hírszerzési lehallgatás Adatvédelmi biztonsági technológia

RFC 6189: ZRTP végre egy szabvány!

Április 11, 2011 - 22:54

Végül ZRTP lett hozzárendelve hivatalos RFC megbízás, RFC6189 ZRTP: Media Path legfontosabb megállapodás unicast Secure RTP.

Úgy volt, mint a függőség a SRTP AES kulcs mérete 256bit, hogy most nevezték meg, mint RFC6188 .

Izgalmas látni az RFC végül megjelent, mivel ez egy fontos mérföldkő beállítani ZRTP mint a hivatalos szabvány end-to-end titkosítást akárcsak PGP már az e-maileket.

Most minden olyan szervezet a világon lesz hivatalosan képes végrehajtani ZRTP az end-to-end titkosítást protokoll hang

Jelenleg 3 különböző nyilvános implementációja ZRTP protokoll létezik:

Mindegyikük biztosít különböző funkciók a protokoll, de a legfontosabb ismert, hogy átjárható.

Az új hullám jön a hang titkosítás világ irrupting egy szürke terület, ahol a legtöbb vállalat csinál telefon titkosítási rendszerek már végrehajtási egyedi titkosítást.

Most egy szabvány lett állítva, és van néhány ok, balra végrehajtási valami más.

Hurra Mr. Zimmermann és a közösségi cégek (mint például PrivateWave ) és magánszemélyek (például Werner Dittmann ), hogy dolgozott rajta!

Ma már a nagy nap, az ilyen típusú technológia jelenleg a hivatalos és több meglévő végrehajtási!

Philip, te újra, én tiszteletét a tiszta szellem és meghatározás:-)

Comment (1) Címkék , , , | Comment (1)
lehallgatás Adatvédelmi biztonság

Előrelépés GSM repedések Freiburg egyetemi

Február 23, 2011 - 13:32

Az izgalmas világ mobil protokollok (GSM, GSM-R, TETRA, UMTS, stb.) Hacker kezd hivatalos kutatási tevékenységeket az egyetemekről.

A beruházás, hogy a nyílt forráskódú kód kiadásai csinos szoftver ad lehetőséget, hogy a diákok az egyetemi dolgozni rajta, javítását, és ezt az erős kutatás.

A freiburgi egyetem most megjelent tanulmány a gyakorlati gyakorlat a GSM titkosítás A5 / 1 , valamint egy gsmframencoder támogató eszköz, hogy javítsa a szippantás, dekódolás és elegy.

Nyitva hardver, szoftver megnyitása, megnyitása protokoll bizonyítani gyengesége bármilyen szabadalmazott módszer vagy eljárás a felépülési kommunikációs és biztonsági technológiák.

Meg kell a cél minden tudósok, hogy megpróbálja megnyitni-up és a crack bármilyen védett és zárt technológia kényszeríteni az ipar megy csak átjárható és nyitott hozzáállás tervezése távközlési protokollok.

Comment (0) Címkék , , , , | Comment (0)
Adatvédelmi technológia

Saját TOR exit node tapasztalat próbáljuk kiszűrni zajos forgalom

Január 24, 2011 - 22:14

Az év elején úgy döntöttem, hogy itt az ideje, hogy fut a TOR exit node így hoztam egy VPS a hetzner.de (mert szerepel a jó TOR ISP ), és állítsa be a kilépés-csomópont becenevet privacyresearch.infosecurity.ch a 100Mbit / s csatlakozás első 1TB havi adat, akkor a 10 Mbit / s lakás.

Azt is fut TOR2WEB szoftvert http://tor.infosecurity.ch .

Én beállítás az exit-politika által javasolt futás exit-node minimális zaklatás és készített egy visszaélés válasz sablon .

Az első napon én már fut a csomópont kaptam azonnal panaszt DMCA miatt peer-to-peer forgalom.

Tehát én úgy döntött, hogy kiszűrje, néhány P2P forgalom segítségével OpenDPI iptables modul és DMCA panaszkodnak automatikusan eltűnt:

iptables -A OUTPUT -m opendpi -edonkey -gadugadu -fasttrack -gnutella -directconnect -bittorrent -winmx -soulseek -j REJECT

Aztán, mivel én vagyok olasz, úgy döntöttem, hogy elkerüljék a TOR csomópont csatlakozik az olasz internetes címtartomány csökkentése érdekében az esélye, hogy egy hülye ügyész ébresszen fel reggel, mert nem értették, hogy én futás a TOR csomópontot.

Próbáltam, segítségével hellais hogy írt egy forgatókönyvet, hogy Exit politika elutasítja nyilatkozat , hogy utasítsák el az összes olasz netblocks alapján IOError a blockfinder de azt tapasztaltuk, hogy a torrc konfigurációs fájlok 1000 sor volt, hogy TOR összeomlik.

Mentünk, hogy nyit egy jegyet, hogy jelentse az összeomlás a mi megpróbálják blokkolni a TOR exit politika országonként és talált egy hasonló kísérlet , ahol részt, de még mindig úgy tűnik, hogy egy nyitott kérdés.

A következtetés az, hogy nem lehetséges, hogy egy ország kilépésének politikáját TOR exit csomópont egy tiszta és udvarias módon, úgy döntöttem, hogy menjen a piszkos úton használatával iptables / geoip . Miután harcol annak érdekében, hogy megfelelően lefordítani, ez volt az egyik sor az iptables forgalom blokkolására fog Olaszország:

iptables -A OUTPUT -p tcp -m state -országhatár NEW -m geoip -dst köbcentiméteres IT -j REJECT

Most az én exit-node nincs kapcsolat olasz hálózatokat kell tenni, és én vagyok biztos ellen esetleg hülye ügyészek nem értik TOR (nekem van egy kivétel az összes TOR csomópont IP-cím előtt alkalmazott).

Miután néhány más nap elkezdtem kapni panaszkodik miatt portscan tevékenységek származott az én tor csomópontok.

Az én saját szemszögéből támogatni szeretnék anonimitás hálózat, nem névtelen hacker kísérletet, és így azt akarom, hogy kiszűrje-out portscan és támadások származó node.That én egy bonyolult kérdés, amely szükségessé tanulmány, így az időközben én beiktatott scanlogd és szippantani mert azt akarom, hogy értékelje, milyen sok támadás, mely a fajta támadás kicsúsznak az én TOR exit csomópont.
Később megpróbálom rendezni valamilyen szűrés, hogy biztos, hogy képes kiszűrni nagyobb támadásokat.
Mert mi kapcsolódik portscan úgy tűnik, hogy nincsenek állami eszközök felderítésére és a szűrő kimenő portscan, de csak, hogy kiszűrje a bejövő portscan így valószínűleg kell írni valamit, ad-hoc.
Utalok, hogy hogyan mennek a dolgok, és ha nem lesz valami jó módja annak, hogy végre egy fénysugaras módon felhorkant-inline szelektív kiszűrni-out nagyobb támadási kísérlet származó az exit-node.

A célom az, hogy a kilépési csomópont futó hosszú távon (legalább 1 TB forgalom havonta adományozott TOR), csökkentve az erőfeszítés kapcsolódó ISP panaszt, és próbálják tőlem telhetőt, hogy fut a kijárat-csomópont ésszerű kötelezettség.

Comment (1) Címkék | Comment (1)
hírszerzési lehallgatás biztonság

TETRA hacking jön: OsmocomTETRA

Január 23, 2011 - 10:27

Nagyon izgalmas, hogy a kibocsátás OsmocomTETRA , az első nyílt forráskódú SDR ( szoftver által meghatározott rádió ) végrehajtása TETRA demodulátor, PHY és alsó MAC réteg.

Ez a TETRA verzióját GSM airprobe hogy kinyit az adatokhoz való hozzáférés és a keret a TETRA kommunikációs protokoll, ezáltal kiváló hacker lehetőség!

Most, hogy is TETRA technológia indult meg kell várni, ebben az 2011-ben, hogy opensource TETRA lehallgatását és valószínűleg szintén TEA titkosítás (a Tetra titkosítási algoritmus) repedt!

TETRA használják Rendőrség, Emergency Services és hadseregek alternatív mobil kommunikációs hálózat, amely akkor is működik, anélkül, hogy a rendelkezésre álló hálózati lefedettség (csak a mobil-mobil nélküli bázisállomás), és néhány speciális szolgáltatások magas rendelkezésre állás.

Írtam TETRA én dia Major Voice Security Protocol felülvizsgálata .

A OsmocomBB levelezőlisták volt már vita néhány TETRA hálózat állapota:

  • Belgium rendőrség TETRA ASTRID hálózat: titkosítás nélkül
  • Német rendőrség vizsgálat TETRA hálózat Aachen: titkosítatlan
  • Néhány ex-jugoslawia TETRA hálózat: titkosítás nélkül
  • Hollandia C200 TETRA hálózat: TEA2 titkosítva statikus kulcsok
  • UK Airwave TETRA hálózat: TEA2 titkosítva TEA2

Ez lesz igazán szórakoztató látni, hogy az új rendőrség és a mentőszolgálat a hacker jön vissza a régi analóg kor az új digitális rádiók:-)

Comments (5) Címkék , , , | Hozzászólások (5)
ötletek Kudos

Kormány 2.0, Open Data és a WikiLeaks

Január 15, 2011 - 20:05

A fogalmak mögött Wikileaks, OpenLeaks, GlobalLeaks, BalkanLeaks sokkal több, mint csak felfedi titkait a nyilvánosság számára.

Ez része a forradalom jön a kormányzati szervezés, az átláthatóság és az együttműködés az úgynevezett "web 2.0 / wiki" együttműködési rendszereket.

Vessünk egy pillantást az említett kormány 2.0 - Bevezetés a Anke Domscheit Berg, innovatív kormányprogram vezet a Microsoft Németország és felesége Daniel Berg, társ-alapítója a WikiLeaks alapítója és jelenleg OpenLeaks .

Vessünk egy pillantást Open Data kormány 2,0 kezdeményezés érvényesítése kormányzati átláthatóság, a korrupció csökkentése és a teljesítmény javításához kormányzati szervezet.

Ez forradalom ez csak több, mint egy csoport anarco-libertariánus funky srácok, hogy létre kívánja hozni a káosz elterjedésének titkot, ez csak a kezdete a rohanás elérni az új szervezeti modell a kormányok kihasználva teljes átláthatóság és erős együttműködés a polgárokkal.

Comment (0) Címkék | Comment (0)
Magánélet

ZORG, új C ++ és Java ZRTP végrehajtás nyilvános kibocsátás

Január 12, 2011 - 02:01

Hi all, ma PrivateWave Italia SpA, olasz vállalat, a fejlődő technológiák az adatvédelem és informatikai biztonság hangon távközlés, ahol én vagyok, CTO, akkor engedje ZORG, egy új, nyílt forráskódú ZRTP protokoll implementáció letölthető a http: // www. zrtp.org .

ZRTP [1] előírja end-to-end kulcs csere elliptikus görbe Diffie- Hellmann és 384bit AES-256 titkosítás SRTP.

ZORG került eredetileg kidolgozni és végrehajtani a PrivateWave PrivateGSM hangja titkosító termékek elérhető az alábbi platformokon: Blackberry, Nokia és iOS (iPhone).

Zorg C ++ már integrált PJSIP nyílt forráskódú VoIP SDK [2], és ez tájékoztató integráció folt ellen PJSIP 1.8.5. Azt vizsgálták, iPhone, Symbian, Windows, Linux és Mac OS X

Zorg Java lett integrálva az egyéni változatát MJSIP [3] nyílt SDK a BlackBerry platform és ez magában foglalja a memória használat optimalizáció csökkentéséhez szükséges minimális szemétgyűjtő tevékenység.

Mindkét platformok elválasztott és moduláris kriptográfiai hátsó vége, hogy a kriptográfiai algoritmusok végrehajtására is könnyen cserélhetők más is.

. ZORG licenc alatt GNU AGPL és forráskód elérhető a GitHub a https://github.com/privatewave/ZORG .

Mi oldja azt a nyílt forráskódú és a koherencia a mi biztonsági megközelítése [4] azt nagyon remélem, hogy hasznos lehet a nyílt forráskódú ökoszisztéma, hogy új hang titkosítási rendszerek támogatására szólásszabadság.

Több mint 20 pjsip-alapú nyílt forráskódú VoIP titkosító szoftvert és számos Java-ban írt közvetve részesülhet ZORG kiadás.

Örömmel vennénk, hogy megkapja javaslatára együttműködés, az integráció új, új kriptográfiai back-végek, bug kereső és bármi hasznos, hogy javítsa, és hagyja ZRTP megerősítik a hang titkosítási szabvány.

Zorg elérhető http://www.zrtp.org .

[1] ZRTP: http://en.wikipedia.org/wiki/ZRTP
[2] PJSIP: http://www.pjsip.org
[3] MJSIP: http://www.mjsip.org
[4] A biztonsági megközelítés: http://www.privatewave.com/security/approch.html

Comment (0) Címkék , , , , | Comment (0)
Adatvédelmi biztonsági technológia

Titkosított mobil vezetékes telefonhívásokat Asterisk 1.8

Október 25, 2010 - 12:15

Mi most megjelent technikai howto az , hogyan kell felépíteni Biztonságos mobil a vezetékes VoIP infrastruktúra az:

A következő hetekben mások HOGYAN mint ez jön ki más, szerver platformok, mint például FreeSWITCH, mind az átláthatóság jegyében a nyílt forráskódú és a kiegyenlítő biztonsági technológiák.

