Sunday, September 13, 2015

Encryption will not save you and I pimp Trojan Horse and Ghost Fleet again - What I am reading 9/13/2015

Good Morning All,

I know it's been a couple weeks since I posted anything substantial.  I apologize.  I am trying to enjoy the remaining nice weather before the promised El Nino Grande destroys all life here on the West Coast, and of course all the day to day stuff that comes with being a member of the oppressive patriarchy in good standing.  I promise to try and get some better content up in the coming days.  

Stuff that you will be proud to show your mother, and say "See these are the types of sites I visit on the web.  Eat it you old hag."

Okay, that may be overselling it a bit, unless your mom is really into @LindseyPelas and random tech stories stolen from other sites.  I'm not judging if she is, I can use the readership.

Alright, I have justified myself enough to you, my non-existent readers who may or may not have horrible harridan mothers with girl crushes on @LindseyPelas.

----------------------------------------------------------------------------------------------------------------------


When the Ashley Madison hackers leaked close to 100 gigabytes' worth of sensitive documents belonging to the online dating service for people cheating on their romantic partners, there seemed to be one saving grace. User passwords were cryptographically protected using bcrypt, an algorithm so slow and computationally demanding it would literally take centuries to crack all 36 million of them.
...
The cracking team, which goes by the name "CynoSure Prime," identified the weakness after reviewing thousands of lines of code leaked along with the hashed passwords, executive e-mails, and other Ashley Madison data. The source code led to an astounding discovery: included in the same database of formidable bcrypt hashes was a subset of 15.26 million passwords obscured using MD5, a hashing algorithm that was designed for speed and efficiency rather than slowing down crackers.
The bcrypt configuration used by Ashley Madison was set to a "cost" of 12, meaning it put each password through 2^12, or 4,096, rounds of an extremely taxing hash function. If the setting was a nearly impenetrable vault preventing the wholesale leak of passwords, the programming errors—which both involve an MD5-generated variable the programmers called $loginkey—were the equivalent of stashing the key in a padlock-secured box in plain sight of that vault. At the time this post was being prepared, the blunders allowed CynoSure Prime members to positively crack more than 11.2 million of the susceptible passwords.
Even when companies try and do the right thing and encrypt sensitive data, it is not a simple process to implement it correctly.  (Says the guy who can't tie his own shoes)  In theory encryption should form an impenetrable wall behind which your data is safe.  That turns out, more often than not, not to be the case.  Don't get me wrong, I am not saying don't encrypt, I am saying have a realistic appreciation of what that likely gets you.  
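To make the quoted point concrete, here is an added example that is not from the Ars article or this blog: a small audit over constructed credential records that classifies each stored value by format, the kind of inventory that would surface an MD5-encoded subset sitting beside bcrypt hashes before a cracking team does. The bcrypt format regex, the sample rows and the "fast" flag policy are assumptions made for this example.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# bcrypt modular-crypt format: $2a$/$2b$/$2x$/$2y$, two-digit cost, 22-char salt + 31-char hash.
# The regex is this example's assumption about the format, not something from the article.
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")
# 32 hex chars is the shape of an MD5 digest (NTLM/MD4 look the same, so "md5-like", not proof).
HEX32_RE = re.compile(r"^[0-9a-fA-F]{32}$")

@dataclass
class HashAudit:
    user: str
    scheme: str             # "bcrypt", "md5-like" or "unknown"
    cost: Optional[int]     # bcrypt cost parameter, when present
    rounds: Optional[int]   # 2**cost, the work every password guess must pay
    fast: bool              # True when an attacker can test candidates cheaply

def audit_hash(user: str, stored: str) -> HashAudit:
    """Classify one stored credential value by its format."""
    m = BCRYPT_RE.match(stored)
    if m:
        cost = int(m.group(1))
        return HashAudit(user, "bcrypt", cost, 2 ** cost, fast=False)
    if HEX32_RE.match(stored):
        return HashAudit(user, "md5-like", None, None, fast=True)
    # Unknown formats are treated as exposed until someone proves otherwise (assumed policy).
    return HashAudit(user, "unknown", None, None, fast=True)

def summarize(records):
    """Count records per scheme and list users whose stored value is cheap to attack."""
    counts = {}
    exposed = []
    for user, stored in records:
        a = audit_hash(user, stored)
        counts[a.scheme] = counts.get(a.scheme, 0) + 1
        if a.fast:
            exposed.append(user)
    return counts, exposed

# Constructed sample rows modelled on the article's mix; none of these is a real leaked value.
SAMPLE_RECORDS = [
    ("alice", "$2a$12$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
    ("bob",   hashlib.md5(b"password").hexdigest()),   # an MD5 "loginkey"-style field
    ("carol", "$2b$04$" + "./" * 11 + "0123456789abcdefghijklmnopqrstu"),
    ("dave",  "plaintext-or-unknown"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
```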

Boing Boing - My novel "Utopia" will hit shelves in 2017 -
 Here's my editor in Publishers Weekly:
 The novel, which marks Doctorow’s first solo adult fiction effort since 2009’s Makers, is set in the latter part of this century; Hayden described it as a “big, sprawling story” about what happens when advancements in technology make peace and abundance for all a possibility, allowing humans to “simply walk away from the systems of work and coercive authority that have run the world since agriculture began.” 
Obviously we are not talking about me, but about the most overhyped writer in Science Fiction - Cory Doctorow.  Fair warning to prepare for a never ending series of Oh I am so great posts ending with plugs for his new book.

Defense One - The Next Wave of Cyberattacks Won’t Steal Data — They’ll Change It -
... America’s top spies say the attacks that worry them don’t involve the theft of data, but the direct manipulation of it, changing perceptions of what is real and what is not.
Mark Russinovich wrote about this in his excellent novel Trojan Horse, and to a lesser extent in Ghost Fleet.

and just for your horrible mothers, bonus Lindsey Pelas -




