All posts by Rufo Guerreschi
FBI aiming at public law passed to be able to do, with a warrant, what NSA does with secret laws
New White House Cyber Czar: “Intruders get in through those holes that we know about that we could fix,” he says. “The question is, ‘Why don’t we do that?’…
… That clearly leads me to the conclusion that we really don’t understand all of those economics and psychology [situations] well enough.”
http://www.govinfosecurity.com/interviews/michael-daniels-path-to-white-house-i-2422
Time Inc. Rates Writers on How “Beneficial” They Are to Advertisers
Secret may be banned in Brazil over anonymity, after judge grants preliminary injunction — @Gigaom
Stanford Univ. paper: “Recognizing speech from smartphones gyroscope signals”
The Yoga guru has died – Corriere.it
“Scientists, Not Politicians, Should Regulate NSA Surveillance” | Motherboard
“It is not that they have a privileged position to address these issues but rather that they are uniquely qualified to tease apart technical aspects of these issues from social and political ones.”
http://motherboard.vice.com/read/we-should-ask-scientists-what-they-think-about-nsa-surveillance
Snowden (on Tor): “I don’t think they’ve geolocated me, but they almost certainly monitor who I’m talking to online”
What does this say about Tor? Why can’t someone like Snowden use Tor to hide who he’s talking to? Is Tor not effective?!
Snowden: “Except for the very highest level of classified documents, details about virtually all of the NSA’s surveillance programs were accessible to anyone, employee or contractor, private or general, who had top-secret NSA clearance and access to an NSA computer.”
Wired on Snowden: “As we sit down, he removes the battery from his cell phone”
Why doesn’t he use a cryptophone that he can trust enough to at least know it is off when he pushes the off button?
Maybe because nothing on the military or civilian market today can be trusted?!
“Hi, I had this idea, that remember INTEL boss did not say a word in an online interview about the NSA backdoor in his CPU
… ‘s his company makes, well, what if a group of people used crowdfunding to raise money to buy a DEAD CPU design that can work with Linux, buy it dirt cheap, open source the design, get it working, and sell it, and the money to help pay bills and fund the next design upgrades?
So we would have an Open Hardware CPU for the people?
Is it doable?”
http://forum.prisonplanet.com/index.php?topic=260090.msg1479780#msg1479780
Even if Blackphone vulnerabilities require physical access they’re still a very big deal…
http://m.slashdot.org/story/205733
For some people (upper management, dissidents and the like), secure communication is not sufficient; they also need the phone to remain secure if it is lost or stolen. If having possession of the phone is the only thing that stands in the way of rooting it using this exploit, it is a serious flaw indeed.
And how many more are there?!
This is the one found by a small company in its spare time. Imagine the NSA or large zero-day companies, if it ever becomes worth the trouble because high-worth people start trusting it.
They have declared that their “transparency” policy means (a) some other critical bugs are there but you don’t get to know; (b) they will never let third parties review crucial code.
Blackphone “idea” of transparency, and media buy in
The Blackphone CTO prides himself on their transparency while stating they will never “release” all their code for review, nor tell their customers when a critical bug may have been discovered. Also, they do not even mention firmware or hardware schematics, nor do they clarify which third-party code they use that will not be available for review:
I welcome any and all discussion but the immutable constraint is this: we will do testing, we will publish a Transparency Report reflecting an honest view of the results, and we will use this data as evidence of due diligence in support of our objectives of security and privacy.
It doesn’t mean we can share absolutely everything, and it doesn’t mean we’ll release information the instant we receive it. For business or other reasons we may choose to hang onto certain things until after we’ve implemented fixes, but our Chief Security Officer’s team will be responsible for managing this line of communication and keeping the world informed of whatever we can share.
Blackphone and the IT security media
Months after its launch, with no code released (not to mention firmware, hardware schematics or fab oversight), the only people questioning how in the world we can even assess its security are a few blog commenters, while everyone from Schneier down either cheers for the secure phone or stays silent.
We clearly have a problem of competence, and one of political correctness: long-time IT security experts do not want to criticize their pal Zimmermann head on.
Here are a few comments on Slashdot that point to the obvious:
Still Secret Source? (+4, Insightful)
bill_mcgonigle 2 days ago
Blackphone is the “you can’t look at it, but trust us” self-proclaimed “security” company, right? And it’s easily exploitable?
Dog-bites-man story.
Re: Still Secret Source? (+4, Insightful)
chihowa 2 days ago
It’s one reason why I can’t rally behind Phil Zimmerman, as much as I like PGP and appreciate much of what he’s done. His insistence on keeping security software secretive and closed source, while seeming to understand the concept of trust, is baffling.
Re: Still Secret Source?
Anonymous Coward 2 days ago
Indeed. If you are going to write software that can secure something, it should be solid enough that being able to view the code doesn’t allow someone to just punch holes right through said security. Security through obscurity is something even Microsoft has learned doesn’t work, so why is this champion of secure computing trying to push it?
“NSA-Proof” Blackphone Gets Rooted Within 5 Minutes
Critical processor-level vulnerability found in most common high-security dual personal smartphone chips
Check out “Security flaw affects nearly every Android phone with a Qualcomm Snapdragon chip, researcher warns”
A case for UVST in my “The economics of meaningful assurance of computing services for civilian use” lecture slides
On Aug 8th 2014 in Trento, Italy, Open Media Cluster Director Dr. Rufo Guerreschi was invited and honored by Jovan Golic – the PEU EIT ICT LABS Privacy, Security and Trust Action Line Leader of the €3 billion EU R&D agency – to hold the (only) Concluding Guest Lecture to over 50 post-graduate students selected for their prestigious EU EIT ICT Labs “Security and Privacy in Digital Life” Summer School.
During the 90-minute presentation, named “The economics of meaningful assurance of computing services for civilian use”, he argued for the limited costs, public benefits and technical feasibility of creating computing services (and devices) with meaningfully-high security and privacy assurance for wide-scale civilian deployment, such as those we’ve been pursuing with our User Verified Social Telematics project, with over 15 Italian, EU and Brazilian partners.
Here is a copy of the slides (odt, pdf), or here on Slideshare: