TIMING ANALYSIS OF KEYSTROKES AND TIMING ATTACKS ON SSH

Richard Smith started off by saying that what he primarily does is "cause problems," mostly for companies that have not thought through the security implications of products that they have released. They often "discover unintended consequences that companies don't like to talk about." The three main areas they consider are security, privacy, and control. He stated that "consumers care more about the security of cell phones than about Web servers" because cell phones are personal devices with which consumers have immediate connections. Application developers and companies are more concerned with functionality than security. Products such as consumer devices based on real-time operating systems tend to have lower concerns for security. Smith said that DirecTV was the first consumer device that got his interest about privacy issues. It had a phone jack. What information was it sending back? Later, a call to customer service on a different issue revealed that the customer service people were able to send commands (via satellite?) to turn his TV on. Is this a good thing? Still another time the company apparently chose to "advertise" new services by causing the TV to tune to a soft-porn channel which he had not subscribed to or selected. Earlier this year, just before the Super Bowl, the company downloaded a program to all DirecTV boxes. The goal was to disable black market devices used to pirate programming. It succeeded. But what if they had made a mistake? What if they had disabled service for legitimate customers? Who, in fact, owns the boxes? DirecTV clearly did not own the black-market devices. Did the company's actions constitute "hacking"? Did the terms of service allow them to reprogram the legitimate boxes? It turns out that DirecTV was not sending back "Nielsen" information, just a lot of information about the temperature inside the box. Their competitor Tivo does send in "Nielsen" info.
You have to explicitly opt out by calling customer service. We're entering a brave new world of connected devices. A company called Sports Barn sold a strap-on device that monitored your daily exercise... and then uploaded it via phone to their Web site to create a "personal profile" (which, of course, would never be used for marketing or other purposes). One could have gotten the same effect by uploading to a PC without disclosing …