Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Encryption

Aussie Attorney General's War On Encrypted Web Services 151

Bismillah writes "If Attorney-General Brandis gets his way in the process of revising Australia's Telecommunications Interception Act, users and providers of VPNs and other encrypted services will by law be required to decrypt government intercepted data. Because, 'sophisticated criminals and terrorists.' New Zealand already has a similar law, the Telecommunications Interception and Computer Security Act. Apparently, large Internet service providers such as Microsoft and Facebook won't be exempt from the TICSA and must facilitate interception of traffic."
Encryption

Most Tor Keys May Be Vulnerable To NSA Cracking 236

Ars Technica reports that security researcher Rob Graham of Errata Security, after analyzing nearly 23,000 Tor connections through an exit node that Graham controls, believes that the encryption used by a majority of Tor users could be vulnerable to NSA decryption: "About 76 percent of the 22,920 connections he polled used some form of 1024-bit Diffie-Hellman key," rather than stronger elliptic curve encryption. More from the article: "'Everyone seems to agree that if anything, the NSA can break 1024 RSA/DH keys,' Graham wrote in a blog post published Friday. 'Assuming no "breakthroughs," the NSA can spend $1 billion on custom chips that can break such a key in a few hours. We know the NSA builds custom chips, they've got fairly public deals with IBM foundries to build chips.' He went on to cite official Tor statistics to observe that only 10 percent of Tor servers are using version 2.4 of the software. That's the only Tor release that implements elliptical curve Diffie-Hellman crypto, which cryptographers believe is much harder to break. The remaining versions use keys that are presumed to be weaker."
Communications

Use Tor, Get Targeted By the NSA 451

An anonymous reader sends this news from Ars Technica: "Using online anonymity services such as Tor or sending encrypted e-mail and instant messages are grounds for U.S.-based communications to be retained by the National Security Agency, even when they're collected inadvertently, according to a secret government document published Thursday. ...The memos outline procedures NSA analysts must follow to ensure they stay within the mandate of minimizing data collected on U.S. citizens and residents. While the documents make clear that data collection and interception must cease immediately once it's determined a target is within the U.S., they still provide analysts with a fair amount of leeway. And that leeway seems to work to the disadvantage of people who take steps to protect their Internet communications from prying eyes. For instance, a person whose physical location is unknown—which more often than not is the case when someone uses anonymity software from the Tor Project—"will not be treated as a United States person, unless such person can be positively identified as such, or the nature or circumstances of the person's communications give rise to a reasonable belief that such person is a United States person," the secret document stated.'"
Piracy

Kim Dotcom's Mega Fileshare Service Riddled With Security Holes 151

twoheadedboy writes "Kim Dotcom launched his new project Mega on Sunday, claiming it was to be 'the privacy company.' But it might not be so private after all, as security professionals have ripped it to shreds. There are numerous problems with how encryption is handled, an XSS flaw and users can't change their passwords, they say. But there are suspicions Mega is handing out encryption keys to users and touting strong security to cover its own back. After all, if Kim Dotcom and Co don't know what goes on the site, they might not be liable for copyright prosecutions, as they were for Megaupload, Mega's preprocessor." On this front, reader mask.of.sanity points out a tool in development called MegaCracker that could reveal passwords as users sign up for the site.
Privacy

GnuPG Short ID Collision Has Occurred. 110

kfogel writes "Asheesh Laroia now has two GPG different keys with the same short ID (70096AD1) circulating on keyservers. One of them is an older 1024-bit DSA key, the other is a newer 4096-bit RSA key. Oops. Asheesh argues that GPG's short IDs are too short to be the default anymore — collisions are too easy to create: he did it on purpose and openly, but others could do it on purpose and secretly. More discussion (and a patch by dkg) are in this bug report."
Encryption

Ask Slashdot: Is SHA-512 the Way To Go? 223

crutchy writes "When I was setting up my secure website I got really paranoid about SSL encryption, so I created a certificate using OpenSSL for SHA-512 encryption. I don't know much about SHA (except bits that I can remember from Wikipedia), but I figure that if you're going to go to the trouble (or expense) of setting up SSL, you may as well go for the best you can get, right? Also, what would be the minimum level of encryption required for, say, online banking? I've read about how SHA-1 was 'broken', but from what I can tell it still takes many hours. What is the practical risk to the real internet from this capability? Would a sort of rolling key be a possible next step, where each SSL-encrypted stream has its own private/public key pair generated on the fly, and things like passwords and bank account numbers were broken up and sent in multiple streams with different private/public key pairs? This would of course require more server grunt to generate these keys (or we could take a leaf from Google's book and just have separate server clusters designed solely for that job), but then if computing performance was a limiting factor, the threat to security of these hashes wouldn't be a problem in the first place." (Continued below.)
Crime

