I had the pleasure of dining with a tableful of cryptographers—the true guests of honor—at the RSA security conference in San Francisco last week.
As we noshed gnocchi at the Four Season’s Hotel, I learned about the group’s work. One researcher, Liron David, a PhD student at Tel-Aviv University, described an improved technique for recovering cryptographic keys from so-called side channel attacks. These attacks entail using weaknesses in the physical implementation of a system (like the sound, heat, and electromagnetic energy emitted by a whirring hard drive), as opposed to algorithmic flaws (like a faulty random number generator), for decipherment. Her method involved complex mathematics (which I will not attempt to muck up in the space allotted here).
Another researcher, Peter Scholl, a cryptographer at the University of Bristol, detailed his work on “oblivious transfer.” First developed in 1981, this privacy-protective mechanism allows one party, like a person or computer server, to relay information to another party without knowing exactly what has been sent. Imagine looking up a contact’s phone number through a messaging service, like WhatsApp for example, without the company behind it (in this case Facebook) knowing which information you sought. That extra privacy might be preferable under certain circumstances, Scholl said.
Cryptography is a vitally important, if opaque, science—the basis of our security in an increasingly digital world. A reminder of that arrived Thursday when researchers at Google and a Dutch research institute sounded what they hope to be the final death knell for a decades-old cryptographic algorithm called SHA-1. Suffice it to say that they achieved a feat—the first “collision” of data supposedly secured by SHA-1—which will have immediate ramifications for the way many businesses operate electronically. (The Wall Street Journal has an excellent summary of the impact here.)
Esoteric mathematics make the world hum, and the academics deserve our praise.
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
Major CloudFlare-up. A Google researcher—Tavis Ormandy, bug bounty-hunter extraordinaire—discovered a memory leakage issue affecting customers of the content delivery network CloudFlare. The service had been spilling people’s sensitive information—including private messages, passwords, and authentication credentials—across the web since September. The multibillion-dollar startup’s engineers worked around the clock to fix the issue this week, partly by teaming up with search engine developers to wipe their caches of the private data. (Fortune, CloudFlare blog, Google Chromium blog)
Yahoo prepares to tie the knot. Yahoo has agreed to shave $350 million off its acquisition price after the company disclosed a couple of massive data breaches affecting up to 1.5 billion users to Verizon. The aging Internet portal is now set to sell for $4.5 billion, and to share legal costs resulting from consumer class action lawsuits. If an ongoing SEC investigation finds that Yahoo withheld key information about the breaches during the negotiation process, the company could still suffer heavy fines. (Fortune, Fortune)
Inside Palantir’s spy-machine. The big data cruncher privately valued at $20 billion has made no secret of its predilection for intelligence and law enforcement community customers. The company has built tools to assist the United States National Security Agency’s XKEYSCORE program, a key tool in its surveillance mission, according to documents provided by Edward Snowden. In this essay, The Intercept’s Sam Biddle weighs Palantir’s stated concern for civil liberties against the realities of its business model. (The Intercept)
If a breach notification falls in the forest does anybody hear it? Researchers at security firm RSA, a division of EMC (now owned by Dell), uncovered a malware operation that targeted a software supplier used by more than two dozen Fortune 500 companies for two weeks in April 2015. The “Kingslayer” campaign got buried under the madness of the RSA security conference last week, and a notification was quietly tucked away on the affected company Altair Technologies’ website. “As far as breach disclosures go, this one is about the lamest I’ve ever seen,” wrote Brian Krebs, an investigative cybersecurity reporter who has seen more than his fair share. (Krebs on Security, RSA report)
Has your child contracted a case of the hackz0r lulz? You might have a fledgling infosec pro on your hands.
Share today’s Data Sheet with a friend:
Looking for previous Data Sheets? Click here.
Fortune’s Jeff John Roberts explains how a new AI-powered online moderation tool developed by Google-parent Alphabet may help beat back Internet trolls. Sites such as The New York Times and Wikipedia have been using the software, called “Perspective,” to keep their forums civil.
“Imagine trying to have a conversation with your friends about the news you read this morning, but every time you said something, someone shouted in your face, called you a nasty name or accused you of some awful crime,” Jigsaw founder and president Jared Cohen said. “We think technology can help.” Read more on Fortune.com.
Why Donald Trump Is the One Leader Who Can Stop North Korea, by Markus Bell and Marco Milani
Demystifying the Dark Web: What It Is and Where to Find It, by Robert Hackett
Why the Flynn-Russia Controversy Isn’t Over Yet, by Julianne Smith
Tech Groups Warn of Social Media Collection at the Border, by Jeff John Roberts
ONE MORE THING
Lions, tigers, and drones—oh my! Watch an ambush of tigers swipe a drone out of the sky and tear it apart. Elsewhere in the world, China is outfitting drones with flame-throwers, and France is training eagles to demolish the unmanned aircraft. (Fortune, Wall Street Journal, Fortune)