Saturday, September 14, 2013

SSL is Broken. Here's how to Fix it!

In the last few days, Brazilian television show Fantastico published a video with details on how the NSA has been backdooring SSL connections and intercepting supposedly secure Internet communications. They accomplish this through the use of a well known technique called 'Man in the Middle" whereby the NSA inserts itself between the computer of the person they want to compromise and the computer to which that person is connecting. By doing so, they are able to establish an SSL encrypted connection with each side thereby allowing the targeted user to believe they are securely connected to a website while giving the NSA access to every single byte that crosses the wire.

This is not an encryption break. It is a well known flaw within the system that SSL relies on called "Certificate Authorities". Generally, when a website wants to offer users a secure way to connect to them, they purchase an SSL certificate from a certificate authority. Your browser has several certificate authorities defined as 'trusted' so any site that has a certificate signed by one of these authorites will also be trusted without question.

The problem is that any certificate authority can issue a valid certificate for any site and that certificate will not be questioned by the browser. That's because your browser doesn't care which certificate authority the certificate comes from, only that it's from one that it trusts. This is the NSA's ace-in-the-hole.

Let's say you buy a certificate from Verisign. Users who connect to your website will see the little lock and know that their connections are absolutely secure from eavesdropping. What the NSA does is either compel Verisign to issue a second certificate that is controlled by the agency or goes to another authority (they might even run their own) and get a second certificate. Then, they use traditional man-in-the-middle techniques to insert themselves between the users they want to attack and your site and, because their second certificate is signed by a trusted authority, it too is also trusted. The little lock engages, everything looks fine, and the NSA can watch and read everything you say and do on that particular site.

We've long suspected that this was happening. We've long known that it was possible. In fact, police successfully used this attack a number of times in the past to gather evidence that was later used to convict someone. But everyone downplayed the severity of the problem because, well, we didn't have anything better and we didn't realize that it was such a massive threat.  The leaks from Edward J. Snowden have changed that. We now know, beyond doubt, that the NSA and probably other federal agencies are actively using this attack against targets.

There is an answer and it's pretty simple...

A few years ago, security researcher and programmer Moxie Marlinspike presented a very elegant solution to the problems we face in blindly trusting certificate authorities. It was called "Notaries" and it works almost exactly like it sounds like it would.

Under the notary system, every time your browser receives a new certificate from a website, it asks several other computers on the Internet (either random ones or ones you've pre-selected) if they see the same certificate. If you're being man-in-the-middled and presented with a fake certificate, the notaries won't see the same certificate and you'll easily be able to detect a forgery. The system can be set up so that it requires the consensus of all of the queried notaries in order to mark a certificate as valid or a majority.  That means that, even if there are a few bad actors within the system - notaries controlled by the NSA, for example, it's still possible to get a reliable answer as to if the certificate you're seeing is real or not.

Notary security comes with a price...

As you might have already noticed, there is a glitch in the system that some people probably won't like. Since you're asking other computers if the certificate they see is the same certificate you're seeing, you are allowing other computers to know the sites you visit.  There isn't a good work around for that yet in Moxie's system but, for the time being, the answer seems to be 'only use notaries you trust and untrust any that violate your privacy'.

Since seeing Moxie's presentation, I've given this a lot of thought. In the end, I'm alright with selected other sites knowing what sites I visit as long as 1) I know they can't see what I'm doing on those sites and 2) they provide me with good security.  I'm sure that, once the system comes into wide use this problem will be solved pretty quickly though and there are a number of ways to address it even now. But I'll leave that as an exercise for you.

Our idea of trust has to change now...

Out of everything the leaks from Edward Snowden have shown us, the most important thing we need to take away from them is that our idea of trust and who we trust needs to change.  It turns out that the web is built on some pretty fragile security technologies that we need to seriously reevaluate. Even if we trust the companies that provide our services, that's not enough. We also need to be able to find trustable ways of consuming those services and plain old SSL simply isn't one of them.

