Tag: random | Page 2

OODA Loop – What You Need To Know About The Internet’s Latest Problem: Repeating Random Numbers!

January 23, 2022/in Internet Security

Digital Certificates are a foundational building block of the Internet. They are used to verify the identity of e-commerce sites, the authenticity of software and encrypt data. Not surprisingly, cyberattackers try to create fake Certificates or get the Private Keys for real ones to steal data or intercept communications. No one really worried about the Certificates themselves – until now. It seems the random numbers used to generate Certificates sometimes are the same.

To understand the problem it’s useful to take a 30 second tutorial on Digital Certificates. For those of you who might have managed to stay awake during math class you’ll remember that Asymmetric Cryptography utilizes 2 prime numbers to create a Public and Private Key for a Digital Certificate. The Public Key maps an input (that you want to keep secret) to a large number field while the Private Key reverses the transaction. The theory goes that since there’s an infinite set of prime numbers, there’s an infinite set of Public/Private key combinations. To make sure the prime numbers are different a Random Number Generator (RNG) is used. Sounds pretty secure. Infinite is a big number. What could go wrong?

Well the real world is a bit different than math class. It seems the random number generators (RNG) on computer devices really don’t generate an infinite set of primes but rather a bounded set that in turn generates a set of Public/Private Key combinations. This new analysis is a result of the dramatic cost reduction in high performance computing that now enables the simulation of a chip’s RNG function and the Certificates they generate.

From an Internet security perspective, the ability of a cyberattacker to know an organization’s Private Key has huge implications. Attackers can potentially impersonate web sites, intercept secure connections or decrypt any piece of data just by looking at the Public Key. Examples of this attack are not just seen in labs. In one case, for instance, on January 7 2019 the University of California Davis sent an advisory of all students visiting China that their “secure” What’sApp messages were being monitored.

For enterprises that rely on Digital Certificates for their…

Source…

Rhode Island Legislators Decide To Introduce Some Random Dude’s First Amendment-Threatening Legislation

March 6, 2020/in Internet Security

Today’s most inexplicable legislative news comes to us from the state of Rhode Island, where legislators are apparently accepting (and submitting!) unsolicited pre-written bills from strangers on the street.

[Rep. Grace] Diaz told The Journal she introduced the legislation at the request of a man named Chris who approached her after a State House hearing, wearing what appeared to be a military uniform.

According to Diaz, Chris told her he had been “accused of something,″ and then found not guilty.

Diaz said the man told her the media reported the accusations, but not his acquittal, so he was left with a damaged reputation and no recourse. Diaz said the man gave her a copy of the bill, which appears to echo a bill filed in Mississippi.

Rep. Diaz asked Senator Sandra Cano to introduce the bill in the Senate, promising to do the same thing on the House side. Diaz did not do this and now Sen. Cano is trying to separate herself from a bill that openly threatens First Amendment protections while citing the enshrined right on its way to tarnishing it shortly thereafter.

The “Stop Guilt by Association Act” [PDF] threatens journalists with punishment if they don’t report on the outcome of court cases, civil and criminal. The incredibly stupid act is pure cognitive dissonance that would fine newspapers up to $ 10,000 for “failing” to report on lawsuit dismissals and dropped charges — supposedly with an eye on maintaining some bizarre level of “fairness” for subjects of news coverage.

In their legislation, the lawmakers acknowledge that the First Amendment of the U.S. Constitution says the government “shall make no law abridging the freedom of the press.”

But they make this argument in their bill:

“The state has a compelling interest to compel the press to promote the objective truth for the sake of the viability of democracy and for the safety, health, and welfare of our communities and in keeping with the spirit of the Due Process Clause of the Fourteenth Amendment and to stop the press from serving as a slander machine.”

For many reasons, legislators shouldn’t accept pre-written bills handed to them by people outside the legislature. They especially shouldn’t accept legislation written by this particular “Chris,” no matter what he’s wearing.

The man who spoke to Diaz was Chris Sevier, an anti-gay and anti-abortion activist who at one point was accused of stalking country music star John Rich.

This is the idiot behind multiple states’ declarations that porn is a “public health crisis.” This is the same man who once sued Apple because its products didn’t prevent him from viewing porn. He has also previously talked Rhode Island legislators into introducing extremely questionable legislation, so perhaps someone should have called bullshit on this before tossing it into the Senate’s inbox.

While it’s understandable people might not recognize Sevier on sight, despite his insistence on thrusting himself uninvited into the legislative limelight, it’s pretty much inexcusable to take a handful of paper from some rando on the street and ask other legislators to damage their own reputations by association.

Rep. Diaz at least appears to be properly horrified by this experience.

“My feeling is beyond what I can express,″ Diaz told The Journal on Thursday, after learning of Sevier’s history. “If I knew, I would run ten-thousand-million miles away from that guy.”

She said she sympathized with the issue Sevier raised in their very brief conversation, but regrets not doing more homework on him — and the legislation.

“I didn’t do my research,″ she said. “This is an experience that will teach me a lot for the future.”

But Senator Cano — despite withdrawing the bill — seems far too sympathetic to First Amendment-threatening legislation. Calling the lack of followup to indictments and lawsuits by journalists “fundamentally unfair,” Cano says she sympathizes with the intent of the bill, even if she realizes it runs afoul of the First Amendment.

No legislator should feel sympathetic to Sevier or his word salad. His bill is an unedited letter to the editor — one that makes its point about as skillfully and subtly as a Larry Klayman lawsuit.

“There has been a growing trend for individuals to abuse process and maliciously prosecute someone they disagree with ideologically by filing spurious cases and controversies in various government venues for ulterior motives, knowing that certain segments of the media that align with their ideology would serve as an accomplice by engaging in a form of defamation … by selectively reporting on the facts of the original case but not on the actual outcome.”

TIL: reporting on facts is defamation if it doesn’t include the facts someone might prefer to be highlighted. OK, then.

Fortunately, the bill is already dead. Unfortunately, this shows how little due diligence legislators do before submitting bills for consideration. A few minutes of Googling would have seen this headed to the trash receptacle, rather than the state legislature’s permanent record. And even the most cursory glance at its contents would have made it clear the bill was unconstitutional. Better late than never, I guess. But in this case, never would have been the much better option.

Permalink | Comments | Email This Story

Techdirt.

Appearing on the ‘Random but Memorable’ podcast

January 3, 2019/in Computer Security

Just before Christmas I was fortunate enough to be invited onto the “Random but Memorable” podcast, hosted by Matt Davey and Michael Fey of 1Password.

Take a listen.

Graham Cluley

Slack Banning Random Iranian Ex-Pats Shows Why Making Tech Companies Police The Internet Is Crazy Stupid

December 21, 2018/in Internet Security

On Thursday morning, I started seeing a bunch of tweets pop up in my feed from people of Iranian backgrounds, who no longer lived in Iran, who were having their entire Slack groups shut down, with the company blaming US laws regarding sanctions on Iran.

Slack closed my account today!

I’m a PhD student in Canada with no teammates from Iran!

Is Slack shutting down accounts of those ethnically associated with Iran?!

And what’s their source of info on my ethnicity?#slack #UsSanctions pic.twitter.com/mY8Ltczq8v

— Amir (@a_h_a) December 19, 2018

So @SlackHQ decided to send me this email. No way to appeal this decision. No way to prove that I'm not living in Iran and not working with Iranians on slack. Nope. Just hello we're banning your account. pic.twitter.com/giqYQcMJYz

— Amir Omidi (@aaomidi) December 20, 2018

Yesterday, @SlackHQ sent me an email. My accounts on various Slack teams had been immediately deactivated, with no prior warning. The reason? I've visited family in Iran and used Slack when there. Only my work's paid-for Enterprise account works still. pic.twitter.com/0GFO3E0oqW

— Sareh (@Sareh88) December 20, 2018

Dear #Slack, instead of kicking out Iranians from your platform you could follow other disgusting solutions like what #Oracle and #Google do; return an error for every request with an Iranian IP. I'm NOT even in Iran!!!
This is literally #Racism pic.twitter.com/sbfjKDd9Jv

— Reza Bigdeli (@rezabigdeli6) December 20, 2018

@SlackHQ closed my account linked to my @TU_Muenchen email with workspaces related to university and research in Germany! This is both sad and stupid…#slack pic.twitter.com/DlUoKmjM7U

— Mahdi Saleh (@mahdi_slh) December 19, 2018

Hey @SlackHQ – my account was just deactivated "in order to comply with economic sanctions, etc"…is this because I took a HOLIDAY to Iran?!

— James Lambie (@jimlambie) December 20, 2018

There are a lot more reports like this, but that was just the first batch I found with a quick search. Slack’s explanation to the press seems… lacking:

“We updated our system for applying geolocation information, which relies on IP addresses, and that led to the deactivations for accounts tied to embargoed countries,” the representative said. “We only utilize IP addresses to take these actions. We do not possess information about nationality or the ethnicity of our users. If users think we’ve made a mistake in blocking their access, please reach out to [email protected] and we’ll review as soon as possible.”

All of the blocked people talking about it on Twitter note that they don’t live in any sanctioned country — though many admit to having visited those countries in the past (often years ago) and probably checking in on Slack while they were there. That… is not how the sanctions system is supposed to work. In another press statement Slack tries to pin the blame on the US government:

“Slack complies with the U.S. regulations related to embargoed countries and regions. As such, we prohibit unauthorized Slack use in Cuba, Iran, North Korea, Syria and the Crimea region of Ukraine. For more information, please see the US Department of Commerce Sanctioned Destinations , The U.S. Department of Treasury website, and the Bureau of Industry and Security website.”

But that’s bullshit. The sanctions rules don’t say you have to cut off completely anyone who ever connected from a sanctioned country. The Verge (linked above) spoke to an Oxford researcher with knowledge in this area:

“They are either incompetent at OFAC interpretation or racist,” said Oxford researcher Mahsa Alimardani, who specializes in communication tools in Iran.

[….]

“Detecting an Iranian IP address on a paid account (which is presumed to be for business) login as a violation of sanctions is a wrong interpretation of these regulations,” Alimardani says. “At best it’s over-regulation to prevent any sort of misunderstanding or possible future hassle with OFAC.”

Of course, as former Facebook Chief Security Officer Alex Stamos notes in his own tweet on this topic, this is exactly what happens when you have vague rules with strong punishment, and expect internet platforms to magically police the web:

This is a warning of what you get with regulation that:
1) Puts enforcement responsibility on a tech platform
2) Without real guidelines/safe harbor of how to interpret
3) Over-penalizes false positives
4) Has no appeals process in the actual legal system

Get ready for more! https://t.co/vBUar6Nnap

— Alex Stamos (@alexstamos) December 20, 2018

And of course, we’re seeing more and more and more of that. FOSTA does that in the US. The GDPR is doing that around the globe. The EU Copyright Directive will do that. The EU Terrorist Content Regulation will do it. And a bunch of other regulations targeting the internet as well. That’s why some of us keep warning that these laws are going to lead to widespread censorship and suppression of free speech. Because that’s how it always works out. If you threaten internet platforms with huge penalties for failing to block content, but leave the details pretty vague, they’re going to make decisions like that and simply kick people off their services entirely, rather than face liability. It’s a recipe for disaster — and one that seems to be favored by tons of clueless regulators, politicians, and plenty of people who just don’t realize how much harm they will cause.

Permalink | Comments | Email This Story

Techdirt.

Tag Archive for: random