Interesting that Tiltman was involved, as this is very similar to the method he used to extract the Lorenz key stream, which led to Tutte deducing the machine's mechanism, and that led to the design and construction of Colossus.
Posts by Craig 8
25 publicly visible posts • joined 31 Jul 2009
Declassified files reveal how pre-WW2 Brits smashed Russian crypto
Bletchley Park remembers 'forgotten genius' Gordon Welchman
Security damn well IS a dirty word, actually
Re: It's the people, not the computer
Some people are unscrupulous, and some people are gullible, and no amount of technology is going to change that.
It's not necessary to understand how to build a car in order to drive one, and I don't suppose anyone thinks mechanical engineering should be part of the driving test, so what happens? You take your car in for service and the garage tries it on by saying "your brake disks are under tolerance, you need new ones to be safe" which, if you have any sense, you politely decline. This happened to me a few years ago and I took the same car back to the same garage a year later and, for laughs, said "can you be sure to check out the brakes please?" and they came back and said "your brakes are fine, but we need to do [this other expensive work]". This was not a backstreet operation, it was a main dealer for a prestige brand, incidentally.
Perhaps what we need to do is stop wringing our hands about bad people using the Internet and just deal with it. You don't trust everyone you meet face-to-face, so don't trust people you "meet" on the Internet.
Twitter clients stay signed in with pre-breach passwords
It's NOT a login [Re: There is a very clear risk]
The "auth" stands for "authorisation", not for "authentication". The authorised service never had your password in the first place, so it is entirely irrelevant whether your password is changed or not. What you want to do is revoke the authorisations, not change your authentication credentials.
I Don't Think You've Quite Understood This...
Let's see, the point of OAuth is that you can authorise services to access your Twitter account without needing your password. Logically, I don't see any reason that this should change just because you change your password; you might change your password every month for security reasons (yeah, right!) but that shouldn't mean you've stopped trusting the services you said you trusted before.
There's some wrong-headed thinking here, that "change my password" should be the same thing as "reset all the security decisions I've ever made". If you think your account may have been breached, there are several other things you should do (like checking what spam has been posted in your name) as well as changing your password and revoking any inappropriate authorizations.
Silly gits upload private crypto keys to public GitHub projects
More detail is needed
Before I believe this is a major security cock-up, I want to know how many of those private key files were actually password protected. While it's still inadvisable to post your private keys publicly, even if they're encrypted, there's a world of difference between that and posting just the plain key. All the formats found by the sample searches quoted can be, and should be, password protected.
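The check the post asks for, whether a leaked private key file is actually password protected, can be automated. The script below is an added example written for this page; it is not code from the original post, from The Register, or from the researchers referred to in the article. It recognises the common PEM private-key containers and classifies each one: traditional OpenSSL keys (RSA/DSA/EC) are encrypted only if they carry a `Proc-Type: 4,ENCRYPTED` header; PKCS#8 keys are encrypted only if the label is `ENCRYPTED PRIVATE KEY`; OpenSSH keys must be decoded and the cipher name read from the `openssh-key-v1` header, where `none` means the key is in the clear. PGP key blocks need packet-level parsing and are reported as unknown. The embedded sample text is constructed for the example and contains no real key material; the base64 bodies of the RSA blocks are placeholders, and the OpenSSH blobs are built with only the header fields the detector reads.

```python
from __future__ import annotations

import base64
import re
import struct

# Matches one PEM block; the END label must equal the BEGIN label.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+?)-----\s*(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length followed by bytes."""
    return struct.pack(">I", len(data)) + data


def openssh_cipher(body_b64: str) -> str:
    """Return the cipher name from an openssh-key-v1 blob ('none' = unencrypted)."""
    raw = base64.b64decode("".join(body_b64.split()))
    if not raw.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(OPENSSH_MAGIC)
    (n,) = struct.unpack_from(">I", raw, off)
    off += 4
    return raw[off:off + n].decode("ascii")


def classify_pem_block(label: str, body: str) -> str:
    """Return 'encrypted', 'plaintext' or 'unknown' for one private-key PEM block."""
    if label == "ENCRYPTED PRIVATE KEY":
        return "encrypted"  # PKCS#8 EncryptedPrivateKeyInfo
    if label == "PRIVATE KEY":
        return "plaintext"  # PKCS#8 PrivateKeyInfo, no password
    if label in ("RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY"):
        # Traditional OpenSSL format: encryption is signalled by RFC 1421 headers.
        if re.search(r"^Proc-Type:\s*4,ENCRYPTED", body, re.MULTILINE):
            return "encrypted"
        return "plaintext"
    if label == "OPENSSH PRIVATE KEY":
        try:
            cipher = openssh_cipher(body)
        except (ValueError, struct.error):
            return "unknown"
        return "plaintext" if cipher == "none" else "encrypted"
    # PGP private key blocks need OpenPGP packet parsing (S2K usage byte); not done here.
    return "unknown"


def scan_text(text: str) -> list[tuple[str, str]]:
    """Find every private-key PEM block in text and classify it."""
    results = []
    for m in PEM_RE.finditer(text):
        label = m.group("label")
        if "PRIVATE KEY" not in label:
            continue  # certificates, public keys etc. are not the concern here
        results.append((label, classify_pem_block(label, m.group("body"))))
    return results


def _openssh_blob(cipher: str, kdf: str) -> str:
    """Constructed minimal openssh-key-v1 header (not a usable key) for the sample."""
    raw = (OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
           + _ssh_string(b"") + struct.pack(">I", 1))
    return base64.b64encode(raw).decode()


# Constructed sample of what a repository scan might turn up; no real keys.
SAMPLE = f"""
-----BEGIN RSA PRIVATE KEY-----
FAKEBODYNOTAREALKEYFAKEBODYNOTAREALKEY==
-----END RSA PRIVATE KEY-----

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

FAKECIPHERTEXTNOTAREALKEYFAKECIPHERTEXT==
-----END RSA PRIVATE KEY-----

-----BEGIN OPENSSH PRIVATE KEY-----
{_openssh_blob("none", "none")}
-----END OPENSSH PRIVATE KEY-----

-----BEGIN OPENSSH PRIVATE KEY-----
{_openssh_blob("aes256-ctr", "bcrypt")}
-----END OPENSSH PRIVATE KEY-----

-----BEGIN PUBLIC KEY-----
NOTAPRIVATEKEY==
-----END PUBLIC KEY-----
"""

if __name__ == "__main__":
    for label, status in scan_text(SAMPLE):
        print(f"{status:10} {label}")
```

Run it over the files a code search returns and only the `plaintext` lines are the genuine cock-ups; the `encrypted` ones are still worth rotating, as the post says, but a passphrase-protected key is a different class of exposure. Note that the traditional OpenSSL encryption uses a single MD5 iteration of the passphrase, so a weak passphrase on an `encrypted` RSA block offers little protection.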
Cloudy admin? Here's how to ward off Call of Duty-playing teens
Free Android apps often secretly make calls, use the camera
I suppose this is the part of Juniper that used to be SMobile. Frankly I don't believe a word they say. Why does the headline bear no relationship to the content of the article? Did they find ANY apps that SECRETLY make calls and use the camera? I think not. I still remember the time when an SMobile executive went on local TV in the US after a bridge collapse saying, yes, wasn't it terrible that people died, but think how much worse it would have been if the emergency services had malware on their smartphones. WTF?
Caltech shrinks optical accelerometers
> They're probably about to ****ing buy some washing powder anyway.
Yes, but the supermarket knows which brand you normally buy, and now has the opportunity to influence you to buy a different brand that's more profitable for them. *That's* why they would do it on a mobile (tied to a specific person and their buying habits) and not on a TV screen; also if you normally buy the profitable brand anyway then they can save money by not offering you the discount.
You're just not thinking evil enough.
Nokia pumps up Lumia browsing with Xpress
What About the Security?
Rendering the HTML on a server means breaking the end-to-end security model of SSL/TLS browsing. Opera Mini is great and I use it a lot for reading public web sites, but I'd never do any payment transactions with it. Even if you trust Opera/Nokia/whoever-else, what happens when they get hacked?
Password hints easily snaffled from Windows PCs
GCHQ to encrypt your tweets with Enigma - for science
Where are they going to get the cribs?
To use a Turing Bombe to crack an Enigma message, you require a "crib" (some known plaintext of the message). Are they going to add a fixed preamble to every message to provide that crib, then? (e.g. "Cheltenham Science Fair: ...") I think it's only fair to disclose that, as otherwise the educational point is missed, i.e. that the Bombes weren't magic and weren't even computers, they just tested all the possible rotor orders and positions.
Researchers propose ‘overclock’ scheme for mobiles
FTC tears into Apple, Google over kids' privacy - or lack of
re "any app updates can't ask for more permissions in the future"
Assuming we're talking about Android, then yes, they can. The difference is that if you don't ask for more permissions then the update can happen invisibly in the background, but if you do then the user has to explicitly permit the update. Seems like a reasonable model.
"go back to symbian" Re: Winds me up this corporate bullshit...
To be fair, Symbian OS doesn't allow you to selectively grant permissions either. I think there are other reasons for preferring Symbian over Android, but I'm afraid the permissions model isn't one of them (Symbian's implementation is arguably better but the design is essentially the same, app gets all permissions at install time or it doesn't get installed).
Facebook password reset coming to phone near you
PlayStation Network credit cards protected by encryption
Mobile Trojan mimics Android clean-up tool
> As a soon to be Android owner, what am I missing here?
The original malware (downloaded from the legitimate Android Market) rooted the device, and was able to install other software from places other than the Android Market. Google can remove the original malware, but not any of the other software it may or may not have installed in the meantime.
LG comes to the NFC party
Experts rubbish iPhone for health use
Nokia: go straight to Symbian 3, skip Symbian 2
Crypto pioneer and security chief exits Sun
Pioneer, yes, but Inventor?
I have nothing against Whit, who is a friend-of-a-friend and by all accounts a very affable gentleman and deserving of his place in the history of computer security, but he doesn't have exclusive claim to inventing public key cryptography. James Ellis et al. in the UK reportedly got there first (although it was classified at the time) and Diffie and Hellman's work was apparently based on Ralph Merkle's.