The invention of the Diffie-Hellman key exchange, the first public asymmetric-key cryptosystem, transformed information security in 1976, allowing ciphered communications without a secure initial key exchange and becoming the basic building block that enabled ecommerce on the Internet.  In this video, Whitfield Diffie talks about his protocol and all the surrounding events the lead to the paper New Directions in Cryptography, conjointly written with Martin Hellman.

Unfortunately, there has never been another breakthrough like that one, even though the field of cryptography research has grown by multiple orders of magnitude since them. It seems that imaginative ways to restrict access to information that enable latent markets in information are very hard to come by. Even so, my bets are on the almost current practical schemes to perform Secure Multi-Party Computation, Zero-Knowledge Proofs, Fully Homomorphic Cryptography and Private Information Retrieval, with direct applications to finance.


A list of the best presentations about smartphone security all over the net:

And others about network vulnerabilites:

Note: this post will be expanded in the future.

  • Microsoft Forefront Unified Access Gateway 2010 Administrator’s Handbook and Microsoft Forefront Threat Management Gateway Administrator’s Companion. Detailed tech-guides and reference books about two of the most all-encompassing security solutions. It’s good to know that Microsoft keeps on producing some great tools even if they aren’t going after a billion-dollar market.
  • Oráculo Manual y Arte de Prudencia (Spanish Edition), Baltasar Gracián. An eternal collection of 300 commented aphorisms and maxims, distilled from his previous works, free from argumemtum ad verecundiam, ad antiquitatem & ex silentio. So great that its style inspired later works from Schopenhauer and Nietzsche.

The Python programming language, Guido van Rossum‘s Magnum Opus, is the only surviving and successful programming language not backed by a company. Started in the late 1980s, the discipline of van Rossum was the major factor for its existence through the early years. Its popularity exploded with the 2.0 release, featuring garbage collection and a revamped development process using Sourceforge that provided a significant increase of write accesses to more people than were before allowed with CVS. In this video, we appreciate the deep impact of those decisions starting at 2:50.


An efficient public key traitor tracing scheme

We construct a public key encryption scheme in which there is one public encryption key, and many private decryption keys. If a broadcaster encrypts once with the public key, then each legitimate receiver can decrypt with a different private key. If a coalition of receivers collude to create a new decryption key then there is an efficient algorithm to trace the new key to its creators. Hence, our system provides a simple and efficient solution to the “traitor tracing problem”. Our tracing algorithm is deterministic, and catches all active traitors while never accusing innocent users, although it is only partially “black box”. A minor modification to the scheme enables it to resist an adaptive chosen ciphertext attack. Our techniques apply error correcting codes to the discrete log representation problem.

The most cited traitor tracing crypto-scheme versus… the Black Sunday hack:

Among the countermeasures he says he created was one known among pirates as the “Black Sunday” kill — an elaborate scheme that destroyed tens of thousands of pirate DirecTV cards a week before Super Bowl Sunday in 2001.

Instead of being delivered all at once like other measures, the Black Sunday attack code was sent to pirate cards in about five dozen parts over the course of two months, like a tank transported piece by piece to a battlefield to be assembled in the field. “They never expected us to do this,” Tarnovsky says.

Why stop at tracing traitors when you can wipe them out? Very clever.


Online behavioral advertising (OBA) refers to the practice of tracking users across web sites in order to infer user interests and preferences. These interests and preferences are then used for selecting ads to present to the user. There is great concern that behavioral advertising in its present form infringes on user privacy. The resulting public debate — which includes consumer advocacy organizations, professional associations, and government agencies — is premised on the notion that OBA and privacy are inherently in conflict.

Adnostic is a practical architecture that enables targeting without compromising user privacy. Behavioral profiling and targeting in Adnostic takes place in the user’s browser. The ad network remains agnostic to the user’s interests.

Our technical paper discusses the effectiveness of the system as well as potential social engineering and web-based attacks on the architecture. One complication is billing; ad-networks must bill the correct advertiser without knowing which ad was displayed to the user. We describe a cryptographic billing system that directly solves the problem. We implemented the core targeting system as a Firefox extension and report on its effectiveness.

