Cryptocat: What is the measure…
What is the measure of a man; what makes one great, and another lesser? What separates success from failure? We all recognize light from dark, but at which point does it go from one to another? If we ask if a person (or company, or product) is successful – do we measure them against their closest competitor, their nearest neighbor, or perhaps the most successful person we know? Where, and how, do you set that bar to measure against?
Read more…Do one thing right…
Everybody’s favorite whipping boy, Cryptocat is back in the news today – and it’s bad. Really bad. Steve Thomas has found a major flaw in the way Cryptocat generated ECC keys. Due to this flaw, the keyspace was only $2^{54.15}$, well below a secure level. Add a meet in the middle attack, and this is further reduced to $2^{27.08}$ – which based on my rough estimates, is just slightly more secure than a paper bag.
Read more…OPSEC, The NSA, and You
It’s been two weeks since news broke about the NSA collecting massive amounts of data from Verizon; and likely everybody else. There’s also PRISM – whatever the hell that is – it seems there’s no agreement on that, and I doubt there will be anytime soon. What really matters here though, is we have proof that people are watching – and if it’s happening in the US, it’s probably happening everywhere else.
Read more…DEFCAD & Freedom of Information
Freedom of speech is, in my opinion, the single most important and inalienable right that humanity has. This isn’t a privilege granted by a government, it’s an innate right of humanity. It’s a right that is essential to the preservation of many other freedoms – without it, there is no freedom, there is no liberty. Earlier today a friend posted something on Twitter, I started to retweet it, but after some thought decided I needed to say more than I could fit in 140 characters.
Read more…Password Hashing: No Silver Bullets
In the dark days of the web, if a service hashed your password instead of storing it in plain text, they were doing good. As sites were hacked, and credentials stolen, a silver bullet emerged: always hash and salt passwords when storing them. Many, many services were built with this design – LivingSocial is a great example. SHA1 hashing with a 40 byte salt – once upon a time, that was considered reasonable protection.
Read more…The WikiLeaks We Deserve
I’ve been a (fairly quiet) critic of WikiLeaks for a long time, the core of the mission I agree with – information should be free, and should be preserved – but the implementation is deeply flawed. But then, that’s not really news is it? Two and half years ago when I last wrote about WikiLeaks, I pointed out that Julian Assange was the organization’s biggest problem. So what do we have today?
Read more…1Password, PBKDF2, & Implementation Flaws
…or “Crypto Is Hard, Vol. 479” Earlier today a tweet about a new feature for oclHashcat-plus started a truly interesting debate on Twitter over the implications. The new feature is the ability to crack 1Password keychain files – at an impressive 3 million passwords per second. Support added to crack 1Password to oclHashcat-plus, 100% computed on GPU! Plus I found an exploitable design flaw http://t.co/53ZtWggsDz — hashcat (@hashcat) April 16, 2013 To achieve this speed, two optimizations were used – the first is in precomputing ipad and opad for SHA1-HMAC, this effectively cuts the number of SHA1 calls in half.
Read more…Linode: Another Breach Notification Gone Wrong
Last night I received an email from Linode about a possible breach and mandatory password reset that reminded me of another recent email, in some disturbing ways. Dear Linode customer, Linode administrators have discovered and blocked suspicious activity on the Linode network. Not too long ago, I received a similar email from Evernote – not just in it’s text, but in the errors made. Dear Evernote user, Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.
Read more…Security Done Wrong: Leaky FTP Server
Update: I’ve just spoken to AMI, and received some very important information; so here are the key points and clarifications: To clarify, the ‘vendor’ I refer to is a customer of AMI; it is this customer’s public FTP server that exposed this information. Per AMI, the signing key included in the ‘Ivy Bridge’ archive is a default test key; AMI instructs customers to change the key before building for a production environment.
Read more…First, Do No Harm: Developers & Bad APIs
Primum non nocere (first, do no harm) – an iconic phrase in modern medicine, yet also applicable to many other fields. This is something I wish more people would think about, developers especially – and primarily when writing new APIs. In general, developers don’t have an impressive history with security – quite frankly, developers suck. Seeing as I consider myself a developer, that’s painful to admit. Chris Andrè Dale posted an interesting article some time ago that got me thinking: Why it’s easy being a hacker: A SQL injection case study – Chris pointed out the problems with educational material that developers are using, and just how bad the examples are.
Read more…
About Me
Security researcher, engineer and software developer with more than 20 years of experience.
Work: I primarily focus on application security, usable security, secure communications, and cryptography. I build and lead strong and dynamic teams, who cover all facets of security and privacy.
Writing: I write about my research, security in general, development and software design, and leadership through my blog, essays, and various publications. I also engage in some creating writing when I can.
Photography: I am a purist fine art photographer, working primarily in black & white, and focused on sharing new perspectives of the world. Limited edition prints of my work are available on my online gallery. I also have a background in photojournalism, and volunteer in this field when I can.