More about why Feds hate encryption
Mar 18th, 2016 by Ken Hagler

Gov’t acci­den­tal­ly pub­lish­es tar­get of Lavabit probe: It’s Snow­den. In the sum­mer of 2013, secure e-mail ser­vice Lavabit was ordered by a fed­er­al judge to pro­vide real-time e-mail mon­i­tor­ing of one of its users. Rather than com­ply with the order, Lev­i­son shut down his entire com­pa­ny. He said what the gov­ern­ment was seek­ing would have endan­gered the pri­va­cy of all of his 410,000 users.

Lat­er, he did pro­vide the pri­vate key as a lengthy print­out in tiny type.

In court papers relat­ed to the Lavabit con­tro­ver­sy, the tar­get of the inves­ti­ga­tion was redact­ed, but it was wide­ly assumed to be Edward Snow­den. He was known to have used the ser­vice, and the charges against the tar­get were espi­onage and theft of gov­ern­ment prop­er­ty, the same charges Snow­den faced. [Ars Tech­ni­ca]

This is anoth­er illus­tra­tion of what the Fed­er­al Baby Incin­er­a­tors are talk­ing about when they demand that encryp­tion be ren­dered worth­less in order to fight “ter­ror­ism.” What they real­ly mean is to spy on polit­i­cal dis­si­dents, along with oth­er Gestapo-worthy goals such as impris­on­ing peo­ple who pre­vent pup­py­cide.

Skype proves me right on security
Jul 11th, 2013 by Ken Hagler

NSA taps Skype chats, new­ly pub­lished Snow­den leaks con­firm.

Skype audio and video chats, wide­ly regard­ed as resis­tant to inter­cep­tion thanks to encryp­tion, can be wire­tapped by Amer­i­can intel­li­gence agen­cies, accord­ing to a new report in The Guardian. The report appears to con­tra­dict claims by Microsoft that they have not pro­vid­ed the con­tents of Skype com­mu­ni­ca­tions to the gov­ern­ment.

In a sto­ry pub­lished Thurs­day, based on doc­u­ments leaked by for­mer Nation­al Secu­ri­ty Agency con­trac­tor Edward Snow­den, The Guardian offers some detail about exten­sive coöper­a­tion between the FBI, the Nation­al Secu­ri­ty Agency, and Microsoft to enable gov­ern­ment access to user com­mu­ni­ca­tions via the intel­li­gence tool known as PRISM. That coöper­a­tion includ­ed, accord­ing to the leaked NSA doc­u­ments, enabling access to e-mails and chats, the Sky­Drive cloud stor­age ser­vice, and Skype audio and video calls.

The Guardian hasn’t pub­lished the doc­u­ments on which this sto­ry is based, but has instead quot­ed from them.

[Ars Tech­ni­ca]

This is com­plete­ly unsur­pris­ing. I’ve been warn­ing about Skype’s inse­cu­ri­ty since 2005.

Good to know
Aug 16th, 2012 by Ken Hagler

An Analy­sis of Apple’s Fil­e­Vault 2.

This is an analy­sis of Apple’s disk encryp­tion pro­gram, Fil­e­Vault 2, that first appeared in the Lion oper­at­ing sys­tem. Short sum­ma­ry: they couldn’t break it. (Pre­sum­ably, the ver­sion in Moun­tain Lion isn’t any dif­fer­ent.)

[Schneier on Secu­ri­ty]

This is good news, but of course it’s impor­tant to keep in mind that Fil­e­Vault 2 secu­ri­ty can be com­pro­mised by accept­ing the option (on by default, as I recall) to send a recov­ery key to Apple. The best secu­ri­ty in the world is use­less if you give the keys to some­one who will give them up the first time some thug points a gun at him.

New MacBook Pro
Jul 2nd, 2012 by Ken Hagler

My new Reti­na screen Mac­Book Pro arrived today. I’d been plan­ning to buy one even before they were announced, on the assump­tion they would come out some­time this year, and my old Mac­Book Pro (an ear­ly 2008 mod­el) died just as they were being announced.

Although the improved screen is notice­able, the biggest improve­ment to me is how much lighter it is than the old mod­el it replaces. On the oth­er hand, all was not perfect–for some rea­son, it came with­out a recov­ery par­ti­tion. Since this mod­el doesn’t have a DVD dri­ve and didn’t come with a sys­tem disc, this would be pret­ty bad for any­one who got it as their only Mac and then had a prob­lem. It also kept me from turn­ing on Fil­e­vault, which requires the pres­ence of a recov­ery par­ti­tion. For­tu­nate­ly, some search­ing turned up instruc­tions on how to cre­ate a recov­ery par­ti­tion on a sys­tem that didn’t have it.

Second opinion on iCloud insecurity
Apr 3rd, 2012 by Ken Hagler

Apple holds the mas­ter decryp­tion key when it comes to iCloud secu­ri­ty, pri­va­cy [Ars Tech­ni­ca]

The folks at Ars Tech­ni­ca noticed the same thing I did about their ear­li­er arti­cle and actu­al­ly inves­ti­gat­ed.

Encryption for suckers
Jun 29th, 2011 by Ken Hagler

Call Encryp­tion App Costs More Than Your iPhone. If you real­ly had rea­son to encrypt your phone calls — or were on the pay­roll of the MI6 –  per­haps a $1,600 year­ly sub­scrip­tion to a cell phone call encryp­tion app ser­vice would make sense.


