Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. This phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. Cold reboots can be used to mount attacks on popular disk encryption systems — BitLocker, FileVault, dm-crypt, and TrueCrypt — using no special devices or materials. We experimentally characterise the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. New algorithms are available for finding cryptographic keys in memory images and for correcting errors caused by bit decay.

Full research paper [PDF]

Introductory blog post

Frequently asked questions

Experiment guide

Videos and images

According to Wired the Boeing 787 Dreamliner connected the networks for passenger services to critical flight systems:

The computer network in the Dreamliner’s passenger compartment, designed to give passengers in-flight internet access, is connected to the plane’s control, navigation and communication systems, an FAA report reveals.

Here’s what a Boeing spokesperson had to say:

…it is employing a combination of solutions that involves some physical separation of the networks, known as “air gaps,” and software firewalls. Gunter also mentioned other technical solutions, which she said are proprietary and didn’t want to discuss in public.

Would it really be that much more costly to create 2 networks. One for the important stuff like navigation and control systems, and another completely independent network for passengers to download porn? Networking gear isn’t that expensive. Internet access at 35,000 feet is high latency anyway.

I’m really not so sure I’d feel comfortable knowing that the same network that’s carrying a Rob Schneider movie to the guy in 11F is also carrying packets intended for the horizontal stabilizer.

Maybe I’m just paranoid. After all, I’m not to comfortable with the Airbus A380 apparently running windows in the cockpit.

Hopefully they get it all figured out quickly.

We start the year in Britain with a challenge to our essential nature, for 2008 might turn out to be the year when we decide to rip up the Magna Carta.

Video: Phil Booth on what the Government isn’t telling us

Among the basic civil rights in this country, there has always been, at least in theory, an inclination towards liberal democracy, which includes a tolerance of an individual’s right to privacy.
We are born free and have the right to decide what freedom means, each for ourselves, and to have control over our outward existence, yet that will no longer be the case if we agree to identity cards.

Britain is already the most self-watching country in the world, with the largest network of security cameras; a new study suggests we are now every bit as poor at protecting privacy as Russia, China and America.

But surveillance cameras and lost data will prove minuscule problems next to ID cards, which will obliterate the fundamental right to walk around in society as an unknown.

Some of you may have taken that freedom so much for granted that you forget how basic and important it is, but in every country where ID cards have ever been introduced, they have changed the relation between the individual and the state in a way that has not proved beneficial to the individual. I am not just talking Nazi Germany, but everywhere.

It is also a spiritual matter: a person’s identity is for him or her to decide and to control, and if someone decides to invest the details of their person in a higher authority, then it should not be the Home Office.

The compulsory ID card scheme is a sickness born of too much suspicion and too little regard for the meaning of tolerance and privacy in modern life.

Hooking individuals up to a system of instantly accessible data is an obscenity - not only a system waiting to be abused, but a system already abusing.

Though we don’t pay much attention to moral philosophy in the mass media now - Bertrand Russell having long been exchanged for the Jeremy Kyle Show - it may be worth remembering that Britain has a tradition of excellence when it comes to distinguishing and upholding basic rights and laws in the face of excessive power.

The ID cards issue should be raising the most stimulating arguments about who we are and how we are - but no, it is not: we nose the grass like sheep and prepare to be herded once again.

It seems the only person speaking up with a broad sense of what this all means is Nick Clegg, the new leader of the Liberal Democrats, who has devoted much of his new year message to underlining the sheer horribleness of the scheme.

He has said he will go to jail rather than bow to this “expensive, invasive and unnecessary” affront to “our natural liberal tendencies”.

I have to say I cheered when I heard this, not only because I agree, but because it is entirely salutary, in these sheepish times, to see a British politician express his personal feelings so strongly.

Many people on the other side of the argument make what might be called a category mistake when they say: “If you’ve nothing to hide, why object to carrying a card?”

Making it compulsory to prove oneself, in advance, not to be a threat to society is an insult to one’s right not to be pre-judged or vetted.

Our system of justice is based on evidence, not on prior selection, and the onus on proving criminality is a matter for the justice system, where proof is of the essence.

Many regrettable things occur as a result of freedom - some teenage girls get pregnant, some businessmen steal from their shareholders, some soldiers torture their enemies, some priests exploit children - but these cases would not, in a liberal society, require us to end the private existence of all people just in case.

If the existence of terrorists, these few desperate extremists, makes it necessary for everybody in Britain to carry an ID card then it is a price too high.

It is more than a price, it is a defeat, and one that we will repent at our leisure. Challenges to security should, in fact, make us more protective of our basic freedoms; it should, indeed, make us warm to our rights.

In another age, it was thought sensible to try to understand the hatred in the eyes of our enemies, but now it seems we consider it wiser just to devalue the nature of our citizenship.

What’s more - it won’t work. Nick Clegg has pointed to the gigantic cost and fantastic hubris involved in this scheme, but recent gaffes with personal information have shown just how difficult it is to control and protect data.

