
mcherm : cryptography   235

Android random number flaw implicated in Bitcoin thefts | Naked Security
There's a flaw in the implementation of SecureRandom on Android. One (of many) of the results is insecure bitcoin wallets that allow money to be stolen.
bitcoin  security  via:HackerNews  cryptography  android 
august 2013 by mcherm
Twitter's Killer New Two-Factor Solution Kicks SMS to the Curb | Threat Level | Wired.com
Twitter invented this complicated scheme for two-factor authentication. Google just used the standard RFC.
blogworthy  twitter  crypto  cryptography  security  wired  via:HackerNews 
august 2013 by mcherm
The Strange Story of Dual_EC_DRBG
Bruce Schneier says the NSA put a backdoor into a standard for random number generation.
cryptography  security  BruceSchneier  nsa  via:reddit 
july 2013 by mcherm
How secure is HTTPS today? How often is it attacked? | Electronic Frontier Foundation
There are several productive ways to attack SSL today and it appears that several of them are in use. Here is some data on the rate at which they are used.
security  ssl  cryptography  internet  via:HackerNews  eff 
june 2013 by mcherm
RaiderSec: How Browsers Store Your Passwords (and Why You Shouldn't Let Them)
The way browsers store your passwords is not secure against a program running under your user, except for Firefox if you use a master password.
browsers  security  cryptography  firefox  chrome  ie  via:HackerNews 
june 2013 by mcherm
Response to "Cryptography is Science, not Engineering"
A well-written response to the previous link: real-world issues get in the way. So it's more engineering than science *in practice*. A good conversation to read.
via:HackerNews  security  cryptography  crypto 
june 2013 by mcherm
Cryptography is a science, not engineering
He claims that in the 1990s cryptography was like engineering: you threw in some margin for safety and hoped you hadn't missed anything important, but that today it is like a science: you use reliable primitives and combine them in provably reliable fashions. I am skeptical, but I know less than he does.
cryptography  math  programming  crypto  security  via:HackerNews 
june 2013 by mcherm
Errata Security: BitCoin is a public ledger
Simple instructions on how to use BitCoin to prove you had a copy of some document as of a certain date.
bitcoin  cryptography  via:HackerNews 
may 2013 by mcherm
Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331” | Ars Technica
A detailed review of how long it took various password experts to crack a password list. The moral is that any password you can remember can be cracked in almost no time. Also, use bcrypt.
cryptography  security  passwords  ArsTechnica  via:ArsTechnica 
may 2013 by mcherm
You are dangerously bad at cryptography | Happy Bear Software | Web Application Development
Cryptography is HARD and there's no feedback so people don't get better at it. Here are some examples.
programming  cryptography  security 
may 2013 by mcherm
existential type crisis : Wiggle the mouse to fix the test
Interesting bug. Test timed out if run on machine doing no background work because a library it loaded used the secure random generator which needs to collect entropy.
bug  programming  cryptography  testing  via:reddit 
may 2013 by mcherm
Introducing Strongbox, a Tool for Anonymous Document-Sharing : The New Yorker
The New Yorker sets up a mechanism for accepting fully anonymous documents without being able to tell where they are coming from.
journalism  anonyminity  via:HackerNews  cryptography 
may 2013 by mcherm
Recovering Bitcoin private keys using weak signatures from the blockchain / Nils Schneider
If your random number generator isn't generating random numbers, someone could find your private key and steal your bitcoins. In this case, a hardware wallet was doing it wrong.
security  bitcoin  cryptography  via:reddit  bug 
may 2013 by mcherm
How We Learned to Cheat at Online Poker: A Study in Software Security
In 1999 they looked at the algorithm used to shuffle online poker decks and demonstrated that they could "break" it trivially.
security  cryptography  via:EricLippert 
may 2013 by mcherm
Ben Laurie on BitCoin - Boing Boing
A pair of articles (by Ben Laurie) that critique BitCoin. The gist is that to do the checkpointing, the bitcoin protocol relies on agreement between the mining community. If we can get agreement like that, why not abandon proof-of-work (and all the CPU power it demands) and just use cheap-to-check proof of who is "cheating"?
cryptography  security  bitcoin  via:boingboing 
may 2013 by mcherm
The Matasano Crypto Challenges (Pinboard Blog)
A training exercise on security vulnerabilities. Sounds valuable, but requiring a fair amount of effort.
cryptography  via:MaciejCeglowski  security  programming  onlinclasses 
april 2013 by mcherm
I dream of Satoshi Nakamoto : Dragons in the Algorithm
I mention a clever hack that identifies bitcoins mined by the anonymous inventor of bitcoin, and muse on how I hope she doesn't get caught.
