Fri, Dec. 26th, 2008, 04:21 pm Now on Twitter
I've been experimenting with microblogging. You can now see what I'm up to by following my Twitter feed.
Saar Drimer, Ross Anderson, and I have been investigating the security of Chip & PIN terminals. We found significant failings almost everywhere we looked. Our results are now public, and will be featured on BBC Newsnight, 10:30pm, tonight, BBC2. We have summarized our findings in a brief press release and FAQ. The full details are in our academic paper. The press is starting to pick up our story, and it is discussed on ZDNet and the BBC website. More media coverage is expected.
Mon, Nov. 5th, 2007, 10:51 am Ely cathedral
As well as my digital compact, I also have a Nikon F65 film SLR, although I use it less often nowadays. This set is from Summer 2004, from when my parents and I visited Ely, taken on Kodak T400 CN B/W film. I used a variety of colour filters for contrast enhancement; for example, the one on the right was taken with a deep red or orange filter to emphasise the clouds. I spent most of my time photographing the cathedral, which is of an interesting design. It's a mixture of styles, since conventions changed over its construction, and bits that collapsed were replaced with new ones more in keeping with the fashions of the time. One of the later additions was the octagon tower, which you can see close up by climbing onto the roof. From there you also get a good view of the surrounding countryside, or you can look down into the cathedral. One advantage of the SLR is that it performs much better in low-light conditions. The T400 film is also quite forgiving of under-exposure, so I was able to take a few shots of the interior without needing a tripod. The altar turned out quite nicely, as did the photo of the nave with the choir in the background (these were with the 28mm wide-angle lens). Within the choir itself, you can see the light coming in from the lantern tower. Two of the photos, of the octagon tower and West tower, are being considered for use in a book (this is what caused me to dig out the CD). It's only a self-published novel, but I'll enjoy seeing them in print. Finally, I took some photos of a duckling family in a park near the cathedral. They were surprisingly unbothered by me, and in fact I got more attention from the people nearby, who were wondering why I was slowly crawling around on the grass with a 300mm telephoto lens and filter pack :-)
Fri, Oct. 26th, 2007, 10:15 pm Copenhagen
My second set of photos from Denmark are from Copenhagen, where EuroBSDCon was held. The flights were fine, after I made it past airport security, with my dangerous bottle of water, and the waiting. From the plane, I got a good view of the impressive bridges linking the Danish islands. I would later see them again on the way to Legoland, which I posted about last week. The airport was good, unless you are a smoker, in which case you get stuck in a small box. I got the train to the centre of town. I was staying with many of the other speakers at the city youth hostel. It was very good as youth hostels go, and I used Hugin to make a panorama from the great view. Later I tried taking a few night shots. Were my room on the other side, I'd have had a view of Tivoli gardens and the funfair. The conference itself was fun and my talk went down well (it won second prize). The (generally friendly) Linux/BSD competition amused me. In fact, Copenhagen was a generally happy place: the graffiti made me laugh and even the power sockets were happy. :-) Things there were a little different; for example, I thought this device was a card skimmer, but I am assured it is entirely legitimate. The street furniture was quite neat, such as the crossing marking to help blind people. I spent my last day in some of the city gardens, especially the botanic gardens, filled with exotic plants, fascinating ironwork, and statues. Then I went to the Trinity Church, which is complete with pipe organs, both old and new. Finally, at the airport, I noticed an Avro RJ85. This reminded me of my Manchester trip, where the Avro company was founded. Although this wasn't the plane I took back, I believe this Avro would be much more comfortable than some of their previous museum pieces I saw.
As part of my trip to Denmark in September for EuroBSDCon, many of the attendees visited Legoland in Billund, about 4 hours away by coach from Copenhagen. It was a fascinating place and I took lots of photos, a few of which are now online. The majority of Legoland consisted of models of famous buildings and places from around the world, such as America, Japan and Africa. There were also rides, such as being flung around on the end of an industrial robot arm, or a more relaxing revolving tower to get a good view of the park. Some however decided to make activities a bit more challenging. For the more competitive minded, there were suitable activities. One that excited the various operating system hackers present was to build a downhill racing car. We were very proud that with our combined knowledge and experience we could design a marginally faster model than a group of 5 or so year old children. I did at times wonder who were the bigger kids :-) We were lucky with the weather and it was a fun experience, though the exhibits were not without occasional technical problems, even ignoring the invasion of monster ducks :-)
This set is one from the archives, the wedding of my friends Charlotte Goodburn and Stephen John, in July 2007, but I only just got around to uploading it (I'm still behind, but catching up). I know the couple through the bride, Charlotte (aka Camille) Goodburn, from when we were both on the committee of the China Forum. Amazingly she managed to organize both a wedding and a conference at the same time, but apparently the conference was the easier of the two :-) The wedding was held in St Catherine's college, Cambridge. Following the ceremony we went outside to the garden, then back into the hall for speeches and dinner. Much dancing happened, and silliness ensued. Overall I think everyone had a good time. By the time people were leaving, it was dark, but fortunately it wasn't far to get home.
Thu, Sep. 27th, 2007, 01:00 pm Poland
Last month I visited Kazimierz Dolny, a small town near Warsaw, Poland. I've put a few of my photos online. I flew from Luton to Warsaw with the pink-themed WizzAir (a Hungarian budget airline), which was generally OK. There was a short delay on the return flight, which was unfortunate as I had to spend more time in the cramped "Etudia" terminal. The main terminal was fine though. The town is situated on the banks of the Vistula, and is now frequented both by tourists and artists, having some fine examples of Renaissance architecture such as the house pictured above and the church. It is also popular for weddings (we saw several), and I noted that one of the brides sensibly chose appropriate footwear for the cobbled streets :-) Finally, despite the beautiful surroundings, I was still able to find time for a little geekiness, when I saw a jukebox reboot into SuSE Linux.
When I visited Manchester, for Claire and Mark's wedding, I had a spare day during which I did a bit of geek tourism, by visiting the Museum of Science and Industry. This was among the best of the science museums I've visited, and is free admission, so well worth checking out if you are nearby. I've finally got around to uploading a selection of my photos. I was staying at the Days Hotel, which was a reasonable hotel, but one of the neat features was the Foucault pendulum in the lobby, mounted on the top floor (Wikipedia describes the operation). My favourite exhibit at the MoSI was the steam section. In other museums, the engines are either static, or wired up to a slow-running electric motor. In the Manchester museum, they're driven by real steam and, as far as I can tell, at full speed. This makes the experience far more realistic and much easier to appreciate the power behind these machines. I also liked the computing exhibits, including the Pegasus and a reconstruction of the Manchester Baby. The latter is demonstrated once a week by the enthusiasts who built it, but when I visited the exhibit was closed. However, one of the museum staff was kind enough to allow me and a few other interested visitors to look at it. Finally, I went to the Air and Space hall, which contained many interesting artifacts, probably the most impressive being the Avro Shackleton bomber. I was also amused at the bright-orange "black-box" (which incidentally is the code-name of a project I was working on at the time).
In early August, I visited Boston, MA, USA for a week, mainly to attend the USENIX security symposium, where my paper was to be presented. I also attended a couple of meetings, visited MIT and had enough time for a quick look around Boston. I've published a selection of the photos I took. The trip started in Cambridge, and from there Robert and I travelled to Heathrow. Then we flew into Boston Logan. Our hotel claimed that we would be staying in a "VIP room", but other than the view it was fairly unexceptional. At MIT I took some photos of the Stata Center. The taxi driver didn't know how to find it, until I explained that it was the "really weird building". I could relax about my USENIX paper, since Saar was presenting it, and we even won the best student paper award. On my final day, I walked to Boston Common, and took a few photos of the wildlife, scenery, and random people. Finally I visited the Museum of Science, taking photos mainly of butterflies but one or two of the other exhibits. My trip back to the UK was pleasantly uneventful, and I was there for almost two weeks before I travelled to Poland (photos to follow).
Earlier this month I attended the wedding of my friend Claire, who I know from our time at Girton College. This was held in Manchester, and was my first time visiting the town. A good time was had by all, and I've published a selection of the photos, mainly from the reception held in Manchester town hall.
In June I attended the 2007 PET Symposium, held in Ottawa, Canada. I've uploaded a selection of my photos, from the conference itself, the traditional PET hike, and my own travels around Ottawa.
Earlier this month, I visited the COSIC group at K.U. Leuven to present a talk. While I was there I had some spare time, so was able to look around Leuven and Brussels and take a few photos.
Sun, Jan. 1st, 2006, 09:44 pm End of 22C3
The 22nd CCC has finished and I greatly enjoyed it. I think my talk went reasonably well and I had some good feedback. The slides (878 KB PDF) and video (77 MB WMV) are now online, with other versions of the video expected soon.
I am giving a talk at 22C3: The 22nd Chaos Communication Congress, on covert channels in TCP/IP. I got interested in the field after hearing (and breaking) a scheme presented by Joanna Rutkowska at the previous CCC, although I was already quite familiar with covert channels in general. This led to me writing a paper, which was accepted at the 7th Information Hiding Workshop, but now I am coming back to the CCC to present my results in a slightly less academic context. For more details on the talk, see the full description. It is scheduled for day 1 (December 27th) at 10pm, but hopefully some people will still be there. Joanna's talk was one of the most popular at 21C3, although based on some comments (English), I wonder whether more people were there to see the speaker rather than hear the speech. Now I should return to preparing my slides.
There have been a few more updates on my last hotlinking re-education attempts. A few have noticed, and one even retaliated. See my old post for the details. I found a new person using my background. This time a Rock/Metal/Post Hardcore band called "Five & a Half Hours". Based on their current page, I am not sure if a shock image would be out of place. So instead I give you Julie Andrews. Update 20 Dec 2005: Less than 2 hours and 14 hits later, they have noticed and removed the background image. Update 20 Dec 2005: It's back. They have switched to a smaller version of my desktop background (1024x768), which if they opened in a new window would look fine. However, now that they hotlink to it, other visitors will see Julie. Due to caching, it probably looked normal to them the first time. I now know their IP addresses, so have added them to an exclusion list, so it will keep on looking fine to them, but not to the rest of the world.
I am making some diagrams for my thesis and have not been able to find a drawing tool I like. The main lack seems to be versatile alignment functions, does anyone have suggestions for something that might do what I like?
Dia is probably the closest to what I want, but it is buggy and unstable. It still can't do everything I need; for example, I couldn't make it vertically centre text in an ellipse. Inkscape doesn't appear to do lines connected to objects well, so I would have to manually make sure that arrows join up with what they should. Xfig is my usual diagram tool, but it is very limited. Finally, MetaPost can do what I want, but is quite laborious to use.
What do other people use, is there anything better? Linux would be preferred, but I would consider using Windows if needed. I had a quick try at Adobe Illustrator, but I can't see how to make it do something like automatic connectors. Can it?
I used to have a website, murdomedia.net, which I
designed in 1997. With the white text on black background, neon-effect
buttons and spinning animated GIFs, it truly was a site of the
nineties and that is where it should stay. I decommissioned the site
last week, but arranged for it to record which URLs were
requested. As expected for an essentially dead site, other than
robots, there were practically no hits, with the exception of one
set of files.
In 2001, I made a desktop background, called Eye of the
Code, which I submitted to themes.org. It has been
reasonably popular, and someone even based a Fluxbox
theme on it. What I didn't know was that 9 blogs and homepages were hotlinking
to this image, so I was getting several hits per hour, downloading
the 500kB image.
Now, tradition dictates replacing it with a suitable shock image,
which due to captain_aj's valiant efforts I am very
familiar with. However, I thought something more creative was called for.
I hope you will agree that this is a significant improvement. I will wait and see if the web page owners concur.
Update 6 Dec 2005:
Yuppie Killer is the first one to spot the change. As predicted by captain_aj, Yuppie Killer says:
To whoever hacked my account and changed my background picture....You are a fucking piece of shit
He has changed his user page to be white text on a white background, but if you highlight it then you can read his ranting.
Update 7 Dec 2005:
Yuppie Killer has updated his message:
To whoever hacked my account and changed my background picture, is that all you got?....You fucking piece of shit
Myself and captain_aj are working on the answer.
Update 7 Dec 2005:
Tabatha has updated her page (still has music). She now hotlinks to a painting called "Mushroom People". She hasn't made any comments about the change, and doesn't have a blog.
Update 8 Dec 2005:
Avril 13 has changed her background. This time not hotlinking – perhaps she is learning.
Clompy has taken her journal offline. Perhaps she thinks it has been hacked and will bring it back later.
Update 10 Dec 2005:
h_e_x_o_n has noticed. In his blog post, he says:
who made the new background for me :P i really like that......
It is still set to my image. Any suggestions on what I should do?
Update 11 Dec 2005:
A fine suggestion from captain_aj was to make h_e_x_o_n's background a screamer, albeit without the scream. You need to wait for 8 seconds.
Update 12 Dec 2005:
h_e_x_o_n doesn't like the screamer as much as the previous image. He now hotlinks to a 1275×1753 JPEG from Barb's Bunker. Tasteful, but makes the text unreadable. Probably for the best.
Update 15 Dec 2005:
h_e_x_o_n has found my journal, thanks to his (anti-)stalking script, and retaliated.
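One way to do what this post and the later exclusion-list update (which appears above on this page) describe, written here as an added example rather than the author's actual server setup, which the post does not show: find the hotlinking pages from the server's access log, then serve a different file depending on the Referer, with the hotlinkers' own addresses excluded so that they keep seeing the real image. The file paths, hostnames, addresses and log lines are all constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Path of the hotlinked image on the decommissioned site (assumed path).
REAL_IMAGE = "/images/eyeofthecode.jpg"
# Replacement served to pages that embed it from elsewhere (assumed path).
DECOY_IMAGE = "/images/julie.jpg"
# Pages allowed to embed the image: the site's own hostnames (assumed).
OWN_HOSTS = {"murdomedia.net", "www.murdomedia.net"}
# The hotlinkers' own addresses, learnt from the log: they keep getting the
# real image so the swap stays invisible to them (constructed values).
EXCLUDED_CLIENTS = [ip_network("203.0.113.5/32"), ip_network("198.51.100.3/32")]

# Apache/nginx "combined" access log format, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log: two foreign pages embed the image, one visitor opens
# it directly (no Referer), one request comes from the site's own page, and
# one request is for a different file and must be ignored.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Dec/2005:10:15:02 +0000] "GET /images/eyeofthecode.jpg HTTP/1.1" 200 512000 "http://blog-a.example/profile" "Mozilla/5.0"
203.0.113.9 - - [05/Dec/2005:10:16:44 +0000] "GET /images/eyeofthecode.jpg HTTP/1.1" 200 512000 "-" "Mozilla/5.0"
192.0.2.77 - - [05/Dec/2005:10:17:10 +0000] "GET /images/eyeofthecode.jpg HTTP/1.1" 200 512000 "http://www.murdomedia.net/wallpapers.html" "Mozilla/5.0"
198.51.100.3 - - [05/Dec/2005:10:18:30 +0000] "GET /images/eyeofthecode.jpg HTTP/1.1" 200 512000 "http://blog-b.example/" "Mozilla/5.0"
198.51.100.3 - - [05/Dec/2005:10:18:31 +0000] "GET /index.html HTTP/1.1" 200 2048 "http://blog-b.example/" "Mozilla/5.0"
"""


def referer_host(referer):
    """Hostname from a Referer header, lowercased; None if absent, '-' or unparseable."""
    if not referer or referer == "-":
        return None
    try:
        host = urlsplit(referer).hostname
    except ValueError:  # e.g. an unbalanced '[' in the URL
        return None
    return host.lower() if host else None


def hotlinking_hosts(log_text, image_path=REAL_IMAGE):
    """Foreign hosts whose pages embed image_path, found from the log's Referers."""
    hosts = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("path") != image_path:
            continue
        host = referer_host(m.group("referer"))
        if host is not None and host not in OWN_HOSTS:
            hosts.add(host)
    return sorted(hosts)


def is_excluded(client_ip):
    """True if the client is on the keep-showing-the-real-image list."""
    try:
        addr = ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in EXCLUDED_CLIENTS)


def choose_image(referer, client_ip):
    """Which file to serve for a request to REAL_IMAGE.

    Direct requests (no Referer, which is also what typed URLs and
    Referer-stripping privacy tools produce) and requests from the site's own
    pages get the real image. Requests embedded in someone else's page get the
    decoy, unless the client is one of the hotlinkers themselves."""
    if is_excluded(client_ip):
        return REAL_IMAGE
    host = referer_host(referer)
    if host is None or host in OWN_HOSTS:
        return REAL_IMAGE
    return DECOY_IMAGE


if __name__ == "__main__":
    print("hotlinkers:", hotlinking_hosts(SAMPLE_LOG))
    for ref, ip in [("http://blog-a.example/profile", "203.0.113.5"),
                    ("http://blog-a.example/profile", "203.0.113.50"),
                    (None, "203.0.113.50")]:
        print(ref, ip, "->", choose_image(ref, ip))
```

Referer is supplied by the browser, so this only sorts requests by which page embedded the image; anyone can still fetch the file directly, and a visitor whose browser or proxy strips Referer is treated as a direct request and sees the real image. Browsers that already cached the original keep showing it until the cache entry expires, which is why the swap is not seen immediately. On Apache the same decision is normally written as RewriteCond rules on %{HTTP_REFERER} and %{REMOTE_ADDR} rather than in application code.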
Since October 2004 I have been investigating the security of tamper-evident laser-printer PIN mailers. These are sheets of paper with a special patch on which the PIN is printed using a normal laser printer. The intention is that you can't read the PIN until you peel off a bit of plastic or scratch off a coating, depending on the technology; probably the most widespread type is Hydalam. After that, you shouldn't be able to put the patch back to its previous state without leaving some evidence of tampering, so that someone can't intercept your PIN in the mail, read it and put it back without the legitimate recipient noticing. The project started when Mike Bond noticed that he could read one of his PINs without tampering with it, just by looking carefully. Later Jolyon Clulow and I got involved and found new ways to reveal the PIN, ranging from shining a bright light at the PIN from an angle to scanning the PIN mailer and using the GIMP to enhance the image. When we realised this was a problem, we contacted the manufacturers and users of these products and helped them develop new PIN mailers which were resistant to these attacks. We sent them a vulnerability report in November 2004, which was privately circulated in the banking community. We planned to publicly release information about the vulnerability 6 months later, but by this stage it was clear that manufacturers were still working on fixing the problem, so we delayed the release another 3 months. On 31 July 2005 we put the report on our websites, but not much happened for a while. Then SA Mathieson picked the story up and wrote an article for Infosecurity Today on 24 August 2005. Soon after, the BBC picked it up, followed by The Register and PC Pro. Today some other journalists have been phoning Mike, and he was interviewed on the Simon Mayo show on Radio Five Live at about 2pm.
- Laser-printed PIN Mailer Vulnerability Report (PDF 676Kb)
- The original report which sparked it all off – released on 31 July 2005
- Also mentioned in the author's blog
- Infosecurity Today: UK banks sent out vulnerable PIN mailers
- First news article – 24 August 2005
- BBC News online: Poor print exposing Pin numbers
- More information on the vulnerability, including a response from APACS, the banking industry trade association – 25 August 2005
- Also published in Turkish Weekly and The News (Pakistan)
- Commented on by Digital Silence, Addict3ed and Schneier on Security
- There was a post to the cryptography mailing list about this article and while our report does not deal with lottery-style scratchcards (where the data is covered by a coating over the toner, rather than being disguised by a coating on the other side of the toner), a followup post describes a fairly high-tech but apparently feasible attack on these too.
- The Register: The GIMP threatens PIN number security
- Article with a slightly different spin – 25 August 2005
- Also published in IT Observer, SecurityFocus and NewsForge
- PC Pro: Cambridge team reveals PIN vulnerability
- Brief summary of the vulnerability – 26 August 2005
- Also published in Computer Shopper
- Slashdot: Graphics Programs Uncover Secret PINs
- Brief summary along with many comments, much of which are of dubious value
- The Sydney Morning Herald Technology: Razor - Is your PIN secure?
- Comparison with Australian practices
Update (26 August 2005): Slashdot added.
Update (27 August 2005): Turkish Weekly, Digital Silence, IT Observer, SecurityFocus, NewsForge, Addict3ed and Sydney Morning Herald added from Google News.
Update (28 August 2005): Computer Shopper and The News added.
Update (30 August 2005): Schneier on Security added.
Update (31 August 2005): Cryptography mailing list added.
I sometimes wonder if the black helicopters are coming to take me away. While I was browsing logs of people who have looked at my web pages, I noticed these entries. If the black helicopters ever do come, they may have been sent by these people:
cifagb01.cifa.mil - - [21/Jul/2005:18:04:28 +0100] "GET /users/sjm217/talks/ccc04_counterfeiting.pdf HTTP/1.1" 200 21759
cifagb01.cifa.mil - - [21/Jul/2005:18:04:28 +0100] "GET /users/sjm217/talks/ccc04_counterfeiting.pdf HTTP/1.1" 206 21703
cifagb01.cifa.mil - - [21/Jul/2005:18:04:32 +0100] "GET /users/sjm217/talks/ccc04_counterfeiting.pdf HTTP/1.1" 206 1969151
CIFA (Department of Defense Counterintelligence Field Activity) was established on February 19, 2002. They don't appear to have a web page, but there is some information about them on military.com: Quietly created post-September 11, CIFA has a broad charter to provide counterintelligence and security support to the Defense Department around the world and within the United States.
"Worldwide, more than 400 civilian and military employees work for CIFA with the ultimate goal of detecting and neutralizing the many different forms of espionage regularly conducted against the United States by terrorists, foreign intelligence services and other covert and clandestine groups," according to the Defense Security Service.
"The threats posed by these adversaries include actions to kill or harm U.S. citizens; to steal critical information or assets (military or civilian); or destroy critical infrastructures." They appear to have got someone else's tinfoil hat rattling by showing up in their web logs, and there are a few more people with similar stories. The PDF they looked at was my slides from the talk I gave at 21C3 on The Convergence of Anti-Counterfeiting and Computer Security (PDF 1.4Mb). I suppose it could be mildly controversial, but I don't quite see the link between it and the CIFA mission. Of course, it could just be a CIFA employee who was curious about anti-counterfeiting measures (that was how I came to write the talk), or perhaps someone unconnected who is spoofing their reverse DNS. The latter is quite easy to do, as I believe the Computer Lab web server does not do double reverse-DNS lookups (checking that the name returned by the address's PTR record resolves forward to that same address before logging it). If it really is from CIFA, perhaps someone should tell them about Tor. While I am at it, someone who appears to be from the US Air Force Kirkuk Airbase looked at my Area 51 satellite photo, which I linked to from my Shadowconflict blog comment.
krab-n.krab.aorcentaf.af.mil - - [09/Aug/2005:07:45:43 +0100] "GET /users/sjm217/volatile/area51col.jpg HTTP/1.0" 200 70118
So if I ever disappear in mysterious circumstances one day, you know who to ask.
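The "double" reverse lookup mentioned in the post above, as an added example (this is not the Computer Lab web server's configuration, which the post does not show): take the name from the address's PTR record, then only trust it if that name resolves forward to the same address. The resolver functions are injectable so the block runs offline against constructed zone data; the hostnames and addresses in that data are invented for the example, not taken from the log lines in the post.

```python
import socket
from ipaddress import ip_address


def system_ptr_lookup(ip):
    """PTR lookup through the system resolver; the name, lowercased, or None."""
    try:
        return socket.gethostbyaddr(ip)[0].lower()
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return None


def system_forward_lookup(name):
    """A/AAAA lookup through the system resolver; the set of addresses as strings."""
    try:
        infos = socket.getaddrinfo(name, None)
    except OSError:
        return set()
    # sockaddr[0] is the address; drop any IPv6 scope id before normalising.
    return {str(ip_address(info[4][0].split("%")[0])) for info in infos}


def confirmed_hostname(ip, ptr_lookup=system_ptr_lookup, forward_lookup=system_forward_lookup):
    """Forward-confirmed reverse DNS.

    The PTR record for an address is written by whoever runs that address
    block, so a plain reverse lookup believes whatever name they put there.
    Accept the name only if it also resolves forward to the same address."""
    addr = str(ip_address(ip))
    name = ptr_lookup(addr)
    if name is None:
        return None
    name = name.rstrip(".").lower()
    return name if addr in forward_lookup(name) else None


def log_host(ip, **lookups):
    """What to record in an access log: the confirmed name, or the bare address."""
    name = confirmed_hostname(ip, **lookups)
    return name if name is not None else f"{ip} (PTR unconfirmed)"


# Constructed zone data standing in for the real resolver. The operator of
# 203.0.113.0/24 writes the PTR records for that block and has pointed one of
# them at a name they do not control (all names here are invented).
FAKE_PTR = {
    "203.0.113.8": "analyst.agency.example",  # spoofed reverse name
    "203.0.113.9": "host9.isp.example",       # honest reverse name
}
FAKE_FORWARD = {
    "analyst.agency.example": {"198.51.100.20"},  # the real owner's address
    "host9.isp.example": {"203.0.113.9"},
}


def fake_forward_lookup(name):
    return set(FAKE_FORWARD.get(name, set()))


def demo_results():
    """Run both sample addresses through the check with the constructed zones."""
    return {ip: log_host(ip, ptr_lookup=FAKE_PTR.get, forward_lookup=fake_forward_lookup)
            for ip in FAKE_PTR}


if __name__ == "__main__":
    for ip, shown in demo_results().items():
        print(ip, "->", shown)
```

Apache's equivalent is HostnameLookups Double, which logs the name only when the forward lookup agrees. Even a confirmed name only tells you which organisation runs the address, not who was at the keyboard or whether they arrived through a proxy or Tor, and it is still only as trustworthy as the DNS answers themselves.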