Security

Election Crypto Conspiracy Theory

1 Comment

Eye atop a pyramid - a mystical signI’m not often a fan of conspiracy theories, except for entertainment value. This one is interesting because it combines international intrigue, the elections, and our world of notoriously poor email security.

The conspiracy arises from foreigners trying to influence the United States election. They spy on unprotected emails and leak the contents to influence US public opinion. This isn’t limited to attacks on the Democratic candidate Hillary Clinton. Some suggest that Fox News and the Trump campaign have also been attacked this way.

We could be blocking this threat, except that pressure groups within the government want to leave as much information unprotected as possible, notably law enforcement and intelligence agencies. I think we face a greater threat from foreign exploitation of our unprotected emails than we face from impeded investigations or even a few terrorist bombs.

Continue reading Election Crypto Conspiracy Theory

Tech History

A Yank at Bletchley Park

A friend and colOne of Turing's Bombe devicesleague introduced me to a 94-year-old gentleman with a rare tale to tell. John McCallister was recruited during World War II to be a US Army liaison officer at “Station X,” the UK’s highly secret codebreaking operation at Bletchley Park. Station X collected intercepted German radio messages, all encrypted with the supposedly-unbreakable Enigma cipher, and broke the encryption. The resulting data was distributed to a handful of senior UK and US military commanders.

At first, McCallister worked at Bletchley and learned about the codebreaking operation. He met Alan Turing, now recognized as a giant in computer science. Turing developed codebreaking machines at Bletchley, including the “bombe” (left). Then McCallister prepared for his own role: to handle and distribute the highly secret information to senior US military commanders.

Following the war, McCallister left the crypto world. After college and reserve service for the Korean War, he applied his mathematic skills to business accounting at General Electric and Zenith Electronics. He retired in 1984.

[Postscript added]

Continue reading A Yank at Bletchley Park

Security

Symantec Breaks Trust with the Internet?

1 Comment

Crypto machine rotor

Symantec is one of the companies that holds the keys to the Internet: they are a trusted certificate authority for authenticating major web sites. All major browsers recognize Symantec as a trustworthy source of SSL/TLS authentication certificates. Symantec (also known by its subsidiary name Verisign) is part of a chain of trust that keeps our Internet traffic safe.

Recent reports suggest that they have broken their trust with the Internet community. Symantec has apparently delegated some of its authentication authority to Blue Coat software, a company that makes and sells network snooping gear. A 2013 report by Reporters Without Borders contains 2 pages highlighting Blue Coat’s role in helping repressive regimes monitor encrypted web traffic.

Symantec has issued Blue Coat its own authority certificate. Blue Coat can use this to create and distribute bogus certificates that allow its gear to decrypt encrypted web traffic.

Continue reading Symantec Breaks Trust with the Internet?

Security

Update on the Apple Music Mess

1 Comment

The trouble reported earlier with Apple Music seems to have attracted high level attention. James Pinkstone had reported that Apple Music deleted countless unique tracks he had stored in iTunes, and that an Apple service rep assured him this was correct behavior.

As he describes in a later blog post, Apple contacted him promptly. They assured him that file deletion is not an intended feature of Apple Music, and they sent engineers to try to figure it out.

This doesn’t change my own conclusion: the only way to ensure ownership of electronic media is to remove copy protection. This requires a bit of geeking around on a desktop. If your ebooks and music reside exclusively in proprietary apps, like Kindle or the Apple products, then the vendor can delete them at will. It happened on the Kindle.

Tech History

Which cables to keep, which to discard?

Serial cable vs parallel cableCNET recently published a list of cables to keep and cables to discard. I like to keep things for historical interest as well as for practical reasons. Historical examples allow me to show students different ways of doing the same thing. The picture on the left illustrates “serial vs parallel” and I use a similar image in my textbook. I don’t collect ancient types of wire for investment purposes: values don’t justify it.

You need to decide why you want to keep cables, and keep the cables accordingly. Like most Web journalism, CNET largely ignored that question. Here are some reasons:

  • I have equipment that uses a particular cable
  • I’ll probably buy equipment that uses a particular cable.

Let’s look at those reasons and consider CNET’s recommendations.

Continue reading Which cables to keep, which to discard?

Security

Apple Music Deletes Personal Content

apple music[UPDATE: Apple now claims this was a bug; see the updated post]

This is perhaps the worst example of entertainment engineering I’ve ever heard. Blogger and musician jamespinkstone claims that Apple Music deleted countless unusual tracks in his music collection. It “matched” the tracks with entries in its library. Then it deleted the matched ones from his hard drive. When he tried to play a rare piano version of “Sister Jack” he instead heard a common demo version. Apple Music apparently decided the tracks were similar enough to treat as identical.

This is worse than Sony planting malware on PCs to as a sort of copy protection. I’m no musician, but I appreciate the differences in my 3 or 4 versions of early Bonnie Raitt songs.

This is why I don’t trust the big vendors like Apple or Google to host my private ebook library.

Security

University: Anti-phishing not really a “policy”

Bogus Citibank login from phishing emailThe University of Minnesota’s HR department send me an email in January telling me that I had to submit to a background check. The good news: I do them all the time.

The bad news: the background check company can only complete the check if you follow a URL embedded in an email.

This is how phishing emails work. The email comes from a convincing-sounding source, like the University’s HR department, or some third-party on their behalf. You respond to it, only to find that it really wasn’t the HR department collecting the information.

Bottom line: you can’t trust email. No matter how many times it says “This isn’t a spam email,” or “This isn’t a phishing email,” you can’t trust email.

[Update 5 January 2018: The UMN HR department has sent me TWO possible phishes as I prepare to take up my reappointment. I passed this to the IT Security people. They have ‘spoken to’ the HR department, and they started a phishing blog.]

Continue reading University: Anti-phishing not really a “policy”

Security

The Apple case isn’t “privacy” versus “safety”

The current fight is about whether we will impose a technological infrastructure which will be exceptionally vulnerable to attackers in order to provide nothing more useful than some very, very short-term advantages to people investigating crimes.

Let me say it differently: We put everyone in danger if we weaken cybersecurity. We only help a few detectives in a few investigations.

I don’t want hackers playing with my home thermostats, my car’s computer, my water or electric utility systems, or financial computers. If we make it convenient for police to reach into our computers, we also make it easy for hackers. This threatens peoples lives directly.

Continue reading The Apple case isn’t “privacy” versus “safety”

Security

Backing Up OS X with Mirrored Encrypted RAID

BombComputing technology is insanely reliable when you look at statistical error rates. Hard drives read and write trillions of bits while rarely producing a reportable error. But when you want some data to live forever (like family photos or critical business records), even an occasional error is a problem.

I’ve been using OS X and Time Machine for at least a decade now. I rely on RAID 1 “mirrored” backups. In other words, my Time Machine storage contains 2 separate hard drives. Everything is written to both of them. If one fails, I replace it with a new one, and rebuild from the good drive.

I also like to encrypt my hard drives. OS X provides convenient and capable hard drive encryption, but it doesn’t play well with the OS X RAID service. I’ve found it best to use an external RAID enclosure which handles the mirroring. I let OS X handle the crypto.

Continue reading Backing Up OS X with Mirrored Encrypted RAID