Tag: public key encryption

The Conficker April Fool

Tomorrow is April Fools’ Day. There will be plenty of jokes played, and many people bamboozled. Be ready, and believe nothing you hear. Well, almost nothing.

The Conficker worm (a.k.a. Downup, Downadup and Kido) is a nasty piece of computer malware that has been on the move (i.e. spreading) since late last year, infecting Windows machines far and wide. It calls out to website domains, looking for payloads, and uses some of the most sophisticated encryption/signing technology around to prevent its little gifts from being hijacked. It connects out the same way your internet browser does (via HTTP), and on April 1st one of its variants is going to massively expand the size of its seek-and-infect scope. That may create some network congestion.

But other than the possibility of being infected, there’s actually not a heck of a lot more to say about Conficker (except that if your at-work Facebook browsing gets slow on Wednesday, you may want to just keep mum about it). Microsoft, ICANN, Verisign and many others have been working on the problem for more than a month. Further, Microsoft released a patch for the vulnerability the virus exploits back in October, before Conficker was released. So if you’ve kept your system updated, you probably don’t have much to worry about anyway. That is, unless you’re CBS’s 60 Minutes.

But what’s the real joke of all this? Well, it’s not that Conficker isn’t actually doing anything right now – it’s just waiting for further instructions. Meanwhile, researchers are working diligently on solutions. No, what’s hilarious is that there is an entirely different threat lingering – one that has received much less attention, and could potentially be much, much more damaging.

Researchers are calling it GhostNet, and it’s already stolen vast amounts of data from government and private offices around the world. It ran completely undetected until the office of the Dalai Lama suspected foul play, and asked Toronto researchers to investigate. Some are blaming the Chinese, but they are denying all.

By the way, GhostNet, which runs via another piece of malware called gh0st RAT (RAT stands for ‘Remote Access Tool’), isn’t waiting around for instructions; it’s still digging away. I conclude that the media is steering info-tech security priorities in the wrong direction – generating fear for headlines belays no crisis.

Within a few years, every bit of data on every computer on the planet will be encrypted. And every bit of data circulated on the web (including email, instant messaging, and even select portions of the web sites you view daily) will be encrypted. Dig all you want, boogieman.

“What they can’t read won’t hurt you.” – MG 3/31/09

Encrypt the whole disk, or just the parts?

RFO (Request for Opinions) on PGP Whole Disk Encryption:

Interestingly, it is hard to find any negative articles on PGP, probably because most of them are written by IT pros who are only focused on the security, and not usability. I therefore ask the Slashdot community, what are the disadvantages of PGP in terms of performance, Linux, and high-performance computational research?

I’m not sure about the performance aspects, but I’ve always been a fan of virtual disk (image) encryption. It’s a usability issue, centered primarily on portability.

Secondarily, I was always wary about relying on one piece of third-party software that I was constantly forced to upgrade along with OS’s. During my last OS upgrade (from OS X 10.4 to 10.5) I bagged PGP altogether – I’m now using regular old disk images and encrypting them with 10.5’s resident AES-256 functionality. As for email, usability (centered on the relative complexity of public key encryption in available email clients) really stinks all around, which is probably why so few have adopted it. But I suspect a solution to that issue will present itself forthwith.

A Public Key for the Public

Encryption startup Voltage Security has just received $15M in second round financing.

The company makes a public key encryption mechanism called Identity Based Encryption, which greatly simplifies the use of public keys.