Timing Side Channel Attacks

I had an interesting discussion with Bob McMillian of IDG yesterday about the potential for timing attacks in the cloud. Timing attacks are a kind of side channel attack based on observing how a cryptographic system behaves, in particular how long it takes to respond, when fed certain inputs. If the system's response time is deterministic enough, it may be possible to crack the cryptosystem from a statistical sample of its response times taken over many transactions.

Bob was interested in my thoughts about the threat this attack vector represents to cloud-resident applications. It’s an interesting question, because I think that the very characteristics of the cloud that people so often criticize when discussing security—that is, multi-tenancy and the obfuscation of actual physical resources by providers—actually work to mitigate this attack because they add so much non-deterministic jitter to the system.
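As an added illustration (example code written for this post, not something from the original article or any discussed product), the following Python model shows the mechanism described above: a comparison that stops at the first mismatching byte does an amount of work, and therefore takes a time, that depends on how much of the input matches the secret, while a constant-time comparison does not. The jitter model and sample counts are constructed assumptions, used to show how averaging over many transactions interacts with noise.

```python
import hmac
import random
import statistics


def leaky_compare(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Byte-by-byte comparison that returns at the first mismatch.
    Returns (equal, work), where work is the number of bytes examined;
    work, and so response time, grows with the matched prefix length."""
    if len(secret) != len(guess):
        return False, 0
    work = 0
    for s, g in zip(secret, guess):
        work += 1
        if s != g:
            return False, work
    return True, work


def constant_time_compare(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Comparison whose work does not depend on where the first mismatch is.
    hmac.compare_digest is the standard-library constant-time primitive."""
    return hmac.compare_digest(secret, guess), len(secret)


def mean_observed_time(compare, secret, guess, samples, jitter, rng):
    """Model an observer who only sees total response time: the comparison's
    work plus random scheduling/network jitter (constructed, uniform noise).
    Averaging many transactions suppresses the jitter but not the signal."""
    times = [compare(secret, guess)[1] + rng.uniform(0, jitter)
             for _ in range(samples)]
    return statistics.mean(times)


def prefix_leak(compare, secret, samples=2000, jitter=3.0, seed=1):
    """Mean observed time for guesses sharing 0..len(secret)-1 leading bytes
    with the secret. A rising sequence means the comparison leaks the matched
    prefix length; a flat sequence means it does not."""
    rng = random.Random(seed)
    results = []
    for k in range(len(secret)):
        # Guess matches the first k bytes, then differs at position k.
        guess = secret[:k] + bytes([secret[k] ^ 0xFF]) + secret[k + 1:]
        results.append(mean_observed_time(compare, secret, guess,
                                          samples, jitter, rng))
    return results
```

Raising the jitter parameter only raises the number of samples needed before the means for leaky_compare separate, whereas constant_time_compare stays flat however many samples are taken.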

Bob’s excellent article got picked up by a number of sources, including ComputerWorld, LinuxSecurity, and InfoWorld. It’s also been picked up by the mainstream media, including both the San Francisco Chronicle and the New York Times.

On Twitter, Social Media, and Privacy

The greatest threat to our own privacy remains ourselves. CNET reports that a Twitter user believes his home was robbed because he tweeted about being on vacation. Couldn’t see that one coming…

This is a huge problem with social media. So much of it is a thinly veiled conceit, and few think about how this information could be used against them. Sometimes the exploits can be quite subtle. The CNET article makes some really good points about determining someone’s location from geotagged Flickr photos, including where they live and when and where they are out of town.

We spend a lot of time on legislation around privacy (e.g. HIPAA) and on infrastructure that enforces privacy policy, but in the end we are our own worst enemies.

