Dan Kaminsky finally outlined the DNS vulnerability that was reported about 4 weeks ago (article on The Register). It appears to be a DNS forgery variant of DNS cache poisoning. If an attacker of a DNS server can quickly and correctly guess a 16-bit transaction ID, then the attacker will be able to replace DNS entries with their own spoofed ones. There has been one confirmed attack so far, where the attacker caused AT&T subscribers to be re-routed to fake Google pages.
For the curious, you might want to see how safe your ISP's DNS servers are. Try the "Check My DNS" button on Dan Kaminsky's site; or the "Test My DNS" link here. The key here is to see the amount of randomness of transaction IDs and query source ports in your ISP's DNS servers.
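The kind of check those test pages perform, as an added example that is not part of the original post: it takes the (source port, transaction ID) pairs a resolver used for its outbound queries and flags values that are fixed or incrementing. The observations are constructed sample data, and the usable port pool of 64512 (ports 1024-65535) is an assumption.

```python
import math

# Constructed sample observations: (source_port, transaction_id) of queries
# sent by a resolver to a name server the tester controls.
FIXED_PORT = [(53, 0x1a2b), (53, 0x9c41), (53, 0x03f7),
              (53, 0xe810), (53, 0x5d6e), (53, 0xb2a9)]
SEQUENTIAL = [(32768 + i, 0x4000 + i) for i in range(6)]
RANDOMISED = [(41873, 0x7be2), (10294, 0x11c9), (58811, 0xd340),
              (23307, 0x86aa), (49152, 0x2f15), (6120, 0xf903)]

def predictable(values):
    """Describe an obviously guessable sequence, or return None."""
    if len(set(values)) == 1:
        return "fixed"
    steps = {b - a for a, b in zip(values, values[1:])}
    if len(steps) == 1:
        return f"increments by {steps.pop()}"
    return None

def assess(observations, port_pool=64512):
    """Return (findings, bits): which fields are predictable, and how many
    bits a forged reply would still have to match by chance.

    A few samples can only expose obvious predictability; an empty
    findings dict does not prove the values are truly random.
    port_pool is an assumed size for the randomised port range.
    """
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    findings, bits = {}, 0.0
    for name, vals, space in (("source port", ports, port_pool),
                              ("transaction ID", txids, 2 ** 16)):
        problem = predictable(vals)
        if problem:
            findings[name] = problem      # contributes nothing to guess
        else:
            bits += math.log2(space)      # full space must be searched
    return findings, round(bits, 1)

if __name__ == "__main__":
    for label, obs in (("fixed port", FIXED_PORT),
                       ("sequential", SEQUENTIAL),
                       ("randomised", RANDOMISED)):
        print(label, assess(obs))
```

A resolver that randomises only the transaction ID leaves 16 bits to match; randomising the source port as well roughly doubles that.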
In case you didn't know, the image for this group is of a 3-rotor Enigma, the cipher machine created by Nazi Germany for use in World War II.
As luck would have it, I just watched that Matthew McConaughey movie U-571 on NHK Satellite TV the other night. Can't believe the tomatometer for this stinker is leaning towards the fresher side. History was re-written in order to sell this movie. Argh, I am only sorry that I tuned in too late to see Jon Bon Jovi get decapitated by flying debris. Seriously.
By the way, one of the major historical inaccuracies: the British Navy scored the first Enigma machine when they captured U-110 in May of 1941. But even before that, Polish mathematicians in Poland's cipher bureau had figured out the internal wirings of the Enigma machine, and at great risk, managed to pass this information along to the Allies in 1939 just before the German invasion.
The advanced encryption used by Germany led to the development of cryptanalysis at Britain's Bletchley Park, and of course paved the way for modern computing.
Hey Brooke - I love that the description of the group is encoded :-) I see from your ROT13 widget you are getting into Laszlo. That's great!
Re: Writing the enigma machine's cipher in JavaScript.
I just finished writing a wiki syntax -> html converter that runs on the client for ooi. I wrote it in Java and converted it to JavaScript using GWT's compiler. You are limited to classes available in the JRE emulation environment, but it beats writing complex logic in JavaScript (at least for me), and the compiler emits highly optimized code. You might want to try this approach.
Yeah, I do like the GWT, I would love to try out the 1.5 release. Regarding writing the enigma machine in GWT, I wonder: are <script> tags allowed? I would need to use that to load the entry point...
I was looking into the classic XOR method of encrypting data for transfer and it occurred to me that there is actually a way to use that method but without the need to share the key between the sender and recipient. I wrote up a little program to verify the idea, and it does indeed work. Now, maybe this is already a tried and true approach, but I haven't come across anything about it on the Internet.
So, is there any member of the Crypto & Security group who would be willing to take a look at my approach and let me know whether or not it seems viable?
Brooke Fujita
Aug 6, 2008
Brooke Fujita
Aug 21, 2008
Daniel Leuck
Sep 9, 2008
Brooke Fujita
Sep 12, 2008
Daniel Leuck
Sep 18, 2008
Brooke Fujita
Nov 14, 2008
Brooke Fujita
Feb 13, 2009
Brooke Fujita
Mar 2, 2009
Roger Garrett
Nov 2, 2010