If you want to learn more about notaries and how they very well could be the savior of web security, check out the presentation on them that Moxie did here. If you'd like to try out the concept now and you're using Firefox, you can download the plugin from here.

Liked this post?  Why not donate some Bitcoin?

Friday, September 13, 2013

Why I Chose Ubuntu One as my Cloud Storage Provider

Cloud storage is something that's really pained me over the years.  While I see the value of backing everything up to the cloud, I also see the very serious potential pitfalls of placing my data in the hands of someone else who, under the right circumstances, might be compelled to hand that data over to a third party. So, for a number of years, I've avoided using cloud storage nearly entirely.

But recently, the realities of daily life and the need to share large files with friends and collegues brought me back to considering the cloud. Since cloud storage is hot right now, there are a lot of options and I, systematically, went about trying all of the big ones for at least a week to see which I preferred. The services I tried were Dropbox, SugarSync, SpiderOak, Ubuntu One, and Jungle Disk.  I specifically excluded services like SkyDrive since 1) Microsoft seems fairly hostile towards Linux and I am a Linux user and 2) We know, through recent disclosures from Edward Snowden, that Microsoft has gotten cozy on several occassions (and possibly on an ongoing basis) with the US National Security Agency.

After trying each of these services for a week and uploading a few gigabytes of data, the choice of which service I was going to use was exceptionally clear: Ubuntu One.  Ubuntu One didn't outperform everyone else or offer the best price on storage space but it had something that none of the others did: my trust.

Overall, I trust the company behind Ubuntu One (Cannonical) to respect my privacy. The entire company is founded on the guiding principles of Free Software and respect for users rights so I feel very comfortable putting my most sensitive data in the company's hands.  Price wasn't too bad either. After getting a special deal on six months of 20 gigs of storage and purchasing another year of an additional 20 gigs, I now have 45 gigs for a little over $35 a year. Not the cheapest out there but definitely worth the little extra for the peace of mind I get.

Now, don't get me wrong: I don't trust Ubuntu One completely.  I don't just upload everything to the service without taking precautions. While I believe that they are unlikely to be compelled to disclose my data to a government agency, I don't discount the possibility of hackers or even a nosey Cannonical employee checking out my data. For that reason, I have a special folder in my Ubuntu One directory called "Sensitive" that I store any sensitive data too.  Data that I deem as sensitive is first encrypted using PGP in another directory then moved into the Sensitive directory for uploading to Ubuntu One. The service never sees unencrypted data that I deem too personal to share even with them.

Overall, I'm very happy with my choice. I feel good because I am using a company I trust and I'm helping to support a great product financially. And, since Ubuntu One is available on Windows, Mac, and Linux,  I know that I can easily access my data no matter where I go.

So that's that. My cloud storage search is over. I'm at peace with my decision and am actively recommending it to others who are looking for cloud storage solutions and who don't want to host their own. Ubuntu One seems like the best value for the security, peace of mind, and ease of use, it offers.

If you want to check it out, click on this link. You can get a free 5GB account and start using it immediately. Right now, the service is running a great special whereby if you purchase a single track from the music store for $0.99, you get six months of free streaming to your mobile device and 20gb free!

Did you like this post? Why not donate some Bitcoin!

Wednesday, September 11, 2013

How I Pay Homage to 9/11

Twelve years ago today, the largest and most deadly attack on our nation happened when Islamic terrorists used airplanes to destroy the World Trade Center in New York. That was a horrible day, perhaps the most horrible day of my life, and I've been forever changed by, not only the events that happened that day, but what's happened to our country in the intervening twelve years.

On that horrible day, the soul of our country was changed. We became fearful, distrustful of our friends and neighbors, and willing to accept things done in our name and in the name of 'protecting' us, that we probably wouldn't have accepted only a single day before.  We've seen our country become one where it's alright to swap a little freedom for some vague idea of safety and we're just about willing to accept anything in order to be assured, something nobody can really do, that we won't be attacked again.

