Pull Crypto Keys from My Cold (Dead) RAM Chips!

February 23rd, 2008

So perhaps you want to ensure the privacy of your computer files and encrypt them, or perhaps simply just encrypt the entire disk. You certainly can, but where do you store your crypto keys (on a USB stick?), in a TPM, encrypted on the disk? But at some point in time, it does not really matter, because the crypto keys will likely be copied to RAM so that they can be used to encrypt/decrypt the files… and it’s possible to dump the memory in RAM itself. So you may think that just powering off the PC will effectively erase the RAM – and your crypto keys are gone right? … well, not entirely, as some CS students at Princeton have revealed and was reported on news.com by politechbot journalist Declan McCullagh.

One thing I’ve always been curious about, is just “how long” does the data persist on “DRAM” chips after the system power is shut down. (When referring to “RAM” in a PC, this usually means DRAM or “Dynamic” RAM as opposed to SRAM or “Static” RAM, which has different properties.) Unfortunately I still do not understand the ‘exact’ physics details as to how RAM works (I assume it’s stored magnetic/electrical charge). What is fascinating to me though, is that the RAM can be read after power is lost and also that it can be read nearly perfectly for up to 10 minutes or longer after power loss if cooled properly! Peter Gutmann revealed this even back in his famous 1996 publication on secure deletion, but I’m impressed that students were able to finally test these results and publish them to the public!

Make History Tomorrow – Nov 5th!

November 4th, 2007


The cost of a “Ron Paul – Hope for America” bumper sticker: $3
The cost of a Ron Paul for President T-shirt: $11-25 (other T’s Revolution, Zazzle 100% proceeds to Ron Paul)
The cost of a 12″x18″ Ron Paul 2008 car magnet: $39
The cost of liberty and justice: PRICELESS

“This message is powerful!” – Ron Paul
Let’s help get the message out to the main stream media and the rest of our American brothers and sisters not watching YouTube and reading about Senator Dr. Ron Paul online!

Is LIBERTY worth $100 to you? $200, $500, $1000? Let’s make History!
This November 5th… join me in contributing $100 or more to Ron Paul and the message of Liberty and Justice for all! This is a Revolution – it’s time to take back the U.S. Constitution!

See also: Ron Paul Nation, and in particular the many videos online at freeme.tv and on youtube RonPaul2008dotcom.
Mark November the 5th and speak for Freedom!!!

Remember V’s message to the nation in the film V for Vendetta… here is V for Vendetta Speech to the nation:


June 7th, 2006

In the online blogging world, there’s a new synonym for SSO, and it’s name is sxore! Well, actually the protocol/architecture is sxip (see faq) and sxore is the “identity and reputation system for blog authors” but sxore.com also provides the “homesite” functionality now for me to manage my online identity in the blogging world!

I’ve just started hearing about Identitiy 2.0 since discovering Dick’s OSCON ’05 presentation, but his latest presentation Who is the Dick on your site? really got my attention — with a demo of a super-easy to install WordPress plugin — so that I had to drop everything to immediately turn my blog into a “membersite” for others to post to! Waiting for my first sxore-powered commentor!

First Thoughts:

Similar to drupal’s distributed authentication system where you could comment on a blog from any drupal account. (apparently there were some problems?) Unfortunately, this required the “membersite” and “home/base-site” to be running drupal. I’m patiently awaiting for the free “homesite”* software release so that I can store my identity information on my own server. =)

How long do you think before google tries to buy this one up? Likely they’ll quickly find a way to painlnessly integrate your google account into the SXIP framework. =)

*Update: posted too soon, just found the homesite 2.0 software on the sxip.org Downloads page. =) I save that for tomorrow! * re: terms “homesite” == “Identity Agent”, “membersite” == “Identity Consumer”, and I believe the homsite acts as an “Identity Issuer” as well.

