Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Software To Balance Privacy and Security?

Posted by ScuttleMonkey on from the until-they-build-a-better-reverse-engineer dept.

An anonymous reader writes "Claiming to provide both security and privacy, researchers at UCLA say they have developed a system to monitor suspicious online communication that discards communications from law-abiding citizens before they ever reach the intelligence community." From the article: "The truly revolutionary facet of the technology is that it is a new and powerful example of a piece of code that has been mathematically proven to be impossible to reverse-engineer. In other words, it can't be analyzed to figure out its components, construction and inner workings, or reveal what information it's collecting and what information it's discarding -- it won't give up its secrets. It can't be manipulated or turned against the user."

8 of 82 comments (clear)

  1. Evil potential here by ribuck · · Score: 5, Insightful
    That means lawful U.S. citizens who don't fit the parameters are automatically ruled out.

    It also means that lawful citizens who do fit the parameters are reported on. The same as if the agencies are grepping.

    a savvy person may be able to tell that the program is running in the background ... by distributing this software all over the Internet to providers and network administrators, you can easily monitor a huge data flow

    How will this software be "distributed"? Virus? Payload in a Sony rootkit? Thousands of patriotic sysadmins? Plenty of potential for evil to be done here!

    --
    Paid Q&A/Research
  2. spin doctors by Hakubi_Washu · · Score: 5, Insightful

    So, it collect all data fitting into the criteria set by the agency without any chance of anyone ever knowing what those criteria were? How is the "law-abiding" citizen to know he's not accidentaly fitted one? They say it improves privacy, but it actually removes it, since you can never know you've not been deemed a "terrorist".

  3. What good is this? by NoMoreNicksLeft · · Score: 4, Insightful

    So, when I take my case to court, that they're illegally intercepting my communications just to look for dirt to ruin my political campaign, it's impossible to reverse engineer and prove that they were only looking for terrorists?

    I mean, the captured documents could already have been altered, no way to prove that they didn't, now.

    Not to mention the way it works amounts to what is essentially an eternal wiretap of everyone, guilt, innocence and suspicion matter not.

  4. Mathematical proof of code is a tough business by javaDragon · · Score: 5, Insightful
    Their greping thing is not interesting per itself, but I'd like to see this:
    [...]a new and powerful example of a piece of code that has been mathematically proven to be impossible to reverse-engineer[...]
    I'd like to see the demonstration. Until such time, I call bollocks and I refuse to believe an "impossible to reverse-engineer" piece of code ever exists.
    --
    -- javaDragon is an instance of JavaDragon.
    1. Re:Mathematical proof of code is a tough business by Ckwop · · Score: 4, Interesting

      I'd like to see the demonstration. Until such time, I call bollocks and I refuse to believe an "impossible to reverse-engineer" piece of code ever exists.

      I second your bullshit and raise! The problem with proofs such as this is that they assume broad axioms that in reality might not be true in the hardware. For example, they may well have proved the theorem if they assume all operations of a certain set take the same length but in reality they might not. The processor might take a ten billionth of a second longer to do one operation than it does another, or it might release more heat when it does one operation than it does when it performs another, or it might release a certain magnetic field when it does one operation and not another.

      Side-channel attacks, as these are called, are often totally devastating. There was one attack where simply heating the computer up can cause a system to get owned. If the proof is correct, it's certainly interesting but practically we're a long way from getting to this gold standard.

      Simon

    2. Re:Mathematical proof of code is a tough business by wannabgeek · · Score: 3, Insightful

      I think you misunderstood. They did not prove what the program does. They claim they have proven that the it cannot be determined by other what the program does.

      --
      I'm much more funny, interesting and insightful than the moderators think
  5. It really is possible to stop reverse-engineering by cpeikert · · Score: 3, Interesting

    Many commenters are claiming "it is always possible to reverse-engineer a program!," using such reasons as "you can always watch the processor perform the instructions and eventually figure it out."

    Let me tell you, as a cryptographer, that these claims are false. The recent field of program obfuscation gives surprisingly strong ways to prevent reverse-engineering, in a very rigorous and strong way.

    Not every program can be obfuscated (this has been proven). However, programs that fit a certain template (like: "check if the input string matches the user's password") can be obfuscated. What this means is that you can give the program's entire code to the adversary -- he can run it on his own computer (no DRM required) on whatever inputs he likes, alter it, stretch it, twist it, whatever. After all this he still will not be able to guess the password, any more than if he had some mathematically-perfect black-box that truthfully answered the question: "is [X] the password?" (Actually the definition is even stronger than this, but that's the gist of it.)

    Yes, this seems extremely hard to do -- after all, the adversary has complete and total power over the code that is running. Yet it can be done, rigorously and provably, if you're willing to believe that there are some number-theory problems out there (like RSA) that are hard to solve.

    For the work described in the article, it sounds like the "black-box" does something like the following: if your input string contains some "watch words," then the output is the same as the input, but encrypted under the government's key. If your input string is "benign," then the output is just "THIS WAS A BENIGN INPUT", encrypted in the government's key -- i.e., it ignores any benign input and replaces it with a placeholder. By running the obfuscated program and looking at the output, you can't tell if the input was flagged or not. Even while watching the program run, you can't tell if the program is flagging the input or not (or learn anything about the government's key). When the government collects the output and decrypts it, it only sees the flagged inputs, as the rest have been ignored.

    As I've said, none of this depends on the program requiring any DRM or TPM or any other specialized hardware. It only relies on the mathematics.

  6. Re:Can't be reverse-engineered, eh? by SmurfButcher+Bob · · Score: 3, Insightful

    Oh the funny part - there's no need to reverse engineer it; the guts would be fully described in the resulting Software Patent.

    Worst case, pull an SCO and sue them for violating your stuff, and demand un-obfuscated *everything* during discovery.

    On the fun side, wait until RIAA/MPAA gets their agenda piggybacked into these little boxes.

    --

    help me i've cloned myself and can't remember which one I am