Re: Crypto Craft Knowledge
Stephan Neuhaus wrote: Yes, there's a need for a crypto practices FAQ to which one can refer. I disagree because you cannot force developers to read (and understand) these FAQs. Instead, there is a need for APIs that are difficult to use in an insecure way. For example, Peter Gutmann's cryptlib makes it intentionally hard to get at private key material because of precisely this issue. Also, I believe, cryptlib does not allow RSA in anything but ECB mode, because doing so means the developer is seriously on the wrong track here. This is a good point, and it reminds me of this presentation from Rusty Russell on levels of Linux kernel interfaces. See http://ozlabs.org/~rusty/ols-2003-keynote/img39.html and following. The main issue I see is how do you force the developer to adopt your library and corresponding API? A secondary issue is what do you do if there isn't a suitable library and API yet available? In cases where you can't (yet) provide a simple use cryptlib response, a crypto practices FAQ would be helpful for pointing out common problems and explaining them well. I've started a wiki in case anyone wants to hack on such a FAQ: http://www.cryptohygiene.org/ -David Molnar signature.asc Description: OpenPGP digital signature
Re: Crypto Craft Knowledge
Ben Laurie wrote: [snip discussion of bad crypto implementation practices] Because he is steeped in the craft knowledge around crypto. But most developers aren't. Most developers don't even have the right mindset for secure coding, let alone correct cryptographic coding. So, why on Earth do we expect them to follow our unwritten rules, many of which are far from obvious even if you understand the crypto? Yes, there's a need for a crypto practices FAQ to which one can refer. In addition to individual education, it'd be helpful to have something when pointing out common mistakes. For example, I was involved recently in a discussion about MAC'ing prices returned by a shopping cart web application: http://news.ycombinator.com/item?id=477398 There's at least two gotchas here to consider: 1) The choice of MAC (i.e. why use HMAC instead of H(s||m) or H(m||s) ?) 2) replay attacks if the MAC'd item is not bound to the transaction or the rest of the web page I can point out these issues, but I don't usually have time to write fully detailed examples. Having such examples goes a long way towards increasing one's credibility in this kind of discussion. Ideally they would be from deployed applications, but that's tough. -David Molnar signature.asc Description: OpenPGP digital signature
Re: Security by asking the drunk whether he's drunk
Ben Laurie wrote: I can't find discussion of Perspectives - hint? Service from a group at CMU that uses semi-trusted notary servers to periodically probe a web site to see which public key it uses. The notaries provide the list of keys used to you, so you can attempt to detect things like a site that has a different key for you than previously shown to all of the notaries. The idea is that to fool the system, the adversary has to compromise all links between the target site and the notaries all the time. Paper, code, and Firefox extension: http://www.cs.cmu.edu/~perspectives/ signature.asc Description: OpenPGP digital signature
Re: street prices for digital goods?
transaction prices. 3) One of the complicating factors in drug data is the lack of standardized units. For example, Caulkins notes that 16% of all meth data reported in the STRIDE data was sold in units other than grams...and a few early analyses of the data didn't notice, yielding bogus results. A more serious issue is purity, again; the same $10 bag of pot may have wildly different amounts of THC. Similarly, as others have pointed out here, it is hard to do an apples to apples comparison of compromised online banking accounts if the lots of compromised accounts come in different sizes, from different banks, etc. 4) Finally, the sheer amount of money spent on drug enforcement and market disruption is huge. The NBER paper cites $8.3 billion expended by the federal government for the purpose of disrupting illicit drug markets, and $13 billion overall. How much do you think is spent, total, by everyone everywhere, on disrupting markets for illegal digital goods? -David Molnar signature.asc Description: OpenPGP digital signature
street prices for digital goods?
Dan Geer's comment about the street price of heroin as a metric for success has me thinking - are people tracking the street prices of digital underground goods over time? The Symantec Threat Reports do seem to report advertised prices for a basket of goods, starting in Volume XI (March 2007) and running through the present. For example, Volume XI Table 3 states a Skype account is worth $12, valid Hotmail cookie $3, etc. These are interesting, but it's hard to see changes since they're reported as a band of prices presumably aggregated from many different sources. I've also seen price anecdotes from Team Cymru. Plus of course the Nature and Causes of the Wealth of Internet Miscreants paper from CCS 2007. Is there a continuous feed of prices published anywhere (besides the underground servers, of course), or is this still something where you have to go gather data yourself if you want it? I'm curious because it would be interesting to look at the street price for a specific online bank's logins before and after the bank makes a change to its security practices. (One not particularly great example of a change: adopting EV certs.) Alternatively, look at the price of some good before and after a prosecution. If this has already been done, my apologies, I'd appreciate the pointer. finally, does anyone happen to know of a good review of how the focus on street price has performed as a metric for drug interdiction? that is, I could imagine cases where some specific intervention causes street price to rise but this doesn't lead to a corresponding improvement in things like deaths from drug overdose, number of people using, etc. Does that happen in practice so far as we know or not? -David Molnar signature.asc Description: OpenPGP digital signature
Re: security questions
Peter Saint-Andre wrote: [list of security questions snipped] *** It strikes me that the answers to many of these questions might be public information or subject to social engineering attacks... You might enjoy reading Ari Rabkin's recent paper at SOUPS 2008 on this issue: Personal knowledge questions for fallback authentication: Security questions in the era of Facebook Ariel Rabkin http://www.cs.berkeley.edu/~asrabkin/bankauth.pdf He has slides as well: http://www.eecs.berkeley.edu/~asrabkin/rabkin.pdf -David Molnar signature.asc Description: OpenPGP digital signature
