Posts tagged with 'Security'

CryptoParty and Trust as a Tool

  • Posted on October 28, 2012 at 11:00 am

You have probably heard of the CryptoParty events spreading all over the world. The idea is to meet, have experts explain cryptography and tools using it to beginners, and to have some fun in the process. For someone using PGP (and now GPG) since its early days 20 years ago this is not very ground-breaking news. It’s long overdue and should have happened much earlier. Cryptography has been around for thousands of years, long before the Caesar cipher. Secrets are even older. The rise of PGP got cryptography going on „ordinary“ computers in 1991. The Cypherpunks would have been happy to have CryptoParty events, too.

Getting to grips with cryptography happens in stages. Your starting point depends on your interests and background. Some start at the mathematics, others start with the tools first. It really doesn’t matter, and there is no One True Way™ (a fact often lost to fanatics). Once you understand the basics, you can go on. There’s no requirement to do so, but when it comes to cryptography and its tools my recommendation is to dig a little deeper after mastering the threshold. The best opportunity is asking questions about levels of trust and the importance of keys. At this point you will realise that cryptography alone will get you anywhere if there is no solid level of trust between the communicating parties and if others have access (think copies) of the keys securing the communication. This is also the point where it gets complicated and uncomfortable.

Cryptography is hard to understand. Understanding trust, how to establish it and how to maintain it is even harder. True, there are a lot of tools that can help you to encrypt and decrypt stuff on your cell phones (the smart ones probably). Unless you are the only one having access to your cell phone, you will never be able to trust this device. The same is true for devices that aren’t properly secured and managed by third parties such as hardware/software vendors or application stores (or for the younger generation „app stores“).
You can think of your apartment as an example. You’ve got your keys, but if someone else has a copy of these keys or has build a second door to your apartment with separate keys, then your apartment cannot be trusted any more.

So if you dive into the Wonderful World of Cryptography™, please take time and patience to have a look behind the scenes. It’s not meant as an recipe to acquire paranoia, it really helps to understand trust. Your local CryptoParty experts will help you. Ask them.

Sony „hacked“? Und?

  • Posted on April 27, 2011 at 10:29 am

Das Playstation Netzwerk wurde attackiert und (teilweise) kompromittiert. Ein Aufschrei geht durch die Medien. 75 Millionen Nutzer sollen auf ihre Kreditkartenabrechnungen aufpassen, weil Karteninformationen kopiert wurde. Mir fehlt jegliche Sympathie für die Empörung. Wir reden hier über eine Firma, die nicht mal in der Lage ist den Master Key für die PS3 zu schützen und Anwälte damit beauftragt Hacker zu verfolgen, die mathematische Gleichungen lösen können. Wie wär’s den damit das Legal Department etwas zu verkleinern und dafür mehr Techniker und Sicherheitsexperten einzustellen?

Aber das braucht man ja nicht, die Anwälte werden’s richten. Viel Spaß!

Post-It Phone Record Tapping

  • Posted on January 21, 2010 at 1:52 pm

Did you notice that government agencies crave for more and more data concerning its citizens? Of course you did, you are already under surveillance. Every time an agency calls for more powers it assures that all means necessary are taken to avoid abuse of data and procedures. When it comes to the harsh reality all of these promises falter like wooden houses in a tsunami. All you need is a post-it and talking to the right people.

The FBI was so cavalier — and telecom companies so eager to help — that a verbal request or even one written on a Post-it note was enough for operators to hand over customer phone records, according to a damning report released on Wednesday by the U.S. Department of Justice Office of the Inspector General.

We’re surrounded by kind beings and everyone wants to help. Unfortunately the Road to Hell is paved with Good Intentions™. The report from the US-of-A Department of Justice has all the details. This is illegal, plain and simple. Law enforcement breaks rules and promises about privacy. The danger of the many laws against terror clearly outweigh the benefits of these laws. It seems that no one is willing to think before acting (this is equally true for law enforcement and companies dealing with requests for data extraction). All it takes is to demand proper authentication and forms. If you run a business you will need records to keep track of when and why you violated the rights of your customers. If you fail to do this, then you are as guilty as the FBI offices in question.

Edle Malware – nur für Macs

  • Posted on November 7, 2009 at 2:30 pm

Derzeit lese ich viele Medien, primär online, und komme aus dem Staunen nicht heraus. Wenn man es mal an den Schlagzeilen und dem ganzen Prominentenklatsch vorbeischafft, dann findet man tatsächlich einige obskure Meldungen. Der letzte Fund ist die Diskussion einer bösartigen Software mit Video von Symantec. Es handelt sich um ein Videospiel, welches umso mehr Benutzerdaten löscht je erfolgreicher man es spielt. Klingt ganz nach dem Geschäftsmodell der Finanzbranche, hat aber damit eigentlich nichts zu tun. Das Schärfste daran ist aber die Meldung, daß ein Obstkultist nun die Sicherheitsexperten als Kunstbanausen darstellt. Das Spiel sein kein trojanisches Pferd, vielmehr müsse man es als Kunstprojekt mit intellektuellem Anspruch sehen.

