Email and Forum Profiles in IT: Ronald L. Rivest All You Wanted to Know About USB Flash Drives Virus spreading via USB Flash Drive ICANN IPv6 Factsheet ? A Call for Action Math Error Exposes Millions of PCs to Attack Cooking and Simple Food Technology ? Flours Revealed New Seagate Hard Drives Infected with Trojan Google Maps at the Pump Security Consultant Admits to Bot Herding
Email from Sheldon: Dear Tech Talk. Why is it that you have to go through the process of safely removing mass storage devices like thumb drives by clicking down in the corner to remove whatever drive it is instead of just taking them out? And if you do just remove them from the USB port without going through the process, what can happen (if anything) to your computer? Some think damages the drive; others think it may damage the security system in the computer. Have you got an answer? Love the show, Sheldon.
Tech Talk Answers: In a nutshell, it has to do with delayed write caching. Write caching speed performance by using high speed internal RAM for temporary storage of data. The stored data is aggregated and then written to the thumb drive at a later time.
Most storage devices are cached. Unfortunately if the drive is removed before all the data is written, it may be corrupted and not readable. In addition, the computer may lock up if it get stuck in an disk access loop. Activating the disconnect applet, simply writes everything to the disk and severs the electronic connection, so no damage will occur. The mechanical button on the drive is simply a mechanical interlock to make accidentally removal difficult. It has nothing to do with the final software write.
Delayed caching to USB drives was discontinued with the release of XP, so it is no longer a problem. It was a big problem with Windows 95 and 2000 because so many users removed the thumb drive before cached data was written. The same holds for the Mac. The most recent OS do not use delayed caching for USB drives. In the case of Windows click on the USB symbol in the tray, select the device to be removed, and click the stop button. In the case of the Mac, one way is to move the USB symbol to the trash can or right click on the USB symbol and select Eject from the menu.
Email from Jennifer: Hi Dr. Shurtz. I am trying to learn web design, what should I learn first. What is the best way to get a job in this field?
Tech Talk Answers: Jennifer, you must decide whether you want to be front end, back end, or both. Front end web developers focus on layout and look and feel. Back end developers focus on interactive data management, scripting, and security. Those who know both are in demand. Back end developers tend to earn more in the market place. Find website that you like and emulate their look and feel. Do not copy the code. The best way to learn is just by doing it.
Front End Skill Set
HTML (using code generators at first, Macromedia)
XML (using code generators at first, Macromedia)
CSS (Cascading Style Sheets)
Creating Adobe Flash Images
Image Creation and Manipulation (Photoshop)
Back End Skill Set
SQL Databases (MySQL, MSSQL)
Manipulating Data from the web
PHP (PHP Home Page) using PHP Script
ASP (Active Server Page) using Visual Basic Script (VB Script)
JSP (Java Server Page) using Java
Cold Fusion using Cold Fusion Meta Language (CFML)
Visual Design Skill Set
Visual Communication (Fonts, White Space, Graphics, Menus)
Look and Feel
Must communicate a visual message that complements the written message.
Most web designers lack good visual design skills.
Profiles in IT: Ronald L. Rivest
MIT Professor Ronald L. Rivest helped develop one of the world’s most widely used Internet security systems.
Ron Rivest’s achievements have led to the ability of individuals to conduct secure transactions on the Internet.
Rivest’s advances in public-key cryptography, a technology that allows users to communicate securely and secretly over an insecure channel without having to agree upon a shared secret key beforehand.
A native of Niskayuna, N.Y., Rivest attended Yale University, where he earned a B.S. in mathematics in 1969.
After receiving his Ph.D. in computer science from Stanford in 1974, Rivest accepted an offer to join the faculty at MIT.
At MIT he met two colleagues, Leonard Adleman and Adi Shamir, who would become his partners in solving the puzzle of public-key cryptography.
Rivest managed to enlist Adleman and Shamir in his quest to produce what he called an "e-crypto system."
It was a challenge ideally suited to Rivest’s mathematical interests.
In public key cryptography, there are two keys; one known to everyone, and one known only to the recipient.
The public and private keys are paired in such a way that only the public key can be used to encrypt messages and only the corresponding private key can be used to decrypt them.
But even if someone knows the public key, it is effectively impossible to deduce the private key.
To design such a system was the challenge. In effect, it was a mathematical puzzle.
The RSA encryption algorithm that Rivest, Shamir and Adleman developed relies on the challenge of factoring large numbers (typically 250 or more digits long), a problem that has stumped the world’s most prominent mathematicians and computer scientists for centuries.
The receiving party’s computer secretly selects two prime numbers and multiplies them to create a "public key" which can be posted on the Internet.
On the other end, the sending party’s computer can take that key, enter it into the RSA algorithm and encrypt a message.
The genius of the scheme is that only the recipient knows the prime factors that went into the creation of the public key–and that is what is required by the RSA algorithm to decipher the message.
Even though others can see the encrypted message and the public key, they cannot decipher the message because it is impossible to factor the number being used in the public key within a reasonable period of time.
The team developed its system in 1977 and founded RSA Data Security in 1983. RSA was acquired in 1996 by Security Dynamics, which in turn was acquired by EMC in 2006.
Rivest has continued his work in encryption and is the inventor of several symmetric key encryption algorithms
All You Wanted to Know About USB Flash Drives
USB flash drives also are called thumb drives, jump drives, pen drives, key drives, tokens, or simply USB drives.
Storage Medium is EPROM, (Erasable Programmable Read-Only Memory)
EPROM is a computer memory chip that retains its data when its power supply is switched off.
It is an array of floating-gate transistors individually programmed by an electronic device that supplies higher voltages than those normally used.
Cell is comprised on Control Gate, Floating Gate, Source, and Drain.
The EPROM was invented by Israeli Intel engineer Dov Frohman in 1971.
Data Transfer Method uses the Universal Serial Port.
Data transfer rate is limited by the EPROM response times.
Use and Application of Flash Drives
Can Be Encrypted to Protect Data in case of Loss
Can be used for a bootable operating system
Mid-range flash drives will support several hundred thousand read/write cycles before failure.
Can be corrupted if removed during a write operation.
Virus spreading via USB Flash Drive
Spread Trojan software that is designed to steal passwords or data
The following flash drive Trojans were found on a college campus this month: W32.Mumawow.F!inf, Infostealer.Gampass, W32.Gammima.AG and Infostealer.Menghuan
There are three ready payloads that can be configured by script kiddies: USB Switchblade, USB Hacksaw and USB Chainsaw.
In the case of Switchblade, download Payload 2.0 and Universal Customizer
Place on USB Drive and run Customizer for email addresses and data sought
According to a recent Secure Network Technologies Inc. audit of a client credit union, 100% of the Trojan-laden, password-collecting, network-compromising USB flash drives they planted outside the client’s building were unwittingly plugged in, used, and infected their respective host machines.
In another experiment, a security firm placed USB drives in 10 separate locations near banks. 6 out of the 10 times, someone at the bank noticed the drive, took it inside and put it into their computer.
The Internet Assigned Numbers Authority (IANA), a function of the Internet Corporation for Assigned Names and Numbers (ICANN), jointly manages allocation of the global IP address pool with the Regional Internet Registries (RIRs).
IPv4 with a 32 bit address field provides four billion separate addresses.
Only 17% of IPv4 addresses remain (as of October 2007)
Within the next five years, and possibly sooner, the ?free pool? of addresses will run out.
In 1996 IETF developed IPv6 with a 128 bit address field. The new protocol will provide 340 trillion trillion trillion separate addresses.
To give an idea of the scale, if all existing four billion Internet addresses were contained inside a Blackberry phone, the new system would fill a container the size of the Earth.
The slow movement to IPv6 has caused increasing concern in the technical community and relaxed expectation of movement has moved to active promotion of IPv6 adoption.
Federal government is scheduled for IPv6 deployment in July 2008
Math Error Exposes Millions of PCs to Attack
Adi Shamir, one of the world’s most prominent cryptographers, circulated a research note about the problem to a small group of colleagues.
He wrote that the increasing complexity of modern microprocessor chips was almost certain to lead to undetected errors.
The risk had been revealed by incidents such as the discovery of an obscure division bug in Intel’s Pentium microprocessor in 1994, and more recently in a multiplication bug in Microsoft’s Excel spreadsheet program.
A subtle mathematical error would make it possible for an attacker to break the protection afforded to some electronic messages by a popular technique known as public key cryptography.
Using this approach, a message can be scrambled using a publicly known number then unscrambled with a secret, privately held number. The technology makes it possible for two people who have never met to exchange information securely, and it is the basis for all kinds of electronic transactions.
Mr Shamir wrote that if an intelligence organization discovered a math error in a widely used chip, then security software on a PC with that chip could be "trivially broken with a single chosen message".
An attack would require knowledge only of the math flaw and the ability to send a "poisoned" encrypted message to a protected computer.
It would then be possible to compute the value of the secret key used by the targeted system.