While the app is free to down­load, both the caller and the receiv­er have to join the ser­vice that costs sev­er­al times more than their phones. [Cult of Mac]

Alter­nate­ly, you could buy Ground­wire for $9.99, and then spend anoth­er $24.99 on “ZRTP For Out­go­ing Calls” as an in-app pur­chase if you want to make out­go­ing encrypt­ed calls. Sup­port for incom­ing calls is includ­ed in the basic app, and no year­ly sub­scrip­tion is required. The price dif­fer­ence is so enor­mous that I can’t imag­ine any legit­i­mate rea­son why any­one would pay for the over­priced option. I there­fore must con­clude that it real­ly is intend­ed only for gov­ern­ment employ­ees.

Encrypted voice and IM for Android
May 27th, 2010 by Ken Hagler

End-to-End Encrypt­ed Cell Phone Calls.

Android app. (Slash­dot thread.)

[Schneier on Secu­ri­ty]

From the arti­cle:

Red­Phone uses ZRTP, an open source Inter­net voice cryp­tog­ra­phy scheme cre­at­ed by Phil Zim­mer­mann, inven­tor of the widely-used Pret­ty Good Pri­va­cy or PGP encryp­tion.


TextSe­cure uses a sim­i­lar scheme devel­oped by cryp­tog­ra­phers Ian Gold­berg and Niki­ta Borisov known as “Off The Record” to exchange scram­bled text mes­sages.

This means that you could talk secure­ly to any­one using Zfone on a com­put­er, and IM secure­ly to any­one with Adi­um or anoth­er app that sup­ports the OTR pro­to­col.

There’s also this rather impor­tant dis­tinc­tion from Skype, the “secu­ri­ty” of which I’ve crit­i­cized before:

Whis­per Sys­tems’ apps aren’t the first to bring encrypt­ed VoIP to smart­phones. But apps like Skype and Von­age don’t pub­lish their source code, leav­ing the rig­or of their secu­ri­ty large­ly a mat­ter of spec­u­la­tion.

GPGMail being updated for Snow Leopard?
Oct 26th, 2009 by Ken Hagler

This thread in Source­Forge sug­gests that the GPG­Mail plu­g­in, need­ed to inte­grate GPG with Apple Mail, has found a new devel­op­er who is updat­ing it to work with Snow Leop­ard. This is good news, as PGP is once again insist­ing that they will not update their own Mail plugin–they real­ly want to force their cus­tomers into using their hor­ri­bly crap­py encrypt­ing proxy, which is some­thing I cer­tain­ly won’t do.

PGP Whole Disk Encryption
May 17th, 2009 by Ken Hagler

After trying it for three weeks without problems, I bought the latest version of PGP Desktop Professional, which includes whole disk encryption. Both my MacBook Pro's internal hard drive and the external drive I use for Time Machine backups have gotten along with it just fine, even through the system update to 10.5.7. For the most part there's no noticeable impact on performance, but then my laptop doesn't do anything really disk intensive--all my photography work happens on a different computer which I will not be encrypting. There did seem to be a slowdown in Time Machine backups, but that's not an area where performance is really relevant. I would really prefer to use TrueCrypt, but as it currently can only do whole disk encryption on Windows (where I have been using it for some time), that wasn't an option.

The rest of the PGP Desktop package gets a mixed review. I had looked at PGP last summer and dismissed it as unacceptable because of the horribly designed proxy it relies on for encrypting email, but this time around I discovered that there is also an officially unsupported plugin available for Mail. The plugin works the same way as the GPGMail plugin, but with fewer features. This is not surprising, as they have the same author. Apparently some brainless product manager at PGP Corporation had decided to kill the plugin (presumably to force users into using their worthless proxy), and it was brought back by popular demand.

Since the last time I looked at PGP, it's lost the ability to communicate with public key servers other than the one actually run by PGP Corporation, which very few people use. According to a thread on the PGP support forum, the developers know about this bug and just don't care about fixing it. Well, nobody will ever accuse the PGP Corporation of having good customer service or QA! Fortunately the keyservers have web interfaces so the problem can be worked around as long as you're using the "unsupported" Mail plugin. Anyone foolish enough to use the proxy will be out of luck, though.

I ultimately decided to switch from GPG to PGP for my email needs, at least for the moment, because while both of them have huge problems on the Mac, PGP's refusal to work with keyservers that aren't owned by the PGP Corporation is less of a problem than the hideously unusable keychain management that GPG inflicts.

New attacks on SHA-1
Apr 30th, 2009 by Ken Hagler

This was post­ed on the PGP-Basics mail­ing list by Robert J. Hansen:

Some researchers are claim­ing they’ve been able to make the Sheng­dong
Uni­ver­si­ty attack on SHA-1 a fac­tor of about 2000 times eas­i­er. If
their research is cor­rect, that means SHA-1 is now attack­able by reg­u­lar

These results are not unex­pect­ed. We knew this day would come. For the
last cou­ple of years most cryp­to nerds have been strong­ly rec­om­mend­ing
peo­ple either migrate away from SHA-1 imme­di­ate­ly, or at the very least
have a migra­tion plan put togeth­er.

If you have already migrat­ed — then you may ignore this devel­op­ment.

If you have not — then it is increas­ing­ly urgent you do so.

Orig­i­nal URL:

»  Substance:WordPress   »  Style:Ahren Ahimsa
© Ken Hagler. All rights reserved.