The idea behind the project is to use game mechanics to call into question the idea of mindless killing for fun. Are gamers so obsessive they must kill aliens at any cost? In the game, each alien is based on a random file on the players computer. If the player kills the alien, the file it is based on is deleted.

Das ist wahrlich beeindruckend. Eigentlich unterstreicht diese Aussage den Begriff trojanisches Pferd mehr als jeder Sicherheitsberater es je besser darstellen könnte. Liebe Malware Autoren, laßt euch diese Chance nicht entgehen. Das könnte eine Revolution in der neuzeitlichen Kunst auslösen. Kontext, Kontext und nochmals Kontext heißt die Devise. Mit etwas Glück könnten wir so die Antivirus-Firmen zu Kunstkritikern degradieren.

Der Spion, der mit dem Update kam

  • Posted on October 4, 2009 at 7:44 pm

Yours Truly war übrigens am 29. September frisch vom Boot gleich auf einer Bühne. Die quintessenz hat im Rahmen ihrer q/talks immer mal wieder verschiedene Gäste geladen. Beim q/talk mit dem Titel „Der Spion, der mit dem Update kam” habe ich meinen Senf zum Thema beigetragen (zumindest hoffe ich das). Die Veranstaltung wurde so angekündigt:

Stell Dir vor Du kaufst so ein nettes kleines technisches Helferlein, die
in den letzten Jahren zu ständigen Begleitern unseres Alltags geworden
sind, damit sie eine Funktion, eine Aufgabe für Dich erledigen. Zum
Beispiel ein Handy um zu telefonieren, oder ein Navigationssystem um
leichter ans Ziel zu kommen. … Der Sündenfall einer ganzen Branche geschah im Juli
dieses Jahres, als die staatliche Telekom der Vereinigte Arabische Emirate
alle bei ihnen eingeloggten Blackberry in Spyware umprogrammiert haben –
betroffen waren natürlich auch die Handys aller Urlauber, ohne dass die je
einen Vertrag mit Etisalat unterschrieben hätten oder dem Update in
irgendeiner Form zugestimmt hätten.

Ich bezweifle, daß die Diskussion unsere Bequemlichkeitsgesellschaft aus ihrer Lethargie reißt, aber man muß ja periodisch versuchen den Wecker zu stellen. Wer noch schläft, der/die/das sollte sich die Aufzeichnung via (nicht vernetztem) Audioplayer reinpfeifen. Jetzt sofort!

  • Comments are off for Der Spion, der mit dem Update kam
  • Filed under

The Joys of Implementing Secure Protocols

  • Posted on July 23, 2009 at 12:47 am

I get a lot of spam. I also have a lot of measures to defend against it. One method consists of a feedback loop that trains the spam filter with nice and nasty emails (often called ham and spam). Said method is implemented by means of two tiny Perl scripts. Basically the scripts do some mailbox inspection and shove all collected emails destined for training into two IMAP boxes. So far, so good. The problem is that the scripts stopped working, because I enforced the Secure Socket Layer (SSL) protocol at the IMAP server while doing an upgrade a few weeks ago. Encryption is always good in times like these, right? Well, yes, but the Perl scripts didn’t know how to use SSL. Let’s dive into the little hack and look for the problem.

I use the module Mail::IMAPClient for the IMAP stuff. Its documentation says that everyone wishing for SSL should use their own sockets and supply them to the IMAP object. In non-SSL mode the object likes to have the address of the IMAP server, an username and a password when being created. If SSL is used, then you can create the object and tell it about the SSL socket later. So that’s what I tried. While coding I also implemented the parameters for the key, its certificate and the certificate of the Certificate Authority. Using encryption without checking identities is pointless. It’s just a few lines anyway. There, done. Testing. Drumroll…and…it…doesn’t…work!

Ok, no problem. Let’s peek into the client/server conversation by using the tool ssldump. I have the key, so I can decrypt the data stream. The dump basically says that there is no connection. Ok, I used the option RawSocket instead of Socket; my fault. Corrected. Testing. No connection. Ok, I used the wrong selection of ciphers; my fault. Corrected. Testing. The layer 3 works, SSL works, but IMAP doesn’t. Mail::IMAPClient complains about an uninitialised variable called $server in its module. But that’s correct, I supplied the socket handle instead. Checking, testing. Doesn’t work. Ok, well, maybe I put back the server’s address into the object creation call. I have a socket, the module says it only needs the socket, so why not supply the server’s address a second time. It’s good to have a backup. Testing again – and it works!

Either I am getting old, it’s still too hot or some documentations aren’t meant to be parsed by human brains. Don’t get me wrong, Mail::IMAPClient does the job and I like it, but I could have done fine without this experience.

Let’s deploy the well-tested code on the production systems. Famous last words.

  • Comments are off for The Joys of Implementing Secure Protocols
  • Filed under

Top