jm + encryption   20

mozilla/sops: Secrets management stinks, use some sops!
sops is an editor of encrypted files that supports YAML, JSON and BINARY formats and encrypts with AWS KMS and PGP.
secrets  encryption  security  kms  pgp  gpg  editors  configuration 
10 weeks ago by jm
Shopify/ejson
'a small library to manage encrypted secrets using asymmetric encryption.'
The main benefits provided by ejson are:

Secrets can be safely stored in a git repo.
Changes to secrets are auditable on a line-by-line basis with git blame.
Anyone with git commit access has access to write new secrets.
Decryption access can easily be locked down to production servers only.
Secrets change synchronously with application source (as opposed to secrets provisioned by Configuration Management).
Simple, well-tested, easily-auditable source.
crypto  security  credentials  encryption  ejson  json  configuration  config 
july 2016 by jm
Open Whisper Systems >> Blog >> Reflections: The ecosystem is moving
Very interesting post on federation vs centralization for new services:
One of the controversial things we did with Signal early on was to build it as an unfederated service. Nothing about any of the protocols we've developed requires centralization; it's entirely possible to build a federated Signal Protocol based messenger, but I no longer believe that it is possible to build a competitive federated messenger at all.
development  encryption  communication  network-effects  federation  signal  ip  protocols  networking  smtp  platforms 
may 2016 by jm
Canadian Police Obtained BlackBerry’s Global Decryption Key in 2010
According to technical reports by the Royal Canadian Mounted Police that were filed in court, law enforcement intercepted and decrypted roughly one million PIN-to-PIN BlackBerry messages in connection with the probe. The report doesn't disclose exactly where the key — effectively a piece of code that could break the encryption on virtually any BlackBerry message sent from one device to another — came from. But, as one police officer put it, it was a key that could unlock millions of doors.
Government lawyers spent almost two years fighting in a Montreal courtroom to keep this information out of the public record.
canada  crime  encryption  security  blackberry  crypto  rcmp  police  rogers  montreal  rim 
april 2016 by jm
Hungary proposes anti-crypto law
up to 2 years imprisonment for use of apps for encrypted communication
crypto  hungary  laws  internet  crackdown  encryption 
april 2016 by jm
How is NSA breaking so much crypto?
If a client and server are speaking Diffie-Hellman, they first need to agree on a large prime number with a particular form. There seemed to be no reason why everyone couldn’t just use the same prime, and, in fact, many applications tend to use standardized or hard-coded primes. But there was a very important detail that got lost in translation between the mathematicians and the practitioners: an adversary can perform a single enormous computation to “crack” a particular prime, then easily break any individual connection that uses that prime.
How enormous a computation, you ask? Possibly a technical feat on a scale (relative to the state of computing at the time) not seen since the Enigma cryptanalysis during World War II. Even estimating the difficulty is tricky, due to the complexity of the algorithm involved, but our paper gives some conservative estimates. For the most common strength of Diffie-Hellman (1024 bits), it would cost a few hundred million dollars to build a machine, based on special purpose hardware, that would be able to crack one Diffie-Hellman prime every year.
Would this be worth it for an intelligence agency? Since a handful of primes are so widely reused, the payoff, in terms of connections they could decrypt, would be enormous. Breaking a single, common 1024-bit prime would allow NSA to passively decrypt connections to two-thirds of VPNs and a quarter of all SSH servers globally. Breaking a second 1024-bit prime would allow passive eavesdropping on connections to nearly 20% of the top million HTTPS websites. In other words, a one-time investment in massive computation would make it possible to eavesdrop on trillions of encrypted connections.


(via Eric)
via:eric  encryption  privacy  security  nsa  crypto 
october 2015 by jm
The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle
Holy shit. Gemalto totally rooted.
With [Gemalto's] stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.

[...] According to one secret GCHQ slide, the British intelligence agency penetrated Gemalto’s internal networks, planting malware on several computers, giving GCHQ secret access. We “believe we have their entire network,” the slide’s author boasted about the operation against Gemalto.
encryption  security  crypto  nsa  gchq  gemalto  smartcards  sim-cards  privacy  surveillance  spying 
february 2015 by jm
Yes, Isis exploits technology. But that’s no reason to compromise our privacy | Technology | The Observer
From the very beginning, Isis fanatics have been up to speed on [social media]. Which raises an interesting question: how come that GCHQ and the other intelligence agencies failed to notice the rise of the Isis menace until it was upon us? Were they so busy hoovering metadata and tapping submarine cables and “mastering the internet” (as the code name of one of their projects puts it) that they didn’t have time to see what every impressionable Muslim 14-year-old in the world with an internet connection could see?
gchq  guardian  encryption  nsa  isis  technology  social-media  snooping  surveillance 
november 2014 by jm
Mandos
'a system for allowing servers with encrypted root file systems to reboot unattended and/or remotely.' (via Tony Finch)
via:fanf  mandos  encryption  security  server  ops  sysadmin  linux 
october 2014 by jm
Google's new end-to-end key distribution proposal
'For End-To-End, our current approach to key distribution, is to use a model similar to Certificate Transparency, and use the email messages themselves as a gossip protocol, which allow the users themselves to keep the centralized authorities honest. This approach allows users to not have to know about keys, but at the same time, be able to make sure that the servers involved aren't doing anything malicious behind the users' back.'
end-to-end  encryption  google  security  email  crypto  key-distribution 
august 2014 by jm
Chef Vault
A way to securely store secrets (auth details, API keys, etc.) in Chef
chef  storage  knife  authorisation  api-keys  security  encryption 
june 2014 by jm
Open Crypto Audit Project: TrueCrypt
phase I, a source code audit by iSEC Partners, is now complete. Bruce Schneier says: "I'm still using it".
encryption  security  crypto  truecrypt  audits  source-code  isec  matthew-green 
april 2014 by jm
Trousseau
'an interesting approach to a common problem, that of securely passing secrets around an infrastructure. It uses GPG signed files under the hood and nicely integrates with both version control systems and S3.'

