Comments

Max • November 17, 2011 1:08 AM

Pity about this: '... "black hats." These hackers terrify the public by announcing their triumphs through the media, and then ransom their intelligence to panicked companies.'

Not only does this not make sense (how can you ransom information after publishing it?) -- it also makes public disclosure seem like prime evil.

Whitman • November 17, 2011 2:40 AM

Article was weak. This, for example, is simply incorrect: "In the high-definition DVD format war, HD DVD lost to Blu-ray largely because the consortium of companies that developed the HD DVD format had not invested sufficiently to secure it." That's not why Blu-ray won.

AC2 • November 17, 2011 3:06 AM

Hmmph...

Was going well until the mention of "leading technology-licensing company Rambus Inc"...

And then the invention of SSL

Muffin • November 17, 2011 5:01 AM

@Max: "Not only does this not make sense (how can you ransom information after publishing it?)"

announcing != disclosing.

But yeah, it's scaremongering.

Alan Kaminsky • November 17, 2011 6:33 AM

Like all good readers of Bruce's blog, I have NoScript installed in Firefox, with scripts inhibited for all but a few sites. When I clicked on the article link, I got a page that said, "Sorry, we are unable to supply content for this web page, either because the Internet security on your browser is set to high, or because you have disabled Javascript." Whew, I dodged a bullet, I guess . . .

Dirk Praet • November 17, 2011 8:34 AM

@ Alan Kaminsky

I second that emotion. Requiring JS for a written content only page is just as daft as treating an ordinary cold with antibiotics.

Louis • November 17, 2011 11:59 AM

I was just at the Cartes conference in Paris; they had a booth where they were showing an original Enigma machine (3 rings).

Nick P • November 17, 2011 2:07 PM

I was actually disappointed by what I learned in the article. Aside from its inaccuracies, I found that Kocher's DPA countermeasures are patented and licensed. Had someone else invented it, we might have been able to use them for free like so many other security engineering techniques. Just imagine if someone had patented formal code reviews or unit testing. Patents for fundamental technologies are a bad thing.

Laurent • November 18, 2011 2:23 AM

@Nick P
Not only patenting but actually getting royalties from people who simply implement hardware-based DPA countermeasures, no matter what the countermeasures are... terms like "racket" come to mind.
So yes the Rambus association makes a lot of sense.

RobertT • November 18, 2011 8:26 AM

It appears the guy has no shame. Wonder if he also invented the internet?
He talks about DPA like it is his invention; that is complete BS. I can personally attest to having seen power analysis methods used in 1980, and guess what, anti-PA techniques were not far behind that.

Clive Robinson • November 18, 2011 10:19 AM

@ Robert T,

"I can personally attest to having seen power analysis methods used in 1980,"

Likewise I can show that in the 1980s I developed similar power analysis methods, and more importantly went on to develop RF injection attacks that worked better than DPA.

I then went on to develop active fault injection attacks using modulated RF.

The problem back in the 80s for non-academic researchers was the "killing the Golden Goose" issue. Often the company you worked for would do almost anything (including sacking people) to keep security faults secret. The story behind the development of "smart cards" and later "SIMs" would make many people's eyes open very wide.

I emailed Paul when I first saw the DPA paper and told him he could do better with RF, however his reply was notable for all the wrong reasons.

And it still goes on today we see the likes of "custom solutions" such as MiFare etc getting broken into followed by the usual round of denials, legal action, and other less savoury forms of intimidation.

I had the same "don't kill the goose" issue with showing fingerprint readers were very susceptible to simple fakes using the red wax from Edam cheese and Copydex rubber solution glue long, long before "gummy fingers" (and I got the idea for faking fingerprints when I was eight, from a Sherlock Holmes story). Likewise, when I came up with a way to frig DNA forensic test results I was told "it can't possibly work", but that all changed when an Australian researcher did pretty much the same thing and actually did the work instead of naysaying as many others in the field had.

And several other things, all of which "nobody wanted to know about" for mainly commercial but sometimes status reasons. Call it "rocking the boat", "killing the goose that lays golden eggs", etc.; it's the same old story: change the perceived wisdom and thus the status quo, and fear says "our free lunch will get snatched away".

Am I upset because I've lost fame and glory? No, I'm upset because people, even people who should know a lot better, want to push "snake oil" to their benefit and others' loss.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.