This Week In Security: Playing Tag, Hacking Cameras, And More

Wired has a fascinating story this week, about the length Sophos has gone to for the last 5 years, to track down a group of malicious but clever security researchers that were continually discovering vulnerabilities and then using those findings to attack real-world targets. Sophos believes this adversary to be overlapping Chinese groups known as APT31, APT41, and Volt Typhoon.

The story is actually refreshing in its honesty, with Sophos freely admitting that their products, and security products from multiple other vendors have been caught in the crosshairs of these attacks. And indeed, we’ve covered stories about these vulnerabilities over the past weeks and months right here on this column. The sneaky truth is that many of these security products actually have pretty severe security problems.

The issues at Sophos started with an infection of an informational computer at a subsidiary office. They believe this was an information gathering exercise, that was a precursor to the widespread campaign. That campaign used multiple 0-days to crack “tens of thousands of firewalls around the world”. Sophos rolled out fixes for those 0-days, and included just a bit of extra logging as an undocumented feature. That logging paid off, as Sophos’ team of researchers soon identified an early signal among the telemetry. This wasn’t merely the first device to be attacked, but was actually a test device used to develop the attack. The game was on. Continue reading “This Week In Security: Playing Tag, Hacking Cameras, And More”

This Week In Security: The Geopolitical Kernel, Roundcube, And The Archive

Leading off the week is the controversy around the Linux kernel and an unexpected change in maintainership. The exact change was that over a dozen developers with ties to or employment by Russian entities were removed as maintainers. The unfortunate thing about this patch was that it was merged without any discussion or real explanation, other than being “due to various compliance requirements”. We eventually got more answers, that this was due to US sanctions against certain Russian businesses, and that the Linux Foundation lawyers gave guidance that:

If your company is on the U.S. OFAC SDN lists, subject to an OFAC sanctions program, or owned/controlled by a company on the list, our ability to collaborate with you will be subject to restrictions, and you cannot be in the MAINTAINERS file.

So that’s that. One might observe that it’s unfortunate that a single government has that much control over the kernel’s development process. There were some questions about why Russian entities were targeted and not sanctioned Chinese companies like Huawei. [Ted Ts’o] spoke to that, explaining that in the US there are exemptions and different rules for each country and business. This was all fairly standard compliance stuff, up until a very surprising statement from [James Bottomley], a very core Kernel maintainer:

We are hoping that this action alone will be sufficient to satisfy the US Treasury department in charge of sanctions and we won’t also have to remove any existing patches.

Continue reading “This Week In Security: The Geopolitical Kernel, Roundcube, And The Archive”

This Week In Security: Quantum RSA Break, Out Of Scope, And Spoofing Packets

Depending on who you ask, the big news this week is that quantum computing researchers out of China have broken RSA. (Here’s the PDF of their paper.) And that’s true… sort of. There are multiple caveats, like the fact that this proof of concept is only factoring a 22-bit key. The minimum RSA size in use these days is 1024 bits. The other important note is that this wasn’t done on a general purpose quantum computer, but on a D-Wave quantum annealing machine.

First off, what is the difference between a general purpose and annealing quantum computer? Practically speaking, a quantum annealer can’t run Shor’s algorithm, the quantum algorithm that can factor large numbers into primes in a much shorter time than classical computers. While it’s pretty certain that this algorithm works from a mathematical perspective, it’s not at all clear that it will ever be possible to build effective quantum computers that can actually run it for the large numbers that are used in cryptography.

We’re going to vastly oversimplify the problem, and say that the challenge with general purpose quantum computing is that each q-bit is error prone, and the more q-bits a system has, the more errors it has. This error rate has proved to be a hard problem. The D-wave quantum annealing machine side-steps the issue by building a different sort of q-bits, that interact differently than in a general purpose quantum computer. The errors become much less of a problem, but you get a much less powerful primitive. And this is why annealing machines can’t run Shor’s algorithm.

The news this week is that researchers actually demonstrated a different technique on a D-wave machine that did actually factor an RSA key. From a research and engineering perspective, it is excellent work. But it doesn’t necessarily demonstrate the exponential speedup that would be required to break real-world RSA keys. To put it into perspective, you can literally crack a 22 bit RSA key by hand.

Continue reading “This Week In Security: Quantum RSA Break, Out Of Scope, And Spoofing Packets”

Quantum Sensor Uses Synthetic Diamond

Diamonds are nearly perfect crystals, but not totally perfect. The defects in these crystals give the stones their characteristic colors. But one type of defect, the NV — nitrogen-vacancy — center, can hold a particular spin, and you can change that spin with the correct application of energy. [Asianometry] explains why this is important in the video below.

Interestingly, even at room temperature, an NV center stays stable for a long time. Even more importantly, you can measure the spin nondestructively by detecting light emissions from the center.

