<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Becoming paranoid &#187; Various</title>
	<atom:link href="http://becomingparanoid.com/category/various/feed/" rel="self" type="application/rss+xml" />
	<link>http://becomingparanoid.com</link>
	<description>Tips about computer security, privacy and staying safe online</description>
	<lastBuildDate>Wed, 03 Oct 2007 13:03:29 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.5</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Problogger Birthday Bash competitions</title>
		<link>http://becomingparanoid.com/2007/10/03/problogger-birthday-bash-competitions/</link>
		<comments>http://becomingparanoid.com/2007/10/03/problogger-birthday-bash-competitions/#comments</comments>
		<pubDate>Wed, 03 Oct 2007 13:03:29 +0000</pubDate>
		<dc:creator>madelman</dc:creator>
				<category><![CDATA[Various]]></category>

		<guid isPermaLink="false">http://becomingparanoid.com/2007/10/03/problogger-birthday-bash-competitions/</guid>
		<description><![CDATA[Darren, at ProBlogger, is celebrating the birthday of the blog with lots of competitions to win prizes.
You have the details with all the prizes at Problogger Birthday Bash competitions, so if you want to win one, visit the site frequently as there will be different competitions until next Monday.
]]></description>
			<content:encoded><![CDATA[<p>Darren, at <a href="http://www.problogger.net">ProBlogger</a>, is celebrating the birthday of the blog with lots of competitions to win prizes.</p>
<p>You have the details with all the prizes at <a href="http://www.problogger.net/archives/2007/10/02/54000-worth-of-prizes-on-offer-in-the-problogger-birthday-bash-competitions/">Problogger Birthday Bash competitions</a>, so if you want to win one, visit the site frequently as there will be different competitions until next Monday.</p>
]]></content:encoded>
			<wfw:commentRss>http://becomingparanoid.com/2007/10/03/problogger-birthday-bash-competitions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Protecting The Nation</title>
		<link>http://becomingparanoid.com/2007/05/22/protecting-the-nation/</link>
		<comments>http://becomingparanoid.com/2007/05/22/protecting-the-nation/#comments</comments>
		<pubDate>Tue, 22 May 2007 05:46:15 +0000</pubDate>
		<dc:creator>Bridgitt</dc:creator>
				<category><![CDATA[Beginner]]></category>
		<category><![CDATA[Various]]></category>
<category>attacks</category><category>information warfare</category><category>security</category>
		<guid isPermaLink="false">http://becomingparanoid.com/2007/05/22/protecting-the-nation/</guid>
		<description><![CDATA[Last week we spent time understanding the CIA of computer security and why we should be concerned with confidentiality, integrity and availability. While we focused on how this impacts individuals, this week we&#8217;ll look at just how critical protecting technology is for a nation. 
During wartime, we typically become more aware of the possibilities of [...]]]></description>
			<content:encoded><![CDATA[<p><img src='http://becomingparanoid.com/wp-content/uploads/2007/05/bitsandbytes.jpg' alt='1s and 0s' align="right" />Last week we spent time understanding the CIA of computer security and why we should be concerned with confidentiality, integrity and availability. While we focused on how this impacts individuals, this week we&#8217;ll look at just how critical protecting technology is for a <strong>nation</strong>. </p>
<p>During wartime, we typically become more aware of the possibilities of information warfare. (Or perhaps not, with 60 million+ people voting on American Idol &#8211; but I digress). Anyway, some of us are informed that nations are engaging in ways to disrupt other <strong>nations&#8217; </strong>information infrastructure and that those methods are becoming increasingly sophisticated. This becomes particularly onerous when we realize just how critical technology is for our everyday activities.</p>
<p>As we know, civilians aren&#8217;t the only ones dependent on technology. Most of the images that we see of Iraq today show troops on the ground &#8211; shooting, fighting, etc. What we typically don&#8217;t see are the technological tools used to control the military vehicles, weapons systems and communication systems that soldiers must depend on. Imagine those tools being compromised.</p>
<p>Interestingly enough, during the Persian Gulf War in 1991, Saddam Hussein was offered some very hot information that, had he bought it, could possibly have changed the outcome of that war. According to some reports, 34 American military sites were breached by hackers from the Netherlands. The computers that they attacked contained important information about Operation Desert Storm, such as the exact location of military troops, weapon details, and the movement of American warships. Imagine what could have happened had Saddam not thought this was a trick?</p>
<p>Within the last few weeks, Russia has been accused of cyber attacks against Estonia (yes, go ahead and dust off that atlas). The websites of Estonia&#8217;s government ministries, banks, companies and newspapers have been disabled. Even NATO has sent some of its top cyberterrorism experts to investigate the situation and to help the Estonians augment their electronic defenses.</p>
