Thursday, January 24, 2008

2 Billion dollars to pay for ignoring sound principle

The recent exposure of the attack on the Dutch Transit System's electronic ticketing system should be a lesson for anyone contemplating implementing any form of security in their environment and system.

As Ed Felten dissects and analyses this mess, he concludes that:
Unmasking of the algorithm should have been no problem, had the system been engineered well. Kerckhoffs’s Principle, one of the bedrock maxims of cryptography, says that security should never rely on keeping an algorithm secret. It’s okay to have a secret key, if the key is randomly chosen and can be changed when needed, but you should never bank on an algorithm remaining secret.

Unfortunately the designers of Mifare Classic did not follow this principle. Instead, they chose to combine a secret algorithm with a relatively short 48-bit key.
[...]
This kind of disaster would have been less likely had the design process been more open. Secrecy was not only an engineering mistake (violating Kerckhoffs’s Principle) but also a policy mistake, as it allowed the project to get so far along before independent analysts had a chance to critique it. A more open process, like the one the U.S. government used in choosing the Advanced Encryption Standard (AES) would have been safer. Governments seem to have a hard time understanding that openness can make you more secure.
Perhaps the organization that designed and implemented this system was warned internally by people who are aware of this kind of principle, which can be found in any cryptography text, but chose to ignore it. This is not an unusual reaction in many software organizations.

Many managers also have the view that if you can program in one area of expertise you can program in any area.

I have encountered so many mutterings like this: "We can't crack this key or reverse engineer it, so it must be secure!"

Ed Felten correctly identifies the other failure: the lack of checks and inspections in a system of this magnitude and importance. I am wondering how they can now argue that Inspection would cost their project more. This is a classic example where using Inspection (using subject experts of course) would have saved $2 billion!
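
To make the principle quoted above concrete, here is an added example (not from the original post, and not a description of how Mifare or any real transit card works): ticket records are authenticated with a published algorithm, HMAC-SHA256, so that security rests only on random 128-bit keys that can be rotated and revoked. The class name, the record format and the choice of HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

KEY_BYTES = 16  # 128-bit keys, versus the 48-bit key criticised above


class TicketAuthenticator:
    """Hypothetical issuer: public algorithm, secret random replaceable keys."""

    def __init__(self):
        self._keys = {}      # key id -> secret key bytes
        self._current = 0    # id of the key used for newly issued tickets
        self.rotate()

    def rotate(self) -> int:
        """Create a fresh random key and use it for all new tickets."""
        self._current += 1
        self._keys[self._current] = secrets.token_bytes(KEY_BYTES)
        return self._current

    def revoke(self, key_id: int) -> None:
        """Retire a key, e.g. after suspected compromise."""
        if key_id == self._current:
            self.rotate()    # never leave the issuer without a key
        self._keys.pop(key_id, None)

    def issue(self, record: bytes):
        """Return (key id, record, tag); the key id tells verifiers which key."""
        key = self._keys[self._current]
        tag = hmac.new(key, record, hashlib.sha256).digest()
        return self._current, record, tag

    def verify(self, key_id: int, record: bytes, tag: bytes) -> bool:
        key = self._keys.get(key_id)
        if key is None:      # unknown or revoked key
            return False
        expected = hmac.new(key, record, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)  # constant-time compare


def keyspace_ratio(short_bits: int, long_bits: int) -> int:
    """How many times more keys an exhaustive search must try."""
    return 2 ** (long_bits - short_bits)


if __name__ == "__main__":
    auth = TicketAuthenticator()
    kid, rec, tag = auth.issue(b"card=0001;fare=2.50")  # constructed record
    print(auth.verify(kid, rec, tag), keyspace_ratio(48, 128))
```

Publishing this code costs the operator nothing: a leaked key is handled by `rotate()` and `revoke()`, whereas a leaked secret algorithm cannot be replaced without reissuing every card.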

Wednesday, January 23, 2008

Exaggerated piracy figures admitted

An article appearing in the WSJ titled "Piracy Figures Restated" (subscription required) reports that:
In a 2005 study it commissioned, the Motion Picture Association of America claimed that 44% of the industry's domestic losses came from illegal downloading of movies by college students....
[...]
Now the MPAA, which represents the U.S. motion-picture industry, says "human error" in that survey caused it to get the number wrong. It now blames college students for about 15% of revenue loss.
[...]
He says 3% is a more reasonable estimate for the revenue at stake on campus networks.
Talk about exaggeration! 44% and 3% are poles apart. Even blind Freddy can see such a huge discrepancy. Of course the MPAA sits comfortably with using region locks and similar schemes to prevent legitimate owners of their materials from playing them in a different region.

Sunday, January 13, 2008

Do not follow the sign blindly

Don't follow this sign if you want drinks and food, unless you have strange taste: