Archive for April, 2007
TAMPER Lab at the University of Cambridge
For anyone interested in embedded systems and hardware security, the TAMPER (Tamper And Monitoring Protection Engineering Research) Lab site is a great resource. There are detailed papers discussing their areas of research, such as the information leakage caused by electromagnetic emanations, and cryptographic security of smartcards.
I highly recommend the paper titled “Design Principles for Tamper-Resistant Smartcard Processors”. The slides [pdf] are especially good, with excellent graphics and full-color photos of integrated circuits, close up.

FedSpending.org reveals Social Security numbers
This is such a common way to discover vulnerabilities:
“I was bored, and typed the name of my farm into Google to see what was out there,” said Marsha Bergmeier, president of Mohr Family Farms in Fairmount, Ill.
…
Bergmeier said she was able to identify almost 30,000 records in the database that contained Social Security numbers.
[CNET News.com]
It didn’t even take any fancy Google hacking to find this treasure chest of identity information. I wonder, how many other databases like this exist on the Internet? I’m sure we could ask identity thieves and spammers, who actively search for them on a daily basis.
The average citizen doesn’t realize how many databases his information is stored in. Trying to figure out which ones are accessible over the public Internet is damn near impossible. In fact, the government itself doesn’t know the extent of it. As the article says, this data was compiled years ago, when Social Security numbers were much less protected. Since they were never intended to be used as identification numbers, that is excusable. But now that we know better, maybe the government needs to take stock of legacy databases and do some house cleaning.
Consistent Logging
This SecurityFocus article discusses the benefits of consistent logging across applications, especially in security-related software. It’s a good idea, and any serious software development effort should have an established logging format and procedure. While there is an up-front cost, it pays off in debugging and incident response in the long run.
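As an added illustration of what a shared logging format buys you (example code, not from the article or this blog): two hypothetical services emit the same JSON schema, so a single incident-response query spans both, while a legacy free-text line is rejected outright instead of being silently misparsed.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Hypothetical shared schema: every security-relevant record, from every
# service, carries exactly these keys so one query can span all of them.
SCHEMA = ("ts", "service", "event", "outcome", "actor", "src_ip")

def security_event(service, event, outcome, actor, src_ip, ts=None):
    """Return one JSON log line in the shared format."""
    ts = ts or datetime.now(timezone.utc).isoformat(timespec="seconds")
    record = dict(zip(SCHEMA, (ts, service, event, outcome, actor, src_ip)))
    return json.dumps(record, sort_keys=True)

def parse_events(lines):
    """Parse log lines; return (valid records, lines rejected as off-schema)."""
    valid, rejected = [], []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            rejected.append(line)
            continue
        if isinstance(rec, dict) and set(rec) == set(SCHEMA):
            valid.append(rec)
        else:
            rejected.append(line)
    return valid, rejected

def failed_auth_by_ip(records, threshold=3):
    """Source IPs with at least `threshold` failed auth events, across all services."""
    hits = Counter(r["src_ip"] for r in records
                   if r["event"] == "auth" and r["outcome"] == "failure")
    return {ip: n for ip, n in hits.items() if n >= threshold}

# Constructed sample: two services sharing the schema, plus one legacy
# free-text line that cannot be queried the same way.
SAMPLE_LINES = [
    security_event("vpn", "auth", "failure", "alice", "203.0.113.7", "2007-04-10T08:00:01+00:00"),
    security_event("webmail", "auth", "failure", "alice", "203.0.113.7", "2007-04-10T08:00:05+00:00"),
    security_event("vpn", "auth", "failure", "bob", "203.0.113.7", "2007-04-10T08:00:09+00:00"),
    security_event("webmail", "auth", "success", "carol", "198.51.100.2", "2007-04-10T08:01:00+00:00"),
    "Apr 10 08:02:00 legacyapp: login failed for dave from 203.0.113.7",
]

if __name__ == "__main__":
    records, rejected = parse_events(SAMPLE_LINES)
    print(f"{len(records)} structured records, {len(rejected)} off-schema line(s)")
    print(failed_auth_by_ip(records))  # {'203.0.113.7': 3}
```

Note that the legacy line's failed login is invisible to the query: the cost of an inconsistent format is exactly the events you miss during an investigation.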
The Microsoft .ANI Vulnerability
This bug has been talked about to death, and the official patch has been released. Anyway, here’s a brief timeline of the relevant events.
- Microsoft announces the vulnerability
- Arbor Networks sees it being exploited in the wild
- A proof of concept exploit was posted to Full Disclosure
- Third party patches are released… then debated
- Microsoft releases the official patch, going off the usual Patch Tuesday schedule
- H D Moore announces two new Metasploit modules for this vulnerability
There you have it, I’ve documented a little part of Microsoft security history… Maybe I’ll come back to read these links years from now, and realize how far we’ve come - or how things have gotten much worse. Who knows!
TEDTalks: Janine Benyus
Watch this video from TED 2005:
In this inspiring talk, Janine Benyus provides fascinating examples of biomimicry — humans mimicking nature in the products we build and the systems we implement. With 3.8 billion years of research and development on its side, evolution has already solved problems that human designers and engineers struggle with.
