Making Android NSA-Proof
As it turns out, it’s quite easy to make your Android phone NSA-proof. It’s a simple method, and anyone can do it – all you need is a few ounces of thermite! Too extreme?
Tools & Tips
Let’s shoot for something a little more attainable – spy resistant. We can’t stop every attack, but we can reduce the attack surface a bit. Here are a few tools that I’ve been using recently to do just that.
Is moving offshore really crazy?
Today ZDNet published an article titled “The lunacy of trying to avoid NSA spying by moving e-mail and cloud out of the US” – I’m still trying to figure out if the position is naive, or intentionally ignores important facts. In short, the author (Steven J. Vaughan-Nichols) states that your data is safer in the US because outside of the US, the NSA has much less restrictive rules to operate under.
Hash Storage: Make Attackers Work
So you hash your passwords? Good. Do you salt? That’s good. Do you use a strong hashing algorithm (PBKDF2/bcrypt/scrypt)? Great! But how do you store the hashes? What happens when you get hit with a SQL injection attack? I’m a big believer in defense in depth – not that marketing garbage about stacking layers of blinky-light boxes, but using techniques to add extra work for an attacker. You might not be able to stop every attack, but the more work they have to do, the better the odds they won’t get everything they want.
Cryptocat: What is the measure…
What is the measure of a man; what makes one great, and another lesser? What separates success from failure? We all recognize light from dark, but at which point does it go from one to another? If we ask if a person (or company, or product) is successful – do we measure them against their closest competitor, their nearest neighbor, or perhaps the most successful person we know? Where, and how, do you set that bar to measure against?
Do one thing right…
Everybody’s favorite whipping boy, Cryptocat, is back in the news today – and it’s bad. Really bad. Steve Thomas has found a major flaw in the way Cryptocat generated ECC keys. Due to this flaw, the keyspace was only $2^{54.15}$, well below a secure level. Add a meet-in-the-middle attack, and this is further reduced to $2^{27.08}$ – which, based on my rough estimates, is just slightly more secure than a paper bag.
OPSEC, The NSA, and You
It’s been two weeks since news broke about the NSA collecting massive amounts of data from Verizon, and likely everybody else. There’s also PRISM – whatever the hell that is – it seems there’s no agreement on that, and I doubt there will be anytime soon. What really matters here, though, is that we have proof that people are watching – and if it’s happening in the US, it’s probably happening everywhere else.
DEFCAD & Freedom of Information
Freedom of speech is, in my opinion, the single most important and inalienable right that humanity has. This isn’t a privilege granted by a government, it’s an innate right of humanity. It’s a right that is essential to the preservation of many other freedoms – without it, there is no freedom, there is no liberty. Earlier today a friend posted something on Twitter; I started to retweet it, but after some thought decided I needed to say more than I could fit in 140 characters.
Password Hashing: No Silver Bullets
In the dark days of the web, if a service hashed your password instead of storing it in plain text, they were doing good. As sites were hacked, and credentials stolen, a silver bullet emerged: always hash and salt passwords when storing them. Many, many services were built with this design – LivingSocial is a great example. SHA1 hashing with a 40 byte salt – once upon a time, that was considered reasonable protection.
The WikiLeaks We Deserve
I’ve been a (fairly quiet) critic of WikiLeaks for a long time. I agree with the core of the mission – information should be free, and should be preserved – but the implementation is deeply flawed. But then, that’s not really news, is it? Two and a half years ago when I last wrote about WikiLeaks, I pointed out that Julian Assange was the organization’s biggest problem. So what do we have today?
1Password, PBKDF2, & Implementation Flaws
…or “Crypto Is Hard, Vol. 479”
Earlier today a tweet about a new feature for oclHashcat-plus started a truly interesting debate on Twitter over the implications. The new feature is the ability to crack 1Password keychain files – at an impressive 3 million passwords per second.
“Support added to crack 1Password to oclHashcat-plus, 100% computed on GPU! Plus I found an exploitable design flaw http://t.co/53ZtWggsDz” — hashcat (@hashcat) April 16, 2013
To achieve this speed, two optimizations were used – the first is precomputing ipad and opad for SHA1-HMAC, which effectively cuts the number of SHA1 calls in half.