NBNBNB This post contains various hints at arcane actions. For reasons which will be obvious these are obfuscated severely. PLEASE DO NOT discuss these onlist. email me offlist if you wish - but I will not be handing out any related ideas. > > Dangerous work. One could say that code protection only keeps honest > > people honest. I used to tell people something along those lines. It seems to have largely have dropped out of my auto-repeat vocab in recent years. I hate passwords, encryption and security systems that people and systems insist I have. I'm very happy to be offered a range of tools and given the options of what to use. I had to de-de-verify myself with Visa from mid China after my wife and my dual carded single channelled VISA account asked her for a V.W.V. code, which she obligingly supplied, thereby unknowingly trashing mine. I understand why VWV is there, but so far it has caused me a number of problems and it's not obvious that it has probably done me any good. (ie I don't know what the black hats have been doing unsuccessfully, but it seems likely that they would still not have succeeded without VWV on my account. I've had security compromised twice that I'm aware of. And N times that I'm unaware of. ( 0 <=3D N < K. K unknown)( :-) ) Once I probably had a GMail password sniffed when used on Hong Kong airport's free WiFi. Somebody or something changed the password between HK and wherever I was going next. If it was a person they were not astute and/or fast enough to also reset the password restore feature - or less fast than I. Stupid of them. Next trip I installed Comodo's secure WiFi pipe product. Not free. Comodo's bread and butter includes selling SSL certificates - they should [tm] know what they are doing. Other breach was via an internet purchase of an MP3 from a UK site for a funeral. My card details were subsequently used illicitly in Europe. The bank did far more damage than the thief by closing that account, immediately wiping all online records and offering no redress. If you want sensible risk management you may wish to avoid BNZ VISA. I am confident that I would have a very good chance of stopping a standard passenger inter or intra continental aerial transport system at any spot of my choice with me on board, including within the land of the free, after having been checked over thoroughly by the friendly people whose job it is to stop people doing this. Please do NOT clarify that statement on list OR speculate on methods. Needless to say I have absolutely no intention or desire to do this, just note that it seems "not too hard". And no - absolutely no clues from me re how, on list or off. The main point is, that if I THINK I could probably achieve this there should be any number of professionals who surely could. The great question is Fermi's paradox viz "Where are they?"I guess the existing security weeds out the low level wannabees, but it's hard to believe that it can stop a concerted assualt by dedicated professionals. Or Engineers :-). [[Bonus - I reckon I could drop GGB into SFB for 'not much'. What ARE the baddies thinking of these days.]][[NO. No clues. But if you think you can do it I understand that the FBI are interested in your ideas to help improve their responsiveness. Really.]] > I like that this sort of stuff is done. > Trying to break protections I believe actually serves the public > interest. We often blindly trust that whatever protection there is > actually works. When someone figures out a way to circumvent the > protection I can actually make an informed decision as to how secure the > protection is. > > Consider a case where code protection is important: If one chip's > protection can be broken by a glitchy reset, while anothers can only be > broken by removing the top with acid and shining a UV light in sideways, > guess which chip I'm likely to choose? Long ago Apple [tm] sponsored a university to study whether it was possible to create an unbreakable software security system. (aka rights management). Thy concluded that it was impossible. To that add the proviso "... using software alone". Long ago I considered that I had arrived at a (obvious enough) program securing method, which used a combination of mechanical and cryptographic means, which could virtually guarantee the security of a programmed device from "hacking" using any reasonably conceivable means of attack. I shared the method on an informal NDA basis with a few friends. One subsequently proposed that we co write a paper on it for presentation at an overseas conference (twas only Oz :-) ). He as lead author and me as co author. My contribution was the original idea, the basic proof of concept descriptions etc and the name =3D Ninox. After "Ninox Novaseelandii" (Gargoyle knows) - it sees in the dark :-). I think he may have received funding to attend the conference to present the paper. He subsequently told me that for whatever reason he had decided to leave my name off the paper. He did. Conclusion: Security systems need to protect you from attack from the darndest* places. We're still friends :-). I think that a number of people have implemented similar schemes since - probably wholly independently. * Just noted that darndest and damdest look the same in this font. ie d a r n d e s t & d a m d e s t Now damdest is not a word AFAIK (ie <> damndest), but interesting Gargoyles. Well, fancy that. I actually get mention as "an associate" here :-) http://search.informit.com.au/documentSummary;dn=3D409980673= 807340;res=3DIELENG 1987! Wow. Source: In: Conference on Computing Systems and Information Technology (1987 : Brisbane, Qld.). Conference on Computing Systems and Information Technology 1987: Preprints of Papers. Barton, ACT: Institution of Engineers, Australia, 1987: 151-155. Document Type: Conference Paper ISBN: 0858253488 Abstract: This paper describes a software protection system which will probably become widely used over the next few years in an effort to control the software piracy problems experienced by the developers of microcomputer software. The system described was developed by the author and an associate. A number of other researchers have independently come up with similar techniques, but we believe that the work described in this paper includes some useful new developments. We have called the system Ninox. The system uses a serialized device in each computer system and provides facilities so that software supplied to the user will be able to execute only on the user's machine and it is effectively impossible for the software to be modified to execute on another machine. Public key cryptography is used to encrypt programs and a method of program distribution is described. The paper also examines some of the difficulties with the system and suggests some of the methods by which the system might be attacked and how it stands up to these attacks. Whatever. > I find this is also true with these massively publicized breaches of > companies like Sony. Until now big companies have only had to SAY they > protect their info, there was no third party confirmation that the > protections were worth anything. "Pretty good" security can be implemented in such systems with very little cost at all. Any realistic system may not withstand brute force attack available to people with very significant multi processor resources, such as eg any suitably competent hacker with an internet to hand, but would greatly slow down Joe hacker in the street. > Now companies are SLOWLY starting to realize that if they don't properly > secure their systems, they will be breached, and will suffer the > consequences. I like that. All systems break. Time is the only variable. > Sony stored millions of user passwords in plain text. No-one knew that > until they were breached. That little tidbit of insanity has permanently > made my choice with regards to Sony products. It doesn't matter which way you arrive at the decision, its ending up making the right choice that matters. (I use a Sony DSLR :-) ). Russell -- http://www.piclist.com PIC/SX FAQ & list archive View/change your membership options at http://mailman.mit.edu/mailman/listinfo/piclist .