Archive for the ‘Cryptography’ Category

Tor Users Urged To Update After Security Breach

January 31, 2010

From the better-really-late-than-really-never dept. and Slashdot YRO: If you use Tor, you’re cautioned to update now due to a security breach. In a message on the Tor mailing list dated Jan 20, 2010, Tor developer Roger Dingledine outlines the issue and why you should upgrade to Tor 0.2.1.22 or 0.2.2.7-alpha now: ‘In early January we discovered that two of the seven directory authorities were compromised (moria1 and gabelmoo), along with metrics.torproject.org, a new server we’d recently set up to serve metrics data and graphs. The three servers have since been reinstalled with service migrated to other servers.’ Tor users should visit the download page and update ASAP.

Unfortunately for me on one of my computers, along with the security upgrade, there’s also a bit of TLS weirdness happening which keeps the Tor client from ever joining the network.  Good thing I’ve got other computers with alternative OSs on them that I can use for my anonymous work on the intertubes.

Upside to Google’s Adventures in China?

January 20, 2010

From the silver-lining dept and Slashdot: Here’s one possible outcome of Google’s recent spate of problems with the Chinese government: They’ve now decided to make HTTPS the default transport option for their Gmail service.

While this move didn’t get as much attention as all the other “big issue” stories, it is a minor victory of sorts for NGOs and activists whose activities might attract the attention of the Chinese government.  By making secure transmission the default, non-tech-savvy users no longer have to go through this to protect their communications.

Keystroke Loggers Are Back – This Time in Real Time

August 24, 2009

From Slashdot, the New York Times and the what’s-olde-is-new-dept: The NY Times has a story… on a weapon now being wielded by bad guys (most likely in Eastern Europe, according to the Times): Trojan horse keyloggers that report back in real-time. Real-time keyloggers were first discovered in the wild last year, but the …Times article should bring new attention to the threat.

So now that the Bad Guys™ are hoovering up your validation credentials in real-time (not “real” real-time, but faster than before), they’ve managed to break one particular implementation of a Two-Factor Authentication scheme.

Not bad, but the real threat is quite a bit less esoteric: continuous reporting of keystrokes gives miscreants a larger window of time to operate in.  The dangers presented by keystroke loggers could be largely mitigated by using some not-so-common sense: Keeping your computer clean and healthy and maybe even switching to a minority operating system (while keeping your newly developed good habits) means that you’ve just eliminated a large majority of your security threats.

So you think getting people to “do the right thing” by their computers and data is impossible?  It wasn’t too long ago that people weren’t washing their hands before eating or preparing food, nor were they covering their mouths when they sneezed.

Good computer hygiene practices can be learned.  And understood.

Out of the Office: Simple Electronic Security and Practical Data Protection Workshops

February 3, 2009

From the what-you-don’t-know-can-hurt-you department: I’ve recently returned from presenting my third successful “Simple Electronic Security and Practical Data Protection (SES & PDP)” workshop in as many months: two abroad, and one here in Washington D.C.

Truly effective privacy protection and security strategies require more than “silver bullet” software, they require an understanding of the ecosystem in which they’re deployed and implemented.

That’s where these workshops come in: by helping you to understand how the different parts of the privacy and security food chain interact, you’re more likely to protect what’s valuable to you, in addition to feeling empowered and in control of your digital life.

Knowledge is power, and I love sharing it.  Drop me a line here for more information.

2009.03.16: I’ve just conducted two more workshops in the last month and have now decided to offer them as a short, free introductory seminar, and as a paid, hands-on workshop.   Go here to see how I can help you and your organization protect yourselves.

A Brief Hiatus from Blogging: Beta Testing VaultletSuite 2 Go, v2.8

February 3, 2009

From the at-least-they’re-not-chainsaws-we’re-juggling department: For those of you keeping score, it’s been a while since I’ve blogged on privacy or security issues.

That would be because we’re currently finishing up development and beta testing the latest version of the VaultletSuite 2 Go, v2.8.

Stay tuned for more “P” Word once v2.8 goes into production!

Double Plus Bad News for Digital Rights in the UK

October 16, 2008

From the when-it-rains-it-pours dept, LinuxWorld, and Slashdot: The Communications Data Bill (2008) will lead to the creation of a single, centralized database containing records of all e-mails sent, websites visited and mobile phones used by UK citizens.

On another front: “Defendants can’t deny police an encryption key because of fears the data it unlocks will incriminate them, a British appeals court has ruled.”

There’s so much woolly thinking here that I don’t know where to start, so I’ll just dive in.

With regards to the news on surveillance, not only is such legislation burdensome to ISPs, but the “monster under the bed”, I mean the terrorists, will easily work around such a feeble-minded idea.  Either that, or they’ll only catch the stupidest ones, whilst tossing everybody else’s privacy out the window.

With regards to passphrases and encryption keys, claiming that an encryption key is no different from a physical key is a stunning leap of logic.  While the kind you use to unlock your door can exist as an entity unto itself (separately and apart from its owner), an encryption key only exists in the mind of its user and can only be “discovered” via a communication act.

If that’s the case, how then is revealing your encryption key passphrase not self-incriminating?

And who’s to prove otherwise when you say that you “don’t remember” when asked for it?

Skype Messages [Still] Monitored In China

October 6, 2008

From the New York Times and Slashdot: SAN FRANCISCO — A group of Canadian human-rights activists and computer security researchers has discovered a huge surveillance system in China that monitors and archives certain Internet text conversations that include politically charged words.

The system tracks text messages sent by customers of Tom-Skype, a joint venture between a Chinese wireless operator and eBay, the Web auctioneer that owns Skype, an online phone and text messaging service.

While Skype’s encryption has yet to be audited by 3rd parties, at this point it almost doesn’t matter if it ever is. There’s a huge window of opportunity to eavesdrop on text chats and conversations before the content is ever encrypted (on the sender’s computer) or after it’s been decrypted on the receiver’s computer.

This is yet another example of the oxymoron “business ethics” – some businesses will do anything to make a buck or to stay in their client’s good graces.

What to do, and who to trust? Try going with an open source IM client using “Off the Record” encryption. Encrypting voice is a bit more involved, but not impossible (just in beta).

Although this isn’t the first time Skype has been taken to task for this type of behavior, hats off to CitizenLab for bringing this back into the spotlight!
