More about why Feds hate encryption
Mar 18th, 2016 by Ken Hagler

Gov’t accidentally publishes target of Lavabit probe: It’s Snowden. In the summer of 2013, secure e-mail service Lavabit was ordered by a federal judge to provide real-time e-mail monitoring of one of its users. Rather than comply with the order, Levison shut down his entire company. He said what the government was seeking would have endangered the privacy of all of his 410,000 users.

Later, he did provide the private key as a lengthy printout in tiny type.

In court papers related to the Lavabit controversy, the target of the investigation was redacted, but it was widely assumed to be Edward Snowden. He was known to have used the service, and the charges against the target were espionage and theft of government property, the same charges Snowden faced. [Ars Technica]

This is another illustration of what the Federal Baby Incinerators are talking about when they demand that encryption be rendered worthless in order to fight “terrorism.” What they really mean is to spy on political dissidents, along with other Gestapo-worthy goals such as imprisoning people who prevent puppycide.

Skype proves me right on security
Jul 11th, 2013 by Ken Hagler

NSA taps Skype chats, newly published Snowden leaks confirm.

Skype audio and video chats, widely regarded as resistant to interception thanks to encryption, can be wiretapped by American intelligence agencies, according to a new report in The Guardian. The report appears to contradict claims by Microsoft that they have not provided the contents of Skype communications to the government.

In a story published Thursday, based on documents leaked by former National Security Agency contractor Edward Snowden, The Guardian offers some detail about extensive cooperation between the FBI, the National Security Agency, and Microsoft to enable government access to user communications via the intelligence tool known as PRISM. That cooperation included, according to the leaked NSA documents, enabling access to e-mails and chats, the SkyDrive cloud storage service, and Skype audio and video calls.

The Guardian hasn’t published the documents on which this story is based, but has instead quoted from them.

[Ars Technica]

This is completely unsurprising. I’ve been warning about Skype’s insecurity since 2005.

Good to know
Aug 16th, 2012 by Ken Hagler

An Analysis of Apple's FileVault 2.

This is an analysis of Apple’s disk encryption program, FileVault 2, that first appeared in the Lion operating system. Short summary: they couldn’t break it. (Presumably, the version in Mountain Lion isn’t any different.)

[Schneier on Security]

This is good news, but of course it’s important to keep in mind that FileVault 2 security can be compromised by accepting the option (on by default, as I recall) to send a recovery key to Apple. The best security in the world is useless if you give the keys to someone who will give them up the first time some thug points a gun at him.

New MacBook Pro
Jul 2nd, 2012 by Ken Hagler

My new Retina screen MacBook Pro arrived today. I’d been planning to buy one even before they were announced, on the assumption they would come out sometime this year, and my old MacBook Pro (an early 2008 model) died just as they were being announced.

Although the improved screen is noticeable, the biggest improvement to me is how much lighter it is than the old model it replaces. On the other hand, all was not perfect–for some reason, it came without a recovery partition. Since this model doesn’t have a DVD drive and didn’t come with a system disc, this would be pretty bad for anyone who got it as their only Mac and then had a problem. It also kept me from turning on Filevault, which requires the presence of a recovery partition. Fortunately, some searching turned up instructions on how to create a recovery partition on a system that didn’t have it.

Second opinion on iCloud insecurity
Apr 3rd, 2012 by Ken Hagler

Apple holds the master decryption key when it comes to iCloud security, privacy [Ars Technica]

The folks at Ars Technica noticed the same thing I did about their earlier article and actually investigated.

Encryption for suckers
Jun 29th, 2011 by Ken Hagler

Call Encryption App Costs More Than Your iPhone. If you really had reason to encrypt your phone calls — or were on the payroll of the MI6 –  perhaps a $1,600 yearly subscription to a cell phone call encryption app service would make sense.


While the app is free to download, both the caller and the receiver have to join the service that costs several times more than their phones. [Cult of Mac]

Alternately, you could buy Groundwire for $9.99, and then spend another $24.99 on “ZRTP For Outgoing Calls” as an in-app purchase if you want to make outgoing encrypted calls. Support for incoming calls is included in the basic app, and no yearly subscription is required. The price difference is so enormous that I can’t imagine any legitimate reason why anyone would pay for the overpriced option. I therefore must conclude that it really is intended only for government employees.