"Millions of PCs can be attacked simultaneously, without having to manipulate the operating environment of each one of them individually", Mr Shamir wrote.
The research note was significant because of Mr Shamir’s role in designing the RSA public key algorithm, software widely used to protect e-commerce transactions from hackers.
The remarkable thing about this note is that Adi Shamir is saying that RSA is potentially vulnerable. Mr Shamir is the "S" in RSA; he, Ronald Rivest and Leonard Adleman developed it in 1977.
Because the exact workings of microprocessor chips were protected by laws governing trade secrets, it was difficult, if not impossible, to verify that they had been correctly designed.
Mr Shamir has said he had no evidence that anyone was using an attack of the kind he had described.
Cooking and Simple Food Technology ? Flours Revealed
All Purpose Flour for bread or cake (not that good for either)
Reference: On Food and Cooking: The Science and Lore of the Kitchen by Harold McGee.
New Seagate Hard Drives Infected with Trojan
Investigators say the tainted Maxtor portable hard disc, made by Seagate, uploads information saved on the computer automatically to Web sites in Beijing.
A shipment of Maxtor external HDDs, produced in Thailand by US-based Seagate and sold in Taiwan, has been found to be infected with Autorun trojans designed to gather sensitive data from machines connected to the storage devices.
The Taiwanese government suspects Chinese involvement, as the devices are commonly used in government operations to provide data storage.
Large amounts of sensitive government data are thought to have been harvested and passed on to web-sites based in China.
Notification of the Seagate Site
If you have purchased a Maxtor Basics Personal Storage 3200 product since August 2007 the product may be infected with a virus.
Kaspersky Lab, a maker of anti-virus software, has alerted Seagate to the existence of a virus found on at least one Maxtor Basics Personal Storage 3200 drive.
Seagate has traced this issue to a small number of units produced by a Maxtor sub-contract manufacturer located in China.
All units now leaving the facility in question have been cleared of the virus and units in inventory are being reworked before being released for sale.
To determine if the Maxtor Basics Personal Storage 3200, please call Seagate customer support. Have the serial number of your drive ready.
The effects of this virus are minimal. According to Kaspersky, the virus is the Virus.Win32.AutoRun.ah. This virus that searches for passwords to online games and sends them to a server located in China. All of the known games affected are Chinese with the exception of World of Warcraft.
Google Maps at the Pump
As part of a partnership to be announced last week, Google will dispense driving directions at thousands of gasoline pumps across the United States beginning early next month.
The pumps, made by Gilbarco Veeder-Root, include an Internet connection and will display Google’s mapping service in color on a small screen.
Motorists will be able to scroll through several categories to find local landmarks, hotels, restaurants and hospitals selected by the gas station’s owner.
After the driver selects a destination, the pump will print out directions. Eventually, Gilbarco Veeder-Root hopes to enable motorists to type in a specific address and get directions.
Greensboro, N.C.-based Gilbarco Veeder-Root will initially offer the service in about 3,500 gas pumps and expand based on retailer demand.
Making maps available at gas pumps appealed to Google because the company wants to make its services available whenever and wherever people need them.
Calling up a map at a gas pump should be particularly popular among men who are too stubborn or embarrassed to ask for directions.
Security Consultant Admits to Bot Herding
A Los Angeles man entrusted with making personal computers safer has admitted to hacking into them to create a rogue network of as many as a quarter-million PCs, which he used to steal money and identities.
Federal prosecutors said that John Kenneth Schiefer, a 26-year-old computer security consultant, used an army of hijacked computers, known as a "botnet," to carry out a variety of schemes to rip off unsuspecting consumers and corporations.
Schiefer agreed to plead guilty to four felony charges in connection with the case and faces up to 60 years in prison and a $1.75-million fine, according to court documents filed earlier this month.
The vast number of computers that Schiefer compromised — as many as 250,000 — highlights a stealthy online crime spree on the rise.
These botnets, short for "robot networks," remotely harvest personal information, including user names and passwords, to give their operators access to credit card information and online bank accounts.
Schiefer, who on the Internet went by the handles "acidstorm," "acid" and "storm," is the first person to be accused under federal wiretapping law of operating a botnet.
By intercepting electronic communications, Schiefer stole user names and passwords for EBay Inc.’s PayPal online payment service to make unauthorized purchases. He also passed the stolen account information on to others.
Schiefer’s indictment caps a federal investigation that began in 2005 and uncovered a variety of schemes.
3G Communications, where Schiefer worked, could not be reached for comment.