Comment (0) Címkék , , , | Comment (0)
biztonság

Nyolc Epic meghibásodása szabályozó kriptográfia

Október 21, 2010 - 14:59

Egy nagyon tanulságos cikket nyolc Epic Tárgy Szabályozó kriptográfia és a közös félreértés kormányzati szabályozók, amely nem rendelkezik a széles kilátás, hogy a technológia működik.

Tudatlan kormányzati szabályozók, nem érthető, hogy a szigorú szabályozás a következő hátrányai:

  1. Ez biztonsági kockázatot teremt
  2. Ez nem fogja megállítani a rossz fiúk
  3. Ez árt az innovációt
  4. Ez kárt okoz az amerikai üzleti
  5. Ez kerül a fogyasztók
  6. Ez lesz alkotmányellenes
  7. Ez lesz a nagy kiadással adó dollárt

Comment (0) Címkék , | Comment (0)
Adatvédelmi biztonsági technológia

PrivateGSM: Blackberry / iPhone / Nokia mobil hang kódolás ZRTP vagy SRTP / sdes

Október 19, 2010 - 09:10

Én teljesen elkerülni, hogy használja a saját személyes blog, hogy promóciós bármilyen termék.

Abban az időben ez nem más, hanem azt akarom mondani tényeket termékekkel dolgozom nélkül képzelet marketing, de marad a technikai.

Ma, PrivateWave hol vagyok CTO és társalapítója , kiadtuk nyilvánosan mobil VoIP titkosító termékek Blackberry, iPhone és Nokia:

  • Az 1. mindig Blackberry titkosított VoIP ZRTP - PrivateGSM VoIP Professional
  • Az 1. elveszett iPhone titkosított VoIP ZRTP - PrivateGSM VoIP Professional
  • Az 1. mindig Blackberry titkosított VoIP kliens SRTP a sdes kulcs csere keresztül SIP / TLS - PrivateGSM VoIP Enterprise

logo-privatewave-colore.png

A PrivateWave használjuk egy másik megközelítés tekintetében a legtöbb hang titkosítási társaság odakint, olvassa el biztonsági megközelítése .

A jelentősége ennek a termékek a technológia és az ipar tájkép alábbiak szerint foglalhatók össze:

  • Ez az első hang titkosítás társaság kizárólag szabványok biztonsági protokollok (és arra számítunk, a piac reagál, mivel egyértelmű, hogy tulajdonosi tech származó örökségét CSD nem nyújt azonos értékű)
  • Ez az első megközelítés hangon titkosítást csak nyílt forráskódú és szabványos titkosítási motor
  • Ez az első hang titkosítás megközelítés, hogy a különböző biztonsági modell a különböző technológiákkal (end-to-end a ZRTP és end-to-site for SRTP )

Ezek a programcsomag Mobile Secure ügyfelek, a professzionális használatra biztonság csak a legjobb telekommunikációs és biztonsági technológiák magas fokú védelmet, valamint a jó teljesítmény is rossz hálózati körülmények:

Az alkalmazások a következők:

icona-pgsm.png

A támogatott mobil eszközök a következők:

Ami ZRTP úgy döntöttünk, hogy a stressz és nyúlik a biztonsági és paranoid jellemzője a jegyzőkönyv egy kis továbbá:

A szigorú címjegyzék integráció túlmutat ZRTP RFC leírás, hogy lehet, hogy érzékeny bizonyos támadások során használt mobiltelefonok miatt a felhasználó viselkedése ne nézd meg a mobil képernyőjén.

A paranoy módja a ZRTP enyhítésére ilyen körülmények fogunk írni erről később, és / vagy a hozzá adott adatait RFC felvétel.

Néhány szó PrivateGSM Professional end-to-end titkosítást ZRTP

Olvassa műszaki adatlapon ott!

A letölthető , kattintson ide, és csak tedd a telefonszám

Ezek az eredmények a kemény munka az én nagyon képzett munkatársak (16 fő dolgozott a 6 projekt 3 különböző platformokon) kihívást jelentő technológiák (hang titkosítás) a nehéz működési környezet (koszos mobil hálózatok és a koszos mobil operációs rendszerek) több mint 2 év.

Nagyon büszke vagyok a munkatársaink!

Mi a következő lépés?

A következő hetekben látni fogja felszabadító jelentős készlet dokumentációk, mint például az integráció csillagokkal, freeswitch és egyéb biztonsági Enabled PBX, valamint néhány izgalmas más biztonsági technológiák a hír, hogy biztos vagyok benne, lesz észre;)

Ez már egy kemény munka, és még meg kell csinálni, de én biztos vagyok benne, hogy a biztonság és a nyílt forráskódú közösség, mint az ilyen termékek és az átlátható megközelítést is nyitott fontos kiadások és a nyílt forráskódú integráció egy nagyon politikailag semleges (backdoor mentes) technológiával .

Comments (2) Címkék , , , , | Hozzászólások (2)
lehallgatás Adatvédelmi biztonsági technológia

Egy pár szép VPN szolgáltató

Október 17, 2010 - 12:39

Van egy csomó ember, miért kellene elérni internet keresztül a VPN.

Például, ha olyan országban élünk, blokkoló bizonyos tartalmak (például anti-helyi-kormány honlapján, pornó, stb.), És / vagy a protokollok (pl skype, voip), akkor valószínűleg szeretné helyezni a internet-kapcsolat kívül az ország csúnya blokkoló használatával titkosított VPN alagút.

Úgy értékelték több házigazdája a VPN-kiszolgáló és egy pár közülük hangzik elég jó között a széles körű kínálatát az ilyen szolgáltatások:

SwissVPN

Kilépés az internetre Svájcból.

Költség 6 CHF / hónap

Választható nyilvános fix IP-cím

Hasznos, ha szüksége van:

  • Csak kitérő helyi ország szűrők jó, nagy sávszélességű
  • Tegye közszolgáltatások keresztül a VPN az opcionális állandó nyilvános IP-címet.

Legyőz

Kilépés az internetre kiválasztásával között 20 különböző országban (minden alkalommal, amikor csatlakoztatja).

Hasznos, ha meg kell csinálni:

  • Üzleti intelligencia a versenytárs (látszólag származik X országban, ha ezeket összekötő)
  • lásd a film / tévéfilm engedélyezett csak a nemzeti IP web terek
  • lásd a google találatok között a különböző országok

Comment (0) Címkék , | Comment (0)
biztonság technológia

Nem minden elliptikus görbe ugyanaz: vályú ECC biztonság

Szeptember 26, 2010 - 01:05 
 Saját ECC görbe a biztonság és a kiválasztás elemzés

 vn9jna1BdgrzDCYNBJHi09q09q.jpg 
  A legtöbb modern crypto használat elliptikus görbe kriptográfiai (ECC), hogy a kisebb méretű kulcsot és csökkenti számítási teljesítmény, hogy a megfelelő biztonsági ereje hagyományos titkosítási rendszer néven ismert DH (Diffie-Hellman), vagy az RSA (Rivest, Shamir és Adleman). 
  Nem mindenki tudja, hogy az ECC titkosítás van kiválasztva a jövőbeli alkalmazásokat és titkosítási, hogy még a TLS / SSL (titkosítást használni biztosítására web) mozog ECC. 
  Találtam sok úgynevezett "egyedi kódolási termék", amely elhagyott RSA és DH megy ECC alternatívákat, amelyek általában önkényes használat ECC bites kulcs méretét anélkül, hogy meghatározza, milyen típusú ECC Crypto szokni. 
  Van azonban egy csomó zűrzavar körül elliptikus görbék, sok különböző nevek és a kulcs mérete nehezítve egy nem titkosított tapasztalt-felhasználó számára, hogy a saját szám értékelésekor egyes titkosítási cucc. 
  Mivel tehát diffúz zavar én úgy döntött, hogy saját elemzést, hogy megtudja, melyik a legjobb ECC titkosítás görbék és jobbra billentyűvel ECC méret használható. 
  Ez az elemzés azt szeretné, hogy egy biztonsági ágazat alapú választás között különböző ívek és kulcs méretek, így a matematikai és kriptográfiai analitikai megfontolásokon, amelyre már megtörtént az évek során, amely összefoglalja a különféle választási hozott számos szabványokat és a biztonsági protokollokat. 
  Először a következtetést. 
  Az én elemzés csak a következő ECC görbéket kell figyelembe venni felhasználásra titkosítási rendszerek, mert az egyetlen kiválasztott a különböző hatóságok (ANSI, NSA, SAG, NIST, ECC BrainPool), a különböző biztonsági protokollal (IPSec, OpenPGP, ZRTP, Kerberos, SSL / TLS), és az egyetlen megfelelő NSA Suite B biztonsági követelmények (de-facto szabvány a NATO katonai környezet): 
  •   Elliptikus Prime Curve 256 bit - P-256 
  •   Elliptikus Prime Curve 384 bit - P-384 
  opcionális, csak tényleg paranoiás, hogy szeretnénk, hogy minél több kulcsfontosságú méret kicsit, még mindig nem tekintik hasznosnak: 
  •   Elliptikus Prime Curve 521 bit - P-521 
  Szeretném leszögezni, hogy Koblitz görbéket el kell kerülni, hogy bármelyik billentyű méret (163/283/409/571), mivel azok nem elég garancia a kriptográfiai analitikus tevékenység és hatékonyan ezek a következők: 
  •   Nem része az NSA Suite-B kriptográfia kiválasztás 
  •   Nem része az ECC Brainpool kiválasztás 
  •   Nem része az ANSI X9.62 kiválasztás 
  •   Nem része az OpenPGP ECC kiterjesztés kiválasztása 
  •   Nem része a Kerberos kiterjesztése ECC görbe kiválasztás 
  Felkérem az olvasót, hogy kövesse keresztül az elemzés, hogy megértsék az alapjait, ami érthető is, anélkül, hogy mélyen a technikai háttér, de legalább egy jó technológiai hátteret a néhány alapvető kis kriptográfia. 
 Itt vagyunk az elemzést

 

  A célom az, hogy egy elemzést, hogy mit / hogy a nyílt tudományos és biztonsági közösség válassza ECC kriptográfiai rendszer használata a biztonsági protokollok és szabványok által meghatározott IETF RFC (azok, akik meghatározzák Internet szabványok a nyílt és lektorált módon). 
  Az alábbiakban egy sor RFC bevezetésének ECC a meglévő rendszert kap vizsgált megérteni, hogy mit jobb használni, és mi a jobb, hogy kizárják: 
 
  •   RFC5639 : ECC Brainpool Szabványos Curves-görbe Generation 
  •   RFC4869 : NSA Suite B kriptográfiai Suites IPsec 
  •   RFC5430 : NSA Suite B profil Transport Layer Security (TLS) 
  •   RFC5008 : NSA Suite B in Secure / Multipurpose Internet Mail Extensions (S / MIME) 
  •   RFC3766 : meghatározása Erősségek A nyilvános kulcsok cseréje használható, szimmetrikus kulcsok 
  •   RFC5349 : elliptikus görbe Kriptográfia (ECC) támogatása nyilvános kulcsú titkosítást kezdeti hitelesítés Kerberos (PKINIT) 
  •   RFC4492 : elliptikus görbe Kriptográfia (ECC) számsorok a Transport Layer Security (TLS) 
  •   ZRTP hang titkosítás Philip Zimmermann ECC görbe 
  •   ECC OpenPGP (draft d úszó-jivsov-OpenPGP-ECC-06 ) 
  •   ECC Curves kiválasztott Microsoft Smartcard Kerberos bejelentkezés 
  Fogjuk használni a döntését meghatározó tudós Internet Security protokollok hogy része értékelés. 
  Emellett meg kell érteni, hogy a görbe kiválasztás származik különböző hatóságok tette saját kiválasztását Curves érdekében, hogy elmondja, hogy az ágazat milyen használni, és mit kell kihagynia: 
  Fogjuk használni a döntését meghatározó tudós biztonsági követelmények szabványosítási szervek, hogy része értékelés. 
  Továbbá, amit a legtöbb ember nem tudja, de hogy ez nagyon fontos a mi elemzés, hogy vannak másfajta ECC görbe kriptográfia és a "méret" ez eltérő attól függően, hogy milyen görbe: 
  •   ECC Curves felett Prime Field (gyakran nevezik elliptikus görbe és képviselő P-keysize) 
  •   ECC Curves át bináris Field (gyakran nevezik Koblitz Curve és képviseli: K-keysize) 
  Mivel a biztonsági erő ekvivalencia az elliptikus görbe és a görbe Kobliz különböző kulcs méretű, például amikor azt olvassuk, ECC 571 utalunk Koblitz Curve egy azonos erőt ECC 521 Prime görbe. 
  Összehasonlítása erő között elliptikus görbék és Kotbliz Curves látható az alábbiakban (az ECC internetes Mikey Draft ): 
 | Koblitz | ECC | DH / DSA / RSA
 | 163 | 192 | 1024
 | 283 | 256 | 3072
 | 409 | 384 | 7680
 | 571 | 521 ​​| 15360