<p>So, while there are plenty of examples, we should recognize that today, <strong>nations</strong> must protect their critical infrastructures against cyber attacks. Later on we&#8217;ll cover popular attack methods, but for now, realize that our <strong>nation&#8217;s</strong> next war might be more about the rise of the machines and less about human battles.</p>
]]></content:encoded>
			<wfw:commentRss>http://becomingparanoid.com/2007/05/22/protecting-the-nation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>We are searching for bloggers</title>
		<link>http://becomingparanoid.com/2007/03/05/we-are-searching-for-bloggers/</link>
		<comments>http://becomingparanoid.com/2007/03/05/we-are-searching-for-bloggers/#comments</comments>
		<pubDate>Mon, 05 Mar 2007 11:59:36 +0000</pubDate>
		<dc:creator>madelman</dc:creator>
				<category><![CDATA[Various]]></category>

		<guid isPermaLink="false">http://becomingparanoid.com/2007/03/05/we-are-searching-for-bloggers/</guid>
		<description><![CDATA[
It&#8217;s been a long time since the last post. Lots of things have happened since then and the site has been stalled for the lack of time for updating it. 
There are still lots of things to be told about computer security and I would really like this blog to keep on. But as I [...]]]></description>
			<content:encoded><![CDATA[<p><img id="image41" src="http://www.gpsgadgets.net/wp-content/uploads/2007/03/lupa.jpg" alt="Searching" align="right" /></p>
<p>It&#8217;s been a long time since the last post. Lots of things have happened since then and the site has been stalled for the lack of time for updating it. </p>
<p>There are still lots of things to be told about <strong>computer security</strong> and I would really like this blog to keep on. But as I can&#8217;t do it myself I want to search for some people who can.</p>
<p>So if you are interested in computer security and can write in English (no need to be an expert in either), apply for this position right now. This is a paid position, so you can even earn some money while writing about something you like.</p>
<p>To apply or ask any question, please use the contact form on the <a href="http://becomingparanoid.com/about/">about page</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://becomingparanoid.com/2007/03/05/we-are-searching-for-bloggers/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Defeat hardware keylogger with SuperGlue</title>
		<link>http://becomingparanoid.com/2006/04/22/defeat-hardware-keylogger-with-superglue/</link>
		<comments>http://becomingparanoid.com/2006/04/22/defeat-hardware-keylogger-with-superglue/#comments</comments>
		<pubDate>Sat, 22 Apr 2006 18:41:32 +0000</pubDate>
		<dc:creator>madelman</dc:creator>
				<category><![CDATA[Beginner]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Various]]></category>

		<guid isPermaLink="false">http://becomingparanoid.com/2006/04/22/defeat-hardware-keylogger-with-superglue/</guid>
		<description><![CDATA[We explained that a common way to steal passwords is with keyboard loggers. This happened once at Sumitomo Bank, where someone installed a hardware keylogger on a computer and got some passwords which allowed him to transfer money to an account of his own.
The bank has opted for a low-tech solution to this problem. To [...]]]></description>
			<content:encoded><![CDATA[<p>We explained that a common way to steal passwords is with <a href="http://becomingparanoid.com/2006/03/02/how-to-get-a-hotmail-password-iv-keyboard-logging/">keyboard loggers</a>. This happened once at Sumitomo Bank, where someone installed a hardware keylogger on a computer and got some passwords which allowed him to transfer money to an account of his own.</p>
<p>The bank has opted for a low-tech solution to this problem. To prevent someone from installing hardware keyloggers they have glued the connectors to the back of the PC with SuperGlue, so it&#8217;s not possible to unplug the keyboard and insert the keylogger.</p>
<p>It&#8217;s a known problem that securing a computer to which the user has physical access is quite difficult, so I would have opted for dumb terminals instead of PCs, so that security only has to be implemented in one place, making it easier to control.</p>
<p>This is not always possible, as some systems can&#8217;t be configured to work with dumb terminals, or doing so might not be convenient for the business. In this case, the solution is to keep the PC case in a &#8220;secure&#8221; locked enclosure where it cannot be accessed by users without permission.</p>
<p>From | <a href="http://blogs.zdnet.com/threatchaos/?p=319">Threat Chaos</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://becomingparanoid.com/2006/04/22/defeat-hardware-keylogger-with-superglue/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why Google Video sucks</title>
		<link>http://becomingparanoid.com/2006/04/11/why-google-video-sucks/</link>
		<comments>http://becomingparanoid.com/2006/04/11/why-google-video-sucks/#comments</comments>
		<pubDate>Mon, 10 Apr 2006 23:54:24 +0000</pubDate>
		<dc:creator>madelman</dc:creator>
				<category><![CDATA[Various]]></category>

		<guid isPermaLink="false">http://becomingparanoid.com/2006/04/11/why-google-video-sucks/</guid>
		<description><![CDATA[In recent months online video sites have become really popular and lots of them are popping up. You know what they are: Metacafe, Google Video, iFilm and, perhaps the most popular of them all, YouTube.
