Well, I had hoped for a nice quiet discussion of wave/particle duality again because there are new developments that are worthy of note or perhaps a good chuckle at Homer Simpson predicting the GeV of the Higgs Boson to within experimental error because I’m just a sucker for the intricacies of Quantum Physics, BUT…
The big news of the day is on the technology front and particularly NSA v. Encryption.
Now I’ll take it as a given that you know thanks to Ed Snowden and Thomas Drake and subsequent public testimony that the NSA is obsessed as an organization by collecting every communication you have. What you may not know is how far back that goal goes and why it compromises all of our security.
Way back in the days of the Big Dog when all we had to worry our pretty little heads about was blowjobs and blue dresses the Internet started gaining steam as a place to buy things. People were rightly concerned about personal information and credit card numbers falling into the hands of thieves (though I’ll tell you quite frankly that you’re in much more danger from your food server if you’re a bad tipper because they have plenty of time alone with your card to write down all your imprint numbers as well as the ones that are just printed which is sufficient for ruining your credit by telephone, let alone computer).
Anyhow the major Internet Retailers and the companies that served them started demanding an encryption scheme to bolster public confidence that it was safe to buy things. Thus Secure Sockets Layer (SSL).
Even this paltry (and believe me it is, though I recommend the study of The Reichenbach Fall because not everything is complicated and mysterious) level of security was deemed by the NSA “too dangerous for export” so they made an even weaker one with 40 bits of encryption instead of 128 (too hard, my brain hurts) for use overseas.
Well, Moore’s Law and all, and today even 128 bit encryption is somewhat passe and 40 bit can be cracked in 7 hours using Amazon Cloud computers.
The reason this is important is because websites, in order to be compatable globally, are designed to accept ‘export’ keys as valid along with ‘domestic’ keys. A switch in the site software allows them to be forced into ‘export’ key mode via a third party who is not a valid client and once that is done it’s easy to conduct man-in-the-middle attacks that compromise the connection by appearing as the host site to the client and a valid client to the host.
Now I’ve been very careful to try and make it clear that this is not a bug or a flaw. The NSA deliberately influenced the design of the standard to make this possible.
Since then there have been new standards adopted that are not subject to this type of spoofing, but adoption inertia being what it is over a third of websites worldwide are vulnerable including the NSA’s.
So what is the solution? For a user nothing much, browsers are rightly designed to be compatible with as many sites as possible. If you are paranoid enough you can get software plugins that ‘protect’ you from vulnerable sites, but ‘protect’ in this case means you can’t use them. Secure browsers like Tor already do this and as I’ve said before what’s notable about them in action is how many things you used to do that you can’t anymore.
For sites there is a minor code fix that won’t allow a third party to force ‘export’ mode and we will see a rush of them implementing it.
What makes it interesting politically is context. In recent months tech companies have been forced by public demand to implement more secure encryption schemes. The NSA in turn has been petulantly stamping its feet and holding its breath in a tantrum insisting that these be designed with backdoors that can be accessed by State Spy Services. They claim that this can be done so that only ‘responsible’ parties acting under the rule of law will have these abilities.
There are at least 2 problems with this. First, a backdoor is a backdoor and anyone can use it. It doesn’t care if you’re a White or a Black Hat, it’s just a door. Second, other governments are demanding the same thing. Governments like China. If you’re the NSA it’s pretty hard to make the case that our computer communications should be less secure so that China can spy on them.
In the long run either our Representatives will put a stop to this or Engineers will make it technically impossible. Mr. Market will be served. In a positive sign this will happen the NSA was forced to give up crypto restrictions in 2000 because it was ruining the export business of the tech titans. Given what we are aware of today I don’t think it will be nearly that long before the blowback begins.
FREAK: Another day, another serious SSL security hole
by Steven J. Vaughan-Nichols, ZDNet
March 3, 2015 — 22:19 GMT
It seemed like such a good idea in the early 90s. Secure-Socket Layer (SSL) encryption was brand new and the National Security Agency (NSA) wanted to make sure that they could read “secured” web traffic by foreign nationals. So, the NSA got Netscape to agree to deploy 40-bit cryptography in its International Edition while saving the more secure 128-bit version for the US version. By 2000, the rules changed and any browser could use higher security SSL. But that old insecure code was still being used and, fifteen years later, it’s come back to bite us.
The Washington Post reported today that cryptographers from IMDEA, a European Union research group; INRIA, a French research company; and Microsoft Research have found out that “They could force browsers to use the old export-grade encryption then crack it over the course of just a few hours. Once cracked, hackers could steal passwords and other personal information and potentially launch a broader attack on the Websites themselves by taking over elements on a page, such as a Facebook ‘Like’ button.”
…
Nadia Heninger, a University of Pennsylvania cryptographer, told the Post, “This is basically a zombie from the ’90s… I don’t think anybody really realized anybody was still supporting these export suites.”Heninger, who has been working on cracking the obsolete 40 to 512-bit RSA encryption keys, found that “she could crack the export-grade encryption key in about seven hours, using computers on Amazon Web services.” Once done, this enables hackers to easily make “man-in-the-middle” attacks on the cracked websites.
