« First...102030...1,8441,8451,8461,8471,848...1,8601,8701,880...Last »

EMC’s Joshua Bernstein on When to Deploy Open Source – Windows IT Pro

Posted on by

"A lot of people are a little shocked and confused to hear about how EMC is contributing to and supporting open source development," Joshua Bernstein said to open his keynote address at last year's MesosCon conference in Denver. "I think that while many of us already understand the benefit of that, convincing large companies to do this sort of thing is a challenge."

Berstein became Dell EMC's vice president of technology in 2015, after a four year stint as manager of Siri development and architecture at Apple. At MesosCon, he talked about some of the things that DevOps should consider when deciding whether to deploy open source or proprietarysolutions.

"The opportunity that I got, to leave Apple and come to EMC to open our open source development team, EMC Code, forced me to reflect on how open source changed the way we ran our data center, and how we changed things from what's well known, from running very large VMware instances to running on Apache Mesos."

He noted in his reflections that not all the software he was using was open source, which brought up several questions. "What things did you buy versus build out in the community?" he asked. "What things did you find value in paying for?"

This led him to define the value of open source in a DevOps environment, and to determine what distinguishes it from traditional closed source software. He came up with a bullet list of four items: freedom, innovation, flexibility and integration.

"[T]hese four really stick out to me," he said.

Freedom: "Freedom is the ability to run the software anywhere for any purpose. If we want to run it on our own on-premises data center, to push it into the cloud, or whatever the case may be, we really value that freedom. We don't want our vendors, our partners, or the people we pull the software from, to tell us what we can and cannot do with it."

Innovation: "We value the ability to innovate and leverage the collaborative community. Everybody here [at MesosCon] is very interested in leveraging everybody else's work. At EMC Code we have 48 projects fully open sourced. Eight of them are driven by my team directly, the rest are driven by the community themselves. I'm very proud of that, I think if you look at the innovation and technology that's come out of this room, it's quite staggering, and arguably overpowers what any single software company can do on their own. As consumers of open source software, we value that innovation."

Flexibility: "This is the idea to deploy the software in any manner that best suits us. If we're a software developer and we want to deploy it on our laptop for a test dev environment, if we want to put it in our own data centers, or if we want to run it on Amazon, we really value this flexibility, this ability to consume it."

Integration: "It's the ability to integrate open source software more easily with existing infrastructure. The interesting thing is that when we were making purchasing decisions about what proprietary software we'd put in our data center, we actually made purchasing decisions not necessarily based on what was cheaper, or what had the fastest performance, but what integrated with the tool sets that were around it."

According to Berstein, the decision to deploy an open source rather than proprietary solution should rarely be made with cost as the leading consideration.

"It's not so much that it's cheaper," he observed, "because ultimately companies have to pay for support."

Go here to read the rest:
EMC's Joshua Bernstein on When to Deploy Open Source - Windows IT Pro

SDN, Blockchain and Beyond: The Spaces Where Open Source Is Thriving Today – The VAR Guy

Posted on by

What are the newest frontiers that open source software is conquering? Black Duck's latest open source "Rookies of the Year" report, which highlights areas like blockchain and SDN, provides some interesting insights.

The report, which Black Duck published Monday, highlights what the company calls "the top new open source projects initiated in 2016." It's the ninth annual report of this type that Black Duck has issued.

The report points to the following as areas where open source developers have been quite active over the past year:

Some of these areas are not surprising. For example, open source network security projects are not especially new. As Black Duck notes, new projects have arisen in this space over the past year, such as Poseidon and Trireme. (These projects also continue the trend set by the Kubernetes folks of naming open source projects after ancient Greeks gods, personages or military technologies, but I digress.) But open source networking platforms like snort and OSSEC have been around for years.

It's also not particularly surprising to see open source leading the way inside the container ecosystem. All of the major projects in the container world -- LXC, Docker, Kubernetes, etc. -- were open source from the beginning. In fact, what would be strange at this point is to see a major platform emerge in the container space that was not open source.

More interesting, perhaps, are the inroads that open source is making in niches like education. The Black Duck report highlighted Kolibri, a project that aims to make educational resources available to people without reliable Internet access using open source technology.

