Categories
Quotations

The most important detail to focus on is (per comment 12 by Brian Trzupek above) that Trustwave knew when it issued the certificate that it would be used to sign certificates for websites not owned by Trustwave’s corporate customer.

That is, Trustwave sold a certificate knowing that it would be used to perform active man-in-the-middle interception of HTTPS traffic.

This is very, very different than the usual argument that is used to justify “legitimate” intermediate certificates: the corporate customer wants to generate lots of certs for internal servers that it owns.

Regardless of the fact that Trustwave has since realized that this is not a good business practice to be engaged in, the damage is done.

With root certificate power comes great responsibility. Trustwave has abused this power and trust, and so the appropriate punishment here is death (of its root certificate).

~Christopher Soghoian, in comment about Trustwave


Phone hacking, for the most part, depends on remote access. Hackers obtain unprotected phone numbers from a variety of sources – Facebook must be a favorite – or by social engineering. PINs, for the most part, are easy to guess. Hacking typically takes place in the legitimate user’s absence.

Unless Apple or Google plans to bar remote access to devices, facial recognition security surely only solves a small part of the problem. Back to the drawing board.

~Kim Davis, from Internet Evolution


How to hack a smartphone via radio

Network World:

Encryption keys on smartphones can be stolen via a technique using radio waves, says one of the world’s foremost crypto experts, Paul Kocher, whose firm Cryptography Research will demonstrate the hacking stunt with several types of smartphones at the upcoming RSA Conference in San Francisco next month.

“You tune to the right frequency,” says Kocher, who described the hacking procedure as involving use of a radio device much like a common AM radio that will be set up within about 10 feet from the smartphone. The radio-based device will pick up electromagnetic waves occurring when the crypto libraries inside the smartphone are used, and computations can reveal the private key. “We’re stealing the key as it’s being used,” he says, adding, “It’s independent of key length.”

Kocher says the goal of the hacking demo, which Cryptography Research will demonstrate throughout the RSA Conference at its booth, is not to disparage any particular smartphone manufacturer but to point out that the way crypto is used on devices can be improved.

“This is a problem that can be fixed,” he says, noting Cryptography Research is working with at least one of the major smartphone makers, which he declined to name, on the issues around these types of radio-based attacks.

This is a high level of awesome. I wonder who the major smartphone maker is; Microsoft? Apple?


“Generally, things are not looking great with Google. I think that people have given Google a lot and with that they’ve trusted [Google] will do the right thing, that they will focus on the user and that there won’t be any surprises,” Marlinspike told IT Pro. “That’s turning out to not be true. They’re not really holding up their end of the bargain there.

“Now they’re saying you have until this time to change your mind, but it’s not about just opting in to providing data, it’s opting in in terms of connecting your life to a network that is controlled by Google.

“It’s difficult to now transition out of that. They were able to build that network through that trust and I feel like it’s not exactly fair for them to change the rules.”

~Moxie Marlinspike, January 26, 2012


The NSA was quite aware that many new network systems were being built rapidly during the dotcom boom, and if cryptography wasn’t built in at the start, it should usually be too expensive to retrofit it later. So each year that the NSA held the line on crypto controls meant dozens of systems open to surveillance for decades in the future. In these terms, the policy was successful: little of the world’s network traffic is encrypted, the main exceptions being DRM-protected content, Skype, the few web pages that are protected by TLS, opportunistic TLS encryption between mail servers, SSH traffic, corporate VPNs and online computer games. Everything else is pretty much open to interception – including masses of highly sensitive mail between companies.

~R. Anderson. (2008). Security Engineering: Second Edition. Indianapolis: Wiley Publishing Inc. p. 795.


Surveillance is not itself sinister any more than discrimination is itself damaging … there are dangers inherent in surveillance systems whose crucial coding mechanisms involve categories derived from stereotypical or prejudicial sources.

~D. Lyon. (2003). Surveillance as Social Sorting: Privacy, Risk and Digital Discrimination. New York: Routledge. p. 2.


2012.1.9

We must go further [than simply demanding transparency] and inject public values into development cycles while also intentionally hobbling surveillance technologies to rein in their most harmful potentialities.

Transparent Practices Don’t Stop Prejudicial Surveillance