Blog

UC Santa Barbara students, staff jubilant after professor’s Nobel Prize win

Students and staff at UC Santa Barbara were delighted Tuesday after learning that one of their professors had been awarded a Nobel Prize in physics.

They said it would boost the campus’ academic standing and help them shed their collective grief over last spring’s deadly off-campus shooting in Isla Vista.

Shuji Nakamura, a professor of materials and of electrical and computer engineering at UC Santa Barbara, was named a co-winner with two Japanese scientists for devising a blue light-emitting diode that paved the way for energy-efficient LED lighting.

via UC Santa Barbara students, staff jubilant after professor’s Nobel Prize win – LA Times.

A Few Thoughts on Cryptographic Engineering: Why can’t Apple decrypt your iPhone?

A former student of mine, Kanishka Goel, has pointed out this interesting article:

Last week I wrote about Apple’s new default encryption policy for iOS 8. Since that piece was intended for general audiences, I mostly avoided technical detail. But since some folks (and apparently the Washington Post!) are still wondering about the nitty-gritty details of how Apple’s design might work, I thought it might be helpful to sum up what we know and noodle about what we don’t.

To get started, it’s worth pointing out that disk encryption is hardly new with iOS 8. In fact, Apple’s operating system has enabled some form of encryption since before iOS 7. What’s happened in the latest update is that Apple has decided to protect much more of the interesting data on the device under the user’s passcode. This includes photos and text messages — things that were not previously passcode-protected, and which police very much want access to.

via A Few Thoughts on Cryptographic Engineering: Why can’t Apple decrypt your iPhone?.

You can read more about Apple iOS Security here.

DES password challenge in COMP424

The password challenge in COMP/IT 424, the “Security” course that I am currently teaching at Channel Islands, was to find the crypt() password corresponding to the hash:

3zLNGMUzkNwak

The winner of the challenge was Jesse Thomas, here is the password:

h7vy09s1

and here is Jesse’s approach in his own words:

I decided to try oclHashcat to crack the password. Since we were told that the password would be entropic, I figured we'd have to try a brute force attack. At first I was attempting to use all 94 potential characters but after seeing that it was estimated to take around 10 years to search through them all for a password length of 8 characters, I chose to search for only passwords matching lowercase characters and digits (like the previous challenge shown in class). The attempt took 4 hours and 48 minutes to complete, using a single Nvidia GeForce GTX 560 Ti, which ran at a speed of 19739 kH/s (hash calculations/sec). At the time the password was cracked, hashcat had checked 341256962048 of 2821109907456 (32^8) potential combinations, so the password was found relatively early in the search algorithm (about 12% exhausted).

I used this command (in Windows, where I had a stronger video card):

cudaHashcat64.exe -m 1500 -a 3 -o cracked.txt "3zLNGMUzkNwak" -1 ?l?d ?1?1?1?1?1?1?1?1

-m specifies the hash type. 1500 is for descrypt/DES.
-a 3 specifies a brute force attack.
-1 ?l?d specifies a custom charset (?1) with the characteristic of being lowercase letters and digits only.
?1?1?1?1?1?1?1?1 specifies that there will be 8 characters in the password, each drawn from ?1. Tried after it failed to find anything for length <= 7.

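The write-up above makes two estimates by hand: about 10 years for the full 8-character printable keyspace, and a 4h48m run that stopped after about 12% of the lowercase-plus-digits keyspace. The following Python is an added example, not part of the challenge or Jesse's submission, that parses hashcat-style masks and reproduces that arithmetic so the same check can be applied to any password policy. The rate (19739 kH/s) and the candidate count at the time of the hit (341256962048) are taken from the write-up; the charset sizes are hashcat's built-in definitions (?s is 33 characters including space, so ?a is 95); everything else is constructed for the example.

```python
import string

# hashcat built-in charsets (?a = ?l?u?d?s, 95 printable ASCII characters)
BUILTIN_CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
    "a": string.ascii_letters + string.digits + " " + string.punctuation,
}


def expand_charset(spec, custom=None):
    """Expand a charset spec such as '?l?d' or 'abc?d' into the set of characters it covers.

    '?l' etc. name a built-in charset, '?1'..'?4' a user-defined one (the -1 .. -4
    options), '??' is a literal '?', and any other character stands for itself.
    """
    custom = custom or {}
    chars = set()
    i = 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key in BUILTIN_CHARSETS:
                chars.update(BUILTIN_CHARSETS[key])
            elif key in custom:
                chars.update(expand_charset(custom[key], custom))
            elif key == "?":
                chars.add("?")
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        else:
            chars.add(spec[i])
            i += 1
    return chars


def mask_keyspace(mask, custom=None):
    """Candidates a mask enumerates: the product of the charset size at each position."""
    custom = custom or {}
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            total *= len(expand_charset(mask[i:i + 2], custom))
            i += 2
        else:
            i += 1  # a literal character contributes exactly one candidate
    return total


def seconds_to_exhaust(keyspace, rate_hps):
    """Worst-case time to try every candidate at a given hash rate (hashes/second)."""
    return keyspace / rate_hps


def format_duration(seconds):
    """Render seconds as e.g. '1d 15h 42m 0s' for human reading."""
    seconds = int(seconds)
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{days}d {hours}h {minutes}m {secs}s"


def challenge_report(rate_hps=19_739_000, checked=341_256_962_048):
    """Reproduce the arithmetic of the write-up (rate and checked count taken from it)."""
    custom = {"1": "?l?d"}
    narrow = mask_keyspace("?1" * 8, custom)  # lowercase + digits, 8 positions
    full = mask_keyspace("?a" * 8)            # all printable ASCII, 8 positions
    return {
        "narrow_keyspace": narrow,
        "narrow_worst_case_s": seconds_to_exhaust(narrow, rate_hps),
        "full_worst_case_years": seconds_to_exhaust(full, rate_hps) / 31_557_600,
        "fraction_searched": checked / narrow,
        "elapsed_s": checked / rate_hps,
    }


if __name__ == "__main__":
    r = challenge_report()
    print(f"lowercase+digits keyspace: {r['narrow_keyspace']:,}")
    print(f"worst case at 19.7 MH/s:   {format_duration(r['narrow_worst_case_s'])}")
    print(f"full 95-char keyspace:     {r['full_worst_case_years']:.1f} years")
    print(f"searched before hit:       {r['fraction_searched']:.1%} "
          f"({format_duration(r['elapsed_s'])})")
```

The lowercase-plus-digits mask works out to 36^8 = 2,821,109,907,456 candidates, a little under 40 hours on one GTX 560 Ti, and the count checked at the hit corresponds to 12.1% of that keyspace and 4h48m of wall time, matching the write-up. The same function shows why classic DES crypt() is a poor password store today: its 8-character limit caps the keyspace no matter how strong a policy is.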

JPMorgan Discovers Further Cyber Security Issues – NYTimes.com

For the second time in roughly three months, JPMorgan Chase is scrambling to contain the fallout from a security breach of its vast computer network, according to several people with knowledge of the investigation.

JPMorgan, the nation’s largest bank, recently found that hackers, with links to Italy or southern Europe, had gained entry to some of the bank’s servers, these people said. The discovery follows an attack that was uncovered in late July and suggests that it was more extensive than first thought. In that attack, hackers obtained entry to dozens of the bank’s servers and reviewed information on more than one million customer accounts. Security experts briefed on the matter had said that the full extent of the July attack was not known and that it could take the bank months to discover all of the fallout.

via JPMorgan Discovers Further Cyber Security Issues – NYTimes.com.

The Economist explains: Why video games are so expensive to develop

WHEN Activision, a big games publisher, released “Destiny” on September 9th, it was not just covered in the gaming press. Many newspapers commented on the game’s eye-watering budget, reported to be around $500m. How could a video game cost half a billion dollars to make? The truth is, it didn’t—Activision hopes that “Destiny” will become the first game in a long-running franchise, and $500m is the amount the firm has set aside to make that happen. But game budgets are, nonetheless, swelling. Developers and publishers are coy about releasing specific numbers, but budgets of tens of millions of dollars are not uncommon. The biggest, most polished games can cost hundreds of millions. “Star Wars: The Old Republic”, an online game released in 2011, is reputed to have cost between $150m and $200m. “Grand Theft Auto V”, which came out two years later, reputedly cost $265m. These are numbers on the same scale as blockbuster Hollywood films. Why have games become so expensive to make?

One reason is Moore’s law. Computer graphics have come on enormously in the past 20 years. The picture above compares the graphics of “Doom”, a seminal shooter released in 1993, developed by a handful of friends, with those of “Destiny”, which was developed by Bungie Software, a firm that employs around 500 people. With a few exceptions (such as “SpeedTree”, a piece of software that automates the creation of realistic-looking trees), all of the art in a video game is hand-crafted. As characters, items, levels and visual effects have become more intricate and detailed, developers have had little choice but to throw more and more artists at the problem. Another reason costs are rising is the increasing professionalism of the industry. These days, Hollywood actors are hired (and paid handsomely) to voice characters. The biggest developers market-test their products to destruction. Like political parties honing a slogan, they offer snippets of gameplay to focus groups. If anything is found to be too difficult, too obscure or simply not fun, it is sent back to be re-done. That kind of quality control costs serious money.

via The Economist explains: Why video games are so expensive to develop | The Economist.

ShellShock: All you need to know about the Bash Bug vulnerability | Symantec Connect

A new vulnerability has been found that potentially affects most versions of the Linux and Unix operating systems, in addition to Mac OS X which is based around Unix. Known as the “Bash Bug” or “ShellShock,” the GNU Bash Remote Code Execution Vulnerability CVE-2014-6271 could allow an attacker to gain control over a targeted computer if exploited successfully.

The vulnerability affects Bash, a common component known as a shell that appears in many versions of Linux and Unix. Bash acts as a command language interpreter. In other words, it allows the user to type commands into a simple text-based window, which the operating system will then run.

Bash can also be used to run commands passed to it by applications and it is this feature that the vulnerability affects. One type of command that can be sent to Bash allows environment variables to be set. Environment variables are dynamic, named values that affect the way processes are run on a computer. The vulnerability lies in the fact that an attacker can tack-on malicious code to the environment variable, which will run once the variable is received.

Symantec regards this vulnerability as critical, since Bash is widely used in Linux and Unix operating systems running on Internet-connected computers, such as Web servers. Although specific conditions need to be in place for the bug to be exploited, successful exploitation could enable remote code execution. This could not only allow an attacker to steal data from a compromised computer, but enable the attacker to gain control over the computer and potentially provide them with access to other computers on the affected network.

via ShellShock: All you need to know about the Bash Bug vulnerability | Symantec Connect.
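The excerpt describes the mechanism (code tacked onto an environment variable that Bash parses on start-up) but not what it looks like in practice on the "Web servers" it names. The Python below is an added example, not code from Symantec or the Bash project, showing the defender's view: a CGI gateway copies request headers into the child's environment (HTTP_USER_AGENT, HTTP_REFERER, QUERY_STRING), so a scan of the access log for values beginning with the function-definition prefix "() {" surfaces probes against CVE-2014-6271. The prefix test mirrors the one in the vulnerable Bash import routine, which only treated a value as a function if it started with exactly those four characters. The log lines, addresses and paths are constructed for the example; the real mitigation is the Bash patch, and this scan only tells you who was knocking.

```python
import re

# Apache/nginx "combined" log format:
# client ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Vulnerable Bash imported any environment value that began with exactly
# "() {" as a function and kept executing what followed the closing brace.
SHELLSHOCK_RE = re.compile(r"^\(\) \{")

# Constructed sample log: lines 1 and 3 carry the trigger in a header that a
# CGI gateway exports; lines 2 and 4 are benign (line 4 has "() {" but not
# at the start of the value, which the Bash prefix test would not match).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
198.51.100.4 - - [25/Sep/2014:10:12:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [25/Sep/2014:10:12:09 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 500 0 "() { :;}; echo probe" "curl/7.37.0"
198.51.100.9 - - [25/Sep/2014:10:12:12 +0000] "GET /docs?topic=bash+functions HTTP/1.1" 200 300 "-" "Mozilla/5.0 (compatible; () {not really})"
"""


def is_shellshock_candidate(value):
    """True if the value would have been parsed as a function by unpatched Bash."""
    return bool(SHELLSHOCK_RE.match(value))


def candidate_values(match):
    """Yield (env_name, value) for the request parts a CGI gateway exports."""
    yield "HTTP_USER_AGENT", match.group("agent")
    yield "HTTP_REFERER", match.group("referer")
    parts = match.group("request").split(" ")
    if len(parts) >= 2 and "?" in parts[1]:
        yield "QUERY_STRING", parts[1].split("?", 1)[1]


def scan_log(text):
    """Return one finding per exported value that carries the trigger prefix."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        for env_name, value in candidate_values(m):
            if is_shellshock_candidate(value):
                findings.append({
                    "line": lineno,
                    "ip": m.group("ip"),
                    "field": env_name,
                    "status": int(m.group("status")),
                    "value": value,
                })
    return findings


def sources(findings):
    """Count hits per client address, the unit you would alert on or block."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(f"line {hit['line']}: {hit['ip']} via {hit['field']} "
              f"(HTTP {hit['status']}): {hit['value']!r}")
    print("per-source counts:", sources(hits))
```

A 500 response on a CGI path next to such a header, as on the third sample line, is worth a closer look in the CGI error log, but a 200 is not proof the probe failed; the only reliable answer is the Bash version on the host.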

CS50 Logs Record-Breaking Enrollment Numbers

Nearly 12 percent of Harvard College is enrolled in a single course, according to data released by the Faculty of Arts and Sciences Registrar’s Office on Wednesday. The course, Computer Science 50: “Introduction to Computer Science I,” attracted a record-breaking 818 undergraduates this semester, marking the largest number in the course’s 30-year history and the largest class offered at the College in the last five years, according to the Registrar’s website. Including non-College students, the enrollment number totals 875.

via CS50 Logs Record-Breaking Enrollment Numbers | News | The Harvard Crimson.

Cybersecurity hiring crisis: Rockstars, anger and the billion dollar problem

At no time in history has there been a greater need to hire security professionals to protect and defend infrastructures from an inexhaustible onslaught of organized crime, industrial espionage, and nation-state attacks. A small talent pool, an inflated wage bubble and the high tensions of a virulent attack landscape have made cybersecurity’s hiring crisis the “billion dollar” problem.

via Cybersecurity hiring crisis: Rockstars, anger and the billion dollar problem | ZDNet.