from the ow!-my-foot!-shot-it-right-off! dept
In fact, as many quickly noted, Roskomnadzor's own website happens to be secured with a certificate from... Comodo:
by Mike Masnick
Tue, Jul 26th 2016 7:04am
by Mike Masnick
Fri, Jun 24th 2016 12:45pm
Since March of 2016 we have repeatedly asked Comodo to abandon their “Let’s Encrypt” applications, directly and through our attorneys, but they have refused to do so. We are clearly the first and senior user of “Let’s Encrypt” in relation to Internet security, including SSL/TLS certificates – both in terms of length of use and in terms of the widespread public association of that brand with our organization.At the very least, this kind of stupid stunt has me reconsidering if we should ever use Comodo's certificates on our site going forward. We've been a happy Comodo customer for many years, but I hate supporting bullies. Update: And... of course, after this goes public, Comodo suddenly backs down. Of course that doesn't explain why it refused to do so when asked months ago.
If necessary, we will vigorously defend the Let’s Encrypt brand we’ve worked so hard to build. That said, our organization has limited resources and a protracted dispute with Comodo regarding its improper registration of our trademarks would significantly and unnecessarily distract both organizations from the core mission they should share: creating a more secure and privacy-respecting Web. We urge Comodo to do the right thing and abandon its “Let’s Encrypt” trademark applications so we can focus all of our energy on improving the Web.
by Tim Cushing
Mon, Feb 29th 2016 8:25am
Chris Soghoian, the ACLU's chief technologist, has decided to troll the DEA. His complaint is valid, though. The problem is, how do you troll the DEA when it's almost impossible to find the contact info of the person you want to speak to? Just like the FBI has more options at its disposal than simply demanding Apple help it beat down an iPhone's front door, Soghoian was able to route around the DEA's unforthcoming attitude.
How to disclose a security flaw to the DEA.— Christopher Soghoian (@csoghoian) February 28, 2016
1 Find CISO on LinkedIn.
2 Look up consulting company records.
How to disclose a security flaw to the DEA.The email address was harvested from a third-party website for a company DEA CISO Bret Stevens is apparently associated with, Innovative Security Solutions, Inc., conveniently located in northeastern Virginia, right outside of Washington, DC.
1 Find CISO on LinkedIn.
2 Look up consulting company records.
The DEA operates an online tipform, through which individuals can report "possible violation of controlled substances laws and regulations. Violations may include the growing, manufacture, distribution or trafficking of controlled substances."Quite correct. Not only has the Office of Management and Budget stated every agency must use HTTPS on all public-facing websites by the end of 2016, but you'd think a form that collects personal info about members of the public -- especially in conjunction with info about possibly armed and violent criminals -- would be given an extra layer of security. Apparently, the DEA is not all that concerned about its tips being scooped by criminals, or criminals intercepting unsecured tips in order to target do-gooders.
This website does not use HTTPS to protect the transmission of information. It should.
On a more general note, I would also like to encourage you to post publicly contact information for your information security team, so that researchers and other individuals can responsibly disclose flaws such as this issue. This is a best practice followed by some federal agencies, widely adopted by those in the private sector, and promoted as a best practice by the Federal Trade Commission.If this email manages to reach Bret Stevens, it will likely be sneered/groused at before being discarded as the imperious communications of a meddling motormouth representing an entity far too concerned about the rights of all Americans, especially the guilty, drug-dealing ones. As for its unsecured tip form, it will likely remain unsecured until the DEA is finally forced into compliance with the OMB's instructions.
by Glyn Moody
Fri, Feb 26th 2016 6:27am
It will come as no surprise to sophisticated Internet users like Techdirt readers that the UK's attempts to block a growing list of "pirate" sites are easy to circumvent. But a post on TorrentFreak suggests that you don't even need to be a sophisticated Techdirt reader to do that:
While it's hard to stamp out piracy completely, the measures were supposed make it harder for UK Internet subscribers to access these sites.
Apparently this has been known in certain circles for quite a while. Some pirate sites have even gone so far as to force users to connect using HTTPS to enable them to enjoy this further advantage of encryption. There's an interesting discussion in the comments on the TorrentFreak post as to when and why HTTPS connections can get around the court-mandated blocks, and what ISPs might try to do to close this gaping loophole. Even if they do, the other circumvention methods will remain.
However, a recent review of current blocking practices shows that several ISPs including Virgin Media, BT, EE and TalkTalk are failing. It turns out that many subscribers don't have to jump through technological hoops to circumvent the blockades, as many popular pirate sites are freely accessible on their regular connections.
With the help from several subscribers, TorrentFreak was able to confirm that the HTTPS versions of most blocked websites including The Pirate Bay, KickassTorrents, RARBG and Torrentz, are still freely accessible.