IEEE SP 2006

May 28th, 2006

The IEEE Security & Privacy 2006 conference was held this week from May 22-24 at the Claremont Resort in Berkeley, and I was there! Our professor, Dr. Irvine, invited us to volunteer at the conference to help with registration and thus get to check out some of the latest research going on in computer security. The conference was quite a success this year with over 240 in attendance, up for under 200 last year – and partly because there were more papers presented this year. There were several great short papers and “works in progress” presented that provided a more diverse picture of current research and livened up the tone a bit from the long 30min paper presentations. One downside to the large success, is that we did not print enough proceedings! There was certainly plenty to eat and drink though.

Noteable “computer security” celebrities in attendance included (among others): Paul Syverson (creater of The Onion Router/Tor), Paul Karger (as in the Multicians Karger & Schell), Peter Neumann (anotherMultician), and a gentleman who introduced himself as ‘Whit Diffie’. Apparently he did some work in a thing called PKI. So it was a pleasure to rub shoulders with such giants. I also got to work in a couple early morning runs, including up to the Lawrence Hall of Science which offered a spectacular view of the San Francisco bay!

UNO Alumni NUCIA article

April 13th, 2006

I was just quoted in an article of the Spring 2006 issue of the UNO (University of Nebraska at Omaha) Alumni magazine speaking about the NUCIA program there where I studied Information Assurance under the Computer Science curriculum. Dr. Blaine Burnham has really setup a great program there in Omaha, and I’m very proud to have been a part of it (as one of the first actually)! I coincidentally met Blaine when he first moved to Omaha and was living in the dorms with his wife and us other students. We struck up a conversation in the cafeteria and found we had a similiar interest in computer security… and things just took off from there! Actual interview responses below…

Read the rest of this entry »

Toorcon anyone?

September 5th, 2005

Since I’m starting orientation at a new school on Sept. 19th and have not even been to a con this calendar year (21C3 was just before new years) I thought I’d check out Toorcon (Sept. 16-18th) for the first time. My major incentive to go was that my main hacker-con buddy of mine was going… but then she bailed out (something about a new job – how lame is that? -j/k).

So, anyone want to join me in beautiful San Diego? Allow me to assist the decision making process for you:

  1. Cheap Flights on Southwest.com (and kayak too)
  2. Cheap Stay at Downtown San Diego or USA hostels just blocks from the con!
  3. Great Lineup of speakers including Dan Kaminsky (whose presentations always rock) so you’re sure to enjoy!
  4. It’s in S a n   D i e g o

Check it out and register now online by the 7th for only $70! (and a free T-shirt!) Drop me a line if you plan to be out there!

Dumb Admins = Your Lost Data

September 1st, 2005

This post fits nicely about my last one about always being sure to save your data… but as you will see, that’s not protection from ill-conceived computer network policies! [editor note:] To refine the headline, I know the admins are not “dumb” in the academic or technological sense, but upon implementing their latest technology features onto an unsuspecting userbase (with dire consequences) they have certainly failed to think about the users beyond themselves. So, I’ve been a student at UNO in the College of IS&T for a good 4-5 years (1 semester off to study abroad). I’ve always been proud of our network admins because we have several great features that make our computer labs better than the ones on main campus:

  • No student login/password required to use – so you can sit down and go straight to work – print that file or submit that homework assignment fast
  • Mozilla Firefox – for people that want a serious web browser with tabs
  • Other software – specific for IS&T students not found elsewhere on campus
  • Efficient printing w/o hassle – this was just last year, but you print, name the print job “whatever” and you swip your print card and choose the job to print, simple and fault tolerant
  • 1 Setback – No OpenOffice.org Yet – this really should have been out once OOo hit 1.0 in 2003, I should hope 2.0 final gets put on the desktops

Some other noteworthy properties of our lab:

  • Your files stay on the computer – even after you leave the lab, your files will be there all semester long if no one has deleted them, so a backup copy is in the lab if you ever need it
  • Lab closing announcement – the lab monitor always goes around 10-5 minutes before closing to tell students (usually in a middle-eastern accent) that the lab is about to close, so finish up your work

Read the rest of this entry »

Save, save, save – or use DD

August 30th, 2005

The golden rule when doing any work on a computer is Save your work. Save early and save often! Yet even as a self described computer guru and security guy, I still forget to save my work at times. Luckilly, I was editing only text and had some common GNU/Linux utilities available to save me the frustration of doing the work all over again!

