A friend and colleague introduced me to a 94-year-old gentleman with a rare tale to tell. John McCallister was recruited during World War II to be a US Army liaison officer at “Station X,” the UK’s highly secret codebreaking operation at Bletchley Park. Station X collected intercepted German radio messages, all encrypted with the supposedly-unbreakable Enigma cipher, and broke the encryption. The resulting data was distributed to a handful of senior UK and US military commanders.
At first, McCallister worked at Bletchley and learned about the codebreaking operation. He met Alan Turing, now recognized as a giant in computer science. Turing developed codebreaking machines at Bletchley, including the “bombe” (left). Then McCallister prepared for his own role: to handle and distribute the highly secret information to senior US military commanders.
Following the war, McCallister left the crypto world. After college and reserve service for the Korean War, he applied his mathematic skills to business accounting at General Electric and Zenith Electronics. He retired in 1984.
Continue reading A Yank at Bletchley Park
Symantec is one of the companies that holds the keys to the Internet: they are a trusted certificate authority for authenticating major web sites. All major browsers recognize Symantec as a trustworthy source of SSL/TLS authentication certificates. Symantec (also known by its subsidiary name Verisign) is part of a chain of trust that keeps our Internet traffic safe.
Recent reports suggest that they have broken their trust with the Internet community. Symantec has apparently delegated some of its authentication authority to Blue Coat software, a company that makes and sells network snooping gear. A 2013 report by Reporters Without Borders contains 2 pages highlighting Blue Coat’s role in helping repressive regimes monitor encrypted web traffic.
Symantec has issued Blue Coat its own authority certificate. Blue Coat can use this to create and distribute bogus certificates that allow its gear to decrypt encrypted web traffic.
Continue reading Symantec Breaks Trust with the Internet?
The current fight is about whether we will impose a technological infrastructure which will be exceptionally vulnerable to attackers in order to provide nothing more useful than some very, very short-term advantages to people investigating crimes.
Let me say it differently: We put everyone in danger if we weaken cybersecurity. We only help a few detectives in a few investigations.
I don’t want hackers playing with my home thermostats, my car’s computer, my water or electric utility systems, or financial computers. If we make it convenient for police to reach into our computers, we also make it easy for hackers. This threatens peoples lives directly.
Continue reading The Apple case isn’t “privacy” versus “safety”
Computing technology is insanely reliable when you look at statistical error rates. Hard drives read and write trillions of bits while rarely producing a reportable error. But when you want some data to live forever (like family photos or critical business records), even an occasional error is a problem.
I’ve been using OS X and Time Machine for at least a decade now. I rely on RAID 1 “mirrored” backups. In other words, my Time Machine storage contains 2 separate hard drives. Everything is written to both of them. If one fails, I replace it with a new one, and rebuild from the good drive.
I also like to encrypt my hard drives. OS X provides convenient and capable hard drive encryption, but it doesn’t play well with the OS X RAID service. I’ve found it best to use an external RAID enclosure which handles the mirroring. I let OS X handle the crypto.
Continue reading Backing Up OS X with Mirrored Encrypted RAID
I’m a fan of Boak’s Lectures – they cover the fundamentals of military cryptography just before the information revolution.David Boak developed the lectures for the National Security Agency’s Cryptologic School.
Even though the lectures are from the ’60s and ’70s, they remain relevant to today’s cybersecurity threats. Cryptographic techniques that were classified Secret in Boak’s work are prominent in modern commercial cryptosystems. A sanitized version of Boak’s Lectures (Vol 1, Vol 2) was released in 2008.
I’m happy to report that the Interagency Security Classification Appeals Panel has released a more complete (less redacted) version. It’s available from the Government Attic.
Continue reading NSA re-releases Boak’s Lectures
I’m upgrading my iPhone and trading in the old one. I had to erase the old one completely and unhook “Find my iPhone” from it.
I’d seen headlines hinting that recycled iPhones aren’t often erased. Some headlines suggest that the erasing operation itself doesn’t really work.
It works. It’s just time consuming. I turned off TouchID and the lock code. I disabled “Find my iPhone” and all the iCloud connections. Then I went on line and made sure the old phone wasn’t listed on my Apple account. Finally, I hit the “Erase All Contents and Settings” option.
The phone restarted with the Hello setup screen. I went through guided setup without hooking up iCloud or anything personal. I looked through the phone to make sure nothing was there. It was clean. I looked on Find My iPhone, and the old phone didn’t appear.
Continue reading Recycling an iPhone – not a picnic
If you have the technical interest to read this, you probably do a lot of your finances with your personal computer. Taxes, monthly budgets, check printing (on those rare occasions), and tracking numerous accounts – computers are far better than people at handling such details. A typical personal computer, or smart phone for that matter, contains company names, account numbers, login credentials, and everything else an identity thief might need. This is reasonably safe as long as you don’t lose your device and/or its hard drive.
But when you replace your computer or hard drive, or (God forbid) someone steals it, your intimate financial details are “out there” unless your drive is encrypted.
Continue reading Encrypt All Hard Drives!
Matthew Green published an entertaining rundown on the cryptographic back door in ANSI and NIST standards. He focuses on how it got there and why it’s still there, as opposed to its technical details.
I’ve been reviewing histories of cryptography recently and here’s an interesting thing about pre-computer encryption: it’s almost entirely used for communications security. People encryptedmessages, but they rarely encrypted documents.
I’ve finally found a few real-world cases: encrypted diaries. BBC did a short segment on them last summer. But I’m still looking – there must be other cases where someone needed to keep some long-term data secret from prying eyes.
Continue reading Real-world document encryption