How even key escrow won’t work for Cameron

January 22nd, 2015

How is Cameron going to ensure that law enforcement can read all communications? One way would be to provide systems with “back doors”, that is, to introduce intentional vulnerabilities. We all know that won’t work. Or rather, it will work much better than intended, if you get my drift.

Some, including Steve Gibson, maintain that it can in fact be done by having law enforcement (LE) maintain a secret, well-guarded key and mandating that every message sent include that key as an encryption target. That would allow LE to decrypt the message using the very carefully guarded secret key, if need be. All this without weakening the actual encryption mechanism.

The problem with this is that LE can’t know if everyone is following the law without actually trying to decrypt messages flying by. And to do that on a large scale by necessity implies that the “highly guarded” secret key must be available on a large number of systems, exposing it to compromise.

Even if we stipulate that there is some hitherto unknown mechanism that allows LE to verify that messages in fact include the LE destination without having the secret key available, they still can’t know if the encryption is valid until decryption is attempted. For instance, the encrypted symmetric key may be intentionally wrong. Or the encrypted message may contain another encrypted message which does not contain the LE-mandated item. And that, in turn, can only be discovered once you perform the actual decryption, which requires the “highly protected” government key.
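The argument above can be made concrete with a small model (an added example, not code from this post or from any real escrow proposal). The envelope layout, the function names, the textbook RSA over two fixed primes and the SHA-256 keystream are all assumptions chosen so that it runs with the standard library only; the recipient's own wrapped key is left out.

```python
import hashlib, hmac, secrets

# Toy stand-ins (assumptions, not production crypto): textbook RSA over two
# known Mersenne primes, and a SHA-256 keystream authenticated with HMAC.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
LE_N = P * Q                                # escrow public modulus
LE_D = pow(E, -1, (P - 1) * (Q - 1))        # escrow private exponent
WRAP_LEN = (LE_N.bit_length() + 7) // 8     # size of the wrapped-key field


def wrap_for_le(session_key: bytes) -> bytes:
    """Encrypt a 16-byte session key to the escrow public key."""
    m = int.from_bytes(session_key, "big")
    return pow(m, E, LE_N).to_bytes(WRAP_LEN, "big")


def _xor_stream(key: bytes, data: bytes) -> bytes:
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))


def seal(plaintext: bytes, honest: bool = True) -> dict:
    """Build an envelope; if not honest, the escrow field wraps an unrelated key."""
    key = secrets.token_bytes(16)
    body = _xor_stream(key, plaintext)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    escrowed = key if honest else secrets.token_bytes(16)
    return {"le_key": wrap_for_le(escrowed), "body": body, "tag": tag}


def looks_compliant(env: dict) -> bool:
    """Everything a checker WITHOUT the escrow private key can test: field shape."""
    field = env.get("le_key", b"")
    return len(field) == WRAP_LEN and 0 < int.from_bytes(field, "big") < LE_N


def le_open(env: dict):
    """Needs the private key; returns the plaintext, or None if the escrowed key is wrong."""
    m = pow(int.from_bytes(env["le_key"], "big"), LE_D, LE_N)
    key = m.to_bytes(WRAP_LEN, "big")[-16:]
    expected = hmac.new(key, env["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, env["tag"]):
        return None
    return _xor_stream(key, env["body"])
```

Both kinds of envelope pass `looks_compliant`; only `le_open`, which uses the private exponent, tells them apart, so every system that is supposed to verify compliance has to hold the escrow private key.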

In other words, it won’t work.

Polish chap builds computer into a mouse

January 21st, 2015

Heh…

Polish chap builds computer into a mouse • The Register

The UK wants to essentially ban all secure communications

January 13th, 2015

Soon coming to a government near you.

The UK wants to essentially ban all secure communications

The CSDP cert is dead

January 11th, 2015

I had the IEEE CSDP certification since 2005, but let it lapse in 2014, since it was a significant cost to maintain. With IEEE/CS membership and recertification every three years, it cost me around $200 per year for the pleasure of having those four letters after my name. (I also maintained an ACM membership, costing another $100 a year.) Hardly anyone ever asked me what those letters mean, and even fewer ever knew, I figure. In theory, it’s a significant certification that needs some significant experience and knowledge of general software development principles to achieve, but if no one is interested in that, it’s not worth paying for on an ongoing basis. So, as I said, I let it lapse. At the same time, I quit paying for membership in both IEEE/CS and ACM, since none of these have really, when you look at it critically, contributed to either customers or reputation.

Recently, IEEE let us know they’re abandoning the CSDP (and the somewhat related CSDA) certifications entirely. So I guess I wasn’t wrong then.

Well, I can always hug my CISSP cert for consolation; I’m not giving up that one. And the MD, of course. That’s a real safety blanket.

I’m gonna learn French…

January 10th, 2015

You can get it too, right here.

Kids, cartoons and animals

January 6th, 2015

Kids, cartoons and animals: Top 5 most bizarre anti-Semitic videos – Not Just News – Jerusalem Post

You have to get them while they’re young.

You cannot trust

January 4th, 2015

Caspar Bowden spoke at the 31c3 conference. Snippets:

I told my technology officers at Microsoft that if you sell cloud computing services to your own governments, this means that the NSA can do unlimited surveillance on that data. […] two months later they did fire me.

“Technology officers” represent Microsoft in their respective countries.

On the “FISA Amendment Act of 2008 (Sec 702)”:

This means if you are not American, you cannot trust U.S. software services!!

Exactly.

The US congress was laughing, laughing at the idea that you have privacy rights. That is the climate of the US privacy debate.

“You”, in that sentence, refers to non-US persons outside the US.

FISAAA offers zero protection to foreigners’ data in US clouds.

US is “exceptionally exceptional”: The number of references in surveillance law that discriminate by citizenship/nationality (NOT geography of communication path), per country:

US: 40, UK: zero, Germany: 1, Canada: 2, New Zealand: 2, Australia: 2. No others.

On whistleblowers:

We need to give them watertight asylum, and probably some incentives, some rewards. I actually proposed to the parliament [EU parliament] that the whistleblower should get 25% of any fines subsequently exacted.

Big applause from the audience…

How do people know politicians and officials aren’t influenced by fear of NSA spying in their own private life? […] this is highly corrosive to democracy!

Finally:

The thoughts that Edward Snowden has put in the minds of people cannot now be unthought.

What this all means, in practice, relating back to medical applications, is that we (Europeans) can’t use US software or services, which includes medical records such as EPIC, data analysis services such as IMS Health, data storage such as Amazon, Azure, iCloud, backup solutions (unless encrypted client side), or even US operating systems such as Android, iOS, OSX, Windows, a series of embedded OS, etc. At least not if we care about our patients’ right to privacy.

Why would anyone buy Google books…?

January 3rd, 2015

I just bought a book through Google Play, simply because the author chose to sell it there and on Kindle only. The Kindle book cost $62 yesterday ($50 today), the print book $47, and the Google Play version 300 SEK ($38). There’s no PDF version available.

But, all the pain…

Now I have to use an iPad to read the book. Or read it on the net, logged in to Google. Both experiences are less than great. The iPad app is laggy as hell, and the Google Books browser interface is unusual in its formatting, to put it mildly. But both are still better than what the Kindle experience would have been. So now I have GoodReader for most PDF books, Kindle for some, and Google Books for this single book. Great.

I bought the book for my company. The “receipt” Google sent me does not mention my name or my company name, breaking the accounting rules, so I can’t book it. It includes 25% VAT without specifying if that’s Swedish VAT or something else, so I can’t deduct it. The Google account settings don’t have any place where I can insert my Swedish VAT number, either.

In short, all this combines to make this book almost three times more expensive to me than it should have been. Or put differently: I could have bought three books for the same cost.

Oh, adding insult to injury, I had to register a Google Wallet to pay for the book, leaving my credit card info with Google for “future purchases”, which I sincerely hope I will never have to use. Yes, you can remove the card again in the wallet settings, which I did, but it should not have to be stored in the first place.

I wrote to Google customer service about this. I’m not holding my breath.

Please, people, don’t publish this way.

Apple upgrades really don’t work

December 20th, 2014

So the other day I tried upgrading my main work machine from Mavericks to Yosemite. Since we’re now at 10.10.1 I thought it might work. Not really. It took hours to install, hanging on the “4 minutes left” mark, but got through, finally. Then Mail wouldn’t work, freezing at the “updating mail database” (or something to that effect). Tried it multiple times.

This time I’d been smarter, having done the upgrade on a SuperDuper “sandbox” drive, so all I needed to do to revert was to reboot from the internal drive. Lucky for me that the “update” of the mail database hadn’t destroyed it. Worked fine on 10.9.5.

So I guess I’ll wait for 10.10.2 and try again then. Not that I think it will work.

Possible upcoming attempts to disable the Tor network

December 20th, 2014

Possible upcoming attempts to disable the Tor network | The Tor Blog: “The Tor Project has learned that there may be an attempt to incapacitate our network in the next few days through the seizure of specialized servers in the network called directory authorities.”

This is bad.