Category Archives: Security

Safe-Cracking Robot

Some curious students have built a robot that mechanically cracks electronic safes.

It is worth noting that the standard lock for classified documents has since been upgraded to an even more advanced electronic lock, so our machine is not a national security threat. I’m going to be describing our process under the assumption that the lock really is “manipulation-proof” and that the only way to open the safe is to try every possible combination.

Combination space optimization is the key. By exploiting the mechanical tolerances of the lock and certain combination “forbidden zones”, we reduced the number of possible combinations by about an order of magnitude. Again, read the paper mentioned above for details. Grant implemented our algorithm in Java and was able to test it far before we started constructing the dialer.

They say their “auto dialer” robot, run by a laptop, successfully opened the safe in only a couple of hours.
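To make the combination-space trick concrete, here is an added example (my code, not the students' Java implementation or anything from their paper). It assumes a three-wheel dial of 100 positions, a mechanical tolerance of ±1 position per wheel (the lock opens if every wheel is within that distance of its true number), and a forbidden zone of 0–19 on the last wheel; all of those numbers, and the function names, are illustrative assumptions, since the page gives no figures for the real lock. With these parameters the search shrinks by roughly 32x; the "order of magnitude" figure quoted above depends on the actual tolerance and zones.

```python
# Added example (not from the students' paper or the blog post): enumerate the
# dialing sequence a brute-force safe dialer would use, and measure how much
# the two tricks described above shrink the search. All parameter values are
# illustrative assumptions; the page gives no numbers for the actual lock.

from itertools import product


def sample_positions(positions, tolerance):
    """Dial positions worth trying on one wheel.

    Assumption: the lock opens if each wheel is within +/- `tolerance` of its
    true number, so trying every (2*tolerance+1)-th position covers the whole
    wheel. The dial is circular, so coverage wraps around at 0.
    """
    step = 2 * tolerance + 1
    return list(range(0, positions, step))


def last_wheel_positions(positions, tolerance, forbidden):
    """Positions for the last wheel, minus an assumed forbidden zone.

    `forbidden` is a half-open range [lo, hi) of last-wheel numbers that the
    manufacturer disallows (illustrative; the page only says such zones exist).
    """
    lo, hi = forbidden
    return [p for p in sample_positions(positions, tolerance) if not lo <= p < hi]


def dialing_sequence(positions=100, wheels=3, tolerance=1, forbidden=(0, 20)):
    """Every combination the dialer would try, in dialing order."""
    inner = sample_positions(positions, tolerance)
    last = last_wheel_positions(positions, tolerance, forbidden)
    return list(product(*([inner] * (wheels - 1) + [last])))


def search_reduction(positions=100, wheels=3, tolerance=1, forbidden=(0, 20)):
    """Return (naive combinations, reduced combinations, reduction factor)."""
    naive = positions ** wheels
    reduced = len(dialing_sequence(positions, wheels, tolerance, forbidden))
    return naive, reduced, naive / reduced


def covered(true_combo, positions, tolerance, sequence):
    """True if some trial in `sequence` is within tolerance of `true_combo`
    on every wheel (circular distance). Validates the sampling step."""
    def close(a, b):
        d = abs(a - b) % positions
        return min(d, positions - d) <= tolerance
    return any(all(close(t, c) for t, c in zip(trial, true_combo))
               for trial in sequence)


if __name__ == "__main__":
    naive, reduced, factor = search_reduction()
    print(f"naive: {naive}, reduced: {reduced}, factor: {factor:.1f}x")
```

The `covered` check is the part worth keeping around: a combination whose last number lies inside the assumed forbidden zone is, by design, never dialed, so if the zone assumption is wrong for a given lock the dialer will silently never open it.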

Cloud Security Not Roadblock for Majority of C-Level

The fourth edition of the ITGI Global Survey Results has been posted by ISACA.

A total of 834 surveys were completed, of which 704 were received through the online survey and 130 were gathered by telephone. The surveys were conducted in the native language of the interviewees, and included Chinese, Czech, Dutch, French, German, Japanese, Polish, Portuguese, Russian and Spanish.

Cloud is a murky term, but here are some highlights I found in the report.

Service providers already run, or soon will run, mission-critical technology for more than 40 percent of the executives surveyed:

60 percent use or are planning to use cloud computing for non-mission-critical IT services, and more than 40 percent use or are planning to use it for mission-critical IT services. For companies that do not have plans to use cloud computing the main reasons are data privacy and security concerns.

Conversely, nearly two-thirds do not see legacy infrastructure as an obstacle:

More than one-third of the survey respondents reported significant legacy infrastructure investments that are inhibiting their cloud computing plans

On the other hand, there are still areas of concern. Four-fifths of executives do not think the benefits of one class of application outweigh its risks:

The use of Facebook or Twitter at work is not highly prized; only one out of five respondents believes that the benefits of employees using social networking outweigh the risks.

The report also differentiates responses by size of company.

Cloud computing-related concerns about security, data privacy and legacy infrastructure investments are generally higher in large enterprises than in small ones.

Although large enterprises report higher concern about cloud than small ones, the survey also shows that IT “innovation” is more likely in a large enterprise.

Slightly more than half of large enterprises have implemented or plan to implement initiatives to promote IT innovation, compared with 40.3 percent of small enterprises.

Infrastructure and Platform (IaaS and PaaS) seem to be getting the green light, but Software (SaaS) services such as social networking still have not overcome privacy concerns for the vast majority of executives — more red than yellow. That makes sense to me. SaaS is the least transparent of the three levels and has a history of mistakes.

White Hat Missing; Feared Lost

Wired has raised further concern about a security researcher who disappeared.

A well-known security researcher and cybercrime foe appears to have gone missing in Bulgaria and is feared harmed, according to a news organization that hosts a blog the researcher co-writes.

Bulgarian researcher Dancho Danchev, who writes for ZDNet’s Zero Day blog, is an independent security consultant who’s garnered the enmity of cybercriminals for his work tracking and exposing their malicious activity. He has often provided insightful analysis of East European criminal activity and online scams.

His last Twitter update was October 20th, 2010, and his last blog entry was September 11th, 2010.

A big clue in the case is that Danchev supposedly sent an “insurance” letter with photos to a friend before he disappeared. The letter accuses the Bulgarian government of monitoring him. The wiring in the photos, however, is exposed and easy to see; it does not look like professional surveillance work, which I suspect Danchev also knew.

Android Security Patch Delayed: SD Card Exposed

Metasploit gave Google a bit of a roast yesterday.

They accuse Google of failing to protect users by delaying a fix for a vulnerability (announced last November) and shipping it only in Android 2.3 (the “Gingerbread” release).

A fix for what, you may ask:

Perhaps the easiest win though, is that you can grab anything off of the SD card. You might ask, “Anything?! What about the user separation?” Well, because the SD card has been formatted with the “vfat” (aka “fat32”) file system, there is no concept of ownership. All files are owned by the same user id since the file system itself cannot encapsulate who created which file. As Thomas said, files in the SD card that have predictable names are ripe for the picking. This includes pictures and movies. These may in fact be some of the most private data on your device.

Android 2.3 is currently only on 0.4% of Android phones.