We need a “DO NOT TRACK” option for smart-phones!

smartphones tracking users

smartphones tracking users

Hey Apple, Google, when are you going to have a DO NOT TRACK option on your smartphones’ operating systems?
This is another idea, maybe RIM engineers can come up with a feature like that to give the BlackBerrys a fighting chance.

The fact that most of us carry (voluntarily) a tracking device should not be news for anybody. I guess the news-worthy part is that somebody expossed what Apple and Google where doing. I am not sure it is illegal, have you checked the small font bits of the contract you signed? Me neither.
Believe me, that Apple and Google know where you are and where you have been is not the biggest of our problems with privacy as discussed in here.


(h/t) Raymond who sent this link

Fingerprinting Computers – Part II – Hardware

The fingerprinting of a computer using data accessible or generated by software is subjected to a Replay attack or could be easily disrupted by malware. This method should not be used to authenticate the machine.
In order to defeat Replay attacks, the fingerprinting algorithm needs to generate a one time string, based on some unique property of the hardware and that can be used by the verifier to check the identity of the computer.
One example of such technology is the Intel IPT (Identity Protection Technology) that works by generating a unique 6 digit number every 30 seconds. This number is generated by a section of the chip that is inaccessible to the Operating system and holds some secret key shared with the validator/server. Once a particular processor is linked to a server, the server will be able to identify the CPU and validate the computer. Of course this does not imply user authentication and the intended use of this technology is as an additional factor on a multi-factor authentication scheme.
A Public Key infrastructure (Certificate Authority) is still needed to defeat the Man in the Middle attack.
Technologies that can identify hardware to the chip level are being developed to prevent counterfeiting. These are based on the PUF (Physically Unclonable Functions) that use physical variations of the circuit to extract certain parameters that are unique to each chip and cannot be reproduced nor manipulated without physically tampering with the circuit.
Power-up of a SRAM as a source of Entropy and Identification
Secure Processors, the ultimate battlefield
A PUF Design for Secure FPGA-Based Embedded Systems

Fingerprinting Computers – Part I – Your browser.

Authentication is about the only big open problem in the practice of internet security. The existing encryption and hashing algorithms as well as the key generation/management protocols offer a high degree of security, barring programming/implementation errors.
Authentication technologies face serious challenges mainly because identity is difficult to establish with a 100% certainty even using physical characteristics, i.e., signatures and credentials can be forged, the physical appearance of people can be manipulated, etc.
Read more of this post

It didn’t take very long… [UPDATED]

for my prediction to become a reality.
PC world reported on Feb 18 that a bunch of websites, only 84,000, were taken down “accidentally” by the ICE.
I have zero sympathy for people who uses the web to steal or commit morally reprehensible acts, however, if I can anticipate the heavy damage that a government agency with the power to shut down internet domains can unleash on hardworking and honest people,you cannot convince me that the legislators cannot figure this was bound to happen. Obviously they don’t care about the consequences of their grandstanding have for the rest of us mortals. And at the end of the day, shutting down websites doesn’t stop the traffic of child pornography or stolen intellectual property, it is just a nuisance for the bad guys that now need to go and setup another channel.
The danger for the rest of us is this, if we trust the government, any government, with the switch to the Internet, how long before the shutting down of domains is used as a way to silence dissent?
Oh wait! It did already happened? That was another prediction that turned to be right!


Check this Hall of Shame page at the EFF

The book gets excellent review at Amazon.com

A very nice surprise from the comment pages at Amazon.com, a 5 star rating for the Cryptography book authored by A. Bruen and myself.

The reviewer consider the book a Insightful Interdisciplinary Orientation on the subject, and gave this book the highest rating among similar books.




We are in good company too!


SSL 3.0 / TLS subjected to Man in the Middle Attack

An “Authentication Gap” was discovered in the latest version of SSL/TLS protocol.This could potentially be a huge problem. The gap is not due to some erroneous implementation, it is a property of the protocol.

Here is a list of links to websites where the issue is being followed:


IETF resources

Red Hat


The end of the road for MD5 signed SSL Certificates

X.509 certificates signed by Certificate Authorities that use MD5 function are certainly going to disappear form the Internet as flaws on the MD5 were successfully exploited to generate a rogue certificate that would be considered as valid by all browsers.

The proof of concept was recently published by A. Sotirov et al. , although the basis for the hack has been know for a few years know. The researchers exploited collisions (two different strings that hash to the same value) in the MD5 and the fact that CAs use a sequential numbering of certificates upon issuance.

News that SSL is broken are exaggerated as many CA are already using SHA-1 (a stronger hash function) and the ones that were using MD5 are switching quickly after publication of the flaw.  

See also:

Security and Economics

I suggest the reader to visit the Financial Cryptography blog (click on the link in the right column, under Security). In particular those interested in the economics behind the security market will appreciate the material being posted there by Ian Grigg.

Customers looking for reassurances from online retailers

Top Tech news reports on e-commerce trends in this article

A Yougov survey, of 2,500 UK adults, carried out for the security company has revealed that despite three-quarters of the population shopping and banking online, many are looking for additional reassurances from online retailers before spending more.

It found 66 percent of consumers believe that making transactions online puts them at increased risk of online fraud, and 30 percent agree that Internet security threats prevent them from making more online transactions.

Seven in 10 people said they would feel more comfortable carrying out online transactions if they were given assurance that online retailers were taking steps to secure their data.

However, only around three in 10 said they bothered to check the credentials of a company before making a transaction.

Three in 10 believed it is the responsibility of the business they are dealing with to secure their data, while only nine percent lay the responsibility with their bank.

Consumers also expect any compensation to come from these online retailers (40 percent), rather than from their bank or credit card company (18 percent).

A few years ago, by insuring most transactions, credit card companies took the responsibility from the hands of customers and retailers and diminished the incentives for better transactional security and authentication.