2013 FALLOUT

Chat about just about anything else

2013 FALLOUT

Postby mike acker on Tue Dec 31, 2013 4:14 pm

following the Snowden leaks and followed by the Target scandal there may be a bit more interest in how we use data.

I was fascinated by the article on Whitfield Diffie's expert testimony for New Egg in their trial v TQP

http://arstechnica.com/tech-policy/2013/11/newegg-trial-crypto-legend-diffie-takes-the-stand-to-knock-out-patent/

below the Heading A brief history of public-key crypto Whitfield says, in part
Code: Select all
The problem was vast, Diffie explained—nothing less than how to keep things private in a networked world. He recalled a conversation with his wife in 1973, sitting on a New Jersey park bench. "I told her that we were headed into a world where people would have important, intimate, long-term relationships with people they had never met face to face," he said. "I was worried about privacy in that world, and that's why I was working on cryptography."


i.e. he knew that pen&ink base procedures were not adequate in a network environment. I'm hoping more people will come to realize this but we need to get more people understanding that PGP is not just encryption -- it provides also authentication and integrity:

authentication allows a user to be quite sure that a message he has received is in fact from the person who says they sent it -- where regular e/mail is easily spoofed in this matter

integrity allows a user to be quite sure that a message has not been altered intransit e.g. by some kind of man in the middle scam

and of course encryption provides security allowing a user to be quite sure that a message has not be read by un-authorized person(s).

I'm "preaching to the choir" here of course but I think these are things that we need to move from the esoteric area to the best practice area.

endpoint computer security will be another hot topic. there being two keys to it: (1) make sure that un-authorized software updates are not allowed - either to the O/S or to an application; and (2) restrict what any given application program is allowed to do, e.g. via apparmor or equ.

the subject of supply stream malware is another matter; this will require a zero-defects approach with liabilities for failing to exert due diligence.
Home assembled box using ASUS M5A88-M motherboard and AMD Phenom II X4 3.4GHz cpu
User avatar
mike acker
Level 4
Level 4
 
Posts: 288
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Linux Mint is funded by ads and donations.
 

Sales of PII: Business Model

Postby mike acker on Wed Jan 01, 2014 10:21 am

Home assembled box using ASUS M5A88-M motherboard and AMD Phenom II X4 3.4GHz cpu
User avatar
mike acker
Level 4
Level 4
 
Posts: 288
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: 2013 FALLOUT

Postby Habitual on Wed Jan 01, 2014 9:20 pm

If you're connected to their internet in any way, Privacy is Gone.
My DorkBlog
Cirrhus9.com - Managed HA VDSs and Scalable grid solutions.
User avatar
Habitual
Level 7
Level 7
 
Posts: 1924
Joined: Sun Nov 21, 2010 8:31 pm
Location: Under the hood

Re: 2013 FALLOUT

Postby mike acker on Thu Jan 02, 2014 7:57 am

Habitual wrote:If you're connected to their internet in any way, Privacy is Gone.


+ you will never be able to prevent traffic analysis. TOR attempts to do this but with limited success.

+ traffic analysis obtains "meta data" -- who you connected to, when, and how long. content is another issue.

+ content can be protected by proper use of PGP. this is attempted in SSL and TLS and various "secure mail" systems. again, with limited success. x.509 certificates used in SSL and TLS systems are served up en masse by browser vendors and the process has turned out to be vulnerable: attack surface is too large.

+ to properly use PGP (GnuPG) you need to generate your own key-pair and then sign the certificates you need to validate -- and nothing more. (work needed*).

+ the ENIGMAIL interface to GnuPG is available for everyone here via the default mail client THUNDERBIRD. I'd like to see a thunderbird/enigmail discussion section here on MINT. There are e/mail discussion lists for ENIGMAIL and GnuPG. Thunderbird/ENIGMAIL is an excellent vehicle for learning about GnuPG -- and -- particularly PGP Trust Models -- which are the essential element of public key encryption that is glossed over by the SSL/TLS crowd.

~~
* when a Certificate Authority gives you an x.509 certificate you need to assign marginal trust only to that certificate. untill you have vetted the cert yourself you are not going to sign it. this isn't the monsted problem pundits cry ab out: you don't need complete trust on more than a small handfull of certificates,..... credit union, amazon ...
Home assembled box using ASUS M5A88-M motherboard and AMD Phenom II X4 3.4GHz cpu
User avatar
mike acker
Level 4
Level 4
 
Posts: 288
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI


Return to Open chat

Who is online

Users browsing this forum: No registered users and 11 guests