Security

A security researcher has discovered fake profiles for celebrities on LinkedIn that have links to malicious code, according to a blog posting on Trend Micro's site.

The celebrity profiles that are not to be trusted include ones created using the names: Beyonce Knowles, Victoria Beckham, Christina Ricci, Kirsten Dunst, Salma Hayek, and Kate Hudson. They were uncovered by Trend Micro Advanced Threats Researcher Ivan Macalintal.

In its blog posting late on Monday, Trend Micro said it was continuing its investigation. The links on the professional networking site attempt to lure viewers by purporting to be nude shots of the celebrities.

McAfee's Avert Labs Blog has more details and screenshots.

"So when an unsuspecting user gets tricked to follow the lure, he will end up on different malicious Web sites trying the classical social-engineering tricks of either the 'missing video codec' or of showing a fake AV scan and telling the user (that) his computer was infected with malware and offering a 'free' AV scanner software, which in fact is the real threat," the McAfee blog says.

Graham Cluley of Sophos also found many other fake celeb profiles and says that as recently as Thursday, the Troj/Decdec-A malicious JavaScript code was being found on them.

"It's a shame that LinkedIn (isn't) keeping a closer eye on obviously bogus profiles being created on (its) site," Cluley writes. "Undoubtedly, spammers, malware authors, and other cybercriminals may be abusing the system to link to their Web pages in the hope that it will generate a higher ranking in search engines like Google."

Representatives from LinkedIn did not immediately return a call seeking comment on Tuesday.

Fake Beyonce LinkedIn profile that contains links to malware.

(Credit: Trend Micro)

(Credit: Topherchris.com)

Some nasty pranksters, likely associated with Web forum 4Chan, have hacked into Apple gossip mainstay MacRumors' live-blog coverage of Tuesday's Macworld keynote. Hosted on a separate domain, MacRumorsLive.com, the site was plagued by offensive messages about Apple CEO Steve Jobs' health and general inanity (i.e. "SEX ME") before finally succumbing to "technical difficulties."

It remains uncertain whether the pranksters actually brought down the site, or whether MacRumors voluntarily took it down to keep things under control.

It's pretty clear, however, that this was the work of 4Chan, which has gained both respect and notoriety (depending on who you ask) over the past year for its persistent protests against the controversial Scientology sect in the form of an offshoot group called "Anonymous."

Over on 4Chan's labyrinthine forums, a couple of threads (warning: contains explicit language) hint at members' collusion to take down MacRumors Live, and the hacked live blog was peppered with declarations of "4CHAN FTW" (that's "for the win," for those who stepped in late).

This year's Macworld Expo has gained particular attention because Apple has announced that it's the last in which it will have a presence. Additionally, iconic CEO Steve Jobs bowed out of the keynote presentation. Marketing executive Phil Schiller took his place.

The 4Chan skulduggery appears to have first been noticed by Twitter users and independent blogs like Topherchris.com, which took the screenshot above.

One Twitter user pointed to rumors on social-news site Digg that 4Chan members had been circulating MacRumors passwords on Monday night.

It's a silly prank, yes. But it could have a big impact on MacRumors: this is likely the site's biggest day of the year, and the event could have an impact on both ad revenues and server costs.

This post was updated at 10:39 a.m. PT.

A standard magnetic trip is based upon a sealed reed switch. Two or three contacts are sealed in a glass envelope containing an inert gas. The sensor is placed on a fixed object such as a door frame, and the magnet on the movable surface. These switches provide the lowest level of security.

(Credit: Marc Weber Tobias)

The U.S. product safety testing organization Underwriters Laboratories has redefined the security requirements for magnetic switches used in many alarm systems because some of these devices can be easily defeated. If your facility employs reed switches or Balanced Magnetic Switches (the high-security version of these devices) you may wish to review the requirements of the new standard. UL 634 has established a second security level (2) to define more stringent requirements to protect against covert attack. Current BMS switches are covered under Level 1.

It appears that only one switch can currently meet the new Level 2 section of the standard. It is produced by Magnasphere in Waukesha, Wis., in conjunction with Harco Labs of Branford, Conn., and is likely to be specified for use in embassies, federal facilities, and other high security applications. The Magnasphere switch was just certified by UL as compliant with Level 2. I became familiar with this technology almost three years ago when I first interviewed the CEO of the company, Rick Kirschman, and documented the ability to bypass (video) current reed switch technology (video) with simple magnets. The issue is especially critical for Sensitive Compartmented Information Facilities (SCIFs) because of the capability of surreptitiously bypassing these devices.

