Happy Spring Break!

By Tadayoshi Kohno at 9:58 am on March 25, 2008 | 1 Comment

Have a great spring break everyone!

To readers of this blog: Please expect low activity for a while. The University of Washington is on the quarter system, and our quarter just ended. Everyone in the class is, of course, encouraged to still contribute articles to this blog. And we’ll continue using this blog (or more sophisticated forum environments) in future courses. Stay tuned for more information 🙂.

Filed under: Announcements, Security Reviews | 1 Comment »

Security Review: IMA

By patriw at 12:09 pm on March 20, 2008 | 3 Comments

The IMA is a rather public place where students, faculty, and spouses can take fitness classes, lift weights, or use an expansive cardio room.

The assets include fitness machines, sports equipment, and simply the space itself, which, when occupied by an unwelcome visitor, becomes unusable to a legitimate IMA-goer. In addition, there is WiFi access, as well as internet-ready terminals. (Read on …)

Filed under: Miscellaneous | 3 Comments »

Security Review: Husky Union Building

By esoteric at 3:36 pm on March 18, 2008 | 7 Comments

The Husky Union Building is the center of life on campus. It is home to the Associated Students of the University of Washington, hundreds of student clubs and organizations, the university bookstore, food vendors, university employee payroll and accounting, information services, games area, campus-wide lost & found, US Bank, bike shop, hair salon, newsstand, event services, and many more departments.

(Read on …)

Filed under: Miscellaneous, Physical Security, Security Reviews | 7 Comments »

Security Review: Wireless Home Automation Systems

By chernyak at 10:57 pm on March 17, 2008 | 4 Comments

Summary: Home automation systems in general attempt to enable home owners to have a “smart” house. Instead of light switches you have integrated panels that control everything from your lights, to your shades, to your entertainment system, climate control, alarm system, motorized locks, etc. Some specific examples of such systems, like those offered by Control4, use wireless communications between the panels and the devices they control. Some also integrate with cell phone applications. One of the selling points for these systems is that they improve security.

(Read on …)

Filed under: Physical Security, Privacy, Security Reviews | 4 Comments »


By robert at 5:52 pm on | 8 Comments

This blog post on freedom-to-tinker came up in my feed reader today: http://www.freedom-to-tinker.com/?p=1265

The post is an e-mail from a company that makes e-voting machines that is threatening legal action if their voting machine is analyzed and the results published.

What does everyone think of this?

Filed under: Ethics | 8 Comments »

Security Review: “Smart Guns”

By Trip Volpe at 11:59 pm on March 16, 2008 | 18 Comments


This is a security review of “Smart Guns,” a general class of locking/use prevention mechanisms for firearms that rely on biometrics or other authentication indicators (such as “smart” chips embedded in the gun and in rings or other tokens worn by the intended user) to identify a person who is authorized to use the firearm, while preventing unauthorized persons from discharging the weapon. The Wikipedia article has some further broad overview information regarding the subject.

(Read on …)

Filed under: Availability, Physical Security, Policy, Security Reviews | 18 Comments »

Microsoft, Yahoo, and Internet Breakage

By Justin McOmie at 11:58 pm on | 1 Comment

In a recent interview with “Condé Nast Portfolio”, Google CEO Eric Schmidt warns us all that a Microsoft-Yahoo merger might “break the internet” due to the consolidation of web-mail, instant messaging, and other services that would follow as a result. This relates to a still-on-the-table 40+ billion dollar offer that Microsoft has proposed to Yahoo. While the deal is not cemented yet, representatives for the respective companies have reportedly had frequent rendezvous in Mayflower conference rooms to “feel things out” before big money changes hands.

The big issue at hand is the oncoming breaking of the Internet, which clearly has broad reaching implications, particularly for Google. The search giant has bet its entire business model on the premise that the Internet be categorically unbroken, at least most of the time, and has a vested interest in ensuring the continued heartbeat of the web. This is in contrast with Microsoft, which could deal with an Internet breakage without all that much worry for its bottom line. This fact should alarm anyone with perceptive eyes; perhaps “breaking the Internet” is the first gunshot in a drawn out war of attrition Microsoft has planned.

According to Schmidt, Microsoft’s previous antitrust trial was about breaking interoperable open systems. Thus, we should all be wondering what level of nefariousness currently runs through Microsoft’s veins that it would embark on a conquest to contort the consolidation of Yahoo’s web offerings in some way as to weaponize open systems into a torrent of Internet pain and disruptiveness. One can only grimace at the proverbial ring of power Microsoft will be able to wield when it is able to commit such acts as merging its MSN Messenger userbase with that of the wildly popular Yahoo Messenger.

The Internet using public should assess the risk for Internet breakage and policy makers should react accordingly. But we should also keep in mind that if a Microsoft Yahoo merger could break the Internet, smaller deals might lead to some sort of fractures or cracks in the Internet. For example, Microsoft recently invested several hundred million dollars into Facebook, which caused observable tremors in the Internet’s various tubes. Caveat emptor.

Source: http://www.portfolio.com/executives/features/2008/03/14/Google-CEO-Eric-Schmidt-Interview

Filed under: Current Events, Miscellaneous | 1 Comment »

Current Events: Wikileaks

By alpers at 11:02 pm on | 1 Comment

Something that really piques one’s curiosity is the documents behind, and the reasons for, the paths governments and institutions choose to take. One site that caters to uncovering these sensitive documents is Wikileaks, which has been frequently featured on /.’s homepage. Although many documents revealed on Wikileaks are shown for the first time to a wide public audience (the entire internet, and effectively the world), many are legally available to the public but are often buried in the archives of the administration.

