Friday, February 25, 2005

 

Encryption: SHA-1 broken. (Be afraid, be very afraid!)

The news broke last week on Slashdot.

Essentially, SHA-1 is a one-way hash algorithm used in many electronic communications.

Two of the most commonly used hash algorithms are MD5 and SHA-1. The accepted difference between the two is that MD5 is faster but less secure than SHA-1 (less secure meaning that it can be broken in less time).

Other secure hash algorithms are MD2, MD4, HAVAL, RIPEMD-128/160/256/320, HAS-160, Tiger, etc.

Before going further, let's differentiate a bit between some of this encryption jargon...

Hash algorithms are computations/operations that convert a message into a hash value, but only one way. Meaning, [F(m) = H] a message passed through a hash function will produce H, but you can't derive m from the hash value (H) and the hash function (F)...(Well, now we know that you can)
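An added example (not part of the original post) that measures separately two properties expected of F, using SHA-1 truncated to 16 bits so that both searches finish quickly: finding any two messages with the same H (a collision), and finding a message for one given H (inverting F). The truncation, the message formats and the function names are assumptions made for the demonstration, which goes beyond the post's text in treating the two searches as distinct.

```python
import hashlib
from itertools import count

BITS = 16  # assumption: keep only the top 16 bits of SHA-1 so both searches are fast


def short_hash(message: bytes, bits: int = BITS) -> int:
    """F(m) = H, with H cut down to the top `bits` bits of the SHA-1 digest."""
    digest = hashlib.sha1(message).digest()
    return int.from_bytes(digest, "big") >> (160 - bits)


def find_collision(bits: int = BITS):
    """Find any two distinct messages with the same H; returns (m1, m2, hashes)."""
    seen = {}
    for i in count():
        m = b"msg-%d" % i                 # constructed message format
        h = short_hash(m, bits)
        if h in seen:                     # an earlier message already produced h
            return seen[h], m, i + 1
        seen[h] = m


def find_preimage(target: int, bits: int = BITS, limit: int = 1 << 22):
    """Find some message whose H equals `target`; returns (m, hashes) or (None, limit)."""
    for i in range(limit):
        m = b"guess-%d" % i               # constructed guess format
        if short_hash(m, bits) == target:
            return m, i + 1
    return None, limit


if __name__ == "__main__":
    m1, m2, c_work = find_collision()
    print(f"collision: {m1!r} / {m2!r} after {c_work} hashes")
    target = short_hash(b"the original message")
    m, p_work = find_preimage(target)
    print(f"message for H={target:#06x}: {m!r} after {p_work} hashes")
```

For an n-bit hash the collision search needs on the order of 2^(n/2) hashes and the inversion on the order of 2^n (here roughly 2^8 against 2^16), which is why a faster way to find collisions does not by itself let anyone derive m from H.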

Encryption or cryptographic algorithms like RC4, Blowfish, DES, 3DES and AES are typically more complex algorithms which are reversible and use secret keys.

[Tidbits]
Blowfish, DES, 3DES (Triple DES) and AES (Advanced Encryption Standard) are block ciphers, as opposed to stream ciphers like RC4 and A5 (A5 by the way is the algorithm used to encrypt GSM communications)


Now the bad news is, SHA-1 is used in many cryptographic protocols like SSH (secure remote access), in SSL (secure HTTP), in S/MIME (secure email), in PGP (Public key encryption), IPSec, VPNs, Database passwords, etc.

So be afraid, be very afraid!?...Well, not really, at least not for now. SHA-1 hashes are usually just one part of these cryptographic protocols, and the session lifetimes of these types of communications are just too short. The initial recommendation is to switch to SHA-256.
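One way to check where SHA-1 is still configured, shown for SSH as an added example that is not from the original post: it reads the OpenSSH `MACs` and `KexAlgorithms` directives from a constructed sample config and reports each SHA-1-based algorithm with a suggested SHA-256-based replacement. The choice of OpenSSH, the sample config and the function name are assumptions; the algorithm names are OpenSSH's own.

```python
# Constructed sample of sshd_config content (not taken from a real host).
SAMPLE_CONFIG = """\
# legacy settings kept for old clients
Port 22
MACs hmac-sha1,hmac-sha2-256,hmac-sha1-etm@openssh.com
kexalgorithms diffie-hellman-group14-sha1,curve25519-sha256
#MACs hmac-sha1-96
Ciphers aes256-ctr
"""

# SHA-1-based OpenSSH algorithm names and a suggested SHA-256-based replacement.
SHA256_REPLACEMENT = {
    "hmac-sha1": "hmac-sha2-256",
    "hmac-sha1-96": "hmac-sha2-256",
    "hmac-sha1-etm@openssh.com": "hmac-sha2-256-etm@openssh.com",
    "hmac-sha1-96-etm@openssh.com": "hmac-sha2-256-etm@openssh.com",
    "diffie-hellman-group1-sha1": "diffie-hellman-group14-sha256",
    "diffie-hellman-group14-sha1": "diffie-hellman-group14-sha256",
    "diffie-hellman-group-exchange-sha1": "diffie-hellman-group-exchange-sha256",
}
DIRECTIVES = {"macs", "kexalgorithms"}  # config keywords are case-insensitive


def audit_ssh_config(text: str):
    """Return (line_no, directive, algorithm, replacement) for each SHA-1 use."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()        # drop comments
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].lower() not in DIRECTIVES:
            continue
        value = parts[1].strip()
        if value.startswith("-"):                  # "-list" removes algorithms
            continue
        for algo in value.lstrip("+^").split(","):
            algo = algo.strip()
            if algo in SHA256_REPLACEMENT:
                findings.append((line_no, parts[0], algo, SHA256_REPLACEMENT[algo]))
            elif "sha1" in algo:                   # SHA-1 name with no mapping
                findings.append((line_no, parts[0], algo, None))
    return findings


if __name__ == "__main__":
    for line_no, directive, algo, better in audit_ssh_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {directive} uses {algo}; suggested: {better}")
```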

You can check out the details of this crypto algorithm biting the dust at
http://www.itnetcentral.com/pcworld/article.asp?id=14299

(Yey! It's a holiday tomorrow!) :)


Friday, February 18, 2005

 

Internet: Phil. Narrowband Industry news

(What? You don't have broadband yet?) At home, yes. I don't have broadband yet because where I live, the only option is satellite connectivity.

[Tidbits]
(For the entire Phils., internet penetration is roughly around 4.2%. source: internetworldstats.com)


Before moving to our new home, dial-up and pre-paid cards were what I used for the last few months....When you've been in the internet industry for almost 10 years (since 1995), paying for an internet connection at home seems weird.


Now,... not that I can be optimistic that Digitel or other cable broadband companies can soon have their lines in our area, but there seems to be quite a development on the narrowband scene...

Feb 5, 2005
SOME LOCAL PROVIDERS CLUELESS
PLDT quietly raises wholesale price of dial-up

http://news.inq7.net/infotech/index.php?index=1&story_id=26500


The article stated that PLDT jacked up the price of dial-up sold to ISPs and dropped its retail price... Haven't heard any follow-up on this news yet.


And then after a little more than a week...

Feb 14, 2005
PLDT set to dominate narrowband

http://news.inq7.net/infotech/index.php?index=1&story_id=27428


PLDT offers 99 hours for 99 pesos. (Even Tri-Isys can't beat that!... well, let's see)


and the Coup de Grace...

PLDT launches own unlimited call plan

http://news.inq7.net/infotech/index.php?index=1&story_id=27430


Hey, I could now make NDD dial-up connections??!!?


It really looks like it's PLDT's time again? (hasn't it been always?)

(....I WANT MY BROADBAND!)
 
 

Saturday, February 05, 2005

 

Software: Free MS Tools

Let's talk more about software....how about these relatively new 'FREE' tools from Microsoft......(ok, some are not that new).

MS Port Reporter [Network Port Monitoring]
MS AntiSpyware (beta) [spyware/adware]
MS Log Parser [especially for IIS logs]
Malicious Software Removal Tool [Malware]
Windows XP Video Decoder Checkup Utility [video codec]
Microsoft Best Practices Analyzer for MS SQL server 2000 and Exchange server [For SQL/Exchange server Admins]
Tweakomatic ['nuf said]
Update for Windows XP Service Pack 2 (KB884020) [update]
Codec Installation Package [video codecs update]
Microsoft ActiveSync 3.8 [update]

I haven't personally tried some of this software (I use other third-party apps), but I believe it's a must-have for regular to intermediate users.

[Tidbits]
Did you know that Windows 2003 servers automatically log the IP addresses of ALL 'failed' authentication requests? (those login pop-ups, even for web access).


Tuesday, February 01, 2005

 

Security: Tsunami fund hacking 'boo-boo'

A Londoner was arrested for 'allegedly' trying to hack into the donation site for a Tsunami relief fund. BT (British Telecoms) misread access logs coming from a non-identifying browser (which apparently was a lynx browser on Sun OS) and alerted the site owners...and the poor guy was just trying to make a donation through the site.

Check out the BBC news here.

Now the inside story, according to this site.

