Posted by Jonas Elfström Mon, 09 Jul 2007 21:37:00 GMT
Three weeks ago lightning struck nearby. Today my ISP finally tried to change the switch in the central even though I reported back to them that my VSDL modem worked just fine at a friend’s house only a couple of days after my connection died.
Posted by Jonas Elfström Fri, 25 May 2007 16:31:00 GMT
The Zodiac Killer was a serial killer in the late sixties and maybe early seventies. He sent a number of letters to the press, including four ciphers or cryptograms and only one of them has been solved. The killer's identity remains unknown.
Chris McCarthy has a nice page about the cipher and he also has an ASCII version of the cipher.
Here's a small Ruby hack that calculates the character frequency using the ASCII version of the cipher. Feel free to use it if you like to have a go at cracking it!
EDIT: At this page you can have a go at cracking it real-time. I am not convinced it's really a homophonic substition cipher since the frequency analysis shows that the 340 does not have a flat frequency distribution.
It would be nice to know what cryptographic literature was available for the public in northern California in the late sixties.
Posted by Jonas Elfström Wed, 23 May 2007 05:12:00 GMT
Recently 2^1039-1 were factored. Is this the end of 1024 RSA encryption? Lenstra, one of the researchers, addresses this question: "Last time, it took nine years for us to generalize from a special to a non-special hard-to factor number (155 digits). I won't make predictions, but let's just say it might be a good idea to stay tuned."
2^1039-1 is a special number that the RSA algorithm would never use so 1024 RSA might still be secure for the time being but if you want to be future safe 2048 bits or more would be the way to go.
Posted by Jonas Elfström Mon, 30 Apr 2007 10:54:00 GMT
Recently a friend of mine got problems while trying to book a hotel room online. The JavaScript-driven calendar was IE-only and he is on Mac OS X. My friend then checked the source and saw that the JavaScript actually just set a value to an hidden input field. He fired up Firebug and edited the field manually and then submitted the form. When he got the confirmation of the booking he saw that he accidently had typed 2006 instead of 2007. The only protection against booking at dates in the past, already fully booked or in the year 2100 were the JavaScript that ran the calendar.
When building a web application you can never ever trust that any of the data from the client will be untampered with.
Some problems I've seen in the past:
Relying on JavaScript-validation. JavaScript can be turned off or ran through a debugger.
Having sensitive data in hidden input fields.
Storing sensitive data in cookies.
Posted by Jonas Elfström Fri, 30 Mar 2007 05:33:00 GMT
In an earlier post the example code did find prime numbers. Recently I stumbled over a really cool regexp hack that also deals with primes. This is how you execute that regexp in Ruby:
puts 'Prime' unless ('1' * 43) =~ /^1$|^(11+?)\1+$/Change 43 to whatever you like and you will get Prime as output if it's a prime number. EDIT: As you can see in the comments Neil Kandalonkar explained how the regexp by Abigail works.
Posted by Jonas Elfström Fri, 30 Mar 2007 04:59:00 GMT
Now I've got a .com domain, you can reach this blog at http://alicebobandmallory.com/.
Posted by Jonas Elfström Tue, 27 Mar 2007 20:46:00 GMT
In an earlier post I mentioned that a security token that lets you sign your transactions is one way to go to get more secure Internet banking.
Now a couple of swedish students have shown (by also using the problem I mentioned in this post) that a security token both needs to be used in a secure manner and that it also needs to be simple for the user to know what he is actually signing. According to the press it seems that they did this as a man-in-the-middle attack. This is just speculations but it seems the reason that this were possible were that the user did not have a clear view of what he was signing.
It could have been done something like this:
The bank has solved the problem by adding a 9 before all login codes. I'm not convinced this is simple and obvious enough for the users. One way to make it simple could be a security device with buttons labeled "login", "sign account" and "sign amount" or such.
EDIT: Now it has started to arrive phishing mails that asks the customers of Swedbank to install ssl3.exe...
Posted by Jonas Elfström Tue, 27 Mar 2007 20:30:00 GMT
The phishing attempts against Nordea are still going strong and the mails are now in almost correct swedish.
One might wonder why Nordea still haven't done any major changes. Maybe the've seen Fight Club and calculates just the way Jack does while working as an automotive manufacture recall coordinator...
Posted by Jonas Elfström Tue, 27 Feb 2007 16:01:00 GMT
One-way hash functions takes a message of any length as input and outputs a very large but fixed length number, called message digest or fingerprint. They can be used for "storing" passwords or as a signature that makes it possible to verify that you got the correct message.
MD5 got into problems over 10 years ago and SHA-1 could to be heading the same way. Until the new standard is published I would follow the crowd and recommend SHA-256.
require 'digest/sha2'
quickfox="The quick brown fox jumps over the lazy dog"
Digest::SHA256.hexdigest(quickfox)=> "d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592"
using System.Security.Cryptography;...
ASCIIEncoding byteConverter = new ASCIIEncoding();
string quickfox="The quick brown fox jumps over the lazy dog";
HashAlgorithm sha256 = new SHA256Managed();
byte[] hash = sha256.ComputeHash(byteConverter.GetBytes(quickfox));
crypt.Text = Convert.ToBase64String(hash); Posted by Jonas Elfström Mon, 26 Feb 2007 16:01:00 GMT
It has recently been reported that by simply opening the wrong web page you could be in trouble if you haven't changed the default password of your home router. The page could contain a JavaScript that changes the DNS-settings. Schneier blogs about it here and today he posted a link to a page containing default passwords for most of the home routers on the market.
Recently I helped a friend to change the password on his router. He knew that he could administer his router with a web interface but he did not know where to point his browser. He's running Windows and if you are in the same situation as my friend you could almost always find out the address by:
