Category Archives: Security

BlueTOAD (Bluetooth Travel Time Origin and Destination)

Bluetooth devices have been proliferating to the point where you can make a safe bet that most vehicles have one. That’s why some clever folks are starting to monitor the highways for Bluetooth in project BlueTOAD.

Rather than depend on every car carrying a toll tag in plain view, the sensors along highways can read the unique address of a Bluetooth device and then predict traffic flow times. The collection of Bluetooth information then also can be tapped by law enforcement, or at least requested by a court, to prove movement of the devices. I vaguely remember a divorce case where a husband was proved to be cheating on his wife because of his toll tag movements.

The identity of a Bluetooth device, its MAC address, is in no way permanently connected to an individual. This makes Bluetooth potentially less sensitive than license plates and toll tags. Likewise, a Bluetooth device could in theory cycle its address or duplicate others to make tracking difficult. There are plenty of lessons from the P2P market in how to keep service alive while modifying the MAC. A big difference from P2P, however, is that the portable Bluetooth device market is highly proprietary and unfriendly to user configuration (ever try to set up a Bluetooth PIN other than 0000?).
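The matching described above, as an added example rather than code from this post or from BlueTOAD: two roadside sensors pair sightings of the same address to get a travel time, and a device that cycles its address drops out of the match. The sensor names, the sample addresses and the keyed-hash pseudonym (a data-minimisation choice on the operator's side) are assumptions made for the illustration.

```python
import hashlib
import hmac
from statistics import median

# Constructed sample sightings: (sensor, unix_seconds, address heard by the sensor).
SIGHTINGS = [
    ("origin", 1000, "00:11:22:33:44:55"),
    ("origin", 1010, "66:77:88:99:AA:BB"),
    ("origin", 1020, "5A:00:00:00:00:01"),  # device that cycles its address
    ("dest",   1300, "00:11:22:33:44:55"),
    ("dest",   1330, "66:77:88:99:aa:bb"),  # same address, different letter case
    ("dest",   1340, "7E:00:00:00:00:02"),  # the cycling device under a new address
]


def pseudonym(address, daily_key):
    """Keyed hash of the address, so stored records never hold the raw value.

    Assumption: the operator rotates daily_key, so pseudonyms from different
    days cannot be joined into a long-term movement history.
    """
    digest = hmac.new(daily_key, address.lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def travel_times(sightings, daily_key):
    """Seconds from first origin sighting to first later dest sighting, per pseudonym."""
    first_origin, result = {}, {}
    for sensor, ts, address in sorted(sightings, key=lambda s: s[1]):
        pid = pseudonym(address, daily_key)
        if sensor == "origin":
            first_origin.setdefault(pid, ts)
        elif pid in first_origin and pid not in result:
            result[pid] = ts - first_origin[pid]
    return result


def segment_report(sightings, daily_key):
    """Median travel time, plus how many origin sightings never matched downstream."""
    times = travel_times(sightings, daily_key)
    origins = {pseudonym(a, daily_key) for s, _, a in sightings if s == "origin"}
    return {"median_s": median(times.values()) if times else None,
            "matched": len(times), "unmatched": len(origins - set(times))}


if __name__ == "__main__":
    print(segment_report(SIGHTINGS, b"key-for-day-1"))
```

The traffic estimate survives on the two stable addresses, while the device that changed its address between sensors contributes nothing that links its two sightings.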

I leave all my Bluetooth disabled these days; not because I am very worried about being tracked or even because of eavesdropping, but because battery life is so poor. I find it much less hassle and more efficient to use the cord. The extra security and privacy is a secondary benefit.

Frankly I’m more concerned about the MyLocation project and the privacy settings for APIs to Google Maps. In a test to compare with BlueTOAD we’ve been able to use a simple query to the Google Maps traffic data API to monitor the movement of a person’s phone.

I’m not sure Google meant it to be set up this way; it’s a security flaw from a privacy perspective, but then again I know departments of transportation and law enforcement investigators already interested in accessing the data.

Podcast: RSA Conference HT-106

I am co-presenting session HT-106: “There’s No Patch for Social Engineering” at the RSA Conference this March in San Francisco, based on language pattern analysis of email messages:

Urgent/Confidential–An Appeal for Your Serious and Religious Assistance: The Linguistic Anthropology of ‘African’ Scam Letters

A sneak preview of the session can be heard in a podcast just posted to the conference site.

I also am presenting DAS-108: “Top Ten Breaches”, a session that gives an in-depth look at breach data and investigations to illustrate how best to manage security for current threats.

Hope to see you there.

Trepidation of the Spheres

Helen Sharman, Britain’s first astronaut.
Source: The Guardian, Alamy Stock Photo

An information security post about poetry today, based on Valediction Forbidding Mourning by John Donne:

AS virtuous men pass mildly away,
And whisper to their souls to go,
Whilst some of their sad friends do say,
“Now his breath goes,” and some say, “No.”

So let us melt, and make no noise, [5]
No tear-floods, nor sigh-tempests move;
‘Twere profanation of our joys
To tell the laity our love.

Moving of th’ earth brings harms and fears;
Men reckon what it did, and meant; [10]
But trepidation of the spheres,
Though greater far, is innocent.

The above metaphor gave me pause. The point seems to be that an inter-planetary event has far more significance yet is less stressful than an event on earth. Donne clearly wants it to be this way, to make a point about quiet goodbyes.

I suspect that if you tell someone that a “sphere” event is likely (e.g. meteor strike) they will find as much or more trepidation than events happening on earth. On the other hand, Donne perhaps knew this and was really implying that the greatest impacts are the least frequent and thus should not be feared with the same intensity (profanation) as frequent ones of less severity. He continues:

Dull sublunary lovers’ love
‘Whose soul is sense’ cannot admit
Of absence, ’cause it doth remove [15]
The thing which elemented it.

But we by a love so much refined,
That ourselves know not what it is,
Inter-assur’d of the mind,
Care less, eyes, lips and hands to miss. [20]

Our two souls therefore, which are one,
Though I must go, endure not yet
A breach, but an expansion,
Like gold to aery thinness beat.

If they be two, they are two so [25]
As stiff twin compasses are two;
Thy soul, the fix’d foot, makes no show
To move, but doth, if th’ other do.

And though it in the centre sit,
Yet, when the other far doth roam, [30]
It leans, and hearkens after it,
And grows erect, as that comes home.

Such wilt thou be to me, who must,
Like th’ other foot, obliquely run;
Thy firmness makes my circle just, [35]
And makes me end where I begun.

Clever imagery within a poem of managing risk. The legs of the compass — one static as the other one roams and more erect when they are together — are a beautiful metaphor for continuity.