There's actually a pretty long history of open source folks trying to enable better education through technology. Think of the One Laptop Per Child project, for instance, or MOOCs -- online courses that are usually delivered via open source platforms and are rooted in the idea that educational information should be freely shared and accessible in the same way as open source code.

But what makes projects like Kolibri different is that they do not assume that everyone has access to the Internet. In fact, Kolibri is designed specifically for people who don't have good Internet access. That's an important differentiator -- and a key insight for the open source community, which has perhaps historically not always appreciated the fact that lots of people don't have ultra-fast Internet connections like those available to open source developers.

Open source's activity in the blockchain niche is notable, too. Blockchain initially became widely known thanks to Bitcoin, the somewhat shadowy online currency. Bitcoin is still around, and it's still an open source project. But as blockchain technology makes greater inroads inside traditional industries, open source developers are pushing forward other projects, like Sawtooth Lake and Hyperledger, the distributed ledger project launched under the direction of the Linux Foundation in early 2016.

See the rest here:
SDN, Blockchain and Beyond: The Spaces Where Open Source Is Thriving Today - The VAR Guy

SK Telecom (SKM) and Nokia (NOK) Enter Cooperation Agreement for Quantum Cryptography – StreetInsider.com

Posted on by

Get instant alerts when news breaks on your stocks. Claim your 2-week free trial to StreetInsider Premium here.

SK Telecom (NYSE: SKM) today announced that it entered into an agreement with Nokia to cooperate in the quantum cryptography business.

Under the agreement, SK Telecom and Nokia will conduct joint research and development activities to achieve interworking between SK Telecom's Quantum Key Distribution System (QKD) and Nokia's next-generation optical transport system by the second half of this year.

SK Telecom and Nokia have been working together closely from 2016 for interoperation of SK Telecom's quantum technologies with Nokia's optical transport system. The first prototype of this collaboration, also known as Quantum Transport System, is being demonstrated at Nokia's booth (Hall 3, 3A10) during the 2017 GSMA Mobile World Congress.

The quantum cryptography communication is known as the most secure form of communication encryption that cannot be broken with any existing hacking technology. Quantum cryptography is expected to replace the existing security solutions in all areas at risk of data hacking, including national defense, finance, autonomous vehicle and the Internet of Things (IoT).

Under the agreement, the two companies will also cooperate in the area of Quantum Random Number Generator (QRNG), a technology necessary for applying quantum cryptography technologies to IoT devices.

SK Telecom's QRNG is the world's smallest 5x5mm CMOS Image Sensor (CIS) based all-in-one, single silicon (ASIC) providing non-deterministic true random numbers on demand from quantum-shot noise. SK Telecom plans to tape out engineering samples of QRNG chip (ASIC) in the second quarter of 2017 and commercial launch is planned by the year end. SK Telecom envisions using QRNG for Internet of "secure" Things (IoT).

"Since opening Quantum Tech Lab in 2011, SK Telecom has been making constant efforts to develop quantum cryptography technologies," said Park Jung-ho, CEO and President of SK Telecom. "Based on the cooperation with Nokia, SK Telecom will create a new paradigm and ecosystem in the field of ICT."

"With SK Telecom's quantum cryptography technologies, we have secured the basis for building the most secure network security solution," said Rajeev Suri, CEO of Nokia. "We will respond proactively to rapidly growing demands of the cyber security market with these technologies and solutions."

Read more from the original source:
SK Telecom (SKM) and Nokia (NOK) Enter Cooperation Agreement for Quantum Cryptography - StreetInsider.com

China preparing to launch blockchain-based cryptocurrency – Siliconrepublic.com

Posted on by

China is forging ahead to be the first country to offer its own digital cryptocurrency based on blockchain technology, following successful trials.

Despite instances of enormous fluctuation in price, cryptocurrencies such asbitcoin remain incredibly popular, thanks to its detachment from any nation states bank and its ability for users to trade anonymously.

For this reason, traditional banks and governments have been sceptical about its potential for undermining existing currencies.

Yet now, one of the worlds largest economies is throwing caution to the wind by potentially launching the worlds first national cryptocurrency under the Peoples Bank of China.

According to Bloomberg, the Chinese government has been exploring the possibilities of cryptocurrencies for nearly three years, having set up a research team in consultation with digital firms such as Deloitte.

