Quantum Encryption Implementation Broken (128 comments)

Posted by timothy on Wednesday December 30, @04:37PM
from the but-this-was-a-quantum-drawing-board dept.
encryption
I Don't Believe in Imaginary Property writes "Professor Johannes Skaar's Quantum Hacking group at NTNU have found a new way to break quantum encryption. Even though quantum encryption is theoretically perfect, real hardware isn't, and they exploit these flaws. Their technique relies on a particular way of blinding the single photon detectors so that they're able to perform an intercept-resend attack and get a copy of the secret key without giving away the fact that someone is listening. This attack is not merely theoretical, either. They have built an eavesdropping device and successfully attacked their own quantum encryption hardware. More details can be found in their conference presentation."

GSM Decryption Published (297 comments)

Posted by ScuttleMonkey on Monday December 28, @08:55PM
from the spend-the-money-on-tech-instead-of-lawyers dept.
security
Hugh Pickens writes "The NY Times reports that German encryption expert Karsten Nohl says that he has deciphered and published the 21-year-old GSM algorithm, the secret code used to encrypt most of the world's digital mobile phone calls, in what he called an attempt to expose weaknesses in the security system used by about 3.5 billion of the 4.3 billion wireless connections across the globe. Others have cracked the A5/1 encryption technology used in GSM before, but their results have remained secret. 'This shows that existing GSM security is inadequate,' Nohl told about 600 people attending the Chaos Communication Congress. 'We are trying to push operators to adopt better security measures for mobile phone calls.' The GSM Association, the industry group based in London that devised the algorithm and represents wireless operators, called Mr. Nohl's efforts illegal and said they overstated the security threat to wireless calls. 'This is theoretically possible but practically unlikely,' says Claire Cranton, a GSM spokeswoman, noting that no one else had broken the code since its adoption. 'What he is doing would be illegal in Britain and the United States. To do this while supposedly being concerned about privacy is beyond me.' Simon Bransfield-Garth, the chief executive of Cellcrypt, says Nohl's efforts could put sophisticated mobile interception technology — limited to governments and intelligence agencies — within the reach of any reasonably well-funded criminal organization. 'This will reduce the time to break a GSM call from weeks to hours,' Bransfield-Garth says. 'We expect as this further develops it will be reduced to minutes.'"

Security In the Ether (93 comments)

Posted by Soulskill on Sunday December 27, @12:15PM
from the less-likely-than-ether-in-the-security dept.
security
theodp writes "Technology Review's David Talbot says IT's next grand challenge will be to secure the cloud — and prove we can trust it. 'The focus of IT innovation has shifted from hardware to software applications,' says Harvard economist Dale Jorgenson. 'Many of these applications are going on at a blistering pace, and cloud computing is going to be a great facilitative technology for a lot of these people.' But there's one little catch. 'None of this can happen unless cloud services are kept secure,' notes Talbot. 'And they are not.' Fully ensuring the security of cloud computing, says Talbot, will inevitably fall to emerging encryption technologies."

Is Code Auditing of Open Source Apps Necessary? (108 comments)

Posted by CmdrTaco on Wednesday December 23, @11:45AM
from the but-I-thought-there-were-no-bugs dept.
security
An anonymous reader writes "Following Sun Microsystems' decision to release a raft of open source applications to support its secure cloud computing strategy, companies may be wondering if they should conduct security tests of their customized open source software before deployment. While the use of encryption and VPNs to extend a secure bridge between a company IT resource and a private cloud facility is very positive — especially now that Amazon is beta testing its pay-as-you-go private cloud facility — it's important that the underlying application code is also secure. What do you think?"

Amazon Kindle Proprietary Format Broken (203 comments)

Posted by kdawson on Wednesday December 23, @05:24AM
from the let-a-thousand-e-books-bloom dept.
encryption
An anonymous reader writes "The Register reports that the proprietary document format used by the Amazon online store and Amazon's Kindle has been successfully reverse engineered, allowing these DRM-protected documents to be converted into the open MOBI format. Users of alternative e-book readers rejoice." Here are the hacker's notes on the program he is calling "Unswindle," and here is the (translated) forum where the Kindle challenge was posed and answered.

