cryptography

Latest

  • Defcon 20 badges meld hieroglyphs, circuitry and cryptography for hacker scavenger hunt

    by 
    Joseph Volpe
    07.27.2012

    Every year, the world's hacker population descends upon Las Vegas to trade notes, sit in on informational talks and compete in friendly contests -- all in the name of Defcon. But this time out, it's the conference's ever-evolving smart badges that've caught our eye, owing mostly to what lurks beneath. Designed by Ryan Clarke -- the mastermind behind the gathering's Mystery Box challenge -- these hackable IDs, issued according to status (Press, Human, Goons, vendors, etc), come embedded with an LED, a multi-core processor, IR transmitter and accompanying hieroglyphic graphic. But that's not all that makes these high-tech tags so special. Turns out, each one contains a game, buried within its open source software, that's encoded with several cryptographic, linguistic and mathematical layers. Shying away from hardware-focused hacks of the past, Clarke built this year's scavenger hunt-like game to be more inclusive of attendee skills, as it'll force conference-goers interested in cracking its code to break down social barriers and collaborate with other highly-specialized nerds. What's the end game, you ask? Well, according to Clarke, the puzzle is a continuation of last year's secret agent story (played out by a real-life actor) involving "a [mysterious] society of computer elites." It's not the sort of payoff we'd be after -- something greener and covered with a certain Ben Franklin's face would suffice -- but it sounds intriguing enough. Click on the source below to read more about the makings of this geek sport. And may the pastiest neckbeard win!

  • Guitar Hero clone used to teach unknowable, subconscious passwords

    by 
    Jordan Mallory
    07.21.2012

    We're not entirely sure if this new development in password technology is amazing or terrifying or both, but a group of cryptographers and neuroscientists have developed a method through which a subject can be taught a 30-character password and not even know that they know it. This is all accomplished through repeated play sessions of a keyboard-controlled Guitar Hero clone. I mean, how else would you do it? The "game," developed by Stanford University student Hristo Bojinov, has players pressing the S, D, F, J, K and L keys on their keyboards as corresponding symbols fall from the top of the screen to the bottom, as seen above. During a standard 45-minute play session, nearly 4,000 "notes" are generated and entered by the player, 80 percent of which are actually part of a cryptographic sequence. By the time the session is over, the subject has "learned" a 30-character password, though it is supposedly impossible for them to actually know what it is. In order to "enter" the password, the subject plays a round of the game in which their 30-character password is randomly jumbled with other 30-character sequences. The subject subconsciously trained on their specific password would statistically perform better on those sequences rather than the sequences belonging to other passwords, thus verifying their identity. Unfortunately, Bojinov's subconscious encryption engine isn't playable online at present. Maybe that's for the best, though -- we're not sure how ready we are to be implanted with unknowable knowledge.

  • MIT's got a way of using encrypted data without decrypting it, next stop, traveling without moving

    by 
    Daniel Cooper
    12.23.2011

    Excepting Jersey Shore participants, people generally value privacy and it's a bigger issue when so much data is stored online. Ethical data controllers will keep it encrypted, but much like leaving food in a fridge, you have to take it out if you wanna use it, which is when it's most at risk. A team from MIT thinks it's found a solution: a database that allows you to ask it questions without taking it out of the fridge... wait, what? CryptDB works by turning data into "homomorphic" information: strings of numbers, which you can then calculate against one another to get the answers you require. The frankensoftware is comprised of other encryption services, layered like an onion -- but capable of switching between processes instantly. The project was funded by Google and Citigroup and has been so successful that DARPA might be rolling some tanks up Massachusetts Avenue to offer the team a $20 million bounty. Head on down to our source link to read the paper that's so complex it made our eyes go cross-eyed.