  Az alábbiakban egy összehasonlítás az összes kiválasztott görbék által a különböző szervezetek és azok nevét (az IETF RFC4492 ECC forgalmi TLS ): 
 Curve neveket választott különböző szabványügyi szervezetek
 ------------ + + --------------- -------------
 SECG | ANSI X9.62 | NIST
 ------------ + + --------------- -------------
 sect163k1 | | NIST K-163
 sect163r1 | |
 sect163r2 | | NIST B-163
 sect193r1 | |
 sect193r2 | |
 sect233k1 | | NIST K-233
 sect233r1 | | NIST B-233
 sect239k1 | |
 sect283k1 | | NIST K-283
 sect283r1 | | NIST B-283
 sect409k1 | | NIST K-409
 sect409r1 | | NIST B-409
 sect571k1 | | NIST K-571
 sect571r1 | | NIST B-571
 secp160k1 | |
 secp160r1 | |
 secp160r2 | |
 secp192k1 | |
 secp192r1 | prime192v1 | NIST P-192
 secp224k1 | |
 secp224r1 |​​ | NIST P-224
 secp256k1 | |
 secp256r1 | prime256v1 | NIST P-256
 secp384r1 | | NIST P-384
 secp521r1 | | NIST P-521
 ------------ + + --------------- -------------

  Mi azonnal megjelenik az, hogy már csak két görbe által kiválasztott valamennyi hatóság, és hogy van egy általános dömping Koblitz görbék által ANSI.The csak a közösen megállapított között 3 hatóságok a következő két ECC görbe: 
  •   secp192r1 / prime192v1 / NIST P-192 
  •   secp256r1 / prime256v1 / NIST P-256 
  Azok kiválasztása ECC görbe TLS az RFC5430 átugorja Koblitz görbék és kiválasztott használat esetén: 
  •   P-256, a P-384, a P-521 
  Az ECC Brainpool átugorja Koblitz görbék és kiválasztott használat az alábbi ECC Curves: 
  •   P-160, P-192, P-224 P-256 P-320 P-384, P-512 (ez az egyetlen különleges, mert ez nem a P-521, de a P-512, az egyetlen kulcs méretű által előterjesztett ECC brainpool. Tnx Ian Simons származó Athena SCS ) 
  Az OpenPGP internet tervezete ECC használat PGP d úszó-jivsov-OpenPGP-ECC-06 átugorja Koblitz görbék, és a kiválasztott az alábbi ECC görbék 
  •   P-256, a P-384, a P-521 
  A Kerberos protokoll kiterjesztése ECC felhasználásra, meghatározott RFC5349 és meghatározott Microsoft smartcard bejelentkezéshez átugorja Koblitz görbék, és a kiválasztott az alábbi ECC görbék: 
  •   P-256, a P-384, a P-521 
  Tehát egyértelmű, hogy a hangok megfelelő kiválasztása ECC P-256, P-384 és P-521, míg a görbe Koblitz már kimarad a Top Secret használható, és minden biztonsági szempontból érzékeny protokoll (IPSec, OpenPGP, ZRTP, Kerberos, SSL / TLS). 
  Miért csináltam ezt az elemzést? 
  Én megtettem ezt az elemzést követően a vitát én már azon egyes hang titkosító termékek, mind alapuló egyedi és saját protokollokat, amelyek mind a Hellman elliptikus görbe Diffie 571 bit / ECDH 571/571 bites ECDH / Koblitz 571 bit. 
  Minden azokat használja a K-571, hogy a fent leírtak szerint, eltávolították az összes biztonsági szempontból érzékeny környezet és protokollok, és hogy magamnak egy tervező hang titkosítás dolog azt hiszem, hogy a titkosítási választás egyáltalán nem a legjobb választás a biztonság. 
  Valószínűleg ez megtörtént csak marketing célra, mert a K-571 (Koblitz görbe) úgy tűnik, erősebb, mint a P-521 (elliptikus görbe alapján Prime szám).  Ha "több bit" marketing fiúk azt állítják, hogy "biztonságosabb".  Koblitz elliptikus görbe gyorsabb, mint a titkos engedélyezett elsődleges elliptikus görbe és így adja a termék menedzsere egy esélyt, hogy a "több bit" benne a saját termék, miközben a kulcs csere gyors. 
  Ez a kérdés a filozófiai választás. 
  Én inkább követi a trendet a tudományos közösség az alázat az nem, hogy figyelembe véve magam kriptográfiai szakértő, knowledgable több, mint a teljes biztonság és a tudományos közösség is. 
  Inkább ehelyett csak algoritmusok használatra engedélyezett az igen érzékeny környezetben (titkos osztályozás), hogy a már kiválasztott valamennyi hatóság és a munkacsoport elemzése titkosítási algoritmusok jelenlegi out-ott, és képviselik a választás szinte minden standard biztonsági protokollok (IPSec, OpenPGP, ZRTP, Kerberos, SSL / TLS, stb.). 
  Én inkább számolni az összeg agy dolgozik a crypto én használ, hogy ellenőrizze, hogy tényleg biztos, hogy értékelik, hogy van valami gyengeség. 
  Száma Brais dolgozó Crypto széles körben elterjedt szempontjából nagyságrenddel több, mint ahány agy dolgozik crypto használják csak kevesen (mint Koblitz görbe). 
  Tehát én nem démonizálása, akik ECDH 571 segítségével Koblitz görbe, de az biztos, én is azt állítják, hogy ők nem veszik a legjobb választás a biztonság, és hogy a biztonsági szakemberek csinál egy biztonsági benchmarking tartaná, hogy az elliptikus görbe Diffie Hellman 571 bit történik Koblitz görbe nem széles körben elterjedt, ez dömpingelt standard biztonsági protokollokat, és ez nem hitelesített titkos használatra. 
  Comments (5) Címkék  ,  ,  | Hozzászólások (5) 
  biztonság technológia 
  ESSOR, európai Secure szoftver által meghatározott rádió (SDR) 
  Szeptember 25, 2010 - 21:18 
  Volt egy pillantást az Európai Védelmi Ügynökség honlapján, és megállapította, a ESSOR projekt egy működő finanszírozott projekt a 106mln euró, hogy a stratégiai védelmi kommunikáció alapuló termékek új szoftver által meghatározott rádió megközelítés. 
  SDR megközelítés egy forradalmian új rendszer, amely teljesen megváltoztatja a tudós és az ipar megközelítés bármilyen vezeték nélküli technológia. 
Basically instead of burning hardware chip that implement most of the radio frequency protocols and techniques, they are pushed in “software” to specialized radio hardware that can work on a lot of different frequency, acting as radio interface for a lot of different radio protocols. 
 For example the USRP (Universal Software Radio Peripheral) from Ettus Research that cost 1000-2000USD fully loaded, trough the opensource GnuRadio framework, have seen opensource implementation of: 
 And a lot more protocols and transmission technologies. 
 That kind of new approach to Radio Transmission System is destinated to change the way radio system are implemented, giving new capability such as to upgrade the “radio protocol itself” in software in order to provide “radio protocol” improvements. 
 In the short terms we have also seen very strong security research using SDR technologies such as the GSM cracking and the Bluetooth Sniffing . 
 We can expect that other technologies, weak by design but protected by the restriction to hardware devices to hack the low level protocols, will be soon get hacked. In the first list i would really like to see the hacking of TETRA, a technology born with closed mindset and secret encryption algorithms, something i really dislike ;-) 
 Tags  ,  | Comment (0) 
  üzleti menedzsment 
  A termék és szervezés 
 12 September 2010 – 8:52 pm 
 I had to better understand the concepts, roles and duties related to Product management and Product marketing management in software companies, why are needed, which are the differences and how they fit inside an organization structure. 
  A legtöbb ember, akit ismerek nem érdekel, ezen a speciális területen a munka, de ha azt akarjuk, hogy a termék társaság (és nem a tanácsadó vagy oldat társaság), elkezd, különböző termékek különböző platformokon különböző megcélzott ügyfeleknek eladott különböző csatornákon keresztül, különböző árképzés a telepítés / más szállítási folyamat és az összetettséget kell kezelni, a megfelelő módon. 
  Rájössz, hogy annak érdekében, hogy hagyja, hogy a termék vállalat növekedését a helyes irányba, meg kell szervezni a termék menedzsment tevékenységek formálisan, nem zár a fejedben merev szervezeti szerepeket, mint a marketing, értékesítés, a K + F. 
 When we speak about Product Management i recommend the reading of the illuminating The strategic role of Product Management (How a market-driven focus leads companies to build products people want to buy) that clarify a lot of things, even if it outlook net separation of roles in product management, something t hat’s too heavy for a small company like a startup . 
 Still it provide a differentiation of duties between Product Management and Product Marketing . 
  Egy jó megértése a termékmenedzsment kapcsolódó üzembe i s mivel a cikk készítése Product Management Startup felbukkan különböző eljárás tárgya az a szerepe a termék látnok a cég. 
 It introduce the terms ceo of the product in the sense that the product management duties jump around into the various organization function by providing focus and effort where it's needed, independently from the fact that the internal function requiring more effort is Development, Marketing, Sales or Communication.  Ez azt jelenti, hogy gyakorlatilag fokozza a termék látomás, mert szükség van rá az összes fő termék összefüggő funkciók, hogy a látás vállalati szintű koherens. 
 A good representation of product management and product marketing activities is well described with the differentiation of between Strategical, Technical and Marketing sector and is not clearly separated between Management, Marketing(and Sales) and R&D : 
Triad.jpg
  Azt olvastam, hogy a termék manager háttér és tudás különböző attól függően, hogy a társaság középpontjában ( hol termék kezelése tartozik a szervezet? ): 
  •  B2C -> Marketing experience 
  •   B2B -> Technikai tapasztalat 
 An illuminating (for me) and very important differentiation regarding product management duties is the differentiation between: 
  •   Product Management 
  •  Product Marketing 
 The specific duties belonging to Product Marketing vs Management are greatly explained in Role Definitions For Product Management and Product Marketing that i suggest to read, letting you to better define tasks and responsibilities across your organization. It also provide a good definition of job requirements if you need to look for that figure! 
  Ugyanakkor fontos, hogy megértsük, mi NEM termékmenedzsment, hatékonyan termék kezelése nem csak jellemző fontossági sorrend . 
  Ugyanakkor fontos, hogy mely szakmai szám maga nem termék menedzser: 
  •  Product manager is not a marketing manager – while product management is usually seen as a marketing discipline, marketers are focused on the marketing plan and are usually not driving the overall product direction.  Ebben az összefüggésben kell ugyanakkor talált termék marketing menedzser, hogy ez az ága a termék forgalomba hozatalát illetően, különösen a kis szervezet. 
  •  Product manager is not a sales manager – sales manager are about finding out how to sell a product, following which sales methodology, technique and channels and they could drive the company from a market oriented company ( product) to a customer oriented company (solution and consulting) 
  •   A termék menedzser nem egy fejlesztő - A fejlesztők elsősorban a technológia és nem a teljes termék.  Néhány jó termék vezetők korábbi fejlesztők, de nehéz mindkettőt egyszerre.  Van egy természetes feszültség a fejlesztők és a termék vezetők, hogy fenn kell tartani, hogy egy kiegyensúlyozott termék. 
  •  Product manager is not a software manager – the software manager is a functional manager and usually not focused on the product or the customers. 
  •  Product manager is not a project manager – project managers are about how and when, while the product manager is about what.  Projekt menedzserek szorosan együttműködik a termék vezetők a sikeres befejezését különböző fázisok a termék életciklusa. 
  A tipikus termék menedzsment tevékenységek lehetnek extrém szintézis össze az alábbiak szerint: 
  •  Strategy: Planning a product strategy 
  •  Technical: leading product developments 
  •   Marketing: a termék biztosítása és a műszaki tartalom 
  •  Sales: provide pre sales support and work effectively with sales 
 Product management so it's not precisely development, is not precisely marketing, it's not precisely sales, so typically it's difficult to identify “where it should stay” inside the organization structure (it's even difficult to understand that's needed)? 
  A Szilícium-völgy Termékcsalád egy szép betekintést Termék Szervezeti struktúra rámutatva, melyek az előnyöket és kockázatokat, több választás.  Még mindig a házsártos termékmenedzsere azt mondják, hogy nem számít, ha a termék menedzser él a szervezetben . 
 It's relevant to be careful not to have persons that are too much technical or too much sales oriented in order to fill the gap among different organization.  Túl sok töredezettsége a rábízott feladatokat az egész szervezetet vezethet bürokrácia, túl sok adója egy személy vezethet hatékony végrehajtásához szükséges feladatok egyes területen, és egy belső verseny felfogás tekintetében a hagyományos szerepeket. 
  Ellenőrizze, van egy nagyon szép Folytatás a szakmai gyakorlati tapasztalattal rendelkezik a termék kezelése (ez egy félig techie / félig marketing fiúk). 
 Ah!  Egy másik nagyon gyakori félreértés, hogy megzavarja marketing kommunikáció, ahol ai találtam egy olyan jó meghatározását marketing, hogy én nagyon szeretem, és értem szigorú kapcsolat Product Management: 
  Marketing tudják a piac olyan jól, hogy a termék eladja magát 
  De mi történik, ha nem kezelik a termékmenedzsment és termék marketing menedzsment folyamat egy meghatározott módon? 
 A nice story is shown as example in The strategic role of Product Management : 
 Your founder, a brilliant technician, started the company years ago when he quit his day job to market his idea full time. He created a product that he just knew other people needed. And he was right.  Hamarosan ő szállított elég a termék és bérelt a legjobb barátnője a VP értékesítési.  És a cég nőtt. But before long, the VP of Sales complained, “We're an engineering-led company.  Meg kell, hogy legyen az ügyfél-központú. "És ez hangzott jól.  Kivéve ... minden új szerződést úgy tűnt, hogy szükség bérmunka.  Ön aláírt egy tucat ügyfelek tucatnyi piaci szegmensben, és a legújabb fogyasztó hangja mindig uralta a termék terveket.  Azt állapította meg, hogy "ügyfélközpontú" jelentett "hajtja a legújabb ügyfél", és hogy nem lehet igaz. 
  Ha azt szeretné, hogy a termék valóban megfelel társaság pontosan követi a stratégia által vezérelt termék marketing és menedzsment, nem pedig az értékesítés. 
 Confusion between duties of product management/marketing and sales could lead to unsuccessful product company that are not able to proceed within their strategy, simply because they getting opportunities that drive the business out-of-scope. 
  A termék társaságnak kell befektetni, saját termékek fejlesztése és értékesítése, azért hogy az értékesítési tevékenység koncentrált maradni, és garantálja, hogy a szervezet minden nap hatékonyabb a piacon. 
  Ezután olvasás, a megértés, hogy ez fontos, hogy meghatározza azt, hogy hozzon létre egy sor rugalmas üzleti folyamat, hogy hogyan kell kezelni a különböző termék menedzsment és marketing feladatok termék elválasztja őket az értékesítésből. 
 Tags  ,  ,  | Comment (0) 
 interception Privacy security 
  Távolról elfogó snom VoIP telefonok 
 10 September 2010 – 11:08 am 
 I suggest reading remotely tapping VoIp phones ” on VoIP Security Alliance Blog by Shawn Merdinger . 
 A concrete example on how current telephony infrastructure are getting more vulnerable to cyber attacks. 
 Tags  ,  ,  | Comment (0) 
 interception Privacy security technology 
  Hang kommunikáció biztonságát műhely 
 26 August 2010 – 12:04 pm 
  Szia, 
 i made a talk about voice communication security technologies at University of Trento following an interesting information exchange with Crypto Lab managed Professor Massimiliano Sala . 
 I suggest interested people to read it, especially the second part, as there is an innovative categorization of the various voice encryption technologies that get used in several sectors. 
 I tried to explain and get out from this widely fragmented technological sector by providing a wide overview on technologies that usually are absolutely unrelated one-each-other but practically they all apply to voice encryption following that categorization: 
  •  Mobile TLC Industry voice encryption standards 
  •  Government and Military voice encryption standards 
  •  Public safety voice encryption standards 
  •  IETF voice encryption standards 
  •  Misc proprietary voice encryption technologies 
 It's a huge slideware, 122 slides, i suggest to go reading the 2nd part skipping interception technologies overview already covered by my presentation of 2009. 
 Voice communication security 

