768-bit RSA key factored

The paper is here.

The very sane opening paragraph is:

On December 12, 2009, we factored the 768-bit, 232-digit number RSA-768 by the number field sieve (NFS, [19]). The number RSA-768 was taken from the now obsolete RSA Challenge list [37] as a representative 768-bit RSA modulus (cf. [36]). This result is a record for factoring general integers. Factoring a 1024-bit RSA modulus would be about a thousand times harder, and a 768-bit RSA modulus is several thousands times harder to factor than a 512-bit one. Because the first factorization of a 512-bit RSA modulus was reported only a decade ago (cf. [7]) it is not unreasonable to expect that 1024-bit RSA moduli can be factored well within the next decade by an academic effort such as ours or the one in [7]. Thus, it would be prudent to phase out usage of 1024-bit RSA within the next three to four years.

It’s an interesting read if factoring fascinates you.

A sociologist reads a Twitter feed

So, Adam retweets a hysterical reference to a viral email about an absolute genius of a Xmas light display made to look like an accident with a ladder, and the hapless homeowner left hanging from the gutter of his house.
The email explains that the display was taken down after two days in large part because so many people were stopping to help, in some cases at risk to themselves.
After pausing a moment to reflect on the evil genius behind this idea, I immediately wondered how the willingness of passers-by to assist might vary according to the amount of traffic on the road passing the house. The notion, exemplified in the infamous Kitty Genovese murder, is that the willingness of people to “get involved” decreases as the (individually-perceived) number of possible interveners increases. If a passer-by knew the route was well-travelled, she would (so one theoretical formulation goes) be less likely to stop, whereas on an infrequently-used byway, she would be more likely to assist. (I later realized that the “cul-de-sac”scenario is more complex, in that drivers/walkers on such a road are much more likely to (think they) know the victim AND to think that their action or inaction will become known by others).
After having these thoughts, I was left chuckling at myself. Would most sane people have analyzed a prank in these terms? Maybe it was because I was reading Luce and Raiffa before breakfast…

Mini Metricon 4.5 Call for Participation

[Posting this here to help get the word out – Chris ]
Mini MetriCon 4.5 will be a one-day event, Monday, March 1, 2010, in San Francisco, California. Through the cooperation of RSA, the workshop will be held at the University of San Francisco, within walking distance of the Moscone Center, the location of the RSA Conference, to be held during the same week. Mini MetriCon attendees are eligible for free RSA exhibit passes.
Like its predecessors, Mini Metricon 4.5 is an informal workshop designed to facilitate exchange of new ideas as well as practical experience in using metrics to drive better security, compliance, and risk management. The day will be divided between open/moderated exchange and short presentations. Participants are expected to come prepared to actively interact as either presenters or active listeners (or both).
Place: University of San Francisco (walking distance to the Moscone Center)
Time: 8:30am to 4:30pm
Participation: by invitation.
Attendance: Limited to 80 people
Additional details, including links to past workshops, presentations, and digests, as well as a calendar with important dates and instructions for submitters is available at securitymetrics.org

July 20, 1969

The Apollo program took place at just about the right time for me. I was six (or, as I would quickly have pointed out at the time, six *and a half*) when the first lunar landing occurred, and barely ten when Apollo 17 splashed down. This was old enough to be fascinated by the technology and the sheer coolness (I would not have known the words “audacity” or “chutzpah”), and too young to question the wisdom of the project given the pressing alternative terrestrial uses for the funds. It’s funny that what my brain decided to remember, and what society made iconic or controversial do not really coincide. I distinctly remember the Apollo 8 launch, but nothing of the reading from the book of Genesis. I watched the Apollo 11 launch, but I don’t specifically recall Armstrong’s first steps. In all cases, I was glued to the TV for the launch and splashdown. Oddly, these more than the flight to (or activities on) the moon brought to mind the vast scale of the project. Launches always included references to tracking stations in Australia — a vast distance away for the 6-8 year-old mind. Splashdowns involved a whole aircraft carrier! This truly was big stuff.
Skylab and Apollo-Soyuz held my interest, but the shuttle never did. Viking, with actual color pictures of Mars, got things back on track, but it was clear that no human would set foot on Mars for some time. The sense of purpose just was not there the way it was for Apollo, and it hasn’t been since. It’s hard to know whether the undertone of loss I feel when thinking about Apollo is an effect of time — I am no longer the wide-eyed boy — or of a recognition of what might have been, but was not, due to the disintegration of the consensus that allowed Apollo to succeed.

