I wrote yesterday about Dan Kaminsky's excellent thoughts on BitCoin, and wished aloud for comparable work from Ben Laurie. It turns out such work exists: here's Ben's critique of BitCoin, and here's his proposal for an alternative. Both are short, clear, excellent reads.
When Unix co-inventor Ken Thompson won the Turing Prize for his work, he dropped a bombshell in his acceptance speech: as an exercise, he had buried a back-door so deeply into the Unix infrastructure that no one had ever found it (to his knowledge).
A very good piece by Tom Simonite in the MIT Technology Review looks at the implications of Intel's announcement that it will slow the rate at which it increases the density of transistors in microprocessors.
As you know, Apple just said no to the FBI's request for a backdoor in the iPhone, bringing more public attention to the already hot discussion on encryption, civil liberties, and whether “those in authority” should have the ability to see private content and communications -- what's referred to as “exceptional access.”[1]
"We know of no case where such an addition of exceptional access capabilities has not resulted in weakened security."
An Indian certificate authority in the Microsoft root of trust has been caught issuing fake Google subdomain certificates that would allow nearly undetectable eavesdropping on "secure" connections to services like Google Docs.
In Analyzing Forged SSL Certificates in the Wild [PDF], a paper authored by researchers at CMU and Facebook, we learn that "a small but significant percentage" of HTTPS connections are made using forged certificates generated by adware and malware. Disturbingly, some of this malware may be working by attacking anti-virus software and stealing its keys, and the authors also speculate that anti-virus authors may be giving their keys out to governments in order to allow police to carry out man-in-the-middle attacks.
Ever since BitCoin appeared, I've been waiting for two security experts to venture detailed opinions on it: Dan Kaminsky and Ben Laurie. Dan has now weighed in, with a long, thoughtful piece on the merits and demerits of BitCoin as a currency and as a phenomenon.
OpenSSL maintainer and Google cryptographer Ben Laurie and I collaborated on an article for Nature magazine on technical systems for finding untrustworthy Certificate Authorities. We focused on Certificate Transparency, the solution that will shortly be integrated into Chrome, and also discuss Sovereign Keys, a related proposal from the Electronic Frontier Foundation.
The TOR team have discovered a fake certificate in the wild. The certificate, issued by a US company called Cyberoam, was used in an attempt to trick a user in Jordan into believing that her/his connection to the TOR website was private and secure, though in fact it was being spied upon by a Cyberoam device.
Cryptographer Ben Laurie, celebrated BitCoin skeptic, has written a short, provocative paper called An Efficient Distributed Currency, which proposes a distributed (but not decentralized) alternative. Kevin Marks is excited: "In effect you're doing an end run around Gresham's law, in the same way that the Brazilian Real did – and not how the US Govt is doing with dollar coins."
Ben Laurie is a respected cryptographer (he maintains OpenSSL and is in charge of security research for Google) and he's skeptical of BitCoin, a virtual, cryptography-based currency that has attracted a lot of attention. Ben has written three posts describing his objection to "proof-of-work" as a basis for a virtual currency, and they're great reading, as are the followups from his readers.
Security expert Ben Laurie has a scorching indictment of the "Verified by Visa" program used by British banks. This system is basically the perfect system for phishers and identity thieves, and conditions honest people to behave in foolish ways that leave them vulnerable to having their life's savings taken off of them.
Google cryptographer and all-round security expert Ben Laurie's been blogging some great security thinking lately. Today he's got a really fascinating, thoughtful piece about the problems of passwords:
So, where does this leave us? Users must have passwords, so why fight it?
Scott Amron's "Cash Money Clip" is an interesting take on money clips: a dollar bill with steel plates stuck to it, one over a neodymium disc magnet. I'm a big fan of carrying cash in a clip (I gave up fat wallets in the back pocket and lower-back pain in favor of a small card-wallet and a cash-clip years ago) but I've never really trusted magnetic clips.
Ashley Highfield, the BBC's Director Future Media & Technology, has done an interview with the BBC Backstage podcast about the BBC's new DRM-based net-delivery system, iPlayer, which delivers a slim fraction of the functionality available to people who watch their TV over the air.
Nick Mathewson from the Tor project (a free tool that helps with anonymity and privacy online) says:
I guess you've really arrived when botnet spammers start using your name to trick hapless users into installing their malware.
Around this morning, people started getting Spam with subject lines like "What you do online is at risk" and "Careful, you're
Boing Boing reader Norman Shetler says,
An interesting side-note on the debate around Stephen Soderbergh's movie "Bubble." While it's certainly a commendable experiment to release a film on three different platforms simultaneously, bypassing age-old, rigid marketing techniques, I was surprised to see that the DVD of Bubble is listed as being Region 1 encoded.
One of the most exciting things about Skype is its encryption — when you use AIM or other IM and VoIP applications, chances are that your communications are in the clear and therefore easily eavesdropped-upon (especially on public WiFi networks).
Skype offers encryption by default, but the scrambling system has been a secret until now.
Cypherpunk Ben Laurie (owner of the remarkable Bunker data-center in the UK) has a cool hobby modeling "ideal knots" ("a knot whose form allows you to tie that particular knot with the least possible string. More formally, it's the shape that minimises L/r where L is the length of the centreline and r is the radius of the largest tube you can put around that centreline without self-intersection.