Friday Security Roundup – December 11, 2015


This week’s Friday Security Roundup is pleased to note that today is the birthday of Max Born. A world-class theorist and Nobel laureate for his work in quantum physics, Born was a lifelong friend of Albert Einstein – it was in a letter to Born that Einstein famously noted (in so many words) that “God does not play at dice”.

Born was also a perceptive and gifted teacher (his students and assistants included Robert Oppenheimer, Enrico Fermi and Edward Teller), a refugee from the Nazis, and Olivia Newton-John’s grandfather.

However, we like to remember him as the young grad student who flooded his lab testing the “black body” hypothesis with crude early 20th century equipment (he later acknowledged that he “was not very gifted” as an experimenter). Born’s professor at the time, possibly standing in ruined shoes, told him forcefully to forget about physics as a line of work. Thankfully he ignored this advice and went on to become a major force in the field of quantum mechanics – so remember Max Born the next time some Mrs. Grundy suggests you pursue a different line of work.

It’s Friday, so kick back and consider your own career options while we present some of the security issues we’ve been following this week.


Presented, by NASA and Google: A functioning quantum computer. The D-Wave 2X is admittedly an early research example, but has the potential to solve some problems much faster than current technology. Security professionals are watching this and other developments in quantum computing closely, because success in this field will have a huge impact on cryptography. (A plausible theory as to why groups like the NSA collect and retain mountains of encrypted, currently-unreadable data: it’s held against the day quantum computing can unlock it.)

Status: Watching closely, as above. A minor kerfuffle arose when the NASA PR folks punted security questions at the reveal for “discussion at another time”, but the real issues for quantum computing cognoscenti relate to D-Wave’s design decisions for their hardware and the kind of problems which can be attacked with their equipment. The ballyhooed and oft-repeated figure that NASA’s new box is “100 million times faster” than current computers is wreathed with conditions and caveats – because it’s all about the stoquastic Hamiltonians, baby.


Reported, by researchers at IOActive Labs: Fraught security practices for voyage data recorders (VDRs), the maritime equivalent of a plane’s black box. VDRs are designed to collect and preserve crucial data – the speed and position of the vessel, audio recordings from the bridge, radar images and so forth. As you might imagine, this can be very useful or very embarrassing – VDR information helped examiners determine what happened to the Costa Concordia in 2012, and ‘mysteriously corrupted’ VDR data has contributed to international tensions between India and Italy in the Enrica Lexie case. IOActive examined one commonly-used VDR (the Furuno VR-3000) in some detail and found “that security is not one of its main strengths of this equipment” – the several instances of poor security design include hardcoded passwords, numerous avenues for remote attacks and even the potential to tap into VDR-connected microphones in real time.

Status: Lookouts posted for further developments. IoT-at-Sea is clearly as susceptible to security issues as any other network, and given the criminal and environmental global impact of the shipping industry, devices like VDRs are definitely worth deeper study by security researchers. What gave us and others the most pause here was that although the VR-3000 itself is built on the QNX OS, Windows XP turns out to be alive and well and living in several models of VDR – waaaay more than we’re comfortable with.


Busted, in Port St. Lucie, Florida: Driver Cathy Bernstein, who allegedly committed two hit and run accidents in a row, then fled the scene. Bernstein herself was apparently quite willing to leave it at that – however, her Ford’s in-car SYNC system had other ideas and automatically dialed 911 on her behalf. The ensuing conversation led directly to a visit to Bernstein’s house by local law enforcement, to her car (with paint from one of the hit vehicles, front end damage and a deployed airbag) – and to her arrest.

Status: William Huskisson is usually cited as the first person killed by a train – he was really just the first one to make the news. (The dozen-odd victims who preceded him didn’t make good copy – sorry, “blind beggar woman from Eagleston”!)

Similarly, Cathy Bernstein’s probably not really the first person to get grassed on by their car – just the first we’ve heard about (and we imagine the first whose 911 call got played on the news). Networked vehicle security is a hot topic circa now. In this case, there was no hack – everything worked exactly as expected, and the result put a hit-and-run suspect in jail. However, we’re in an era that includes hackable Jeeps and international swatting, and we (sadly) expect that the craziest, most out-there attack you can think of today (say an automotive equivalent of planting heroin on a target and then calling the cops) is likely to be attempted tomorrow or the day after – and old hat by next Thursday.

As always, we will be here to report what we’re following in the security field next Friday. Thanks for reading these words, and remember what we truly believe here – a safer internet is a better internet.

Image: Wikimedia Commons