Weekly Edition
Return to the Security page
| |||||||||||||
Security quotes of the week
Because of their proprietary nature and narrowly-specified license and
approval guidelines, medical devices are actually more at risk of catching
computer viruses because they are often outdated, unprotected, and unable
to be modified or upgraded.
-- NaturalNews
learns that not just the patients in a hospital have viruses
Criminals no longer need to stake out a home or a business to monitor the
inhabitants' comings and goings. Now they can simply pick up wireless
signals broadcast by the building's utility meters… Because energy usage often drops to near zero when a house is empty, the readings could be used to identify which owners are at work or on holiday.
-- New
Scientist
We demonstrate that SSL certificate validation is completely broken in many security-critical applications and libraries. Vulnerable software includes Amazon's EC2 Java library and all cloud clients based on it; Amazon's and PayPal's merchant SDKs responsible for transmitting payment details from e-commerce sites to payment gateways; integrated shopping carts such as osCommerce, ZenCart, Ubercart, and PrestaShop; AdMob code used by mobile websites; Chase mobile banking and several other Android apps and libraries; Java Web-services middleware - including Apache Axis, Axis 2, Codehaus XFire, and Pusher library for Android - and all applications employing this middleware. Any SSL connection from any of these programs is insecure against a man-in-the-middle attack.
-- From a paper by M. Georgiev, S. Iyengar, S. Jana, R. Anubhai, D. Boneh, and V. Shmatikov(Log in to post comments)
Security quotes of the week Posted Oct 25, 2012 9:40 UTC (Thu) by ortalo (subscriber, #4654) [Link]
The following quote from the third source (ACM article) is also pretty nice:
"In general, disabling proper certificate validation appears to be the developers’ preferred solution to any problem with SSL libraries." (sect.10)
Security quotes of the week Posted Oct 25, 2012 12:50 UTC (Thu) by tpo (subscriber, #25713) [Link]
I am surprised, that the paper cited here - "The most dangerous code in the world: validating SSL certificates in non-browser software" [0] - gets a mere "Security quotes of the week" mention.
I think its findings are devastating.
Also I found Adam Langley's recent article "NIST may not have you in mind" [1], especially the papers from 2005(!) [2][3] mentioned there, earth shattering. Until I read that article I was under the impression that AES is secure and did not know that there are practical attacks against AES(' implementations).
Not being a crypto expert myself, this leaves me with the feeling, that the crypto currently in use in mainstream software is mainly security theater: we - or maybe rather the experts among us - know it doesn't work but are still relying on the attacker not being very clever.
[0] http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
Security quotes of the week Posted Oct 25, 2012 13:53 UTC (Thu) by jake (editor, #205) [Link]
> gets a mere "Security quotes of the week" mention
we just spotted it after the edition was already "put to bed" for the week, so that seemed like a quick and easy way to get something in for the weekly. more coverage does seem required as you note. stay tuned ...
jake
Security quotes of the week Posted Oct 25, 2012 15:36 UTC (Thu) by wahern (subscriber, #37304) [Link]
Timing attacks are well known and popular crypto libraries like OpenSSL take them into account. Newer algorithms and implementations are designed with timing attacks in mind. (They were known before DJB's paper, but it wasn't until around that time that public proof of concepts were published.)
The fact that cryptographic protocols can be commonly circumvented by bugs and laziness in the employing applications is also not new. But it usually takes proofs of concepts to catch people's attention.
I wouldn't call common protocols security theater. Security theater usually refers to tactics and procedures which are fundamentally insecure, or at least not based in any rigorous methodological science. The characteristics of cryptographic algorithms and protocols, OTOH, are quantifiable, and you can reason about them, including making assessments about the difficulty of their use.
Security quotes of the week Posted Oct 25, 2012 15:43 UTC (Thu) by wahern (subscriber, #37304) [Link]
Also, FWIW, newer Intel and AMD chips have instructions for implementing GCM in hardware.
