Collaborate Disseminate
I receive a fair amount of email from strangers. My email address is public, which doesn’t seem
to be a popular choice these days, but I’ve received enough inspiring correspondence over the years
to leave it be.
When I receive a GPG encrypted ema… Continue reading GPG And Me
Earlier this week, a company called Telegram announced a “secure” mobile messaging product. How secure? In their words
of their FAQ, “very secure.” Curious to learn more, I went to look at the protocol, and immediately had a number of
questions and concerns. However, when pressed on technical details by others, they responded
with the academic credentials of their developers (math Ph.Ds) instead of engaging in a more reasonable dialog. They also
declined my suggestions for collaboration of any kind.
Most recently, they’ve chosen to respond to the concerns of the security community with… a crypto cracking contest!
Continue reading A Crypto Challenge For The Telegram Developers
In August of this year, Ladar Levison shut down his email service, Lavabit, in an attempt to avoid complying with a US government
request for his users’ emails. To defy the US government’s gag order and shut down his service took
great courage, and I believe that Ladar deserves our support in his legal defense of that decision.
There is now an effort underway to restart the Lavabit project, however, which might be a good opportunity to take a critical look at
the service itself. After all, how is it possible that a service which wasn’t supposed to have access to its
users’ emails found itself in a position where it had no other option but to shut down in an attempt to avoid
complying with a request for the contents of its users’ emails?
Suddenly, it feels like 2000 again. Back then, surveillance programs like
Carnivore,
Echelon, and
Total Information Awareness
helped spark a surge in electronic privacy awareness. Now a decade later, the recent discovery of programs like
PRISM… Continue reading We Should All Have Something To Hide
Last week I was contacted by an agent of
Mobily, one of two telecoms operating in
Saudi Arabia, about a surveillance project that they’re working on in that country.
Having published two reasonably popular MITM tools,
it’s not uncommon for me to g… Continue reading A Saudi Arabia Telecom’s Surveillance Pitch
Last week I saw a tweet about Guardian Project’s “StrongTrustManager,” which was built for increasing the security of
SSL connections in Android. It’s part of their OnionKit library, and their app Gibberbot uses it to secure its XMPP
connections.
I recently released an Android library that provides simple
SSL pinning support, and have previously written
about the great opportunity we have for mobile apps to sidestep the many problems
plaguing us with CA certificates, so I was excited to see something else out there.
Since I had just released something similar, I went to look at what the Guardian Project implementation provides, and
incidentally ended up discovering a few security vulnerabilities. I’ve decided to write them up here, since they’ve turned
out to be fairly common problems amongst TLS implementations, and might be of some value to document.
Continue reading Guardian’s StrongTrustManager Vulnerabilities
To my great surprise, young people now somewhat frequently contact me in order to solicit career advice.
They are usually in college or highschool, and want to know what the best next steps are for a career in
security or software development.
I don’t really know who Dustin Curtis is, but he blogs a lot, and those blog entries often end up on
Hacker News. Not too long ago, he wrote a blog post titled “The Best,”
in which he explains that he has nice stuff. That in fact, everything he … Continue reading The Worst
When it comes to designing secure protocols, I have a principle that goes like this: if you have to
perform any cryptographic operation before verifying the
MAC on a message you’ve received, it will
somehow inevitably lead to doom.
From Swindle To Hazard
In recent months, Comodo has been
hacked repeatedly, DigiNotar was
compromised, and the security of CAs as a whole has been found to be
not altogether inspiring. The consensus finally seems to be shifting from the notion … Continue reading Your app shouldn’t suffer SSL’s problems