IEEE supports the use of unfettered strong encryption to protect confidentiality and integrity of data and communications. We oppose efforts by governments to restrict the use of strong encryption and/or to mandate exceptional access mechanisms such as “backdoors” or “key escrow schemes” in order to facilitate government access to encrypted data. Governments have legitimate law enforcement and national security interests. IEEE believes that mandating the intentional creation of backdoors or escrow schemes – no matter how well intentioned – does not serve those interests well and will lead to the creation of vulnerabilities that would result in unforeseen effects as well as some predictable negative consequences.
— IEEE Position Statement
Tag: Security
Why hardware + software is cheaper than hardware alone
Thomas Dullien of Google’s Project Zero on why security suffers because it’s actually cheaper to build more complex things (i.e. ship some piece of hardware with a general purpose processor and define features in software instead of using a purpose-built chip).
Aktivieren Sie JavaScript um das Video zu sehen.
https://www.youtube.com/watch?v=q98foLaAfX8
https://www.youtube.com/watch?v=q98foLaAfX8
Rooting With/For Rowhammer
The Rowhammer class of exploits never stops to amaze.
What Mafia Teaches Us About Trust & Security
David Eaves has some interesting thoughts on what Mafia can tell us about trust and security. He also has a few ideas on how the physical game setup gives advantage to different parties.
WhatsApp End-to-end Encryption
WhatsApp just announced they enabled end-to-end encryption for all their users … this is huge news. They have put a white paper up describing their implementation. Good news: it’s based on the Signal protocol and first tests seem to suggest they did it properly. 👏
TSA’s Random Lane Picker
This is so moronic I almost fell off my chair laughing: it seems like the TSA spent $47,000 on a “random lane picker.” Please, you be the judge whether it was worth it:
Aktivieren Sie JavaScript um das Video zu sehen.
https://www.youtube.com/watch?v=P_KmFJ2gGzw
https://www.youtube.com/watch?v=P_KmFJ2gGzw
It needs to be operated manually … with hygienic gloves! 😂
Data Is A Toxic Asset
Bruce Schneier also finds data is actually a toxic asset. 😶
Ramen Code
The plaintiffs in Toyota’s Unintended Acceleration lawsuit had someone with knowledge in building embedded software had a look at Toyota’s source code:
possible bit flips, task deaths that would disable the failsafes, memory corruption, single-point failures, inadequate protections against stack overflow and buffer overflow, single-fault containment regions, thousands of global variables. The list of deficiencies in process and product was lengthy.
Leaky Apps
How much data are the most popular apps on Android and iOS leaking to third parties (i.e. people who have nothing to do with the app you’re using). A LOT!
CFSSL FTW
After reading how CloudFlare handles their PKI and that LetsEncrypt will use it I wanted to give CFSSL a shot.
Reading the project’s documentation doesn’t really help in building your own CA, but searching the Internet I found Fernando Barillas’ blog explaining how to create your own root certificate and how to create intermediate certificates from this.
I took it a step further I wrote a script generating new certificates for several services with different intermediates and possibly different configurations (e.g. depending on your distro and services certain cyphers (e.g. using ECC) may not be supported).
I also streamlined generating service specific key, cert and chain files. 😀
Have a look at the full Gist or just the most interesting part:
You’ll still have to deploy them yourself.
Update 2016-10-04:
Fixed some issues with this Gist.
- Fixed a bug where intermediate CA certificates weren’t marked as CAs any more
- Updated the example CSRs and the script so it can now be run without errors
Update 2017-10-08:
- Cleaned up
renew-certs.shby extracting functions for generating root CA, intermediate CA and service keys.