[SecurityRatty] tag: enigma

The Stigma Enigma, Revisited

Wed, 27 Aug 2008 10:58:56 +0000

Recently my pal Bill Pytlovany (of WinPatrol fame) wrote an article on his blog asking "What's Wrong With Toolbars"?

I wrote something along similar lines way back in 2005, and it's vaguely depressing to see how little has apparently changed. I'm not going to quote myself, but rather compare and contrast Bills experiences (and those of his commentators) with the person who posted a comment to my entry, which I quote below in full:

"Unfortunately, the few 'honest' toolbars have indeed taken the wrath of users as a result of the spyware, parasite, adware and other creepy applications of an otherwise good technology.

What's interesting is that, as far as my own toolbar system goes, I've had offers from clients all over the world to develop different kinds of toolbars -- and without fail -- it is the US-based companies that seem most willing to cross the line and request applications that I simply refuse to develop.

We're talking about features like:

- Forced Install
- Hidden Install
- Report all URLs back
- Report all searches back
- Forcibly and hidden set home page
- Forcibly and hidden set default search engine
- Forcibly generate un-blockable pop-ups
- Install and run hidden executables
- Bypass all security and anti-virus tools
- The list goes on...

What's sad is that I'm able to generate the most powerful and incredibly useful toolbars imaginable. Ones that can save countless hours of time and effort. Ones that can be customized on a per-user basis to make the Internet and use of ones's own computer a pleasure.

However, there will always be people around who's sole motivation is the almighty dollar -- and who will do ANYTHING to get it.

These people don't care about you, your wants, your needs, your security or safety -- as long as they can line their pockets with your money, or by taking advantage of actions you perform (even one lousy click!).

They'll infect your machine, using whatever means necessary, and they won't stop -- EVER."

The "industry" has certainly cleaned up since then, but the insistence on wanting to cram a toolbar on every PC, ever, remains. I must admit to being kind of disturbed that none of these companies seemingly want to take "No" for an answer - instead of leaving alone, they keep coming back every month or so. Of course, given the potential for mass moneymaking that's on offer I can't say I'm entirely surprised...

Decoders Still Trying to Crack Letter Sent to Fermilab

Wed, 16 Jul 2008 16:20:04 +0000

The enigma began last year when a plain envelope with no return address arrived at the world-famous physics laboratory outside Chicago, addressed simply to "Fermilab." Inside was a single sheet marked by pen with a bizarre series of hash marks, numbers and alien-looking symbols.

The Enigma Machine

Mon, 05 May 2008 15:25:56 +0000

The National Security Agency (NSA) had an Enigma machine in their booth at the RSA Conference 2008 in San Francisco. Here's a video that shows the machine and provides some history about it. ...

RSA Day 2: Wednesday with JJ & the Engima

Sun, 13 Apr 2008 21:35:30 +0000

RSA Conference, San Francisco
Day 2: Wednesday, April 9th

I know, I know- it’s late- but better late than never, right?

I really tried my best to take photos as much as possible. A quick note on the photography- because of the size of the rooms, it didn’t make sense to have the flash on, unfortunately it slowed the shutter speed, making some images blurry (sorry).

So Day 2 already felt like day 5 somehow. I had flown in early to be a tourist for a day or so but caught up with partners and other event-goers early, making it an especially long week. Wednesday was an eventful day. I have a great Sins of Our Fathers session to share with you, a day with the Enigmas, and the Security Bloggers Party.

The highlight of the day’s sessions had to be the ‘Sins of Our Fathers’ breakout with an amazingly hilarious geek-filled panel including Daniel Houser, Ben Jun and Hugh Thompson. (Hugh unquestionably won the Most Entertaining Geek Award for the day). I was tweeting live from the session and took some photos of the interactive polls they intertwined in the discussion. They drew some interesting correlations between current security issues, such as SQL injections an ‘previous sins’, likening it to phone whistling. There were random notes about the inherent security risk of mixing data and coding together. View photos from session.

Then they talked about using good technology in a way that made it vulnerable. Examples, the Enigma code machines from WWII. (It was actually broken by the known plain-text gathered from repetition in contact initiation, and the mis-use of one-time-pads). They drew the line from Enigma to WEP and other algorithms that were okay, but mis-implemented.

There were a variety of other anecdotes, accompanied by audience-wide snickers, snorts and laughter. One story of tape backups, encrypted, with the key dutifully stick-noted to the case. Another of the secretary who type-writered all the 5.25” floppies. The story of the unmanned Predator aircraft flying unattended for about 5 minutes during a PC reboot. They were all tied into the topic nicely, and the guys did an outstanding job interacting and playing off one another.

One a more serious note- well, sorta- Hugh showed a clip from his participation in the documentary “Hacking Democracy” about the lack of security of electronic voting.

Here was something amusing… Their crypto list of
If you hear any of these, RUN!
Cryptography is expensive.
We have this guy that’s reallllly smart…
Wired EQUIVALENT encryption… .
It’s “proprietary” security
It’s revolutionary NEW cryptography technology!
It uses DES- so its FIPS 140 compliant

Some of the sins from the session…
Engineering, Development & Management sins
Using a good technology in a bad implementation
Lack of metrics to indicate misuse
Feature/mission creep - using item A for solution B
Not teaching people how to use security
Teaching them, but teaching bad habits
Normalization of deviancy

I’ve spent long enough on that, there’s plenty more to share, but that session was so good, I thought it deserved some special attention. I did stay for the Cyber Storm II Panel, but that left more than ‘a little’ to be desired. I would have liked more anecdotal stories and a little more personality. The panel participants were knowledgeable, and I’m sure they were doing what they had been told, but it made for a very dry session, little content of interest, and much repetition. There’s a little live Tweeting from that session too.

Playing with the Enigma
At the Sins of Our Fathers sessions, I believe it was Ben that mentioned we had at our disposal not one- but TWO Enigma machines on the expo floor here are RSA. And BOTH were for our playing! They had it set so we could set the key and encode a message at the NSA booth, then take the encrypted message to the Cryptographic Research booth and use that Enigma to decypher the message. HOLY COW!!!!!! If their session hadn’t been so great I would have left right then. The only time I’ve seen these beautiful little pieces of crypto history, they’ve been fully encased in glass, and not for the touching. They actually let you set the rotors and punch the code in yourself so my buddy Eric and I ran right over to take full geek advantage of the situation.

YES, that’s me with an Enigma, and I have more photos of the two Engimas.

The big highlight of the evening? The Security Bloggers Party of course! You get a whole post just for this topic, so stay tuned for that. I didn’t take photos here, because I felt pretty sure someone would be walking around with a camera. I need to find @ajolly (Apneet Jolly) and see if he has any- he’s usually fully equipped with a very nice camera…

# # #

NSA on the Enigma

Wed, 09 Apr 2008 09:52:24 +0000

Excellent and well-written article.

Paper Enigma Machine

Mon, 24 Mar 2008 09:44:26 +0000

Build your own paper Enigma machine.