Skip to main content

Posts

Showing posts with the label encryption

Electromagnetic eavesdropping is cheap & easy - so why doesn't anyone believe it exists?

Below, I've included what would have been the first post in a series of posts I wrote about the  badBIOS  controversy in October 2013. I found the evidence in support of badBIOS to be unconvincing and I was concerned by how popular badBIOS became despite those obvious shortcomings. This wasn't a situation where an overexcitable press ran with a story that turned out to be inaccurate; the most early and adamant believers in  badBIOS  weren't reporters, they were ITSEC professionals. How were so many of us publicly duped by what was essentially a conspiracy theory? This post doesn't address badBIOS directly. However, badBIOS was presumed to somehow involve the manipulation of computers using acoustic transmissions. This post provides some historical context behind a strain of computer science research in this field and shows how commonly held beliefs about the feasibility of these attacks were generally inaccurate at the time of writing. In future posts I would have explo

Can Keybase.io save the internet?

When used correctly, encryption works really well. It works so well that most people can't wrap their brain around how powerful it is. The biggest gains we can make in improving online security and privacy won't be the result of making encryption better. Most of our problems are the result of how encryption is used. At the moment, using encryption is complicated. Its not complicated to the point where you need special training to use it, but its complicated enough that its a pain in the ass for non-technical people to adopt. So non-technical people don't adopt encryption. That's a real problem - because most people are non-technical. Actually, its worse than that, because it means only communications between technical people can be secured with any regularity. Even technical people can't communicate securely with non-technical people. Encryption can only be truly successful with massive levels of adoption. Even with all of its problem, HTTP-based SS

Secure your Apache server against LOGJAM

Some time ago I wrote a post about the dismaying history of US government attempts to regulate encryption out of existence . I had to omit quite a bit; it was a post and not a book after all. One of the details left out of the story was the DHE_EXPORT cipher suites. During the 90's, developers were forced by the US government to us deliberately insecure ciphers when communicating with entities in foreign countries (readers will remember from the last post that law makers were convinced that encryption should fall under the same rules as weapons technology, and thus could not be shared with anyone outside the Father Land). These insecure ciphers became DHE_EXPORT. The DH stands for Diffie-Hellman; the key exchange system that bears their name was first published in 1976. Along with the cipher suite was a mechanism to force a normal encrypted transaction to downshift to a lower-bit DHE_EXPORT cipher. As so many short-sighted technology regulations have done in the past, this silly

Chess, Encryption and Comic Books (Mind MGMT)

Lately, I've been hooked on a brilliant comic book from genius Matt Kindt , called Mind MGMT . In a nutshell, Mind MGMT follows a cold war era intelligence service based on the conceit that Men Who Stare at Goats -style ESP spook tactics work, and have silently and secretly played a role in the machinations of world politics throughout the 20th century. Mind MGMT is really clever, the art is striking and the whole business is worth a read on its own. Part of the fun of the comic book is that the creators seamlessly weave the sort of subliminal messaging they use in the plot, into the layout of the comic itself. Fake advertisements in the back of issues contain hidden text, while the margins themselves are formatted like Scantron documents with little limericks where the dotted "fold here" lines usually go. Just today I read through issue 23, which opens with a tale of a man gifted with the fore-mentioned spying super-powers; a reclusive Bobby Fischer type who commun

Why is the Washington Post Publishing Pro-Surveillance Propaganda? Can Government Surveillance Revelations Decrease Encryption Adoption?

