Quite recently there have been a number of articles talking about how the KeeLoq cipher encryption has been cracked and this by using a new method to speed up the processing to crack a key 500 times. Basically what Eli Biham, Orr Dunkelman, Sebastiaan Indesteege, Nathan Keller and Bart Preneel has proven is that by sniffing the communication between the remote key and the car they can collect the needed data to crack the cipher. In their case all the need is access to the key token for one hour to send challenge/response question to it and with the collected data it took them around one day to crack the key.

KeeLoq is a cipher used in several cars manufactures anti-theft mechanisms distributed by Microchip Technology Inc. It may still protect your car if you own a Chrysler, Daewoo, Fiat, General Motors, Honda, Toyota, Volvo, Volkswagen, or Jaguar. The cipher it self is included in the remote key control for the car and similar solutions can be found as well in garage ports and security gates, etc. It has been used quite widely due to that the needed hardware to produce this kind of key token is really cheap.

The biggest issue here is also that when finding one KeeLoq key it also leaks the master key and by that this cipher is now damaged severely due to that sooner or later there will be code in the public to perform this kind of trick yourself. Microchip Technology has so far not chosen to comment on this yet and the team behind the discovery will not release the full report before they’ve talked to Microchip.

I wonder what the car insurance companies has to say about this if the car gets stolen without any trace (I’m already smelling car fraud attempts).

Kim Haverblad

Note: For more readings there are several sources to download papers from so here is a range of suggestions: www.cosic.esat.kuleuven.be/keeloq/ and cryptanalysis by Andrey Bogdanov and Nicolas Courtois.

Bookmark to:

Dagens Nyheter has a quite interesting article about the Swedish Department of Justice has received a report from a one man committee where it’s suggested that ISP’s should either close down broadband subscription for an individual or be forced to pay the fine for copyright infraction.

According to an interview with Cecilia Renfors who wrote the document and quoted by Dagens Nyheter, this won’t lead to that Swedish ISP’s are forced to participate in the hunt for broadband customers who downloads music or films ; but if the ISP don’t act up on an indication from the copyright holder, they would then stand responsible and will be taken to court. This would then mean that local Swedish ISP can actually be taken to court on behalf of how their customers use their product? Does this mean that we will have future similar laws for:

• Car industry so that they can be charged if their cars has been used in a bank robbery?
• Telecom industry since their phone lines could be used to fraud or threaten people?

And finally; should a person actually be able to be pre-convicted without taken to court? File sharing itself isn’t illegal as long you share legal material. But there is a high risk that this suggestion would have negative impact on privacy.

Kim Haverblad

Bookmark to:

Tomorrow is the big OOXML day since the international community will cast their vote in the ballot. As some of you already taken notice about is that the campaigns has been far from clean and Microsoft has really manage to gather loads of negative PR around in Europe.

Sweden will abstain to vote due to that The Swedish Standards Institute (SIS) has declared its recent vote in favour of Microsoft Corp.’s Office Open XML format invalid. Swedish media has as well, for once, shown a greater interest for story than one might expect since one of Sweden’s largest newspaper, DN, posted an article about it as well.

This entire story involving SIS and as well Microsoft Sweden might be forgotten in couple of month by most Swedes. But for SIS the damage might be more severe than admitted at first. Quite a few organisations have raised an eyebrow or two due the bad handling of OOXML ballot here in Sweden. Sweden has for quite a few other countries been looked at as neutral and objective for this kind of questions. Sadly it has been proven that we are not even close to that vision. SIS as an organisation should stand out as a quality actor and they have just showed that you can not count on them and they even admitted to that the OOXML voting process is normal procedure!

Kim Haverblad

Note: There are few more lines posted about this topic at Dagens Nyheter, OS2 World.Com, IDG.se and Computer World.

Bookmark to:

It’s seems that Germany are willing to legalize malicious software such as spyware and trojan horses according to an article posted by Herald Tribune as a necessary measure against terrorism. Question is just who will define what and when a crime would fall under terrorism and since this could eventually be hard to guarantee that it won’t be potential invasion of citizens’ privacy if this bill is passed. Interior Minister Wolfgang Schaeuble defended the tactic in an interview with n-tv television, calling the ongoing debate “completely exaggerated,” underlining that judicial approval would be required before the measures could be used. “It’s about a few isolated cases”.

Further more a verdict from Hamburg regional court, Germany last year stated that as an individual you have full responsibility for the activities going on via your wireless network that you have at home. Fair enough - but is it also fair that I have to be responsible for other peoples activities that goes on via my wireless network or my local network as well? That’s a really good question, in most cases I think that we all agrees to that one has the responsibility for ones own actions as a private person and when it comes to a company the company has to take responsibility for it’s employees. But what if some one downloads for example mp3 files via my network; would I still be responsible for this 3rd persons activities? Well, in Germany you would. According to German magazine Heise who had a story about this case the verdict from 2006.07.26 is built up around that approximately 244 mp3 files was downloaded during the end of 2005 via Gnutella peer network. This was obviously noticed by a music company who took the case to court and where the judge verdict was in favour for the music company. The judges states that as an individual is responsible and has to take legal measures to make sure that personal wireless access point is password protected and by that then make use of some kind of encryption to secure it.

So the big question now is when is an access point secured? Quite few users are still running with equipment that only supports WEP (Wired Equivalent Privacy or Wireless Encryption Protocol) encryption and this has been proved to be cracked in matter of minutes. Based on that, would the verdict still be the same if they’ve been using WEP-encryption to protect their network? Hopefully not, but quite a few would state that WEP encryption isn’t secure enough any more and since of that shouldn’t be used. To what extend do have to go to protect our self before we can feel safe against the law?

Using utilities to check the security status on it’s on network and from the outside would for the most people be recommended action. Problem is that Germany recently passed a law that defines this kind of activities as hacking and by that definition it’s not legal to use any kind of tools to scan for vulnerabilities and analyse system for weaknesses. Hacking has and is criminalized by the most countries one way or another; the definition might distinguish from country to country. But as Germany passed the law to avoid hacking attempts my humble question is then to German authorities and the people who wrote the bill; how do you plan to secure your own IT-infrastructure? German Chaos Computer Club says in an article published by IDG.se that this new law makes it really problematic on how to define what is a hacking tool or not; the ping command for some is a great tool to check if there is a system in the other end when scanning a network segment and for other it’s just a tool to ping local system. So where do we draw the line for what is hacking tools?

What Germany ends up with is a catch 22 when it comes to security; you have to secure you own network, but your not able to use any utilities to check the security status. And about the suggested law regarding legalizing virus and trojan horses for spying on terror suspects - isn’t that a violation to the earlier passed laws - that it’s illegal to hack system?

Kim Haverblad

Note: Also Sweden has similar plans (Swedish article) to criminalise denial of service attacks. The bill that was issued by Swedish Department of Justice and was released March 2005 for circulation for comments. The bill was forwarded March 2007 as a proposition to the Swedish government for decision and this hasn’t been taken yet.

Bookmark to: