Blog

Position in Algorithms and Complexity at Aachen

Full Professor (W3) in Algorithms and Complexity
RWTH Aachen University

We are seeking qualified applicants for teaching and research in the
area of algorithms and complexity. The starting date is 1st October
2015. The research focus of this professorship should be in one or
several branches of current algorithms research, for example,
algorithmic game theory, approximation algorithms, distributed
algorithms, fixed-parameter tractability, networking algorithms,
online algorithms, randomised algorithms. The successful candidate is
expected to seek collaboration both within the department of computer
science and with other disciplines at RWTH Aachen University. We
expect an active involvement in all informatics curricula, as well as
in courses for other areas.

A Ph.D. degree is required; additionally, Habilitation (post-doctoral
lecturing qualification), an exemplary record of research achievement
as an assistant / an associate / a junior professor or university
researcher and/or an outstanding career outside academia are highly
desirable. Ability in and commitment to teaching are essential. German
is not necessary to begin but will be expected as a teaching language
within the first 5 years. The application should include supporting
documents regarding success in teaching.

Please send a cover letter stating research aims and a CV to: An den
Dekan der Fakultät für Mathematik, Informatik und Naturwissenschaften
der RWTH Aachen, Professor Dr. Stefan Schael, 52056 Aachen, Germany.

The deadline for applications is 14th November 2014.

Informal inquiries may be addressed to
Martin Grohe, grohe@informatik.rwth-aachen.de

UC Santa Barbara students, staff jubilant after professor’s Nobel Prize win

Students and staff at UC Santa Barbara were delighted Tuesday after learning that one of their professors had been awarded a Nobel Prize in physics.

They said it would boost the campus’ academic standing and help them shed their collective grief over last spring’s deadly off-campus shooting in Isla Vista.

Shuji Nakamura, a professor of materials and of electrical and computer engineering at UC Santa Barbara, was named a co-winner with two Japanese scientists for devising a blue light-emitting diode that paved the way for energy-efficient LED lighting.

via UC Santa Barbara students, staff jubilant after professor’s Nobel Prize win – LA Times.

A Few Thoughts on Cryptographic Engineering: Why can’t Apple decrypt your iPhone?

A former student of mine, Kanishka Goel, has pointed out this interesting article:

Last week I wrote about Apple’s new default encryption policy for iOS 8. Since that piece was intended for general audiences, I mostly avoided technical detail. But since some folks (and apparently the Washington Post!) are still wondering about the nitty-gritty details of Apple’s design might work, I thought it might be helpful to sum up what we know and noodle about what we don’t.

To get started, it’s worth pointing out that disk encryption is hardly new with iOS 8. In fact, Apple’s operating system has enabled some form of encryption since before iOS 7. What’s happened in the latest update is that Apple has decided to protect much more of the interesting data on the device under the user’s passcode. This includes photos and text messages — things that were not previously passcode-protected, and which police very much want access to.

via A Few Thoughts on Cryptographic Engineering: Why can’t Apple decrypt your iPhone?.

You can read more about Apple iOS Security here.

DES password challenge in COMP424

The password challenge in COMP/IT 424, the “Security” course that I am currently teaching at Channel Islands, was to find the crypt() password corresponding to the hash:

3zLNGMUzkNwak

The winner of the challenge was Jesse Thomas. Here is the password:

h7vy09s1

and here is Jesse’s approach in his own words:

I decided to try ocl hashcat to crack the password. Since we were told that the password would be entropic, I figured we'd have to try a brute force attack. At first I was attempting to use all 94 potential characters but after seeing that it was estimated to take around 10 years to search through them all for a password length of 8 characters, I chose to search for only passwords matching lowercase characters and digits (like the previous challenge shown in class). The attempt took 4 hours and 48 minutes to complete, using a single nVidia GeForce GTX 560 Ti, which ran at a speed of 19739 kH/s (hash calculations/sec). At the time the password was cracked, hashCat had checked 341256962048 of 2821109907456 (32^8) potential combinations, so the password was found relatively early in the search algorithm (about 12% exhausted).

I used this command (in Windows, where I had a stronger video card):

cudaHashcat64.exe -m 1500 -a 3 -o cracked.txt "3zLNGMUzkNwak" -1 ?l?d ?1?1?1?1?1?1?1?1

-m specifies the hash type. 1500 is for descrypt/DES.
-a 3 specifies a brute force attack.
"-1 ?l?d" specifies a custom mask with the characteristic of being lowercase and digits only
"?1?1?1?1?1?1?1?1" specifies that there will be 8 characters in the password. Tried after it failed to find anything for length <= 7
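The defensive counterpart to the challenge above, as an added example that is not part of the original post or of Jesse's write-up: it flags shadow-style entries still stored as traditional DES crypt() hashes and reproduces the search-time estimates from the speed quoted in the post. The account names, the sample lines other than the page's hash, and the function names are constructed for illustration.

```python
import re

# Traditional DES crypt(3) output: 2-character salt + 11-character digest,
# all from the alphabet ./0-9A-Za-z, with no "$id$" prefix.
DESCRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")
MODULAR = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt",
           "$2y$": "bcrypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}

def classify_hash(field):
    """Name the scheme of a shadow-style password field by its format."""
    if not field:
        return "empty"
    if field[0] in "!*":
        return "locked"
    for prefix, name in MODULAR.items():
        if field.startswith(prefix):
            return name
    return "descrypt" if DESCRYPT_RE.fullmatch(field) else "unknown"

def audit(shadow_lines):
    """Return (user, salt) for every account still stored as descrypt."""
    findings = []
    for line in shadow_lines:
        parts = line.strip().split(":")
        if len(parts) >= 2 and classify_hash(parts[1]) == "descrypt":
            findings.append((parts[0], parts[1][:2]))
    return findings

def exhaust_seconds(charset_size, length, hashes_per_second):
    """Worst-case time to try every candidate of exactly `length` chars."""
    return charset_size ** length / hashes_per_second

RATE = 19739 * 1000  # 19739 kH/s, the single-GPU speed quoted in the post

# Constructed sample: only the first hash comes from the page.
SAMPLE_SHADOW = [
    "student:3zLNGMUzkNwak:16350:0:99999:7:::",
    "alice:$6$constructedsalt$CONSTRUCTED.PLACEHOLDER.DIGEST:16350:0:99999:7:::",
    "daemon:*:16350:0:99999:7:::",
]

if __name__ == "__main__":
    for user, salt in audit(SAMPLE_SHADOW):
        print(f"{user}: legacy DES crypt hash (salt {salt!r}), rehash on next login")
    print(f"36^8 candidates: {exhaust_seconds(36, 8, RATE) / 3600:.1f} hours")
    print(f"94^8 candidates: {exhaust_seconds(94, 8, RATE) / 31536000:.1f} years")
```

At the quoted speed the full lowercase-plus-digit space of length 8 is exhausted in under two days on one 2014-era GPU, which is why any account the audit reports should be moved to a modern, salted and deliberately slow scheme.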


JPMorgan Discovers Further Cyber Security Issues – NYTimes.com

For the second time in roughly three months, JPMorgan Chase is scrambling to contain the fallout from a security breach of its vast computer network, according to several people with knowledge of the investigation.

JPMorgan, the nation’s largest bank, recently found that hackers, with links to Italy or southern Europe, had gained entry to some of the bank’s servers, these people said. The discovery follows an attack that was uncovered in late July and suggests that it was more extensive than first thought. In that attack, hackers obtained entry to dozens of the bank’s servers and reviewed information on more than one million customer accounts. Security experts briefed on the matter had said that the full extent of the July attack was not known and that it could take the bank months to discover all of the fallout.

via JPMorgan Discovers Further Cyber Security Issues – NYTimes.com.

The Economist explains: Why video games are so expensive to develop

WHEN Activision, a big games publisher, released “Destiny” on September 9th, it was not just covered in the gaming press. Many newspapers commented on the game’s eye-watering budget, reported to be around $500m. How could a video game cost half a billion dollars to make? The truth is, it didn’t—Activision hopes that “Destiny” will become the first game in a long-running franchise, and $500m is the amount the firm has set aside to make that happen. But game budgets are, nonetheless, swelling. Developers and publishers are coy about releasing specific numbers, but budgets of tens of millions of dollars are not uncommon. The biggest, most polished games can cost hundreds of millions. “Star Wars: The Old Republic”, an online game released in 2011, is reputed to have cost between $150m and $200m. “Grand Theft Auto V”, which came out two years later, reputedly cost $265m. These are numbers on the same scale as blockbuster Hollywood films. Why have games become so expensive to make?

One reason is Moore’s law. Computer graphics have come on enormously in the past 20 years. The picture above compares the graphics of “Doom”, a seminal shooter released in 1993, developed by a handful of friends, with those of “Destiny”, which was developed by Bungie Software, a firm that employs around 500 people. With a few exceptions (such as “SpeedTree”, a piece of software that automates the creation of realistic-looking trees), all of the art in a video game is hand-crafted. As characters, items, levels and visual effects have become more intricate and detailed, developers have had little choice but to throw more and more artists at the problem. Another reason costs are rising is the increasing professionalism of the industry. These days, Hollywood actors are hired (and paid handsomely) to voice characters. The biggest developers market-test their products to destruction. Like political parties honing a slogan, they offer snippets of gameplay to focus groups. If anything is found to be too difficult, too obscure or simply not fun, it is sent back to be re-done. That kind of quality control costs serious money.

via The Economist explains: Why video games are so expensive to develop | The Economist.

ShellShock: All you need to know about the Bash Bug vulnerability | Symantec Connect

A new vulnerability has been found that potentially affects most versions of the Linux and Unix operating systems, in addition to Mac OS X which is based around Unix. Known as the “Bash Bug” or “ShellShock,” the GNU Bash Remote Code Execution Vulnerability CVE-2014-6271 could allow an attacker to gain control over a targeted computer if exploited successfully.

The vulnerability affects Bash, a common component known as a shell that appears in many versions of Linux and Unix. Bash acts as a command language interpreter. In other words, it allows the user to type commands into a simple text-based window, which the operating system will then run.

Bash can also be used to run commands passed to it by applications and it is this feature that the vulnerability affects. One type of command that can be sent to Bash allows environment variables to be set. Environment variables are dynamic, named values that affect the way processes are run on a computer. The vulnerability lies in the fact that an attacker can tack-on malicious code to the environment variable, which will run once the variable is received.

Symantec regards this vulnerability as critical, since Bash is widely used in Linux and Unix operating systems running on Internet-connected computers, such as Web servers. Although specific conditions need to be in place for the bug to be exploited, successful exploitation could enable remote code execution. This could not only allow an attacker to steal data from a compromised computer, but enable the attacker to gain control over the computer and potentially provide them with access to other computers on the affected network.

via ShellShock: All you need to know about the Bash Bug vulnerability | Symantec Connect.