For the last few days I've had great fun watching James Comey and his pack of Keystone Cyber Cops failing to convince the world that they should be CC'd on everyone's calls, tweets and texts and generally exposing himself as the incompetent, braying ass that he is. Keep in mind the camera adds 10 pounds Dan Froomkin and Natasha Vargas-Cooper over at The Intercept  exposing each of the examples that Comey used to indicate the necessity for breaking cell phone encryption as fabricated - the cases were real, but none of them relied on cell phones or computers to obtain a conviction. In one case of infanticide, the parents who were eventually found guilty had been previously convicted of child cruelty and had the deceased child previously taken from their custody for neglect. Not only did the state not need to read the parents' phones for evidence, if they had read their own files  and demonstrated some inter-agency cooperation they could very likely have prevent

Congress to Comey: Leave Encryption Alone

Congress appears to have abandoned FBI Director James Comey's bungled attacks on consumer adoption of encryption . Its a rare glimmer of sanity from Capitol Hill; press reports quoting congressional officials using language not ripped from the pages of an Orwell novel. Readers may remember that in a recent post we mentioned some danger signs indicating that the executive wanted to take some more aggressive action to ensure that the commoners and foreign-folk don't have access to encryption tools that would help keep their data free from snooping. Top brass from the FBI and the Attorney Generals Office were telling anyone who would listen that unless tech companies stopped trying to protect their customer's data, law enforcement would be powerless in the face of modern "cyber" criminals. Congress has refused to jump on this alarmist bandwagon. Darrell Issa, a member of that rarest of species - California Republicans - had this to say about federal law enforcem

Is Encryption Becoming Illegal Again?

Way back in 1993, the Internet was a very different place. SSL would not be released for another two years; it would take some time after that until it was used commonly. The Clipper Chip project had just been announced, threatening to offer an explicit, physical back door to all electronic communications devices for the US Justice Department and anyone with a basic understanding of computer science. In 1993, Encryption was a weapon . Washington viewed encryption's only function as a wartime tool to protect military and intelligence communications. The notion that encryption could or should be used as a foundation of protecting online commerce and banking simply did not occur to Big Brother. Into this situation came Phil Zimmerman. Phil had designed and programmed an encryption application called Pretty Good Privacy in 1991. Before that time, cryptography tools were almost entirely the purview of those with the biggest of Smarty Pants: mathematicians, logicians, researchers,

Decrypting Data That Has Been Encrypted by ASP.NET

A colleague of mine let me know about an easy way to use .NET's decryption mechanism from the command line. From the directory of the framework version, issue the following command (replace filename and path where appropriate): C:\WINDOWS\Microsoft.NET\ Framework\v2.0.50727>aspnet_ regiis -pdf "filename" D:\path\ Encrypting configuration section... Succeeded! Neat!

More Fun With PCI

I received a notification from a large security auditing firm that of the ciphers currently available, only RC4 ciphers will be considered PCI compliant. My assumption based on the notification is that this move is intended as a rejection of CBC (Cipher Block Chaining). Well, that's fine as far as I am concerned. CBC has some serious issues as implemented in SSL v3 / TLS v1.0. In a nutshell, you can time responses for applications using the block cipher to get ranges of possible data in SSLv3 and partial payload decryption in TLS. So-called "stream" ciphers like RC4 are immune to this particular attack vector. You don't get private keys from the attack, its by no means a fast attack (minimum of three hours), and you need access to monitor the session . Further, patches for CBC exist to over-ride the timing exploit (for example the NSS libraries used by Mozilla have been patched). I will save debunking the man in the middle hysteria for a later post. What frustrate

Phil Zimmerman's Latest Project

Phil Zimmerman of PGP Encryption fame is launching a new project, Silent Circle -  The idea is an application suite complete with encrypted VOIP, email and IM. Exciting stuff! Lets hope it works out better than Hushmail !

Random Number Generation

Latest Update from Basement Dweller News: A great primer on random number generation from a few smart cookies at Intel, by way of IEEE: http://spectrum.ieee.org/computing/hardware/behind-intels-new-randomnumber-generator/0 On a very related note, let's keep our eyes on systemic issues with encryption keys in the wild: http://eprint.iacr.org/2012/064.pdf I have yet to formalize an opinion as to the validity of any systemic key issues intrinsic to RSA (because I was a "D" math student I have to wait for the grown-ups to weigh in on these Deep Thoughts. I would like to see larger keys in use standardized and don't see any good reason not to) A compelling critique of the survey, urging for additional data before judgment is reached: http://dankaminsky.com/2012/02/14/ronwhit/