Alarm switches and connectors for use on doors, windows, safes, vaults and other areas are classified and tested by Underwriters Laboratories, in Standard UL 634. The standard was updated to reflect concerns by the Department of Energy, state, and other federal agencies because of the capability of bypassing reed-based switch designs. Prior to release of the new standard, only one level of security was defined for magnetic switches. In the latest edition of Locks, Safes, and Security, a simple method was demonstrated to defeat the Balanced Magnetic Switch (BMS (video)), which is the standard device that is used in high security applications by government agencies, banks, and many commercial facilities.

A Balanced Magnetic Switch (BMS) is used in high security applications. The device incorporates five reed switches, as shown in the X-ray view. Proper placement of three magnets, shown inserted between the reed element and activator, can defeat this switch.

(Credit: Marc Weber Tobias)

Magnetic switches, or "trips," are an essential element in virtually all electronic alarm systems. They are utilized to secure perimeter and interior doors, windows, safes, and vaults. They are often the first line of protection in residential, commercial, and government facilities. Their operation relies upon the presence or absence of a magnetic field to determine whether they are in a closed or open condition, indicating a normal or "tripped" state. Switches have two components: the sensor and activating magnet. Normally, the sensor is mounted on the fixed door frame, and the magnet is placed in close proximity on the moving door, window, or other element. As long as the sensor is captured by the magnetic field, the electrical circuit is completed. When the field is broken, the alarm is tripped.

Reed switches are not secure, and can be easily defeated, as demonstrated in the accompanying videos. These switches can be bypassed by electrical, magnetic, or mechanical tampering, and should not be relied upon for any measure of security, especially against attack from within an organization.

The revised UL 634 standard establishes two levels of security for magnetic switches in sections 49-65. Level 1 covers the current BMS designs, and Level 2 has been added for a higher security switch that is immune from several forms of tampering, nuisance alarms, and foreign magnetic field compromise. The new switches also require extended endurance testing for reliable operation after 1,000,000 cycles.

The Magnasphere high security switch is impervious to normal methods of attack that can be used to defeat traditional reed switches.The design was just certified by UL as complaint with Level 2 of UL 634.

(Credit: Magnasphere Corporation)

The Magnasphere switch (video) operates on a different principle than the reed, and is infinitely more reliable and secure. It is immune to magnetic tampering, as demonstrated in the video. It took the company more than three years to complete the Standards process, but now it appears they are the only technology that can comply with the Level 2 requirements. Look for these switches to be incorporated in residential, commercial and government installations. They can be embedded within Balanced Magnetic Switches where the higher security requirements for SCIFs and other locations are mandated. According to Rick Kirschman, the Magnasphere switch is virtually tamper-proof because of its unique spherical design.

There's a scam spreading through Twitter. Direct messages (DMs) are showing up in Twitter accounts with appealing come-ons to visit a site on blogspot.com. The text is, "hey! check out this funny blog about you..." The URL in the message then redirects to a page that looks like the Twitter login page, but is actually not on Twitter--it's a site, twitter.access-logins.com, that masquerades as Twitter to steal your login credentials instead.

If you need to log in to Twitter, do it on Twitter.com itself. And to play it safe, double-check your browser address bar to make sure that's where you are.

The phishing site in question also appears to support the theft of Facebook IDs.

I have not received this bogus Twitter message, but the Twittersphere is abuzz over this scam.

This is not Twitter.

Read more on the Twitter Status blog, Chris Pirillo's blog, VentureBeat, or Mashable. Related: Koobface virus hits Facebook

Update: If you are logged in to the real Twitter.com, you'll now see an update about this scam on the page. No warning appears if you use another Twitter client, like Twhirl.

Update 2: The effect of getting taken in by this scam seems to be that affected accounts send messages to their followers with the original phishing message. To date, no other effect of falling victim to the scam has been reported. However, since many people use the same user ID and password for multiple online services, it's possible that credentials collected from this scam could be used to log in to other services, including financial sites.

As Twitter recommends on its blog: "If this has you feeling a bit weirded out, feel free to change your Twitter password."

