2009-12-29

The doghouse: GSM Association

It turns my stomach to see how antiquatedly defensive and counter-productive the GSM Association's response to the recent cracking of GSM encryption is:

Using the codebook, a "beefy gaming computer and $3,000 worth of radio equipment" would allow anyone to decrypt signals from the billions of GSM users around the world, he said.

Signals could be decrypted in "real time" with $30,000 worth of equipment, Mr Nohl added.

It looks like the GSMA has a mindset stuck in 1995, having completely failed to notice the evolution of security attitudes that has since taken place in the software industry. They employ the classic approach of (1) shoot the messenger, (2) downplay the problem, (3) claim they're "working" on a solution:

The GSM Association (GSMA), which devised the algorithm and oversees development of the standard, said Mr Nohl's work would be "highly illegal" in the UK and many other countries.

[...]

[T]he GSMA dismissed the worries, saying that "reports of an imminent GSM eavesdropping capability" were "common".

It said that there had been "a number" of academic papers outlining how A5/1 could be compromised but "none to date have led to a practical attack".

The association said that it had already outlined a proposal to upgrade A5/1 to a new standard known as A5/3 which was currently being "phased in".

"All in all, we consider this research, which appears to be motivated in part by commercial considerations, to be a long way from being a practical attack on GSM," the spokeswoman said.

Security research should not be illegal anywhere, and the proper response to a vulnerability is to fix it: immediately, not at some convenient time far in the future.

Gravity wells

From xkcd, a very nice, easily graspable illustration of gravity wells.

2009-12-26

The failed jet attack

Details here and here.

Note how all the security theater implemented after 9/11 failed to stop this attack.
  • Security processes were followed correctly, but did not detect the explosives in this man's underpants.
  • The man's name was checked against the "no fly" list; he wasn't on it.
  • In fact, the man was traveling on a valid US visa.
The real reason this attack failed?
  • The explosive device apparently malfunctioned. Instead of simply blowing up the plane, it merely caused a local fire.
  • When passengers smelled the fumes and saw the flames, they acted aggressively, perhaps preventing a worse outcome.

The response of the Obama administration: more security theater.

US President Barack Obama, on holiday in Hawaii, has ordered increased security for air travel.

The US Department of Homeland Security said "additional screening measures" had been put into effect since the incident.

"These measures are designed to be unpredictable, so passengers should not expect to see the same thing everywhere," Homeland Secretary Janet Napolitano said.

Prepare to be harassed and inconvenienced again for a false impression of safety.

Then again, perhaps the existing security measures did help prevent a disaster, in that they forced the perpetrators to try a poorly tested design (PETN in underpants) rather than a more conventional device (which might have worked and blown up the airliner). I just hope that the new "surprise" security measures won't again raise the frustration of air travel to a whole new level.

See also this hilarious South Park episode where Mr. Garrison invents an alternative to air travel.

2009-12-23

Please, put the patent system out of its misery

i4i. How suitable a name for a patent troll company. Another set of people who would leave the world no worse off if they were run over tomorrow by a train.

This is how it works. Register an overreaching, abstract patent whose ramifications the small brains at the patent office have no chance of understanding. They will even let you patent the wheel, for smurf's sake.

Then hire an ethically challenged lawyer (or is that a tautology?), and possibly find a cooperative judge (it's not a bribe if they can't prove it!).

Then sue the bejesus out of a big corporation, like Microsoft or Research in Motion.

The people who do this should all be dead. If they stole amounts like these in a bank robbery, they would be chased by every cop and would appear on every front page. But instead, they're doing it by abusing the legal system, and hardly anyone gives a damn.

Please put this broken patent system out of its misery.

2009-12-17

The doghouse: Predator drone does not encrypt video feed

Of all the billions that are spent on developing aircraft like the unmanned Predator drones, you would think that the designers would employ some decent encryption to protect the command channel and the video feed.

Nope.

2009-12-14

Unions destroy businesses

A fantastic example of how destructive a force workers' unions are for a business.

British Airways just recently lost 292 million GBP over a six-month period, and its two pension schemes have a combined deficit of 3.7 billion GBP. Management is handling this by freezing pay and downsizing: 1,000 employees have already left on voluntary redundancy, while 1,200 more need to leave.

The union's response? An 11-day strike over the whole Christmas and New Year period, ruining the holidays of a million customers who now can't get tickets on any other airline because everything is booked out.

Edit 2009-12-17: A judge declared the strike illegal based on a technicality. Thank smurf.