If only Google were to implement this crypto-scheme


Simulation of the impact of stop-losses on returns (MSFT stock)

In the investing world, stop-loss orders are the most used risk management device: so simple and intuitive that they confuse reason and common sense. But the hidden costs of stop-losses alter the shape of expected future return distributions, resulting in no inherent edge to be had in using neither stop-losses nor profit-taking stops, or any combination of them; and as volatility of the underlying asset’s returns is increased, the impact of stop-losses increase as well, generating higher portfolio volatility. Precisely, the opposite of what is intended: the perceived benefits of the stop-loss are largely balanced out by the hidden costs.

Note: Trading desks may profit from large quantities of sell orders from client’s stop-loss/profit-taking orders known in advance, so don’t expect them to disappear anytime soon.


The FCC allowed small and rural telcos (local exchange carriers, LECs) in the USA to charge higher access fees to long distance and wireless companies (AT&T, Sprint, Verizon) to subsidize them, under the auspices of the Telecommunications Act of 1996. Abusing the prerogative, they partnered with conference call providers and providers of other shady services, giving birth to traffic pumping: generate high volume of incoming calls above typical rural usage to charge millions of dollars of fees to long distance and wireless companies and split the revenues with the service providers. Fast-forward to the present, technological advances and new business models are having a hard time to operate under this old set of rules, hampering new innovative services like Google Voice.

Every distortion introduced by regulators in the free market and the natural state of technology, however well-intended, sows the seeds of its own self-destruction.


BOM (Bill of Materials) for Mobile Phones

The mobile industry is not like the PC industry, populated by manufacturers that are just component assemblers of the various parts (memory, CPU, HD, …). In the mobile industry, the more vertical integrated mobile manufacturer is Samsung, a market leader in displays, memory and CPUs for mobile phones that also sells its quality components to other OEMs and ODMs (Apple To Buy Components Worth $7.8 Bln From Samsung Electronics This Year).

As shown in the graph above of a typical bill of materials of a mobile phone, those parts are the costlier and more important of a mobile phone: from this point of view, Samsung looks like a vertical mainframe manufacturer from the 60-70s, but with much of its software developed by an external provider (Android). So not only they have an obvious cost advantage on the low end of the smartphone market, they are also the leaders managing component droughts and bullwhip effects, which are very profit destroying in the mobile industry. Finally, note that the first reason Nokia has decided to go the Microsoft’s route is to differentiate enough from Samsung’s Android offerings, the second biggest mobile manufacturer after Nokia.


Addictive Number Theory

In 1996, just after Springer-Verlag published my books Additive Number Theory: The Classical Bases [34] and Additive Number Theory: Inverse Problems and the Geometry of Sumsets [35], I went into my local Barnes and Noble superstore on Route 22 in Springfield, New Jersey, and looked for them on the shelves. Suburban bookstores do not usually stock technical mathematical books, and, of course, the books were not there. As an experiment, I asked if they could be ordered. The person at the information desk typed in the titles, and told me that his computer search reported that the books did not exist. However, when I gave him the ISBN numbers, he did find them in the Barnes and Noble database. The problem was that the book titles had been cataloged incorrectly. The data entry person had written Addictive Number Theory.


The automatic exploit generation challenge is given a program, automatically find vulnerabilities and generate exploits for them. In this paper we present AEG, the first end-to-end system for fully automatic exploit generation. We used AEG to analyze 14 open-source projects and successfully generated 16 control flow hijacking exploits. Two of the generated exploits (expect-5.43 and htget-0.93) are zero-day exploits against unknown vulnerabilities. Our contributions are: 1) we show how exploit generation for control flow hijack attacks can be modeled as a formal verification problem, 2) we propose preconditioned symbolic execution, a novel technique for targeting symbolic execution, 3) we present a general approach for generating working exploits once a bug is found, and 4) we build the first end-to-end system that automatically finds vulnerabilities and generates exploits that produce a shell.

The first step to automatically search for and exploit the most basic vulnerabilities is done, and incremental improvements will surely follow. While this won’t have a deep impact on the computer security industry, since it’s already full of people exploiting software for free, it will surely have a real impact on the programming world: right now, all coders not acquainted with secure code-writing skills should be fired. For more information, visit the following link: Automatic Exploit Generation.

Set your Twitter account name in your settings to use the TwitterBar Section.