Defeating keyless entry front door locks.

I’m the least mathey person I know. My bio will attest to that – my skills are terrible but my curiosity is high. There’s a certain magic to numbers that I get a glimpse of every now and again when I manage to win a struggle with them, and it’s compelling to me. Math is a representation of data, and while Math and I don’t get along very well, Data and I are best bros. I spend my days mucking about in log files on other people’s systems looking for reasons, root causes, and footprints. The trails become clear once you tame the data and turn thousands of unruly log lines into succinct, sorted output. These same techniques are used by good guys and bad guys alike, and from them we learn that some things are truly hard. We also learn that some things only look hard, but really aren’t.

Four-digit numbers crop up repeatedly in our society. In the late 1990s I had a TD bank account and my bank card had a 6-digit PIN. That did not last long, because the international consortium of bankey people standardized on 4 digits for PINs, which is too bad because that exponentially decreased the security of my PIN. Overnight the odds of someone guessing my PIN went from 1 in 1,000,000 to 1 in 10,000. But, hey, the bankey heads know what they’re doing, right? But I digress…

I’m not sure how we landed on 4 digits, but that length turns up all over the place. My bank card PIN is 4 digits, my credit card PINs are 4 digits, even my front door lock is 4 digits. That raises the question: how long would it take to guess the code to open my front door? Let’s ask math.


Jon Watson – PGP Key

For email to me@jonwatson.ca

The fruit decision: how low should your website hang?

Probably the most significant decision people will make when building their website is the decision about what software to use. A lot of people choose existing CMS or e-commerce apps like WordPress or Magento, which makes for a quick setup and reasonable support. Others choose to build their site from scratch or use one of many less widely deployed apps like the Ghost blogging platform or x-commerce. It’s nice to think that everyone evaluates the features of each offering and chooses the one that best fits their needs, but that is not what happens.

Most websites are owned by non-technical people without IT support, so the software they end up using is whatever has the lowest cost of entry. That means whatever is in their control panel and can be installed with one click is what gets used.

[Image: a “Please use the back door” sign]

This situation is what leads to lopsided software deployment statistics such as massive WordPress footprints and, to step away from the Internet for a second, the global market share of Windows. The web software that is best at getting into one-click installers like Scriptaculous, or pre-installed on desktop computers, becomes the most popular. These large deployments of identical software provide a good selection of attack vectors for bad actors. If a vulnerability is disclosed in WordPress, for example, a bad guy has literally millions upon millions of WordPress websites to attack using that exploit.
