24 Feb 2015
I receive a fair amount of email from strangers. My email address is public, which doesn’t seem
to be a popular choice these days, but I’ve received enough inspiring correspondence over the years
to leave it be.
When I receive a GPG encrypted email from a stranger, though, I immediately get the feeling that I
don’t want to read it. Sometimes I actually contemplate creating a filter for them so that they bypass
my inbox entirely, but for now I sigh, unlock my key, start reading, and – with a faint glimmer of
hope – am typically disappointed.
12 Jun 2013
Suddenly, it feels like 2000 again. Back then, surveillance programs like
Total Information Awareness
helped spark a surge in electronic privacy awareness. Now a decade later, the recent discovery of programs like
Boundless Informant, and
are catalyzing renewed concern.
13 May 2013
Last week I was contacted by an agent of
Mobily, one of two telecoms operating in
Saudi Arabia, about a surveillance project that they’re working on in that country.
Having published two reasonably popular MITM tools,
it’s not uncommon for me to get emails requesting that I help people with their
interception projects. I typically don’t respond, but this one (an email titled
“Solution for monitoring encrypted data on telecom”) caught my eye.
07 Jan 2013
To my great surprise, young people now somewhat frequently contact me in order to solicit career advice.
They are usually in college or highschool, and want to know what the best next steps are for a career in
security or software development.
This is, honestly, a really complicated question, mostly because I’m usually concerned that the question
itself might be the wrong one to be asking. What I want to say, more often than not, is something along
the lines of don’t do it; when I got out of highschool and focused on the answer to that same
question, it was very nearly one of the biggest mistakes of my life.
Since I get these inquiries fairly regularly, I thought I’d write something here that I can use as a sort
of canonical starting point for a response.
27 Nov 2012
I don’t really know who Dustin Curtis is, but he blogs a lot, and those blog entries often end up on
Hacker News. Not too long ago, he wrote a blog post titled “The Best,”
in which he explains that he has nice stuff. That in fact, everything he owns is actually the very
best of its kind.
Dustin’s blog post culminates in the triumph of his quest for the perfect set of flatware. Apparently,
this is what the perfect collection of forks, knives, and spoons looks like, which we can assume Dustin Curtis
has in his kitchen drawer at this very moment:
13 Dec 2011
When it comes to designing secure protocols, I have a principle that goes like this: if you have to
perform any cryptographic operation before verifying the
MAC on a message you’ve received, it will
somehow inevitably lead to doom.
05 Dec 2011
In recent months, Comodo has been
hacked repeatedly, DigiNotar was
compromised, and the security of CAs as a whole has been found to be
not altogether inspiring. The consensus finally seems to be shifting from the notion that CAs are
merely a ripoff, to the notion that they are a ripoff, a security problem, and that we want them
dead as immediately as possible. The only question that remains is how to replace them.
11 Apr 2011
In the early 90’s, at the dawn of the World Wide Web, some engineers at Netscape developed a protocol
for making secure HTTP requests, and what they came up with was called SSL. Given the relatively
scarce body of knowledge concerning secure protocols at the time, as well the intense pressure everyone
at Netscape was working under, their efforts can only be seen
as incredibly heroic. It’s amazing that SSL has endured for as long as it has, in contrast to a number
of other protocols from the same vintage. We’ve definitely learned a lot since then, though, but the thing
about protocols and APIs is that there’s very little going back.