Slashdotted.
The project I've spent nearly all of the past two months working on has been released. We made a nice web page to tell the world about it: http://citp.princeton.edu/memory/
I think my one-sentence summary is something like "We broke your disk encryption system under the security model it was designed to be used in, and it was easy."
It's been a fascinating process all the way through.
The web site went up around 9 am. It was posted on Slashdot and BoingBoing within a couple of hours, then C|Net and Wired, and now the NY Times. To illustrate how much traffic that is, our site has been mirrored to deal with the load (and was still up and down in the afternoon), but the web site for the Center for IT Policy has been overloaded just by the fraction of visitors clicking through from the project page.
The universal experience of being slashdotted includes the inevitable frustration at reading dozens (hundreds) of comments that were quickly dashed off by people who didn't bother to read any further than a one-paragraph summary, although I'm encouraged that a good fraction of them are followed by rebuttals from people who did read further and think our results are interesting. The thing that really bewilders me, having not really looked much at slashdot since I was in high school, is the apparent disappearance of that strange underworld of trolling and "first post" that used to be visible when you chose a moderation threshold of -1. Where did they all go? YouTube? (Although currently even the YouTube comments on our video are generally on-topic.)
Comments
Congratulations on being the voice of doom.
Posted by: Ping | February 22, 2008 05:40 AM
Thanks! I'm proud to have edged out my co-authors' more authoritative male voices. (And also glad that there haven't been any weird comments about my voice.)
Posted by: Nadia | February 22, 2008 01:39 PM
I had read the article on wired and a little of the actual report and thought it was incredibly interesting. I had googled your name and found your blog (really hope that doesn't sound creepy lol) When you set out on the research were you trying to break only disk encryption or other types of encryption also?
I'd love to ask you more about the project, as I am just finishing my IT degree and looking into the security field as a profession.
Posted by: Slevin | February 22, 2008 06:09 PM
I'm glad to hear you appreciated our research.
My web logs tell me several hundred people have taken the trouble to google me since we went public, so you're not alone.
When we started this project the intent was to do a more rigorous exploration of the phenomenon of memory remanence and illustrate it by showing how encryption programs might be vulnerable.
Disk encryption is a natural target because the keys necessarily reside in RAM for as long as a volume is mounted. In the paper we also discuss finding SSL private keys from Apache.
I am likely the wrong person to ask about the security aspects of this project, as I'm mostly interested in the algorithmic and theoretical aspects.
Posted by: Nadia | February 22, 2008 11:00 PM
Good work, will have a minutes thru it for sure ..
Keep up the sense.
P.S, naida is a western name? or you are not actually westie !
Posted by: Stranger | February 23, 2008 03:46 AM
Ah, all my hard work encrypting my laptop drive is so easily defeated. :(
Well I guess total disk encryption is better than nothing so long as I am aware what the vulnerabilities are.
Posted by: Russell O'Connor | February 23, 2008 12:39 PM
Good work. :P
Posted by: Phillip | June 21, 2008 09:29 PM