infornet

Big Cable Owns Internet Access. Here’s How to Change That.

Surveying the landscape of internet access, one could be forgiven for a single dank conclusion: Winter is coming.

We know that Big Cable’s plan for high-speed internet access is to squeeze with “usage-based billing” and data caps, so as to milk ever-growing profits from their existing networks rather than invest in future-proof fiber optics. We’re also seeing that Big Cable has won the war for high-capacity, 25Mbps-download-or-better wired internet access, leaving AT&T and Verizon to concentrate primarily on mobile wireless. Indeed, Big Cable’s share of new and existing wired-access subscribers has never been greater — cable got both all new net subscribers in the third quarter of 2015 and captured millions of subscribers fleeing DSL — and its control over this market is growing faster than ever.

Wall Street analyst Craig Moffett predicts that, in the end, unless things change, cable will have 90 percent of subscribers in areas where it faces competition from only traditional DSL and will have the lion’s share of subscribers in areas where cable faces competition from souped-up copper-line DSL and fiber-to-the-node (aka “fiber to the neighborhood”).

We’re already seeing the deadening effects of this. Pew reports that home adoption of high-speed internet access has plateaued, while the percentage of smartphone-only users in the United States is growing. Just 8 percent of Americans were smartphone only in 2013. That number is now 13 percent, mostly lower-income households, minorities, and rural Americans. What’s the reason for nonadoption? Mostly cost: the monthly fee for high-speed internet is the main reason most of these people don’t have access at home. Smartphone-only users just don’t have the same quality of access as home high-speed internet subscribers. We are amplifying and entrenching existing inequality by not taking on this country’s internet access problem.

Islamic State fighters number far more than first thought, says CIA

US officials are shocked at the “Islamic State’s rapid growth.” Now, the CIA estimates that the Islamic State has somewhere between 20,000 to 31,500 fighters within its ranks. That number may include “some 15,000 foreign fighters in Syria alone, including 2,000 Westerners,” Al Jazeera reported, which noted the estimate is “far more than first thought.”

Islamic State fighters in Iraq and Syria number around 20,000 to 31,500 — a figure far higher than previously estimated, the Central Intelligence Agency has said. The new calculation includes some 15,000 foreign fighters in Syria alone, including 2,000 Westerners, a U.S. intelligence official told the AFP news agency on Thursday.

“The number is much higher than a previous estimate of 10,000,” Al Jazeera continues.

The scope of the operation, including the territory covered, indicates that tens of thousands of ISIS fighters participated in the recent fighting. The group is estimated to have around 50,000 members and thousands of foreign fighters, and is more of an army than a smaller extremist group.

What’s the matter with PGP?

Last Thursday, Yahoo announced their plans to support end-to-end encryption using a fork of Google’s end-to-end email extension. This is a Big Deal. With providers like Google and Yahoo onboard, email encryption is bound to get a big kick in the ass. This is something email badly needs.

So great work by Google and Yahoo! Which is why the following complaint is going to seem awfully ungrateful. I realize this and I couldn’t feel worse about it.

As transparent and user-friendly as the new email extensions are, they’re fundamentally just re-implementations of OpenPGP — and non-legacy-compatible ones, too. The problem with this is that, for all the good PGP has done in the past, it’s a model of email encryption that’s fundamentally broken. It’s time for PGP to die.

In the remainder of this post I’m going to explain why this is so, what it means for the future of email encryption, and some of the things we should do about it. Nothing I’m going to say here will surprise anyone who’s familiar with the technology — in fact, this will barely be a technical post. That’s because, fundamentally, most of the problems with email encryption aren’t hyper-technical problems. They’re still baked into the cake.

How the U.S. Could Escalate Its Name-and-Shame Campaign Against China’s Espionage

Chinese companies believed to be benefiting from stolen secrets could be the next target of U.S. action to curb industrial espionage.

Earlier this week the U.S. Department of Justice indicted five Chinese military officers for industrial espionage, accusing them of leading attacks on the computers of U.S. companies including U.S. Steel and Westinghouse to gather material to be passed on to Chinese companies.

The move puts U.S. policy in line with experts who have argued that only naming and shaming the perpetrators, and pursuing them through legal action, will rein in such attacks. Digital IP theft is now normal for U.S. companies, although few victims disclose the fact.

Dmitri Alperovitch, cofounder and chief technology officer (see “TR35: Dmitri Alperovitch”) of the security company Crowdstrike, a company that offers new ways to trace and fight back against cyberattacks, told MIT Technology Review’s Tom Simonite how the U.S. could use its new strategy to increase the pressure on China even further.