Yeah, they are a great way to share your videos and find content from other users and I have used them [...]]]></description>
			<content:encoded><![CDATA[<p>In recent months online video sites have become really popular and lots of them are popping up. You know what they are: Metacafe, Google Video, iFilm and, perhaps the most popular of them all, YouTube.</p>
<p>Yeah, they are a great way to share your videos and find content from other users and I have used them to embed some existing videos in my weblogs. But what&#8217;s the use of it if you want to share something and you can&#8217;t do it for three days?</p>
<p>I&#8217;m not talking about YouTube being down for most of the day but about Google Video, where I haven&#8217;t been able to get something published in three days. Do you think it has any value by now?</p>
<p>But, let&#8217;s get some perspective. I write in a collective weblog about gadgets. We like to publish fresh news and sometimes we embed some video in the posts to illustrate the gadget we are talking about. Three days ago (March 8th) I tried to upload a video to Google Video. I had never done that so I didn&#8217;t know I had to download and install an additional program to do it. Is this the Web2.0 era? Doesn&#8217;t everything now work in the browser? Is it so difficult to program a web-based uploader? (It isn&#8217;t, the rest of the video services do it, quite badly, but they do it).</p>
<p>OK, anyway I installed the uploader and uploaded the video I wanted to share. I didn&#8217;t have explicit consent from the owner to upload this video, but as it was downloadable from his homepage I think it isn&#8217;t a big problem. Once I uploaded it I checked in the site and saw that it was being verified. So far so good, I thought, they have to check the content of the video is legal and all that, in one or two hours I will be able to see it.</p>
<p>After waiting for a long time the video continued in &#8220;verification&#8221; state. I got tired of waiting and went to YouTube, searched for it and, with the right keywords, I found it ready to use. Some copy and paste of the code they offer and it was all ready.</p>
<p>Three days later this is the message Google Video still gives me:</p>
<p><center><br />
<img src="http://becomingparanoid.com/images/googlevideo.png"><br />
</center></p>
<p>So I can&#8217;t use it and I don&#8217;t have any use for it now. It is using space in their servers and I don&#8217;t think anyone will ever see it.</p>
<p>What&#8217;s the moral of the story? In the first place I should have checked if the video was already on YouTube (probably it is, it was in this case). In the second place YouTube should improve their upload service. I tried to upload three times and from different browsers and I was unable to do it, all I got was a blank screen and no response from the server (I know it usually works, I have uploaded videos other times and it worked). Third, don&#8217;t use Google Video if you don&#8217;t want to wait for some days to see the video. </p>
<p>Fourth, YouTube should get a pay-per-view service as Google does. For me the quality and download speed of the videos is enough and if the price is low enough many people would pay to watch them. But don&#8217;t get a pay-once view-once service, I want to see the videos I have paid for as many times as I want and whenever I want.</p>
<p>And the last, these pages try too hard to protect their videos from being downloaded but it doesn&#8217;t work, there are <a href="http://javimoya.com/blog/youtube_en.php">video downloaders</a> updated continuously which allow you to get the video locally. Work harder on improving the user experience and they won&#8217;t need to download the videos.</p>
<p>Has anybody had better experiences than me?</p>
]]></content:encoded>
			<wfw:commentRss>http://becomingparanoid.com/2006/04/11/why-google-video-sucks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New version of Google Talk with avatars</title>
		<link>http://becomingparanoid.com/2006/03/31/new-version-of-google-talk-with-avatars/</link>
		<comments>http://becomingparanoid.com/2006/03/31/new-version-of-google-talk-with-avatars/#comments</comments>
		<pubDate>Fri, 31 Mar 2006 14:52:49 +0000</pubDate>
		<dc:creator>madelman</dc:creator>
				<category><![CDATA[Various]]></category>

		<guid isPermaLink="false">http://becomingparanoid.com/2006/03/31/new-version-of-google-talk-with-avatars/</guid>
		<description><![CDATA[Hey, it&#8217;s Friday afternoon for me, almost weekend so time to relax and write about something not related to computer security. Well, it might be related because a program in my computer updated all by itself without asking me for consent but I&#8217;ll talk about it another day.
