Brad Smith and Jonathan Zittrain on Privacy, Surveillance, and Rebuilding Trust in Tech

Some key concepts come up in this discussion of trust and corporate principles in the post-Snowden age of the internet. Pay attention to Microsoft’s conclusions on when to redirect government subpoenas and when to deny extraterritorial requests.

“…but secret courts with secret decisions are NOT part of the American legal tradition” — Brad Smith, Microsoft’s general counsel and executive vice president of Legal and Corporate Affairs, on the need for reform of the FISA court.


Brad Smith and Jonathan Zittrain on Privacy, Surveillance, and Rebuilding Trust in Tech – YouTube.

Vemödalen: The Fear That Everything Has Already Been Done

So I have this feeling often while taking photos — and then I try to do something different, but actually doing something different that’s not been done before is exceedingly rare because … 7 billion. Let me repeat that: Seven Billion. Now say it again like Carl Sagan would, then feel the hope and despair.

Vemödalen: The Fear That Everything Has Already Been Done – YouTube.

Net Neutrality’s Biggest Fan: Justice Scalia

One of the key arguments in the Brand X case was that broadband providers didn’t just offer transmission, but also packaged information services such as e-mail, and thus were information providers. However, you then have to ask: what is the essential difference between voicemail and e-mail other than the media format?

It’s an important discussion, especially at this juncture; telephony has always been held to higher standards for stability and reliability than broadband. Now that broadband is absorbing wired telephone service through VoIP and media conferencing services, it’s time to ask public-safety questions such as: shouldn’t broadband be at least as dependable as POTS was?

For example, if the area power goes out and you have POTS, your phone will still work, because the telephone infrastructure includes batteries, UPSes, and generators at strategic nodes to keep line current available during outages. If your cable service goes out you have no such backup; indeed, if you want a battery for your cable modem, in most cases you have to ask for one. So when the area power goes out, a phone that runs over a broadband pipe dies with it.

Before net neutrality became a left-wing cause célèbre, it had an unlikely champion: U.S. Supreme Court Justice Antonin Scalia.

In 2005, Scalia in a dissent wrote that the Federal Communications Commission should classify broadband providers as a more heavily regulated Title II telecommunications service—a position in sync with a statement from President Barack Obama on Monday as well as with calls from groups such as Free Press and Consumers Union.

“After all is said and done, after all the regulatory cant has been translated, and the smoke of agency expertise blown away,” Scalia wrote in 2005, “it remains perfectly clear that someone who sells cable-modem service is ‘offering’ telecommunications.”

Justice Ruth Bader Ginsburg and since-retired Justice David Souter joined his dissent in National Cable & Telecommunications Association v. Brand X Internet Services.

via National Journal

If You Use SSL 3.0, it’s Time to Migrate Off

Google is getting ready to phase out SSL 3.0 in Chrome 39 because of its vulnerability to man-in-the-middle attacks such as POODLE.

If they are going there, then you need to move as well. Google’s move will protect consumers using Chrome, but it will not help you if an attacker on your network uses an old browser that negotiates a downgrade to SSL 3.0 or lower, with short keys, and your applications still accept that.

If you still allow old versions of SSL (Secure Sockets Layer, now superseded by TLS 1.2) in your enterprise because of outdated applications or hardware limitations, then you need to migrate to TLS 1.2 and disallow SSL 3.0 and lower, since those connections may still use short cryptographic keys. (SHA-256 or better is the current NIST recommendation; see the table on page 67.)

You also need to be aware that several well-known web services and applications, just one or two versions back, ship with older versions of SSL embedded in their Apache Tomcat services. A good scanner such as Nessus will reveal that an insecure SSL version with shorter keys is in use on an Apache (or other) service, but it will not tell you which application is the culprit, so if you are not sure which one it is you will have to monitor the transactions and trace them back. This is especially true if your application vendor is not coming clean about it. Longer keys also take more server resources to encrypt and decrypt, so be prepared for a potential performance hit after you upgrade.
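One way to do the “monitor the transactions and trace them back” step is to inspect the ClientHello each client sends, since that is where a client announces the highest protocol version and the cipher suites it is willing to use. The script below is an added example written for this post (it is not code from the article, Google, InfoWorld, or any scanner vendor): it parses raw TLS handshake records keyed by the client’s source address and reports which clients still offer SSL 3.0, anything below TLS 1.2, or export-grade (40-bit) cipher suites. The sample records, the source addresses, and the short export-suite table are constructed for the example; the suite values are the standard IANA numbers but the list is deliberately not exhaustive.

```python
"""Passive SSL/TLS ClientHello triage.

Added example for this post, not code from the article or the products it
mentions. Given TLS handshake records captured from the network (for instance
from a mirrored port or a pcap), keyed by client source address, it reports
which clients still offer SSL 3.0, pre-TLS-1.2 versions, or export-grade
cipher suites, so the offending application can be traced back before the
server stops accepting it. The sample records below are constructed here.
"""
import struct

VERSION_NAMES = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
}
MINIMUM_VERSION = 0x0303  # TLS 1.2, the target the post recommends

# Small subset of IANA export-grade suites (40-bit keys); assumed sufficient
# for this example, not an exhaustive list of weak suites.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello.

    Returns the record-layer version, the client's offered version and the
    offered cipher suites. Raises ValueError for anything else (plaintext
    HTTP, a truncated record, a handshake message that is not a ClientHello).
    """
    if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake content type
        raise ValueError("not a TLS handshake record")
    record_version, length = struct.unpack("!HH", record[1:5])
    body = record[5:5 + length]
    if len(body) != length or length < 4 or body[0] != 0x01:   # 0x01 = ClientHello
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 35:            # version + random + session id length
        raise ValueError("truncated ClientHello")
    client_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                       # skip the 32-byte client random
    pos += 1 + hello[pos]                              # skip the session id
    if pos + 2 > len(hello):
        raise ValueError("truncated ClientHello")
    suites_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if pos + suites_len > len(hello):
        raise ValueError("truncated cipher suite list")
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + suites_len, 2)]
    return {"record_version": record_version,
            "client_version": client_version,
            "cipher_suites": suites}


def assess(parsed: dict) -> list:
    """Return human-readable findings for one parsed ClientHello."""
    findings = []
    version = parsed["client_version"]
    if version < MINIMUM_VERSION:
        findings.append(f"offers {VERSION_NAMES.get(version, hex(version))} (below TLS 1.2)")
    for suite in parsed["cipher_suites"]:
        if suite in EXPORT_SUITES:
            findings.append(f"offers export-grade suite {EXPORT_SUITES[suite]}")
    return findings


def triage(connections: dict) -> dict:
    """Map each source address to its findings; traffic that is not a ClientHello is skipped."""
    report = {}
    for source, record in connections.items():
        try:
            report[source] = assess(parse_client_hello(record))
        except ValueError:
            continue
    return report


def build_client_hello(version: int, suites: list) -> bytes:
    """Build a minimal ClientHello record; used only to construct the sample traffic."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00"   # version, random, empty session id
    hello += struct.pack("!H", 2 * len(suites))
    hello += b"".join(struct.pack("!H", s) for s in suites)
    hello += b"\x01\x00"                                        # one compression method: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


# Constructed sample captures keyed by client source address (not real traffic).
SAMPLE_CONNECTIONS = {
    "10.0.0.17:51234": build_client_hello(0x0300, [0x0003, 0x002F]),  # legacy app: SSL 3.0 + export RC4
    "10.0.0.23:49152": build_client_hello(0x0301, [0x002F, 0x0035]),  # TLS 1.0 only
    "10.0.0.42:50001": build_client_hello(0x0303, [0xC02F, 0x009C]),  # modern TLS 1.2 client
    "10.0.0.99:40000": b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n",   # plaintext HTTP, ignored
}

if __name__ == "__main__":
    for source, findings in triage(SAMPLE_CONNECTIONS).items():
        print(f"{source:<18} {'; '.join(findings) if findings else 'OK'}")
```

Run it over a capture keyed by source address and the hosts that still speak SSL 3.0 or offer 40-bit suites fall out directly, which is the list you take back to the application owners or the vendor. Once those clients are upgraded, the server side is closed off by raising the minimum protocol version (on Apache mod_ssl, for example, `SSLProtocol all -SSLv2 -SSLv3`), and the same script confirms nothing below TLS 1.2 is still being offered.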

From Lucian Constantin at InfoWorld:

The decision comes after Google security researchers recently discovered a dangerous design flaw in SSL 3.0. Dubbed “POODLE,” the vulnerability allows a man-in-the-middle attacker to recover sensitive, plain text information like authentication cookies, from an HTTPS (HTTP Secure) connection encrypted with SSLv3.

Even though POODLE is the biggest security issue found in SSL 3.0 so far, it is not the protocol’s only weakness. SSL version 3 was designed in the mid-1990s and supports outdated cipher suites that are now considered insecure from a cryptographic standpoint.

HTTPS connections today typically use TLS (Transport Layer Security) versions 1.0, 1.1 or 1.2. However, many browsers and servers have retained their support for SSL 3.0 over the years — browsers to support secure connections with old servers and servers to support secure connections with old browsers.

More:

http://www.infoworld.com/article/2841961/applications/google-to-kill-off-ssl-30-in-chrome-40.html