Project Management and Boeing’s 787 Battery Blues

I found this article by Prof. Tang and Zimmerman, and this interview with Prof. Tang, interesting: they deal with complex project management of the kind needed to build the 787 Dreamliner, and with the problems and risks associated with it.

Needless to say, I wonder what would come out of looking at the IT part of this project. We know that IT projects are almost by definition exceedingly over budget, outrageously behind schedule and full of bugs. Add to this that for the 787 Dreamliner detailed requirements, specifications and integration have been left to tier 1 suppliers, and that for the first time ever the entertainment system is on the same network as the flight-control system, and I am not sure what the final outcome has been. On the other hand, if the IT part of the project has come out right, I believe we have a lot to learn from it.

Still on Java, Updates and Security

For unclear reasons, the Java saga is continuing, and there has been more news about updates, patching and security in the last few days. Just a few items I picked up that may be of interest:

  • VMware promises better security and is considering scheduled updates (see the VMware blog)
  • Apple updates its own Java version (see here) to the latest version released by Oracle, but too late, since in the meantime the vulnerability has been widely exploited, with victims including Apple’s own developers, Facebook, Twitter etc. (see for example here and here)
  • At the same time it seems that until February 20th nobody (Apple, Facebook etc.) informed iPhoneDevSDK that its site had been compromised and was distributing the malware responsible for the above-mentioned attack (see here for more details).

This last piece of news leaves me quite puzzled: one of the golden rules in managing a security incident is to notify all the people and organizations involved, so why was iPhoneDevSDK not notified of what was going on?

Bypassing iOS 6.x Passcode Lock

According to JBN, with a sequence of moves it is possible to bypass the iOS 6.x passcode lock and directly access the address book, and from there to make calls and get at emails, SMS, pictures etc.

I am just curious to know whether this is a planned “feature”, a backdoor or just a bug, and in the latter case how someone managed to discover it.

The security consequences for owners of iPhones that are stolen, lost or just borrowed should be obvious.

Redesigning Operating Systems for a New Security

I have just published on my site a short article entitled “Ridisegnare i Sistemi Operativi per una Nuova Sicurezza” (Redesigning Operating Systems for a New Security) on the alleged need to rethink the foundations of Operating System security in order to meet the new security functionality requirements arising in Cloud and Mobile environments. The article can be downloaded from www.ucci.it.

Decrypting your Frozen Mobile Phone

The idea is not new, but the implementation is new, interesting and eye-catching. Tilo Müller and Michael Spreitzenbarth of FAU have implemented FROST: “Forensic Recovery of Scrambled Telephones”.

The story in brief goes like this: Android phones from version 4.0 have a built-in option to encrypt all data on the storage device. Obviously data is decrypted on the fly when needed and held unencrypted in memory (RAM). When it is not needed anymore, or the phone is turned off, all the unencrypted data in RAM is very carefully deleted.

So what you do is remove the battery with the phone on and then immediately restart the phone, performing a so-called “cold boot”. In principle, by removing the power all data in RAM is lost and is kept (encrypted) only on the storage device. But it takes some (short) time for the RAM to forget all its data, and this time depends on the kind/material of the RAM chip and on its temperature. Müller and Spreitzenbarth found that if the temperature of the chip in some Galaxy Nexus devices is below 10 degrees Celsius (please put your phone in the fridge…), there is just enough time to read the unencrypted data in the RAM after the cold boot, without needing to know the password or PIN.
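The step that makes a cold-boot dump useful is finding the disk-encryption key inside it: an expanded AES key schedule is highly structured, so one can treat every 16-byte window of the image as a candidate key, expand it, and check whether the following 160 bytes are its schedule. The example below is an added illustration written for this post, not FROST’s own tooling; the RAM image it scans is constructed (seeded pseudo-random filler with a FIPS-197 sample key planted at an arbitrary offset), and the bit flips it tolerates are a simplified stand-in for the remanence decay that the fridge trick slows down.

```python
"""Added example (not FROST's own code): locate an AES-128 key in a RAM image
by finding its expanded key schedule, tolerating a few decayed bits."""
import random


def _gf_mul(a, b):
    """Multiply two GF(2^8) elements modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox():
    """Derive the AES S-box (field inverse, then the affine map) rather than hard-coding it."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0) if x else 0
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()
SCHEDULE_LEN = 176  # 11 round keys of 16 bytes for AES-128


def expand_key(key):
    """FIPS-197 key expansion for a 16-byte key; returns the 176-byte schedule."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = list(key)
    rcon = 0x01
    for i in range(4, 44):
        t = w[(i - 1) * 4:i * 4]
        if i % 4 == 0:  # RotWord, SubWord, XOR with Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _gf_mul(rcon, 2)
        w += [w[(i - 4) * 4 + j] ^ t[j] for j in range(4)]
    return bytes(w)


def find_aes128_keys(dump, max_bit_errors=0):
    """Slide over the image; each 16-byte window is a candidate key, and the
    160 bytes after it must match the candidate's schedule within
    max_bit_errors flipped bits (decay after the cold boot). Returns
    (offset, key) pairs."""
    hits = []
    for off in range(len(dump) - SCHEDULE_LEN + 1):
        candidate = bytes(dump[off:off + 16])
        expected = expand_key(candidate)[16:]
        observed = dump[off + 16:off + SCHEDULE_LEN]
        errors = 0
        for a, b in zip(expected, observed):
            errors += bin(a ^ b).count("1")
            if errors > max_bit_errors:
                break
        if errors <= max_bit_errors:
            hits.append((off, candidate))
    return hits


def build_sample_dump(key, key_offset, size=2048, flipped_bits=(), seed=1):
    """Constructed RAM image (assumption, not a real dump): seeded pseudo-random
    filler with the key schedule planted at key_offset; flipped_bits are bit
    positions relative to the schedule start, toggled to mimic decay."""
    rng = random.Random(seed)
    dump = bytearray(rng.getrandbits(8) for _ in range(size))
    dump[key_offset:key_offset + SCHEDULE_LEN] = expand_key(key)
    for bit in flipped_bits:
        dump[key_offset + bit // 8] ^= 1 << (bit % 8)
    return bytes(dump)


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 sample key
    image = build_sample_dump(key, key_offset=700, flipped_bits=(200, 777))
    print("exact match:", find_aes128_keys(image))
    print("tolerating 2 bit errors:", find_aes128_keys(image, max_bit_errors=2))
```

Two things worth noticing when running it: with no tolerance the decayed image yields nothing, while allowing two bit errors recovers the key at the planted offset; and the tolerance only helps when the decay hits the schedule rather than the 16 key bytes themselves, which is why real cold-boot tools reconstruct the key from the redundancy of the whole schedule instead of trusting any one window, and why cooling the chip (fewer flipped bits) matters so much.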

Enjoy the pictures on their website!

More on Java, Updates and Security

Oracle has announced (see here for the official page) that a new Java Critical Patch Update will be released on February 19th, which will fix the February 1st patch. But what worries me most is that the following updates are scheduled for

  • 18 June 2013
  • 15 October 2013
  • 14 January 2014.

In my opinion this indicates that Oracle has not yet managed to implement its software development and patching cycle correctly; otherwise it should have been possible to release scheduled monthly updates. We know that it is not easy to do, but Oracle’s competitors have been able to, so what is going wrong with Oracle’s software development practices?

Following IEEE Spectrum Risk Factor Blog

I enjoy following the IEEE Spectrum Risk Factor Blog; the “IT Hiccups of the Week” posts are particularly worth noticing, and the “This Week in Cybercrime” posts are also good, but I usually get that news from more direct channels.

Overall, if you are interested in technology and science, consider joining the IEEE just to receive the monthly printed edition of IEEE Spectrum, always good and interesting reading.