Archive for December, 2010

Chaos Communication Congress Gathers In Berlin

Monday, December 27th, 2010

So good to be back in Berlin, a place that respects hacker culture. Tickets are sold out here for this year’s Chaos Communication Congress (CCC), the annual hacker gathering where Wikileaks founder Julian Assange announced the Icelandic Modern Media Initiative (Immi) last year. Launched by Birgitta Jonsdottir, a member of the Icelandic parliament, Immi is a collection of source-protection, freedom of information and transparency laws that would make Iceland a legal base for the coming wave of Wikileaks-like organizations. Iceland appreciates Wikileaks because it revealed the corrupt loans that destroyed the country’s largest bank, an act of vast corruption that strapped Iceland with $128 billion in debt - about $400,000 per capita.

The opening speaker at the CCC this morning was Rop Gonggrijp, who helped to write Immi and played a central role this year in uncovering flawed electronic voting machines in India and Brazil. Gonggrijp reminded CCC attendees that they’re a community that supports free speech. He condemned efforts by Anonymous to attack Paypal and other sites that cut off Wikileaks. “Yes we could do damage to Paypal,” said Gonggrijp, “but we understand that no good comes of that.” Gonggrijp noted that the CCC motto is “we come in peace,” and that during a time of financial crisis when politicians were “quietly pocketing the silverware and making their way to the lifeboats,” there is increasing need for people who know how to reverse engineer and reengineer and do more with less.

Gonggrijp still stands behind his 2005 CCC pronouncement that the war for privacy has been lost, a position which he says was spawned in the grump of a midlife crisis. I don’t agree with Gonggrijp that this battle is over. But I do share his following observation that due to mass use of antidepressants, we are below the threshold on smart, resourceful, unhappy people that harness their dissatisfaction to push for reforms that are painful or costly, but healthy in the long run. While no one should deny pharmaceuticals to people who suffer, Gonggrijp observes that unhappiness has become socially unacceptable at just the time when we need a bit more righteous anger.

Here in Berlin this evening, there’s no lack of focused, purposeful response to a world in need of more transparency. A hacker sitting nearby just handed me a map of a tag cloud that lets you search the Wikileaks cables by geographic location. Next she’s working on a searchable database of critical and creative responses to the cables. “If someone wants to create epic poetry or science fiction from this data, we should know,” she said. “This is a First Amendment test, I want to see what people actually do next.”

USB storage can never be securely erased

Saturday, December 25th, 2010

USB devices that implement the Mass Storage command set don’t provide a standard way to securely erase the contents of the storage. People often want to do this, for example before giving the storage device to someone else (without exposing the personal or business records that used to be on it), or before crossing an international border where normal legal protections against intrusive searches or “fishing expeditions” do not apply.

The lack of a standard command for this prevents USB-attached disk drives from being erased using the ATA Secure Erase command. (Sometimes you can open the plastic, extract the SATA drive from inside the USB disk drive case, attach that drive to a computer via SATA, and then erase it securely, but this is painful.) It also means that there’s no reliable way to remove information from a USB flash memory stick, which is more serious.

If you merely delete a file from such a memory stick, its contents probably still exist in the flash chips, and they can be read out by anyone who pops open the plastic and connects to the flash chip itself. An upcoming paper from the USENIX FAST conference details how 14 different conventional attempts to securely erase a file all failed to erase the contents of the file from a variety of USB memory sticks. (See the slides.)
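To make the failure concrete, here is a toy model, added for illustration and not taken from the paper or from any real device, of a stick whose controller writes out of place, as flash controllers commonly do. The class, the page size and the sample secret are all constructed assumptions, and the model deliberately has no garbage collector.

```python
PAGE_SIZE = 16
SECRET = b"PIN=4921;KEY=abc"   # constructed sample data, exactly one page long


class ToyFlashStick:
    """Constructed model: more physical pages than the host can address."""

    def __init__(self, logical_blocks=4, physical_pages=8):
        self.logical_blocks = logical_blocks
        self.pages = [None] * physical_pages   # None = erased, never programmed
        self.mapping = {}                      # logical block -> physical page
        self.next_free = 0

    def write(self, lba, data):
        """Host WRITE: program a fresh page and remap; the old page stays as-is."""
        if not 0 <= lba < self.logical_blocks:
            raise IndexError("logical block out of range")
        if self.next_free >= len(self.pages):
            raise RuntimeError("out of erased pages (model has no garbage collector)")
        self.pages[self.next_free] = data.ljust(PAGE_SIZE, b"\0")[:PAGE_SIZE]
        self.mapping[lba] = self.next_free
        self.next_free += 1

    def read(self, lba):
        """Host READ: only the currently mapped page is reachable over USB."""
        page = self.mapping.get(lba)
        return None if page is None else self.pages[page]

    def raw_chip_dump(self):
        """What a reader wired directly to the flash chip sees: every programmed page."""
        return b"".join(p for p in self.pages if p is not None)


def overwrite_then_inspect(secret=SECRET, patterns=(b"\xff", b"\xaa", b"\x00")):
    """Store a secret, overwrite its block once per pattern, compare both views."""
    stick = ToyFlashStick()
    stick.write(0, secret)
    for fill in patterns:
        stick.write(0, fill * PAGE_SIZE)
    return stick.read(0), secret in stick.raw_chip_dump()


if __name__ == "__main__":
    host_view, still_on_chip = overwrite_then_inspect()
    print("host reads:", host_view)
    print("secret still on chip:", still_on_chip)
```

The host's view after a three-pass overwrite is all zeros, yet the original page is still programmed on the chip, and nothing in the Mass Storage command set lets the host ask the controller to erase it.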

Clearly this oversight in the USB Storage command set should be remedied. Who knows somebody who’s on the relevant standards committee?