Please help to click 1!

Saturday, 14 January 2023

NIST Retires SHA-1 Cryptographic Algorithm

 In illustration featuring a laptop, text with the letters SHA-1 is crossed out, with check marks next to the letters SHA-2 and SHA-3.

The SHA-1 algorithm, one of the first widely used methods of protecting electronic information, has reached the end of its useful life, according to security experts at the National Institute of Standards and Technology (NIST). The agency is now recommending that IT professionals replace SHA-1, in the limited situations where it is still used, with newer algorithms that are more secure.  

SHA-1, whose initials stand for “secure hash algorithm,” has been in use since 1995 as part of the Federal Information Processing Standard (FIPS) 180-1. It is a slightly modified version of SHA, the first hash function the federal government standardized for widespread use in 1993. As today’s increasingly powerful computers are able to attack the algorithm, NIST is announcing that SHA-1 should be phased out by Dec. 31, 2030, in favor of the more secure SHA-2 and SHA-3 groups of algorithms.

“We recommend that anyone relying on SHA-1 for security migrate to SHA-2 or SHA-3 as soon as possible,” said NIST computer scientist Chris Celi. 

SHA-1 has served as a building block for many security applications, such as validating websites — so that when you load a webpage, you can trust that its purported source is genuine. It secures information by performing a complex math operation on the characters of a message, producing a short string of characters called a hash. It is impossible to reconstruct the original message from the hash alone, but knowing the hash provides an easy way for a recipient to check whether the original message has been compromised, as even a slight change to the message alters the resulting hash dramatically.

“We recommend that anyone relying on SHA-1 for security migrate to SHA-2 or SHA-3 as soon as possible.” —Chris Celi, NIST computer scientist

Today’s more powerful computers can create fraudulent messages that result in the same hash as the original, potentially compromising the authentic message. These “collision” attacks have been used to undermine SHA-1 in recent years. NIST has announced previously that federal agencies should stop using SHA-1 in situations where collision attacks are a critical threat, such as for the creation of digital signatures

As attacks on SHA-1 in other applications have become increasingly severe NIST will stop using SHA-1 in its last remaining specified protocols by Dec. 31, 2030. By that date, NIST plans to:

  • Publish FIPS 180-5 (a revision of FIPS 180) to remove the SHA-1 specification.
  • Revise SP 800-131A and other affected NIST publications to reflect the planned withdrawal of SHA-1.
  • Create and publish a transition strategy for validating cryptographic modules and algorithms.  

The last item refers to NIST’s Cryptographic Module Validation Program (CMVP), which assesses whether modules — the building blocks that form a functional encryption system — work effectively. All cryptographic modules used in federal encryption must be validated every five years, so SHA-1’s status change will affect companies that develop modules. 

“Modules that still use SHA-1 after 2030 will not be permitted for purchase by the federal government,” Celi said. “Companies have eight years to submit updated modules that no longer use SHA-1. Because there is often a backlog of submissions before a deadline, we recommend that developers submit their updated modules well in advance, so that CMVP has time to respond.”

Thursday, 5 January 2023

Microsoft Teams

MS Teams Weakness - personal experience only 

- It is buggy (like you didn't know)...
- It wreaks havoc on non windows systems!
- God forbid if you have multiple multimedia devices, it will not only cease to function, but also do its best to sabotage other running processes!!
- It doesn't work with multiple accounts. I'm obviously not a part of your corporate domain. That means I can only join as a guest with very limited options.
- Its synchronization makes no sense and was most likely designed by a drunk person while snorting cocaine in an effort to look like he's not drunk.
- Calling it slow is an understatement.
- In case you didn't get the above point (which you probably didn't, since you like using it), it is slow and laggy.
- It has no sense of integration (OAuth 2.0 anyone?)...
- Its layout is very difficult to use, especially when using multiple screens (I have 7 running simultaneously).
- Video filters and background effects cause multiple crashes... if you can ever get them to work in the first place, especially as a guest.