Martin Geisler Online

Today at the lecture on System Security I asked the lecturers and teaching assistants (Germano Caronni, Stefan Frei, and Senn Diana) if they would sign my GnuPG key.

And they agreed and promptly brought out their wallets to show me some legitimation and to give me their key fingerprints. I had brought my fingerprint with me as a bunch of paper slips with the output from gpg --fingerprint 7E45DD38 — they had their fingerprints as part of their business cards! Very cool!

So now I expect to become part of the strongly connected set of OpenPGP keys. This set contains 30,552 keys according to the status (see the bottom) latest keyanalysis report.

Another good source of information about this set is Web of trust statistics and pathfinder (Wotsap) by Jörgen Cederlöf, which makes nice graphs showing the trust relationship between the keys. Unfortunately the server is out of service at the moment — I hope they get it back online again soon. The PGP pathfinder & key statistics service by Henk P. Penning is a good way to trace paths to and from keys, but without the fancy graphics.

The System Security course that I’m currently taking always manages to make my Fridays interesting. Yesterday we heard about security in filesystems, most of which I already knew. But afterwards in the exercise hour we told about skimming, an attack on your credit card when you use an ATM (automated teller machines, those machines where you can withdraw cash from your credit card).

The exercises are actually often more interesting than the lectures themselves, for there we hear some real-world stuff. Yesterday Stefan Frei showed us a presentation about attacks on ATMs, both skimming attacks and other more brute-force attacks where people run away with the entire machine!

Skimming attacks are a relative new form of fraud where people snatch the information stored in the magnetic stripe on credit cards, together with the PIN code. They do this by installing a small camera and a small card reader in the ATM. The fake card-reader is put infront of the real card reader, and the bad guys will thus get hold of the information in the magnetic strip when you insert your card in the ATM. An example taken from a British ATM is shown on the right: at the top you see the original ATM, and at the bottom the ATM with the card reader installed.

See how those fake card readers look very professional and similar to the rest of the machine? We’re not talking about something held together with dutch tape here…

When you input your PIN the camera captures that — with both the magnetic strip and the PIN there’s nothing that prevents them from making a duplicate of your card and then simply walk op to the nearest ATM and withdraw money from your account. A rather scary scenario!

In the presentation we saw some photos of the next generation of skimming devices. The “funny” thing about those is that you cannot see them! They measure just a tiny bit more than your credit card, which means something like six centimeters wide, five milimeters height, and four milimeters deep. And that includes batteries, the card reader, radio antenna, and the circuits to make the whole thing run!

One could think that this is just some weird trick which only occurs in countries far, far away, but no — it happens right here in Switzerland! The first case of skimming has just been discovered in Wallis… So if you still have a magnetic stripe on your credit card, then watch out where you stick it into.

The newer card which uses a chip are not in danger from skimming attacks, since the data stored on the chip cannot be read out without interacting with the chip. The chip uses digital signatures to ensure that it’s really talking with an authorized ATM and not just some rouge skimming device. Of course most of these chip-enabled credit cards still have a magnetic strip on them to be compatible with legacy ATMs, so one still has to be careful…

Today I saw the first incident of WikiVandalism here at GimpsterDotCom. Some guy couldn’t find anything better to do than delete the contents from the PHP Tutorial and write ”I’m gay” instead.

This is exactly the kind of thing people have been worried about when I’ve told about how my WikiWikiWeb works. They would ask something along the lines of: But wont someone just come and delete your pages? And I would say: ”Probably, but I have backups and they’ll soon discover that it isn’t that much fun to destroy other peoples work when it’s this easy…”. I still believe this to be true because of the reasons that can be seen here: Wiki:WhyWikiWorks.

I just have to figure out how to delete a single revision of a page instead of deleting everything in one go as I just did with the PHP Tutorial page…

gimpster.com is in the middle of a move to another server at Netsite. I’m moving because of the very poor security there is on a Cobolt RaQ. On the new server I’ll be able to use PHP4 — I can’t wait to check out the new session-management-stuff they have added.