Pages tagged cryptography:

xkcd - A Webcomic - Security
http://xkcd.com/538/

Xkcd about a long RSA key and another kind of key, the wrench...
PIN Crackers Nab Holy Grail of Bank Card Security | Threat Level from Wired.com
http://blog.wired.com/27bstroke6/2009/04/pins.html
movement in the banking security industry
Hackers are getting our bank security pin codes!
Hackers have crossed into new frontiers by devising sophisticated ways to steal large amounts of personal identification numbers, or PINs, protecting credit and debit cards, says an investigator. The attacks involve both unencrypted PINs and encrypted PINs that attackers have found a way to crack, according to an investigator behind a new report looking at the data breaches.
Some of the attacks involve grabbing unencrypted PINs, while they sit in memory on bank systems during the authorization process. But the most sophisticated attacks involve encrypted PINs. Sartin says the latter attacks involve a device called a hardware security module (HSM), a security appliance that sits on bank networks and on switches through which PIN numbers pass on their way from an ATM or retail cash register to the card issuer. The module is a tamper-resistant device that provides a secure environment for certain functions, such as encryption and decryption, to occur. According to the payment-card industry, or PCI, standards for credit card transaction security, PIN numbers are supposed to be encrypted in transit, which should theoretically protect them if someone intercepts the data. The problem, however, is that a PIN must pass through multiple HSMs across multiple bank networks en route to the customer's bank. These HSMs are configured and managed d
Yves & TWA (comments) say this article has some fact checking issues
According to the payment-card industry, or PCI, standards for credit card transaction security, PIN numbers are supposed to be encrypted in transit, which should theoretically protect them if someone intercepts the data. The problem, however, is that a PIN must pass through multiple HSMs across multiple bank networks en route to the customer's bank. These HSMs are configured and managed differently, some by contractors not directly related to the bank. At every switching point, the PIN must be decrypted, then re-encrypted with the proper key for the next leg in its journey, which is itself encrypted under a master key that is generally stored in the module or in the module's application programming interface, or API.
Artificial Intelligence Cracks 4,000-Year-Old Mystery | Wired Science from Wired.com
http://blog.wired.com/wiredscience/2009/04/indusscript.html
holy shit
Information about artificial intelligence
read later
http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20080714/07ea5534/attachment.txt
http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20080714/07ea5534/attachment.txt
good to animate
When you want a really strong security on the web, it's a good idea to use SSL. SSL can be used to encrypt your end to end connection to the web server, but you will need a client certificate for the possibility to verify you as who you are. The right way to get a certificate like this is for your browser to generate it! The private key should NEVER get out of the client machine. It should be generated and stored within the browser certificate store.
<form> <keygen name="pubkey" challenge="randomchars"> <input type="submit" name="createcert" value="Generate"> </form>
html <keygen>
Matasano Chargen » Blog Archive » Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!
http://www.matasano.com/log/1749/typing-the-letters-a-e-s-into-your-code-youre-doing-it-wrong/
A-E
UTF8Encoding
Professional crypto people don’t even get this stuff right. But if you have to encrypt something, you might as well use something that has already been tested.
Matasano Chargen
Cryptographic Right Answers
http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html
"list of recommendations for using cryptography which, if followed, will make sure you get things right in the vast majority of situations"
Thanks to my background as FreeBSD Security Officer, as a cryptographic researcher, and as the author of the Tarsnap secure online backup system, I am frequently asked for advice on using cryptography as a component in secure systems. While some people argue that you should never use cryptographic primitives directly and that trying to teach people cryptography just makes them more likely to shoot themselves in their proverbial feet, I come from a proud academic background and am sufficiently optimistic about humankind that I think it's a good idea to spread some knowledge around. In light of this, I've put together a list of "Cryptographically Right Answers" -- which is to say, a list of recommendations for using cryptography which, if followed, will make sure you get things right in the vast majority of situations.
Recommendations about cryptography
CrypTool - Educational Tool for Cryptography and Cryptanalysis
http://cryptool.com/
Two Centuries On, a Cryptologist Cracks a Presidential Code - WSJ.com
http://online.wsj.com/article/SB124648494429082661.html
For more than 200 years, buried deep within Thomas Jefferson's correspondence and papers, there lay a mysterious cipher -- a coded message that appears to have remained unsolved. Until now. The cryptic message was sent to President Jefferson in December 1801 by his friend and frequent correspondent, Robert Patterson, a mathematics professor at the University of Pennsylvania. President Jefferson and Mr. Patterson were both officials at the American Philosophical Society -- a group that promoted scholarly research in the sciences and humanities -- and were enthusiasts of ciphers and other codes, regularly exchanging letters about them.
Sweet
Moserware: A Stick Figure Guide to the Advanced Encryption Standard (AES)
http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html
Advanced Encryption Standard (AES)
good explanation of AES Rijndael.