Encrypted voice and IM for Android
May 27th, 2010 by Ken Hagler

End-to-End Encrypted Cell Phone Calls.

Android app. (Slashdot thread.)

[Schneier on Security]

From the article:

RedPhone uses ZRTP, an open source Internet voice cryptography scheme created by Phil Zimmermann, inventor of the widely-used Pretty Good Privacy or PGP encryption.


TextSecure uses a similar scheme developed by cryptographers Ian Goldberg and Nikita Borisov known as “Off The Record” to exchange scrambled text messages.

This means that you could talk securely to anyone using Zfone on a computer, and IM securely to anyone with Adium or another app that supports the OTR protocol.

There’s also this rather important distinction from Skype, the “security” of which I’ve criticized before:

Whisper Systems’ apps aren’t the first to bring encrypted VoIP to smartphones. But apps like Skype and Vonage don’t publish their source code, leaving the rigor of their security largely a matter of speculation.

GPGMail being updated for Snow Leopard?
Oct 26th, 2009 by Ken Hagler

This thread in SourceForge suggests that the GPGMail plugin, needed to integrate GPG with Apple Mail, has found a new developer who is updating it to work with Snow Leopard. This is good news, as PGP is once again insisting that they will not update their own Mail plugin–they really want to force their customers into using their horribly crappy encrypting proxy, which is something I certainly won’t do.

PGP Whole Disk Encryption
May 17th, 2009 by Ken Hagler

After trying it for three weeks without problems, I bought the latest version of PGP Desktop Professional, which includes whole disk encryption. Both my MacBook Pro’s internal hard drive and the external drive I use for Time Machine backups have gotten along with it just fine, even through the system update to 10.5.7. For the most part there’s no noticeable impact on performance, but then my laptop doesn’t do anything really disk intensive–all my photography work happens on a different computer which I will not be encrypting. There did seem to be a slowdown in Time Machine backups, but that’s not an area where performance is really relevant. I would really prefer to use TrueCrypt, but as it currently can only do whole disk encryption on Windows (where I have been using it for some time), that wasn’t an option.

The rest of the PGP Desktop package gets a mixed review. I had looked at PGP last summer and dismissed it as unacceptable because of the horribly designed proxy it relies on for encrypting email, but this time around I discovered that there is also an officially unsupported plugin available for Mail. The plugin works the same way as the GPGMail plugin, but with fewer features. This is not surprising, as they have the same author. Apparently some brainless product manager at PGP Corporation had decided to kill the plugin (presumably to force users into using their worthless proxy), and it was brought back by popular demand.

Since the last time I looked at PGP, it’s lost the ability to communicate with public key servers other than the one actually run by PGP Corporation, which very few people use. According to a thread on the PGP support forum, the developers know about this bug and just don’t care about fixing it. Well, nobody will ever accuse the PGP Corporation of having good customer service or QA! Fortunately the keyservers have web interfaces so the problem can be worked around as long as you’re using the “unsupported” Mail plugin. Anyone foolish enough to use the proxy will be out of luck, though.

I ultimately decided to switch from GPG to PGP for my email needs, at least for the moment, because while both of them have huge problems on the Mac, PGP’s refusal to work with keyservers that aren’t owned by the PGP Corporation is less of a problem than the hideously unusable keychain management that GPG inflicts.

New attacks on SHA-1
Apr 30th, 2009 by Ken Hagler

This was posted on the PGP-Basics mailing list by Robert J. Hansen:

Some researchers are claiming they’ve been able to make the Shengdong
University attack on SHA-1 a factor of about 2000 times easier. If
their research is correct, that means SHA-1 is now attackable by regular

These results are not unexpected. We knew this day would come. For the
last couple of years most crypto nerds have been strongly recommending
people either migrate away from SHA-1 immediately, or at the very least
have a migration plan put together.

If you have already migrated — then you may ignore this development.

If you have not — then it is increasingly urgent you do so.

Original URL:

»  Substance:WordPress   »  Style:Ahren Ahimsa
© Ken Hagler. All rights reserved.