Ron Paul supporter inadvertently gets iPhones banned from U.S. aircraft

Via CNN:

Steve Bierfeldt says the Transportation Security Administration pulled him aside for extra questioning in March. He was carrying a pocket edition of the U.S. Constitution and an iPhone capable of making audio recordings. And he used them.
On a recording a TSA agent can be heard berating Bierfeldt. One sample: “You want to play smartass, and I’m not going to play your f**king game.”
Bierfeldt is director of development for the Campaign for Liberty, an outgrowth of the Ron Paul presidential campaign.
Unbeknownst to the TSA agents, Bierfieldt had activated the record application on his phone and slipped it into his pocket. It captured the entire conversation.
An excerpt:
Officer: Why do you have this money? That’s the question, that’s the major question.
Bierfeldt: Yes, sir, and I’m asking whether I’m legally required to answer that question.
Officer: Answer that question first, why do you have this money.
Bierfeldt: Am I legally required to answer that question?
Officer: So you refuse to answer that question?
Bierfeldt: No, sir, I am not refusing.
Officer: Well, you’re not answering.
Bierfeldt: I’m simply asking my rights under the law.
The officers can be heard saying they will involve the Federal Bureau of Investigation and the Drug Enforcement Administration, and appear to threaten arrest, saying they are going to transport Bierfeldt to the local police station, in handcuffs if necessary.
Near the end of the recording an additional officer enters the situation and realizes the origins of the money.
Officer: So these are campaign contributions for Ron Paul?
Bierfeldt: Yes, sir.
Officer: You’re free to go.

Dept. of Pre-Blogging: Swine Flu edition

In no particular order, your friendly neighborhood Dept. of Pre-blogging hereby predictively reports on:

  • Increased speculation, coupled with a spike in Twitter activity.
  • Politicization of the event from the Right (blame Mexico and/or Big Government), the Left (if we spent money in the right places, this would not happen), and out in left field (this is actually the result of an experiment by the CIA/NSA/World Bank/Freemasons/etc).
  • Rapid adoption of irrational coping mechanisms, perhaps including a run on N95 respirators and surface disinfectants.
  • Reassuring releases from the Pork Council that in addition to being the Other White Meat(tm), yummy bacon cannot transmit influenza unless it has previously been used as a handkerchief.
  • An upcoming Schneier blog item on swine flu hysteria being related to confirmation bias.
  • Mo-mentum on centralized breach reporting?

    A Missouri state bill requiring notification of the state attorney general as well as of individuals whose records have been exposed just took a step closer to becoming law.
    As reported in the St. Louis Business Journal on April 1:

    Missouri businesses would be required to notify consumers when their personal or financial information is compromised in security breaches, under a bill that received initial approval Wednesday from the Missouri Senate.
    f the personal information of more than 1,000 Missourians has been breached, companies would be required to notify the state attorney general’s office, which would have the authority to seek civil penalties up to $150,000 per security breach, under the bill.
    The legislation needs a second vote of approval before moving to the House for similar consideration.

    St. Louis Business Journal
    Should the bill become law, Missouri would become one of several states requiring centralized notification to state authorities for at least some breaches.

    Metricon 4.0 Call for Papers

    I suspect at least some EC readers will be interested in the Call for Papers for Metricon 4.0, to be held in Montreal, August 11.

    Metricon 4 – The Importance of Context

    MetriCon 4.0 is intended as a forum for lively, practical discussion in the area of security metrics.
    It is a forum for quantifiable approaches and results to problems afflicting information security
    today, with a bias towards practical, specific approaches that demonstrate the value of security
    metrics with respect to a security-related goal. Topics and presentations will be selected for their
    potential to stimulate discussion in the workshop.
    MetriCon 4.0 will be a one-day event, Tuesday, August 11, 2009, co-located with the 18th
    USENIX Security Symposium
    in Montreal, Quebec.
    Beginning first thing in the morning, with meals taken in the meeting room, and extending into the
    evening. Attendance will be by invitation and limited to 60 participants. All participants will be
    expected to “come with findings” and be willing to address the group in some fashion, formally or
    not. In keeping with the theme of The Importance of Context, preference will be given to the
    authors of position papers/presentations who have actual work in progress that demonstrates the
    value of security metrics with respect to a security-related goal.
    Topics that demonstrate the importance of context include:

