How broken is broken?

The Register runs an article with the title “AES crypto broken by ‘groundbreaking’ attack”. The article includes the following quote:

This technique is a divide-and-conquer attack. To find an unknown key, they partition all the possible keys into a set of groups. This is possible because AES subkeys only have small differences between rounds. They can then perform a smaller search for the full key because they can reuse partial bits of the key in later phases of the computation.

It’s impressive work but there’s no better cipher to use than AES for now.

So, it’s broken, but not really broken? Is that confusing or what? If not, you are probably versed in the field of cryptography. For the rest of us, there is a very useful update at the bottom of the article, which clears up some confusion:

Vulture Central has been deluged with missives from outraged readers complaining about the use of the word “broken” in the headline. “Broken” in cryptography is the result of any attack that is faster than brute force. The biclique technique described here allows attackers to recover keys up to five times faster than brute-force. AES may not be completely broken, but it’s broken nonetheless.

Today I’ve learned something new.

Sony security problems could take years to fix

Obviously, I’m not the only one thinking that Sony’s security problems are architectural.  Here is a quote from a New York Times article.

“Microsoft used to be the laughing stock of security and now they are now the shining example of good security,” said Mr. Gula. “It’s going to take a while for Sony to fix this, I think this will take years.”

On the other hand, some people are reporting that PlayStation Network is recovering.  Let’s see for how long…

Sony hacked again. Should go open source

Sky reports that Sony got hacked and lost some of its customers’ data:

Sony has once again been targeted by a group of hackers who claim they gained access to details of one million customers.

By now, I think it is obvious that Sony’s security issues are architectural.  It is not a matter of a firewall misconfiguration or a missed input validation check.  That would have been closed and forgotten months ago.  Repeated attacks and extensive downtimes of PlayStation Network indicate that the problems are much deeper and much harder to find and fix.

I think the best option for them now is to go open source.  If they open the protocols they use and server software they have – plenty of people will jump on it and create alternative servers and networks.  All that will be needed after that is a firmware update that would allow gamers to connect to those alternative networks.

Cyprus Hack Day

I got a message today via an almost non-existent mailing list of Cyprus LUG (Linux User Group) about the following event (please forgive my reformatting, translation, and interpretation):

Event: Cyprus Hack Day
Date: Wednesday, June 1st, 2011
Time: 16:30
Location: University of Nicosia (used to be known as Nicosia campus of Intercollege)
Price: Free
Registration: Online, via Cyprus Computer Society website.
Agenda:

  • Presentation “Chaos in the cloud” by Dr Mike Chung, KPMG Netherlands
  • Presentation “The emperor has no clothes: Remote Access Trojans (RAT) – A Unique Danger” by Andreas Constantinides and Angelos Printezis, Odyssey Consultants Ltd.
  • Demonstration “Hack-Jutsu 101” by Demetris Papapetrou, Information security researcher.

Organizers:

Does Microsoft Internet Explorer really hate Google Chrome?

The other day I wanted to install the Google Chrome browser on a nearby Windows PC.  Here is what I saw when I opened the download page in Microsoft Internet Explorer.

To help protect security, Internet Explorer blocked this site from downloading files to your computer.

I know, it’s probably a generic protection against downloading executable files, but it’s still funny.  Especially, the bit about MSIE protecting security by blocking Google Chrome.  Yeah, right.