What really interests me about Wikileaks is the fact that it chooses to pop out at this time. Vulnerabilities that are uncovered in this manner, even if they may be up to eighty years after the fact, may allow individuals and groups to exploit those same vulnerabilities in today’s organizations and technology. Presenting this information in this ‘anarchist’ format certainly does elicit entertainment, but not learning from and rebuffing the same mistakes today with knowledge of past wrongdoing.

What do you guys think of Wikileaks? Of course, censorship is probably not within the interest of WL, and definitely not of me – some of the material on the site really does need to catch the public’s eye.

Filed under: Current Events | 1 Comment »

Security Review: credit cards stored in company databases

By Justin McOmie at 11:01 pm on | 6 Comments


It is now very common to do business with companies that will by default (or even as a requirement to patronize them) permanently store credit card and associated personal information in a database to help speed up future transactions or to insure themselves against liability. While this practice can sometimes be a convenience to consumers, it is worth exploring how it is a general security risk.

Assets and Security Goals:

  • The confidentiality of credit card and personal information within the database. Only authorized individuals should be able to access it, and it should be stored in a secure manner on disk.
  • The availability of the credit card number if it is needed or depended on by a patron (say, for something like Amazon’s One Click service).

Adversaries and Threats:

  • Employees of a company who may use your personal information for their own gain. At a video store, they may do something like shift their own late fees onto your credit card.
  • Outsiders who would try to retrieve your credit card or personal information. This might include people who would physically steal machines or people who would use social engineering techniques to retrieve your credit card from an unsuspecting employee.

Potential Weaknesses:

  • The employee who is the gatekeeper of the personal information is most likely not trained with security in mind and might therefore be likely to give up your personal information without proper verification.
  • The information will most likely be viewable by more than just the person who has to access it.

Potential Defenses:

  • The ultimate defense to protect oneself would be to stay “off the grid” so that there wouldn’t be any concern of private data getting into the wrong hands. Doing this, however, is becoming increasingly difficult and impractical for most people.
  • Being vigilant about credit card information. This involves auditing one’s credit card bill each month to make sure that no unauthorized charges were made.
  • Being mindful of anything that may suggest someone is trying to use your personal information or impersonate you. It’s possible that what looks like a phishing attack (mail from the bank) is actually an indication that someone has acquired personal information and is trying to use it.

Risk Analysis:

There is a very real risk that personal information will be compromised when stored in companies’ databases. Perhaps the most interesting threats are those waged by adversaries who pursue a social engineering route. There is an interesting incident recounted in Kevin Mitnick’s book “The Art of Deception” (google “art deception filetype:pdf”, p. 47) where a son is able to get his father’s credit card number from a video store in a matter of minutes without leveraging his relationship or anything personal about his father.

Conclusions:

The only practical approach consumers can take to limiting the risks that go with having credit card information in company databases (other than opting out altogether) is to be vigilant in recognizing when information might have been compromised. As consumers we have a broad range of choices to make when patronizing businesses, and ultimately the most important thing to do is to recognize one’s own habits and assess the threats accordingly.

Filed under: Security Reviews | 6 Comments »

Security Review: The Human Heart

By chrislim at 10:59 pm on | 6 Comments

As our professor has continually emphasized throughout the quarter, one of the primary aims of our course has been to go beyond technical details of current computer security in order to learn the security mindset. This new way of thinking enables us to analyze security issues in the future regardless of particular directions that technology may take. It also enables us to examine the security of less technical entities like physical locks, parking meters, etc. As I was considering some of these less technical systems, I began to realize the pervasive implications of applying the security mindset to broader aspects of life and so began my examination of the human heart.

Recently, Governor Eliot Spitzer of New York was revealed to have been involved with a prostitution ring despite his façade of crusading against white collar crime. As a result, his reputation was tarnished, his career ended and his family has been deeply hurt. Although this is just another note in the continual drumbeat of tragedies we hear about in the news, the frequency of these incidents clearly demonstrates that each of us is vulnerable to fall in similar ways. How can we defend our lives (and hearts) against being deceived into compromising our integrity and falling into these common pitfalls?

A second observation motivating this study comes from the fact that insiders are often the adversaries who cause the most damage and harm because they are trusted and by nature must have access to the assets we desire to protect. Human beings are often the weakest component of any security system. This review of the human heart will hopefully provide insight into ways to protect the integrity of trusted insiders as well as our own hearts in relation to the people who trust us.

Finally, defending the human heart has significant ramifications in every aspect of physical/computer security. Much of the violence that takes place on campuses (e.g. shootings, assault, etc.) has at its root a compromised heart (e.g. someone who has been continually hurt and lashes out in despair to cause pain to others after he/she has received so much). Many of the adversaries in computer security scenarios are motivated by financial gain, prestige, and other related incentives, which are deceptive and violate the worth and personhood of the people they attack. If people’s hearts were able to be defended, many of the human adversaries that we encounter in typical security reviews might in fact become allies; the ideas in this post are tools that can provide another layer of defense in depth.

(Read on …)

Filed under: Ethics, Integrity, Miscellaneous, Security Reviews | 6 Comments »