Author: Ajay Ohri

http://about.me/ajayohri

Internet Encryption Algols are flawed- too little too late!

Some news from a paper I am reading- not surprised that RSA has a problem .

http://eprint.iacr.org/2012/064.pdf

Abstract. We performed a sanity check of public keys collected on the web. Our main goal was to test the validity of the assumption that di erent random choices are made each time keys are generated.We found that the vast majority of public keys work as intended. A more disconcerting fi nding is that two out of every one thousand RSA moduli that we collected off er no security.

 

Our conclusion is that the validity of the assumption is questionable and that generating keys in the real world for multiple-secrets” cryptosystems such as RSA is signi cantly riskier than for single-secret” ones such as ElGamal or (EC)DSA which are based on Die-Hellman.

Keywords: Sanity check, RSA, 99.8% security, ElGamal, DSA, ECDSA, (batch) factoring, discrete logarithm, Euclidean algorithm, seeding random number generators, K9.

and

 

99.8% Security. More seriously, we stumbled upon 12720 di erent 1024-bit RSA moduli that o ffer no security. Their secret keys are accessible to anyone who takes the trouble to redo our work. Assuming access to the public key collection, this is straightforward compared to more

traditional ways to retrieve RSA secret keys (cf. [5,15]). Information on the a ected X.509 certi cates and PGP keys is given in the full version of this paper, cf. below. Overall, over the data we collected 1024-bit RSA provides 99.8% security at best (but see Appendix A).

 

However no algol is perfect and even Elliptic Based Crypto ( see http://en.wikipedia.org/wiki/Elliptic_curve_cryptography#Fast_reduction_.28NIST_curves.29 )has a flaw called Shor http://en.wikipedia.org/wiki/Shor%27s_algorithm

Funny thing is ECC is now used for Open DNS


http://dnscurve.org/crypto.html

The DNSCurve project adds link-level public-key protection to DNS packets. This page discusses the cryptographic tools used in DNSCurve.

ELLIPTIC-CURVE CRYPTOGRAPHY

DNSCurve uses elliptic-curve cryptography, not RSA.

RSA is somewhat older than elliptic-curve cryptography: RSA was introduced in 1977, while elliptic-curve cryptography was introduced in 1985. However, RSA has shown many more weaknesses than elliptic-curve cryptography. RSA’s effective security level was dramatically reduced by the linear sieve in the late 1970s, by the quadratic sieve and ECM in the 1980s, and by the number-field sieve in the 1990s. For comparison, a few attacks have been developed against some rare elliptic curves having special algebraic structures, and the amount of computer power available to attackers has predictably increased, but typical elliptic curves require just as much computer power to break today as they required twenty years ago.

IEEE P1363 standardized elliptic-curve cryptography in the late 1990s, including a stringent list of security criteria for elliptic curves. NIST used the IEEE P1363 criteria to select fifteen specific elliptic curves at five different security levels. In 2005, NSA issued a new “Suite B” standard, recommending the NIST elliptic curves (at two specific security levels) for all public-key cryptography and withdrawing previous recommendations of RSA.

Some specific types of elliptic-curve cryptography are patented, but DNSCurve does not use any of those types of elliptic-curve cryptography.

No wonder college kids are hacking defense databases easily nowadays!!

Predictive analytics in the cloud : Angoss

I interviewed Angoss in depth here at http://www.decisionstats.com/interview-eberhard-miethke-and-dr-mamdouh-refaat-angoss-software/

Well they just announced a predictive analytics in the cloud.

 

http://www.angoss.com/predictive-analytics-solutions/cloud-solutions/

Solutions

Overview

KnowledgeCLOUD™ solutions deliver predictive analytics in the Cloud to help businesses gain competitive advantage in the areas of sales, marketing and risk management by unlocking the predictive power of their customer data.

KnowledgeCLOUD clients experience rapid time to value and reduced IT investment, and enjoy the benefits of Angoss’ industry leading predictive analytics – without the need for highly specialized human capital and technology.

