Archive for the ‘Cryptography’ Category


Tor Users Urged To Update After Security Breach

January 31, 2010

From the better-really-late-than-really-never dept. and Slashdot YRO: If you use Tor, you’re cautioned to update now due to a security breach. In a message on the Tor mailing list dated Jan 20, 2010, Tor developer Roger Dingledine outlines the issue and why you should upgrade to Tor or now: ‘In early January we discovered that two of the seven directory authorities were compromised (moria1 and gabelmoo), along with, a new server we’d recently set up to serve metrics data and graphs. The three servers have since been reinstalled with service migrated to other servers.’ Tor users should visit the download page and update ASAP.

Unfortunately for me, on one of my computers, along with the security upgrade there’s also a bit of TLS weirdness happening which keeps the Tor client from ever joining the network.  Good thing I’ve got other computers with alternative OSs on them that I can use for my anonymous work on the intertubes.


Upside to Google’s Adventures in China?

January 20, 2010

From the silver-lining dept and Slashdot: Here’s one possible outcome of Google’s recent spate of problems with the Chinese government: They’ve now decided to make HTTPS the default transport option for their Gmail service.

While this move didn’t get as much attention as all the other “big issue” stories, it is a minor victory of sorts for NGOs and activists whose activities might attract the attention of the Chinese government.  By making secure transmission the default, non-tech-savvy users no longer have to go through this to protect their communications.


Keystroke Loggers Are Back – This Time in Real Time

August 24, 2009

From Slashdot, the New York Times and the what’s-olde-is-new-dept: The NY Times has a story… on a weapon now being wielded by bad guys (most likely in Eastern Europe, according to the Times): Trojan horse keyloggers that report back in real-time. Real-time keyloggers were first discovered in the wild last year, but the …Times article should bring new attention to the threat.

So now that the Bad Guys™ are hoovering up your validation credentials in real-time (not “real” real-time, but faster than before), they’ve managed to break one particular implementation of a Two-Factor Authentication scheme.

Not bad, but the real threat is quite a bit less esoteric: continuous reporting of keystrokes gives miscreants a larger window of time in which to operate.  The dangers presented by keystroke loggers could be largely mitigated by using some not-so-common sense: keeping your computer clean and healthy, and maybe even switching to a minority operating system (while keeping your newly developed good habits), means that you’ve just eliminated a large majority of your security threats.

So you think getting people to “do the right thing” by their computers and data is impossible?  It wasn’t too long ago that people weren’t washing their hands before eating or preparing food, nor were they covering their mouths when they sneezed.

Good computer hygiene practices can be learned.  And understood.


Out of the Office: Simple Electronic Security and Practical Data Protection Workshops

February 3, 2009

From the what-you-don’t-know-can-hurt-you department: I’ve recently returned from presenting my third successful “Simple Electronic Security and Practical Data Protection” (SES & PDP) workshop in as many months: two abroad, and one here in Washington D.C.

Truly effective privacy protection and security strategies require more than “silver bullet” software, they require an understanding of the ecosystem in which they’re deployed and implemented.

That’s where these workshops come in: by helping you to understand how the different parts of the privacy and security food chain interact, you’re more likely to protect what’s valuable to you, in addition to feeling empowered and in control of your digital life.

Knowledge is power, and I love sharing it.  Drop me a line here for more information.

2009.03.16: I’ve just conducted two more workshops in the last month and have now decided to offer them as a short, free introductory seminar, and as a paid, hands-on workshop.   Go here to see how I can help you and your organization protect yourselves.


A Brief Hiatus from Blogging: Beta Testing VaultletSuite 2 Go, v2.8

February 3, 2009

From the at-least-they’re-not-chainsaws-we’re-juggling department: For those of you keeping score, it’s been a while since I’ve blogged on privacy or security issues.

That would be because we’re currently finishing up development and beta testing the latest version of the VaultletSuite 2 Go, v2.8.

Stay tuned for more “P” Word once v2.8 goes into production!


Double Plus Bad News for Digital Rights in the UK

October 16, 2008

From the when-it-rains-it-pours dept, LinuxWorld, and Slashdot: The Communications Data Bill (2008) will lead to the creation of a single, centralized database containing records of all e-mails sent, websites visited and mobile phones used by UK citizens.

On another front: “Defendants can’t deny police an encryption key because of fears the data it unlocks will incriminate them, a British appeals court has ruled.”

There’s so much woolly thinking here that I don’t know where to start, so I’ll just dive in.

With regards to the news on surveillance, not only is such legislation burdensome to ISPs, but the “monster under the bed”, I mean the terrorists, will easily work around such a feeble-minded idea.  Either that, or they’ll only catch the stupidest ones, whilst tossing everybody else’s privacy out the window.

With regards to passphrases and encryption keys, claiming that an encryption key is no different from a physical key is a stunning leap of logic.  While the kind you use to unlock your door can exist as an entity unto itself (separately and apart from its owner), an encryption key only exists in the mind of its user and can only be “discovered” via a communicative act.

