Check this out: http://www.educause.edu/content.asp?page_id=7103&bhcp=1

This is a Security Awareness Video contest and there are some cool, freaky videos. Some of them just use analogies that are interesting

Roger

Sometimes it is interesting how certain themes keep popping up again and again. But let's start at the beginning:

For example in the field of public key cryptography we make use of so-called hash functions. A hash function is a function which turns data into a number of limited size. For example SHA-1 returns a 160-bit number. These functions (especially SHA-1) are heavily used to digitally sign messages. The core problem with those functions is collision: How likely is it that two (meaningful) messages get the same hash value? This is especially problematic as SHA-1 has only 2^160 possible results. If you need more information about hashes, look at Wikipedia at http://en.wikipedia.org/wiki/Hash_function

Now, a brief look at the theory of statistics: There is something called the Birthday Paradox (the birthday paradox states that given a group of 23 (or more) randomly chosen people, the probability is more than 50% that at least two of them will have the same birthday. For 60 or more people, the probability is greater than 99%, although it cannot actually be 100% unless there are at least 366 people. quote from http://en.wikipedia.org/wiki/Birthday_problem). If you apply this to SHA-1, you reduce the number of attacks to get a collision with more then 50% to 2^80.

Now, this was the basics. On February 13th, a team of Chinese researchers published a paper showing a weakness of SHA-1 that reduces the number of attacks needed to 2^69 (http://theory.csail.mit.edu/~yiqun/shanote.pdf)

This caused certain discussions in the crypto space. But at the end, well, we (the IT pros) have to change the hash algorithm - over time. But not now and not by tomorrow. I think that over time, it is clear that we have to move away from SHA-1 but before we do this, there has to be a consensus what the next standard shall be. Is it Nessie, is it SHA-256 or SHA-384 or SHA-512? I personally think that the situation is similar to the one regarding 3DES. It was decided to move to another symmetric algorithm and then it took some time until Blowfish was selected (and is now called AES) and now the software vendors started to migrate.

99.999% of all the applications, in my opinion, will be able to live even with the risk for a collision of 1:2^69. If you are within the remainder, then you should probably think about migrating

Roger

Since a long time (at least 9/11) there is a lot of discussion about the way terrorists use/will use the Internet,

It is clear that the Internet is used for publicity and communication. There are experts saying that the Internet itself will not be a target for an attack for terrorists because of this fact - they would destroy one of the most important communication channel.

Will they use the Internet as an attack channel to critical infrastructure? Well, I hope that we will not see that ever happen.

What I never thought of is, that they seem to use the Internet for "fund raising". Read yourself: http://www.zone-h.org/content/view/14508/30/

Roger

With 4 days to go until Windows Vista General Availability launch, Jim Alchin wrote a pretty interesting (and very long) blog post with regards to security vs. convenience at the example of Windows Vista.

Look at it yourself: http://windowsvistablog.com/blogs/windowsvista/archive/2007/01/23/security-features-vs-convenience.aspx

Windows Vista Rocks!!!

Roger

As you probably know, I am based in Switzerland. Since quite some time, Swiss ISPs are mandated to retain their IP-logs for a few months in order to support Law Enforcement.

It seems that the US is now going down this road as well and it will be interesting to see, what kind of data have to be logged an retained. As always the big issue is the delicate balance between privacy, the requirements of the industry, and the need of Law Enforcement.

http://www.businessweek.com/ap/financialnews/D8MQJU880.htm

Roger