A denial-of-service attack that limits the number of SMS messages that can be received by Nokia smartphones has been disclosed and demonstrated.

Dubbed the "curse of silence" by German security researcher Tobias Engel, the attack occurs when Nokia Series 60 phones are sent a malformed e-mail message via SMS (Short Message Service). Engel demonstrated the attack on Tuesday at the Chaos Communication Congress in Berlin, according to a blog post by security vendor F-Secure.

An advisory made public by Engel on Tuesday gave details of the attack. After receiving a message from a sender with an e-mail address of greater than 32 characters, Nokia S60 2.6, 2.8, 3.0, and 3.1 devices are not able to receive any more SMS or MMS messages. The S60 2.6 and 3.0 devices lock up after one message, while 2.8 and 3.1 devices seize up after 11 messages.

Affected users must perform a factory reset of the handset to remedy the issue. No firmware fix was available at the time of writing. A Nokia representative told CNET News sister site ZDNet UK on Friday the company was "aware of" the vulnerability, but believed it did not pose a significant risk.

"Nokia is not currently aware of any malicious incidents on the S60 platform related to this alleged issue and we do not believe that it represents a significant risk to customers' devices," said the representative. "Nokia believes that the vulnerability may be valid for some of the S60 on Symbian OS products. We are also working with the Symbian team to further investigate the vulnerability."

Products running S60 3rd edition, feature pack 2, are unaffected, said the representative, who added that the issue can be prevented by network filtering.

"According to our knowledge, many operators are looking into and actually already implementing network filtering to prevent the issue," said the representative.

F-Secure said on Tuesday that Sony Ericsson UIQ devices may also be vulnerable to this type of attack. On Wednesday the security vendor said the vulnerability will "most likely be used by jealous boyfriends," but that support personnel "should know what to look for" in case of harassment of staff.

F-Secure added that, due to Engel's reasonable disclosure, the company had managed to test the flaw and add protection to its Mobile Security product. Engel informed Nokia and several telecommunications operators about the issue in November.

Tom Espiner of ZDNet UK reported from London.

The industry side of the military industrial complex is on the scent of the federal government's cybersecurity dollars.

Bloomberg has a year-end rundown on the efforts of the big defense contractors to tap into a market that could swell to $11 billion by 2013. Boeing and Lockheed, for instance, both set up new cyberdefense business units in the last six months, the news agency says, while Raytheon in the last 18 months has acquired a trio of network security providers and is looking to boost the number of its certified security engineers by 50 percent in 2009.

"The whole area of cyber is probably one of the faster-growing areas" of the U.S. budget, Lockheed executive Linda Gooden told Bloomberg.

Whether that is money well spent, however, is a separate question, as CNET News' Declan McCullagh pointed out recently in a look at the efforts of the U.S. Department of Homeland Security. Formed in 2002, the DHS has always had a stated mission of combating cyberterrorism.

More than six years later, and after spending more than $400 million on cybersecurity, DHS still has not accomplished that stated goal....

Along the way, DHS was regularly receiving poor grades--including an F--on computer security report cards released by a congressional oversight committee.

In fiscal 2008 alone, the federal government spent $115 million on the department's National Cybersecurity Division.

And that, of course, is just a drop in the bucket of Washington's monetary outpouring. Altogether this year, the U.S. government is expected to spend $7.4 billion to secure military, intelligence, and other agency computer networks, Bloomberg reported, citing market researcher Input.

Wired's Threat Level blog says that the outlays -- and defense contractors' need to acquire expertise --

will only be good news for computer security firms that have been struggling to stay afloat the last few years when the government and private sector showed little interest in spending money to secure computer networks.

In December, a commission established by the Center for Strategic and International Studies urged that President-elect Barack Obama create a National Office for Cyberspace. "America's failure to protect cyberspace is one of the most urgent national security problems facing the new administration that will take office in January 2009," the cybersecurity policy report says. "It is a battle we are losing."

Over the summer, when he was still a candidate, Obama said he would make national cybersecurity policy and leadership a top priority.

The prototype SSL crack in action: It's a supposedly secure Web site (note "https:" in the menu bar). But the SSL certificate is issued by MD5 Collisions Inc.

(Credit: Jonathan Stray)

By Jonathan Stray

Updated at 3:30 p.m. PST with Microsoft comment, at 1:50 p.m. PST with VeriSign comment, at 10 a.m. PST with comment from cryptography expert Paul Kocher, and at 9 a.m. PST to reflect that presentation has taken place and include comment from cryptography expert Bruce Schneier.

BERLIN--A key piece of Internet technology that banks, e-commerce sites, and financial institutions rely on to keep transactions safe suffers from a serious security vulnerability, an international team of researchers announced on Tuesday.

They demonstrated how to forge security certificates used by secure Web sites, a process that would allow a sufficiently sophisticated criminal to fool the built-in verification methods used by all modern Web browsers--without the user being alerted that anything was amiss.

The problem is unlikely to affect most Internet users in the near future because taking advantage of the vulnerability requires discovering some techniques that are not expected to be made public as well as overcoming engineering hurdles: performing the initial digital forgery consumed approximately two weeks of computing time on a cluster of 200 PlayStation 3 consoles. In addition, a criminal needs to find a way to reroute traffic from a legitimate Web site to his own, perhaps through techniques that have become well-known in the last few years.

Yet if one group can do it today, others eventually will. "We have a proof-of-concept that allows us to impersonate any supposedly secure Web site on the Internet," said David Molnar, a doctoral student in computer science at the University of California at Berkeley.

Molnar and six other researchers presented their findings during an afternoon session of the Chaos Computer Club's annual conference here on Tuesday. Other team members include Jacob Appelbaum and Alexander Sotirov.

Their work has focused on finding vulnerabilities in a technology known as Secure Sockets Layer, or SSL, which was designed to provide Internet users with two guarantees: first, that the Web site they're connecting to isn't being spoofed, and second, that the connection is encrypted and is proof against eavesdropping. SSL is used whenever a user navigates to an address beginning with "https://". SSL certificates essentially stand for the claim that, for instance, etrade.com actually belongs to E-Trade Inc., and is not being operated by a thief hoping to steal account passwords.

Most browsers indicate that SSL is active by displaying a small padlock icon. An attack using a forged authentication certificate--which is what the researchers say they have done--is insidious because the browser can't detect it and the padlock icon would still appear.

Talk announcement on the CCC schedule in Berlin.

(Credit: Jonathan Stray)

Unlike most security issues, this problem cannot be fixed with a simple software update. "The bug is not in anyone's software," Sotirov said. "It's not the browser that's at fault. The browser does exactly what it's supposed to do... The problem is that what it's supposed to do is wrong."

The attack exploits a mathematical vulnerability in the MD5 algorithm, one of the standard cryptographic functions used to check that SSL certificates (and thus the corresponding Web sites) are valid. This function has been publicly known to be weak since 2004, but until now no one had figured out how to turn this theoretical weakness into a practical attack.

An SSL certificate is a small file that ties a real-world corporate identity to a Web site address and a corresponding public encryption key. This is presented to a private certificate authority firm, which is supposed to verify the link between identity and domain name and then cryptographically "sign" the certificate to vouch for it.

The problem arises when someone else is able to forge the same signature.

VeriSign, which operates the largest certificate authority in the world, learned of the vulnerability early on Tuesday and acted quickly to close the hole in its certificates, according to Tim Callan, vice president of product marketing at the company.

"We went into our systems and removed the MD5 algorith and replaced it with SHA-1 (Secure Hashing Algorith)," he said. "You can not get an SSL certificate from VeriSign now that is subject to this attack." More information from VeriSign is available on Callan's SSL blog.

VeriSign was in the process of phasing out MD5 before the issue came up and is now on track to have it entirely out of commission in January, Callan said. "On balance, public key infrastructure works extraordinarily well," he said when asked if the vulnerability illustrated a need to change the trust model.

Microsoft, while noting that the issue wasn't a vulnerability with one of its products, tried to downplay the threat to users in a security advisory Monday.

"This new disclosure does not increase risk to customers significantly, as the researchers have not published the cryptographic background to the attack, and the attack is not repeatable without this information," the advisory said.

A 1991-era protocol, but modern problems
When MIT professor Ron Rivest developed MD5 in 1991, it was considered sufficiently secure. But starting in 1996, a series of increasingly serious flaws started calling the continued viability of MD5 into question.

As CNET News reported in 2004, flaws discovered at that time "could eventually make it easier for intruders to insert undetectable back doors into computer code or to forge an electronic signature--unless a different, more secure algorithm is used." Then, in 2007, Arjen Lenstra of Bell Laboratories Switzerland, with Marc Stevens and Benne de Weger of TU Eindhoven, demonstrated a technique to construct two new certificates with different content but the same fingerprint.