For the end user in China, services such as WeChat or Alipay would remain largely the same but transaction costs would be lower, as a state-run cryptocurrency would mean payments coming directly from the buyer.

This possible launch of a digital currency comes at a time when the number of Chinese people making online payments is continually increasing, from 200m in 2014, to an estimated 630m by 2020.

The core of the digital currency will be based around blockchain, the distributed ledger technology that has made bitcoin what it is today and could possibly revolutionisemodern and future business.

By using blockchain, China will be able to collect vast quantities of data on every transaction in the hope of better predicting monetary forecasts.

Larry Cao, director of content at the CFA Institute in Hong Kong, has described the move as revolutionary.

Cutting costs is an obvious benefit, but the impact of shifting to blockchain-based digital money from the current payment structure goes beyond that, he said.

Theres a potential you can pay anybody in the system, any bank and any merchant directly. Blockchain will change the whole infrastructure.

With plans to launch thiscryptocurrency soon, China will replace a significant amount of its paper tender, with analysts predicting that banks and payment companies will need to radically rethink their business models in the years to come.

Peoples Bank of China tower in Hong Kong. Image: chingyunsong/Shutterstock

The rest is here:
China preparing to launch blockchain-based cryptocurrency - Siliconrepublic.com

IOHK Signs Partnerships with Universities in Scotland and Japan to … – CoinJournal (blog)

Posted on by

Input Output Hong Kong (IOHK), a fintech company specializing in blockchain technology, has signed two partnership deals with the University of Edinburgh and the Tokyo Institute of Technology (Tokyo Tech) to further advance blockchain research.

Last week, IOHK and the University of Edinburgh launched the Blockchain Technology Laboratory. Located within the universitys School of Informatics, the lab aims to bring together academics and students to collaborate on blockchain research and development with a focus on industry inspired problems.

The lab is led by Prof. Aggelos Kiayias, chair in Cyber Security and Privacy at the University of Edinburgh and chief scientist at IOHK. Prof. Kiayias will organize collaborations with fellow academics at the university and oversee researchers and students from undergraduate to PhD level in a broad range of topics related to blockchain systems. Research collaborations will be interdisciplinary and will include beyond cryptography and computer science, economics, game theory, regulation and compliance, business, and law.

Prof. Kiavias said that blockchain and distributed ledgers are upcoming disruptive technologies that have the potential to scale information services to a global level. The academic and industry connection forged by this collaboration puts the Blockchain Technology Lab at Edinburgh at the forefront of innovation in blockchain systems, he added.

Sir Timothy OShea, the principal of the University of Edinburgh, said:

We are delighted to be at the forefront of UK institutions in the field of distributed ledgers and proud to have a dedicated research laboratory for industry inspired research in this important emerging area.

The lab will provide a direct connection between developers and researchers, helping to get projects live faster. It will also seek to pursue outreach projects with entrepreneurs in Edinburghs vibrant local technology community.

Recruiting and outreach will begin immediately, and the full facility will be operational from summer 2017.

The new research lab at the University of Edinburgh will serve as the headquarters for IOHKs growing network of global university partnerships. The company plans to establish further research laboratories in the US and Greece later this year and more in 2018.

Earlier this month, the Tokyo Institute of Technology launched a similar center with IOHK.

The Input Output Cryptocurrency Collaborative Research Chair, within the Tokyo Tech School of Computing, focuses on promoting joint research in cryptocurrencies and blockchain related technologies among teams of researchers and professors of the Tokyo Institute of Technology (Tokyo Tech) and IOHK.

In particular, researchers from IOHK will join Tokyo Tech, while professors and graduate students will tackle industry challenges in this rapidly developing area of research.

Similarly to the Blockchain Technology Laboratory, the Cryptocurrency Collaborative Research Chair aims to nurture talent and develop high-level expertise in cryptocurrencies and blockchain.

Commenting on the launch, Yoshinao Mishima, president of Tokyo Tech, said:

This agreement is important because Tokyo Tech is seeking to enhance the collaboration with industries and universities in Japan and abroad by producing groundbreaking results in research and engineering which will be published in internationally renowned scientific journals and conferences.

