Do You Know Your iCloud Security Code?

A while ago my iPad played up, forcing me to reinstall it through iTunes. Since I do not keep much data on the device itself, this wasn’t much of a problem, except for the time lost with a bit of tinkering and figuring out how to do it correctly – it was the first time I had to resort to this measure.

In the course of the procedure I was asked to enter my “iCloud Security Code“. I take great care to register all my passwords, as I explained in “Minding your own password business“. But my files showed no knowledge of such a code. Strange: could I have forgotten to write it down?

Searching on the Internet helped to clarify things. Matthew Green is a well-known cryptographer, and his article titled “Is Apple’s Cloud Key Vault a crypto backdoor?” not only tells you that the iCloud security Code is (usually) identical to you iPad passcode. It is, in fact, a rather comprehensive yet clear overview of how Apple handles your passcodes and crypto keys in the iCloud Keychain. Good reading material for when you have a clear mind ;-)

Read Full Post »

Choices Are Limited When Looking For Secure Messaging Apps

I have used the Signal – Private Messenger app for a long time – I even remember that it was originally called ‘TextSecure’.

Luckily for me, the app also includes support for ‘normal’ (unsecure!) SMS messages, because only a very limited number of friends and acquaintances were willing to follow me. Perhaps this news will change their minds:

Without any fanfare, the Senate Sergeant at Arms recently told Senate staffers that Signal, widely considered by security researchers and experts to be the most secure encrypted messaging app, has been approved for use.

Source: ZDNet

So the US Senate is allowed to use this app – will the Open Whisper Systems crew be proud and see this as a compliment?

Read Full Post »

Security And Trust On The Internet

In a blog post titled “Securing our Digital Economy“, the president and CEO of the Internet Society writes:

The truth is that economies can only function within a secure and trusted environment.

Which brings us to encryption. […]

Encryption is a technical building block for securing infrastructure, communications and information. It should be made stronger and universal, not weaker.

Stronger encryption? I’m all for it. Do I really have to explain that government-enforced “backdoors” in encryption tools will only weaken those tools – and the trust they are supposed to deliver?

Source: Shutterstock

Read Full Post »

You Have Been Warned!

Bruce Schneier says: “The Internet of Things Will Turn Large-Scale Hacks into Real World Disasters“.

Security engineers are working on technologies that can mitigate much of this risk, but many solutions won’t be deployed without government involvement. This is not something that the market can solve. Like data privacy, the risks and solutions are too technical for most people and organizations to understand; companies are motivated to hide the insecurity of their own systems from their customers, their users, and the public; the interconnections can make it impossible to connect data breaches with resultant harms; and the interests of the companies often don’t match the interests of the people.

Read Full Post »

“… It Should Be Possible To Break The Law”

I have been a user of TextSecure (now Signal) on Android for many years. Not that I have much to hide, nor do I have many family members or friends that use the same application to profit from the message encryption – no, just as a matter of principle. But it was only recently that I could peer into the mind of the man who created the tool: Moxie Marlinspike (this pseudonym would not look out of place in a cyberpunk novel). So thanks, Wired, for this opportunity to “Meet Moxie Marlinspike, the Anarchist Bringing Encryption to All of Us“.

Just as knives can be used to stage a terrorist attack, so can any tool be used for good as well as for bad. Does that mean we have to cripple the tool, which is what some people are asking when talking about encryption? From the Wired article:

Marlinspike follows this remark with a statement that practically no one else in the privacy community is willing to make in public: that yes, people will use encryption to do illegal things. And that may just be the whole point. “I actually think that law enforcement should be difficult,” Marlinspike says, looking calmly out at the crowd. “And I think it should actually be possible to break the law.”

Up to a degree, I concur with that statement. Of course, it does not mean that any law is there to be broken all day long, every time it is possible. But how can you make better laws, if the existing ones cannot be broken? Laws are just one of the tools humans use to organise their lives. When society evolves, e.g. because of fundamental changes in technology, laws have to change as well… Let’s just make sure we pick the right law to break.

(View his talk on Vimeo by clicking on the image)

PS. Marlinspike is not a prolific blogger, but the writing on his blog is nevertheless a good way to get an idea of how he thinks. Recommended reading – not just about encryption.

Read Full Post »

Does Being A Robot Makes You Free? Ask The Snowbot!

I like the NYMAG.COM article titled “I, Snowbot”. In it, the author describes the current life of Edward Snowden. The (long) text manages to include themes like telepresence, encryption and ethics, and is very much worth reading – even if you do not agree with Snowden and everything he did.

I agree with this quote, by the way:

Surveillance is ultimately not about safety. Surveillance is about power. Surveillance is about control.
Edward Snowden

Is the Snowbot part of the team, or isn’t he?

His telepresence in the USA, where he is a wanted criminal, is special, of course: as a ‘robot’, he can go where he wants… Strange for a man who never leaves Moskow, and strange too, I guess, for US law enforcement. But hey, that’s the force of the Internet – digital disruption, anyone?

Read Full Post »

Don’t Use KeePass On A Mac, Use Keeweb

I have been writing about KeePass since 2009, because I have been using this tool (in one of its many guises) since then. Last year, around June, I tried to upgrade to the then latest version 2.29 of the official release. On my Mac, all in all, things did not work out that well. To install the (.NET version of the) program, you have to:

• Install Mono
• Install XQuartz
• Download keepassXXX.zip (where XXX is the chosen version number)
• Start a terminal session, go to the unzipped folder and start the app using this command:
  

  mono keepass.exe

  (which looks silly on a Mac, and there are ways around it, but nevertheless…)

• Choose the correct XML type if your data are coming from a KeePassX 1.x “export to XML”.

Using it isn’t intuitive – remember: KeePass is not a Mac app, and that means Command-S will NOT save your file; you have to use Ctrl-S. If you resize a window, or change the width of a column, strange things will happen on the screen. Don’t try drag-and-drop operations: they will crash the app with error messages saying: “System.NotSupportedException: Implement me” or worse.

After a few edits (an import of the old database in XML format + choosing a new icon for a group), trying to edit a second group entry crashed the app. In the console I saw this error message:

: CGContextDrawImage: invalid context 0x0. This is a serious error. This application, or a library it uses, is using an invalid context and is thereby contributing to an overall degradation of system stability and reliability. This notice is a courtesy: please fix this problem. It will become a fatal error in an upcoming update.

Well, I did not find a good explanation for this problem, and ended up deleting everything so that I could continue to use the older KeePassX version I have since long.

But a few weeks ago, I did find a relatively simple way to replace that old version: Keeweb. It’s a multiplatform application, built on the same principles as the Atom editor: both are based on the ‘electron’ framework. So basically you’re running a local application built with web technologies. And yes, it does work in the same manner on my Macs, on Linux machines and even on Windows. I like it, because it is devoid of complicated installation procedures, and that simplifies things when you only need it occasionally on your desktop. To top it off, there is also an offline web version of the same application. What more can you want? Check it out, you may like it too.

Read Full Post »