I believe this betrays the spirit of 9/11.  For the last decade, we've been told by our government that we were attacked 'because of our freedom' and, yet, the answer to those attacks seems to be to do exactly what the attackers supposedly want: reduce freedom. It makes no sense for a free people to become less free in response to a supposed direct attack on their freedoms. It's contridictory and confusing to think that way.

So I choose not to think that way. I choose to honor the lives of those lost on 9/11 by embracing my freedom and committing to fighting those, from both inside and outside my country, who stand in its way.  I will not gnash my teeth and rent my clothing and scream and cry about how scared I am. I will not judge or fear my neighbor because of his religion or ethnicity or the color of his skin. I will not give up my liberty just for the illusion of security.

And I hope you won't either.

The best way to pay homage to those who died in the attack is to commit to living a life so free that your very existence is an insult to those who hate freedom - no matter where they come from. It's refusing to trade that liberty for any cost and not living your life in fear. It's about living your life to its fullest and to embrace liberty with a wild abandon that would make those who died proud. To me, that is what 9/11 represents. And that is how I choose to honor it.

Did you like this post? Why not donate some Bitcoin!

Sunday, September 8, 2013

The NSA Has Not Broken Internet Encryption

In the last few days since the most recent leak by Edward Snowden, I've received countless emails from people I've convinced to use encryption forwarding me story after story about how the US National Security Agency has 'broken Internet encryption".  These articles are usually followed by comments like "See, I told you they had access to everything!" or "Why bother using encryption at all now?"

Here's why: because the NSA hasn't actually broken Internet encryption!

What the Snowden documents reveal is a pattern of coercion  by the NSA to force companies into deliberately making their encryption products weak, turning over their encryption keys, or providing backdoors into encrypted systems. None of this constitutes 'breaking' encryption anymore than if I come across an open door in your house and I walk in I'm 'breaking and entering'. It's silly sensationalism put out by a media that can barely understand what encryption actually is much less what it takes to break it.

Are all encryption technologies still safe? No. I would seriously question encryption software and hardware that doesn't disclose its source code for public review. I know companies like to yell 'trade secrets' but that's bull. Encryption isn't a trade secret and by claiming it is they are showing that 1) they don't fully understand encryption and why it's not a bad thing to publish your source code or 2) they are afraid of public review; maybe because something is there to find.

So, as these leaks continue to give us a better view of how the NSA operates in attacking the Internet, one thing becomes clear: we have passed the time when we can blindly trust technology companies and the software they create to protect us. We need more than words and promises from these companies because words are cheap. We need source code, we need peer review, we need complete transparency.

Now, I know a lot of you will say 'being open source doesn't guarantee that there aren't subtle things in the code meant to weaken it' and that's very true. But being open source means that we have a better chance to discover those holes and weaknesses than we do if we don't have the source code.  It's trivial to hide something nasty in a product that doesn't disclose its source code; it's not so easy to do so when thousands of eyes will be pouring over the code specifically looking for those 'something nasty's'.

So, no, "Internet encryption' has not been broken - not all of it at least. But it's time that we become much more choosy about the products and companies in who's hands we place our security.  We have to outright reject the notion of 'trusted companies' and only accept verifiable proof that a company's products are secure. That's the only way we'll have a fighting chance against adversaries like the NSA.

Now, go tell the New York Times to shut the hell up about things they know nothing about.

Liked this post?  Send me some Bitcoin!

Saturday, September 7, 2013

Trust is an Easy Word. Fighting the Government Shows Integrity

In todays networked world, we hear the word 'trust' a lot.  Companies like Google, AT&T, Apple, and others constantly talk about how their customers trust them and how we should trust them with the most intimate details of our lives: our contact lists, our emails, our medical records, everything. "Store it in the cloud!", they proclaim, "We can be trusted to protect your data".

But that really hasn't proven to be the case, has it?  Recent revelations from NSA whistleblower Edward Snowden have shown that these companies don't deserve our trust.  Many of the large companies who hold our most secret information have proven that they are willing to betray us as long as they are, in turn, protected from our ire.

