August 23, 2017

Archives for September 2013

The Debian OpenSSL Bug: Backdoor or Security Accident?

On Monday, Ed wrote about Software Transparency, the idea that software is more resistant to intentional backdoors (and unintentional security vulnerabilities) if the process used to create it is transparent. Elements of software transparency include the availability of source code and the ability to read or contribute to a project’s issue tracker or internal developer discussion. He mentioned a case that I want to discuss in detail: in 2008, the Debian Project (a popular Linux distribution used for many web servers) announced that the pseudorandom number generator in Debian’s version of OpenSSL was broken and insecure.
[Read more…]

Software Transparency

Thanks to the recent NSA leaks, people are more worried than ever that their software might have backdoors. If you don’t believe that the software vendor can resist a backdoor request, the onus is on you to look for a backdoor. What you want is software transparency.

Transparency of this type is a much-touted advantage of open source software, so it’s natural to expect that the rise of backdoor fears will boost the popularity of open source code. [Read more…]

Is the NSA keeping your encrypted traffic forever?

Much has been written recently about the NSA’s program to systematically defeat the encryption methods used on the internet and in other communications technologies – Project Bullrun, in the parlance of our times. We’ve learned that the NSA can read significant quantities of encrypted traffic on the web, from mobile phone networks, and on virtual private networks, which companies use to connect remote employees or offices to their corporate networks over the public Internet. Knowing this leaves me with a question: if the NSA captures and decrypts an enciphered message, how are the spoils to be handled? Does an encrypted e-mail or web session between people within the United States enjoy the same protections as an unencrypted e-mail between the same people?

The surprising answer appears to be that encrypted messages get less protection! [Read more…]