I like this as an approach to securely distributing secrets across a stack of services during deployment. Check in the file of keys, gpg keygen on the server, and add it to the keyfile's ACL during deployment. To simplify, shared or pre-generated GPG keys could also be used.

(via the Devops Weekly newsletter)
gpg  encryption  crypto  secrets  key-distribution  pki  devops  deployment 
february 2014 by jm
Schneier on Security: The NSA Is Breaking Most Encryption on the Internet
The new Snowden revelations are explosive. Basically, the NSA is able to decrypt most of the Internet. They're doing it primarily by cheating, not by mathematics.
It's joint reporting between the Guardian, the New York Times, and ProPublica.
I have been working with Glenn Greenwald on the Snowden documents, and I have seen a lot of them. These are my two essays on today's revelations.
Remember this: The math is good, but math has no agency. Code has agency, and the code has been subverted.
encryption  communication  government  nsa  security  bruce-schneier  crypto  politics  snooping  gchq  guardian  journalism 
september 2013 by jm
"Security Engineering" now online in full
Ross Anderson says: 'I’m delighted to announce that my book Security Engineering – A Guide to Building Dependable Distributed Systems is now available free online in its entirety. You may download any or all of the chapters from the book’s web page.'
security  books  reference  coding  software  encryption  ross-anderson 
february 2013 by jm
FareBot: Read data from public transit cards with your NFC-equipped Android phone - codebutler
'When demonstrating FareBot, many people are surprised to learn that much of the data on their ORCA card is not encrypted or protected. This fact is published by ORCA, but is not commonly known and may be of concern to some people who would rather not broadcast where they’ve been to anyone who can brush against the outside of their wallet. Transit agencies across the board should do a better job explaining to riders how the cards work and what the privacy implications are.' (via Boing Boing)
via:boingboing  privacy  android  rfid  security  transit  mobile  encryption  mifare  desfire  farebot  from delicious
february 2011 by jm
Life without a CA | The Tor Blog
do you trust the default set of root CAs in modern web browsers? sounds like we probably shouldn't
ca  certificates  https  encryption  firefox  ssl  trust  privacy  web  root-cas  from delicious
august 2010 by jm
tcpcrypt
opportunistic encryption of TCP connections. not the simplest to set up, though
cryptography  encryption  tcp  security  internet  tcpcrypt  opportunistic  from delicious
august 2010 by jm
Overclocking SSL
techie details from Adam Langley on how Google's been improving TLS/SSL, with lots of good tips. they switched in January to HTTPS for all Gmail users by default, without any additional machines or hardware
certificates  encryption  google  https  latency  speed  ssl  tcp  tls  web  performance  from delicious
july 2010 by jm
TLS-encrypted spam
the Rustock botnet is now attempting TLS encryption of spam delivery sessions
tls  rustock  botnets  anti-spam  mailchannels  ssl  encryption  from delicious
march 2010 by jm

related tags

android  anti-spam  api-keys  audits  authorisation  blackberry  books  botnets  bruce-schneier  ca  canada  certificates  chef  coding  communication  config  configuration  crackdown  credentials  crime  crypto  cryptography  deployment  desfire  development  devops  editors  ejson  email  encryption  end-to-end  farebot  federation  firefox  gchq  gemalto  google  government  gpg  guardian  https  hungary  internet  ip  isec  isis  journalism  json  key-distribution  kms  knife  latency  laws  linux  mailchannels  mandos  matthew-green  mifare  mobile  montreal  network-effects  networking  nsa  opportunistic  ops  performance  pgp  pki  platforms  police  politics  privacy  protocols  rcmp  reference  rfid  rim  rogers  root-cas  ross-anderson  rustock  secrets  security  server  signal  sim-cards  smartcards  smtp  snooping  social-media  software  source-code  speed  spying  ssl  storage  surveillance  sysadmin  tcp  tcpcrypt  technology  tls  transit  truecrypt  trust  via:boingboing  via:eric  via:fanf  web 

Copy this bookmark:



description:


tags: