Slashdot Mirror
Security Expert Paul Kocher Answers, In Detail
1) Serious Threats?
by Prizm
While studying cryptanalysis, I've been learning about a number of interesting attacks such as timing attacks and differential power attacks (your specialty, if I recall). While these attacks certainly seem to help cryptanalysis of various ciphers, how practical are they in terms of real security? That is to say, what are the chances that these methods are actively being used by attackers?
Paul:
It depends on the target. If the system you are trying to protect isn't worth an attacker's effort, or if there are easier ways to break in, the chances are small. On the other hand, if you are protecting extremely desirable data (money, data that will affect stock prices, Star Trek episodes, government secrets, etc.) you have to assume that smart people are going to attack your security. We spend a lot of time helping credit card companies and other smart card users build testing programs -- their products need to operate in high-risk environments where DPA, timing analysis, and other sophisticated attacks are a real problem.
2) Worst implementation?
by burgburgburg
In your consulting capacity (and without naming names), have you ever run across a companies security implementation that was so bad, so insecure, so open to exploitation that you felt an overwhelming compulsion to shut down the servers, lock the doors and call in a security SWAT team? That you actually felt like going out and shorting the companies stock? That you had to hold back from whomping someone upside the head? That you inquired about having the head of security investigated to make sure he wasn't a black hat hacker/competitor's security spy/foreign agent? How bad was the worst implementation you've ever seen?
Paul:
To save typing, can I make a list of the systems that don't make me uncomfortable?
A smart, creative, experienced, determined attacker can find flaws in just about any standard commercial product. Our security evaluations find catastrophic problems more than half the time, even though evaluation projects generally have very limited budgets.
The most common situation is where the systems' security objectives could theoretically be met if the designers, implementers, and testers never made any errors. For example, in a quest for slightly better performance, operating systems put lots of complexity into the kernel and give device drivers free reign over the system. This approach would be great if engineers were infallible, but it's a recipe for trouble if all you have are human beings.
What I find most frustrating isn't bad software -- it's situations where we tell a company about a serious problem, but they decide to ignore it because we're under an NDA and therefore the problem won't hurt sales. If your company is knowingly advertising an insecure or untrustworthy product as secure, try to do something about it. Intentionally misleading customers is illegal, immoral, and a gigantic liability risk. (Keywords: Enron, asbestos, cigarettes.)
It's also frustrating that users keep buying products from companies that make misleading or unsupported claims about their security. If users won't pay extra for security, companies are going to keep selling insecure products (and our market will remain relatively small :-).
As for the worst security, I nominate the following password checking code:
gets(userEntry);
if (memcmp(userEntry, correctPassword, strlen(userEntry)) != 0)
return (BAD_PASSWORD);
ROT13 SPOILER: Na rzcgl cnffjbeq jvyy cnff guvf purpx orpnhfr gur pbqr hfrf gur yratgu bs gur hfre ragel, abg gur yratgu bs gur pbeerpg cnffjbeq. Bgure cbgragvny ceboyrzf (ohssre biresybjf, rgp.) ner yrsg nf na rkrepvfr sbe gur ernqre. [Funzryrff cyht: Vs lbh rawbl ceboyrzf yvxr guvf, unir fgebat frphevgl rkcrevrapr, pbzzhavpngr jryy, naq jnag n wbo ng n sha (naq cebsvgnoyr) pbzcnal, ivfvg uggc://jjj.pelcgbtencul.pbz/pbzcnal/pnerref.ugzy.]
3) Internet broken?
by bpfinn
The Internet was primarily designed for use by researchers who were collaborating on similar projects, and so security was not part of the design. Would you advocate designing and building another Internet where security was a major design goal? Or can we tweak the current Internet to reduce that amount of maliciousness that goes on now?
Paul:
I don't think the core Internet is the problem. While some protocols need upgrading, the Internet does a great job of providing untrusted, unreliable communications. Trying to impose security policies in the network layer would destroy the spontaneity and openness that make the Internet great. In other words, we need to find ways to cope with the fact that the Internet is always going to be dangerous.
The place where I see the real need for improved security is in the protocols, applications, and devices that use the Internet. For example, Moore's Law has made processing power so cheap that there is no reason why web pages aren't all encrypted. Similarly, IPSEC, VPN tunnels, and e-mail encryption should be used much more widely.
Of course, large networks are always going to have unpredictable complex security risks. As a result, if you are dealing with critical systems, they should be as disconnected as possible.
4) Dive Right In
by Accidental Hack
What does a newbie do? Having been put in a position where I'm partly responsible for server security, and having been put in that position without the proper background (and the responsibility is here to stay), how do I get my head straight on the core issues and make sure I'm not leaving the doors open for anyone to do whatever they want? Reading books/articles doesn't seem to be enough, but if that's the best place to begin, any recommendations?
Paul:
You are really asking two questions: how to learn about security, and what to do if you are put in situations where you don't know what to do.
For people wanting to learn about security or cryptography, I'm a big supporter of hands-on experience. When you hear about a security bug, go see what actually went wrong. Implement DES, AES, RSA, and your own big-number library. Set up a couple of poorly-configured Linux boxes and break into them. Install a sniffer and sniff your own network traffic. Observe and modify software programs. Learn C/C++. Study known bugs in open-source crypto code and hunt for new ones. If you have the budget at work, hire a security expert and ask lots of questions. Whatever you do, be careful to follow the laws (even if you disagree with them) and act ethically.
The question of what to do if you are put in a situation beyond your skill level ultimately depends on the risks involved. With ordinary servers (corporate e-mail and the like), occasional problems may not be that catastrophic if you have good backups.
On the other hand, if the chances or consequences of failure are severe, you can't just "give it a try" any more than I should try open heart surgery or piloting a 747. For example, if you are dealing with critical infrastructure, likely fraud targets, pay TV networks (or anything involving piracy), or large customer databases, get help. Even if you are experienced, you need to have someone check your work. When you do hire someone, make sure they will answer questions, educate you, and provide good documentation. Avoid mad scientists, people who have never done serious engineering, and anyone who views security audits as threatening or insulting.
5) Quantum Computing and Cryptography
by Nova Express
Will the advent of quantum computing render even current, state-of-the-art cryptography obsolete? Is there any way that cryptography can overcome the challenge presented by quantum computing? And how long will it be, if ever, until quantum computer's can break current, state-of-the-art cryptography?
Paul:
Quantum computing is possibly the coolest discovery in theoretical computer science in the last few decades because it completely changes the rules of computation.
As a practical matter, however, it's not a significant security risk compared to the other things we have to worry about. I think it's highly unlikely that quantum computers will overtake regular computers in the next 50 years at (for example) breaking RSA. The reason for my skepticism is that the challenges involved in building a useful quantum computer are staggering. For example, decoherence becomes a much greater problem as the computer gets larger, yet quantum computers have to be huge because they don't operate sequentially. (Imagine hardware design with no flip flops -- just combinatorial logic.) While error-correction techniques have been proposed, these further increase the complexity of the circuit.
If someone did find a way to build arbitrarily large quantum computers, it would be the end of most existing public key cryptographic schemes. Symmetric cryptography, however, would still work, though key lengths would need to be doubled to get the same level of security.
Note: Quantum computing is different from quantum cryptography. The latter is a method for preventing eavesdropping, typically using polarized photons and entanglement. While quantum cryptography is feasible to implement and is also neat research, I don't see any practical use for it because it requires that parties exchange photons directly. As a result, it won't work over packet switched networks. Furthermore, existing algorithms like AES can do all the same things, and much more. As a result, the only scenario I can see where quantum cryptography would be relevant would be unbelievably weird discovery that completely demolished cryptography, such as someone showing that P=NP.
6) SSL and Forward Security
by Effugas
Paul,
First of all, thank you for agreeing to be interviewed here. It's greatly appreciated.
I'm curious if you wouldn't mind elaborating a bit on the catastrophic failure of the SSL security architecture given the compromise of an RSA private key. An attacker can literally sniff all traffic for a year, break in once to steal the key, then continue to passively decrypt not only all of last year's traffic but all of next year's too. And if he'd like to partake in more active attacks -- session hijacking, malicious data insertion, etc. -- that's fine too.
In short, why? After so much work was done to come up with a secure per-session master secret, what caused the asymmetric component to be left so vulnerable? Yes, PGP's just as vulnerable to this failure mode, but PGP doesn't have the advantage of a live socket to the other host.
More importantly, what can be done for those nervous about this shortcoming in an otherwise laudable architecture? I looked at the DSA modes, but nothing seems to accelerate them (which kills its viability for the sites who would need it most). Ephemeral RSA seemed interesting, but according to Rescola's documentation it only supports a maximum of 512 bits for the per-session asymmetric key -- insufficient. If Verisign would sign a newly generated key each day, that'd work -- but then, you'd probably need to sign over part of your company to afford the service. Would it even be possible for them to sign one long term key, tied to a single fully qualified domain name, that could then sign any number of ephemeral or near-ephemeral short term keys within the timeframe allotted in the long term cert?
Thanks again for any insight on the matter you may be able to provide!
Yours Truly,
Dan KaminskyPaul:
DoxPara Research
I specifically designed the ephemeral Diffie-Hellman with DSA option in SSL 3.0 to provide perfect forward secrecy (PFS). While it used to be true that DSA's performance was a concern, it shouldn't be a problem anymore.
[*] If you want to avoid DSA, you can also do a normal RSA handshake then immediately renegotiate with an uncertified ephemeral Diffie-Hellman handshake. (SSL 3.0 and TLS 1.0 allow either party to request a renegotiation at any time, with the renegotiation process protected underneath the first handshake.) As your question mentions, short-lived certificates would work if a suitable CA provided them.
Making PFS mandatory wasn't feasible in SSL 3.0 because of performance requirements, the need to maintain compatibility with legacy RSA certificates, and licensing issues. (Back in 1996, RSA was patented and most companies only had limited RSA toolkit licenses, not patent licenses.)
Overall, I'm delighted so see how many ways SSL 3.0 is being used and that it's become the most widely deployed cryptographic protocol in the world. While there are reasons to debate design choices I made, I don't know that the protocol's handling of PFS is one of them. Although some implementations have had bugs and guidelines had to be added to address error-analysis attacks, the overall protocol has held up well.
[*] In 1996 (when the SSL 3.0 spec came out), computers were only 4% of their current speed. (Moore's Law predicts 4.67 speed doublings in 7 years.) Today, any modern CPU should give well beyond 200 2048-bit DSA verifies/second. Averaging 10 handshakes/second (5% load) = 864K connections daily per CPU. Unless you are running one of the largest web sites (or have your server misconfigured to disable session resumption), this isn't likely to be a problem. For really high-volume servers, SSL accelerators are affordable and very fast. In general, it's rare these days to find a situation where the speed of standard cryptographic operations is actually a problem.
7) trust in open p2p communities
by smd4985
as a software engineer building open source p2p applications (gnutella), we are faced with a huge problem: how do we establish trust in a open environment where any application that speaks the protocol can participate? we've thought of various cryptographic systems to establish trust, but they have several fatal flaws - they require some sort of centralization (a no-no in a p2p environment), they lock out 'untrusted' vendors, etc.
what can we do to maintain an open environment and establish trust between peers?
Paul:
There certainly are decentralized ways to establish trust (PGP's web of trust comes to mind), but you can't have trust and complete anonymity. The closest you'll be able to do is to evaluate participants based on their past actions and assertions. Before you can begin a design, you'll need to clearly define what you are trying to enable, what you are trying to prevent, and what automated rules can distinguish between legitimate and illegitimate actions.
(Note: While I presume that the question relates to legitimate P2P applications, piracy over P2P systems is driving copyright owners to seek legislative and legal relief. The fact that the Internet can be used to massively violate intellectual property rights doesn't make it moral to do so.)
8) How do you think?
by Charles Dodgeson
When I first read about some discovery of a weakness (for example, I know your name from your work on MD5), I am always struck by the thinking beyond the framework of the designer of the system and of the community to date. The same things strikes me about timing attacks and similar sorts of things. These are things that I wouldn't have thought of in a million years. Can you give any insight into how minds like yours work. And to what extent you think that this might be a trainable skill.
I normally hate the cliche of "thinking outside of the box", but here it is fully appropriate.
Paul:
Security work requires understanding systems at multiple levels. For example, differential power analysis involves transistor-level properties affecting logic units affecting microcode affecting CPUs affecting crypto algorithms affecting protocols affecting business requirements. For engineers who are used to working at only a single layer, security results often seem surprising. Broad experience is also important because the vast majority of security problems involve unintended interactions between areas designed by different people.
Two specific subjects that I think are often neglected are low-level programming and statistics. These are essential to understand how things actually work and to assess the likelihood that systems will fail. A skeptical mindset is also important. Try to assume things are bad until you are convinced otherwise.
Some specific questions that are helpful to ask include:
- What information and capabilities are available to attackers?
- What information and capabilities are available to attackers?
- What esoteric corner cases has nobody studied carefully?
- How would a lazy or inexperienced designer have designed the system?
- What states can each participant be in?
- Where is the most complexity in the security perimeter? (Complex parts are the most likely to fail.)
- What unwritten assumptions are being made, and are they correct?
9) Is the Technology ahead of us?
by Coz
Thanks for letting us ask you these questions.
Over the last couple of decades, cryptography has gone from being the domain of major governments, big business, and the odd hobbyist and researcher to being a massive public industry that anyone can (and does) participate in, with new algorithms published and new applications announced almost every week. Meanwhile, we learn of vulnerabilities in various implementations of cryptosystems much more frequently than we hear of people discovering fundamental flaws in the cryptosystems themselves.
Given these facts, do you think we need to change focus, turning to validating and "approving" implementations of cryptosystems (such as your own SSL 3.0) or should the emphasis of the "crypto community" continue to be innovation in fundamentals of cryptographic systems and new applications for them? How important is it to have someone verify that a cryptosystem is implemented well?
Paul:
Validation is by far the most critical unsolved problem in security.
I view security as probabilistic: there is always some chance of failure, and validation is the only way to reduce the odds of failure. For example, a well-tested piece of code is more secure than an identical piece of code that hasn't been tested.
Although innovation is great on the research side, real-world systems should use well-tested techniques wherever possible. For example, on the algorithm side, we use RSA, triple DES, AES, and SHA-1 at Cryptography Research unless we have to use something else. (This is rare.) We use these algorithms because they are well reviewed, making the risk of an unexpected cryptanalytic attack low. In contrast, catastrophic flaws in new schemes are very common.
When you move beyond the basic algorithms, validation unfortunately becomes extremely difficult for many reasons:
- The complexity of software is increasing exponentially, but the number of skilled security experts (and their intelligence and productivity) is staying roughly constant.
- Many designs are so poorly architected or implemented that they are infeasible to validate.
- Validation is much more difficult than writing new code (and it's less fun), so many people avoid it.
- Engineers are cranking out such vast quantities of code that testing can't possibly keep up.
- Existing validation tools are really quite poor.
- The cost of security testing can be hard to justify because most users won't pay extra for better security.
- There is no easy way for users to distinguish between well-tested products and those that aren't.
- Testing takes a long time, slowing down product launches.
- There is no easy way to standardize security evaluations because attackers don't limit themselves to standard attacks.
- Catching 90% of the flaws doesn't help if attackers are willing to look 10 times harder to find flaws.
- Developers don't have much incentive to make painful sacrifices for security because they aren't the ones who incur the risk.
10) Re:fhnlsfdlkm&5nlkd%Bvbcvbc
by Anonymous Coward
0eefa Uv, V'z jbaqrevat vs lbh guvax gurer'f n shgher sbe EBG13. V'ir urneq vg'f cerggl frpher...
Lbh pna ernq guvf? Qnza!
Paul:
Holy cow! Juvyr lbh znl unir svtherq bhg zl fhcre-frperg EBG13 pvcure, abobql jvyy rire penpx *guvf* zrffntr orpnhfr V fjvgpurq gb bhe hygen-frperg cyna O: nccylvat n Pnrfre pvcure 13 gvzrf :-).
"money, data that will affect stock prices, Star Trek episodes, government secrets, etc"
This made me laugh; good to see the guy has a sense of humour. Then I realised that you can probably get all this stuff on Kazaa, anyway.
--
jc
Let's go with ROT1 and build a company named eBooks around it.
Anybody care to play ROT13 translator???
Stop by my site where I write about ERP systems & more
What struck me reading this was he mentioned that he has worked under the terms of an NDA and the company decided not to fix thier software. How can this be discovered? If he goes to the police surly this goes beyond the NDA. If anyone could clarify this I would appreciate it.
Here's the ROT13 message decoded:
This was courtesy of ROT13 JavaScript coder/decoder
You say
I'm never going to figure this out---damn those encryption experts!
Karma: Marginal (mostly due to the border around the website)
so, for instance, you would decode his hint above with the command
Of course, you can also go to http://www.rot13.com/ and enter your text thar.
It may not be enough, but I perfer to believe that cryptography study should begin with books.
Here are 81 cryptography books I've reviewed.
With most I've included an associated set of prerequisite book reading, math, and computer language skills necessary to understand the book. Hopefully this will help the beginner hit the ground running, and the more experienced should discover a few hard-to-find books to start tracking down for their personal collections.
I put the 'fun' in fundamentalism
About 2/3 of the way down, someone forgot to close an tag, and the rest of the article is in all italics. I just wanted to give a heads up to whoever didn't bother to read the article before posting.
http://www.alliancestudio.com/tk/rot13.html
"definitely one of the most fun interviews I've ever done." ... He obviously doesn't get out much.
As for the worst security, I nominate the following password checking code [snipped]
I really hate it when head stuck so far up their own arses their head sticks out of their head security types assume most programmers are stupid.
Most programmers AREN'T that stupid, and you will never come across this code in the wild.
Just like the SQL injection attacks that security types get off on. Doesn't happen.
An empty password will pass this check because the code uses the length of the user entry, not the length of the correct password. Other potential problems (buffer overflows, etc.) are left as an exercise for the reader. [Shameless plug: If you enjoy problems like this, have strong security experience, communicate well, and want a job at a fun (and profitable) company, visit http://www.cryptography.com/company/careers.html.]
:-).
10) Re:fhnlsfdlkm&5nlkd%Bvbcvbc
by Anonymous Coward
0rrsn Hi, I'm wondering if you think there's a future for ROT13. I've heard it's pretty secure...
You can read this? Damn!
Paul:
Holy cow! While you may have figured out my super-secret ROT13 cipher, nobody will ever crack *this* message because I switched to our ultra-secret plan B: applying a Caeser cipher 13 times
Anyone care to decrypt the last question for us lazy folk?
The GeekNights podcast is going strong. Listen!
Look again, dillwad. Maybe you meant first post in zero-base counting system?
http://www.rot13.com/index.php
-- The morphemes of your disquisition are ascertainable, but they have eschewed an ambit of transpicuous exposition.
Clearly the solution to ROT13 insecurity is to use dual rounds of ROT13!
http://www.rot13.com/index.php gives you the awesoma powa of rot13.
A smart, creative, experienced, determined attacker can find flaws in just about any standard commercial product.
And if your determined enough, you probably don't even need the other 3 qualities.
And don't call me Surly.
EVERYBODY who doesn't support bush's imperialistaic policies and bloodlust for oil POST HERE and we'll clog the article!!!!
WE WILL BE HEARED!
hi, my cock is huge, and I want to blather on about crytography issues that I don't really understand because I will sound 'l33t' to my friends.
what are some of the key buzzwords that i need to employ in conversation so that my friends will know and understand that my cock is huge, without me actually having to say, 'hey, my cock is huge'?
btw, it is really huge, but i can't show anybody, that would be illegal.
naq urer V jnf, guvaxvat gung abobql rira erzrzorerq ebg13, lrg nybar hfrq vg nalzber. nu, gur tbbq byq qnlf bs pelcgbtencul. naq abj, cenvfr gur yynzn! :) irel vagrerfgvat negvpyr. V jnf whfg jbaqrevat : vf gurer fhpu guvat nf n zbber'f ynj sbe vaabingvbaf? 50 lrnef gb tb sbe n jbexvat dhnaghz pbzchgre frrzf n ovg ybat gb zr.
Karma
I always ROT13 my secret messages twice.
Can the fellow who asked it please clarify what is meant by 'trust' in a Gnutella environment -- what features are being thought about?
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
E.g. (for "How do you think?")
states can each participant be in?
e is the most complexity in the security perimeter? (Complex parts are the most likely to fail.)
and (for "Is the Technology ahead of us")
dation is much more difficult than writing new code (and it's less fun), so many people avoid it.
Anyway, thanks for the interesting answers.
echo "Grkg" | tr [A-Za-z] [N-ZA-Mn-za-m]
--
Anonymous Coward:
:-).
Hi, I'm wondering if you think there's a future for ROT13. I've heard it's pretty secure...
Paul:
While you may have figured out my super-secret ROT13 cipher, nobody will ever crack *this* message because I switched to our ultra-secret plan B: applying a Caeser cipher 13 times
http://www.rot13.com/index.php
-Bill
Can we get some names of "companies that make misleading or unsupported claims about their security" that people keep buying (other than Microsoft, which is too obvious to list)?
Note: While I presume that the question relates to legitimate P2P applications, piracy over P2P systems is driving copyright owners to seek legislative and legal relief. The fact that the Internet can be used to massively violate intellectual property rights doesn't make it moral to do so.
Uh oh, sounds like he thinks there will actually come a day when people don't copy stuff over the Internet, just because it's "wrong mmkay".
He's got it backwards: Because technology today can be used to make copies easily, copyright infringment will occur on a massive scale, no matter what. Technology today is exposing the fundamental flaws of copyright, which have always been there under the surface (when I was in HS, I owned one CD for every five copies I had, but the **AA couldn't track it as easily as they can P2P).
The only solution is to immediately and loudly proclaim that copying is okay and that we have to tailor our laws to that reality. Leave the statements of "morality" to RMS and the like.
uggc://jjj.pelcgbtencul.pbz is /.ed
Nuke Gay Whales for Jesus.
What he says about quantum computing sounds reasonable. Though there exists a known algorithm to factorise primes in polynomial time, which would certainly make almost all cryptographic systems obsolete (of course there are others which will still work but ...), there's almost no decent working quantum computer that can approach the number of bits that a practical application of this sort will involve.
a ta_trunc_sys.shtml ) is a link for starters). And because quantum entanglement allows u to transfer bits across in total secrecy (at least u definitely know if somebody eavesdrops), quantum cryptography involving just a few bits is also important.
;-)
However, the stuff about quantum cryptography is too pessimistic, imho. Quite recently scientists have achieved quantum entanglement over decently usable distances - this (http://www.scienceagogo.com/news/20030126213558d
Anyway, it's one hot field for theoretical research right now, so that probably implies that practical applications are years away.
sorry for the plain text.
This sig is empty.
The Microsoft/Netscape/Mozilla/Verisgn "conspiracy"(for lack of a better term) made the cost barrier far, far too high by requiring that certificates be issued only by "trusted" authorities for encrypted web pages. (And requiring that if the website owner doesn't fork out the cash, the user gets prompted with an ugly/annoying dialog suggesting that something may be wrong, causing confusion.)
/. :-), and then authenticated SSL for banks, porn, etc important things.
It's unfortunate that MS/NS (and now Mozilla) went along with this. A better system would allow for unauthenticated SSL (with no CA warning), for sites you just don't care so much about, like
I very much liked reading the interview.
I noticed that something is going unsaid, though. Breaking a cipher through cryptographic analysis only works if the attacker knows or can guess the algorithm. If data is encrypted and then encrypted again with another algorithm, and in between the bytes are scrambled, no mathematical attack can ever be successful.
This method of encryption does not allow public-key encryption, of course, but it is 100% secure if only the sender and receiver know the encryption and byte-scrambling algorithms.
Everybody has brainfarts, no matter how good they are.
Bill - aka taniwha
--
Leave others their otherness. -- Aratak
It has the added advantage of appearing to be cleartext, thus making the attacker think they've decoded the message!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Yippee! Yahoo! He picked my question and answered it! (does happy joy dance)
Now that that's over with... I think his answer makes projects like OpenSSL more important. We can all look over the implementations, they're thrashed by the community at large, and they've proven to be quite responsive when someone does find a vulnerability.
Now, off to my next assignment - writing an access rights repository using the M$ Foundation Classes Crypto API. *sigh*
I love vegetarians - some of my favorite foods are vegetarians.
I approve of the message, but not the tactic.
www.wavefront-av.com
SQL injection *does* happen. I've seen it and plenty of web developers are not very SQL-savvy.
:)
Try these two phpnuke sql injection vulnerabilities (1,2) for example from this week's securityfocus.com vulnerability list. Those are just a couple from the open source world.
In early 2000, my dotcom would allow points to be redeemed for Flooz (remember them?) which could then be used at among other place, Tower Records. Throw a single quote in the search page, it dumped SQL statements including tables, columns, and database names. Turns out the search function was vulnerable to TRUNCATE TABLE -- not that I ran it mind you
That doesn't even count the fact that the folks who handled the conversion of points to Flooz through their Java application forgot to check if you had the point you were converting in your account -- I converted 100,000 points ($1000) into real cash (well, real Flooz) from an account with 10 points in it.
No no, you're right. None of these problems are out there in the real world. Sure they aren't.
Vim will rot13 for you with g?{Motion} or {Visual}g?.
There is no trap so deadly as the trap you set for yourself
-Raymond Chandler, The Long Goodbye
"As for the worst security, I nominate the following password checking code:
gets(userEntry);
if (memcmp(userEntry, correctPassword,
strlen(userEntry)) != 0)
return (BAD_PASSWORD);
"
I just want everyone to know I wrote that code years ago and would never do something like that again. Really!!
-Thomas
talk about being redundant..
$ cat <<EOT | perl -lpe 'tr/A-Za-z/N-ZA-Mn-za-m/;'
# Cut'n'paste away.
He Said ...The fact that the Internet can be used to massively violate intellectual property rights doesn't make it moral to do so.
I would assert that Intellectual Property is immoral, and that people trade freely on p2p networks and the internet, in part, to undo the damage caused by immoral copyright monopolies.
The moral and historical foundation of property derives from the fact that property has tangable limits - not from a King who granted publishers monopolies in return for not publishing bad things about the monarchy. Incentive does not a property right make.
Just because an institution calls something a property, does not mean that it is - any more that it did in 1850, where if you freed a slave you were called a thief - and could even be hanged.
As society enters the information age it is becomming apparent that the right to copy is a moral right that exists above government, like freedom of speech, religion, and the right to bear arms.
DAMNIT
The fact that the Internet can be used to massively violate intellectual property rights doesn't make it moral to do so.
I'm sure Paul doesn't remember me, but I remember Paul. When I was all of 13 (this was arround '90) Paul Kotcher and I both lived in Corvallis, OR. IO didn't know Paul, met him only once (knew his brother Scott a bit better though) but he was the geek star of Corvallis, the only teenager we even knew about who could program assembler and crack copy protection. I remember playing a 'warezed' (didn't have that word back then) version of Test Drive cracked by Paul.
Anyway, each time I see Paul's name come up in the news, it reminds me of those days and it brings a smile to my face.
The problem with one-time keys is that they must be as long as the data to be encrypted.
The encryption chaining with byte-scrambling in between allows unbreakable encryption with only 3 passwords of perhaps 50 digits each. That's much more practical for people who have gigabytes to encrypt.
If data is encrypted and then encrypted again with another algorithm, and in between the bytes are scrambled, no mathematical attack can ever be successful.
Crikey! You've cracked it! You're going to make a fortune!
Either you mean 'one-time pad' when you say 'byte-scrambling algorithm', or you are the sort of layman for each of which cryptanalysts wish they had a penny.
"Wise men talk because they have something to say; fools, because they have to say something" - Plato
I am most likely a gay homosexual faggot,
what, was the test inconclusive or something? let me help you out: it is very, very, very "most likely"
Good thing you posted your follow-up anonymously, or I'd have thought it was really ergo98 posting it. Or something.
Thanks, I'm heading out to the bookstore to grab a book based on one of your reviews. Is it possible for you to list various favourable higher-level mathematics textbooks (i.e. course books that universities would use)? I never did well in university mathematics but would like to teach myself all over because I find myself actually loving math and appreciating its elegance!
We're fortunate that cryptography is a mathematical discipline. That way, whenever anyone makes claims about "no mathematical attack can ever be successful", we can say "great--prove it."
There is only one cipher out there nowadays which has been formally proven to be totally immune to mathematical attack: the Vernam Cipher, which is conceptually brilliant but too impractical to use.
Everything else (so far) has been proven susceptible.
I would suggest reading Knuth's The Art of Computer Programming, where he does basically exactly what you suggest except with random numbers. And yes, he successfully cryptanalyzes the output.
Whenever /. has a crypto story, someone posts something like this:
there exists a known algorithm to factorise primes in polynomial time
which is perfectly true. Even better, it works in constant time:
def factor(prime):
return (prime, 1)
(translation into languages other than Python is left as an exercise to the reader)
Factorizing composites efficiently is how you break RSA and related cryptographic algorithms.
The memcmp() bug in the interview seems simple enough. May I ask a novice question? What is unchecked buffer size problem? How can you take over a system because of an unchecked buffer? Is it a C/C++ specific problem? Thanks for enlighting me.
tr A-Za-z N-ZA-Mn-za-m
<paste text to console>
070F00335427494C12525E57463D031751570B05591B450407 080849091258466331252631316E5552270609125248060502 150C4E526D2D253A276E2E3648002A1D0C11051A441B535302 0152551846071600060902450E434D03422870222733743620 5B5430100005165447061B471E030945313137742227285C4A 350D105A01622825373761372D3548412A170717001006100A 1C1C5A12555A01481C1D522661323D332C3D434223120B5352 3E1F5B08014E2633742A48532F4F1946411C04000B04074517 1308064C160F004E47545300241E02510B0A5B527B24141D1F 5218000346420615071A5D00221C00191146002B0E02420D11 00420017520E0E455901190B00131A56024953011C1C11540F 080B42223570323339265F56300441064B1A1D105601000952 0D0150213B2E3B5B5629011252480B041C59424F4E02194104 0D044754010004171D560711454E4D12030400510114034311 0B1E13472D2E2D21130038235A2B2F41246D0021374858490E 5B4949633A2F2F6A6A6A2E70656C63676274656E63756C2E70 627A2F70627A636E616C2F706E65727265662E75677A792E5D
Which, of course, decodes the message to:
In A.D. 2101 War was beginning. CAPTAIN: What happen? MECHANIC: Somebody set up us the bomb OPERATOR: We get signal CAPTAIN: What! OPERATOR: Main screen turn on CAPTAIN: It's You!! CATS: How are you gentlemen !! All your base are belong to us. You are on the way to destruction CAPTAIN: What you say !! CATS: You have no chance to survive make your time CATS: HA HA HA HA.......
A devious one indeed, that Paul Kocher!
My next license plate will read (only 6 char's)
"shpx h"
yeah, it's an obscene turn of the phrase, but nobody will understand it.
the new fad in custom licenses!
or maybe l33t-speak? Oh, wait, no special chars..
1]4m!+ !!
Support FSF: Stop thinking with your wallet, and think with your imagination. (cc/non-commercial)
Comment removed based on user account deletion
MY HERO!
When I first saw that comment, I thought "Hah, of course not. It's exactly as secure, since it's identical code.". But after a moment or two of thinking, I realized that he's right.
A good working definition of "Secure" can be "does what the user expects it to do (and nothing else)".
With this definition, well-tested does mean more secure, simply because a well-tested bit of code is much less likely to surprise you.
I hate it when I make a joke and I get modded "+5 insightful". Mod the stupid comments "funny", not "insightful", pleas
For those who enjoy solving simple substitution
cyphers, the following command will encypher a file for you:
perl -0777pe'$a="a";s/[a-z]/$b{lc$&}||=$a++/gei' filename
I also have a program to help solve these cyphers, but it is too long to fit into the margin of this post.
(And if you don't like solving alphametics problems (e.g. SEND+MORE=MONEY), I have a program that will do it for you in 135 bytes.)
Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
Your other statement is just completely untrue, although there is a big market selling dubious encryption software employing such techniques. Well, I guess there's a big market for dubious encryption software of all types.
Meganet (www.meganet.com) is one of my favourites.
Enjoy your job, make lots of money, work within the law. Choose any two.