These companies all sing a familiar song: "it's the government", they say, "We're being forced to turn over your data to them. It's not our fault!"  In many, if not most cases, this is technically true. But it's not the whole story.

When the government comes knocking on a corporations door, the leaders of that business are immediately faced with a choice: do they roll over and hand the government data their users have entrusted to them or do they fight?  We know that, in the majority of cases, these companies have simply chosen to give in and hand over the goods.

And why shouldn't they?  After all, they are protected from us  by the government! It's highly unlikely that they will ever be caught betraying their users and, even if they are, they have special arrangements with the government where they largely can't be sued. It's a sweet deal that allows the company to take the easy way out of a tough moral decision. It lets them out of the legal aspect of it, but it doesn't release them from the immorality of what they're doing.

Don't get me wrong, I understand that there are times when those companies that choose to fight will lose and have to hand over their users data. But at least they've shown that they've tried to protect you. It's easy to claim patriotism or coercion and roll over. It's another thing to stand up, dig your heels in, fight, and lose.  One is the cowardly way out. One shows integrity.

So the next time you hear a company talk about trust, ask yourself (and them) this: are they willing to stand up and fight for your rights when your data is demanded from them by a large and powerful adversary like the government?  If they aren't, then they don't deserve your trust or your business. Words are cheap. It's easy to throw around words like 'trust' and 'integrity'. It's a whole other story to actually be a company people can trust.

So far, I'm not seeing a lot of reasons to trust anyone in today's tech world. And that is perhaps the saddest part of this whole NSA scandal: learning how deeply we've been betrayed.

Did you like this post? Why not send me some Bitcoin!

Friday, September 6, 2013

It's impossible for an indie developer to make a living writing software for Linux

Less than  a year ago, I transitioned my small startup from one that primary did IT consulting to one that developed interesting software products. I'm a one man shop and I originally only developed for Windows. But, after revisiting a tool that allowed me to easily build cross-platform applications, I decided to try my hand at developing applications for the Ubuntu Linux desktop.

I chose Ubuntu for a number of reasons. Most importantly, it seems like that's the distro where all the exciting things are happening and technologies are truly being expanded.  It also is the distro with the largest number of desktop users and the greatest need for really good  consumer software. So I ported a few of the applications that were selling particularly well on Windows to Ubuntu and put them up for sale in the Software Center.

I treated this like any other part of my commercial venture: I did marketing, PR, advertising, the whole nine-yards. And, for about a few months, things went pretty well.  They went so well, in fact, that I got seduced into believing that, with the right software,  I might just be able to make a full-time living writing software for the great untapped Linux desktop market.

Then sales tanked. I don't mean they "declined" either. I mean they tanked. Within a few weeks I went from selling a pretty decent amount of software to selling one to two copies a month. Then, after another month or two, that number dropped down to zero.

I developed other software, played on novel things that I'd seen the community say 'it would be nice to have' and, once again, I saw a slight (and I mean slight) number of sales then a near total drop.

So now, while I'm still primarily a Linux user and I'll continue to develop free and open source software for Linux, I'm back to developing all of my commercial software for Windows and Mac full-time.

I realize there are a number of possible explanations as to why my software didn't sell. One might be that it simply wasn't good software. I've considered that and, while that's a possibility, I have to contend with the fact that the Windows version was selling really well.  I know the Linux and Windows crowds are very different, but there are some common themes that run between them; enough where consumer software that resonated with one should resonate at least a little bit with the other.

Another explanation might be that I wasn't producing the right kind of software for Linux. Like I said: with the two markets being so different there is a chance that what people want and are willing to pay for on one platform doesn't automatically translate to the other platform.

A third option might be that my software was not open source - a huge selling point in the Linux community.   If I had to pick one of the reasons I just mentioned as something that contributed to my non-sales, I'd likely say this was it. In fact, I got comments on Google+ telling me I was a traitor to the Linux community for not giving away my source code.

