We focus almost exclusively on software that runs locally on Linux because of all the great software that is available. But in this post we’ll take a look at a couple of web-based resources for doing some pretty effective image forensics.

We test drove these sites using JPEG and PNG image files with content hidden inside. Our PNG test image had another image hidden inside using LSB steganography – using the least significant bits. We used two JPEG images with the same fairly large image hidden inside, one using the Matroschka program and the other using Steghide.


Did Google do something amazing, again? Should we even care? Is this the beginning of the end? Do we need to worry about quantum computers breaking our encryption? For the answers to these and a down-to-earth explanation of what it all means, please read on.

First of all, we don’t know if Google did indeed achieve quantum supremacy. We won’t know for sure for some time to come. TL;DR – if they did, it really doesn’t change anything that will affect online commerce, cryptocurrency, encrypted communications or anything people are worried about. This is all about proving whether or not there are things that can be computed with these machines, once we get better at building them, that cannot be computed by quantum simulators – a.k.a. conventional computers. That’s the short answer; a slightly longer one follows.


Let’s now take a look at using cryptographic hashing functions in Python programs. We’ll mainly focus on the hashlib module, which provides all the common hashing functions we’re likely to need. Your interpreter probably supports more, but you’ll only actually need a handful of these to cover almost every use case.

To see the hashing functions guaranteed to be supported on all platforms:
>>> import hashlib
>>> hashlib.algorithms_guaranteed
{'sha512', 'md5', 'blake2s', 'sha256', 'sha224', 'sha3_256', 'shake_256', 'sha1', 'shake_128', 'sha3_512', 'sha3_224', 'sha3_384', 'sha384', 'blake2b'}


Short or overly simple passwords are insecure. If you are using a short, memorized password then you need to change it often; if you are using a password manager, use a long, complex password and you don’t need to change it as often. For short passwords, do not use the first character as your required capital letter and an exclamation mark at the end of the string as your one required non-alphanumeric character – don’t be predictable.

One further comment about password length, aside from what was mentioned earlier (length is more important than complexity), is that there is no good excuse for a website to not allow very long passwords. Passwords should never be stored by a site; it should always store a salted hash – which is a fixed length, regardless of the password length. Be suspicious of websites that do not allow fairly long passwords!


There are many hashing algorithms commonly used in cryptography and they have names like SHA1, MD5 and so on. These hashing methods have advanced in the past couple of decades, and although we commonly use the older ones in our everyday lives, it’s worth briefly looking at newer and better alternatives.

We explored the basic properties of hashing functions in the previous post about cryptographic hashing functions, what characteristics made them desirable, what types of programming applications they are commonly used in, and for what purpose.


How often should you change your password? Should you use a password manager? Should you store passwords in your browser? There are many common questions about passwords and password managers, so let’s take a look at a few of them.

How to choose a password manager? Do you really need one? 22% of 12,500 people surveyed, from 21 countries, said they wrote their passwords down in a notepad, 11% said they wrote them on a sticky note or piece of paper, and 11% said they stored them in a file on Dropbox or similar. None of these behaviors is secure in the way that using a password manager is, so go ahead and make the switch.


Hashing is an essential part of modern software systems, and we’re going to explain what you need to know to use hashing functions in your programs. We’ll be focusing mainly on the terrific hashlib module in Python. We also want to stick to the most secure and most widely used cryptographic hashing functions, although there certainly are plenty of others.

This is probably going to be a three-part series of posts because I want to first explain what hashing is, why it’s useful and what types of things we would use it for. Hashing functions are widely used in programming and it’s not always clear why things are done the way they are, so a quick intro to the basic ideas will probably go a long way to address that. Slightly different types of hashing functions are useful for different tasks due to the subtle differences in their underlying properties, so it’s useful to compare and contrast specific hashing functions and look at specific programming use cases.


Passwords have been the preferred method of authenticating users since the earliest days of the Internet, and they continue to be used for that purpose to this day. The security issues are well known, but few people consider the privacy pitfalls.

Our most private digital data are protected by passwords, yet people are generally lacking in the skills needed to use passwords effectively. This is due partly to the ever growing number of websites we need to access with credentials, and partly due to the need to use increasingly complex passwords.

Password cracking using common programs is amazingly easy for bad passwords. A best practice is to check a password you’re about to use against a database of compromised passwords, because these lists of common, cracked passwords are often used to try to guess yours – but we’re getting ahead of ourselves.


Smart cities hold great potential and solve all sorts of problems that our analog cities suffer from. So say the technologists who envision highly connected systems of sensors and devices that are managed by AI systems. How smoothly and efficiently our cities will be run, they say, offering us many advantages based on that interconnectivity and alleviating so many current problems.

Smart cities seem to come with some inherent dangers too, such as the risk of security flaws being exploited. Being smart also means having lots of information about what is going on in the city, and this increases the odds of privacy issues arising from the gathering, transmitting, analyzing and storing of so much information including data about the people in a smart city.


China is pioneering efforts to track and surveil its citizens using AI systems with data from facial recognition systems paired with other tracking technologies. Body movement or gait analysis technology has been deployed already in Shanghai and Beijing, and perfectly complements facial recognition technology for this purpose.

One company, Watrix, has software that can identify people based on physical characteristics from up to 50 meters away, whereas facial recognition technologies require a relatively close view of a person’s face. However once scanned at close range, an identified person can be tracked at a distance using gait recognition software from pretty much any system of cameras.


The Simple Mail Transfer Protocol (SMTP) has survived to this day due to widespread use, enabling us to send email messages quickly to people all over the planet. Yet email remains a sore spot for privacy advocates and a nightmare for security professionals. Email was the first real application on the Internet, and remained the most popular app even after the web became popular in the 1990s.

In the 1970s, when the Internet was still being developed, people read and sent email by logging in to a central computer on a console and using a text-based email program. This basic technique of sending text messages and reading them using simple email programs continued to be the primary method of communicating online through the 1990s. But now, with yearly email messages sent somewhere on the order of one hundred trillion, it has grown into an unrecognizable beast.


Google filed a patent application for “Smart-home automation system that suggests or automatically implements selected household policies based on sensed observations”. This is a futuristic look at automated systems that monitor “temperature, humidity, lighting, water, power usage, sound signals, ultrasound signals, radio-frequency, other electromagnetic signals or fields, GPS, proximity, motion, light signals, fire, smoke, other gas, etc.”

Google’s smart home vision includes modules to allow setting household policies that are marketed as controls aimed at empowering parents to limit children’s activities; e.g. no television before doing homework. This is accomplished via a household manager module that infers everything from occupants’ activities to their emotional states.
