Research Group Cracks Taiwan's National "Smart Card" Digital Certificates

Ironically, it is often the ineptitude and incompetence of our security protocols that leave us the most insecure. Is there anyone more vulnerable to attack than the person who thinks they are invulnerable because they have received reassuring platitudes and slogans from those running the security racket? From Smart Facts, a report by a group of international researchers:
An attacker can efficiently factor at least 184 distinct 1024-bit RSA keys from Taiwan's national "Citizen Digital Certificate" database. The big story here is that these keys were generated by government-issued smart cards that were certified secure. The certificates had all the usual buzzwords: FIPS certification from NIST (U.S. government) and CSE (Canadian government), and Common Criteria certification from BSI (German government).

These 184 keys include 103 keys that share primes and that are efficiently factored by a batch-GCD computation. This is the same type of computation that was used last year by two independent teams (USENIX Security 2012: Heninger, Durumeric, Wustrow, Halderman; Crypto 2012: Lenstra, Hughes, Augier, Bos, Kleinjung, Wachter) to factor tens of thousands of cryptographic keys on the Internet.

The remaining 81 keys do not share primes. Factoring these 81 keys requires taking deeper advantage of randomness-generation failures: first using the shared primes as a springboard to characterize the failures, and then using Coppersmith-type partial-key-recovery attacks. This is the first successful public application of Coppersmith-type attacks to keys found in the wild.
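
The batch-GCD check mentioned in the report is something a certificate issuer or auditor can run over its own key inventory to catch shared primes before anyone else does. The sketch below is an added example, not code from the Smart Facts researchers; the moduli are constructed from tiny primes for readability, and the function names are illustrative. It uses a product tree and remainder tree, and handles the edge case where a modulus shares both of its primes with other keys.

```python
from math import gcd, prod

# Constructed toy moduli (tiny primes for readability; real keys are 1024-bit+).
SAMPLE = [
    101 * 103,  # key 0: shares 101 with key 1
    101 * 107,  # key 1
    109 * 113,  # key 2: shares 113 with key 4
    127 * 131,  # key 3: no shared prime
    113 * 137,  # key 4
]

def product_tree(values):
    """Levels of the product tree: leaves first, single root last."""
    levels = [list(values)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([prod(cur[i:i + 2]) for i in range(0, len(cur), 2)])
    return levels

def batch_gcd(moduli):
    """Return gcd(N_i, product of all other moduli) for every N_i."""
    levels = product_tree(moduli)
    rems = levels[-1]  # root: P = product of all moduli
    for level in reversed(levels[:-1]):
        # Remainder tree: push P down, reducing modulo each node squared.
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(level)]
    # (P mod N_i^2) // N_i equals (P / N_i) mod N_i.
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]

def audit(moduli):
    """Map index -> factors for every modulus sharing a prime with another."""
    findings = {}
    for i, (n, g) in enumerate(zip(moduli, batch_gcd(moduli))):
        if 1 < g < n:
            findings[i] = tuple(sorted((g, n // g)))
        elif g == n:
            # Both primes occur elsewhere, or the modulus is duplicated:
            # the batch result is N itself, so fall back to pairwise GCDs.
            hits = [h for m in moduli if 1 < (h := gcd(n, m)) < n]
            findings[i] = tuple(sorted((hits[0], n // hits[0]))) if hits else (n,)
    return findings

if __name__ == "__main__":
    for idx, factors in audit(SAMPLE).items():
        print(f"key {idx}: weak, factors {factors}")
```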

Blue Jay: Police Twitter Surveillance App

Ars Technica has a lengthy and interesting piece on Blue Jay, a Twitter live feed scanner intended for use by law enforcement officers, from a company with connections deep inside the US intelligence bureaucracy.  From Ars:

  . . . the "Law Enforcement Twitter Crime Scanner," which provides real-time, geo-fenced access to every single public tweet so that local police can keep tabs on #gunfire, #meth, and #protest (yes, those are real examples) in their communities. BlueJay is the product of BrightPlanet, whose tagline is "Deep Web Intelligence" and whose board is populated with people like Admiral John Poindexter of Total Information Awareness infamy.
BlueJay allows users to enter a set of Twitter accounts, keywords, and locations to scan for within 25-mile geofences (BlueJay users can create up to five such fences), then it returns all matching tweets in real-time. If the tweets come with GPS locations, they are plotted on a map. The product can also export databases of up to 100,000 matching tweets at a time.

Online Learning: Three Free Introduction to Computer Science Courses

These days, with a bit of perseverance and discipline, it is entirely possible to receive a world class education in computer science for free online from the comfort of your own home. Many of the top computer science departments at US universities make their course lectures and materials freely available on the net, providing motivated individuals with a range of choices that is almost unbelievable in its scope. In this post, we'll take a look at three Introduction to Computer Science courses that have been made freely available online from Harvard, MIT and Stanford. The Harvard course provides an introduction to C, PHP and JavaScript. Stanford focuses on Java. And MIT utilizes the Python programming language.

Harvard's Intensive Introduction to Computer Science
Course site and description:
This free online computer science course is an introduction to the intellectual enterprises of computer science. Topics include algorithms (their design, implementation, and analysis); software development (abstraction, encapsulation, data structures, debugging, and testing); architecture of computers (low-level data representation and instruction processing); computer systems (programming languages, compilers, operating systems, and databases); and computers in the real world (networks, websites, security, forensics, and cryptography). The course teaches students how to think more carefully and how to solve problems more effectively. Problem sets involve extensive programming in C as well as PHP and JavaScript.
Stanford's Introduction to Computer Science and Programming Methodology
Course site and description:
This course is the largest of the introductory programming courses and is one of the largest courses at Stanford. Topics focus on the introduction to the engineering of computer applications emphasizing modern software engineering principles: object-oriented design, decomposition, encapsulation, abstraction, and testing. 
Programming Methodology teaches the widely-used Java programming language along with good software engineering principles. Emphasis is on good programming style and the built-in facilities of the Java language. The course is explicitly designed to appeal to humanists and social scientists as well as hard-core techies. In fact, most Programming Methodology graduates end up majoring outside of the School of Engineering. 
MIT's Introduction to Computer Science and Programming
Course site and description:
This subject is aimed at students with little or no programming experience. It aims to provide students with an understanding of the role computation can play in solving problems. It also aims to help students, regardless of their major, to feel justifiably confident of their ability to write small programs that allow them to accomplish useful goals. The class will use the Python programming language.  Many of the problem sets focus on specific topics, such as virus population dynamics, word games, optimizing routes, or simulating the movement of a Roomba.

iPhone Fingerprint ID: More Trouble Than It's Worth?

If you believe the security pronouncements of any of the giant tech firms, please leave your information in the comments, I have a bridge to sell you.  Of course, the mainstream media are not nearly so skeptical.  Indeed, they're eating it up.  From Bloomberg:
Apple’s use of fingerprint scanning in its new iPhone models could lead more device makers to adopt the authentication method as a successor to passwords -- and that’s fine with privacy advocates.

The introduction coincides with the rise of cybercrime and revelations that the U.S. National Security Agency has intercepted Internet communications and cracked encryption codes on devices including the iPhone.

Apple said that on the new iPhone, information about the fingerprint is stored on the device and not uploaded to company networks -- meaning it wouldn’t be in data batches that may be sent to or collected by U.S. intelligence agencies under court orders.

“They’re not building some vast biometric database with your identity associated with your fingerprint that the NSA could then get access to,” Joseph Lorenzo Hall . . . .
That latter quote is rather funny, as governments and corporations routinely deny that they are building vast databases on us as they build vast databases on us.  Wired is a bit more circumspect:
There’s a lot of talk around biometric authentication since Apple introduced its newest iPhone, which will let users unlock their device with a fingerprint. Given Apple’s industry-leading position, it’s probably not a far stretch to expect this kind of authentication to take off. Some even argue that Apple’s move is a death knell for authenticators based on what a user knows (like passwords and PIN numbers).
While there’s a great deal of discussion around the pros and cons of fingerprint authentication — from the hackability of the technique to the reliability of readers — no one’s focusing on the legal effects of moving from PINs to fingerprints.
Because the constitutional protection of the Fifth Amendment, which guarantees that “no person shall be compelled in any criminal case to be a witness against himself,” may not apply when it comes to biometric-based fingerprints . . .

Technophobic Court Warns Against Open Source Software

From the EFF:
Should we fear open source software? Of course not. But that hasn’t stopped federal courts from issuing bizarre warnings like this:
The court would like to make CM/ECF filers aware of certain security concerns relating to a software application or “plug-in” called RECAP … Please be aware that RECAP is “open-source” software, which can be freely obtained by anyone with Internet access and modified for benign or malicious purposes … .
To understand this strange edict, we need to review the history of RECAP and why it might be unpopular with court officials . . .
Read the whole thing for all the gory details. 

Technologically Illiterate Court Claims Use of Open Wifi Is Wiretapping

While government agencies illegally and routinely spy on our everyday communications without repercussion, a court has ruled that sniffing open wifi signals may be considered wiretapping.  From Tech Dirt:
A couple years ago, we were disappointed to see a judge take the technologically wrong stance that data transmitted over WiFi is not a "radio communication," thereby making sniffing of unencrypted WiFi signals potentially a form of wiretapping. Indeed, based on that, the court eventually ruled that Google's infamous WiFi sniffing could be a violation of wiretap laws. This is wrong on so many levels... and tragically, an appeals court has now upheld the lower court's ruling.

There are serious problems with this. Under no reasonable view is WiFi not a radio communication first of all. That's exactly what it is. Second, sniffing unencrypted packets on an open network is a perfectly normal thing to do. The data is unencrypted and it's done on a network that is decidedly open. It's like saying it's "wiretapping" for turning on your radio and having it catch the signals your neighbor is broadcasting. That's not wiretapping. Third, even the court here admits that based on this ruling, parts of the law don't make any sense, because it renders those parts superfluous. Generally speaking, when a court ruling would render a part of a law completely superfluous, it means that the court misinterpreted the law . . . 

Coming Soon: Wireless Charging

From Tech Crunch:
Wireless power. It’s less sci-fi sounding than it once was, thanks to induction charging like that based on the Qi standard, but that’s still a tech that essentially requires contact, if not incredibly close proximity. Magnetic resonance is another means to achieve wireless power, and perfect for much higher-demand applications, like charging cars. But there’s been very little work done in terms of building a solution that can power your everyday devices in a way that doesn’t require thought or changing the way we use our devices dramatically. That’s where Cota by Ossia comes in.

The startup is the brainchild of physicist Hatem Zeine, who decided to focus on delivering wireless power in a way that was commercially viable, both for large-scale industrial applications and for consumer use . . .