thewayne: (Cyranose)
The good news is that a non-technical jury found that Google's use of Java to create Android was not infringing. Oracle has been suing Google over this for years and the jury came back after three days of deliberation and said Google was OK with what they did. Considering that Sun, who was bought out by Oracle, also thought it was OK even though Sun didn't like it, probably was a key factor.

Revealed in the testimony was that Oracle tried to develop their own phone using Java and couldn't.

I'm not a huge fan of Google. Yes, their products are pretty good, and I use their search engine, maps, and Gmail regularly. It's their original 'Don't be evil' mantra that bugs me because they monetize everything. Now, a business has to make money to survive in business, but why couldn't they be more upfront about it?

The basic standard is that if you're not paying for a service, then YOU (and your information) is the product being sold.

Oracle is, of course, going to appeal the verdict. Had Google lost, it is rumored that they could ask for as much as $9 BILLION dollars, insert your best Dr. Evil voice as needed.

The bad news concerns Apple. Amongst the many lawsuits against it at any given time was one from VirnetX that claimed that Apple was infringing against its patents with its Facetime and iMessage apps. Yesterday they lost the case. VirnetX is a patent troll: they buy lots of patents, wait for a product that is vaguely similar to be successful the go crying to the East Texas courts. VirnetX claims that Apple has done irreparable harm to its brand, even though they've never produced a product and no one has heard of them outside of the patent troll game.

So Apple may have to cough up a heck of a lot of money, or possibly turn off iMessages and Facetime, which would suck in a major way and probably FINALLY! get the attention of Congress and the need for patent reform.

Me, personally, I don't use Facetime but I can appreciate the product. I use iMessages regularly, and I love the fact that my texts, which are all so sexy and top secret, are very strongly encrypted and my cell carrier can't see them since they're shunted through Apple's servers. So I would hate to see them go.

Apple is, naturally, going to appeal the decision.


Apple just hired the co-founder of Silent Circle, Blackphone, and PGP Corp. Jon Callas is an expert when it comes to encrypted communications, so presumably he's going to beef-up Apple crypto and possibly revamp iMessages and Facetime so they're even more secure and perhaps no longer infringe on VirnetX's patents.
thewayne: (Cyranose)
PGP stands for Pretty Good Privacy, a VERY strong crypto system that gives excellent end-to-end encryption for email users. It has been released to security researchers to poke at it to find flaws, it's not yet available to the general public but will be in the form of browser add-ins.

On the plus side: industry-standard and publicly-examined crypto. This should do an excellent job of preventing anyone from reading your email except for the intended recipient. On the down side: it can be slightly clunky to use, though the Gmail integration should make key exchanges more smooth.

In brief, this is how PGP works. The software generates a gobsmackingly-huge prime number and creates two crypto keys, a public one and a private one. You don't need to be concerned about the content of the key because it's just a huge hexadecimal mess. Let's say that you and I want to exchange email, and we've both implemented PGP. Let's call my private key A1 and my public key A2, your private key is Z1 and your public key is Z2. We give our public keys to anyone with whom we want to exchange email, but we jealously guard our private keys. When I want to send you an email, the message is encrypted on my end using A1+Z2, you decrypt it using Z1+A2. At a basic level, that's all there is to it. The software handles combining the keys and encrypting or decrypting the message, it also handles key exchanges. The thing that you have to watch out for is if you ever lose your private key, you have to notify everyone that your key was compromised, your friends delete your public key from their systems, and then you generate a new pair of keys and redistribute your public key.

Which brings up a third negative: you can't use email on a public computer without importing your key in to that system, with potential security risks if that computer has already been compromised. A lot of people store their keys on USB drives which they try to never let out of their personal control. Another negative is that if you're sending big attachments in email, it can take some time for big files to have the crypto applied/removed.

Google is doing a definitely good thing here, opening up the code to the public for review by experts, and at some cost to them: they cannot read the encrypted messages, so they can't do keyword searches and targeted advertising.
thewayne: (Cyranose)
A little bit about open source software. The open source development model says that anyone who has the coding skills can contribute to big, complicated, programming projects. Anyone. As lone as your code is good, runs, and does what it's supposed to do, you are in. This is the model that gave us linux, which is the underpinning of a vast majority of servers on the internet and World Wide Web.

The issue, of course, is that it's conceivable that someone with nefarious intent could insert dodgy code that passes superficial inspection and that someone then has in-place a vulnerability, exploit, back door, whatever.

TrueCrypt is a disk encryption product that encrypts your entire drive, AKA whole disk encryption. Your computer won't boot unless you enter a password on powerup. You can remove the hard drive from the computer, and the whole thing is still encrypted. You can also create hidden 'shadow' volumes that are hidden from normal view: basically you can have multiple encrypted virtual hard drives on your system and they appear invisible, so if you're forced to give up your crypto key, such as by the UK gov't officials or someone using rubber hose decryption (they beat you with a rubber hose until you give up your crypto key), they theoretically won't find the hidden encrypted volume.

This is a great feature for foreign reporters or human rights workers.

The issue is that TrueCrypt is an open source software project, and in the post-Snowden world, it's possible that it was compromised a long time ago by the NSA or its proxies. So an audit was launched: examine every line of code for correctness, lack of vulnerability, and strength of its encryption. The first phase has been completed: the code appears correct and free of vulnerabilities. Now they're examining the strength of the encryption and the pseudo-random number generator (PRNG).

PRNGs are programs/algorithms that provide random numbers to encryption systems, and surprisingly, it's not easy to generate random numbers. One of my favorite PRNGs was a project run, IIRC, by UC Berkeley where they had two lava lamps going and a web cam pointed at them and doing integrations to provide pseudo-random numbers. I have no idea if the project is still running. The problem is, if the PRNG in a piece of crypto software is not sufficiently random or can be predicted, then the strength of the encryption is pretty much zero. It might be strong against common criminals, but it'll fall to supercomputers.

So now they're examining the encryption and the PRNG, which will tell us if the software is really good. As it stands, Bruce Schneier thinks its good enough to continue using.

(As a side note, most of the modern operating systems have built-in disk encryption. The problem is that they have weaknesses. Apple's encryption, for example, has a recovery key built-in for the boot partition, so if your entire drive is one partition, you're not as secure as you thought. I don't know much about how strong Microsoft's full disk encryption is or what known weaknesses there are, I don't keep up on their products as much as I probably should. The advantage of using a third-party crypto package like TrueCrypt is that you won't have a vulnerability like this, assuming it passes the audit, which I'm pretty confident on. The disadvantage is that if you lose your primary encryption key, there's nothing the OS vendor can do, all your contents are gone.)
thewayne: (Cyranose)
This is pretty funny, actually. Lavabit is a secure email provider: the only people with your crypto keys is you with your public and private keys and the recipient with their public and private keys. The way that this encryption works is that everyone gives their public key to anyone who wants it, but keeps their private key a closely-guarded secret. If I want to send you an email, I get your public key and encrypt the message with YOUR PUBLIC key and MY PRIVATE key. When you receive the email, you decrypt it with MY PUBLIC key and YOUR PRIVATE key. This is an automatic process controlled by the software, and it's almost impossible to crack. And don't ask me how it works, it has to do with generating huge prime numbers, but this is how it works in a nutshell. In fact, it is considered utterly secure and unbreakable: basically with sufficiently large keys, which are easy to generate, it would take computer power running until pretty much our sun goes nova to crack it. I never know your private key, the private key is never transmitted across the internet, so unless you machine is compromised with malware, you're pretty darn secure.

That's how Lavabit worked. Apparently the FBI was on to Snowden before he fled the country and they served Lavabit with a subpoena for all of their crypto keys so they could read this email. Lavabit had no choice but to comply, so they did. They provided the FBI with five SSL keys, each of which are 2,560 characters.

They printed them. In four-point type. Eleven pages of extremely small gibberish. And if you get one character wrong, the key is invalid and can't be used to decrypt messages.

The court was not amused and two months later demanded that he hand over the crypto keys in digital form. That was the day that Lavabit announced that it was shutting down, because once the keys were surrendered, the communications of their customers would no longer be secure.

