Security and Privacy

We have recently learned about how the NSA and GCHQ have been spying on their own people and on everyone else, and I think that may make one or two people just a bit queasy. So I want to explore a little of what we can do to preserve our privacy and secure our systems. But I need to make a disclaimer: I am not a security expert by any means. My role is more that of someone who can learn some simple things and pass them on in what I hope is an understandable manner. I do hope to give you some resources to guide you if you want to dive a little deeper into this. So with that disclaimer, let’s go.

Why Do We Need Privacy, And Isn’t It A Waste Of Time Anyway?

I think all of us may have had some hazy idea that “the government”, whoever that may be where you live, was investigating all manner of things. I happen to live in the United States of America, but I know our situation is not unique. If you think back a few years, the government of …

Encryption and E-mail

This is a series of tutorials on the subject of encryption and its use in e-mail communications.
Encryption Basics
Creating a Key Pair – Command Line
Creating a Key Pair – GUI Client
Encryption and E-mail with Thunderbird
Encryption and Gmail
Encrypting E-mail on Android; Importing Keys

Hashing, Passwords, and Certificates

This series explains the fundamentals of hashing and its application in passwords and certificates.
Hashing and Password Security
Passwords, Entropy, and Good Password Practices
Symmetric vs. Asymmetric Encryption
Digital Signatures and Certificates
TLS/SSL Certificate Issues and Solutions

True Crypt, Heartbleed, and Lessons Learned

In the last few weeks (as I write this in late April 2014) two events have combined to deliver a powerful lesson on the security of Open Source software. But it is important to know exactly what the right lesson is. I have seen reports that Heartbleed was a proof of something fundamentally wrong with …

Sensible Security: The Schneier Model

Back in 2001 there was a certain incident on September 11 that led many people to go “OMG! We are doomed! We must increase security! Do whatever it takes!” And the NSA was happy to oblige. And on 7/7/05 an attack in London added to the frenzy. I think it is fair to say that …

TrueCrypt and GnuPG: An Update

Previously we looked at the issues around TrueCrypt and Heartbleed, and noted that a fundamental problem was that technologies we rely on to be safe are often developed and maintained by volunteers or people on a shoestring budget. There is now more news worth looking at in this respect, so it is time for an …

TrueCrypt, Heartbleed, and Lessons Learned

This appeared as a cover story in Full Circle Magazine Issue #86, June 2014. In the last few weeks (as I write this in late April 2014) two events have combined to deliver a powerful lesson on the security of Open Source software. But it is important to know exactly what the right lesson is. …

LastPass Hacked: What Does This Mean?

On June 15, LastPass disclosed that it had been hacked, and I think by now just about everyone has heard about it. I know I received questions because I have recommended LastPass often, and my advice has been to stay with them. What I want to do now is explain exactly why this was not …

SSH and Tunneling

This series will look at how to create secure connections over the Internet using SSH and Tunneling.
SSH Introduction
SSH Basics

Security Best Practices from SOUPS

SOUPS is the Symposium On Usable Privacy and Security, which in conjunction with Usenix puts on an event each year where papers are presented. The 2015 event caught my eye because of a paper entitled “…no one can hack my mind”: Comparing Expert and Non-Expert Security Practices, by three researchers from Google: Iulia Ion, Rob …

NIST’s New Password Rules

We have looked at the guidelines for users in creating good passwords, but what are the best practices for the places that make you create those passwords? These would be places like Web sites, corporate networks, and so on. They create rules that are often difficult or annoying, such as “Every password must contain a …

Diffie-Hellman-Merkle Key Exchange

Although this is usually referred to in the simpler form of Diffie-Hellman, no less an authority than Martin Hellman has said that it should also be credited to Ralph Merkle, whose work Diffie and Hellman built upon: The system…has since become known as Diffie–Hellman key exchange. While that system was first described in …

Diffie-Hellman and Forward Secrecy

We often do examples of cryptographic protocols using Alice and Bob, and we may tend to think of them as just two individuals. But in the real world, the environment is more often one of an individual communicating with a server and establishing secure communications. This usually involves both Diffie-Hellman and a public key method …

TLS 1.3

There is a new standard on the Internet for secure communications called the Transport Layer Security Protocol Version 1.3, or for short, TLS 1.3. What is this about? Well, back in the old days we had something called SSL which was developed by Netscape in 1995. This was a way to establish encrypted communication with …

NIST Cybersecurity Framework

In the United States, the National Institute of Standards and Technology (NIST) has a number of responsibilities, but for our purposes the area of interest is in information technology and security. And the part I want to look at here is the NIST Cybersecurity Framework. This sets standards for best practices that private companies are …

Encryption and Quantum Computing

If you have been paying attention to encryption technology, you probably know that the safety of encryption from being cracked relies on the concept of “computational infeasibility”, which is a fancy way of saying that any encryption can be broken if you have enough time and enough resources, but if those quantities are simply impractical …

NotPetya and Maersk: An Object Lesson

I don’t know how many people have noticed, but in my opinion we are in a state of war with Russia right now, only the weapons are code instead of missiles and bullets. A good example of this is the NotPetya malware which hit various networks in June of 2017. It initially looked like a …

News update on Firefox

Firefox is carving out a spot on the Internet as a privacy-respecting alternative to Google Chrome. As I write this, they have published a Web Page under the title 2019 Firefox Flashback. This is making fun of Google’s many offers to show you what you did all year because, of course, that is how Google …

NIST’s Quantum Cryptography Update 20200815

The National Institute of Standards and Technology (NIST) has been engaged in a program to find ways to securely encrypt messages in a world where there is quantum computing. I previously wrote about this in Encryption and Quantum Computing in April of 2019, but there is some progress on this front.
The Issue
Encryption is …

NIST Quantum Cryptography Update 20221008

The Problem
The National Institute of Standards and Technology (NIST) is the U.S. Government Agency responsible for setting the standards for encryption technology used by the government, and has become the de facto standard setter for most of private industry as well. And aside from one lamentable lapse involving the NSA putting backdoors into Elliptical …

Passkeys

As we all know by now, there are serious problems with the model of authentication on the Internet today, which is based on user names and passwords. It seems that on a nearly daily basis we hear of another site being hacked, and user credentials being stolen. To help guard against password thefts we are …