PGP Vulnerability Pre-announced By Security Researcher

From the gaping maw of the infosec Twitterverse comes horrifying news. PGP is broken. How? We don’t know. When will there be any information on this vulnerability? Tomorrow. It’s the most important infosec story of the week, and it’s only Monday. Of course, this vulnerability already has a name. Everyone else is calling it eFail, but I’m calling it Fear, Uncertainty, and Doubt.

Update: eFail site and paper now available. This was released ahead of Tuesday’s planned announcement when the news broke ahead of a press embargo.

Update 2: The report mentions two attacks. The Direct Exfiltration attack wraps the body of a PGP-encrypted email around an image tag. If a mail client automatically decrypts this email, the result will be a request to a URL containing the plaintext of the encrypted email. The second attack only works one-third of the time. Mitigation strategies are to not decrypt email in a client, disable HTML rendering, and in time, update the OpenPGP and S/MIME standards. This is not the end of PGP, it’s a vulnerability warranting attention from those with a very specific use case.

Update 3: Hackaday has published an in-depth explanation of how eFail works which details the scope of the vulnerability.

[Sebastian Schinzel] announced on Twitter today he will be announcing a critical vulnerability in PGP/GPG and S/MIME email encryption. This vulnerability may reveal the plaintext of encrypted emails. There are currently no fixes — but there’s no proof of concept, or any actual publication of this exploit either. The only thing that’s certain: somebody on Twitter said encrypted email is broken.

The EFF has chimed in on this exploit and advises everyone to immediately disable and uninstall tools that automatically decrypt PGP-encrypted email. It also looks like the EFF came up with a great little logo for eFail as well so kudos on that.

While there are no details whatsoever concerning eFail aside from a recommendation to not use PGP, a few members of the community have seen a pre-press of the eFail paper. [Werner Koch] of GnuPG says eFail is simply using HTML as a back channel. If this is true, PGP is still safe; you just shouldn’t use HTML emails. If you really need to read HTML emails, use a proper MIME parser and disallow access to external links. It should be noted that HTML in email is already an attack vector and has been for decades. You don’t need to bring PGP into this.
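The mitigation given in Update 2 and in [Werner Koch]'s comment above (parse MIME properly, render HTML without access to external resources) can be implemented as a client-side filter. The following is an added example, not code from Hackaday, GnuPG or the eFail authors; it assumes a mail client that parses MIME with Python's standard library and renders each HTML part only after it has passed through this filter. The sample message, its addresses and its hostnames are constructed.

```python
# Added example (not Hackaday's, GnuPG's or the eFail paper's code). Assumes a
# client that parses MIME with the stdlib and renders HTML only after filtering.
import email
import html as htmlmod
from email import policy
from html.parser import HTMLParser

# Attributes that make a renderer fetch a resource with no user interaction.
AUTO_FETCH_ATTRS = {"src", "background", "poster", "data"}
REMOTE_PREFIXES = ("http:", "https:", "ftp:", "//")


def is_remote(value: str) -> bool:
    # References that leave the machine; cid:/data: stay local and are kept.
    return value.strip().lower().startswith(REMOTE_PREFIXES)


class RemoteContentBlocker(HTMLParser):
    """Re-emits HTML with remote auto-fetch references removed; the blocked
    references are kept in ``blocked`` so the client can show a banner."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.blocked, self._in_style = [], [], False

    def _emit_tag(self, tag, attrs, self_closing):
        if tag == "style":  # <style> can @import or url() remote content
            self._in_style = True
            return
        parts = [tag]
        for name, value in attrs:  # HTMLParser already lower-cases names
            if value is None:
                parts.append(name)
            elif name == "style" and "url(" in value.lower():
                self.blocked.append((tag, name, value))  # inline CSS fetch
            elif (name in AUTO_FETCH_ATTRS
                  or (tag == "link" and name == "href")) and is_remote(value):
                self.blocked.append((tag, name, value))
                parts.append(f'data-blocked-{name}=""')  # inert placeholder
            else:
                parts.append(f'{name}="{htmlmod.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._in_style:  # data arrives unescaped, so re-escape on output
            self.out.append(htmlmod.escape(data, quote=False))


def sanitize_html(markup: str):
    """Return (sanitized_markup, blocked_refs) for one HTML body."""
    parser = RemoteContentBlocker()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.blocked


def sanitize_message(raw: bytes):
    """Filter each text/html part of a MIME message separately, so markup is
    never completed across part boundaries. Returns one tuple per part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [sanitize_html(part.get_content())
            for part in msg.walk() if part.get_content_type() == "text/html"]


# Constructed sample (not a real capture): remote stylesheet, CSS url() fetch,
# tracking pixel, and a local cid: image that must survive untouched.
SAMPLE_EMAIL = b"""From: alice@example.test
To: bob@example.test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<html><head><link rel="stylesheet" href="https://cdn.example.test/mail.css"></head>
<body style="background:url(https://cdn.example.test/bg.png)">
<p>Hi <b>Bob</b> &amp; friends</p>
<img src="https://tracker.example.test/pixel.png" alt="">
<img src="cid:logo@example.test" alt="logo">
</body></html>
--b1--
"""
```

The filter has to sit on whatever the client actually hands to its renderer: if a client concatenates decrypted content into an HTML body before rendering, the concatenated result is what must be filtered, which is why the MIME walk above treats every part on its own and never fetches anything while deciding what to show.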

Should you worry about a vulnerability in PGP and email encryption? Literally no one knows. European security researchers are working on a publication release right now, but other experts in the field who have seen the paper think it’s not a big deal. There is no consensus from experts in the field, and there is no paper available right now. That last point will change in a few hours, but for now eFail just stands for Fear, Uncertainty, and Doubt.

Hurricane Simulator Buoys Research

They say an ounce of prevention is worth a pound of cure. In this case, 38,000 gallons of seawater is worth an un-quantifiable amount of knowledge about hurricanes. At the University of Miami’s Rosenstiel School of Marine and Atmospheric Science, [Brian Haus] and his colleagues study hurricanes using a simulator–an enclosed glass tank about the size of a lap-swimming pool. With the flip of a switch, a 1700 hp fan can create winds up to 200 miles per hour—stronger than a baseline category 5 hurricane.

Although there’s currently no cure for hurricanes, understanding how they work goes a long way in forecasting their intensity. Scientists know that hurricanes are fueled by the ocean’s warmth, but there’s still plenty of mystery to them. By studying what happens where the wind meets the water, they think they’ll figure out how surface factors like sea spray and bubbles affect a storm’s intensity and drag coefficient. Surf the break to catch the wave tank in action.

Until there’s a cure for hurricanes, we’ll just have to live with them and engineer our structures to withstand them.


Emboss Your Own Seals With A Laser Cutter

Parchment might be a thing of the past, but for those of us who still use paper an embossed seal can give everything from your official documents to your love letters a bold new feeling of authenticity. As far as getting your own seals made, plenty of folks will settle for having a 3rd party make them a seal, but not us. [Jason] shows us just how simple it is to raster our own seals with a laser cutter.

As far as the process goes, there are no tricks outside the typical workflow for raster engraving. Here, [Jason] simply creates a positive and (mirrored) negative seal pattern for each side of the seal embosser. The pattern is set for raster engraving, and the notched outline will be vector cut. From here, he simply exports the design, and the laser handles the rest.

This hack turned out so cleanly it almost seems like it could go into professional use–and it already is! Some extra Google-fu told us that it’s actually a fairly standard technique across the embossing industry for making embossing seals. Nevertheless, we couldn’t help but share our excitement for just how accessible this technique can be to anyone within reach of some time on a laser cutter.

[Jason] is using Delrin as his material to capture the design, which cuts cleanly and nicely handles the stress of being squished against your legal documents a couple hundred times. We’ve had our fair share of love on these pages for this engineering plastic. If you’re looking to get a closer look at this material, have a go at our materials-to-know debrief and then get yourself equipped with some design principles so that you’re ready to throw dozens of designs at it.

It’s not the first time the crafting and hacking communities intermingle and start sharing tools. In fact, if you’ve got yourself a vinyl cutter kicking around, why not have a go at churning out a few PCB stencils?

Thanks for the tip, [Doug]!


Mechanisms: Mechanical Seals

On the face of it, keeping fluids contained seems like a simple job. Your fridge alone probably has a dozen or more trivial examples of liquids being successfully kept where they belong, whether it’s the plastic lid on last night’s leftovers or the top on the jug of milk. But deeper down in the bowels of the fridge, like inside the compressor or where the water line for the icemaker is attached, are more complex and interesting mechanisms for keeping fluids contained. That’s the job of seals, the next topic in our series on mechanisms.


Great Beginnings For Vintage Computing In Seattle; VCF PNW

The pitch to my wife was simple: “Feel like spending the weekend in Seattle?” That’s how I ended up at the inaugural Vintage Computer Festival Pacific Northwest last weekend, and I’m glad we made the five-hour drive into The Big City to check it out. Hackaday is a VCF sponsor, after all, so it seemed like a great excuse to make the trip. That it ended up being two consecutive days of great Seattle weather was only icing on the cake of being able to spend time with fellow retro computer aficionados and their dearest bits of old hardware, in a great museum dedicated to keeping computer history alive and accessible.

The fact that Seattle, home of Microsoft, Amazon, and dozens of other tech companies, has until now been left out of the loop in favor of VCF East in New Jersey and VCF West in Mountain View seems strange, but judging by the reception, VCF PNW is here to stay and poised to grow. There were 20 exhibitors for this go around, showing off everything from reanimated PDP-11 and Altair 8800 control panels to TRS-80s from Model 1 through to the CoCo. Almost every class of reasonably transportable retro hardware was represented, as well as some that pushed the portability envelope, like a working PDP-8 and a huge Symbolics 3640 LISP workstation.


Quantum Searching In Your Browser

If you’ve made it through the last two posts on quantum computing (QC), then you’ve seen the Quirk simulator, a little of IBM’s web-based offering, and how entanglement and superposition can do strange and possibly wonderful things. However, the superdense encoding I showed you didn’t really feel like a real computer algorithm. This time we will look at Grover’s algorithm which is often incorrectly billed as an “unstructured database search.” In reality, it is an algorithm for making a state — that is a set of qubits — match some desired state without simply setting the state.

By analogy, consider a web service where you guess a number. Most discussions of Grover’s algorithm will tell you that the service will only tell you if the number is correct or not. If the number was from 1 to 16, using traditional computing, you’d have to query the values one at a time to see which is correct. You might get lucky and hit the first time. Or it might take 16 times. With qubits you can get the same result in only four attempts. In fact, if you try more times, you might get the wrong answer. Of course, what you really get is an answer that is probably correct, because that’s how QC works.
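The guess-a-number analogy can be run as a plain state-vector simulation without any quantum library. The following is an added example, not code from the Hackaday quantum series, Quirk or IBM's tools; it represents the N possible guesses as N amplitudes, applies the oracle (a sign flip on the correct guess; index 11 of 16 below is a constructed choice) and the diffusion step, and reports the probability of measuring the right answer after each iteration count, so both the speed-up and the fall-off from iterating too many times are visible. It works for any N, not just the 16 in the text.

```python
# Added example (not from the Hackaday series): a plain state-vector simulation
# of Grover's algorithm; no quantum library, just amplitudes in a Python list.
import math


def grover_success_probability(n_items: int, marked: int, iterations: int) -> float:
    """Probability that measuring after `iterations` Grover steps yields `marked`."""
    if not 0 <= marked < n_items:
        raise ValueError("marked index out of range")
    amp = [1.0 / math.sqrt(n_items)] * n_items  # uniform superposition
    for _ in range(iterations):
        amp[marked] = -amp[marked]               # oracle: phase-flip the answer
        mean = sum(amp) / n_items
        amp = [2 * mean - a for a in amp]        # diffusion: reflect about the mean
    return amp[marked] ** 2


def success_curve(n_items: int, marked: int, max_iterations: int) -> list:
    """Success probability for 0..max_iterations steps: shows the peak and the fall-off."""
    return [grover_success_probability(n_items, marked, k)
            for k in range(max_iterations + 1)]


def best_iteration_count(n_items: int, marked: int) -> int:
    """Iteration count with the highest success probability within the first
    sqrt(N) steps, found by simulation; matches floor(pi/4 * sqrt(N)) for one
    marked item (3 for N = 16)."""
    curve = success_curve(n_items, marked, math.ceil(math.sqrt(n_items)))
    return max(range(len(curve)), key=curve.__getitem__)


if __name__ == "__main__":
    for k, p in enumerate(success_curve(16, 11, 6)):
        print(f"{k} iterations: P(correct) = {p:.3f}")
```

For N = 16 the curve peaks after three iterations at about 96% and is already down to about 58% after four, which is the "try more times and you might get the wrong answer" effect the post describes; the classical search needs on average about N/2 queries.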


Jill Tarter: Searching For E.T.

What must it be like to devote your life to answering a single simple but monumental question: Are we alone? Astronomer Jill Tarter would know better than most what it’s like, and knows that the answer will remain firmly stuck on “Yes” until she and others in the Search for Extraterrestrial Intelligence project (SETI) prove it otherwise. But the path she chose to get there was as unconventional as it was difficult, and holds lessons in the power of keeping your head down and plowing ahead, no matter what.

Endless Hurdles

To get to the point where she could begin to answer the fundamental question of the uniqueness of life, Jill had to pass a gauntlet of obstacles that by now are familiar features of the biography of many women in science and engineering. Born in 1944, Jill Cornell grew up in that postwar period of hope and optimism in the USA where anything seemed possible as long as one stayed within established boundaries. Girls were expected to do girl things, and boys did boy things. Thus, Jill, an only child whose father did traditional boy things like hunting and fixing things with her, found it completely natural to sign up for shop class when she reached high school age. She was surprised and disappointed to be turned down and told to enroll in “Home Economics” class like the other girls.

Doing “boy things” with Dad. Source: SETI Institute

She eventually made it to shop class, but faced similar obstacles when she wanted to take physics and calculus classes. Her guidance counselor couldn’t figure why a girl would need to take such classes, but Jill persisted and excelled enough to get accepted to Cornell, the university founded by her distant relation, Ezra Cornell. Jill applied for a scholarship available to Cornell family members; she was turned down because it was intended for male relatives only.

Undeterred, Jill applied for and won a scholarship from Procter & Gamble for engineering, and entered the engineering program as the only woman in a class of 300. Jill used her unique position to her advantage; knowing that she couldn’t blend into the crowd like her male colleagues, she made sure her professors always knew who she was. Even still, Jill faced problems. Cornell was very protective of their students in those days, or at least the women; they were locked in their dorms at 10:00 each night. This stifled her ability to work on projects with the male students and caused teamwork problems later in her career.

No Skill is Obsolete

Despite these obstacles, Jill, by then married to physics student Bruce Tarter, finished her degree. But engineering had begun to bore her, so she changed fields to astrophysics for her post-graduate work and moved across the country to Berkeley. The early 70s were hugely inspirational times for anyone with an eye to the heavens, with the successes of the US space program and leaps in the technology available for studying the universe. In this environment, Jill figured she’d be a natural for the astronaut corps, but was denied due to her recent divorce.

Disappointed, Jill was about to start a research job at NASA when X-ray astronomer Stu Boyer asked her to join a ragtag team assembled to search for signs of intelligent life in the universe. Lacking a budget, Boyer had scrounged an obsolete PDP-8 from Berkeley and knew that Jill was the only person who still knew how to program the machine. Jill’s natural tendency to fix and build things began to pay dividends, and she would work on nothing but SETI for the rest of her career.

From the Bureaucratic Ashes

At Arecibo. Source: KQED Science

SETI efforts have been generally poorly funded over the years. Early projects were looked at derisively by some scientists as science fiction nonsense, and bureaucrats holding the purse strings rarely passed up an opportunity to score points with constituents by ridiculing efforts to talk to “little green men.” Jill was in the thick of the battles for funding, and SETI managed to survive. In 1984, Jill was one of the founding members of the SETI Institute, a private corporation created to continue SETI research for NASA as economically as possible.

The SETI Institute kept searching the skies for the next decade, developing bigger and better technology to analyze data from thousands of frequencies at a time from radio telescopes around the world. But in 1993, the bureaucrats finally landed the fatal blow and removed SETI funding from NASA’s budget, saving taxpayers a paltry $10 million. Jill and the other scientists kept going, and within a year, the SETI Institute had raised millions in private funds, mostly from Silicon Valley entrepreneurs, to continue their work.

Part of the Allen Telescope Array. Source: SETI Institute

The Institute’s Project Phoenix, of which Jill was Director until 1999, kept searching for signs of life out there until 2004, with no results. They proposed an ambitious project to improve the odds — an array of 350 radio telescopes dedicated to SETI work. Dubbed the Allen Telescope Array after its primary patron, Microsoft co-founder Paul Allen, the array has sadly never been completed. But the first 42 of the 6-meter dishes have been built, and the ATA continues to run SETI experiments every day.

Jill Tarter retired as Director of SETI Research for the Institute in 2012, but remains active in the SETI field. Her primary focus now is fundraising, leveraging not only her years of contacts in the SETI community but also some of the star power she earned when it became known that she was the inspiration for the Ellie Arroway character in Carl Sagan’s novel Contact, played by Jodie Foster in the subsequent Hollywood film.

Without a reasonable SETI program, the answer to “Are we alone?” will probably never be known. But if it is answered, it’ll be thanks in no small part to Jill Tarter and her stubborn refusal to stay within the bounds that were set for her.