Prof Avery's weblog
doddering docent to the museum of misanthropy


CSU Fullerton Perl Powered Python vi Hacker

Geek News

del.icio.us bookmarks


Thu, May 19, 2005

Class Cancelled
Well... actually, you probably knew that. I was, like some of the rest of you folks, stuck in traffic on the 57. Incident Response and Forensics will, of course, not be covered in the Final Exam. If you haven't turned in Assignment 8, you may do so on the day of the final.

/var/spool/courses/csuf/2005/spring/cpsc433 #

Sun, May 15, 2005

Full-Disclosure Weekend

/var/spool/courses/csuf/2005/spring/cpsc433/misc #

Fri, May 13, 2005

Final Review
The review sheet for the final exam is ready.

/var/spool/courses/csuf/2005/spring/cpsc433 #

Tue, May 10, 2005

Symantec Worm Simulator
Symantec has released a Worm Simulator. I can't tell whether this is just a sales tool ("Oooh, look at the scary worm! Buy stuff from us or the worm will get you!") or if it could be useful as a research tool.

If you're running Windows, download it and let me know.

/var/spool/courses/csuf/2005/spring/cpsc433/misc #

Fri, Apr 08, 2005

Stupid Spammer Tricks
You've all seen those spam messages with subject lines like "Make $$$ Fast! libertarian expiation gonzo (xyzzy)". The spammers include nonsense words in an attempt to fool Bayesian filters. It doesn't work very well, but they still do it.

But here's a new twist. The other day I got a spam e-mail whose subject line included the word "quadric." Since we'd been talking about quadric surfaces in my graphics class just the other day, they almost got me to read their stupid advertisement.

I figured it was just a coincidence until yesterday I got one whose subject line contained "cryptanalysis." I gather they've taken to scraping web pages: when they decide to spam whomever@example.com, they first check to see if there's a www.example.com, then grab a statistically significant word from that page and use it in the subject line, hoping to fool you into opening it.

Clever, but not clever enough. Did I mention that both of the e-mails had already been automatically filed under "Spam?"

/var/spool/courses/csuf/2005/spring/cpsc433/misc #

The DNS Poisoning Attacks
As of this post, the latest update from SANS was here.

The attacks are serious enough that the Internet Storm Center has raised their Infocon level to "Yellow." I know this because the icon in my system tray has turned yellow and started flashing.

/var/spool/courses/csuf/2005/spring/cpsc433/misc #

Wed, Mar 30, 2005

For those of you who are interested in spy-stuff, I recommend the new book Chatter: Dispatches from the Secret World of Global Eavesdropping by Patrick Radden Keefe.

To quote Scott McNealy (CEO of Sun Microsystems): "You already have no privacy. Get over it."

/var/spool/courses/csuf/2005/spring/cpsc433/misc #

Tue, Mar 29, 2005

The Secret Service and Distributed Computing
The Washington Post has an article on the Secret Service's internal system for cracking encrypted files. Sort of their own distributed.net.

/var/spool/courses/csuf/2005/spring/cpsc433/misc #

Sat, Mar 19, 2005

E-mail address encryption
Ok, this is kind of neat: a program that takes your e-mail address, encrypts it using 10-bit RSA, then generates a JavaScript program to decrypt it and generate a mailto: link in a web page. Why do such a thing? Because if you post an e-mail address as plaintext on a web page (like, say, that link to spool@kenytt.net over on the left), it'll be a matter of minutes before some lowlife scrapes it and spams you.

So I was setting up an autoresponder for homework assignments, and figured I'd give it a shot.

/var/spool/courses/csuf/2005/spring/cpsc433/misc #

Tue, Mar 15, 2005

Paper Summary 4
As promised, I've moved the due date for Paper Summary 4 until after Spring Break. Notice, though, that Paper Summary 5 is due at the very next class meeting -- I recommend that you do not put it off until then.

/var/spool/courses/csuf/2005/spring/cpsc433 #

Mon, Mar 14, 2005

Midterm Review
The review sheet for the midterm is available.

Note that I've revised the course outline slightly, dropping Chapter 15 from the midterm, paring down a few chapters into individual sections, adding a section (6.4), and adding a second reading to the section on Kerberos.

/var/spool/courses/csuf/2005/spring/cpsc433 #

Sun, Mar 06, 2005

New NSA Security Standard
The National Security Agency has released a new, recommended set of cryptographic standards for securing sensitive and unclassified data. The standard, called "Suite B," specifies Elliptic-Curve algorithms for public-key cryptography along with the existing AES and SHA standards for symmetric cryptography and hashing.

