DNSSEC Has Failed (Update 26/3)

The original specification of DNSSEC dates from 1997: RFC 2065. That is now over 17 years since its first appearance. It has had a turbulent history and has undergone some big changes, but even the ‘final’ specification (RFC 4033) is over 9 years old. Yet I am going to argue that it has failed.


Security Awareness Should be a Public Service

Cory Doctorow argues that security engineering should be public, like public health:

I think there’s a good case to be made for security as an exercise in public health. It sounds weird at first, but the parallels are fascinating and deep and instructive.

Last year, when I finished that talk in Seattle, a talk about all the ways that insecure computers put us all at risk, a woman in the audience put up her hand and said, “Well, you’ve scared the hell out of me. Now what do I do? How do I make my computers secure?”

And I had to answer: “You can’t. No one of us can. I was a systems administrator 15 years ago. That means that I’m barely qualified to plug in a WiFi router today. I can’t make my devices secure and neither can you. Not when our governments are buying up information about flaws in our computers and weaponising them as part of their crime-fighting and anti-terrorism strategies. Not when it is illegal to tell people if there are flaws in their computers, where such a disclosure might compromise someone’s anti-copying strategy.

I agree that security these days is harder than ever. The Internet has become a hostile environment and there are many actors actively trying to break anything connected to it.

Public health is a public service because it is in everybody's interest and there is little an individual can do about it alone. Making security a public service, however, creates exactly the wrong incentive: companies release broken products and rely on consumers not knowing or caring. What we need is more awareness and public outrage, so that consumers actually care about this and can make an informed decision.

Informing the public about security-related issues, on the other hand, is something I can agree with as a public service.


Dan Geer’s Speech Before RSA Conference 2014

Dan Geer gave a keynote at the RSA Conference 2014 that raises many excellent questions, questions that I see as well.
Full transcript.

Cryptocat toys with users' privacy

Last week some news about Cryptocat caught my eye: they have just launched a new monitor. This monitor lets you see Cryptocat usage numbers worldwide, broken down by rough geographic area. As I did with the WhatsApp alternatives, I immediately checked the privacy policy and was surprised by what I found.


[Dutch] Digitisation of Youth Healthcare (Jeugdgezondheidszorg)

Digitisation is convenient, because it is efficient and saves money; this has been a dogma in Dutch politics for some time. In practice that often turns out not to be the case, but that does not stop the politicians. We see this with the unpopular Elektronisch Patiënten Dossier (electronic patient record), and for some time now the same dogma has also been applied, with considerable difficulty, to youth healthcare (Jeugdgezondheidszorg).



Experiences With Responsible Disclosure

Hackers have been an important part of the Internet since its creation. They are the ones who push the technology just over the edge to see what happens. Sometimes things break; sometimes new products are created or new ways of using technology become available to users. Many hackers feel an obligation to share their insights so that the technology can be improved, and this leads to public disclosures.

Ethernet energy efficiency

How power-hungry are various permutations of Ethernet on modern MacBook Pros? Tests performed and written up by Jeroen van der Ham and Iljitsch van Beijnum.


Testing Net Neutrality is Hard

In the Netherlands we have a law on net neutrality, and we are trying to defend this in Europe as well. Our law has been in effect since 2012. About one year after that, ISOC-NL received reports that some providers were breaking net neutrality. This was discussed in the Internet Transparency WG, of which I am also a member. The group worked together with the University of Dhaka to create a mobile app, Open Internet, to test net neutrality on mobile providers.

WhatsApp Alternatives part 2 – Secure Communication

This is an addition to my other post about WhatsApp alternatives. There are other tools that provide more than just messaging. Below is my personal impression of these.

WhatsApp alternatives

Update: Threema support responded: traffic data is deleted when the message is delivered, or after two weeks, whichever comes first.

The popular WhatsApp messaging service was bought by Facebook last week. It is reassuring to see that many people are worried about this. It means Facebook can collect and combine even more data about you than it already does. It already had the posts that you share with all your friends; now it also has the messages that you share with your best friend, or with small, selected groups of friends. This worry means that people are now looking for alternatives, and below is my personal take on some of the alternatives that I have seen.