A blog doesn't need a clever name
Cyberethics, Crypto, Community, Freedom, Privacy, Property, Philosophy, MP3, Online Ed, Copyright, Iran, other current topics and fun stuff
Last updated:
3/1/05; 6:08:17 AM



Author: Bruce Umbaugh

Saturday, February 19, 2005

Four Strong Emerging Markets. But How to Play Them? What do Brazil, Russia, India and China have in common? They have the greatest prospects for long-term economic growth among big emerging-market countries, in the view of many analysts. By GERALDINE FABRIKANT. [NYT > Business]
10:30:39 PM

Grokster Update: Time Out for the US Solicitor General? (Donna Wentworth).

Via Derek Slater via James DeLong, the news that the US Solicitor General is asking the Supreme Court for 10 minutes in the Grokster oral arguments to speak on behalf of the content industries. DeLong argues that this "throws the full and considerable weight of the government onto the scales," and that the chances that the Ninth Circuit will be reversed are now "close to 100%."

[Copyfight]
10:26:06 PM

This is way too long to post in full and not at all easy to excerpt. If you're in any serious way interested in this sort of stuff, read Bruce Schneier's Cryptanalysis of SHA-1, teeny teases of which follow. (There's background in Tuesday's post here and this post from the fall.)

. . . . Much more than encryption algorithms, one-way hash functions are the workhorses of modern cryptography.

 . . .

One-way hash functions are supposed to have two properties. One, they're one way. This means that it is easy to take a message and compute the hash value, but it's impossible to take a hash value and recreate the original message. (By "impossible" I mean "can't be done in any reasonable amount of time.") Two, they're collision free. This means that it is impossible to find two messages that hash to the same hash value. The cryptographic reasoning behind these two properties is subtle, and I invite curious readers to learn more in my book Applied Cryptography.

. . .

Earlier this week, three Chinese cryptographers showed that SHA-1 is not collision-free. That is, they developed an algorithm for finding collisions faster than brute force.

 . . .

They can find collisions in SHA-1 in 2^69 calculations, about 2,000 times faster than brute force. Right now, that is just on the far edge of feasibility with current technology. Two comparable massive computations illustrate that point.

In 1999, a group of cryptographers built a DES cracker. It was able to perform 2^56 DES operations in 56 hours. The machine cost $250K to build, although duplicates could be made in the $50K-$75K range. Extrapolating that machine using Moore's Law, a similar machine built today could perform 2^60 calculations in 56 hours, and 2^69 calculations in three and a quarter years. Or, a machine that cost $25M-$38M could do 2^69 calculations in the same 56 hours.

On the software side, the main comparable is a 2^64 keysearch done by distributed.net that finished in 2002. One article put it this way: "Over the course of the competition, some 331,252 users participated by allowing their unused processor cycles to be used for key discovery. After 1,757 days (4.81 years), a participant in Japan discovered the winning key." Moore's Law means that today the calculation would have taken one quarter the time -- or have required one quarter the number of computers -- so today a 2^69 computation would take eight times as long, or require eight times the computers.

The magnitude of these results depends on who you are. If you're a cryptographer, this is a huge deal. While not revolutionary, these results are substantial advances in the field. The techniques described by the researchers are likely to have other applications, and we'll be better able to design secure systems as a result. This is how the science of cryptography advances: we learn how to design new algorithms by breaking other algorithms. Additionally, algorithms from the NSA are considered a sort of alien technology: they come from a superior race with no explanations. Any successful cryptanalysis against an NSA algorithm is an interesting data point in the eternal question of how good they really are in there.

For the average Internet user, this news is not a cause for panic. No one is going to be breaking digital signatures or reading encrypted messages anytime soon. The electronic world is no less secure after these announcements than it was before.

But there's an old saying inside the NSA: "Attacks always get better; they never get worse." . . . .

Jon Callas, PGP's CTO, put it best: "It's time to walk, but not run, to the fire exits. You don't see smoke, but the fire alarms have gone off."

[Schneier on Security]
6:02:48 PM
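
An added illustration of the excerpt's "faster than brute force" point (not code from Schneier's essay or from this blog): a generic birthday search finds a collision in an n-bit hash after roughly 2^(n/2) hashes, which for SHA-1's 160-bit output is 2^80, a standard figure the excerpt does not state, so the 2^69 attack is 2^11 = 2,048 times cheaper. The function names and the sample message prefix are constructed for this example, and SHA-1 is truncated so the search finishes in seconds.

```python
import hashlib


def truncated_sha1(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-1(data), as an integer."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (160 - bits)


def find_collision(bits: int, prefix: bytes = b"constructed-sample-"):
    """Generic (birthday) collision search on SHA-1 truncated to `bits` bits.

    Hashes prefix+0, prefix+1, ... and remembers every output until one
    repeats. Returns (msg_a, msg_b, hashes_computed).
    """
    seen = {}
    counter = 0
    while True:
        msg = prefix + str(counter).encode()
        h = truncated_sha1(msg, bits)
        if h in seen:
            return seen[h], msg, counter + 1
        seen[h] = msg
        counter += 1


def speedup_over_brute_force(output_bits: int, attack_log2: int) -> int:
    """How many times cheaper a 2^attack_log2 attack is than 2^(n/2)."""
    return 2 ** (output_bits // 2 - attack_log2)


if __name__ == "__main__":
    # The work grows as 2^(n/2): each 8 extra output bits cost about 16x more.
    for bits in (16, 24, 32):
        a, b, tries = find_collision(bits)
        print(f"{bits}-bit SHA-1: {a!r} and {b!r} collide after {tries} "
              f"hashes (generic bound about 2^{bits // 2})")
    print("2^80 / 2^69 =", speedup_over_brute_force(160, 69))
```
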

NYT's Huge Blogging Buy.

PaidContent's Staci Kramer interviews the New York Times' Martin Nisenholtz about its purchase of About.com, which by one way of thinking is the world's largest blogging company. I think the Times overpaid, but the deal still makes a lot of sense in other ways.

[Dan Gillmor on Grassroots Journalism, Etc.]


5:51:32 PM

Ellen!

The Boss in the Machine. Microsoft researchers now feel confident that they can figure out when it's all right to interrupt me. By ELLEN ULLMAN. [NYT > Opinion]

Great piece both for the particular point it makes about interruptions and multi-tasking and for the more general point about humans modifying our behavior to accommodate -- and resemble -- the machines.


7:44:52 AM

Windows 2000.

In an earlier post, I had the thought: Maybe Microsoft's main competitor isn't Apple. Maybe it's M.I.T. Microsoft's Robert Scoble responded in the comments: Our real competition? Windows 2000. ...If we don't make better products no one will upgrade. Windows 2000 will...

[gapingvoid]


7:43:24 AM

Freedom of Expression - CC-free as well.

Kembrew McLeod's great new book, Freedom of Expression, has just been released. You can buy it from Amazon, or download it under a Creative Commons license here. Having read the book myself, I'd recommend both.

[Lessig Blog]


7:41:21 AM

Safeway shopper card leads to arson arrest (Richard Smith).

Tukwila, Washington firefighter Philip Scott Lyons found out the hard way that supermarket loyalty cards can come with a huge price. Lyons was arrested last August and charged with attempted arson. Police alleged at the time that Lyons tried to set fire to his own house while his wife and children were inside. According to KOMO-TV and the Seattle Times, a major piece of evidence used against Lyons in his arrest was the record of his supermarket purchases that he made with his Safeway Club Card. Police investigators had discovered that his Club Card was used to buy fire starters of the same type used in the arson attempt.

For Lyons, the story did have a happy ending. All charges were dropped against him in January 2005 because another person stepped forward saying he or she set the fire and not Lyons. Lyons is now back at work after more than 5 months of being on administrative leave from his firefighter job.

The moral of this story is that even the most innocent database can be used against a person in a criminal investigation, turning their lives completely upside down.

Safeway needs to be more up-front with customers about the potential downsides of shopper cards. They should also provide the details of their role in the arrest of Mr. Lyons and other criminal cases in which the company provided Club Card purchase information to police investigators.

Here is how Safeway currently describes their Club Card program in the Club Card application:

http://www.safeway.com/app.pdf

We respect your privacy. Safeway does not sell or lease personally identifying information (i.e., your name, address, telephone number, and bank and credit card account numbers) to non-affiliated companies or entities. We do record information regarding the purchases made with your Safeway Club Card to help us provide you with special offers and other information. Safeway also may use this information to provide you with personally tailored coupons, offers or other information that may be provided to Safeway by other companies. If you do not wish to receive personally tailored coupons, offers or other information, please check the box below. Must be at least 18 years of age.
7:40:22 AM

Dear TV execs: You can't control the genie if you're throwing it out of the bottle at the speed of light.

This post, made by "alexwcovington" in the Slashdot discussion of the fact that Brits lead the world in downloading TV shows, is a really pithy piece of advice that TV execs everywhere would do well to heed:

Sorry if I'm stating the obvious, but it's television. Signals broadcast through the air. Sorry to burst the bubbles of the folks in Hollywood, but you can't control the genie if you're throwing it out of the bottle at the speed of light. Accept the fact that people have the right to record their television shows, and don't complain when they trade them.

[unmediated]


7:33:11 AM

"War is good, because state media says it's bad".

I'm absolutely amazed to see how even educated, middle-class Iranians who still live in the country, openly support the toppling of the Islamic regime by the Bush administration. One sound explanation could be that Iranian media have hugely failed to show a true and realistic picture about the meaning and the consequences of US invasion of Iraq and about the current situation in Iraq, especially in Baghdad. Not that they haven't tried to do so, but they have always been so full of regime propaganda, exaggerated and distorted anti-Western content that nobody trusts them anymore. People tend to do the...

[Editor: Myself (English)]


7:27:51 AM

Understanding what your Windows PC is doing.

I have found very useful a free program, Process Explorer, which is often featured among PCWorld's recommended downloads. Procexp shows you more detail about all those mysterious programs, processes and tasks that Task Manager shows running in the background on your Windows PC. Last year LawTechGuru wrote about this topic and recommended two sites that offer descriptions of these inscrutably named procedures, tasklist.org and Answers That Work. I have consulted these two sources and found Answers That Work to be much the better choice, confirming my earlier decision to include it, and not the other one, in my Radio tips list. This site serves as a valuable adjunct to Process Explorer.

I was trying to find out about wmiprvse.exe, which for a while recently was eating up vast amounts of CPU time on my office PC. Tasklist.org claims that it is a kind of virus or spyware. But then, they claim the same thing about svchost.exe, which I am pretty sure is a benign and essential part of the Windows system. In contrast, the task list program identifier offered by Answers That Work describes it as an element of Windows enterprise networking software, which sounds more plausible to me. I randomly clicked another couple of tasks listed on Tasklist.org and in each case the task was identified as possible spyware or worm and the site recommended the use of software called 'xsoftspy.' Googling xsoftspy produces results that appear credible suggesting that the software is unreliable; see e.g. this thread on Spyware Warrior.

[Life Tenant: Amateur Blogger's Field Notes]


7:27:35 AM

"The World's 10 Worst Dictators"? [ZNet Blog]
7:26:40 AM



© Copyright 2005 Bruce Umbaugh.