TLS Wiretap Fear · There is a hot lengthy ar­gu­ment go­ing on in the IETF’s TLS Work­ing Group which has been mak­ing me un­com­fort­able. It’s be­ing al­leged that there is an at­tempt to weak­en Web se­cu­ri­ty in a deep fun­da­men­tal way, which if true is ob­vi­ous­ly a Big Deal ...
 
On Password Managers · It has come to my at­ten­tion that peo­ple are Wrong On The In­ter­net about pass­word man­ager­s. This mat­ter­s, be­cause al­most ev­ery­body should be us­ing one. Here­with back­ground, opin­ion­s, and a de­scrip­tion of my own se­tup, which is rea­son­ably se­cure ...
[24 comments]  
Keybase Client · I got in­ter­est­ed in Key­base.io the day I left Google in March, and I’ve been evan­ge­liz­ing it, but even more the idea be­hind it: Us­ing au­then­ti­cat­ed posts here and there to prove public-key own­er­ship. Al­so I’ve con­tribut­ed Keybase-client code to OpenK­ey­chain (let’s just say “OKC”), a pret­ty good An­droid cryp­to ap­p. I’m more or less done now ...
[6 comments]  
How To Be Secret · Sup­pose you need to ex­change mes­sages with some­one and be re­al­ly, re­al­ly sure that no­body else reads them. Here’s how I’d do it ...
[5 comments]  
Security Problems · The Internet is a dangerous place. We have tools to make it safer, but they go unloved and unused; by ordinary people I mean, the ones who aren’t geeks. How can we fix that? Let’s look through some recent evidence; the conclusion is pretty obvious ...
[3 comments]  
Making Android Crypto-friendly · Google could tweak An­droid, in a pret­ty sim­ple way, and make it im­mense­ly eas­i­er for any­one, not just geek­s, to do cryp­tog­ra­phy with a nice us­er ex­pe­ri­ence. All the pieces are there ready to go ...
 
Is Encrypting Phones OK? · Start­ing now, more and more phones will have their da­ta en­crypt­ed, so no­body but the phone’s own­er can peek. Ap­ple just start­ed and Android’s fol­low­ing suit. Now we hear howls of out­rage from gov­ern­ment of­fi­cials claim­ing this will pro­tect crim­i­nal­s, doom vic­tim­s, and so on. But they’re com­plete­ly wrong ...
[3 comments]  
OpenKeychain 3 · Re­lease 3.0 of the OpenK­ey­chain An­droid app is out to­day. I’m super-proud to have been a (mi­nor) con­trib­u­tor. It’s get­ting pret­ty slick, if I say so my­self; maybe al­most civilian-ready. Read on for an ex­pla­na­tion, with screen­casts and geek notes too! ...
[4 comments]  
Apple’s Privacy Policy · See A mes­sage from Tim Cook and es­pe­cial­ly Govern­ment In­for­ma­tion Re­quests. It’s good; well-written and clear. Plus, there’s a news sto­ry; as of iOS 8, Ap­ple can’t un­lock a ran­dom iPhone. Mind you, this is al­so an Ap­ple mar­ket­ing piece ...
[6 comments]  
Keys in the Cloud · I just land­ed a nifty new fea­ture for OpenK­ey­chain. It’s sim­ple enough: If you want to com­mu­ni­cate pri­vate­ly with some­one, you need their key. So, just like when you’re look­ing for any­thing else, you type their name or email or what­ev­er in­to a search box and find it on the In­ter­net ...
[1 comment]  
Legal Advice · Hey, are you op­er­at­ing an app or a Web site? If so, are you among the (large num­ber of) peo­ple (for ex­am­ple, In­sta­gram) who con­nect via “http:” in­stead of “https:”? Here’s some ad­vice ...
[1 comment]  
Privacy Economics · Pri­va­cy is good. Per­fect pri­va­cy is re­al­ly hard, prob­a­bly un­achiev­able. It’s not a bi­na­ry thing, but a big di­al we can turn up or down. So ob­vi­ous­ly, we should be turn­ing it up ...
[3 comments]  
Java Security Hole · Good sol­id cryp­tog­ra­phy is an es­sen­tial foun­da­tion for sound busi­ness us­age of the In­ter­net, and es­sen­tial to pro­vide a sane pri­va­cy lev­el. But the tools for Ja­va pro­gram­mers are in hor­ri­ble shape ...