The real point here is that the copyright industries are fighting a war they cannot win. That's not just stupid in itself, but doubly stupid, because there's a much better approach that they could take, as Techdirt has noted before: all they need to do to stop most people visiting pirate sites is to offer a good service at a fair price. Simple, really. Almost as simple as using HTTPS.
by Tim Cushing
Wed, Dec 2nd 2015 10:38am
Scores of big brands – from AT&T and Yahoo! to Netflix, GoPro and Macy's – are being sued because their HTTPS websites allegedly infringe an encryption patent.CryptoPeak, of course, offers no cryptography products. It does, however, manage a portfolio of 66 lawsuits, all filed in the Texas Eastern District Court, beginning roughly 60 days after it acquired the patent. Among the illustrious names listed as defendants are PNC Financial Services, VUDU, Netflix, State Farm, Allstate, Petco, GoPro, Mary Kay, Target, Groupon, Williams-Sonoma, Etsy, Priceline… well, the list goes on and on and on.
It appears in May this year CryptoPeak Solutions, based in Longview, Texas, got its hands on US Patent 6,202,150, which describes "auto-escrowable and auto-certifiable cryptosystems."
CryptoPeak reckons TLS-secured websites that use elliptic curve cryptography are infringing the patent – so it's suing owners of HTTPS websites that use ECC. Top tip: loads of websites use ECC these days to securely encrypt their traffic.
Perhaps crucially, [the patent] describes a means for "generating public keys" and "publishing public keys", and it's certainly true that ECC does involve generating public keys and using them.Netflix, which has already moved to dismiss the suit against it, doesn't concern itself too much with the patent's supposed function. Instead, it argues the patent (along with the numerous lawsuits) should be invalidated/tossed because of other wording used in the patent paperwork itself.
But the patent is focused on "a key recovery agent to recover the user's private key or information encrypted under said user's corresponding public key" – which is really not the point of ECC.
The invalidity of the claims asserted here is cut and dry. The Asserted Claims recite “a method and apparatus.” Thus, a practitioner cannot know the scope of the Asserted Claims from reading them because they explicitly claim “separate statutory classes of invention,” an act expressly forbidden by the law. For this reason alone, these claims are invalid on their face, and the Court should declare so at this stage.Netflix then points out the "method and apparatus" wording appears in multiple claims.
The defect in these claims is so glaring that CryptoPeak’s only choice is to request that the Court overlook the express words of the claims, construe the claims to read out certain language, or even correct the claims. CryptoPeak has done just that in its Amended Complaint, alleging that “[n]othwithstanding that [the claims] generically recite the existence of ‘apparatus’ in their preambles, each of the . . . Asserted Claims is a method claim . . . .” (Dkt. No. 21 at 4 (emphasis added).)Seems like a solid argument, but CryptoPeak didn't file in this particular court just because it coincidentally happened to have rented a mailbox and an empty office in Longview, Texas shortly before filing the lawsuits. It filed in this court because magical things often happen for patent trolls -- wholly unrelated to the validity of their claims and their affected Texan accents. If this wasn't the case, then this particular district wouldn't be the IP shitmagnet that it is. If CryptoPeak can nail down a few settlements and licensing agreements, it makes the hassle and expense of serial filing worthwhile. And isn't that why our patent system was implemented in the first place?
This request is improper and should be rejected. The Court must read the claims as written, “not as the patentees wish they [ ] were written.”
by Karl Bode
Tue, Nov 24th 2015 10:38am
"This highlights a disturbing trend among original equipment manufacturer (OEM) hardware vendors. Tampering with certificate stores exposes users to unnecessary, increased risk. Tampering with the certificate store is a questionable practice, and OEM’s need to be careful when adding new trusted certificates, especially root certificates. Sadly, OEM manufacturers seem to not be learning from historical mistakes and keep making them over and over."However Dell did appear to learn something in terms of their PR response to the vulnerability. Unlike Lenovo, which originally tried to deny any security problem whatsoever, Dell has issued a relatively straight forward blog post addressing the issue. In it, Dell does something downright kooky: it admits that the vulnerability is a vulnerability, and publicly thanks the security researchers that discovered it. According to Dell, the certificate was implemented as part of a support tool "intended to make it faster and easier" for users to service their system.
"The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process."Dell's also posted a word document outlining how to spot and remove the certificate here for those interested. It remains unclear just how many computers are at risk, but given that Dell is expected to ship 10 million computers worldwide in the third quarter of 2015, the footprint likely isn't modest. And while Dell managed the problem better on the PR front than their predecessors, the fact that this keeps happening is no less disturbing.
by Tim Cushing
Thu, Oct 15th 2015 11:41am
The NSA hasn't said much (well... compared to the FBI) over the past several months about the default phone encryption offered by Google and Apple. This lack of public outcry has to do with the NSA's capabilities, rather than a sudden interest in ensuring people around the world have access to secure communications. If it truly felt the world would be a better place with safer computing, it wouldn't have invested so much in hardware implants, software exploits and -- its biggest black budget line -- defeating encryption.
Where there's no smoke, there's a great deal of fire which can neither be confirmed nor denied. The NSA has very likely punched holes in encryption in existing encryption. But how does it do it? A brute force attack on encryption would be largely futile, even with the computing power the agency possesses. Alex Halderman and Nadia Heninger at Freedom to Tinker have a theory, and it involves a "flaw" in a highly-recommended encryption algorithm.
The key is, somewhat ironically, Diffie-Hellman key exchange, an algorithm that we and many others have advocated as a defense against mass surveillance. Diffie-Hellman is a cornerstone of modern cryptography used for VPNs, HTTPS websites, email, and many other protocols. Our paper shows that, through a confluence of number theory and bad implementation choices, many real-world users of Diffie-Hellman are likely vulnerable to state-level attackers.The belief that these common primes (or at least some of them) wouldn't be cracked relied on the assumption that no one entity would have the money to assemble the computing force needed to break the code. The problem is that the NSA likely has the time, money and power to tackle this enormous project. Here's why it first seemed unlikely:
For the nerds in the audience, here’s what’s wrong: If a client and server are speaking Diffie-Hellman, they first need to agree on a large prime number with a particular form. There seemed to be no reason why everyone couldn’t just use the same prime, and, in fact, many applications tend to use standardized or hard-coded primes. But there was a very important detail that got lost in translation between the mathematicians and the practitioners: an adversary can perform a single enormous computation to “crack” a particular prime, then easily break any individual connection that uses that prime.
For the most common strength of Diffie-Hellman (1024 bits), it would cost a few hundred million dollars to build a machine, based on special purpose hardware, that would be able to crack one Diffie-Hellman prime every year.And here's the reality of the situation, as exposed by documents leaked by Snowden.
The 2013 “black budget” request, leaked as part of the Snowden cache, states that NSA has prioritized “investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit internet traffic.” It shows that the agency’s budget is on the order of $10 billion a year, with over $1 billion dedicated to computer network exploitation, and several subprograms in the hundreds of millions a year.What was once considered to be beyond the capabilities of even the biggest intelligence agency is obviously well within its reach. As the authors point out, this would explain the other information seen in leaked documents, like the NSA's ability to decrypt some secured connections "on command" or eavesdrop on VPN traffic.
Our findings illuminate the tension between NSA’s two missions, gathering intelligence and defending U.S. computer security. If our hypothesis is correct, the agency has been vigorously exploiting weak Diffie-Hellman, while taking only small steps to help fix the problem.As the authors point out, the NSA has recommended better encryption methods, but no one's in any hurry to adopt them because no one trusts the NSA to recommend a method it hasn't already weakened, if not completely compromised. If there's any truth to what's covered here, the NSA has sat quietly by and allowed researchers to recommend yet another encryption method that it's already made large strides towards defeating. And, once again, we can see that when the word "security" is combined with the word "national," it means something completely different than when it stands on its own.
by Mike Masnick
Mon, Sep 21st 2015 11:14pm
On October 1 all new links wrapped with Twitter's t.co wrapper will use the https URL scheme. The https scheme helps Twitter securely deliver readers to the intended destination.We have discussed for years, of course, the value of encrypting more of the web, and especially increasing use of HTTPS-by-default. Kudos to Twitter for making this move and encouraging widespread use of HTTPS to better protect people's surfing. It's worth noting that Twitter is also warning sites that they may see a drop in referrals from Twitter, because browsers drop the referrer from the header when an HTTPS link goes to an HTTP destination -- but it notes that it will be using referrer policy instead, which is good. Most modern browsers support referrer policy, and thus this isn't really that big a deal. However, it's one of the random complaints that some anti-HTTPS campaigners have argued over the years (that the lack of referrer is a big loss under HTTPS).
by Mike Masnick
Fri, Jun 26th 2015 2:47pm
As you hopefully already know, the Wayback Machine is a tremendously useful tool for looking up archived versions of websites. It is a kind of library of our internet history. Of course, as the article at Global Voices notes, part of the reason the entire site is getting blocked is due to the use of HTTPS. While some might argue that this is a reason why sites shouldn't go to default HTTPS, I'd argued the opposite: it shows the value in HTTPS in that it makes censorship much more difficult such that when it occurs, the results are so ridiculous that it hopefully leads to greater pushback on the ridiculous attempts to censor.
