In August, Apple announced a system to check all our iPhones for illegal images, then delayed its launch after widespread pushback. Yet some governments continue to press for just such a surveillance system, and the EU is due to announce a new child protection law at the start of December. Now, in Bugs in our … Continue reading Bugs in our pockets?
Today, May 11, EU Commissioner Ylva Johansson announced a new law to combat online child sex abuse. This has an overt purpose, and a covert purpose. The overt purpose is to pressure tech companies to take down illegal material, and material that might possibly be illegal, more quickly. A new agency is to be set … Continue reading European Commission prefers breaking privacy to protecting kids
CHERI (Capability Hardware Enhanced RISC Instructions) is an architectural extension to processor Instruction-Set Architectures (ISAs) adding efficient support for fine-grained C/C++-language memory protection as well as scalable software compartmentalisation. Developed over the last 11 years at SRI International and the University of Cambridge, CHERI is now the subject of a £187M UK Industrial Strategy Challenge … Continue reading Report: Assessing the Viability of an Open-Source CHERI Desktop Software Ecosystem
In this reboot of the Three Paper Thursdays, back after a hiatus of almost eight years, I consider the many different ways in which programs can be sanitised to detect, or mitigated to prevent the use of, the many programmer errors that can introduce security vulnerabilities in low-level languages such as C and C++. We … Continue reading Three Paper Thursday: Sanitisers and Mitigators
The Wannacry malware that has infected some UK hospital computers should interest not just security researchers but also people interested in what drives fake news. Some made errors of fact: the Daily Mail initially reported the ransom demand as 300 bitcoin, or £415,000, rather than $300 in bitcoin. Others made errors of logic: the Indy, … Continue reading Bad malware, worse reporting
I’m at Princeton where Ed Snowden is due to speak by live video link in a few minutes, and have a discussion with Bart Gellman. Yesterday he spent four hours with a group of cryptographers from industry and academia, of which I was privileged to be one. The topic was the possible and likely countermeasures, … Continue reading Meeting Snowden in Princeton
I was intrigued this morning to see on the front page of the Guardian newspaper a new revelation by NSA whistleblower Edward Snowden: a US eavesdropping technique “DROPMIRE implanted on the Cryptofax at the EU embassy [Washington] D.C.”. I was even more intrigued by an image that accompanied the report (click for higher resolution): Having … Continue reading Eavesdropping a fax machine
It has been four or five months since NatWest launched a new function in its mobile phone app – GetCash. The goal is to allow customers to withdraw cash from NatWest’s ATMs without a debit or credit card. The app receives a six-digit code that customers can type into an ATM to get as much as £100 at a time. I am not sure how useful it is as I personally forget my mobile phone more often than my wallet, but it appears that some crooks found it very useful indeed.
Over a year ago, we blogged about a bug at Gawker which replaced all non-ASCII characters in passwords with ‘?’ prior to checking. Along with Rubin Xu and others I’ve investigated issues surrounding passwords, languages, and character encoding throughout the past year. This should be easy: websites using UTF-8 can accept any password and hash … Continue reading Of contraseñas, סיסמאות, and 密码
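The Gawker-style bug described above, as an added example that is not part of the original post and is a reconstruction of the described behaviour rather than Gawker's actual code: a password check that replaces every non-ASCII character with '?' before hashing collapses all passwords of the same length in a non-Latin script into one equivalence class, so an attacker who sends the right number of '?' (or any other characters in that script) is accepted. The hardened version beside it NFC-normalises and UTF-8-encodes the password, so every character survives into the hash. The sample passwords are the three from the post's title, and the salt, iteration count and function names are this example's own choices.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed sample passwords in three scripts (not real credentials).
SAMPLE_PASSWORDS = ["contraseñas", "סיסמאות", "密码"]

# Low iteration count so the demo runs quickly; use a far higher one,
# or a memory-hard KDF, in production.
ITERATIONS = 10_000


def buggy_encode(password: str) -> bytes:
    """Encoding step of the bug described above: every character outside
    ASCII is replaced by '?' before the password reaches the hash.
    (Reconstruction of the described behaviour, not the site's real code.)"""
    return password.encode("ascii", errors="replace")


def buggy_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", buggy_encode(password), salt, ITERATIONS)


def buggy_verify(stored: bytes, salt: bytes, attempt: str) -> bool:
    return hmac.compare_digest(stored, buggy_hash(attempt, salt))


def collapsed_form(password: str) -> str:
    """What the buggy site actually checks: the password with every
    non-ASCII character turned into '?'. Any attempt with this shape passes."""
    return buggy_encode(password).decode("ascii")


def safe_encode(password: str) -> bytes:
    """Hardened step: NFC-normalise so that the same visible string typed
    on different platforms yields the same code points (the approach taken
    by RFC 8265's OpaqueString profile), then UTF-8-encode, which can
    represent every character, so nothing is silently dropped."""
    return unicodedata.normalize("NFC", password).encode("utf-8")


def safe_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", safe_encode(password), salt, ITERATIONS)


def safe_verify(stored: bytes, salt: bytes, attempt: str) -> bool:
    return hmac.compare_digest(stored, safe_hash(attempt, salt))


def demo() -> dict:
    """For each sample password, try the collapsed form ('?' for each
    non-ASCII character) against both verifiers. Returns
    {password: (buggy_accepts_collapsed, safe_accepts_collapsed)}."""
    salt = os.urandom(16)
    results = {}
    for pw in SAMPLE_PASSWORDS:
        guess = collapsed_form(pw)  # attacker needs only the length/shape
        results[pw] = (
            buggy_verify(buggy_hash(pw, salt), salt, guess),
            safe_verify(safe_hash(pw, salt), salt, guess),
        )
    return results


if __name__ == "__main__":
    for pw, (buggy_ok, safe_ok) in demo().items():
        print(f"{pw!r}: collapsed to {collapsed_form(pw)!r}; "
              f"buggy check accepts it: {buggy_ok}, hardened check accepts it: {safe_ok}")
```

Note that "contraseñas" is only partly affected (it becomes "contrase?as"), while the Hebrew and Chinese passwords collapse entirely to runs of '?', which is why the original bug hit non-Latin-script users hardest. The NFC step also makes "ñ" typed as a precomposed character and as "n" plus a combining tilde hash identically; whether to normalise at all is a design choice, but whatever the choice, it must be applied consistently at registration and at login.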
I’ve written quite a few posts about passwords, mainly focusing on poor implementations, bugs and leaks from large websites. I’ve also written on the difficulty of guessing PINs, multi-word phrases and personal knowledge questions. How hard are passwords to guess? How does guessing difficulty compare between different groups of users? How does it compare to … Continue reading The science of password guessing