Enabling Secure Business Operations

The Evolution of the Qubit

August 31st, 2006

Yesterday’s post regarding quantum cryptography got me thinking about the interesting privacy concerns quantum cryptography could potentially bring up.


The reason is that quantum computers, although not practical at the moment, seem more and more realistic based on research and developments in the lab. The hardware needed is big and expensive, though. The first quantum computers must be invented in the lab… manipulating a photon is not like creating the first light bulb.


It is certain that people in the research labs, and in government, will get quantum crypto first (if ever) – and all of the possible advantages that come with it. It also means laws and restrictions can be put in place to keep quantum technology where it was born – in the lab.


It would provide a huge advantage against people who are still using traditional crypto (aka everyone else) – no matter what key size or encryption algorithm they are using.


The threshold is about 100 qubits to break the best modern crypto, as I recall. Last I checked, scientists could only get about 20 or so in order. When we’ll hit 100 (maybe never) is debatable, but what is certain is that quantum machines need very sophisticated hardware to operate.


Eventually technology will catch up and perhaps we can ditch AES for some photonic miracle. I wonder how much resistance governments around the world will put up before that happens though?


As an avid follower of quantum cryptography, I believe the technology will eventually be feasible and in the hands of the common person. It is the gap in between I wonder about. Many countries imposed key restrictions on current encryption algorithms and some still do. It is reasonable to assume similar restrictions will be placed on quantum technology as well.


What do you think? Are my concerns valid, or is this just what happens with every new piece of modern technology?

Quantum Cryptography

August 30th, 2006

Seen in Jon Erickson’s Blog and on Science Daily – Northwestern University and BBN Technologies have collaborated to demonstrate a truly quantum cryptographic data network.



By integrating quantum noise protected data encryption (quantum data encryption or QDE for short) with Quantum Key Distribution (QKD), the researchers have developed a complete data communication system with extraordinary resilience to eavesdropping.
...
This QDE method, called AlphaEta, makes use of the inherent and irreducible quantum noise in laser light to enhance the security of the system and makes eavesdropping much more difficult. Unlike most other physical encryption methods, AlphaEta maintains performance on par with traditional optical communications links and is compatible with standard fiber optical networks.



As soon as quantum computing moves out of the theoretical and into the practical, most cryptography we use today will become useless. (With a big enough quantum computer, you could theoretically try all possible keys in linear time, rather than tediously brute-forcing in exponential time.)


Fortunately, quantum cryptography is also making great advances, so we’ll have something to move to!

Wireless Hotspot Safety

August 29th, 2006

Via Lifehacker, I found these 10 Top Tips for Protecting Yourself at Hot Spots. Some good suggestions in there:



1. Disable Wi-Fi ad-hoc mode
2. Use a wireless Virtual Private Network (VPN)
4. Use a personal firewall
5. Turn off file sharing
6. Make sure the hotspot is a legitimate one
10. Don’t leave your laptop alone.



There are also some suggestions that will give you a false sense of security:



3. Use an encrypted USB flash drive
7. Disable or remove your wireless adapter if you’re working offline
8. Use email encryption
9. Look over your shoulder



An encrypted flash drive could help… if most flash drive encryption programs weren’t so dumb (once it’s unlocked, anyone on the system can read the drive). Email encryption could help… but as I’ve mentioned before, you are still likely going to give up a password due to an insecure protocol. Giving guidance to disable your wireless adapter makes no sense to me—to use the hot spot safely, don’t use it! And looking over your shoulder? That will just make you paranoid. I can happily hack your system from across the room without bothering to make eye contact or shoulder-surf for a password.

Unlocking Fingerprints

August 28th, 2006

The Washington Post is running a story called Unlocking Fingerprints detailing how the Government’s PIV cards might be the catalyst to have fingerprints on the most ubiquitous form of identification in America—the driver’s license.


OK, let’s see… that’s 10 years to come up with a plan of how to do it, 5 years to bicker over which companies will be able to implement the new IDs and start issuing them en masse, and at least another 10 years to wait until all existing issued IDs expire. After those 25+ years, we might be able to expect everyone to have a driver’s license with biometrics.


Until that time, it will be far simpler to counterfeit older driver’s licenses. Oh, and remember that four of the 19 hijackers on September 11th had completely legal driver’s licenses. So, how will adding my fingerprint to my driver’s license help fight terrorism?