I always have Google Talk connected in my [...]]]></description>
			<content:encoded><![CDATA[<p>Hey, it&rsquo;s Friday afternoon for me, almost weekend so time to relax and write about something not related to computer security. Well, it might be related because a program in my computer updated all by itself without asking me for consent but I&rsquo;ll talk about it another day.</p>
<p>I always have Google Talk connected in my computer, so people can reach and talk with me and I never turn it off. But today, after returning from lunch I got a big surprise, the Google Talk window was open in the middle of the desktop and it wasn&rsquo;t looking as usual, some additional pictures were in the side of each of my contacts, so I had to imagine that a new version of the program had been released and the auto-update functionality had downloaded and installed it.</p>
<p>Surprise, surprise, seems like the promised Google Talk avatars have already been implemented. In January <a href="http://www.orrentdesign.com/googletalk/">some screenshots</a> had already shown how it worked, but I thought that it wasn&#8217;t public yet. Well, as we&#8217;ll see at the end of the post it looks like it&#8217;s not really public but it was in my computer <img src='http://becomingparanoid.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<p>Here&rsquo;s a capture of the main window (names have been deleted to protect the innocent):</p>
<p align="center"><img alt="Googletalk1" src="http://becomingparanoid.com/images/googletalk1.png" border="0" /></p>
<p><span id="more-49"></span></p>
<p align="left">When you put the cursor over a contact an additional window is opened with more data:</p>
<p align="center"><a href="http://becomingparanoid.com/images/googletalk2.png"><img alt="Googletalk2" src="http://becomingparanoid.com/images/googletalk2_thumb.jpg" border="0" /></a></p>
<p>The&nbsp;avatar can be chosen from a selection of images provided by the program or you can load your own image.</p>
<p align="center"><img alt="Googletalk3" src="http://becomingparanoid.com/images/googletalk3.png" border="0" /></p>
<p>There are 30 different pictures provided with Google Talk.</p>
<p align="center"><a href="http://becomingparanoid.com/images/googletalk4.png"><img alt="Googletalk4" src="http://becomingparanoid.com/images/googletalk4_thumb.jpg" border="0" /></a></p>
<p>There have been more changes in the interface of the main window. For example, the Inbox link has disappeared and has been substituted by an icon which tells how many new e-mails there are.</p>
<p>The last change I have seen is in the Configuration options, where there is a new tab called Appearance where, theoretically, you can change the display in your conversations. You can choose between several themes, but sadly none of the options seems to do anything, although I&rsquo;ll try to investigate it a bit further.</p>
<p align="center"><a href="http://becomingparanoid.com/images/googletalk5.png"><img alt="Googletalk5" src="http://becomingparanoid.com/images/googletalk5_thumb.jpg" border="0" /></a></p>
<p>What is more surprising about this is that I haven&rsquo;t been able to download this version from the official Google Talk page, as I wanted to try the avatars with my brother. The version downloadable from the page is 1.0.0.86 and the version I have is 1.0.0.91. So, when will Google make this official? And why do I have this version in my computer?</p>
<p>By the way, if you need to ask for it, please don&rsquo;t do it, I won&rsquo;t send it (unless I get something great in return <img src="http://becomingparanoid.com/images/smile1.gif" />, only a joke).</p>
]]></content:encoded>
			<wfw:commentRss>http://becomingparanoid.com/2006/03/31/new-version-of-google-talk-with-avatars/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Digital Fortress: what Dan Brown got wrong</title>
		<link>http://becomingparanoid.com/2006/03/13/digital-fortress-what-dan-brown-got-wrong/</link>
		<comments>http://becomingparanoid.com/2006/03/13/digital-fortress-what-dan-brown-got-wrong/#comments</comments>
		<pubDate>Mon, 13 Mar 2006 11:46:18 +0000</pubDate>
		<dc:creator>madelman</dc:creator>
				<category><![CDATA[Books]]></category>
		<category><![CDATA[Medium]]></category>
		<category><![CDATA[Various]]></category>

		<guid isPermaLink="false">http://becomingparanoid.com/2006/03/13/digital-fortress-what-dan-brown-got-wrong/</guid>
		<description><![CDATA[
