hashes – WindowsTechs.com

Good Essay on the History of Bad Password Policies

Posted on November 15, 2024 by Bruce Schneier

Stuart Schechter makes some good points on the history of bad password policies:

Morris and Thompson’s work brought much-needed data to highlight a problem that lots of people suspected was bad, but that had not been studied scientifically. Their work was a big step forward, if not for two mistakes that would impede future progress in improving passwords for decades.

First, was Morris and Thompson’s confidence that their solution, a password policy, would fix the underlying problem of weak passwords. They incorrectly assumed that if they prevented the specific categories of weakness that they had noted, that the result would be something strong. After implementing a requirement that password have multiple characters sets or more total characters, they wrote:…

Continue reading Good Essay on the History of Bad Password Policies→

Linux Fu: Roll with the Checksums

Posted on June 22, 2022 by Al Williams

We are often struck by how often we spend time trying to optimize something when we would be better off just picking a better algorithm. There is the old story …read more Continue reading Linux Fu: Roll with the Checksums→

More on Apple’s iPhone Backdoor

Posted on August 20, 2021 by Bruce Schneier

In this post, I’ll collect links on Apple’s iPhone backdoor for scanning CSAM images. Previous links are here and here.

Apple says that hash collisions in its CSAM detection system were expected, and not a concern. I’m not convinced that this secondary system was originally part of the design, since it wasn’t discussed in the original specification.

Good op-ed from a group of Princeton researchers who developed a similar system:

Our system could be easily repurposed for surveillance and censorship. The design wasn’t restricted to a specific category of content; a service could simply swap in any content-matching database, and the person using that service would be none the wiser…

Continue reading More on Apple’s iPhone Backdoor→

Apple’s NeuralHash Algorithm Has Been Reverse-Engineered

Posted on August 18, 2021 by Bruce Schneier

Apple’s NeuralHash algorithm — the one it’s using for client-side scanning on the iPhone — has been reverse-engineered.

Turns out it was already in iOS 14.3, and someone noticed:

Early tests show that it can tolerate image resizing and compression, but not cropping or rotations.

We also have the first collision: two images that hash to the same value.

The next step is to generate innocuous images that NeuralHash classifies as prohibited content.

This was a bad idea from the start, and Apple never seemed to consider the adversarial context of the system as a whole, and not just the cryptography…

Continue reading Apple’s NeuralHash Algorithm Has Been Reverse-Engineered→

On the Insecurity of ES&S Voting Machines’ Hash Code

Posted on March 16, 2021 by Bruce Schneier

Andrew Appel and Susan Greenhalgh have a blog post on the insecurity of ES&S’s software authentication system:

It turns out that ES&S has bugs in their hash-code checker: if the “reference hashcode” is completely missing, then it’ll say “yes, boss, everything is fine” instead of reporting an error. It’s simultaneously shocking and unsurprising that ES&S’s hashcode checker could contain such a blunder and that it would go unnoticed by the U.S. Election Assistance Commission’s federal certification process. It’s unsurprising because testing naturally tends to focus on “does the system work right when used as intended?” Using the system in unintended ways (which is what hackers would do) is not something anyone will notice…

Continue reading On the Insecurity of ES&S Voting Machines’ Hash Code→

Brexit Deal Mandates Old Insecure Crypto Algorithms

Posted on December 31, 2020 by Bruce Schneier

In what is surely an unthinking cut-and-paste issue, page 921 of the Brexit deal mandates the use of SHA-1 and 1024-bit RSA:

The open standard s/MIME as extension to de facto e-mail standard SMTP will be deployed to encrypt messages containing DNA profile information. The protocol s/MIME (V3) allows signed receipts, security labels, and secure mailing lists… The underlying certificate used by s/MIME mechanism has to be in compliance with X.509 standard…. The processing rules for s/MIME encryption operations… are as follows:

the sequence of the operations is: first encryption and then signing,
…

Continue reading Brexit Deal Mandates Old Insecure Crypto Algorithms→

Cryptanalyzing a Pair of Russian Encryption Algorithms

Posted on May 10, 2019 by Bruce Schneier

A pair of Russia-designed cryptographic algorithms — the Kuznyechik block cipher and the Streebog hash function — have the same flawed S-box that is almost certainly an intentional backdoor. It’s just not the kind of mistake you make by accident, not in 2014…. Continue reading Cryptanalyzing a Pair of Russian Encryption Algorithms→

Mandatory update coming to Windows 7, 2008 to kill off weak update hashes

Posted on February 19, 2019 by Peter Bright

Microsoft is phasing out SHA-1 hashes on its patches. Continue reading Mandatory update coming to Windows 7, 2008 to kill off weak update hashes→

Hash Hunting: Why File Hashes are Still Important

Posted on November 12, 2018 by Travis Smith

According to Gartner, threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable intelligence. When security research teams or government agencies release threat intelligence reports, some of… Continue reading Hash Hunting: Why File Hashes are Still Important→

Change Your Twitter Passwords Now, Security Bug Revealed

Posted on May 4, 2018 by Martin Beltov

Twitter announced a critical security bug that has been identified in the service and is now prompting users to change their passwords. The problem lies in the way the account login passwords are stored in the internal database. Change Your…Read more… Continue reading Change Your Twitter Passwords Now, Security Bug Revealed→