The Electronic Frontier Foundation's SSL Observatory is a research project that gathers and analyzes the cryptographic certificates used to secure Internet connections, systematically cataloging them and exposing their database for other scientists, researchers and cryptographers to consult.
Now Arjen Lenstra of École polytechnique fédérale de Lausanne has used the SSL Observatory dataset to show that tens of thousands of SSL certificates "offer effectively no security due to weak random number generation algorithms." Lenstra's research means that much of what we think of as gold-standard, rock-solid network security is deeply flawed, but it also means that users and website operators can detect and repair these vulnerabilities.
While we have observed and warned about vulnerabilities due to insufficient randomness in the past, Lenstra's group was able to discover more subtle RNG bugs by searching not only for keys that were unexpectedly shared by multiple certificates, but for prime factors that were unexpectedly shared by multiple publicly visible public keys. This application of the 2,400-year-old Euclidean algorithm turned out to produce spectacular results.
In addition to TLS, the transport layer security mechanism underlying HTTPS, other types of public keys were investigated that did not use EFF's Observatory data set, most notably PGP. The cryptosystems that underlay the full set of public keys in the study included RSA (which is the most common class of cryptosystem behind TLS), ElGamal (which is the most common class of cryptosystem behind PGP), and several others in smaller quantities. Within each cryptosystem, various key strengths were also observed and investigated, for instance RSA 2048 bit as well as RSA 1024 bit keys. Beyond shared prime factors, there were other problems discovered with the keys, which all appear to stem from insufficient randomness in generating the keys. The most prominently affected keys were RSA 1024 bit moduli. This class of keys was deemed by the researchers to be only 99.8% secure, meaning that 2 out of every 1000 of these RSA public keys are insecure. Our first priority is handling this large set of tens of thousands of keys, though the problem is not limited to this set, or even to just HTTPS implementations.
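The shared-factor check described above, as an added example (not code from the Lenstra study or from EFF's Observatory): a product-tree batch GCD that finds, for every modulus in a set, any prime it shares with another modulus, then splits both. The moduli here are constructed from toy primes so it runs instantly; real keys are 1024- or 2048-bit, but the arithmetic is the same.

```python
"""Batch GCD over a set of RSA moduli: find every modulus that shares a prime
with another modulus in the set and recover both of its factors.
Added example; not code from the Lenstra study or the EFF Observatory.
Pairwise gcd is quadratic in the number of keys; the product-tree /
remainder-tree method below (Bernstein) does it in quasi-linear time."""
from math import gcd
from typing import Dict, List, Optional, Tuple


def product_tree(leaves: List[int]) -> List[List[int]]:
    """tree[0] is the input, tree[-1] is [product of all leaves]."""
    tree = [list(leaves)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        nxt = [level[i] * level[i + 1] for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:              # odd leftover is carried up unchanged
            nxt.append(level[-1])
        tree.append(nxt)
    return tree


def batch_gcd(moduli: List[int]) -> List[int]:
    """Return g with g[i] = gcd(N_i, product of all N_j for j != i)."""
    if not moduli:
        return []
    tree = product_tree(moduli)
    rems = tree[-1]                     # root: [P], the product of everything
    # Remainder tree: node i at a level has parent i // 2 one level up; reduce
    # the parent's remainder modulo node^2 on the way down to the leaves.
    for level in reversed(tree[:-1]):
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(level)]
    # N divides P, so gcd(N, (P mod N^2) // N) == gcd(N, P // N).
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def _pairwise_factor(n: int, moduli: List[int]) -> Optional[int]:
    """Slow path: a proper divisor of n shared with some other modulus."""
    for m in moduli:
        d = gcd(n, m)                   # m == n gives d == n and is skipped
        if 1 < d < n:
            return d
    return None


def factor_weak_keys(moduli: List[int]) -> Dict[int, Tuple[int, int]]:
    """Map each modulus that shares a prime with another to its (p, q)."""
    found: Dict[int, Tuple[int, int]] = {}
    for n, g in zip(moduli, batch_gcd(moduli)):
        if g == 1:
            continue                    # shares no prime with any other key
        if g == n:
            # Both primes occur elsewhere (e.g. the same modulus appears twice);
            # batch gcd only reports "all of N", so split it pairwise instead.
            d = _pairwise_factor(n, moduli)
            if d is None:
                continue                # exact duplicates only: nothing to split
            g = d
        p, q = sorted((g, n // g))
        found[n] = (p, q)
    return found


# Constructed toy "keys" from small primes: N1 and N2 share P, N4 is an exact
# copy of N1 (a duplicated key), N3 is healthy. Real moduli are 1024/2048-bit.
P, Q, R, S, T = 1009, 1013, 1019, 1021, 1031
SAMPLE_MODULI = [P * Q, P * R, S * T, P * Q]

if __name__ == "__main__":
    for n, (p, q) in factor_weak_keys(SAMPLE_MODULI).items():
        print(f"N={n} is weak: {p} * {q}")
```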
We are very alarmed by this development. In addition to notifying website operators, Certificate Authorities, and browser vendors, we also hope that the full set of RNG bugs that are causing these problems can be quickly found and patched. Ensuring a secure and robust public key infrastructure is vital to the security and privacy of individuals and organizations everywhere.
For ten years, Kickstarter founder and former CTO Andy Baio has been compiling his "Pirating the Oscars" reports, which document which Oscar-nominated movies are available as downloads on P2P and other file-sharing services, measuring how effective the studios are at controlling leaks of "screeners" -- DVDs sent to members of the Academy for review consideration. This year marks a turning point for the industry, as it ends a three-year-long trend of increased screener leaks.
However, Baio says, the studios have "won the battle and lost the war," as this year also marks the first year that 92 percent of the nominated films were "available as high-quality DVD or Blu-ray rips." As Baio notes, "If the goal of blocking leaks is to keep the films off the internet, then the MPAA still has a long way to go."
But the MPAA may have little to do with the decline. Oscar-nominated films could be coming out earlier in the year, making screeners less important.
Or maybe the interests of the mainstream downloader and industry favorites are diverging? If the Oscars are mostly arthouse fare and critical darlings, but with low gross receipts, they'll be less desirable to leak online. It would be very interesting to track the historical box office performance of nominees to see how it affects downloading. (Maybe next year!)
The continuously shrinking window between theatrical and retail releases may be to blame. After all, once the retail Blu-ray or DVD is released, there's no reason for pirate groups to release a lower-quality watermarked screener.
2600 Magazine's Emmanuel Goldstein writes, "One of the keynote addresses at this year's HOPE conference (July 13-15, NYC) will be given by The Yes Men. They're a natural fit at the biennial hacker conference which will be featuring highly technical along with socially relevant talks. The Yes Men have done a great deal to challenge the system and publicize injustice through the art of social engineering over the years, fooling the mass media into believing they represented the World Trade Organization, Dow Chemical, and the United States Chamber of Commerce, and more. Their words at HOPE ought to give a lot of people ideas on how they might be able to change the world."
Gawker has a profile of "Martin," a "mercenary hacker" who provides IT security consulting to millionaires, crooks, cheating spouses (or spouses who suspect their other halves of cheating) and so on. Martin's tradecraft -- rotating SIM cards using pill-sorters labelled for each day of the week and the like -- would be moderately effective against an unskilled attacker, but it seems to me that it wouldn't survive an advanced persistent threat like a government or a major spy agency. For example, he instructs his clients to use "dumb" candybar phones instead of smartphones, which, on the surface, has some logic to it (smartphones are more complex, so they have more attack-surface). But the crypto in wireless telephony is junk, so anyone with a little smarts and the capacity to follow a recipe they find on the Internet can build interception equipment that would allow them to listen in on the calls from such a phone. On the other hand, a smartphone allows users to overlay their own, industry-grade crypto for voice and SMS communications.
Likewise, Martin has his customers rotate SIMs every day, but reuses the SIMs every 14 days. This does require adversaries to acquire fourteen times more numbers and intercept them, but that, in and of itself, is not that challenging (if you can wiretap one number, you can wiretap 14, too). Especially as the phones maintain the same IMEI -- the hardcoded serial number that is sent along with the phone signalling information, which uniquely identifies a handset regardless of what number it's using. Again, this is where a smartphone would help, as a sufficiently rooted phone can be instructed to spoof its IMEI with each call, or on some other rotating basis.
Martin also provides "search-engine optimization" -- gaming FourSquare to boost the apparent popularity of a club, gaming YouTube to falsely increment the view-counter -- and he'll install a keylogger on a phone or computer for you, or sell you hidden wireless mics and cameras.
With Martin's system, each crewmember gets a cell phone that operates using a prepaid SIM card; they also get a two-week plastic pill organizer filled with 14 SIM cards where the pills should be. Each SIM card, loaded with $50 worth of airtime, is attached to a different phone number and stores all contacts, text messages and call histories associated with that number, like a removable hard drive. This makes a new SIM card effectively a new phone. Every morning, each crewmember swaps out his phone's card for the card in next day's compartment in the pill organizers. After all 14 cards are used, they start over at the first one.
Of course, it would be hugely annoying for a crewmember to have to remember the others' constantly changing numbers. But he doesn't have to, thanks to the pill organizers. Martin preprograms each day's SIM card with the phone numbers the other members have that day. As long as they all swap out their cards every day, the contacts in the phones stay in sync. (They never call anyone but each other on the phones.) Crewmembers will remind each other to "take their medicine," Martin said.
Not only does Martin's system make wiretapping difficult, Martin claims it can protect the group if a phone gets compromised. If authorities snatch or tap a phone from Martin's system, they'll have access to only 1/14th of the entire network. The crew can just replace their SIM cards from that day in the pill organizer, assured that the other 13 of their SIM cards are still secure.
A federal judge in Colorado recently handed down a ruling that forced a defendant to decrypt her laptop hard-drive, despite the Fifth Amendment's stricture against compelling people to testify against themselves. The Electronic Frontier Foundation's Marcia Hoffman has commentary on the disappointing ruling:
In the order issued yesterday, the court dodged the question of whether requiring Fricosu to type a passphrase into the laptop would violate the Fifth Amendment. Instead, it ordered Fricosu to turn over a decrypted version of the information on the computer. While the court didn't hold that Fricosu has a valid Fifth Amendment privilege not to reveal that data, it seemed to implicitly recognize that possibility. The court both points out that the government offered Fricosu immunity for the act of production and forbids the government from using the act of production against her. We think Fricosu not only has a valid privilege against self-incrimination, but that the immunity offered by the government isn't broad enough to invalidate it. Under Supreme Court precedent, the government can't use the act of production or any evidence it learns as a result of that act against Fricosu.
The court then found that the Fifth Amendment "is not implicated" by requiring Fricosu to turn over the decrypted contents of the laptop, since the government independently learned facts suggesting that Fricosu had possession and control over the computer. Furthermore, according to the court, "there is little question here but that the government knows of the existence and location of the computer's files. The fact that it does not know the specific content of any specific documents is not a barrier to production." We disagree with this conclusion, too. Neither the government nor the court can say what files the government expects to find on the laptop, so there is testimonial value in revealing the existence, authenticity and control over that specific data. If Fricosu decrypts the data, the government could learn a great deal it didn't know before.
In sum, we think the court got it wrong.
Matt Richtel's recent NYT article on teenagers who share their Facebook passwords as a show of affection has raised alarms with parents and educators who worry about the potential for bullying and abuse.
But as danah boyd points out, the practice of password-sharing didn't start with kids: it started with parents, who required their kids to share their passwords with them. Young kids have to share their passwords because they lose them, and older kids are made to share their passwords because their parents want to snoop on them. Basically, you can't tell kids that they must never, ever share their passwords while also requiring them to share their passwords with you.
There are different ways that parents address the password issue, but they almost always build on the narrative of trust. (Tangent: My favorite strategy is when parents ask children to put passwords into a piggy bank that must be broken for the paper with the password to be retrieved. Such parents often explain that they don’t want to access their teens’ accounts, but they want to have the ability to do so “in case of emergency.” A piggy bank allows a social contract to take a physical form.)
When teens share their passwords with friends or significant others, they regularly employ the language of trust, as Richtel noted in his story. Teens are drawing on experiences they’ve had in the home and shifting them into their peer groups in order to understand how their relationships make sense in a broader context. This shouldn’t be surprising to anyone because this is all-too-common for teen practices. Household norms shape peer norms.
There’s another thread here that’s important. Think back to the days in which you had a locker. If you were anything like me and my friends, you gave out your locker combination to your friends and significant others. There were varied reasons for doing so. You wanted your friends to pick up a book for you when you left early because you were sick. You were involved in a club or team where locker decorating was common. You were hoping that your significant other would leave something special for you.
Inspired by Rebecca Hains' harrowing tale of cupcake confiscation by the Las Vegas TSA, Providence, RI's Silver Spoon Bakery is selling "TSA-compliant cupcakes." These have exactly three ounces of frosting, and come in a ziplock baggie with a boarding card and a little Richard Nixon badge bearing the legend, "I am not a gel."
Here's a good brief look at the state of CyanogenMod, a free/open fork of the Android operating system that lets you do a lot more with your tablet/phone. I really like the way that CyanogenMod exerts force on the Android ecosystem: back when Google was unwilling to ship a tethering app (even for "Google Experience" phones like the Nexus One), CyanogenMod gave users the choice to tether. I think that the number of users who went to the fork freaked out both Google and the carriers, and in any event, tethering quickly became an official feature of Android.
Now CyanogenMod is toying with the idea of a Banned Apps store, consisting of apps that were banned from Google Marketplace for "no good reason" (generally because they threatened Google or the carriers in some way). It's hard for users to get upset about functionality restrictions that they don't know about, but once their friends get the ability to do more, they'll clamor for it, too.
And Google has a strong incentive to keep up with CyanogenMod's functionality: once you've rooted your device and installed a new OS on it for the first time, it's pretty easy to keep on doing it for future devices. I know I worried a lot the first time, and laughed through subsequent installs -- and the process just keeps getting easier. It's really in Google's interest that Android users not get the CyanogenMod habit, and the best way to prevent that is to keep up with CyanogenMod itself, even if it means sacrificing a little profitability, and that's good for users.
Given the success of CyanogenMod, it should be no surprise that the project is continuing to evolve and grow into new areas. Koushik Dutta, one of the CyanogenMod team members, would like to see an App Store for root apps and apps that are "getting shut down for no good reason." The idea seems pretty handy from a user perspective, and as Dutta points out, could even help fund the CyanogenMod project.
Apparently, Dutta approached Amazon with his idea of bundling their AppStore in CyanogenMod with the provision that Amazon would give CyanogenMod a portion of the sales. Sadly, Amazon brushed Dutta off, so it would appear that this isn't going to happen in the short term. Still, it appears there are a number of users on Google+ that are excited about the project, so hopefully it will come to fruition. Dutta's proposed store would be open-source so it would be available to any custom ROM, not just CyanogenMod.
Bruce Sterling received a phishing email purporting to be a followup to a report of a phishing email. Coming soon: a phishing email purporting to be a phishing email purporting to be a followup to a report of a phishing email.
US-CERT is forwarding the following Phishing email that we received to the APWG for further investigation and processing.
Please check attached report for the details and email source
US-CERT has opened a ticket and assigned incident number PH0000005007349. As your investigation progresses updates may be sent at your discretion to firstname.lastname@example.org and should reference PH0000002359885.
Okay, yes. This is an ad for a Delta "track your luggage" app. And, yes, it blacks out the part where your luggage goes through security.
But it's also a nifty little video that reminds me of the how's-it-made genre of Sesame Street videos that I loved as a child. There's just something about stuff riding on conveyor belts, know what I mean?
It was also interesting to get a reminder that luggage is loaded into and unloaded from the airplane by hand. So all the times I've stood around getting cranky at waiting for my luggage to show up on the carousel ... there's some people doing their best to get it to me fast and without throwing it around everywhere. I think, next time, I'll have a little more patience.
(Thanks, Andrew Balfour!)
Researcher: T-Mobile UK is secretly disrupting secure communications, leaving customers vulnerable to spying
Mike Cardwell claims that T-Mobile UK are silently disrupting VPNs and secure connections to mail-servers, using packet-injection techniques more often found in the Great Firewall of China. He documents his findings in detail, and has found someone on the T-Mobile customer forums who claims that a senior technician there stated that it was a deliberate policy decision at T-Mobile to keep mail from being sent through any servers apart from their own.
The consequence of this is that you must communicate over T-Mobile's 3G network in a way that allows them to snoop on you and read your email. And since 3G security has been compromised for years, it also means that anyone within range of your cell tower can snoop on you. Mike borrowed techniques from those who fight the Great Firewall of China to build a system that lets him tunnel securely and keep his sensitive data secret, but unless you run your own servers, you're screwed if you're a T-Mobile customer.
Mike's SIM is a pay-as-you-go SIM, and his previous SIM, which came with a contract, didn't experience this filtering. Either this is the result of different filtering schemes for different customers or it's a new policy. I hope T-Mobile clarifies (and terminates) this policy soon.
I run my own Linux server, and self-host several services. I use SSL whenever possible. If I connect to my mail submission service with immediate encryption on port 465, T-Mobile instantly sends a spoofed RST TCP packet to both my server and my client in order to disrupt/disconnect the connection. I ran tcpdump on both ends of the connection to verify that this was happening. They also do the same for mail submission port 587. This time, they let you connect, but as soon as you send a STARTTLS command, the RST packets appear, and the connection drops. This isn't just for my mail server, I experienced the same problems using smtp.gmail.com as well...
I route all of my Internet traffic over an OpenVPN to my Linode.com VPS. This has always worked fine with my original SIM. With the new SIM, no matter which port I configure OpenVPN on, the RST packets appear. IMAP over SSL on port 993 works fine, but if I switch that off and configure OpenVPN to listen on port 993, it is blocked. So the blocks aren't even port based. They've got some really low level deep packet inspection technology going on here. The Great Firewall of China uses the exact same technique of sending RST packets to disrupt connections.
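A defender-side check for the RST injection Mike describes, added here and not taken from his post or his tcpdump output: given the packets of a flow as seen at one end (constructed records stand in for a capture), flag any RST whose IP TTL does not match the hop distance of the claimed sender's genuine segments, or that is contradicted by the claimed sender continuing to talk afterwards. Addresses, ports and timings are made up.

```python
"""Flag TCP RST segments that look injected on-path rather than sent by the
endpoint they claim as source. Added example for the RST-injection behaviour
described above; not Mike Cardwell's code or his tcpdump output. Two signals:
the real peer's segments share a stable IP TTL (fixed hop count), and a peer
that really sent a RST is finished, so later genuine traffic contradicts it."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    ts: float          # capture timestamp, seconds
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int           # IP TTL observed at the capture point
    flags: str         # tcpdump-style letters: S, SA, A, PA, R, RA ...
    payload: bytes = b""


def flow_key(seg: Segment) -> tuple:
    """Direction-independent key so both halves of a connection match."""
    return tuple(sorted([(seg.src, seg.sport), (seg.dst, seg.dport)]))


def find_injected_rsts(segments: List[Segment],
                       ttl_slack: int = 2) -> List[Tuple[Segment, str]]:
    """Return (rst_segment, reason) for every RST that fails either check."""
    ordered = sorted(segments, key=lambda s: s.ts)
    baseline: Dict[tuple, Dict[tuple, int]] = defaultdict(dict)    # first TTL per sender
    last_talk: Dict[tuple, Dict[tuple, float]] = defaultdict(dict)  # last non-RST ts
    rsts: List[Segment] = []
    for seg in ordered:
        key, sender = flow_key(seg), (seg.src, seg.sport)
        if "R" in seg.flags:
            rsts.append(seg)
            continue
        baseline[key].setdefault(sender, seg.ttl)
        last_talk[key][sender] = seg.ts
    suspects = []
    for rst in rsts:
        key, sender = flow_key(rst), (rst.src, rst.sport)
        reasons = []
        base = baseline[key].get(sender)
        # No baseline (e.g. RST answering a SYN to a closed port) is uncheckable, not suspicious.
        if base is not None and abs(rst.ttl - base) > ttl_slack:
            reasons.append(f"TTL {rst.ttl} vs sender baseline {base}")
        if last_talk[key].get(sender, -1.0) > rst.ts:
            reasons.append("claimed sender kept talking after its RST")
        if reasons:
            suspects.append((rst, "; ".join(reasons)))
    return suspects


CLIENT, SERVER = ("10.0.0.2", 51000), ("203.0.113.10", 587)
CLIENT2 = ("10.0.0.2", 51001)


def mk(ts, frm, to, ttl, flags, payload=b""):
    return Segment(ts, frm[0], frm[1], to[0], to[1], ttl, flags, payload)


# Constructed capture at the client. Flow 1: submission on 587 dies right after
# STARTTLS with a RST "from the server" (wrong TTL) while the server's real
# "220 Ready" is still in flight. Flow 2: a genuine server RST for contrast.
SAMPLE_CAPTURE = [
    mk(0.000, CLIENT, SERVER, 64, "S"),
    mk(0.080, SERVER, CLIENT, 52, "SA"),
    mk(0.081, CLIENT, SERVER, 64, "A"),
    mk(0.160, SERVER, CLIENT, 52, "PA", b"220 mail.example ESMTP\r\n"),
    mk(0.161, CLIENT, SERVER, 64, "PA", b"EHLO client.example\r\n"),
    mk(0.240, SERVER, CLIENT, 52, "PA", b"250-STARTTLS\r\n250 OK\r\n"),
    mk(0.241, CLIENT, SERVER, 64, "PA", b"STARTTLS\r\n"),
    mk(0.260, SERVER, CLIENT, 61, "R"),                       # injected
    mk(0.320, SERVER, CLIENT, 52, "PA", b"220 Ready to start TLS\r\n"),
    mk(1.000, CLIENT2, SERVER, 64, "S"),
    mk(1.080, SERVER, CLIENT2, 52, "SA"),
    mk(5.000, SERVER, CLIENT2, 52, "RA"),                     # genuine
]

if __name__ == "__main__":
    for rst, why in find_injected_rsts(SAMPLE_CAPTURE):
        print(f"{rst.ts:.3f} {rst.src}:{rst.sport} -> {rst.dst}:{rst.dport}: {why}")
```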
KolotiBablo, a Russian service, pays workers in China, India, Pakistan, and Vietnam to crack CAPTCHAs -- it's a favorite of industrial scale spammers. This company's fortunes represent an interesting economic indicator of the relative cost of labor (plus Internet access and junk PCs) in the poorest countries in the world, versus skilled programmer labor to automate CAPTCHA-breaking (or automating a man-in-the-middle attack on CAPTCHAs, such as making people solve imported Gmail account-creation CAPTCHAs in order to look at free porn).
Paying clients interface with the service at antigate.com, a site hosted on the same server as kolotibablo.com. Antigate charges clients 70 cents to $1 for each batch of 1,000 CAPTCHAs solved, with the price influenced heavily by volume. KolotiBablo says employees can expect to earn between $0.35 to $1 for every thousand CAPTCHAs they solve. The twin operations say they do not condone the use of their services to promote spam, or “all those related things that generate butthurt for the ‘big guys,’” most likely a reference to big free Webmail providers like Google and Microsoft. Still, both services can be found heavily advertised and recommended in several underground forums that cater to spammers and scam artists.
Illustration: Kurt Caesar (?)
Tell me the difference between these two pieces of text.
One of the most mind-blowing presentations at this year's Chaos Communications Congress (28C3) was Ang Cui's Print Me If You Dare, in which he explained how he reverse-engineered the firmware-update process for HP's hundreds of millions of printers. Cui discovered that he could load arbitrary software into any printer by embedding it in a malicious document or by connecting to the printer online. As part of his presentation, he performed two demonstrations: in the first, he sent a document to a printer that contained a malicious version of the OS that caused it to copy the documents it printed and post them to an IP address on the Internet; in the second, he took over a remote printer with a malicious document, caused that printer to scan the LAN for vulnerable PCs, compromise a PC, and turn it into a proxy that gave him access through the firewall (I got shivers).
Cui gave HP a month to issue patches for the vulnerabilities he discovered, and HP now has new firmware available that fixes this (his initial disclosure was misreported in the press as making printers vulnerable to being overheated and turning into "flaming death bombs" -- he showed a lightly singed sheet of paper that represented the closest he could come to this claim). He urges anyone with an HP printer to apply the latest patch, because malware could be crafted to take over your printer and then falsely report that it has accepted the patch while discarding it.
Cui's tale of reverse-engineering is a fantastic look at the craft and practice of exploring security vulnerabilities. The cases he imagined for getting malware into printers were very good: send a resume to HR, wait for them to print it, take over the network and pwn the company.
Cui believes that these vulnerabilities are likely present on non-HP printers (a related talk on PostScript hacking lent support to his belief) and his main area of research is a generalized anti-malware solution for all embedded systems, including printers and routers.
Just in case this has scared the hell out of you (as it did me), be assured that there are many lulz to be had, especially when Cui described his interactions with HP, who actually had a firmware flag called "super-secret bypass of crypto-key enabled."
State of the arms race between repressive governments and anti-censorship/surveillance Tor technology (and why American companies are on the repressive governments' side)
Last night's Chaos Computer Congress (28C3) presentation from Jacob Applebaum and Roger Dingledine on the state of the arms race between the Tor anti-censorship/surveillance technology and the world's repressive governments was by turns depressing and inspiring. Dingledine and Applebaum have unique insights into the workings of the technocrats in Iranian, Chinese, Tunisian, Syrian and other repressive states, and the relationship between censorship and other human rights abuses (for example, when other privacy technologies failed, governments sometimes discovered who was discussing revolution and used that as the basis for torture and murder).
Two thirds of the way through the talk, they broaden the context to talk about the role of American companies in the war waged against privacy and free speech -- SmartFilter (now an Intel subsidiary, and a company that has a long history of censoring Boing Boing) is providing support for Iran's censorship efforts, for example. They talked about how Blue Coat and Cisco produce tools that aren't just used to censor, but to spy (all censorware also acts as surveillance technology) and how the spying directly leads to murder and rape and torture.
Then, they talked about the relationship between corporate networks and human rights abuses. Iran, China, and Syria, they say, lack the resources to run their own censorship and surveillance R&D projects, and on their own, they don't present enough of a market to prompt Cisco to spend millions to develop such a thing. But when a big company like Boeing decides to pay Cisco millions and millions of dollars to develop censorware to help it spy on its employees, the world's repressive governments get their R&D subsidized, and Cisco gets a product it can sell to them.
They concluded by talking about how Western governments' insistence on "lawful interception" back-doors in network equipment means that all the off-the-shelf network gear is readymade for spying, so, again, the Syrian secret police and the Iranian telcoms spies don't need to order custom technology that lets them spy on their people, because an American law, CALEA, made it mandatory that this technology be included in all the gear sold in the USA.
If you care at all about the future of free speech, democracy, and privacy, this is an absolute must-see presentation.
How governments have tried to block Tor
Iran blocked Tor handshakes using Deep Packet Inspection (DPI) in January 2011 and September 2011. Bluecoat tested out a Tor handshake filter in Syria in June 2011. China has been harvesting and blocking IP addresses for both public Tor relays and private Tor bridges for years.
Roger Dingledine and Jacob Appelbaum will talk about how exactly these governments are doing the blocking, both in terms of what signatures they filter in Tor (and how we've gotten around the blocking in each case), and what technologies they use to deploy the filters -- including the use of Western technology to operate the surveillance and censorship infrastructure in Tunisia (Smartfilter), Syria (Bluecoat), and other countries. We'll cover what we've learned about the mindset of the censor operators (who in many cases don't want to block Tor because they use it!), and how we can measure and track the wide-scale censorship in these countries. Last, we'll explain Tor's development plans to get ahead of the address harvesting and handshake DPI arms races.