Having read all of Dan Brown&#8217;s other works I got interested in reading Digital Fortress : A Thriller, especially knowing that its background theme is computers and cryptography. In the other books (DaVinci Code, Angels &#38; Demons and Deception Point) most of the facts look to me like they are accurate, perhaps because I&#8217;m not [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.amazon.com/exec/obidos/redirect?tag=weblogdemadel-20%26link_code=xm2%26camp=2025%26creative=165953%26path=http://www.amazon.com/gp/redirect.html%253fASIN=0312995423%2526tag=weblogdemadel-20%2526lcode=xm2%2526cID=2025%2526ccmID=165953%2526location=/o/ASIN/0312995423%25253FSubscriptionId=0EMV44A9A5YT1RVDGZ82" title="View product details at Amazon"><img src="http://images.amazon.com/images/P/0312995423.01._SCMZZZZZZZ_.jpg" alt="Digital Fortress : A Thriller" align="right"/></a>
<p>Having read all of Dan Brown&#8217;s other works I got interested in reading <a href="http://www.amazon.com/exec/obidos/redirect?tag=weblogdemadel-20%26link_code=xm2%26camp=2025%26creative=165953%26path=http://www.amazon.com/gp/redirect.html%253fASIN=0312995423%2526tag=weblogdemadel-20%2526lcode=xm2%2526cID=2025%2526ccmID=165953%2526location=/o/ASIN/0312995423%25253FSubscriptionId=0EMV44A9A5YT1RVDGZ82" title="View product details at Amazon">Digital Fortress : A Thriller</a>, especially knowing that its background theme is computers and cryptography. In the other books (DaVinci Code, Angels &amp; Demons and Deception Point) most of the facts look to me like they are accurate, perhaps because I&#8217;m not an expert in any of the fields they touch (neither art, fossils nor the Vatican situation). But I know something more about computers and I have always liked cryptography, so I have been studying it for some time, and having read the book I found some things which don&#8217;t really fit. </p>
<p>Some of these things are what we could call &#8220;artistic licenses&#8221;, where the author has invented something which doesn&#8217;t really exist so the novel is plausible, but others are factual errors which make it look like Dan didn&#8217;t really do his research. And it&#8217;s a pity, because he says two ex-NSA cryptographers contributed to the book and they should know much better what they were talking about. Dan, are you really sure they were ex-NSA members?</p>
<p>Finally, I&#8217;m including a list of some errors not related to computers. As the novel is partly set in Seville, a southern Spanish city, and I&#8217;m from Spain, I found some gross errors about the city and about the country. I don&#8217;t live in Seville, but I have been there on holidays, so I&#8217;m sure more errors about the city can be found. Anyway, let&#8217;s go with the list.</p>
<p><strong>WARNING</strong>: for those who haven&#8217;t read the book and intend to, this contains all kinds of spoilers.</p>
<p><span id="more-34"></span></p>
<p><em>&#8220;The notion of a rotating cleartext function was first put forth in an obscure, 1987 paper by a Hungarian mathematician, Josef Harne. Because brute-force computers broke codes by examining cleartext for identifiable word patterns, Harne proposed an encryption algorithm that, in addition to encrypting, shifted decrypted cleartext over a time variant. In theory, the perpetual mutation would ensure that the attacking computer would never locate recognisable word patterns and thus never know when it had found the proper key. The concept was somewhat like the idea of colonising Mars&mdash;fathomable on an intellectual level, but, at present, well beyond human ability.&#8221;</em></p>
<p>Although the mathematician mentioned never really existed, we could try to believe in the concept of rotating cleartext, but it doesn&#8217;t hold up. So, we have an algorithm which produces data that varies over time, so you can&#8217;t know whether you got the real data or not. OK, then how does the intended receiver recover the data? He will need something more (assuming that this could really work), like the time when it was encrypted and the current time. These are simply more bits in the keyspace to be brute-forced, so you can always find the original content.</p>
<p><em>&#8220;TRANSLTR had just located a sixty-four-character key in a little over ten minutes, almost a million times faster than the two decades it would have taken the NSA&rsquo;s second-fastest computer.&#8221;</em></p>
<p>The multi-processor computer is able to find a 64-bit key in approximately ten minutes, but runs for almost 18 hours trying to find the key for Digital Fortress. What the hell is it doing? If, on average, it spends 10 minutes we can suppose it has tried at least half the possible keys, so to try all of them it will spend 20 minutes. So, what has the computer been doing the rest of the time? Testing the keys again and again?</p>