  • Bluetooth keyboard mod resurrects Morse code, offers a helping click to disabled (video)

    by 
    Joseph Volpe
    08.02.2011

    Morse code may have been pushed aside in the pursuit of higher-tech cryptography, but the old dits and dahs of yore are now finding a repurposed life helping the disabled. Modding outfit Zunkworks has cobbled together an Arduino hack that pairs a Bluetooth-based, dots and dashes approach with wallet-friendly parts. Using the keyboard's two inbuilt push-buttons, users' clicks are decoded by the integrated Arduino and then transmitted via Bluetooth to a nearby computer. And thanks to the mod's HID profile support, you can also enjoy this access solution on smartphones and tablets -- useful for those who can "send code at 25-50 words per minute." Yeah, that's definitely not us. Still, we applaud the group's efforts to make 21st century tech accessible to the handicapped and geek alike. Jump past the break for a video demo of this on / off hackjob.

  • Robert Morris, man who helped develop Unix, dies at 78

    by 
    Amar Toor
    07.01.2011

    We have some somber news to bring you this morning: Robert Morris, the cryptographer who helped create Unix, has died at the age of 78. Morris began his work on the groundbreaking OS back in 1970 at AT&T's Bell Laboratories, where he played a major role in developing Unix's math library, password structure and encryption functions. His cryptographic exploration continued into the late 1970s, when he began writing a paper on an early encryption tool from Germany. But the paper would never see the light of day, thanks to a request from the NSA, which was concerned about potential security ramifications. Instead, the agency brought Morris on board as a computer security expert in 1986. Much of what he did for Uncle Sam remains classified, though he was involved in internet surveillance projects and cyber warfare -- including what might have been America's first cyberattack in 1991, when the US crippled Saddam Hussein's control capabilities during the first Gulf War. Morris stayed with the NSA until 1994, when he retired to New Hampshire. He's survived by his wife, three children and one, massive digital fingerprint. [Image courtesy of the New York Times]

  • Android 3.0 'Honeycomb' can encrypt all your data, needs a full hour's charge

    by 
    Sean Hollister
    02.02.2011

    Diving through the Motorola Xoom's sweet, sweet blend of Android 3.0, we found an interesting perk -- there's an "Encrypt Tablet" option buried in the settings page, intended to secure all your personal data with a password or PIN. While a handy Google rep couldn't tell us which cryptographic standards the OS uses, he did tell us the feature is part of Honeycomb as a whole, not a Motorola exclusive, so we're sure to see the option in other business-minded Android slates to come. Oh, and Google asks that all you sysadmins stay tuned, as the company's whipped up an API that lets you enforce policy restrictions upon your peons as far as encryption is concerned. Just make sure they remember to keep the tablet charged. See a close-up after the break. Update: Google pinged us to clarify that the device policy manager API was actually introduced in 2.2. What's new here is that the API can now support enforcement of encrypted storage in 3.0 (as well as password strength).

  • PS3 custom firmware lets you 'Install Package Files,' piracy not allowed

    by 
    Christopher Grant
    01.06.2011

    Well, that didn't take long! Just one week after hacking collective (and chr0nic misspellers) fail0verflow revealed a hack that delivered the PS3's private cryptography key on a platter, another hacker going by the MoNiKeR "KaKaRoToKS" has taken the next step, delivering tools that will convert your plain ol' vanilla PS3 firmware (yup, even the latest security-minded 3.55 patch) into a fancy new custom firmware. One capable of running signed and encrypted executable .PKG files ... not unlike the ones that Sony itself uses to distribute PSN games. But this custom firmware isn't all about piracy. KaKaRoToKS writes, "Since the kernel is left unmodified, this means that this custom firmware is really meant for future homebrew installation, and it will not allow piracy. I plan on keeping it that way." We suspect that myriad other, less scrupulous hackers don't share that sentiment. If you want an "Install Package Files" option in the Game section of your XMB, PS3-hacks.com has a guide just for you. Peep a video of a custom firmware installation after the break.

