Wednesday, February 15, 2012

NYT: Researchers Find Flaw in an On

Quoted from http://mobile.nytimes.com/2012/02/15/technology/researchers-find-flaw-in-an-online-encryption-method.xml:


TECHNOLOGY

Flaw Found in an Online Encryption Method

By JOHN MARKOFF

Published: February 15, 2012

SAN FRANCISCO - A team of European and American mathematicians and cryptographers have discovered an unexpected weakness in the encryption system widely used worldwide for online shopping, banking, e-mail and other Internet services intended to remain private and secure.

The flaw - which involves a small but measurable number of cases - has to do with the way the system generates random numbers, which are used to make it practically impossible for an attacker to unscramble digital messages. While it can affect the transactions of individual Internet users, there is nothing an individual can do about it. The operators of large Web sites will need to make changes to ensure the security of their systems, the researchers said.

The potential danger of the flaw is that even though the number of users affected by the flaw may be small, confidence in the security of Web transactions is reduced, the authors said.

The system requires that a user first create and publish the product of two large prime numbers, in addition to another number, to generate a public "key." The original numbers are kept secret. To encrypt a message, a second person employs a formula that contains the public number. In practice, only someone with knowledge of the original prime numbers can decode that message.

For the system to provide security, however, it is essential that the secret prime numbers be generated randomly. The researchers discovered that in a small but significant number of cases, the random number generation system failed to work correctly.

The importance in ensuring that encryption systems do not have undetected flaws cannot be overstated. The modern world's online commerce system rests entirely on the secrecy afforded by the public key cryptographic infrastructure.

The researchers described their work in a paper that the authors have submitted for publication at a cryptography conference to be held in Santa Barbara, Calif., in August. They made their findings public Tuesday because they believe the issue is of immediate concern to the operators of Web servers that rely on the public key cryptography system.

"This comes as an unwelcome warning that underscores the difficulty of key generation in the real world," said James P. Hughes, an independent Silicon Valley cryptanalyst who worked with a group of researchers led by Arjen K. Lenstra, a widely respected Dutch mathematician who is a professor at the École Polytechnique Fédérale de Lausanne in Switzerland. "Some people may say that 99.8 percent security is fine," he added. That still means that approximately as many as two out of every thousand keys would not be secure.

The researchers examined public databases of 7.1 million public keys used to secure e-mail messages, online banking transactions and other secure data exchanges. The researchers employed the Euclidean algorithm, an efficient way to find the greatest common divisor of two integers, to examine those public key numbers. They were able to produce evidence that a small percentage of those numbers were not truly random, making it possible to determine the underlying numbers, or secret keys, used to generate the public key.

They said they "stumbled upon" almost 27,000 different keys that offer no security. "Their secret keys are accessible to anyone who takes the trouble to redo our work," they wrote.

To prevent this, one of the organizations that had collected the public keys has removed the information from the Internet and taken steps to protect it from theft.

To perform their study, the researchers used several databases of public keys, including one at the Massachusetts Institute of Technology and another created by the Electronic Frontier Foundation, an Internet privacy rights group. The foundation's database results from a project, known as the SSL Observatory, originally intended to investigate the security of the digital certificates that are used to protect encrypted data transmitted between Internet users and Web sites.

"We were very careful: we did not intercept any traffic, we did not sniff any networks," Mr. Hughes said. "We went to databases that contained public information and downloaded public keys."

The researchers said they were not able to determine why the random number generators had produced imperfect results, but they noted that the problem appeared in more than the work of a single software developer.

They also stated that if they had been able to discover the flaw, it was also possible that it had been previously uncovered, perhaps by organizations or individuals with malicious intent: "The lack of sophistication of our methods and findings make it hard for us to believe that what we have presented is new, in particular to agencies and parties that are known for their curiosity in such matters," they wrote.

While they said that the publication of results that potentially undermine the security of encryption keys was inappropriate unless the parties were notified first, the researchers noted that the way they discovered the flaw made identifying potentially vulnerable parties a challenge.

"The quagmire of vulnerabilities that we waded into makes it infeasible to properly inform everyone involved, though we made a best effort to inform the larger parties and contacted all e-mail addresses recommended or specified in still-valid affected certificates," they wrote. "The fact that most certificates do not contain adequate contact information limited our options. Our decision to make our findings public, despite our inability to directly notify everyone involved, was a judgment call."

There have been previous failures of random number generators that have undermined Internet security. For example, in 1995, two researchers at the University of California, Berkeley, discovered a flaw in the way the Netscape browser generated random numbers, making it possible for an eavesdropper to decode encrypted communications. Last year a group of computer hackers revealed that Sony had made a crucial mistake in not using a random number in the algorithm used by the security system of the PlayStation 3, making it possible to discover the secret key intended to protect digital content on the system.

The researchers whimsically titled their paper "Ron Was Wrong, Whit Is Right," a reference to two pioneers in public key cryptography, Ron Rivest and Whitfield Diffie.

Mr. Diffie was a developer of the first method for two people who had not previously physically met to share a secret message safely. However, what became known as the R.S.A. algorithm, created by and named after three mathematicians, Mr. Rivest, Adi Shamir and Leonard Adleman, ultimately became the dominant standard. (They later helped found the security company RSA.) The so-called Diffie-Hellman method, developed by Mr. Diffie, Martin Hellman and Ralph Merkle, required only a single secret number.
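The quoted article describes the check the researchers ran: take a large set of RSA public moduli and look for pairs that share a prime factor using the Euclidean algorithm, since a shared factor immediately splits both moduli and exposes their secret keys. The following Python is an added illustration of that audit, written here for this post; it is not code from the researchers' paper or from the NYT. The primes, key names and the public exponent 65537 are constructed for the example (real RSA primes are hundreds of digits long; the arithmetic is identical). It is the kind of check an operator can run over their own fleet's certificates to confirm no two keys share a factor.

```python
import math
from itertools import combinations

# Constructed toy primes, kept small so the arithmetic is visible.
E = 65537  # the usual RSA public exponent (assumed for the example)

def make_key(p, q, e=E):
    """Build an (n, e) public key from two primes, as the article describes."""
    return (p * q, e)

# Constructed key set. Keys "A" and "C" stand in for two keys whose faulty
# random number generator handed out the prime 1013 twice; B and D are
# independent and share nothing with any other key.
KEYS = {
    "A": make_key(1009, 1013),
    "B": make_key(1019, 1021),
    "C": make_key(1013, 1031),
    "D": make_key(1033, 1039),
}

def find_shared_factors(keys):
    """Pairwise Euclidean GCD over every pair of moduli.

    Returns {key_name: (p, q)} for each key whose modulus shares a prime with
    another key's modulus. Keys whose moduli are coprime to all others are
    not listed, which is the healthy outcome for a properly generated fleet.
    """
    factored = {}
    for (name_a, (n_a, _)), (name_b, (n_b, _)) in combinations(keys.items(), 2):
        g = math.gcd(n_a, n_b)
        if g == 1 or g == n_a or g == n_b:
            continue  # coprime, or the very same modulus reused: nothing to split
        for name, n in ((name_a, n_a), (name_b, n_b)):
            factored[name] = tuple(sorted((g, n // g)))
    return factored

def private_exponent(p, q, e=E):
    """Once p and q are known the private exponent follows directly, which is
    why a shared factor means the key offers no security at all."""
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)

def audit(keys):
    """Audit report: list of (name, p, q, d) for every key flagged as weak."""
    weak = find_shared_factors(keys)
    report = []
    for name in sorted(weak):
        p, q = weak[name]
        n, e = keys[name]
        d = private_exponent(p, q, e)
        # Sanity check: the recovered exponent really undoes the public one.
        assert pow(pow(2, e, n), d, n) == 2
        report.append((name, p, q, d))
    return report

if __name__ == "__main__":
    flagged = audit(KEYS)
    for name, p, q, d in flagged:
        print(f"key {name}: modulus shares a prime -> n = {p} * {q}; private key recoverable")
    print(f"{len(KEYS) - len(flagged)} of {len(KEYS)} keys are pairwise coprime")
```

Pairwise GCD costs one Euclidean step per pair, so it is quadratic in the number of keys; that is fine for auditing one organisation's certificates but not for the 7.1 million keys in the article, where a batch approach is needed to get through the whole set. The remedy the article points to is on the generation side: a key generator with a properly seeded random source never produces a shared prime in the first place, and this check is how to confirm that after the fact.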

Tuesday, June 23, 2009

Communication 2009, how do you communicate?


I know it has been a while since my last posting, but I must admit that I have been VERY VERY busy with family, work, school, and work! With today's technology there is no reason on this earth that you are unable to communicate with someone. I think most people nowadays enjoy sending a text or a tweet on Twitter, just for the simple fact that they don't have to hear that other person's voice. The funny thing is I am working on a paper for class about Process Improvement and I found myself taking a break to search for old friends on LinkedIn; does this mean I will pick up the phone and call them to chat? I doubt it; what on earth would I say? "Hey, it is Q from back in the day, how have you been?" Nine times out of ten I will probably communicate via an email or a short message on LinkedIn or Twitter. I even find myself sending my wife a text message instead of calling her on the phone. Now when I was in the Navy I enjoyed our phone conversations, but as I have grown a little older :) and technology has grown even faster than I, it is much easier to send her a quick SMS or an IM on one of her many messengers. :) Sometimes I find myself thinking back to when I was little and my parents would tell me to sit back from the T.V. or my eyes would turn into squares from sitting so close. I think technology can be the root of all miscommunication in the world today; how many emails have you misread and replied back to with a response that made no sense, or better yet was a nasty response? I know I have done that quite a few times. I will leave you with this one last thought. Will you improve your communication? Or will you hide behind technology and communicate digitally?

Wednesday, April 22, 2009

When is enough ENOUGH?

Here I am again sitting in my Accounting class where my Instructor just rambles on and on about nonsense. How is it I am paying thousands of dollars for my MBA to hear stupid Irish jokes before my class starts?

Once class begins we go over our homework, which a handful of students turned in, but we were ALL confused as hell on it. Why not make an Accounting class make sense, or better yet have an Instructor who really gives a damn about us learning what we are doing versus bringing some brownies and cookies to class?

Wednesday, April 15, 2009

Two Weeks Left in Hell

Have you ever had an Instructor that does not explain the topic they are teaching well at all? Or in a way that our class can understand? He does use PowerPoint slides; however, just reading each slide does not mean he is teaching us Accounting by any means. He stated that he has been an Instructor at UOP since '95 and holds a Masters in Accounting but fails to explain what Accounting really is. If I am paying for an Instructor to just repeat the same material I spent a week reading, what is the point? I really wonder if UOP actually reads the reviews of the classes, because in my mind there is no way possible that my Accounting Instructor would have been employed this long at UOP. To make things worse, we do in-class exercises and he confuses the class more than making us learn it.

Wednesday, August 20, 2008

Education In The United States

I know it has been some time since my last blog; however, I have recently enrolled to pursue my Masters of Business Administration (MBA) degree. In this endeavor I plan to not only launch my Consulting business full time, but also continue as an adjunct educator. I leave you with this one important thought: why do people in the United States feel so entitled? Why do our children here in the U.S. not want to work hard at education? Is it because of the No Child Left Behind Act? Hey, leave them behind!! Look at children overseas that walk 10 miles to school barefoot, uphill to and from school, and are able to obtain the highest of grades even with their adversities. Why is it so hard for little Timmy, who lives in a big house with every toy and game made for man at his feet, to say all the cities in the United States? Or for that matter know where Asia is on the map? The point that I am trying to get across is that learning does not stop after potty training. Our learning must continue throughout our entire lives!! So when you say, "I am tired, why should I study for this class", or "what do I need algebra for", STOP and think about those who don't have a home and live on the street and are very excited to be able to have a school to attend. Remember, knowledge is power; however, knowledge is not given, you must earn it.

Sunday, October 14, 2007

How to Make French Toast | eHow.com

Every Sunday I cook breakfast for my family. I usually cook sausage, eggs, and toast. But this Sunday I wanted something different. French Toast was my all-time childhood favorite. I googled how to cook French toast and came across the recipe below. My kids ate it ALL! To my amazement I really enjoyed it as well. So if you are like me and enjoy French Toast, I recommend trying this one out; let me know how you like it.

Quoted from http://www.ehow.com/how_13820_make-french-toast.html:

How to Make French Toast eHow.com

French toast is an easy yet tasty breakfast. It's also great for using up bread that's on the verge of becoming just a little too old. Makes 5 or 6 slices.

Instructions

Difficulty: Easy

Things You'll Need

Steps

Step One

Put the oven on to Warm.

Step Two

Beat eggs, milk, vanilla and cinnamon in a shallow bowl or small baking pan.

Step Three

Dip bread into egg mixture and coat both sides.

Step Four

Melt butter in skillet over medium heat. Add bread in batches and cook 2 to 3 minutes on each side, or until golden brown. Add more butter as needed.

Step Five

Keep the cooked slices warm in the oven until all the toast is ready.

Step Six

Serve the toast warm with syrup, jam, or powdered sugar.

Tips & Warnings


Tuesday, October 9, 2007

NFL - Ruling says Falcons entitled to nearly $20M


Yet again another pro Afro-American has fallen to the crime of ignorance. Why is it that when Afro-Americans make something of themselves they end up losing it because of IGNORANCE?

FOX Sports on MSN - NFL - Ruling says Falcons entitled to nearly $20M


ATLANTA (AP) - The Atlanta Falcons are entitled to recover nearly $20 million in bonus money paid to disgraced quarterback Michael Vick, an arbitrator ruled Tuesday. The players' union vowed to appeal. Stephen B. Burbank, the University of Pennsylvania law professor and special master who led last week's arbitration hearing, sided with the team after hearing from Falcons president and general manager Rich McKay and attorneys from the NFL Players Association, which represented Vick.

The Falcons argued that Vick, who pleaded guilty to federal charges for his role in a long-running dogfighting operation, knew he was in violation of the contract when he signed a $130 million deal in December 2004.

The team said he used proceeds from the contract to fund his illicit activities and sought the repayment of $19,970,000 in bonuses he was paid out of a total of $22.5 million in 2005 and '06.

Any money the Falcons recover from Vick would be credited to its future salary cap, a huge step in recovering from the loss of the team's franchise player. Atlanta (1-4) is off to a dismal start with Joey Harrington at quarterback.

"We are certainly pleased with today's ruling," the Falcons said in a statement. "It is the first step in a process that our club has undertaken in an attempt to recoup significant salary cap space that will allow us to continue to build our football team today and in future years."

Vick was suspended indefinitely without pay by the NFL after entering into his plea agreement. He also lost millions in lucrative endorsement deals.

"We have reviewed the decision handed down by Special Master Stephen Burbank and believe it is incorrect," the NFLPA said in a statement. "We will now appeal his ruling."

The case goes to U.S. District Court Judge David Doty in Minneapolis, who still has jurisdiction over the antitrust suit filed by players following the 1987 strike