KnowledgeCLOUD solutions serve clients in the asset management, insurance, banking, high tech, healthcare and retail industries. Industry solutions consist of a choice of analytical modules:

KnowledgeCLOUD for Sales/Marketing

KnowledgeCLOUD solutions are delivered via KnowledgeHUB™, a secure, scalable cloud-based analytical platform together with supporting deployment processes and professional services that deliver predictive analytics to clients in a hosted environment. Angoss industry leading predictive analytics technology is employed for the development of models and deployment of solutions.

Angoss’ deep analytics and domain expertise guarantees effectiveness – all solutions are back-tested for accuracy against historical data prior to deployment. Best practices are shared throughout the service to optimize your processes and success. Finely tuned client engagement and professional services ensure effective change management and program adoption throughout your organization.

For businesses looking to gain a competitive edge and put their data to work, Angoss is the ideal partner.

—-

Hmm. Analytics in the cloud . Reduce hardware costs. Reduce software costs . Increase profitability margins.

Hmmmmm

My favorite professor in North Carolina who calls cloud as a time sharing, are you listening Professor?

Understanding Indian Govt attitude to Iran and Iraq wars

This is a collection of links for a geo-strategic analysis, and the economics of wars and allies. The author neither condones nor condemns current global dynamics in the balance of power.

nations don’t have friends or enemies…nations only have interests

In 2003

The war in Iraq had a unique Indian angle right at the beginning. Some members of the US administration felt they needed more troops in Iraq, and they started negotiating with India. Those negotiations broke down because the Indians wanted to fight under the UN flag and on MONEY!!

India wanted-

  • More money per soldier deployed,
  • more share in post War Oil Contracts,
  • better diplomatic subtlety
Govt changed in India due to elections in2003 (Muslim voters are critical in any govt forming majority party), and the Iraq war ran its tragic course without any Indian explicit support.
In 26 Nov 2008, Islamic Terrorists killed US, Indian and Israeli citizens in terror strikes in Mumbai Sieze- thus proving that appeasing terrorist nations is just riding a tiger.

http://articles.timesofindia.indiatimes.com/2003-06-13/india/27203305_1_stabilisation-force-indian-troops-pentagon-delegation

NEW DELHI: There will be a lot a Iraq on the menu over the weekend before the Pentagon team arrives here on Monday to talk India into sending troops to the war-torn nation.

http://articles.timesofindia.indiatimes.com/2003-07-28/india/27176989_1_troops-issue-stabilisation-force-defence-policy-group

Jul 28, 2003, 01.28pm IST

NEW DELHI: Chairman of the US Joint Chiefs of Staff Gen Richard B Myers, who is arriving here on Monday evening on a two-day visit, will request India to reconsider its decision on sending troops to Iraq.

and

Jul 29, 2003, 07.00pm IST

NEW DELHI: Though Gen Myers flatly denied his visit had anything to do with persuading India to send troops to Iraq, it is evident that the US desperately wants Delhi to contribute a division-level force of over 15,000 combat soldiers.

http://articles.timesofindia.indiatimes.com/2003-09-10/india/27176101_1_stabilisation-force-force-under-american-control-regional-dialogue

Sep 10, 2003, 05.34pm IST

NEW DELHI: Even as the US-drafted resolution on Iraq is being heatedly debated in many countries, American Assistant Secretary of State for South Asia Christina Rocca held a series of meetings with External Affairs Ministry officials on Wednesday.

Though it was officially called “a regional dialogue”, the US request to contribute a division-level force of over 15,000 combat soldiers to the “stabilisation force” in Iraq is learnt to have figured in the discussions.

The penny wise -pound foolish attitude of then Def Secretary Rumsfield led to break down in negotiations.

“Those who fail to learn from history are doomed to repeat it.” Sir Winston Churchill

In 2012

Indian govt again faces elections and we have 150 million Muslim voters just like other countries have influential lobbies.

and while Israelis are being targeted again in attacks in India-

India is still seeking money-

India has struck a defiant tone over new financial sanctions imposed by the United States and European Union to punish Iran for its nuclear programme, coming up with elaborate trade and barter arrangements to pay for oil supplies.

However, the president of the All India Rice Exporters’ Association, said Monday’s attack on the wife of an Israeli diplomat in the Indian capital will damage trade with Iran and may complicate efforts to resolve an impasse over Iranian defaults on payments for rice imports worth around $150 million.

http://timesofindia.indiatimes.com/india/Unfazed-by-US-sanctions-India-to-step-up-ties-with-Iran/articleshow/11887691.cms

India buys $ 5  billion worth of oil from Iran. Annually. Clearly it is a critical financial trading partner to Iran.

It has now gotten extra sops from Iran to continue trading-and is now waiting for a sweeter monetary offer from US and/or Israel to even consider thinking about going through the pain of unchanging the inertia of ties with Iran.

There are some aspects of political corruption as well, as Indian political establishment  is notoriously prone to corruption by lobbyists (apparently there   is a global war on lobbyists that needs to happen)

http://timesofindia.indiatimes.com/india/Unfazed-by-US-sanctions-India-to-step-up-ties-with-Iran/articleshow/11887691.cms

 Feb 14, 2012, 05.54PM ISTUnfazed by US sanctions, India to step up ties with Iran
India is set to ramp up its energy and business ties with Iran. (AFP Photo)
NEW DELHI: Unfazed by US sanctions and Israel linking Tehran to the attack on an Israeli embassy car here, India is set to ramp up its energy and business ties with Iran, with a commerce ministry team heading to Tehran to explore fresh business opportunities. 

The team is expected to go to Tehran later this month to discuss steps to expand India’s trade with Iran, part of a larger strategy to pay for Iranian oil, said highly-placed sources. 

Despite the US and European Union sanctions on Iran, India recently sealed a payment mechanism under which Indian companies will pay for 45 percent of their crude oil imports from Iran in rupees. 

So diplomats with argue over money in Israel, Indian and US while terrorists will kill.

Against Stupidity- The Gods Themselves -Contend in Vain

Cyber Cold War

I try to write on cyber conflict without getting into the politics of why someone is hacking someone else. I always get beaten by someone in the comments thread when I write on politics.

But recent events have forced me to update my usual “how-to” cyber conflict to “why” cyber conflict. This is because of a terrorist attack in my hometown Delhi.

(updated-

http://www.nytimes.com/2012/02/14/world/middleeast/israeli-embassy-officials-attacked-in-india-and-georgia.html?_r=1&hp

Iran allegedly tried  (as per Israel) to assassinate the wife of Israeli Defence Attache in Delhi using a magnetic bomb, India as she went to school to pick up her kids, somebody else put a grenade in Israeli embassy car in Georgia which was found in time. 

Based on reports , initial work suggests the bomb was much more sophisticated than local terrorists, but the terrorists seemed to have some local recce work done.

India has 0 history of antisemitism but this is the second time Israelis have been targeted since 26/11 Mumbai attacks. India buys 12 % of oil annually from Iran (and refuses to join the oil embargo called by US and Europe)

Cyber Conflict is less painful than conflict, which is inevitable as long as mankind exists. Also the Western hemisphere needs a moon shot (cyber conflict could be the Sputnik like moment) and with declining and aging populations but better technology, Western Hemisphere govts need cyber conflict as they are running out of humans to fight their wars. Eastern govt. are even more obnoxious in using children for conflict propaganda, and corruption.

Last week CIA.gov website went down

This week Iranian govt is allegedly blocking https traffic on eve of Annual Revolution Day (what a coincidence!)

 

Some resources to help Internet users in Iran (or maybe this could be a dummy test for the big one – hacking the great firewall of China)

News from Hacker News-

http://news.ycombinator.com/item?id=3575029

 

I’m writing this to report the serious troubles we have regarding accessing Internet in Iran at the moment. Since Thursday Iranian government has shutted down the https protocol which has caused almost all google services (gmail, and google.com itself) to become inaccessible. Almost all websites that reply on Google APIs (like wolfram alpha) won’t work. Accessing to any website that replies on https (just imaging how many websites use this protocol, from Arch Wiki to bank websites). Also accessing many proxies is also impossible. There are almost no official reports on this and with many websites and my email accounts restricted I can just confirm this based on my own and friends experience. I have just found one report here:

Iran Shut Down Gmail , Google , Yahoo and sites using “Https” Protocol

The reason for this horrible shutdown is that the Iranian regime celebrates 1979 Islamic revolution tomorrow.