Security quotes of the week Posted Oct 25, 2012 18:04 UTC (Thu) by tpo (subscriber, #25713) [Link]
> FWIW, newer Intel and AMD chips have instructions for implementing GCM in hardware.
As far as I understand Langley's article GCM is only one part of the problem. Is the other part of the problem also resolved by those machine instructions?
In case it would be, would that mean that as long as your SW runs on "newer" machines and actually uses those instructions for AES, you're safe and protected against known sidechannel attacks in software?
Also, as far as I understood OpenSSL is *still* doing table lookups but have reduced the table sizes so as not to cause that much cache churn. Would that have made the attack harder or impossible? Harder by several orders of magnitude or by several factors?
And what about the current typical SW stack? If I do a "cat /proc/memory | grep AES", how many of the typical processes running there actually use safe AES implementations? Does the kernel?
Security quotes of the week Posted Oct 25, 2012 20:48 UTC (Thu) by wahern (subscriber, #37304) [Link]
All of those concerns--if borne out--fall short of security theater. OpenSSL probably still has buffer overflows, like most other complex crypto stacks, lurking somewhere. Granted, that's different than the timing attacks, which arguably could be considered design flaws in the algorithm. But none of those mean that they're unusable, they're just far from perfect.
On the other hand, the process of checking people's shoes at the airport isn't merely suboptimal. It's not like we're doing it wrong. It's that we have no evidence its worthwhile at all, and it may even be counterproductive. It's a stretch to argue that ripping out AES and similar algorithms would improve the state of network security.
Security quotes of the week Posted Oct 25, 2012 16:45 UTC (Thu) by DrMcCoy (subscriber, #86699) [Link]
A quote by NaturalNews? Seriously? The name alone should tip one off that it's a crackpot site.
And looking at the content, you got the usual suspects: anti-vacc articles, "Microwaves kill food, plain and simple", homeopathy peddling, etc..
Hell, even your subtitle to the quote is wonky, since NaturalNews has articles arguing against the germ theory.
Security quotes of the week Posted Oct 25, 2012 16:58 UTC (Thu) by jake (editor, #205) [Link]
> A quote by NaturalNews? Seriously? The name alone should tip one
> off that it's a crackpot site.
Really? Natural and News somehow == crackpot? -- I guess I don't quite see that ...
It may well be a crackpot site, I have no real idea, but the quote (and the concept) seem pretty sub-crackpot to me ...
YMMV,
jake
Security quotes of the week Posted Oct 25, 2012 17:23 UTC (Thu) by DrMcCoy (subscriber, #86699) [Link]
"Natural" is a widely used code word by people promoting "alternative medicine" (homeopathy, energy healing, acupuncture, ...) while badmouthing actual medicine as "unnatural" (for example, vaccines).
Just 5 minutes on the site and you see all those things:
Linking to such a site in this context and this uncritically is dangerous; it gives it an appearance of approval and endorsement, making it look like a valid resource for information.
Security quotes of the week Posted Oct 25, 2012 17:49 UTC (Thu) by jake (editor, #205) [Link]
> Linking to such a site in this context and this uncritically is
> dangerous
I'm sorry you think so, but the quote of the week is not meant to be an endorsement ... we often put up quotes of things we don't agree with, necessarily ... they are meant to just air a view of one sort or another, or alert folks to a threat they perhaps hadn't thought of, etc.
btw, "Natural" is used by lots of folks in lots of different ways ... I don't think you can pigeonhole it to the extent you seem to want to ...
jake
Security quotes of the week Posted Oct 25, 2012 18:15 UTC (Thu) by DrMcCoy (subscriber, #86699) [Link]
> I'm sorry you think so, but the quote of the week is not meant to be an endorsement
I just don't like having those quacks shown in any good light whatsoever, since with their eschewing of science, they produce a net gain in human suffering.
