March 2005

“Bumping” lock-picking paper

Bruce Schneier links to a paper on refinements to bumping, a lockpicking technique for pin-and-tumbler locks where you insert a specially filed-down key and give it a quick whack to bounce the top pins out of the way. The principle is the same as a lockpick gun, though the authors claim it works better.

I haven’t played with lockpicks since my undergrad days, but I’ll probably play around with their method and see how well it works. The biggest question I have is how much wear and tear this method causes to the lock vs. other methods — the paper suggests some ways to limit damage to the lock but it still seems like it’d be worse than the lockpick gun since the driving force is side-long (into the lock) rather than straight up. Still, it’s got to be better than raking the lock. (I remember back when I was an undergrad at MIT there was one door in particular that needed its locks replaced every couple years due to the number of people raking it — most of the better pickers didn’t rake for just that reason.)


Device fingerprinting using clock skew

This is a cute hack — these guys are able to “fingerprint” a networked device just by looking at how quickly its clock loses or gains time compared to the true time (its clock skew).

Example applications include: computer forensics; tracking, with some probability, a physical device as it connects to the Internet from different public access points; counting the number of devices behind a NAT even when the devices use constant or random IP IDs; remotely probing a block of addresses to determine if the addresses correspond to virtual hosts, e.g., as part of a virtual honeynet; and unanonymizing anonymized network traces.

Link by way of Mitch Kapor, who unlike me isn’t so enamored of the elegance of their technique as to ignore the obvious security and privacy implications.
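To make the idea of clock skew as a fingerprint concrete, here is an added example (not code from the linked paper or from this post) that estimates a device's skew from pairs of local receive time and remote timestamp. The traces are constructed, and the 1000 Hz tick rate, the least-squares fit and the 1.5 ppm matching tolerance are assumptions of this example.

```python
import random

def make_trace(skew_ppm, hz=1000, n=360, interval=10.0, seed=0):
    """Constructed data: (local receive time in s, remote timestamp in ticks)."""
    rng = random.Random(seed)
    base = rng.randrange(1 << 31)          # remote counter starts at an arbitrary value
    trace = []
    for i in range(n):
        sent = i * interval                # true send time in seconds
        remote_ticks = base + int(sent * (1 + skew_ppm * 1e-6) * hz)
        delay = rng.uniform(0.001, 0.010)  # network delay jitter seen by the observer
        trace.append((sent + delay, remote_ticks))
    return trace

def estimate_skew_ppm(trace, hz=1000):
    """Slope of (remote elapsed - local elapsed) against local elapsed, in ppm."""
    t0, ticks0 = trace[0]
    xs = [t - t0 for t, _ in trace]
    ys = [(ticks - ticks0) / hz - x for (_, ticks), x in zip(trace, xs)]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    # Ordinary least squares; delay jitter adds noise but no trend, so it
    # averages out over a long enough observation window.
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum(
        (x - mx) ** 2 for x in xs)
    return slope * 1e6

def same_device(trace_a, trace_b, tol_ppm=1.5):
    """True if two traces have skews within tol_ppm of each other."""
    return abs(estimate_skew_ppm(trace_a) - estimate_skew_ppm(trace_b)) <= tol_ppm

if __name__ == "__main__":
    # Two traces from one clock (+37.5 ppm) seen from different networks,
    # and one trace from a different clock (-12.0 ppm). All constructed.
    a1 = make_trace(37.5, seed=1)
    a2 = make_trace(37.5, seed=2)
    b = make_trace(-12.0, seed=3)
    for name, tr in (("a1", a1), ("a2", a2), ("b", b)):
        print(name, round(estimate_skew_ppm(tr), 2), "ppm")
    print("a1 vs a2 same device:", same_device(a1, a2))
    print("a1 vs b  same device:", same_device(a1, b))
```

The arbitrary counter start and the changing network path do not affect the estimate, which is why the quoted applications work across access points and why suppressing or randomizing remotely visible timestamps is the relevant privacy control.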


Moon-Mars mission a poison pill?

Bob Parks over at What’s New suggests it is…

So what’s really behind “The Vision”? Why is the administration pushing so hard for a science initiative that scientists scorn, and which won’t take place on Bush’s watch? Ah, but that’s the plan. It will be up to the next administration, stuck with a huge deficit, to decide whether to go ahead with a meaningless but staggeringly expensive program to see if humans can do what robots are already doing. As one well-informed NASA watcher put it, “Moon-Mars is a poison pill. It hangs responsibility for ending the humans-in-space program on the next administration.”

Of course, the same could be said of Bush’s tax cut on the one hand and all his red ink on the other — it might just be a mixed blessing to the Republicans to not have at least one Democrat majority to blame by the time all the chickens are back home to roost.


ACLU and Human Rights First Sue Rumsfeld Over U.S. Torture Policies

The ACLU and Human Rights First are suing Defense Secretary Donald Rumsfeld, seeking “a court order declaring that Secretary Rumsfeld’s actions violated the U.S. Constitution, federal statutes and international law.”

“We believed the United States could correct its policy without resort to the courts. In bringing this action today, we reluctantly conclude that we were wrong.”

A few months ago I attended a panel discussion about the rule of law in light of recent prisoner abuses, sponsored by the Stanford Law School and the International Red Cross, Human Rights Watch and Amnesty International. After the legal experts detailed abuse after abuse things looked pretty bleak, so I asked the obvious question: With all the egregious abuses you’ve listed, is the rule of law dead? I was surprised to hear the three panelists (law professors from the U.S. Naval War College, Santa Clara University and Stanford) all agree the answer was “no.” Their assessment was that the President and his administration were clearly abusing the law and Congress had rolled over and played dead, but the Judicial Branch was still doing its job to interpret the law. It’s just that the judicial branch is slow, they explained, and so when the other branches abuse their power it takes a while to rectify.

It looks like this, plus the ruling that the government must either charge or release Jose Padilla, are both small steps showing that slow progress at work.

Case against Rumsfeld Timeline

Complaint against Rumsfeld


Google Auto-link

Google’s Auto-Link feature is generating all sorts of commentary, most of it the perennial “have they crossed the line into scary all-your-base-are-belong-to-us mode yet” type.

I’ve not seen the interface yet (it’s Windows-only, and I’m, well, not). But assuming (a) it’s easy to turn on or off and (b) users can tell what’s an auto-link and what’s original to the webpage, I see the application itself as just one more shift in power from the author to the audience, just like TiVo, ad blocking, style-sheet overrides, those DVD-reediting kits for people who don’t like the dirty bits, the remote control and the highlighter pen. I’m in favor of all of them.

There is one thing that does concern me though, and it’s not the application itself, but the bundling of the information source with the Google Desktop app itself. There’s not much they could do about that (and I trust Google a lot more than I trusted Microsoft when they tried this same trick), but I would feel much better if this were a generic open API in my Firefox, where I could pick and choose who handles each of my rewrite rules. Even a benevolent hegemony is dangerous, both in case it stops being benevolent and because it lacks genetic diversity.

So, who’s up for writing an auto-link Firefox plug-in?