A Lesson In Timing Attacks (or, Don't use MessageDigest.isEquals) | codahale.com
http://codahale.com/a-lesson-in-timing-attacks/
Timing Attacks
The Invisible Things Lab's blog: Evil Maid goes after TrueCrypt!
http://theinvisiblethings.blogspot.com/2009/10/evil-maid-goes-after-truecrypt.html
Using a password sniffer to get around full disk encryption.
jsCrypto
http://crypto.stanford.edu/sjcl/
Encrypt data sent back to a server - quickly
We offer a fast, small symmetric encryption library written in Javascript. Though several such libraries exist, jsCrypto offers several advantages.
Creating a rogue CA certificate
http://www.phreedom.org/research/rogue-ca/
We have identified a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites. As a proof of concept we executed a practical attack scenario and successfully created a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate allows us to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol.
» A Sixty-Eight Year Old Code - Entropic Memes
http://www.slugsite.com/archives/957
ink is really cool, though, is that the photo also shows the agent’s worksheet:
German
Benlog » Don’t Hash Secrets
http://benlog.com/articles/2008/06/19/dont-hash-secrets/
I know very little about cryptography, but I do find it fascinating. This article seems to have solid, real-world advice, yet it is written in a way that even I can understand it. People who can write like this impress me.
why hash is not security
Two Centuries On, a Cryptologist Cracks a Presidential Code - WSJ.com
http://online.wsj.com/article/SB124648494429082661.html?mod=yhoofront
Interesting, though the codebreaker did use a computer to solve it.
200 years later, an encrypted text is decoded.
A cipher by Mr. Patterson. Simple to use without a computer, hard to crack.
For more than 200 years, buried deep within Thomas Jefferson's correspondence and papers, there lay a mysterious cipher -- a coded message that appears to have remained unsolved. Until now.
Prime Numbers and the Benford’s Law | Pyevolve
http://pyevolve.sourceforge.net/wordpress/?p=527
"Prime Numbers and the Benford's Law | Pyevolve" http://hub.tm/?RHOqX [from http://twitter.com/carreonG/statuses/1747034327]
Pyevolve - A complete genetic algorithm framework written in pure python
National Security Agency Releases History of Cold War Intelligence Activities
http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB260/index.htm
Excised
http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB260/index.htm Very interesting history of a once "black" agency.
staple / unstaple
http://sysnet.ucsd.edu/projects/staple/
A tool that forces people to commit a crime if they want to prove an archive contains stolen content. Turning the DMCA against those who try to use it. Cute in a contrarian activist sort of way.
staple is a program that inseparably binds together the data in a file using a cryptographic mechanism known as an All-or-nothing transform. In its most basic form (when executed as staple 0), the transformation is keyless; that is, no key is required to reverse it, however all the data is required. Thus, running unstaple on the output .staple file yields the original file, but running it on any subset of the .staple file yields nothing.
[...] It has been suggested that this scenario occurs if Alice is a content producer/owner, Bob is a content piracy group, and Charlie is a user unconcerned about copyright infringement. Taking their last example: Alice could pretend to have brute-forced the key k rather than recovered from B and r, no? And is all-or-nothing so hard to do? What about making c = k xor H(Ek(m)) | Ek(m)? You need the full data to compute the hash on the encrypted message to recover the key and decrypt the message. And you can throw away part of the key also in this scheme. UPDATE: hum, actually it appears that it's precisely what he's doing :-)
all or nothing cryptographic transform
"staple is a program that inseparably binds together the data in a file using a cryptographic mechanism known as an All-or-nothing transform. In its most basic form (when executed as staple 0), the transformation is keyless; that is, no key is required to reverse it, however all the data is required. Thus, running unstaple on the output .staple file yields the original file, but running it on any subset of the .staple file yields nothing. staple can also be asked to do something slightly strange: in the process of executing the All-or-nothing transform, a random key is used for encryption of the data - staple can be instructed to throw away part of that key. (The only argument staple takes is the number of key bytes to throw away; only 0, 2, and 4 are accepted currently.)"
Stanford Javascript Crypto Library
http://bitwiseshiftleft.github.com/sjcl/
ImperialViolet - Overclocking SSL
http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html
SSL is not expensive
Bitcoin P2P Cryptocurrency | Bitcoin
http://www.bitcoin.org/
RT @draenews: Del Bitcoin P2P Cryptocurrency | Bitcoin: http://www.bitcoin.org/
Bitcoin is a peer-to-peer network based digital currency. Peer-to-peer (P2P) means that there is no central authority to issue new money or keep track of transactions. Instead, these tasks are managed collectively by the nodes of the network.
Hmm P2P encryption online free banking service, looks very insecure
HASHCRACK.COM - Reverse Hash Lookup for MD5, SHA1, MySQL, NTLM and Lanman-Password-Hashes
http://hashcrack.com/index.php