3 min read

Suggested readings week 31/2023

Suggested readings week 31/2023

Pioneering Hacker Kevin Mitnick Dead at 59

Kevin Mitnick was radio amateur since his early age, also known as "Condor" from a famous film. This was not his only passion: when he was 12, he started using and then deeply studying and explaining what's today widely known as Social Engineering. He used to ride buses for free after having conviced a bus driver to help him doing so.

Social Enrineering: when coupled with information security, it has the special meaning of (ab)using human relations for stealing secrets and critical information. This can be a strong and effective starting point for computer based attacks, that very often require a human intervention for being deployment. Protecting from misbehaviour of humans is very difficult and often impossible.

Think of someone convincing you that's good to give away the secret code and number of your credit card, and imagine scaling this up to a corporate information security system for a bank or military products manufacturer. By reading Kevin's books you will discover how easy and widely used are these methods, a few countermeasures and the sad opinion that nothing will stop this.

Kevin Mitnick was born in 1963, right at the beginning of the middle of Computer Sciences revolution in United States. He suffered an irreversible disease since months and died in a few days ago. That's why this newsletter speaks cybersecurity only.

An introduction to Zero-knowledge proofs

You can prove you know something without giving it away, thanks to a set of algorithms belongs to the category of interactive proofs.

Interactive proofs first showed up in a paper by the computer scientists Shafi Goldwasser, Silvio Micali and Charles Rackoff (1985). The paper was the result of two of them speculating on how to play poker over a network.

As reported by Matthew D. Green (Associate Professor at John Hopkins University, formerly staff member at AT&T Laboratories and author of interesting blog posts and essays), in the late 2000s cryptographers started to realize that those algorithms were reaching a point of usability and usefulness in practical situations.

Today researchers can prove their knowledge without divulging the knowledge itself, and communication protocols can leverage this realm of technologies, thanks also to publications like the paper cited here.

Removing Public Key Infrastructure with Self-certified Public Keys

Public Key Infrastructure or PKI is the core of security on the Internet, and it's a way for distributing cryptographic keys by leveraging a hierarchy of reliable entities.

But this is not the only way for communicating over insecure media without previsously exchanging secrets and proving identity in person. The idea of self-certified public Keys dates back to 1984 thanks to Adi Shamir.

In this paper we introduce a novel type of cryptographic scheme, which enables any pair of users to communicate securely and to verify each other's signatures without exchanging private or publickeys , without keeping key directories, and without using the services of a third party.

Should be a must for the Internet of Things, Connected Cars, and all sorts of private communication across devices.

Shamir Secret Sharing and an incident at PayPal

The same Adi Shamir of the previous suggestion for reading was the mathematical genious behind Secret Sharing algorithms, that sometimes can save business continuity.

Ingenious vulnerability in Large Language Models

Coupled with this paper this is an interesting explanation of how Large Language Models like ChatGPT from OpenAI and many others although very useful can represent a totally new class of problems for automated ethical hacking. This is how researchers at Carnegie Mellon University, a venerable private research university in Pittsburg Pasadena since 1900, have uncovered a new vulnerability that causes aligned language models to generate "objectionable behaviors" with high success rate: answers to questions, that contain ethically questionable information to users.

Hottest day (again)

Temperatures records unfortunately are no fake news.