Slashdot Mirror


User: Mysteray

Mysteray's activity in the archive.

Stories: 0
Comments: 310

Comments · 310

  1. This is so not news. on Amazon EC2 Enables Cheap Brute-Force Attacks · · Score: 1

    Someone took a password-guessing program and ran it on EC2. Big freaking deal.

    EC2 now offers GPUs. Someone took a GPU-based password-guessing program and ran it on EC2. Big freaking deal.

    True, raw SHA-1 used all by itself is not the thing to generate password hashes with, but this is not a weakness in SHA-1. As the researcher says, it shows merely that SHA-1 is efficient.

    SHA-1 is not weakened, broken, or exploited in this research (it is significantly broken in other ways though).

    Teams were guessing passwords with GPUs at Defcon last year. They were guessing passwords with EC2 last year, too. The combination is not novel or innovative.

    This reads like Marketing placement to me.

  2. Sony burning anyone? on Sony Files Lawsuit Against PS3 Hacker GeoHot · · Score: 1

    I'm that mad. I'd been disgusted with Sony since they started infecting people with malware on purpose but this is over the top.

    If somebody wanted to organize a destruction of Sony products which they legally own and paid for, I'd donate a few pieces of classic early-70's Sony hifi gear. I'd also throw in a 2-week-old purchased PS3. The games themselves might be better simply dumped in used game stores.

    A 'burning' probably wouldn't be very environment-friendly with all the plastic. You could burn the cardboard boxes that the products came in, or perhaps there's some industrial-strength trash compactor that makes a dramatic image to get the point across.

    Clearly PR is the only language these people understand.

  3. I read that Samsung was locking down firmware on When Should I Buy an Android Tablet? · · Score: 1

    I read that Samsung was starting to lock down the firmware and kernel updates.

    No thank you Samsung.

    Would you buy a laptop you couldn't install your own kernel updates on? Why should a mobile be any different?

  4. Re:Data over power lines? on California County Bans SmartMeter Installations · · Score: 1

    I heard it mentioned in the "Vulnerable Compliance" talk mentioned here: http://www.usenix.org/events/sec10/tech/

    It's in the video at 54:45. Dan Geer references an exchange with an anonymous party.

    There are utilities who really want to ship meters with dozens of MB of firmware images, all compressed, all actually used, no partial update, while having under 10 kbits of bandwidth to the meters. Note carefully that the rationale for doing this as currently designed is that it is all conforming to industry standard protocols that have been tested and vetted.

    Unfortunately, Usenix wants registration for the actual video. It's a really interesting talk for those who are interested in the big picture of network protocol security (I give part of it :-) If people really care, perhaps I could smuggle an excerpt on YouTube or something. Track down my email and email me.

  5. Re:Data over power lines? on California County Bans SmartMeter Installations · · Score: 1

    Why the hell would this system need to be that complex?

    Because it's a computer system designed by multiple committees of differing interests.

    Simple is much much harder than complex in these processes.

  6. Re:Data over power lines? on California County Bans SmartMeter Installations · · Score: 1

    So you propose something of a litmus test of meter designer competence. Let's dig into some published protocols. If:

    1. The meter protocol _requires_ implementation of a multicast firmware update capability, then the system may be competently designed and is plausibly as secure as any such system is likely to be.
    2. On the other hand, if no multicast firmware update facility is defined or it is not actually implemented in some deployment of millions of meters, then you will have to agree that the current process of designing and qualifying smart meters is horribly broken.

    My money's on (2). Who's willing to help dig up some hard info?

  7. Re:Of course this happens in California on California County Bans SmartMeter Installations · · Score: 2

    My guess is that there are already products I could install on my own if I wanted to monitor my power consumption. That device doesn't need to serve as a remote-controlled kill switch on my electricity at the same time.

    My main objection is from the security angle. The more I learn about data security, the more clear it is just how inevitable it is that complex systems will get pwned. Imagine if the Stuxnet developers, instead of targeting a few thousand centrifuges in Iran, had decided to target a few hundred million electrical customers in the US and Europe.

    This is not a far-fetched, paranoid, or crazy scenario in the least. It's the kind of thing that is simply inevitable unless we can get some more cluefulness and rational discussion going into the decision making process.

    This is not just, say, somebody's e-commerce business model we're talking about here. It's the freaking power grid, the #1 thing that day-to-day separates us from being a third-world country. Some things are too big to be allowed to fail.

  8. Re:Of course this happens in California on California County Bans SmartMeter Installations · · Score: 1

    Personally, I think "smart meters" are an exceedingly dumb idea.

    But your comment is completely ambiguous and content-free, so I cannot discuss it with you.

  9. Re:Data over power lines? on California County Bans SmartMeter Installations · · Score: 2

    Really? What kind of bandwidth does one need to send power usage information?

    Not much. But consider what happens when a security hole is found. Say it requires a 2MB firmware update on all 10M of your customers' meters.

    (smart meter firmware size)*(installed base)/bandwidth = (minimum number of days the attacker has blinkenlights capability over your grid)

    I can't take credit for this observation. I can dig up the reference if you'd like.

  10. Re:No sympathy for Sony on PS3 Root Key Found · · Score: 1

    just because something is "by computer", or "online", or "in space" does not change what has happened.

    I agree, it doesn't change what happened.

    But it is different in the sense that no other objects in familiar use are under the remote control of outside parties. Except, say, your cable TV box but that's something you rent as part of their service. It's not a piece of hardware you buy.

    if you sent your car in for a scheduled service (as required to keep warranty) and when you got it back the stereo was gone, you'd absolutely have legal recourse.

    I think that's by far the best analogy we've heard. It's even a required "maintenance" that destroyed the stereo.

    The work of the CCC guys made a good case that mainly Sony didn't want you to be able to run your own content. So it was as if you got your car back from a required maintenance and the dealership had used a small amount of thermite to turn the inside of the CD player into slag because they get kickbacks from selling satellite radio.

  11. Re:One issue with your reply. on PS3 Root Key Found · · Score: 1

    Haha, what an elite group they're in. Somebody should make a list of this stuff and get credit for coining a term.

  12. Re:No sympathy for Sony on PS3 Root Key Found · · Score: 2

    As I have heard it, "bait-and-switch" has meant to advertise one thing and then when you go to buy it, you're told that that thing isn't available but you could buy something else that's supposedly a great deal. The key factor here is that all of that takes place before any sale has even occurred.

    Actually buying something and not getting what you paid for is a much more general concept.

    But "bait-and-switch" is a legal term with a reasonably precise definition. Look it up. I don't think it really applies here.

  13. Re:No sympathy for Sony on PS3 Root Key Found · · Score: 5, Insightful

    Sure, the word "steal" is overloaded. Sony's entertainment industry seems to have a great fascination with the concept of people "stealing", and in that case many disagree with that use of the word.

    But what's your point? Are you arguing some point of US law?

    Normal people (i.e., non-lawyers) understand that the very fabric of commerce is based on "yours", "mine", "not yours", "not mine", "buying", "selling", "vendor", and "customer", etc.

    There's not a lot of subtlety in these terms, because normal people are able to conduct their commerce without concepts like "stealing", "swindling", "crooked dealing", "cheating", or "screwing over your customer" even coming into question 99.9% of the time.

    "Bait-and-switch" doesn't fit, neither does "planned obsolescence". Actually, Sony is breaking new ground here. I don't think normal people ever needed to invent a term for a vendor selling something and then intentionally breaking it by remote control years later.

    So maybe you think it's significant that Sony presented some EULA on the TV and made the user press the green button before they could play the game they just bought.

    But normal people don't. They see it for exactly what it is.

    Nothing particularly subtle or complicated about it at all.

  14. OpenBSD backdoor on Why Published Research Findings Are Often False · · Score: 1

    I think the really important question is whether or not this is the same John Ioannidis who wrote the original IPsec stack used in OpenBSD. Perhaps he is trying to tell us something? :-)

  15. Re:No surprise.. this is india after all on Indian Launch Vehicle Explodes After Lift-Off · · Score: 1

    Then, you'll probably explain how India managed to launch 30+ rockets successfully in the past, and launched one rocket successfully to the moon as well?

    Oh come on. You can't possibly expect everyone to know that.

    Those aren't nearly as interesting as the one that exploded on YouTube.

  16. Re:No surprise.. this is india after all on Indian Launch Vehicle Explodes After Lift-Off · · Score: 1

    Meh.

    People everywhere are short-sighted, mistake-making bozos if you expect too much of them. We Americans have spent the last century parading around the globe talking about how high our ideals are. Often I've been in agreement with them, but we shouldn't be surprised if people hold us to some kinds of standards.

    See, this is what I detest about Americans.

    Detest, hate, these are very strong words. Life's too short to feel that way about anyone, if you can help it.

  17. Re:Impenetrable on Dropbox 1.0 Finally Released · · Score: 1

    Lol, choosing not to install a nonstandard closed source plugin to watch some marketing video isn't anything like disabling text on Wikipedia.

    If you don't see the difference, you should probably stay away from text and go back to watching infomercials.

  18. Re:And what does it do? on Dropbox 1.0 Finally Released · · Score: 0

    That's it?! Seriously?!

    "Stripped-down hosted commercial Rsync with folder metaphor given version number 1.0"

    This is a Slashdot headline?

  19. Re:And what does it do? on Dropbox 1.0 Finally Released · · Score: 1

    These guys make the "corporate mission statement" style home page look downright informative.

    You know, it's almost as if they're afraid to commit to concrete definitions or something...hmm...do you suppose that perhaps even they don't have a clear idea of what the thing is?

    Perhaps they could hire the "help I've fallen and I can't get up" ad agency. They are in desperate need of an identifiable problem (e.g. a broken hip) on which to hang their solution.

  20. Impenetrable on Dropbox 1.0 Finally Released · · Score: 5, Insightful

    So I read this and think "Well, it's on Slashdot, this Dropbox thing must be really important". I wonder what it is?

    I click on the link...

    The new version comes with hundreds of bug fixes, including invalid file names on Windows, weird Unicode normalizations, Word and Excel file locking, abnormal symlinks hierarchies, and case sensitive file systems on Mac

    Oh, so are invalid file names a bug or a feature? Why would I want to lock Word and Excel files? I know what they are but I don't use them. I don't use abnormal symlinks hierarchies or a Mac either.

    So I click the first link 'Dropbox' which goes to (wait for it...) "The Dropbox blog"

    Hey everyone! We’re super excited to announce the new hotness that we’ve been cooking up for the past few months: Dropbox 1.0! In addition to hundreds (yep, hundreds) of bug fixes, vastly reduced resource usage (think of it as the Prius model of Dropbox), Dropbox 1.0 (“Rainbow Shell”) also offers support for extended attributes, selective sync, and a shiny new installation wizard. Those are just the CliffsNotes though — here’s the true story behind Dropbox 1.0:

    You get the idea. It goes on and on. How can these people talk so much and say so little?

    The first link from this page: Dropbox Home. This looks promising, it goes to https://www.dropbox.com/

    Here is the text of the page:

    Suggestions, ideas, bug reports, and comments are always welcome. If you'd like to interact with other Dropbox users, check out our forums. Email Address (optional) There was a problem completing this request. Request completed successfully. Log in Email Password Remember me Create an account Dropbox - Secure backup, sync and sharing made easy. Watch a video about Dropbox. Watch a Video Sync your files online and across computers Download Dropbox Free for Windows, Mac, Linux, and Mobile Dropbox - Secure backup, sync and sharing made easy. Sync your files online and across computers Download Dropbox Free for Windows, Mac, Linux, and Mobile * Sync files of any size or type * Share large files and photos easily * Automatic online backup * Track and undo changes to files Take a tour of Dropbox © 2010 Dropbox * Dropbox * Home * Install * Mobile * Pricing * Features * Tour * Community * Referrals * Twitter * Facebook * Wiki * Developers * Partners * Support * Help Center * Forums * Votebox * Feedback * Contact Us * About Us * Dropbox Blog * Our Team * Press * Policies * Jobs

    Oh, ok. So from this I gather that it's some sort of file sync application which needed a major rearchitecture before it could be released at version 1.0.

    Almost all of the viewable area of the page is taken up by a giant video play button. Well, believe it or not I actually use my computer for computing and not as a television. I also like it to be halfway secure, so I don't have any Adobe products such as Flash installed. I do know how to read and it is several times faster. I'm not watching some video made by people who can't complete the sentence "Dropbox is ...".

    I still don't get it, except that it syncs files and the people who made it should probably cut back on the Red Bull and talk to someone outside the office who hasn't been making and eating their own dog food for eighty hours a week for the last year.

  21. Re:Who else can disable it? on Intel's Sandy Bridge Processor Has a Kill Switch · · Score: 1

    Right. So is Intel now in the business of deciding who gets shut off, like Amazon and DynDns? Or will they hand out kill switch codes to the top 250 computer manufacturers? Will they have a legal team on call 24/7 to ensure that kill switch requests meet even the minimum legal criteria? Will they argue on your behalf, or will they just go with whoever pays the most money? Will there be any prior notice and will you be able to appeal a kill switch order on your CPU? Will Intel do any better than YouTube at rejecting illegitimate requests submitted by parties that just want to screw with you?

    Now that the US DHS has found out how much fun it is to play with the kill switch VeriSign gave them on .com websites, is there any reason to think that they won't order CPU shutdowns as well? Would they not have jumped at the chance to have killed Wikileaks' overseas PCs?

    Why would any foreign government, non-US user, or multi-national corporation buy a system with Intel CPUs now?

    How dumb can this company be?

    Note to Intel: Ways to kill your product or reduce its performance are failings, not features.

  22. Re:As if...! on Intel's Sandy Bridge Processor Has a Kill Switch · · Score: 2

    It's not you.

  23. Re:But but but on FBI Alleged To Have Backdoored OpenBSD's IPSEC Stack · · Score: 2

    Actually, if true, it would be quite the compliment. That OpenBSD was selected to handle sensitive traffic _and_ the FBI had to go out of its way to monitor it.

    The remaining question is, did the CIA, NSA, KGB, FSB, and MI5 all add backdoors too, or do they have cross-licensing agreements...

  24. Re:But but but on FBI Alleged To Have Backdoored OpenBSD's IPSEC Stack · · Score: 1

    Ah, weren't those innocent times?

    Back when we imagined it might be necessary for an attacker to actively insert remote 0-days into MS Windows...

  25. Re:"password" on SHA-3 Finalist Candidates Known · · Score: 2

    http://en.wikipedia.org/wiki/SHA-2

    So for SHA-256 the starting constants are the "first 32 bits of the fractional parts of the square roots of the first 8 primes 2..19" and "first 32 bits of the fractional parts of the cube roots of the first 64 primes 2..311".

    That only takes a few words to explain, and most of it is dictated by the design (e.g., "32 bits"). The hash designer is signaling that he only had freedom to select a few general concepts here and there.

    http://en.wikipedia.org/wiki/Nothing_up_my_sleeve_number

    You can be sure that the people who approve these kinds of things are pretty paranoid about the possibility of someone sneaking a back door in there. If the constants had been proposed as "bits from the base-2 representation of pi starting at bit position 2364826687681" there would have been some serious eyebrow raising.

    Still, it's a pretty cool find. I can't wait for the upcoming holiday party, I will surely impress the ladies with that!
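As an added example (not part of the comment above or of any Slashdot page), the "few words" recipe the comment describes is reproduced in Python and checked against the published SHA-256 tables: the eight initial words H0 from square roots of the first 8 primes and the 64 round constants K from cube roots of the first 64 primes. Roots are taken with exact integer arithmetic so no floating-point rounding can creep in; the check values are the constants from FIPS 180-4.

```python
import math

# Published SHA-256 values (FIPS 180-4), used here only as the check value.
SHA256_H0 = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
             0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]
SHA256_K_FIRST4 = [0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5]
SHA256_K_LAST = 0xc67178f2  # K[63], from the cube root of 311

def first_primes(n):
    """First n primes by trial division: 2, 3, 5, ..."""
    primes, candidate = [], 2
    while len(primes) < n:
        if all(candidate % p for p in primes if p * p <= candidate):
            primes.append(candidate)
        candidate += 1
    return primes

def icbrt(n):
    """Exact integer cube root: the largest r with r**3 <= n."""
    lo, hi = 0, 1 << (n.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo

def frac_bits_sqrt(p, bits=32):
    """First `bits` bits of frac(sqrt(p)), exactly: floor(sqrt(p)*2**bits)
    equals isqrt(p * 2**(2*bits)); masking drops the integer part."""
    return math.isqrt(p << (2 * bits)) & ((1 << bits) - 1)

def frac_bits_cbrt(p, bits=32):
    """Same for cube roots: floor(cbrt(p)*2**bits) == icbrt(p * 2**(3*bits))."""
    return icbrt(p << (3 * bits)) & ((1 << bits) - 1)

def derive_h0():
    """Initial hash state: square roots of the first 8 primes (2..19)."""
    return [frac_bits_sqrt(p) for p in first_primes(8)]

def derive_k():
    """Round constants: cube roots of the first 64 primes (2..311)."""
    return [frac_bits_cbrt(p) for p in first_primes(64)]

def matches_published():
    """True when the two-sentence recipe reproduces the standard's tables."""
    k = derive_k()
    return (derive_h0() == SHA256_H0 and k[:4] == SHA256_K_FIRST4
            and k[-1] == SHA256_K_LAST and first_primes(64)[-1] == 311)

if __name__ == "__main__":
    print("H0 =", [hex(h) for h in derive_h0()])
    print("recipe matches FIPS 180-4:", matches_published())
```

The same two functions with a different `bits` value and different prime counts give the SHA-512 tables, which is what makes the recipe easy to audit: anyone can regenerate every constant from the description alone.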