
19 Year-Old Vulnerability Continues to Haunt the Internet

Via Ars Technica:

A surprisingly big number of top-name websites—Facebook and PayPal among them—recently tested positive for a critical, 19-year-old vulnerability that allowed attackers to decrypt encrypted data and sign communications using the sites’ secret encryption key.

The vulnerability in the transport layer security protocol for Web encryption was disclosed in 1998 when researcher Daniel Bleichenbacher found it in the TLS predecessor known as secure sockets layer. A flaw in the algorithm that handles RSA encryption keys responded to certain types of errors in a way that divulged potentially sensitive information. With enough specially formed queries, attackers could exploit the weakness in a way that allowed them to decrypt ciphertext even when they didn’t have the secret decryption key. SSL architects responded by designing workarounds that suppressed the error messages rather than removing or rewriting the faulty RSA algorithm.

The vulnerability of Cisco’s ACE is concerning, because Cisco stopped supporting it several years ago and the researchers said the company has no plans to patch the product line. Even worse, it’s not possible to disable RSA encryption in the product, leaving users unable to follow one of the few possible workarounds for those unable to patch. What’s more, the researchers said Cisco is currently using ACE to serve content on cisco.com.

Companies that are responsible for providing critical infrastructure technologies need to be accountable for what they develop and sell. Imagine if a car company with a known-deficient vehicle refused to fix or repair it on the basis that they didn’t support it any longer – there’d be class action suits almost immediately. The technology sector needs to mature, and fast.

But as an aside, these are the sorts of weaknesses and vulnerabilities that the NSA and other national security agencies, along with private signals intelligence vendors, actively exploit. The actual ways in which cryptography is implemented are often rife with issues. One has to ask why Cisco and other major companies’ products were vulnerable in the first place but, also, whether the NSA or its sister agencies knew about the weaknesses and have been exploiting them instead of trying to better secure the public’s communications.

In theory the United States of America’s government, as well as the Canadian government, has a Vulnerabilities Equities Process (VEP). If this vulnerability was discovered but not disclosed it would be a damning indictment of the adequacy of the current VEP protocols.
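To make the quoted description concrete, here is an added example (not code from Ars Technica, the researchers, or any vendor) that contrasts a server whose RSA key-exchange handling reports distinct padding errors with one that applies the uniform-response countermeasure described in RFC 5246, section 7.4.7.1. The toy key, the function names and the response strings are assumptions made for illustration, and the TLS version-number check is omitted.

```python
import secrets

# Constructed toy key built from two well-known primes; demo only, never real use.
P, Q, E = 2**255 - 19, 2**256 - 2**32 - 977, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8            # modulus length in bytes (64)
OK = "handshake continues"

def encrypt_pkcs1(msg):
    """PKCS#1 v1.5 encryption block: 00 02 <nonzero padding> 00 <msg>."""
    pad = bytes(secrets.randbelow(255) + 1 for _ in range(K - 3 - len(msg)))
    em = b"\x00\x02" + pad + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")

def raw_decrypt(ct):
    return pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big")

def leaky_server(ct):
    """Vulnerable pattern: every failure cause is visible to the peer."""
    em = raw_decrypt(ct)
    if em[:2] != b"\x00\x02":
        return "alert: bad padding header"
    sep = em.find(b"\x00", 2)            # -1 when no separator exists
    if sep < 10:                         # fewer than 8 padding bytes
        return "alert: bad padding length"
    if len(em) - sep - 1 != 48:
        return "alert: bad premaster length"
    return OK

def hardened_server(ct):
    """Same checks, one outward behaviour: a bad block silently yields a
    random premaster secret, so the handshake only fails later at Finished."""
    fallback = secrets.token_bytes(48)   # drawn before decrypting, always
    em = raw_decrypt(ct)
    sep = em.find(b"\x00", 2)
    valid = em[:2] == b"\x00\x02" and sep >= 10 and len(em) - sep - 1 == 48
    # Python gives no constant-time guarantee; real stacks do this branch-free.
    return OK, (em[-48:] if valid else fallback)

def observable(server, blocks):
    """What a remote peer can distinguish across a batch of ciphertexts."""
    out = set()
    for ct in blocks:
        r = server(ct)
        out.add(r if isinstance(r, str) else r[0])
    return out
```

Fed the same mix of well-formed and malformed blocks, the first server produces several distinguishable responses while the second produces exactly one, which is the property the error-suppressing workarounds were meant to restore.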


Security Planner by the Citizen Lab

From the Citizen Lab:¹

Security Planner is an easy-to-use platform with tested, peer reviewed recommendations for staying safe online. With just a few clicks, Security Planner tailors straightforward recommendations based on someone’s digital habits and the technology they use. Recommendations are presented with clear language, making it easier to decide if they are right for someone. Our goal is to put people in a position to move from learning to action.

Our recommendations are developed by a peer review committee of experts from universities, nonprofits, and the private sector. The committee has decades of combined experience in digital security and produces recommendations that balance objectivity, accountability, and accessibility. This approach ensures that no private company can exercise influence over the products or services that we recommend. Security Planner is also overseen by an advisory board whose members include some of the world’s leading thinkers and practitioners in the digital security space.

Security Planner is a free tool that is designed to help everyone answer, and solve, their questions about online security. Check it out!

  1. In the interests of full disclosure, I’m an employee of the Citizen Lab though was only minimally involved in this particular project.

How Russia Polices Yandex

From Vice Motherboard:

This year, the “news aggregator law” came into effect in Russia. It requires websites that publish links to news stories with over one million daily users (Yandex.News has over six million daily users) to be responsible for all the content on their platform, which is an enormous responsibility.

“Our Yandex.News team has been actively working to retain a high quality service for our users following new regulations that impacted our service this past year,” Yandex told Motherboard in a statement, adding that to comply with new regulations, it reduced the number of sources that were aggregated from 7,000 to 1,000 with “official media licenses.”

The predictable result of the Russian government’s new law is that the government can better influence what information is surfaced to Russian citizens: when state news outlets release the same press release, en masse, Yandex¹ and other major aggregators with a large number of readers predominantly expose those readers to what the government wants them to see. So while Russia may interfere with foreign countries’ political processes by exploiting how social network and aggregator algorithms function (along with out-and-out illegal exfiltration and modification of communications data), it is trying to immunize itself against equivalent kinds of threats by way of the liabilities it places on the same kinds of companies which do business in Russia.

More broadly, the experience in Russia and changes in how Yandex operates should raise a cautionary flag for advocates in the Western world who are calling for social media companies to be (better) regulated, such as by striking down or modifying Section 230 of the Communications Decency Act (CDA). While there are clear dangers associated with these companies operating as contemporary digital sovereigns, there are also risks associated with imposing harsh liability systems for publishing other persons’ content.

While such regulations might reduce some foreign interference in political systems, they could simultaneously diminish the frequency at which legitimate alternative sources of information are widely surfaced to the public. It remains unclear just how we should regulate the spread of malicious political messaging² but, at the same time, it’s critical to ensure that any measures don’t have the detrimental effect of narrowing and diminishing the political conversations in which citizens can participate. It’s the very freedom to have such conversations that distinguishes free democratic countries from those that are more autocratic.

  1. Sidenote: Yandex is the only website I’ve ever had to block from scraping my professional website because it was functionally acting as a DDoS.
  2. One idea would be to deliberately cut down on how easy it is to spread any and all information. By requiring additional manual effort to share content only the most motivated would share it. Requiring actual humans to share content with other humans, if done in a robust way, might cut down on the ability of bots to automatically propagate content as though ‘real’ people were sharing it.

Om Malik on the Blog Post Bribe Scandal

He writes:

The chase for cheap page views to arbitrage against advertising dollars is the real reason everyone at these mega page view factories willingly embraced this trend towards free content, which in turn left the whole experiment open to abuse. If you generate a lot of page views for these sites, you aren’t going away, because, in the end, it is all about page views.

On my other, professional, site I regularly receive requests from marketers to publish their content for some sort of payment. Many are outlandish in their requests whereas others have clearly done their homework and identified a range of posts the given brand wants to be associated with.

Some of the payment rates or product offerings are outlandish, others churlish, but none of them have ever overcome my baseline position: I own my professional web presence in order to build my reputation and brand. That brand is worth more than a few hundred or thousand dollars; it represents, at least in part, my ability to earn money over the span of the coming decades.

While there’s been some comic back and forth about charging marketers tens or hundreds of thousands of dollars to post other parties’ branded content, I think there is legitimately something to the idea. If you view your web presence as a long-term part of your career, and damaging that presence could potentially cost you in terms of future employment opportunities or consulting prospects, then that kind of valuation starts to make some sense.


What’s On My Homescreen, December 2017 Edition

Screenshot of my iPhone 7 homescreen from December 2017

My homescreen is mostly divided between stuff that I want immediate access to on a very regular basis and one or two ‘testing’ applications (in terms of position on the homescreen and/or whether I like them as applications). Without further ado:

Photography (Folder): I play with a lot of different photo apps, though I tend to alternate between Darkroom and Snapseed a fair bit and rarely use Polar anymore. Slow Shutter is something I’m playing around with off and on, and ProCam was free.

Reminders: I don’t like the application but since I basically just use it for groceries I’m not willing to spend money for a ‘better’ app.

Notes: Much of my life exists in Notes. I wish there was better support for markdown and would love tagging support. And it’d be great if Apple would fix the freezing bug that was introduced in iOS 11! But on the whole Notes plays well across all my Apple devices and the interface just gets out of the way.

Messages: Not my default means of communicating with people, in part because I try to avoid sending SMS messages as best I’m able for security reasons, but it’s a necessary evil in my life.

Phone: I take and make a lot of calls.

WhatsApp: My preferred method of communicating because it’s a cross-platform app (don’t need to know if someone is on an iPhone, Android, Blackberry, or whatever else) and encrypts voice-, video-, and text-based messages end-to-end. Still, it leaks some metadata and so, in some instances I use…

Signal: The best consumer-available secure messaging app. Unlike WhatsApp, Signal keeps the bare minimum amount of information required to process communications.

Podcasts: I listen to silly numbers of Podcasts. I had problems with the application in iOS 9 but they seem to have been fixed in iOS 10/11. Importantly, the application syncs well across all the Apple devices that I own.

Hello Weather: I wish I could download and use Dark Sky but it’s not available in the Canadian App Store. Hello Weather pulls data from the same repository as Dark Sky so it’s as accurate, if not as pretty.

Day One: I’ve kept digital journals in one format or another for well over 15 or 16 years. I’ve been using Day One for a few years and love the interface.

Ulysses: I keep coming back to Ulysses even though I don’t derive any joy from using it. It’s certainly functional and lets me publish to my WordPress websites and I enjoy how it does markdown. But the interface is the definition of ‘meh’ for me.

Reeder: Too much of my time is spent in Reeder. I follow a lot of wonky websites and blogs, plus fashion, tech, culture, and more. So much to read and so little time!

Paprika: A relatively new application in my life, I’m seeing whether the application fits into my life. Previously I was using the Notes app to keep track of recipes but that didn’t scale very well. My hope is that Paprika really does take over part of my life and make shopping that much more pleasant.

iBooks: For pleasure reading I only purchase digital copies through iBooks. I realize it’s a walled garden but I’ve long since made my peace with that.

Activity: I’ve tracked my baseline activity information for almost ten years and this app collects daily information from my Apple Watch. I use a separate application — Healthview — to study longer-term trends in my personal fitness and health.

Halide: The newest application in my life! Though I usually shoot with my mirrorless camera, sometimes it’s not convenient and so I whip out my iPhone. Halide gives me more control over what I’m shooting and I really appreciate the ability to turn on focus peaking.

Safari: Because I, too, browse the Internet.

Mail: It’s not the best of clients but it’s as bad as most. And the really good ones would force me to move my mail through additional third-parties, and I’m not willing to engage in that kind of activity.

Tweetbot: I use Twitter a lot and a large portion of my professional network is located there. But the official Twitter application is just horrible in my view, whereas Tweetbot gets out of my way and lets me just enjoy the content streaming by.

Music: I usually have music playing in the background if I’m not listening to a podcast.


(In)Security and Scruff

From The Verge:

Ashley: And then, you mentioned it in transit, do you store these on Scruff’s personal servers? When it’s on the server, is it encrypted? What kind of protections do you have on the server?

We take a number of steps to secure our network. Encryption is a multifaceted and multilayered question and process. Yeah, I can say that the technical architecture of Scruff is one that we have had very smart people look into. We’ve worked with security researchers and security experts to ensure that the data that’s on Scruff stays safe and that our members can use Scruff with confidence and know that their information isn’t going to be disclosed to unauthorized parties.

This is exactly the kind of answer that should set off alarm bells: the developer of Scruff doesn’t actually answer the specific and direct question about the company’s encryption policies in an equivalently direct and specific way. Maybe Scruff really does have strong security protocols in place but you certainly wouldn’t know that was the case based on the answer provided.

It’d be a great idea if someone were to develop the equivalent of the EFF’s or IX Maps’ scorecards, which evaluate the policies of digital and Internet companies, and apply it to online dating services. I wonder how well these services would actually fare when evaluated on their privacy and security and anti-harassment policies…


Privacy Enhancing Technologies – A Review of Tools and Techniques

From the Office of the Privacy Commissioner of Canada:

PETs are a category of technologies that have not previously been systematically studied by the Office of the Privacy Commissioner of Canada (OPC). As a result, there were some gaps in our knowledge of these tools and techniques. In order to begin to address these gaps, a more systematic study of these tools and techniques was undertaken, starting with a (non-exhaustive) review of the general types of privacy enhancing technologies available. This paper presents the results of that review.

While Privacy Enhancing Technologies (PETs) have been around for a long time there are only some which have really taken hold over time, and usually only as a result of there being a commercial incentive for companies to integrate the enhancements.

Some of the failures of PETs to be widely adopted have stemmed from the reasons specific PETs were created (to effectively forestall formal regulatory or legislative action), others because of their complexity (you shouldn’t need a graduate degree to configure your tools properly!), and yet others because the PETs in question were built by researchers and not intended for commercialization.

The OPC’s review of dominant types of PETs is good and probably represents the most current of reviews. But the specific categories of tools, types of risks, and reasons PETs have failed to really take hold have largely been the same for a decade. We need to move beyond research and theory and actually do something soon given that data is leaking faster and further than ever before, and the rate of leakage and dispersal is only increasing.