NSA: Please Turn off the Lights When You Leave. Nothing to See Here.

Linux Advocate Dietrich Schmitz shows how the general public can take action to truly protect their privacy using GnuPG with Evolution email. Read the details.

Mailvelope for Chrome: PGP Encrypted Email Made Easy

Linux Advocate Dietrich Schmitz officially endorses what he deems is a truly secure, easy to use PGP email encryption program. Read the details.

Step off Microsoft's License Treadmill to FOSS Linux

Linux Advocate Dietrich Schmitz reminds CIOs that XP Desktops destined for MS end of life support can be reprovisioned with FOSS Linux to run like brand new. Read how.

Bitcoin is NOT Money -- it's a Commodity

Linux Advocate shares news that the U.S. Treasury will treat Bitcoin as a Commodity 'Investment'. Read the details.

Google Drive Gets a Failing Grade on Privacy Protection

Linux Advocate Dietrich Schmitz puts out a public service privacy warning. Google Drive gets a failing grade on protecting your privacy.

Email: A Fundamentally Broken System

Email needs an overhaul. Privacy must be integrated.


Cookie Cutter Distros Don't Cut It


The 'Linux Inside' Stigma - It's real and it's a problem.

U.S. Patent and Trademark Office Turn a Deaf Ear

Linux Advocate Dietrich Schmitz reminds readers of a long ago failed petition by Mathematician Prof. Donald Knuth for stopping issuance of Software Patents.

Saturday, September 28, 2013

Linux Mint 15 "Olivia" Xfce Edition Approaches Perfection

by Dietrich Schmitz

I don't heap high praise on a Linux Distribution very often.  In fact, I have taken aim at various camps' Distros with regularity to the point of seeming rather harsh. 

But, that criticism isn't undeserved.  No, too often I see 'me too', 'me too', 'me too' cookie cutter mania.

When one of the major Linux Distributions goes into general release there is an ensuing outbreak 'like a bad rash' of clones which surface within hours of the announcement on Distrowatch.com.

You've seen it and often enough to realize that okay 'maybe' some of them might have some redeeming value, but many are just being 'copy cats'.  FOSS activists will argue for variety.  I argue that too many Distros 'confuse' and send a negative message in terms of perceived quality and consistency.  I have written about standardization here and elsewhere, so you know where I stand on that count.

Yesterday, I was curious about Ubuntu's impending release of 13.10 Saucy Salamander enough to download the Lubuntu 13.10 final beta2 derivative release for a quick evaluation.

It was driven primarily by my interest to see how the newest kernel 3.11.x performs.  Much to my disappointment I found directly after install that Chrome stable flash video was laggy.  I had just reinstalled over the top of Lubuntu 13.04 which has garnered a lot of my respect as being a very lightweight but complete Distribution quite suitable for Netbooks such as my Acer Aspire One D260 with 2GB of ram.  So, I was 'miffed' at the discovery of this.

Okay, this is the final beta2.  I realize that -- don't go firing off a comment filled with invectives just yet.  Hear me out.

With 'Axel' installed, I quickly downloaded the Xubuntu 13.10 beta2, 'dd' copied it to my SanDisk 16GB pen drive, booted up and installed, again over the top.

A half hour later I was up on Xubuntu 13.10 beta2.  I dispatched directly to the Chrome stable flash test with the same website's youtube video.  (Sigh)

Same laggy video.  I check my chrome://gpu settings and see 'all green':

So, I know hardware gpu assisted graphic acceleration is working fine with the supported Intel GMA3150.

What now?  Taps fingers....Okay, I am the proverbial glutton for punishment.  One more time, I went to the Kubuntu website, downloaded their 13.10 beta2 iso, slapped it on the pen drive and installed.  A half hour later,  I was on-line with the same Chrome version, same flash youtube video.  Verdict: Video was laggy.


That's another two hours of my life I'll never get back again, I thought.

That's really odd even if these are beta Distros.  My instincts tell me now to find another Distro using the same (approximately) kernel as Lubuntu 13.04 that has been in production for some time.

