Security Review: Costco

By kurifodo at 9:13 pm on March 16, 2008 | 8 Comments

Summary:
In order to shop at Costco, one must have a membership and proof of that membership. When an individual purchases a membership at Costco, they and their spouse may use the membership at any Costco. Otherwise, no one else is allowed to use that membership. If you have ever been to Costco, you know that they check for membership cards at the door and when making purchases at the register. They do not, however, check the name on the membership against another ID to verify you are the person on the card. At the front door, they glance to make sure you have a card, so they do not ever examine the fine details at this stage.

Filed under: Security Reviews

Apple’s Hymn/FairPlay DRM

By imv at 9:12 pm on | No comments

Summary

FairPlay is an encryption scheme (DRM) developed by Apple to prevent users from further distributing playable content to other users. It has been cracked numerous times in different ways to create unrestricted/unencrypted versions of the content. The technology has since been renamed “Hymn”.

Filed under: Security Reviews

Security Review: Husky Cards with Smart Card Technology

By mstie74 at 7:23 pm on | 5 Comments

Summary

The Husky Card is a University of Washington student’s lifeline.  It provides student identification, building access, public transportation, and access to monetary funds for use on and around campus. 

Starting in 2009, the Husky Card will get an upgrade to smart card technology. This is in response to the local public transportation agencies’ ORCA (One Regional Card for All) project which implements an electronic fare system. Following implementation of this system, Regional Transit will no longer accept the current U-PASS stickers and will require smart cards.

Filed under: Security Reviews

Steam: The Content Distribution Platform for Games

By alpers at 7:17 pm on | 3 Comments

Within the last couple of years, Valve Corporation (of Half-Life fame) over in Bellevue designed and implemented a content distribution platform called “Steam” with the intent of distributing its games through a distributed network placed around the world. Their goal was three-fold: (1) make it simpler to roll out updates instead of forcing clients to manually download patches, (2) make a streamlined interface to purchase, configure, and use the games, and (3) cut out the middle-man (the publisher) and take the additional profit to implement Steam.

Filed under: Security Reviews

Security Review: The Switch from IPv4 to IPv6

By diademed at 1:56 pm on | No comments

The premise is, at some point in the future, it would be ideal for the internet to be using IPv6 as its main backbone, rather than the current IPv4. A discussion of the features and algorithms of IPv6 is beyond the scope of this review, but if you are unfamiliar with it, or have questions, Wikipedia has some good information. The target of this review is that hypothetical night when ISPs, whether all at once or one-by-one, shut off access to the internet via IPv4.

Filed under: Security Reviews

Security Review: iPhone

By duschang at 1:45 pm on | No comments

iPhone offers lots of convenient functionality, such as phone, internet, music play, etc., making it a communication powerhouse. However, it also opens up lots of new security risks. Since there is already a security review on iPhone 3rd party apps, I will focus on the iPhone itself.

Filed under: Security Reviews

M-Pesa: Banking via SMS

By davidjsh at 1:19 pm on | No comments

I was recently informed about a rather interesting service that is being used in Kenya called M-PESA.   According to their website, “M-PESA provides an affordable, fast, convenient and safe way to transfer money by SMS anywhere in Kenya. Through M-PESA you can:  

  • Deposit money
  • Withdraw money 
  • Transfer money (send) to another M-PESA customer 
  • Transfer money (send) to someone who is not an M-PESA customer; in fact they need not even be a Safaricom customer 
  • Buy Safaricom prepaid airtime 
  • Manage your M-PESA account (i.e. show balance, call support, change PIN and change language).”

At first glance, I thought that the original intent of M-PESA was for buying and transferring airtime while financial transactions were just a side effect; however, according to the FAQ, M-PESA is intended to be “an innovative mobile payment solution that enables customers to complete simple financial transactions including person to person money transfer. It is aimed at mobile customers who do not have a bank account, either through choice, because they do not have access to a bank or because they do not have sufficient income to justify a bank account.”

Filed under: Miscellaneous, Security Reviews

Security Review: Michael’s Toyota Service Center

By jessicaf at 8:18 pm on March 14, 2008 | 1 Comment

My check engine light came on last week, so I called up Michael’s Toyota Dealership and Service Center in Bellevue, WA. I made an appointment and had my husband bring the car into the shop and take a shuttle to work. Later in the afternoon, the car is finished and I start walking over to the dealership to pick up my car. With my mind on a hundred other things, I had left my purse at home! With no time to go back home before the dealership would close, I decided just to try to get the car and hope it wasn’t going to cost me anything and that I wouldn’t need any ID to pick it up. I told the Service Center attendant I was there for my car and what my last name was. She typed it into the computer, found the service number, and called for the car to be brought up to the front. Everything was covered under warranty, so I climbed into my car and went on my merry way. So why do I tell you all this? Because it seems to me that I could have picked up any old car with just a last name.

Filed under: Physical Security, Security Reviews

Wireless Keyboards

By dschen at 11:17 pm on March 9, 2008 | 3 Comments

With everything going wireless now, many people are cutting the cord and getting wireless keyboards and mice. However, not many people stop and think what might happen if these wireless peripherals are compromised. If, say, someone could spoof the identity of your keyboard and mouse, then they could potentially take control of your computer. However, the manufacturers anticipated that, so some minimal amount of encryption is put in place. It was recently found here that older Microsoft devices working on the 27 MHz band could be easily compromised. The encryption scheme used in these products XORs the keyboard status with a random byte, resulting in only 256 possible keys… It is easy to see that this could be exploited fairly easily.

Newer products utilizing Bluetooth are more secure but still have vulnerabilities. The frequency hopping used in Bluetooth in conjunction with the packet encryption using the E0 stream cipher provides a sense of security. Attacking the PIN used in pairing has been shown to be an effective way of compromising the encryption used in Bluetooth…

Filed under: Security Reviews

Security Review: Apple iPhone 3rd party application support

By jimg at 10:54 pm on | 1 Comment

On Thursday, Apple happily unveiled its plan for third party support of native iPhone applications. The plan involves an application development and distribution pipeline including an iPhone SDK, a suite of IDE tools, and a sales and distribution plan through the new iPhone “App Store”. Apple is restricting the distribution of 3rd party applications through their app store by requiring an iPhone developer account. There will be no other supported way to get 3rd party iPhone applications onto the iPhone. Apple has also made the claim that no malicious, pornographic, or software with security vulnerabilities will be distributed through their store.

Filed under: Announcements, Current Events, Ethics, Security Reviews