Current Topic: Computer Security |
|
Remotely Counting Machines behind a NAT box (PDF) |
|
|
Topic: Computer Security |
7:04 pm EST, Feb 5, 2003 |
Steven Bellovin is at it again. This time he is paying his keep at Lucent, and the implications are rather disturbing all around. Remotely Counting Machines behind a NAT box (PDF) |
|
Perspective: The first 'e-war' |
|
|
Topic: Computer Security |
1:18 am EST, Feb 5, 2003 |
] The Supreme Court has always held that what is reasonable ] depends on context. If you're in a situation where people ] are being killed and you're trying to save lives, you can ] be more intrusive...Protecting the state is a higher ] duty. To say otherwise is to sacrifice the ends to the ] means. If you're unwilling in times of crisis to depart ] from the law, and you lose your freedom, you've done no ] service to anyone. Perspective: The first 'e-war' |
|
Security and Privacy in Ubiquitous Computing |
|
|
Topic: Computer Security |
12:37 am EST, Feb 5, 2003 |
] Like most information technologies, Mobile and Ubiquitous ] Computing carries a number of security and privacy ] implications. We feel that care should be taken to ] consider these issues when designing Ubicomp systems. In ] this report we will enumerate a number of the privacy ] concerns in Ubicomp and provide a philosophical ] discussion of the importance of addressing these ] problems. In considering these problems we have found ] that a number of Ubicomp techniques are in fact well ] suited to solving security and privacy problems that ] arise in Ubicomp. We will discuss some of these ] techniques in the hope of inspiring further ] consideration. Systems described include a secure RF-ID ] system, an architecture for setting privacy levels based ] on context, and a wearable cryptographic authenticator. This is probably the coolest paper I've ever written, and for one of the coolest classes I ever took. I'm linking this here because I've had to dig it out of Georgia Tech's site twice now and I figure it ought to be easy to find... Security and Privacy in Ubiquitous Computing |
|
Bush Approves Cybersecurity Strategy (TechNews.com) |
|
|
Topic: Computer Security |
3:32 pm EST, Jan 31, 2003 |
] President Bush has approved the White House's ] long-awaited national cybersecurity strategy, a landmark ] document intended to guide government and industry ] efforts to protect the nation's most critical information ] systems from cyberattack. ] ] In an e-mail sent Thursday to White House officials, ] cybersecurity adviser Richard Clarke said that the ] National Strategy to Secure Cyberspace has received ] Bush's signature and will be released to the public in ] the next few weeks. After all the controversy about possible revised versions of this document, you mean to tell me that they fucking approved it without allowing public comment on the final draft?! If this thing is significantly different from the version they posted online in October, then you can rack this up as the administration giving the security industry, and the public at large, a big middle finger. This is NOT democratic, and if they think for one second that they have all the right answers we are in a lot of trouble. (Slightly reminded of the military establishment's opinion of Rumsfeld.) Bush Approves Cybersecurity Strategy (TechNews.com) |
|
[IP] Fast factoring hardware |
|
|
Topic: Computer Security |
12:20 pm EST, Jan 25, 2003 |
] Based on a detailed design and simulation (but without an ] actual implementation), we believe that the NFS sieving ] step for 1024-bit RSA keys can be completed in less than ] a year on a $10M TWIRL machine, and that the NFS sieving ] step for 512-bit RSA keys can be completed in less than ] 10 minutes on a $10K TWIRL machine. Time to up those key sizes again. [IP] Fast factoring hardware |
|
IBM claims TCPA is NOT a 'Fritz Chip.' |
|
|
Topic: Computer Security |
11:28 pm EST, Jan 23, 2003 |
] This white paper responds point by point to several ] papers and web pages which have criticized the TCPA chip ] based on misunderstandings and incorrect analysis. This is an interesting paper. I'd like to see a response from Ross Anderson. Essentially, what it argues is that the capabilities that could be imagined for using TCPA chips as Fritz chips do not exist. A strong, but incomplete, argument is also made that DRM is not practical in the TCPA framework as it currently exists. Microsoft's Palladium effort is claimed to involve a different chip which is similar, but not exactly the same. It is not known if Palladium will support TCPA. I think this is enough to say that it's worth taking another look at TCPA. This analysis is not clear enough to say that I would recommend buying it. I want to know exactly how impractical DRM is in TCPA, and I want to know exactly what you can and cannot do with the endorsement key. As my computer is secure to the extent that I control what it does and for whom, DRM and security are mutually exclusive. I will not buy a computer that enables third parties to absolutely subvert my control. If it can be demonstrated that TCPA cannot be used for this purpose, then I'll buy one. IBM claims TCPA is NOT a 'Fritz Chip.' |
|
The Open Web Application Security Project |
|
|
Topic: Computer Security |
2:10 pm EST, Jan 13, 2003 |
] "The Open Web Application Security Project (OWASP) is ] dedicated to helping organizations understand and improve ] the security of their web applications and web services. ] This list was created to focus government and industry on ] the most serious of these vulnerabilities." This top ten list is particularly well done. The Open Web Application Security Project |
|
DOD Computer Hacker Poster |
|
|
Topic: Computer Security |
1:21 am EST, Jan 11, 2003 |
This is a good laugh. Just follow the link... DOD Computer Hacker Poster |
|
ITworld.com - Xbox encryption key hackers revive effort |
|
|
Topic: Computer Security |
1:07 pm EST, Jan 9, 2003 |
] "The Neo Project, a group of distributed computing ] enthusiasts, on Wednesday said on its Web site that it ] had resumed its attempt to crack an encryption key used ] to digitally sign software for Microsoft Corp.'s Xbox ] video game console." So, this is the first example of someone cracking a real key via distributed means. Of course, Microsoft could easily shut this down, but that may prompt moves to develop distributed cracking systems that are themselves secure from attack. ITworld.com - Xbox encryption key hackers revive effort |
|
Topic: Computer Security |
1:16 pm EST, Dec 30, 2002 |
Although most of the articles in the new Phrack consist of more boring papers on buffer overflows, this article is interesting. How to jam civilian GPS receivers. There is also an entertaining article about how traffic lights work... Phrack: Jamming GPS |
|