Re: The summer of PKI love

2005-08-12 Thread Mark Allen Earnest
James A. Donald wrote:
 --
 From: Stephan Neuhaus
 [EMAIL PROTECTED]
 
So, the optimism of the article's author aside, where
*do* we stand on PKI deployment?
 
 
 PKI's deployment to identify ssl servers is near one
 hundred percent.  PKI's deployment to sign and secure
 email, and to identify users, is near zero and seems
 unlikely to change.  PGP has substantially superior
 penetration. 

I would rank it closer to 0% myself. Don't get me wrong, we have plenty
of PK deployment with SSL servers, just no I. Anyone doing revocation
checking? How do you even do it? CRL? Delta CRL? OSCP? Do any browsers
really support these things? For those that do does any user actually
know how to do it? PKI is a massive undertaking that many seem to
confuse with just public key cryptography. Public key crypto is just one
component of PKI, and frankly I know VERY few groups that are actually
doing PKI and doing it right.

What we have are a couple dozen certificate authorities that were deemed
trustworthy by Microsoft that do not pop up warnings, and the rest that
do pop up warnings that most people blissfully ignore. HTTPS is really
good for encryption, absolutely sucks in practice for trust.

-- 

Mark Allen Earnest

Lead Systems Programmer
Emerging Technologies
The Pennsylvania State University

KB3LYB


smime.p7s
Description: S/MIME Cryptographic Signature


Re: [Clips] Does Phil Zimmermann need a clue on VoIP?

2005-08-06 Thread Mark Allen Earnest
 I've personally
  designed and deployed many PKI solutions for large corporations for all
  sorts of security applications ranging from remote VPN access to wireless
  LAN security, and I can attest that the technology is simple, scalable, and
  reliable.  

*yawn* Yet another person who confuses PK with PKI. Almost NOBODY has
ever done PKI right. The I is the part everyone conveniently forgets
when they claim otherwise.

-- 

Mark Allen Earnest

Lead Systems Programmer
Emerging Technologies
The Pennsylvania State University

KB3LYB


smime.p7s
Description: S/MIME Cryptographic Signature


Re: encrypted tapes (was Re: Papers about Algorithm hiding ?)

2005-06-07 Thread Mark Allen Earnest

Steven M. Bellovin wrote:
  The bigger issue, though, is more subtle: keeping track of the keys is
non-trivial.  These need to be backed up, too, and kept separate from 
(but synchronized with) the tapes.  Worse yet, they need to be kept 
secure.  That may mean storing the keys with a different escrow 
company.  A loss of either piece,the tape or the key, renders the 
backup useless.  


Basically, expensive or not, security is very hard to get right. When 
you look at Choicepoint, Bank of America, and Citigroup (not to mention 
universities and smaller businesses) they have little to no incentive to 
keep your personal data secure. YOU bear the cost of data compromise, 
not them. The worst they get is some bad publicity and only if it 
affects CA residents, otherwise it can be kept quiet. The threat of bad 
publicity does not mean much when next week your compromise due to bad 
security will be forgotten as the media switches to the next one.


As it stands today, the cost/benefit analysis easily directs them away 
from taking strong measures to protect customer's financial data. Doing 
so is time consuming, opens up potential for problems, and gets them 
next to nothing in return.


