Disqus - Latest Comments for Matt H.

Re: OhGizmo! » Archive » Help Wanted

Matt H. — Mon, 05 Dec 2005 14:10:54 -0000

Now now Ben... Are you really saying that you think it's rude for a publisher / editor to ask writers to contribute texts to a website?

I have to agree with Mr. Paine on this one, it's not a rude offer and even a little generous. I ran a site (cryptonomicon.net) that was a Google news source and in the Alexa top 50,000 for about a year. We were nearly completely focused on cryptography and internet security and we weren't one of those sites that simply republished vulnerability announcements. With such a focused topic, it's not especially easy to get and keep eyeballs. And I hate to say, it wasn't lucrative enough to be my main moneymaker. (BTW, I have since returned to grad school and closed the site.)

So I'm in the position of having neither the time nor the interest in doing the work required to keep a good content site up and running day after day. I am interested in ocassionally publishing a thing or two to a forum that has more eyeballs than cryptonomicon.net right now.

I'm a fan of OhGizmo and the ads don't frighten me away. Is it the only site I look at? Of course not; but I rank it up there with Engadget and Gizmodo.

Re: OhGizmo! » Archive » VectroTel Provides Secure Mobile Communications

Matt H. — Tue, 23 May 2006 20:15:52 -0000

This reminds me a lot of CryptoPhone who did actually publish their crypto source. Users were encouraged to compile the source and verify that the results of the compilation were byte for byte identical with the contents of the firmware.

Also... Tanner/Lane-Smith/Lareau have some things to say about encrypting voice over the data channel in their DefCon presentation from last year [PDF].

My personal experience is that latencies in excess of 350 msec are typical over EDGE, so... get ready to pretend you're GI-Joe by ending every sentence with "Over."

Just remember... The DoD is moving away from DH over a finite field in favor of EQMV and ECDH (more info at http://www.cryptonomicon.net/msh/2006/02/no-dl-or-rsa-in-suite-b.html.)

Finally... When using DH, both parties need to be using the same values for the generator and the modulus. There was some concern in the 90's about insecure values for g and p; if an attacker could force you to use an insecure generator, he might be able to recover the agree'd key by listening in to the key establishment conversation. I seem to recall that Vaudenay published a similar attack for DSA.

In any event, the moral of the story is. Yawn. Another phone that encrypts voice over a high-latency GSM data channel. I'm not the worlds biggest fan of X.509, but it would be awefully cool if you could exchange self signed certs via IR or SMS, then make a non-encrypted call, verify the cert fingerprints, assign "trust" to the local copy of the cert and use this trusted cert as part of the authentication phase before key agreement.

DTLS (SSL for lossy, UDP style connections) was recently published. This might be a good option for people wanting to do this in the future. That way you could just do SIP/RTP over GSM (or WiFi) with DTLS configured to do ephemeral keying.

Just a though.

Re: OhGizmo! » Archive » One Second Iris Scanning Webcam Closer To Market

Matt H. — Tue, 23 May 2006 20:28:48 -0000

Iris scanners can sometimes be fooled by a picture of the eye, depending on the technology. Also... if you really, really want to break one of these things, there's a possibility that the protocol from the reader to the laptop is insecure. So... make sure that no one's using a "usb sniffer" when you enroll your iris-print. Also, someone might want to do a 3rd party review to ensure that the protocol isn't so simple that the iris print is stored in the camera and the camera sends a "yup, that's the right eyeball" message when it sees an enrolled iris. Breaking something like that would be relatively trivial.

Also... insert all the standard disclaimers about biometrics. Somewhere in the system is a copy of your biometric, please make sure it's secure. If the biometric is on the laptop's hard drive, and I steal your hard drive, I can probably dig around until I figure out how to reverse engineer the scanner's control software to get it to think that a teddy bear is the key.

Admittedly, I'm probably not going to do this if the only thing on the protected laptop is your mother's gespacho recipe. But I hope you're not using this to protect the nuclear launch codes. That would be bad.

Re: OhGizmo! » Archive » Patent Filed For PDA With Detachable Cellphone

Matt H. — Mon, 16 Apr 2007 18:59:03 -0000

No... I think it's a NuBus connector on the bottom, so you can plug it into your old Mac II.

But seriously, this reminds me a little of the VisorPhone which was a springboard module for the Handspring Visor. If you didn't want to lug that around, there was a third party that made a very simple interface (12 keys + send / hangup.) The benefit was that the phone wasn't so honkin' huge.

I think that's what these guys are going after... you have a regular small / stylish phone for typical use. When you want to do web browsing or email checking, you plug it in. Sort of like what we were supposed to be able to do with Bluetooth.