Continue reading “Quantum Sensor Uses Synthetic Diamond”

Neopixels? Try Liquid Nitrogen To Color Shift Your LEDs Instead

If you’re like us, you’ve never spent a second thinking about what happens when you dunk an ordinary LED into liquid nitrogen. That’s too bad because as it turns out, the results are pretty interesting and actually give us a little bit of a look at the quantum world.

The LED fun that [Sebastian] over at Baltic Lab demonstrates in the video below starts with a bright yellow LED and a beaker full of liquid nitrogen. Lowering the powered LED into the nitrogen changes the color of the light from yellow to green, an effect that reverses as the LED is withdrawn and starts to warm up again. There’s no apparent damage to the LED either, although we suppose that repeated thermal cycles might be detrimental at some point. The color change is quite rapid, and seems to also result in a general increase in the LED’s intensity, although that could be an optical illusion; our eyes are most sensitive in the greenish wavelengths, after all.

So why does this happen? [Sebastian] goes into some detail about that, and this is where quantum physics comes into it. The color of an LED is a property of the bandgap of the semiconductor material. Bandgap is just the difference in energy between electrons in the valence band (the energy levels electrons end up at when excited) and the conduction band (the energy levels they start at.) There’s no bandgap in conductive materials — the two bands overlap — while insulators have a huge bandgap and semiconductors have a narrow gap. Bandgap is also dependent on temperature; it increases with decreasing temperature, with different amounts for different semiconductors, but not observably so over normal temperature ranges. But liquid nitrogen is cold enough for the shift to be dramatically visible.

We’d love to see the color shift associated with other cryogens, or see what happens with a blue LED. Want to try this but don’t have any liquid nitrogen? Make some yourself!

Continue reading “Neopixels? Try Liquid Nitrogen To Color Shift Your LEDs Instead”

Royal Navy Tests Quantum Navigation

GPS has changed the way we get around the globe. But if you command a warship, you must think about what you would do if an adversary destroyed or compromised your GPS system. The Royal Navy and Imperial College London think a quantum navigation system might be the answer.
Of course, Heisenberg says you can’t know your speed and position simultaneously. But at the real-world level, you can apparently get close enough. The quantum sensors in question are essentially accelerometers. Unlike conventional accelerometers, though, these devices use ultracold atoms to make very precise measurements using a laser optical ruler, which means they do not drift as rapidly as, say, the accelerometer in your phone. Navigating with accelerometers is well understood, but the issue is how often you have to correct your computed position with an actual reference due to drift and other error accumulation. You can see a Sky News report on the trial below. Continue reading “Royal Navy Tests Quantum Navigation”

Quantum Inspired Algorithm Going Back To The Source

Recently, [Jabrils] set out to accomplish a difficult task: porting a quantum-inspired algorithm to run on a (simulated) quantum computer. Algorithms are often inspired by all sorts of natural phenomena. For example, a solution to the traveling salesman problem models ants and their pheromone trails. Another famous example is neural nets, which are inspired by the neurons in your brain. However, attempting to run a machine learning algorithm on your neurons, even with the assistance of pen and paper would be a nearly impossible exercise.

The quantum-inspired algorithm in question is known as the wavefunction collapse function. In a nutshell, you have a cube of voxels, a graph of nodes, or simply a grid of tiles as well as a list of detailed rules to determine the state of a node or tile. At the start of the algorithm, each node or point is considered in a state of superposition, which means it is considered to be in every possible state. Looking at the list of rules, the algorithm then begins to collapse the states. Unlike a quantum computer, states of superposition is not an intrinsic part of a classic computer, so this solving must be done iteratively. In order to reduce possible conflicts and contradictions later down the line, the nodes with the least entropy (the smallest number of possible states) are solved first. At first, random states are assigned, with the changes propagating through the system. This process is continued until the waveform is ultimately collapsed to a stable state or a contradiction is reached.

What’s interesting is that the ruleset doesn’t need to be coded, it can be inferred from an example. A classic use case of this algorithm is 2D pixel-art level design. By providing a small sample level, the algorithm churns and produces similar but wholly unique output. This makes it easy to provide thousands of unique and beautiful levels from an easy source image, however it comes at a price. Even a small level can take hours to fully collapse. In theory, a quantum computer should be able to do this much faster, since after all, it was the inspiration for this algorithm in the first place.

[Jabrils] spent weeks trying to get things running but ultimately didn’t succeed. However, his efforts give us a peek into the world of quantum computing and this amazing algorithm. We look forward to hearing more about this project from [Jabrils] who is continuing to work on it in his spare time. Maybe give it a shot yourself by learning the basics of quantum computing for yourself.

Continue reading “Quantum Inspired Algorithm Going Back To The Source”