How the tech workers of WWII thwarted the Nazis with high-tech sabotage

Comptroller general of the French Army René Carmille "purposely delayed the process by mishandling the punch cards," changing the programming so that the religion field wouldn't be read from them; Adolfo Kaminsky used his dry-cleaning chemical expertise to remove the red "J" (for Jew) stamps from French passports, and could forge 30 identity documents per hour; the Kasharyiot (female couriers) could pass for Aryans and smuggled "secret documents, weapons, underground newspapers, money, medical supplies, news of German activities, forged identity cards, ammunition — and other Jews — in and out of the ghettos of Poland, Lithuania and parts of Russia"; Walter Süskind and his friends used their positions running the nursery where Dutch Jewish children awaited deportation to camps to smuggle 600 children to safety. Read the rest

Information security needs its own National Institutes of Health

Superstar security researcher Dan Kaminsky (previously) wants to create a "National Institutes of Health for computer security" -- a publicly funded research institution that figures out how to prevent and cope with large-scale security issues in networked devices. Read the rest

Apple v FBI isn't about security vs privacy; it's about America's security vs FBI surveillance

Dan Kaminsky, one of the Internet's essential squad of "volunteer fire fighters" who oversaw the largest-ever synchronized vulnerability patching in Internet history, has written a stirring editorial for Wired explaining what the FBI puts at risk when it demands weaker encryption: it's not our privacy, it's the security of finance, health care, roads, and every other piece of tech-enabled infrastructure in the land. Read the rest

The latest DNS bug is terrifying, widespread, and reveals deep flaws in Internet security

Dan Kaminsky is master of all that is terrible and wonderful about the Internet's Domain Name Service, a vital piece of Internet infrastructure dating back to 1983, whose criticality and age make it a source of ongoing problems in Internet securityland. Read the rest

This Day in Blogging History: Kaminsky on Bitcoin; doxxing Scalia; T9 collisions

One year ago today Dan Kaminsky on BitCoin: Bitcoin’s fundamental principle of fraud management is one of denial.

Five years ago today

Scalia Scoffs at Calls for More Data Privacy Protection, Students Surprise Him With Dossier of His Own Data.: The class turned in a 15-page dossier that included not only Scalia's home address, home phone number and home value, his food and movie preferences, his wife's personal e-mail address and photos of his grandchildren.

Ten years ago today Collisions in T9: 46637: GONER, GOODS, GOOFS, HOMER, HOMES, HONER, HONES, HOODS, HOOFS, INNER Read the rest

Dan Kaminsky on BitCoin

Ever since BitCoin appeared, I've been waiting for two security experts to venture detailed opinions on it: Dan Kaminsky and Ben Laurie. Dan has now weighed in, with a long, thoughtful piece on the merits and demerits of BitCoin as a currency and as a phenomenon.

Bitcoin’s fundamental principle of fraud management is one of denial. If we drop our wallet on the street, the U.S. government is not going to compensate us for our lost cash. Bitcoin attempts to make the same deal, to the point where it calls its stores of keys, “wallets.” If we drop our wallet on the street — heck, if someone picks it out of our pockets — the money’s gone.

There have been bitcoin thefts. A few years ago, I tried to break Bitcoin, and failed quite gloriously. The system and framework itself is preternaturally sound. But it too is built on the foundation of buggy technologies we call the internet, and so Bitcoin must experience failures from the code around it. Hackers don’t care whose code they broke on their way to bitcoin, any more than pickpockets care that they’re exploiting the manufacturer of one’s jeans or leather wallet. So they break the server below the money, or the web interface above it. They still win.

At least, that’s the theory. Reality is more complicated. Of all the millions of dollars of purloined bitcoin that’s floating around out there, not one Satoshi of it has been spent. That’s because while most other stolen property becomes relatively indistinguishable from its legitimate brethren, everybody knows the identity of this particular stolen wealth, and can track it until the end of time.

Read the rest

Dan Kaminsky on the RSA key-vulnerability

Dan Kaminsky sez,

There's been a lot of talk about some portion of the RSA keys on the Internet being insecure, with "2 out of every 1000 keys being bad". This is incorrect, as the problem is not equally likely to exist in every class of key on the Internet. In fact, the problem seems to only show up on keys that were already insecure to begin with -- those that pop errors in browsers for either being unsigned or expired. Such keys are simply not found on any production website on the web, but they are found in high numbers in devices such as firewalls, network gateways, and voice over IP phones.

It's tempting to discount the research entirely. That would be a mistake. Certainly, what we generally refer to as "the web" is unambiguously safe, and no, there's nothing particularly special about RSA that makes it uniquely vulnerable to a faulty random number generator. But it is extraordinarily clear now that a massive number of devices, even those purportedly deployed to make our networks safer, are operating completely without key management. It doesn't matter how good your key is if nobody can recognize it as yours. DNSSEC will do a lot to fix that. It is also clear that random number generation on devices is extremely suspect, and that this generic attack that works across all devices is likely to be followed up by fairly devastating attacks against individual makes and models. This is good and important research, and it should compel us to push for new and interesting mechanisms for better randomness.

Read the rest

Coffee Common: roasters roast one other at TED

Last week I was excited to announce the birth of Coffee Common, a project of coffee enthusiasts (one of them being me) coming together to improve the experience of coffee for both industry and consumers. I mentioned that to kick off the launch, the project organizers and a handful of baristas from around the world will be spending this week in conjunction with the TED conference talking about (and serving) a few noteworthy selections from a select group of roasters.

We narrowed our list to the roasters we know have beautiful coffees with clarity and balance on their offering menus—and, who would be able to produce, roast and ship enough coffee to meet the needs of the thirsty TED attendees, at their own expense.

Normally, these roasters would consider each others competition, but the Coffee Common project is about collaboration. So we had an idea. We could write a short introduction for each included roaster, or we could assign each participating roaster the task of writing the intro for one of the others - knowing very well that one of the others would be writing theirs as well. This sounded much more interesting to us. After all, your fans can gush about you, but what your competition says may be more telling. So with that in mind...

Intelligentsia - introduced by James Hoffman of Square Mile Coffee Stumptown - Introduced by Benjamin Kaminsky of Ritual Roasters Has Bean - Introduced by Peter Giuliano of Counter Culture Coffee Square Mile - Introduced by Trevor Corlett of Madcap Coffee Ritual Roasters - Intriduced by George Howell of Terroir Coffee Terroir Coffee - Introduced by Steve Leighton of Has Bean

More introductions will be posted soon. Read the rest

DanKam: mobile app to correct color blindness

Legendary DNS hacker Dan Kaminsky has a new, out-of-left-field project to mitigate color blindness with augmented reality software for mobile phones. DanKam is a mobile app that you calibrate so it knows the specifics of your color blindness (I can't see a lot of greens), and then it automatically color-corrects the world as seen through the phone's lens to compensate for your deficit.

In terms of use cases -- matching clothes, correctly parsing status lights on gadgets, and managing parking structures are all possibilities. In the long run, helping pilots and truckers and even SCADA engineers might be nice. There's a lot of systems with warning lights, and they aren't always obvious to the color blind.

Really though, not being color blind I really can't imagine how this technology will be used. I'm pretty sure it won't be used to break the Internet though, and for once, that's fine by me.

Ultimately, why do I think DanKam is working? The basic theory runs as so:

1. The visual system is trying to assign one of a small number of hues to every surface 2. Color blindness, as a shift from the green receptor towards red, is confusing this assignment 3. It is possible to emit a "cleaner signal", such that even colorblind viewers can see colors, and the differences between colors, accurately. 4. It has nothing to do with DNS (I kid! I kid! But no really. Nothing.)

DanKam: Augmented Reality For Color Blindness

(Thanks, Dan!)

  How Dan Kaminsky broke and fixed DNS - Boing Boing Kaminsky on the net-shaking DNS bug - Boing Boing Boing Boing: Sony infects more than 500k networks, including ... Read the rest

Digital: A Love Story, mystery game set "10 minutes in the future of 1988"

Dan Kaminsky sez, "Digital: A Love Story is set 'five minutes into the future of 1988', and is one of the most fascinating games I've played in years. Set entirely within an Amiga Workbench desktop, the concept of the game is that you are just your average BBS user, when you meet someone...interesting."