> btw, "Natural" is used by lots of folks in lots of different ways ... I don't think you can pigeonhole it to the extent you seem to want to ...
Well, at least the term "natural medicine" (NaturalNews is a "medical" site after all, "Natural health news") is pretty well defined as crackpottery on the internet:
Security quotes of the week Posted Oct 26, 2012 13:35 UTC (Fri) by njwhite (subscriber, #51848) [Link]
I find it very interesting to see how ideas important to us in the free software community spread outside of it. Karen's work on the dangers of proprietary software in medical devices is exactly the sort of concrete, quite easy to understand thing which spreads widely, and it's very useful and interesting to see how it does.
The site hosting the article may well have lots of articles that most of us find dangerous, but that doesn't diminish from the good of seeing how somewhat shared interests are represented there.
And yes, 'natural' is a particularly overloaded term. In my circles, in England, using the term natural in relation to health or medicine is generally going to refer to this sort of 'alternative medicine' stuff. I suspect it varies a great deal according to location and social circle.
Security quotes of the week Posted Oct 29, 2012 16:26 UTC (Mon) by faassen (subscriber, #1676) [Link]
NaturalNews is a rather odd source to be running into on lwn.net. As far as I understand it, they will mine any source whatsoever to show their point that conventional (science-based) medicine is bad in just about all cases (which is harmful if believed).
The quote might give some people the impression that this is a reputable site, like, say, New Scientist, the next quote. I doubt that many readers of lwn will be mislead by this for long however.
What if a creationist site had come up with a statement supportive of free software, or a truther site backed open source? Or a place selling free energy machines (invest now!). I'm not suggesting to know the answer, but it's one for lwn folks to think about.
P.S. Your quote is somewhat ironic: "NaturalNews learns that not just the patients in a hospital have viruses" - some of their articles claim that AIDS is not caused by a virus, such as http://www.naturalnews.com/027922_AIDS_David_Icke.html
(David Icke also believes reptilian alien illuminati are controlling the world or something like that)
Mike Adams, the editor of the site itself, also has written something like that:
http://www.naturalnews.com/027354_AIDS_immune_system.html
Security quotes of the week Posted Oct 29, 2012 19:06 UTC (Mon) by nix (subscriber, #2304) [Link]
David Icke is weirder than that. He thinks Queen Elizabeth II has actual power.
Clearly completely out of touch.
Security quotes of the week Posted Nov 1, 2012 9:13 UTC (Thu) by ledow (guest, #11753) [Link]
"Criminals no longer need to stake out a home or a business... because energy usage often drops to near zero when a house is empty, the readings could be used to identify which owners are at work or on holiday."
Or they could just ring the doorbell.
Yet another "security" thing that has absolutely no concept of how a malicious agent would actually act. Hell, it'd be easier to just wait outside the house in the morning in that case.
I'll let you into a little secret. Most people work 9-5, plus travelling. Chances are that most houses in your street are empty at those times except for those with stay-at-home parents (who are likely to be out of the house when school is starting / finishing on a school day, if you'd like to try that too).
Sure, maybe you could tell REMOTELY (i.e. from working at the energy provider) who is in and who is not. But the accuracy of someone who uses gas (without a smart meter) instead of electric (with a smart meter) for heating in the same house, or someone who has their own solar panels but doesn't feed back to the grid, or someone who actually prefers a colder house, has energy saving bulbs, etc. is no better than those who will / will not answer the door when they are in.
Hell, even the "burglar's broadcaster" of a light that comes on or goes off at the same time every night is useless and NOT used as a signal to a burglar (my front porch does it, whether I'm in or not) even though if you monitored the property enough it would be quite a good indicator.
If you wanted to burgle houses en masse, you wouldn't mess around with meters. What you'd do would be to phone the property, ring the doorbell and/or collect lists from things like airport car parks (who often require your home address and where that could be accessible to someone willing to sell that list for some quick, untraceable money).
|
|||||||||||||