What’s in a name if it’s transparent? The concept of a “name” has always been an important part of interactivity due to the convenience of association. We use names to keep people and things distinct when we reference them. Beyond that, their significance can be magnified by the value we place on them (e.g. exorcisms, Rumpelstiltskin). It stands to reason that one’s true name, being something of value, would be protected to some extent. We typically accomplish this simply by sharing it selectively, or by using a partial name or a nickname. Our experiences online aren’t much different; pseudonyms have long been part of the fabric of the Internet and are basically e-nicknames. Handles, monikers, and ICQ numbers have all[…]

Black Hat Briefings have been going on all this week, with the expected announcements of vulnerabilities, tools, and other fun. I refuse to go to Vegas for health reasons, so I often miss out on Black Hat and Defcon. But this week, the one announcement that has me interested is that SMS messages are being used to unlock cars and start them – specifically the Subaru Outback. They also demonstrated that car unlocking isn’t the only capability that SMS messages have. Pretty much anything that uses the GSM network for communication may be vulnerable – electric meters, traffic lights, GPS-tracking, etc. With more and more devices being “always connected”, I suspect we’ll see more problems. And these are the kinds[…]

The UCLA Health System was just fined $865,000 for HIPAA violations. That probably sounds like an awful lot, but in truth it isn’t. It’s awfully difficult to find exact figures on regulatory fines – companies tend to be rather tight-lipped on the subject, after all. But on the scale of companies and business fines, and knowing that companies in general, and hospitals in particular, are generally good at cushioning themselves against such damage, it’s just not that much. Also, HIPAA is considered something of a paper tiger. Although HIPAA was passed in 1996, there weren’t any fines issued until 2006. While there have been quite a few fines and even criminal prosecutions since then, and the UCLA fine is the[…]

Disclaimer: I am *not* a mathematician. I just happened to take a Number Theory class from an awesome professor (Dr Blakley) at Texas A&M. When I took Dr Blakley’s Math 673 class, I was in over my head at first (and probably still would be if I hadn’t seen the applications of the topics in his class since taking his class). Unfortunately, I graduated and didn’t get to take the second part of the course, which friends told me was just as good as the first part. We learned about polynomial math, and at the time, I had no clue what it could be used for…. Then a friend linked me to this awesome stick figure explanation of AES. Once[…]

If you haven’t heard already about the PlayStation Network compromise, you should pay attention if you have a PS3 and use PSN. Your PSN online ID, name, address and birthdate have all been compromised, and (potentially) your secret questions, and credit card numbers. What I don’t understand is why Sony can’t definitively tell us that the secret questions and answers or the credit card numbers have been stolen? PCI rules require strict controls over the CC information, and the PAN (CC number) must be stored *unreadable* Render PAN, at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, in logs) by using any of the following approaches: • One-way hashes based on strong cryptography • Truncation[…]

While the software industry continues to make strides in the area of security and data protection, the hardware industry shouldn’t be underestimated. With the announcement of storage devices like Toshiba’s MK-61GSYG hard disk drives, it may only be a matter of time before we see even more creative security features for hardware (due, in part, to industry-wide adoption of standards). Toshiba’s harddrive comes with some interesting security tricks, including the ability to configure the disk to erase itself when connected to an unauthorized host, and the ability for the drive to self-encrypt without relying on the host computer’s operating system for cryptographic operations. Most of the features are drawn from the standards found in the Opal Security Subsystem Class (SSC)[…]