So, I go to Distrowatch.com and stare at the trending list, noting the usual stack of top 10 contenders, and there at the top is Mint.  It occurred to me that I really hadn't tried Mint in quite a while and realized that they have an Xfce edition in their line-up which I directly downloaded, again putting on the pen drive, and proceeded to perform a clean install of Linux Mint 15 "Olivia" Xfce edition.  

Linux Mint 15, released in July 2013, includes a 3.8.x kernel.  Again I tested with Chrome stable the same youtube video -- this time no laggy video.  Huh.

Is this a kernel regression I thought?  Sure seems like it.

So, that really isn't the point here.  My serendipity led me back to a Distro which has always been in the top 5 on Distrowatch for a long time.  And I am most impressed with what Clem and the Linux Mint Developer Team have done.  Clearly, Mint is at the top of today's list for good reason.

The level of professionalism, fit, finish is evident from the moment you boot to login to Desktop presentation.  The Mint line-up of Distributions are arguably a 'cut above' the rest.

Linux Mint 15 "Olivia" Xfce Desktop with Mint-Minimal Icon Theme by +Paulo Silva 

The Xfce edition is as complete a Distribution as anyone can expect yet still has a level of conservative lightweight memory use going in its favor.

This isn't a Distribution review -- it's a commentary on what I see across the landscape and how truly only a small handful of Distros are worth their salt.  You only need spend ten minutes with it to realize how well executed and how well meshed everything in this Distro works.  It is a joy to use.

If you don't need Ubuntu, but would like to stay in the Ubuntu repo and remain lean, yet have a 'Windows-like' experience, then I would suggest you consider giving Linux Mint 15 Xfce a test drive.   

I have spent enough time now with Mint 15 Xfce to say that it approaches perfection.  

-- Dietrich
Enhanced by Zemanta

Wednesday, September 25, 2013

Wanna Get Your Point Across...? Show 'Em The "Magic"

My Uncle Ernie was a jokester and a magician.

When he and my cousins would make the drive down from Wisconsin, I waited patiently at the kitchen table, hoping he'd show me some of his tricks before we ate dinner.

Uncle Ernie rarely disappointed us.

Simple magic really...misdirection to make stuff disappear, card tricks, quarters found in your ear.  It's all stuff we roll our eyes at as adults, but to a 10 year old kid...

My Uncle Ernie was Merlin Incarnate.

Of course, to the magician, it's an ability...just like driving a car or riding a bicycle.  You are able to do it better, directly proportional to the amount of practice you put into it.

A few years back, I was active on the forums of a particular Linux distro.  I also spend a good deal of time advocating for said distro so of course I wanted it to succeed.

At this particular time, there was a fairly well known bug that caused evolution to open upon an email field, even if Thunderbird was your default email client.  There was a fairly complex set of instructions to correct the problem but a lot of new users were put off by having to hand edit obscure configuration files to fix it.

I don't think it took me more than 15 minutes to write a script to fix the broken system call and implement it.  It was a dirty little hack...code most any self-respecting geek wouldn't let see the light of day, but it did the job and that's all I really cared about.  I messaged the forum poster and told him how to make the script active.  With the click of a mouse, his problem, and this problem in general was relegated to "Problems that used to be".

When this new user asked me how I had fixed it, I hesitated for a moment or two...thinking that any explanation would be wasted on the uninitiated...pearls before swine as it were.

But I did indeed explain to him how a dirty little script hack had corrected the problem.  He was not only amazed...it opened his eyes to the real beauty of Linux and Open Source Software.

He now understood that if this problem had been a Windows issue, he would have had to wait until someone at Microsoft corrected the problem.  It might have been fixed, or it might not have been fixed...

With Linux, all he had to do was mention it on a forum and it was fixed on the spot.

I will let him reveal himself if he wishes...he is well-known in his distro circles and does a lot of good work both in the kernel and in the user space.  Not everyone has the opportunity to show others the magic trick.  Most people don't care...they just want the problem gone.

Like a funny noise in the motor of their car.

Like the squeaky door that doesn't respond to oil or lubricant.

Like the computer that won't open the right program when you click the trigger link.....