  Részletek bemutatók származó Fabio Pietrosanti . 
 Especially i like the concept of Chocolate grade encryption that want to provide some innovation on the Snake Oil Encryption concept. 
 But i need to get more in depth about the Chocolate grade encryption context, will probably do before end-of-year by providing an applied course on understanding and evaluating practically the real security context of various voice encryption technologies. 
 Tags  ,  ,  ,  | Comment (0) 
 Kudos security technology 
  27C3 - CCC Congress CFP: We come in peace 
 15 August 2010 – 8:39 am 
 We come in peace 
189322778_8cb9af1365_m.jpg
 We come in peace, said the conquerers of the New World. 
 We come in peace, says the government, when it comes to colonise, regulate, and militarise the new digital world. 
 We come in peace, say the nation-state sized companies that have set out to monetise the net and chain the users to their shiny new devices. 
 We come in peace, we say as hackers, geeks and nerds, when we set out towards the real world and try to change it, because it has intruded into our natural habitat, the cyberspace… 
Call for paper for participation to 27C3 CCC congress is open, and i never saw a so exciting payoff :-) 
 See you on 30 December 2010 in Berlin! 
 Tags  | Comment (0) 
 intelligence interception Privacy security technology 
  GSM repedés penetrációs vizsgálati módszerek (OSSTMM)? 
 23 July 2010 – 8:16 am 
 As most of this blog reader already know, in past years there was a lot of activities related to public research for GSM auditing and cracking. 
 However when there was huge media coverage to GSM cracking research results, the tools to make the cracking was really early stage and still very inefficient. 
 Now Frank Stevenson , norwegian cryptanalyst that already broke the Content Scrambling System of DVD video disc, participating to the A51 cracking project started by Karsten Nohl , released Kraken , a new improved version of the A51 cracking system. 
 It's interesting to notice that WiFi cracking had a similar story, as the first WiFi wep cracking discovery was quite slow in earlier techniques but later Korek, an hacker working on cracking code, improve the attack system drammatically. 
 That's the story of security research cooperation, you start a research, someone follow it and improve it, some other follow it and improved it and at the end you get the result. 
 Read more on the Kraken GSM Cracking software release . 
 And stay tuned as next week at Blackhat Conference Karsten Nohl will explain the details of the required hardware setup and detailed instructions on how to do it :-) 
 I would really like to see those tools incorporated into Penetration Testing Linux Distribution BackTrack with OSSTMM methodology enforcing the testing of GSM interception and man in the middle :-) 
 If things proceed that way and Ettus Research (The producer of USRP2 software radio used for low cost GSM signal receiving) will not be taken down, we can still see this. 
 Tags  ,  ,  ,  | Comments (3) 

			 üzleti menedzsment Adatvédelmi biztonsági technológia 
 Snake-oil security claims on crypto security product 
  19 július 2010 - 21:33 
 Security market grow, more companies goes to the market, but how many of them are taking seriously what they do? 
  Tudod, ezzel biztonsági technológiát jelenti azt, hogy személyesen felelős a védelmét a felhasználó adatait. You must make them aware of what they need, exactly what your are doing and which kind of threat model your product protect. 
  Tipikus probléma az a termék biztonsági jellemzőit képviseli képtelen a felhasználó számára, hogy értékelje a biztonsági igényeinek a termék maga. 
  Tehát van egy csomó cég csinál egy nem túl etikus marketing biztonsági funkciók, tények alapján, hogy nem a felhasználó képes lesz értékelni azt. 
 The previously explained situation reside in the security topic of Snake Oil Encryption , an evolution in the scientific cryptographic environment that let us today use best of breed information protection technologies without having to worry too much about backdoors or insecurities. 
 Let's speak about Snake Oil Encryption 
  Snake Oil rejtjelezés : A kriptográfia , kígyó olaj egy kifejezés írja le a kereskedelmi kriptográfiai módszereket és termékeket minősülő hamis vagy csalárd.  Megkülönböztető biztonságos kriptográfia nem biztonságos kriptográfiai nehéz szemszögéből a felhasználó.  Sok kriptográfusok, mint például Bruce Schneier és Phil Zimmermann , vállalják, hogy a nyilvánosságnak az, hogy mennyire biztonságos kriptográfia történik, valamint kiemeli a félrevezető marketing egyes kriptográfiai termékek. 
 The most referenced crypto security guru, Philip Zimmermann and Bruce Schneier, was the 1st to talk about Snake Oil Encryption: 
 Snake Oil by Philip Zimmermann 
  Snake Oil Bruce Schneier 
  A Michigan Távközlési és Technológiai Law Review szintén egy nagyon jó elemzés kapcsolatos biztonsági jellemzői Security Products, kígyó OIL biztonsági igényeinek "rendszeres hamis TERMÉK BIZTONSÁGI . Ezek magyarázzák a csúnya marketing trükk használt csípés felhasználók képtelenek értékelni az biztonsági funkciókat, beleértve a gazdasági és jogi felelősséget vonzata. 
  Very famous is the sentence of Russ Nelson : Több kígyó olaj biztonsági termék cégek nem ad magyarázatot, és nem egyértelmű, a fenyegető modellt, amely a termék alkalmazandó. Nagyon híres a mondata Russ Nelson : 
 “Remember, crypto without a threat model is like cookies without milk.  ... .. Titkosítás nélkül veszélyt modell olyan, mint az anyaság nélkül almás pite.  Nem lehet azt mondani, hogy elég idő.  Általánosabban, biztonság nélkül fenyegetést modell definíció szerint nem megy. " 
  Szóval, hogyan lehet észrevenni kígyó olaj biztonsági termékek? 
 Check a guideline of to spot Snake Oil Encryption Products: Snake Oil Warning Signs, Encryption Software to Avoid by Matt Curtin . 
  Láthatjuk ezt a nagyon jó kriptográfiai Snake Oil példák által Emility Ratliff (IBM Linux Security Architect at), amely megpróbálta egyértelművé tenni, például hogyan helyszíni kriptográfiai Snake Oil. 
 Here represented the basic guideline from Matt Curtin paper: 
 
  Ellenőrizze, hogy rámutat, hogy lehetséges, hogy értékelje, milyen komoly a titkosítási technológia vagy termék. 
  De összességében hogyan kell rögzíteni, hogy az etikátlan biztonsági megközelítést? 
 
 It's very significative and it would be really useful for each kind of security product category to make some strongly and independent evaluation guideline (like OSSTMM for Penetration testing) , to make this security evaluation process really in the hands of the user. 
 It would be also very nice to have someone making analysis and evaluation of security product companies, publishing reports about Snake Oil signs. 
 Tags  ,  ,  ,  ,  ,  ,  | Comments (3) 
 intelligence Privacy security technology 
  Web2.0 magánélet szivárgás a mobil alkalmazások 
 17 July 2010 – 9:02 am 
  Tudod, hogy web2.0 világban rengeteg szivárgás bármilyen (profilalkotás profilalkotás profil) kapcsolatos adatvédelmi és felhasználói kezd , hogy az érintett róla. 
  A felhasználók folyamatosan letölthető alkalmazásokat látatlanban, hogy mit csinálnak, például iFart csak azért, mert a hűvös, szórakoztató és néha hasznos. 
  A mobiltelefon felhasználók telepíteni 1000% akár 10.000% több alkalmazás, mint a PC-n, és az alkalmazások is tartalmazhatnak kártékony vagy más váratlan funkciókkal. 
  Legutóbb infobyte elemezte UberTwitter kliens és felfedezte, hogy az ügyfél és a küldő szivárog a szerverre sok személyes és érzékeny adatokat, mint például: 
 - Blackberry PIN 
 - Phone Number 
  - E-mail cím 
 - Geographic positioning information 
  Olvassa el UbertTwitter "spyware" funkciók felfedezése itt a infoByte . 
 It's plenty of applications leaking private and sensitive information but just nobody have a look at it. 
 Should mandatory data retention and privacy policies became part of application development and submission guideline for mobile application? 
  IMHO a felhasználóknak nem csak figyelmeztetni a alkalmazási lehetőségek és API-használat, de mit fog csinálni, milyen fajta információkat fog kezelni belül a mobiltelefon. 
  Képességek jelenti engedélyezéséről az alkalmazást egy bizonyos funkciókat, például használható térinformatikai API, de mi az alkalmazás fog tenni, és aki ezeket az információkat, ha a felhasználó által engedélyezett ez? 
 That's a security profiling level that mobile phone manufacturer does not provide and they should, because it focus on the information and not on the application authorization/permission respect to the usage of device capabilities. 
  ps igen! ok!  Egyetértek! This kind of post would require 3-4 pages long discussion as the topic is hot and quite articulated but it's saturday morning and i gotta go! 
 Tags  ,  ,  ,  | Comment (0) 
 Privacy security technology 
 AES algorithm selected for use in space 
 8 July 2010 – 12:37 pm 
 I encountered a nice paper regarding analysis and consideration on which encryption algorithm it's best suited for use in the space by space ship and equipments. 
 The paper has been done by the Consultative Committee for Space Data Systems that's a consortium of all space agency around that cumulatively handled more than 400 mission to space . 
topban.jpg
 Read the paper Encryption Algorithm Trade Survey as it gives interesting consideration and comparison between different encryption algorithms. 
 Obviously the finally selected algorithm is AES , while KASUMI (used in UMTS networks) was avoided. 
 Tags  ,  | Comment (0) 
 business intelligence interception Privacy security technology 
 Blackberry Security and Encryption: Devil or Angel? 
 7 July 2010 – 10:39 pm 
 Blackberry have good and bad reputation regarding his security capability, depending from which angle you look at it. 
 This post it's a summarized set of information to let the reader the get picture, without taking much a position as RIM and Blackberry can be considered, depending on the point of view, an extremely secure platform or an extremely dangerous one . 
 bblock.jpg 
 Let's goes on. 
On one side Blackberry it's a platform plenty of encryption features, security features everywhere, device encrypted (with custom crypto), communication encrypted (with custom proprietary protocols such as IPPP), very good Advanced Security Settings, Encryption framework from Certicom ( now owned by RIM ). 
 On the other side they does not provide only a device but an overlay access network, called BIS ( Blackberry Internet Service ), that's a global worldwide wide area network where your blackberry enter while you browse or checkmail using blackberry.net AP. 
 When you, or an application, use the blackberry.net APN you are not just connecting to the internet with the carrier internet connection, but you are entering inside the RIM network that will proxy and act as a gateway to reach the internet. 
 The very same happen when you have a corporate use: Both the BB device and the corporate BES connect to the RIM network that act as a sort of vpn concentration network . 
 So basically all the communications cross trough RIM service infrastructure in encrypted format with a set proprietary encryption and communication protocols. 
 Just as a notice, think that google to provide gtalk over blackberry.net APN, made an agreement in order to offer service inside the BB network to the BB users. When you install gtalk you get added 3 service books that point to GTALKNA01 that's the name of GTALK gateway inside the RIM network to allow intra-BIS communication and act as a GTALK gateway to the internet. 
 The mobile operators usually are not even allowed to inspect the traffic between the Blackberry device and the Blackberry Network. 
 So RIM and Blackberry are somehow unique for their approach as they provide a platform, a network and a service all bundled together and you cannot just “get the device and the software” but the user and the corporate are always bound and connected to the service network. 
 That's good and that's bad, because it means that RIM provide extremely good security features and capabilities to protect information, device and access to information at various level against third party . 
 But it's always difficult to estimate the threat and risk related to RIM itself and who could make political pressure against RIM. 
 Please consider that i am not saying “RIM is looking at your data” but making an objective risk analysis: for how the platform is done RIM have authority on the device, on the information on-the-device and on the information that cross the network. (Read my Mobile Security Slides ). 
 For example let's consider the very same context for Nokia phones. 
 Once the Nokia device is sold, Nokia does not have authority on the device, nor on the information on-the-device nor on the information that cross the network. But it's also true that Nokia just provide the device and does not provide the value added services such as the Enterprise integration (The RIM VPN tunnel), the BIS access network and all the local and remote security provisioned features that Blackberry provide. 
 So it's a matter of considering the risk context in the proper way when choosing the platform, with an example very similar to choosing Microsoft Exchange Server (on your own service) or whether getting a SaaS service like Google Apps. 
 In both case you need to trust the provider, but in first example you need to trust Microsoft that does not put a backdoor on the software while in the 2nd example you need to trust Google, as a platform and service provider, that does not access your information. 
 So it's a different paradigm to be evaluated depending on your threat model. 
 If your threat model let you consider RIM as a trusted third party service provider (much like google) than it's ok. If you have a very high risk context, like top-secret one, then let's consider and evaluate carefully whether it's not better to keep the Blackberry services fully isolated from the device or use another system without interaction with manufacturer servers and services. 
 Now, let's get back to some research and some facts about blackberry and blackberry security itself. 
 First of all several governments had to deal with RIM in order to force them to provide access to the information that cross their service networks while other decided to directly ban Blackberry usage for high officials because of servers located in UK and USA, while other decided to install their own backdoors. 
 There's a lot of discussion when the topics are RIM Blackberry and Governments for various reasons. 
 Below a set of official Security related information on RIM blackberry platform: 
 And here a set of unofficial Security and Hacking related information on RIM Blackberry platform: 
 Because it's 23.32 (GMT+1), i am tired, i think that this post will end up here. 
 I hope to have provided the reader a set of useful information and consideration to go more in depth in analyzing and considering the overall blackberry security (in the good and in the bad, it always depends on your threat model!). 
  Egészségére 
 Fabio Pietrosanti (naif) 
 ps i am managing security technology development (voice encryption tech) on Blackberry platform, and i can tell you that from the development point of view it's absolutely better than Nokia in terms of compatibility and speed of development, but use only RIMOS 5.0+ ! 
 Tags  ,  ,  ,  ,  | Comments (3) 
 Kudos security 
 Celebrating “Hackers” after 25 years 
 1 July 2010 – 8:25 am 
 A cult book , ever green since 25 years. 
201007010924.jpg
 It's been 25 years since “Hackers” was published. Author Steven Levy reflects on the book and the movement. 
http://radar.oreilly.com/2010/06/hackers-at-25.html 
 Steven Levy wrote a book in the mid-1980s that introduced the term "hacker" -- the positive connotation -- to a wide audience. In the ensuing 25 years, that word and its accompanying community have gone through tremendous change. The book itself became a mainstay in tech libraries. 
 O'Reilly recently released an updated 25th anniversary edition of "Hackers," so I checked in with Levy to discuss the book's development, its influence, and the role hackers continue to play.

