USENIX gives the finger to Volkswagen’s attempt to silence disclosure


The High Court of Justice in the UK judged that researchers who found potential weaknesses in the Megamos cryptography that car maker Volkswagen and many luxury car makers use for their wireless key entry systems could not publish their research.

Since this court does not have jurisdiction here in the USA and such a judgment would be a violation of our Constitutions’ 1st Amendment anyway, the Advanced Computing Systems Association aka USENIX decided they would allow the researchers to present their findings at the next USENIX “HotSec” information security conference later this month on August 13 in the District of Criminals  Washington, DC.

Good on them!  I am definitely proud to be a long-time member of USENIX and even more so after hearing of this news.

On a more sardonic note, lots of people note that Volkswagen was a product of a Nazi organization as a direct result of a fervent request by Hitler himself to produce a car that everyone (in Germany) could afford.

For those that argue against full disclosure and for security by obscurity alone, particularly the kind enforced by crony capitalism and its thuggish protection rackets, this is what happens when you try to hide the truth.

Photo credits: GDF – S2 – 2011


Geography of cybercrime of Western Europe and North America

Leave a comment

I am a “geo-geek” and love maps of all types, as well as visual representations of data.

Here’s a detailed analysis of the geography of cybercrime in Western Europe and North America. While it has more graphs than maps, it’s a very informative presentation on who’s hackin’ from where and how.

Potential new TLS compromise involving compression

Leave a comment

Thomas Ponin gives a thorough answer about an upcoming disclosure of a vulnerability in TLS that involves cookies in a TLS connection that is using compression (gzip and zip) and then submitting additional blank cookies with malicious Javascript code that hits the victims machine – the added cookies are all the same size due to compression except for the cookie containing the secret, which due to the compression algorithm gets compressed just a bit more. The secret can possibly be guessed by reconstructing it in this way.

Bottom line: Don’t login to your investment account on a public wifi and if you do, don’t leave it open for very long. Shouldn’t do that, anyway…

Update: ARS Technica put out an article about this today.