Thursday 19 November 2009

Google ChromeOS: Computer as a Service

Google has announced its Chrome OS. They claim that they will take full central control over any computer running Chrome OS. This should be well-known to people who use vendor-branded cell phones: no hassle, quick and simple operation, but restricted functionality.
It seems reasonable to me that a tightly controlled system should be able to defeat malware. However, I don't think that this level of control is necessary here. The reason to want this level of control should not be security, but the wish to have a computer that "just works", as another vendor of more or less malware-resistant computers calls it.
Also note that Google wants to get into the service business.

Monday 16 November 2009

"Anomalies" in Spain Speed up EMV Transition

It's not really clear what has happened there. It seems that massive amounts of credit card data were lost at a Spanish credit card processor. New cards are being sent to customers. At least some of these actually have an EMV chip. Another nail in the coffin of the obsolete magnetic stripes.
Update: Tonight it was in the news: more than 100 000 cards have been exchanged.

Sunday 8 November 2009

Shredded Stasi Documents Reconstructed

In November 1989, the agents of the East German secret police, the Stasi, had a problem: on the streets there was a revolution that would soon take over the government, and in the archives there was precise documentation of what they had done in the last 40 years. So they hurriedly shredded as many documents as they could.
In the years to follow, people had to accept the fact that it was just not feasible to reconstruct these documents.
One engineer at the Fraunhofer Gesellschaft didn't accept that and developed a program that can reconstruct shredded documents. The trick is to categorize the shreds before making an attempt to match them. Otherwise, the number of possible combinations would grow exponentially with the number of shreds.
The security lesson? Shredding documents no longer keeps them secret.
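The effect of categorizing before matching, as an added example (not the Fraunhofer program and not code from the original post). The shred model, the category labels and the exact-equality edge test are assumptions for illustration, and the code counts only pairwise edge comparisons, not full arrangements:

```python
import random
from collections import defaultdict
from itertools import permutations

def make_shreds(pages, strips_per_page, seed=1):
    """Constructed data: cut each page into vertical strips.
    A strip records its page's visible category (paper/ink) and the
    pixel columns along its left and right cut edges."""
    rng = random.Random(seed)
    shreds = []
    for page_id, category in enumerate(pages):
        # One random pixel column per cut; neighbouring strips share it.
        cuts = [tuple(rng.randrange(256) for _ in range(16))
                for _ in range(strips_per_page + 1)]
        for i in range(strips_per_page):
            shreds.append({"id": (page_id, i), "category": category,
                           "left": cuts[i], "right": cuts[i + 1]})
    rng.shuffle(shreds)  # the pile arrives unordered
    return shreds

def match_edges(shreds):
    """Try every ordered pair; return (adjacent pairs, comparisons made).
    Idealized: real edges are noisy and need a similarity score."""
    pairs, comparisons = set(), 0
    for a, b in permutations(shreds, 2):
        comparisons += 1
        if a["right"] == b["left"]:
            pairs.add((a["id"], b["id"]))
    return pairs, comparisons

def match_by_category(shreds):
    """Sort shreds into categories first, then match only inside each."""
    buckets = defaultdict(list)
    for s in shreds:
        buckets[s["category"]].append(s)
    pairs, comparisons = set(), 0
    for bucket in buckets.values():
        found, count = match_edges(bucket)
        pairs |= found
        comparisons += count
    return pairs, comparisons
```

With 60 strips in three equally sized categories, both functions recover the same adjacencies, but the categorized run needs about a third of the comparisons; the saving grows with the number of categories.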

PhoneSnoop Turns BlackBerries into Bugs

A simple BlackBerry program called PhoneSnoop will turn your BlackBerry into a bug. The attacker will install it on a BlackBerry he found lying around. Then calling the BlackBerry from a preconfigured telephone number will put the BlackBerry into SpeakerPhone mode, and all conversations near the affected BlackBerry can be overheard at the remote end of the call.
This is not a security issue of the BlackBerry operating system, because the root cause here is that the attacker had full control over the phone when he installed the software. For a minimum level of security, the BlackBerry should be configured to require a password after a short period of inactivity.
However, the moral here is that you shouldn't think "I don't have sensitive information on my telephone, so I don't need to secure it".

Sunday 1 November 2009

Amazon PayPhrase

Amazon has announced a new payment system, Amazon PayPhrase. It has two interesting security properties:
  • Participating websites will not obtain the credit card information
  • Deliveries will only be sent to the address set up at Amazon
Stealing the passphrase or the PIN used for authorizing the checkout won't help cybercriminals much, because they cannot trigger a delivery of the goods to an address of their choice. It seems to me that the system is as secure as Amazon itself. As Amazon has my credit card data anyway, I gain a little security because the other websites don't get my credit card number.
Small websites might be happy to be relieved from the burden of credit card handling.
Centralizing the sensitive information will also help when security is to be added to the handling of sensitive information, like using a hardened browser, for example.