Category Archives: Discussions

Various discussions about Java Card technology, and more generally about smart card technology.

Resilience for Connected Objects

Attacks occur, especially on IoT. While it is very hard to avoid an attack altogether, we can minimize its consequences. The first factor to consider is the impact of an attack; there are many ways to analyze such impact, for instance from a financial or technical point of view. In a very simple analysis, we […]

Beyond Java Card

When Java Card was created, the market for smart cards was quite simple: chip vendors would design specific chips, chip vendors would develop an operating system for the chips and produce cards embedding the chip. Since then, this market has become much more complicated. For traditional payment and ID, changes are minimal, as card vendors […]

Java Card, a farewell

My Oracle story has ended, and with it my Java Card story, at least for now. I started working on the technology in February 1997, and I have never been very far from the technology for almost 20 years. However, Java Card is not in the scope of my next job, as I will focus […]

Did Apple just boost mobile security?

I have been working on mobile security for many years, and things haven’t moved much: justifying mobile security is always painful. Why should I spend more money? There aren’t that many attacks! Some business use cases seemed like a good justification, but the economics are unclear and remain in the order of “if you get hacked, it could […]

The Off-Card Bytecode Verifier is fine, thank you!

REWRITTEN on 23 Nov. 2013. A few weeks ago, a friend sent me a link to the Cardis program, with the message “A bug in the verifier?”. Looking at the program, I saw a paper entitled Manipulating frame information with an Underflow attack undetected by the Off-Card Verifier, by Thales Communications and Security. This sounded […]

Google sucks, or why it is nice to pay sometimes

I just spent two hours being upset at my daughter’s school, Google, American law, and a few more people. Let me tell the story. Two hours ago, my 12-year-old daughter received an e-mail from her school inviting her to Google+. She accepted the invitation, and Google asked for her age. She told the truth, […]

Who inherits your data?

I was pointed this morning by HBR to an interesting article about inheritance and iTunes. The basic story is that, since you only purchase licenses to use content from Apple or Amazon, and since these licenses are not transferable, things don’t look very good. However, apparently, there may be some kind of a void in […]

Protecting your contactless card

As I mentioned in NFC Payments 101, current contactless cards aren’t protected against the simple attack that consists in performing a transaction while your card is in your pocket. Since some models don’t require anything else than tapping the card, the attack is workable. Well, that may change. Researchers for the University of Pittsburgh’s RFID […]

No memory, no chocolate!

There has been some excitement lately about the fact that more and more phones are now getting embedded SE’s (eSE’s), associated with an NFC interface. Some of this excitement came from the ability to manage third-party applications on this embedded SE, as enabled by a whole range of GlobalPlatform specifications, and by the emergence of […]

Best wishes and post-holiday rant

First, since this is my first post of the year, let me wish you all the best for 2012, hoping that it will bring a lot of interesting things around mobile security, Java Card, and all these things. My first post will be a rant about something that is very much holiday-related for me: package deliveries. […]