Bitcoin Releases Version 0.3

Posted by kdawson | Posted in Encryption, News | Posted on 11-07-2010

Teppy writes “How’s this for a disruptive technology? Bitcoin is a peer-to-peer, network-based digital currency with no central bank, and no transaction fees. Using a proof-of-work concept, nodes burn CPU cycles searching for bundles of coins, broadcasting their findings to the network. Analysis of energy usage indicates that the market value of Bitcoins is already above the value of the energy needed to generate them, indicating healthy demand. The community is hopeful the currency will remain outside the reach of any government.” Here are the FAQ, a paper describing Bitcoin in more technical detail (PDF), and the Wikipedia article. Note: a commercial service called BitCoin Ltd., in pre-alpha at bitcoin.com, bears no relation to the open source digital currency.

Read more of this story at Slashdot.


The Secrets of the Chaocipher Finally Revealed

Posted by timothy | Posted in Encryption, News | Posted on 03-07-2010

nickpelling2 writes “In 1918, John F. Byrne invented a truly amazing cipher system, called ‘The Chaocipher’, that fitted inside a small cigar box, could be operated by a ten-year-old, yet produced practically unbreakable ciphertext (arguably even stronger than the Nazi Enigma machine). But now, thanks to the efforts of Chaocipher fan Moshe Rubin and the generous gift of Byrne’s cryptographic effects by his daughter-in-law Pat Byrne to the National Cryptologic Museum, the secrets of the Chaocipher are finally starting to be revealed — it’s a great story. To accompany Moshe Rubin’s excellent textual description of the Chaocipher, I’ve posted a 30-second animation of the Chaocipher in action to YouTube, just in case anyone wants to see the most devious cipher of the 20th century in action (sort of).”


EFF delivers HTTPS Not Quite Everywhere

Posted by Susan Linton | Posted in Encryption, Firefox, Privacy, extension | Posted on 29-06-2010

In the early hours of June 18 the Electronic Frontier Foundation and the Tor Project released a beta of a Firefox extension dubbed “HTTPS Everywhere” with the intention of providing encryption of user data when visiting certain sites. According to the official announcement, “HTTPS Everywhere” will provide SSL encryption to sites like Google Search, Wikipedia, Twitter and Identi.ca, and Facebook.


From the labs: IT’s future today

Posted by Jason Snyder | Posted in Applications, Data Explosion, Data Security, Encryption, Hardware, Memory, Networking, News, Processors, Security Central, wireless networking | Posted on 21-06-2010

For all its promise of revolution, the computing industry often lags behind expectations. After all, your netbook is really just a laptop, only smaller and cheaper. The chip that powers your PC today has a direct lineage back to the Pentiums of yesterday. Your latest hard drive might hold 2TB, but it’s still just a hard drive. Where’s the real innovation?

In the labs, of course.

The Beginnings of Encrypted Computing In the Cloud

Posted by Soulskill | Posted in Encryption, News | Posted on 11-06-2010

eldavojohn writes “A method of computing from a 2009 paper allows the computing of data without ever decrypting it. With cloud computing on the rise, this may be the holy grail of keeping private data private in the cloud. It’s called Fully Homomorphic Encryption, and if you’ve got the computer science/mathematics chops you can read the thesis (PDF). After reworking it and simplifying it, researchers have moved it away from being true, fully homomorphic encryption, but it is now a little closer to being ready for cloud usage. The problem is that the more operations performed on your encrypted data, the more likely it has become ‘dirty’ or corrupted. To combat this, Gentry developed a way to periodically clean the data by making it self-correcting. The article notes that although this isn’t prepared for use in reliable systems, it is a quick jump to implementation just one year after the paper was published — earlier encryption papers would take as much as half a decade until they were implemented at all.”


Does Google have Wi-Fi data from your company?

Posted by admin | Posted in Data Security, Encryption, Google, Mobile Security, News, Privacy, Security Central | Posted on 21-05-2010

Google is facing scrutiny and investigation around the world following revelations that it has been capturing and archiving Wi-Fi data collected by its Google Street View vehicles that drive around capturing the image data used by the Street View service.

Symantec to buy VeriSign’s security unit for $1.3B, reports say

Posted by admin | Posted in Authentication and authorization, Data Security, Encryption, Mergers And Acquisitions, News, Security Central, Symantec, Verisign | Posted on 19-05-2010

Security vendor Symantec is reported to be close to buying Internet infrastructure services vendor VeriSign’s security business for $1.3 billion.

