Business/Finance

The CA System is Intractably Broken

Tuesday, July 21, 2015 

I’ve been dealing with the hassle of setting up certs for a new site over the last few days. It means using StartCom’s certs because they’re pretty good (only one security breach) and they have a decently low-hassle free certificate that won’t trigger BS warnings in browsers marketing fake cert mafia placebo security products to unwitting users. (And the CTO answers email within minutes well past midnight.)

And in the middle of this, news of another breach to the CA system was announced on the heels of Lenovo’s SuperFish SSL crack, this time a class break that resulted in a Chinese company being able to generate the equivalent of a lawful intercept cert and providing it to a private company. Official lawful intercept certificates are a globally used tool to silently crack SSL so official governments can monitor SSL encrypted traffic in compliance with national laws like the US’s CALEA.

(aww, someone liked this: https://news.ycombinator.com/item?id=5858538)

But this time, it went to a private company and they were using it to intercept and crack Google traffic, and Google found out. The absurdity is to presume that this is an infrequent event. Such breaches (and a “breach” isn’t a lawful intercept tool, which are in constant and widespread use globally, but such a tool in the “wrong” hands) happen regularly. There’s no data on the ratio of discovered breaches to undiscovered breaches, of course. While it is possible that they are always found, seemingly accidental discoveries suggest far wider misuse than generally acknowledged.

The cert mafia should be abolished. Certificate authorities work for authoritarian environments in which a single entity is trusted by fiat, as in a dictatorship or a company. The public should trust public opinion, and a tool like Perspectives would end these problems as well as significantly lower the barrier to a fully encrypted web, as those of us trying to protect our traffic wouldn’t need to choose between forking over cash to the cert mafia for fake security or making our users jump through scary security messages and complex work-arounds.

Posted at 00:53:59 GMT-0700

Category: FreeBSD, Privacy, Security, Technology

Google APIs Suck

Friday, January 4, 2013 

Off-Site scripts are annoying and privacy invasive. They are a vector for malware, waste your computer’s resources, and generally add limited capability.  They’re a shortcut for developers but rarely add real value that can’t be replaced by locally-hosted, open-source scripts and always compromise your privacy (or the privacy of your site’s visitors).

To explain – I use NoScript (as everyone should) with Firefox (it doesn’t work with Chrome: I might consider trusting Google’s browser for some mainstream websites when it does, but I don’t really like that Chrome logs every keystroke back to Google and I’m not sure why anyone would tolerate that).  NoScript enables me to give per-site permission to execute scripts.

The best sites don’t need any scripts to give me the information I need.  It is OK if the whizzy experience is degraded somewhat for security’s sake, as long as that is my choice. Offsite scripting can add useful functionality, but the visitor should be able to opt out.

Most sites use offsite scripting for privacy invasion – generally they have made a deal with some heinous data aggregator whose business model is to compile dossiers of every petty interest and quirk you might personally have and sell them to whoever can make money off them: advertisers, insurance companies, potential employers, national governments, anyone who can pay.  In return for letting them scrounge your data off the site, they give the site operator some slick graphs (and who doesn’t love slick graphs). But you lose.  Or you block Google Analytics with NoScript.  This was easy – block offsite scripts if you’re not using private browsing or switch to private browsing (and Chrome’s private browsing mode is probably fine) and enjoy the fully scripted experience.

But I’ve noticed recently a lot of sites are borrowing basic functionality from Google APIs.  Simple things, for which there are plenty of open source scripts to use like uploading images – this basic functionality is being sold to them in an easy to integrate form in exchange for your personal information: in effect, you’re paying for their code with your privacy. And you either have to temporarily allow Google APIs to execute scripts in your browser and suck up your personal information or you can’t use the site.

If you manage a website, remove as many calls as you can, including removing calls back to WordPress and fonts.  These are all data collection mechanisms that seem to make it easy in exchange for aggregating data on users.  I recommend three browser plugins to significantly improve privacy and reduce data collection.  They break some sites, but those sites are so privacy violating that you shouldn’t be visiting them anyway.

LocalCDN

Local CDN redirects CDN calls to locally cached copies, which improves performance and protects privacy.  CDNs make good money off your private data without your consent and the features they provide are easily replaced with local delivery.  This seems to have zero impact on browsing experience.

For Firefox, you might try Decentraleyes.

Privacy Badger

EFF’s Privacy Badger is great.  It can be your only ad blocker if you, say, support ad-monetized content but just don’t want to be tracked.  EFF’s goal isn’t so much to end advertising but to give the user a tool to reject the more privacy invasive elements of such advertising or other mechanisms of tracking.  The “learning” mode is disabled by default because using it is, itself, trackable.

uBlock Origin

The ur-privacy plugin, uBlock Origin is by default fairly aggressive in blocking and so not only protects privacy, but also speeds up browsing by blocking scripts that slow your computer down and waste your costly energy doing free work for advertisers.  It does, however, break some pages including things like logins and redirects, so become familiar with the mechanisms for selectively disabling blocking of scripts or sites that are important.
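For site operators acting on the advice above to remove off-site calls, the following added example (not code from the original post) lists every resource a page makes the browser fetch from a host other than its own. The page URL, the sample HTML and all host names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser fetch a resource automatically.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class OffsiteAudit(HTMLParser):
    """Collect resources a page loads from hosts other than its own."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.own_host = urlparse(page_url).hostname
        self.offsite = []  # (tag, host, absolute url)

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        if attr is None:
            return  # e.g. <a href>: a plain hyperlink is not fetched on page load
        attrs = dict(attrs)
        # <link> triggers a fetch only for certain rel values (not rel=canonical).
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & {"stylesheet", "preload", "icon"}:
                return
        value = attrs.get(attr)
        # urljoin resolves relative paths and protocol-relative //host/ URLs.
        url = urljoin(self.page_url, value) if value else ""
        host = urlparse(url).hostname
        if host and host != self.own_host:
            self.offsite.append((tag, host, url))

def audit(page_url, html):
    """Return the list of off-site fetches found in html served at page_url."""
    parser = OffsiteAudit(page_url)
    parser.feed(html)
    return parser.offsite

# Constructed sample page; every host name here is illustrative only.
SAMPLE = """
<link rel="stylesheet" href="//fonts.example-cdn.test/css?family=Sans">
<link rel="canonical" href="https://other.example.net/post">
<script src="/js/local.js"></script>
<script src="https://apis.example-cdn.test/upload.js"></script>
<img src="https://example.org/logo.png">
<img src="https://stats.example-tracker.test/pixel.gif">
<a href="https://elsewhere.example.com/">a link</a>
"""
```

Calling `audit("https://example.org/post", SAMPLE)` reports the font stylesheet, the upload script and the tracking pixel; each entry is a candidate for replacement with a locally hosted copy.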

Posted at 07:34:36 GMT-0700

Category: Politics, Privacy, Security, Technology

Windows Suckz

Tuesday, February 28, 2012 

I will never understand why companies choose to spend good money developing software and systems around Windows. How can they be so stupid as to pay for absurd and byzantine licensing of inferior, insecure, opaque operating systems on which to build their products, the regular failure of which only serves to damage the reliability of their applications and harm their reputation while reducing profit and increasing cost?

On the plus side, seeing BSODs and hang screens in public places is always good for lulz.

Posted at 07:03:05 GMT-0700

Category: Technology, Travel

The Cloud is Ephemeral

Sunday, January 1, 2012 

Never trust your business, applications, or critical data to a cloud service because you are at the mercy of the provider both for security and availability, neither of which is terribly likely. Cloud services are the .coms of the 2nd decade of the 21st century: they come and go, and with them so go your data and possibly your entire enterprise. Typically the argument is that larger brands are safer, that a company like Google would not wipe out a service leaving their customers or partners high and dry, that they would be safe.

That would be a false assumption.

“The cloud is great when and while your desired application is present—assuming it’s secure and robust—but you are at the mercy of the provider for longevity.”

It is necessary to understand the mathematics of serial risk to evaluate the risk-weighted cost of integrating a cloud-provisioned service into a business. It is important to note that this is entirely different from integrating third party code, which just as frequently becomes abandonware. While abandonware can result in substantial enterprise costs in engineering an internally developed replacement, it continues to function; a cloud service simply vanishes when the provisioning company “pivots” or craters, instantly breaking all dependent applications and even entire dependent enterprises: it is a zero day catastrophe.

Serial risks create an exponential risk of failure. When one establishes a business with N critical partners, the business risk of failure is mathematically similar to RAID 0. If each business has a probability of failure of X%, the chance of the business failing is 1-(1-X/100)^N. If X is 30% and your startup is dependent on another startup providing, say, a novel authentication mechanism to validate your cloud service, then the chances of failure for your startup rise from 30% to 51%. Two such dependencies and chances of failure rise to 64% (survival is a dismal 36%).

Posted at 22:34:08 GMT-0700

Category: Privacy, Technology

Oh Google… you’re so cute.

Friday, November 4, 2011 

Sure you’re the largest data harvester in the world and you’ve convinced more people than even Microsoft to migrate their personal and business data away from their relatively secure and relatively private personal computers and company servers onto your public, ephemeral servers where you make their data available to every government in the world you do business with and all the hackers in China, and even in those circumstances where you do actually provide some measure of security, your services have helped eliminate any residual rational discomfort people might have had about giving Big Brother direct editorial review of every communication they have, every document they create, every question they think about. More than any other company, if only by dint of your scale, you have made an Orwellian informational panopticon reality.

But who can stay mad when you’re so damn cute?  Barrel roll :-)

Posted at 03:51:05 GMT-0700

Category: Funny, Politics

Holiday Inn On King Patch

Monday, November 19, 2007 

The room patch panel at the Holiday Inn on King in Toronto is the best I’ve encountered in a hotel. Watch YouTube on the room’s large LCD TV… Play your iPod through the sound system. Free broadband. All hotels should do this.

[Photo: Holiday Inn On King patch panel]

Posted at 04:00:18 GMT-0700

Category: Hotels, photo, Reviews, Travel

Red Brick Café, Guelph

Thursday, November 15, 2007 

As I’m spending more time in Guelph lately than expected, it has been a very good thing to discover the Red Brick Cafe. They have good food items and excellent coffee. No overheated milk and they know the difference between a cappuccino and a latte. With the favorable (to the US) exchange rate, it is a great deal too.

Posted at 10:00:16 GMT-0700

Category: Hotels, Restaurants, Reviews