The Russian government has blocked the Internet Archive, the San-Francisco-based website that provides the popular Wayback Machine, which allows users to view archived webpages. The decision to ban the Internet Archive appears to be the work of Russia's Attorney General, meaning that police determined that the website contains extremist content.
Rublacklist.net says police targeted the Internet Archive because of a saved webpage called “Solitary Jihad in Russia,” a short text that claims to offer information about the “theory and practice of partisan resistance.” At one point, the text states that Islamic sharia law “must be instituted all across the world.”
According to the website Rublacklist.net (a censorship-monitoring project operated by the Russian Pirate Party), the page in question* on the Internet Archive was added to Russia's official registry of banned websites on June 23, 2015. Because the Internet Archive uses https, some Russian ISPs will have to block the entire website in order to comply with the blacklisting, since encrypted traffic won't allow them to differentiate between different pages of the same site. According to TJournal, users of mobile Internet provider Yota were unable to access the page, the Wayback Machine, or the Internet Archive on June 25.
by Mike Masnick
Tue, Jun 16th 2015 10:30am
Explore some core concepts:
|09:34||Comcast: The Economics Of Offering Cheaper, Better Streaming TV Service 'Unproven' (17)|
|08:32||The Selfie-Taking Monkey Who Has No Idea He Has Lawyers Has Appealed His Copyright Lawsuit (52)|
|06:54||Bruce Schneier Sounds The Alarm: If You're Worried About Russians Hacking, Maybe Help Fix Voting Machine Security (79)|
|03:51||Security Researchers Sued For Exposing Internet Filtering Company's Sale Of Censorship Software To Blacklisted Country (24)|
|23:48||New Law In Illinois Restricts Stingray Use, Requires Court Orders For Deployment (8)|
|16:05||Wireless Industry To Request En Banc Appeal Hearing On Net Neutrality Rules (16)|
|14:38||NSA Surveillance Compliance Reports Show Typos, Lack Of Communication Resulting In Erroneous Targeting And Collection (2)|
|13:11||Techdirt's DMCA Takedown T-Shirt, Going Fast (1)|
|11:54||Dentist Sues Another Unhappy Patient; Offers To Let Journalist See Patients' Private Files To Dispute Claims (14)|
|10:44||Intellectual Property Fun: Is Comedy Central Claiming It Owns The Character Stephen Colbert? (27)|
|10:38||Daily Deal: Radix '.tech' Domain (8)|
|09:37||United Arab Emirates Makes Using A VPN A Crime... To Protect The Local Telcos From VoIP Competition (21)|
|08:34||Photographer Sues Getty Images For $1 Billion For Claiming Copyright On Photos She Donated To The Public (55)|
|06:29||After Ripping Off Cities, States For Years, Verizon Makes Some Familiar Broadband Promises To Boston (38)|
|03:25||Not Just In The US: TPP Meeting More Resistance In Australia And Japan, Too (24)|
|23:09||How The EU Might Keep Internet Access Open To The Public (5)|
|15:49||'Wish I Had The Power' To Hack Enemies' Emails, Says Man Very Close To Having Such Power (127)|
|14:36||Court Says Bugs The FBI Planted Around California Courthouses Did Not Violate Anyone's Expectation Of Privacy (30)|
|13:03||Federal Prosecutors Use All Writs Order To Compel Suspect To Unlock Phone With His Fingerprint (26)|
|11:50||Russian Copyright Law Allows Entire News Site To Be Shut Down Over A Single Copied Article (3)|
|10:43||Clinton Friend Admits What Everyone Knows Is True: Clinton Still Supports TPP & Will Back It (60)|
|10:38||Daily Deal: Project Management Certification Training 2016 Bundle (0)|
|09:34||Colorado Republican Committee Tries To Use CFAA To Get Even With A Bogus Tweeter, Fails Completely (10)|
|08:34||IP Lawyers Tell Copyright Office To Stop Screwing The Public By Opposing Cable Box Reform (12)|
|06:58||Putin's Internet Trolls Are Stoking The Vitriolic Fire By Posing As Trump Supporters (63)|
|03:56||This Is What It Was Like To Take Part In The Failed Turkish Coup, In The Words Of The Plotters (15)|
|23:59||EU Data Protection Official Says Revised Privacy Laws Should Ban Backdooring Encryption (17)|
|16:14||MIT Media Lab Launched Disobedience Award, Funded By Reid Hoffman (12)|
|14:33||Anti-Vax Film Distributors Threaten Critic And Autistic Rights Advocate With Defamation (164)|
|13:13||Techdirt Podcast Episode 83: 'Disruption' Is Not An Excuse For Lying (0)|