 Tags  | Comment (0) 
 Privacy security technology 
 Botnet for RSA cracking? 
 30 June 2010 – 2:29 pm 
 I read an interesting article about putting 1.000.000 computers, given the chance for a serious botnet owner to get it, to crack RSA. 
 The result is that in such context attacking an RSA 1024bit key would take only 28 years, compared to theoretical 19 billion of years. 
 Reading of this article , is extremely interesting because it gives our very important consideration on the cryptography strength respect to the computation power required to carry on cracking attempt, along with industry approach to “default security level”. 
 I would say a must read . 
 Tags  ,  | Comment (0) 
 technology 
 Patent rights and opensource: can they co-exist? 
 27 June 2010 – 12:11 pm 
 How many of you had to deal with patented technologies? 
 How many of the patented technologies you dealed with was also “secrets” in their implementation? 
 Well, there's a set of technologies whose implementation is open source ( copyright) but that are patented ( intellectual property right) . 
 A very nice paper about the topic opensource & patents that i suggest to read is from Fenwick & West and can be downloaded here (pdf) . 
 Comment (0) 
 business cyberwarfare intelligence Privacy security technology 
 China Encryption Regulations 
 16 June 2010 – 1:11 pm 
 Hi all, 
 i found this very interesting paper on China Encryption Import/Export/Domestic Regulations done by Baker&Mckenzie in the US. 
 It's strongly business and regulatory oriented giving a very well done view on how china regulations works and how it may behave in future. 
 Read here Decrypting China Encryption's Regulations (form Bakernet website) . 
 Tags  ,  ,  ,  ,  | Comment (0) 
 security 
 IOScat – a Port of Netcat to Cisco IOS 
 13 June 2010 – 3:25 pm 
A porting of famous netcat to Cisco IOS router operating system: IOSCat 
 The only main limit is that it does not support UDP, but that's a very cool tool! 
 A very good txt to read is Netcat hacker Manual . 
 Tags  | Comment (0) 
 cyberwarfare intelligence interception security 
 The (old) Crypto AG case and some thinking about it 
 7 June 2010 – 6:40 pm 
 In the '90, closed source and proprietary cryptography was ruling the world. 
 That's before open source and scientifically approved encrypted technologies went out as a best practice to do crypto stuff. 
 I would like to remind when, in 1992, USA along with Israel was, together with switzerland, providing backdoored (proprietary and secret) technologies to Iranian government to tap their communications, cheating them to think that the used solution was secure , making also some consideration on this today in 2010. 
caq63crypto.t.jpg
 That's called The Crypto AG case , an historical fact involving the United States National Security Agency along with Signal Intelligence Division of Israel Ministry of Defense that are strongly suspected to had made an agreement with the Swiss cryptography producer company Crypto AG . 
 Basically those entities placed a backdoor in the secure crypto equipment that they provided to Iran to intercept Iranian communications. 
 Their crypto was based on secret and proprietary encryption algorithms developed by Crypto AG and eventually customized for Iranian government. 
 You can read some other facts about Crypto AG backdoor related issues: 
 The demise of global telecommunication security 
 The NSA-Crypto AG sting 
 Breaking codes: an impossible task? By BBC 
 Der Spiegel Crypto AG (german) article 
 Now, in 2010, we all know and understand that secret and proprietary crypto does not work. 
 Just some reference by top worldwide cryptographic experts below: 
 Secrecy, Security, Obscurity by Bruce Schneier 
 Just say No to Proprietary cryptographic Algorithms by Network Computing (Mike Fratto) 
 Security Through Obscurity by Ceria Purdue University 
 Unlocking the Secrets of Crypto: Cryptography, Encryption and Cryptology explained by Symantec 
 Time change the way things are approached. 
 I like very much the famous Philip Zimmermann assertion: 
 “Cryptography used to be an obscure science, of little relevance to everyday life. Historically, it always had a special role in military and diplomatic communications. But in the Information Age, cryptography is about political power, and in particular, about the power relationship between a government and its people. It is about the right to privacy, freedom of speech, freedom of political association, freedom of the press, freedom from unreasonable search and seizure, freedom to be left alone.” 
 Any scientist today accept and approve the Kerckhoffs' Principle that in 1883 in the Cryptographie Militaire paper stated: 
 The security of a cryptosystem should not depend on keeping the algorithm secret, but only on keeping the numeric key secret. 
 
 It's absolutely clear that the best practice for doing cryptography today obbly any serious person to do open cryptography, subject to public review and that follow the Kerckhoff principle. 
 So, what we should think about closed source, proprietary cryptography that's based on security trough obscurity concepts? 
 I was EXTREMELY astonished when TODAY, in 2010, in the age of information society i read some paper on Crypto AG website. 
 I invite all to read the Crypto AG security paper called Sophisticated Security Architecture designed by Crypto AG of which you can get a significant excerpt below: 
 The design of this architecture allows Crypto AG to provide a secret proprietary algorithm that can be specified for each customer to assure the perfect degree of cryptographic security and optimum support for the customer's security policy. In turn, the Security Architecture gives you the influence you need to be fully independent in respect of your encryption solution. You can determine all areas that are covered by cryptography and verify how the algorithm works. The original secret proprietary algorithm of Crypto AG is the foundation of the Security Architecture . 
 I have to say that their architecture is absolutely good from TLC point of view. Also they have done a very good job in making the design of the overall architecture in order to make a tamper-proof resistant crypto system by using dedicated crypto processor . 
 However there is still something missing: 
 T he overall cryptographic concept is misleading, based on wrong encryption concepts . 
 You may think that i am a troll telling this, but given the history of Crypto AG and given the fact that all the scientific and security community does not approve security trough obscurity concepts , it would legitimate to ask ourself: 
 Why they are still doing security trough obscurity cryptography with secret and proprietary algorithms ? 


 Hey, i think that they have very depth knowledge on telecommunication and security, but given that the science tell us not to follow the secrecy of algorithms, i really have serious doubt on why they are still providing proprietary encryption and does not move to standard solutions (eventually with some kind of custom enhancement). 
 