Convicted Terrorist Relied On Single-Letter Cipher 254

Hugh Pickens writes "The Register reports that the majority of the communications between convicted terrorist Rajib Karim and Bangladeshi Islamic activists were encrypted with a system which used Excel transposition tables which they invented themselves. It used a single-letter substitution cipher invented by the ancient Greeks that had been used and described by Julius Caesar in 55BC. Despite urging by the Yemen-based al Qaida leader Anwar Al Anlaki, Karim rejected the use of a sophisticated code program called 'Mujhaddin Secrets' which implements all the AES candidate cyphers, 'because "kaffirs," or non-believers, know about it so it must be less secure.'"
Microsoft

MS Removes HTTPS From Hotmail For Troubled Nations 147

An anonymous reader writes "Microsoft has removed HTTPS from Hotmail for many US-embargoed or otherwise troubled countries. The current list of countries for which they no longer enable HTTPS is known to include Bahrain, Morocco, Algeria, Syria, Sudan, Iran, Lebanon, Jordan, Congo, Myanmar, Nigeria, Kazakhstan, Uzbekistan, Turkmenistan, Tajikistan, and Kyrgyzstan. Journalists and others whose lives may be in danger due oppressive net monitoring in those countries may wish to use HTTPS everywhere and are also encouraged to migrate to non-Microsoft email providers, like Yahoo and Google." Update: 03/26 17:08 GMT by T : Reader Steve Gula adds the caveat that "Yahoo! only does HTTPS for authentication unless you're a paying member."
Censorship

Egyptians Turn To Tor To Organize Dissent Online 152

An anonymous reader writes "Even as President Obama prepares to follow Mubarak with his own 'internet kill switch', Egyptians were turning to the Tor anonymiser to organise their protests online. The number of Egyptians connecting to the internet over Tor rose more than five-fold after protests broke out last week before crashing when the Government severed links to the global internet. Information security researcher, Tor coder and writer of the bridge that allowed Egypt's citizens to short-circuit government filters, Jacob Appelbaum, told SC Magazine Egyptians were 'concerned and some understand the risk of network traffic analysis.' Appelbaum has himself been the subject of attention from US security services who routinely snatch his electronics and search his belongings when he re-enters the country and who subpoenaed his private Twitter account last December." Which helps explain why Appelbaum is helping to organize a small fundraiser to get more communications gear into Egypt.
Privacy

Swedish ISPs To Thwart EU Data Retention Law 110

aaardwark writes "After a leaked document from the department of justice showed police will be able to demand extensive private information for minor offenses, some Swedish ISPs have decided to fight back (translated article). By routing all traffic through VPN, they plan to make the gathered data pointless. ISP Bahnhof says they will give you the option to opt out of VPN, but giving up your privacy will cost extra."
Cellphones

Windows Phone 7 Marketplace Hack Demonstrated 89

broggyr writes "Seems it didn't take long to hack the Windows Phone 7 marketplace. Quoting WPCentral: 'For developers, the weakness in Microsoft's DRM for Windows Phone 7 applications has been well known for quite some time, and there have been calls for Microsoft to address these concerns ... Since then, a "white hat" developer has provided WPCentral with a proof-of-concept program that can successfully pull any application from the Marketplace, remove the security and deploy to an unlocked Windows Phone with literally a push of a button. Alternatively, you could just save the cracked XAP file to your hard drive. Neither the app nor the methodology is public, and it will NOT be released ... It is important to note that this was all done within six hours by one developer.'"
Television

HDCP Master Key Revealed 747

solafide writes "The HDCP Master Key has allegedly been revealed. If true, this information will allow anyone to create their own source or sink keys, essentially making HDCP useless for content protection permanently. No word yet on how it was obtained, but if true, this is a great day for content freedom around the world!"
The Military

NSA and Army On Quest For Quantum Physics Jackpot 110

coondoggie sends this excerpt from NetworkWorld: "The US Army Research Office and the National Security Agency (NSA) are together looking for some answers to their quantum physics questions. ... The Army said quantum algorithms that are developed should focus on constructive solutions [PDF] for specific tasks, and on general methodologies for expressing and analyzing algorithms tailored to specific problems — though they didn't say what those specific tasks were ... 'Investigators should presuppose the existence of a fully functional quantum computer and consider what algorithmic tasks are particularly well suited to such a machine. A necessary component of this research will be to compare the efficiency of the quantum algorithm to the best existing classical algorithm for the same problem.'"
Security

Cryptography Expert Sounds Alarm At Possible Math Hack 236

netbuzz writes "First we learn from Bruce Schneier that the NSA may have left itself a secret back door in an officially sanctioned cryptographic random-number generator. Now Adi Shamir is warning that a math error unknown to a chip makers but discovered by a tech-savvy terrorist could lead to serious consequences, too. Remember the Intel blunder of 1996? 'Mr. Shamir wrote that if an intelligence organization discovered a math error in a widely used chip, then security software on a PC with that chip could be "trivially broken with a single chosen message." Executing the attack would require only knowledge of the math flaw and the ability to send a "poisoned" encrypted message to a protected computer, he wrote. It would then be possible to compute the value of the secret key used by the targeted system.'"

Slashdot Top Deals

Congratulations! You are the one-millionth user to log into our system. If there's anything special we can do for you, anything at all, don't hesitate to ask!

Working...