PDP 1s and Model Trains
Elsewhere on the Internet last week, people were solving a mystery about a PDP-1 running a model train. People who know about such things acknowledge that the “Tech Model Railroad Club” (TMRC) at MIT used a PDP-1 to operate its layout for a few years. The photo at the left, along with a similar one,…
-
Cities, Disneyland, and Software Security
I like to think of our modern software infrastructure as being like a large city and posing the same trade-offs between risk and reward. We don’t wander carelessly around cities because of pickpockets, muggers, and crazy drivers. A city’s risks arise from its freedom, as does the city’s lure as a destination. To be a…
-
libhairshirt vs libfootgun
Peter Gutmann, an interesting crypto-academic from New Zealand, has proposed discussing two crypto libraries, libhairshirt and libfootgun: Gutmann’s comments arose while discussing the relative ease of making mistakes with modern crypto techniques. The discussion took place on the cryptography mailing list. Gutmann says he plans to write more of his observations about this one of…
-
Cloud Security Specialization Launched
The University of Minnesota now offers a Cloud Security specialization through Coursera. It contains four courses (the fourth should be finished in early 2021). While the University does not offer course credit for completing the specialization, I am using it as the basis for a graduate course this spring, offered as part of the Master…
-
Memory Sizes: Now with zetta and yotta!
One of the most popular pages on this site provides a simple conversion to map numbers of various sizes to the corresponding memory storage sizes in bits (mathematicians and other geeks often call this “log base 2”). The popular table now includes all of the international standard integer size names. I’ve also expanded the discussion…
-
Selling It: Crypto Edition
Here is a crypto version of “Selling It,” a long-running back-page column in the magazine Consumer Reports. For those unsure of the acronyms, “SHA-256” stands for a version of the Secure Hash Algorithm yielding a 256-bit output. SHA is not encryption. People have used hash algorithms for encryption, but the results are poor. “Selling It”…
-
Old Story: Leaked Voter Records
My previous posting on the Proud Boys spam email speculated that voter records were widely available for such purposes. Here’s a story from 2017 reporting that voter data for about 198 million Americans was spilled from a “storage bucket” on Amazon’s Simple Storage Service (S3). The story shines a light on “big data” in elections…
-
“Proud Boys” Emails Are Bogus
The Proud Boys emails aren’t actual threats. They’re the lowest form of anonymous spam.
-
2021 MSSE Cloud Security Elective
UPDATE: This elective will be offered to second-year MSSE students at the University of Minnesota as SENG 5721 in Spring 2021. Members of the University of Minnesota’s MSSE Class of 2021: I am offering a Cloud Security elective based on the Coursera Cloud Security specialization currently under development. The first course, Cloud Security Basics, is already…
-
Krebs’ Three Rules
Like most people, I’m drawn to those small lists of “rules” that promise to make our lives better. Brian Krebs reposted a list back in May that we all need to share with our older loved ones: three basic rules of online safety.
-
Basic Tech-y Article on Password Hacking
Here’s an article from last year’s Scientific American: The Mathematics of (Hacking) Passwords. If you remember your logarithms, it’s a decent read. If you don’t, you can skip the math and read the details: why longer passwords are better. (The left-hand diagram comes from Figure 2.6 of Authentication.)
-
Assessing an Email’s Legitimacy
I recently received an email sporting “Wells Fargo” logos. It asked me to do a survey. It was actually sent from the domain ‘morpace.com,’ which used to belong to a product survey company. When I googled the name ‘morpace’ the first thing I found was that the company had probably changed its name over a…
-
Beware of Phone Phishing
Just because the email (or letter) directs you to a phone number doesn’t mean you aren’t being phished. The nearby image shows part of a recent phishing email. It claims that I ordered a laptop/tablet from Microsoft for delivery to an unfamiliar address in Las Vegas. I’ve warned readers in other blog posts to always…
-
Solo Studio for Video Lectures
I’ve been recording video lectures for a Coursera specialization in cloud computing. The first of the four courses is available right now. I’ve been asked to describe how I do this, so here we go. The nearby image shows how the videos appear: I’m on the right, talking, and we have animated diagrams or bullets…
-
FCPX and the Solo Studio
In other posts I describe how I’m producing videos for a Coursera specialization. This is a solo operation. I don’t have someone to hold the camera or answer the phone while I’m recording. When things go well, I produce exactly two, audio-synced video streams: the slide show presentation and my talking head captured by video…
-
“Eyes Only” Revisited
I was poking around declassified documents from the National Reconnaissance Office (NRO) and found a reference to “Eyes Only” from when they reorganized their BYEMAN control channel in 1993. They seemed to use it to indicate material “above Top Secret.” In an earlier post I argued that “Eyes Only” meant “above Top Secret” primarily in…
-
Self-teaching a little security thinking
There’s a particular mindset we call security thinking. I’ve also seen it called ‘reasoned paranoia.’ The National Security Agency (NSA) recently published a survey of Internet conferencing products [updated link] that’s interesting for its evaluations. More interesting for me were its recommendations on conducting a secure conference at the endpoints.…
-
About …
Cryptosmith Institute is a retirement-time enterprise of Dr. Rick Smith, author of Elementary Information Security (Jones and Bartlett, 2011, 2015, 2020), Internet Cryptography (Addison-Wesley, 1997) and Authentication: From Passwords to Public Keys (Addison-Wesley, 2002). Rick is an occasional lecturer for the MSSE program at the University of Minnesota. His 16-week course Cybersecurity in the Cloud is available online.…
-
Detecting a Phish on an iPhone
In their obsession with simplifying the phone interface, the iPhone designers make it a bit harder to detect dangerous emails. Here is an email claiming to be from “Humana Health” asking me to pay for my COVID-19 insurance, whatever that might be. The structure, layout, and English are convincing. The mail software displays the name…
-
Online Course in Cloud Security Basics
I now offer an online course on Cloud Security Basics under the auspices of the University of Minnesota and hosted by Coursera. I am still working on three subsequent courses to fill out a 4-part specialization in Cloud Security. I’m looking at online courses as an alternative to writing books.
-
Life Cycle of a Security Bug
Unlike members of the insect family, computer software bugs live forever. Software security bugs (well, flaws) are especially troubling since they demand respect from every software developer now and forever. We want to believe we can “eradicate” software flaws through reviews, testing, and vigilance. Eradication is a myth. A flaw’s spores simply go dormant to…
-
“Eyes Only” Security Marking
[This post has been UPDATED three times since first published, most recently on Nov 14, 2019] Occasionally in the news (and more often in spy fiction) people pass around super-secret documents marked “Eyes Only.” The United Kingdom and Canada use “Eyes Only” to indicate specific countries with whom a document may be shared. “UK Eyes…
-
WPA2 Packet Frame Format
Wireless Protected Access, Version 2 (WPA2) is the version of Wi-Fi security used in most cases today. This diagram illustrates the general layout of the security data used by WPA2. There’s a new version coming out, WPA3, but it doesn’t seem to be in any products yet. I put this diagram together several years ago…
-
Ethics and Chatbots
I was online chatting at a web site to repair my lawn tractor. Once I finished, I said, “So you’re a chatbot. Cool.” I’m sure I was talking to a chatbot program and not a human. The reply was a brief but emphatic “No!” I’m not sure how to interpret that. Will a company be…