Cryptographic backdoors will not work. As a matter of technology, they are deeply incompatible with modern software platforms. And as a matter of policy and law, addressing those incompatibilities would require intolerable regulation of the technology sector. Any attempt to mandate backdoors will merely escalate an arms race, where usable and secure software stays a step ahead of the government.
The easiest way to understand the argument is to walk through a hypothetical. I’m going to use Android; much of the same analysis would apply to iOS or any other mobile platform.
Category Archives: Technical
Inside the NSA’s War on Internet Security
The NSA also has “major” problems with Truecrypt, a program for encrypting files on computers. Truecrypt’s developers stopped their work on the program last May, prompting speculation about pressures from government agencies. A protocol called Off-the-Record (OTR) for encrypting instant messaging in an end-to-end encryption process also seems to cause the NSA major problems. Both are programs whose source code can be viewed, modified, shared and used by anyone. Experts agree it is far more difficult for intelligence agencies to manipulate open source software programs than many of the closed systems developed by companies like Apple and Microsoft. Since anyone can view free and open source software, it becomes difficult to insert secret back doors without it being noticed.
via Inside the NSA’s War on Internet Security – SPIEGEL ONLINE.
Analysis of Erasure Code Patents for everyone
The most prominent prior art invalidating this patent is the RAID6 (one of the most commonly used Erasure Code) implementation of the linux kernel. In an article dated 2004 (i.e. ten years before the patent was granted to StreamScale) it is described to be optimized as follows : For additional speed improvements, it is desirable to use any integer vector instruction set that happens to be available on the machine, such as MMX or SSE-2 on x86, AltiVec on PowerPC, etc. Where SSE2 is the acronym of Streaming SIMD Extensions 2. The patent cites Anvin aticle’s but only to state the problem and does not acknowledge it also contains the solution.
via Erasure Code Patents | Analysis of Erasure Code Patents for everyone.
How a dumb software glitch kept thousands from reaching 911
At first, Intrado thought that the complaints arising from various PSAPs around the country were just isolated, unconnected events — even though alarm bells were going off an hour into the breakdown. Nobody noticed the warnings until it was too late; the server taking note of the alerts categorized them as “low level” incidents and were never flagged for a human, according to the FCC report.
via How a dumb software glitch kept thousands from reaching 911 – The Washington Post.
PSAP = Poor Sucker At Phone
Background Monitoring on Non-Jailbroken iOS 7 Devices
We have created a proof-of-concept “monitoring” app on non-jailbroken iOS 7.0.x devices. This “monitoring” app can record all the user touch/press events in the background, including, touches on the screen, home button press, volume button press and TouchID press, and then this app can send all user events to any remote server, as shown in Fig.1. Potential attackers can use such information to reconstruct every character the victim inputs.
via Background Monitoring on Non-Jailbroken iOS 7 Devices — and a Mitigation | FireEye Blog.
Before Apple fixes this issue, the only way for iOS users to avoid this security risk is to use the iOS task manager to stop the apps from running in the background to prevent potential background monitoring.
Yikes! This might be a problem for android devices as well. I have noticed that since a device stays on 24/7 resident apps can build up in the background because even though you think you closed an app it sometimes doesn’t actually close as in terminate until its icon is touched to activate. The proof of concept above got this “keylogger” through Apple’s App Store which is pretty remarkable.
“Honey Encryption” Could Trick Criminals with Spoof Data
“Decoys and deception are really underexploited tools in fundamental computer security,” Juels says. Together with Thomas Ristenpart of the University of Wisconsin, he has developed a new encryption system with a devious streak. It gives encrypted data an additional layer of protection by serving up fake data in response to every incorrect guess of the password or encryption key. If the attacker does eventually guess correctly, the real data should be lost amongst the crowd of spoof data.
via “Honey Encryption” Could Trick Criminals with Spoof Data | MIT Technology Review.
A new transparent display system could provide heads-up data
The secret to the new system: Nanoparticles are embedded in the transparent material. These tiny particles can be tuned to scatter only certain wavelengths, or colors, or light, while letting all the rest pass right through. That means the glass remains transparent enough to see colors and shapes clearly through it, while a single-color display is clearly visible on the glass.
via Seeing things: A new transparent display system could provide heads-up data – MIT News Office.
Starbucks Mobile App Vulnerability Puts Data At Risk
According to Wood, the file, which can be found at /Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog, contains more than just the user’s login information.
In re-testing the vulnerability last night Wood discovered that the user’s full name, address, device ID and geolocation data are all being stored in clear text as well. This information popped up after Wood reinstalled the app and monitored the session.cslog file during user signup.
Weaknesses – Bitcoin
An attacker that controls more than 50% of the network’s computing power can, for the time that he is in control, exclude and modify the ordering of transactions. This allows him to:
- Reverse transactions that he sends while he’s in control. This has the potential to double-spend transactions that previously had already been seen in the block chain.
- Prevent some or all transactions from gaining any confirmations
- Prevent some or all other miners from mining any valid blocks
via Weaknesses – Bitcoin.
With less than 50%, the same kind of attacks are possible, but with less than 100% rate of success. For example, someone with only 40% of the network computing power can overcome a 6-deep confirmed transaction with a 50% success rate.
Malicious advertisements served via Yahoo
Clients visiting yahoo.com received advertisements served by ads.yahoo.com. Some of the advertisements are malicious. Those malicious advertisements are iframes hosted on the following domains:
- blistartoncom.org (192.133.137.59), registered on 1 Jan 2014
- slaptonitkons.net (192.133.137.100), registered on 1 Jan 2014
- original-filmsonline.com (192.133.137.63)
- funnyboobsonline.org (192.133.137.247)
- yagerass.org (192.133.137.56)
via Malicious advertisements served via Yahoo | Fox-IT International blog.