Friday, 29 February 2008

Last.fm launches developer gallery

Last.fm have launched a new website promoting the various third-party add-ons, widgets and applications created using their API.

It has made me seriously think about creating an add-on for my Twonkyvision UPnP server which I use to listen to music on my Netgear MP101.

I have discovered that the newer versions of the server create an RSS/XML file showing the last played tracks. It is apparently buggy, as it seems to only update the last entry, but it is a way into getting the data required to create the application.

Does this mean I have my first project? Keep watching!


Thursday, 28 February 2008

Chip and Pin Vulnerabilities

BBC Newsnight last night had a report on the vulnerability of Chip and Pin to fraud. The video segment is currently available on Google Video.

A number of academics at the University of Cambridge have published a report online describing the weaknesses. Steven Murdoch and Saar Drimer have found a number of ways that the criminally-minded could modify PED devices and extract your account number and PIN and all the details needed to create a cloned card. The full pdf is available here.

The vulnerabilities they describe have actually been known for a while, and the responses from the various banking authorities and card companies acknowledge this. The attacks are possible because the UK banking industry chose to deploy Chip & PIN cards with the smart chips in a mode that does not encrypt the data exchanged between the card and the PED during a transaction. By tapping these communications, fraudsters can obtain the PIN and create a magnetic strip version of the card to make ATM withdrawals in the UK and abroad.

Newsnight presenter Jeremy Paxman was on top form, literally taking apart the APACS Director of Communications, Sandra Quinn, as she arrogantly and naively claimed the system was completely safe while at the same time accepting the frauds were possible.


Thursday, 21 February 2008

Cold Boot attacks on disk encryption

The Centre for Information Technology Policy at Princeton University has released research which shows a potential way of breaking encryption systems by reading DRAM contents even after power has been removed.

The abstract reads:
Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount attacks on popular disk encryption systems — BitLocker, FileVault, dm-crypt, and TrueCrypt — using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them.
Their website contains a video demonstration of the technique as well as a link to the full research document (pdf).

Obviously this isn't limited just to breaking disk encryption, as all manner of information could be held in RAM at any one time. DRAM is composed of capacitors that need to keep being refreshed dynamically while in use; it is this capacitance that is being exploited in this hack.

From the Freedom To Tinker Blog


Wednesday, 20 February 2008

Microsoft to allow homebrew games on XBox Live

With its Gaming Developers Conference 2008 opening keynote, Microsoft has unveiled a service called Xbox Live Community Games.

The service will allow XNA developers to upload their creations to be played by any of the 10 million Xbox Live members, without the previous need for a Creators Club subscription or PC link, in effect creating a 'homebrew' and independent game development and delivery system.

Just over 18 months ago, Microsoft took the bold step of allowing bedroom coders to develop games for the Xbox with its free XNA development system.

A more detailed outline of their plans can be found in Develop Magazine's news.
