I think the link between absurdist theatre and SSL certificate revocation checking is a bit tenuous, but nevertheless Dan Goodin’s article over at Ars Technica does a good job in describing (in less technical language than Adam Langley’s post) why having your browser check for revoked SSL certificates really isn’t all that effective.
Google is researching ways to make encryption easier to use in Gmail:
In response to Edward Snowden’s mass surveillance revelations, Google is working to make complex encryption tools, such as PGP, easier to use in Gmail.
PGP, or Pretty Good Privacy, is an encryption utility that historically has been difficult to break. But Google has “research underway to improve the usability of PGP with Gmail,” according to a person at the company familiar with the matter.
If Google is actually going to throw engineers and designers (most important: lots, and lots, and lots of UI and UX designers!) towards improving the basic usability of PGP that would be incredible. However, given people’s suspicion of the company given the NSA disclosures I have to wonder whether any public offering from Google will be regarded as some kind of a trojan horse by some civil liberties groups and the cynical public alike.
Some real gems in that post. Highly recommended if you want to understand why researchers/journalists complain vociferously about the hell of FOIA/ATIP laws.
Air Canada flight from Vancouver carried child with measles:
Health officials in Edmonton are issuing warnings after a passenger who arrived in the city on a flight from Vancouver was later diagnosed with measles, but similar warnings have not been issued in Vancouver.
I think that bad movies, and unpleasant contagious outbreaks, are premised on such realities.
Of a total of 33 main ships and submarines, 15 are being repaired or undergoing upgrades, while another four are at a lesser state of readiness as they conduct tests on recently installed and modernized systems.
This is an embarrassment given that Canada is (in theory) a naval nation. We have no serious land-borders to defend and are largely unable to project any significant force abroad via our navies. Such force projection needn’t be in the service of aggressive or ‘peacekeeping’ missions: simply being able to guard major shipping lanes is something that Canada is increasingly ill-suited to contribute to. Decades of failed procurement process have led to an embarrassing state of affairs, and one unlikely to improve anytime in the near future.
Using Heartbleed, the name for a flaw in security that is used in a wide range of web servers and Internet-connected devices, the attacker was able to break into an employee’s encrypted virtual private network, or so-called VPN, session.
From there, the hacker or hackers used the Heartbleed bug about 1,000 times until successfully extracting information like passwords to get broader access to the victim’s network, said researchers at Mandiant, a cybersecurity firm.
The targeted company only noticed the attack in its later stages. When it began analyzing what happened, it realized the Heartbleed bug was used as the entry point, said Christopher Glyer, an investigator at Mandiant.
It’s a statement from Mandiant and so some mindfulness should be taken when reading their comments. (The same is true when parsing statements from other for-profit security companies.) Still, that Heartbleed is not only weaponized (that happened almost immediately after it was integrated into Metasploit) but is showing up in the wild prominently enough to warrant a response from Mandiant demonstrates why Heartbleed is going to be a problem for years going forward. For a good, if technical, discussion of why the hurt is just going to continue (like all things that involve breaking SSL…) see Adam Langley’s recent post titled “No, Don’t Enable Revocation Checking.”
Also: even if you don’t read Adam’s post you can follow the lesson he provides in the title of his technical post. If in the aftermath of the Heartbleed vulnerability you enabled Revocation Checking in Chrome then disable it, ASAP.
Chris Parsons, a post-doctoral fellow with the Citizen Lab at the Munk School of Global Affairs, said that there has been an increased call for outside security audits for OpenSSL, the security system affected by Heartbleed.
“Researchers have been grumbling that OpenSSL and other highly-relied upon security libraries need to be subject to more ‘forensic audits’ by professionals to identify and patch flaws before they are exploited in the wild,” he said.
Heartbleed was discovered by a team of researchers from the Finnish security firm Codenomicon, along with a Google Inc. researcher who was working separately.
Missed this when it went up, but posting because I think it touches on something that is important to track as things move forward: despite experts inside and outside of industry recognizing the need for more audits of critical packages like OpenSSL, will resources actually be devoted to enable such work?
