CODEnza

According to a recent New York Times article:

A study of a widely used system to provide security for Internet shopping, banking and other services showed that it failed to work correctly in a small number of cases.

The problem appears to be a weakness in the way many cryptographic algorithms generate random numbers.  In fact, this has long been known to be a problem in generating keys.  Computers are not capable of generating truly random numbers (a weakness that may change when quantum computing goes mainstream); as a result, implementors are forced to rely on methods which generate pseudorandom numbers (i.e., numbers which “look” random, but really aren’t).

Pseudorandom key generation can be effective, if done with much forethought and in line with best practices.  Some of the pseudorandom paradigms that have been used in the past (and have been found wanting as far as security is concerned) include:

  • Successive digits of the number pi (the ratio of a circle’s circumference to its diameter).  Most people don’t remember more than a handful of pi digits from their high-school algebra class; thus, a security implementor can often get away with creating a function which retrieves, say, digits n through m of pi (where n and m are very large numbers, say around a million or so).  Hackers, however, do know how to compute arbitrarily high-precision pi values (something made even easier by the profusion of websites displaying such values).  Thus, by comparing a key value to strings of digits in pi until a match is found, they can easily predict what the next key value will be (i.e., if the first key was digits n through m, the next key to be generated will be the digits n+(m-n) through m+(m-n).
  • Values that are seeded with an integer based on the number of time units (e.g., milliseconds) from a certain base date, as computed from the system clock.  The weakness here, of course, is that once the hacker realizes that this method of pseudorandom generation is being used, he/she has a means by which to predict successive keys.

Many other methods have been used - but the thing that all weak methods have in common is some kind of pattern which can be exploited and extrapolated upon in order to facilitate the prediction of future keys.

And since anything generated by a conventional computer is by definition not truly random, there always exists the potential for a bright hacker to break the code.

Thus, the future of cryptography lies with methodologies which incorporate data from outside the computing environment (e.g., utilizing random noise detected outside the computer), as well as with computing paradigms which rely on processes which are inherently random.  The latter is a feature of quantum computing - a field still in its infancy - in which certain aspects of the state of electrons (which, according to quantum theory, cannot be measured simultaneously) are used to determine the polarity of bits.  For those interested in this field, a Google search brings back many fascinating articles.

Think you’re fooling email spammers? Think again!

In an attempt to hide from spammers who scrape social websites for email addresses, it is common practice among Twitterers, Facebookers, and discussion-board participants to spell out their email addresses - e.g., “Me at MyDomain dot com”.  Savvy users will even go a step further by inserting extra spaces between the letters, as in “M e    a t    M y D o m a i n    d o t    c o m”.  In so doing, they believe that they have successfully eluded the spam monster.

In reality, however, this is an easy trick for a hacker to get around.  The following Python function, which uses only a few lines of code and took me all of 5 minutes to write, will convert either of the two obfuscated addresses into valid well-formed email links:

def get_real_email(fake_email):

fake_email = fake_email.lower()

import re

return fake_email.replace(re.search(“\s+a\s*t\s+”, fake_email).group(0), ‘@’).replace(re.search(“\s+d\s*o\s*t\s+”, fake_email).group(0), ‘.’).replace(’ ‘, ”)

A more effective way to publish your email address is to create an image file of your spelled-out address (e.g., by using a screen-capture program), and then to insert this image into your posts/etc.  Following is an example:

Although this method isn’t entirely hacker-proof - a serious-duty hacker could retrieve the text via an OCR app or Captcha-breaking code and then use the above-mentioned script to extract the well-formed address - this will at least keep the hands of the vast majority of spammers out of your inbox.