Attack of the Week: Triple Handshakes (3Shake)

The other day Apple released a major security update that fixes a number of terrifying things that can happen to your OS X and iOS devices. You should install it. Not only does this fix a possible remote code execution vulnerability in the JPEG parser (!), it also patches a TLS/SSL protocol bug known as the “Triple Handshake” vulnerability. And this is great timing, since Triple Handshakes are something I’ve been meaning (and failing) to write about for over a month now.

But before we get there: a few points of order.

First, if Heartbleed taught us one thing, it’s that when it comes to TLS vulnerabilities, branding is key. Henceforth, and with apologies to Bhargavan, Delignat-Lavaud, Pironti, Fournet and Strub (who actually discovered the attack*), for the rest of this post I will be referring to the vulnerability simply as “3Shake”.

On a more serious note, 3Shake is not Heartbleed. That’s both good and bad. It’s good because Heartbleed was nasty and 3Shake really isn’t anywhere near as dangerous. It’s bad since, awful as it was, Heartbleed was only an implementation vulnerability — and one in a single TLS library to boot. 3Shake represents a novel and fundamental bug in the TLS protocol.

The final thing you should know about 3Shake is that, according to the cryptographic literature, it shouldn’t exist.

nsa

How do you know if an RNG is working?

Last week, Edward Snowden spoke to a packed crowd at SXSW about the many problems (and limited solutions) facing those of us who want to keep our communications private. Snowden said a number of things — including a shout out to Moxie’s company Whisper Systems, who certainly deserve it. But instead of talking about that, I wanted to focus on (in my opinion) one of Snowden’s most important quotes:

We need all those brilliant Belgian cryptographers to go “alright we know that these encryption algorithms we are using today work, typically it is the random number generators that are attacked as opposed to the encryption algorithms themselves. How can we make them [secure], how can we test them?”

Now it’s possible I’m a little biased, but it seems to me this cuts to the core of our problems with building secure systems in an increasingly hostile world. Namely: most encryption relies on some source of “random” numbers, either to generate keys or (particularly in the case of public key encryption) to provide semantic security for our ciphertexts.

What this means is that an attacker who can predict the output of your RNG — perhaps by taking advantage of a bug, or even compromising it at a design level — can often completely decrypt your communications. The Debian project learned this firsthand, as have many others. This certainly hasn’t escaped NSA’s notice, if the allegations regarding its Dual EC random number generator are true.

All of this brings us back to Snowden’s quote above, and the question he throws open for us. How do you know that an RNG is working? What kind of tests can we run on our code to avoid flaws ranging from the idiotic to the highly malicious? Unfortunately this question does not have an easy answer. In the rest of this post I’m going to try to explain why.

Can Hackers Decrypt Target’s PIN Data?

Slightly longer answer: it depends on whether they have access to the encryption key, or to a machine that contains the encryption key.

In case you have no idea what I’m talking about: there was recently a massive credit card breach at Target. If you’re like many people you probably heard about this three times. First in the news, then again in your email when Target notified you that you were a victim, and finally a third time when you checked your credit card bill. Not a proud day for our nation’s retailers.

The news got a bit messier today when Target announced the thieves had also managed to get their hands on the PIN numbers of unfortunate debit card customers. But this time there’s a silver lining: according to Target, the PIN data was encrypted under a key the hackers don’t have.

700 Domains Seized as Part of Anti-Counterfeit Crackdown

Law enforcement agencies from three continents seized more than 700 domains on Tuesday for selling counterfeit goods. US Immigration and Customs Enforcement (ICE), Europol, and Hong Kong Customs worked together on the project, which was called “In Our Sites, Project Cyber Monday IV” in the US. The agencies were coordinated by the National Intellectual Property Rights Coordination Center.

The US government is now targeting PayPal accounts used by the websites for seizure, and $175,000 of criminal proceeds. eBay is cooperating with the investigation, and made a statement in support of the efforts of law enforcement to protect its customers and brand.

Email

The Daunting Challenge of Secure E-mail

When users of Lavabit, an encrypted e-mail service, logged on to the site this past August, they found a bewildering letter on the site’s main page. Ladar Levison, the founder and sole employee of Lavabit, had shut down his business rather than “become complicit in crimes against the American people.” Lavabit subscribers would later discover that Levison had walked away because federal investigators had asked him to hand over his master decryption key, which would have granted them unfettered access to most of Lavabit’s data. Shortly afterward, the encryption provider Silent Circle followed suit, summarily deleting its users’ stored mail and mothballing its e-mail servers. In the wake of the Snowden revelations, which should have driven demand for their services, encrypted e-mail providers were, in the United States at least, rapidly becoming an endangered species. This leads to a question that has received relatively little attention: Why is encrypted e-mail so rare in the first place?