Once we get past the creep factor of Nazi army uniforms, we see a communications team sending a secret message. They are using the legendary Enigma machine to encrypt the message.
But why, why did that officer allow a photographer to record this highly sensitive activity?
A failure of operational security (OPSEC). Allies in Bletchley Park would have sacrificed lives for this photo, or any photo showing the device in operation.
In June, 1999, Senator John McCain had started his presidential bid and was visiting companies in Silicon Valley, including Secure Computing Corporation, where I worked. He was there to discuss government policies on several tech topics, including the export of cryptographic technologies and products. I had been writing policy statements about crypto exports as part of my job. I’d also published my first book, Internet Cryptography, so they flew me out from Minnesota to meet the Senator.
My textbook lists categories of cyber-attacks that focus on an attack’s lasting impact: how does it affect the target’s assets and resources? Since the categories really reflect the attack’s impact on the target, they really represent risks. Here are the categories I use right now:
This is a work in progress as I figure out some conceptual ideas.
Quantum computing gives us a way in theory to quickly crack certain types of cryptography. Well-funded startups are working on prototype quantum circuits, as are big guns like Intel, Microsoft, and IBM. Success could render a lot of today’s encryption obsolete. In theory.
Academic and industrial research labs have built basic quantum circuits. If Moore’s Law applies to quantum circuits, they will be the next big thing.
I remain skeptical. Quantum computing seems like perpetual motion machines to me, though I’ve never researched reasons to support my intuition. Researcher Gil Kalai presents an argument based on computational theory and models of noise. He argues that practical computations will lose out to noise effects. I’ll be interested to see more about this.
The big news this week is a protocol flaw in the Wireless Protected Access protocol, version 2 (WPA2). The Ars Technica article covers the details pretty well. This is what every Wi-Fi wireless router on the planet uses these days. The problem does not directly damage your system, but it can uncover data you had intended to encrypt.
The technique can trick the system into reusing a cryptographic key. To keep encrypted data safe we must avoid encrypting the same data twice (here’s an example of how it fails). While crypto system designs usually account for this, the attack on WPA2 tricks the system into reusing the key.
I sympathize with developers who throw up their hands and say, “I don’t do security stuff.” No matter what you choose, there’s a trade off that could go wrong. It’s especially troublesome if one deploys a “security website.” I’ve deployed security education websites in many environments over the past 20 years, and I rarely achieve the security level I’d like.
I wanted to watch a security webinar today. But the webinar requires Adobe Flash, in which security researchers seem to uncover 1 or 2 vulnerabilities a month. I discarded Flash when upgrading my OS a couple years ago. It’s ironic that a security webinar might tempt it back onto my machine.
I have posted the fifteenth video in the Cryptosmith Series on practical basic cryptography. The video collection falls into three parts: the network crypto introduction, the DVD example, and the public-key certificate discussion.
There are also updates to other series videos. They now use the acronym “SSL” a lot more, since people recognize it more often than “TLS.” The public-key discussions now include elliptic curve algorithms, since they are very popular in state-of-the-art SSL (TLS) deployments.
An overview and notes about the series appear below. If you take the time to look at these videos, please “like” and/or comment as appropriate.
Here are a couple of short videos that describe the basic cryptographic mechanisms used in DVDs. These don’t quite fit into my Cryptosmith series, at least, not right now.
They’re short and interesting, so I went ahead and posted them.
The Cryptosmith video series uses animation to explain well-known crypto techniques. This should help more people understand crypto technology. This is particularly important as people rely more and more on mobile and Internet security mechanisms. Aside from protecting online commerce and financial activities, many professionals are realizing that their daily activities require strong protection.
[UPDATE: See the latest post to summarize the video series.]
After publishing three books on cybersecurity and cryptography I’m looking for a different medium for explaining technical concepts. While there are many online tutorial videos, most are narrated slide presentations. I’m trying something else.
I’m not often a fan of conspiracy theories, except for entertainment value. This one is interesting because it combines international intrigue, the elections, and our world of notoriously poor email security.
The conspiracy arises from foreigners trying to influence the United States election. They spy on unprotected emails and leak the contents to influence US public opinion. This isn’t limited to attacks on the Democratic candidate Hillary Clinton. Some suggest that Fox News and the Trump campaign have also been attacked this way.
We could be blocking this threat, except that pressure groups within the government want to leave as much information unprotected as possible, notably law enforcement and intelligence agencies. I think we face a greater threat from foreign exploitation of our unprotected emails than we face from impeded investigations or even a few terrorist bombs.
