There's been a lot of talk about some portion of the RSA keys on the Internet being insecure, with "2 out of every 1000 keys being bad". This is incorrect, as the problem is not equally likely to exist in every class of key on the Internet. In fact, the problem seems to only show up on keys that were already insecure to begin with -- those that pop errors in browsers for either being unsigned or expired. Such keys are simply not found on any production website on the web, but they are found in high numbers in devices such as firewalls, network gateways, and voice over IP phones.
It's tempting to discount the research entirely. That would be a mistake. Certainly, what we generally refer to as "the web" is unambiguously safe, and no, there's nothing particularly special about RSA that makes it uniquely vulnerable to a faulty random number generator. But it is extraordinarily clear now that a massive number of devices, even those purportedly deployed to make our networks safer, are operating completely without key management. It doesn't matter how good your key is if nobody can recognize it as yours. DNSSEC will do a lot to fix that. It is also clear that random number generation on devices is extremely suspect, and that this generic attack that works across all devices is likely to be followed up by fairly devastating attacks against individual makes and models. This is good and important research, and it should compel us to push for new and interesting mechanisms for better randomness. Hardware random number generators are the gold standard, but perhaps we can exploit the very small differences between clocks in devices and PCs to approximate what they offer.