Apple Counter-Sues Nokia Over Patents (137 comments)

Posted by ScuttleMonkey on Friday December 11, @04:40PM
from the fight-fire-with-more-lawyers dept.
patents
adeelarshad82 writes "About two months ago Nokia sued Apple for infringing Nokia patents in its iPhone. The 10 patents in the lawsuit, filed in the US state of Delaware, relate to technologies fundamental for devices using GSM, UMTS and/or local area network (LAN) standards. The patents cover wireless data, speech coding, security and encryption and are infringed by all Apple iPhone models shipped since the iPhone was introduced in 2007. In the latest development to the case, Apple said Friday that it had filed its own suit against Nokia, countering Nokia's claims of patent infringement with its own."

Adobe Takes On Microsoft Role In E-book Market (161 comments)

Posted by timothy on Wednesday December 09, @01:10PM
from the behind-the-scenes dept.
books
ericatcw writes "Barnes & Noble, Sony and other e-book vendors may have the manufacturing muscle, but the brains directing the challenge against Amazon.com's Kindle eBook Reader is Adobe Systems. Like Microsoft, Adobe has built a formidable ecosystem of partners to whom it supplies software such as its encryption/DRM-creating Adobe Content Server. Adobe paints Amazon as being like Apple: secretive and playing badly with others. Amazon argues it just ain't so, and takes a jab, along with other critics, at Adobe's alleged open-ness."

WPA-PSK Cracking As a Service (175 comments)

Posted by kdawson on Monday December 07, @07:31PM
from the get-out-of-the-cafe-quicker dept.
encryption
An anonymous reader writes "Moxie Marlinspike, a security researcher well known for his SSL/TLS attacks, today launched a cloud-based WPA cracking service, where for $34 you can test the security of your WPA password. The WPA Cracker Web site states: 'WPA-PSK networks are vulnerable to dictionary attacks, but running a respectable-sized dictionary over a WPA network handshake can take days or weeks. WPA Cracker gives you access to a 400CPU cluster that will run your network capture against a 135 million word dictionary created specifically for WPA passwords. While this job would take over 5 days on a contemporary dual-core PC, on our cluster it takes an average of 20 minutes.'"

Open Source Attempt To Crack GSM Encryption (78 comments)

Posted by timothy on Saturday December 05, @03:24PM
from the phone-you-break-could-be-your-own dept.
encryption
Lexta writes with an interesting tidbit from IEEE Spectrum: "'Karsten Nohl, chief research scientist with H4RDW4RE, a Sunnyvale, Calif.-based security research firm, is mounting what could be the most ambitious attempt yet to compromise the GSM phone system.' The intended approach is to create an open source project to spread the computation of a giant look-up table across more than 80 machines. Interestingly, they've openly stated that nVidia's CUDA technology will be used to execute parallel elements of the problem on GPUs as well."

The Voynich Manuscript May Have Been Decoded (320 comments)

Posted by kdawson on Wednesday December 02, @08:17AM
from the ask-a-navajo dept.
encryption
MBCook sends word on a possible solution to the mystery of the Voynich Manuscript, which we last visited nearly 6 years ago. "The Voynich Manuscript has confounded attempts to decode it for nearly 100 years. A person named Edith Sherwood, who has previously suggested a possible link to DaVinci, has a new idea: perhaps the text is simply anagrams of Italian words. There are three pages of examples from the herb section of the book, showing the original text, the plaintext Italian words, and the English equivalents. Has someone cracked the code?"

Apple Asks Judge To Shutter Psystar's Clone Unit (346 comments)

Posted by Soulskill on Thursday November 26, @01:02PM
from the say-goodnight-gracie dept.
court
CWmike writes "Apple wants a federal judge to shut down Psystar's Mac clone operation and order the company to pay more than $2.1 million in damages, according to court documents. The move was the first by Apple since US District Court Judge William Alsup ruled that Psystar violated Apple's copyright and the Digital Millennium Copyright Act when it installed Mac OS X on clones it sold. Alsup's Nov. 13 order, which granted Apple's motion for summary judgment and quashed Psystar's similar request, was a crushing blow to the Florida company's legal campaign. In a motion filed Monday, Apple asked Alsup to grant a permanent injunction that would force Psystar to stop selling any computer bundled with Mac OS X; using, selling or even owning software that lets it crack Apple's OS encryption key to trick Mac OS X to run on non-Apple hardware; and 'inducing, aiding or inducing others in infringing Apple's copyright.'" Groklaw has summarized Apple's request as well, and noted that Apple has also filed a motion to dismiss Psystar's litigation in Florida (or transfer it to California, where the above injunction was filed).

Synchronize Data Between Linux, OS X, and Windows? (305 comments)

Posted by timothy on Thursday November 19, @04:30PM
from the please-be-more-specific dept.
storage
aaaaaaargh! writes "I'm using a laptop with Ubuntu 8.04 for work, a netbook with Ubuntu 9.10 when I'm outside, Mac OS X 10.5 for hobby projects, and Windows XP for gaming. For backups, I'm currently using Jungle Disk and Apple's Time Machine, and I use a local svn repository for my work data. Now I need to frequently exchange and synchronize OpenOffice and LaTeX files and source code in various cross-platform programming languages between one machine and another. Options range from putting everything online (but Jungle Disk disks seem to be too slow for anything other than backup), storing my data on external media like USB sticks or SD cards, or working with copies by synchronizing folders over the network. I don't want to give my data away to some server outside without strong encryption (controlled by me, including the source code) and external media like USB sticks are a bit too fragile according to my taste. The solution should be reliable, relatively failsafe, as simple as possible, and allow me to continue to use Jungle Disk for backup. So what would you recommend?"

US Government Using PS3s To Break Encryption (570 comments)

Posted by timothy on Wednesday November 18, @05:16PM
from the purchase-order-shenanigans dept.
encryption
Entropy98 writes "It seems that the US Immigration and Customs Enforcement Cyber Crimes Center, known as C3, has replaced its '$8,000 Tableau/Dell server combination' with more efficient and much cheaper $300 PS3s. Each PS3 is capable of 4 million passwords per second, and C3 currently has 20 PS3s with plans to buy 40 more. Naturally this is only being used to break encryption on computers seized with a warrant and suspected of harboring child pornography."

$9 Million ATM Hacking Ring Indicted (86 comments)

Posted by kdawson on Tuesday November 10, @10:27PM
from the good-luck-with-those-arrests dept.
security
Trailrunner7 writes "US and international prosecutors have indicted a criminal ring that they allege was responsible for an ATM scam last November that stole about $9 million from RBS WorldPay. The criminals cracked payroll debit cards and withdrew money from ATMs in hundreds of cities around the world. A federal grand jury in Atlanta has indicted eight men in connection with the scheme, including five Estonians, one Russian, one Moldovan, and one unidentified man. Prosecutors allege that the men 'used sophisticated hacking techniques' to defeat the company's encryption system. The scam involved an elaborate plan in which the attackers first bypassed the encryption on the debit cards, which RBS WorldPay issues to customers for employee payroll purposes. They then raised the limits on the accounts attached to the cards, then provided a network of 'cashers' with 44 counterfeit payroll debit cards, which were used to withdraw more than $9 million from more than 2,100 ATMs in at least 280 cities worldwide, including cities in the United States, Russia, Ukraine, Estonia, Italy, Japan and Canada. The $9 million loss occurred within a span of less than 12 hours; 130 different ATMs in 49 cities were hit within one 30-minute period."