blogentry  cryptography  bitcoin 
april 2013 by mcherm
Show HN: Anonymous Bitcoin Lottery | Hacker News
How to do a bitcoin lottery which is provably fair.
mypostings  cryptography 
april 2013 by mcherm
A Few Thoughts on Cryptographic Engineering: Zerocoin: making Bitcoin anonymous
A proposal for a way to make the use of bitcoins anonymous, which is backward compatible with the existing bitcoin blockchain. Nice, but I'm curious to know HOW their zero-knowledge proof works.
via:HackerNews  bitcoin  cryptography  anonymity 
april 2013 by mcherm
Ripple - a Bitcoin competitor
It is proposed as an alternative to Bitcoin, but really it's a different but closely related beast.
bitcoin  cryptography  via:HackerNews 
february 2013 by mcherm
ImperialViolet - Lucky Thirteen attack on TLS CBC
An example of trying to write constant-time functions to defeat timing attacks. Short version: it's hard.
cryptography  programming  via:HackerNews 
february 2013 by mcherm
Direct use value of Bitcoin - Oleg Andreev
Observation: bitcoin can be used to create a cryptographic record that is practically impossible for anyone to delete. Just transfer money to an ID which is the hash of the document you want to record, and the block chain will preserve it forever.
bitcoin  cryptography  via:HackerNews 
february 2013 by mcherm
Javascript Cryptography Considered Harmful
A really good (and readable) article explaining why any and all attempts to write cryptography that runs in JavaScript within a browser is necessarily doomed. I predict it will happen anyway... and will be insecure (compared to real crypto) but better than plain text.
via:HackerNews  javascript  cryptography  crypto  security 
january 2013 by mcherm
MegaFail :: fail0verflow
A textbook example of "don't do your own crypto".
cryptography  security  hash  mega 
january 2013 by mcherm
Crack in Internet’s foundation of trust allows HTTPS session hijacking | Ars Technica
A genuine attack on SSL by using chosen plaintext that interacts with part of the message (like the session cookie) to give differing amounts of compression. Rather like timing attacks, the only real defense is to disable compression (which major browsers have done).
security  cryptography  internet  ssl  ArsTechnica  via:ArsTechnica 
october 2012 by mcherm
Schneier on Security: When Will We See Collisions for SHA-1?
SHA-1 is close (a few years) to being breakable with reasonable computing power. Move to SHA-2 or SHA-3.
cryptography  via:HackerNews  BruceSchneier  programming  security 
october 2012 by mcherm
Did NSA Put a Secret Backdoor in New Encryption Standard?
Bruce Schneier says there's something weird about a certain random number generator that NIST standardized, and it may have an NSA backdoor in it.
nsa  security  cryptography  via:HackerNews  BruceSchneier 
september 2012 by mcherm
Storing Passwords Securely
Some GOOD advice on how to correctly hash and store passwords.
via:reddit  security  cryptography  crypto  programming  useful 
august 2012 by mcherm
tarcieri/cryptosphere · GitHub
A less-secure (but perhaps less overhead?) version of freenet.
freenet  security  cryptography  via:HackerNews 
july 2012 by mcherm
Unbreakable crypto: Store a 30-character password in your brain’s subconscious memory | ExtremeTech
Not actually a good idea, but an amazing feat. Store a short password in subconscious memory where the person has no access to it.
via:reddit  brain  cryptography  security 
july 2012 by mcherm
A better way to store password hashes?
Fairly good idea. Don't store hash of password with each user. Instead, keep big table of valid hashes. Add a lot (millions?) of fake entries. Now someone with the table can't even crack an individual's password! Requires proper salting practices.
security  cryptography  via:reddit  programming 
july 2012 by mcherm
Scientists crack RSA SecurID 800 tokens, steal cryptographic keys | Ars Technica
Physical dongles, designed to keep their keys secret even if physically probed, fell to a clever crypto padding attack.
via:HackerNews  cryptography  security  ArsTechnica 
june 2012 by mcherm
Storing Passwords Securely
Really good advice for storing passwords in an application. Don't just store a hash: use a salt, use multiple rounds (make it easy to increase the number of rounds, better yet do rounds that don't lose entropy, in fact, just use bcrypt). Also, encourage passphrases, use exponential backoff for repeated attempts, have a nonce outside the DB, and perhaps have client use asymmetric to avoid sending the password over wire.
cryptography  security  programming  python  hash  salt  via:HackerNews 
june 2012 by mcherm
Bitcoin War: The First Real Threat to Bitcoin? | Privacy Online News
If someone controlled 51% of bitcoin they could break it. Someone owns 15%.
bitcoin  cryptography  hacking 
march 2012 by mcherm
Why doesn't anyone use client certs in SSL?