<p>Leave aside the fact that an algorithm designed to work with data ends up executing some of it. It has happened sometimes in commercial software, these are called bugs and they sometimes get into software and become security flaws, but in an NSA-designed algorithm on an NSA computer? No way they would let it slip into the software.</p>
<p>Another strange thing is they never take into consideration that the encrypted code they download might be junk, random characters which don&#8217;t make any sense and that can&#8217;t be decrypted. In that case the computer would also exhaust the keyspace without being able to find a correct key.</p>
<p><em>&#8220;Susan had learned about the Bergofsky Principle early in her career. It was a cornerstone of brute-force technology. It was also Strathmore&rsquo;s inspiration for building TRANSLTR. The principle clearly stated that if a computer tried enough keys, it was mathematically guaranteed to find the right one. A code&rsquo;s security was not that its pass-key was unfindable but rather that most people didn&rsquo;t have the time or equipment to try.&#8221;</em></p>
<p>OK, another invented name. Nobody has ever heard about the Bergofsky Principle outside this book and for a reason. It says &#8220;mathematically guaranteed to find the right one&#8221;, but it would be only correct if it said &#8220;mathematically guaranteed to test the right one&#8221;. That is the concept behind brute-force: try all the possible keys, so it&#8217;s sure one of them will be the correct one. The difficult part is how to know if the one we tested was the correct one.</p>
<p>But, let&#8217;s talk about the&nbsp;<a href="http://en.wikipedia.org/wiki/One-time_pad">One-time pad</a>, an encryption algorithm <em>&#8220;which has been proven, from theoretical first principles, to be unbreakable when properly deployed&#8221;</em>. It works because the key length is the same as the length of the data, so a lot of different keys will give results which might look plausible. From a message encrypted with this algorithm you can find the original text you want simply by varying the key used. So, when trying to decode one of these messages TRANSLTR is guaranteed to test the correct key; what is not guaranteed is that it will be able to know it&#8217;s the correct one.</p>
<p><em>&#8220;Susan had created, in effect, a directional beacon disguised as a piece of E-mail. She could send it to the user&rsquo;s phony address, and the remailing company, performing the duty for which it had been contracted, would forward it to the user&rsquo;s real address. Once there, the program would record its Internet location and send word back to the NSA. Then the program would disintegrate without a trace. From that day on, as far as the NSA was concerned, anonymous remailers were nothing more than a minor annoyance.&#8221;</em></p>
<p>There&#8217;s no way the tracer can work with the current state of e-mail. E-mail is just data, not executable, so the user is the one who has to execute it; it can&#8217;t execute itself to know where it is and even less make itself disappear. The only way something like this can work is with&nbsp;<a href="http://en.wikipedia.org/wiki/Web_bug">web bugs</a>, attaching a link to the email which will be visited when the recipient receives the email and opens it, but it needs the cooperation of the recipient and can&#8217;t delete itself (well, maybe if there&#8217;s a bug in the e-mail software used to open it, highly doubtful).</p>
<p><em>&#8220;She knew mutation strings were programming sequences that corrupted data in extremely complex ways. They were very common in computer viruses, particularly viruses that altered large blocks of data.&#8221;</em></p>
<p>This really doesn&#8217;t make any sense, so I&#8217;m considering it simply another artistic license. Even Dan himself doesn&#8217;t seem to know what he wants to represent with mutation strings, so even less do I.</p>
<p><em>&ldquo;After we make the switch,&rdquo; Strathmore added, &ldquo;I don&rsquo;t care how many pass-keys are floating around; the more the merrier.&rdquo; He motioned for her to continue searching. &ldquo;But until then, we&rsquo;re playing beat-the-clock.&rdquo;</em></p>
<p>So Strathmore&#8217;s intention is to replace the file containing the Digital Fortress code with an altered version of it with a backdoor so the NSA can read all messages encrypted with it. But, what if someone downloaded it previously? He will be able to get the original version without any backdoor, so the plan completely fails. Even more, he can also get the other version with the backdoor, so he will be able to compare both and find the backdoor in it.</p>
