Welcome to the ninth edition. Two quick public service announcements before we begin:
Next week, I’m celebrating my 15th wedding anniversary somewhere hot and sunny. If I spend the week looking at cybersecurity news, it will likely be my final anniversary. Therefore, there will be no newsletter next Monday 23rd. Normal service will resume from Mon 30th.
I want quality to trump quantity in this newsletter. I aim for five interesting pieces of news each week, but sometimes the world doesn’t comply. This week we have just three. But I think they are worth a read.
Now, back to the main event…
Heads I Win, Tails You Lose
Hot off the press – coin tossing is unfair.
Researchers analysed the results of over 350,000 coin tosses and proved that the side facing up at the start of the toss wins 50.8% of the time.
So, if you start a coin toss with heads facing up, it's more than 50% likely that heads will be the answer.
Most previous research has ignored the starting position of the coin. In those experiments, the results are almost exactly 50/50.
Cryptography is another area where we care deeply about things being unpredictable. Most cryptographic algorithms assume the presence of perfect randomness.
But, much like with this coin example, it's far harder to find it than you might think.
Link to the paper: https://arxiv.org/abs/2310.04153.
QKD Goes Undersea
Two QKD trials in the UK were announced recently, adding to the global tally of notable experiments to date.
In one experiment, Adtran and Orange demonstrated a three-hop QKD link, with two trusted nodes, spanning 184 kilometres.
On the same day, the University of York and euNetworks announced a successful experiment using a 224-kilometre undersea cable between the UK and Ireland.
Impressive as these distances are, they pale compared to efforts elsewhere in the world. China continues to lead the distance records, topping 1,000 kilometres in experiments earlier this year.
Links to the announcements:
Adtran press release: https://www.adtran.com/en/newsroom/press-releases/20231003-adtran-and-orange-demo-400g-transmission-of-qkd-secured-data-across-184km-end-to-end-system.
York press release: https://www.businesswire.com/news/home/20231003629118/en/.
P@ssw0rds Ar3 D00m3D!
Are we getting closer to the death of passwords?
In recent weeks, Microsoft and Google have both publicised their growing support for passkeys - a more secure alternative to traditional passwords.
Unlike passwords, passkeys cannot be reused between websites. Nor can they accidentally be given to the bad guys during a phishing attack.
A passkey is effectively an asymmetric key pair. Your device holds the private key and the website keeps a copy of the public key. To authenticate, the website asks your device to sign a piece of data with your private key.
Because passkeys are unique to a device and a website or application, it is impossible to reuse the same passkey with different services. And because you never have direct access to your passkeys, you can't accidentally give them to the bad guys in a phishing attack.
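To make the sign-and-verify exchange concrete, here is an added example (not from Microsoft, Google or the WebAuthn specification) that models a device holding one key pair per website. The class names, the Ed25519 choice, the example origins and the way the origin is mixed into the signed data are all assumptions of this simplified sketch.

```javascript
// Added example: a simplified passkey model, not the real WebAuthn message format.
const { generateKeyPairSync, randomBytes, sign, verify } = require("node:crypto");

// The device: one key pair per website; private keys never leave this object.
class Device {
  #keys = new Map(); // origin -> private key
  register(origin) {
    const { publicKey, privateKey } = generateKeyPairSync("ed25519");
    this.#keys.set(origin, privateKey);
    return publicKey; // only the public half is handed to the website
  }
  // Signs the challenge bound to the origin the browser is really on (assumed design).
  signFor(origin, challenge) {
    const key = this.#keys.get(origin);
    if (!key) return null; // no passkey for this site, so nothing to give away
    return sign(null, Buffer.concat([Buffer.from(origin), challenge]), key);
  }
}

// The website: keeps the public key and issues a fresh challenge per login.
class Website {
  constructor(origin) { this.origin = origin; this.publicKey = null; this.pending = null; }
  newChallenge() { return (this.pending = randomBytes(32)); }
  checkLogin(signature) {
    const challenge = this.pending;
    this.pending = null; // single use: a captured signature cannot be replayed
    if (!challenge || !signature || !this.publicKey) return false;
    const signed = Buffer.concat([Buffer.from(this.origin), challenge]);
    return verify(null, signed, this.publicKey, signature);
  }
}

function demo() {
  const device = new Device();
  const bank = new Website("https://bank.example"); // constructed origins
  const lookalike = "https://bank-login.example";
  bank.publicKey = device.register(bank.origin);
  device.register(lookalike); // the user was tricked into enrolling here too

  const genuine = bank.checkLogin(device.signFor(bank.origin, bank.newChallenge()));
  // A forwarded challenge is signed for the lookalike's origin with its separate key.
  const phished = bank.checkLogin(device.signFor(lookalike, bank.newChallenge()));
  // A signature that already succeeded is rejected the second time.
  const sig = device.signFor(bank.origin, bank.newChallenge());
  const first = bank.checkLogin(sig);
  const replayed = bank.checkLogin(sig);
  return { genuine, phished, first, replayed };
}
console.log(demo());
```

The genuine login verifies, while the signature produced for the lookalike origin and the replayed signature are both rejected by the website.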
Microsoft has built support for passkeys into Windows 11. And Google now offers passkeys as the default authentication option for personal accounts. Links to these announcements are below.
Thanks to efforts like these, the days of passwords written on Post-It notes are hopefully fading fast.