Information Security & Occasional Forays Into Adjacent Realms
In a well-engineered screed, targeting both laptop and phone encryption modalities, Andrew Cunningham writing at Ars Technica's gadget section provides us with a tell-all discussion of how, in fact, to protect thyself from the evil that lurketh without. Today's Must Read.
Presented for your consideration - a 1997 paper entitled The Use of Encrypted, Coded and Secret Communications is an "Ancient Liberty" Protected by the United States Constitution, published by the University of Virginia Journal of Law and Technology]*.
John Fraser III the author of this superlative screed (now an attorney in Washington, DC) presents his fascinating argument on encryption, and the 'ancient right' to utilize cryptographic artifacts in the course of communications, protected, of course, by our nations' Constitution. Today's Must Read.
*Va. J.L. & Tech. 2 Fall 1997 1522-1687 / © 1997 Virginia Journal of Law and Technology Association
via Wired's Kim Zetter, comes reportage, detailing the proposed ban on bitwise munitions, in this case, the United State's attempts at the utilization of the Wassenaar Arrangement as a foundational source for all things bannable, particularly systems, code, applications, and research in the information security realm...
Evidently, certain interested parties missed that day in law school when the discussion turned to the prohibition of the export of PGP, and the jailing of Phil Zimmermann, including the miniscule effect that effort had on the acquisition of the bits by parties unknown... History - apparently - does offer a repeatable repast.
Certainly an eponymous panel of cryptographic scientists, inclusive of Paul Kocher (Moderator) , Adi Shamir, Whitfield Diffie, Ed Giorgio, Ronald Rivest holding forth, as it were...
Good news for TrueCrypt, via the inimitable Dan Goodin, writing at Ars Technica, of the apparent clean bill of cryptographic health, as it were...
"The TL;DR is that based on this audit, TrueCrypt appears to be a relatively well-designed piece of crypto software," Matt Green, a Johns Hopkins University professor specializing in cryptography and an audit organizer, wrote in a blog post accompanying Thursday's report. "The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances." via Dan Goodin at Ars Technica
News (on April 2, 2015), of the Mozilla Foundation's Firefox, Google Inc.'s (NasdaqGS: GOOG) Chrome, Google Inc.'s Android and Norways' Opera Software ASA's Opera browser tunneling plugin HTTPS Everywhere Version 5, of which, has been released by the Electronic Frontier Foundation (EFF).
While we do applaud (and support, and you should too) the EFF in the organizations' effort to provide secure tunneling to the world (one plugin at a time), there is always the concern of governmental, corporate and institutional users sitting behind proxies with in-built MITM surveillance capabilities, similar to the Stanford MITM model...
News, via iMore's Rene Ritchie, of the latest attack vector on iOS - monikered FREAK (aka "Factoring RSA Export Keys"). Plans to rub-it-out early next week, in the midst of Apple Inc.'s (NasdaqGS: AAPL) latest iOS update process have been published. Better late than never, eh?
Meanwhile, in Blatant Stupidity news, ArsTechnica's Dan Goodin writes of the latest Uber mistep. This time, Uber decided to store an encrypted database's PRIVATE KEY (anecdotally, the DB contained sensitive data for at least fifty thousand of the company's drivers) on a GitHub public page. Apparently, there may have been a wee bit of confusion as to what a PRIVATE KEY is, in relation to a PUBLIC KEY within Uber's apaprently crack IT department... Oops.
In which, we are enthralled by Le Bon Professeur Jules Verne. Via a typically superb post - crafted by Nick Pelling at his Tremendous Cipher Mysteries site; further, by way of a fascinating article in the United States Army Signal Corps Bulletin of April to June 1940 detailing Monsieur Verne's prediliction for both transpositional and Vigenère ciphers. Outstanding.
More IPV6 myths exposed by ISOC's Deploy360 Director Chris Grundemann. This time focusing on the myth that IPv6 is too new to be attacked. Today's MustRead!
Well now, this is good news [of coursepurely dependent upon where your place is within the transaction, and future issues of both key management and governance related challenges] as Box has commenced with provisioning customers with their encryption keys. Gotta admire the transfer of risk in this action, all under the guide of enterprise key management...
'Today, Box says it has a new product that gets the job done. Called “Enterprise Key Management (EKM),” the service puts encryption keys inside a customer’s own data center and in a special security module stored in an Amazon data center. The Box service still must access customer’s data in order to enable sharing and collaboration, but EKM makes sure that only happens when the customer wants it to, Box says.' ArsTechnica's Jon Brodkin
In an astonishing turn of luck, Alan Turing's Banbury Notes have turned up as roof insulation, at Beltchley Park's Hut 6. Reportedly, the notes were discovered during the renovation of the Hut in 2013.
Astoundingly, myths still arise in this epoch of science, strangely so, when dealing with new technologies [Read: new means new in the final two years of the last century as IPv4 was originally codified by the IETF in 1981, with the acceptance of RFC 791] - in this case the vaunted move to IPv6. Now, arising from the ashes of IPv4 exhaustion hysteria, comes a current popular myth surrounds the utilization NATs in IPv4 and the lack of a counterpart construct in IPv6.
Dr. Michael Geist (Law Professor at the University of Ottawa, and the current holder of the Canada Research Chair in Internet and E-commerce Law) holds forth on current cloud cogitation up north (at least within the data confines of the Government of Canada / Gouvernement du Canada).
An End-to-End Encrypted Secret, that is...