway, there is a somewhat technical article on ZDNet, with more info here, and Steven dissecting an insulting response from the Financial Ombudsman Service to a customer who seeks to know on what grounds he has been refused a refund.
What was missing from the media hype over this is what is included in the academic paper. In it, not only do we describe the attack in detail, including background, we also describe and implement a defense against it called “distance bounding”, which is the main contribution.
In addition, we spilled the beans on prime-time TV here on the island’s BBC1, in a program called “Watchdog”, which is a popular and long-running consumer-watch program. This was quite an experience and I learned a lot from it. We spent about 11 hours with the crew, with the outcome of about 2 minutes of us appearing and a not-so-clear representation of the attack. Sigh. Before all this, I thought TV was evil; let’s just say I have not changed my mind.
I cannot post the video publicly (it would probably infringe on someone’s rights) but if you’d like to see yours truly say the line in the heading of this post on TV, email me at <first name><last name>@gmail.com.
UPDATE: Someone has posted the segment on YouTube, here. If you want a better quality version, email me.
Category personal, security, tech | Tags: | 2 Comments
January 9, 2007 by Saar Drimer
All good things, though…
On Christmas day, Steven Murdoch and I decided it would be fun to post a video of a Chip & PIN terminal playing Tetris on our group’s weblog. It was an excuse to say merry Christmas and happy new year to our readers. Then, I spent a week in Edinburgh, which is a lovely city, even in the winter. If you haven’t been, I’d recommend it. Rosslyn chapel was really nice. They are doing really well due to the “Da Vinci Code Effect”: people flocking to places Brown mentions in the book. Regardless, worth a visit. The Scottish parliament was nice, people were nice… I’ve seen enough castles for a year or so, though. I also learned about Scottish history and now understand better the “situation” between them and the English. The Hogmanay on New Year’s Eve was canceled due to 70 mph winds, but that wasn’t a big deal.
When I got back I found out that a paper of mine got accepted to a workshop, and I need to produce a final version. Then, our little “Tetris stunt” was picked up by some blogs and it went crazy from there… newspapers, radio… I’ll save you the details. It did, however, culminate in a Slashdot mention, which made us pretty damn happy.
Since no one is reading this very weblog anyway, I can say that there are more surprises to come on the “Tetris” front! Stay tuned.
Category personal, security, tech | Tags: | 1 Comment
December 23, 2006 by Saar Drimer
Todd Shriber contacted, what may be considered, random people online soliciting them to hack into his former college and give his GPA a face lift. He gave them all his personal information, including SSN, and some pictures of local squirrels the “hackers” required as “proof”. They, in turn, put the e-mail correspondence online, of course.
Turns out the idiot works as a communications director for a Montana congressman. He was later fired after his extracurricular contractual endeavors were publicized in sites like reddit.
So, two things. Firstly, not everyone who talks shop is an expert… this applies to real life too. Secondly, if people still have not realized that other people are not who they say they are (in real life too!) they deserve this kind of treatment. The more this happens, the more careful people will be about what they say or write, mostly in consideration of their future. In our world, where everything is recorded and archived, nothing is forgotten. Memory is cheap. Remember this when, in five years’ time, your potential employer asks you about the time you got drunk, busted, and jailed on New Year’s Eve, as you detailed with pride on your now moldy myspace page. Old-school cool becomes new-school stupid.
Oh, yeah, some fucker stole my bike; the joy of living in Cambridge. Somehow, uncharacteristically to the island, no security cameras covered the scene.
Category blogging, cambridge, security, unintended consequences | Tags: | 2 Comments
July 21, 2006 by Saar Drimer
Edit: I found the proper credit for the image… Clay Bennet… who appears to do great work!
Category security | Tags: | 1 Comment
July 1, 2006 by Saar Drimer
Last week I attended most of the WEIS and PET sessions. The topic is a bit removed from my interests but it was good to hear what is out there and chat with all the interesting people. The most valuable thing I learned, however, was that I am happy where I’m at, as far as research interests goes.
I have a Dell Inspiron 9300 laptop, better described as a “desktop replacement.” It’s a great computer, but not for hauling around. I don’t take it to conferences or workshops; some of it has to do with the weight of the thing, but mostly, I believe that if I am somewhere, I should be fully there and give my undivided attention to the person on the podium–they deserve it.
