The recent DNS vulnerability has prompted Bruce Schneier to write an essay on the fight against vulnerabilities, and on the fact that good design also means defending against unknown vulnerabilities, which concludes with: That’s what a good design looks like. It’s not just secure against known attacks; it’s also secure against unknown attacks. We need more […]
Category Archives: Discussions
Voting machine security
Dan Wallach has published a nice blog post on voting machines, and I would like to comment both as a security evaluator and as a French citizen interested in the electoral process. In the past few years, I have kept an interest in politics and votes, and I have participated in the electoral process in my […]
Google is stealing our souls
Some people believe that a photograph may give access to their souls, just like a voodoo doll does. In primitive culture, an identity basically consists of a name and an image, so an image gives direct access to your inner self, your soul. This week-end was Father’s day in France, and I usually take this […]
It’s MY wallet
I recently wrote about privacy, thinking about the Internet in general, and a bit about mobile phones, but not really about smart cards. It did not even take a week for privacy to pop up in the smart card world, as a side discussion in a mobile payment discussion. It seems that banks don’t want mobile […]
Viva GlobalPlatform!
Over the past months, I have been looking at applications, sensitive or not, on both smart card and mobile devices, trying to figure out why people would use cards. The most typical argument is security (yes, smart cards are secure, but servers are, too; at least they are secure enough for PC-based internet, so why […]
A message from Orange on NFC
There have been many messages about NFC at SIMposium, and I will certainly write about this in the near future. Nevertheless, one of the speakers, Mung Ki Woo from Orange, gave a very refreshing talk, and managed to shake our neurons a bit. He basically made three statements: NFC in mobiles is much more than […]
Countdown: Which security in Java Card 3?
We are getting very close to the release of Java Card 3, which should be available within a quarter from now. The impact of this release is very significant, and will introduce an entirely new way to work with smart cards. Before the release, I will discuss a few issues about this new spec. Since […]
New Applications, New Threats, New Countermeasures
Everything starts well. I feel more secure when I speak after people that are more junior than I am. Today, I am speaking just after Jacques Stern. Too bad for my assurance. Still, I do believe in my topic, so I will take the opportunity in this entry to discuss a bit what my message […]
Java Card security certification
The certification of smart cards is a recurrent issue. Most issuers have their own requirements, which can vary greatly, even in the same industry. In addition, regulators can also get involved and make additional requirements. Let’s start with one example, the banking industry. Most issuers don’t define specifications, nor do they perform security certifications. Instead, […]
iPhone again
The iPhone is back in the news, this time as the target of an attack. This attack seems to me like a new one on mobile phones. The Safari vulnerability that it exploits also exists in the workstation version of the program. Apple is here falling victim to their “reuse” strategy: by using the same […]