There is no way to verify that a peer is running some genuine/particular client or other (at least, not without DRM hardware).
The only way to make sure that you're not uploading fies to RIAA dupes is to have a real-life web-of-trust amongst your users. Unless your web of trust is a serious conspiracy, it's unlikely to be effective.
It *is* (theoretically) possible to detect misbehaving clients, though. Imagine you require all participants to sign each of their transactions, and there are particular pairs of transactions which are inconsistent (such as, reply to a search for file X, but then claim not to have X when a download is requested). Nodes which see such behaviour can compile cryptographicaly secure evidence that a node has bisbehaved (the node can then be temporarily blacklisted).
On Paul's comment that copyright infringement is unethical, here is the (usually neglected) rule-of-thumb:
1. If, absent piracy, you would have bought it anyway, then you owe the artist (and maybe the publisher?) some money.
2. If you wouldn't have shelled out to purchase a copy, then copyright infringement is ethical.
Fixing copyright
Every decryption article I've seen involved knowing what you are looking for. Every cryptographer seems to look for mathematical shortcomings that would not be valid if several algorithms were mixed. Mixing algorithms (say AES and DES) prevents attacking using a knowledge of the underlying mathematics of each algorithm.
It is still possible to try a statistical attack, on anything, of course. But, with mixed algorithms you are preventing an attack using some mathematical weakness that may be discovered in the future.
This is what I'm saying: Mixed algorithms prevent the success of any kind of mathematical analysis that is based on a knowledge of the underlying algorithms.
I was doing a bit of security consulting at a hospital once a long time ago and they had a system in place to prevent people from logging in. Unfortunately, I didn't notice it.
/etc/profile to figure out if you were authorized based on an entry in a text file somewhere...all written in bourne shell. It had the appropriate traps in place to prevent ^C and stuff working.
It turns out, the security system used
The reason I didn't notice it, however, was that I had requested my account be created using tcsh.
After discovering this, I had them create me a bourne shell account and was still able to bypass the system by hitting ^C soon enough after entering my password that it could break out of the profile before getting to the trap line (helped that it was still paging in at the time).
-- The world is watching America, and America is watching TV.
The chimp's so scared of North Korea, there's no chance he'd piss China off - he's just happy that China is best mates with India rather than Pakistan, 'cause if the Pakis got hold of an ICBM platform, the US would be under a death sentence.
Still, our poodle might be more mad - I think he's nearly lost it.
First I post it in a beer-fuelled moment to the questions thread...
:o(
Then it makes question 10...
Now I'm a terrorist?
Qnza!
Ross,
Here is a better explanation:
#5610902, Mixed algorithms prevent mathematical attacks.
The method I mentioned prevents attacks based on knowing the mathematics of the algorithm.
That's what I thought too, but then I checked the answer (see why I'm posting anonymously, don't want the phone cops at my door...) I wanted to smack my forehead. Think way way wayyy dumber than that.
#!/usr/bin/perl
while(<>)
{
tr/a-zA-Z/n-za-mN-ZA-M/;
print $_;
}
Enjoy.
To decode/encode ROT13 save the text in a file called foo. Open your Mac OS X terminal an type:
tr A-Ma-mN-Zn-z N-Zn-zA-Ma-m < foo
No need to mess with Google and other fancy things.
You can do other fun things with tr, like if you want to be the 1337357 dude on the block, type your text and save it in a file called foo, then run:
tr aeios 43105 < foo
Have fun!
Early VMS (I'm thinking VMS 1.0, circa '80?) had a similar problem. The login was done by a DCL script. Wander up to your friendly VT100, hit Return to wake it up and them hammer it with ^Y (==^C). With a few tries you'd break into the login script and be dumped at a root prompt.
The Uni got an upgrade PDQ once us young 'uns had discovered that...
I am not answering you in the thread where I read your post, because I'm moderating that thread. So, go buy a new Alpha here
The company has government contracts that say it must produce the alpha untill 2006. It is alive and well. In fact it is 10% faster than HP's Itanium offering, the superdome line of servers.
Since HP's intent is to comply with the government contract but not reduce sales of their high margin, larger investment and similar contract with intel Itanium systems, they are not advertising it, posting benchmarks or supporting it (theoreticly they are supporting the hardware mut their support for TRU-64 is minnimal at best).
Prices of the 8 processors at 1224 mhz w/256 GB of ram start at 1/4 million dollars. The DS20E is a desktop workstation running dual 833mhz EV 68 processors.
The 8p version will finish a seti@home work unit every 4 minutes.
If you have the cash, enjoy the power.
If voting were effective, it would be illegal by now.
Not when you are scrambling the bytes in between encryptions. That destroys any possibility of a mathematical attack.
Each different password has a different scrambling, anyway.