[4 comments]  
Trusting Browser Code · It would be use­ful if you could re­al­ly trust code run­ning in your browser. It’s not ob­vi­ous that this is pos­si­ble; but it’s not ob­vi­ous that it isn’t, ei­ther ...
[2 comments]  
Privacy Levels · You should be able to ex­change mes­sages pri­vate­ly us­ing the In­ter­net. My pro­fes­sion should be work­ing on mak­ing this easy for ev­ery­one, in­clud­ing non-geek civil­ians who shouldn’t need to un­der­stand cryp­tog­ra­phy ...
[12 comments]  
Where Is Your Data Safe? · You can store it on a USB stick or your mo­bile or your per­son­al com­put­er or your com­pa­ny servers or out there in the cloud. Where is it safe? That’s not a sim­ple ques­tion, but here’s my an­swer: Your own per­son­al com­put­er, if you take a few ba­sic pre­cau­tion­s, can be a pret­ty safe place to store things that mat­ter, in­clud­ing se­crets that mat­ter ...
[4 comments]  
Pervasive Monitoring Is an Attack · That’s the ti­tle of RFC 7258, al­so known as BCP 188 (where BCP stands for “Best Cur­rent Practice”); it rep­re­sents In­ter­net Engi­neer­ing Task Force con­sen­sus on the fact that many pow­er­ful well-funded en­ti­ties feel it is ap­pro­pri­ate to mon­i­tor people’s use of the Net, with­out telling those peo­ple. The con­sen­sus is: This mon­i­tor­ing is an at­tack and de­sign­ers of In­ter­net pro­to­cols must work to mit­i­gate it ...
[8 comments]  
Security Farce · There were these head­lines yes­ter­day, for ex­am­ple in CNET, about a se­ri­ous se­cu­ri­ty flaw in OAuth & OpenID, with gar­ish graph­ics claim­ing that Google and Face­book and Ya­hoo and, well, ev­ery oth­er web­site you ev­er heard of, was vul­ner­a­ble. I’ve been dig­ging a bit and I still don’t know if there’s a there there; at the mo­ment I think not. But I was left nau­se­at­ed by the amateur-hour re­port­ing ...
[3 comments]  
Popular Cryptography · It’s like this: Every­body ought to be able to use strong cryp­tog­ra­phy any time they’re go­ing to send any­thing to any­body. Ideal­ly it should just hap­pen, by de­fault, but let’s take ba­by step­s. This is a messy ram­bling work di­ary on try­ing to put some of the pieces to­geth­er to make that a lit­tle more prac­ti­cal than it is to­day ...
[8 comments]  
Keybase.io · I’ve been fool­ing around with this for the last cou­ple of days; you can find me at key­base.io/­tim­bray. I think it might be point­ing a use­ful way for­ward on private-by-default com­mu­ni­ca­tion and, for what it does, it gets a lot of things right ...
[12 comments]  
Is This Page Safe? · What hap­pened was, Paul Hoff­man, Lau­ren, and I were sit­ting up talk­ing about pri­va­cy, look­ing at a WordPress blog, and this weird thing hap­pened: We typed in its ad­dress with “https:” at the fron­t, and it showed up as locked/HTTPS in some browsers but not oth­er­s. It took quite a bit of pok­ing around to fig­ure out ...
[5 comments]  
Counter-Surveillance · Surveil­lance on the In­ter­net is per­va­sive and well-funded; it con­sti­tutes a planetary-scale at­tack on peo­ple who need the Net. The IETF is grap­pling with the prob­lem but the right path for­ward isn’t clear ...
[11 comments]  
HTTP Encryption Live-blog · The IETF HTTP Work­ing Group is in a spe­cial place right now. It held a meet­ing this morn­ing at IETF 88 on en­cryp­tion and pri­va­cy; the room was packed and, just pos­si­bly, nee­dles that mat­ter were moved ...
[10 comments]  
Not the Softest on the Block · We moved in­to our cur­rent place in ear­ly 1997 and, al­most im­me­di­ate­ly, were bad­ly bur­gled. Last week, Mat Ho­nan got bad­ly hacked. We took home-security mea­sures and haven’t had any prob­lems since. I pro­tect my on­line pres­ence, with sim­i­lar re­sult­s. Some lessons ap­ply to both cas­es ...
[1 comment]  
On the Deadness of OAuth 2 · Wow, did Eran Ham­mer ev­er go off. His noisy slam­ming of the OAuth 2 door be­hind him has be­come a news sto­ry. I have opin­ions too ...
