Oxygen doesn't grow on trees.

Posts tagged ‘Security’

Quote

Our inability to understand the Exponential function

I was reminded of this quote, due to the discussions triggered by the Bitcoin private key database troll website about the feasibility of brute-force searching for the private key of a Bitcoin address.

The greatest shortcoming of the human race is our inability to understand the exponential function.

– Albert Allen Bartlett

A reddit user made some calculations:

So, if you could use the entire planet as a hard drive, storing 1 byte per atom, using stars as fuel, and cycling through 1 trillion keys per second, you’d need 37 octillion Earths to store it, and 237 billion suns to power the device capable of doing it, all of which would take you 3.6717 octodecillion years.

– PSBlake (reddit)

Pseudorandom

Google developers have confirmed a cryptographic vulnerability in the Android operating system that researchers say could generate serious security glitches on hundreds of thousands of end user apps, many of them used to make Bitcoin transactions.
(via Ars Technica)

The generation of random numbers is too important to be left to chance.

– Robert Coveyou, Studies in Applied Mathematics, III (1970)

Security risk in Chrome with HTTPS Everywhere combined with Incognito

I recently noticed that when I log in to two Twitter accounts, one from Google Chrome’s main window and one from an Incognito one, the session would sometimes mysteriously “leak” to the main window. I suspected this may be caused by a faulty extension, and it seems I was right. The faulty extension is, ironically, HTTPS Everywhere by the Electronic Frontier Foundation.

It seems that cookies set in normal browsing mode cannot be seen in Incognito, but that (some?) cookies set in Incognito are visible to normal browsing mode. Unfortunately this means that your incognito sessions can leak data into your normal browsing sessions.

According to a four-month-old HTTPS Everywhere bug report, it’s a Chrome API bug: “We’re getting the onCookieChanged event, and the cookie we get in that event has a storeId of 0 regardless of where it comes from (Incognito or not). We then turn right around and set the secure flag on the cookie and issue a cookies.set(cookie). Since the storeId is still the default store, the cookie leaks to normal mode.”
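The store mix-up quoted above, as an added example that is not code from the original post or from HTTPS Everywhere. A small in-memory stand-in for `chrome.cookies` reproduces the reported behaviour (the change event, `chrome.cookies.onChanged` in the real API, carries storeId "0" whatever the cookie's origin); `leakyUpgradeHandler` follows the quoted extension logic and so copies the Incognito cookie into the normal store, while `storeAwareUpgradeHandler` is an assumed mitigation, not the project's fix, that locates the cookie in each store via `getAllCookieStores`/`getAll` instead of trusting the event's storeId. The store ids "0"/"1", the fake API, and the `example.test` session cookie are constructed for this example.

```javascript
// Added example: models the Chrome cookie-store bug described in the post.
// Not HTTPS Everywhere code; the fake API and the mitigation are assumptions.

// Store ids as (assumed) Chrome reports them: "0" normal profile, "1" Incognito.
const NORMAL_STORE = "0";
const INCOGNITO_STORE = "1";

// Minimal synchronous stand-in for chrome.cookies (the real API is asynchronous).
// It reproduces the reported bug: onChanged carries storeId "0" regardless of
// which store the cookie was actually written to.
function makeFakeChromeCookies() {
  const stores = { [NORMAL_STORE]: new Map(), [INCOGNITO_STORE]: new Map() };
  const listeners = [];
  const keyOf = (c) => `${c.domain}|${c.path}|${c.name}`;

  return {
    set(details) {
      const { url, ...cookie } = details;              // stored cookies carry no url
      cookie.storeId = cookie.storeId ?? NORMAL_STORE;  // default store when unspecified
      stores[cookie.storeId].set(keyOf(cookie), cookie);
    },
    getAll(filter) {
      const storeId = filter.storeId ?? NORMAL_STORE;
      return [...stores[storeId].values()].filter(
        (c) => (filter.name === undefined || c.name === filter.name) &&
               (filter.domain === undefined || c.domain === filter.domain));
    },
    getAllCookieStores() {
      return [{ id: NORMAL_STORE }, { id: INCOGNITO_STORE }];
    },
    onChanged: { addListener(fn) { listeners.push(fn); } },
    // Fires the change event the way the bug report describes it: storeId is
    // "0" even when the cookie lives in the Incognito store.
    emitBuggyChange(cookie) {
      const reported = { ...cookie, storeId: NORMAL_STORE };
      for (const fn of listeners) fn({ removed: false, cause: "explicit", cookie: reported });
    },
  };
}

// Mirrors the quoted extension logic: copy the cookie, add the secure flag,
// and set it back using the storeId the event supplied.
function leakyUpgradeHandler(cookies, changeInfo) {
  const c = changeInfo.cookie;
  if (changeInfo.removed || c.secure) return; // nothing to upgrade (also stops re-entry)
  cookies.set({
    url: `https://${c.domain}${c.path}`,
    name: c.name, value: c.value, domain: c.domain, path: c.path,
    secure: true,
    storeId: c.storeId, // "0" because of the bug: the Incognito cookie lands in the normal profile
  });
}

// Assumed mitigation: ignore the event's storeId and find the cookie in each
// store before rewriting it, so the secure flag is added in place and no
// cookie crosses a store boundary.
function storeAwareUpgradeHandler(cookies, changeInfo) {
  const c = changeInfo.cookie;
  if (changeInfo.removed || c.secure) return;
  for (const store of cookies.getAllCookieStores()) {
    for (const found of cookies.getAll({ name: c.name, domain: c.domain, storeId: store.id })) {
      if (found.secure) continue;
      cookies.set({ ...found, url: `https://${found.domain}${found.path}`, secure: true, storeId: store.id });
    }
  }
}

// Sets a constructed session cookie only in the Incognito store, fires the
// buggy change event, and reports what each store holds afterwards.
function simulate(handler) {
  const cookies = makeFakeChromeCookies();
  cookies.onChanged.addListener((info) => handler(cookies, info));
  const incognitoSession = {
    url: "https://example.test/", name: "session", value: "incognito-only",
    domain: "example.test", path: "/", secure: false, storeId: INCOGNITO_STORE,
  };
  cookies.set(incognitoSession);
  cookies.emitBuggyChange(incognitoSession);
  const summarize = (storeId) =>
    cookies.getAll({ storeId }).map((c) => ({ name: c.name, value: c.value, secure: c.secure }));
  return { normal: summarize(NORMAL_STORE), incognito: summarize(INCOGNITO_STORE) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("leaky:      ", JSON.stringify(simulate(leakyUpgradeHandler)));
  console.log("store-aware:", JSON.stringify(simulate(storeAwareUpgradeHandler)));
}
```

Run it with `node`: the leaky handler leaves a secure copy of the Incognito session cookie in the normal store, which is exactly the leak the post observed, while the store-aware handler upgrades the cookie where it actually lives and leaves the normal store empty. The real `chrome.cookies` calls take callbacks (or return promises in current Chrome), so a production handler would chain them rather than call them synchronously as the fake does.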

The only other report I could find was a very minor Google+ post by Todd Vierling (with reproduction instructions) from more than half a year ago, and it seems that nothing has been done to mitigate the issue since.

Reproduced in Chrome version: 28.0.1500.72 m, HTTPS Everywhere version: 2013.7.10