  • Hackers obtain PS3 private cryptography key due to epic programming fail? (update)

    by 
    Sean Hollister
    12.29.2010

    The 27th annual Chaos Communication Conference already hacked encrypted GSM calls with a $15 cellphone, but there was a second surprise in store this morn -- the souls who unlocked the Nintendo Wii's homebrew potential (and defended it time and again) claim to have broken into the PlayStation 3 as well. Last we left the black monolith, Sony had won a round, forcing the community to downgrade their firmware for any hope at hacking into the console. Well, the newly formed fail0verflow hacking squad says that won't be a problem any longer, because they've found a way to get the PS3 to reveal its own private cryptography key -- the magic password that could let the community sign its very own code. So far, the team hasn't provided any proof that the deed's been done, but they have provided quite an extensive explanation of how they managed the feat: apparently, Sony didn't bother generating any random numbers to secure the blasted thing. (We don't really know how it works, but we have it on good authority that dead cryptography professors are rapidly spinning in their graves.) The group intends to generate a proof-of-concept video tomorrow, and release the tools sometime next month, which they claim should eventually enable the installation of Linux on every PS3 ever sold. Catch the whole presentation after the break in video form, or skip to 33:00 for the good stuff. Update: The proof-of-concept vid is a bit underwhelming -- fail0verflow had to SSH into a PS3 over ethernet -- but it's here nonetheless. See it after the break, and find the team's full set of presentation slides at our more coverage link. [Thanks, Paolo S.]

  • IronKey boasts 'world's most physically and cryptographically secure' thumb drive

    by 
    Joseph L. Flatley
    07.13.2009

    This isn't the first time we've seen one of IronKey's encrypted USB thumb drives 'round these parts, but if you're an enterprise user, government contractor, or some sort of renegade corporate spy you'll want to take note of this next item. The S200 is being touted as the world's first and only USB flash drive certified for FIPS 140-2, Security Level 3, and features: hardware-based AES 256-bit encryption in CBC mode, a tamper-resistant and tamper-evident rugged metal case, hardware-based malware protection, trusted network restrictions (which prevent the device from unlocking on untrusted PCs), and all the other goodies you expect from the company. Of course, this level of protection doesn't come cheap -- with their consumer grade products starting at $79.99 and ascending pretty quickly from there, we can only imagine what enterprise customers are shelling out. Then again, if you have to ask what it costs, this one is probably not for you. PR after the break.

  • Quantum cryptography: now ready for space travel

    by 
    Darren Murph
    05.04.2009

    It's been awhile since we've heard of any major advancements in the world of quantum cryptography, but at long last the silence is being broken by a squad of jubilant Austrian physicists. As the story goes, a team from Austria's Institute for Quantum Optics and Quantum Information (IQOQI) managed to send "entangled photons" 90 miles between the Spanish islands of Las Palmas and the Balearics. Calling the ephemeral test successful, the crew has boldly asserted that it's now feasible to send "this kind of unbreakable encrypted communication through space using satellites." Funny -- last we remember, quantum cryptography still had a few kinks to work through here beneath the stratosphere.

  • PlayStation 3 used to hack SSL, Xbox used to play Boogie Bunnies

    by 
    Joseph L. Flatley
    12.30.2008

    Between the juvenile delinquent hordes of PlayStation Home and some lackluster holiday figures, the PlayStation has been sort of a bummer lately, for reasons that have nothing to do with its raison d'etre -- gaming. That doesn't mean that the machine is anything less than a powerhouse -- as was made clear today when a group of hackers announced that they'd beaten SSL, using a cluster of 200 PS3s. By exploiting a flaw in the MD5 cryptographic algorithm (used in certain digital signatures and certificates), the group managed to create a rogue Certification Authority (CA) which allows them to create their own SSL certificates -- meaning those authenticated web sites you're visiting could be counterfeit, and you'd have no way of knowing. Sure, this is all pretty obscure stuff, and the kids who managed the hack said it would take others at least six months to replicate the procedure, but eventually vendors are going to have to upgrade all their CAs to use a more robust algorithm. It is assumed that the Wii could perform the operation just as well, if the hackers had enough room to spread out all their Balance Boards. [Via ZD Net]

