…the Consumer Groups note Bell Canada’s somewhat thin argument on s. 36 to the effect that throttling is examination of the “application header of the content but not the content itself.” This is akin to arguing that one is listening into a telephone conversation and identifying the language being spoken but not listening to the words. However, this is a false analogy, as Bell does influence the content of the message by blocking the usability of the P2P protocol by slowing it down, thus rendering its purpose (to quickly download large files) moot. To continue the language analogy, Bell is effectively listening in for, say, Mandarin Chinese and making sure the call breaks up and drops out to the point that half of the speakers simply abandon the call.
Author: Christopher Parsons
Policy wonk. Torontonian. Photographer. Not necessarily in that order.
In today’s era of hyperbolic security warnings one of the easiest things that people can do to ‘protect’ themselves online is select super hard passwords to crack, stuff them in a centralized password manager, and then only have to remember a single password to access the rest in the manager. I’ve used a password manager for some time and there are real security benefits: specifically, if a single service that I’ve registered with is hacked then my entire online life isn’t compromised, just that one service.
Password manager companies recognize the first concern that most people have surrounding their services: how do the managers protect the sensitive information they’re entrusted with? The standard response from vendors tends to reference ‘strong security models and usage of cryptography’. Perhaps unsurprisingly, it is now quite apparent that the standard responses really can’t be trusted.
In a recent paper (.pdf), researchers interrogated the security status of password managers. What they found is, quite frankly, shocking and shameful. They also demonstrate the incredible need for third-party vetting of stated security capabilities.
The abstract for the paper is below but you should really just go read the whole paper (.pdf). It’s worth your time and if you’re not a math person you can largely skim over the hard math: the authors have provided a convenient series of tables and special notes that indicate the core deficiencies in various managers’ security stance. Don’t use a password manager that is clearly incompetently designed and, perhaps in the future, you will be more skeptical of the claims companies make around security.
Abstract:
In this paper we will analyze applications designed to facilitate storing and management of passwords on mobile platforms, such as Apple iOS and BlackBerry. We will specifically focus our attention on the security of data at rest. We will show that many password keeper apps fail to provide claimed level of protection
A quick TEDx talk about the inherent (in)security of the software-driven devices that are increasingly embedded throughout our lives.
A Pedophile Survivor on Bill C-30
Anne Rector gives voice to many who were systematically abused as children and who, often as a result of the abuse, are now ardent protectors of basic privacy rights. From her piece:
While I’m fairly open about many things, my privacy has been savagely breached quite enough in this life. I should be able to preserve the tatters of personal privacy that remain, as I wish.
But this Conservative crime bill targets my privacy’s safeguards, and it’s inappropriate of politicians to use ‘pedophiles’ to strip me of them.
Just try claiming that I support child pornographers… and I’ll impart what fierce really is.
Go read the piece. It’s short. It does a good job of identifying just how hurtful and harmful the Canadian Government’s equating of privacy advocates with child pornographers is for those who have suffered at the hands of child abusers.
The hacking of major certificate authorities, Comodo and DigiNotar, has been somewhat addressed by certificate blacklists and revocations. Despite these measures, however, the fallout of the hacks continues. As picked up by PC Magazine,
This week Kaspersky has discovered malicious droppers – programs that install malware – bearing stolen VeriSign certificates originally issued to a Swiss company called Conpavi AG.
…
One of the droppers carries a 32-bit driver containing a malicious DLL, which gets injected into your Internet browser process. A malicious 64-bit dropper injects the DLL directly.
From there, the DLL reroutes all your search queries in Google, Yahoo!, and Bing, to a pay-per-click search engine called Search 123. Search 123 makes money off people who search and click on their results.
As a colleague of mine commented, this is just another nail in X.509’s coffin. Let’s just hope that not too many innocents are buried along with it.
Google Chrome Addons Fingerprinting
Krzysztof Kotowicz has recently published the first part of a Chrome hacking series. In what went up mid-March, he provides the proof of concept code to ID the addons that users have installed. (The live demo – avoid if you’re particularly privacy conscious – is here.) There are various advantages to knowing what, specifically, browser users are running:
- It contributes to developing unique browser fingerprints, letting advertisers track you passively (i.e. without cookies);
- It enables an attacker to try and compromise the browser through vulnerabilities in third-party addons;
- It lets websites deny you access to the site if you’re using certain extensions (e.g. a site dependent on web-based ad revenue might refuse to show you any content if you happen to be running adblock or Ghostery).
Means of uniquely identifying browsers have come and gone before, and this will continue into the future. That said, as more and more of people’s computing happens through their browsers, ever more effort will go into compromising the browser as the primary attack vector. It will be interesting to see if Google – and the other major browser vendors – decide to treat this means of identifying customer-selected elements of the browser as a possible attack vector and consequently move to limit addon-directed surveillance.
The great evil that we as Americans face is the banal evil of second-rate minds who can’t make it in the private sector and who therefore turn to the massive wealth directed by our government as the means to securing wealth for themselves. The enemy is not evil. The enemy is well dressed.
… an institution can be corrupted in the same way Yeltsin was when individuals within that institution become dependent upon an influence that distracts them from the intended purpose of the institution. The distracting dependency corrupts the institution.
Kevin McArthur has a response to firms who are demanding highly credentialed security staff: stop it!
Much of his argument surrounds problems with the credentialing process. He focuses on the fact that the time spent achieving an undergrad, MA, and set of professional certifications leaves prospective hires woefully out-of-date and unprepared to address existing security threats.
I recognize the argument but think that it’s somewhat of a strawman: there is nothing in a credentialing process forcing individuals to focus solely on building and achieving their credentials. Indeed, many of the larger companies that I’m familiar with hire hackers as employees and then offer them opportunities to pursue credentials on their own time, on the company dime, over the course of their employment. Many take advantage of this opportunity. This serves two purposes: it adds ‘book smarts’ to a repertoire of critical thinking habits, and it makes the company ‘stickier’ to the employee because of the educational benefits of working for the company.
Under the rubric of enabling education opportunities for staff you can get security talent that is very good and also happens to be well educated. It’s a false dichotomy to suggest that you can have either ‘book smarts’ or ‘real world smarts’: there are lots of people with both. They don’t tend to be right out of university or high school, but they are out there.
What’s more important, and what I think the real focus of the article is meant to be, is that relying on credentials instead of work accomplished is the wrong way of evaluating prospective security staff hires. On that point, we entirely agree.