But I honestly don't think any of these reasons are the real reason my software didn't sell. I believe it's because, as a general rule, Linux users are simply not used to and very averse to spending any money on software at all.  I'm not saying Linux users are cheap (the success of packages like the Humble Bundle disproves that) but they are much more selective  at what they spend their money on than their Mac and, especially, Windows using cousins.

On the Mac and Windows platforms, users are used to paying for software. Sure, they'll look for zero cost software first but, in the end, it's not that big of a deal if they have to pull out their wallet and slap down some cash to get what they want. In the Linux world, this is most certainly not the case. Windows and Mac users are not really willing to use really hard to use or crappy software just because it's free. Linux users are. Linux users are also not averse to simply writing their own software if the itch scratches them which is not generally something Windows and Mac users can do.

All that tallies up to the fact that it's impossible at this time for an indie developer to make a living (I don't mean a few hundred bucks a month, I mean a real living where you can pay your bills and eat) by writing software for the Linux desktop. Even Ubuntu, the most popular Linux desktop in the world. Maybe one day that will change, but right now, it's just not doable.  And I'm not saying that because I couldn't make money writing Linux software, I'm saying that because nobody writing consumer software for Linux is making a living doing it.

For me, the realization of that fact was very depressing. On one hand, I know that, in order to succeed, Linux needs good, professionally designed software. On the other hand, I think it's exceptionally difficult for developers to write that type of software while relying on donations (which is what the common advice is).  Developers need to eat, they have bills, they have children and families. Passion and idealism is one thing, reality can be quite another. At the end of the day, at least in my case, I choose financial stability over idealism. I'd love to write Linux software full time. But I also really like to not go to bed hungry.

Unfortunately, at least for now, the two simply don't mix well.

Thursday, September 5, 2013

Paypal Strinks Again: $45,000 in MailPile Campaign Funds Frozen!

The MailPile project made a disturbing announcement on their blog  earlier today, announcing that, of the $135,000 they raised in a whirlwind Indigogo fundraising campaign, Paypal, the payment processor used by Indigogo, has frozen $45,000 and nobody knows when or if they plan to release it.

MailPile is an open source project with the goal of creating a secure, easy to use, webmail client that integrates things like PGP and other privacy preserving features. There's been a lot of excitement around the project since the fundraising campaign started and this could be a serious blow if it's not resolved.

As many of you know, this is not the first time Paypal has frozen an account for dubious reasons. There's a whole website dedicated to Paypal horror stories and many developers and contractors have found themselves unfortunate victims of Paypal's wishy-washy attitude about 'possible fraud'.  It seems like that's the general excuse the company uses when it wants to hold onto someone's money for an indefinite amount of time without any detailed explaination.

In the case of MailPile, though, Paypal did offer a 'resolution; of sorts: they wanted a detailed breakdown of how the MailPile team plans to use the money,

While I understand Paypal's position of trying to protect their customers, it's fairly obvious that MailPile isn't conducting fraud and they're not a threat to any Paypal customer. Why Paypal would choose to freeze their account while countless others of questionable merit go unfrozen is beyond my comprehension.

For now, the MailPile team asks that the community not take any drastic action. They certainly don't want us to cancel our donations since it seems one of the things Paypal is concerned with is chargebacks. They ask that, if you're concerned about what's going on, speak out. Write to Paypal (a cordial letter) or blog about it. Speak about it on Twitter and let people know what's going on. This is probably the best way we can help MailPile now.

I also want to encourage anyone considering donating to the MailPile campaign to do so via Bitcoin instead of Paypal. I noticed that the project had a Bitcoin address on their site and I think that's probably one of the most assured ways that they will see a direct benefit from your donation. While you likely won't get any of the perks associated with the Indiegogo campaign (or maybe you will, I don't know), it's a great way to support the project outside of Paypals grasp.

You can find their Bitcoin address on the main page of their site.