I’m skeptical of NAND mirroring

Many have proposed "NAND mirroring" as the solution to the FBI's troubles in recovering data from the San Bernardino shooter's iPhone. Experts don't see any problem with this approach, but that doesn't mean experts know it will work, either. There are problems.

The problem is that iPhones erase the flash after 10 guesses. The solution, therefore, is to create a backup, or "mirror", of the flash chips. When they get erased, just restore from backup, and try again.

The flaw with this approach is that it's time consuming. After every 10 failed attempts, the chips need to be removed from the phone, reflashed, and reinserted back into the phone. Then the phone needs to be rebooted.

For a 4-digit passcode, this process will need to be repeated a thousand times. This is doable in a couple of days. For a 6-digit passcode that is standard on iOS 9, this needs to be repeated 100,000 times, which will take many months of nonstop effort 24 hours a day. Presumably, you can make this more efficient by pipelining the process, using multiple sets of flash chips, so that a new fresh set can be swapped in within a few seconds, but it still takes …

NASA competition could net you $1.5M for next great airship

NASA this week said it was considering a new Centennial Challenge: Build an airship capable of long duration flight for scientific missions. The agency issued a Request for Information to see if there was enough industry interest in the challenge and to further develop rules for the competition. You may recall that NASA’s Centennial Challenges Program sets up challenging contests for the public, academia, and industry with an eye towards developing innovative technologies.

US accuses 7 Iranians of hacking US banks, New York dam

The U.S. government says seven Iranians working for the country's Islamic Revolutionary Guard Corps are responsible for 187 denial of service attacks aimed at banks across the U.S. between 2011 and 2013. It also says one of the individuals gained access to the control system for the Bowman Avenue Dam, a small dam north of New York City, and would have been able to control flow of water through the system had it not been disconnected for repairs. The accused worked for two Iranian computer companies, ITSecTeam and Mersad, and were contracted by the Iranian government to conduct the attacks, according to a Department of Justice indictment unsealed on Thursday.

Book Winners!

Lots of good suggestions in my inbox—thanks to all who gave me some great design ideas to blog about. I eventually chose two winners, as I uncovered another copy of the book to give away! The two winners are Patrick Watson and Matthew Sabin. I’m going to try and run something like this every three or four months, so look for another one in the future.

The post Book Winners! appeared first on 'net work.

Justice Department indicts Iran hackers in massive financial cyberattack

The U.S. Department of Justice has indicted seven Iranian hackers in connection with cyberattacks on U.S. banks, the New York Stock Exchange, AT&T and a water facility in New York. The seven live outside the U.S. and it’s questionable whether they will ever be apprehended and tried, according to reports by Reuters, the New York Times and the Washington Post.

Baremetal cloud using Packet

Typical open source demo applications come packaged as a Vagrant application which starts a bunch of VMs and does automatic provisioning. I have a Windows machine with Virtualbox and VMWare player installed. Since Virtualbox does not support nested virtualization with 64-bit VMs (more details can be found in my previous blogs on Virtualbox and VMWare player), …

IDG Contributor Network: User-controlled, private clouds could help with security, think scientists

One of the problems with smartphone apps is that one has no control over where often-sensitive permissions and personal content are stored. While we’re allowed a certain amount of input when it comes to downloading the app and installing it (agree to the permissions or else), we have no control over where or how all the data is stored. We know that it’s probably in the cloud somewhere, but it could be anywhere, even on the phone itself. And each app developer has its own idea about how to handle the stuff. That is a problem for security—not the app developers’ but ours. And it doesn’t stop at phones. Anyone know where the password for an IoT oven is located, and how securely? The answer is no and maybe not very.

Emergency Java update fixes two-year-old flaw after researchers bypass old patch

Oracle has released an emergency Java security update to fix a critical vulnerability that could allow attackers to compromise computers when they visit specially crafted websites. The company has assigned CVE-2016-0636 as the identifier for the vulnerability, which suggests that it is a new flaw discovered this year, but that's not really the case. Polish security firm Security Explorations confirmed via email that the new Java update actually fixes a broken patch for a vulnerability that was originally reported to Oracle by the company in 2013. Earlier this month Security Explorations announced that a patch released by Oracle in October 2013 for a critical vulnerability tracked as CVE-2013-5838 was ineffective and could be trivially bypassed by changing only four characters in the original exploit. This meant that the vulnerability was still exploitable in the latest versions of Java.