I think what they did was absolutely brilliant. I'm also sure that the FBI will amend their information demands to state " DIGITAL form." The article has a sample page of what they keys look like that were given to the FBI.
thewayne: (Cyranose)
They're applying strong crypto and logging to the voice stack, not much detail as to whether the data on the phone is encrypted which I think would be fairly trivial. They're also discussion about Germany encrypting other smart phone OS's. It'd be cool if the software were released to the public, but that'd totally screw law enforcement and CALEA.
thewayne: (Default)
The Feds were able to decrypt her laptop, it's not known if her co-defendant ex-husband might have given them the password or if one that she previously gave them finally worked. Regardless, the timing is a little suspect.
thewayne: (Default)
Her attorney said that it wasn't clear to him if she installed the software herself. She has not yet declared this in court, so the prosecution hasn't announced any plans to deal with this yet.

I wouldn't think it would be hard to compel her to provide a list of possible passwords then run permutations of those against the encrypted image. But you run in to the easy bypass of providing them with a list of reasonable yet wrong passwords that stand zero chance of decrypting the drive.

I'm also curious if the prosecution and investigating law enforcement agency followed procedure and are doing their forensic examination from a cloned image of the drive and not messing with the drive itself, otherwise they open an argument for the defense that their messing with the computer has corrupted the drive and it cannot be decrypted. They probably did, but cases have been lost before where investigating authorities haven't followed correct procedure.
thewayne: (Default)
Said defendant is accused of bank fraud and used PGP to encrypt her entire laptop hard drive. Apparently the prosecutors don't have much of a case without the contents of said hard drive. And now the judge has given her until 2/21 to produce an unlocked hard drive. And, as a marvelous kicker, "The judge added that the government is precluded “from using Ms. Fricosu’s act of production of the unencrypted hard drive against her in any prosecution.”"

She unsuccessfully argued that this was a case of compelled self-incrimination.
thewayne: (Default)
DNS, the Domain Name System, is a database lookup that translates a domain name entered into a browser or other program into an IP address. You type, DNS does a lookup and finds that Google's IP address is Simplifies things all around.

Usually your default DNS provider is configured by your ISP which looks upstream to heftier DNS servers for their information. You can configure your computer to use any DNS server that you like, but you could be potentially violating terms of service of your ISP or the other server.

The problem is that the DNS lookup process happens in plain text, meaning that you are potentially vulnerable to man-in-the-middle snooping and possible alteration. There have been a lot of effort over the last couple of years to make DNS more secure, including encryption. And now an encrypted DNS system is available!

The DNS service provider OpenDNS is providing encrypted lookups to its DNS servers for Mac clients. A Windows version is promised, and since the source code is available on GitHub, I'm sure a *nix version will be available soon.
thewayne: (Default)
"AT&T is adopting technology that gives a person with an Android device two user profiles, enabling company email and other data to reside in an encrypted partition separate from a user's apps, games and unfettered web browsing. AT&T is calling the feature Toggle, and plans to release it later this year. Toggle is a regular app that, once installed, creates its own encrypted desktop under the control of company IT bosses. Toggle is a rebranding of an app developed by startup Enterproid, which continues to develop its own version. AT&T think this move will encourage smartphone adoption in the enterprise. Interestingly, Apple's current version of iOS and app guidelines exclude multiple profiles on one device."

I can see this as a good move that will help the phone be increasingly adopted in business, but what they need to do is extend this encryption to the entire phone! People are realizing that we're now functionally carrying our entire life in our pocket or purse: photos, contacts, personal and private information, etc., and that can be a real problem if lost. I've carried a PDA for close to 20 years now, and I've been cognizant of this and kept the important stuff in encrypted files. A lot of information was still vulnerable, but at least the most important stuff was affected.

But now in California, Michigan, and other states, you can get your phone sucked dry by the cops during a routine traffic stop. So this really needs to be extended throughout the phone.

One thing that I find interesting is in relation to my current employer. Currently Blackberry's are the standard data phone. I was speaking to one of my fellow IT drones and he said that policies were being put in place so that people with iPhones and Microsoft phones can have them connected to the enterprise. Conspicuously absent from the list? Android phones. The problem viewed from a security perspective is that the operating system is forked for just about every manufacturer and almost every phone. They have different screen dimensions, different keyboards, different feature sets, and this requires customizations and extensions to the operating system. And in doing so, increases the chance for exploits. This is a case where monolithic control over the code base can be an advantage.

