infosec

/Tag: infosec

SSL is still garbage.

How the NSA, and your boss, can intercept and break SSL | ZDNet

Most people believe that SSL is the gold-standard of Internet security. It is good, but SSL communications can be intercepted and broken. Here's how.

Apropos of the Shop outage yesterday: It is trivially easy (albeit usually expensive) to strip SSL connections, and do it in a way most end-users won’t be able to detect.

2018-09-18T10:36:53+00:0018th September, 2018|Tags: infosec, ssl, tech|Comments Off on SSL is still garbage.
Read More

Bad life choices.

James Mickens on machine learning, AI, and security.

From the keynote’s summary:

Using case studies involving machine learning and other hastily-executed figments of Silicon Valley’s imagination, I will explain why computer security (and larger notions of ethical computing) are difficult to achieve if developers insist on literally not questioning anything that they do since even brief introspection would reduce the frequency of git commits.

2018-09-10T08:24:52+00:005th September, 2018|Tags: infosec, tech|1 Comment
Read More

Psuedorandom.

Bad news conspiracy theorists. QAnon codes are just a guy mashing his keyboard

The codes in Q’s posts aren’t actual codes, but instead “just random typing by someone who might play an instrument and uses a qwerty keyboard,” says password expert.

The world expert on password analysis (no, really) looks at the “secret codes” posted by QAnon conspiracy trolls… and determined they’re very obviously just keyboard mashing. The methodology used to determine this is pretty interesting, too, and makes total sense when explained. You can even follow along yourself at home!

Also of interest: the “codes” were almost certainly generated by someone using a QWERTY keyboard, which probably means someone in the US (UK keyboards have slightly different symbol arrangements above the number keys, as do Russian keyboards that have joint Cyrillic/English layouts).

2018-08-15T08:45:17+00:0015th August, 2018|Tags: culture, infosec|Comments Off on Psuedorandom.
Read More

Common goods.

Data privacy is not like a consumer good, where you click “I accept” and all is well. Data privacy is more like air quality or safe drinking water, a public good that cannot be effectively regulated by trusting in the wisdom of millions of individual choices. A more collective response is needed.

Part of the problem with the ideal of individualized informed consent is that it assumes companies have the ability to inform us about the risks we are consenting to. They don’t. Strava surely did not intend to reveal the GPS coordinates of a possible Central Intelligence Agency annex in Mogadishu, Somalia — but it may have done just that. Even if all technology companies meant well and acted in good faith, they would not be in a position to let you know what exactly you were signing up for.

Zeynep Tufekci on risk.

2018-02-06T09:46:40+00:0024th July, 2018|Tags: infosec, privacy|12 Comments
Read More

SSL is terrible, pt. 495.

Extended Validation is Broken

Tl;dr, like everything else with SSL, EV is fucking broken.

Because I will forever be, at heart, a huge brat, one of my favorite questions to ask people who pretend to know about INFOSEC is, “So what, exactly, is the point of SSL?” (Or TLS, or HTTPS, or however you want to word it.)1

Pretty much no one, in the field or out of it, gets the answer to this question correct. I’ve written about it before2 but, tl;dr version, the original intent of SSL was to link an online presence with a real-world entity. The problem is that the validation requirements were, well. Expensive. Like, thousands of dollars worth of expensive, which is how much a “real” SSL certificate is supposed to cost. Because the CA that issues it is “supposed” to investigate you—to actually meet you, face-to-face, in fact—and make sure you’re really who you say you are, before issuing the cert in the first place.

“But Alis!” you say. “I can get an SSL cert free from, like, Let’s Encrypt! Hell, you get free certs from Let’s Encrypt!”

Yeah, I do. And the thing about Let’s Encrypt? It’s a perversion of the entire point of the system. And it provides exactly squat in the way of security, because in a world where anyone can get a cert issued to basically anything, for any purpose, under any name, how do you know that the entity you’re communicating with is, in fact, the entity you want to be communicating with?

Spoiler alert: you can’t, see original linked article.

“Wait,” you say, confused. “If SSL is so broken, why do tech companies like, say, Google push it so hard?”

Well, Dorothy, because, firstly, the one thing SSL does do is give carriers a level of plausible deniability when it comes to government requests to wiretap internet traffic. “Well. Here are the traffic logs from the server! Oh, well. No, you can’t read them because it’s all HTTPS. Sorry, not our fault! We did what you wanted!”3

But, mostly? Google in particular pushes SSL so damn hard because one of the thing SSL does in change the way HTTP referrers are sent. Why does Google care about this? Well, because it means webmasters suddenly don’t or can’t know where some or most of their website traffic is coming from, including search requests. So isn’t it great that Google can sell them this information as part of its ad platform! Phew, thanks Google! What a win for “privacy”!

… yeah.

Tl;dr, SSL is still terrible. And the “good” news? There’s still really no better option.

  1. The difference? Very briefly, SSL and TLS are two implementations of a secure communications protocol, with SSL being the older-and-now-deprecated version. HTTPS is basically “the web but with SSL/TLS.” In most cases the three terms are used as synecdoches, though HTTP isn’t the only thing that can be used with SSL/TLS. ^
  2. At length. It’s a bugbear, what can I say? ^
  3. It’s worth noting that this is mostly security theater; nation-state level actors, specifically intel organisations, can and do actively tap backbone networks. The thing they mostly don’t do is share the information gathered from these sources with law enforcement agencies, who desperately want it. In other words, yes. Most Current Issues In Government Surveillance are a dick measuring contest between spys and the cops. ^
2018-05-22T09:01:53+00:008th June, 2018|Tags: infosec, privacy, ssl, xp|1 Comment
Read More

When it’s girls, it’s not hacking.

Petz: A lost community of mostly female coders/gamers

I was about 15 in the early 2000s when I started playing Petz. I’d always loved animals and computers, so when I saw the games at Circuit…

A look at the strange, lost community of Petz hackers.

For the record, cheating in The Sims was my introduction to hacking hex files. I couldn’t find a trainer or cheat that would alter social relationships,1 so I wrote down, in order, the values for the current like/love values of the sim I wanted to edit, converted those to hex, opened the save file in a text editor, and found where that sequence appeared. Then I edited it. I corrupted a few files, but mostly it worked like a charm.

  1. And oh the irony that tn The Sims, as in real life, I suck at social interactions. ^
2017-12-21T08:40:56+00:0029th May, 2018|Tags: gaming, infosec, internet, pop culture, tech, video games|1 Comment
Read More

Stop using Facebook.

How Facebook Figures Out Everyone You've Ever Met

In real life, in the natural course of conversation, it is not uncommon to talk about a person you may know. You meet someone and say, "I'm from Sarasota," and they say, "Oh, I have a grandparent in Sarasota," and they tell you where they l...

Seriously. I’m not even kidding.

Stop.

Using.

Facebook.

2017-11-28T09:10:22+00:0011th May, 2018|Tags: facebook, infosec, privacy, social media|Comments Off on Stop using Facebook.
Read More