The two organizations have committed to produce knowledge via joint activities such as seminars as well as the production of academic papers. Another activity is to open courses related to blockchain technologies like lectures about cryptographic protocols and cryptocurrencies offered to Tokyo Tech students.

Like the Blockchain Technology Laboratory, all research and developments undertaken in the laboratory will be open source and patent-free.

Read more here:
IOHK Signs Partnerships with Universities in Scotland and Japan to ... - CoinJournal (blog)

WikiLeaks’ Assange facing eviction from London’s Ecuadorean embassy in June – Fox News

Posted on by

The die seems cast for WikiLeaks founder Julian Assange as it becomes increasingly likely that the next Ecuadorean president will be Guillermo Lasso, a conservative former banker now holding the lead for the April 2 runoff election.

Lasso has vowed repeatedly that as president he would evict the alleged whistle-blower from their embassy in London, where Assange has lived for the last four and a half years.

The Ecuadorean people have been paying a cost that we should not have to bear, Lasso told The Guardian a few weeks ago. We will cordially ask Mr. Assange to leave within 30 days of assuming a mandate.

'RESTORE MY LIBERTY': ASSANGE PLEADS FOR FREEDOM WHILE HOLED UP IN EMBASSY

Assange, who is Australian, is wanted by U.S. authorities for publishing scores of classified documents back in 2010.

Our staff have been through a lot. There is a human cost, said Ecuadors foreign minister, Guillaume Long. This is probably the most watched embassy on the planet.

After two days of suspense, Ecuador's Electoral Council said a runoff was inevitable because President Rafael Correas handpicked successor failed to get the 40 percent needed to clench a first-round victory win Ecuador's fragmented opposition is now closing ranks around Lasso.

The new president will be installed May 24.

ASSANGE BLASTS 'EMBARRASSING' US INTEL REPORT, INSISTS RUSSIA NOT HIS SOURCE

Over the weekend, a lawyer for Assange admitted there is "great concern" that Lasso could force him out of the embassy.

"We are preparing potential legal remedies should the opposition come to power in Ecuador," said Jennifer Robinson to MSNBC Saturday.

"You don't change asylum protections just because a change of government," she added.

Assange fled to the Ecuadorean Embassy on June 19, 2012, after an unsuccessful legal battle to send him to Sweden, where he remains wanted over an allegation of rape.

The South American country granted him asylum, but British authorities have made clear they would arrest him if he tried to leave.

ASSANGE: DEMOCRATS LOST BECAUSE 'THEY DIDN'T PICK THE STRONGEST CANDIDATE'

After a decade of governance by President Correa, a socialist, many in the country of 16 million say they are tired of his confrontational style and alliances with Cuba and Venezuela.

Should Ecuador move to the right with a second-round victory for Lasso, it would follow on the heels of Argentina, Brazil and Peru which have all swerved away from the left.

Lasso has campaigned on a platform to revive the economy, which is dependent on exports of oil, flowers and shrimp, by slashing taxes, fostering foreign investment and creating a million jobs in four years.

The AP and Reuters contributed to this report.

More here:
WikiLeaks' Assange facing eviction from London's Ecuadorean embassy in June - Fox News

National View: Daniel Ellsberg, who leaked the Pentagon Papers, asks who will be the next Snowden? – SouthCoastToday.com

Posted on by

By Margaret Sullivan

The most dangerous man in America is asking to borrow my scarf.

I've known Daniel Ellsberg for only five minutes but, curious, I unwind it from my neck and give it over. One-handed, with a flick of his wrist, the famous Pentagon Papers whistleblower produces an elegant knot. With another flick, the knot disappears.

Not a bad feat, although it hardly measures up to his copying and leaking thousands of pages of classified documents on the Vietnam War to the New York Times an act that eventually changed the course of history.

Henry Kissinger, Richard Nixon's national security adviser and later secretary of state, dubbed Ellsberg "the most dangerous man in America," which became the title of an award-winning 2009 documentary.

Almost five decades after the first Pentagon Papers story was published in 1971, revealing the secret history of the Vietnam War, the 85-year-old Ellsberg still isn't done making trouble. That was clear on a Georgetown University stage earlier this month, shortly after the scarf encounter.