<p><em>&#8220;Now Susan was even more doubtful. Encryption algorithms were just mathematical formulas, recipes for scrambling text into code. Mathematicians and programmers created new algorithms every day. There were hundreds of them on the market&mdash;PGP, Diffie-Hellman, ZIP, IDEA, El Gamal. TRANSLTR broke all of their codes every day, no problem. To TRANSLTR all codes looked identical, regardless of which algorithm wrote them.&#8221;</em></p>
<p>When he says scrambling text into code I hope he doesn&#8217;t mean executable code&#8230; But, what I don&#8217;t like about this paragraph is that he confuses different kinds of algorithms, public-key (El Gamal) and private-key (IDEA), with encryption systems like PGP, which uses the other two in combination to work. PGP is not an algorithm and neither is ZIP; this is a compression system, which can, optionally, encrypt the data, originally with a proprietary protocol and nowadays using AES, a standard for encryption.</p>
<p><em>&ldquo;&ldquo;I don&rsquo;t understand,&rdquo; she argued. &ldquo;We&rsquo;re not talking about reverse-engineering some complex function, we&rsquo;re talking brute force. PGP, Lucifer, DSA&mdash;it doesn&rsquo;t matter. The algorithm generates a key it thinks is secure, and TRANSLTR keeps guessing until it finds it.&rdquo;&#8221;</em></p>
<p>Susan says TRANSLTR can find the key even if it doesn&#8217;t know what algorithm was used. This is impossible, as you need the algorithm to test whether the key works or not.</p>
<p><em>&ldquo;Four-bit alpha groupings,&rdquo; she puzzled. &ldquo;They&rsquo;re definitely not part of the programming.&rdquo;<br />[...] <br />PFEE SESN RETM MFHA IRWE OOIG MEEN NRMA<br />ENET SHAS DCNS IIAA IEER BRNK FBLE LODI</em></p>
<p>Sorry, Dan, but a bit is either 0 or 1, so these are not four-bit alpha groupings. These are simply 4-character groups, where each character (if using a standard encoding) uses 8 bits.</p>
<p><em>&#8220;Primes were the fundamental building blocks of all encryption algorithms&#8221;</em></p>
<p>Sorry, but no. There are a lot of encryption algorithms which don&#8217;t use prime numbers as their basis, and to keep it simple I&#8217;ll repeat my earlier example: the &#8220;one-time pad&#8221;.</p>
<p><em>&#8220;Public-key encryption was a concept as simple as it was brilliant. [...] The only way to unscramble the message was to enter the sender&rsquo;s &ldquo;pass-key&rdquo;&mdash;a secret series of characters that functioned much like a PIN number at an automatic teller.&#8221;</em></p>
<p>Sorry, but again: NO! This is not how public-key encryption works. If it were better explained, it would be how private-key encryption works. But Dan, you need to read <a href="http://en.wikipedia.org/wiki/public-key_cryptography">Wikipedia</a> and not say this kind of thing.</p>
<p><em>&#8220;With a few quick keystrokes, she pulled up a program called ScreenLock. It was a privacy utility. Every terminal in Node 3 was equipped with it. Because the terminals stayed on around the clock, ScreenLock enabled cryptographers to leave their stations and know that nobody would tamper with their files. Susan entered her five-character privacy code, and her screen went black. It would remain that way until she returned and typed the proper sequence.&#8221;</em></p>
<p>Five-character passwords on a computer managed by an NSA member? Not long enough to be credible. The most paranoid of my friends use twenty-character passwords, so I imagine the NSA should use something a bit longer than 5 characters.</p>
<p>Oh, and Greg manages to install a keylogger on all these computers, so I would say the system operator is not very good at keeping the systems secure. At the very least, lock the computer case inside a box so nobody can access it directly.</p>
<p>To finish this list, how did they plan to decipher the Digital Fortress code if they didn&#8217;t have the decryption code? OK, you get the passkey but you need the decryption code, which is encrypted with itself. Mmmm, a no-no&#8230;</p>
<p>Let&#8217;s move on to the errors not related to computers.</p>
<p><em>&#8220;The phone began to ring. Becker guessed five rings was all it would take. It took nineteen.&#8221;</em></p>
<p>I don&#8217;t know how it works in the United States, but in Spain a telephone never rings nineteen times. If nobody picks it up, the call is cut off after, at most, fifteen rings, so nineteen seems highly improbable.</p>
