The US Federal Bureau of Investigation's 2008 code breaking challenge is at
http://www.fbi.gov/page2/
The page also has a link to a nice intro to analysis of simple ciphers and codes, "Analysis of Criminal Codes and Ciphers" by Daniel Olson.
NOTE: I found a problem with the FBI page's display in Firefox 3 (both on Linux and Windows). By looking at the HTML, I found out that the ciphertext is presented via a Flash file. Going directly to the Flash file worked.
http://www.fbi.gov/page2/
The page also has a link to a nice intro to analysis of simple ciphers and codes, "Analysis of Criminal Codes and Ciphers" by Daniel Olson.
NOTE: I found a problem with the FBI page's display in Firefox 3 (both on Linux and Windows). By looking at the HTML, I found out that the ciphertext is presented via a Flash file. Going directly to the Flash file worked.
Cryptically yours,
J.D. Abolins
- Mood:
accomplished
I'm working on some things on the computer and have the TV playing in the background. "My Own Worst Enemy" is on now. A few minutes ago, I caught a snippet where some spy agency people are talking about gaining accessing to the "bad guys'" computers and noting that the data on the computers is encrypted. One character says that they'll have to use a coolant to break the encryption.
Ah! The script writers must have heard about the "Lest We Remember: Cold Boot Attacks on Encryption Keys" research. Now, the TV show did not go into depth and it appeared that the col boot attack concept was a convenient plot device. Still it was interesting seeing that reference.
Ah! The script writers must have heard about the "Lest We Remember: Cold Boot Attacks on Encryption Keys" research. Now, the TV show did not go into depth and it appeared that the col boot attack concept was a convenient plot device. Still it was interesting seeing that reference.
J.D. Abolins
The Scientific American is giving special coverage of privacy in its September 2008 issue. Among the articl;es in the issue are the following:
- Whitfield Diffie and Susan Landau: Internet Eavesdropping: A Brave New World of Wiretapping,
- Katherine Albrecht: How RFID Tags Could Be Used to Track Unsuspecting People,
- Simson L. Garfinkel: Data Fusion: The Ups and Downs of All-Encompassing Digital Profiles,
- Daniel J. Solove: Do Social Networks Bring the End of Privacy?, and
- Esther Dyson: How Loss of Privacy May Mean Loss of Security.
J.D. Abolins
- Mood:
groggy
This afternoon, Dark Reading reports:
Related reference: Truecrypt's explanation of its Plausible Deniability approach.
UPDATE (17 July 2008):
Bruce Schneier & UW team's research paper "Defeating Encrypted and Deniable File Systems: TrueCrypt v5.1a and the Case of the Tattling OS and Applications" is now available at
http://www.cs.washington.edu/research/se
and
http://www.schneier.com/paper-truecrypt-d
Although Schneier has not yet mentioned the paper on his blog, some comments about Truecrypt and plausible deniability appear under his recent post "Using a File Erasure Tool Considered Suspicious".
Schneier, Team Hack 'Invisibility Cloak' for FilesQuite interesting. I am looking forward to the presentation whenever it becomes available on the USENIX Conference Proceeding site.
Researchers break 'deniable file system' steganography feature that conceals the existence of sensitive files from hackers
JULY 16, 2008 | 5:35 PM
By Kelly Jackson Higgins
Senior Editor, Dark Reading
[...]
The researchers were able to get around DFS in versions 5.0 and below of TrueCrypt’s encryption-on-the-fly tool, and will present their findings on the hack at the Usenix HotSec ’08 summit next week in San Jose, Calif.
[...]
Schneier, who has studiedthe viability of the so-called “deniable” file system model in the past, says DFS is actually easier to hack than encryption, and that there may be no way to make files truly undetectable on a drive. “Deniability is a much harder security feature to enable than secrecy,” he says. [...]
The researchers were able to crack DFS without decrypting it. “Breaking the security of a DFS does not require decrypting the data; it only requires proving that (or in some cases simply providing strong evidence that) the encrypted data exists,” according to the report, which was co-authored by Schneier and University of Washington researchers Alexei Czeskis, David St. Hilaire, Karl Koscher, Steven Gribble, and Tadayoshi Kohno.
The researchers found that Windows Vista shortcuts can give away the existence of a hidden file. Vista, which automatically creates shortcuts to files that get used, then stores the shortcuts in the Recent Items folder. And the auto-save feature in Word, meanwhile, saved versions of the hidden files.
[...]
“Modern applications and operating systems are very complicated, and interact with each other in many different ways,” Schneier says. “Hiding the existence of something means controlling all those interactions, which turns out to be a very hard problem.”
Related reference: Truecrypt's explanation of its Plausible Deniability approach.
UPDATE (17 July 2008):
Bruce Schneier & UW team's research paper "Defeating Encrypted and Deniable File Systems: TrueCrypt v5.1a and the Case of the Tattling OS and Applications" is now available at
http://www.cs.washington.edu/research/se
and
http://www.schneier.com/paper-truecrypt-d
Although Schneier has not yet mentioned the paper on his blog, some comments about Truecrypt and plausible deniability appear under his recent post "Using a File Erasure Tool Considered Suspicious".
