Still on Java, Updates and Security

For unclear reasons the Java saga is continuing, and there has been more news about updates, patching and security in the last few days. Just a few items I picked up that may be of interest:

  • VMware promises better security and is considering scheduled updates (see VMware blog)
  • Apple updates its own Java version (see here) to the latest version released by Oracle, but too late, since in the meantime it had been widely exploited, with victims including Apple’s own developers, Facebook, Twitter etc. (see for example here and here)
  • At the same time it seems that until February 20th nobody (Apple, Facebook etc.) informed iPhoneDevSDK that its site had been compromised and was distributing the malware responsible for the attack mentioned above (see here for more details).

This last item leaves me quite puzzled: one of the golden rules in managing a security incident is to notify all the people and organizations involved, so why was iPhoneDevSDK not notified of what was going on?

Bypassing iOS 6.x Passcode Lock

According to JBN, with a sequence of moves it is possible to bypass the iOS 6.x passcode lock, directly access the address book and from there make calls, get emails, SMS, pictures etc.

I am just curious to know whether this is a planned “feature”, a back-door or just a bug, and in the last case how someone managed to discover it.

The security consequences for iPhone owners whose phones are stolen, lost or just borrowed should be obvious.

Redesigning Operating Systems for a New Security

I have just published on my site a short article titled “Ridisegnare i Sistemi Operativi per una Nuova Sicurezza” (“Redesigning Operating Systems for a New Security”) on the alleged need to rethink the foundations of Operating System security in order to satisfy the new security-feature requirements of the Cloud and Mobile environments. The article can be downloaded from www.ucci.it.

Decrypting your Frozen Mobile Phone

The idea is not new, but the implementation is new, interesting and eye-catching. Tilo Müller and Michael Spreitzenbarth of FAU managed to implement FROST: “Forensic Recovery of Scrambled Telephones”.

The story in brief goes like this: Android phones from version 4.0 have a built-in option to encrypt all data on the storage device. Obviously data is decrypted on the fly when needed and held unencrypted in memory (RAM). When it is not needed anymore, or the phone is turned off, all unencrypted data in RAM is very carefully deleted.

So what you do is remove the battery with the phone on and then immediately restart the phone, performing a so-called “cold boot”. In principle, by removing the power all data in RAM is lost and is kept (encrypted) only on the storage device. But it takes some (short) time for the RAM to forget all its data, and this time depends on the kind/material of the RAM chip and on its temperature. Müller and Spreitzenbarth found that if the temperature of the chip in some Galaxy Nexus devices is below 10 degrees Celsius (please put your phone in the fridge…) then you have just enough time to read the unencrypted data in RAM after the cold boot, without needing to know the password or PIN.
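The “very carefully deleted” step above is the one a clean shutdown performs and a battery pull skips. As an added example (my own code, not FROST’s and not Android’s), here is the part of that step a developer does control: zeroing key material in a way the compiler cannot optimise away, plus a check that the zeroing actually happened. The key bytes are a constructed sample; secure_wipe, is_all_zero and demo_key_lifecycle are names I chose for this illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Zero a buffer so the stores survive optimisation. A plain memset() just
 * before a buffer goes out of scope is a dead store the compiler may legally
 * drop; writes through a volatile pointer cannot be dropped. Where available,
 * explicit_bzero() or C11 memset_s() do the same job. */
void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len-- > 0) {
        *p++ = 0;
    }
}

/* Returns 1 if every byte in buf is zero, 0 otherwise. The OR-accumulate
 * scan touches every byte, so its timing does not reveal where the first
 * non-zero byte sits. */
int is_all_zero(const void *buf, size_t len)
{
    const unsigned char *p = (const unsigned char *)buf;
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= p[i];
    }
    return acc == 0;
}

/* Models the lifecycle the post describes: a disk-encryption key sits in RAM
 * while in use and is erased on a clean shutdown. The key bytes below are a
 * constructed sample, not a real secret. Returns 1 if the key was non-zero
 * before the wipe and all-zero after it. */
int demo_key_lifecycle(void)
{
    unsigned char key[16] = {
        0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
        0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
    };
    int before = is_all_zero(key, sizeof key);
    secure_wipe(key, sizeof key);
    int after = is_all_zero(key, sizeof key);
    return before == 0 && after == 1;
}

int main(void)
{
    printf("key wiped on clean shutdown: %s\n",
           demo_key_lifecycle() ? "yes" : "no");
    return 0;
}
```

The caveat is the whole point of FROST: this wipe only runs if the shutdown path runs. When the battery is pulled, nothing executes, and the only thing standing between the key and a cold boot is the remanence time of the DRAM, which the paper shows depends on temperature.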

Enjoy the pictures on their website!

More on Java, Updates and Security

Oracle has announced (see here for the official page) that on February 19th a new Java Critical Patch Update will be released which will fix the February 1st patch. But what worries me most is that the next updates are scheduled for

  • 18 June 2013
  • 15 October 2013
  • 14 January 2014.

In my opinion this indicates that Oracle has not yet managed to implement its software development and patching cycle correctly; otherwise it should have been possible to release scheduled monthly updates. We know that it is not easy to do, but Oracle’s competitors have been able to, so what is going wrong with Oracle’s software development practices?

Following IEEE Spectrum Risk Factor Blog

I enjoy following the IEEE Spectrum Risk Factor Blog; the “IT Hiccups of the Week” posts are particularly worth noting, and the “This Week in Cybercrime” posts are also good, but I usually get that news from more direct channels.

Overall, if you are interested in technology and science, consider joining the IEEE just to receive the monthly printed version of the IEEE Spectrum journal, always good and interesting reading.

Ross Anderson, Quantum Computing and fundamental Quantum Mechanics

A paper by Ross Anderson and Robert Brady on Quantum Computing, Quantum Cryptography and Quantum Mechanics has just been published here.

I personally know some of the people mentioned in the paper, who worked for many years on these aspects of fundamental Quantum Mechanics and Particle Physics. Without discussing the details of the theory proposed in this paper, I think some comments can be useful, since I worked in theoretical physics research for a good part of my life.

It is true that Bell’s inequalities and the EPR paradox have been and are the cause of many debates in fundamental theoretical physics, beginning with Einstein’s rejection of these concepts. I believe that today there is enough experimental evidence that on this point Einstein was wrong and Bell’s inequalities are violated. In other words, I believe that Quantum Mechanics is a valid description of elementary physics at the quantum scale. We know very well that (non-relativistic) Quantum Mechanics does not work e.g. at very high energy scales like the ones probed by the CERN experiments which recently led to the discovery of the Higgs particle.
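As an added illustration (not part of the original post) of what “Bell’s inequalities are violated” means, here is the CHSH form of the inequality with the quantum-mechanical prediction worked out for a spin-singlet pair. The symbols are defined here: a, a′ and b, b′ are the two measurement angles chosen on each side, and E(a,b) is the correlation between the two outcomes.

$$S = E(a,b) - E(a,b') + E(a',b) + E(a',b')$$

Any local hidden-variable model (the classical picture Einstein favoured) satisfies $|S| \le 2$. For a singlet state Quantum Mechanics predicts $E(a,b) = -\cos(a-b)$, and with $a = 0$, $a' = \pi/2$, $b = \pi/4$, $b' = 3\pi/4$:

$$S = -\tfrac{\sqrt{2}}{2} - \tfrac{\sqrt{2}}{2} - \tfrac{\sqrt{2}}{2} - \tfrac{\sqrt{2}}{2} = -2\sqrt{2} \approx -2.83$$

so $|S| = 2\sqrt{2} > 2$, which no local classical model can reproduce; the experiments referred to above measure $|S|$ above 2.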

We know very well that there is a lot we do not yet understand in Particle Physics. This could mean that Quantum Computing could be harder than we expect, due to our ignorance of some new (quantum) physics.

But I disagree with Ross Anderson this time, since I do not believe that Classical Mechanics can explain this kind of phenomenon, nor that it can show that the theory of Quantum Cryptography is flawed (implementing Quantum Cryptography in practice is a completely different story).

My 2c.