Dec 30 2008
So scary
This is so scary.
Basically, what the article is saying, to those who don’t have the appropriate number of geek points, is that the entire infrastructure that secure websites are based on (credit card companies, banks, online shopping, etc.) can be spoofed: you could be looking at what appears to be a valid secure site while it is actually under the control of someone trying to steal your information. And you would have no idea that you aren’t viewing the real site, because your web browser would tell you that the site is secure and trusted (the little padlock on the browser). That padlock only means the site’s certificate chains back to a certificate authority your browser already trusts; if someone can forge a certificate authority, the padlock tells you nothing.
The thing that I don’t get is, why do companies write these incredibly complicated algorithms to hack through infrastructures that are well in place only to publish the vulnerabilities online where all the hackers can get wind of exactly how to exploit these issues? I’m one for open information, but I would have a solution in place before pointing out that PKI has a big-ass hole in it and writing the program that can make your fake certificate authority so that the identity theft can ensue. Seems a little backwards to me, but what do I know?
I do know that in the Linux server world, having people work hard to break through security protocols has resulted in very fast security updates that are released at the same time as the vulnerability itself. This method has resulted in the generation of a VERY secure system. Apple and Microsoft have also adopted this methodology. My problem with this case is that they released the vulnerability with no fix ready to be implemented. I think this is a bit like lighting off fireworks over your super-secret army camp in Baghdad, hoping that none of the enemy will see where your super-secret encampment is, then asking them not to hurt you because you’re cute and lit off pretty fireworks. It is a little silly.
Still though, the problem that they pointed out is scary as hell. I no longer trust the internets.
Oh, and this:

2 Responses to “So scary”
Hey Ari,
It’s not really that scary, according to Bruce Schneier, a cryptography/computer security/general security expert. Seems to be old hat – check this out:
http://www.schneier.com/blog/archives/2008/12/forging_ssl_cer.html
but he also addresses your more general question about why publishing stuff like this is useful:
http://www.schneier.com/crypto-gram-0205.html#1
Hey, I find this kind of stuff interesting. Don’t know how many geek points that gets me. But if you like this kind of stuff you should subscribe to the newsletter these links are from; it’s free, and has a lot of stuff related to more general security issues as well.
I’ve been a semi-regular reader of your blog for a while now, but never bothered to register before – sorry. It’s always fun to see what you and Rachel and now Sasha are up to. Speaking of which, yeah, that erg piece you did sounds pretty f-ing hard. You basically matched my 2k erg score from last year, except you did it 4 times! Crap. I’m pretty sure I couldn’t do it even twice.
Glad to see that you and the family are doing well. Happy new year!
Peter
Hum, an interesting link. I’ve heard of this guy and know he knows his stuff, but it still worries me for several reasons that I won’t go into. I suppose that when it comes to cryptography and security, there is a little bit of the blind leading the blind, since we are always trying to be one step ahead of the hackers and identity thieves, but, in the end, we’re all just guessing.
Thanks for posting a comment though! You’re the first since July.
I have no idea who reads this blog since next to no one comments. I guess I need to post more discussion provoking material in the future.
Yeah, that erg piece was brutal, but I was happy with the result. Remember that I’m a bit younger than you. A 2K score of 1:49 in your age category is pretty damn good! I’m hoping to get sub-6:50 for my 2Ks this year, which would be below 1:42. We’ll see how that goes. See you at the Heart of Texas!