I sometimes slip in "deniable plausibility"; it's hard to believe,
J.D. Abolins
- Mood:
chipper
I had mentioned Security & Privacy Day @ Stony Brook University in an earlier post and I attended the conference. The slides from most of the presentation are now online on the event's speaker schedule.
One of the more interesting (to me) sessions was "Information Leakage in Encrypted Network Traffic" by Fabian Monrose of Johns Hopkins University. The presentation showed how variable bit rate (VBR) compression in VoIP carries over some hints of the audio wave forms before compression. The packet sizes vary in some resemblance of the wave forms and, from the packet sizes, it is possible to get clues about the encoded communications. It is possible to have a good go at identifying the language spoken in the VoIP communications and, in some cases, spot certain phrases. Interestingly, spoken Hungarian (Magyar) can look like Arabic, Czech, Turkish, and several other languages in the VBR analysis. Monrose said that some linguists are looking into why.
Unfortunately, the slides from this talk are not on the Security & Privacy Day 2008 site. But you can lean about the VoIP VBR analysis from Prof. Monrose's home page. Look under the papers for Encrypted Traffic.
Speaking of professors' home pages and their papers, I was checking out the home page for Prof. Rebecca Wright of Rutgers University. She was scheduled to speak on "Incentives for honestly announcing paths in BGP" but, instead, spoke on network privacy and some ways to maintain soem privacy in the course of data mining. Prof. Wright's home page has links useful for people learning about the mathematics of cryptography and application of cryptography. (The emphasis is heavy on the maths; not the place if you are merely looking to learn day-to-day practical applications, such as how to use GnuPG.) Besides her papers, check out out the syllabi for her courses if you are trying to get an idea of how to study the underlying workings of modern cryptography.
 A chart from the paper "Spot me if you can: recovering spoken phrases in encrypted VoIP conversations" linked from Prof. Monrose's home page. The chart shows the overlap of Hungarian with some other languages. |
Unfortunately, the slides from this talk are not on the Security & Privacy Day 2008 site. But you can lean about the VoIP VBR analysis from Prof. Monrose's home page. Look under the papers for Encrypted Traffic.
Speaking of professors' home pages and their papers, I was checking out the home page for Prof. Rebecca Wright of Rutgers University. She was scheduled to speak on "Incentives for honestly announcing paths in BGP" but, instead, spoke on network privacy and some ways to maintain soem privacy in the course of data mining. Prof. Wright's home page has links useful for people learning about the mathematics of cryptography and application of cryptography. (The emphasis is heavy on the maths; not the place if you are merely looking to learn day-to-day practical applications, such as how to use GnuPG.) Besides her papers, check out out the syllabi for her courses if you are trying to get an idea of how to study the underlying workings of modern cryptography.
J.D. Abolins
From the xkcd site:
For a serious overview of the bug, see Bruce Schneier's post on the Random Number Bug in Debian Linux and an explanation at the Metasploit site. (By the way, I like the Dilbert comic at the Metasploit link.)
For a serious overview of the bug, see Bruce Schneier's post on the Random Number Bug in Debian Linux and an explanation at the Metasploit site. (By the way, I like the Dilbert comic at the Metasploit link.)
Randomly predictable,
J.D. Abolins
- Mood:
geeky
Much has been reported about the Princeton University research paper Lest We Remember: Cold Boot Attacks on Encryption Keys [pdf] and related matters. For now, I don't see much that I can add to the discussions. I hope to try some experiments with RAM data recovery as part of my ongoing education.
Meanwhile I came across the McGrew Security site and the msramdmp RAM imaging tool that looks useful for some RAM and cold boot experiments. There are some other interesting items on the site, including U3 thumbdrive hacking info and the GooSweep Python code for using Google for vulnerability security checks.
Meanwhile I came across the McGrew Security site and the msramdmp RAM imaging tool that looks useful for some RAM and cold boot experiments. There are some other interesting items on the site, including U3 thumbdrive hacking info and the GooSweep Python code for using Google for vulnerability security checks.
Do RAM chips dream of electric sheep while the PC hibernates?
J.D. Abolins
- Mood: geeky
Cute fake news story Dept.Of Homeland Security: 'Has Anybody Seen A Blue Folder?'
For my cryptography interests, the following was especially hilarious:
For my cryptography interests, the following was especially hilarious:
Though he maintained that the folder itself was not of the utmost importance, Chertoff claimed the contents within had "sentimental value" to the DHS. He insisted that any person or persons who came upon the folder would not be interested in any of the documents anyway, since most are encoded with the U.S. military's most advanced encryption technology.I am waiting for somebody to ask what size, shape, and colour is an advanced encryption key.
Chertoff also asked citizens to be on the lookout for the DHS' encryption key, which went missing last October.
J.D. Abolins
- Mood: cheerful
The device is a Hebern rotor cryptography machine, circa 1917.I took the photo at the US National Cryptological Museum at Ft. Mead, MD several years ago..
More information about the Hebern rotor machines:
J.D. Abolins
![[info]](http://l-stat.livejournal.com/img/userinfo.gif){kind=small}