A poll of doctors undertaken by doctors.net.uk has today shown that a majority of doctors believe that the National Programme for IT - seeking to contain all the country’s medical records - will not be secure.

In fact, it is causing great worry. Many medical professionals fear that detailed information about each of us will soon be whizzing haphazardly from one place to another, leaving patients at the mercy of the negligent, the nosy, the opportunistic and the exploitative.

“Only people with something to hide will fear the introduction of compulsory ID cards.”

That is what they say, and it sounds perfectly practical. If you think about it for a minute, though, it begins to sound less than practical and more like an affront to the reasonable (and traditional) notion that the state should mind its own business.

In a just society, what you have to hide is your business, until such times as your actions make it the business of others. Infringing people’s rights is not an ethical form of defence against imaginary insult.

You shouldn’t have to tell the government your eye colour if you don’t want to, never mind your maiden name, your height, your personal persuasions in this or that direction, all to be printed up on a laminated card under some compulsory picture, to say you’re one of us.

You weren’t born to be one of us, that is something you choose, and to take the choice out of it is wrong. It marks the end of privacy, the end of civic volition, the end of true citizenship.

With as much is going on these days to screw with our privacy it isn’t a bad idea to learn a little bit about encryption. Now, I know you may think that you aren’t doing anything private so what is the point? I’m not doing anything “private” either, it’s simply a matter of it not being any of anyone else’s business.

I have for some time now been interested in digitally signing my emails. And if you’ve seen me pop-up on a mailing list or got any emails from me in the last few days you’ve probably seen a digital signature in-line or as an attachment. Via this digital signature you can verify that the exact contents of the email into your box is the same contents that came out of mine, therefore maintaining integrity. If even *one* character changed the signature would not validate and you could tell the email or signature had been tampered with.

I have also started signing and encrypting emails to others that also have a PGP key pair that I have personally trust-signed. I’ll talk about the trust signing later but I wanted to share a few steps and some other references to how you can generate your own key and also be able to sign and / or encrypt emails or files.

The GUI Front-End

There are a number of tools to help you generate and manage your PGP keys. I suggest seahorse on gnome or kgpg on KDE. You can also use the command line equivalent on either system, which will be standard between the two. (note: there are also solutions for OS X and Windows, but I won’t get into those.)

First we’ll install the GUI front-end to go with the pre-installed GnuPG back-end.

(for gnome)

sudo aptitude install seahorse

or

sudo aptitude install gpa

or (for kde)

sudo aptitude install kgpg

Creating The Key

Now that we have one of these installed we’ll launch the front-end and start creating a key. In this example I’ll refer to seahorse but the steps should fairly easily transfer to the other two applications.

Applications > Accessories > Passwords and Encryption Keys

Select “Key” from the File Menu and “Create New Key (ctrl-N)”

This will prompt you with a selection between PGP and SSH. In this case we’ll want PGP.

The next window will prompt you for your full name, email address and comment. It is generally recommended to use your full legal name (not nicknames or aliases) and your primary valid email address. I suggest leaving the comment section empty.

You may want to select the “Advanced key options” button and set a higher key strength. The default type DSA Elgamal of 2048 is a very powerful key strength but it does support up to 4096 as well. Personally I left it at the default of 2048 as this is plenty powerful in itself.

You can also optionally select a date that this key will expire. Unless you know a reason why you’d want to do that (sometimes for temporary project-based keys, etc) you can safely set it to not-expire.

When you hit “Create” it will ask you for a passphrase to bind to this key pair. Choose a good, solid, more-than-a-dozen character passphrase to make this even more solid. Your digital signature and key are only as strong as its weakest link which is the passphrase. If someone gets a hold of your passphrase they can make use of your private key, un-encrypt emails sent to you or appear to be you! Once you have entered the passphrase it will generate your key pair. Remember this passphrase because, without it, the key pair is useless!

Depending on the key strength and the speed of your machine this may take a while. You should see a progress bar on the screen while it processes a new key. Just be patient.

You now have a basic key that is capable of digitally signing and optionally encrypting emails or files. One great use of this is to digitally sign the Ubuntu Code of Conduct as outlined here.

Using the Key

For those of you that want to get started right away signing emails you may be interested in some of the extensions available for commonly used mail applications. Thunderbird has a great one with Enigmail. You can find it on the mozilla addons site or via the ubuntu repositories.

Evolution has PGP support built in which is also very good. You can find this in the Edit>Preferences. Where you should select the email account then go to Edit>Security. Here you should enter the PGP key ID and check all boxes under the PGP header, except “Do not sign meeting requests”.

Now this tutorial is getting a bit long so I’ll have to expand this next time and explain expanding your key with your alternate email addresses, keysigning parties, etc.

Until then I hope this helped a little bit.

Two major things to remember before you run off and start playing around. Remember your passphrase and back up your private key!!

Your public and private keys are found in ~/.gnupg/ . I suggest backing up this entire folder to an external USB. If you lose your private key the whole pair is useless. Even if you still have the public key and the passphrase the private key section is the most critical part of the process.