You Can’t Backdoor a Platform

Cryptographic backdoors will not work. As a matter of technology, they are deeply incompatible with modern software platforms. And as a matter of policy and law, addressing those incompatibilities would require intolerable regulation of the technology sector. Any attempt to mandate backdoors will merely escalate an arms race, where usable and secure software stays a step ahead of the government.

The easiest way to understand the argument is to walk through a hypothetical. I’m going to use Android; much of the same analysis would apply to iOS or any other mobile platform.

Source: You Can’t Backdoor a Platform | Web Policy

Carnegie Mellon Computer Faces Poker Pros in Epic No-Limit Texas Hold’Em Competition

In a contest that echoes Deep Blue’s chess victory over Garry Kasparov and Watson beating two Jeopardy! Champions, computer poker software developed at Carnegie Mellon University will challenge four of the world’s best professional poker players in a “Brains Vs. Artificial Intelligence” competition beginning April 24 at Rivers Casino.

Over the course of two weeks, the CMU computer program, Claudico, will play 20,000 hands of Heads-Up No-limit Texas Hold’em with each of the four poker pros. The pros — Doug Polk, Dong Kim, Bjorn Li and Jason Les — will receive appearance fees derived from a prize purse of $100,000 donated by Microsoft Research and by Rivers Casino. The Carnegie Mellon scientists will compete for something more precious.

Source: Brains Vs. Artificial Intelligence: Carnegie Mellon Computer Faces Poker Pros in Epic No-Limit Texas Hold’Em Competition-Carnegie Mellon News – Carnegie Mellon University

“Computing the world’s strongest strategies for this game was a major achievement — with the algorithms having future applications in business, military, cybersecurity and medical arenas,” Sandholm said.

A New Vulnerability Allows DoS Attacks on iOS Devices

Basically, by generating a specially crafted SSL certificate, attackers can regenerate a bug and cause apps that perform SSL communication to crash at will. With our finding, we rushed to create a script that exploits the bug over a network interface. As SSL is a security best practice and is utilized in almost all apps in the Apple app store, the attack surface is very wide.

via “No iOS Zone” – A New Vulnerability Allows DoS Attacks on iOS Devices.

This exploit only crashes a device, making it unusable. There is no mention of making end-to-end encrypted communications vulnerable. Moving outside the range of the access point the iOS device automatically connected to should break the connection, bringing the phone back to normal.

Devices with Wi-Fi left on will try to connect themselves to any open access point. While this shouldn’t be a problem, attacks like this can happen. I would classify this attack as more of an irritant than anything serious.

Innovation boosts Wi-Fi bandwidth tenfold

Experts say that recent advances in LED technology have made it possible to modulate the LED light more rapidly, opening the possibility of using light for wireless transmission in a “free space” optical communication system.

“In addition to improving the experience for users, the two big advantages of this system are that it uses inexpensive components, and it integrates with existing WiFi systems,” said Thinh Nguyen, an OSU associate professor of electrical and computer engineering. Nguyen worked with Alan Wang, an assistant professor of electrical and computer engineering, to build the first prototype.

via Innovation boosts Wi-Fi bandwidth tenfold.

The electromagnetic spectrum with Wi-Fi can be flaky, and interconnecting access points using this spectrum can fail frequently and cause significant bandwidth problems. Integrating LED tech into devices may take time to develop some kind of standard, but using this for point-to-point wireless communication could prove very useful in certain use cases.

New Theory Leads to Gigahertz Antenna on a Chip

You can see such symmetry breaking in a once-common 20th century technology: the two-wire ribbons used during television’s first few decades to send RF signals from rooftop VHF antennas to television sets without any loss. The electric RF currents in the two conductors flow in opposite directions and have opposite phase. Because of the translational symmetry (the two conductors are parallel) the radiation fields cancel each other out, so there is no net radiation into space. But if you would flare the ends of the two conductors at one end of the ribbon, they aren’t parallel anymore and you break the translational symmetry. The two electric fields are no longer aligned and don’t cancel each other out, causing the RF signal to be converted into electromagnetic radiation.

via New Theory Leads to Gigahertz Antenna on a Chip – IEEE Spectrum.

Google Wants To Speed Up The Web With Its QUIC Protocol

On a typical secure TCP connection, it typically takes two or three round-trips before the browser can actually start receiving data. Using QUIC, a browser can immediately start talking to a server it has talked to before. QUIC also introduces a couple of new features like congestion control and automatic re-transmission, making it more reliable than pure UDP.

via Google Wants To Speed Up The Web With Its QUIC Protocol | TechCrunch.

Users who connect to YouTube over QUIC report about 30 percent fewer rebuffers when watching videos and because of QUIC’s improved congestion control and loss recovery over UDP, users on some of the slowest connections also see improved page load times with QUIC.

Google says it plans to propose HTTP2-over-QUIC to the IETF as a new Internet standard in the future.

Decertifying the worst voting machine in the US

I’ve been in the security field for 30 years, and it takes a lot to surprise me. But the VITA report really shocked me – as bad as I thought the problems were likely to be, VITA’s five-page report showed that they were far worse. And the WinVote system was so fragile that it hardly took any effort. While the report does not state how much effort went into the investigation, my estimation based on the description is that it was less than a person week.

via Decertifying the worst voting machine in the US.

So how would someone use these vulnerabilities to change an election?

  1. Take your laptop to a polling place, and sit outside in the parking lot.
  2. Use a free sniffer to capture the traffic, and use that to figure out the WEP password (which VITA did for us).
  3. Connect to the voting machine over WiFi.
  4. If asked for a password, the administrator password is “admin” (VITA provided that).
  5. Download the Microsoft Access database using Windows Explorer.
  6. Use a free tool to extract the hardwired key (“shoup”), which VITA also did for us.
  7. Use Microsoft Access to add, delete, or change any of the votes in the database.
  8. Upload the modified copy of the Microsoft Access database back to the voting machine.
  9. Wait for the election results to be published.

The Freedom to Tinker blog has been doing research on voting machines for a very long time, although in this case they are reporting the results of research done by Virginia IT people in their decertification. In the past, most vulnerabilities uncovered required physical access to a voting machine and a bit of skullduggery, making it difficult to change votes on a large scale. I simply cannot comprehend for what purpose these voting devices needed to be on a Wi-Fi network other than someone thought it was “cool.” This entire report is mind-boggling and makes me wonder how many more areas of the country are doing this now.

US Report Claims In-Flight Entertainment Leaves Planes Open to Cyberattacks; Others Disagree

A new report from the U.S. Government Accountability Office (GAO) warns that in-flight Wi-Fi, including wireless entertainment and internet-based cockpit communications, may allow hackers to gain remote access to avionics systems and compromise them. However, other experts disagree and call the report “deceiving.”

via US Report Claims In-Flight Entertainment Leaves Planes Open to Cyberattacks; Others Disagree.

From:  Cyberhijacking Airplanes: Truth or Fiction? – DEFCON-22-Phil-Polstra-Cyber-hijacking-Airplanes-Truth-or-Fiction-Updated.pdf.

Closing Thoughts
● Nearly every protocol used in aviation is unsecured
● There is certainly the potential to annoy ATC and/or small aircraft
● Increasing automation while continuing with unsecured protocols is problematic
● Airliners are relatively safe (for now)

The above pdf is a good read.

Statistics Will Crack Your Password

This means that the top 13 unique mask structures make up 50% of the passwords from the sample. Over 20 million passwords in the sample have a structure within the top 13 masks.

via Statistics Will Crack Your Password.

Based on analyzing the data, there are logical factors that help explain how this is possible. When users are asked to provide a password that contains an uppercase letter, over 90% of the time it is put as the first character. When asked to use a digit, most users will put two digits at the end of their password (graduation year perhaps).
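
The mask idea in the excerpt above can be used as a password-audit check. The following is an added example, not code from the linked article or this blog: it reduces each password to its character-class structure, measures how much of a set the most common structures cover, and flags a candidate password that follows one of them. The ?u/?l/?d/?s notation, the function names and the sample passwords are assumptions constructed for illustration.

```python
from collections import Counter
import string

def mask(password):
    """Return the structure of a password: ?u upper, ?l lower, ?d digit, ?s other."""
    tokens = []
    for ch in password:
        if ch in string.ascii_uppercase:
            tokens.append("?u")
        elif ch in string.ascii_lowercase:
            tokens.append("?l")
        elif ch in string.digits:
            tokens.append("?d")
        else:
            tokens.append("?s")
    return "".join(tokens)

def top_mask_coverage(passwords, n):
    """Fraction of the set whose mask is one of the n most common masks."""
    counts = Counter(mask(p) for p in passwords)
    return sum(c for _, c in counts.most_common(n)) / len(passwords)

def uppercase_first_rate(passwords):
    """Among passwords containing an uppercase letter, the share that start with one."""
    with_upper = [p for p in passwords if "?u" in mask(p)]
    return sum(mask(p).startswith("?u") for p in with_upper) / len(with_upper)

def is_predictable(candidate, passwords, n):
    """Policy check: does the candidate share its structure with the top n masks?"""
    counts = Counter(mask(p) for p in passwords)
    return mask(candidate) in {m for m, _ in counts.most_common(n)}

# Constructed sample for illustration; not data from the article.
SAMPLE = ["Summer15", "Winter14", "Monkey12", "Dragon99", "Password1",
          "letmein", "qwerty", "abc123", "Tr0ub4dor&3", "x9$Lq!v2"]

if __name__ == "__main__":
    print("top-1 mask coverage:", top_mask_coverage(SAMPLE, 1))
    print("uppercase-first rate:", round(uppercase_first_rate(SAMPLE), 2))
    print("Autumn16 predictable:", is_predictable("Autumn16", SAMPLE, 1))
```

A password-change form could run the same check against the structures seen in a breach corpus and ask the user to pick something less common.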

Nokia Agrees to $16.6 Billion Takeover of Alcatel-Lucent

LONDON — The Finnish telecommunications company Nokia said on Wednesday that it had agreed to an all-stock deal to acquire Alcatel-Lucent that valued its French rival at about $16.6 billion.

The combined company is expected to become the world’s second-largest telecom equipment manufacturer, behind Ericsson of Sweden, with global revenues totaling $27 billion and operations spread across Asia, Europe and North America.

via Nokia Agrees to $16.6 Billion Takeover of Alcatel-Lucent – NYTimes.com.