Commercial Quantum Cryptography System Hacked

Posted by Soulskill | Posted in Encryption, News | Posted on 17-05-2010

KentuckyFC writes “Any proof that quantum cryptography is perfect relies on idealized assumptions that don’t always hold true in the real world. One such assumption is related to the types of errors that creep into quantum messages. Alice and Bob always keep a careful eye on the level of errors in their messages because they know that Eve will introduce errors if she intercepts and reads any of the quantum bits in a message. So a high error rate is a sign that the message is being overheard. But it is impossible to get rid of errors entirely, so Alice and Bob have to tolerate a small level of error. This level is well known. Various proofs show that if the quantum bit error rate is less than 20 percent, then the message is secure. However, these proofs assume that the errors are the result of noise from the environment. Now, physicists have come up with an attack based on the realization that Alice also introduces errors when she prepares the required quantum states to send to Bob. This extra noise allows Eve to intercept some of the quantum bits, read them and then send them on, in a way that raises the error rate to only 19.7 percent. In this kind of ‘intercept and resend attack,’ the error rate stays below the 20 percent threshold and Alice and Bob are none the wiser, happily exchanging keys while Eve listens in unchallenged. The physicists say they have successfully used their hack on a commercial quantum cryptography system from the Geneva-based startup ID Quantique.”


Position-Based Quantum Cryptography Proved Secure

Posted by timothy | Posted in Encryption, News | Posted on 13-05-2010

KentuckyFC writes “Physicists have developed a new kind of quantum cryptography that uses position measurements to guarantee the security of a message. The technique is based on triangulation. Alice uses several transmitters to send messages to Bob who returns them immediately at the speed of light. If the return arrives within a certain time period, Alice can be certain that Bob is where he says he is. Physicists proved a few years ago that when the messages are purely classical this method is not secure because Eve can use any number of receivers to work out where Bob is and then use this information to trick Alice. However, the same physicists have now proved that the quantum version of the same position-based scheme is perfectly secure, essentially because Eve cannot easily measure the value of any qubits in the message. Alice and Bob go on to use the qubits to exchange a cryptographic key, a one-time pad, that they use to encrypt a message. The beauty of the technique is that a message encrypted in this way can be read only by somebody at a specific location, something that governments, banks, and the military, not to mention everybody else, may find useful.”


Imation launches broad line of secure removable storage devices

Posted by admin | Posted in Data Security, Drives and arrays, Encryption, News, Security Central, Storage | Posted on 03-05-2010

Removable storage vendor Imation today announced a new line of products ranging from hard drives and flash drives to Blu-ray Discs and removable tape cartridges, all with a range of encryption and security management tools.

Imation’s new Defender Collection consists of seven products including four flash drives, two hard drives, and an optical line of disc drives.

Recourse For Draconian Encryption Requirements?

Posted by kdawson | Posted in Encryption, News | Posted on 30-04-2010

CryoStasis writes in with this question, which likely resulted from the new Massachusetts data security law. “I work for a major hospital in the Northeast. Recently the hospital has taken it upon itself to increase its general level of computer security. As a result they now require full-disk encryption on any computer connected to their network on site. Although I think this stance is perhaps a little over-exuberant, most of these computers are machines that have been purchased with hospital funding. In the department that I work in, however, many of the employees (myself included) bring their own personal machines to work every day. For obvious reasons we’re rather reluctant to allow the hospital’s IT staff to attempt installation of the encryption software. Those who have allowed the installation have had major problems afterwards, on both Macs and Windows machines — ranging from severe/total data loss to frequent crashes to general slowness — which the hospital does very little to remedy. To make matters worse, the hospital is now demanding that any machine that is used to check email (via email clients or webmail directly) be encrypted, including desktop-style machines at home, which must be brought in to the IT department, as they refuse to distribute the encryption software to the employees for install. By monitoring email access they have begun harassing employees who check email from off campus, stating that their email/login access will be disabled unless they bring in their computers. I have no intention of letting these people install anything on my machine, particularly software of which their IT staff clearly doesn’t have a solid grasp. Have other Slashdot readers come across this kind of a problem? Do I have any recourse, legal or otherwise, to stop them from requiring me to install software on my personal machines?”


