Using BitCoin as a Public Ledger

Interesting way to document “prior art”: create a one-way SHA256 hash of some work, then send the smallest Bitcoin amount possible to that address (use it as a wallet destination). Your hash is in the public blockchain, so you can give your document to someone else and tell them to hash it themselves, then compare to your record of the time and date.

Update: Not quite right; it’s actually a bit more complex than that:

The document is certified via embedding its SHA256 digest in the Bitcoin blockchain. This is done by generating a valid bitcoin transaction to two specially crafted addresses which encode/contain the hash. The hash is cut in two fragments, each fragment contained in one of these addresses. The hash fragment is used as a replacement for the RIPEMD-160 hash of the public ECDSA key in the bitcoin address generation algorithm. This is why the bitcoins sent in this special transaction are unspendable, as the addresses are being generated from the document’s hash fragments instead of from a private ECDSA key.
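
The encoding described above, as an added example that is not part of the original post or of the service it quotes: a document's SHA256 digest is split into two fragments, each placed in the 20-byte slot where a Bitcoin address normally carries the RIPEMD-160 hash of a public key, and a verifier later recovers the digest from the two addresses and compares it with a fresh hash of the document. The equal 16-byte split, the zero-padding to 20 bytes, the 0x00 version byte and all function names are assumptions.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]

def b58check_encode(payload20: bytes, version: bytes = b"\x00") -> str:
    """Base58Check-encode a 20-byte payload the way a pay-to-pubkey-hash address is built."""
    data = version + payload20
    data += _checksum(data)
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    zeros = len(data) - len(data.lstrip(b"\x00"))  # each leading zero byte becomes '1'
    return "1" * zeros + out

def b58check_decode(addr: str) -> bytes:
    """Return the 20-byte payload of an address; raise ValueError if it is malformed."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)  # index() raises ValueError on a non-Base58 character
    zeros = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25 or _checksum(raw[:-4]) != raw[-4:]:
        raise ValueError("not a valid Base58Check address")
    return raw[1:-4]

def digest_to_addresses(digest: bytes) -> list:
    # Assumption: two 16-byte halves, each right-padded with four zero bytes.
    return [b58check_encode(half + b"\x00" * 4) for half in (digest[:16], digest[16:])]

def addresses_to_digest(addrs) -> bytes:
    return b"".join(b58check_decode(a)[:16] for a in addrs)

def verify_document(document: bytes, addrs) -> bool:
    """Re-hash the document and compare with the digest carried by the two addresses."""
    return hashlib.sha256(document).digest() == addresses_to_digest(addrs)

# Constructed sample input, not a real certified document.
DOC = b"Constructed sample document: notes documenting prior art\n"
ADDRS = digest_to_addresses(hashlib.sha256(DOC).digest())

if __name__ == "__main__":
    print(ADDRS)
    print(verify_document(DOC, ADDRS), verify_document(DOC + b"x", ADDRS))
```

No private key ever existed for these addresses, which is why anything sent to them cannot be spent; the proof lies in the block timestamp of the transaction that names them.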


U.S. cyber plan calls for private-sector scans of Net

The Department of Homeland Security will gather the secret data and pass it to a small group of telecommunication companies and cybersecurity providers that have employees holding security clearances, government and industry officials said. Those companies will then offer to process email and other Internet transmissions for critical infrastructure customers that choose to participate in the program.

By using DHS as the middleman, the Obama administration hopes to bring the formidable overseas intelligence-gathering of the NSA closer to ordinary U.S. residents without triggering an outcry from privacy advocates who have long been leery of the spy agency’s eavesdropping.


Chinese Elite Hacking Unit 61398

As Mandiant mapped the Internet protocol addresses and other bits of digital evidence, it all led back to the edges of Pudong district of Shanghai, right around the Unit 61398 headquarters. The group’s report, along with 3,000 addresses and other indicators that can be used to identify the source of attacks, concludes “the totality of the evidence” leads to the conclusion that “A.P.T. 1 is Unit 61398.”

Mandiant discovered that two sets of I.P. addresses used in the attacks were registered in the same neighborhood as Unit 61398’s building.

“It’s where more than 90 percent of the attacks we followed come from,” said Mr. Mandia.

The only other possibility, the report concludes with a touch of sarcasm, is that “a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multiyear enterprise-scale computer espionage campaign right outside of Unit 61398’s gates.”


Silent Circle’s privacy-enhancing service expected to launch later this year

The need for privacy-enhancing technologies continues. If all our communications are routinely intercepted and scrutinized, some of us will need the assurance that our good work can be done without being observed. Certain countries don’t like human rights workers “poking around,” for instance, or want to closely observe the movements of aid agency observers.

With that in mind, Phil Zimmermann, the original brain behind PGP, expects to launch Silent Circle later this year. The company’s main offering is a $20-a-month encryption service for voice, SMS, videoconference and e-mail traffic.


Drupal Security Team response to bogus 7.12 CSRF issues

“The Drupal Security team has concluded that this does not constitute a valid vulnerability. The attack depends on a ‘Man In the Middle’ attack or sniffing software, which is outside of Drupal and presents a much bigger problem.

The Drupal Security team provides an easy way to report issues by sending emails to security@drupal.org, and we will credit researchers with all issues they report in this manner. No formal report of this issue was filed directly with our team. We encourage all researchers to follow the practice of responsible disclosure, and report directly to our team to ensure both that we can provide public credit for authentic vulnerabilities, and keep our users as secure as possible.”

Well, there ya go.


Passwords are like underwear

Have you ever heard the saying, “passwords are like underwear?” Yep. That’s because

  • you shouldn’t leave them lying around;
  • you should change them often; and
  • it’s best if you don’t share them with your friends.

You’ve heard the advice about choosing good passwords. They should be long — like sixteen characters (!) — contain at least one number, a mixture of capitals and lowercase, and at least one symbol. They shouldn’t contain the name of your pet or loved one, or the date of your anniversary of starting at your place of employment, et cetera.

Then there are the other bits of advice. For one thing, you’re supposed to use different passwords for different accounts. Your Yahoo e-mail password should never be the same as your bank password, for example.

Also, you’re not supposed to write out your password and put it on a piece of paper in your drawer, or worse, on a sticky note on your monitor.

So, you might ask, “If they tell me to make my passwords basically unreadable and difficult to memorize, change them every 45 days or so, use different passwords for everything I ever sign up for, and never write any of them down in a visible place, will I be spending my life memorizing and creating passwords?”

The answer is… yes, you will.

At present I have over 400 passwords, and actively use maybe twenty or thirty of those. How am I supposed to remember all of them?

The answer: I don’t. I use a password manager to keep all my passwords in one place, and keep them secure. I have created a strong password to protect that database, so I don’t have to remember 400 passwords, I just have to remember one.

Try this out. I can recommend several good utilities if you’re interested.

I personally like KeePass Password Safe. This generates secure passwords for me and allows me to categorize them in an encrypted database. I synchronize that password database between several different computers by saving it in my Dropbox. Dropbox gives you a synchronized folder. When you save files to your Dropbox folder, you can access any of those files, from any of your devices. You can install a 2GB Dropbox for free from https://www.dropbox.com/ (or get an extra 250MB by using my Dropbox referral link).

A buddy of mine at work recommends RoboForm, and has used it for years with success. They have a Pro version (very affordable at $9.95 for unlimited devices), or a free trial you can use. I heard from her recently that with your purchase, they also offer a sync service, which you can use to keep all your passwords synchronized between different devices.

Another friend of mine likes LastPass, the online password manager and form filler. You’ve no doubt heard about their widely publicized security breach earlier this year. However, they appear to have remedied the issue quite promptly, and to have learned from the issue.


Swedish Man caught splitting atoms in his home

"Richard Handl told The Associated Press that he had the radioactive elements radium, americium and uranium in his apartment in southern Sweden when police showed up and arrested him on charges of unauthorized possession of nuclear material."


Google Datacenter Security

Just saw what basically amounts to a marketing video for Google’s Apps customers, discussing some of the features of their datacenters. They’ve put more thought into these facilities than you’d expect, specifically the “sustainability” aspect — which may involve a little bit of greenwashing, but I suppose it’s a start. To recap:

Very interesting.

[Image: a drive crusher]


SSH postponed authentication (publickey)

An interesting syslog message!

sshd[xxx]: 'Postponed publickey for oracle from ::ffff:130.156.249.64 port 9264 ssh2'

As Tom explains,

ssh is just stepping through the client-configured authentication types (enabled in either ssh_config or ~/.ssh/config) and trying them in turn, but acknowledging that a publickey was presented, and postponing its use until after trying the first auth type.


User-friendly PKI: not yet

Public-key infrastructure is great. When it works, you can be quite sure that you are communicating with whom you want to communicate, and you can even communicate securely if you wish. Alice and Clare can send each other mail, and Bob won’t be able to sneak in there and read it.

It’s supremely easy for Alice to create a private key, and publish her public key to a keyserver. “That’s it?” she thinks, with a leap of her heart. “Wow! It’s so easy!”

Let’s fast-forward a bit.

For a while, Alice and Clare have fun sending encrypted messages back and forth. They find a plug-in to send encrypted mail through their GMail accounts (FireGPG), and that’s useful for a while, although oops, the developer discontinues GMail support. But they can still use other clients, and they do so.

Things are hunky-dory for a while.

Then one day Alice upgrades her computer, and she forgets to migrate her private key over to the new box. She doesn’t have her passphrase at hand, of course, because she had her e-mail client save it for her; she had it on a sticky note so she only had to look it up once in a while.

“Oh, well,” thinks Alice. “I’ll just create a new public key.”

Oops. Is this user-friendly?

Now Alice has a PGP key sitting out there on a keyserver. She can’t use it because she doesn’t have the equivalent private key. She can’t revoke it because she didn’t think it was that important to create a revocation certificate at the time and save it. Someone told her to do that once. “Don’t save it in the cloud, but on a disk that would never lose its data and could never be compromised. Then lock it away in a safe in your basement. You did make sure your basement was a Faraday cage, didn’t you?”

PKI is such a useful, powerful tool. But… it’s still very easy to screw up and cause lasting damage. I guess it’s like a “Hole Hawg,” an apt comparison to other powerful technologies, as noted by Neal Stephenson.

There IS an option for Alice. She can create a new key, with a user ID like: “only use this key. That other one is bad,” and then get all her friends to sign the new key. There are other techniques, but that’s pretty much as close as she’s going to get.

Questions like this in security-related topics interest me: If it’s easier to use, will more people use it? And if it’s more widely used, will that increase its relevance?