Posts tagged hacking

Sony’s Fatal Flaw


In recent weeks, everyone has become aware of the massive attack that Sony incurred.  The exploitation of a commercial network like that is very noteworthy.  Many people are angry that they can’t play their games online; some are upset that their usernames, passwords, and other identifiable information have been exposed.  Obviously something like this can hardly be considered a good thing; however, I think it brings to light some issues that will become increasingly relevant in years to come.  I honestly believe there are some valuable lessons that can be taken away from this.

Sony, I’m sure, has learned the value of pen-testing.  While the nature of the exploit hasn’t exactly been clearly revealed, most accounts point to a simple exploit.  Careful pen-testing might have revealed this.  Hopefully, Sony has learned a valuable lesson about the responsibility a company has to protect its customers’ information.

From most accounts Sony will have to spend billions to rectify this situation.  While I would like to be quick to point the finger at Sony, I’m not entirely convinced it’s warranted.  I think it is perhaps fortunate that this happened to a company that can likely withstand the backlash this will create.  I sincerely hope that this has opened the eyes of company executives everywhere.  This could have been any company.  I’m not entirely convinced that Sony’s infrastructure was inherently less secure than any other retail operation on the internet.  While this is certainly a large security breach, I’m relatively surprised that there haven’t been more.  The scale of this breach serves to make it more visible, which I think will lead people to take these issues more seriously.  If it had happened to a smaller firm that could more scarcely afford the monumental cost this will incur, it may not have been more than a footnote on the back of the newspaper and a 30-second news spot on some local news channel.

The PlayStation Network is a relatively closed thing.  Typically most of the network is only accessible from a few types of devices.  While I probably should do some FAQ checking on this, credentials are presumably transmitted over SSL.  There seems to be some question whether the credentials are hashed properly prior to transmission; however, there is a clear effort toward security.  Malware and viruses are difficult to develop for game consoles, and are exceedingly rare if they exist at all.  A keylogger would be next to useless on a PS3, given that most people don’t connect a keyboard and mouse, so it would take a long time to map key presses to meaningful information.  So they had a right to believe that the client end was relatively secure.  They were right here.

Now we can debate the effectiveness of those measures; however, my purpose is not to dictate that their measures were sufficient, as they clearly weren’t, but to compare them with a traditional web vendor.  There are a lot of web applications with weak authentication mechanisms, vulnerabilities to SQL injection, or all manner of other nasty vandalism.  In Sony’s case, it appears that the failure was server side.  Most Windows-based machines are prone to all of the threats that game consoles are specifically resistant to, but I don’t think most PC-based vendors are much better secured.  Ecommerce, contrary to the predictions of many analysts in the 90’s, is not a fad, and is not going anywhere.  I would bet there are a large number of web-based vendors who have not put sufficient thought into their security strategies.  It would greatly benefit them to be proactive in their efforts rather than reacting to a breach.  What does client security have to do with it, you might ask.  Well, simply put, if one account on the site is compromised (ahem…like a developer account, admin account, or just an account with a credit card number) it’s often possible to use that account to get others.  Examining their service’s weaknesses, not only for the benefit of their clients but to hedge legal liability, only makes sense.  Please don’t misunderstand me: obviously there needs to be a balance between security and functionality, but this does not mean that security should be cast to the wind.

Ok, so I’ve talked about web-based vendors and their role.  Are they solely responsible?  I really don’t think so.  I think this should be taken as a cautionary tale to users, shoppers, and web-service subscribers alike.  I think this is a call to consciousness about what we authorize them to keep on file for us.  Maybe it’s worth the extra minute and a half to enter your credit card again.  One-click purchasing is certainly convenient; however, I think consumers need to balance the value of this convenience against what it would cost them if their information were compromised.  Once again, that balance needs to be struck between security and functionality, but I have to wonder how cognizant people are of the information they put out there.

The Arduino Band-Wagon


I am finally hopping on the Arduino band-wagon. I purchased my first Arduino. I went with the Duemilanove, because it is standard and cheap. Almost all of the available shields are designed to fit on top of it. Most of the documentation that I’ve read for Arduino projects assumes this is the model that you have. While I am not arguing this is the best model, it is definitely worth the $15 investment that I have in it.

I have been working with a Boarduino with the same Atmega328 processor on it for a couple of weeks now. It has a couple of cumbersome points that make it a lot less convenient than its Duemilanove counterpart.  For one, it does not have auto reset.  This means that every time I want to load a new program on it I must time the reset so that it is ready to accept the new instructions once it has come back up.  The Duemilanove doesn’t have this disadvantage.  It is smart enough to accept the new sketch (Arduino program) and then automatically reset.  As far as I can tell they both have the same pin-out.  The Duemilanove just has it built in, and the Boarduino has to sit atop a bread-board to have the same functionality.  I can potentially see this as an advantage, as you could put the Boarduino directly on top of another prototype board and have it run the show.  The other drawback that the Boarduino has compared to its counterparts is the expensive TTL cable that is required to interface with your PC.  Most of the other Arduino variants I’ve worked with thus far have used a standard USB cable to upload new sketches.

Overall, I’m very excited about all of the project opportunities that this new investment will present for me.  I am very excited to see the size of the development community that seems to surround the Arduino project and all of its derivatives.  I foresee myself, and my fledgling hackerspace (Cow-Town Capacitor), developing with this platform for a long time to come.

I love the idea behind the prototyping system. Build cool stuff, and don’t worry about the integrated circuits until production time. By then, you will already pretty much have the firmware ready for your project, and all you have to do is build it.