As an experiment, I tried to tune out the speaker’s voice and listen to what I’ll call “conference clicks”; it’s quite astounding, you should try it. Looking around, I see that many people stare at their screens, meaning that they are not fully there; I can only imagine how the speaker feels (I have not spoken in front of a crowd this large before). I’d feel quite insulted, to be honest; I’d rather people not be there at all than not be fully there.
My solution? Cut the WiFi during sessions and have cabled ports outside the hall for people who choose not to attend the lecture. This may sound outrageous to some, but I think this is where we are headed.
To tie in one of my other rants, I’d ban laptops from business meetings too. When I am king/CEO, that will be corporate policy, and I think this will become more widespread soon as well.
Say no to “conference clicks”!
Category ideas, rants, security | Tags: | 6 Comments
April 5, 2006 by Saar Drimer
I was in Cologne, Germany for a few days attending SHARCS ’06, the Special-purpose Hardware for Attacking Cryptographic Systems workshop. It was great meeting people in the field, talking hardware and crypto, and hearing the presentations. I came back with a few ideas for projects and increased motivation. I’ll have a more detailed and technical post on our group’s weblog in a couple of days. One notable hardware project is COPACOBANA: “How to Break DES for €8,980 [in 9 days]” by Sandeep Kumar, Christof Paar, Jan Pelzl, Gerd Pfeiffer, Andy Rupp and Manfred Schimmler. It uses 120 low-cost Spartan-3s (XC3S1000) from Xilinx.
I’d like to thank the organizers for providing for my attendance; it is much appreciated.
On a questionably related topic… why do taxi drivers never wear seat belts? I’ve taken enough taxi rides recently to notice that it is common practice even outside Israel (where no respectable taxi driver would be caught … wearing one). I mean, do they think statistics don’t apply to them? Physics? Does someone have a good answer? Just wondering out loud here.
Category security, tech | Tags: | No Comments
March 28, 2006 by Saar Drimer
In case anyone is interested (it seems like most Israelis aren’t, judging by the turnout), Israel is voting today. I thought it would be nice to provide some details on how elections are done in Israel. Purely on a mechanical level, no politics.
If you are over 18, you can register to vote. Once you do, you get a little certificate telling you where you can vote, usually it’s in a school or other public venue near your residence. You may only vote there. If you are a soldier, you vote at your base. If you are not present in Israel on the day of elections, you cannot vote unless you were sent abroad by the country; in this case you vote at an embassy.
When you get to the polling station (there are observers from multiple parties present) you hand in your certificate with an ID (Israel has national IDs) and are marked on a pen-and-paper list and given a single blue envelope. You then go behind a cardboard set on a table that conceals most of your upper body. You are faced with a frame that has many compartments.
In each compartment lies a stack of rectangular pieces of paper with one to three Hebrew letters printed on them designating each party; there is also a blank stack so you can abstain. These letters may or may not correspond to the actual name of the party. For example, the “Labor” party has the designation אמת which means “truth” or “true.” But this is more an exception than the rule. This year there is confusion between the “Kadima” party with the designated letters כן that mean “yes” and the “Green Leaf” party that promotes the legalization of marijuana, designated קנ which is short for cannabis. Yes, these designations sound the same: “ken.” I doubt there will be an equivalent chad fiasco over this, although these confusions should have been thought of upfront. So, you are there, behind this cardboard… you pick one piece of paper of your choice, put it in the envelope and seal it. Then you come out and drop the envelope in a slotted box in full view. Then you leave. If there is more than one piece of paper in the envelope, or it is defaced in any way, your vote will not be counted.
As you may have noticed, the whole process is purely manual; there are no electronics involved or fancy punch machines. I, for one, think it is better this way. There is no reason to automate or complicate (i.e. jeopardize, open to mass cheating and coercion and so on) the process by introducing functions that are foreign to the voter; putting a piece of paper in an envelope is a universally simple task. If this means that manual counting will take a few more hours, so be it, it’s not a big deal; there are exit polls for people who can’t wait for the real numbers. The only time we should consider electronic voting is when it can produce a paper trail that would enable voters to verify that their vote was counted towards their chosen candidate or party, without opening them up to coercion. We are not there yet, and frankly, I don’t think we ever will be. I can think of one powerful attack against most proposed systems: the cellphone camera.
Category security | Tags: | 2 Comments