  • Researchers demo "unbreakable encryption" based on quantum cryptography

    by 
    Darren Murph
    10.09.2008

    Call us devilish, but we just can't help but love these types of stories. Here we have yet another overly confident group of researchers grossly underestimating the collective power of the hacking underground, as gurus from all across Europe have joined together to announce "the first commercial communication network using unbreakable encryption based on quantum cryptography." Interestingly enough, quantum cryptography has already been cracked in a kinda-sorta way, but that's not stopping these folks from pushing this claim hard to government agencies, financial institutions and companies with distributed subsidiaries. We've no doubt this stuff is pretty secure, but the last time we heard someone utter a claim similar to this, we saw him uncomfortably chowing down on those very words merely months later. [Via Physorg]

  • Pentagon presents hypothetical terrorist plot in WoW

    by 
    Alex Ziebart
    09.16.2008

    A number of readers wrote in to tell us about a 'hypothetical WoW-hatched terror plot' from the Pentagon, which Wired posted just last night. The scenario detailed in the presentation given by Dr. Dwight V. Toavs is meant to display how terrorists could potentially use the pseudonymity of an MMO combined with the obscure gamer lingo to hide a terrorist plot within the massive, mostly unmonitored (by them) playerbase. This isn't the first time we've heard about the government looking to virtual worlds for potential terrorist hideouts, but it's the most ridiculous. The presented scenario is as follows (summarized; full version at Wired): Two WoW players, WAR_MONGER and TALON238 meet up to plot. WAR_MONGER lays out the plan: They will approach via the South East of the Zoram Strand, and assault the 'White Keep' using a 'Dragon Fire' spell in their inventory. They will kill all of the 'castle guards' and when they've entered the keep, they will acquire their treasure of 110 gold, 234 silver. Translation: These two terrorists will meet South East of the White House (the White Keep) and take out all of the security before sneaking a weapon of some sort through. The 'treasure' is the coordinates for their attack.

  • Toshiba creates fastest random number generator

    by 
    Ryan Block
    02.08.2008

    The über crypto-geeks in the house just raised all kinds of eyebrows with the announcement of Toshiba's new physical random-number generator, which can pump out 2 megabits per second of random output in a 1,200 square micron circuit size. You're a unique kind of person if this stuff gets your motor running -- or if you actually need 2Mbps of random data on the go. May we suggest Kabbalah, or perhaps a game of Go?

  • Cryptography Research looking to curb ink cartridge piracy

    by 
    Darren Murph
    07.02.2007

    Granted, we've never had too much luck with those knockoff ink cartridges ourselves, but that doesn't mean that printer (and therefore, ink) manufacturers aren't looking to halt sales of the profit-stripping units in any way possible. Aiding them in their quest is Cryptography Research Inc., which is currently developing "chip technology aimed at helping printer manufacturers protect this primary source of profit." Essentially, the CryptoFirewall chips would make it harder for printers to utilize counterfeit or "off-brand" substitutes, which leaves consumers stuck sans a choice and left to pony up whatever they must in order to get that essay turned in the next morning. The company claims that its technology will be ready to cripple new printers sometime next year, but hey, the hackers in the crowd are just salivating for yet another challenge. [Via Slashdot]

  • Quantum cryptography kinda sorta hacked

    by 
    Nilay Patel
    05.01.2007

    It's always only a matter of time. A little less than a year after the first quantum cryptographic network was demoed, a group of researchers at MIT have announced a working implementation of a hack that's been around in theory since 1998 but never implemented. Skirting around ol' Wernie Heisenberg and that Principle of his, the team exploited quantum entanglement to read the encryption keys encoded in photon polarizations from their momentums, avoiding detection by either end -- in other words, doing what was once thought impossible by cryptographers. The system isn't perfect, however -- in this early incarnation it can only nab 40% of transmitted data before giving itself away, and more importantly, it requires the invention of a "quantum non-demolition box" before the attacker can be anywhere but the same room as the receiver, since right now both attacker and receiver need to be using the same photon detector. Sounds like that might put a damper on that whole "undetectable" thing. Still, the researchers sound upbeat -- they're saying the work proves that no secret is truly safe. We're just wondering if they're pushing MIT to rename their department SETEC ASTRONOMY.

