mancalablog

posts to days old
of topics
with text
post

Security

m (5 Sep 2012 12:50): It gets worse. Institutional pressures have a way of crowding out the small-scale phenomena they are meant to mimic; "cooperation" starts to mean compliance with institutional demands, and that alone. People ask themselves what's illegal instead of what's immoral. Airport security agents put following procedure and box-ticking ahead of human judgments about safety. Students lose interest in material that won't appear on the test.
[From a wsj review of Bruce Schneier's new book, Liars and Outliers (which, great title)]
m (6 Sep 2013 7:41): Hey, Bruce Schneier has joined team Glen Greenwald on all this NSA hoo-ha! Two articles over at the guardian. Best!
m (6 Mar 2015 21:28): TYPING OF THE DEAD
G (8 Mar 2015 23:39): So good!
They made another one. It was... less good.
R (15 Apr 2015 2:01): Scalability of the Great Cannon
m (16 Apr 2015 11:34): Missed it at the time. Schneier re Great Cannon: It's kind of hard for the US to complain about this kind of thing, since we do it too.
R (8 Oct 2015 1:15): So, there's malware out there that protects vulnerable routers from further exploitation? Looks like the future is going to be far more futuristic than previously predicted.
m (8 Oct 2015 15:29): Wow
R (16 Oct 2015 1:53): Speculation that the NSA has broken Diifie-Hellman
m (16 Oct 2015 7:53): I saw that!
m (16 Oct 2015 8:12): Schneier responds -- and I guess points out that he's been saying this since back in May when the paper making this news was first published:

(quoting from the paper) We further estimate that an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers. A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break.

and Schneier has this quaint line at the end (tongue-in-cheek?):
The good news is now that we know reusing prime numbers is a bad idea, we can stop doing it.

I wonder how to ask SSH to build me a new prime?
R (21 Oct 2015 21:22): "Just heard from a Google Chrome dev, antivirus trying to inject itself into Chrome is a PRIMARY source of issues and crashes they see."

:C
m (13 Feb 2016 14:22): Good article on how the NSA subverted the Dual EC DRBG standard during the NIST adoption process. (Though the NSA has been helpful in the past, tweaking DES to make it resistant to differential cryptanalysis back in the 70s, when that method of attack wouldn't become public knowledge until the early 90s)