March 15th, 2015
New Zealand Used NSA System to Target Officials, Anti-Corruption Campaigner – The Intercept:
Analysts from Government Communications Security Bureau, or GCSB, programmed the Internet spy system XKEYSCORE to intercept documents authored by the closest aides and confidants of the prime minister on the tiny Solomon Islands. The agency also entered keywords into the system so that it would intercept documents containing references to the Solomons’ leading anti-corruption activist, who is known for publishing government leaks on his website.
March 11th, 2015
The CIA Campaign to Steal Apple’s Secrets:
A few months after Comey’s remarks, Robert Litt, the general counsel for the Office of the Director of National Intelligence, also appeared at Brookings. “One of the many ways in which Snowden’s leaks have damaged our national security is by driving a wedge between the government and providers and technology companies, so that some companies that formerly recognized that protecting our nation was a valuable and important public service now feel compelled to stand in opposition,” Litt said. He appealed to corporations to embrace “a solution that does not compromise the integrity of encryption technology but that enables both encryption to protect privacy and decryption under lawful authority to protect national security.”
(Via The Intercept)
The official line seems to be that it’s ok for the US government to break any law or constitution it pleases as long as the public doesn’t know. It’s not the government’s fault for breaking the law, it’s Snowden’s fault for letting us know.
The governments (all of them) tried to drive a wedge between the tech companies and the users but failed, at least a little bit. Litt turns this narrative around and claims that Snowden’s revelations are driving a wedge between the tech companies and the government. No, it’s the acts of the governments that are driving a wedge between themselves and the rest of us, tech companies, providers, and the public alike.
The pure gall is breathtaking.
Do read the article. There’s a lot of worrying stuff in there, including the attempt to subvert the Xcode tool chain in order to build malware into other developers’ executables.
February 7th, 2015
My Angry Posts | Spaf’s Thoughts: “What angers me is that people are willing to endanger others — including her and the rest of my family — because of paranoia and willful stupidity. If it was only them, natural selection would help take care of the problem, but they pose a danger to me and my family, too by rejecting standard vaccination.”
February 7th, 2015
It really gets my goat to see a foreword to a book be titled “Forward”. It’s so disturbing, in fact, that I have a difficult time getting over it. This latest example is from an otherwise pretty professionally produced ebook.
January 22nd, 2015
How is Cameron going to ensure that law enforcement can read all communications? One way would be to provide systems with “back doors”: introducing intentional vulnerabilities. We all know that won’t work. Or rather, it will work much better than intended, if you get my drift.
Some, including Steve Gibson, maintain that it can in fact be done by having law enforcement maintain a secret, well-guarded key and mandating that all messages sent include that encryption target in every message. That would allow LE to decrypt any message using a very carefully guarded secret key, if need be. All this without weakening the actual encryption mechanism.
The problem with this is that LE can’t know if everyone is following the law without actually trying to decrypt messages flying by. And to do that on a large scale by necessity implies that the “highly guarded” secret key must be available on a large number of systems, exposing it to compromise.
Even if we stipulate that there is some, hitherto unknown, mechanism that allows LE to verify that messages in fact include the LE destination without having the secret key available, they still can’t know if the encryption is valid until decryption is attempted. For instance, the encrypted symmetric key may be intentionally wrong. Or, the encrypted message may contain another encrypted message which does not contain the LE-mandated item. And that, in turn, can only be discovered once you perform the actual decryption, which requires the “highly protected” government key.
In other words, it won’t work.
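To make the argument above concrete, here is an added toy model of the scheme (my own illustration, not code from Gibson or anyone else). A message is hybrid-encrypted to its recipient, and a second copy of the session key is wrapped to an escrow public key, as the proposal mandates. An inspector who has only the public key can check that the escrow slot is present and well-formed, but that check passes equally for a message whose escrow slot holds a random key. Only full decryption with the escrow secret reveals the difference. The group parameters, key sizes and stream cipher are deliberately tiny and insecure so the example runs with the standard library alone; they are assumptions of the illustration, not part of any real proposal.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group: a Mersenne prime and a fixed base.  Illustrative only;
# not a real-world key size and not a safe choice of parameters.
P = 2**127 - 1
G = 3


def keygen():
    """Return (private, public) for the escrow holder or any recipient."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def kdf(shared: int) -> bytes:
    """Derive a 32-byte wrapping key from a shared group element (fits in 16 bytes)."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_cipher(key: bytes, data: bytes) -> bytes:
    """Encrypt/decrypt by XOR with a SHA-256 counter keystream (toy, unauthenticated)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += xor(data[i:i + 32], block)
    return bytes(out)


def wrap(session_key: bytes, pub: int):
    """Wrap a 32-byte session key to a public key: (ephemeral public, masked key)."""
    r, ephemeral_pub = keygen()
    return ephemeral_pub, xor(session_key, kdf(pow(pub, r, P)))


def unwrap(wrapped, priv: int) -> bytes:
    ephemeral_pub, masked = wrapped
    return xor(masked, kdf(pow(ephemeral_pub, priv, P)))


def seal(plaintext: bytes, rec_pub: int, esc_pub: int, honest_escrow: bool = True) -> dict:
    """Encrypt to the recipient and attach the mandated escrow copy of the session key.
    With honest_escrow=False the escrow slot is filled with a random key instead."""
    k = secrets.token_bytes(32)
    ct = stream_cipher(k, plaintext)
    escrow_key = k if honest_escrow else secrets.token_bytes(32)
    return {
        "to_recipient": wrap(k, rec_pub),
        "to_escrow": wrap(escrow_key, esc_pub),
        "ct": ct,
        # Tag lets whoever holds k confirm it really is the key for this ciphertext.
        "tag": hashlib.sha256(k + ct).digest(),
    }


def passes_inspection_without_key(msg: dict) -> bool:
    """All an inspector without the escrow secret can verify: the slot is present and well-formed."""
    ephemeral_pub, masked = msg["to_escrow"]
    return 1 <= ephemeral_pub < P and len(masked) == 32 and len(msg["tag"]) == 32


def escrow_recovers(msg: dict, esc_priv: int):
    """Full decryption with the escrow secret; returns plaintext, or None if the copy was bogus."""
    k = unwrap(msg["to_escrow"], esc_priv)
    if hashlib.sha256(k + msg["ct"]).digest() != msg["tag"]:
        return None
    return stream_cipher(k, msg["ct"])


def demo() -> dict:
    """Compare an honest message with one whose escrow slot holds a wrong key."""
    rec_priv, rec_pub = keygen()
    esc_priv, esc_pub = keygen()
    text = b"constructed sample message"  # constructed input
    honest = seal(text, rec_pub, esc_pub, honest_escrow=True)
    bogus = seal(text, rec_pub, esc_pub, honest_escrow=False)
    return {
        # The intended recipient reads both messages normally.
        "recipient_reads_both": all(
            stream_cipher(unwrap(m["to_recipient"], rec_priv), m["ct"]) == text
            for m in (honest, bogus)
        ),
        # Without the secret, both look compliant.
        "inspector_accepts_both": passes_inspection_without_key(honest)
        and passes_inspection_without_key(bogus),
        # Only decryption with the guarded secret tells them apart.
        "escrow_reads_honest": escrow_recovers(honest, esc_priv) == text,
        "escrow_reads_bogus": escrow_recovers(bogus, esc_priv) == text,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of `passes_inspection_without_key` is that it is the strongest check available to anyone who does not hold the escrow secret: it returns True for both messages. Checking compliance at scale therefore means calling `escrow_recovers`, which needs the secret on every inspecting system, which is exactly the exposure the post describes.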
January 11th, 2015
I had the IEEE CSDP certification since 2005, but let it lapse in 2014, since it was a significant cost to maintain. With IEEE/CS membership and recertification every three years, it cost me around $200 per year for the pleasure of having those four letters after my name. (I also maintained an ACM membership, costing another $100 a year.) Hardly anyone ever asked me what those letters mean, and even fewer ever knew, I figure. In theory, it’s a significant certification that needs some significant experience and knowledge of general software development principles to achieve, but if no one is interested in that, it’s not worth paying for on an ongoing basis. So, as I said, I let it lapse. At the same time, I quit paying for membership in both IEEE/CS and ACM, since none of these have really, when you look at it critically, contributed to either customers or reputation.
Recently, IEEE let us know they’re abandoning the CSDP (and the somewhat related CSDA) certifications entirely. So I guess I wasn’t wrong then.
Well, I can always hug my CISSP cert for consolation; I’m not giving up that one. And the MD, of course. That’s a real safety blanket.
January 10th, 2015
You can get it too, right here.