DASH (Digital Cash) and Bitcoin see record highs this week. Cloudflare bleeds sensitive user data from many sites for months. (CHANGE YOUR PASSWORDS!) The SHA-1 cryptographic hashing algorithm is done, son! These internet-connected teddy bears will let anyone spy on your kids & capture biometric voice data. The nine most popular password management apps had some serious security flaws. OPEC’s recent restrictions cost oil producers $2 trillion. Will “DNA computing” blaze past quantum computing?
All this and more on the Neocash Radio podcast, episode 196 — Wednesday, March 1st, 2017!
We’ve written out short overviews of the topics discussed on today’s show below! Be sure to listen in to the whole podcast to get more information, insights, and thoughts on each of them from JJ, Darren, and Randy!
Stream this podcast episode, or direct download the podcast as an MP3: Neocash Radio episode 196
Tune in to Neocash Radio every Wednesday night and RETWEET ALL THE THINGS @NeocashRadio!
| Traditional Financial Markets | Cryptocurrency Markets |
| --- | --- |
| Gold $1,249 | Bitcoin (BTC) $1,224 |
| Silver $18.39 | Ethereum (ETH) $16.89 |
| Oil $53.67 | DASH $45.00 |
| Dow Jones 21,115 points | Zcash (ZEC) $41.09 |
| 30Y UST Yield 3.071% | Monero (XMR) $12.36 |
Tavis Ormandy from Google’s Project Zero contacted web content provider Cloudflare earlier this month to report a security problem with Cloudflare’s servers. Some HTTP requests run through Cloudflare were returning corrupted web pages that contained private information such as HTTP cookies, private keys for cryptocurrency wallets, authentication tokens, HTTP POST bodies, and other sensitive data. The leak had been happening since September. Worse yet, some of that data had been cached by search engines.
Large tech companies such as Uber and Fitbit, as well as several cryptocurrency exchanges like Coinbase, Poloniex, Bitstamp, and Bitfinex, advised their users to change their passwords immediately. Likewise, for users who have two-factor authentication (2FA) on their accounts, it’s possible that the 2FA secret was leaked, so users of affected sites are also advised to disable and re-enable 2FA.
Researchers using a technique called “SHAttered” have demonstrated a “collision” in the 20-year-old SHA-1 crypto hashing algorithm — whereby two PDFs with different content put out an identical hash, which shouldn’t happen.
“The attack required nine quintillion (9,223,372,036,854,775,808) SHA-1 computations and took the equivalent of 6,500 years of single-CPU computations to complete phase one of the collision, and 110 years of single-GPU to finish phase two. Although that process sounds long, it’s 100,000 times faster than a brute-force attack on SHA-1.”
The researchers calculate that the estimated cost of a SHA-1 collision attack has fallen significantly in the past few years, which is why it’s being phased out for HTTPS security certificates. The researchers also highlight that Linus Torvalds’ code version-control system Git “strongly relies on SHA-1” for checking file integrity. Now that a SHA-1 collision has been found, the researchers warned: “It is essentially possible to create two Git repositories with the same head commit hash and different contents, say, a benign source code and a backdoored one.”
However, Torvalds played down concerns: “Git doesn’t actually just hash the data, it does prepend a type/length field to it”, making it harder to attack than a PDF. Torvalds continued, “Put another way: I doubt the sky is falling for Git as a source control management tool. Do we want to migrate to another hash? Yes. Is it game over for SHA-1 like people want to say? Probably not.”
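Torvalds’ point about the type/length field, worked through as an added Python example (this is not code from the show or from Git itself): Git hashes the header “<type> <size>\0” followed by the content, so a file’s Git object id is never the plain SHA-1 of its bytes. The sample content and the `blob_matches` helper are constructed for illustration.

```python
import hashlib


def plain_sha1(data: bytes) -> str:
    """SHA-1 over the raw bytes; this is what the SHAttered PDFs collide under."""
    return hashlib.sha1(data).hexdigest()


def git_object_id(data: bytes, obj_type: str = "blob") -> str:
    """Git's object id: SHA-1 over the header "<type> <size>\\0" plus the content.

    A collision pair built over raw bytes starts SHA-1 from its initial state.
    Git starts from the state reached after absorbing the header, so the
    near-collision blocks in such a pair no longer cancel out. An attacker who
    knows the files will be committed can include the header in the prefix
    before running the attack, which is why Torvalds says "harder", not immune.
    """
    header = f"{obj_type} {len(data)}\0".encode("ascii")
    return hashlib.sha1(header + data).hexdigest()


def blob_matches(data: bytes, expected_id: str) -> bool:
    """Integrity check in the spirit of `git fsck`: recompute the id and compare."""
    return git_object_id(data) == expected_id.strip().lower()


if __name__ == "__main__":
    sample = b"hello world\n"  # constructed sample content
    print("raw sha1:", plain_sha1(sample))
    print("git blob:", git_object_id(sample))  # same as `git hash-object`
```

The empty blob hashes to e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 under Git but to da39a3ee5e6b4b0d3255bfef95601890afd80709 under plain SHA-1, which is the difference Torvalds is describing.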
Want to learn more about cryptographic hashing, Bitcoin, mining cryptocurrencies, and blockchains? Check out our intro video: “Decrypting Bitcoin: Blockchain Technology Explained”
Smart Teddy Bear Security Hazard — The Internet of Unsecure Things
Spiral Toys has a teddy bear that connects with the internet and allows parents and children to exchange voice messages. These CloudPets toys store the messages and customer data on a database that isn’t behind a firewall or even password-protected. 800,000 customer login credentials and two million recorded messages are exposed for all to see. The news gets worse. Security researcher Paul Stone found that the toys could be remotely controlled by anyone in range with a smartphone. The toys use no encryption or Bluetooth pairing security measures; anyone nearby can simply connect with the free app. Once connected, a message can be sent that silently turns on recording, and the recorded audio can then be downloaded to the connecting smartphone.
Just a few days before the news of CloudPets, Germany’s telecommunications watchdog—the Federal Network Agency—warned parents that My Friend Cayla dolls could be used to remotely spy on homes. The doll has been banned in Germany. The issues mirror those of the smart teddy bears: the app uses no security protocols, and anyone in range can take control of the dolls. The dolls are made by Genesis Toys and distributed by the Vivid Toy group. The doll is also being scrutinized in the United States; this past December, advocacy groups (The Electronic Privacy Information Center, The Campaign for a Commercial Free Childhood, The Center for Digital Democracy, and Consumers Union) filed a complaint with the Federal Trade Commission.
The complaint details how the voice data is sent to Nuance Communications, Inc., where it is converted from audio to text. The report goes on to explain how the User Terms and Conditions allow Nuance to use the voice and data for improving company products and services. And finally the report points out that “Nuance services and products include voice biometric solutions sold to military, intelligence, and law enforcement agencies.” The service they mention is called Nuance Identifier, a “highly accurate voice biometric solution that allows public security officials to quickly and easily identify known individuals through their voice within large audio data sets,” and “Nuance claims to have over 30 million voiceprints enrolled in its voice biometric system.”
Also from the complaint: “If you are under 18 or otherwise would be required to have parent or guardian consent to share information with Nuance, you should not send any information about yourself to us.”
Team [SIK] has published a report detailing the numerous flaws in the top nine password apps available for Android on Google Play. The apps examined were LastPass, Keeper, 1Password, My Passwords, Dashlane Password Manager, Informaticore’s Password Manager, F-Secure KEY, Keepsafe, and Avast Passwords, and a total of 26 security flaws were found by the security firm. The good news is that as of this report all of the vulnerabilities have been fixed by the vendors, so users are strongly advised to update their apps.
Talking to the media in Egypt, the cartel’s director general Mohammed Barkindo said that about half of the $2 trillion is chalked up to lost revenue, while the rest is lost due to failed capital investments and cancelled projects.
Imagine a computer based on biological molecules rather than silicon. Researchers at the University of Manchester in the United Kingdom have demonstrated the feasibility of engineering a non-deterministic universal Turing machine: a machine that grows as it computes. The study will be published in the Journal of the Royal Society Interface.
Professor King, from Manchester’s School of Computer Science, explains why the potential speed could be vast: “Imagine a computer is searching a maze and comes to a choice point, one path leading left, the other right. Electronic computers need to choose which path to follow first. But our new computer doesn’t need to choose, for it can replicate itself and follow both paths at the same time, thus finding the answer faster.”
Rather than a binary alphabet, a one or zero, the DNA computer would use the four-character genetic alphabet – A [adenine], G [guanine], C [cytosine], and T [thymine].
- Check out a bonus ~5 minute editorial podcast from JJ: “Blockchains Will Become the DNA of Our Future Society”
- A bonus episode released this week with our special guest Andy: “Bitcoin Blocksize Rants & Raves: Long Waits & High Fees”
- Will the Winklevoss Twins’ “Winklevoss Bitcoin Trust” ETF get approved by the SEC this month?
- What does Ethereum’s 2017 road map look like?