 Tags  ,  ,  ,  | Comment (0) 
 cyberwarfare intelligence security 
 Missiles against cyber attacks? 
 7 June 2010 – 5:40 pm 
 The cyber conflicts are really reaching a point where war and cyberwar merge together. 
 NATO countries have the right to use the force against attacks on computer networks . 
 Tags  ,  | Comment (0) 
 business interception Privacy security technology 
 Mobile Security talk at WHYMCA conference 
 2 June 2010 – 7:56 pm 
 I want to share some slides i used to talk about mobile security at whymca mobile conference in Milan. 
 Read here my slides on mobile security . 
 The slides provide a wide an in-depth overview of mobile security related matters, i should be doing some slidecast about it putting also audio. Maybe will do, maybe not, it depends on time that's always a insufficient resource. 
 Tags  ,  ,  ,  ,  ,  ,  | Comment (0) 
 Privacy security technology 
 iPhone PIN: useless encryption 
 1 June 2010 – 2:53 pm 
 I recently switched one of my multiple mobile phones with which i go around to iPhone. 
 I am particularly concerned about data protection in case of theft and so started having a look around about the iPhone provided protection system. 
 There is an interesting set of iPhone Business Security Features that make me think that iPhone is moving in the right path for security protection of the phone, but still a lot of things has to be done, especially for serious Enterprise and Government users. 
201006011551.jpg
 For example it turned out that the iPhone PIN protection is useless and it can be broken just plugging the iPhone to a Linux machine and accessing the device like a USB stick. 
 That's something disturbing my paranoid mindset that make me think not to use sensitive data on my iPhone if i cannot protect my data. 
 Probably an iPhone independent disk encryption product would be very useful in order to let the market create protection schemas that fit the different risk contexts that different users may have. 
 Probably a general consumer is not worried about this PIN vulnerability but for me, working within highly confidential envirnonment such as intelligence, finance and military, it's something that i cannot accept. 
 I need strong disk encryption on my mobile phone. 
 I do strong voice encryption for it , but it would be really nice to have also something to protect the whole iPhone data and not just phone calls. 
 Tags  ,  ,  ,  ,  | Comment (0) 
 security Uncategorized 
 Who extract Oil in Iran? Business and UN sanction together 
 1 June 2010 – 9:21 am 
 I like geopolitic and i am following carefully iran issues. 
 I went to National Iranian Oil Company website and have seen “ Exploration & Production ” section where are listed all the companies and their country of origin that are allowed to make Exploration of oil in Iran. 
 On that list we find the list of countries along with the data of signing of exploration agreement: 
  •  Norway/Russia (2000) 
  •  Australia/Spain/Chile (2001) 
  •  India (2002) 
  •  China (2001) 
  •  Brazil (2004) 
  •  Spain (2004) 
  •  Thailand (2005) 
  •  China x 2 (2005) 
  •  Norway (2006) 
  •  Italy (2008) 
  •  Vietnam (2008) 
 Those countries's oil companies are allowed to do oil extraction in Iran and i would like to point out that Iran is the 2nd world Oil Reserve just after Saudi Arabia. 
 As you can see there's NO USA company doing extraction. 
 Of European Countries the only one doing business with IRAN are: 
 IRAN Norway Relationship 
 IRAN ITALY Relationship 
 IRAN SPAIN Relationship 
 While of the well known non-US-simpatizing countries, the one doing Oil business with Iran are: 
 IRAN RUSSIA Relationship 
 IRAN BRAZIL Relationship 
 IRAN China Relationship 
 Don't missing some Asian involvement. 
 IRAN India Relationship 
 IRAN Vietnam Relationship 
 As you can see Iran is doing Oil business with most big south America and Far Asia countries, with some little exception in Europe for what apply to Norway, Italy and Spain. 
 To me it sounds that those European countries are going to face serious trouble whether they will accept and subscribe UN sanction against Iran. 
 Or some of them, like Italy, are protected by the strenghtening cooperation they are doing with Russia on Energy matters? 
 Well, i don't know how things will end up, but it's possible the most hypocrit countries like the European ones doing business in Iran while applying Sanctions will be the only European winning in the international competition for Iran Oil (Unless France did not drop a nuclear bomb on theran ;) ). 
 Tags  ,  | Comment (0) 
 Kudos Privacy security technology 
 Exploit code against SecurStar DriveCrypt published 
 25 May 2010 – 5:00 pm 
 It seems that the hacking community somehow like to target securstar products, maybe because hacking community doesn't like the often revealed unethical approach already previously described in this blog by articles and user's comments. 
In 2004 a lot of accusation against Hafner of SecurStar went out because of alleged intellectual property theft regarding opensource codes such as Encryption 4 the masses and legal advert also against the Free and opensource TrueCrypt project . 
 In 2008 there was a pre-boot authentication hacking against DriveCrypt Plus posted on Full-Disclosure. 
 Early 2010 it was the time of the fake infosecurity research secretly sponsored by securstar at http://infosecurityguard.com (that now they tried to remove from the web because of embarrassing situation, but backup of the story are available, hacking community still wait for apologies) . 
 Now, mid 2010, following a research published in December 2009 about Disk Encryption software vulnerabilities made by Neil Kettle (mu-b), Security researcher at digit-labs and Penetration tester at Convergent Network Solutions , DriveCrypt was found to be vulnerable and exploitable breaking on-device security of the system and exploit code has been just released. 
 Exploit code reported below (thanks Neil for the code release!): 
  •  Arbitrary kernel code execution security exploit of DriveCrypt: drivecrypt-dcr.c 
  •  Arbitrary file reading/writing security exploit via unchecked user-definable parameters to ZxCreateFile/ReadFile/ WriteFile: drivecrypt-fopen.c 
 The exploit code has been tested against DriveCrypt 5.3, currently released DriveCrypt 5.4 is reported to be vulnerable too as it has just minor changes related to win7 compatibility. Can anyone make a double check and report a comment here? 
 Very good job Neil! 
 In the meantime the Free Truecrypt is probably the preferred choice for disk encryption, given the fact that it's difficult to trust DriveCrypt, PGP has been acquired by Symantec and there are very bad rumors about the trust that people have in Symantec and there are not many widely available alternatives. 
 Rumors say that also PhoneCrypt binaries are getting analyzed and the proprietary encryption system could reveal something fun… 
 Tags  ,  ,  ,  | Comment (0) 
  lehallgatás Adatvédelmi biztonsági technológia 
 Quantum cryptography broken 
 20 May 2010 – 8:15 pm 
 Quantum cryptography it's something very challenging, encryption methods that leverage the law of phisycs to secure communications over fiber lines. 
 To oversimplify the system is based on the fact that if someone cut the fiber, put a tap in the middle, and joint together the other side of the fiber, the amount of “errors” that will be on the communications path will be higher than 20% . 
 So if QBER (Quantum Bit Error Rate) goes above 20% then it's assumed that the system is intercepted. 
 Researcher at university of toronto was able to cheat the system with a staying below the 20%, at 19.7% , thus tweaking the threshold used by the system to consider the communication channel secure vs compromised. 
 The product found vulnerable is called Cerberis Layer2 and produced by the Swiss ID Quantique . 
 Some possibile approach to detect the attack has been provided but probably, imho, such kind of systems does not have to be considered 100% reliable until the technology will be mature enough. 
 Traditional encryption has to be used together till several years, eventually bundled with quantum encryption whether applicable. 
 When we will see a quantum encryption systems on an RFC like we have seen for ZRTP , PGP and SSL ? 
 -naif 
 Tags  ,  ,  | Comment (0) 
  biztonság 
 FUN! Infosecurity consideration on some well known films 
 18 May 2010 – 8:48 pm 
Please read it carefully Film that needed better infosec . 
 One the the review, imho the most fun one on film Star Wars : 
 The scene 
 Death star getting blown up 
 Infosec Analysis 
 Darth Vader must be heralded as the prime example of a chief executive who really didn't care about information security. The entire board was unapproachable and clearly no system testing was undertaken. The network security was so poor that it was hacked into and the designs for the death star were stolen without anyone knowing. 
 Even worse than that, the death star had a major design flaw where by dropping a bomb thingy into a big hole on the outside, it actually blew up the entire thing! 
 Darth Vader needed to employ a good Security Consultant to sit on the executive board and promise not to force choke him. Should have commissioned a full risk assessment of the death star followed by a full penetration test. Only then should the death star have been released into the production environment. 
 Comment (0) 
 Privacy security technology 
 great point of view 
 20 April 2010 – 6:50 pm 
 Because security of a cryptographic system it's not a matter of “how many bits do i use” but using the right approach to do the right thing to mitigate the defined security risk in the most balanced way. 
 security.png 
 Tags  ,  ,  | Comment (0) 
  Adatvédelmi biztonsági technológia 
 Encryption is not scrambling: be aware of scrambler! 
 20 April 2010 – 5:50 pm 
 Most of us know about voice scrambler that can be used across almost any kind of voice based communication technology. 
 Extremely flexible approach: works everything 
 Extreme performance: very low latency 
 but unfortunately… 
 Extremely weak: Scrambling cannot be considered secure. 
 Only encryption can be considered secure under the Kerckoff's principle . 
 So please don't even consider any kind of analog scrambler if you need real security. 
 Read deeply the paper Implementation of a real-time voice encryption system ” by Markus Brandau, especially the cryptoanalysis paragraph. 
 Tags  ,  ,  ,  ,  | Comment (0) 
 business interception Privacy technology 
 SecurStar GmbH Phonecrypt answers on the Infosecurityguard/Notrax case: absolutely unreasonable!  :-) 
 1 February 2010 – 6:04 pm 
 UPDATE 20.04.2010: http://infosecurityguard.com has been disabled. Notrax identity became known to several guys in the voice security environments (cannot tell, but you can imagine, i was right!) and so our friends decided to trow away the website because of legal responsibility under UK and USA laws. 
 UPDATE: Nice summary of the whole story (i know, it's long and complicated to read at 1st time) on SIPVicious VoIP security blog by Sandro Gauci . 
 Following my discoveries, Mr. Hafner, SecurStar chief exec, tried to ultimately defend their actions, citing absolutely unreasonable excuses to The Reg instead of publicly apologizing for what they have done: creating a fake independent security research to promote their PhoneCrypt product . 
 He tried to convince us that the person behind IP 217.7.213.59, used by the author of infosecurityguard.com and pointing to their office DSL line, was this hacker Notrax, using their anonymous surfing service and not one of their employees at their office: 
 “SecurStar chief exec Wilfried Hafner denied any contact with Notrax. Notrax, he said, must have been using his firm's anonymous browsing service, SurfSolo, to produce the results reported by Pietrosanti” 
 Let's reflect a moment on this sentence… Would really an hacker looking for anonymity spend 64 EUR to buy their anonymity surfing service called surfsolo instead of using the free and much more secure TOR (the onion router) ?Then let's reflect on this other piece of information: 
  •  The IP 217.7.213.59 is SecurStar GmbH's office DSL line 
  •  On 217.7.213.59 they have installed their VoIP/Asterisk PBX and internet gateway 
  •  They promote their anonymous proxy service for “Anonymous p2p use” ( http://www.securstar.com/products_ssolo.php ). Who would let users do p2p from the office dsl line where they have installed their corporate VoIP PBX ? If you do VoIP you can't let third party flood your line w/ p2p traffic, your phone calls would became obviously unreliable (yes, yes, you can do QoS, but you would not place an anonymous navigation proxy on your company office DSL line…). 
  •  Which company providing an anonymous navigation service would ever use their own office IP address? Just think how many times you would have the police knocking at your door and your employees as the prime suspects. (In past i used to run a TOR node, i know the risks…). Also think how many times you would find yourself blacklisted on google as a spyware bot. 
  •  Mr. Hafner also says “We have two million people using this product. Or he may have been an old customer of ours”. 2M users on a DSL line, really? 
  •  I don't use Surfsolo service, however their proxies are probably these ones: 
 surfsolo.securstar.net – 67.225.141.74 
 surfsolo.securstar.com – 69.16.211.133 
 Frankly speaking I can easily understand that Mr. Hafner is going do whatever he can to protect his company from the scandal, but the “anonymous proxy” excuse is at the very least suspicious. 
 How does the fact that the “independent research” was semantically a product review of PhoneCrypt, along with the discovery that the author come from the SecurStar GmbH IP address offices, along with the anonymity of this Notrax guy (SecurStar calls him a “well known it security professional” in their press release..) sound to you? 
 It's possible that earth will get an attack from outer space that's going to destroy our life? 
 Statistically extremely difficult, but yes, possible. More or less like the “anonymous proxy” story told by Mr. Hafner to cover the fact that they are the ones behind the infosecurityguard.com fake “independent security review”. 
 Hey, I don't need anything else to convince myself or to let the smart person have his own thoughts on this. 
 I just think that the best way for SecurStar to get out of this mess would probably be to provide public excuses to the hacking community for abusing the name and reputation of real independent security researches, for the sake of a marketing stunt. 
  Üdvözlettel, 
 Fabio Pietrosanti 
 ps I am currently waiting for some other infos that will more precisely confirm that what Mr. Hafner is saying is not properly true.  Stay tuned. 
 Tags  ,  ,  ,  ,  ,  | Comment (0) 
 business interception Privacy security 
 Evidence that infosecurityguard.com/notrax is SecurStar GmbH Phonecrypt – A fake independent research on voice crypto 
 1 February 2010 – 12:32 am 
 Below evidence that the security review made by an anonymous hacker on http://infosecurityguard.com is in facts a dishonest marketing plan by the SecurStar GmbH to promote their voice crypto product. 
 I already wrote about that voice crypto analysis that appeared to me very suspicious. 
 Now it's confirmed, it's a fake independent hacker security research by SecurStar GmbH, its just a marketing trick! 
 How do we know that Infosecurityguard.com, the fake independent security research, is a marketing trick from SecurStar GmbH? 
 1) I posted on http://infosecurityguard.com a comments to a post with a link to my blog to that article on israelian ministry of defense certification 
 2) The author of http://infosecurityguard.com went to approve the comment and read the link on my own blog http://infosecurity.ch 
 3) Reaching my blog he leaked the IP address from which he was coming 217.7.213.59 (where i just clicked on from wordpress statistic interface) 
 4) On http:// 217.7.213.59/panel there is the IP PBX interface of the SecurStar GmbH corporate PBX (openly reachable trough the internet!) 
 5) The names of the internal PBX confirm 100% that it's the SecurStar GmbH: 
 6) There is 100% evidence that the anonymous hacker of http://infosecurityguard.com is from SecurStar GmbH 
 Below the data and reference that let us discover that it's all but a dishonest marketing tips and not an independent security research. 
 Kudos to Matteo Flora for it's support and for his article in Debunking Infosecurityguard identity ! 
 The http referral tricks 
 When you read a link going from a website to another one there is an HTTP protocol header, the “Referral”, that tell you from which page someone is going to another webpage. 
 The referral demonstrated that the authors of http://infosecurityguard.com read my post, because it was coming from http://infosecurityguard.com/wp-admin/edit-comments.php that's the webpage you use as a wordpress author/editor to approve/refuse comments. And here there was the link. 
 That's the log entry: 
 217.7.213.59 – - [30/Jan/2010:02:56:37 -0700] “GET /20100129/licensed-by-israel-ministry-of-defense-how-things-really-works/ HTTP/1.0″ 200 5795 “ http://infosecurityguard.com/wp-admin/edit-comments.php ” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.3; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)” 
 The PBX open on the internet tell us that's SecurStar GmbH 
 The SecurStar GmbH PBX is open on the internet, it contains all the names of their employee and confirm us that the author of http:/infosecurityguard.com is that company and is the anonymous hacker called Notrax. 
 Here there is their forum post where the SecurStar GmbH guys are debugging IPCOPfirewall & Asterisk together (so we see also details of what they use) where there is the ip 217.7.213.59 . 
 SecurStarproof.png 
 
 
 That's also really fun! 
 They sell secure telephony but their company telephony system is openly vulnerable on the internet .  :-) 
 I was thinking to call the CEO, Hafner, via SIP on his internal desktop PBX to announce we discovered him tricks.. :-> 
 They measured their marketing activity 
 Looking at the logs of my website i found that they was sensing the google distribution of information for the following keywords, in order to understand how effectively they was able to attack competing products. It's reasonable, if you invest money in a marketing campaign you want to see the results :-) 
 They reached my blog and i logged their search: 
 infosecurityguard+cryptophone 
 infosecurityguard+gold-lock 
 217.7.213.59 – - [30/Jan/2010:02:22:42 -0700] “GET / HTTP/1.0″ 200 31057 “http://www.google.de/search?sourceid=navclient&ie=UTF-8&rlz=1T4SKPB_enDE350DE350&q=infosecurityguard+cryptophone” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.3; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)” 
 
