Thursday, January 12, 2012

Things I haven't been writing about

Due to a hectic period at work (I'm currently trying to patch a cracked standardized security scheme) I haven't managed to post anything lately.  So here's a list of subjects I wanted to write about and a short summary of my thoughts.

Iranians capture of US military drone
I like Richard Langley's theory (quoted by Wired) regarding how the Iranians may have captured the US military drone. Langley proposes that perhaps the Iranians jammed the drone's secured GPS signal which in turn caused the drone to fallback to the generally used clear GPS signal which in turn the Iranians spoofed.
If Langley's theory is correct this is yet another case of functionality (ensuring drones can find their way home) trumping security. A more secure solution would be to rely on the last secure GPS reading and using on-board hardware (e.g. an accelerometer) to estimate a delta on that. Sooner or later the secured GPS signal will come back to correct any navigation errors made due to the estimates.

Android approved by Pentagon
This misleading headline appeared on many sites, including Slashdot. This is of course nonsense - Android as a standardized security system is a security nightmare. A specific device which happens to use Android was approved by the Pentagon. The above headline is equivalent to saying that Linux was approved by the Pentagon ...

Counterfeit chips in US military hardware
If you're interested in this subject, which has come up several times over the last last few years, make sure to read Bunnie's blog post. I have a feeling that a lot of the noise on this subject is coming from western vendors who simply can't compete with the Chinese vendors.

Upcoming posts
I have two big posts that I need to complete - so stay tuned. These are:
  • A summary post on why standardized security systems fail and what needs to be done to make a truly secure standard.
  • An announcement on the publication of version 0.01 of the security failures database. Of course, I need to build the database first :-) Any help would be greatly appreciated - if you can contribute please send a message to my dedicated gmail account (security.fails.db).