OpenSSL maintainer and Google cryptographer Ben Laurie and I collaborated on an article for Nature magazine on technical systems for finding untrustworthy Certificate Authorities. We focused on Certificate Transparency, the solution that will shortly be integrated into Chrome, and also discuss Sovereign Keys, a related proposal from the Electronic Frontier Foundation. Both make clever use of cryptographic hashes, arranged in Merkle trees, to produce "untrusted, provable logs."
In 2011, a fake Adobe Flash updater was discovered on the Internet. To any user it looked authentic. The software’s cryptographic certificates, which securely verify
the authenticity and integrity of Internet connections, bore an authorized signature. Internet users who thought they were applying a legitimate patch unwittingly turned their computers into spies. An unknown master had access to all of their data. The keys used to sign the certificates had been stolen from a ‘certificate authority’ (CA), a trusted body (in this case, the Malaysian Agricultural Research and Development Institute) whose encrypted signature on a website or piece of software tells a browser program that the destination is bona fide. Until the breach was found and the certificate revoked, the keys could be used to impersonate virtually any site on the Internet.
Secure the Internet (PDF)
I first started writing about the remarkable Joi Ito in 2002, and over the decade and a half since, I’ve marvelled at his polymath abilities — running international Creative Commons, starting and investing in remarkable tech businesses, getting Timothy Leary’s ashes shot into space, backing Mondo 2000, using a sprawling Warcraft raiding guild to experiment with leadership and team structures, and now, running MIT’s storied Media Lab — and I’ve watched with excitement as he’s distilled his seemingly impossible-to-characterize approach to life in a set of 9 compact principles, which he and Jeff Howe have turned into Whiplash, a voraciously readable, extremely exciting, and eminently sensible book.
In Does The Online Card Payment Landscape Unwittingly Facilitate Fraud?, a new paper in IEEE Security & Privacy, researchers from the University of Newcastle demonstrate a technique for guessing secruity details for credit-card numbers in six seconds — attackers spread their guesses out across many websites at once, so no website gets enough bad guesses […]
Michael Geist writes, “The global music industry has spent two decades lobbying for restrictive DMCA-style restrictions on digital locks. These so-called “anti-circumvention rules” have been actively opposed by many groups, but the copyright lobby claims that they are needed to comply with the World Intellectual Property Organization’s Internet treaties. Now the head of the RIAA […]
Holiday shopping is in full swing, and the Striiv Touch is one of the best gift ideas I’ve landed on. Its simple design works for females and males, and its wide range of features makes it suitable for even the non-fitness enthusiasts in your life.Unlike traditional fitness trackers, the Striiv Touch also acts as a smartwatch. It […]
The Pocket Tripod PRO had massive Kickstarter success in 2013, raising almost $85,000 in a single month. But this isn’t just another case of pre-release product hype. This ingenious little device folds out from a credit-card-shaped plastic slab into a sturdy stand with a surprisingly wide range of motion. In portrait orientation, your phone slides […]
Loot Crate is a totally different kind of subscription service that mails subscribers monthly boxes filled with curated geek, pop culture, and gamer paraphernalia. Its cult following awaits a box every month filled with everything from bobble heads to T-shirts to special edition collectibles. But nothing gets Loot Crate fans as excited as the limited […]