Archive for the ‘tech’ Category

well, gee, thanks!

Monday, July 9th, 2007

studentuniverse.com sells cheap airline tickets for students. They also have a neat little bonus they give for free to every student who signs up!

For your protections we will not spam you

That’s like me demanding a medal for my good social conduct because I don’t go around randomly punching people in the face.

Well, thank you very much studentuniverse.com for protecting me from yourself and for practicing restraint with regards to your right to spam me and sell my information! It is also much appreciated that you are using my private information only for the purpose I am providing it for. (link to page imaged above).

first patent issued, finally

Wednesday, May 16th, 2007

The first patent I submitted while I was at Xilinx was finally awarded. It was frustrating to wait nearly four years for the system to process it, though. The patent system is kind of broken and bad patents do manage to go through, but this one was actually useful. We’ll see how long the other five I have in the pipeline take to be approved ;)

“Method of measuring the performance of a transceiver in a programmable logic device” (USPTO, PDF)

“I’ve got a customer”

Saturday, February 10th, 2007

A few weeks ago Steven J. Murdoch and I released a video of a Chip & PIN terminal playing Tetris (YouTube version). Back then, I alluded to the fact that this is just a small part of something grander. We were working on an experiment that showed a particular vulnerability Chip & PIN is prone to. This is important because banks now maintain that if the PIN was used, then the customers must prove they were not negligent, which is impossible (given that they do not have access to the evidence and no way to show that no one has been looking over their shoulder, for example). Therefore, due to at least one way of defrauding customers who clearly have not been negligent with their PIN, they should be reimbursed.

saar drimer, steven murdoch on watchdog bbc1

Anyway, there is somewhat of a technical article on ZDNet, with more info here, and Steven dissecting an insulting response from the Financial Ombudsman Service to a customer who seeks to know on what grounds he has been refused a refund.

What was missing from the media hype over this is what is included in the academic paper. In it, not only do we describe the attack in detail, including background, we also describe and implement a defense against it called “distance bounding”, which is the main contribution.

In addition, we spilled the beans on prime-time TV here on the island’s BBC1, in a program called “Watchdog“, which is a popular and long running consumer-watch program. This was quite an experience and I learned a lot from it. We spent about 11 hours with the crew, with the outcome of about 2 minutes of us appearing and a not-so-clear representation of the attack. Sigh. Before all this, I thought TV was evil; let’s just say I have not changed my mind.

I cannot post the video publicly (it would probably infringe on someone’s rights) but if you’d like to see yours truly say the line in the heading of this post on TV, email me at <first name><last name>@gmail.com.

UPDATE: Someone has posted the segment on YouTube, here. If you want a better quality version, email me.

been busy

Tuesday, January 9th, 2007

All good things, though…

On Christmas day, Steven Murdoch and I decided it would be fun to post a video of a Chip & PIN terminal playing Tetris on our group’s weblog. It was an excuse to say merry Christmas and happy new year to our readers. Then, I spent a week in Edinburgh, which is a lovely city, even in the winter. If you haven’t been, I’d recommend. Rosslyn chapel was really nice. They are doing really well due to the “Da Vinci Code Effect”–people flocking places Brown mentions in the book. Regardless, worth a visit. The Scottish parliament was nice, people were nice… I’ve seen enough castles for a year or so, though. I also learned about the Scottish history and now understand better the “situation” between them and the English. The Hogmanay on new year’s eve was canceled due to 70 mph winds, but that wasn’t a big deal.

When I got back I found out that a paper of mine got accepted to a workshop, and I need to produce a final version. Then, our little “Tetris stunt” was picked up by some blogs and it went crazy from there… newspapers, radio… I’ll save you the details. It did, however, culminate in a Slashdot mention, which made us pretty damn happy.

Since no one is reading this very weblog anyway, I can say that there are more surprises to come on the “Tetris” front! Stay tuned.

bidthegrid.com

Wednesday, July 5th, 2006

bidthegrid

A good friend, Nir, has sent me a link to a website he’s been working hard to make and promote: BidTheGrid. He launched it less than two weeks ago and it looks like people are showing interest. The idea is interesting and the site is well done… but after my last poor attempt at making predictions for the success of such internet fads, I’ll end with wishing him good luck.

skype things

Thursday, June 1st, 2006

Skype’s great; no need to deliberate on that any further.

Yet, skype developers, I have one major issue, one minor and one feature request.

Major: once I grant other users the privilege to see my “online status,” I cannot revoke it. Ever (for that UID.) I may remove them from my contacts, or even block them, but they can still see me. That bothers me. I’m not sure what’s going on under the hood, but it would make me feel better if I could revoke the permission. Any one of us can easily think up scenarios why this would be desirable.

Minor: There is no need to show how many contacts I have as part of my profile. It is permissible to have no other info than the UID on one’s profile but this piece of (private) info always appears. Easy fix.

Request: I’d like to assign different “online status” to different users instead of a common one for everyone. Some people, I wouldn’t mind bothering me anytime, some I’d like to be invisible forever :) This will also help with my first concern above. It can probably be done through grouping; even two groups will suffice.

There you have it.

the myth of the space pen

Monday, May 8th, 2006

The popular myth, heard many times over:

“…in the 1960s, NASA astronauts discovered that their pens did not work in zero gravity. So like good engineers, they went to work and designed a wonder pen. It worked upside down. It worked in vacuum. It worked in zero gravity. It even worked underwater! And it only cost a million dollars!

The crafty Russians used a pencil.”

This well written article discusses the origin and the truth. Good reading.

“The Million Dollar Space Pen Myth is just that, a myth. The pens never cost a lot of money and were not developed by wasteful bureaucrats or overactive NASA engineers. The real story of the Space Pen is less interesting than the myth, but in many ways more inspiring. It is not a story of NASA bureaucrats versus simplistic Russians, but a story of a clever capitalist who built a superior product and conducted some innovative marketing. That story, however, is a little harder to sell to a public that believes what it wants to believe.”

Snopes has a page about it as well.

SHARCS and seat belts

Wednesday, April 5th, 2006

I was in Cologne, Germany for a few days attending SHARCS ’06, the Special-purpose Hardware for Attacking Cryptographic Systems workshop. It was great meeting people in the field, talking hardware and crypto and hearing the presentations. I came back with a few ideas for projects and increased motivation. I’ll have a more detailed and technical post on our group’s weblog in a couple of days. One notable hardware project is COPACOBANA: “How to Break DES for €8,980 [in 9 days]” by Sandeep Kumar, Christof Paar, Jan Pelzl, Gerd Pfeiffer, Andy Rupp and Manfred Schimmler. It uses 120 low-cost Spartan-3s (XC3S1000) from Xilinx.

I’d like to thank the organizers for providing for my attendance; it is much appreciated.

On a questionably related topic… why do taxi drivers never wear seat belts? I’ve taken enough taxi rides recently to notice that it is common practice even outside Israel (where no respectable taxi driver would be caught … wearing one.) I mean, do they think statistics don’t apply to them? Physics? Does someone have a good answer? Just wondering out loud here.

bogus science

Saturday, April 1st, 2006

Not much to add to this; when some claim sounds too good, go through this list.

The Seven Warning Signs of Bogus Science:

1. The discoverer pitches the claim directly to the media.
2. The discoverer says that a powerful establishment is trying to suppress his or her work.
3. The scientific effect involved is always at the very limit of detection.
4. Evidence for a discovery is anecdotal.
5. The discoverer says a belief is credible because it has endured for centuries.
6. The discoverer has worked in isolation.
7. The discoverer must propose new laws of nature to explain an observation.

microsoft usability rant for the new year

Sunday, January 1st, 2006

Looking for a way to encrypt some of my directories and files I remembered that MS offered the Encrypting File System (EFS) in stock Windows. When I got to the “Advanced” dialog the encryption option was greyed out as seen below.

windows encryption disabled

Given the way it’s presented, I assumed it needs to be enabled somewhere, or that I, of course, had done something wrong. After much frustration and searching I found that this feature is not available in WinXP Home edition (that’s what I got with my laptop, so don’t tell me I should have chosen a different OS; if Dell had offered Linux/No-OS I would have chosen that.)

Clearly, Microsoft chose the worst possible way of letting me know this. Given the choice of 1) not showing the option at all, 2) putting a little note saying “not available in this version” or 3) enabling this damn feature… they chose to grey it out. WTF were they thinking? Oh, maybe thinking wasn’t involved here.

What do you use for directory/file/HDD encryption?

why I’m giving up on non-moderated social bookmarking (and most likely going back to slashdot)

Tuesday, December 20th, 2005

A few weeks ago I wrote some criticism of reddit.com that got some attention and was moderated up quite a bit over there (it’s at a 105-point standstill and now off the top page.) I was happy to know that people mostly agreed with what I had to say and in general responded in a positive manner. I could write more about the aftermath of that post, but it’s no use… I’m giving up socially “democratic” bookmarking services. (I know I am using this term loosely, so don’t get all caught up on the definitions.)

Let me explain…

    1. It doesn’t work. Most of the links are crap not worth the time clicking and reading. Since these services are not moderated, the content quality is poor. “But Saar, that’s why the readers moderate the links — to weed out the bad ones.” Well, that’s the idea, but in practice, we all have different likings and a (social bookmarking) site that is “everything new” (reddit) or even “everything geek” (digg) just doesn’t work. Democracy doesn’t work here, and hey, it shouldn’t…
    2. It doesn’t work 2 (maybe.) I don’t have the statistics to back this up, but the admins of those sites must, so chime in. My intuition tells me that there are many more submissions than eyes looking for good content. Someone can post 15 articles in a row (I’ve seen this happen) and immediately shove everything before it to oblivion. Even the greatest content wouldn’t have a chance to shine. If it was my site, I would limit one submission per 10 minutes or per 10 other submissions. “Whoa? But that’s moderation! Moderation baaaaaad…”
    3. People don’t read the articles. From my experimentation — and from the shaming fact that I do it myself — people mostly moderate based on the title and the domain the link is from rather than content. People flame and demote self-posting while I don’t see anything wrong with that… if something is good, it shouldn’t matter who submitted it. I truly don’t think content is evaluated in a fair manner.
    4. Repeats and similar content. If there is a popular link, many “copycats” appear almost instantly… same item from a different source or a different spin. Some of those don’t get “socially” filtered; no good.
    5. Old news. Yesterday, I had an embarrassing incident. I forwarded a BBCNews link I got from reddit to a fellow blogger to write about. Turns out he already did, 10 months ago! I didn’t even look at the date and assumed it was fresh news (after all, “reddit: what’s new online” says the title.) It wasn’t, and I was left feeling stupid. Lesson learned, but reddit got moderated down a notch in my book although realistically it is not entirely their fault; I should have looked at the date.
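The limit proposed in point 2, one submission per 10 minutes or per 10 other submissions, written out as an added Python example (not code from the original post or from any of the sites mentioned). The gate below accepts a user's submission when either condition holds, where "other submissions" means submissions accepted from anyone else since that user's last accepted one; the thresholds, the user names and the flood scenario are assumptions for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class SubmissionGate:
    """Anti-flooding gate: a user may submit again once EITHER min_interval_s seconds
    have passed OR others_needed submissions by other users have been accepted
    since that user's last accepted submission."""
    min_interval_s: float = 600.0      # one submission per 10 minutes ...
    others_needed: int = 10            # ... or per 10 other submissions (assumed thresholds)
    accepted_total: int = 0            # running count of all accepted submissions
    last_time: dict = field(default_factory=dict)   # user -> time of last accepted submission
    last_index: dict = field(default_factory=dict)  # user -> accepted_total at that submission

    def reason_blocked(self, user, now):
        """Return None if the user may submit at time `now`, else a short reason string."""
        if user not in self.last_time:
            return None                 # first submission from this user is always allowed
        elapsed = now - self.last_time[user]
        # Everything accepted after the user's last post came from other users,
        # because this user could not have been accepted again in between.
        others_since = self.accepted_total - self.last_index[user]
        if elapsed >= self.min_interval_s or others_since >= self.others_needed:
            return None
        return (f"{elapsed:.0f}s since last post (need {self.min_interval_s:.0f}s) and "
                f"{others_since} other submissions (need {self.others_needed})")

    def try_submit(self, user, now):
        """Record the submission and return True if allowed, otherwise return False."""
        if self.reason_blocked(user, now) is not None:
            return False
        self.accepted_total += 1
        self.last_time[user] = now
        self.last_index[user] = self.accepted_total
        return True


def simulate_flood(gate, flooder="flooder", burst=15, t0=0.0):
    """Replay the scenario in the post: one account posting `burst` links one second apart.
    Returns how many of those submissions the gate accepted (constructed scenario)."""
    return sum(gate.try_submit(flooder, t0 + i) for i in range(burst))


if __name__ == "__main__":
    gate = SubmissionGate()
    print("accepted from a 15-post burst:", simulate_flood(gate))
    for i in range(10):                       # ten other users post in the meantime
        gate.try_submit(f"user{i}", 30.0 + i)
    print("flooder after 10 others:", gate.try_submit("flooder", 45.0))
    print("flooder right after that:", gate.reason_blocked("flooder", 46.0))
```

The second condition is what keeps the gate from punishing a lone poster on a quiet site: when nobody else is submitting, the 10-minute clock still lets them through, while a burst of 15 links from one account collapses to a single accepted submission.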

Overall, within the last few weeks I have concluded that non-moderated social bookmarking of the reddit type is a time-wasting hype that will soon (i.e. 9-12 months) make way for some other hype and be forgotten. Bold statement, some may say, based on the fact that Yahoo! just purchased del.icio.us for $25mil… but I’m sticking to it (del.icio.us isn’t the same as reddit/digg, to be fair.) People (with lack of time to spare) will soon want to go back to the good-ol’ days of moderated content providers (i.e. slashdot,) with all their shortcomings of the occasional dupes and some old content. Admit it though, in general it does the job very well. Why? Because it is specialized and moderated! No silly news and content about why Bush burped in China, 10 Mind-Numbing Quotes By Tom Delay, Lindsey Lohan’s constant expression, the next 1.2234GB iPod Nano or why Python eats Lisp for breakfast with AJAX sprinkled on top. I don’t care about that crap. When I do want crap news I visit CNN or BBC.

Just to be clear and avoid some flaming from the minions: social bookmarking is a good thing… but not for me, not anymore and I’m willing to wager I am not the only one. At the end of the day, the whole “social” part doesn’t work in sifting through the content to bring out the best. Nonetheless, I will keep self-posting content that I believe is good because it is great for traffic and exposure.

So, I’m giving up reddit, digg and all the rest and getting my geek news from slashdot with the horrific two day delay after everyone and their grandmother blogged about them in the “blogosphere.” The rest of my info needs I get on demand from Google and from my favorite weblogs.

It’s nice when someone rationalizes failure without throwing dirt

Wednesday, December 14th, 2005

Ari Paparo’s article explains the failure of Blink.com to become the del.icio.us of today back in 1999. He is lamenting now that Yahoo! purchased del.icio.us (for $25mil?) about what he and his colleagues failed to see back then. It is always refreshing to read people’s account of failure without them throwing dirt at the ones that succeeded… saying stuff like “we were wrong” instead of… “they are idiots with a lot of luck” or “we were visionaries before our time.” People who can do that, like Ari, are commendable…. I thank him for the insights.

old game got me nostalgic

Monday, December 5th, 2005

I bumped into a page (via digg) with pictures of old game controllers. I never had a proper game console, and I thank my parents for it; they have always outfitted me with good PCs which were/are much more interesting. The following picture is of a game that I remember being addicted to and that got me very frustrated. That damn Donkey Kong! Mine was orange too… did it come in other colors?

<sad feeling of youth long gone>Damn! Look what I found! I had a whole bunch of these games. I was never any good, but it didn’t keep me from trying.<still feeling it>

“Don’t copy that floppy!”

Sunday, November 27th, 2005

In 1992, the “software publisher’s association” released this video to educate youth on the “hazards” of software piracy. It’s so early 90’s it cracked me up. It tried to be hip with a rap theme… just watch it (the lyrics of the outrageous song are here.)

It contains all the basic arguments that we hear today about file-sharing:

1. Responsibility: Piracy will kill the industry because there will be no incentive for creativity (from the video: “welcome to the end of the computer age! booooha ha ha.”)

2. Sympathy: You are stealing from the nice artists/programmers who are working hard to produce a fine product for you (in the video there are 3 programmers and one lawyer interview.)

3. Threat: Piracy is illegal (video: “You can make one backup and install the software only on one PC.”)

4. Benefit: If you buy the product you get all the goodies (video: “you’ll get the manual and all…”)

Well guess what? The software industry is alive and is doing quite well. Music will also prevail.

don't copy that floppy


automatic, on-line plagiarism checks and essay services

Thursday, November 24th, 2005

exam cheating

A leading examination board is launching a pilot project to scan pupils’ GCSE and A-level coursework in an attempt to prevent plagiarism undermining the value of school qualifications. source.

Professors have been doing that for years, especially on computer code projects where it is relatively easy. This was mostly local and plagiarism was still hard to prove unless it was a 1-to-1 copy, or near to it. Today, many on-line services provide ready or custom made essays (“remember to change my names, dates and IDs to yours”) and some provide the comparison service. I was surprised to find that even MA dissertations were available (for about $8000!)

turnitin.com seems to be the big-dog of plagiarism detection. These services are good in that they deter otherwise honest people from cheating in a moment of weakness. They may also help catch perpetual cheaters that shouldn’t get away with it. Here are my further observations:

1. I think that universities/institutions would rather ignore cheating if they can, even if it is right in front of their eyes. This is because they are either delusional about it by refusing to believe there could actually be cheating going on in their super-duper-establishment, or they are afraid that it would taint its reputation if reported. If major cases of plagiarism or data falsification occur that can be ignored no longer, they are reported. If there are minor cases they will slap someone on the wrist and make the issue go away as fast as they can with the least amount of people knowing about it.

In short, institutions would like to verify that the people they admit are not cheaters, but will be light on accusations once they are already in.

2. As the database increases, more innocent people would be accused of cheating:

Turnitin already claims more than 7 million subscribers worldwide, and compares submissions with a database of books and journals as well as more than 4.5bn web pages. It also checks them against its own library of more than 10m previously submitted papers.

It is inevitable that some unfortunate, hard-working souls would have their lives ruined by an algorithm. When people blindly rely on technology, it would be hard for the accused to prove that the work was actually theirs.

3. Since this is a profitable business, there is an incentive to figure out the comparison algorithm and create services that make sure you will not get flagged. I’m sure we’ll see these in coming years. If the process of modifying the “base work” takes more, or equal, time to writing it from scratch, then the detection system should be considered a success. However, given the problem, this would be almost impossible to achieve.

Paul Graham on “Web 2.0” and other internety stuff

Saturday, November 19th, 2005

Sometimes a buzz-term pops out of nowhere and I try my best to ignore it for as long as I can. I don’t wikipedia it and blink on all article titles with this term in them. I don’t know why I do it. Maybe because I am waiting for the buzz to go away and if the term survives, then it is worth my time to read about it. I hate marketing Mickey Mouse bullshit.

“Web 2.0” is one of these buzz-terms that has been buzzing in my internet ears. Paul Graham is a consistently good writer and when he writes, I read. So, his new article, simply entitled “Web 2.0”, caught my attention. It’s time to see what the hell “Web 2.0” is all about and if there is a “Web 3.0” sequel in the plans. As I have come to expect, Paul is very insightful and thorough. Enjoy. Here’s a quote:

I think everyone would agree that democracy and Ajax are elements of “Web 2.0.” I also see a third: not to maltreat users. During the Bubble a lot of popular sites were quite high-handed with users. And not just in obvious ways, like making them register, or subjecting them to annoying ads. The very design of the average site in the late 90s was an abuse. Many of the most popular sites were loaded with obtrusive branding that made them slow to load and sent the user the message: this is our site, not yours.

Sony is pissing from the jumping board

Thursday, November 17th, 2005

Very brief recap: Sony included malicious code with a handful of CDs. This code covertly installed itself on any computer the CD was inserted into and put it in harm’s way, especially when you use Sony’s tool to remove it.

Geek outcry ensued. And some suing ensued.

Sony is now apologizing.

If you’ve read this weblog regularly, you noticed that I’m not big into corporate bashing. Even Microsoft has a right to be evil if that’s how they decide to make a buck. The market will decide their fate. Even Google will become evil one day, you’ll see. Ok, back to Sony.

My Father told me two things (among others):

1. Pissing in the pool is one thing, but pissing from the jumping board is going too far (this is an allegory, pissing in the pool is naughty too, I gathered that much.)

2. Never buy Sony, because they have proprietary hardware that is incompatible with other manufacturers’ and their technical support sucks.

Shit hit the fan pretty bad for Sony because they pissed in the pool and got caught. But now they are issuing an apology blaming someone else for the splatter and thus elevated themselves to the jumping board. I despise unaccountability and sleaziness, which is oozing from Sony like never before. So as much as I tried to follow my Father’s first recommendation, I am now following the second.

Sony, you lost me as a customer.

mapping zombies from comment spam

Thursday, November 10th, 2005

Spam mostly comes from zombie computers. Weblog comment spam comes from zombie networks as well.

I am getting about 40 a day now; all of which are put in my moderation box because they contain words that are in my blacklist (these people are not very creative on the content front.) The IP address that the comment came from is recorded and contained in the email I get notifying me that a new comment has been posted. Although it won’t point to the spammer, I thought it would be nice to map where the spam is coming from using the Google Maps API. In a more effective and useful form, bloggers could send their comment spam to a dedicated webpage and it would add the IP to the map/database. WordPress or other tools can be made to send a copy of the email to this website automatically upon detection of comment spam (there is really no privacy issue here.) I think that would be neat and may help in some way to identify spammers. If anyone is interested in making this happen, let me know, I’ll contribute what I can.

SM pointed me to mailinator.com, which is a one-time e-mail service that is very cool… and also to hostip.info for getting IP information… go there and see if they got your location right.
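The pipeline sketched in this post, as an added Python example that is not code from the original post: it pulls the commenter's IP address out of constructed moderation-notification e-mails, applies a word blacklist of the kind described, and aggregates the spam sources by IP and by approximate location so they could be fed to a map. The geolocation step uses a constructed in-script prefix table standing in for a lookup service such as hostip.info; the e-mail layout, the word list, the addresses and the place names are all made up for the example.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample input: moderation notifications of the kind a blog engine
# e-mails when a comment is held back. These are made-up messages, and the
# addresses are from the documentation ranges (TEST-NET), not real hosts.
SAMPLE_NOTIFICATIONS = [
    'A new comment on the post "been busy" is waiting for your approval\n'
    'Author: BestDeals (IP: 203.0.113.17)\n'
    'Comment: cheap pills online casino click here\n',
    'A new comment on the post "skype things" is waiting for your approval\n'
    'Author: BestDeals (IP: 203.0.113.17)\n'
    'Comment: free casino bonus visit now\n',
    'A new comment on the post "bogus science" is waiting for your approval\n'
    'Author: PharmaBot (IP: 198.51.100.5)\n'
    'Comment: discount pills shipped overnight\n',
    'A new comment on the post "been busy" is waiting for your approval\n'
    'Author: Alice (IP: 192.0.2.9)\n'
    'Comment: Nice post about the Tetris terminal!\n',
]

# Constructed blacklist of the sort the post describes; a real one is larger.
BLACKLIST = {"casino", "pills", "mortgage", "viagra"}

# The (assumed) notification layout embeds the origin address as "(IP: a.b.c.d)".
IP_RE = re.compile(r"\(IP:\s*(\d{1,3}(?:\.\d{1,3}){3})\)")

# Constructed prefix -> location table standing in for a lookup service such as
# hostip.info; in practice each address would be resolved against such a service.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "Example City A"),
    (ipaddress.ip_network("198.51.100.0/24"), "Example City B"),
]


def parse_notification(text):
    """Return (ip, comment_text) for one notification, or None if no IP line is present."""
    match = IP_RE.search(text)
    if match is None:
        return None
    comment = ""
    for line in text.splitlines():
        if line.startswith("Comment:"):
            comment = line[len("Comment:"):].strip()
    return match.group(1), comment


def is_spam(comment):
    """Crude blacklist check: any blacklisted whole word (case-insensitive) flags the comment."""
    words = set(re.findall(r"[a-z]+", comment.lower()))
    return bool(words & BLACKLIST)


def locate(ip):
    """Map an address to a coarse location via the constructed prefix table."""
    addr = ipaddress.ip_address(ip)
    for network, place in GEO_TABLE:
        if addr in network:
            return place
    return "unknown"


def map_spam(notifications):
    """Return (spam count per IP, {location: sorted list of spam IPs}) over the notifications."""
    per_ip = Counter()
    per_place = defaultdict(set)
    for text in notifications:
        parsed = parse_notification(text)
        if parsed is None:          # malformed notification: skip rather than guess
            continue
        ip, comment = parsed
        if not is_spam(comment):    # legitimate comments are not mapped
            continue
        per_ip[ip] += 1
        per_place[locate(ip)].add(ip)
    return per_ip, {place: sorted(ips) for place, ips in per_place.items()}


if __name__ == "__main__":
    counts, places = map_spam(SAMPLE_NOTIFICATIONS)
    for ip, n in counts.most_common():
        print(f"{ip:16} {n:3} spam comment(s)  [{locate(ip)}]")
    print(places)
```

One check before trusting such a map: the address a blog engine records is whatever peer it saw, so behind a reverse proxy or CDN it can be the proxy's own address rather than the zombie's, and as the post says it is almost never the spammer's own machine either way. The aggregation therefore shows where the sending hosts sit, not who is behind them.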

casino cheating - technology makes it better

Sunday, November 6th, 2005

A “retired” professional casino cheater is giving his 2 cents on the use of technology to mitigate the casino losses due to him and his likes (like putting RFID tags in all chips.) It’s insightful. In line with my fascination with unintended consequences, this rings very true:

rfid in casino chip

Marcus argued that technology is still only as good as the casino’s workers, who he fooled for years. If cheaters don’t draw too much attention to themselves, quickly getting onto and then away from the table, it’s unlikely their records will be checked. “And even if they do check, I’d be long gone,” Marcus said. In fact, having technology to fall back on is actually making pit bosses and dealers less attuned to what might be happening right under their noses, he argued. “These people rely upon their technology too much,” he said. “There is no room for maneuver in their thinking. I don’t have to fool the camera or the technology, I only have to fool the dealer or his pit boss. If I fool them, the technology doesn’t come into play.”

(emphasis mine)

As with other examples such as this one, the eventual outcome will be more loss due to cheating not less. Casinos will stop training their pit bosses to spot cheating until they’ll notice the reverse trend. Meanwhile, creative cheaters will enjoy more earnings.

H-1B visa holders are paid less

Wednesday, October 26th, 2005

It’s been proven that H-1B workers get paid less than their American counterparts in similar jobs.

When you look at computer job titles by state, California has one of the biggest differentials between OES salaries and H-1B salaries. The average salary for a programmer in California is $73,960, according to the OES. The average salary paid to an H-1B visa worker for the same job is $53,387; a difference of $20,573.

Well, that was my “working assumption” to date, although when I was an H-1B worker I know I was treated fairly with regards to salary (and any other respect.) Actually, every other visa worker I know was not getting robbed. But it was never a secret that this fact was prevalent.

I’ve always viewed working in the US as a privilege, not a right. I also believe that as a whole, we are responsible for our own situation. So, if a worker thinks (and they typically know) they are getting short-changed, they could resign or not accept the job. What this means is that although foreign workers are getting paid less, they still come/stay to/in the US since they think it is still worth it. Fact.

The bottom line is this: Sure, it’s unfair, but people make their choices and they decided that the price for living in Silicon Valley is worth it to them. It sounds bad on paper, but there is not much that can be done about it, we all sign personal contracts.

(through Slashdot.)