No one uses them because the UI is terrible. I wonder, could we (the bank) use them as one option for 2-factor authentication as the article suggests?
security  internet  ssl  via:HackerNews  cryptography 
march 2012 by mcherm
Message to Certificate Authorities about Subordinate CAs at Mozilla Security Blog
Mozilla puts certificate authorities on notice about misbehaving. They'd better not be issuing sub-certs that give global approval for anything, no matter how good their reason.
cryptography  security  firefox  mozilla  ssl  via:HackerNews 
february 2012 by mcherm
Convergence - SSL without a list of trusted roots
An attempt at building a PKI infrastructure that is not dependent on a list of trusted root certificates.
security  ssl  cryptography  pki  blogworthy  firefox 
february 2012 by mcherm
[tor-talk] Help users in Iran reach the internet
All secure connections are being blocked in Iran. Here is Tor trying to do what they can (which isn't much).
cryptography  security  tor  internet  via:HackerNews 
february 2012 by mcherm
Burn Note - Technical Information
Here's how someone implemented no-records-left-behind messages. Not technically innovative, but interesting nevertheless.
cryptography  security  via:reddit 
february 2012 by mcherm
Passwords - You Can't Do It Right
Why passwords are no longer an acceptable security mechanism. (1) people are dumb with them, (2) people who TRY to be smart with them fail, (3) cracking is amazingly fast. My current scheme takes only 4 yrs to crack w/ just one machine.
security  programming  hacking  encryption  cryptography  via:JamesIry  blogworthy 
december 2011 by mcherm
Long Term Privacy with Forward Secrecy | Electronic Frontier Foundation
Intercepted SSL traffic can be decrypted later if the server's private key is ever exposed. There's a way to protect against that and Google just implemented it.
security  google  ssl  https  eff  internet  cryptography  via:boingboing 
december 2011 by mcherm
Sovereign Keys: A Proposal to Make HTTPS and Email More Secure | Electronic Frontier Foundation
The EFF proposes a replacement for the SSL cert infrastructure: a single, global append-only list of certs for every DNS domain would be built and cached by the browser. Entries would be verified by a proof the DNS is owned.
security  https  ssl  cryptography  programmming  internet  via:eff 
november 2011 by mcherm
Why isn't all internet traffic encrypted? - Super User
A really good answer to "Why not encrypt everything". Because key management is hard and expensive, and some people WANT to snoop. Notice that performance really ISN'T the issue any more.
internet  cryptography  via:HackerNews 
october 2011 by mcherm
Commit History for vog/beautify_git_hash - GitHub
Interesting little tool. It messes with the precise commit time (and also author time) to try to make the hash start with a particular prefix.
cryptography  git  dvcs  via:HackerNews 
october 2011 by mcherm
Iran has been Man-in-the-Middle hacking Gmail with a fraudulent cert
This is real. This is serious. I want Firefox and other browser makers to be MUCH more careful who is allowed to produce a trusted root cert. Single failure leads to permanent removal is the ONLY acceptable choice.
security  cryptography  via:reddit  firefox  google 
september 2011 by mcherm
Experimental Defense for Website Traffic Fingerprinting | The Tor Blog
Attackers can (barely) tell what site is visited with Tor by observing the pattern of packet sizes, timing, etc. Here is a defense Tor is testing.
security  tor  cryptography 
september 2011 by mcherm
DigiNotar Removal Follow Up at Mozilla Security Blog
Mozilla explains how badly DigiNotar screwed up: not only did they sign evil certs, they kept it secret.
security  cryptography  ssl  mozilla  firefox 
september 2011 by mcherm
Iran forged the wrong SSL certificate
An enterprising government could forge an SSL certificate for Google Analytics. Then they could inject JavaScript onto almost every page on the internet.
security  ssl  cryptography  via:HackerNews 
september 2011 by mcherm
Behind Intel's New Random-Number Generator - IEEE Spectrum
New Intel CPUs have a digital circuit for generating random numbers.
via:reddit  hardware  random  cryptography 
september 2011 by mcherm
Deep packet inspection used to stop censorship in new "Telex" scheme
Very clever scheme. Countries that control the internet to suppress their citizens can't inspect an SSL session, they can only block who you connect to. So put routers in the middle (at backbone providers) that re-direct to a different place. To signal them undetectably, generate the nonce for the SSL in a way that's detectable only by the holder of a certain private key.
security  cryptography  censorship  steganography  privacy  ArsTechnica  via:ArsTechnica  encryption 
july 2011 by mcherm
BCrypt Library for Java
Here is a java library for an acceptable hash function (bcrypt). SHA-1 is already weakening, and will be broken before too long. SHA-2 doesn’t exist yet. Use this (it might even win SHA-2).