  • Upcoming VC releases

    by 
    Jason Wishnov
    12.14.2006

    Thus far, Nintendo has decided to keep the exact releases of Virtual Console Mondays a secret until the day-of, leaving us gamers biting our nails in mind-numbing suspense. Sega's official website and a major in cryptology have given us three gleaming glimpses in the future. First, from Sega's camp, the classic space-shooter Space Harrier II (1989) will see the light of day next Monday, the 18th of December. Furthermore, on Christmas Day, they'll drop cult-favorite and this blogger's most anticipated VC title, Toe Jam & Earl. Awesome. From Hudson, their website left the internet-at-large with this little clue: "WHICH GAME COMES NEXT? This one is a doozy. Truly a classic. Here's your first clue: VGCE0590PG46 Yes, I know. That's freakin cryptic. If no one can figure it out, I may drop another clue tomorrow. Good luck!" Brilliant minds came together, formulas were solved, chemicals were mixed, and lo, the secret was revealed. VGCE0590PG46 stands for Video Game and Computer Entertainment, May 1990, Page 46. Dig up a couple of old magazine scans, and voilà! The game is Military Madness, a turn-based strategy game with a fairly large following. Couldn't they have just told us right out?

  • Britons build working replica of the Turing Bombe

    by 
    Cyrus Farivar
    09.09.2006

    Just in case Al Qaeda or other "evildoers" du jour decide to start communicating in code via the WWII-era Enigma code -- we'll have the Turing Bombe on our side. This working replica of the machine used by British cryptologists at Bletchley Park, the epicenter of the counter-Enigma effort, was unveiled at that site earlier this week. According to an article by The Register: "The Bombes used 108 electromagnetic spinning drums to test combinations of letters and reveal the likely keys to the Enigma code used in a particular message." The article goes on to say that Churchill ordered the 200 Bombes that had been built dismantled by the end of the war, and that it wasn't until the 1970s that the classified nature of these devices was lifted. Unlike the shrouded secrecy that its original was wrapped in, this replica will be open to the public -- from September 23-24, there will be a reunion of Bletchley Park veterans and special demonstrations with war re-enactors in period dress. No word on who will play Alan Turing, though, but our own England bureau chief, Conrad Quilty-Harper, is a likely candidate. [Via The Register]

  • "Diamond Crypto Smartphone" for the rich and paranoid

    by 
    Chris Ziegler
    07.15.2006

    Though we admire diamond encruster extraordinaire Peter Aloisson and his previous work, it suffered the same problem as other million-dollar cellphones have in the past: not enough cryptography. Happily, Russian firm JSC Ancort has developed a Windows CE-based smartphone ready for Aloisson's bejeweling that employs "powerful encryption technology" to "provide secure protection of information against kidnapping, technological blackmail, financial racketeers and corrupted state officials" -- sounds like marketing speak for a password-protected wallet app, but who are we to judge? Of course, with its $1.3 million price tag and 50 diamonds (10 of which are blue) we think you might start to have more trouble with mugging than with "technological blackmail," but there's only one way to find out for certain -- anyone want to donate the cash for a hands-on? [Via textually.org]

  • SecureGSM SP crypto software for WM5 smartphones

    by 
    Evan Blass
    05.01.2006

    Windows Mobile Smartphone users now have a new way to conduct their shady business in secret, thanks to a newly-released version of Australian developer SecureGSM's "military-grade" crypto software. Designed to incorporate seamlessly with the WinMo UI, SecureGSM SP delivers on-the-fly data encryption for communicating with other SecureGSM-enabled devices, and promises voice quality that's "comparable to standard mobile communication." Processor requirements for the ~$190 app are pretty light, with any device running faster than 175MHz making the cut, but system requirements are a bit stricter, as you'll need the MSFP-sporting WM5 AKU2 installed if you want to enjoy conversations free of eavesdropping.