If that’s the case, how then is revealing your encryption key passphrase not self-incriminating?

And who’s to prove otherwise when you say that you “don’t remember” when asked for it?


Skype Messages [Still] Monitored In China

October 6, 2008

From the New York Times and Slashdot: SAN FRANCISCO — A group of Canadian human-rights activists and computer security researchers has discovered a huge surveillance system in China that monitors and archives certain Internet text conversations that include politically charged words.

The system tracks text messages sent by customers of Tom-Skype, a joint venture between a Chinese wireless operator and eBay, the Web auctioneer that owns Skype, an online phone and text messaging service.

While Skype’s encryption has yet to be audited by third parties, at this point it almost doesn’t matter if it ever is. There’s a huge window of opportunity to eavesdrop on text chats and conversations before the content is ever encrypted (on the sender’s computer) or after it’s been decrypted (on the receiver’s computer).

This is yet another example of the oxymoron “business ethics” – some businesses will do anything to make a buck or to stay in their clients’ good graces.

What to do, and who to trust? Try going with an open source IM client using “Off the Record” encryption. Encrypting voice is a bit more involved, but not impossible (just in beta).

Although this isn’t the first time Skype has been taken to task for this type of behavior, hats off to CitizenLab for bringing this back into the spotlight!


Think Twice Before Crossing Borders with Your Valuable Information, Part II

August 15, 2008

From WashingtonPost: Federal agents may take a traveler’s laptop computer or other electronic device to an off-site location for an unspecified period of time without any suspicion of wrongdoing, as part of border search policies the Department of Homeland Security recently disclosed.

Also, officials may share copies of the laptop’s contents with other agencies and private entities for language translation, data decryption or other reasons, according to the policies, dated July 16 and issued by two DHS agencies, U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement.

It’s worth noting that the usual suspects (including the monster under the bed), are trotted out in defense of this policy declaration. In fact, I’d be surprised if they weren’t mentioned as justification.

Now you know: you have no right to privacy when crossing a U.S. border.  None. What to do? Don’t carry your company’s or your personal information with you on your electronic devices and make plans to access your data securely once you arrive at your destination.


Think Twice Before Crossing Borders with Your Valuable Information

February 11, 2008

From WashingtonPost and The Register: Maria Udy, a marketing executive with a global travel management firm in Bethesda, said her company laptop was seized by a federal agent as she was flying from Dulles International Airport to London in December 2006. Udy, a British citizen, said the agent told her he had “a security concern” with her. “I was basically given the option of handing over my laptop or not getting on that flight,” she said.

The seizure of electronics at U.S. borders has prompted protests from travelers who say they now weigh the risk of traveling with sensitive or personal information on their laptops, cameras or cellphones. In some cases, companies have altered their policies to require employees to safeguard corporate secrets by clearing laptop hard drives before international travel.

Despite the heartening news that passwords are protected by the 5th Amendment in the U.S., customs agents apparently haven’t heard about this precedent. Instead they have taken their original mandate to prevent the importation of contraband into the country and are now applying it to your data and the devices that hold it.

What to do before your next business trip or vacation? Encrypt and store your valuable data where you can access it from the internet once you get there, and/or create a hidden volume with TrueCrypt on your laptop. And don’t forget to support the Electronic Frontier Foundation’s request for clarity on this matter.


US drafting plan to allow government unfettered access to all internet communications

January 22, 2008

From Wall Street Journal & TheRawStory: Spychief Mike McConnell is drafting a plan “to protect America’s cyberspace” (WSJ’S wording) or “for cyberspace spying” (TheRawStory’s words) that will raise privacy issues and make the current debate over surveillance law look like “a walk in the park,” McConnell tells The New Yorker.

“This is going to be a goat rope on the Hill. My prediction is that we’re going to screw around with this until something horrendous happens.”

At issue, McConnell acknowledges, is that in order to accomplish his plan, the U.S. government must have the ability to read all the information crossing the Internet in the United States in order to protect it from abuse.

Whether this article is based upon a trial balloon or not is irrelevant – this sounds like a recipe for disaster.

Worst case: If this plan is approved and implemented, you can say goodbye to democratic dissent, private love letters, and the open and honest exchange of ideas, along with patient/doctor and client/attorney privilege. Filling the privacy vacuum you could find further politicization of government employment, balance sheets gone astray, abuses of power, businesses that can’t protect the privacy of their clients’ transactions, and the witch hunt of the week, just to name a few potential downsides to this power grab.

Best case: Individuals, businesses, non-profits, and academics, along with their congressional representatives from across the political spectrum, will see this straw man for what it is and quash it. But not without first having to deal with the two-headed false-dilemma tag team of “privacy vs. security” and the perpetually sanctimonious “if you’ve done nothing wrong, then you’ve nothing to fear” argument.

It appears reasonable to assert that if president Bush doesn’t use email for personal communications because he doesn’t want “you reading [his] personal stuff” then, all other high-minded and principled arguments aside, I’m equally justified in saying that neither do I want any government reading mine.