Update: Symantec buys encryption specialist PGP for $300 million

Posted by admin | Posted in Encryption, Endpoint security, Mergers And Acquisitions, News, Security Central, Symantec, The Industry Standard | Posted on 29-04-2010

Symantec will acquire encryption specialist PGP and endpoint security vendor GuardianEdge Technologies for $300 million and $70 million respectively, the company said on Thursday.

Both are privately held companies. Symantec said the deals are subject to regulatory approval but are expected to close by June.

The ultimate guide to Windows 7 security

Posted by Doug Dineley | Posted in Application Security, Authentication and authorization, Data Security, Encryption, Endpoint security, Firewalls, Leak prevention, News, Security Central, Windows, Windows 7 | Posted on 21-04-2010

Windows 7 has been warmly received and swiftly adopted by businesses, with the result that many IT admins are now struggling with the platform’s new security features. In addition to changes to User Account Control, BitLocker, and other features inherited from Windows Vista, Windows 7 introduces a slew of security capabilities that businesses will want to take advantage of.

The perils of unprotected production data

Posted by J. Peter Bruzzese | Posted in Data Management, Data Security, Encryption, News, Security Central, Windows | Posted on 21-04-2010

Storage has always been a passion of mine. In 2000, I was a card-carrying SNIA member and worked on an SNIA committee regarding certification paths for IT pros to prove their storage know-how. That was during my SAN/NAS days at CommVault Systems when I wrote “Enterprise Storage Solutions for Sybex” with Chris Wolf, a noted virtualization expert at The Burton Group.

Quantum Cryptography Now Fast Enough For Video

Posted by kdawson | Posted in Encryption, News | Posted on 20-04-2010

cremeglace sends in news of a major advance in the speed of quantum key distribution. “Researchers at the Cambridge Lab of Toshiba Research Europe have solved the problem of transferring highly sensitive data at high speed across a long distance network. The team were able to demonstrate the continuous operation of quantum key distribution (QKD) — a system that allows the communicating users to detect if a third party is trying to eavesdrop on the data communication — at a speed greater than one megabit/sec over a 50 km fibre optic network, thanks to the use of a light detector for high bit rates and a feedback system which maintains the high bit rates during data transfer. … The faster one megabit/sec data handling will allow the one-time pad to be used for the encryption of video — a vast step forward over the current ability to only encrypt voice data.”


Full disk encryption isn’t quite dead

Posted by Roger A. Grimes | Posted in Encryption, News, Security Central | Posted on 13-04-2010

At least once a month, it seems some vendor or techie claims to have broken a version of a hard drive full-disk encryption (FDE) program scheme, whether it’s from Microsoft (my full-time employer), BitLocker, open source favorite TrueCrypt, or some other variant. All the stories and the hype are enough to make one wonder if FDE is dead.

How Did Wikileaks Do It?

Posted by timothy | Posted in Encryption, News | Posted on 07-04-2010

grassy_knoll writes “Related to the Wikileaks video recently released and discussed here, the NY Times reports: ‘Somehow — it will not say how — WikiLeaks found the necessary computer time to decrypt a graphic video, released Monday, of a United States Army assault in Baghdad in 2007 that left 12 people dead, including two employees of the news agency Reuters. The video has been viewed more than two million times on YouTube, and has been replayed hundreds of times in television news reports.’
The article is light on details; what encryption algorithm was used? Was this a brute force attack? Did someone pass the decryption keys to Wikileaks along with the video? Something else?”


Government Could Forge SSL Certificates

Posted by Soulskill | Posted in Encryption, News | Posted on 26-03-2010

FutureDomain writes “Is SSL becoming pointless? Researchers are poking holes in the chain of trust for SSL certificates which protect sensitive data. According to these hypothesized attacks, governments could compel certificate authorities to give them phony certificates that are signed by the CA, which are then used to perform man in the middle attacks. They point out that Verisign already makes large sums of money by facilitating the disclosure of US consumers’ private data to US government law enforcement. The researchers are developing a Firefox plugin (PDF) that checks past certificates and warns of anomalies in the issuing country, but not much can help if government starts spying on the secure connections of its own citizens.”


OpenSSH 5.4 Released

Posted by timothy | Posted in Encryption, News | Posted on 10-03-2010

HipToday writes “As posted on the OpenBSD Journal, OpenSSH 5.4 has been released: ‘Some highlights of this release are the disabling of protocol 1 by default, certificate authentication, a new “netcat mode,” many changes on the sftp front (both client and server) and a collection of assorted bugfixes. The new release can already be found on a large number of mirrors and of course on www.openssh.com.’”