I just wanted to let you guys know about this. If you have any solution regarding bypassing this restriction please help!

 

The boys at Tor think they can help-

but its not so elegant, as I prefer creating a  batch file rather than explain coding to newbies. 

this is still getting to better and easier interfaces

https://www.torproject.org/projects/obfsproxy-instructions.html.en

Obfsproxy Instructions

client torrc

Step 1: Install dependencies, obfsproxy, and Tor

 

You will need a C compiler (gcc), the autoconf and autotools build system, the git revision control system, pkg-config andlibtoollibevent-2 and its headers, and the development headers of OpenSSL.

On Debian testing or Ubuntu oneiric, you could do:
# apt-get install autoconf autotools-dev gcc git pkg-config libtool libevent-2.0-5 libevent-dev libevent-openssl-2.0-5 libssl-dev

If you’re on a more stable Linux, you can either try our experimental backport libevent2 debs or build libevent2 from source.

Clone obfsproxy from its git repository:
$ git clone https://git.torproject.org/obfsproxy.git
The above command should create and populate a directory named ‘obfsproxy’ in your current directory.

Compile obfsproxy:
$ cd obfsproxy
$ ./autogen.sh && ./configure && make

Optionally, as root install obfsproxy in your system:
# make install

If you prefer not to install obfsproxy as root, you can instead just modify the Transport lines in your torrc file (explained below) to point to your obfsproxy binary.

You will need Tor 0.2.3.11-alpha or later.

Step 2a: If you’re the client…

 

First, you need to learn the address of a bridge that supports obfsproxy. If you don’t know any, try asking a friend to set one up for you. Then the appropriate lines to your tor configuration file:

UseBridges 1
Bridge obfs2 128.31.0.34:1051
ClientTransportPlugin obfs2 exec /usr/local/bin/obfsproxy --managed

Don’t forget to replace 128.31.0.34:1051 with the IP address and port that the bridge’s obfsproxy is listening on.
 Congratulations! Your traffic should now be obfuscated by obfsproxy. You are done! You can now start using Tor.

For old fashioned tunnel creation under Seas of English Channel-

http://dag.wieers.com/howto/ssh-http-tunneling/

Tunneling SSH over HTTP(S)
This document explains how to set up an Apache server and SSH client to allow tunneling SSH over HTTP(S). This can be useful on restricted networks that either firewall everything except HTTP traffic (tcp/80,tcp/443) or require users to use a local (HTTP) proxy.
A lot of people asked why doing it like this if you can just make sshd listen on port 443. Well, that might work if your environment is not hardened like I have seen at several companies, but this setup has a few advantages.

  • You can proxy to anywhere (see the Proxy directive in Apache) based on names
  • You can proxy to any port you like (see the AllowCONNECT directive in Apache)
  • It works even when there is a layer-7 protocol firewall
  • If you enable proxytunnel ssl support, it is indistinguishable from real SSL traffic
  • You can come up with nice hostnames like ‘downloads.yourdomain.com’ and ‘pictures.yourdomain.com’ and for normal users these will look like normal websites when visited.
  • There are many possibilities for doing authentication further along the path
  • You can do proxy-bouncing to the n-th degree to mask where you’re coming from or going to (however this requires more changes to proxytunnel, currently I only added support for one remote proxy)
  • You do not have to dedicate an IP-address for sshd, you can still run an HTTPS site

Related-

http://opensourceandhackystuff.blogspot.in/2012/02/captive-portal-security-part-1.html

and some crypto for young people

http://users.telenet.be/d.rijmenants/en/onetimepad.htm

 

Me- What am I doing about it? I am just writing poems on hacking at http://poemsforkush.com

Self Driving Cars , Geo Coded Ads, End of Privacy

Imagine a world in which your car tracks everywhere you go. Over a period of time, it builds up a database of your driving habits, how long you stay at particular kinds of dining places, entertainment places (ahem!) , and the days, and times you do it.  You can no longer go to massage parlours without your data being checked by your car software admin (read – your home admin)

And that data is mined using machine learning algols to give you better ads for pizzas, or a reminder for food after every 3 hours , or an ad for beer every Thursday after 8 pm .

Welcome Brave New World!

