Are CAPTCHA selections audience-maturity rated? Regardless of rating, this was especially odd: “them urethras”
The folks at Offensive-Security dot com published an information advisory regarding a security vulnerability associated with usage of Google gadgets. According to Offensive-Security,
The real vulnerability lies in the ability of a malicious user to add their own Gadgets on a separate domain space, without Google’s authorization…
Apparently the vulnerability STILL hasn’t been repaired, based on this Google Gadget Group posting I saw yesterday, and dated June 17 with no response by anyone in the group yet, particularly no response by an Google staff…. to be continued.
This post is about alternatives to the java.util.Random class, the most commonly used method to generate random numbers in Java.
This class generates “random enough” values, which are described as having an informal level of randomness. Such numbers have a superficial appearance of randomness to an observer, usually a human observer, not a machine. These are considered low-quality random numbers. They should never be used in any security application.
True randomly-generated numbers must have the following characteristics:
Neil Coffey of Javamex describes three alternative random number generation methods. Each approach continues to use class java.util.Random, while replacing the underlying algorithm. The first, called the XORShift generator, produces medium-quality random numbers very quickly, with only a single state variable and very simple code. This method is very well suited to J2ME games.
The next algorithm generates much higher-quality random numbers. It is a combined generator, using two XORShift generators of the sort described above. Mr. Coffey provides the code and explanation for the algorithm. This combined XORShift yields good-quality random numbers. It is suitable for non-gambling games and simulations, although it runs slightly slower than java.util.Random.
A cryptographic quality random number generator should have the following properties:
A cryptographically secure random number generator is appropriate for security applications such as producing a web-server session id or picking encryption keys. Very high-quality random numbers are generated using java.security.SecureRandom as the replacement for java.util.Random. The trade-off in quality versus CPU cycle consumption is hardly surprising. java.security.SecureRandom runs 20 to 30 times slower than any of the other algorithms.
Here is a very simplified way of understanding the difference between each algorithm.
Let’s say that we need to generate a 128-bit encryption key. java.security.SecureRandom actually picks from a pool of 2 raised to the 127th power number of possible keys. Of course java.util.Random can also be used to generate a 128-bit key. However, the values will be selected from a smaller pool of numbers, on the order of 2 raised to the 47th power number of possible keys. This is because java.util.Random has a much shorter period, equal to 2 raised to the 48th power.
The single XORShift generator method falls between the two, as it has a slightly longer period, of 2 raised to the 64th power. The combined XORShift generator approach extends the period a bit further.
Note than neither java.util.Random nor either of the XORShift generators are seeded randomly. This is why java.security.SecureRandom, with a machine-generated and much more truly random random seed, is superior.
* The machine-generated random seed is what is called entropy in random number generators.
The New Scientist, May 2010 features an article titled “New Cars Vulnerable to Malicious Attacks”. Two researchers were able to plug a laptop into the socket under the dashboard with very little change. Using the laptop they were able to control various controls on the car!
Today I step out from under my dark cloud of foreboding to bring glad tidings! It seems that the consumer is finally able to avail herself of effective and affordable protection from identity theft and collateral loss. Mine arrived in a small securely wrapped parcel from www.PayPal.com a few weeks ago: an ICT Display Card. After a ten-year wait, this form of the long-anticipated “Smart Card” finally debuts.
What does it do, and is it really anything special? Yes, because the ICT Display card appears to offer the first instance of double password protection (dual factor authentication) for the average consumer’s online transactions. Let me describe the process, although I cannot fathom how it works. The account holder logs in to PayPal servers via secure https connection using her established account name and password. After gently depressing the small rubbery nub, the ICT Display Card generates a six to eight digit security key.It appears on a (possibly LED) display, flush with the surface of the card, on the upper corner. The user then keys in the numeric code, no other process nor hardware needed. After a 6 to 10 second pause (the instructions are contrite, asking for the user’s patience during that nearly imperceptible interval), the key is authenticated and account access is granted. A different randomly generated security key is created for every session, according to the instructions. One could also use a security token delivered via a text message, instead of the card-based security key.
This nifty little card is the size of an ATM or credit card. It is thinner and lighterthan most office building entrance card readers. The only cost associated is a one-time charge of $5.oo, including shipping and handling. Remarkable technical innovation was required, as the card is powered by a super lightweight, paper-thin, very long-life battery, which emits a low-power radio frequency transmitting the security code. But where is the receiver? The card is not location-dependent, and may be used with any login, with any IP address. I am very curious how it works!
The developers are a privately-held company, with numerous overseas retail banking customers, and a very low profile website, probably due to this extremely valuable proprietary technology. PayPal offered this option for a more secure connection to customers as a bullet point update on the login screen, as opposed to a more visible email distribution to customers. In fact, I recall seeing it announced only once, with minimal promotion. Instructions are given for users in the USA, Australia, Canada, Great Britain, Germany and Austria. though I believe that PayPal offers the double password option solely to US-domestic customers at present. Actually, I am intrigued by the lack of fanfare as much as the capability of the card itself!
Some very special treats have floated by as I idle away my unemployed days.
Farewell, Pathfinder Linden! I enjoyed happy hours rummaging through your bookshelves, playing your harpsichord, dredging through the copy-mod-transferable sheet music, personal RL photos and CD cases you thoughtfully left strewn on the floor of your in-world office. Although rumored to be aloof, Pathfinder did appear to be a critical thinker, successful advocate of educational applications for Second Life, and contributor in the RL healthcare field. It would’ve been prudent for Linden Lab to keep him on staff, rather than eliminating his job.
Perhaps Not-so-full-of-Crap Mariner’s Vinnie Linden could be a SL eulogy for Pathfinder? Fly-in-the-ointment with that theory is the timing discrepancy. “Ode to Vinnie” was released in 2008.
On the Viewer War frontlines, many have noted the passing of young Master 5050, noted by NexisONLINE Status blog and at SLUniverse General Discussion. Advisory to all native and non-native speakers of the English language: the Notorious 5050 has risen and blogs again. I personally hearken more to Mr. Poenta’s campaign to “avenge the banning of the innocents”.
To end on an equally somber note, I was saddened to read of the demise of Luna viewer, discontinued on Agni and no longer running anywhere else as of March 22. Nexis ONLINE experienced no end of complications, ranging from Linden Lab’s viewer policies to the negative impact of copybot activity on Nexis’s SLX-type product FlexMarket.
Memento mori. I dedicate this post to the deities of the internet and transformation. Horus and Hermes, Legba and Shiva, you are having quite a field day in our little corner of virtual reality. T.S. Eliot always says it best, excerpted from The Four Quartets:
In my beginning is my end. In succession
Houses rise and fall, crumble, are extended,
Are removed, destroyed, restored, or in their place
Is an open field, or a factory, or a by-pass…
The only wisdom we can hope to acquire
Is the wisdom of humility. Humility is endless.
What we call the beginning is often the end
And to make and end is to make a beginning.
The end is where we start from.
Here are my favorite exploit-themed Flash videos of the moment. The first is very G-rated: “Copying is fun!” (courtesy of youtube’s 33×3 sketch). It is entirely English-language, although the Russian translation may be counter-intuitive.
The second is an excellent exposition, set to an emotionally charged soundtrack, of a commercial website’s security vulnerability and of the discoverer’s attempts, and eventual success, at enlightening said enterprise of the situation. I’d love to share with the Computer Information Security group on LinkedIn.com, but suspect that this is a more appropriate venue.