A blog doesn't need a clever name
Cyberethics, Crypto, Community, Freedom, Privacy, Property, Philosophy, MP3, Online Ed, Copyright, Iran, other current topics and fun stuff
Last updated:
2/1/05; 5:43:31 AM






Saturday, January 29, 2005

Build-in Against the Broadcast Flag Mandate (Wendy Seltzer).

With just five months left until the broadcast flag, EFF is staging a build-in: Build your own high-definition video recorder that lawfully ignores the broadcast flag.

We're using MythTV, a remarkably full-featured platform that can manage not only live and recorded television, but also music, movies, photos, weather, even VoIP phone calls. Because it's all Free Software, if you don't see a feature you want, you can code it yourself or find a friend who will.

While the broadcast flag mandate threatens to make TV back into a one-way, watch-only medium, open PVRs like MythTV give control back to us. Cut the commercials and watch only the show; or cut out the game and watch only the commercials, as some I know do for the Super Bowl. Re-mix television to make a point. Build your own Google video.

Watch for photos from throughout the day, and let us know the unexpected ways you use your PVR.

[Copyfight]
12:23:48 PM    comment []

Commenting on the below, though, Wes sagely weighs in:

When I see an academic paper with its own domain and a note that the paper "does not provide information that might allow its work to be duplicated" (for the good of the public, naturally), I am immediately reminded of Michael Crichton's lecture about politics masquerading as science.

[Hack the Planet]

Good worries as a rule. I don't share them in this instance.


9:40:40 AM    comment []

It's Double Crypto Crack Day, apparently, here at A blog doesn't need a clever name:

Graduate Cryptographers Unlock Code of 'Thiefproof' Car Key. Researchers at Johns Hopkins cracked the code used by a chip-based "immobilizer" car-key security system, raising questions about systems that rely on similar technology. By JOHN SCHWARTZ. [NYT > Science]

From the story:

Matthew Green starts his 2005 Ford Escape with a duplicate key he had made at Lowe's. Nothing unusual about that, except that the automobile industry has spent millions of dollars to keep him from being able to do it.

Mr. Green, a graduate student at Johns Hopkins University, is part of a team that plans to announce on Jan. 29 that it has cracked the security behind "immobilizer" systems from Texas Instruments Inc. The systems reduce car theft, because vehicles will not start unless the system recognizes a tiny chip in the authorized key. They are used in millions of Fords, Toyotas and Nissans.

All that would be required to steal a car, the researchers said, is a moment next to the car owner to extract data from the key, less than an hour of computing, and a few minutes to break in, feed the key code to the car and hot-wire it.

 . . .

The implications of the Hopkins finding go beyond stealing cars.

Variations on the technology used in the chips, known as RFID for radio frequency identification, are widely used. Similar systems deduct highway tolls from drivers' accounts and restrict access to workplaces.

 . . .

The computer scientists are not doing R.&D. for the Mafia. Aviel D. Rubin, a professor of computer science who led the team, said his three graduate students did what security experts often do: showed the lack of robust security in important devices that people use every day.

"What we find time and time again is the security is overlooked and not done right," said Dr. Rubin, who has exposed flaws in electronic voting systems and wireless computer networks.

David Wagner, an assistant professor of computer science at the University of California, Berkeley, who reviewed a draft of a paper by the Hopkins team, called it "great research," adding, "I see it as an early warning" for all radio frequency ID systems.

 . . .

The Hopkins researchers got unexpected help from Texas Instruments itself. They were able to buy a tag reader directly from the company, which sells kits for $280 on its Web site. They also found a general diagram on the Internet, from a technical presentation by the company's German division. The researchers wrote in the paper describing their work that the diagram provided "a useful foothold" into the system. (The Hopkins paper, which is online at www.rfidanalysis.org, does not provide information that might allow its work to be duplicated.)

The researchers discovered a critically important fact: the encryption algorithm used by the chip to scramble the challenge uses a relatively short code, known as a key. The longer the code key, which is measured in bits, the harder it is to crack any encryption system.

"If you were to tell a cryptographer that this system uses 40-bit keys, you'd immediately conclude that the system is weak and that you'd be able to break it," said Ari Juels, a scientist with the research arm of RSA Security, which financed the team and collaborated with it.

 . . .

The team wrote software that mimics the system, which works through a pattern of challenge and response. The researchers took each chip they were trying to clone and fed it challenges, and then tried to duplicate the response by testing all 1,099,511,627,776 possible encryption keys. Once they had the right key, they could answer future challenges correctly.

Mr. Sabetti of Texas Instruments argues that grabbing the code from a key would be very difficult, because the chips have a very short broadcast range. The greatest distance that his company's engineers have managed in the laboratory is 12 inches, and then only with large antennas that require a power source.

Dr. Rubin acknowledged that his team had been able to read the keys just a few inches from a reader, but said many situations could put an attacker and a target in close proximity, including crowded elevators.

The researchers used several thousand dollars of off-the-shelf computer equipment to crack the code, and had to fill a back seat of Mr. Green's S.U.V. with computers and other equipment to successfully imitate a key. But the cost of equipment could be brought down to several hundred dollars, Dr. Rubin said, and Adam Stubblefield, one of the Hopkins graduate students, said, "We think the entire attack could be done with a device the size of an iPod."

 . . .

Dan Bedore, a spokesman for Ford, said the company had confidence in the technology. "No security device is foolproof," he said, but "it's a very, very effective deterrent" to drive-away theft. "Flatbed trucks are a bigger threat," he said, "and a lot lower tech."

Good perspective from the Ford guy. A bit less so from the TI guy quoted in the piece. And, once again, WTG, Avi!


9:40:29 AM    comment []
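
The key-length point in the story above, as an added example (not code from the Hopkins paper or from this blog): a toy challenge-response tag whose key is recovered by trying every key against observed challenge/response pairs, plus the arithmetic for how the search cost grows with key size. The cipher is an HMAC-SHA256 stand-in, and the 16-bit toy key, 1-byte response, sample challenges and trial rate are all assumptions made for the demonstration.

```python
import hashlib
import hmac

TOY_KEY_BITS = 16   # assumption: toy size so the search runs in well under a second
RESP_BYTES = 1      # assumption: short response, so one pair cannot pin down the key

def respond(key: int, challenge: bytes) -> bytes:
    """Tag side: keyed answer to a reader challenge.
    HMAC-SHA256 is a stand-in here, not the cipher used in the real chip."""
    mac = hmac.new(key.to_bytes(5, "big"), challenge, hashlib.sha256)
    return mac.digest()[:RESP_BYTES]

def consistent_keys(pairs, key_bits=TOY_KEY_BITS):
    """Every key in the space that reproduces all observed (challenge, response) pairs."""
    return [k for k in range(1 << key_bits)
            if all(respond(k, c) == r for c, r in pairs)]

def keyspace(key_bits: int) -> int:
    """Number of distinct keys of the given length."""
    return 1 << key_bits

def exhaust_seconds(key_bits: int, trials_per_second: float) -> float:
    """Worst-case time to try every key at a given trial rate."""
    return keyspace(key_bits) / trials_per_second

# Constructed sample data: a secret key and five reader challenges.
SECRET = 0xBEEF
CHALLENGES = [bytes([i]) * 5 for i in range(1, 6)]
PAIRS = [(c, respond(SECRET, c)) for c in CHALLENGES]

if __name__ == "__main__":
    # One short response leaves many candidate keys; more pairs narrow it to one.
    print("keys matching 1 pair :", len(consistent_keys(PAIRS[:1])))
    print("keys matching 5 pairs:", consistent_keys(PAIRS))
    rate = 1e9  # assumption: one billion trials per second
    for bits in (40, 56, 80, 128):
        years = exhaust_seconds(bits, rate) / (365.25 * 24 * 3600)
        print(f"{bits:3d}-bit key: {keyspace(bits):.3e} keys, "
              f"{years:.3e} years to exhaust")
```

Each added key bit doubles the search, which is why the 40-bit figure quoted in the article is within reach of commodity hardware while a 128-bit key is not.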

United States and Europe Differ Over Strategy on Iran. The U.S. seems divided over whether to promote the overthrow of Iran's Islamic Republic or to support the approach embraced by the Europeans, which favors negotiation. By ELAINE SCIOLINO. [NYT > International]
9:38:55 AM    comment []

PS2 Cheat Codes Hacked.

From Adam Fields weblog:

Some guy tore apart his PS2 controller, connected it to the parallel port on his computer, and wrote a script to press a large number of button combinations. He used it to figure out all of the cheat codes for GTA San Andreas (including some not released by Rockstar, apparently).

http://games.slashdot.org/article.pl?sid=05/01/17/1411251

This is a great example of a "class break" in systems security -- the creation of a tool means that this same technique can be easily used on all games, and game developers can no longer rely (if they did before) on the codes being secret because it's hard to try them all.

[Schneier on Security]
9:24:06 AM    comment []

But what about grandma?

NY Times: "If every parent in the world has a blog, then maybe it really will be about the child rather than the parent," Ms Waldman said. "Because at that point the child is the only one who's going to read it."

BigPub fallacy #1 about blogs -- the main thing about a blog is how many people read it.

[Scripting News]
9:22:49 AM    comment []



© Copyright 2005 Bruce Umbaugh.