Overall, I agree with the Free/Open Source concept of many eyes makes problems visible and easy to fix, but this works in both directions, for good guys and bad guys. And the bad guys are very highly motivated, there's a lot more money for them to find and sell an exploit than there is for the good guys. And this is a problem for the overall Android code base: Maker X finds a significant bug that can lead to an exploit in their code, so they fix it. They may or may not notify other Makers because that bug may or may not exist in their code base. And they can report the bug to Google's Android team, but THEY CANNOT directly patch the fix back in to the base code tree! Most F/OSS projects you can either directly patch the code or submit a patch for review to the code maintainers, unless Google has changed this policy since I first heard of it, its a lot harder to get these patches submitted to them.
thewayne: (Default)
So theoretically, if you get pulled over for a traffic stop, the officer can suck your phone dry using the same sort of device they use in cell phone stores to transfer data between phones. Your best defense is to silence it and put it in the glove compartment and refuse all requests to search your car without a search warrant.

Since this is an appellate court, hopefully it'll get appealed to the SCOTUS.
thewayne: (Default)
The case is interesting. The woman in question is being charged with various securities fraud crimes with having illegally obtained deeds of houses about to go into foreclosure, but the prosecutors are having problems because she seems to have used very strong encryption on her laptop. They're now saying that they don't want her password, they just want her to unlock her laptop so they can inspect the files therein.

I can't imagine this being anything except self-incrimination.

In England it is a crime to not provide an encryption password if the gov't asks for it. I wonder how long before we have such a law here. TrueCrypt has a feature called plausible deniability in which you have a password for your real info, and another password that unlocks the volume in such a way that your secure data is still secure, I imagine we'll be seeing it getting adopted a lot more.
thewayne: (Default)
This is pretty cool! It's not a common attack vector, but it's one that has been exploited and wouldn't be difficult. They're using AES-128, which is not easily broken. The cool thing about it is that it's going to sell for $40! The bad thing is that it isn't ergonomic, otherwise I'd be seriously interested.
thewayne: (Default)
It's an interesting proposition, and it's not using current router tech. Basically, each person who connects to a router would be separately encrypted, presumably through a shared key. The problem is that once someone can connect to a router it isn't too difficult to listen in to other people's traffic. If each connection is separately encrypted, you pretty much eliminate that possibility. (their site kinda sucks, on my browser I have to scroll down quite a bit to get to the text)

At the same time, you have the issue that people are getting raided by ATF/DHS/MOUSE at 3am, getting guns pointed at their head, having people with guns shout at them that they're child molesters, and they didn't do anything: people used their open connection to download porn, and in one case, send death threats to the vice president. I'm not entirely clear on how full encryption will prevent this. But for the time being, I'm keeping my router encrypted, no broadcast SSID, and MAC filtering. It's not totally hack-proof, but it's as close as I can easily get. I'd like to have an open router, but if I do, it's going to have all connections logged.
thewayne: (Default)
A 19 year old refused to give up a 50 character password and is sentenced to 16 weeks in jail. He's being investigated for child exploitation. In England, you can't make the excuse "I don't remember it" without going to jail. It's not yet against the law in the US, but who knows how long that will last.

And an XKCD cartoon showing the true value of disk encryption:
thewayne: (Clue-by-Four)
Saudi Arabia recently forced RIM to install servers there that allows the government to snoop on Blackberry communications. I think RIM is about to cave in India, and on top of that, the Indian government wants access to Google, Skype, and VPN data!

I wonder how much interest will grow in those countries for strong encryption and easy steganography.

Yet more countries go on to my Do Not Visit list.
thewayne: (Default)
This first appeared a couple of years ago and claimed to encrypt a variety of files on your hard drive with RSA 1024 bit encryption. The original virus did a poor job of implementing RSA encryption and was only using 660 bytes. Because of this weakness, data was recoverable.

Well, in the two years since it was originally released, the author has fixed the code and it now uses all 1024 bits, which means that it's fundamentally unbreakable.

So what happens if your computer gets encrypted? Better hope your backups are good.

Kaspersky Anti-Virus would also like to talk to you, there's a chance they can recover your data.

This Slashdot article points to the Kaspersky alert:

September 2017

3 4 5678 9
101112 1314 15 16
1718 19 20212223


RSS Atom

Most Popular Tags

Style Credit

Expand Cut Tags

No cut tags
Page generated Sep. 22nd, 2017 01:25 pm
Powered by Dreamwidth Studios