Although security researchers had been worrying, and recommending that other alternatives be considered, nobody had yet demonstrated how to exploit this theoretical flaw in a practical attack.

The researchers who attacked SSL authentication. Left to right: David Molnar, Alexander Sotirov, Marc Stevens, Arjen Lenstra, Jacob Appelbaum. Not pictured: Benne de Weger and Dag Arne Osvik.

(Credit: Jonathan Stray)

Molnar, Appelbaum, and Sotirov joined forces with the European MD5 research team in mid-2008, along with Swiss cryptographer Dag Arne Osvik. They realized that the co-construction technique could be used to simultaneously generate one normal SSL certificate and one forged certificate, which could be used to sign and vouch for any other. They purchased a signature for the legitimate certificate from an established company that was still using MD5 for signing, and then applied the legitimate signature to the forged certificate. Because the legitimate and forged certificates had the same MD5 value, the legitimate signature also marked the forged one as acceptable.

The process amounted to transferring a photograph from a real ID to a fake by carefully matching the holographic security markers.

The rogue certificate can then be used to sign any other certificate of the attacker's choosing--such as one which assures Web browsers that a malicious phishing site is actually the legitimate etrade.com or bankofamerica.com.

After three unsuccessful attempts, each of which required approximately three days of compute time on a cluster of 200 PlayStation 3s, the researchers obtained a forged certificate authority in early November, at which time they notified browser developers and certificate authorities, or CAs, about the security flaw. Molnar estimates that the same processing time could be purchased from Amazon for about $1,500.

The team decided to disclose the vulnerability at the Berlin conference in hopes that the news will encourage everyone involved to fix the problem quickly. "The main message here is to stop issuing MD5 certificates, now," said Molnar. He believes that MD5 is so weak it no longer should be used for any applications: "More secure, freely available alternatives exist." (In November 2005, the U.S. government announced plans to find successors to MD5 and SHA-1, an official federal standard with its own problems. The new federal standard will be called SHA-3.)

By itself, the MD5-certificate-forging vulnerability wouldn't be too worrisome. That's because it relies on criminals being able to capture Web traffic to display a fraudulent Web site. But setting up a fake wireless access point to lure unsuspecting neighbors or business travelers is trivial, and a program released earlier this year to attack the domain name system (DNS) provides another way to direct Internet traffic for malicious purposes.

While only a few CAs currently sign certificates with MD5, Appelbaum estimates that 30 percent to 35 percent of all SSL certificates currently in use have an MD5 signature somewhere in their authentication chain. "The CAs should contact every customer that currently uses an MD5-signed certificate and offer a free replacement."

In an interview on Tuesday morning, cryptography expert Bruce Schneier praised the research but downplayed the real-world consequences of the findings.

"SSL protects data in transit but the problem isn't eavesdropping on the transmission. Someone can steal the credit card on some server somewhere. The real risk is data in storage. SSL protects against the wrong problem," he said.

"This is good work, great cryptography. I love the research, but this doesn't matter a whit," Schneier added. "There are half a dozen ways to forge certificates and nobody checks them anyway."

Paul Kocher, president of Cryptography Research and an architect of the SSL 3.0 protocol, said the exploit highlights the need for a new universal hash function "that everyone is comfortable with."

"The paper is not a surprise, but at the same time it's the crispest demonstration for why it's necessary to remove this broken algorithm everywhere it is being used," he said, before adding "there are bigger things to worry about, like browser bugs and operating security bugs."

The researchers have created a Web site signed with a forged certificate which can be viewed here. The forged certificate was backdated so that it could not be used maliciously even if stolen from researchers, so you have to reset your system clock to August 2004 to view it.

Even though their work may be controversial, the researchers view their efforts as fundamental to creating a more secure Internet. "I don't want to be hit by this type of attack either," Sotirov said. "I use the Internet too."

The author is a freelance contributor to CNET News and is not an employee of CBS Interactive. His Web site can be found at jonathanstray.com.

Microsoft on Monday denounced reports that a vulnerability exists in Windows Media Player that could pose a security risk for users.

