Why We Encrypt
Tuesday, June 23, 2015
Bruce Schneier: Every time you use encryption, you're protecting someone who needs to use it to stay alive. This is the clearest statement I’ve seen of the case for ubiquitous, on-by-default encryption.
Sunday, May 17, 2015
Ars Technica: The UK government has quietly passed new legislation that exempts GCHQ, police, and other intelligence officers from prosecution for hacking into computers and mobile phones.
Friday, May 17, 2013
Ed Felten, yesterday, in “CALEA II: Risks of wiretap modifications to endpoints”: Today I joined a group of twenty computer scientists in issuing a report criticizing an FBI plan to require makers of secure communication tools to redesign their systems to make wiretapping easy. We argue that the plan would endanger the security of U.S. users and the competitiveness of U.S. companies, without making it much harder for criminals to evade wiretaps.
Thursday, April 4, 2013
When Steve Gibson talked on Security Now 398 about how few users' Java plugins are actually up-to-date, this question hit me:
The problem with having all of these old Java versions running around is that attacks always get better. How much more sophisticated are the attacks of today than the attacks of just one year ago? Why, then, should anyone think a free browser plugin released today—even if it's secure by today's standards—will stand up to the attacks of one year from now?
Monday, December 17, 2012
In light of recent events, I wondered if anyone was making a connection between gun control and the regulation of strong encryption. So I googled it and found that someone had: me, two years ago. Related: why do so many news reports use the term “gunman” (emphasizing the noun; Google News has 2.49 million results in the past week) instead of “shooter” (emphasizing the verb; 216,000 results in the same week)?
Friday, October 5, 2012
When I wrote about my experience setting up AD Single Sign-On for Linux, I said the next step was to extend the transparent SSO experience into WordPress. The biggest reason for that—I thought—was so that the WordPress server could then impersonate the logged-in user to pull resources from our SharePoint server (using SharePoint Web Services) and include them on WP pages. Basically a WordPress front-end with SharePoint doing some Digital Asset Management duties on the back-end.
Wednesday, March 7, 2012
I mentioned a while ago that I have a Linux web server set up with Kerberos SSO in our AD domain. Setting it up was a lot more tedious than it seems like it should have been. I found bits and pieces of useful information here and there, and some step-by-step guides to help with specific sub-tasks, but I couldn’t find a good, intranet-specific guide to help me understand the big picture—what pieces I needed (and didn’t need) and how they fit together. So here’s part 1 of my attempt to rectify that situation (part 2 will be the WordPress integration—I’m still working on that part).
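As an added illustration of the pieces such a setup needs and how they fit together (this is not from the post or its part 2; the realm EXAMPLE.COM, the host web.intranet.example.com, the service account svc-web and the file paths are assumed for the example), here is the AD-side preparation, the Linux-side checks, and an Apache configuration for mod_auth_kerb, the module that was current when the post was written:

```apache
# Added example, not the post's own configuration. Assumed names:
#   realm EXAMPLE.COM, web host web.intranet.example.com,
#   AD service account svc-web, keytab /etc/httpd/http.keytab.
#
# AD side (run once on a domain controller, as a domain admin):
#   setspn -S HTTP/web.intranet.example.com svc-web
#   ktpass -princ HTTP/web.intranet.example.com@EXAMPLE.COM -mapuser svc-web ^
#          -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -out http.keytab
#
# Linux side, after copying the keytab over:
#   chown root:apache /etc/httpd/http.keytab && chmod 0640 /etc/httpd/http.keytab
#   klist -k /etc/httpd/http.keytab                          # shows the SPN and enctypes in the keytab
#   kinit -kt /etc/httpd/http.keytab HTTP/web.intranet.example.com   # proves the keytab is accepted by the KDC
#
# /etc/httpd/conf.d/sso.conf (mod_auth_kerb; mod_auth_gssapi replaces it on newer
# distributions and uses different directive names).

<Location />
    # Kerberos tickets are not secrets, but session cookies and page content are.
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Intranet"
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    Krb5Keytab /etc/httpd/http.keytab
    KrbMethodNegotiate On
    # Keep K5Passwd off: with it on, a browser that cannot do Negotiate falls back
    # to Basic auth and sends the user's AD password to the web server.
    KrbMethodK5Passwd Off
    # Require the service ticket to verify against our own keytab, not just the client's.
    KrbVerifyKDC On
    # REMOTE_USER becomes "jdoe" rather than "jdoe@EXAMPLE.COM"
    KrbLocalUserMapping On
    # Only turn this on if the server must act as the user toward another service
    # (e.g. SharePoint): it stores the browser-forwarded TGT in a credential cache,
    # and the browser must be configured to allow delegation to this host.
    KrbSaveCredentials Off
    Require valid-user
</Location>
```

To check the result from a domain-joined Linux client that already holds a TGT, run `curl --negotiate -u : https://web.intranet.example.com/`: the first request should come back 401 with a `WWW-Authenticate: Negotiate` header and the retried one 200 without any password prompt. The `KrbMethodK5Passwd Off` line is the one practitioners most often get wrong; leaving it on silently turns a failed Negotiate into a Basic-auth password prompt.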
Friday, January 20, 2012
I’ve started a project to move the front-end of our intranet from SharePoint to WordPress (SP is just too icky to do any serious front-end work with). The plan is for WordPress to become the front-end and CMS for news-type content, keep SharePoint for file library and calendar-type stuff (at least for now), and use the SP web services to integrate the SP content into WP. All of the various authentications involved must be transparent to the end-user.
Friday, October 1, 2010
Charlie Savage reported Monday in the New York Times that the Obama administration is seeking legislation that would require “back-doors” in all encryption products and services in the US. Of course, they cite terrorism as a primary motivation. How best to balance the needs of law enforcement (and of government in general) with the privacy and liberty of the citizen is an age-old question. While I sympathize with the needs of law enforcement, the Internet wiretap plan simply will not accomplish its stated purpose.
Tuesday, March 2, 2010
It used to be that network infrastructure was one of an organization’s most valuable assets and security was geared toward protecting the infrastructure; but costs are falling, and the network has become a commodity. Meanwhile, the volume and value of information stored electronically are growing rapidly. For this reason, Dan Geer advocates a paradigm shift in information security, which he calls the Enterprise Information Protection Paradigm. We suggest that this paradigm be called enterprise information protection (EIP).
Monday, July 27, 2009
All of my company’s inbound and outbound email goes through a security service that scans for spam and viruses. From time to time I get an email from someone saying that they got a message that they consider spam. I see that as a good sign. Here’s why: Spam filters are machines, with some human input to fine-tune the filter criteria, doing the best job they can. The algorithms are ever-improving, but they’re still just computer programs.