Saturday, October 19, 2013

The security services are stripping us of basic Internet security


Open Rights Group International - The latest revelations from the Guardian give good evidence of why they have recently been the target of government harassment, and also why this is entirely unjustified.

Their reports of NSA and GCHQ attacks on fundamental Internet security really matter. These are the basics of trust on the Internet; they are the reason you trust your bank, your credit card payments or Virtual Private Networks not to leak this information to criminals, blackmailers or governments.

Thus the real impact is not just about security; it is about economics.

Of course we all expect the NSA and GCHQ to try to break encryption systems from time to time; it's their job. The problems arise when they make us all vulnerable as a result.

From the Guardian article, it appears they use threats and secret orders issued to commercial companies to insert backdoors, which must now undermine our trust in very common software products. They covertly insert vulnerabilities that weaken the security of technical systems for everyone, not just their targets.

The idea that this won't be abused by as yet unknown parties can only be naïve optimism, plain stupidity or complete disregard for anything other than the NSA and GCHQ's mission.

How it works
This isn't about breaking the maths - at least not usually. It's about exploiting the 'joins' between pieces of software, introducing flaws into the implementation of cryptography, and adding more general 'backdoors' to the communications that don't rely on the cryptography at all. Schneier gives some good examples:

Basically, the NSA asks companies to subtly change their products in undetectable ways: making the random number generator less random, leaking the key somehow, adding a common exponent to a public-key exchange protocol, and so on. If the back door is discovered, it's explained away as a mistake.

The agencies seem to be doing this directly with companies and standards bodies, on a very wide basis. Many of these exploits are better thought of as the exploitation of software vulnerabilities than as attacks on the underlying mathematics.

Thus their strategy relies on people trusting big companies, or not paying attention to the work of the standards bodies that choose security protocols.
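As an added illustration (not code from the original article or from Schneier), the following Python simulates the "random number generator less random" case: a hypothetical generator whose 128-bit keys depend on only 16 bits of seed. The key space collapses to 65,536 values, and repeated keys show up in a sample of a couple of thousand, which is exactly the kind of signal a defender can look for across a fleet of certificates or devices.

```python
import hashlib
import os
import random
from collections import Counter


def keyspace_size(seed_bits: int) -> int:
    """How many distinct keys a generator seeded with seed_bits can ever emit."""
    return 1 << seed_bits


def weakened_key(seed: int) -> bytes:
    """Hypothetical 'backdoored' generator: each 128-bit output looks random,
    but depends only on a small seed, so only keyspace_size(seed_bits)
    distinct keys can ever appear (constructed for illustration)."""
    return hashlib.sha256(seed.to_bytes(4, "big")).digest()[:16]


def sample_weak_keys(n: int, seed_bits: int, rng_seed: int = 1) -> list:
    """Draw n keys from the weakened generator. The seeds come from a fixed
    PRNG so the run is reproducible (constructed sample data, not real keys)."""
    rng = random.Random(rng_seed)
    return [weakened_key(rng.getrandbits(seed_bits)) for _ in range(n)]


def sample_honest_keys(n: int) -> list:
    """Draw n 128-bit keys from the OS CSPRNG for comparison."""
    return [os.urandom(16) for _ in range(n)]


def duplicate_count(keys: list) -> int:
    """Number of keys that repeat one already seen. Repeated keys across
    supposedly independent devices are a red flag for a low-entropy generator."""
    return sum(c - 1 for c in Counter(keys).values())


if __name__ == "__main__":
    weak = sample_weak_keys(2000, 16)
    honest = sample_honest_keys(2000)
    print("key space with 16 seed bits:", keyspace_size(16))
    print("duplicates among 2000 weak keys:", duplicate_count(weak))
    print("duplicates among 2000 honest keys:", duplicate_count(honest))
```

With 2000 draws from a 65,536-value key space the birthday bound makes repeats essentially certain, while 2000 honest 128-bit keys never repeat.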

Friday, October 18, 2013

ORG: Say no to the Nomitax!


This coming Monday, Nominet's consultation on a .uk domain ends. We are asking everyone to respond and say 'no'.

Nominet were told to stop creating new second level domains (like .co.uk or .me.uk) because they are a monopoly, and instead an independent consultative group decides when new .uk domains are needed. This group also decides who controls them, to avoid Nominet simply inventing new second level domains (SLDs). This is important, as many people want to own all the domains potentially associated with their personal or company name. Only really new and non-confusing SLDs should be added, so that this problem is avoided.


Nominet have circumvented this attempt to stop them printing money and demanding new registrations from UK domain owners, by asking to allow anyone to own a top level .uk domain. This means you will now be faced with registering not just mydomain.co.uk and mydomain.org.uk but also, if you want to control the name, mydomain.uk – resulting in a windfall for the cash-rich Nominet, but plenty of problems for everyone else.

For instance, in the future, how will you know whether someuniversity.uk is a real university, or just another commercial outfit posing as a higher education establishment? Will thelawcommission.uk be a government body, or a private entity?

Aside from this confusion, Nominet's consultation makes an extraordinary attempt to argue that it needs more cash because it operates in the public interest, so more cash means more public interest activities for the public.

This is the standard argument for a tax, not for a new round of domain registrations. Nominet are not entitled to make such a circular argument: their public purpose is to provide a secure and trusted domain registry service.

If their new registry policy does not serve that – and they don't manage to argue that it does – then they cannot simply say that more cash for Nominet is a great reason to charge UK domain owners for new domains.

You can respond using their online form. You can also read their full consultation page and our response.

Say no to the Nomitax!