--

Mark Allen Earnest

Lead Systems Programmer
Emerging Technologies
The Pennsylvania State University

Lt Commander
Centre County Sheriff's Office Search and Rescue

KB3LYB


smime.p7s
Description: S/MIME Cryptographic Signature


Re: Dell to Add Security Chip to PCs

2005-02-05 Thread Mark Allen Earnest
Trei, Peter wrote:
It could easily be leveraged to make motherboards
which will only run 'authorized' OSs, and OSs
which will run only 'authorized' software.
And you, the owner of the computer, will NOT
neccesarily be the authority which gets to decide
what OS and software the machine can run.
If you 'take ownership' as you put it, the internal
keys and certs change, and all of a sudden you
might not have a bootable computer anymore.
Goodbye Linux.
Goodbye Freeware.
Goodbye independent software development.
It would be a very sad world if this comes
to pass.
Yes it would, many governments are turning to Linux and other freeware. 
Many huge companies make heavy use of Linux and and freeware, suddenly 
losing this would have a massive effect on their bottom line and 
possibly enough to impact the economy as a whole. Independent software 
developers are a significant part of the economy as well, and most 
politicians do not want to associate themselves with the concept of 
hurting small business. Universities and other educational 
institutions will fight anything that resembles what you have described 
tooth and nail.

To think that this kind of technology would be mandated by a government 
is laughable. Nor do I believe there will be any conspiracy on the part 
of ISPs to require to in order to get on the Internet. As it stands now 
most people are running 5+ year old computer and windows 98/me, I doubt 
this is going to change much because for most people, this does what 
they want (minus all the security vulnerabilities, but with NAT 
appliances those are not even that big a deal). There is no customer 
demand for this technology to be mandated, there is no reason why an ISP 
or vendor would want to piss off significant percentages of their 
clients in this way. The software world is becoming MORE open. Firefox 
and Openoffice are becoming legitimate in the eyes of government and 
businesses, Linux is huge these days, and the open source development 
method is being talked about in business mags, board rooms, and 
universities everywhere.

The government was not able to get the Clipper chip passed and that was 
backed with the horror stories of rampant pedophilia, terrorism, and 
organized crime. Do you honestly believe they will be able to destroy 
open source, linux, independent software development, and the like with 
just the fear of movie piracy, mp3 sharing, and such? Do you really 
think they are willing to piss off large sections of the voting 
population, the tech segment of the economy, universities, small 
businesses, and the rest of the world just because the MPAA and RIAA 
don't like customers owning devices they do not control?

It is entirely possibly that a machine like you described will be built, 
 I wish them luck because they will need it. It is attempted quite 
often and yet history shows us that there is really no widespread demand 
for iOpeners, WebTV, and their ilk. I don't see customers demanding 
this, therefor there will probably not be much of a supply. Either way, 
there is currently a HUGE market for general use PCs that the end user 
controls, so I imagine there will always be companies willing to supply 
them.

My primary fear regarding TCPA is the remote attestation component. I 
can easily picture Microsoft deciding that they do not like Samba and 
decide to make it so that Windows boxes simply cannot communicate with 
it for domain, filesystem, or authentication purposes. All they need do 
is require that the piece on the other end be signed by Microsoft. Heck 
they could render http agent spoofing useless if they decide to make it 
so that only IE could connect to ISS. Again though, doing so would piss 
off a great many of their customers, some of who are slowly jumping ship 
to other solutions anyway.

--
Mark Allen Earnest
Lead Systems Programmer
Emerging Technologies
The Pennsylvania State University


smime.p7s
Description: S/MIME Cryptographic Signature


Re: Simson Garfinkel analyses Skype - Open Society Institute

2005-01-28 Thread Mark Allen Earnest
Adam Shostack wrote:
I hate arguing by analogy, but:  VOIP is a perfectly smooth system.
It's lack of security features mean there isn't even a ridge to trip
you up as you wiretap.  Skype has some ridge.  It may turn out that
it's very very low, but its there.   Even if that's just the addition
of an openssl decrypt line to a reconstruct shell script.
In that case, the value of 'better' is vanishingly small, but it will
still take an attacker at least 5 minutes to figure that out.
I would contend that a false sense of security is worse than no security 
at all. Someone's behavior may be different if they are wrongfully 
assuming that their communications are encrypted by what they believe is 
strong encryption when if fact it may be very very low.

--
Mark Allen Earnest
Lead Systems Programmer
Emerging Technologies
The Pennsylvania State University


smime.p7s
Description: S/MIME Cryptographic Signature