Yes, we can validate the Wikileaks emails

DKIM is a system designed to stop spam. It works by verifying the sender of the email. Moreover, as a side effect, it verifies that the email has not been altered.

Hillary’s team uses “hillaryclinton.com”, which has DKIM enabled. Thus, we can verify whether some of these emails are true.

Source: Errata Security: Yes, we can validate the Wikileaks emails

I was just listening to ABC News about this story. It repeated Democrat talking points that the WikiLeaks emails weren’t validated. That’s a lie. This email in particular has been validated. I just did it, and have shown you how you can validate it, too.

Do you have the brains for cybersecurity?

In the modern day, the ability to work through a problem and decipher it is essential to anyone who works in cybersecurity, partly because a lot of what they do involves working out what is going on with less than perfect knowledge.

The puzzles below have been drawn up with the help of the team behind the UK’s Cyber Security Challenge, which uses similar tests to find people who are good at problem solving who could be of use for attacking and defending computer networks.

Source: Do you have the brains for cybersecurity? – BBC News

Is Blockchain the most important IT invention of our age?

Like records of land ownership. Creating and maintaining incorruptible registers of land titles is a huge – and mostly unsolved – problem for developing countries. So when the government of Honduras launched an investigation into whether a blockchain-based land registry could solve it, the non-geek world sat up and began to take notice. The unmistakable message was that this technology could be much more useful than merely securing cryptocurrencies. It might actually turn out to be one of the biggest IT inventions of our time.

Source: Is Blockchain the most important IT invention of our age? | John Naughton | Opinion | The Guardian

On the Juniper backdoor

To sum up, some hacker or group of hackers noticed an existing backdoor in the Juniper software, which may have been intentional or unintentional — you be the judge! They then piggybacked on top of it to build a backdoor of their own, something they were able to do because all of the hard work had already been done for them. The end result was a period in which someone — maybe a foreign government — was able to decrypt Juniper traffic in the U.S. and around the world.

And all because Juniper had already paved the road.

Source: A Few Thoughts on Cryptographic Engineering: On the Juniper backdoor

One of the most serious concerns we raise during these meetings is the possibility that encryption backdoors could be subverted. Specifically, that a backdoor intended for law enforcement could somehow become a backdoor for people who we don’t trust to read our messages. Normally when we talk about this, we’re concerned about failures in storage of things like escrow keys. What this Juniper vulnerability illustrates is that the danger is much broader and more serious than that.

Two More Self-Signed Certs, Private Keys Found on Dell Machines

Dell Foundation Services installs the cert and its purpose is to quicken online support engagements with Dell staff. The certificate, Dell said, allows online support to identify the PC model, drivers, OS, hard drive and more.

Source: Two More Self-Signed Certs, Private Keys Found on Dell Machines | Threatpost | The first stop for security news

So far, eDellroot has been found on Dell XPS 15 laptops, M4800 workstations, and Inspiron desktops and laptops.

“It means attackers are de facto certificate authorities, free to generate man-in-the-middle certs, or just direct phishing sites that won’t get flagged as illegitimate,”

Encrypted Messaging Apps Face New Scrutiny Over Possible Role in Paris Attacks

Security experts counter that such arguments ignore the fact that even end-to-end encrypted technology leaves a trail of metadata behind that can be used to parse who is talking to whom, when and where. “Encryption is really good at making it difficult to hide the content of communications, but not good at hiding the presence of communications,” said Matt Blaze, a computer security expert at the University of Pennsylvania.

Source: Encrypted Messaging Apps Face New Scrutiny Over Possible Role in Paris Attacks

NSA in P/poly: The Power of Precomputation

Diffie-Hellman is the thing where Alice and Bob first agree on a huge prime number $p$ and a number $g$, then Alice picks a secret $a$ and sends Bob $g^a \pmod p$, and Bob picks a secret $b$ and sends Alice $g^b \pmod p$, and then Alice and Bob can both compute $(g^a)^b = (g^b)^a = g^{ab} \pmod p$, but an eavesdropper who’s listening in only knows $p$, $g$, $g^a \pmod p$, and $g^b \pmod p$, and one can plausibly conjecture that it’s hard from those things alone to get $g^{ab} \pmod p$. So then Alice and Bob share a secret unknown to the eavesdropper, which they didn’t before, and they can use that secret to start doing cryptography.

Source: Shtetl-Optimized » Blog Archive » NSA in P/poly: The Power of Precomputation
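
The exchange described in the excerpt above, written out as an added example that is not part of the quoted post: both sides' messages, a range check on the peer's value, and an exhaustive search that only works because the second prime is tiny. The parameters `P`, `G`, the toy prime and all function names are constructed for illustration; real deployments use primes of 2048 bits or more.

```python
import hashlib
import secrets

# Constructed demo parameters: 2**127 - 1 is a known (Mersenne) prime, but it is
# far too small for real use. G = 3 is an arbitrary base chosen for the demo.
P = 2**127 - 1
G = 3

def keypair(p, g):
    """Pick a secret exponent and compute the public value g^secret mod p."""
    secret = secrets.randbelow(p - 3) + 2          # 2 <= secret <= p - 2
    return secret, pow(g, secret, p)

def check_public(value, p):
    """Reject degenerate peer values (0, 1, p-1) that force a predictable secret."""
    if not 1 < value < p - 1:
        raise ValueError("peer public value out of range")
    return value

def shared_key(my_secret, peer_public, p):
    """Compute g^(ab) mod p and hash it into a 32-byte symmetric key."""
    s = pow(check_public(peer_public, p), my_secret, p)
    return hashlib.sha256(s.to_bytes((p.bit_length() + 7) // 8, "big")).digest()

def exchange(p=P, g=G):
    """Run both sides; return (alice_key, bob_key, values_on_the_wire)."""
    a, A = keypair(p, g)      # Alice -> Bob: A = g^a mod p
    b, B = keypair(p, g)      # Bob -> Alice: B = g^b mod p
    return shared_key(a, B, p), shared_key(b, A, p), (p, g, A, B)

def brute_force_exponent(p, g, public):
    """Naive search for x with g^x = public (mod p); feasible only for tiny p."""
    acc = 1
    for x in range(p):
        if acc == public:
            return x
        acc = acc * g % p
    return None

if __name__ == "__main__":
    alice_key, bob_key, wire = exchange()
    print("keys match:", alice_key == bob_key)
    toy_p, toy_g = 10007, 5   # constructed toy group, small enough to search
    toy_public = pow(toy_g, 1234, toy_p)
    print("exponent found in toy group:", brute_force_exponent(toy_p, toy_g, toy_public))
```

The search loop takes up to `p` steps, which is why the excerpt's "huge prime" matters: the same loop against a 2048-bit prime would never finish.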

Newegg vs. Patent Trolls: When We Win, You Win

In this latest round of Newegg vs. the patent trolls, Newegg went against a company that claimed its patent covered SSL and RC4 encryption, a common encryption system used by many retailers and websites. This particular patent troll has gone against over 100 other companies, and brought in $45 million in settlements before going after Newegg. We won. Winning against these trolls has become a national pastime for us.

Source: Newegg vs. Patent Trolls: When We Win, You Win – Unscrambled

Mandating insecurity by requiring government access to all data and communications

We have found that the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago. In the wake of the growing economic and social cost of the fundamental insecurity of today’s Internet environment, any proposals that alter the security dynamics online should be approached with caution. Exceptional access would force Internet system developers to reverse forward secrecy design practices that seek to minimize the impact on user privacy when systems are breached. The complexity of today’s Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws.

Source: DSpace@MIT: Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications

Encryption “would not have helped” at OPM, says DHS official

But when pressed on why systems had not been protected with encryption prior to the recent discovery of an intrusion that gave attackers access to sensitive data on millions of government employees and government contractors, she said, “It is not feasible to implement on networks that are too old.” She added that the agency is now working to encrypt data within its networks.

Source: Encryption “would not have helped” at OPM, says DHS official | Ars Technica

A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project “was in Argentina and his co-worker was physically located in the [People’s Republic of China]. Both had direct access to every row of data in every database: they were root.”