[8 comments]  
Unserious About Security · Our de­vices all touch the In­ter­net all the time. There are many peo­ple on the In­ter­net who are ex­treme­ly smart and ex­treme­ly bad and want to steal your mon­ey. We need to take se­cu­ri­ty very se­ri­ous­ly. The tech community’s writ­er­s, both pro­fes­sion­al and am­a­teur, are do­ing an in­ad­e­quate job; ar­guably guilty of both reck­less­ness and lazi­ness ...
[6 comments]  
Dangerous Gems · Maybe I’m just be­ing para­noid here, but I’m start­ing to get a lit­tle wor­ried that RubyGems could be a nasty at­tack vec­tor, giv­en cer­tain com­bi­na­tions of mal­ice and stu­pid­i­ty ...
[19 comments]  
Tab Sweep · As usu­al, there isn’t a uni­fy­ing the­me. In this is­sue: lumpi­ness, stuff, mi­cro­for­mat­s, eye can­dy, metapro­gram­ming, beard­s, and psy­chol­o­gy ...
[1 comment]  
Telnet SNAFU from the Inside · Wel­l, yes, there was that em­bar­rass­ing mile-wide hole in tel­net (I haven’t used tel­net in years ex­cept to de­bug Web pro­to­col­s, but I guess some­one must; seems to me any­one who leaves tel­netd fac­ing the In­ter­net is ex­hibit­ing, uh, ques­tion­able judg­men­t; but stil­l.) Nasty se­cu­ri­ty gotchas are noth­ing new in this world, but here’s some­thing that is new: a first-hand re­port from the guy who got the call you don’t want to get, and then got the patch in­to the sys­tem. Ac­tu­al­ly, I don’t un­der­stand quite a bit of the jar­gon: “patch gate”, “RTI logging”, and so on; but it’s still a com­pelling sto­ry.
[2 comments]  
PHP Security · Per­haps some­one who knows this sub­ject can ex­plain. Giv­en some of the com­ments here (yeah, there are lots of mo­ron­s, but some savvy-sounding hands-on PHP­folk too), and sto­ries like this, I have a ques­tion: why isn’t this part of this?
[10 comments]  
Web Application Security · A pret­ty fierce de­bate has bro­ken out on how to do se­cu­ri­ty for Web-applications (REST, WS-*, what­ev­er). I’m grat­i­fied that it seems to have start­ed in the com­ments to S for Sim­ple. The pro­po­nents are Gun­nar Peter­son and Pete Lacey, and what they have to say is in­ter­est­ing. I think Gun­nar didn’t do a good enough job of fill­ing in one of the bases of his po­si­tion, al­though in pri­vate email he sent me a link to a PDF from eBank­ingSe­cu­ri­ty.­com which is worth a look. The point is that a sig­nif­i­cant pro­por­tion of Win­dows PCs are com­pro­mised with tro­jans and keystroke-loggers and oth­er fla­vors of bad-ware; sig­nif­i­cant enough that the pretty-decent transport-level se­cu­ri­ty pro­vid­ed by TLS is im­ma­te­ri­al. Those of us who are technically-competent and don’t use Win­dows can feel in­di­vid­u­al­ly se­cure, but that doesn’t mean Gun­nar doesn’t have a point.
[5 comments]  
Security Hell · Tap, tap, tap, pause... “hmph”. Tap, tap, tap, pause... “grmph”. [Ten minutes pass.] Tap, tap, tap, pause... “Hellfire.” Tap, tap, tap, pause... “Crap.” [Ten more minutes.] Tap, tap, tap, pause... “<multiple expletives deleted>.” Tap, tap, tap, pause... loud splat sound as the yellow-stickies pad impacts the far office wall. The cats, sensing trouble, have left the room. Is this the sound of: Trying to book a flight to somewhere attractive using points? Multi-threaded software being debugged? An attempt to write WSDL by hand? Solving a really nasty Myst-series puzzle? None of the above. Those sounds would be me trying to pick a new Sun LDAP password that meets the incredibly-stiff requirements of our new (SarbOx-driven, they say) security policy. The dictionary they check includes variant spellings of the names of little towns in the Lebanese mountains! I asked Lauren: “How am I going to remember this?” She said: “Go pick up that yellow-stickies pad you threw across the room, write it down on one, and put it somewhere safe. Bruce Schneier says that’s OK.” While I generally approve of forcing people to avoid easily-stolen passwords, I do worry a little that these hard-to-guess things can also be hard to type, and perhaps thus vulnerable to prying eyes. But anyhow, if you were thinking of writing a program to guess anyone’s password here at Sun, well forget about it. [Update: I got a bunch of suggestions on how to deal with this, some of them good.] ...
 
Dangerous HTML · Via Rob Sayre (who’s co-editing the Atom Internet-Drafts), the dis­turb­ing re­al­iza­tion that there doesn’t seem to be any­where you can go read about all the things that can (and will) go wrong if you em­bed an HTML pro­ces­sor in your soft­ware. This is bad, be­cause such em­bed­ding is get­ting very easy and com­mon.
 
Regulate ISPs Now · I keep think­ing about our ex­pe­ri­ence at Christ­mas, when we set up my Mom for broad­band, and the lo­cal ISP thought it was just fine to send her home with a DSL mo­dem to plug in­to her Win98 box; no warn­ings, no ed­u­ca­tion, no fire­wall­s. This is just not OK. We have all sorts of reg­u­la­tion in place to en­sure that drivers are equipped with rea­son­ably safe gear and have some ba­sic ed­u­ca­tion on how to pro­ceed safe­ly. Sim­i­lar­ly, we reg­u­late res­i­den­tial con­struc­tion and in­vest­ment deal­ers and em­ploy­ers and man­u­fac­tur­ers, and this is a good thing. So I think we need some leg­is­la­tion in place that says if someone’s com­put­er gets hacked through no fault of their own and in­flicts dam­age on some In­ter­net us­er some­where, the ISP is li­able for that dam­age un­less they can show they took some min­i­mal ef­fort to ex­plain to their cus­tomers that the In­ter­net is a dan­ger­ous place, but that you can be safe if you fol­low a few sim­ple pre­cau­tion­s.
 
Security Blanket · To­day I turned on the FileVault thingie on my Mac, so ev­ery atom of my da­ta is 128-bit en­crypt­ed (Pleas­ing­ly, there doesn’t seem to be any per­cep­ti­ble slow­down). On top of which, we’re run­ning an­oth­er 128 bits of en­cryp­tion on the WiFi around the house, plus the link to the on­go­ing web host is via ssh which is RSA, uh I for­get how many bits in my key. So these hum­ble let­ters have been through a whole lot­ta bit-bangin’ along their route from my fin­ger­tips to your reti­na. Get­ting all this set up takes more work than it re­al­ly ought to, but it’s get­ting eas­ier, and once the ar­range­ments are there, it to­tal­ly doesn’t get in the way. Which is a good thing, be­cause the In­ter­net is a rough neigh­bor­hood, and in a rough neigh­bor­hood you don’t send your kids walk­ing off to school alone. No more should you send your vul­ner­a­ble lit­tle words out on its mean streets with­out some cryp­to­graph­ic Block Par­ents lend­ing a hand.
 
Insecurity by Obscurity · There’s this big com­pa­ny out there whose name ev­ery­one knows. I’ll just call them “Example Corp” be­cause this is a good ex­am­ple of how things can go wrong. What hap­pened was, this morn­ing I glanced at my serv­er logs and saw hits from http://le­gal.ex­am­ple.­com/blog; puz­zled, I checked it out and was chal­lenged for my email be­fore it would let me in. They were fine with my or­di­nary ad­dress, and I found my­self in their le­gal department’s in­ter­nal blog, full of dis­cus­sions of peo­ple su­ing them, re­ports to man­age­men­t, re­al juicy stuff. Nice Move­able Type group-blog se­tup; and they’d point­ed to my re­cent bulleted-list rant, leav­ing a trail of crumbs back to their un­pro­tect­ed un­men­tion­ables. I saw that a few of the posts were by a jblog­gs and Google, via a search for jblog­gs@ex­am­ple.­com, re­vealed that this par­tic­u­lar Joe was their Se­nior Vice Pres­i­dent and Gen­er­al Coun­sel. So I sent him an email say­ing “Er, your le­gal de­part­ment blog is open to the public.” and a cou­ple of hours lat­er got friend­ly email from some­one @ex­am­ple.­com say­ing “I think we closed it, could you check?” and they had. A cou­ple of de­tails in the nar­ra­tive have been changed to pro­tect the guilty, but if I told you what went be­tween legal. and .com you’d gasp. Any­how, we al­ready knew these things, but on the ev­i­dence it can’t hurt to say them again: First, se­cu­ri­ty by ob­scu­ri­ty just doesn’t work, and sec­ond, nev­er as­sume some­thing on a Web serv­er isn’t Internet-visible un­til you’ve had some­body try from out­side and prove it.
 