Blog Archives

Attack of the Week: Triple Handshakes (3Shake)

The other day Apple released a major security update that fixes a number of terrifying things that can happen to your OS/X and iOS devices. You should install it. Not only does this fix a possible remote code execution vulnerability in the JPEG parser (!), it also patches a TLS/SSL protocol bug known as the “Triple Handshake” vulnerability. And this is great timing, since Triple Handshakes are something I’ve been meaning (and failing) to write about for over a month now.

But before we get there: a few points of order.

First, if Heartbleed taught us one thing, it’s that when it comes to TLS vulnerabilities, branding is key. Henceforth, and with apologies to Bhargavan, Delignat-Lavaud, Pironti, Fournet and Strub (who actually discovered the attack*), for the rest of this post I will be referring to the vulnerability simply as “3Shake”.

On a more serious note, 3Shake is not Heartbleed. That’s both good and bad. It’s good because Heartbleed was nasty and 3Shake really isn’t anywhere near as dangerous. It’s bad since, awful as it was, Heartbleed was only an implementation vulnerability — and one in a single TLS library to boot. 3Shake represents a novel and fundamental bug in the TLS protocol.

The final thing you should know about 3Shake is that, according to the cryptographic literature, it shouldn’t exist.

How do you know if an RNG is working?

Last week, Edward Snowden spoke to a packed crowd at SXSW about the many problems (and limited solutions) facing those of us who want to keep our communications private. Snowden said a number of things — including a shout out to Moxie’s company Whisper Systems, who certainly deserve it. But instead of talking about that, I wanted to focus on (in my opinion) one of Snowden’s most important quotes:

We need all those brilliant Belgian cryptographers to go “alright we know that these encryption algorithms we are using today work, typically it is the random number generators that are attacked as opposed to the encryption algorithms themselves. How can we make them [secure], how can we test them?”

Now it’s possible I’m a little biased, but it seems to me this cuts to the core of our problems with building secure systems in an increasingly hostile world. Namely: most encryption relies on some source of “random” numbers, either to generate keys or (particularly in the case of public key encryption) to provide semantic security for our ciphertexts.

What this means is that an attacker who can predict the output of your RNG — perhaps by taking advantage of a bug, or even compromising it at a design level — can often completely decrypt your communications. The Debian project learned this firsthand, as have many others. This certainly hasn’t escaped NSA’s notice, if the allegations regarding its Dual EC random number generator are true.

All of this brings us back to Snowden’s quote above, and the question he throws open for us. How do you know that an RNG is working? What kind of tests can we run on our code to avoid flaws ranging from the idiotic to the highly malicious? Unfortunately this question does not have an easy answer. In the rest of this post I’m going to try to explain why.

Can Hackers Decrypt Target’s PIN Data?

Slightly longer answer: it depends on whether they have access to the encryption key, or to a machine that contains the encryption key.

In case you have no idea what I’m talking about: there was recently a massive credit card breach at Target. If you’re like many people you probably heard about this three times. First in the news, then again in your email when Target notified you that you were a victim, and finally a third time when you checked your credit card bill. Not a proud day for our nation’s retailers.

The news got a bit messier today when Target announced the thieves had also managed to get their hands on the PIN numbers of unfortunate debit card customers. But this time there’s a silver lining: according to Target, the PIN data was encrypted under a key the hackers don’t have.

700 Domains Seized as Part of Anti-Counterfeit Crackdown

Law enforcement agencies from three continents seized more than 700 domains on Tuesday for selling counterfeit goods. US Immigration and Customs Enforcement (ICE), Europol, and Hong Kong Customs worked together on the project, which was called “In Our Sites, Project Cyber Monday IV” in the US. The agencies were coordinated by the National Intellectual Property Rights Coordination Center.

The US government is now targeting for seizure the PayPal accounts used by the websites, as well as $175,000 of criminal proceeds. eBay is cooperating with the investigation and made a statement in support of the efforts of law enforcement to protect its customers and brand.

The Daunting Challenge of Secure E-mail

When users of Lavabit, an encrypted e-mail service, logged on to the site this past August, they found a bewildering letter on the site’s main page. Ladar Levison, the founder and sole employee of Lavabit, had shut down his business rather than “become complicit in crimes against the American people.” Lavabit subscribers would later discover that Levison had walked away because federal investigators had asked him to hand over his master decryption key, which would have granted them unfettered access to most of Lavabit’s data. Shortly afterward, the encryption provider Silent Circle followed suit, summarily deleting its users’ stored mail and mothballing its e-mail servers. In the wake of the Snowden revelations, which should have driven demand for their services, encrypted e-mail providers were, in the United States at least, rapidly becoming an endangered species. This leads to a question that has received relatively little attention: Why is encrypted e-mail so rare in the first place?

UN Team to Begin Syria CW Site Inspections ‘Within Next Week’

The Organisation for the Prohibition of Chemical Weapons (OPCW) is reviewing additional information received from Syria about its chemical weapons stockpiles, a United Nations spokesperson has said, ahead of onsite inspections and initial disabling of equipment which could start as early as next week. The OPCW Technical Secretariat, which together with the UN forms the team tasked with overseeing the destruction of Syria’s chemical weapons production facilities, received information that was “additional to the disclosure on its chemical weapons program which Syria submitted on September 21,” UN spokesperson Martin Nesirky told reporters at UN Headquarters in New York on Friday.

Not Even NSA Can Crack State Department’s Totally Anonymous Network

A far-flung group of geeks, supported by the U.S. State Department, has built a tool for anonymous communication that’s so secure that even the world’s most sophisticated electronic spies haven’t figured out how to crack it.

That’s the takeaway from the latest revelations from National Security Agency leaker Edward Snowden. The NSA has used aggressive computer attack techniques to monitor people using the Tor network, a service that’s funded by the U.S. government and allows users to remain anonymous when they’re connected to the Internet. But the agency has not been able to undermine the core of the Tor system, which was developed by the U.S. Naval Research Laboratory in 2002. It remains a viable means for people to connect to the Internet anonymously. Although Tor’s complete reliability has been called into question in light of the NSA’s efforts — which may have begun as early as 2006, according to the Washington Post — for now it’s State Department 1, NSA 0, in the anonymity wars.

3D Printed Smart Phone Nanocopter

Hex is a completely open source nanocopter kit made by a community of makers from around the world. It’s also the world’s first consumer electronic product that uses 3D printing technology to achieve personalization.

Formula for Creating Billion-Dollar (Internet) Companies

“We often think of (how) the Internet enables you to do new things,” Ev Williams told a recent XOXO conference in Portland, Oregon. “But people just want to do the same things they’ve always done.”

Williams, in cofounding Blogger, Twitter, and Medium, has helped make much of the Internet we know today, and he has come to the realization that the Internet is “a giant machine designed to give people what they want.”

In this way, he says, organizing your startup around the Next Big Idea isn’t nearly as useful (or profitable) as taking a Very Old Problem and solving it in A New Way.