But every now and then, you show someone how the magic trick works and it intrigues them.

And that, in turn...

It can change history.
Enhanced by Zemanta

Sunday, September 15, 2013

Is NIST History?

by Dietrich Schmitz

In my last story, Is OpenSSL's Cryptography Broken?, I reported the ongoing developments surrounding a suspect security problem with the implementation of openssl.

The story, unfortunately, continues to unfold with suspicion now turning to confirmation in a NY Times report that the NSA inserted altered random number generator code into the Dual Eliptic Curve Deterministic Random Bit Generator so as to predict private key encoding and provide a 'backdoor' entry point mechanism.  (Image credit: fearlessmen.com)

Despite strong denials coming from the National Institute of Standards and Technology (NIST) who oversaw the development of the Eliptic Curve Cryptography (ECC) standard, many now are left having a strong distrust of the agency.  From a The Register story NIST publicly responded:
The US National Institute of Standards and Technology (NIST) has vehemently denied accusations that it deliberately weakened encryption standards to help the NSA's monitoring activities.
"We want to assure the IT cybersecurity community that the transparent, public process used to rigorously vet our standards is still in place," said NIST in a statement.
"NIST would not deliberately weaken a cryptographic standard. We will continue in our mission to work with the cryptographic community to create the strongest possible encryption standards for the U.S. government and industry at large."
The statement from NIST said that working with the NSA was 'standard operating procedure' and required by law.  In an attempt to throw a 'wet blanket' on the bonfire, NIST has reopened the standard for public comment.

Regardless, one outspoken Developer, Bruce Schnierer, said in a podcast:
NIST took a big credibility hit unfortunately. There are good people there doing good work but we don't know which of their standards are tainted, we don't know how much collaboration there is with the NSA. 
And unfortunately because trust is lost when they get up and say the NSA doesn't affect our standards we don't believe them. We need a way to get back trust.
In other news the IETF offered up a 'fool-proof' plan to PRISM-proof the Internet.

What is the take-away?

Cryptography standards have all now been put into question in addition to the public relations disaster that confronts NIST.

Whether or not NIST will recover remains to be seen as it is quite likely that all cryptography standards will require rigorous audits.

In the meantime, the prevailing perception is that many cryptographic standards have been compromised and privacy is not assured by virtue of their use on the Internet.  As such, it will take a significant amount of time to pragmatically review each standard and thoroughly vet code before a level of confidence in these needed privacy measures will be restored.

And, the question of whether or not trust should be placed in agencies such as NIST is now the main focus and primary concern.  Is NIST history?  Only time will tell.

-- Dietrich

Enhanced by Zemanta

Tuesday, September 10, 2013

Is OpenSSL's Cryptography Broken?

by Dietrich Schmitz

Last month, in early August, a colleague Friend of mine, +Scott Doty contacted me.  He expressed his concern regarding Red Hat's implementation of OpenSSL.

The issue brought to my attention by Scott concerns a specific bugzilla ticket which was opened in 2007 and has never been addressed.

I offered Scott to reach out to Red Hat's public relations the same day he contacted me.  The answer returned the following day was essentially a 'no comment' and that I should refer to the comments section on the ticket -- deemed to be 'self-explanatory'.  If you take the time to review the ticket, you'll see where Scott appended his own comments in the August time frame toward the bottom.  It's fairly long.

Red Hat had absolutely no intention of fixing the bug, specifically, regarding the treatment of the Elliptic Curve Cryptography implementation in OpenSSL, and according to the comments on the ticket they felt ECC was patent encumbered.

Yet, in other sources on the Internet, one can find reference to a 'work-around' which would avoid any IP infringement issues.  Quoting from Wikipedia.org's ECC page:

"...However, according to RSA Laboratories, "in all of these cases, it is the implementation technique that is patented, not the prime or representation, and there are alternative, compatible implementation techniques that are not covered by the patents."[3] Additionally,Daniel J. Bernstein has stated that he is "not aware of" patents that cover the Curve25519 elliptic curve Diffie–Hellman algorithm or its implementation.[4] RFC 6090, published in February 2011, documents ECC techniques, some of which were published so long ago that even if they were patented any such patents for these previously published techniques would now be expired...."

