Cipherli.st – strong ciphers for Apache, Nginx and Lighttpd

Cipherli.st – provides ready to use cipher configurations for a variety of applications, such as Apache, Nginx, Lighttpd, HAProxy, Exim, Postfix, Dovecot, OpenSSH, and others.  This is a huge time-saver for those of us not well versed in cryptography and security.

Don’t forget to use Qyalis SSL Labs SSL Server Test tool for the complete analysis of where you went wrong.

Bayes theorem history

A fascinating read on the Bayes theorem history:

The German codes, produced by Enigma machines with customizable wheel positions that allowed the codes to be changed rapidly, were considered unbreakable, so nobody was working on them. This attracted Alan Turing to the problem, because he liked solitude. He built a machine that could test different code possibilities, but it was slow. The machine might need four days to test all 336 wheel positions on a particular Enigma code. Until more machines could be built, Turing had to find a way for reducing the burden on the machine.

He used a Bayesian system to guess the letters in an Enigma message, and add more clues as they arrived with new data. With this method he could reduce the number of wheel settings to be tested by his machine from 336 to as few as 18. But soon, Turing realized that he couldn’t compare the probabilities of his hunches without a standard unit of measurement. So, he invented the ‘ban’, defined as “about the smallest change in weight of evidence that is directly perceptible to human intuition.” This unit turned out to be very similar to the bit, the measure of information discovered using Bayes’ Theorem while working for Bell Telephone.

If the whole thing is too much for you, at least read the “Bayes at War” section.

Mind + computer > mind

Obviously, isn’t it?  Well, my brother posted this garbled piece of text, which is supposed to show you how awesome your mind is.

7H15 M3554G3 53RV35 7O PR0V3 H0W 0UR M1ND C4N D0 4M4Z1NG 7H1NG5, 1MPR3551V3 7H1NG5! 1N 7H3 B3G1NN1NG 17 WA5 H4RD BU7 N0W, 0N 7H15 LIN3 Y0UR M1ND 1S R34D1NG 17 4U70M471C4LLY W17H0U7 3V3N 7H1NK1NG 4B0U7 17, B3 PROUD! 0NLY C3R741N P30PL3 C4N R3AD 7H15.
R3-P057 1F U C4N R35D 7H15… !!!

And I agree, it is. But I think that mind with some extra computing power is even better. It took me just a few seconds to instruct my computer how to do a readable translation for me. Much less time than it takes me to read the garbled text.  For those of you with a Linux command line nearby:

$ cat message.txt | tr 715340 TISEAO

For those of you without a shell nearby and not an amazing mind, here is a “deciphered” version of the text:

THIS MESSAGE SERVES TO PROVE HOW OUR MIND CAN DO AMAZING THINGS, IMPRESSIVE THINGS! IN THE BEGINNING IT WAS HARD BUT NOW, ON THIS LINE YOUR MIND IS READING IT AUTOMATICALLY WITHOUT EVEN THINKING ABOUT IT, BE PROUD! ONLY CERTAIN PEOPLE CAN READ THIS.
RE-POST IF U CAN RESD THIS… !!!

How broken is broken?

The Register runs an article with the title “AES crypto broken by ‘groundbreaking’ attack“. Inside the said article they have the following quote:

This technique is a divide-and-conquer attack. To find an unknown key, they partition all the possible keys into a set of groups. This is possible because AES subkeys only have small differences between rounds. They can then perform a smaller search for the full key because they can reuse partial bits of the key in later phases of the computation.

It’s impressive work but there’s no better cipher to use than AES for now.

So, it’s broken, but not really broken? Is that confusing or what? If not, you are probably versed in the field of cryptography. For the rest of us, there is a very useful update at the bottom of the article, which clears up some confusion:

Vulture Central has been deluged with missives from outraged readers complaining about the use of the word “broken” in the headline. “Broken” in cryptography is the result of any attack that is faster than brute force. The biclique technique described here allows attackers to recover keys up to five times faster than brute-force. AES may not be completely broken, but it’s broken nonetheless.

Today I’ve learned something new.