All posts in Social Network

Attack of the Week: Triple Handshakes (3Shake)

The other day Apple released a major security update that fixes a number of terrifying things that can happen to your OS/X and iOS devices. You should install it. Not only does this fix a possible remote code execution vulnerability in the JPEG parser (!), it also patches a TLS/SSL protocol bug known as the “Triple Handshake” vulnerability. And this is great timing, since Triple Handshakes are something I’ve been meaning (and failing) to write about for over a month now.

But before we get there: a few points of order.

First, if Heartbleed taught us one thing, it’s that when it comes to TLS vulnerabilities, branding is key. Henceforth, and with apologies to Bhargavan, Delignat-Lavaud, Pironti,  Fournet and Strub (who actually discovered the attack*), for the rest of this post I will be referring to the vulnerability simply as “3Shake”.

On a more serious note, 3Shake is not Heartbleed. That’s both good and bad. It’s good because Heartbleed was nasty and 3Shake really isn’t anywhere near as dangerous. It’s bad since, awful as it was, Heartbleed was only an implementation vulnerability — and one in a single TLS library to boot. 3Shake represents a novel and fundamental bug in the TLS protocol.

The final thing you should know about 3Shake is that, according to the cryptographic literature, it shouldn’t exist.

04/24/2014 · No Comments Continue Reading

How do you know if an RNG is working?

Last week, Edward Snowden spoke to a packed crowd at SXSW about the many problems (and limited solutions) facing those of us who want to keep our communications private. Snowden said a number of things — including a shout out to Moxie’s company Whisper Systems, who certainly deserve it. But instead of talking about that, I wanted to focus on (in my opinion) one of Snowden’s most important quotes:

We need all those brilliant Belgian cryptographers to go “alright we know that these encryption algorithms we are using today work, typically it is the random number generators that are attacked as opposed to the encryption algorithms themselves. How can we make them [secure], how can we test them?”

Now it’s possible I’m a little biased, but it seems to me this cuts to the core of our problems with building secure systems in an increasingly hostile world. Namely: most encryption relies on some source of “random” numbers, either to generate keys or (particularly in the case of public key encryption) to provide semantic security for our ciphertexts.

What this means is that an attacker who can predict the output of your RNG — perhaps by taking advantage of a bug, or even compromising it at a design level — can often completely decrypt your communications. The Debian project learned this firsthand, as have many others. This certainly hasn’t escaped NSA’s notice, if the allegations regarding its Dual EC random number generator are true.

All of this brings us back to Snowden’s quote above, and the question he throws open for us. How do you know that an RNG is working? What kind of tests can we run on our code to avoid flaws ranging from the idiotic to the highly malicious? Unfortunately this question does not have an easy answer. In the rest of this post I’m going to try to explain why.

03/20/2014 · No Comments Continue Reading

Formula for Creating Billion-Dollar (Internet) Companies

“We often think of (how) the Internet enables you to do new things,” Ev Williams told a recent XOXO conference in Portland, Oregon. “But people just want to do the same things they’ve always done.”

Williams, in cofounding Blogger, Twitter, and Medium, has helped make much of the Internet we know today, and he has come to the realization that the Internet is “a giant machine designed to give people what they want.”

In this way, he says, organizing your startup around the Next Big Idea isn’t nearly as useful (or profitable) as taking a Very Old Problem and solving it in A New Way

10/04/2013 · No Comments Continue Reading

Twitter Makes Its I.P.O. Plans Known

Twitter has taken the cover off its initial public offering, making public its prospectus and setting the clock on one of the most anticipated stock sales of the year, Vindu Goel and Michael J. de la Merced report.

Twitter’s prospectus — whose filing was initially disclosed in a 135-character post on its own service last month — offers the fullest look yet at the privately held company. But while its growth is as high as had been anticipated in some ways, the document reflects a company that is still relatively small compared to its rivals.

Based on an internal valuation of its shares from Aug. 5, Twitter is worth about $9.7 billion.

