The emergence of the Android Operating System for mobile devices is said to have put the content protection industry in trouble. This is probably true. However, for sake of accuracy, it has not introduced wholly new problems as it worsened existing ones, in an overall situation that was never easy to start with. Let us see what open Operating Systems such as Android have changed, and how the content protection industry may go about to overcome these new-old difficulties.

Among the work I do is the evaluation of research proposals for the Framework Program 7 (FP7), and now H2020, of the European Commission. I review research proposals that are submitted in response to calls that are related to information security. Truthfully, this work is among the more interesting of projects I am involved with.

On account of this occupation of mine, for a few years already, I consider myself authoritative to bring up the following tips to whoever intends to submit a research proposal for European, or other, funding.

A ZDNet article, Cyber-war risk is exaggerated, says OECD study, points to what seems as a thorough study that concluded with the stated result. I never read this study, but from the article one can point one point in which it is probably right and one point in which it is probably wrong.

Cars will soon be (almost) fully automated. News on experiments with cars that drive by themselves, in different scenarios and situations, make it seem obvious that soon enough the role of the driver is to be similar to that of a pilot in a passenger jet. Many people feel some itch of discomfort with this thought; the itch of “we are not there yet”. Let us see if and why we “are not there” yet, and what we can do about it.

Wikileaks did evil. It published stuff that should not have been published. Julian Assange acted carelessly, I think. Still, the impact of Wikileaks is not what we usually think it is. The security of citizens was not affected by Wikileaks, but by the leak itself, and the publicity given to those leaks, in itself, may bring citizen security to a higher standard in the long run. The problem with Wikileaks is that it created a new market for leaked documents; a market which may increase the appeal of low-risk data theft.

A few weeks ago, I wrote about the inherent limitations of the certification model. This model cannot be expected to provide a solution to the binding of entities to public keys, primarily because Certification Authorities (CAs) have no financial incentive in performing thorough investigation on who they issue certificates to; and often on the contrary.

There is probably more than one solution to this problem. Let us examine one of them: External quality enforcement

The attack referred to as the ”Evil Maid Attack”, or the “Cleaning Maid Attack” against full disk encryption (FDE), is considered as one of the serious attacks concerning people who travel with laptops full of confidential information. This attack involves an attacker, who can obtain physical access to an FDE-protected laptop. The attacker boots the laptop from a second drive, and modifies the boot-sector so that subsequent boot-ups, e.g., by the owner, will cause the execution of malicious code that will capture the passphrase and/or key that is used to boot the system. Then, the attacker should get the laptop again to collect his loot. This attack was discussed everywhere, including in the PGP Blog, LWN.net, ZDNet, and the blog of Bruce Schneier.

Some people claimed that there are no feasible countermeasures against this attack, other than making sure your laptop is never left alone for too long. A while ago, I traveled to a place where laptops were not allowed; I had to leave it at the hotel every day for two weeks. This made me devise a practical solution which can be dubbed as: be the cleaning maid yourself.

Many had high expectations from the SSL/TLS certificate model. At least on paper it sounded promising and worthwhile. Keys are used to protect traffic; for this to be effective, keys shall be bound to business entities; for the binding to be trustworthy by the public, binding will be signed by Certification Authorities (CAs), which the public will recognize as authoritative. Once the trusted CA signs the binding between a business entity (represented by a domain name) and a key — every user can tell he is communicating securely with the correct entity.

In practice, it got all messed up. It is difficult to form authorization hierarchies on the global Internet, this is one thing. However, the model failed also due to the economics behind it.

Software as a Service (SaaS) is one of the hot trends in Information Technologies. “SaaS” is the name given to the concept of having applications run on the infrastructure of the service provider, rendering service to the customer over the net.

The SaaS architecture promises lower cost of ownership, better scalability, and ease of maintenance. There are other advantages, and a few limitations as well. One of the key concerns regarding SaaS is about security. Corporate security officers claim that a security risk arises with the storage of corporate data off-site. This is probably true, but to be able to assess the risk accurately, the stakeholder needs to properly understand what the risk is exactly, and where most of this risk comes from. Following is my take on this.

No one in the automotive security industry could miss the recently published news article titled “Beware of Hackers Controlling Your Automobile”, published here, and a similar essay titled “Car hackers can kill brakes, engine, and more”, which can be found here. In short, it describes how researchers succeeded in taking over a running car, messing up with its brakes, lights, data systems, and what not.

As alerting and serious as this is, it should not come by as a surprise.