Source: Heartbleed may lead to more security audits, advanced security services
Third, and most important: The Conservative government, read the prime minister, has ignored this glaring strategic reality: To counter a Trudeau-led Liberal party and a Mulcair-led NDP, the Conservatives needed to curb their anti-democratic tendencies — epitomized by omnibus bills and constant, intransigent resistance to compromise, which looks like the arrogance of long-held power — and make themselves credible on the environment. Unfortunately for their more moderate supporters, they have done neither; if anything, they’ve doubled down.
Core Conservative support, just under 30 per cent of the voting population, has kept the party more than solvent; but it can’t win it a majority. That is a fundamental problem for the Harper team, and one it has precious little time to solve.
While I’d like to agree that the current governing party of Canada’s anti-democratic approaches should cost it seats, if not the election, I have strong doubts. I often speak with Canadians (of various political stripes) and ask whether they want decisive action (demonstrated in the form of the current government’s omnibus legislation) or more drawn-out periods of action as parties communicate to develop some kind of quasi-consensus on issues (often as characterized in a minority government situation). Save for the extremely rare person, most state a preference for decisiveness and regard omnibus legislation as efficient. The rationale is almost always that ‘government should be doing things, not stuck just talking for a long time and wasting taxpayer monies’.
Personally, I find such responses extremely depressing. But if my anecdotal conversations have any resonance with the broader Canadian public then I’d be doubtful that ‘anti-democratic’ approaches to governance will be what relieves the current governing party from power. Scandal, perhaps, but I don’t even think the Duffy affair is sufficiently scandalous to cost the government too much.
Beyond a short press release announcing its decision to drop the Wright probe on the eve of a state funeral, the RCMP’s top brass has taken up residence in the cone of silence to skirt all sorts of uncomfortable, unanswered questions about this discreditable affair.
The ordinary citizen part of me is perturbed by yesterday’s surprising events — which signal, yet again, that the rich, powerful and politically-connected are seemingly immune from any meaningful accountability for their actions.
The former investigative reporter in me is resigned to it all. I recall that the RCMP decided not to do a damn thing when it was revealed that former prime minister Brian Mulroney pocketed at least $225,000 in cash-stuffed envelopes from Karlheinz Schreiber, a notorious Austrian financier and arms dealer, while the pair met in New York soon after Mulroney left office in 1993.
Andrew Mitrovica, on the sadness and frustration that passing 90K to a sitting Senator is apparently neither a summary nor an indictable offence.
Source: The Wright affair: The RCMP falls off its horse … again
The Current ran an excellent piece yesterday on the importance of child vaccinations. Guests included Margaret Somerville (founding director of the McGill Centre for Medicine, Ethics and Law) and Paul Offit (head of Infectious Diseases and Director of the Vaccination Center at the Children’s Hospital of Philadelphia). One of his more memorable statements was:
Is it your inalienable right to catch and transmit a potentially fatal infection? I think the answer is no.
Towards the end of the interview the panelists were asked whether a distrust in authority promotes anti-vaccine attitudes. Both said yes. I tend to agree, but think that this response has to be put in a broader context: distrust in authority must be combined with a devastatingly poor science literacy amongst Americans and Canadians alike to appreciate the pushback against vaccination. In the US in particular there is rampant skepticism about basic truths about the development of the planet, of core scientific theories concerning biology, and a valourization of those who deliberately remain ignorant of these core scientific facts and theories. While the situation isn’t quite bad in Canada there remain pervasive failures in scientific education and distrust in medical doctors.
From a regulatory and public health standpoint the response to the ‘vaccine problem’ might be a more coercive public health agenda that actively works to improve ‘herd immunity’. But that would be correcting a symptom of a much broader problem: trust in authority and understanding of science. And there isn’t a clear political approach that’s likely to address this broader problem absent radical depolarization of the North American political climate and attempts to increase scientific literacy amongst children and their parents.