Security

November 27, 2006

In Futility We Trust

Local news has picked up on the stupidity that is Real ID. The worst of it, though, is exemplified by the quote from "a Texas driver" at the end:

"The standing in line part is going to be difficult but I think as long as we have secruity [sic], we can't have enough security"

Huh? Can't have enough security? Whatever happened to freedom and liberty and all that we supposedly stand for as a nation? Whatever happened to thinking?

Oh, but we do have freedom, don't we... I could watch CSI or I could watch Lost... wow... now that's freedom.


July 06, 2006

Canadian Privacy Commissioner Report

(via Bruce Schneier) Schneier on Security: Annual Report from the Privacy Commissioner of Canada

Equally (if not more) applicable in the US.

June 18, 2006

Lauren Weinstein's "Internet and Empires" Talk

This is a really good talk that Lauren Weinstein gave at Google about technology and privacy and so on. It's long, but very good IMO.

June 01, 2006

Excel Passwords... Ha!

I'm sure the world will be shocked to learn that Microsoft's implementation of protecting Excel worksheets and workbooks may be... uhh... lacking in security. I needed to make a modification to a protected workbook (for extremely practical and entirely wholesome reasons), so I figured that I would see what it would take to figure out or find the password. Well not much, it turns out. I viewed the document using "less" in a terminal and near the end (always look there first) there's a section of code-like string fragments having to do with protecting and unprotecting, and nestled nearby was a short string that didn't make sense as code, didn't make sense as any kind of Excel keyword, and was not contained in the visible Excel workbook text.

So I tried unprotecting the workbook with that string as the password. Yep, that did it. Now I'm sure it was implemented that way so that the average human who forgets a password ten minutes after thinking it up wouldn't be completely stuck. But those kinds of "failsafes" are usually just wide open back doors. Definitely the case here.

No doubt thousands of other people figured this out long ago, but it was amusing to me.

May 18, 2006

Schneier on Privacy

If we're doing nothing wrong, why should we care about privacy? That's the subject of Bruce Schneier's latest Wired column.

May 11, 2006

Gizmo + Zfone

In light of all the "security" being implemented by the current administration, we ought to all grab Gizmo and Zfone and use them whenever possible. Gizmo is an IM-like VoIP (i.e. real VoIP using SIP, RTP, etc.) client and Zfone is Phil Zimmermann's (think PGP) contribution to VoIP security. It embeds strong crypto in the RTP stream directly, bypassing any filters or blocking at higher layers.

Gizmo: http://www.gizmoproject.com/

Zfone: http://www.philzimmermann.com/EN/zfone/index.html

More NSA Domestic Spying

http://www.schneier.com/blog/archives/2006/05/nsa_creating_ma.html

Sigh. Yay Qwest.

April 25, 2006

A Government Of, By, and For... Whom?

Another wonderful Republican legislator from Texas: http://techdirt.com/articles/20060425/0819237.shtml

Government Worldview 101: "If we don't make more laws that restrict more freedoms, uhh... uhhh... what would we do, again?"

November 02, 2005

iChat Encryption, Part Deux

So I did a little analysis of an encrypted iChat session (tcpdump is your friend). Looks to me like they're doing a public key encrypt on each message. More specifically, I think they're encrypting a random session key for each message, and then encrypting the message with the session key, using a block cipher having large-ish blocks, so I suspect it's AES. That would be both the logical, good choice and would fit my guess based on message size differences. There's a momentary lag when sending each message, which would also support the notion that they're public-key encrypting each message in some way (that and the message size and the presence of certificate-like text). Interesting stuff.
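The size-difference reasoning in this post, worked through as an added example (not the author's analysis and not Apple's code). It assumes PKCS#7-style padding and a fixed per-message overhead; the 300-byte overhead and all sample lengths are constructed, not measurements from iChat.

```python
from functools import reduce
from math import gcd

def padded_len(n, block):
    """Bytes occupied by n plaintext bytes after PKCS#7 padding (assumed scheme)."""
    return (n // block + 1) * block

def wire_len(n, block, overhead):
    """Constructed model of one message on the wire: a fixed overhead
    (wrapped session key, headers) plus the block-padded ciphertext."""
    return overhead + padded_len(n, block)

def infer_block_size(observations):
    """observations: (plaintext_len, wire_len) pairs from a capture.
    Returns every (block_size, overhead) that explains all pairs."""
    obs = sorted(set(observations))
    sizes = sorted({w for _, w in obs})
    if len(sizes) < 2:
        return []  # no size step observed, nothing to infer
    # Each jump in wire size is a whole number of cipher blocks.
    step = reduce(gcd, (b - a for a, b in zip(sizes, sizes[1:])))
    fits = []
    for block in (d for d in range(1, step + 1) if step % d == 0):
        overheads = {w - padded_len(n, block) for n, w in obs}
        if len(overheads) == 1:  # one constant overhead fits every message
            fits.append((block, overheads.pop()))
    return fits

# Constructed samples: messages of 1..40 bytes, 300-byte overhead (made up).
AES_LIKE = [(n, wire_len(n, 16, 300)) for n in range(1, 41)]
DES_LIKE = [(n, wire_len(n, 8, 300)) for n in range(1, 41)]
SPARSE = [(5, wire_len(5, 16, 300)), (40, wire_len(40, 16, 300))]

if __name__ == "__main__":
    print(infer_block_size(AES_LIKE))
    print(infer_block_size(DES_LIKE))
    print(infer_block_size(SPARSE))
```

With only two message sizes, more than one block size fits, and even a clean 16-byte step only narrows the cipher to one with 128-bit blocks, which is consistent with AES without proving it.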

iChat Encryption

It seems that Mac OS 10.4.3 has encrypted chat support for .Mac users using iChat. That's very cool... I'd love to know the details. I'd really love it if it was an iChat feature, rather than a .Mac feature, though. I use .Mac, but not everyone I want to talk to does, but a lot of them use iChat. But hey, it's a start. There is some method to that madness, though, because it appears that the .Mac servers are in charge of issuing certs to "certified" .Mac users. Only .Mac knows that information. But it would be cool to have the option to encrypt-but-not-authenticate iChat sessions with any other iChat user.

Anyway, good show Apple... but give us options for encrypted chat with non-.Mac users, por favor. We'll suffer through the unauthenticatedness.