"Something like the Pentagon Papers should be coming out several times a year," Ellsberg told journalist and scholar Sanford Ungar, who organized the two-day symposium, "Free Speech Legacies: The Pentagon Papers Revisited."

If Ellsberg had had access to the Senate Intelligence Committee report on CIA torture, a summary of which was released in 2014, "I would have put that out," he said.

There's plenty more, he's sure.

"The secrecy system operates overwhelmingly to keep important information from the American public," he said.

Whistleblowers are the best defense, he believes but there aren't enough of them.

An admirer of two other major leakers, Chelsea Manning and Edward Snowden, Ellsberg wants more.

"Is three whistleblowers of this scale about right in 45 years?" he demanded.

He knows, though, that they have paid a big price and the legal troubles of other Obama-era leakers, such as Thomas Drake and John Kiriakou, underscore his point.

Manning, a former Army intelligence analyst, leaked a huge tranche of classified information including a video showing a U.S. airstrike killing Iraqi civilians through WikiLeaks. Court-martialed, the transgender woman formerly known as Bradley Manning went to prison for seven years. President Barack Obama commuted her sentence in his final days in office.

Snowden, a former National Security Agency contractor who revealed shockingly widespread electronic surveillance of U.S. citizens by their government, will never return to the United States, Ellsberg said. Exiled in Russia, Snowden would not be allowed to explain his motivations during trial because he is charged under the Espionage Act, which allows no public-interest defense.

Ellsberg entertained the Georgetown crowd with spot-on impressions of Nixon and Kissinger, and tales about failing to master Twitter and digital encryption.

"I had to rely on Xerox I used the cutting-edge technology of my day," he quipped.

The government case against him ended in a mistrial, sparing him what he expected would be life in prison.

Now, with President Trump threatening to prosecute government leakers, he said, "we're coming full circle."

"We're back with Nixon, as we have been all along." All presidents lie, Ellsberg said and both Nixon and Trump have stated that when the president does something, it is, by definition, legal.

When Nixon said it to TV interviewer David Frost, he was referring to government agents' break-in at the office of Ellsberg's psychiatrist an effort to find material to blackmail him.

That crime, top Nixon aide John Ehrlichman later said, was "the seminal Watergate episode" the original sin leading to Nixon's eventual demise.

But Ellsberg said that "the things that were crimes under Nixon are no longer crimes," after post-9/11 PATRIOT Act legislation.

"Even killing people is something Obama has proclaimed the right to do," he said, referring to Anwar al-Awlaki, an American citizen and radical Islamic cleric assassinated by a U.S. drone strike in Yemen.

Ellsberg thinks Trump whose associates are already under FBI investigation for Russian connections will avoid Nixon's fate.

"If he were facing a Democratic Congress, he'd be in great trouble. If he were facing a Republican Congress that had any principle, any conscience, any shame ... but he doesn't have that," Ellsberg said. "It won't be a problem. And I'm sorry to say that."

His own leak didn't accomplish its purpose, he said.

"The Pentagon Papers didn't shorten the war by a day," he said. But Ellsberg's leak did reveal the government's longtime cynicism about the war: that President Lyndon Johnson had believed it was unwinnable, even as more bombs fell and as more troops and civilians died.

What's more, it established an important press rights precedent: that the government can't use "prior restraint" to prevent publication, which Nixon tried and failed to do when he attempted to enjoin the Times and The Washington Post from publishing the papers.

Ellsberg stands by what he did just as he fully approves of Snowden and Manning because they brought light to government deception and malfeasance.

Despite the threats that such leakers will endanger national security and have "blood on their hands," he said, no such harm has been proved.

Now it's time to bring more to light.

"I would like others, like Snowden, to think about their oath to the Constitution and whether they are obeying it" by keeping silent, he said.

He offered another subversive thought:

"Manning and Snowden and I all thought the same words, which I heard them say: 'No one else was going to do it, someone had to do it so I did it.' "

Margaret Sullivan is the media columnist for The Washington Post.

The rest is here:
National View: Daniel Ellsberg, who leaked the Pentagon Papers, asks who will be the next Snowden? - SouthCoastToday.com

Google shifts on email encryption tool, leaving its fate unclear – PCWorld

Posted on by

Thank you

Your message has been sent.

