23 November 2010

M-Pesa, SSL snoops, Cloud Cracking

M-Pesa

since 2007, Kenya ... phone technology..
..M-Pesa ...those without a bank account to transfer funds .. a text message.
..Vodafone and Safaricom...Pesa is Swahili for money.
50% use the service to send money to..relatives, to pay for shopping..taxi ride ..
"The bank in my phone"
..register with Safaricom at an M-Pesa outlet... load money onto their phone. ..sent onto a third party by text message.
The recipient takes the phone to their nearest vendor,... pick up the cash.
..Mr Makusi says he no longer has to worry about being mugged while carrying cash.
..Seema Desai, director of the Mobile Money for the Unbanked (MMU)..
..Nick Hughes and Susie Lonie.. M-Pesa. .. Economist Innovation award..
...payment to the thousands of small one or two-cow milk producers.. decided to create a payment system using M-Pesa.
...Smart and Globe were active on a smaller scale in the Philippines in 2002
...March 2010 28.59bn (KES) ($351m) was transferred using the service.
..launched in Tanzania, Afghanistan and now South Africa, with trials underway in India.
One company that does let you pay with your mobile is Boku...buy virtual money..??? 65 countries..

Japan and South Korea ..in use for several years
Verizon, AT&T, and T-Mobile.. NFC system called Isis by 2012,
..Google Gingerbread smartphone, will have NFC technology
November 17, 2010

The Bill and Melinda Gates Foundation has committed $500 million (Sh40 billion) over five years
....$4.8 million ..to expand M-Pesa into Tanzania through .. Vodafon..
..helped Kenyans cope with disasters better.
..ShoreBank Int..BRAC Bank .. Bangladesh will receive $10 million..go into introducing bKash..a mobile money ..
SSL snoops

A paper published today by Chris Soghoian and Sid Stamm [pdf] suggests that the threat may be far more practical than previously thought. They found turnkey surveillance products, marketed and sold to law enforcement and intelligence agencies in the US and foreign countries, designed to collect encrypted SSL traffic based on forged "look-alike" certificates obtained from cooperative certificate authorities. The products (apparently available only to government agencies) appear sophisticated, mature, and mass-produced, suggesting that "certified man-in-the-middle" web surveillance is at least commonplace and widespread enough to support an active vendor community. Wired's Ryan Singel reports in depth here.
Law Enforcement Appliance Subverts SSL
marketing internet spying boxes to the feds. The boxes were designed to intercept those communications — without breaking the encryption — by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.

“Verisign has never issued a fake SSL certificate, and to do so would be against our policies,” said vice president Tim Callan.
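
A certificate issued by any trusted CA passes normal chain validation, so spotting a look-alike means comparing what a host presents now with what it presented before. The sketch below is an added example, not code from the paper or from the original post; the `CertWatch` class, the host name and the issuer names are hypothetical, and short byte strings stand in for real DER certificates.

```python
import hashlib

# Outcomes a monitoring tool would act on.
FIRST_SEEN = "first-seen"
UNCHANGED = "unchanged"
REISSUED = "reissued-same-ca"
ISSUER_CHANGED = "issuer-changed"


class CertWatch:
    """Trust-on-first-use record of the certificate each host presented."""

    def __init__(self):
        self._seen = {}  # host -> (SHA-256 of DER certificate, issuer name)

    def observe(self, host, der_bytes, issuer):
        # In real use der_bytes would come from
        # ssl.SSLSocket.getpeercert(binary_form=True).
        host = host.lower().rstrip(".")
        fingerprint = hashlib.sha256(der_bytes).hexdigest()
        previous = self._seen.get(host)
        if previous is None:
            self._seen[host] = (fingerprint, issuer)
            return FIRST_SEEN
        if previous[0] == fingerprint:
            return UNCHANGED
        if previous[1] == issuer:
            # Same CA, new certificate: ordinary renewal, roll the record on.
            self._seen[host] = (fingerprint, issuer)
            return REISSUED
        # Different CA signed a new certificate for a known host. Keep the
        # old record so the alert repeats until someone reviews it.
        return ISSUER_CHANGED


def demo():
    # Constructed observations for one host (not captured traffic).
    watch = CertWatch()
    observations = [
        ("mail.example.test", b"cert-A", "Example Root CA"),
        ("mail.example.test", b"cert-A", "Example Root CA"),
        ("mail.example.test", b"cert-B", "Example Root CA"),
        ("MAIL.example.test.", b"cert-C", "Other Trusted CA"),
        ("mail.example.test", b"cert-B", "Example Root CA"),
    ]
    return [watch.observe(*o) for o in observations]
```

An issuer change is a signal for review rather than proof of interception, since sites do switch CAs, and the first observation of a host has nothing to be compared against.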


Cloud Cracking

..Amazon EC2 "Cluster GPU Instances": ..the power of two NVIDIA Tesla “Fermi” M2050 GPUs....
33.5 EC2 Compute Units (2 x Intel Xeon X5570, quad-core “Nehalem” architecture)
2 x NVIDIA Tesla “Fermi” M2050 GPUs
API name: cg1.4xlarge

GPUs are known to be the best hardware accelerator for cracking passwords, so I decided to give it a try: How fast can this instance type be used to crack SHA1 hashes?

Using the CUDA-Multiforce, I was able to crack all hashes from this file with a password length from 1-6 in only 49 Minutes (1 hour costs 2.10$ by the way.):
[cracking a hash is 1 thing, cracking a hash with a useful message is another]


arduino "smart card" or smartcard reader
arduino 8 bit controller - toys take over the world
how to read SLE4442 smart card
From 64-bit Hexadecimal Representation To Decimal Floating-Point
Engineers at the University of Kitakyushu have built this red snapper robot. Intended for wildlife surveys, this robot sports an array of sensors as well as a hand painted silicon body. It is decidedly more realistic looking than the Robofish and the Essex University robot fish.
Web Tech
One of the compelling reasons to use JSON instead of XML in current web applications is the imposed security restrictions in modern browsers; JSON can actually be retrieved from remote websites without too much trouble (using jsonp) while XML requires one to jump through a number of loops (such as a local proxy). Go figure!
MasterCard Tap & Go
..New Zealand's first "tap and go" credit cards ..tomorrow..
..ANZ's Rugby World Cup MasterCards ..< $80 ....two seconds....terminals .. in Auckland's Eden Park and Wellington's Westpac Stadium.."corridors" of retailers around the stadiums.. protected by MC's "zero fraud liability" protection, .. ..has already been issuing prepaid and reloadable MasterCards with the embedded antennae, .. not been telling customers about the ..contactless feature. ....83 million MasterCard contactless cards on issue worldwide
stuff

09 November 2010

Australian Problems, Bangalore and Pune, AES-NI

Australian Problems
seem to have had a few since I tried to get on the bus in 95
The history of implementing public transport smart cards in Australia has seen mixed results. The first attempt to implement a smart card for public transport in NSW failed in 2008 and has since led to long-running legal troubles for the State Government. In Victoria, the Myki smart card system is up and running on trains, buses and trams in Melbourne, but has also had its fair share of troubles. Queensland has experienced fewer troubles with its go card system. Perth has also managed to implement a smart card system.

South Australia and the Australian Capital Territory are in the midst of roll-outs.

Clark said Visa was currently conducting a trial in New York's transit system with a payWave app on the iPhone
Bangalore and Pune are vying to be the first city in India to deploy a contactless smart card fare system on city buses .. idsuperstore.ca.

Bangalore’s .. nearing completion, ..1,000 buses. Pune, .. a definitive November 14 launch date..
AES on Intel
The Intel® AES New Instructions (AES-NI) Sample Library .. Advanced Encryption Standard (AES) block cipher using the new AES-NI instructions available in Intel Core™ i5, i7, Xeon® 5600 series and newer processors.

.. all new 2010 Intel® Core..Westmere.
28.0 cycles per byte to 3.5 cycles per byte
AES-NI in truecrypt, but note the arguments:
truecrypt apparently doesn't have a "true" free licence - the distinction seems moot to me
truecrypt really doesn't do anything useful that you can't do better with proper open source choices, like dmcrypt/luks.
a lot easier to use, has a simple gui for easy creation of encrypted containers, partitions and drives, supports multiple cores!! and AES-NI, no need to create multiple dmcrypt-devices and a raid above them, to use multiple cores (on slower systems with fast disks/ssds without hardware acceleration (VIA Eden, AES-NI, ... ) especially on older dual/quadcore-systems where cpu can be a real bottleneck for system-performance if you have your system encrypted, and want to copy data on other fast encrypted discs (internal sata/sas or external e-sata/usb3).

From the performance-point of view:

Now I get ~570mb/s on a single core (i7 620M [dualcore]) with dmcrypt [aes-ni-support] and with truecrypt ~1600-1700mb/s on both cores.

Without AES-NI truecrypt (6.0) got about 250mb/s while dmcrypt on one core got about 100mb/s [older kernel/dmcrypt, think 110-120mb/s would be possible on an up2date kernel/dmcrypt]

I will keep my dmcrypt for the operating system (since truecrypt for linux-system encryption isn't supported) and use truecrypt for external drives.
Another thing, truecrypt runs on windows, linux, mac, solaris, ... , especially for external harddrives you want to use on more than one operating system, sticking with dmcrypt just doesn't work.