Alright, so it struck Scott as being odd that such a bug was laying around collecting dust, and I agreed.

In the meantime, we have seen a series of news releases with Snowden giving out new information.  One of the claims has been that the capability of NSA to penetrate presumed to be secure cryptography standards has become much improved to such an extent that they are now collecting information flowing over SSL with impunity and have broken a few other cryptographic standards, purportedly.  I say this only because it's Snowden's word vs. the NSA and the NSA is completely 'mum' on the topic.

The sensational news story "Report: NSA Can Break Internet Encryption"arrived last week and created quite a stir.  The title is a carefully crafted wording.  Naturally, it is quite an unsettling thought to have all presumed Internet security breached, but the story's author hedged a bit at the end of his story saying:
"...Despite the NSA's ability to crack web encryption with these means, Wired's Kim Zetter notes that "these methods don’t involve cracking the algorithms and the math underlying the encryption, but rather rely upon circumventing and otherwise undermining encryption." 
And Snowden himself said during a Q&A with The Guardian in June that cryptography works. 
"Properly implemented strong crypto systems are one of the few things that you can rely on," he said...."
Now, the distinction to be made ties into the title of the story -- namely that, provided that an 'implementation' of strong cryptography coded 'properly' with no side-effect bugs cannot be hacked.

Put another way, bug-laden cryptography can result in weakening of the underlying cipher's strength and so can potentially be cracked.

This would seem to suggest that the NSA have found defects in various cryptographic standards, or, by whatever means, have introduced themselves intentionally crafted bugs in such a way to induce such weakening, thereby achieving their end-goal to crack encryption methodologies.

This led me to think more about OpenSSL and that languishing buzilla ticket.  Just yesterday, I had an exchange with +Jan Wildeboer to whom I regularly communicate, usually on Google Plus.  I broached the matter of the Red Hat OpenSSL bugzilla ECC ticket with him and curiously enough, today, he cc'd me with this Google Plus post (thank you Jan):

Mike Hearn

Shared publicly  -  10:29 AM
A few days ago Bruce Schneier, who has reviewed the leaked Snowden documents, warned against the use of elliptic curve cryptography on the grounds that it requires users to agree on curve parameters and he no longer trusts the parameters to not have back doors. Specifically he's talking about the NIST curves. NIST is a US organisation that was previously widely respected and considered trustworthy.

However, his warning seemed to be based more on general conservatism than any specific intelligence cleaned from the leaked documents. We know the NSA has tried to subvert the standards setting process and we know they may have advanced mathematical attacks that the public doesn't know about. ECC requires various constants to be agreed on globally for an instantiation to be used. Hence, the concern.

But that isn't specific evidence. Unfortunately, today I  learned (via Gregory Maxwell) that the process for selecting the "random" curve parameters appears on the surface to be completely implausible. The parameters are the output of SHA1, which should be good if the seed was selected in a reproducible manner. But they were not. The seeds are extremely large constants with no explanations of where they came from. That smells very strongly of something that might be hacked.

It gets better. It turns out that these constants are not only unexplainable but were actually generated by an employee of the NSA. And it turns out that the IEEE working group that worked on standards for ECC was actually holding its meetings on the NSA campus and its membership therefore had to be approved by the NSA as well.

At this point it is fair to assume that the NIST SECG curves should be abandoned for all uses. Bitcoin uses secp256k1 which was not selected in the same way and is more likely to be OK, and besides the NSA is unlikely to care about stealing peoples wallets (we don't use ECC for secrecy, just authenticity). And luckily academics like djb and Tanja Lange have created new variants of ECC independently of the NSA which are technically better anyway. But the upgrade process away from the SEC curves is going to be a pain.

So, that's quite interesting.  It would now appear that ECC is borked and quite possibly has been so for quite some time, thanks to the handy-work of the NSA.

The cat is now out of the bag.  I am now wondering how many other cryptographic standards need a thorough audit and scrubbing of any questionable code and fixing of languishing bugs?

-- Dietrich
Enhanced by Zemanta