10/04/2013 · No Comments Continue Reading

How a Crypto ‘Backdoor’ Pitted the Tech World Against the NSA

In August 2007, a young programmer in Microsoft’s Windows security group stood up to give a five-minute turbo talk at the annual Crypto conference in Santa Barbara.

It was a Tuesday evening, part of the conference’s traditional rump session, when a hodge-podge of short talks are presented outside of the conference’s main lineup. To draw attendees away from the wine and beer that competed for their attention at that hour, presenters sometimes tried to sex up their talks with provocative titles like “Does Bob Go to Prison?” or “How to Steal Cars – A Practical Attack on KeeLoq” or “The Only Rump Session Talk With Pamela Anderson.”

Dan Shumow and his Microsoft colleague Niels Ferguson titled theirs, provocatively, “On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng.” It was a title only a crypto geek would love or get.

09/24/2013 · No Comments Continue Reading

The Great Shift in Search

Search is evolving to fit the needs of users who don’t just want a web site, but the actual answer to the question driving the search. To stay on top semantic search technologies are key.

The ongoing list of failed search engine companies is deep and wide. Remember the likes of Excite, Lycos, or AskJeeves? Search companies that have evolved with the times and requests of their users, have thrived while those long-dead companies failed due to lost profits or because of acquisitions that changed the framework of their original offerings.

Did you know that Google’s founders were willing to sell the company to Excite’s CEO at the time for less than $1 million? An offer he happened to refuse. Would search have transitioned to a primary topic in the board room had that offer gone through?

Although Google is one of the world’s largest companies with close to a 70 percent market share in search, it must still continue to evolve lest it join the search dead pool. Looking at it and at Microsoft, we can clearly see where search technology is going from here.

09/23/2013 · No Comments Continue Reading

Users Sue LinkedIn Over Harvesting of E-Mail Addresses

Four LinkedIn users have filed a lawsuit accusing the business-oriented social network of accessing their e-mail accounts without permission, harvesting the addresses of their contacts and spamming those people with repeated invitations to join the service.

LinkedIn is “breaking into” external e-mail accounts, like Gmail or Yahoo Mail, by pretending to be the account owner

In their most explosive claim, the plaintiffs say that LinkedIn is “breaking into” external e-mail accounts, like Gmail or Yahoo Mail, by pretending to be the account owner, although the legal complaint offers no details about that assertion. Larry Russ, a lawyer for the plaintiffs, declined to comment beyond the suit.

The lawsuit, which is seeking damages on behalf of all LinkedIn users, revives a longstanding issue about the service: Does LinkedIn adequately inform its users about how it uses sensitive information, including e-mail addresses of everyone they know, and get their consent to do so?

09/21/2013 · No Comments Continue Reading

Data Protection: This Tweet Will Self-Destruct In…

The permanence of social media such as tweets presents an important challenge for data protection and privacy. This is particularly true when social media is used to communicate during crises. Indeed, social media users tend to volunteer personal identifying information during disasters that they otherwise would not share, such as phone numbers and home addresses. They typically share this sensitive information to offer help or seek assistance. What if we could limit the visibility of these messages after their initial use?

09/06/2013 · No Comments Continue Reading

The Real Reason You’re Mad at the NSA

“What’s really going on here?” That’s the question I typically ask students to kick-start a discussion about some aspect of American intelligence at the Johns Hopkins School of Advanced International Studies, where I teach a graduate course on the subject.

This same question might fairly be asked about the controversy dominating the news since the leak that revealed the intelligence community’s highly classified electronic surveillance program. Why are we so fascinated with this case? Why are some Americans outraged at the government while others are outraged at the leaker? Why do so many of us have such firm and passionate views about all of this?

At one level, the answer is simple: Intelligence is a sexy subject, particularly in the post-9/11 era. And the surveillance program was a secret, so who wouldn’t be interested? But this controversy taps into deeper cultural strains that go to the very heart of the intelligence community’s role in America, and perhaps our maturation as a nation. The bottom line is that intelligence, as a profession, still does not sit comfortably in our polity. There are a number of reasons for this.

06/17/2013 · Comments Off on The Real Reason You’re Mad at the NSA Continue Reading