To be (encrypted) or not to be? That was the question.

Yesterday was an eventful day in British news, as far as computer security is concerned always. No, I am not talking about the ‘Windows random number generator is so not random’ [1, 2] by which all cryptographic systems using Windows Operating System’s (here Win. 2000) pseudo-random number generator (PRNG) are vulnerable.

Update: Computerworld.com reported [5] that Windows XP contains the bug and a fix will be provided with SP3 (out next year). Also…

‘…Windows Vista, Windows Server 2008, and Windows Server 2003 SP2 are not affected… ‘

‘Because the company has determined that the PRNG problem is not a security vulnerability, it is unlikely to provide a patch.’

I am talking about the 25 million records [3] that was stored on two disks and were lost while on transit (by unrecorded delivery) to the National Audit office. The disks included names, addresses, date of birth, national insurance numbers and bank accounts. They did mention they where protected by a password. Nice one!

The second interesting news from yesterday was that of the animal rights activists [4] having to surrender (Section 51) any cryptographic keys they know or make the encrypted information ‘intelligible’ (Section 49) under RIPA. This is of special interest as it is the first case by which the new sections of Regulation of Investigatory Powers Act (RIPA) are being used.

An interesting mention by the BBC News [4] site is that: ‘The BBC news website talked to one animal rights activist who had their computer seized in May and has received a letter from the CPS.’. Poor employee, think the BBC will think twice before interviewing an activist again?

Future watch: Let see what happens when pharmaceuticals start producing ‘acute Alzheimer’s disease for a year pill’. Oh rightâEUR¦ encryption will be so weak with bad implementations we wont need the keys anyway.

Links Used:
[1] ‘Windows random number generator is so not random’ – http://www.theregister.co.uk/2007/11/13/windows_random_number_gen_flawed/

[2] Leo Dorrendorf and Zvi Gutterman and Benny Pinkas, ‘Cryptanalysis of the Random Number Generator of the Windows Operating System’, ACM CCS 2007 conference – http://eprint.iacr.org/2007/419

[3] ‘Darling says 25m records ‘lost” – http://news.bbc.co.uk/2/hi/uk_news/politics/7103566.stm

[4] ‘Campaigners hit by decryption law’ – http://news.bbc.co.uk/2/hi/technology/7102180.stm

[5] ‘Microsoft confirms that XP contains random number generator bug’ – http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9048438

This entry was posted in Uncategorized. Bookmark the permalink.

3 Responses to To be (encrypted) or not to be? That was the question.

  1. Drew says:

    Intresting thing is, the activists are not yet subject to a RIPA order, they have been “invited” to hand over the keys (volunterilly).

    This is obviously done before they are subjected to 51, so the local plod cant say they are being heavy handed with the gerbil loving people) After that they cant talk to be bbc because telling people you have been made the subject of a 51 is a breach of 54 (or whatever).

    excellant bit of legislation that, i wonder how many urqhart responses will come out of those interviews[1]

    [1] http://en.wikipedia.org/wiki/Francis_Urquhart

  2. Konstantinos Xynos says:

    It would seam that the HM Revenue and Customs have more disks (CDs, I think) missing!

    http://news.bbc.co.uk/1/hi/uk_politics/7111056.stm

  3. Smock says:

    “They did mention they where protected by a password”

    I heard that they had the habit of using a cd pen to write the password on the disk.

Leave a Reply

Your email address will not be published. Required fields are marked *