Category Archives: Cryptography Research
Somewhere between right away and never.
Security, it seems, at long last is winning. End-to-end encrypted communication systems are shielding more of our private communication than ever before, making interception of sensitive content as it travels over (insecure) networks like the Internet less of a risk than it once was. All this is good news, unless you are in the business of intercepting sensitive content over networks. Denied access to network traffic, crooks and spies (whether on our side or theirs) will turn to other techniques to obtain access to the information they seek. In practice, that typically means exploiting security vulnerabilities in their targets’ phones and computers to install surreptitious “spyware” that records conversations and text before they can be encrypted. In other words, wiretapping today increasingly involves hacking.
This, as you might imagine, is not without controversy.
WHY are you using Bitcoin? – 3min Survey
My name is Philipp. I am doing research about Bitcoin, and it would be great if you could fill out my survey and pass it on to all the people in your community who are using Bitcoin. Thank you for your help!
Peter G. Klein answers a viewer’s question, and discusses a critical battle between technology and ideology. Klein is the Mises Institute’s Executive Director and Carl Menger Research Fellow.
Has the TSA made it easier for terrorists to game the system?
It’s been a frighteningly confusing week for frequent flyers (and confirmed cowards) like me. First we had the Underpants Bomber, his Christmas-day attempt to take down a Detroit-bound flight thwarted by slow-acting chemistry and fast-thinking passengers. Next — within a day — came inexplicable new regulations that seemed designed more to punish the rest of us than to discourage future acts of terrorism. The new rules were unsettling not just because they seemed as laughably ineffective as they were inconvenient, but because they suggested that the authorities had no idea what to do, no real approach for analyzing and reacting to possible new threats. As the Economist was moved to write, “the people who run America’s airport security apparatus appear to have gone insane”.
A few days later the TSA, to its credit, rolled back some of the more arbitrarily punitive restrictions — in-flight entertainment systems can now be turned back on, and passengers are, at the airline’s discretion, again permitted to use the toilets during the last hour of flight.
But while a degree of sanity may have returned to some of the rules, the TSA’s new security philosophy seems to yield considerable benefit to attackers. The current approach might in fact make us more vulnerable to disruption and terror now than we were before. See the rest of this (rather long) entry…
Matt Blaze’s Exhaustive Search
Are SSL certificates even more broken than we believed?
A decade ago, I observed that commercial certificate authorities protect you from anyone from whom they are unwilling to take money. That turns out to be wrong; they don’t even do that much.
SSL certificates are the primary mechanism for ensuring that secure web sites — those displaying that reassuring “padlock” icon in the address bar — really are who they purport to be. In order for your browser to show the padlock icon, a web site must first present a “certificate”, digitally signed by a trusted “root” authority, that attests to its identity and encryption keys.
Unfortunately, through a confluence of sloppy design, naked commercial maneuvering, and poor user interfaces, today’s web browsers have evolved to accept certificates issued by a surprisingly large number of root authorities, from tiny, obscure organizations to various national governments. And a certificate from any one of them is usually sufficient to bless any web connection as being “secure”.
What this means is that an eavesdropper who can obtain fake certificates from any certificate authority can effectively impersonate every encrypted web site someone might visit. Most browsers will happily (and silently) accept new certificates from any valid authority, even for web sites for which certificates had already been obtained. An eavesdropper with fake certificates and access to a target’s internet connection can thus quietly interpose itself as a “man-in-the-middle”, observing and recording all encrypted web traffic, with the user none the wiser.
But how much of a threat is this in practice? Are there actually eavesdroppers out there — be they criminals, spies, or law enforcement agencies — using bogus certificates to intercept encrypted web traffic? Or is this merely idle speculation, of only theoretical concern?
A paper published today by Chris Soghoian and Sid Stamm [pdf] suggests that the threat may be far more practical than previously believed. They found turnkey surveillance products, marketed and sold to law enforcement and intelligence agencies in the US and foreign countries, designed to collect encrypted SSL traffic based on forged “look-alike” certificates obtained from cooperative certificate authorities. The products (apparently available only to government agencies) seem sophisticated, mature, and mass-produced, suggesting that “certified man-in-the-middle” web surveillance is at least commonplace and widespread enough to support an active vendor community. Wired’s Ryan Singel reports in depth here.
It’s worth pointing out that, from the perspective of a law enforcement or intelligence agency, this sort of surveillance is far from ideal. A central requirement for most government wiretapping (mandated, for example, in the CALEA requirements for phone interception) is that surveillance be undetectable. But issuing a bogus web certificate carries with it the risk of detection by the target, either in real time or after the fact, particularly if it is for a web site already visited. Although current browsers don’t ordinarily detect unusual or suspiciously changed certificates, there’s no fundamental reason they could not (and the Soghoian/Stamm paper proposes a Firefox plugin to do just that). In any case, there is no reliable way for the wiretapper to know in advance whether the target will be alerted by a browser that scrutinizes new certificates.