via:BruceSchneier  cryptography  hash  java  programming  security 
july 2011 by mcherm
Lifetimes of cryptographic hash functions
Some comments on the state of hash functions, including a look at how long previous hash functions lasted.
via:BruceSchneier  cryptography  hash  programming  security 
july 2011 by mcherm
Cheap GPUs are rendering strong passwords useless | ZDNet
GPU (a highly parallel computer) allows incredibly rapid brute-force attempts at cryptography. It's no longer safe to use 5, 6, even 7-character random-letter-and-digit strings. In fact, it's probably no longer safe to allow people access to the hashed (and salted) form of your password.
via:slashdot  security  cryptography  hacking 
june 2011 by mcherm
Bitcoin is not decentralized : Inside T5
An interesting argument: Bitcoin is decentralized, but it relies on cryptography so it will eventually become obsolete and have to move to newer crypto algorithms. The *process* of replacing it with a new algorithm doesn't exist and is hard.
cryptography  bitcoin  p2p  via:HackerNews 
june 2011 by mcherm
Eureka! Google breakthrough makes SSL less painful • The Register
Google introduces a way to start SSL with 1 fewer round trip. It works today with no changes needed on servers so they implemented it in Chrome.
security  ssl  google  cryptography  via:HackerNews 
may 2011 by mcherm
Phantom, a system for generic, decentralized, unstoppable internet anonymity : opensource
I post to Reddit about "Phantom", a securely anonymous network protocol from Google.
cryptography  anonyminity  via:reddit  security 
may 2011 by mcherm
Think file-hosting sites guard your private data? Think again • The Register
Someone did a research study (this article links to the actual study) which found that filesharing sites don't use unguessable IDs for "share via URL" services. Honeypot files proved people are actually abusing this vulnerability to look for private files.
security  hosting  file_sharing  cryptography  via:slashdot 
may 2011 by mcherm
Bug 647959 – Add Honest Achmed's root certificate
A gag bug to add a root certificate for "Honest Achmed's Used Cars and Certificates".
via:HackerNews  security  funny  cryptography  firefox 
april 2011 by mcherm
Copy of It's Time to Fix HTTPS
The current HTTP certificate web is broken. Browsers can and do include just about anybody as a valid root, and certificate authorities don't do any due diligence. This person says the solution is to just trust the first time and alert on CHANGE of certificate. (I use Certificate Patrol plugin for Firefox.)
security  via:HackerNews  internet  cryptography  browsers 
march 2011 by mcherm
PS3 'jailbreak code' retweeted by Sony's Kevin Butler, no punchline needed -- Engadget
Company's (fake) spokesman accidentally tweets the very code that Sony is trying to suppress.
security  twitter  cryptography  sony  via:HackerNews 
february 2011 by mcherm
Vanish: Increasing Data Privacy with Self-Destructing Data (pdf)
How do you build something that will reliably destroy your data after a time limit, even if the FBI grabs your hard drive? Encrypt with a random key, then Shamir secret share the key to a P2P network but without guaranteeing long-term storage.
computerscience  cryptography  privacy  encryption  p2p  via:reddit  blogworthy 
january 2011 by mcherm
Squaring the Triangle: Secure, Decentralized, Human-Readable Names (Aaron Swartz's Raw Thought)
A clever way to allow a system like DNS (one which assigns human-readable names to some sort of machine IDs) to be decentralized. I'm not 100% sure it would work (when scaled).
cryptography  dns  security  via:boingboing 
january 2011 by mcherm
AKS primality test - Wikipedia, the free encyclopedia
There is a deterministic, polynomial-time algorithm for testing primality. I hadn't known that before.
cryptography  math  algorithms  via:Wikipedia 
january 2011 by mcherm
ImperialViolet - Overclocking SSL
Some details about how to make SSL faster, from experts at Google who work on this kind of stuff. Key quote: "you only need to remember one thing: SSL/TLS is not computationally expensive any more."
security  cryptography  google  networking  ssl 
december 2010 by mcherm
Dmitry Sklyarov and co. crack Canon's "image verification" anti-photoshopping tool - Boing Boing
Canon has an image signing thing built into their cameras. It has been cracked. I say they could have used a revocation list.
via:boingboing  mypostings  cryptography  photography 
november 2010 by mcherm
Dear Starbucks: The skinny on how you can be a security hero | Naked Security
He says everyone providing free wifi should use WPA2 with a password of "free". If everyone really DID do this, could I join in?
security  cryptography  wifi  via:slashdot 
november 2010 by mcherm
fabric-sosp09.pdf
An interesting academic language: "Fabric". It incorporates some security guarantees into the language itself and allows computations to be passed around to different machines that may have various levels of trust in each other. Runs on the JVM.
cryptography  languagedesign  via:reddit  programming 
october 2010 by mcherm