Schneier on Security
A blog covering security and security technology.
January 25, 2011
A group of students at the Chinese University in Hong Kong have figured out how to store data in bacteria. The article talks about how secure it is, and the students even coined the term "bioencryption," but I don't see any encryption. It's just storage.
They have also developed a three-tier security fence to encode the data, which may come as welcome news to U.S. diplomats, who have seen their thoughts splashed over the Internet thanks to WikiLeaks.
"Bacteria can't be hacked," points out Allen Yu, another student instructor.
"All kinds of computers are vulnerable to electrical failures or data theft. But bacteria are immune from cyber attacks. You can safeguard the information."
The team have even coined a word for this field -- biocryptography -- and the encoding mechanism contains built-in checks to ensure that mutations in some bacterial cells do not corrupt the data as a whole.
Why can't bacteria be hacked? If the storage system is attached to a network, it's just as vulnerable as anything else attached to a network. And if it's disconnected from any network, then it's just as secure as anything else disconnected from a network. The problem the U.S. diplomats had was authorized access to the WikiLeaks cables by someone who decided to leak them. No cryptography helps against that.
There is cryptography in the project:
In addition we have created an encryption module with the R64 Shufflon-Specific Recombinase to further secure the information.
If the group is smart, this will be some conventional cryptography algorithm used to encrypt the data before it is stored on the bacteria.
In any case, this is fascinating and interesting work. I just don't see any new form of encryption, or anything inherently unhackable.
Posted on January 25, 2011 at 1:40 PM
Maybe biosteganography would be more accurate?
Well, the logical next step would be to engineer bacteriophages to "read" and hack biological storage systems. Measure drives countermeasure.
Ugh. The biggest problem with storing information in bacterial genomes is that the fidelity is crap. Mutations, insertions, deletions, and rearrangements happen all the time.
Imagine manipulation of the data using a retrovirus...
"I just don't see any new form of encryption or anything inherently unhackable"
The "encryption" aspect is unclear at best (which does not bode well).
As for "unhackable" naugh, as has been remarked before,
"What man has made man can unmake"
In this case if they are putting data in to bacteria and reading data out, so can anybody who has access to the bugs.
Of course the question arises with bacteria that can divide as and when conditions are correct, how many times a particular bacteria will reproduce, and "escape" into the wild (Who wants a Class 4 bio hazard containment system around their data center ;)
Then of course if the bacteria are capable of reproducing the next question would be about some combination of data producing a harmful strain...
I wonder what "small pox" would read out as ;)
All amusement aside I have been expecting this for many years, ever since a well known cryptographer showed how to solve the "traveling salesman problem" with DNA. Although I was expecting it to be RNA not bacteria.
So now your confidential information can leak itself?
I can already imagine the new big DHS movie plot: terrorists are stealing our military secrets and smuggling them hidden inside a bacteria so we have to take your stool, blood, saliva, urine, sperm,... samples to check bacteria in them for any information they might contain.
Boss....I just sneezed the key to the Murcheson proposal and now it's a pandemic. WHO wants to talk to you.
"Bacteria can't be hacked," points out Allen Yu, another student instructor.
Amoxicillin and say good bye to the information.
Someone give these guys an award, your choice.
"We've hacked bacteria to store data!!"
"It's awesome cause it's unhackable and immune from cyber attacks."
Well, isn't it just a simple substitution cipher? Pretty primitive encryption, but still encryption.
Bacteria are living things? Right? Bacteria die or can be killed. Goodbye data. But of course you can do that with a disk drive as well (kill it and the data).
Is this really something noteworthy?
"Well, isn't it just a simple substitution cipher? Pretty primitive encryption, but still encryption."
They encoded the data rather than encrypt it. It can't be encryption if there's no secret.
Would you claim that your hard drive is an encryption device? A storage device that encodes data in a DNA no more encrypts the data than a storage device that encodes data in magnetic fields.
Both may encrypt data before encoding it, but that's unrelated.
"so we have to take your stool, blood, saliva, urine, sperm,..."
No worries mate, as the old joke has it just give em yer underpants, it'll be a lot less painful that way ;)
And now in a cinema near you:
"Johnny Mnemonic 2"
Nah really without further info I would attribute this to a language problem. They may have meant "encoded" not encrypted.
"unhackable and immune?"
Using bacteria for information storage simply leads to a possibility for a new type of computer virus.
OK, Using bacteria for information storage simply leads to a possibility for a very old type of virus to become a computer virus.
See http://en.wikipedia.org/wiki/Bacteriophage for virus types that infect bacteria and http://en.wikipedia.org/wiki/Lysogenic_cycle for one type of viral replication that "in the remaining majority of the bacteria, the phage DNA becomes integrated into the bacterial chromosome and replicates along with it."
Bruce, how about instead of movie plot threat contest you announce movie plot threat skit contest a la Monty Python?
Then I guess I can I securely wipe my bacteria data with bleach or a spray can of Lysol? If I sneeze out my bacteria data is that then a cloud solution?
As you have not provided a "friday squid" thread this week I guess I'll have to "heads up" here instead.
An Icelandic story that may potentially be as serious as the Greek Government Mobile phone hacking.
It appears that an "unknown" ;" lacking any identifying features was found in a disused area directly connected to the Icelandic Parliament computer network.
Details are limited and appear to be contradictory but you can read a bit on this page,
Due to Iceland's precarious financial state, and the "suspect bank fraud" I suspect quite a few people would have an interest in getting a ring side seat on what Parliament is discussing.
Thanks for the pointer.
Strangely enough I blogged on the Icelandic mystery computer subject the other day. Birgitta Jónsdóttir had been tweeting about it a lot & my bullshit detectors were going into overdrive on some of the claims being made.
Unfortunately I didn't find the grapevine.is article you've referenced as it makes some of the same observations I did, but more succinctly. I could have done a better job if I'd had that first.
"But bacteria are immune from cyber attacks"
Then someone will find a biological attack. Anybody have an idea of the life expectancy of these bacteria, or would they have to be permanently put in cryostasis ?
Interesting PoC, but I think there's still gonna be a lot of work to make this a viable commercial solution.
Calling this 'news' is ludicrous hype. That DNA encodes information is known for about 70 years (Avery–MacLeod–McCarty experiment). One can consider that same experiment as the first instance of storing data in the bacteria, even if poorly understood at the time.
Why, just last week I stored the following text in E.coli: DDYVAAVTSGLVADARVLVDFARISAQQEKVTYGSLVNIE
As to hackability, the entire field of molecular biology is nothing but one long (started in early 80's) hack fest of bacteria and other living organisms. It's fun, come and join us!
If we're talking webcomics, there's a similar idea involving spammers: http://dresdencodak.com/2009/07/12/...
It reminds me somewhat of the MacGuffin from one of William Gibson's books: a mobile, offline, biological storage device capacious enough to store "an approximation of everything."
The "encryption" is something like this: break up the message into pieces at specific locations, randomly reverse a fraction of those, and reassemble the message. Essentially a very limited random transposition applied to the message. How do you decrypt a random function? Their answer is to append a checksum (computed by some formula known only to the encryptor); then you try all possible permutations until the checksum matches.
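The scheme described in the comment above, as an added sketch that is not the student team's code and not part of the original thread. The 2-bit base mapping, the equal-size segments and CRC32 as a stand-in for the undisclosed checksum are all assumptions; the message is constructed.

```python
import itertools
import zlib

BASES = "ACGT"  # assumed mapping: 2 bits per base, no key involved

def to_dna(data: bytes) -> str:
    """Encoding only: anyone who knows the mapping can reverse it."""
    return "".join(BASES[(b >> s) & 3] for b in data for s in (6, 4, 2, 0))

def from_dna(seq: str) -> bytes:
    out = bytearray()
    for i in range(0, len(seq), 4):
        value = 0
        for base in seq[i:i + 4]:
            value = (value << 2) | BASES.index(base)
        out.append(value)
    return bytes(out)

def flip_segments(seq: str, n: int, flips) -> str:
    """Cut seq at n fixed positions and reverse the segments marked True.
    Reversal is its own inverse, so the same call also undoes it."""
    size = -(-len(seq) // n)  # ceiling division
    segs = [seq[i:i + size] for i in range(0, len(seq), size)]
    return "".join(s[::-1] if f else s for s, f in zip(segs, flips))

def store(message: bytes, n: int, flips) -> str:
    tag = zlib.crc32(message).to_bytes(4, "big")  # stand-in checksum
    return flip_segments(to_dna(message + tag), n, flips)

def recover(stored: str, n: int):
    """Try every orientation pattern until the checksum verifies."""
    for tries, flips in enumerate(itertools.product((False, True), repeat=n), 1):
        payload = from_dna(flip_segments(stored, n, flips))
        msg, tag = payload[:-4], payload[-4:]
        if zlib.crc32(msg).to_bytes(4, "big") == tag:
            return msg, tries
    return None, 2 ** n

# Constructed sample: 8 segments, 4 of them reversed.
MESSAGE = b"meet at the lab"
N_SEGMENTS = 8
FLIPS = (True, False, True, True, False, False, True, False)

if __name__ == "__main__":
    stored = store(MESSAGE, N_SEGMENTS, FLIPS)
    msg, tries = recover(stored, N_SEGMENTS)
    print(stored)
    print(msg, "recovered after", tries, "of", 2 ** N_SEGMENTS, "candidates")
```

With n invertible segments there are only 2^n orientation patterns to try, and the legitimate reader performs exactly the same search as anyone else who knows the checksum formula, so that formula is the scheme's only secret.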
Before: restricted access: no removable storage media, writable cd's etc.
After: restricted access: no removable storage media, writable cd's, Petri dishes.
"Bacteria can't be hacked"...?
Uh... *you just did*.
look! we created a new word!
we got the definition wrong, so someone will either have to co-opt it back, or come up with *another* word to mean what bioencryption seems to mean.
there are plenty of encryption mechanisms in biological systems. just because we don't understand them, or can't decipher them, doesn't mean we should get all excited about mangling one of them to store mp3s :D
[i can see the ipod of the future. a *real* 'pod', like a triffid, with tentacles/roots that grow into the back of your skull - direct sensory transfer. :D]
While this may not be encryption - it does hide data in an obfuscated way that most people are not searching for. It reminds me of when spies would shave their heads and tattoo messages on their head and then grow their hair back so the enemy wouldn’t spot them delivering some secret message.
As most security professionals know today, they should be searching for and denying users from using devices like IPod’s and USB Flash drives that may be used to sneak out confidential data. But now tell those individuals that you may have to scan bacteria?
How do you do that?
Most likely this won't ever happen for a long time to come. But maybe it is being exploited already. How would you know? If you figure it out – would it be too late?
My worry is that news such as this may increase occurrences such as the WikiLeaks or other types of industrial espionage.
But the concept to the non-biologist is intriguing to say the least.
Now you can get a virus from a bacteria.
@Some dude in NY at January 25, 2011 10:12 PM
"As most security professionals know today, they should be searching for and denying users from using devices like IPod’s and USB Flash drives that may be used to sneak out confidential data. But now tell those individuals that you may have to scan bacteria?
How do you do that?"
That is probably the last thing you want to suggest to airport security, "Yes sir, we're concerned that you may be harbouring illegal information in bacteria upon your person so we are going to have to boil you for three minutes"
@Clive Robinson at January 25, 2011 2:35 PM:
"Then of course if the bacteria are capable of reproducing the next question would be about some combination of data producing a harmful strain..."
The SQL injection attack that finally kills us all :-)
"I wonder what "small pox" would read out as ;)
All amusement aside I have been expecting this for many years, ever since a well known cryptographer showed how to solve the "traveling salesman problem" with DNA. Although I was expecting it to be RNA not bacteria."
Did the X-Files (I was too young to realise how bad it was at the time) not do a story line where the US population were tagged using the small pox vaccine... that was in the 90s, so the idea at least isn't new.
A long time ago, I read an SF story in which life was put onto this planet by an alien race as a way of leaving a message for future alien races encoded within DNA of single celled organisms here.
After humans became a space faring race, a human crew member of a rocket heard of the story from an alien he met in a bar on some distant planet. When he asked for more details, he was told the message had be read, back before humans had evolved, so there was really no longer any need for life on planet earth.
IMHO the real security will come from HOW you can read the data from the bacteria, I'm sure no sata, usb, ide cable will help you. Specific and tailored chemical compounds required will be hard enough to figure out so security will be inherent.
Independent of the cryptography, this opens up a new area of research: error correcting codes specifically designed to resist the kind of errors that the DNA copying system makes.
"What man has made man can unmake"
just had to take it out of context and ask you to unmake an omelette ;)
Diffie was famous for thinking about unmixing paint, of course.
let's try to revert an sha1 hash to an unknown plain text
"What man has made man can unmake"
epic fail at understanding thermodynamics...
Movie plot time: in a world where others will stop at nothing to obtain secrets, one man finds himself the unwitting defender of a grave secret that could destroy everything, after he is infected with info bacteria meant for a secret agent. Now he must deliver the information within 24 hours before the bacteria kills him, while fighting those who will stop at nothing to take it from him.
You made my day! That's awesome! I'd go to buy the ticket right now if such a movie was in theaters!
And for the sake of freedom... I injected a copy of the insurance.aes256 file into myself... :)
@ Gianluca Ghettini
"epic fail at understanding thermodynamics..."
Possibly true depending on your viewpoint. BUT man did not make thermodynamics he just found it one day ;)
However if you consider entropy to be moving from the "ordered to disordered" state then "making" something can be shown as moving from the disorganised to the organised (refining etc) and "unmaking" something is applying entropy "forcefully" (via a tonne of Dynamite if you like visual effects).
"just had to take it out of context and ask you to unmake an omelette ;)"
I do it all the time or more correctly (and appropriately for this post) I let the bacteria in my gut do the real "unmaking" of an omelette 8)
@ Peter Maxwell,
"The SQL injection attack that finally kills us all :-)"
Maybe I should change my name to "little bobby tables" as advance protection 8)
With regards to,
"... so we are going to have to boil you for three minutes"
Reminds me of the old seaside postcard of a man writhing around in pain and the doctor saying to the nurse standing beside him,
"Nurse I said prick his boil not..."
They mean "bioencoding". Lots of people mix up encoding and encrypting.
There is really no problem to extract DNA from bacteria and sequence it.
What will we do if we check human DNA and find a user manual and product demo?
"Possibly true depending on your viewpoint. BUT man did not make thermodynamics he just found it one day ;)"
you are absolutely true! :)
I mean "right".. sry... ;)
"What will we do if we check human DNA and find a user manual and product demo"
Check for a warranty and return address and apply for a returns number...
Pandemic begins killing millions and millions of people. Chinese students study genetic code of virus only to discover that the virus appears to be 'formatting' our genetic makeup. The students begin to study other viruses and realize their sole purpose is to alter our genetic makeup and store data, sometimes with dire consequences. A Chuck Norris lookalike devises a plan to decrypt the data that these viruses have been encoding in human beings and realizes the truth... The planet earth is a cloud storage service for an alien website.
"Would you claim that your hard drive is an encryption device?"
Yes, I would. Then again, I have a Full Disk Encryption drive. With a normal drive I wouldn't.
But there is one who can.
A computer that is to come after me,
one that I will design.
A computer to calculate the Ultimate Question,
one of such infinite complexity that life itself will form part of its operational matrix.
And you yourselves shall take on new more primitive forms and go down into the computer
to navigate its ten million year program.
I shall design this computer for you.
And it shall be called ... the Earth.
@ BF Skinner,
"A computer to calculate the Ultimate Question one of such infinite complexity that life itself will form part of its operational matrix."
You being a "closet Brit" could probably name whose voice was used for deep thought in the original BBC radio program (which for my sins I'm not only old enough to have heard but record on reel2reel as well ;)
Something that might amuse as you are aware the answer is 42, but in London many of the churches are running a "christianity marketing campaign" called the "alpha course" and believe it or not the tag line is,
"The meaning of life is ________?"
You have no idea how hard it is to resist the temptation write,
"42 (c) Douglas Adams"
In the blank.
@Clive "closet brit"
And that sound you're hearing is Parnell and my dad turning in their graves. In sync.
Something tells me that "bioencryption" will be the yeast of our problems.
Whilst it might be the yeast of our problems, it might well be fermenting up trouble, have you ever had that gut feeling that casually brewing up such things produces an ill wind that blows nobody any good?
Then of course there are other puns on human body processes caused by bacteria that I could list but many really are too gross to mention.
Star Trek:TNG , Season 4 Episode 21 "The Drumhead", already used DNA sequencing to contain encrypted information.
If it can be used, it can be hacked.
I love how every new technology is an 'unhackable' 'breakthrough' while it's looking for venture capital.
Remember the old saying that "felgerkarb (BS) is the grease for the skids upon which technology slides into the future".
As fascinating as this is, I think this is a big waste of time and research.
Trying to use something in the macro world to store information which is already being done on the nano-scale, is honestly working backwards for no good reason. There is no practical use for this.
They should be researching bacteria for what they are really useful for: cleaning up chemical messes, fighting diseases, prevention of bio-warfare attacks, etc.
I hate to be cynical (especially when it comes to science), but it seems time could be much more well-spent towards developing something along those lines, or dropping the whole DNA computer/bacteria scene.
Time would be better spent assisting research in the quantum computing, FTL comm, or nano-tech research fields.
This research is more promising, and the results would be a drastic leap in technology.