Recently in Cryptography Category

Appropriate trust on the Internet


There's an interesting story at The Register about the recent leaking of embassy credentials, amongst others, by an individual in Sweden.

The story is that someone set up some Tor exit nodes and then sniffed the traffic that came out over them.

There are several interesting points that come out of this, I think.

  • Understand the type of security provided by a system. Tor is not end-to-end encryption and you are trusting the exit node as you would trust an ISP router.
  • What was done here can be done by any ISP employee. A Tor exit node is essentially like an ISP router. Anything that can be gained by sniffing a Tor exit node could also be gained by any employee of an ISP for the traffic that the ISP handles.
  • Embassy users are logging on to their services in the clear!? The main problem here seems to be that embassy staff are logging on to e-mail systems in the clear over an untrusted network (the Internet). It seems odd that they'd go to the trouble of using Tor to anonymise their traffic but not go to the trouble of using SSL or an equivalent to protect their logon credentials end-to-end...

How The Anti-Virus Industry Is Turning A White Hat Black, or (at least) Gray

Some interesting information about some work done to create an encrypted rootkit for Windows. The worrying bit is that three months after it was put out, the main anti-virus products still can't find it...

More information here.

Adventures of the White Rabbit

Financial Cryptography: Cryptographers have a Responsibility to Explain Results

An interesting post over at Financial Cryptography looks at the practical implications of a recent paper on collisions in MD5 and possible effects on the security of certificates.

I'd agree that the paper has been taken out of context in a lot of stories, but then that seems to happen a lot when the journalists covering something aren't maybe experts in that field. Also, I suppose there must be a temptation for the researchers to talk up their findings...

About this Archive

This page is an archive of recent entries in the Cryptography category.