About Me

I ramble about a number of things - but travel experiences, movies and music feature prominently. See my label cloud for a better idea. All comnments and opinions on this blog are my own, and do not in any way reflect the opinions/position of my employer (past/current/future).

18 September 2013

NSA and Cryptography Attacks

There have been a few excellent articles on the NSA "breaking encryption", as reported in The Guardian and New York Times. In the talk 2 weeks ago Vint Cerf commented that we should use stronger keys - but as per the articles, key length may not be the issue at all. To summarise there are a few ways encryption can be broken:
  1. Brute force the keys
  2. Bugs in the software/hardware implementation
  3. Bugs in the algorithm
  4. Interception before encryption (in the case of network encryption specifically)
  5. Steal the key
For point 1,  I think the maths of brute forcing the keys still hold out, we may be close - but I don't think we are there yet. But still, the advice of stronger keys always helps.

For point 2, there have been bugs in encryption libraries before and there are potentially still bugs in these libraries. Both Bruce Shneier and Matthew Green comment on the possibility that there are bugs in the Microsoft crypto library (which is closed source) and even Open SSL. Another possible attack vector, as noted by Ed Felten, is buggy components that make up crypto components, such as bad random number generators - which can then lead to weak keys etc. Faulty hardware (including deliberate backdoors) is also a possibility explored by Ed Felten.

For point 3, in most cases the maths in encryption algorithms seem to be right, and strong. But there have been cases were crypto algorithms have been broken (sometimes after years in operation) and cases where weak algorithms have been submitted for consideration in standards. I think most of the modern algorithms, such as AES are strong - but perhaps there are flaws that just haven't been published.

Point 4 raises an interesting attack vector, which I have seen being carried out by pentesters - basically a proxy service where a network call is intercepted at the initiation of a network session, and then network encryption is easily eavesdropped by the middle party. If the NSA is intercepting huge amount of traffic, it is possible to create such an attack - but automating this in a large scale is surely difficult?

The last point, of stealing keys - or rather forcing companies to hand over their keys under Prism is probably the easiest way for the NSA. There is some commentary on the possibility that the NSA had access to compromised keys at certificate authorities - which would assist this type.

Overall, I don't think there has been fundamental break in cryptography - but there has certainly been weak implementations followed by exploitation by the NSA.

17 September 2013

The best form of defence is active defence

Over the past couple of years, Dave and I have had numerous discussions on various legal concepts around IT. As a noted privacy expert, and a IT professor at UNISA, the topics have been varied, and often straying to the esoteric.

Over the weekend, Dave and I recorded a podcast with Tony Olivier for the DiscussIT Pubcast on IT Security, covering the concept of active defence/hacking back. Dave and I previously presented the topic at a closed forum? And thought it would make it interesting to make it available to a wider audience. Tony is an excellent host, and managed to steer the discussion to additional points we had previously not covered. The podcast is a bit rough - it picks up a bit of the ambient noise, and is mostly unedited so all the umms and stutters are included for special effect :)

15 September 2013

Car Guard Insights

When M & I got to my car after lunch at 44 Stanley, we noticed that the car behind us was parked funny; which I commented to the car guard. To that he replied, that the driver ran out of petrol, and thus had to park it as best as he could. 

But it was the ensuing short conversation, that made me think. The guard proceeded to comment  - "Us black brothers just don't seem to plan ahead - after all the petrol station is just there" (pointing to the other end of Stanley road). "He and another guy went to get petrol some time ago - no idea where they are".

"Have you heard about our president and his fight with the media" (pronounced as Med-ia) he continued - "and it's not the media's fault that they are talking about bad things. If Zuma had done good things, they would be talking about good things; instead he fights the media".

Auckland Park is the centre of two of SA's biggest media organisations - SABC and Media24 - so the comment is not completely out of place. But what made me think is, that even the ANC's traditional supporters - such as the car guard - are not accepting the spin. The question is, as with service delivery protests, are the disaffected going to vote for opposition; or are they just going to not bother voting. 

Interesting times ...

Movie: The Mortal Instruments: City of Bones

M wanted to watch the movie based on the trailer - neither of us had read the books, nor did we expect much. Based on a similar premise as Harry Porter and the excellent Night Watch series - there is a hidden world where the supernatural exists, and similar to Night Watch, this is constant fight between good and evil. 

In this particular series, the good is represented by Shadow Hunters (assisted by werewolves), while the evil is represented by demons (with vampires and a few others). The shadow hunters are constantly hunting demons - thought their ranks are small and dwindling further; and the main plot in the movie revolves around internal conflicts within the shadow hunters; with a character similar to that of Voldemort in Harry Potter.

The movie starts of promisingly; but devolves into cliches, predictability, and illogical plot development. It is visually great, with ok acting, but is not really as compelling a story as Harry Potter or as complex as Night Watch. It's a fun movie - just not a stimulating one; and I doubt I will watch any other future adaptations.