Guess what? Over a third of “encrypted” websites, according to tests made by University of Michigan researchers J. Alex Halderman and Zakir Durumeric, are open to FREAK attacks. Specifically, OpenSSL and Apple TLS/SSL clients such as the Safari Web browser are vulnerable to FREAK. When using these programs, it’s relatively simple to downgrade their “secure” connections from “strong” RSA to the easy-to-break “export-grade” RSA.
All of this has happened because as Matthew Green, a cryptographer and research professor at Johns Hopkins University, succinctly put it, the NSA made sure that the early “SSL protocol itself was deliberately designed to be broken.”
And, now, it has been. It’s just that it’s now open to being broken by anyone with basic code-breaking smarts and easily available computer resources. The key problem is that OpenSSL and Safari both contain bugs that cause them to accept “RSA export-grade keys even when the client didn’t ask for export-grade RSA.”
Websites, generally speaking only create a single export-grade RSA key per session. They, like Apache with mod_ssl, will then re-use that key until the web server is rebooted. Thus, if you break a site once, chances are you’ve broken into it for days, weeks, even months.
Many of the websites that are “FREAKable” seem to be on Content Delivery Networks (CDN)s such as Akamai. That’s the reason why, for example, the NSA site is vulnerable. Akamai is working on fixing its web servers.
Encryption Backdoors Will Always Turn Around And Bite You In The Ass
by Mike Masnick, Tech Dirt
Wed, Mar 4th 2015 10:50am
As you may have heard, the law enforcement and intelligence communities have been pushing strongly for backdoors in encryption. They talk about ridiculous things like “golden keys,” pretending that it’s somehow possible to create something that only the good guys can use. Many in the security community have been pointing out that this is flat-out impossible. The second you introduce a backdoor, there is no way to say that only “the good guys” can use it.
As if to prove that, an old “golden key” from the 90s came back to bite a whole bunch of the internet this week… including the NSA. Some researchers discovered a problem which is being called FREAK for “Factoring RSA Export Keys.” The background story is fairly involved and complex, but here’s a short version (that leaves out a lot of details): back during the first “cryptowars” when Netscape was creating SSL (mainly to protect the early e-commerce market), the US still considered exporting strong crypto to be a crime. To deal with this, RSA offered “export grade encryption” that was deliberately weak (very, very weak) that could be used abroad. As security researcher Matthew Green explains, in order to deal with the fact that SSL-enabled websites had to deal with both strong crypto and weak “export grade” crypto, — the “golden key” — there was a system that would try to determine which type of encryption to use on each connection. If you were in the US, it should go to strong encryption. Outside the US? Downgrade to “export grade.”
…
(T)he lesson of the story: backdoors, golden keys, magic surveillance leprechauns, whatever you want to call it create vulnerabilities that will be exploited and not just by the good guys.
…
Whether it’s creating vulnerabilities that come back to undermine security on the internet decades later, or merely giving cover to foreign nations to undermine strong encryption, backdoors are a terrible idea which should be relegated to the dustbin of history.
The law that entropy always increases holds, I think, the supreme position among the laws of Nature. If someone points out to you that your pet theory of the universe is in disagreement with Maxwell’s equations – then so much the worse for Maxwell’s equations. If it is found to be contradicted by observation – well, these experimentalists do bungle things sometimes. But if your theory is found to be against the second law of thermodynamics I can give you no hope; there is nothing for it but to collapse in deepest humiliation.
–Sir Arthur Stanley Eddington, The Nature of the Physical World (1927)
Science News and Blogs
- In Net Neutrality Fight, Both Sides Gear Up for Long Haul, by Nadia Prupis, Common Dreams
- Why McDonald’s Announcement on Chicken Is Important for Everyone’s Health, by Andrea Germanos, Common Dreams
- Oldest Human Fossil Found, Redrawing Family Tree, by Jamie Shreeve, National Geographic
- Computing without a Computer, by Joey Bernard, Linux Journal
- History Repeats Itself: Ancient Cities Grew Much Like Modern Ones, by Megan Gannon, Live Science
- 8 possible explanations for those bright spots on dwarf planet Ceres, by Eric Mack, CNet
- Comet-orbiting spaceship glimpses its own shadow (+video), by Paul Sutherland, Christian Science Monitor
- Astronomers Find a Dusty Galaxy That Shouldn’t Exist, by Michael D. Lemonick, National Geographic
- Exclusive: Lost City Discovered in the Honduran Rain Forest, by Douglas Preston, National Geographic
- Could This Alien Cell Thrive on Titan?, by Ian O’Neill, Discovery News
- Arctic Sea Ice ‘Thinning Dramatically,’ Study Finds, by Laura Geggel, Live Science
- International scientists question rush to build Nicaragua canal, by Justin Beach, National Monitor
- The Keurig K-Cup’s inventor says he feels bad that he made it – here’s why, by Drake Baer, Business Insider
- Fireworks at Chile’s Villarrica Volcano Light Up Night Sky, by Becky Oskin, Live Science
Science Oriented Video
Obligatories, News and Blogs below.
Recent Comments