2009
10.28
Should I buy that gadget?  Should I not?

For all who buy gadgets, geek or not ;)

(via Alltop, BuzzFeed)

2009
10.28
The friendly room cleaner, potentially no longer that friendly

Invisible Things Lab (founded by Joanna Rutkowska, who came up with the controversial Blue Pill) has released the Evil Maid tool. This tool is aimed at grabbing the passwords needed to decrypt entire hard drives using TrueCrypt.

The simplest mitigation from their list would be to physically secure the laptop when left unattended (i.e. shut it down and lock it up). In addition, it’s a good idea to remove external drives from the BIOS boot sequence, and to set the BIOS to ask for a password whenever it boots up.

There’s another thing that can be done by the end user, though that needs to be properly managed too.  Read the entry for details.

How the Evil Maid USB works
The provided implementation is extremely simple. It first reads the first 63 sectors of the primary disk (/dev/sda) and checks (looking at the first sector) if the code there looks like a valid TrueCrypt loader. If it does, the rest of the code is unpacked (using gzip) and hooked. Evil Maid hooks the TC’s function that asks the user for the passphrase, so that the hook records whatever passphrase is provided to this function. We also take care of adjusting some fields in the MBR, like the boot loader size and its checksum. After the hooking is done, the loader is packed again and written back to the disk.
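Since the tool rewrites the first 63 sectors of the disk, one check a user can run is a per-sector hash of that boot region against a baseline taken while the machine was known good. The following is an added example, not code from Invisible Things Lab or from this blog; the disk contents it works on are constructed for the demo, and `read_boot_region` is only there to show how the same functions would be pointed at a real device.

```python
import hashlib

SECTOR_SIZE = 512
BOOT_SECTORS = 63          # the region the Evil Maid tool reads, patches and writes back
REGION_LEN = SECTOR_SIZE * BOOT_SECTORS

def sector_digests(region: bytes) -> list:
    """SHA-256 of each of the first 63 sectors; a short region is zero-padded."""
    region = region[:REGION_LEN].ljust(REGION_LEN, b"\x00")
    return [hashlib.sha256(region[i:i + SECTOR_SIZE]).hexdigest()
            for i in range(0, REGION_LEN, SECTOR_SIZE)]

def changed_sectors(baseline: list, current: list) -> list:
    """Indices of sectors whose digest no longer matches the trusted baseline."""
    return [i for i, (old, new) in enumerate(zip(baseline, current)) if old != new]

def read_boot_region(device_path: str) -> bytes:
    """Read the first 63 sectors of a disk or image (e.g. /dev/sda, needs root)."""
    with open(device_path, "rb") as disk:
        return disk.read(REGION_LEN)

# --- constructed sample data standing in for a real disk --------------------
def sample_boot_region() -> bytes:
    """Fake 63-sector region: sector 0 ends in the 0x55AA MBR signature,
    sectors 1..62 hold a dummy loader body. Constructed for this demo only."""
    mbr = b"\x00" * 510 + b"\x55\xAA"
    body = bytes((i * 7) & 0xFF for i in range(REGION_LEN - SECTOR_SIZE))
    return mbr + body

def tampered_boot_region() -> bytes:
    """The same region after sector 0 and part of the loader body (sectors 4-5)
    were rewritten, i.e. the kind of change described above. Constructed."""
    region = bytearray(sample_boot_region())
    region[0:4] = b"\xEB\x3C\x90\x00"                       # first sector altered
    region[4 * SECTOR_SIZE + 16:5 * SECTOR_SIZE + 16] = b"\xFF" * SECTOR_SIZE
    return bytes(region)

def demo() -> list:
    """Baseline the clean region, then diff the tampered one against it."""
    baseline = sector_digests(sample_boot_region())
    return changed_sectors(baseline, sector_digests(tampered_boot_region()))

if __name__ == "__main__":
    print("changed sectors:", demo())   # [0, 4, 5]
```

Keep the baseline somewhere the laptop cannot reach (a printout or a separate device), since a baseline stored on the same disk can be rewritten along with the loader.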

Edit: More discussion at Schneier’s blog post.

2009
10.22

Quoting from Schneier here:

Security warnings are often a way for the developer to avoid making a decision. “We don’t know what to do here, so we’ll put up a warning and ask the user.” But unless the users have the information and the expertise to make the decision, they’re not going to be able to. We need user interfaces that only put up warnings when it matters.

Pretty true. People get irritated by incessant warnings that turn out not to matter, pay less or no attention to them, and when a real warning finally comes, the user glosses over it and clicks “Allow”.

A couple of classic examples would include “The Boy Who Cried Wolf”, and using self-signed/invalid/expired/revoked SSL certificates on a production site. I’ve seen the SSL certificate one occurring on a site belonging to an MNC, heh ;)