ENTRIES TAGGED "encryption"

Big data and privacy: an uneasy face-off for government to face

MIT workshop kicks off Obama campaign on privacy

Thrust into controversy by Edward Snowden’s first revelations last year, President Obama belatedly welcomed a “conversation” about privacy. As cynical as you may feel about US spying, that conversation with the federal government has now begun. In particular, the first of three public workshops took place Monday at MIT.

Given the locale, a focus on the technical aspects of privacy was appropriate for this discussion. Speakers cheered about the value of data (invoking the “big data” buzzword often), delineated the trade-offs between accumulating useful data and preserving privacy, and introduced technologies that could analyze encrypted data without revealing facts about individuals. Two more workshops will be held in other cities, one focusing on ethics and the other on law.


The RSA/NSA controversy concerns you!

This controversy impacts everyone (and here's what we can do about it)

As a cyber security author and CEO of a security consulting company, I was personally shocked by the RSA’s attitude about the alleged secret payments it received from the NSA as well as its willingness to weaken its BSAFE product; especially after the weakness became public in 2006. I was even more shocked by the lack of outrage shown by many security bloggers, analysts, and security company executives.

The speaker-in-protest count has reached 13 speakers who have canceled talks they were scheduled to give at the RSA Conference (RSAC) next week, first and most notably, Mikko Hypponen, who published this open letter. A few outraged others have also spoken out about their decision to cancel their talks, including Dave Kearns and, via Twitter, Adam Langley and Josh Thomas.


Adobe’s Breach Widens

When will Adobe disclose the full extent of its breach to users?

Over the last week, the analysis of the Adobe breach has gotten more interesting.

The actual file itself has been available via BitTorrent. I found a torrent file and looked through it myself. If you’re interested, note that the torrent gets you a 4+GB zip of the actual 10GB of text.

Paul Ducklin at Sophos has published a very good analysis of the contents of that file. The summary is that each record has an account number, an account name, an email address, the encrypted password, and the person’s password hint.


Security After the Death of Trust

Not just paying attention, but starting over

Security has to reboot. What has passed for strong security until now is going to be considered only casual security going forward. As I put it last week, the damage that has become visible over the past few months means that “we need to start planning for a computing world with minimal trust.”

So what are our options? I’m not sure if this ordering goes precisely from worst to best, but today this order seems sensible.

Stay the Course

This situation may not be that bad, right?


After the NSA Subverted Security Standards

Is protecting open processes possible?

I was somewhat surprised, despite my paranoia, by the extent of NSA data collection. I was very surprised, though, to find the New York Times reporting that NSA seems to have eased its data collection challenge by weakening security standards generally:

Simultaneously, the N.S.A. has been deliberately weakening the international encryption standards adopted by developers. One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies,” the most common encryption method.

Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology and later by the International Organization for Standardization, which has 163 countries as members.

Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.”

The Guardian tells a similar story. It’s not just commercial software, where the path seemed direct, but open standards and software where it seems like it should have been harder.

I was very happy to wake up to a piece from the IETF emphasizing their commitment to strengthening security. There’s one problem, though, in its claim that:

IETF participants want to build secure and deployable systems for all Internet users

Last week’s revelations make it sadly clear that not all IETF participants are excited about creating genuinely secure systems.

Four short links: 18 July 2013

Rules of the Internet, Bigness of the Data, Wifi ADCs, and Google Flirts with Client-Side Encryption

  1. Ten Rules of the Internet (Anil Dash) — they’re all candidates for becoming “Dash’s Law”. I like this one the most: When a company or industry is facing changes to its business due to technology, it will argue against the need for change based on the moral importance of its work, rather than trying to understand the social underpinnings.
  2. Data Storage by Vertical (Quartz) — The US alone is home to 898 exabytes (1 EB = 1 billion gigabytes)—nearly a third of the global total. By contrast, Western Europe has 19% and China has 13%. Legally, much of that data itself is property of the consumers or companies who generate it, and licensed to companies that are responsible for it. And in the US—a digital universe of 898 exabytes (1 EB = 1 billion gigabytes)—companies have some kind of liability or responsibility for 77% of all that data.
  3. x-OSC — a wireless I/O board that provides just about any software with access to 32 high-performance analogue/digital channels via OSC messages over WiFi. There is no user-programmable firmware and no software or drivers to install, making x-OSC immediately compatible with any WiFi-enabled platform. All internal settings can be adjusted using any web browser.
  4. Google Experimenting with Encrypting Google Drive (CNet) — If that’s the case, a government agency serving a search warrant or subpoena on Google would be unable to obtain the unencrypted plain text of customer files. But the government might be able to convince a judge to grant a wiretap order, forcing Google to intercept and divulge the user’s login information the next time the user types it in. Advertising depends on the service provider being able to read your data. Either your Drive’s contents aren’t valuable to Google advertising, or it won’t be a host-resistant encryption process.

Four short links: 8 October 2009

DIY Baby Rocker, Unix Systems Glory, Encrypting Ephemera, and Explaining Creative Joy

  1. Linux Baby Rocker — inventive use of a CD drive and the eject command … (via Hacker News)
  2. I Like Unicorn Because It’s Unix — forceful rant about the need to rediscover Unix systems programming. Reminds me of the Varnish notes where the author explains that it works better because it uses the operating system instead of recreating it poorly.
  3. Encrypting Ephemeral Storage and EBS Volumes on Amazon — step-by-step instructions. (via Matt Biddulph on Delicious)
  4. You Have No Life — if a video smacks even slightly of concentrated effort or advance planning, someone will inevitably scoff that the subject has a) “too much time on his hands” or b) “no life.” Ten times out of ten. [...] After six years I lack a succinct, meaningful response to my students’ defensive, clannish embrace of mediocrity, though I’m grateful for this tweet, which comes pretty close: dwineman: You say “looks like somebody has too much time on their hands” but all I hear is “I’m sad because I don’t know what creativity feels like.”

Four short links: 23 July 2009

Wave Fed, Fake Steve, Vanish and Reconnoiter

  1. Google Wave Federation Protocol — the interesting part of Wave for me is the system for keeping databases coherent. There’s a reference implementation.
  2. I shouldn’t have yelled at that Chinese guy so much — the post that redeemed Fake Steve Jobs in my eyes. We all know that there’s no fucking way in the world we should have microwave ovens and refrigerators and TV sets and everything else at the prices we’re paying for them. There’s no way we get all this stuff and everything is done fair and square and everyone gets treated right. No way. And don’t be confused — what we’re talking about here is our way of life. Our standard of living. You want to “fix things in China,” well, it’s gonna cost you. Because everything you own, it’s all done on the backs of millions of poor people whose lives are so awful you can’t even begin to imagine them, people who will do anything to get a life that is a tiny bit better than the shitty one they were born into, people who get exploited and treated like shit and, in the worst of all cases, pay with their lives.
  3. Vanish — time-limited encryption in a Firefox plugin.
  4. Reconnoiter — holy cow web console and analytics for data centers, from the magic Theo Schlossnagle. He built the screenshots for his OSCON presentation, graphing streams of live performance data from dozens of data centers, while on a Virgin America flight.

Dramatic Increase in Number of Tor Clients from Iran: Interview with Tor Project and the EFF

The Tor Project produces an anonymous proxy service that allows users to evade surveillance. In this interview, Andrew Lewman talks about the Tor Project and discusses some statistics that show its increased use from within Iran. This article also includes some questions and answers with the EFF about the legal implications of running an open proxy server.