<p><em>&#8220;Cranberry juice was a popular drink in Spain, but drinking it alone was unheard of.&#8221;</em></p>
<p>I have never heard anyone in Spain asking for cranberry juice. I highly doubt you can find this kind of juice in any bar in Spain, let alone have it mixed with alcohol.</p>
<p><em>&#8220;Becker&rsquo;s Vespa was no doubt the smallest vehicle ever to tear down the Seville runway. Its top speed, a whining 50 mph, sounded more like a chainsaw than a motorcycle and was unfortunately well below the necessary power to become airborne. In his side mirror, Becker saw the taxi swing out onto the darkened runway about four hundred&#8221;</em></p>
<p>In no airport is it possible to get onto the runway with a motorcycle or a taxi; only authorised vehicles can enter it, so this doesn&#8217;t make any sense.</p>
<p><em>&#8220;He&rsquo;d forgotten: Getting an international connection from Spain was like roulette, all a matter of timing and luck. He&rsquo;d have to try again in a few minutes.&#8221;<br />&#8220;A punctured lung was fatal, maybe not in more medically advanced parts of the world, but in Spain, it was fatal.&#8221;</em></p>
<p>Dan Brown says he spent some time studying in Seville, but I don&#8217;t know what he was doing, because almost everything he says about the city is wrong. It&#8217;s almost impossible to find punks in Seville, no hospital has people lying on the floor&#8230; But these last two sentences really struck me. He makes Spain look like some kind of 19th-century country. I have to say that the Spanish medical system is really efficient: I&#8217;ve had four operations, one of them really severe, which kept me in hospital for a month, and they did really good work. The Spanish telecommunications system is also good; it&#8217;s not difficult to get an international call, you only have to pick up the phone and call. Maybe this could have happened about 50 years ago, but it&#8217;s not true anymore.</p>
<p>Apart from all this, I should say I didn&#8217;t enjoy this book as much as the other ones by Dan Brown. In the middle of the book it began to get boring, and the ending was really predictable. I also didn&#8217;t like the final part where &#8220;hackers&#8221; are trying to get into the computer and they can see them on a monitor, like black lines attacking the datacenter and walls disappearing&#8230; This works well in a Hollywood film, but you don&#8217;t need it in a book.</p>
<p>If you like this kind of thriller, from the same author I would recommend (in this order):</p>
<p><center></p>
<table border="0">
<tr>
<td>
<a href="http://www.amazon.com/exec/obidos/redirect?tag=weblogdemadel-20%26link_code=xm2%26camp=2025%26creative=165953%26path=http://www.amazon.com/gp/redirect.html%253fASIN=0743275063%2526tag=weblogdemadel-20%2526lcode=xm2%2526cID=2025%2526ccmID=165953%2526location=/o/ASIN/0743275063%25253FSubscriptionId=0EMV44A9A5YT1RVDGZ82" title="View product details at Amazon"><img src="http://images.amazon.com/images/P/0743275063.01._SCMZZZZZZZ_.jpg" alt="Angels &#038; Demons, Special Illustrated Edition" /></a>
</td>
<td>
<a href="http://www.amazon.com/exec/obidos/redirect?tag=weblogdemadel-20%26link_code=xm2%26camp=2025%26creative=165953%26path=http://www.amazon.com/gp/redirect.html%253fASIN=0385504209%2526tag=weblogdemadel-20%2526lcode=xm2%2526cID=2025%2526ccmID=165953%2526location=/o/ASIN/0385504209%25253FSubscriptionId=0EMV44A9A5YT1RVDGZ82" title="View product details at Amazon"><img src="http://images.amazon.com/images/P/0385504209.01._SCMZZZZZZZ_.jpg" alt="The Da Vinci Code" /></a>
</td>
<td>
<a href="http://www.amazon.com/exec/obidos/redirect?tag=weblogdemadel-20%26link_code=xm2%26camp=2025%26creative=165953%26path=http://www.amazon.com/gp/redirect.html%253fASIN=0671027387%2526tag=weblogdemadel-20%2526lcode=xm2%2526cID=2025%2526ccmID=165953%2526location=/o/ASIN/0671027387%25253FSubscriptionId=0EMV44A9A5YT1RVDGZ82" title="View product details at Amazon"><img src="http://images.amazon.com/images/P/0671027387.01._SCMZZZZZZZ_.jpg" alt="Deception Point" /></a>
</td>
</tr>
</table>
<p></center></p>
<p>More info | <a href="http://en.wikipedia.org/wiki/Digital_Fortress">Wikipedia</a>.<br />
More info | <a href="http://math.cofc.edu/faculty/kasman/MATHFICT/mfview.php?callnumber=mf340">MathFiction</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://becomingparanoid.com/2006/03/13/digital-fortress-what-dan-brown-got-wrong/feed/</wfw:commentRss>
		<slash:comments>12</slash:comments>
		</item>
	</channel>
</rss>