Just played this for ten minutes and was overwhelmed with nostalgia for my Amiga 1000. Looks like LOADS of fun.

Digital: A Love Story

(Thanks, Dan!)

Previously: Review: GP2X Wiz runs retrogaming rings around mainstream rivals ... A weekend with Amiga Forever 2008: retrogaming without the hassle ... From Atari Joyboard to Wii Fit: 25 years of "exergaming" Lenslok: proto-DRM from the ZX Spectrum era Andy Warhol paints Debbie Harry on an Amiga Read the rest

How Dan Kaminsky broke and fixed DNS

Wired's Joshua A Davis has a great profile of my pal Dan Kaminsky's work on discovering and then helping to fix a net-crashing DNS bug earlier this year. Davis really captures the excitement of discovering a major security flaw and the complex web of personal, professional and technical complications that come to bear when you're trying to disclose the research in a way that minimizes harm to the net.

Dan does a lot of fun security-related stuff that doesn't get talked about in public. There's this one thing he does --

But that would be telling.

The next morning, Kaminsky strode to the front of the conference room at Microsoft headquarters before Vixie could introduce him or even welcome the assembled heavy hitters. The 16 people in the room represented Cisco Systems, Microsoft, and the most important designers of modern DNS software.

Vixie was prepared to say a few words, but Kaminsky assumed that everyone was there to hear what he had to say. After all, he'd earned the spotlight. He hadn't sold the discovery to the Russian mob. He hadn't used it to take over banks. He hadn't destroyed the Internet. He was actually losing money on the whole thing: As a freelance computer consultant, he had taken time off work to save the world. In return, he deserved to bask in the glory of discovery. Maybe his name would be heralded around the world.

Kaminsky started by laying out the timeline. He had discovered a devastating flaw in DNS and would explain the details in a moment.

Read the rest

Kaminsky on the net-shaking DNS bug

Wired's Danger Room has a good interview with Dan Kaminsky, whose DNS hack has been burning up the wires. Dan figured out a means of disrupting the entire Internet by poisoning DNS. The exploit's existence and scope have been hotly debated ever since, and it all came to a head when details of the exploit leaked:

Well you know, there were people who said, Dan, I wish I could patch but I don't know the bug and I can't get the resources I need to patch it. Well you know the bug now.

You know, Verizon Business has a blog entry where they say that the greatest short-term risk from patching DNS was from the patch itself, from changing such a core and essential element to their systems. I know this. I was a network engineer before I was a security engineer. So that's why we took such extraordinary lengths to try to get people as much time as possible (to patch their systems). There's just a lot of complexity in doing something on this scale. This is something I think a lot of people don't realize. It was difficult to get the patches even written, let alone get them all released on a single day.

But let me tell you, the complete lack of whining from the (DNS software) vendors . . . if I could have gotten as little whining from the security (professionals) . . . no I'm not going to say that. It's so tempting! I'm simply going to say this in positive terms.

Read the rest

Legal code is more like the Windows kernel than Project Gutenberg

Dan Kaminsky has produced slides showing the "information density" of several different blocks of text, including the corpus of Project Gutenberg, the Windows kernel, and the US legal code. The conclusion? The law has more structural similarities to software code than to the prose in Gutenberg's 17,000 books: "Legalese is a massively structured dialect. Symbols appear in very distinct patterns that are more reminiscent of machine code than text."


Read the rest

Short links snacktime

About the 2001-themed images above and below, BB reader Jack says, "Teh astronaut cat inspired me to make them." Best iPod inscription ever: It's time for hoboes to take over the US government. Dave Bullock's snaps from Black Hat hacker con, which ends today: Richard Clarke, Dan Kaminsky, Phil "zphone" Zimmerman. Booze-themed lipgloss/chapstick products seemingly marketed at tweens and kids. Earthlink wants the City of San Francisco to guarantee baseline revenue before it will light up muni wireless project. LOL. San Francisco orders medical weed dispensaries to sell fatter bags. Hey, speaking of stoners! Pro-pot lobbyists are tops on congressional softball team, ahead of teams for DNC, RNC, Sen. McCain, DoJ.

(thanks, brooklyngirl.com, Dave, and anonymous others!)

