Slashdot Mirror


User: owlstead

owlstead's activity in the archive.

Stories
0
Comments
3,436

Comments · 3,436

  1. Re:It's not a secret on Universities Patenting More Student Ideas · · Score: 1

    You cannot just equate publicly funded study with a job, in any way. I don't think it should be up to universities to impose such restrictions on students. Universities are there to make sure their students can advance as much as possible, not the other way around.

    Much innovation is created during university study, if only because it is when people are introduced to a subject and are still open minded on the assumptions of the particular field they are studying. Telling students that they never can really do anything on their own, either during study or during work, means that many of these all important spin-offs won't work.

    Just handing the stuff over to professors is obviously even worse. They already get more than enough of the fame and money.

  2. Re:Simple on How Do You Stay Upbeat Amidst the Idiocy? · · Score: 1

    The world: yes, societies: no. And the society we are living in is world wide, and world ruining. Let's hope some people will manage to survive.

  3. Re:Oh the ironing! on Overzealous AirTran Boots 9 Passengers Off · · Score: 1

    Hey, come on, what's an army without stupid and abused acronyms for everything?

  4. Re:Youtube comments on Why Not To Shout At Your Disk Array · · Score: 2, Funny

    ...always made me laugh.

    Yeah, they get you less tense.

  5. Re:Rouge students and some more insight on CCC Create a Rogue CA Certificate · · Score: 1

    You, sir, are of course correct.

  6. Re:Kill!!! on Tales From the Support Crypt · · Score: 1

    I don't know if there are operating systems out there that support pasting directly into a file. Windows 2K does not support it and neither does Thunderbird. You would have to think about a file name anyway.

    IMHO, Word is good enough, even if you don't like it. There is no need for people to learn everything about computers all the time, especially if they at least thought of a smart answer to their picture-mailing-problem.

    I hate Word like no other, but opening a Word document for some user supplied pictures should not be a problem. It'll definitely cost you less time than it will cost the user to send you the pictures in another format.

  7. Re:Rouge students and some more insight on CCC Create a Rogue CA Certificate · · Score: 1

    If the administrator of a web site goes to a CA and requests a SHA-1 certificate, if possible within a chain that only contains SHA-1 signatures, then the user of the site can be certain that this attack has not taken place. Of course, the user or the browser still has to check that MD5 has not been used (possibly outside of the self signed root certificate, where it is rather harmless).

    Hoping this description fares better than the previous one.

  8. Re:thoughts on Tales From the Support Crypt · · Score: 1

    The only thing worse than using AOL has gotta be supporting the kind of people that use it.

    Unlikely. At tech support for Gateway, I had very few problems with most starting or simple users. It's the ones that think they know what to do that are the hardest ones. I bet with most AOL users, you don't have to explain for the *(&%&&*)( X'th time that they should press "have disk" instead of just continuing when trying to install a driver. I bet they would not try and "skip ahead" when copying only a few files from a folder. I bet they would not press F1 instead of F8 at startup - too early.

    Of course, I also had persons where copying a single file from one location to the other one was completely impossible. In that case you are stuck. But in my experience those are the odd ones out. That said, I pity the ones doing support at an ISP. There are damn many reasons why connections don't do what they should do. Gateway EMEA (deceased) had an ISP once; give me OS problems over internet problems any time. I bet anyone here can easily write a full page of connection problems for the simple question: "I can't seem to get any email on my computer".

    At least with inexperienced users, you can write off problems like socks proxies, POP3 over SSL, different clients, trying to use IMAP, changing the socket, using a different authentication mechanism, badly installed firewall or router and all the other things an "enthusiast" can come up with.

  9. Re:Kill!!! on Tales From the Support Crypt · · Score: 1

    Ah, and the user should think about that while he is struggling with his computer? Come on, that's a bit harsh, don't you think? I would be happy enough if my relatives knew how to make a screen shot and send it to me (without my help, they are fine otherwise).

  10. Re:Check Signal Cable on Tales From the Support Crypt · · Score: 1

    Don't forget that this is something that will hit older people more easily. The older TVs and monitors did not complain when you did not supply an input. They just showed static, a black screen (some time later) and later a blue screen (even later, when they decided showing black was not so smart). Only nowadays do you get the smart message that there is no signal. Maybe the time will come when they add a message for morons like the lady you had to deal with, e.g. check the cables or the input source.

    Or maybe she was just looking for somebody to talk to, something easily overlooked nowadays. The last time she called you were not so nice to her, so she went with the next one in line. There are a lot of people that are stupid, but at least as many just act stupid (anyone with kids or pets will know what I'm talking about here).

  11. Re:Rouge students and some more insight on CCC Create a Rogue CA Certificate · · Score: 1

    That is not important. CAs that use MD5 for their cert signing are already in the browsers list of trusted CAs. It is not important what CA the banks use for their own certs for this attack to work.

    Of course, of course, this is true for the *current* browsers. Even then, it is possible for people to check the certificate chain manually. I do this regularly myself (I've got a separate browser instance - Firefox with a different profile - with just the right certificates in there for security means).

    In future browsers I would like to see a warning when:
    - MD5 or other insecure algorithms may have to be used (in the future other algorithms such as SHA-1, RSA-1024 or even TDES may be at risk)
    - a site I've visited before (suddenly) changes certificates
    - a CA certificate has been compromised or misused (same as with the current protection against phishing sites)

    For now, sites should already go for SHA-1, if only to show to the user that *they* are not the problem. The user can then check the chain to see if there is any MD5. Of course, most users won't do this, but only a single one has to be attacked to find out something is wrong.

    Phasing out the MD5 root certificates (or at least those still signing certificate requests with MD5) should be the next logical step.

  12. Re:Curse of the Cursed Cursor on Tales From the Support Crypt · · Score: 1

    Oh, since we have this new thing called USB, I've had this issue myself. I had a MS Natural 4000 keyboard, which is great except that it is so slow starting up that it missed the BIOS "Hit F1/F2/Del key" message to go into setup.

    So you hook up another old PS/2 keyboard, set up your power save settings and forget about it. Of course, forgetting about a keyboard brings its own dangers...

  13. Re:Rouge students and some more insight on CCC Create a Rogue CA Certificate · · Score: 1

    I don't think banks will be using MD5 at this point in time. RapidSSL does not seem to be a name for a CA that issues to banking sites (I could be wrong here, but I doubt it). At least the client (or an updated browser) will be able to check the certificate chain to see that it does not have the MD5 vulnerability if the chain doesn't have MD5 in it, if the certificate has been updated to hold a SHA-1 signature.

    You only need one client that sees a problem with a site for the site to be taken down or put in the malware list used by modern (non-embedded?) browsers. So this might be a solution for some cases.

  14. Re:A nice piece of work on CCC Create a Rogue CA Certificate · · Score: 1

    What they've been able to do is not just create a phony SSL cert. They've been able to create a trusted but phony certificate authority root certificate which can be used to sign other certificates.

    Almost correct, it is in fact an intermediate CA certificate. This can be used for certificate trees of 3 certificates in depth (or more). Of course, creating a "root CA" has very little effect, since you will have to include it into the secure store of the browser if you do.

    Otherwise you are right on the money. It certainly won't matter to the end user what kind of certificate it is, root or intermediate.

  15. Re:No weakness on CCC Create a Rogue CA Certificate · · Score: 1

    (1) Maybe it's my naivety, but wouldn't a hash have to be of infinite length to be able to be used in a way that guarantees no collisions?

    (2) Or is your point that hashes shouldn't be used at all? (3) If so, what should be used?

    (1) Of course there are collisions. The idea about secure hash methods is that it should be impossible to find one. If you brute force a perfect hash, you will have to look at at least 2^(N/2) hashes (in general, or you must be lucky to the extreme, approximately the same amount of luckiness :P ). MD5 is broken in this regard, for certain situations, such as the one in the article.

    (2) No, this doesn't seem to be the case. He just - correctly - pointed out to GigsVT that this is not a brute force attack. This can easily be extracted from the paper.

    (3) SHA-2 is rather secure, there is no vulnerability other than the fact that it looks too much like SHA-1 to be completely care-free. And there is probably a reason for the SHA-3 competition. There are also people that think any hashing method that is built using Merkle-Damgård is unsafe. There is as yet no solution against those (theoretical) problems.

    No answer was needed for (3) because (2) was already wrong, but I've added it as a bonus.
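    The birthday bound from point (1) above, as an added example that is not part of the original comment or of the paper under discussion: a generic collision search on an N-bit hash finishes after roughly 2^(N/2) evaluations, while a brute-force search for one specific target value (a preimage) costs roughly 2^N. SHA-256 truncated to a small N stands in for the "perfect hash", so the search runs in milliseconds; the message strings are constructed here and carry no meaning.

```python
import hashlib
import math

def truncated_hash(msg: bytes, n_bits: int) -> int:
    """SHA-256 truncated to n_bits: a stand-in for an 'N-bit perfect hash'
    so the search finishes in milliseconds instead of lifetimes."""
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest, "big") >> (256 - n_bits)

def find_collision(n_bits: int):
    """Generic collision search: hash distinct messages until a value repeats.
    Returns (m1, m2, trials). By the birthday bound this needs on the order
    of 2^(n_bits/2) trials, not 2^n_bits: any two messages may collide."""
    seen = {}
    trials = 0
    while True:
        msg = b"msg-%d" % trials           # constructed, distinct messages
        h = truncated_hash(msg, n_bits)
        trials += 1
        if h in seen:
            return seen[h], msg, trials
        seen[h] = msg

def find_preimage(target: int, n_bits: int, limit: int):
    """Brute-force (second-)preimage search for one specific target value:
    expected 2^n_bits trials, the square of the collision cost.
    Returns (msg, trials) or (None, limit) if the budget runs out."""
    for i in range(limit):
        msg = b"pre-%d" % i
        if truncated_hash(msg, n_bits) == target:
            return msg, i + 1
    return None, limit

def expected_birthday_trials(n_bits: int) -> float:
    """Expected number of draws before the first repeat among 2^n values."""
    return math.sqrt(math.pi / 2 * 2 ** n_bits)

if __name__ == "__main__":
    n = 24
    m1, m2, trials = find_collision(n)
    print(f"{n}-bit collision after {trials} hashes "
          f"(expected ~{expected_birthday_trials(n):.0f}, 2^n = {2 ** n})")
    print(f"  {m1!r} and {m2!r} both hash to {truncated_hash(m1, n):#x}")
    target = truncated_hash(b"the real certificate", n)
    pre, cost = find_preimage(target, n, limit=2 ** 18)
    print("preimage found" if pre else
          f"no preimage within {cost} tries (expect ~{2 ** n} on average)")
```

    The gap between the two searches is the whole point of the "not a brute force attack" remark in (2): the rogue-CA work needed a collision between two certificates the attackers controlled, not a preimage of an existing one, and for MD5 even that collision was found far below the generic 2^64.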

  16. Rouge students and some more insight on CCC Create a Rogue CA Certificate · · Score: 3, Informative

    Strange bunch of hackers. Don't expect some rogue students here, one is Arjen Lenstra, who is a well-known figure in the security scene.

    Very interesting to see that not only do they issue certificates using MD5 signatures (a very stupid thing to do) but they haven't even bothered to make sure that only leaf certificates can be issued. Or there are probably other CA certificates already issued under these root CA's, making matters even worse.

    The article was very well written and thus easy to read. I'm only concerned about the recommendation of the authors to do nothing if you've been issued an MD5 certificate yourself. Doing nothing does not seem to be very good advice. I would myself go to another shop and get a SHA-1 signed certificate (or even a SHA-2 signed certificate for those not concerned with low level browsers). At least your customers will know that there is no man in the middle due to the MD5 issue, and you show that you care for your clients' security.

    Hopefully SHA-1 will hold up a bit longer, because last time I looked (a year ago or somewhere in that order), there were zero (0!) certificates that were self signed using SHA-2, which is not a good indication of the current state at all.

    Gosh, that's the second CA I've disabled within Firefox just this week. Interesting times.
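    The chain check that comments 7, 11 and 13 above describe, with the root/intermediate distinction from comment 14, as an added example that is not part of the original comments: walk a certificate chain leaf first, read the outer signatureAlgorithm OID of every certificate straight from its DER encoding, and flag MD5 anywhere below the root. The root's own self-signature is reported but not counted, because a root is trusted by being in the browser store, not by that signature. The DER reader is real (it handles the long-form lengths of real certificates), but the certificates and CA names below are constructed stand-ins with a filler tbsCertificate, not real or verifiable certificates.

```python
# OIDs of the RSA signature algorithms in play (RFC 3279 / RFC 4055).
MD5_RSA = "1.2.840.113549.1.1.4"      # md5WithRSAEncryption
SHA1_RSA = "1.2.840.113549.1.1.5"     # sha1WithRSAEncryption
SHA256_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption
WEAK = {MD5_RSA: "md5WithRSAEncryption"}  # extend as further algorithms fall

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _der(tag, content):
    """Minimal DER encoder, used only to build the constructed sample certs."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def decode_oid(value):
    """OBJECT IDENTIFIER value bytes -> dotted string."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def encode_oid(dotted):
    """Dotted string -> OBJECT IDENTIFIER value bytes (base-128, high bit = more)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    The outer signatureAlgorithm is what the issuer actually signed with."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(body, 0)         # skip tbsCertificate
    _, alg, _ = _read_tlv(body, pos)       # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)

def sample_cert(sig_oid, tbs_len=300):
    """Constructed stand-in: correct outer shape, filler tbsCertificate long enough
    to force long-form lengths as in real certificates. Not a verifiable cert."""
    tbs = _der(0x30, b"\x00" * tbs_len)
    alg = _der(0x30, _der(0x06, encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\xAA" * 128)
    return _der(0x30, tbs + alg + sig)

def audit_chain(chain):
    """chain: leaf first, entries (subject, issuer, der). Returns (verdict, findings).
    A weak signature on any certificate below the root means that certificate could
    have a colliding twin with different contents, as in the paper. The root's own
    self-signature is only noted: a root is trusted by store membership."""
    findings = []
    for i, (subject, issuer, der) in enumerate(chain):
        alg = signature_algorithm_oid(der)
        is_root = i == len(chain) - 1 and subject == issuer
        if i + 1 < len(chain) and chain[i + 1][0] != issuer:
            findings.append(f"BROKEN: {subject} names issuer {issuer}, next cert is {chain[i + 1][0]}")
        if alg in WEAK:
            if is_root:
                findings.append(f"note: root {subject} is self-signed with {WEAK[alg]} (harmless)")
            else:
                findings.append(f"FAIL: {subject} signed by {issuer} with {WEAK[alg]}")
    bad = any(f.startswith(("FAIL", "BROKEN")) for f in findings)
    return ("untrusted" if bad else "ok"), findings

# Constructed chains with hypothetical names; no real CA is implied.
GOOD_CHAIN = [
    ("www.example-bank.test", "Example Intermediate CA", sample_cert(SHA1_RSA)),
    ("Example Intermediate CA", "Example Root CA", sample_cert(SHA256_RSA)),
    ("Example Root CA", "Example Root CA", sample_cert(MD5_RSA)),  # MD5 self-signature only
]
BAD_CHAIN = [
    ("www.example-bank.test", "Example Intermediate CA", sample_cert(MD5_RSA)),  # forgeable
    ("Example Intermediate CA", "Example Root CA", sample_cert(SHA1_RSA)),
    ("Example Root CA", "Example Root CA", sample_cert(SHA1_RSA)),
]

if __name__ == "__main__":
    for name, chain in (("good", GOOD_CHAIN), ("bad", BAD_CHAIN)):
        verdict, findings = audit_chain(chain)
        print(f"{name}: {verdict}")
        for f in findings:
            print("  " + f)
```

    On a real chain (for instance the certificates pasted from `openssl s_client -showcerts`, base64-decoded) only `signature_algorithm_oid` and `audit_chain` are needed; the sample builder exists so the block runs offline. An intermediate signed with MD5 is the worst case the paper demonstrates, since everything it issues inherits the problem.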

  17. Re:I had no idea on CCC Hackers Break DECT Telephones' Security · · Score: 1

    Chip & PIN? Doesn't matter much, unless they make it mandatory *or* if you can disable other ways of using your credit card. I've just looked it up for the Netherlands: everybody uses swipe & PIN over here. Not so safe, but better than just handing over the card and "signing" (or drawing a nice puppet, hence the quotes) a bill. Of course, this doesn't matter much because you can STILL use the card in other places in Europe without using the swipe.

    As long as you can use your credit card without supplying the PIN, the PIN is more or less useless. The only limit is that the abuser cannot go to shops where they use chip & PIN. Gosh, that'll stop 'em!

  18. Re:I had no idea on CCC Hackers Break DECT Telephones' Security · · Score: 2, Interesting

    "Nowadays those terminals tend to get upgraded to GPRS/EDGE though, but DECT units are still quite popular. Not for that long I guess."

    Oh, yes, now I do feel so much safer. Trust me if I say that at least in the GSM world, security is rather haphazard. There have been many issues, including broken SIMs etc. etc. If I take a look at the specs, I don't feel safe against eavesdropping *at all*. I don't know if GPRS is any better, but my guess is that it is not.

    Anyway, even if it is safe, the chances of listening in *after* the stream has been decoded are very high. There is *no* end to end security when using these technologies. For that reason, e.g. the government will never break in using the wireless network because it is much easier to break in elsewhere. Of course, chances of doing this anonymously are much lower than a direct attack on the wireless protocols.

    Basically, if you are using things like payment over any wireless network, I agree with you that the implementers must put security at the application level, using end-to-end security. Otherwise the protocol is broken by default. Does anyone here trust that all these wireless access points have been updated to the latest firmware? Because I don't.

    Note: I'm agreeing with the parent here, just deepening the discussion a bit.

  19. Re:Packer on Walmart Photo Keychain Comes Preloaded With Malware · · Score: 2, Interesting

    Yes, some virus scanners label anything that is runtime packed as malware, mostly because malware writers have been using packers as a cheap and easy disguise. But c'mon, that's so 2006.

    No, that's so previous century. I can remember the same issue with virus scanners in the DOS era, where unpacking may have actually saved some space on floppies and hard disks. With a friend, we had a warning about a virus in many .exe's using a heuristic scan, which turned out to be a popular unpacker. To put this in perspective, this was on a 25 MHz 386 DX, 1 MB internal RAM and a 40 MB hard drive - which cost me my entire holiday savings and then some.

    As a funny side note, some DOS utilities like format were labeled "trash programming". I heard this was mostly due to the fact that the floppy disk was so hard to program for.

  20. Random generator needed in semi-conductors on Using Lasers To Generate Random Numbers Faster · · Score: 3, Insightful

    We really, really need more hardware random number generators (RNGs) within CPUs. I think this is one of the more important things for Intel and AMD to work on (VIA and Intel already have working hardware RNGs for x86 as far as I know, with Intel though it is only for an embedded processor).

    Otherwise we will have to rely on "commodity" hardware to generate enough randomness to seed our pseudo-RNGs. And since a keyboard, hard disk and video cannot be trusted to be in a machine, and since using the NIC has too big a tie with the outside world, we are quickly running out of entropy sources. So a hardware RNG is definitely a very good idea.

    That does not mean that these guys have struck gold. There are already fine RNGs available for use within CPUs. I don't know how secure their device is (what happens when it is underpowered/cooled etc) but speed is not really a problem right now. Of course, if it is easy to implement in current designs: why not?
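    The "what happens when it is underpowered/cooled" worry above is exactly what continuous health tests on a noise source exist for. As an added example, not part of the original comment and not tied to the laser device or any particular CPU RNG: the two continuous tests of NIST SP 800-90B, the Repetition Count Test (catches a source that sticks at one value) and the Adaptive Proportion Test (catches a source whose output becomes heavily biased), run over constructed sample streams. The assessed min-entropy H = 2 bits per 8-bit sample and the false-alarm rate 2^-20 are parameter choices made here, and the "raw noise" is a seeded PRNG standing in for a real source.

```python
import math
import random

# Continuous health tests in the style of NIST SP 800-90B. ALPHA_LOG2 sets the
# false-alarm rate (alpha = 2^-20); h_bits is the min-entropy assessed per sample.
# Both are assumptions of this example, chosen conservatively for an 8-bit source.
ALPHA_LOG2 = 20

def rct_cutoff(h_bits: float) -> int:
    """Repetition Count Test cutoff: 1 + ceil(-log2(alpha) / H)."""
    return 1 + math.ceil(ALPHA_LOG2 / h_bits)

def apt_cutoff(h_bits: float, window: int = 512) -> int:
    """Adaptive Proportion Test cutoff: the smallest c such that a source with
    min-entropy H (most likely value with probability 2^-H) exceeds c repeats
    of the window's first value with probability <= alpha. Computed from the
    binomial upper tail rather than read from a table."""
    p = 2.0 ** -h_bits
    alpha = 2.0 ** -ALPHA_LOG2
    tail = 1.0                             # P(X >= c), starting at c = 0
    for c in range(window + 1):
        if tail <= alpha:
            return c
        tail -= math.comb(window, c) * p ** c * (1 - p) ** (window - c)
    return window + 1

def repetition_count_test(samples, cutoff):
    """Fail as soon as any value repeats `cutoff` times in a row: a stuck,
    starved or frozen source looks like this."""
    run, prev = 0, None
    for s in samples:
        run = run + 1 if s == prev else 1
        prev = s
        if run >= cutoff:
            return False
    return True

def adaptive_proportion_test(samples, cutoff, window=512):
    """Fail when, in any window, the window's first value recurs at least
    `cutoff` times: the source's output has collapsed onto few values."""
    for start in range(0, len(samples) - window + 1, window):
        w = samples[start:start + window]
        if w.count(w[0]) >= cutoff:
            return False
    return True

def source_is_healthy(samples, h_bits=2.0):
    """Both tests must pass before the samples are fed to the seeding logic."""
    return (repetition_count_test(samples, rct_cutoff(h_bits))
            and adaptive_proportion_test(samples, apt_cutoff(h_bits)))

# Constructed sample streams: a seeded PRNG stands in for raw noise samples.
_rng = random.Random(20081229)
GOOD_SOURCE = [_rng.getrandbits(8) for _ in range(4096)]
STUCK_SOURCE = GOOD_SOURCE[:1024] + [0x7F] * 64 + GOOD_SOURCE[1024:]      # stalls mid-stream
BIASED_SOURCE = [0 if _rng.random() < 0.6 else _rng.getrandbits(8)
                 for _ in range(4096)]                                     # 60% of samples are 0

if __name__ == "__main__":
    print("RCT cutoff:", rct_cutoff(2.0), " APT cutoff:", apt_cutoff(2.0))
    for name, src in (("good", GOOD_SOURCE), ("stuck", STUCK_SOURCE), ("biased", BIASED_SOURCE)):
        print(f"{name:7s} healthy={source_is_healthy(src)}")
```

    A real driver runs these on every block of raw samples before conditioning them into the pool; a failure should stop seeding, not merely log. Note that the tests only catch gross failures (stuck or badly skewed output), which is why the assessed H should be conservative and why an on-die generator is still only one of several sources to mix.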

  21. Re:Only 52 hours of homework? on Microsoft Invents $1.15/Hour Homework Fee For Kids · · Score: 1

    Well, it didn't teach you to recognize sarcasm, so I think the 400 hours per year were rather wasted.

  22. Not public domain, available against conditions on Cryptol, Language of Cryptography, Now Available To the Public · · Score: 1

    Ok, there still seems to be confusion on it being "publicly" available. This is payware with a limited trial version. The headline is about the fact that this advanced suite (I presume, I haven't used it myself) has become available *at all*. Previously, I presume, you could not just buy it. Of course, I also presume you could freely download it from some hacking site, but that's beside the point. Law only counts for law-abiding citizens.

  23. Re:Languages other than English? on OpenSUSE 11.1 License Changes Examined · · Score: 1

    Don't bother with Dutch, unless you want to offend us :)

  24. Grand unification theory, get him a Nobel prize! on Crackpot Scandal In Mathematics · · Score: 1

    According to himself:

    "However if we postulate a geometry which is so wild that it looks more like a stormy ocean to be the geometry of space-time, then both Einstein's theory and quantum particle physics will fit in. That is more or less what I have done."

    Oh, he has only created the grand unification theory. My my, how unfortunate that he hasn't received his Nobel prize yet. Gee.

    Source:

    http://www.el-naschie.net/el-naschie-physicist-details.asp?site=248

  25. Re:wrong - parent didn't read before commenting on Perfect MITM Attacks With No-Check SSL Certs · · Score: 1

    Seems that the "perfect" attack would be a combination of a bad CA and this attack. Of course, that you can reroute traffic from access points is not new. So what *is* actually new? Maybe the notion that it is too easy to get certificates from some CAs, but the article is not directly about that. It's a bit of a shame that I still cannot read all the articles, maybe there is more information in there. But the Firefox bug report does not show a perfect attack, so why is it referred to?

    Oh well, disabled the capabilities of the Comodo certificates, let's see which web sites use those.