Schneier’s Law

Something fun about cryptography. Enjoy.

“Schneier’s Law”

by Bruce Schneier on Friday, April 15, 2011 at 12:45pm

Back in 1998, I wrote:

Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can’t break.

In 2004, Cory Doctorow called this Schneier’s law:

…what I think of as Schneier’s Law: “any person can invent a security system so clever that she or he can’t think of how to break it.” Read the rest of this entry »

CUHK Bioencryption – Just storage, no encryption?

It was interesting to read about a team of students and their advisors from Chinese University of Hong Kong (CUHK) School of Life Sciences won gold with their bioencryption project (see more news) at the International Genetically Engineered Machine (iGEM) 2010 competition organized by the Massachusetts Institute of Technology (MIT).

While the team has certainly made some interesting progress, security technologist and author Bruce Schneier has questions about the team’s “bioencryption” claims (emphasis),

“Why can’t bacteria be hacked? If the storage system is attached to a network, it’s just as vulnerable as anything else attached to a network. And if it’s disconnected from any network, then it’s just as secure as anything else disconnected from a network. The problem the U.S. diplomats had was authorized access to the WikiLeaks cables by someone who decided to leak them. No cryptography helps against that.“

And Bruce even started his article with, “The article talks about how secure it is, and the students even coined the term “bioencryption,” but I don’t see any encryption. It’s just storage.“

I can’t find a full technical paper to read but after reading the above press reports and the team’s iGEM project description, project principle, and project results, I have to say, like Bruce, I also don’t see any encryption and it looks like just storage to me.

And reading scientist’s quotes like the following in popular press,

“Bacteria can’t be hacked. All kinds of computers are vulnerable to electrical failures or data theft. But bacteria are immune from cyber attacks. You can safeguard the information.“

just don’t exactly give me confidence that the scientist fully appreciate/understand computer security/cryptography.

I don’t mean to be too critical of some of the CUHK team’s achievements. I think they have done well. At the same time, I think it is very important for serious scientists to know the limits of their scientific claims and don’t overextend without proper justified support.

Of course, I might be wrong, and it will be wonderful if someone can explain to me what I missed so that I can learn and understand. If I am mistaken, it will be my pleasure to correct this article.

The Price of RIM averting BlackBerry ban in UAE

On the surface, it seems nice that RIM averts BlackBerry ban in UAE. For those who actually knows more about security like Bruce Schneier, here he talked about the possible price RIM might have paid in detriment to RIM users’ secure communications. Have a read of this telling excerpt,

“Am I missing something here? RIM isn’t providing a file storage service, where user-encrypted data is stored on its servers. RIM is providing a communications service. While the data is encrypted between RIM’s servers and the BlackBerrys, it has to be encrypted by RIM — so RIM has access to the plaintext.

In any case, RIM has already demonstrated that it has the technical ability to address the UAE’s concerns. Like the apocryphal story about Churchill and Lady Astor, all that’s left is to agree on a price.”

Without transparency of the compromises made, reading the following gives me no additional confidence of RIM’s “promise”,

“In a response to news of the agreement with the UAE, a RIM spokesperson e-mailed CNET the following statement dated today:

“RIM cannot discuss the details of confidential regulatory matters that occur in specific countries, but RIM confirms that it continues to approach lawful access matters internationally within the framework of core principles that were publicly communicated by RIM on August 12.”"

The following excerpted opinion makes sense to me,

“I’m actually sympathetic to the need for government to engage in surveillance where appropriate. But even if you think you can trust the government not to abuse this access—and I don’t think you can—backdoors in systems like RIM’s Blackberry e-mail may become available to other parties, including criminal enterprises.”

Quantum Cryptography Cracked

Interesting “Quantum Cryptography Cracked“.

GSM Mobile phone security cracked, says German hacker

UK Guardian is reporting (emphasis added),

A German computer scientist has cracked the codes used to encrypt calls made from more than 80% of the world’s mobile phones.

Karsten Nohl [K: Nohl's U of Virginia page] and his team of 24 hackers began working on the security algorithm for GSM (Global System for Mobiles) in August.

[...] Nohl claims that armed with the code, which has been published online, and a laptop with two network cards, an eavesdropper could be recording phone calls within 15 minutes.

“This shows that existing GSM security is inadequate,” Nohl told the Chaos Communication Congress, an international annual meeting of hackers taking place in Berlin this week.

Nohl insisted that he had deciphered the code to force the global telecommunications industry to upgrade its security.

Nohl told the Guardian that important negotiations involving politicians or business leaders could easily be intercepted and they should invest in further encryption software to protect their privacy. “If there is anything secret going on using GSM, this should be of concern.”

More report in NYT and The Register.

Anyone who cares about our communication security based on Cryptography should know that the only way to keep our communication secure is to conduct open and active research in the field where weakness and problems are dealt with in a prompt and appropriate manner. Security through obscurity is NOT an option, and if I were less diplomatic, I would say it is plain stupid to rely our treasured security on obscurity.