It was shortly after midnight, and I was up writing a quick page on my wiki about planning what to run on the wiesefam.org website. Time passed quickly and I had now been working on it for nearly 1/2 hour, but it was not quite finished yet and I didn’t want to “save” it until I was done. The “just save it” thought came into my head (thanks God), yet I dismissed it thinking “what could go wrong? I’m just adding text”.

Read the rest of this entry »

Gmail invites – not for “Anyone”

August 26th, 2005

In January and possibly even up to April of this year, I was sending out my google gmail invites out to friends via the Mailinator
service. Mailinator acts like an anonymous drop box, its a place to direct emails that you expect to receive instantly (like from web-registration pages) that you can “pickup” on the website, and keep your own personal inbox clean.

I’ve just tried this test again, and now google gmail is blocking invites to mailinator.com (and related) addresses. I was able to send an email directly to the same account from within gmail though, so apparently they are only worried about the invite process. The reverse psychology (that entices us, along with the cool technology) and tragedy of google’s “invite only” system appears be of significant importance to them.

Big Brother Google is watching you…, see the 21C3 presentation (german) (babel de-en, google de_en)

Google controls more and more of the information we (out of our free will) access every day. With a new google single sign-on account, you now access google services who controls how you search the net, search local information, map out directions, shop online, read the news, send email, send sms, send im and chat online, write your blog, socialize with other people, etc (more) and all of these words transmitted are subject to targetted advertising (including your email). Google basically owns the Net – the Information Sphere in which modern society exists.

The GoogleOS has surpassed Microsoft’s plans for world domination of the operating system, software, game console, MSNBC, computer hardware, television, email and other markets (just now getting more into online maps, etc). The world now runs off of the Internet and web services are the tools.

Do you love Big Brother? (btw- I just finally read 1984 this summer, and I need to learn German)

Subpoena YOUR OWN call history

August 25th, 2005

You wouldn’t think, but it’s true – To follow-up on my lost/stolen cellphone story… so, when you buy something with your credit or debit card, in most scenarios you can (within a couple hours usually) verify the transaction by logging into your banking account via the Internet. Sometimes it may come up as a ‘pending’ transaction, but nonetheless it’s still there. The marvels of technology and the Internet. But… did you ever think for a minute that you could possibly do the same thing for your phone call activity? WOW – wouldn’t you be wrong!!!

Since Monday morning I’ve been trying to get a __report of the call activity from my own phone__ for 4 days now… and the response is that all I can do is wait for my billing statement to come in the mail! YES – isn’t that bizzare?! Alltel will _not_ provide me with my own call activity — the same information I will receive in a billing statement within weeks (up to 1 month possibly mind you!!!) — without a subpoena! Why do I need a subpoena for my own call activity?!

Read the rest of this entry »

Lost Cellphone Story, Harassment

August 21st, 2005

The Suprise – Last night after my brother’s wedding (which was great btw — future post) we went out to eat after the reception for a 2am breakfast at Perkins. Apparently then my phone slid out of my pocket and got left behind at the booth, then the next early-morning customer likely found it… and began to abuse it extensively. He made his way through calling perhaps everyone in my address book on my phone and left them terrible messages early Sunday morning or harassed them over the phone personally, eventually pretending to be me after finding out my name from the conversations. Almost all of my family and friends in town for the wedding received the nasty messages, and were a bit shocked to receive them of course. I don’t think many had even checked yet to see that they were supposedly from “me”.

My parents received the messages as well, and that morning we worked to get the phone back and get it disconnected. Calling my cellular service providor (Alltel) from their number in the phone book and the 1800-Alltel9 number, all I got was an automated machine with no option to speak with a person for technical support until regular office hours resumed on Monday. I found this perhaps the most frustrating and disturbing, even more so than the harassing calls being made on my behalf all morning, was the feeling of not being able to do anything in response. (Assuming everyone who knows me would be able to immediately conclude these calls were not from me since it is completely out of character for me and voice differences.)
Read the rest of this entry »