You are here

Example of KISS

Ok, this is a backwards observation.

One of my hot buttons is to spot "cyber security principles," that is, general but pointed observations on how to improve cyber security. 

A long-held principle is "Keep it Simple, Stupid." Thanks to Moore's Law and the constantly falling price of ever bigger, faster, and more complex tech, no one puts much effort into keeping things simple. The extra features draw more customers even if they make the tech more fragile.

Wordpress tag: 
Post category: 

Phishing email from the Adobe Compromise

Malicious email from Adobe database

This email arrived yesterday. It was sent to an address that only exists in the databases of Adobe and of my email provider. Given that Adobe's customer databases were looted earlier this fall by hackers, I suppose it was a matter of time.

For the uninitiated, I strongly warn you NOT to try to follow the link in that email. If it's only slightly malicious, then the web page will try to tease me out of personal information. After all, this is a job offer, and employers are obliged to collect SSNs and other personal information. 

If it's seriously malicious, then the web page will send me a malicious MS Word or Acrobat file, or perhaps just some web-based scripts, that poke around on my machine looking for weaknesses. 

Wordpress tag: 
Post category: 

My Revised Backup Mechanism

RAID towerI've posted a lot of now-obsolete descriptions of how I used RAID to do multiple off-site backups of my computer. Originally my process was built around my now-obsolete Mac Pro computer with its rack of removable hard drives.

My new computer does not contain such a rack, so I bought a USB-3 drive bay that holds up to 4 hard drives and provides built-in RAID and drive mirroring. 

I've also signed up with CrashPlan to do off-site backup. I like CrashPlan because the backups are encrypted and they don't think it's their business to keep a copy of my backup's encryption key. This isn't because I have some mania for secrecy. It's to keep the backup compnay honest. If they can't possibly look at my information then they won't be tempted to do so. A "free" backup service, on the other hand, may examine your files and sell the information they find to market research firms.

Wordpress tag: 
Post category: 

RC4, SSL, and deck chairs on the Titanic

ChromeChrome has sensibly increased the key sizes it expects in public-key transactions (see here and here). However, Chrome still silently accepts RC4 encryption, even though RC4 has been vulnerable to attack for over a decade. 

This is like putting a heavy padlock on a cardboard box.

Even so, 7 out of the top 10 US web sites still use RC4. This includes sites with a lot to lose like Amazon and eBay as well as Google itself. The other weaklings in the Top 10 are LinkedIn, Wikipedia, Twitter, and Google's Youtube (as weak as their owner).

Wordpress tag: 
Post category: 

Internet crypto cracking is no real surprise

Old Lock LogoThe Guardian has recently published a report on how the NSA and the UK's GCHQ have been routinely cracking cryptography used on the Internet. Seriously, this is no surprise. Lots and lots of sites routinely use "RC4" encryption, whose vulnerablility has been well known for over a decade

I also hadn't realized the extent to which American citizens in general are considered "the enemy" by the NSA. Their duplicitous role in Internet standards is breathtaking. It may be the grandest example of social engineering. Ever.

Post category: 

A gentle crypto introduction

Grade School CryptoLast week I produced an introductory crypto video. It uses animation to illustrate simple substitution ciphers. The 10-minute video introduces the concepts of algorithm, key, key sharing, modular arithmetic, cipher disks, and code cracking via frequency analysis.

I used a 3D modeling package to produce cartoon characters for Bob, Alice, and Eve. In the back story they are school children, and only Eve has a cell phone. Bob and Alice use simple ciphers to share texts via Eve's cell phone, and the ciphers keep Eve from reading the texts first.

Wordpress tag: 
Post category: 

Practical Cryptography: Science or Engineering?

There are comments flying around as to whether cryptography should be approached as a science or as engineering. It apparently started on Twitter. Bruce Schneier has weighed in and linked to an interesting essay by Colin Percival

The actual border lands might not be surveyed yet, but I believe there's a distinct field of cryptographic engineering, just as computer architecture can be independent of circuit design. In both cases we try to establish design rules so that engineers can build things with predictable properties. In both cases we can push the envelope of those rules and yield disaster. 

We establish an engineering discipline by trying to codify the design rules, teach them, build with them, and assess the results. That's what we see in security/cryptographic engineering these days. It's healthy even though we end up with occasional vulnerabilities.

Post category: 

Trying Disqus

I am tired of doing site maintenance - it gets in the way of things I ought to be doing instead.

The only reason I want users to log in is to post comments. I've decided to try one of these all-in-one comment management sites. I tripped over Disqus a while back and now I'm giving it a try.

Post category: 

Von Neumann Explains Computers, 1946

Jon von Neumann

John von Neumann published the earliest and most influential discussions of how to build electronic digital computers. His earliest known publication on computer design was actually a draft report he created in June, 1945, that was widely distributed among the infant community of computer developers. 

On May 15, 1946, von Neumann gave a detailed talk about the general principles of computer design. He was addressing the US Navy's Mathematical Computing Advisory Panel, a group that oversaw the Navy's computing R&D progams. Like the earlier draft, this talk was quickly transcribed, mimeographed, and distributed. The resulting paper was titled "The Principles of Large-Scale Computing Machines."

My father was about to be discharged from the Navy as this was taking place. He had spent World War II working on classified electronics in Boston. The Navy offered him a civilian job overseeing computer research projects. Thus, a copy of von Neumann's "Principles" paper ended up in his archives. 

I have made a PDF copy of this paper and posted it here. This is a sort of companion to Whirlwind block diagrams I posted earlier. 


Wordpress tag: 
Post category: 

Odd new form of malicious spam

Malicious email

 I received the email displayed at the right. While Larry Grinnell is indeed a friend of mine who sends me email, the sender's email address was not his. This is one of several emails I've received, all extremely brief, and all with the exact same, format. The Subject line contains an exclamation. The body text contains my name and a single URL. I started saving them and experimenting with the URLs.

The first URL led to a place in Russia that displayed a weight-loss ad. I used a VM running Chrome to open it. When I used the same VM to open the more recent one (shown above) the VM crashed. I expected that. What I didn't expect was for it to take my whole desktop down, too. 

Post category: 


Theme by Danetsoft and Danang Probo Sayekti inspired by Maksimer