Microsoft said in a company blog post that it had investigated reports that surfaced on the Internet last week and found them to be "false." The flaw is "reliability issue with no security risk to customers," the company said on its Security Vulnerability Research & Defense blog.

The investigation followed claims published Wednesday on the Bugtraq security mailing list by researcher Laurent Gaffie that a vulnerability existed in Windows Media Player 9, 10, and 11. Gaffie said the vulnerability would allow a hacker to create a malformed WAV, SND, or MIDI file to create a denial of service, and included a proof-of-concept code.

Along with its denial, Microsoft criticized Gaffie for publishing his claims without first contacting the software giant:

The security researcher making the initial report didn't contact us or work with us directly but instead posted the report along with proof of concept code to a public mailing list. After that report, other organizations picked the report up and claimed that the issue was a code execution vulnerability in Windows Media Player. Those claims are false. We've found no possibility for code execution in this issue. Yes, the proof of concept code does trigger a crash of Windows Media player, but the application can be restarted right away and doesn't affect the rest of the system.

The company said that the flaw had already been identified during routine code maintenance and corrected in Windows Server 2003 Service Pack 2.

A network administrator will stand trial for allegedly hijacking the network he designed and maintained for the city of San Francisco.

A superior court judge ruled Wednesday that there was enough evidence to hold Terry Childs for trial on four felony charges of tampering with a computer network, denying other authorized users access to the network, and causing more than $200,000 in losses, according to a report in the San Francisco Chronicle. Childs, who has been in custody since July 13, had worked at San Francisco's Department of Telecommunication Information Services for five years. Childs, 44, is being held on $5 million bail and is scheduled to be arraigned on January 13.

Childs is accused of tampering with the city's Fiber Wide Area Network after allegedly being disciplined for poor performance. He was also accused of electronically spying on his supervisors and their attempt to fire him.

Childs allegedly denied other administrators access to the system, which maintains law enforcement, payroll, and jail-booking records. Childs reportedly refused to surrender secret codes that would allow access to the system.

However, after a week in the city's jail, Childs agreed to give the access codes to San Francisco Mayor Gavin Newsom during a secret jail house visit. The meeting reportedly was so secret that the police department and district attorney were not informed of the meeting ahead of time.

Childs' attorney has claimed that there was no destructive intent and that Childs was merely protecting the network from incompetent city officials who were trying to force him out of his job.

"Mr. Childs had good reason to be protective of the password," Erin Crane argued in an unsuccessful attempt to lower his client's bail. "His co-workers and supervisors had in the past maliciously damaged the system themselves, hindered his ability to maintain it...and shown complete indifference to maintaining it themselves...He was the only person in that department capable of running that system."

Ari Juels' fascination with numbers is the stuff of fiction, literally.

Ari Juels

(Credit: ZDNet Asia)

The chief scientist and director of RSA Laboratories recently completed a novel in which the protagonist is hired by the U.S. government to counter the efforts of Pythagoreans, a Greek group that believed in the supremacy of numbers--subscribing to the notion that by mastering numbers, one could understand and control the forces of the universe.

That concept, he told ZDNet Asia during a recent visit to Singapore, had been "a little silly" until cryptography developed to a stage where "mastery of certain mathematical problems could in principle lead to considerable power over computing resources and consequently over our lives."

The book, which will be launched at the RSA Conference 2009 in San Francisco in April, was in essence, the coming together of two of Juels' interests--computer security and classical literature. He graduated from Amherst College in 1991 with degrees in Latin Literature and Mathematics.

Thirty-eight-year-old Juels, who joined RSA in 1996, shed some light on recent RFID (radio frequency identification) issues in e-passports, identity documents, and transport-related systems, as well as how to balance security and privacy.

Q: What are you currently working on?
Juels: With the acquisition of RSA by EMC, we've turned our attention to some of the special security problems that storage systems present. In particular, we've looked at...the ability of a client to verify that a file that is stored on remote servers is still there--intact. We've been able to develop a protocol which accomplishes the seemingly paradoxical property of enabling a client to verify that a file is completely intact--that every bit is there, not a single bit has been changed--without downloading the file. In fact, the archiving service can send a very short proof--some tens of bytes--and that's enough for the client to establish that the file is completely retrievable. That's been a major area of research for us.

Is there a name for this concept?
Juels: There've been several names. I guess the most recent is an acronym called HAIL, for High Availability and Integrity Layer.