/var/spool/courses/csuf/2005/spring/cpsc433/misc #

If you're not at least a little paranoid by the time you finish this class, then I haven't been doing my job: from our friends at CAIDA comes "Remote physical device fingerprinting."

Every computer clock has a bit of skew caused by tiny differences in the hardware. This causes the clock to be slightly different from every other clock, and it could be used to uniquely indentify your computer. It turns out that you can measure this skew from almost anywhere on the Internet, even from behind a firewall. Which means that, potentially, your computer can be tracked even if connects to the Internet through different networks...

Paranoid yet?

/var/spool/courses/csuf/2005/spring/cpsc433/misc #

Wed, Feb 23, 2005

An Illustrated Guide to Cryptographic Hashes
I've added a link to Steve Friedl's An Illustrated Guide to Cryptographic Hashes to the course outline. I'll say about this page what I said about the Kerberos paper: if you have trouble following the book, see if this helps.

/var/spool/courses/csuf/2005/spring/cpsc433 #

Cracking DES
For the full story on DES, see Cracking DES: Secrets of Encryption Research, Wiretap Politics, and Chip Design.

/var/spool/courses/csuf/2005/spring/cpsc433/misc #

Tue, Feb 22, 2005

Assignment Update
I've updated the assignment sheet with a more detailed list of guidelines, based on common problems with the first set of summaries. Please take a few moments to read them prior to turning in Assignment 2.

/var/spool/courses/csuf/2005/spring/cpsc433 #

Wed, Feb 16, 2005

Big Crypto News
From Bruce Schneier's weblog: SHA-1 has been broken. Two weeks from now we'll be talking about hash functions. By that time it may be confirmed, and we'll talk about the implications.

/var/spool/courses/csuf/2005/spring/cpsc433/misc #

Tue, Feb 15, 2005

More reading material
I've added another article to the March 10 reading on Kerberos: "Designing an Authentication System: a Dialogue in Four Scenes."

I know, I know, yet more reading; but if you run into trouble while reading Section 14.1, try this article and see if it clears things up.

/var/spool/courses/csuf/2005/spring/cpsc433 #

Wed, Feb 09, 2005

Linear and Differential Cryptanalysis Tutorial
On Thursday, we'll be talking about cryptanalysis. I'll give you an overview of the linear and differential techniques, but if you want to know more, check out A Tutorial on Linear and Differential Cryptanalysis by Howard M. Keys.

/var/spool/courses/csuf/2005/spring/cpsc433/misc #

The Two-Page Limit
I received an e-mail asking how firm I intend to be about the two-page limit for Thursday's assignment. The short version of the answer is "pretty firm."

The long version of the answer is that you should consider two pages to be a firm lower limit -- go much more than a paragraph under two pages, and you're not likely to get full credit for having completed the assignment.

The upper limit is slightly more flexible. Take three pages, if you feel like you need the space. But I do not want more than that -- I don't grade by volume. If you can't get it in three, get some help editing. If you can't find someone to help you edit, come by during office hours (I am available Wednesday afternoon) and ask for help, or send me e-mail.

/var/spool/courses/csuf/2005/spring/cpsc433 #

Sun, Feb 06, 2005

Handbook of Applied Cryptography
Another reference book available free on the Internet is the Handbook of Applied Cryptography from CRC Press.

/var/spool/courses/csuf/2005/spring/cpsc433/misc #

Sat, Feb 05, 2005

Army Cryptanalysis Field Manual
This is interesting... a copy of a US Army Field Manual for Cryptanalysis. (via Slashdot)

/var/spool/courses/csuf/2005/spring/cpsc433/misc #

Tue, Feb 01, 2005

Reading Updates
I've added readings for May 3 and May 5 to the outline that do not appear on the version handed out in class.

May 3
Dhanjani, N., "Installing and Configuring Nessus," ONLamp.com, April 2004.

Dhanjani, N., "Writing Nessus Plugins," ONLamp.com, June 2004.

McNab, C., "IP Network Scanning," Chapter 4 of Network Security Assessment, O'Reilly and Associates, March 2004.

May 5
Aleph One, "Smashing the Stack for Fun and Profit," Phrack, Vol. 7, No. 47, November 1996.

/var/spool/courses/csuf/2005/spring/cpsc433 #

CpSc 433, Data Security and Encryption Techniques
Click here for the syllabus, outline, and other resources.

Please note that the outline is incomplete -- I have not yet decided on readings for May 3, 5, 12, and 19. When they become available, I will post a notice here.

/var/spool/courses/csuf/2005/spring/cpsc433 #



March 2021
Sun Mon Tue Wed Thu Fri Sat