Interesting Interview With Ladar Levison of Lavabit
Old Article Comments
I exported these from my old WordPress blog, so they are a bit out of date, but I thought I’d keep them around for posterity.
[billjonesgeneralstore] - Reblogged this on You Better Watch Out.
Interesting Interview With Ladar Levison of Lavabit
An excellent and informative interview with the founder of the Lavabit email service, who was recently involved in a legal case with the FBI, which attempted to force him to hand over SSL encryption keys. This was of course the email service used by Edward Snowden, so it attracted a lot of attention. There’s some really interesting technical stuff in here, specifically about the value of perfect forward secrecy in HTTPS encryption, which he wasn’t using (with it, a disclosed server key cannot be used to decrypt previously recorded sessions), and about the many clever ways in which he protected his users’ data. A classic part was when, finally forced to reveal the SSL key protecting all 400,000 users’ data, he printed it out in 4 point font to hand to the FBI agents, and then, whilst they took the sealed envelope away, proceeded to completely shut down the service and his company, and encrypt all the data onto external hard drives. Brilliant stuff. http://www.youtube.com/watch?v=XTe0mT1611c
Google's Password Storage Database
Do you have an Android phone? Some interesting news I read this week was that an innocuous (on by default) setting on Android phones can save your Wi-Fi passwords on Google’s servers. It also backs up all your app settings, bookmarks and so on. This isn’t that worrying in itself - it could be considered a useful feature. However, the worrying thing is that these plain-text passwords aren’t encrypted using your account details - they are available in unencrypted form to Google employees. This includes the password to any Wi-Fi access point you’ve connected to - home, work, and so on. Seeing as Google have been harshly criticised in the past for collecting data about the locations of Wi-Fi access points, it seems a little foolish to trust them with unencrypted passwords to all these access points too. We already know they can be compelled to hand over this information to the security services. It just makes it a little too easy for it to be abused. They claim that turning off the feature will delete the data from their servers - but who knows whether that happens or not? I am getting more and more concerned about how much this one company knows about me. It gives them an awful lot of power. What if I want to save my app settings but not my Wi-Fi passwords? There is no option. It’s pretty much all or nothing. I shall be backing up my data myself from now on, I think…
Security Breaches From The Sands of Time
I found some interesting old news from back in 1999, which someone posted a link to in the SecurityNow newsgroups. I’ve recently started listening to this podcast - it’s a brilliant way to keep up with computer security news, and I feel a lot more informed since I started listening. http://www.heise.de/tp/artikel/5/5263/1.html http://www.heise.de/tp/artikel/2/2898/1.html The articles were to do with NSA backdoors in several pieces of software, Microsoft Windows and Lotus Notes. Both of these were verified back in 2009 by security researchers who reverse engineered the software. They traced inbuilt keys to the NSA, by virtue of the fact that they were called by the stealthy name, ‘NSAKEY’. This came out of some debugging symbols mistakenly left in Service Pack 5 for Windows NT. To some, this might be extremely old news (well, it was 14 years ago). However, it does show that at least then, Microsoft and Lotus (now owned by IBM) were willing and able to install backdoors for the NSA to snoop on their customers. If they were willing and able then - why not now? So the chances of there actually being backdoors in Windows and Notes today, given the revelations last week, are, I’d say, pretty high. Microsoft have had years to develop a reputation for poor security in their products, and have been desperately trying to regain people’s trust since the bad old days. I wonder if the coming revelations from the Snowden files may set them back again in winning their customers’ trust.