Simple Measures Go A Long Way

August 25th, 2006

You lock your house, car, and desk at night. But how many of us lock our laptops up?


We’ve seen and heard a string of recent laptop thefts, leading to major “privacy” breaches. After a few recent high-profile arrests, it makes me wonder, what were the thieves after?


Seems that in many cases they were after the hardware, and didn’t know a thing about decrypting hard drives. Now, I know they could go on to sell these items to folks who knew how to crack such security measures, but our innocent laptops don’t have to be put in this situation to begin with.


Companies spend lots of money to buy locks for everything else, so why not laptops? An encrypted hard drive is not going to protect you from a broken window and two fast feet. Laptop locks are cheap, and putting the laptop away in your locked desk is even cheaper.


Not only good advice for work and home, but also for all of those college kids out there with open dorm room doors.

Some Tricks Never Get Old

August 23rd, 2006

As Bruce Schneier points out in this blog post, some “clever” folks decided to use an old phone scam to steal credit card numbers.



A fraudster contacts an AT&T service rep and says he works at a pizza parlor and that the phone is having trouble. Until things get fixed, he requests that all incoming calls be forwarded to another number, which he provides.

Pizza orders are thus routed by AT&T to the fraudster’s line. When a call comes in, the fraudster pretends to take the customer’s order but says payment must be made in advance by credit card.



Makes me think of something that happened to me last week: I called our local cable company to get some Internet service set up for some relatives. I called from my cell, and all I had to do was give the first name of someone in the house and the address.


I was also able to cancel other services this way. Nice for me because it saved me some hassle getting the call done, but just imagine if I were in a grumpy mood and decided to do this to Uncle Joe I’m not fond of.


Or, cancel the cable, then call later on and say,


“Hi, I’m Cable Provider X. We put your account on hold because we were worried someone might be making fraudulent charges on the card you provided. Do you have another card we can use?...”


You get the idea. Old tricks still work – and old defenses against them do too. Don’t trust incoming calls; even caller IDs can be spoofed.

Come on, we’ve all done it…

August 23rd, 2006

Every software developer has done this at one point in time… you fix a bug, but in the process introduce a new one.


Well, it sucks when the bug you are fixing is actually a cumulative patch for eight security vulnerabilities, and the bug you introduce is a security vulnerability that is as severe as the worst of the eight you fixed.


Oh well, here’s hoping they get this one worked out before exploits show up in the wild.

E-Mail at Risk?

August 21st, 2006

The Washington Post had an article in yesterday’s paper called E-Mail at Risk? Cover It With Encryption.



“Current e-mail technology does not provide any confidentiality,” said Peter Hesse, president of Gemini Security Solutions, a Chantilly-based firm specializing in security audits and installations. “In fact, the e-mail standards include routing messages between mail servers . . . each transmission and each server offer opportunities to read messages.”



Read the article for that and many other brilliant comments by yours truly!


Actually, the premise of the article is interesting. It’s in the Sunday paper, which means it’s going to be read by many average people over coffee and donuts. I wonder if it will lead to any more adoption of PGP or other email encryption technologies?

Fighting for Privacy

August 17th, 2006

Via CNN: the NSA eavesdropping program has been ruled unconstitutional by U.S. District Judge Anna Diggs Taylor. Taylor’s complete 44-page ruling is here. It includes an order to end the domestic wiretapping immediately, which she said violates the rights to free speech and privacy.



...this court is constrained to grant to Plaintiffs the Partial Summary Judgment requested, and holds that the TSP violates the APA; the Separation of Powers doctrine; the First and Fourth Amendments of the United States Constitution; and the statutory law.



Hopefully it will stand up to appeal. Score one for your privacy.

DHS Recommending MS Patch

August 17th, 2006

If you hadn’t already seen it, the Department of Homeland Security is strongly recommending the patch related to Microsoft’s MS06-040 bulletin.



The Department of Homeland Security (DHS) is recommending that Windows Operating Systems users apply Microsoft security patch MS06-040 as quickly as possible. This security patch is designed to protect against a vulnerability that, if exploited, could enable an attacker to remotely take control of an affected system and install programs, view, change, or delete data, and create new accounts with full user rights.



Kind of gives me the creeps. They don’t normally recommend specific patches, so why this one?