How to learn to be a hacker easily

1) Are you sure. It is tough to be a hacker. And football players get all the attention.

2) Really? Read on

3) Read Hacker’s Code

http://muq.org/~cynbe/hackers-code.html

The Hacker’s Code

“A hacker of the Old Code.”

  • Hackers come and go, but a great hack is forever.
  • Public goods belong to the public.*
  • Software hoarding is evil.
    Software does the greatest good given to the greatest number.
  • Don’t be evil.
  • Sourceless software sucks.
  • People have rights.
    Organizations live on sufferance.
  • Governments are organizations.
  • If it is wrong when citizens do it,
    it is wrong when governments do it.
  • Information wants to be free.
    Information deserves to be free.
  • Being legal doesn’t make it right.
  • Being illegal doesn’t make it wrong.
  • Subverting tyranny is the highest duty.
  • Trust your technolust!

4) Read How to be a hacker by

Eric Steven Raymond

http://www.catb.org/~esr/faqs/hacker-howto.html

or just get the Hacker Attitude

The Hacker Attitude

1. The world is full of fascinating problems waiting to be solved.
2. No problem should ever have to be solved twice.
3. Boredom and drudgery are evil.
4. Freedom is good.
5. Attitude is no substitute for competence.
5) If you are tired of reading English, maybe I should move on to technical stuff
6) Create your hacking space, a virtual disk on your machine.
You will need to learn a bit of Linux. If you are a Windows user, I recommend creating a VMWare partition with Ubuntu
If you like Mac, I recommend the more aesthetic Linux Mint.
How to create your virtual disk-
read here-
Download VM Player here
http://www.vmware.com/support/product-support/player/
Down iso image of operating system here
http://ubuntu.com
Downloading is the longest thing in this exercise
Now just do what is written here
http://www.vmware.com/pdf/vmware_player40.pdf
or if you want to try and experiment with other ways to use Windows and Linux just read this
http://www.decisionstats.com/ways-to-use-both-windows-and-linux-together/
Moving data back and forth between your new virtual disk and your old real disk
http://www.decisionstats.com/moving-data-between-windows-and-ubuntu-vmware-partition/
7) Get Tor to hide your IP address when on internet
https://www.torproject.org/docs/tor-doc-windows.html.en
8a ) Block Ads using Ad-block plugin when surfing the internet (like 14.95 million other users)
https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/
 8b) and use Mafiafire to get elusive websites
https://addons.mozilla.org/en-US/firefox/addon/mafiaafire-redirector/
9) Get a  Bit Torrent Client at http://www.utorrent.com/
This will help you download stuff
10) Hacker Culture Alert-
This instruction is purely for sharing the culture but not the techie work of being a hacker
The website Pirate bay acts like a search engine for Bit torrents 
http://thepiratebay.se/
Visiting it is considered bad since you can get lots of music, videos, movies etc for free, without paying copyright fees.
The website 4chan is considered a meeting place to meet other hackers. The site can be visually shocking
http://boards.4chan.org/b/
You need to do atleast set up these systems, read the websites and come back in N month time for second part in this series on how to learn to be a hacker. That will be the coding part.
END OF PART  1
Updated – sorry been a bit delayed on next part. Will post soon.

Sanskrit for Human Resource Management

So I picked up more Sanskrit on my stay at Goa at the Tantra http://www.decisionstats.com/tantra-anjuna/

Things to do- or Aims of Human Life

Dharam– Planning, Duty and Responsibilities
Karam– Executing Actions
Artha-Monetary Gains through Planning and Executing
Kama-Desires and Pleasure Seeking
Moksha- Achieving Self Actualization

Things to Control-

http://en.wikipedia.org/wiki/Five_Evils

instead of 7 sins in Western thought, there are only 5 evils in Sanksrit. Also these evils are correlated, if you control one too much, the other evils will rise.
Kam – Your Lusts or Desires
Krodha-Your Anger
Madh-Your Pride
Lobh-Your Greed for Monetary Satisfaction
Moh-Your affection and love and attachments

 

Also related-

Sanskrit for Motivation

http://www.decisionstats.com/strategic-tactics-in-sanskrit/

Indian Societal Hierarchy

http://www.decisionstats.com/economic-indian-caste-system-simplification/