National Data Breach Law Advances (51 comments)

Posted by kdawson on Friday November 06, @01:12PM
from the pre-emption-could-be-bad dept.
government
Trailrunner7 writes "Two separate bills that would require organizations to notify consumers when their personal information has been compromised have made their way out of committee in the Senate, a critical step toward the creation of a national data-breach notification bill. But the Data Breach Notification Act, S.139, exempts federal agencies and other organizations subject to the bill from disclosing a breach if the data involved in the breach was encrypted. This is a clause that has caused some controversy, as some experts say that simply encrypting data does not render it useless. Also, S.139 would grant an exemption for data that 'was rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, that are widely accepted as an effective industry practice, or an effective industry standard.' That is a very broad exemption that could become a sticking point as the bill moves along. The terms 'access controls' and 'other such mechanisms' encompass a huge number of technologies."

Some Early Adopters Stung By Ubuntu's Karmic Koala (1231 comments)

Posted by kdawson on Tuesday November 03, @05:29PM
from the arrows-in-back dept.
upgrades
Norsefire writes to mention a Register piece reporting that early adopters are having a tough time with Karmic Koala, Ubuntu's latest release. "Ubuntu 9.10 is causing outrage and frustration, with early adopters wishing they'd stuck with previous versions of the Linux distro. Blank and flickering screens, failure to recognize hard drives, defaulting to the old 2.6.28 Linux kernel, and failure to get encryption running are taking their toll, as early adopters turn to the web for answers and log fresh bug reports in Ubuntu forums." What has been your experience if you've moved to Karmic?

Cracking PGP In the Cloud (167 comments)

Posted by kdawson on Tuesday November 03, @05:17AM
from the distant-thunder dept.
encryption
pariax writes "So you wanna build your own massively distributed password cracking infrastructure? Electric Alchemy has published a writeup detailing their experiences cracking PGP ZIP archives using brute force computing power provided by Amazon EC2 and a distributed password cracker from Elcomsoft."

Web Open Font Format Gets Backing From Mozilla (206 comments)

Posted by ScuttleMonkey on Monday November 02, @04:58PM
from the turns-out-open-is-easier-to-adopt dept.
mozilla
A new format specification has reached consensus among web and type designers and is being backed by Mozilla. Dubbed Web Open Font Format (WOFF), it is an effort to bring advanced typography to the Web in a much better way. Support for the new spec will be included as a part of Firefox 3.6 which just recently hit beta. "WOFF combines the work Leming and Blokland had done on embedding a variety of useful font metadata with the font resource compression that Kew had developed. The end result is a format that includes optimized compression that reduces the download time needed to load font resources while incorporating information about the font's origin and licensing. The format doesn't include any encryption or DRM, so it should be universally accepted by browser vendors — this should also qualify it for adoption by the W3C."

An Inbox Is Not a Glove Compartment (316 comments)

Posted by Soulskill on Monday November 02, @10:21AM
from the until-gmail-unveils-support-for-glove-storage dept.
privacy
Frequent Slashdot contributor Bennett Haselton writes "A federal judge rules that government can obtain access to a person's inbox contents without any notification to the subscriber. The pros and cons of this are complicated, but the decision hinges on the assertion that ISP customers have lowered privacy interests in e-mail because they 'expose to the ISP's employees in the ordinary course of business the contents of their e-mails.' Fortunately for everybody, this is not true — most ISPs do not allow their employees to read customer e-mails 'in the ordinary course of business' — but then what are the consequences for the rest of the argument?" Read on for the rest of Bennett's analysis.

"Three Strikes" To Go Ahead In Britain (294 comments)

Posted by Soulskill on Wednesday October 28, @09:13AM
from the follow-the-money dept.
music
David Gerard writes "Lord Peter Mandelson has carefully ignored the Gowers Report and the Carter Report, instead taking the advice of his good friend David Geffen and announcing that 'three strikes and you're out' will become law in Britain. The Open Rights Group has, of course, hit the roof. Oh, and never mind MI5 and the police pointing out that widespread encryption will become normal, hampering their efforts to keep up with little things like impending terrorist atrocities. Still, worth it to stop a few Lily Allen tracks being shared, right?"
