The 2007 Underhanded C Contest has a marvelous theme — weak crypto.
The object of this year’s contest: write a short, simple C program that encrypts/decrypts a file, given a password on the command line. Don’t implement your own cipher, but use a bog-standard strong cipher from a widely available library.
Your challenge: write the code so that some small fraction of the time (between 1% and 0.01% of files, on average) the encrypted file is weak and can be cracked by an adversary without the password. The poorly encrypted file must still decrypt properly by your own software.
Other great comments:
Short programs are innocent, and more impressive. If your source file is over 200 lines, you are not likely to win. You can hide a semi truck in 300 lines of C.
Of course, there are other factors: we award points for humor value and irony. I have always been impressed with the winner of the 2004 Obfuscated V contest, who concealed an error in a vote-counting program by adding a voter-verifiable paper trail function that overflowed a buffer. That’s evil with style.
What a great idea.
So we had some random DNS trouble recently. I believe everything should be back to normal, but DNS issues can take a while to propagate and be fixed. So apologies for the non-availability. We’ve made procedural changes to make these less likely in the future.
Oh, and we lost the SSNs of everyone who had included them in their comments. Sorry, Pete and Dennis!
In a week, the US and Canada are changing when they go to Daylight Saving Time. It must be a slow news time as well, because I’ve read several articles like this, “Daylight-Saving Time Change: Bigger than Y2K?”
When Y2K came around, a number of us quoted Marvin the Martian (now of the Boston Police Department) on this: “Where’s the kaboom? There was supposed to be an earth-shattering kaboom!” So I think that’s going to be a big “yes” on the question. Any positive number is bigger than zero, so no one’s going to be embarrassed for over-reporting.
Eweek also said, “Our story tries not to turn this into a Chicken Little exercise, but it does lay out the reasons why this could be huge.” Oh, please. Any time someone says they’re not trying to be Chicken Little but — you know they’re being Chicken Little, and so do they.
Might there be problems? Ayup. I have to fly that Sunday, and I’m even less pleased than I would be otherwise. There will be screwups. But really, it’s an hour. There will be people late to things, and we’ll cope.
I think this latest change is monumental stupidity, and I’m someone who thinks we should just go to year-round DST. Before, there was one week difference between Europe and North America in DST. Now there’s — eesh. I don’t know, yet. Regularizing them would have made much more sense, despite my belief that more DST is better. Heck, we ought to stop saving it and invest for the increased return.
Here’s the lead story in this week’s CSO magazine. I’m sure glad we no longer have to worry about breaches or compliance and can focus on whether we’re wearing the right things.
In “Threatening Winds Likely to Close Major Bridges,” the Washington State Department of Transportation declares:
WSDOT has never closed Tacoma Narrows Bridge for high winds.
I don’t know that I’d be braggin’ about that.
Picture from Wikipedia.
[Update: They did in fact close the bridge. And I’m fine. Never lost power, no trees fell on me, and I had a productive day at the local coffee shop.]
Chandler Howell has a great post about giant waves. He quotes extensively from “Monster Rogue Waves” at Damninteresting:
More recently, satellite photos and radar imagery have documented the existence of numerous rogue waves, and it turns out that they are far more common than previously thought. During a three-week study in 2001, radar scanning detected ten monster waves in a 1.5 million square kilometer area. Satellites and direct observations have also established that rogue waves can happen anywhere, but they are most numerous in the North Atlantic and off the western shore of South Africa. In spite of their frequency, monster waves rarely meet with sea vessels because they are so short-lived.
He has interesting things to say about the waves and risk management, and I’d like to tie in my current thinking on breach analysis. The wave of reports about how people lose control of data entrusted to them is rocking some boats, and sinking a very few. As we get more and more data, we’ll be able to better analyze it, and focus our risk management techniques better on what matters most.
Speaking of the effects of naval risk management, don’t miss Nick Szabo on Genoa.
Justin Mason has some thoughts in “Google DRM and WON Authentication:”
That’s interesting. In my opinion, given that quote, I’ll bet Google’s DRM is something similar to the copy-protection systems used for many games since about id’s Quake 3 and Valve’s Half-Life; an online “key server” which validates codes, tracks player IDs, and who’s viewing what, “live”, as the video is cued up and played.
Anyway, that’s speculation. It remains to be seen if they’ve come up with something along the lines of WON authentication — and if it’s still easily subvertable or not.
I think Justin (unusually) is missing the point here. Google is famous for being even more tight-lipped than Apple about what they’re doing, but that doesn’t work in contract-land. If I’m paying for a service, I need to understand what that service is, or I won’t contract for it. With Apple, at least they tell you each time they enhance iTunes for your enjoyment. Google has, to date, not offered many paid services at all, and none to consumers. People’s expectations are different when they give you money, and Google is going to need to talk about the restrictions they’re putting in place.
Then again, maybe I’m just bitter.
Since Katrina, I’ve been trying to spend about $25 a week on disaster preparedness. Fortunately, I already own some basic camping gear, so I’m starting out by storing more food and water. My pantry tends to be thin on food that can be eaten without preparation. I have powerbars and snack bars, so I’ve been adding canned foods and trail mixes, and I’m going to get a couple of army “meals-ready-to-eat.” Each of those tastes about as good as a brick, but is far more nutritious: each has about 2,000 calories, which is a day’s eating.
Eric Rescorla has two excellent posts on the water side of things: “Arranging for a supply of water” and “Kevin Dick on water preparedness.” I’m guessing that Kevin lives in California, and is concerned with earthquakes. This causes him to have supplies in the car. My disaster model is a little more hurricane focused, and so I expect to have warning. Not that I’ll leave my car empty, but my focus is a five day stay at home.
One of the things I learned from Eric’s posts is to think about water not only as hydration, but also sanitization, and so I bought a few 8 oz jugs of hand sanitizer. Another thing I learned, as I was storing the trail mix: check the ‘best by’ date on it. It turns out that one jar I got has a ‘best by’ date in January 06. And it looked so dehydrated and unappealing.
The final food question is caffeine. I don’t want to be stressed out and have withdrawal symptoms at the same time. Nor do I want to be munching coffee beans raw. I did get some ground coffee, which can be made to work if I have heat. I could assume that my (gas) stove will work, and get a French press. I could get a camp stove, or a camp coffee maker. I could get chocolate-covered espresso beans. None of these seem really satisfactory.