November 21, 2024

Spread of the Slammer/Sapphire Worm

A new paper by well-regarded networking researchers analyzes the spread of the recent Slammer/Sapphire worm. The worm spread at astonishing speed, doubling the number of infected hosts every 8.5 seconds, and infecting 90% of the susceptible machines on the Net within ten minutes. Researchers had predicted that such fast-spreading worms could exist, but this is the first one seen in the wild.

The clear lesson is that a network attack can cause very widespread damage before human network operators can react. Only a widely implemented, automated shutdown procedure can hope to slam the door on a worm like this. Fortunately, Slammer/Sapphire did not carry a malicious payload. The next time we may not be so fortunate.
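To make that timescale concrete, here is an added example (not code from the paper or from this post) that fits a logistic, random-constant-spread model to the 8.5-second doubling time quoted above and asks how many hosts are already compromised by the time a countermeasure takes effect. The population of 75,000 susceptible hosts is an assumption, not a figure from this post, and so is the idealized model: it ignores the bandwidth saturation that throttles a real worm, which is why it reaches 90% well inside the ten minutes actually observed.

```python
import math

DOUBLING_TIME_S = 8.5        # from the post: infected population doubled every 8.5 seconds
SUSCEPTIBLE_HOSTS = 75_000   # assumption: size of the vulnerable population, not stated in the post


def growth_rate(doubling_time_s: float = DOUBLING_TIME_S) -> float:
    """Per-second exponential rate K implied by an early-phase doubling time."""
    return math.log(2) / doubling_time_s


def infected_fraction(t_s: float, k: float = None, n: int = SUSCEPTIBLE_HOSTS,
                      initial: int = 1) -> float:
    """Fraction infected at time t under the logistic (random-constant-spread) model:
    a(t) = a0*e^(Kt) / (1 - a0 + a0*e^(Kt)), with a0 = initial/n."""
    k = growth_rate() if k is None else k
    a0 = initial / n
    e = math.exp(k * t_s)
    return (a0 * e) / (1 - a0 + a0 * e)


def time_to_fraction(frac: float, k: float = None, n: int = SUSCEPTIBLE_HOSTS,
                     initial: int = 1) -> float:
    """Seconds until the infected fraction reaches frac (inverse of infected_fraction)."""
    k = growth_rate() if k is None else k
    a0 = initial / n
    return math.log(frac * (1 - a0) / (a0 * (1 - frac))) / k


def hosts_infected_at_response(delay_s: float, n: int = SUSCEPTIBLE_HOSTS) -> int:
    """Hosts already compromised when a countermeasure deployed delay_s seconds
    after patient zero finally takes effect."""
    return round(infected_fraction(delay_s, n=n) * n)


if __name__ == "__main__":
    print(f"K = {growth_rate():.4f}/s")
    print(f"90% of hosts infected after {time_to_fraction(0.9):.0f} s (idealized, no bandwidth limit)")
    for label, delay in [("automated, 10 s", 10), ("automated, 60 s", 60),
                         ("pager to on-call, 5 min", 300), ("manual, 30 min", 1800)]:
        print(f"{label:>24}: {hosts_infected_at_response(delay):>6} hosts already infected")
```

The useful comparison is the last loop: with this growth rate, a response that lands within a minute still catches the worm in its first few hundred hosts, while anything on a human timescale (paging someone, getting a change approved) arrives after saturation. That is the argument for pre-authorized, automated containment rather than faster people.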

[Thanks to Sue Ferrara for the link.]

Wacky Biometrics

I heard a presentation today by an expert on biometric security devices. He mentioned two new biometric devices under development. The first one uses body odor, detecting the unique combination of chemicals emitted by your body. The second one fits on a chair; you sit on it and it measures the unique shape and weight distribution of your rear end. What will they think of next?

More on the Insecurity of Door Locks

Seth Finkelstein has unearthed two previous mentions of the method used in Matt Blaze’s door-lock attack. It’s clear that this problem was known in some circles. Now the rest of us know too.

I wrote previously that I’m glad the DMCA doesn’t apply to door locks. Chris Smith, over at Mutatron, wonders whether the DMCA does apply to door locks. He seems pretty sure that it does, at least where the locked door is protecting access to copyrighted materials.

This use of the DMCA seems an even bigger stretch than the garage-door-opener case and the toner-cartridge case, but it’s not totally ridiculous. Does a door lock, “in the ordinary course of its operation, require[] the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to [a copyrighted] work”? If most doors control access to copyrighted works, then the question boils down to the “authority of the copyright owner” clause, which has been a slippery one in past DMCA cases.

Most Door Locks Insecure

John Schwartz at the New York Times reports on a blockbuster piece of research by cryptographer Matt Blaze. Matt applied the principles of cryptography to good old-fashioned door locks and keys, and what he found is pretty horrifying. Given a key to one of the locks in a building, and a small number of key blanks, there is a method by which you can make a master key that opens all of the locks in the building.

Apparently some locksmiths have known this was possible for a long time. The lock manufacturer Schlage has even taught locksmiths how to carry out a version of Blaze’s attack. Yet somehow they never bothered to tell their customers.

This is why we need independent analysis of security technologies. Manufacturers will keep important information from their customers, even information that impacts the basic security decisions of the customers. Bans on security analysis, or bans on the dissemination of results, just help manufacturers keep their customers in the dark. Thank goodness there is no DMCA for door locks.
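As an added illustration (not code from the Times piece or from Blaze's paper), here is a toy model of the rights-amplification attack as Blaze published it. A master-keyed pin-tumbler lock accepts two cut depths at each pin position, the change key's and the master's, and the lock answers "opens / does not open" for any key. Because each position can be probed on its own while the other positions are held at the change key's depths, the search is additive (positions times depths) rather than exponential (depths to the power of positions), and one blank per position suffices if each blank is cut progressively deeper. The six-position, ten-depth parameters, the random sample system, and the omission of real-world manufacturing constraints (such as limits on how much adjacent cuts may differ) are assumptions of this example.

```python
import random

DEPTHS = range(10)   # assumption: ten cut depths per position, 0 = shallowest; cuts only get deeper
PINS = 6             # assumption: six pin positions


class MasterKeyedLock:
    """Toy pin-tumbler lock with a change shear line and a master shear line at each position.
    A position without a master wafer simply has master depth == change depth."""

    def __init__(self, change, master):
        assert len(change) == len(master)
        self.change = tuple(change)
        self.master = tuple(master)
        self.tries = 0  # how many times this lock was used as an open/no-open oracle

    def opens(self, key) -> bool:
        """True iff every cut sits at that position's change depth or master depth."""
        self.tries += 1
        return all(k in (c, m) for k, c, m in zip(key, self.change, self.master))


def recover_master(lock: MasterKeyedLock, change_key, depths=DEPTHS):
    """Rights amplification: probe one position at a time, holding every other
    position at the change key's depth. The depth (other than the change depth)
    that opens the lock is the master depth for that position."""
    master = list(change_key)
    blanks_used = 0
    for i, c in enumerate(change_key):
        blanks_used += 1          # one blank per position, filed deeper step by step
        for d in depths:          # shallowest first, since metal cannot be put back
            if d == c:
                continue
            probe = list(change_key)
            probe[i] = d
            if lock.opens(probe):
                master[i] = d
                break
        # if nothing else opened, the position has no master wafer: keep the change depth
    return tuple(master), blanks_used


def random_system(rng: random.Random, pins=PINS, depths=DEPTHS, locks=3):
    """Constructed sample: one master bitting and several locks sharing it,
    each with its own change key (as in one building keyed to one master)."""
    master = tuple(rng.choice(depths) for _ in range(pins))
    change_keys = []
    while len(change_keys) < locks:
        ck = tuple(rng.choice(depths) for _ in range(pins))
        if ck != master and ck not in change_keys:
            change_keys.append(ck)
    return master, [MasterKeyedLock(ck, master) for ck in change_keys], change_keys


def demo(seed: int = 2003) -> dict:
    """Recover the master from a single lock and its change key, then try it on the others."""
    rng = random.Random(seed)
    master, locks, change_keys = random_system(rng)
    recovered, blanks = recover_master(locks[0], change_keys[0])
    queries = locks[0].tries
    return {
        "recovered_master": recovered == master,
        "opens_other_locks": all(lk.opens(recovered) for lk in locks[1:]),
        "oracle_queries": queries,                      # at most PINS * (len(DEPTHS) - 1)
        "blanks_used": blanks,
        "brute_force_keys": len(DEPTHS) ** PINS,        # what the search would cost without the leak
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The structural lesson is the same one that shows up in software: a check that reveals success one component at a time (here, one pin position; in software, one byte of a MAC or password compared with an early-exit loop) turns an exponential search into a linear one. Fixing it means changing the design so that no partial result is observable, not keeping the method secret from customers.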

Law Firm Accused of Computer Intrusion

According to James Grimaldi’s column in Monday’s Washington Post, lawyers at the prominent firm Jones Day are accused of making unauthorized accesses to the password-protected web site of an opposing expert witness. Grimaldi writes,

W. Kelly Stewart, of Jones Day’s Dallas office, testified last month that he entered Egilman’s site after Jones Day attempted and failed to purchase access online. Then, after getting the pass code from co-counsel Behr, who had guessed it, Stewart entered the Web site, Stewart testified. The material gathered was used to discredit Egilman as an expert witness in a high-profile trial.

It remains to be seen whether a court will consider the conduct illegal. Computer law specialist Marc J. Zwillinger of Kirkland & Ellis said guessing a password, getting in and getting information is a technical violation of the Computer Fraud and Abuse Act.

[link credit: GrepLaw]