The Strike

[Image: Copyright]

I took my site off line for roughly 24 hours as part of the Net-wide strike against impending US Congressional action. As a published author I applaud efforts made to protect my income from piracy. However, the current legislative efforts put the operation and culture of today's Internet at risk. They also undermine the concept of due process.

Recent news reports suggest that the Congressional juggernaut has been slowed down or even diverted. Let's hope so.

OS X Lion: No encrypted RAID after all

[Image: Full disk encryption]

I installed Lion last night and spent today figuring out what does - and does not - work. As a huge fan of full-disk encryption (FDE), I'm disappointed in their drive encryption.

RAID may have been improved, but Lion's encryption features, including Time Machine encryption, are not compatible with Apple's RAID.

The diagram at right (from Elementary Information Security) shows how full-disk encryption (FDE) typically integrates into the system software. The diagram doesn't show where the RAID software might reside. I'd expect it to be very closely tied to the device driver. However, it appears instead that Apple placed the FDE below the RAID software. Perhaps this improves performance, or perhaps the choice was driven by design decisions invisible outside Cupertino.

The Time Machine improvement: they have explicitly documented how to switch in a new mirrored drive for an old one. I haven't tried their suggested process since the upgrade. I'd tried the suggested process a couple of years ago, only to have it fail. So we'll see how it goes.

Summer Broadband Usage

This is the Comcast report on our broadband usage last summer, after Alex and Courtney moved back home while they looked for an apartment.

[Image: Summer Broadband Usage]

Comcast did not provide the annotations in red. The heavy dashed line is Comcast's 250GB "limit" on monthly broadband usage. I'm relieved that the limit is an advisory thing, so far, and not something they necessarily enforce.

The Five Worst User Interfaces

[Image: Call Lost - Redial?]

Bad user interfaces really annoy me. At best, a bad interface costs us time and effort. At worst, it can trick us into breaking something. A bad user interface is an assurance problem just waiting to happen.

Here are my nominations for the five worst user interfaces:

  • Recovering a lost phone call
  • Voicemail
  • Adding high-quality sound to a TV
  • Electronic calendars and time zones
  • Setting a watch

I've probably forgotten a few that are much more common and much, much worse. When you've lived with a bad interface for a really long time you adapt to it and forget how much trouble it causes.

Passwords and Entropy

[Image: Entropy with decimal dice]

My friend and colleague Al Dowd pointed me to Troy Hunt's blog post last April on password entropy.

A nice thing about this posting is that it talks a lot about Rainbow Tables and how they relate to password attacks. There aren't many good, general discussions out there of Rainbow Tables. While working on the textbook, I skipped the topic for two reasons: 1) it's a specific case of some general techniques I talked about already, and this is supposed to be an introductory textbook, and 2) none of the curriculum standards I followed required me to cover it.

I've been fantasizing about constructing some animated diagrams to illustrate various basic concepts, but I haven't gotten to it quite yet.
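The entropy estimates that Troy Hunt's post and the dice in the picture above are about can be worked through in a few lines. The following is an added example written for this page, not code from the original post or from Troy Hunt: it estimates the search space of a password from the character classes it uses, the entropy of a passphrase rolled from a word list with dice (5 dice of 6 faces give 7776 words, the Diceware size), and the expected number of guesses an attacker needs. The composition-based estimate is an upper bound; a human-chosen password is usually far weaker than its character classes suggest, which is the point of the post.

```python
import math
import string

# Character classes used for the composition-based estimate: the attacker is
# assumed to search every string of the same length drawn from the classes
# the password actually contains.
CLASSES = [
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32
]


def password_entropy_bits(password: str) -> float:
    """Upper-bound entropy of a password, from its length and character classes.

    This is the usual rough estimate; real human-chosen passwords draw from a
    much smaller space (dictionary words, patterns) and are weaker than this.
    """
    if not password:
        return 0.0
    space = sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))
    return len(password) * math.log2(space)


def dice_passphrase_entropy_bits(words: int, list_size: int = 7776) -> float:
    """Entropy of a passphrase of `words` words chosen uniformly at random
    from a list of `list_size` words (7776 = 6**5, five six-sided dice per word).
    Unlike the estimate above, this one is exact because the choice is random."""
    return words * math.log2(list_size)


def expected_guesses(bits: float) -> float:
    """Average guesses needed to find a uniformly chosen secret: half the space."""
    return 2.0 ** bits / 2.0


def expected_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to crack at a given guessing rate (a constructed rate,
    not a measurement of any particular hardware)."""
    return expected_guesses(bits) / guesses_per_second


if __name__ == "__main__":
    for pw in ("abcdefgh", "Password1!"):
        bits = password_entropy_bits(pw)
        print(f"{pw!r}: about {bits:.1f} bits (upper bound)")
    phrase_bits = dice_passphrase_entropy_bits(6)
    print(f"6 Diceware words: {phrase_bits:.1f} bits")
    # Assumed rate of 10**9 guesses per second, purely for illustration.
    print(f"expected seconds at 1e9 guesses/s: {expected_seconds(phrase_bits, 1e9):.3e}")
```

Comparing an eight-letter lowercase password (about 37.6 bits at best) with six dice-chosen words (about 77.5 bits) shows why a random passphrase beats a "complex" short password even though the passphrase contains no digits or punctuation.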

The Ultimate USB Attack

After finishing a blog entry about the Homeland Security test using hacked CDs and USB drives, I took a look at a much nastier - though more expensive - attack.

Last year, Irongeek constructed a "penetration test device" with a USB interface - this is essentially a device that sends commands to a computer as if it were a USB keyboard, and uses the commands to attack the computer. He demonstrated it last year at Defcon. The device generates interface signals to open a command window, hide it, and enter keyboard commands to execute. But it gets worse.

Penetration via Human Nature

Bloomberg has posted an interesting summary of recent hacker triumphs based on social engineering attacks. The fundamental piece of hard news was that the US Department of Homeland Security ran a test last year in which they dropped CDs and USB drives around near some US government offices. The test detected that 60 percent of these were inserted into government computers. Several had official logos on them, and 90 percent of those were detected as having been inserted.

If such things were just passive storage devices, this might not be much of a problem. Unfortunately, many systems will automatically extract software from such devices and execute the software. Such behavior is optional on some systems. The system may ask the user to confirm whether the software should run or not. If execution is automatic, though, the attack will probably succeed.
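The automatic execution described above is driven, on Windows, by an autorun.inf file in the root of the medium: its [autorun] section names a program (open=) or document (shellexecute=) to launch on insertion. The following is an added example, not code from the original post or from any DHS tool: a small triage script that reads an autorun.inf and reports which entries would launch something, so a dropped drive can be examined on an isolated host before anyone plugs it into a production machine. The sample file contents are constructed for the example.

```python
import configparser

# Constructed sample of an autorun.inf as it might appear on a dropped drive.
# open= names a program to run; shellexecute= names a document to open with
# its registered handler; icon= and label= only affect how the drive looks.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=setup.exe /s
shellexecute=docs\\readme.html
icon=corp.ico
label=Quarterly Report
"""


def is_launch_key(key: str) -> bool:
    """True for the autorun.inf keys that cause something to be executed:
    open, shellexecute, and the shell\\<verb>\\command entries that define
    context-menu actions (which AutoPlay may also run)."""
    key = key.lower()
    if key in ("open", "shellexecute"):
        return True
    return key.startswith("shell\\") and key.endswith("\\command")


def autorun_launch_targets(inf_text: str) -> list[tuple[str, str]]:
    """Return (key, value) pairs from the [autorun] section that would launch
    a program or document. An empty list means the file only sets cosmetics
    (or has no [autorun] section at all)."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(inf_text)
    if not parser.has_section("autorun"):
        return []
    section = parser["autorun"]
    return [(key, section[key]) for key in section if is_launch_key(key)]


def triage_report(inf_text: str) -> str:
    """Human-readable summary of what the medium would try to run."""
    targets = autorun_launch_targets(inf_text)
    if not targets:
        return "autorun.inf: no launch entries"
    lines = ["autorun.inf would launch:"]
    lines += [f"  {key} -> {value}" for key, value in targets]
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage_report(SAMPLE_AUTORUN_INF))
```

The mitigation the post alludes to ("such behavior is optional on some systems") is to turn AutoRun off outright rather than rely on the confirmation prompt; on Windows that is the NoDriveTypeAutoRun policy value under the Explorer policies key, set to 0xFF to cover every drive type.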

Looking at Lulz

[Image: LulzSec]

I've been looking at the various files LulzSec has uploaded from their victims. These include Sony (several different sites on separate occasions), PBS, the game company Bethesda, Fox TV, Nintendo, and a computer security company called Unveillance. They actually defaced the PBS site, posting a bogus article claiming that dead rapper Tupac was located alive.

They also extracted the hashed password file belonging to the Atlanta chapter of Infragard, an FBI-affiliated organization, and cracked a bunch of the passwords. The site is now offline.

My initial impression is that these folks are using some fairly simple attacks, like SQL injection, to retrieve a lot of the data. Note that in most cases they didn't actually deface the victim. I suspect they would have if they could have. Thus, they're taking advantage of the weaknesses they do find.
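To make the "fairly simple attacks, like SQL injection" concrete, here is an added example (written for this page, not taken from the post or from any of the victim sites) of the defect and its fix side by side, against an in-memory SQLite table with constructed rows. The vulnerable lookup splices user input into the SQL text, so a value containing a quote changes the query and returns every row; the parameterized lookup passes the value separately, so the same input is just a username nobody has.

```python
import sqlite3

# Constructed sample table; the hashes are placeholder strings, not real digests.
SAMPLE_USERS = [
    ("alice", "hash-of-alice"),
    ("bob", "hash-of-bob"),
]


def make_db() -> sqlite3.Connection:
    """In-memory database populated with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    """Builds the query by string formatting. The input becomes part of the
    SQL statement, so quotes and operators in it are interpreted as SQL."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list[str]:
    """Uses a bound parameter. The database receives the statement and the
    value separately, so the value can never alter the statement's structure."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"   # the classic always-true tail
    print("vulnerable:   ", lookup_vulnerable(conn, crafted))
    print("parameterized:", lookup_parameterized(conn, crafted))
```

The same rule applies to every database driver: the statement text is fixed at development time and values travel as parameters; escaping or "sanitizing" strings by hand is the approach that keeps producing these breaches.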

"Cracking" Passwords

There's been buzz in computer hardware blogs over the past few days about how faster processors (and GPUs in particular) are rendering strong passwords "useless." One experimenter, named Vijay Devakumar, posted a description of his success at cracking passwords, which was recently picked up by bloggers on PC Pro and ZDNet.

This is - or should be - old news in the computer security community. I think passwords play a worthwhile role for local authentication, but they'll always be vulnerable to attack on networks.

Passwords are vulnerable in two ways: first, they might be intercepted in plaintext and second, they might be intercepted in a crackable, though encrypted, form. In keeping with the traditions illustrated by the sinking of the Titanic, many administrators demand "hard to crack" passwords, just as most Titanic victims were wearing their life vests as they froze to death in the icy North Atlantic.

Passwords are only effective as long as attackers can't intercept them in a crackable form. Unfortunately, many software products still ship passwords around in a crackable format. Most LAN software (file sharing, printer sharing, etc.) is vulnerable this way.

RAID Backups Redux: Snow Leopard

Grumble, grumble.

There has been an update to the DiskUtil program that prevents my RAID backup procedure from working.

The version I am running - Version 11.5.2 (298.4) - no longer provides a "Remove" or "Demote" function when a RAID drive is missing or offline. I've found two ways around this. I recommend the first approach for regular use. The second is only provided to illustrate a bizarre feature of Apple RAID.