“A recent research paper tackles the idea of security by obscurity. The basic idea is that you can improve system security by making it hard to find out how it works…
As a code protection principle, obfuscation has always seemed obvious, but there are two general principles of security that suggest it is probably a waste of time.
- Kerckhoffs’ Principle that there is no security by obscurity,
- Fortification Principle that the defender has to defend all attack vectors, whereas the attacker only needs to attack one.
These two principles are more generally applied to systems, and not just software, but it gives us a cause for concern – after all systems are mostly accumulations of software…
The new research suggests that security is a game of incomplete information and you can learn a lot by examining your attacker’s behaviors and algorithms – his “type” – and that obscuring your game really does bring an advantage and improves your odds of winning. In short, obfuscation is a good general principle – i.e. make it hard for your attacker to find out how best to attack you.
The paper, which is well worth reading for its presentation of the general security problem, presents a “toy” security game of incomplete information where the best strategy is to try to characterize the attacker’s type while giving away as little as possible about the defender’s type. The idea of logical complexity is also used to characterize the amount and nature of the obscurity involved.”
“Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that’s passing between a webserver and an end-user browser.
The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet’s foundation of trust.
Although versions 1.1 and 1.2 of TLS aren’t susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he’s visiting.
At the Ekoparty security conference in Buenos Aires later this week, researchers Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code called BEAST, which is short for Browser Exploit Against SSL/TLS.”
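The quoted article says the weakness lives in TLS 1.0 and earlier, and that TLS 1.1 and 1.2 are not affected, so the defender-side question is simply whether a given client or server configuration can still negotiate those old versions. The following is an added example, not code from the article or from the BEAST researchers: it builds a deliberately permissive Python `ssl` context next to a hardened one and audits each for reachability of SSL 3.0 / TLS 1.0. The function names, the affected-version set and the sample log lines are my own assumptions; only the version boundary (1.0 and below affected, 1.1 and up not) comes from the article.

```python
import ssl

# Versions the quoted article describes as affected: TLS 1.0 "and earlier".
# SSL 3.0 is the only earlier version the ssl module can still name.
BEAST_AFFECTED = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1)


def legacy_client_context() -> ssl.SSLContext:
    """Constructed 'weak' configuration: a client context whose floor is TLS 1.0.

    Some OpenSSL builds have TLS 1.0 compiled out; there the setter raises
    ValueError and the context simply keeps the library's own floor.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:
        pass  # library refuses TLS 1.0 outright; nothing to weaken
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Corrected configuration: floor at TLS 1.2 (1.1 is also unaffected
    per the article, but 1.2 is the sensible minimum to pin today)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def permits_beast_affected_versions(minimum_version: int, options: int) -> bool:
    """True if a context with this floor and these options could still
    negotiate SSL 3.0 or TLS 1.0.

    A version is reachable when the floor is at or below it and no OP_NO_*
    option disables it. TLSVersion.MINIMUM_SUPPORTED (-2) means 'whatever the
    library allows', which on older builds includes TLS 1.0, so it is treated
    as permissive rather than safe.
    """
    disabled_by_option = {
        ssl.TLSVersion.SSLv3: bool(options & ssl.OP_NO_SSLv3),
        ssl.TLSVersion.TLSv1: bool(options & ssl.OP_NO_TLSv1),
    }
    for version in BEAST_AFFECTED:
        if minimum_version <= version and not disabled_by_option[version]:
            return True
    return False


def audit_context(ctx: ssl.SSLContext) -> bool:
    """Convenience wrapper: audit a live SSLContext object."""
    return permits_beast_affected_versions(ctx.minimum_version, ctx.options)


def negotiated_version_is_affected(version: str) -> bool:
    """Classify the string SSLSocket.version() returns after a handshake
    ('SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3')."""
    return version in ("SSLv3", "TLSv1")


def affected_handshakes(log_lines):
    """Pick out handshakes that landed on an affected version from
    constructed log lines of the form 'host=<name> proto=<version>'."""
    hits = []
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        if negotiated_version_is_affected(fields.get("proto", "")):
            hits.append(fields["host"])
    return hits


if __name__ == "__main__":
    # Constructed sample handshake log (not real traffic).
    sample_log = [
        "host=shop.example proto=TLSv1",
        "host=mail.example proto=TLSv1.2",
        "host=legacy.example proto=SSLv3",
    ]
    print("legacy context permits affected versions:",
          audit_context(legacy_client_context()))
    print("hardened context permits affected versions:",
          audit_context(hardened_client_context()))
    print("hosts negotiating an affected version:", affected_handshakes(sample_log))
```

The audit works on the floor plus the `OP_NO_*` bits rather than on the floor alone because older code often disables versions only through options, leaving `minimum_version` at `MINIMUM_SUPPORTED`; checking one without the other gives false results in both directions.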
“Teagueduino is an open source electronic board and interface that allows you to realize creative ideas without soldering or knowing how to code, while teaching you the ropes of programming and embedded development (like arduino).
Teagueduino is designed to help you discover your inner techno-geek and embrace the awesomeness of making things in realtime — even if you’ve only ever programmed your VCR…
Just plug in a sensor to one of the input ports (for example, a knob), hook up an output device (a speaker, perhaps?), and use the awesomely simple Teagueduino user interface to make it work (a single line of code can map the knob’s rotation to a musical tone on the speaker)!
And since everything changes in realtime, there’s no waiting for things to compile or the device to reset.”