Tripping up on security

In the 1980s we had great fun breaking a number of commercial encryption products. In a recent paper I described the ignorance and incompetence of vendors at that time but concluded that since then, with the growth of cryptology as an academic discipline and the emergence of standard encryption algorithms, “cryptology has grown up”.

This paper on the failures of Microsoft’s XBox security shows how wrong I was.

The XBox is essentially a PC with special-purpose hardware added. It is sold at a loss, with the aim of making back the money from the profits made on selling XBox games. Many people would like to have a cheap PC (never mind the games) and so the Linux community, in particular, had a strong interest in finding a way of breaking through Microsoft’s security measures and running programs other than games on the XBox.

The paper is detailed and in parts it is technical, but from a cryptologic point of view it shows that the old-fashioned errors can still be made, especially when changes are made at the last minute without realising the effect they can have on security. (For example, a late change from the RC5 to the RC4 encryption algorithm completely invalidated most of the protection that had been designed into the XBox). Still more, it shows that hurried corrections of security holes usually cause more trouble than they are worth.

(more…)

Cardbox/S3 photographic archive

The Amazon S3 discussion forum has a thread on using S3 for photographic archiving. Cardbox and S3 make an ideal match for this.

You can have a Cardbox database on your computer that indexes all your photographs (on as many criteria as you like) and contains a low-resolution copy of each photograph (“low-resolution” means whatever you want it to mean – thumbnail, or 320×200 or 640×480 or 800×600) so that you know exactly what you’re talking about. Each record will also have a link to your original high-resolution picture stored on Amazon S3: the link can be of a kind that is inaccessible to anyone but you. Our previous post tells you more about using Cardbox in conjunction with S3.
Basically, to do this you’d need nothing more than Cardbox plus your own Amazon Web Services / S3 account.

A few bonuses:

• If you want one of your customers to be able to download a photograph, you can give them a link to the high-res version: the link can expire automatically at a set time.
• If it’s appropriate, you can even give your customers read-only access to one of the databases. This will let them view your low-resolution pictures and identify exactly the ones you want.

We’ve created a simple sample database that will show this in action. This page has a link that lets you download the database, and it has full instructions on how to get going with your own photogaphic archive.

Amazon S3 and Cardbox

The project to add Amazon S3 facilities to Cardbox has been completed. (If you’re not familiar with Cardbox then you can read about it here and get a free 1-month trial licence here).

Amazon S3 is storage for the Internet. Secure, reliable and cheap, it can be used to store any amount of data, at any time, and retrieve it from anywhere on the web. There is no sign-up fee and you pay only for the storage you actually use.

In the new build of Cardbox that is released today, we have incorporated the following features to make use of S3:

The Cardbox Server (used in multi-user and networking systems) can be configured to back up your databases automatically, at specified intervals, to your S3 storage space. There is no interruption in service during a backup, because the Cardbox Server can back up a database even if it is in use. You can have a single backup copy of the latest version of each database, or you can have a separate backup made each time that the database has changed.

Cardbox itself has a new command that lets you view your S3 storage space and upload, download or delete files. Apart from managing the Cardbox Server’s backups, this also allows you to make backups of files on your own computer.

Cardbox’s VBScript macro system has been expanded to allow you to manage your S3 storage space programmatically. This offers interesting prospects for the future: for instance, a photographic database that stores and displays each photograph at a reasonable screen resolution while the original full-resolution images are held in an archive on S3.