 217.7.213.59 – - [30/Jan/2010:04:15:07 -0700] “GET /20100130/about-the-voice-encryption-analysis-phonecrypt-can-be-intercepted-serious-security-evaluation-criteria/ HTTP/1.0″ 200 15774 “http://www.google.de/search?sourceid=navclient&ie=UTF-8&rlz=1T4SKPB_enDE350DE350&q=gold-lock+infosecurityguard” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.3; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)” 
 
 The domain registration data 
 The domain have been registered on 1st December 2009, just two months to start preparing the dishonest marketing campaign: 
 Domain Name: INFOSECURITYGUARD.COM 
 Registrar: GODADDY.COM, INC. 
 Updated Date: 01-dec-2009 
 Creation Date: 01-dec-2009 
 The domain is anonymously privacy protected trough a whois privacy service: 
 Administrative Contact: Private, Registration INFOSECURITYGUARD.COM@domainsbyproxy.com , Domains by Proxy, Inc. DomainsByProxy.com 
 Notrax hacker does not exist on google 
 As you know any hacker that get public usually have presence of it's activity on google, attending mailinglists, forum, homepage, past research, participation to conferences, etc, etc. 
 The fake hacker that they wanted us to to think was writing an independent blog does NOT have any trace on google. Only some hit about an anonymous browser called Notrax but nothing about that hacker. 
 Maybe when SecurStar provided the anonymity tool to their marketing agency, to help them protecting anonymity for the fake research, their provided them the anonymous browser notrax.So the marketing guy thinking about the nickname of this fake hackers used what? Notrax! :-) 
 
 
 The “independent review”completely oriented in publicizing PhoneCrypt 
 Of the various review don the phonecrypt review is only positive and amazing good feedback, while the other are only bad feedback and no single good point. 
 As you can imagine, in any kind of independent product evaluation, for all products there are goods and bad points. No. In this one there are only product that are good and product that are bad. 
 They missed to consider the security of the technology used by the products 
 They completely avoided to speak about cryptography and security of the products. 
 They do not evaluated basic security features that must be in that kind of products.That's in order not to let anyone see that they did not followed basic security rules in building up their PhoneCrypt. 
 The technology is closed source, no transparency on algorithms and protocols, no peer review.Read my new comparison (from the basic cryptographic requirement point of view) About the voice encryption analysis (criteria, errors and different results) . 
 The results are somehow different than their one . 
 UPDATE: Who's Wilfried Hafner (SecurStar founder) ? 
 I got a notice from a reader regarding Wilfred Hafner, SecurStar founder, CEO and security expert. 
 He was arrested in 1997 for telephony related fraud (check 2nd article on Phrack) earning from telephony fraud 254.000 USD causing damages to local telcos trough blueboxing for 1.15 Million USD. 
 He was not doing “Blueboxing” for the pleasure of phreaking and connecting with other hackers, but to earn money. 
 Hacking for profit (and not for fun) in 1997… brrr…. No hacker's ethic at all! 
 All in all, is that lawful? 
 Badmouthing a competitor amounts to an unfair competition practice in most jurisdictions, so it is arguable (to say the least) that SecurStar is right on a legally sound ground here. 
 Moreover, there are some specific statutes in certain jurisdictions which provide for a straightforward ban on the practice we are talking about. For example in the UK the British Institute of Practitioners in Advertising - in compliance with the Consumer protection from Unfair Trading regulation – ruled that: 
 ”falsely claiming or creating the impression that the trader is not acting for the purposes relating to his trade, business, craft or profession, or falsely representing oneself as a consumer” is a criminal offense . 
 We have no doubt that PRPR (which is the UK-based *PR company for SecurStar GmbH, led by Peter Rennison and Allie Andrews as stated in SecurStar Press Release ) did provide their client with this information. Heck, they *are* in the UK, they simply cannot ignore that! 
 
 IANAL, but I would not be surpised if someone filed a criminal complaint or start civil litigation for unfair competition against SecurStar GmbH. 
 Whether this is going to be a matter for criminal and/or civil Courts or not is not that important. However, it is clear enough that SecurStar GmbH appears to be at least ethically questionable and not really worth of trust. 
 Nice try, gentlemen… however, next time just do it right (whether “right” for them means “in a honest manner” or “in a fashion not to be caught” I will let them choose)” 
 
 Fabio Pietrosanti (naif) 
 Tags  ,  ,  ,  ,  ,  | Comments (7) 
 business interception Privacy security 
 Dishonest security: The SecurStart GmbH Phonecrypt case 
 1 February 2010 – 12:30 am 
 I would like to provide considerations on the concept of ethics that a security company should have respect to the users, the media and the security environment. 
 SecurStar GmbH made very bad things making that infosecuriguard.com fake independent research. 
 It's unfair approach respect to hacking community. 
 It's unfair marketing to end user. They should not be tricking by creating fake independent review. 
It's unfair competition in the security market. 
 Let's make some more important consideration on this. 
 Must be serious on cryptographic products. They are not toys 
 When you do cryptographic tools you should be really aware of what you are doing, you must be really serious. 
 If you do bad crypto people could die. 
 If you don't follow basic security rules for transparency and security for cryptography you are putting people life at risk. 
 You are taking the responsibility of this. (I want to sleep at night, don't think SecurStar CEO/CTO care about this…) 
 Security research need reference and transparency 
 Security research have to be public, well done, always subject to public discussion and cooperation. 
 Security research should not be instrumentally used for marketing purpose.Security research should be done for awareness and grow of the knowledge of the worldwide security environment. 
 Hacking environment is neutral, should not be used instrumentally 
 Hackers are considered neutral, nerds, doing what they do for their pleasure and passion. 
 If you work in the security market you work with hackers. 
 If you use hackers and hacking environment for your own marketing purposes you are making something very nasty. 
 Hackers give you the technology and knowledge and you use them for your own commercial purpose. 
 Consideration on the authority of the information online 
 That's something that pose serious consideration on the authority of information online.An anonymous hacker, with no reference online, made a product security review that appear like an independent one. I have to say that the fake review was very well prepared, it always posed good/bad things in an indirect way. It did not appeared to me at 1st time like a fake. But going deeply i found what's going on. 
 However Journalists, news media and blogger went to the TRAP and reviewed their fake research. TheRegister, NetworkWorld and a lot of blogs reported it. Even if the author was completely anonymous. 
 What they have done is already illegal in UK 
 SecurStar GmbH is lucky that they are not in the UK, where doing this kind of things is illegal . 
 Fabio Pietrosanti (naif) 
 Tags  ,  ,  ,  ,  | Comment (0) 
 business interception Privacy security technology 
 About the SecurStar GmbH Phonecrypt voice encryption analysis (criteria, errors and different results) 
 30 January 2010 – 2:02 am 
 This article want to clarify and better explain the finding at infosecurityguard.com regaring voice encryption product evaluation. 
 This article want to tell you a different point of view other than infosecurityguard.com and explaining which are the rational with extensive explaination from security point of view. 
 Today i read news saying: “PhoneCrypt: Basic Vulnerability Found in 12 out of 15 Voice Encryption Products and went to read the website infosecurityguard . 
 Initially it appeared to my like a great research activity but then i started reading deeply the read about it.I found that it's not properly a security research but there is are concrete elements that's a marketing campaign well done in order to attract public media and publicize a product. 
 Imho they was able to cheat journalists and users because the marketing campaign was absolutely well done not to be discovered on 1st read attempt. I personally considered it like a valid one on 1st ready (they cheated me initially!). 
 But if you go deeply… you will understand that: 
 - it's a camouflage marketing initiative arranged by SecurStar GmbH and not a independent security research 
 - they consider a only security context where local device has been compromised (no software can be secured in that case, like saying SSL can be compromised if you have a trojan!) 
 - they do not consider any basic security and cryptographic security criteria 
 