Also, it’s not clear how web interception would be particularly useful for many of the most common law enforcement investigative scenarios. If a suspect is buying books or making hotel reservations online, it’s usually a simple (and legally comparatively uncomplicated) matter to just ask the vendor about the transaction, no wiretapping needed. This suggests that these products could be aimed less at law enforcement than at national intelligence agencies, who may be reluctant (or unable) to obtain overt cooperation from web site operators (who may be located abroad).
Whether this kind of surveillance is currently widespread or not, Soghoian and Stamm’s paper underscores the deeply flawed mess that the web certificate model has become. It is time to design something better.
Matt Blaze’s Exhaustive Search
Has computer security changed in 15 years?
Back in 1995, Bruce Schneier asked me to write an “afterword” for the second edition of Applied Cryptography. Maybe to his chagrin, I could not think of any better way to sum up a book about cryptography than to dismiss what was then a popular delusion about the subject: that it, above all else, held the secret for securing computer systems.
1995 now seems like a long time ago, technically and culturally. The Internet was barely around. Highly connected people had fax lines at home. The Soviet Union had only recently dissolved. I could see the World Trade Center from my bedroom window.
Essays written that long ago, especially those about rapidly changing technology, can be a bit embarrassing to read — conspicuously oblivious to some rapidly approaching meteorite that would shortly make the author’s basic assumptions extinct. Or they may seem retrospectively obvious and trite: war is bad, puppies are cute, and computer systems are insecure.
And so it was with some trepidation that I recently dusted off my copy of Bruce’s book and found myself staring at my thoughts on cryptography from the previous century. See the rest of this (rather lengthy) entry…
Matt Blaze’s Exhaustive Search
A brief taxonomy of wiretapping esoterica.
Recent news stories, notably this story in USA Today and this story in the Washington Post, have brought to light extensive use of “Stingray” devices and “tower dumps” by federal — and local — law enforcement agencies to track cellular telephones.
Just how does all this tracking and interception technology work? There are actually a surprising number of different ways law enforcement agencies can track and get information about phones, each of which exposes different information in different ways. And it’s all steeped in arcane surveillance jargon that’s evolved over decades of changes in the law and the technology. So now seems like a good time to summarize what the various phone tapping techniques actually are, how they work, and how they differ from one another.
Note that this post is concerned specifically with phone tracking as done by US domestic law enforcement agencies. Intelligence agencies engaged in bulk surveillance, such as the NSA, have different requirements, constraints, and resources, and generally use different techniques. For example, it was recently revealed that NSA has access to international phone “roaming” databases used by phone companies to route calls. The NSA apparently collects vast amounts of phone “metadata” to discover hidden communications patterns, relationships, and behaviors across the globe. But, as fascinating and important as that is, it has little to do with the phone tracking methods employed by local law enforcement, and it’s not what we’re talking about here.
Phone tracking by law enforcement agencies, in contrast to intelligence agencies, is intended to support investigations of particular crimes and to gather evidence for use in prosecutions. And so their interception technology — and the underlying law — is supposed to be focused on getting information about the communications of specific targets rather than of the population at large.
In all, there are six major distinct phone tracking and tapping methods used by law enforcement in the US: “call detail records requests”, “pen register/trap and trace”, “content wiretaps”, “E911 pings”, “tower dumps”, and “Stingray/IMSI Catchers”. Each reveals somewhat different information at different times, and each has its own legal implications. An agency might use any or all of them over the course of a given investigation. Let’s take them one by one.
Hearing on “ECPA Reform and the Revolution in Location-Based Technologies and Services”.
I will be the first witness at this morning’s (6/24/10) House Judiciary Committee hearing on ECPA Reform and the Revolution in Location-Based Technology, which, for DC locals, will begin at 10am in room 2233 of the Rayburn building.
My testimony [pdf] will focus on the technical: how modern cell phones and wireless services calculate location, and how accurately they can track and record users’ positions and movements. This is all in the context of surveillance: when the government gets a pen register order against a cell phone, for example, what information do (or should) they get about the target’s location and movements compared with other types of tracking technologies?
Other witnesses will include (among others) a special agent (from the Tennessee Bureau of Investigation) who does electronic surveillance, and a federal magistrate judge who has to sort out the legal issues when the government requests tracking information about a suspect. The hearing promises to be an interesting glimpse into how location tracking actually works in criminal investigations.
No idea if the hearing will be shown by way of a webcast or C-SPAN coverage.
Update 6/28/10: The hearing was interesting, and I particularly enjoyed Chairman Nadler’s line of questions to me about how the technology works and about the records kept by carriers. Regrettably, video of the hearing does not appear to be available online anywhere, at least at the moment.
Update 5/16/12: An updated version of my testimony is available at http://www.crypto.com/papers/blaze-gps-20120517.pdf, as a statement for the record at a House hearing on the “GPS Act”.
Matt Blaze’s Exhaustive Search
George Noory and his guest David Seaman discuss the rise of Bitcoin, with a special phone in by a Megacoin supporter.