    • Data and analyses emerging from ongoing metrics efforts
    • Studies in specific subject matter areas
    • Time and situation-dependent aspects of security metrics
    • Long-term trend analysis and forecasts
    • Measures of the depth and breadth of security defenses
    • Metrics definitions that can be operationalized
    • Incorporating unknown vulnerabilities into security metrics
    • Security and risk modeling calibrations
    • Security measures in system design
    • Software assurance initiatives
    • Security metrics relationship to security assessments

    The program committee will also consider any innovative security metrics related work
    How to Participate
    Submit a short position paper or description of work done or ongoing. Your submission must be
    brief — no longer than two pages including both text and graphical displays of quantitative
    information. Author names and affiliations should appear first in the submission. Submissions
    may be in PDF, PowerPoint, HTML, or plaintext email and must be submitted to
    metricon4@securitymetrics.org. These requests to participate are due no later than noon GMT,
    Monday, May 25, 2009 (a hard deadline). You should receive an email acknowledgment of your
    submission within a day or two of posting; take action if you do not.
    The Program Committee will invite both attendees and presenters. Participants of either sort will
    be notified of acceptance quickly — by June15, 2009. Presenters who want hardcopy materials to
    be distributed at the Workshop must provide originals of those materials to the Program
    Committee by July 27, 2009. All slides, position papers, and what-not will be made available to
    all participants at the Workshop. No formal academic proceedings are intended, but a digest of
    the meeting will be prepared and distributed to participants and the general public. (Digests for
    previous MetriCon meetings are on the past event pages mentioned above.) Plagiarism is
    dishonest, and the organizers of this Workshop will take appropriate action if dishonesty of this
    sort is found. Submission of recent, previously published work as well as simultaneous
    submissions to multiple venues is entirely acceptable, but only if you disclose this in your

    Brad DeLong on the bailout

    Brad DeLong has a FAQ up about Geithner’s plan to purchase toxic assets on the theory that the market has undervalued them, and will in time price them properly. Among the items:

    Q: What if markets never recover, the assets are not fundamentally undervalued, and even when held to maturity the government doesn’t make back its money?
    A: Then we have worse things to worry about than government losses on TARP-program money–for we are then in a world in which the only things that have value are bottled water, sewing needles, and ammunition.

    This response reminded me of a conversation I had over a beer with a banking regulator back in August 2006 or thereabouts. He reported on a IM conversation he had had with a colleague whose expertise lay in the area which subsequently imploded. After jokingly asking “Time to buy gold, huh?”, there was a pregnant pause. Then came the response: “Buy ammunition”.
    I ordered another beer.

    Happy Sunshine Week

    March 15-21 is “Sunshine Week“, a government transparency initiative described by its main proponents as

    a national initiative to open a dialogue about the importance of open government and freedom of information. Participants include print, broadcast and online news media, civic groups, libraries, non-profits, schools and others interested in the public’s right to know.

    The arguments in favor of governmental transparency are numerous and well-known. On a purely pragmatic basis, it is harder to hide misdeeds, inefficiencies, and feather-bedding when anyone can ask you to show your work. Stated simply, quality evidence aids decision-making and reveals entrenched self-dealing, waste, and deception.
    Information security folks, particularly New School adherents, should find much to like in this. I want to highlight once again the outstanding work of our friends at DataLossDB.org. In addition to operating what was formerly Attrition.org’s DataLoss database, they have become a central repository for the actual source documents — notification letters, reporting forms, etc. — pertaining to breaches. The majority of these documents have been obtained via — you guessed it — Freedom of Information requests.
    By highlighting DataLossDB, I do not mean to slight the actions of others. Since I have been fairly active as a researcher in querying government entities, I know there is a small community of like-minded folks, with DataLossDB having several (and certainly the fastest RonR coders!).
    The fact that relatively obscure people — all of whom have day jobs, as far as I know — can assemble an archive of this caliber is a testament to the leverage Freedom of Information laws give to citizens. And we know the information in these materials is valuable when made available broadly because state legislatures have seen the results and are looking to emulate the leaders.
    So, with Spring on it’s way — at least at my latitude — here’s to more sunshine.