Reader comment: Anonymous says,

The inscription on apelad's ipod is from John Hodgman's book, on page 123, where he shows the hobo-sign for the coming hobo government take-over. That same hobo sign is hidden in each of the lolcats comics created by apelad. Look for an H in sunrays.

Read the rest

Snakes on a Plane: the aftermath.

This betatted fellow isn't worried about disappointing box office returns or concomitant studio whinery -- or, it would seem, the fact that ink in flesh lasts longer than internet fads.

BoingBoing reader Adam explains,

A gentleman named Jim Dozier ("Doz," or "iBgerd") decided he was so excited about the movie that he would have its logo tattooed on his arm. (Link) Doz has been a cherished member of our site for years now, so we all cheered him on when we realized the tattoo was real. One of our members photoshopped the picture of the tattoo replacing the logo with one from "Howard The Duck" and reminded Doz that he was really going to regret this in a few years.

A few days after getting the tattoo, New Line Cinema announced the "Snakes on a Plane #1 Fan Sweepstakes." (Link) Doz immediately entered the contest, and as of today, he's firmly in second place. Max (of YTMND.com fame) has a commanding lead thanks to his army of followers, but even he has admitted that Doz is clearly the #1 fan.

At this point, it's easy for people to roll their eyes and write Doz off as some creepy old guy living in his mom's basement. Indeed, he's gotten a bit of media exposure because of all this, and has been treated poorly by some. A few mouthbreathing DJ's on some morning show decided to interview Doz, and tried their best to run a bunch of cliche jokes into the ground while embarrassing and demeaning him.

Read the rest

Test for Network Neutrality

Dan Kaminsky, DNS hacker and rootkit infection sleuth, has devised a test for checking to see if your Internet connection is "neutral" -- that is, whether your connection is being filtered, throttled, slowed down, or monkeyed with secretly by your ISP:

Kaminsky calls his technique "TCP-based active probing for faults." He says that the software he's developing will be similar to the Traceroute Internet utility that is used to track what path Internet traffic takes as it hops between two machines on different ends of the network.

But unlike Traceroute, Kaminsky's software will be able to make traffic appear as if it is coming from a particular carrier or is being used for a certain type of application, like VoIP. It will also be able to identify where the traffic is being dropped and could ultimately be used to finger service providers that are treating some network traffic as second-class.

I've suggested that a keystone of any solution to the Net Neutrality problem will be keeping the ISPs honest -- even if we pass a law prohibiting the auction of access to your connection to Internet companies, there's no guarantee that the Bells won't do it, and without a tool like this, it could be very hard to spot. If this works, maybe Google or Alexa (two companies that rely on a neutral net) will put it in their toolbars. It would be very good if there was some public place where data about different ISPs could be aggregated as a real-time Internet health report. Read the rest

Sony rootkit roundup, part II

See Part I, Part III, Part IV, Part V and Part VI of this post for more.

It's been three days since the first roundup post on Sony's rootkit DRM and lots of new stuff has come to light since. Below is a timeline of posts since then, but first, here's the Sony debacle news that came in while I slept:

Immunize Yourself Against Sony’s Dangerous Uninstaller: Princeton DRM researchers Ed Felten and Alex Halderman explain how to miitgate the security vulnerabilities left behind by Sony's incompetent "uninstaller" program. List of infected CDs: Sony finally lists the 52 titles infected with the XCP rootkit. Note that Sony initially claimed that fewer than half that number were infected. (Thanks, Kurt!) US-CERT: Never Install Audio-CD DRM Software. The Department of Homeland Security's Computer Emergency Readiness Team advises that you never install CD DRM: "Do not install software from sources that you do not expect to contain software, such as an audio CD." (Thanks, Kurt!)

Now, all the news that's come in since the initial roundup post on Nov 14:

Nov 14: Sony anti-customer technology roundup and time-line Roundup of Sony's misdeeds to Nov 14.

Nov 14: EFF to Sony: you broke it, you oughta fix it

EFF publishes an open letter to Sony calling on the company to make amends for its misdeeds -- Sony should disclose the risks of its DRM software, it should give customers uninfected CDs, help anti-spyware companies fix the holes, compensate customers for damage to PCs, and package their CDs will full disclosure of any malware contained within. Read the rest

Next page