Phillip Hallam-Baker's Web Security Blog

DES has been broken for a decade now. So why do some banks still rely on DES based security?

One reason is that until recently the compromise of DES has been distinctly theoretical. Deep Crack was built for $250,000 in 1998. If the cost of the developer's time was factored in the cost would be twice that.

So now I learn at Financial Cryptograpy that Tim Guneysu and Christof Paar from University of Bochum have put together a machine 'COPACOBANA) for $10,000 using more or less off the shelf parts that can brute force DES keys in a few days.

That is a figure that should be much more worrying for the banks. An Internet criminal would have to go to considerable effort to steal $250K of computer parts but blagging $10K of stolen parts is an afternoon's work. The risky, time consuming part of the phishing process is converting fenced goods into cash.

The ANSI X9.9 OTP tokens should not be a great concern, they are easy enough to change. Secure OATH-compatible tokens using 128 bit secret keys are available from VeriSign and other vendors. But other parts of the banking infrastructure that almost certainly depend on 56 bit DES should be a real focus of urgent concern.

Posted by Phillip Hallam-Baker at 09:48 AM | Permalink | Comments (1)

Today we pay for the power to the data center twice. First to power the racks, then to remove the heat from the building via HVAC. A new technology from Berkeley Labs is intriguing, a more efficient means of turning a heat differential into power.

The explanation is confused, I am pretty sure that Berkeley does not beleive it has found a way to break the second law of thermodynamics as one might imagine from the article. If energy is extracted from the system the hot region must get cooler and the cool region hotter.

Another way to achieve the same effect would be through a steam turbine. This is done in power stations today. In principle one could use a steam turbine to extract energy from a data center without getting up to the boiling point of water by using a liquid with a lower boiling point and operating it at lower pressure. This was investigated by the chemical industry during the 1970s oil price shock but abandonded because their low grade heat sources tended to be contaminated by corosive chemicals. One plant I worked on in the 1980s that made neoprene precursors was continuously disolving its infrastructure.

Now that extracting waste heat from data centers is becomming a major concern I expect new interest in these technologies. Pretty soon we will be seeing heat pipe technology integrated into equipment racks as a matter of course. Why give the energy way when you can recover some of it?

Posted by Phillip Hallam-Baker at 07:48 AM | Permalink

I recorded this podcast on Extended Validation shortly after the Computer World article mentioned came out. But it took me a while to get the editing software to run on Vista and then the day after I finished it YouTube did a redesign which made me want to redo it to take advantage of the new features. Here it is at last:

There is more information on the Web site for my book The dotCrime Manifesto: How to Stop Internet Crime

Posted by Phillip Hallam-Baker at 05:09 PM | Permalink | Comments (1)

Just before the holidays I bought a Microsoft Home Server, or rather the box was made by HP and the software by Microsoft. A few hours later the box was installed and every machine in the house had been backed up. Since then the only time I have touched the box was to slot in a couple of 1Tb drives to beef up the storage capacity. Total cost for 2.5Tb of network attached storage was less than $1,200.

The point here is not how great Home Server how different the market for computer systems has changed. Its not just the capacity of the box that has changed but the ease of use. Five years ago a similar three drive NAS box would have cost considerably more and I would have considered myself lucky to have 80% of the necessary features working after three days. That approach is simply not acceptable in today's computing market. Even a 1.0 product has to deliver the goods from day one.

It isn't just Microsoft that has got the message either. Before the launch of the Apple iPhone I was skeptical. Many computer manufacturers had attempted to enter the cell phone market and without exception the 1.0 versions of their products had been only fit for the landfill. Apple did not merely hit a home run, they hit the ball out of the park.

And that is what you have to do to launch a new computing product today. In 1992 the typical Web user either had a degree in nuclear physics or like me hoped to have one in the near future. Today there are over a billion Web users and most of them just want the tool to work without fuss.

The challenge going forward is how to retro-fit the new aesthetics and usability demands of the new computing user to existing applications. Today we author documents for the Web as much as for the printed page yet the architecture of Word Processing systems has remained essentially static and our primary tool for numeric calculation is the spreadsheet, a design originally built around the constraints of 8-bit processors with 32Kb of memory or less.

In particular we have to work out how to apply these new aesthetics and usability standards to security infrastructure. The reason that we hear so much about data breaches is not because governments and corporations have not heard about cryptography, its because they don't have the means to deploy that technology in a form that their employees can use in their every day routine.

Posted by Phillip Hallam-Baker at 08:43 AM | Permalink