without context that may or may not match your needs or requirements. (There is also good, healthy debate on fixing problems.) • Think of the threat model for your company (or for you).
monetary theft that involved breaking SSL/TLS or the math behind modern cryptography. • It's been so successful that everything I know of has been attacks on data at rest.
http://bit.ly/1c3iZCC • Can't find the change • Can't find the bug report • It appears no empirical testing was added to the source tree. I'm not an Android expert and the source tree is very large. If you know the answers, please let me know!
earlier reports, the flaw affects all versions of Android, not just 4.2 and earlier, Android Security Engineer Adrian Ludwig told Ars." http://arstechnica.com/security/2013/08/google-confirms-critical-android-crypto-flaw-used-in-5700-bitcoin-heist/
goes in tree: https://issues.apache.org/jira/browse/HARMONY-872 • October 2006 tests added https://issues.apache.org/jira/browse/HARMONY-1924 hmmmm.... so before we blame yuri...
• Open specification: ? • Open source reference implementation: ? • Test vectors: ? • Forced to use it: kinda, otherwise you need to find a signed provider. • Code approved in Harmony without tests: yes • Any empirical tests? No. • Any security review in 5+ years: ??
recommendation, Android has developed patches that ensure that Android's OpenSSL PRNG is initialized correctly. Those patches have been provided to OHA partners. We would like to thank Soo Hyeon Kim, Daewan Han of ETRI and Dong Hoon Lee of Korea University who notified Google about the improper initialization of OpenSSL PRNG." • More details here: http://emboss.github.io/blog/2013/08/21/openssl-prng-is-not-really-fork-safe/
people, working very hard, • Probably has to deal with more conflicts of interest, stress, demands, and bullshit than you can imagine • but as a human organization • ... it also has human failings too
3 PRNG algorithms specified • within 6 months of publication, research showed it was unusual • 3x slower, possible backdoor. • Standards process clearly got corrupted
there is time to correct for bad releases. • Releases every 4-6 weeks. • Only two versions "live" at any time • Old versions rapidly drop to under 3% of total. • What's going on with that 3%?
• At least 3 major versions active at any point in time. • Not in control of release process • Slow adoption • It's only this good since people buy new phones.
VM technology, surely we can do something to speed patching and deployment. • Why does only one version need to be installed? • Can we make it so it's easier to roll back or undo? • Can we get feedback faster from our users if something isn't working?
story • I had a custom version of nginx+openssl running • I updated the OS ('apt-get' or yum) • overwrote the custom version • My cipher suite changed... silently.
in real time. • Sends email when it finds problems, and explains the fix • And sends positive mail when you fix it • I don't know anything about Ruby or RoR (I'm the dumbest guy), but with Brakeman I'm not going to make rookie mistakes.
the 1513 pages we tested on the site over the past 90 days, 4 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-10-23, and the last time suspicious content was found on this site was on 2013-10-23. Malicious software includes 4 trojan(s)."
of Contents • password_get_info — Returns information about the given hash • password_hash — Creates a password hash • password_needs_rehash — Checks if the given hash matches the given options • password_verify — Verifies that a password matches a hash
non-cryptographic, insecure PRNG • Leftover from the 1980s, physics simulations and old computer science problems. • Scripting languages unfortunately copied this model. • And so we get numerous applications using an insecure system for passwords, reset codes, and worse.
The OS provides an API for this. • PHP even provides 2 or 3 different ways of doing this, making it more confusing. • Since the Toy Randoms aren't random enough, people set seeds: random_set_seed(1); include "poisonedfile.php"
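As an added illustration (not the talk's code, and in Python rather than PHP) of why a seeded "toy" PRNG must not produce reset codes: `random.Random` stands in for the language's Mersenne Twister style generator, and `secrets` for the OS-backed CSPRNG the OS API gives you.

```python
import random
import secrets
import string

# Constructed alphabet for the sample codes; any charset works the same way.
ALPHABET = string.ascii_letters + string.digits


def toy_reset_code(seed, length=8):
    """Reset code drawn from the 'toy' PRNG.

    Anything that seeds the generator, deliberately or via an included file
    that calls the seed function, makes the whole output sequence reproducible:
    same seed, same code, every time.
    """
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def secure_reset_code(length=8):
    """Reset code drawn from the OS CSPRNG (secrets wraps os.urandom).

    There is no seed to set, so no other code in the process can make the
    output repeat or predict it.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def codes_repeat(make_code, trials=3):
    """True if repeated calls to make_code() hand back the same value."""
    first = make_code()
    return all(make_code() == first for _ in range(trials - 1))


if __name__ == "__main__":
    print("seeded toy PRNG repeats:", codes_repeat(lambda: toy_reset_code(1)))
    print("OS CSPRNG repeats:      ", codes_repeat(secure_reset_code))
```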
likely link in another library anyways. • You are probably linking in a million other libraries anyways. • You have requirements that probably aren't going to be met by the default PRNG anyways.
high • Perfectly ok to use a secure random • For webapps, if they use a PRNG at all, most will use it only for a few numbers. • Not a performance problem
PRNG will be "slower" • So write your own if it's a problem. • A decent high speed PRNG can be written in a few lines of code if need be. • Every language makes data structure tradeoffs • Why should PRNG be different?
able to quickly integrate into other C infrastructure, including hardware. • Eliminate any performance issue that might be an excuse for not using it. • SWIG-generating bindings exist for PHP, Python, Lua • Or use ctypes or libffi • Let's write one for Ruby at this con!
node.js showing competitive performance • C to LLVM to javascript (??) • PyPy: write a language in RPython and it creates a JIT (whoa) • http://cython.org restricted subset of python that compiles directly to C
Lua CFFI • Now in Python as cffi • extra C code (either manually written or autogenerated) removed. • Allows for optimization for near-native C performance
a problem • We know patching and deploying is a problem • We know developers aren't experts in security • We know developers make mistakes • We know C, while essential, is fragile
Team I worked with • Roberto Salgado @LightOS of http://www.websec.ca • Custom analysis and fuzzing of libinjection • Embarrassing me daily with new exploits. • This provided rapid acceleration of the quality. • Also check out his SQLi cheat sheet: websec.ca/kb/sql_injection