There was an error emailing this page.

Google is asking developers to take over its effort to make end-to-end email encryption more user-friendly, raising questions over whether itll ever become an official feature in the companys browser.

On Friday, the search giant said its email encryption tool, originally announced in 2014, was no longer a Google product. Instead, its become a full community-driven open source project, the company said in a blog post.

The tool is designed to work as an extension to Googles Chrome browser that uses the OpenPGP standard to encrypt emails, ensuring that only the recipient can read themand not the email provider or a government.

The main goal of Googles project was to make OpenPGP easier to use. It was announced amid growing scrutiny over U.S. surveillance efforts following disclosures from noted leaker Edward Snowden.

However, the search giant hasnt made the extension officially available on its Chrome Web Store. Instead, the projects source code has only been made available on GitHub, a software collaboration site, making the extension harder to install, especially for non-technical users.

The GitHub page also hasnt been frequently updated, so its unclear how serious the search giant has been about the effort, or if others will take up the project.

Google didnt immediately respond to a request for comment. But the GitHub page is offering the source code to whats called E2EMail, a Chrome extension that works with Gmail. At this stage, we recommend you use it only for testing and UI feedback, the page says.

A screenshot of the E2EMail extension.

Back in Dec. 2014, Google also said that its end-to-end encryption tool still wasnt as usable as it needs to be, pointing to the problem of managing the public keys used in PGP encryption. Often, the keys necessary to exchange secure messages are held on a public server or sent via email, but the authenticity of the user providing them is never verified.

Last month, Google announced a separate open-source project, called Key Transparency, that tries to solve this problem. It essentially works as a lookup service for public keys. However, as a safeguard, all the logs can be audited to track for any suspicious activity.

In Fridays blog post, Google said the Key Transparency project was crucial to the development of its end-to-end email encryption efforts.

Key discovery and distribution lie at the heart of the usability challenges that OpenPGP implementations have faced, it said.

Although Googles email encryption tool is no longer a company-led product, Google is still hoping to integrate it with its Key Transparency project, according to the blog post.

In the midst of Googles effort, others are also developing new email encryption protocols, too. Last month, the developer behind Lavabit, an email service Edward Snowden used, released its own open-source encrypted email standard for surveillance-proof messaging.

Michael Kan covers security for IDG News Service.

Read more from the original source:
Google shifts on email encryption tool, leaving its fate unclear - PCWorld

Germany, France lobby hard for terror-busting encryption backdoors Europe seems to agree – The Register

Posted on by

The technology industry has hit back at proposed plans by France and Germany to force EU member states to backdoor encryption for the police.

Last week, Thomas de Maizire and Bruno Le Roux, respectively the German and French ministers of the interior, sent a letter to the European Commission calling for measures to stem what they see as a tide of terrorism sweeping the land.

These proposed measures include allowing the greater sharing of people's personal information between nations' police forces to fight crime; more reliance on biometrics; and depressingly predictable these days demands for technology companies to come up with impossible encryption systems that are secure, strong, and yet easily crackable by law enforcement on demand. The German-French letter [PDF] calls for new legislation, to implement these changes, to be considered in October, after both countries have had their national elections.

This isn't the first time the pair have called for such measures, but this time they received support from the European Commission. "Encryption technology should not prevent law enforcement agencies or other competent authorities from intervening in the lawful exercise of their functions," an EC spokesman said in response to the letter, according to Politico.

The remarks brought a swift bite back from the Computer & Communications Industry Association, the non-profit think tank that lobbies for the technology industry. Christian Borggreen, its director of international policy in Brussels, slammed the idea as counterproductive late last week.

"Any backdoors to encrypted data would pose serious risks to the overall security and confidentiality of Europeans' communications, which seems inconsistent with existing legal protections for personal data," he said.

"Weakened security ultimately leaves online systems more vulnerable to all types of attacks, from terrorists to hackers. This should be a time to increase security not weaken it."

It looks as though the encryption wars have moved to Europe. For years now in the US, the FBI and others have been banging on about the need for crimefighters to have secret backdoors into encryption, or even a front door, as the director of the Feds likes to call it.

