Weekly output: network security (x2), election security, Google finding Apple’s bugs

Now it can be told: I spent all of the last two weeks on the West Coast, with my stay in Las Vegas for Black Hat and DEF CON sandwiched inside time with my in-laws in California. That let me have a much shorter trip to and from Vegas and then segue from WiFi security to a little wine tasting and, more important, a lot of napping.

8/12/2019: WiFi can be a free-for-all for hackers. Here’s how to stop them from taking your data, USA Today

I e-mailed this to my editor with the following note: “I’m sending this over the DEF CON conference WiFi, so if you only see pirate-flag emoji I trust you’ll call or text to warn me.” If you don’t want to read all 600-ish words in this piece, the top three are “encryption is your friend.”

8/12/2019: This tech could secure voting machines, but not before 2020, Yahoo Finance

One of the big reasons I decided to stick around Vegas for DEF CON–even though it meant I’d have to pay $300 in cash for that conference badge–was the chance to see the exhibits and presentations at its Voting Village. The proceedings did not disappoint, even if a DARPA demo from a project with the delightful acronym of SSITH is far from yielding shipping voting hardware.

8/12/2019: Google got Apple to fix 10 security flaws in the iPhone, Yahoo Finance

Black Hat offered a two-course serving of Apple-security news. Its first day featured a briefing from Google Project Zero researcher Natalie Silvanovich about how her team uncovered 10 serious iOS vulnerabilities, and then its second day brought a talk from Apple security-engineering head Ivan Krstić that ended with news of a much more open bug-bounty program.

8/14/2019: This Morning with Gordon Deal August 13, 2019, This Morning with Gordon Deal

I talked about my USAT column on this business-news radio program; my spot starts just after the 13th minute.


Weekly output: mobile payments, Black Hat security, travel tech

I left Black Hat feeling a little overwhelmed–not because of how little time I had to take in things between my arrival in Vegas Tuesday afternoon and my departure Thursday night, but because of how many fascinating briefings I had to miss because I was attending others. And then there’s everything I missed by flying home before DEF CON.

8/6/2018: Hang on, Apple: Phone payments still need work, USA Today

Seeing all the hype over Apple announcing that CVS will finally succumb to reality and accept Apple Pay (meaning you can also pay with any non-Apple phone that does NFC payments) got me feeling cranky enough to write this reality-check post. I’ve since received an e-mail from a reader saying he’s had no problem paying for stuff with his iPhone in Mexico, contrary to a statement in the column based on an incorrect reading of Apple and Google support documents. I’ve asked my editors to correct that part.

8/9/2018: Black Hat attendees are surprisingly lax about encryption, The Parallax

As I was putting together my Black Hat schedule, I got an invitation to tour the network operations center supervising the conference’s WiFi. I thought that visit would allow me a chance to look at a lot of blinking lights, but instead it provided up-close evidence of some horrifyingly slack security practices among a minority of Black Hat attendees.

8/11/2018: Welcome and Keynote with Rob Pegoraro, Frequent Traveler University Washington, DC

After years of profiting from tips shared in various frequent-flyer forums, I had a chance to give back when FTU host Stefan Krasowski asked if I’d like to talk about my travel experiences to open this two-day program of seminars about airline and hotel loyalty programs and other sorts of travel hacking. We had a great conversation about freelance business-trip economics, the gadget accessories I take on the road, two underrated virtues of United elite status, and my worst airport-transit experience ever. My only regret: Since I couldn’t stick around for the rest of the day, I didn’t have a chance to meet the other FTU speakers, a few of whom I’ve been reading for years.

Weekly output: Google phones (x2), SXSL, e-mail encryption

I just watched the second presidential debate, and I was disappointed but not surprised by the lack of tech-policy banter. You?

10/3/2016: Why it matters that Google might be producing its own phones, Yahoo Finance

My suggestion at the end that Google might offer an installment-payment option for the new Pixel and Pixel XL phones–something analyst Jan Dawson suggested to me in an e-mail–panned out when Google introduced just that.

10/4/2016: Google’s new phones, WTOP

I spoke briefly about the Pixel and Pixel XL to the news station. One thing I wish I’d mentioned: These two new phones aren’t waterproof, unlike the iPhone 7 and the Galaxy S7.

10/4/2016: Obama gathers top tech to tackle US problems, Yahoo Finance

I spent most of Monday at the White House, which is not a bad way to while away an afternoon. This South by South Lawn event did not feature free beer (at least during the day) and so fell short of being a D.C. salute to Austin’s South by Southwest festival, but on the other hand SXSW has yet to allow me to see Rep. John Lewis (D.-Ga.) speak.

10/9/2016: How to protect your email from snooping, USA Today

Freelancing for multiple clients can sometimes lead to situations where one client asks you to write about an issue involving another.

Weekly output: iOS updates, Mac ransomware, ISP privacy (x2), wedding gifts, e-mail security

AUSTIN–I’ve been here since Friday morning, and somehow I have not eaten any brisket yet. If you choose to regard that oversight as a character issue, I can’t blame you.

3/7/2016: How to recover from iPhone update gone bad, USA Today

I made a mistake in this column–I misread an Apple tech-support note about restoring an iPhone in an Apple Store as evidence that you could also borrow a computer there to back up your iPhone and then restore it. That’s not the case, as two people pointed out, so I’ve asked my editor to correct the piece.

3/7/2016: Your ISP might not be spying on you now — but you’d be crazy not to worry that it will, Yahoo Tech

This post started life as a simpler, shorter unpacking of a report about the limits to Internet providers’ visibility of their subscribers’ online activity, but the topic and the word count expanded a bit from there.

3/8/2016: Ransomware on the Mac: Turns out identity theft is a problem for apps, too, Yahoo Tech

After this ran, a friend commented on my Facebook page that he uses the Transmission app but had chosen to skip the update that had been contaminated with a ransomware payload. Yikes.

3/9/2016: Great Wedding Registry Gift Ideas, The Sweethome

As part of this long guide to wedding presents, Casey Johnston interviewed my wife and me about the stand mixer that (I think) some of her parents’ friends gave us, and which I use to make bread every week.

3/11/2016: FCC proposes new broadband-privacy rules — and your ISP probably hates them, Yahoo Tech

Federal Communications Commission chairman Tom Wheeler proposed some not-too-sweeping rules to limit what your ISP can do with the data it collects about your online activity, and Big Telecom is not amused.

3/13/2016: How to give your email a security checkup, USA Today

I was pleasantly surprised to see some large Internet providers support IMAP syncing and TLS encryption–but others have horribly obsolete and insecure setups. Think about that when you hear somebody insist that the only way to get a good and reliable service online is to pay for it.

Weekly output: online comments, Chrome and site security

We’re thisclose to the slow days of summer, but we’re not there yet. That’s probably why I’m still taking care of work chores on a Sunday night.

7/21/2015: Why Online Comments Suck (and How to Fix Them), Yahoo Tech

You know where this essay about the lack of constructive conversation at Reddit and other places online got zero comments? At Reddit. You never know sometimes…

7/26/2015: Why Chrome questions your bank’s security, USA Today

This column became a lot more work to report when financial-industry PR types clammed up after I asked what I thought was a simple question about their sites’ security. And then Google wasn’t much more help itself.

Weekly output: e-mail security (x2), MacBook webcam

This week’s work involved the Virginia countryside, a space capsule, robots playing soccer, and some quality time with drones. And yet none of those things showed up in this week’s articles. But there’s always next week…

6/10/2014: Explained: How ‘TLS’ Keeps Your Email Secure, Yahoo Tech

I enjoyed crafting the photo for this, and not just because it gave me an excuse to flip through old postcards. I did not enjoy reading the comments as much: the repeated assertion there that nothing online can be made secure is both incorrect on a technical level and fundamentally defeatist.

6/10/2014: 4 Ways Your Email Provider Can Encrypt Your Messages, Yahoo Tech

I wrote a short sidebar–something we’ve taken to doing more often at Yahoo Tech–outlining how e-mail encryption has advanced over the last decade or so… at least at some providers.

6/15/2014: Revisiting a fix for your MacBook webcam, USA Today

Yes, you read about this topic earlier this year in my USAT column. But this time around the remedy may work a little more reliably. There’s also a tip about watching Netflix on a computer without Microsoft’s Silverlight plug-in–if you’re running Windows 8.1.

Heartbleed and bleeding-heart open-source advocacy

For at least the last decade, I’ve been telling readers that open-source development matters and helps make better software. If everybody can read the code of an application or an operating system, there can’t be any hidden backdoors; if anybody can rewrite that code to fix vulnerabilities and add features, the software’s progress can’t be thwarted by any one company’s distraction, fraud or bankruptcy.

My glowing endorsement of Mozilla Firefox 1.0 in November 2004 set the tone:

…the beauty of an open-source product like this is that you can participate in its evolution. Firefox’s code is open for anybody to inspect and improve...

Since then, I’ve recommended open-source operating systems, office suites, anti-virus utilities, secure-deletion tools, file-encryption software, two-factor authentication apps, PDF exporters, DVD rippers and video-playback toolkits. And I’ve had one phrase in mind each time: Given enough eyeballs, all bugs are shallow.

My experience using open-source software tells me this is true–even if that doesn’t guarantee a constant rate of improvement or an elegant interface.

And if any genre of software should benefit from this method of development, it ought to be code that Web sites use to secure their interactions with users from eavesdropping: Everybody sending or storing private information needs this feature, billions of dollars of transactions are at stake, and you don’t even have to worry about wrapping a home-user-friendly UI around it.

True, right? Except Heartbleed happened. Two years ago, an update to the widely used OpenSSL encryption library added a “heartbeat” function that made it easier for sites to keep an encrypted session going. But it also harbored a disastrous vulnerability: the code trusted the length a client claimed for its heartbeat payload without checking it against the data actually received, so a malformed request would make a server (or client) echo back up to 64 kilobytes of whatever happened to sit next to that request in memory: usernames, passwords, e-mail content, financial transactions, even the private key behind the site’s certificate. The request looks like ordinary traffic and leaves nothing in a normal server log, so an attacked site can’t check afterwards to see if it got hit. I defy the NSA to script a better hack.

And despite missing bounds checks being a well-known risk with documented defenses, nobody caught this for two years. Two years! It took a Google researcher and engineers at the Finnish security firm Codenomicon to find the bug separately and report it to the OpenSSL team.
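To make the missing check concrete, here is an added example written for this post (it is not OpenSSL’s code, and the names, the constants and the simulated memory are mine). It models the RFC 6520 heartbeat record as OpenSSL parsed it, with the request placed at the start of a constructed byte array and a fake secret planted right after it where adjacent heap data would sit. The vulnerable handler copies however many bytes the request claims; the fixed handler mirrors the shape of the 1.0.1g check, refusing any request whose claimed payload plus header and padding does not fit in the record actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout from RFC 6520:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * Names and constants below are this example's own, not OpenSSL's. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16

/* Constructed stand-in for process memory: the incoming record sits at the
 * start, a fake secret directly after it. Sized so that even a maximal
 * 65535-byte claim stays inside the array and the demo itself is memory-safe. */
#define ARENA_SIZE 70000
static unsigned char arena[ARENA_SIZE];
static unsigned char response[ARENA_SIZE];
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY-----";   /* planted, constructed */

/* Vulnerable handler: trusts the length field in the request.
 * Returns the number of response bytes written. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *resp)
{
    (void)rec_len;                       /* never consulted: that is the bug */
    if (rec[0] != HB_REQUEST) return 0;
    unsigned payload = ((unsigned)rec[1] << 8) | rec[2];
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + HB_HEADER, rec + HB_HEADER, payload);   /* over-reads past the record */
    memset(resp + HB_HEADER + payload, 0, HB_PADDING);
    return HB_HEADER + payload + HB_PADDING;
}

/* Fixed handler: the claimed payload, header and padding must all fit inside
 * the record that was actually received, otherwise the request is dropped. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *resp)
{
    if (rec_len < HB_HEADER + HB_PADDING) return 0;     /* too short to hold a length */
    if (rec[0] != HB_REQUEST) return 0;
    unsigned payload = ((unsigned)rec[1] << 8) | rec[2];
    if ((size_t)HB_HEADER + payload + HB_PADDING > rec_len) return 0;   /* silently drop */
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + HB_HEADER, rec + HB_HEADER, payload);
    memset(resp + HB_HEADER + payload, 0, HB_PADDING);
    return HB_HEADER + payload + HB_PADDING;
}

/* Build a request in the arena that claims `claimed` payload bytes while
 * carrying only `actual`, then plant the secret right after the record.
 * Returns the real length of the record. */
static size_t build_request(unsigned claimed, unsigned actual)
{
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memset(arena + HB_HEADER, 'A', actual);
    memset(arena + HB_HEADER + actual, 0, HB_PADDING);
    size_t rec_len = HB_HEADER + actual + HB_PADDING;
    memcpy(arena + rec_len, SECRET, sizeof SECRET);    /* "adjacent memory" */
    return rec_len;
}

/* Does the response carry the planted secret anywhere in it? */
static int leaks_secret(const unsigned char *resp, size_t resp_len)
{
    size_t n = sizeof SECRET - 1;
    for (size_t i = 0; i + n <= resp_len; i++)
        if (memcmp(resp + i, SECRET, n) == 0) return 1;
    return 0;
}

int main(void)
{
    size_t rec_len = build_request(600, 2);   /* claims 600 bytes, sends 2 */
    size_t n = heartbeat_vulnerable(arena, rec_len, response);
    printf("vulnerable: %zu bytes returned, secret leaked: %s\n",
           n, leaks_secret(response, n) ? "yes" : "no");
    n = heartbeat_fixed(arena, rec_len, response);
    printf("fixed: %zu bytes returned (0 means the request was dropped)\n", n);
    return 0;
}
```

The honest request, two claimed bytes carrying two real bytes, gets the same 21-byte answer from both handlers; only the lying request separates them. Note what the fix does not do: it never tells the client the request was malformed, which is why nothing in an ordinary log distinguishes a probe from a keepalive.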

How bad is this? Ask security researcher Bruce Schneier:

“Catastrophic” is the right word. On the scale of 1 to 10, this is an 11.

It seems that everything that could go right in open-source development went wrong in this case. As an excellent story from Craig Timberg in the Post outlines, the free nature of OpenSSL made it an obvious choice for hundreds of thousands of sites and something of a natural monopoly; that same enormous deployment encouraged people to assume they themselves didn’t need to inspect the code that carefully; and OpenSSL’s developers got so little financial support from the corporations relying on their work that they couldn’t even subject their code to a proper security audit.

The stupid thing is, we knew this could happen. See John Viega’s 2000 essay, “The myth of open source security,” in which he outlines how thousands of users failed to catch “a handful of glaring security problems” in code he’d contributed to the Mailman mailing-list manager:

Everyone using Mailman, apparently, assumed that someone else had done the proper security auditing, when, in fact, no one had.

That doesn’t mean that closed-source development suddenly looks better. (When all this is done, Microsoft’s proprietary and hideous Internet Explorer 6 may still have greased the skids for more successful attacks than OpenSSL.) But it does mean that selfishness/laziness/distraction and open source can become a toxic mix, one we should have seen coming.

Updated, 10:25 a.m., to add a link to Viega’s prescient article.