
  def Softwaremaker() :
         return "William Tay", "<Challenging Conventions />"

  knownType_Serialize, about = Softwaremaker()
 

 Saturday, May 31, 2008

I was recently pointed to this post that highlights a "successful attempt" by some students in Germany to crack Microsoft CardSpace. After reading through the post several times, I became convinced that it is NOT what it seems to be, and that if the "breach" is what it claims to be, there must be some pre-conditions that have to be satisfied before it can happen, and those are not going to be easy to meet...

Just as I was putting down some of my thoughts on why I think the attempt is somewhat "inappropriately glorified":

  1. The end-user would have to be stupid enough to put and store his/her passwords and credit card information on his PC.
  2. There must be some sort of DNS compromise on the end-user side, which also means successfully hacking into his/her router.
  3. There must be some sort of digital certificate store compromise on the end-user side, which also means successfully hacking into his machine with highly elevated privileges, or, put another way, the user's machine password has been stolen.

Points [2] and [3] relate to the statements from the attempt, and I quote from the above post:

"To reproduce the demonstration, you should change your own DNS settings and install an untrusted certificate."

If I can do both of those successfully, to be honest, I already have control over what the user does on his machine; stealing his InfoCard is probably of low priority at that point in time.

Then Kim Cameron, the brains behind CardSpace, himself wrote a comprehensive reply, which was basically a detailed version of my brief thoughts above, countering the students' attempt, and it should really put to rest any doubts in anyone's mind.

[Added 02 June 2008]: In this video on his blog, Kim demonstrates how YOU, the end-user, must FIRST POISON your own machine before the attack can happen: http://www.identityblog.com/wp-content/images/2008/05/Students/Students.html

Some comments stand out, and I quote:

"The demonstrator shows that if you are willing to compromise enough parts of your system using elevated access, you can render your system attackable. This aspect of the students' attack is not noteworthy."

"There is, however, one interesting aspect to their attack. It doesn't concern CardSpace, but rather the way intermittent web site behavior can be combined with DNS to confuse the browser. The students' paper proposes implementing a stronger "Same Origin Policy" to deal with this (and other) possible attacks. I wish they had concentrated on this positive contribution rather than making claims that require suspension of disbelief."

"However, the students propose equipping browsers with end user certificates so the browsers would be authenticated, rather than the sites they are visiting. This represents a significant privacy problem in that a single tracking key would be used at all the sites the user visits. It also doesn't solve the problem of knowing whether I am at a "good" site or not. The problem here is that if duped, I might provide an illegitimate site with information which seriously damages me."

While I know the ignorant media will find some way to sensationalize this unworthy episode, especially when Microsoft is such a big target, it brings to mind a popular joke which I think can be used as an analogy:

Q: How do you make 1 million dollars ?
A: Start with 2.

Saturday, May 31, 2008 8:45:51 AM (Malay Peninsula Standard Time, UTC+08:00)

Tuesday, April 29, 2008

Gosh, I think I am in desperate need of some new empty bookshelves ...

[Photo of the bookshelves]

...and you haven't even seen my other bookshelves containing my other interest, which I won't share for now ...

Tuesday, April 29, 2008 11:08:53 AM (Malay Peninsula Standard Time, UTC+08:00)

Wednesday, April 16, 2008

Wednesday, April 16, 2008 6:26:49 AM (Malay Peninsula Standard Time, UTC+08:00)

Tuesday, April 08, 2008

One cannot run away from understanding infrastructure needs when one is pitching or designing software solutions in the enterprise (which I do a lot of), and it is sometimes strange (in a pleasant way) when the conversation goes like this:

"Please make sure you have failover expertise in your next meeting. I recommend getting Steve to proxy in for William, even though I don't think anyone can impersonate him. At least, I have been able to ascertain that Steven can mirror William quite well and will be able to backup William in the event of a failure."

Tuesday, April 08, 2008 7:22:57 AM (Malay Peninsula Standard Time, UTC+08:00)

Wednesday, February 13, 2008

Lumbar Spine Report (13 February 2008):

• The lumbar spine has a mild lateral curve convex to the right.
• There is minimal slipping forwards of L5 on S1, which is lumbarised on the left side.
• Moderate osteoarthritis is seen in the apophyseal joints between the L5 and S1 segments.
• The bodies of L1, L2 and L4 are slightly wedged anteriorly. These changes may be secondary to the previous trauma.
• The lumbar disc spaces have average heights.

Conclusion:

• Unilateral lumbarisation of S1 segment.
• Lower lumbar spondylosis.

From playing a lot of competitive basketball back in my varsity days in Canada in the late-80s/early-90s as a point-man to getting the above report in my envelope is somewhat depressing. I am getting old ...

Wednesday, February 13, 2008 8:25:19 AM (Malay Peninsula Standard Time, UTC+08:00)

Sunday, January 20, 2008

There are not too many movies that will get me rushing onto the web once I get home to find out more about them and the various viral marketing and spins behind them. The Blair Witch Project was one. This one, which I just caught, is another. Spoilers here.

I am not worthy, JJ Abrams

[Image: CloverField Monster 01.jpg]

[Image: CloverField Monster 02.jpg]

The movie's creepy monster louse is especially my favourite.

[Image: CloverField Monster Parasite.jpg]

Sunday, January 20, 2008 12:14:53 PM (Malay Peninsula Standard Time, UTC+08:00)

Thursday, January 10, 2008

So... let me start off this New Year 2008 with a rant post.

I am constantly amazed at the technical knowledge of some of the folks manning the shops selling computer peripherals. I was in the market shopping for an external casing for my SATA II HDD and someone recommended that I use a USB 2.0 external interface because, as he simply and confidently put it while pointing to the marketing material on the box, "it is faster".

I had to correct him: the theoretical speed of USB 2.0, 480 Mb/s, is not faster than the theoretical speed of SATA II, which is pegged at 300 MB/s. The astute reader will notice the difference in casing.

A quick glance at this article will show the usual naming and differing configurations and the huge difference between a Byte and a bit.

To do some simple calculations: the max burst transfer rate of SATA II is 3 billion bits per second, which is equivalent to 3 Gb/s, via normal conventions rather than strict definitions. This is equivalent to 300 million Bytes per second, or 300 MB/s. Some sites like this one state 300 Mb/s, which would actually mean we are moving backwards in technology. Worse, some people state it as 300 GB/s, which would mean I can transfer the equivalent data of 31 DVDs in 1 single second, overstating it by about 1000 times faster than it really is.

The same applies to USB 2.0. Many technical sales people I talked to told me it is 480 MB/s, and I have seen the same marketing collateral on the packaged boxes it comes in. In actual fact, it is 60 MB/s.

Now, if you compare apples to apples, it is a no-brainer to compare 300 MB/s against 60 MB/s, isn't it? Of course, the arguments will always begin when people start arguing whether it is really a 5-times performance difference, taking into account the cost of USB's overheads and the cache memory that some of the higher-end SATA II HDDs offer.
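To make the bit/Byte distinction mechanical, here is an added example (my own code, not from the original post) that parses rate strings case-sensitively and grades the advertised figures mentioned above against each link's raw bit rate. The SATA figure assumes 8b/10b line coding (ten wire bits per data byte), which is what turns 3 Gb/s into 300 MB/s; the USB 2.0 figure is divided by eight, as the post does.

```python
import re

# Decimal SI prefixes, as used for link rates (1 Gb/s = 10^9 bit/s).
_PREFIX = {"": 1, "k": 10**3, "K": 10**3, "M": 10**6, "G": 10**9}

# Wire bits carried per payload byte.  SATA uses 8b/10b encoding, so ten
# raw bits move one byte; USB 2.0 is quoted in plain bits, so eight.
_WIRE_BITS_PER_BYTE = {"SATA II": 10, "USB 2.0": 8}

# Raw signalling rates in bits per second (spec figures quoted in the post).
SPEC_BITS_PER_SEC = {"SATA II": 3 * 10**9, "USB 2.0": 480 * 10**6}

# Value, optional prefix, then the unit letter whose CASE is what matters:
# 'b' is bits, 'B' is Bytes.
_RATE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([kKMG]?)([bB])/s\s*$")


def rate_to_bytes_per_sec(text: str, link: str) -> float:
    """Parse a rate such as '3Gb/s' or '60MB/s' into payload bytes per second."""
    m = _RATE.match(text)
    if not m:
        raise ValueError(f"unrecognised rate: {text!r}")
    value, prefix, unit = m.groups()
    raw = float(value) * _PREFIX[prefix]
    if unit == "B":
        return raw                              # already payload bytes
    return raw / _WIRE_BITS_PER_BYTE[link]      # wire bits -> payload bytes


def check_claim(claim: str, link: str):
    """Grade an advertised rate for a link.

    Returns (verdict, factor) where factor is claimed / actual payload rate,
    so an honest figure gives ('ok', 1.0) and '300GB/s' on SATA II gives
    ('overstated', 1000.0).
    """
    actual = SPEC_BITS_PER_SEC[link] / _WIRE_BITS_PER_BYTE[link]
    factor = rate_to_bytes_per_sec(claim, link) / actual
    if abs(factor - 1.0) < 1e-9:
        return "ok", factor
    return ("overstated" if factor > 1.0 else "understated"), factor


if __name__ == "__main__":
    for claim, link in [("3Gb/s", "SATA II"), ("300MB/s", "SATA II"),
                        ("300Mb/s", "SATA II"), ("300GB/s", "SATA II"),
                        ("480Mb/s", "USB 2.0"), ("480MB/s", "USB 2.0")]:
        print(f"{link}: {claim:>8} -> {check_claim(claim, link)}")
```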

Well, let's just leave those arguments in those other blogs and forum posts for now.