 However a lot of important website reported it: 
 This article is quite long, if you read it you will understand better what's going on around infosecurityguard.com research and research result. 
 I want to to tell you why and how (imho) they are wrong. 
 The research missed to consider Security, Cryptography and Transparency! 
 Well, all this research sound much like being focused on the marketing goal to say that their PhoneCrypt product is the “super” product best of all the other ones. 
 Any security expert that would have as duty the “software evaluation” in order to protect the confidentiality of phone calls will evaluate other different characteristics of the product and the technology. 
Yes, it's true that most of the product described by SecurStar in their anonymous marketing website called http://infosecurityguard.com have some weakness. 
 But the relevant weakness are others and PhoneCrypt unfortunately, like most of the described products suffer from this. 
 Let's review which characteristics are needed basic cryptography and security requirement (the best practice, the foundation and the basics!) 
 a – Security Trough Obscurity does not work 
 A basic rule in cryptography cames from 1883 by Auguste Kerckhoffs: 
 In a well-designed cryptographic system, only the key needs to be secret; there should be no secrecy in the algorithm. 
 Modern cryptographers have embraced this principle, calling anything else “security by obscurity.” 
 Read what Bruce Schneir, recognized expert and cryptographer in the world say about this 
 Any security expert will tell you that's true. Even a novice university student will tell you that's true. Simply because that's the only way to do cryptography. 
 Almost all product described in the review by SecurStar GmbH, include PhoneCrypt, does not provide precise details about their cryptographic technologies. 
 Precise details are: 
  •  Detailed specification of cryptographic algorithm (that's not just saying “we use AES “) 
  •  Detailed specification of cryptographic protocol (that's not just saying “we use Diffie Hellman ” ) 
  •  Detailed specification of measuring the cryptographic strenght (that's not just saying “we have 10000000 bit key size “) 
 Providing precise details means having extensive documentation with theoretical and practical implications documenting ANY single way of how the algorithm works, how the protocol works with precise specification to replicate it for interoperability testing. 
 It means that scientific community should be able to play with the technology, audit it, hack it. 
 If we don't know anything about the cryptographic system in details, how can we know which are the weakness and strength points? 
 Mike Fratto, Site editor of Network Computing, made a great article on “Saying NO to proprietary cryptographic systems” . 
 Cerias Purdue University tell this . 
 b – NON peer reviewed and NON scientifically approved Cryptography does not work 
 In any case and in any condition you do cryptography you need to be sure that someone else will check, review, analyze, distruct and reconstract from scratch your technology and provide those information free to the public for open discussion. 
 That's exactly how AES was born and like US National Institute of Standard make crypto does (with public contest with public peer review where only the best evaluated win). 
 A public discussion with a public contest where the a lot of review by most famous and expert cryptographer in the world, hackers (with their name,surname and face, not like Notrax) provide their contribution, tell what they thinks. 
 That's called “peer review”. 
 If a cryptographic technology has an extended and important peer review, distributed in the world coming from universities, private security companies, military institutions, hackers and all coming from different part of the world (from USA to Europe to Russia to South America to Middle east to China) and all of them agree that a specific technology it's secure… 
 Well, in that case we can consider the technology secure because a lot of entities with good reputation and authority coming from a lot of different place in the world have publicly reviewed, analyzed and confirmed that a technology it's secure. 
 How a private company can even think to invent on it's own a secure communication protocol when it's scientifically stated that it's not possible to do it in a “proprietary and closed way” ? 
 IBM tell you that peer review it's required for cryptography . 
 Bruce Schneier tell you that “Good cryptographers know that nothing substitutes for extensive peer review and years of analysis.” 
 Philip Zimmermann will tell you to beware of Snake Oil where the story is: “Every software engineer fancies himself a cryptographer, which has led to the proliferation of really bad crypto software.” 
 c – Closed source cryptography does not work 
 As you know any kind of “serious” and with “good reputation” cryptographic technology is implemented in opensource. 
 There are usually multiple implementation of the same cryptographic algorithm and cryptographic protocol to be able to review all the way it works and certify the interoperability. 
 Supposing to use a standard with precise and extended details on “how it works”, that has been “peer reviewed” by the scientific community BUT that has been re-implemented from scratch by a not so smart programmer and the implementation it's plenty of bugs. 
 Well, if the implementation is “opensource” this means that it can be reviewed, improved, tested, audited and the end user will certaintly have in it's own had a piece of technology “that works safely” . 
 Google release opensource crypto toolkit 
 Mozilla release opensource crypto toolkit 
 Bruce Schneier tell you that Cryptography must be opensource . 
 Another cryptographic point of view 
 I don't want to convince anyone but just provide facts related to science, related to cryptography and security in order to reduce the effect of misinformation done by security companies whose only goes is to sell you something and not to do something that make the world a better. 
 When you do secure products, if they are not done following the proper approach people could die. 
 It's absolutely something irresponsible not to use best practice to do crypto stuff. 
 To summarize let's review the infosecurityguard.com review from a security best pratice point of view. 
 Product name  Security Trough Obscurity  Public peer review  Open Source  Compromise locally? 
 Caspertec  Obscurity  No public review  Closed   Igen 
 CellCrypt  Obscurity 
 		 No public review 
 		 Closed 
 		  Igen 
 Cryptophone  Transparency  Limited public review  Public   Igen 
 Gold-Lock  Obscurity 
 		 No public review 
 		 Closed 
 		  Igen 
 Illix  Obscurity 
 		 No public review 
 		 Closed 
 		  Igen 
 No1.BC  Obscurity  No public review 
 		 Closed 
 		  Igen 
 PhoneCrypt  Obscurity 
 		 No public review 
 		 Closed 
 		  Igen 
 Rode&Swarz  Obscurity 
 		 No public review 
 		 Closed 
 		  Igen 
 Secure-Voice  Obscurity 
 		 No public review 
 		 Closed 
 		  Igen 
 SecuSmart  Obscurity 
 		 No public review 
 		 Closed 
 		  Igen 
 SecVoice  Obscurity 
 		 No public review 
 		 Closed 
 		  Igen 
 SegureGSM  Obscurity 
 		 No public review 
 		 Closed 
 		  Igen 
 SnapCell  Obscurity 
 		 No public review 
 		 Closed 
 		  Igen 
 Tripleton  Obscurity 
 		 No public review 
 		 Closed 
 		  Igen 
 Zfone  Transparency  Public review 
 		 Open   Igen 
 ZRTP  Transparency  Public review 
 		 Open   Igen 
 *Green means that it match basic requirement for a cryptographic secure system 
 * Red / Broken means that it does not match basic requirement for a cryptographic secure system 
 That's my analysis using a evaluation method based on cryptographic and security parameters not including the local compromise context that i consider useless. 
 However, to be clear, those are only basic parameters to be used when considering a voice encryption product (just to avoid being in a situation that appears like i am promoting other products). So it may absolutely possible that a product with good crypto ( transparency, peer reviewed and opensource) is absolutely a not secure product because of whatever reason (badly written, not usable causing user not to use it and use cleartext calls, politically compromised, etc, etc). 
 I think i will prepare a broader criteria for voice crypto technologies and voice crypto products, so it would be much easier and much practical to have a full transparent set of criterias to evaluate it. 
 But those are really the basis of security to be matched for a good voice encryption system! 
 Read some useful past slides on security protocols used in voice encryption systems (2nd part). 
 Now read below some more practical doubt about their research. 
 The security concept of the review is misleading: any hacked device can be always intercepted! 
 I think that the guys completely missed the point: ANY KIND OF SOFTWARE RUNNING ON A COMPROMISED OPERATING SYSTEM CAN BE INTERCEPTED 
 Now they are pointing out that also Zfone from Philip Zimmermann is broken (a pc software), just because they install a trojan on a PC like in a mobile phone? 
 Any security software rely on the fact that the underlying operating system is somehow trusted and preserve the integrity of the environment where the software run. 
  •  If you have a disk encryption system but your PC if infected by a trojan, the computer is already compromised. 
  •  If you have a voice encryption system but your PC is infected by a trojan, the computer is already compromised. 
  •  If you have a voice encryption system but your mobile phone is infected by a trojan, the mobile phone is already compromised. 
 No matter which software you are running, in such case the security of your operating environment is compromised and in one way or another way all the information integrity and confidentiality is compromised. 
 Like i explained above how to intercept PhoneCrypt. 
 The only things that can protect you from this threat is running in a closed operating system with Trust Computing capability, implementing it properly. 
 For sure on any “Open” operating system such us Windows, Windows Mobile, Linux, iPhone or Android there's no chance to really protect a software. 
 On difficult operating system such as Symbian OS or RimOS maybe the running software can be protected (at least partially) 
 That's the reason for which the security concept that guys are leveraging to carry on their marketing campaign has no clue. 
 It's just because they control the environment, they know Flexispy software and so they adjusted their software not to be interceptable when Flexispy is installed. 
 If you develop a trojan with the other techniques i described above you will 100% intercept PhoneCrypt. 
 On that subject also Dustin Tamme l, Security researcher of BreakPoint Systems , pointed on on VoIP Security Alliance mailing lists that the security analysis is based on wrong concepts . 
 The PhoneCrypt can be intercepted: it's just that they don't wanted to tell you! 
 PhoneCrypt can be intercepted with “on device spyware”. 
  Miért? 
 Because Windows Mobile is an unsecure operating environment and PhoneCrypt runs on Windows Mobile. 
 Windows Mobile does not use Trusted Computing and so any software can do anything. 
 The platform choice for a secure telephony system is important. 
 How? 
 I quickly discussed with some knowledgeable windows mobile hackers about 2 different way to intercept PhoneCrypt with an on-device spyware (given the unsecure Windows Mobile Platform). 
 a) Inject a malicious DLL into the software and intercept from within the Phonecrypt itself. 
 In Windows Mobile any software can be subject to DLL code injection. 
 What an attacker can do is to inject into the PhoneCrypt software (or any software running on the phone), hooking the Audio related functions acting as a “function proxy” between the PhoneCrypt and the real API to record/play audio. 
 It's a matter of “hooking” only 2 functions, the one that record and the one that play audio. 
 Read the official Microsoft documentation on how to do DLL injection on Windows Mobile processes. or forum discussing the technique of injecting DLL on windows mobile processes. 
 That's simple, any programmer will tell you to do so. 
 They simply decided that's better not to make any notice about this. 
 b) Create a new audio driver that simply act as a proxy to the real one and intercept PhoneCrypt 
 In Windows Mobile you can create new Audio Drivers and new Audio Filters. 
 What an attacker can do is to load a new audio driver that does not do anything else than passing the real audio driver function TO/FROM the realone. In the meantime intercept everything recorded and everything played :-) 
 Here there is an example on how to do Audio driver for Windows Mobile . 
 Here a software that implement what i explain here for Windows “Virtual Audio Cable” . 
 The very same concept apply to Windows Mobile. Check the book “Mobile Malware Attack and Defense” at that link explaining techniques to play with those techniques. 
 They simply decided that's better not to make any notice to that way of intercepting phone call on PhoneCrypt . 
 Those are just 2 quick ideas, more can be probably done. 
 Sounds much like a marketing activity – Not a security research. 
 I have to tell you. I analyzed the issue very carefully and on most aspects. All this things about the voice encryption analisys sounds to me like a marketing campaign of SecurStar GmbH to sell PhoneCrypt and gain reputation. A well articulated and well prepared campaign to attract the media saying, in an indirect way cheating the media, that PhoneCrypt is the only one secure. You see the press releases of SecurStar and of the “Security researcher Notrax telling that PhoneCrypt is the only secure product” . SecurStar PhoneCrypt is the only product the anonymous hacker “Notrax” consider secure of the “software solutions”. 
 The only “software version” in competition with: 
SnapCell – No one can buy it. A security company that does not even had anymore a webpage. The company does not almost exist anymore. 
rohde-schawarz – A company that have in his list price and old outdated hardware secure phone . No one would buy it, it's not good for genera use. 
 Does it sounds strange that only those other products are considered secure along with PhoneCrypt . 
 Also… let's check the kind of multimedia content in the different reviews available of Gold-Lock, Cellcrypt and Phonecrypt in order to understand how much the marketing guys pressed to make the PhoneCrypt review the most attractive: 
 Application  Screenshots of application  Video with demonstration of interception  Network demonstration 
 PhoneCrypt  5  0   1 
 CellCrypt  0   2  0 
 GoldLock   1   2  0 
 It's clear that PhoneCrypt is reviewed showing more features explicitly shown and major security features product description than the other. 
 Too much difference between them, should we suspect it's a marketing tips? 
 But again other strange things analyzing the way it was done… 
 If it was “an impartial and neutral review” we should see good and bad things on all the products right? 
 Ok, see the table below regarding the opinion indicated in each paragraph of the different reviews available of Gold-Lock, CellCrypt and Phonecrypt (are the only available) to see if are positive or negative. 
 Application  Number of paragraphs  Positive paragraphs  Negative paragraphs  Neutral paragraphs 
 PhoneCrypt  9  9  0  0 
 CellCrypt   12  0   10   2 
 GoldLock  9  0   8   1 
 
 
 Detailed paragraphs opinion analysis of Phonecrypt 
 Paragraph of review  Opinion expressed 
 From their website  Positive Marketing feedback 
 Apple iPhone  Positive Marketing feedback 
 Disk Encryption or voice Encryption  Positive Marketing feedback 
 PBX Compatibility? Really  Positive Marketing feedback 
 Cracking <10. Not.  Positive Marketing feedback 
 Good thinking!  Positive Marketing feedback 
 A little network action  Positive Marketing feedback 
 UI  Positive Marketing feedback 
 Good Taste  Positive Marketing feedback 
 Detailed paragraphs opinion analysis of Gold-Lock 3G 
 Paragraph of review  Opinion expressed 
 From their website  Negative Marketing feedback 
 Licensed by The israeli Ministry of Denfese  Negative Marketing feedback 
 Real Company or Part Time hobby  Negative Marketing feedback 
 16.000 bit authentication  Negative Marketing feedback 
 DH 256  Negative Marketing feedback 
 Downad & Installation!  Neutral Marketing feedback 
 Cracking it <10  Negative Marketing feedback 
 Marketing BS101  Negative Marketing feedback 
 Cool video stuff  Negative Marketing feedback 
 Detailed paragraphs opinion analysis of CellCrypt 
 Paragraph of review  Opinion expressed 
 From their website  Neutral Marketing feedback 
 A little background about cellcrypt  Negative Marketing feedback 
 Master of Marketing  Negative Marketing feedback 
 Secure Voice calling  Negative Marketing feedback 
 Who's buying their wares  Negative Marketing feedback 
 Downad & Installation!  Neutral Marketing feedback 
 My Demo environment  Negative Marketing feedback 
 Did they forget some code  Negative Marketing feedback 
 Cracking it <5  Negative Marketing feedback 
 Room Monitoring w/ FlexiSpy  Negative Marketing feedback 
 Cellcrypt unique features..  Negative Marketing feedback 
 Plain old interception  Negative Marketing feedback 
 The Haters out there  Negative Marketing feedback 
 Now it's clear that from their point of view on PhoneCrypt there is no single bad point while the other are always described in a negative way. 
 No single good point. Strange? 
 All those considerations along with the next ones really let me think that's very probably a marketing review and not an independent review. 
 Other similar marketing attempt from SecurStar 
 SecurStar GmbH is known to have used in past marketing activity leveraging this kind of “technical speculations”, abusing of partial information and fake unconfirmed hacking stuff to make marketing/media coverage. 
 Imho a rare mix of unfairness in leveraging the difficult for people to really understand the complexity of security and cryptography. 
 They already used in past Marketing activities like the one about creating a trojan for Windows Mobile and saying that their software is secure from the trojan that they wrote. 
 Read about their marketing tricks of 2007 
 They developed a Trojan (RexSpy) for Windows Mobile, made a demonstration capability of the trojan and later on told that they included “Anti-Trojan” capability to their PhoneCrypt software.They never released informations on that trojan, not even proved that it exists. 
 The researcher Collin Mulliner told at that time that it sounds like a marketing tips (also because he was not able to get from SecurStar CEO Hafner any information about that trojan): 
 “This makes you wonder if this is just a marketing thing.” 
 Now, let's try to make some logical reassignment. 
 It's part of the way they do marketing, an very unfriendly and unpolite approach with customers, journalist and users trying to provide wrong security concepts for a market advantage. Being sure that who read don't have all the skills to do in depth security evaluation and find the truth behind their marketing trips. 
 Who is the hacker notrax? 
 It sounds like a camouflage of a fake identity required to have an “independent hacker” that make an “independent review” that is more strong on reputation building. 
 Read about his bio: 
 ¾ Human, ¼ Android (Well that would be cool at least.) I am just an enthusiast of pretty much anything that talks binary and if it has a RS232 port even better. During the day I masquerade as an engineer working on some pretty cool projects at times, but mostly I do the fun stuff at night. I have been thinking of starting an official blog for about 4.5 years to share some of the things I come across, can't figure out, or just cross my mind. Due to my day job and my nighttime meddling, I will update this when I can. I hope some find it useful, if you don't, well you don't. 
 There are no information about this guy on google. 
 Almost any hacker that get public have articles online, post in mailing archive and/or forum or some result of their activity. 
 For notrax, nothing is available. 
 Additionally let's look at the domain… 
 The domain infosecurityguard.com is privacy protected by domainsbyproxy to prevent understanding who is the owner. 
 The domain has been created 2 months ago on 01-Dec-09 on godaddy.com registrar. 
 What's also very interesting to notice that this “unknown hacker with no trace on google about him that appeared on December 2009 on the net” is referred on SecurStar GmbH Press Release as a “An IT security expert”. 
 Maybe they “know personally” who's this anonymous notrax?  :) 
 Am i following my own conspiracy thinking or maybe there's some reasonable doubt that everything was arrange in that funny way just for a marketing activity? 
 Social consideration 
 If you are a security company you job have also a social aspects, you should also work to make the world a better place (sure to make business but “not being evil”). You cannot cheat the skills of the end users in evaluating security making fake misleading information. 
 You should do awareness on end users, to make them more conscious of security issues, giving them the tools to understand and decide themselves. 
 Hope you had fun reading this article and you made your own consideration about this. 
 Fabio Pietrosanti (naif) 
 ps Those are my personal professional opinion, let's speak about technology and security, not marketing. 
 pps i am not that smart in web writing, so sorry for how the text is formatted and how the flow of the article is unstructured! 
 Tags  ,  ,  ,  ,  ,  ,  | Comments (4) 
  Következő oldal » 
  Következő oldal »