There may be British readers who are feeling rather smug about this latest European proposal, and think that Brexit UK will be immune from such silliness. Not so Blighty already has legislation that paves the way for mandatory backdoored encryption, it just hasn't worked out how to force the issue yet.

As has been pointed out many times, it isn't mathematically or technologically possible to build a backdoor into encryption that is completely exclusive to a select set of people, and can't be found and exploited by others. The only way under today's technology would be to have a key escrow system, and that would fall down if someone with access to the keys were to be bribed or coerced into handing them over.

Continued here:
Germany, France lobby hard for terror-busting encryption backdoors Europe seems to agree - The Register

Stop using SHA1 encryption: It’s now completely unsafe, Google proves – PCWorld

Posted on by

Security researchers have achieved the first real-world collision attack against the SHA-1 hash function, producing two different PDF files with the same SHA-1 signature. This shows that the algorithm's use for security-sensitive functions should be discontinued as soon as possible.

SHA-1 (Secure Hash Algorithm 1) dates back to 1995 and has been known to be vulnerable to theoretical attacks since 2005. The U.S. National Institute of Standards and Technology has banned the use of SHA-1 by U.S. federal agencies since 2010, and digital certificate authorities have not been allowed to issue SHA-1-signed certificates since Jan. 1, 2016, although some exemptions have been made.

However, despite these efforts to phase out the use of SHA-1 in some areas, the algorithm is still fairly widely used to validate credit card transactions, electronic documents, email PGP/GPG signatures, open-source software repositories, backups and software updates.

A hash function such as SHA-1 is used to calculate an alphanumeric string that serves as the cryptographic representation of a file or a piece of data. This is called a digest and can serve as a digital signature. It is supposed to be unique and non-reversible.

If a weakness is found in a hash function that allows for two files to have the same digest, the function is considered cryptographically broken, because digital fingerprints generated with it can be forged and cannot be trusted. Attackers could, for example, create a rogue software update that would be accepted and executed by an update mechanism that validates updates by checking digital signatures.

In 2012, cryptographers estimated that a practical attack against SHA-1 would cost $700,000 using commercial cloud computing services by 2015 and $173,000 by 2018. However, in 2015, a group of researchers from Centrum Wiskunde and Informatica (CWI) in the Netherlands, Nanyang Technological University (NTU) in Singapore and Inria in France devised a new way to break SHA-1 that they believed would significantly lower the cost of attacks.

Since then, the CWI researchers have worked with Google, using the company's massive computing infrastructure, to put their attack into practice and achieve a practical collision. It took nine quintillion SHA-1 computations, but they succeeded.

According to Google, it was one of the largest computations ever completed: the equivalent processing power of 6,500 years of single-CPU computations and 110 years of single-GPU computations. It was performed on the same infrastructure that powers Alphabet's AlphaGo artificial intelligence program and services like Google Photo and Google Cloud.

Does this mean that achieving SHA-1 collisions is now within the grasp of most attackers? No, but it's certainly within the capabilities of nation-states. In less than three months, the researchers plan to release the code that made their attack possible so other researchers can learn from it.

"Moving forward, its more urgent than ever for security practitioners to migrate to safer cryptographic hashes such as SHA-256 and SHA-3," Google said in a blog post Thursday. "In order to prevent this attack from active use, weve added protections for Gmail and GSuite users that detects our PDF collision technique. Furthermore, we are providing a free detection system to the public."

Starting with version 56, released this month, Google Chrome will mark all SHA-1-signed HTTPS certificates as unsafe. Other major browser vendors plan to do the same.

"Hopefully these new efforts of Google of making a real-world attack possible will lead to vendors and infrastructure managers quickly removing SHA-1 from their products and configurations as, despite it being a deprecated algorithm, some vendors still sell products that do not support more modern hashing algorithms or charge an extra cost to do so," saidDavid Chismon, senior security consultant at MWR InfoSecurity. "Whether this happens before malicious actors are able to exploit the issue for their benefit remains to be seen."

More information about the attack, which has been dubbed SHAttered, is available on a dedicated website and ina research paper.

Excerpt from:
Stop using SHA1 encryption: It's now completely unsafe, Google proves - PCWorld


« First...102030...1,8441,8451,8461,8471,848...1,8601,8701,880...Last »