Archive for February, 2006

Protected: Ca(non)ical v-day posting

This content is password protected. To view it please enter your password below:

Protected: …Mr. Anderson, what good is a phone call if you are…unable…to speak.

This content is password protected. To view it please enter your password below:

Your cellphone battery implements SHA-1, film at 11.

I read an article in EDN yesterday that came as a mild shocker, hashing and cryptography chips designed for embedding in….batteries.

Yes, batteries. Specifically, rechargeable battery packs used in cellphones, laptops, cameras and similar consumer devices, allowing the device to reject “unauthorized” replacement batteries. Yes folks, slapping in a replacement battery pack for some discontinued gadget can now be a DMCA violation*.

Read it here.

The official claim they make, as claimers often do, is that such methods are intended for consumer safety. An inferior Li-Ion cell could have a lower maximum charging rate and go *pow* when the device tries to charge it at the expected rate for the original cells, so the rhetoric goes.

Modern battery charging circuitry carefully monitors the state of the cells, measuring the current drawn by each cell over time and even the surface temperature. While it is theoretically possible for an aftermarket battery pack to be produced with low-rate cells that don’t match the original spec, the gadget to not notice, and the cells to go *pow*, the immediate result would be that that aftermarket manufacturer is going to get spanked. Severely. A much less hostile solution to implementing SHA-1 in a battery-pack lockout chip would be to, you know, publicly document the charging current given out by the device (although if a manufacturer wants to be secretive, it’s easy enough to just measure it with a decent multimeter). In light of the fact that any idiot with a $25 multimeter can measure the charge current required for any gadget without even opening it, all this whining about batteries requiring a cryptographic handshake for consumers’ own good seems suspect at best.

* The DMCA’s (Digital Millenium Copyright Act of 1998) official wording forbids any tool that defeats a technological measure which “effectively controls access to a copyrighted work”, e.g. a CD or movie. However, that has not stopped various gadget makers suing under the Act (sometimes successfully) claiming that the firmware on the gadget (being “accessed” in the sense that the consumer gets to use the gadget), or even the crypto key in their lockout chip, is the “copyrighted work” they are trying to protect.

Woo, sneaky… and countersneaky

Some web servers send a site navigation page or other response page with a “HTTP 200 OK” response instead of a “HTTP 404 Not Found” result for page-not-found conditions. To check on web server handling of page-not-found conditions, Slurp will occasionally send deliberately odd URLs built from random words to sites from which no 404 results have been seen.

http://help.yahoo.com/help/us/ysearch/slurp/slurp-10.html

I’m keeping this in mind when/if I finally start coding LiVE [the Link Integrity Verification Engine]. No more links leading to porn spam, thanks…

I love, hate, love the wall street journal

Some gems from today and yesterday:

“Then on Jan. 10, 2001, a deranged catfish farmer went on a rampage in a small Northern California town, killing three people and igniting public outrage.”

(Nothing wrong with the sentence [& it was actually a serious article], I just found the mental image amusing [er…except for the people dying part]. Come to think of it, I actually can’t imagine such a thing as a non-deranged catfish farmer.)

“To calculte the total power generated over a storm’s lifetime, Dr. Emanuel multiplied each hurricane’s maximum sustained wind speed by itself and then multiplied that result by the wind speed again, a calculation known as cubing.”

(If someone doesn’t know what a number cubed means, I can recommend some alternative reading material to the morning paper.)

Woo, cexx is back in vogue

The Bricemaster (one of my TSU buddies) pointed me to this tonight.

CEXX.org (Counterexploitation) also has excellent forums, is ad free and somewhat broader than Spywareinfo, with links to the anti-spam community.

Google to combat spyware – Newsday

(Ha, I feel all famous again. Now, if only I had time to actually maintain the darned thing…)