So Far

CHARGE

The Swing

Crypto Is Not A Panacea

Bricks

I was going to write this to an internal mailing list, following this week’s PRISM excitement, but I’ve decided to put it here instead. It was written (and cribbed from other stuff I’ve written elsewhere) in response to an argument that encrypting everything would somehow solve a scary-sounding though imprecisely-specified problem, a claim you may not be surprised to find out I think is foolish.

I’ve written about this elsewhere, so forgive me, but: I think that it’s a profound mistake to assume that crypto is a panacea here.

Backstory time: in 1993, the NSA released SHA, the Secure Hashing Algorithm; you’ve heard of it, I’m sure. Very soon afterwards – months, I think? – they came back and said no, stop, don’t use that. Use SHA-1 instead, here you go.

No explanation, nothing. But nobody else could even begin to make a case either way, so SHA-1 it is.

It’s 2005 before somebody manages to generate one, just one, collision in what’s now called SHA-0, and they do that by taking a theoretical attack that gets you close to a collision, generalizing it and running it for around 80,000 CPU hours or so on a machine with 256 Itanium-2 processors running this one job flat out for two weeks.

That hardware straight up didn’t exist in 1993. That was the year the original Doom came out, for what it’s worth, so it’s very likely that the “significant weakness” they found was found by a person or team of people scribbling on a whiteboard. And, note, they found the weaknesses in that algorithm in the weeks after publication when those holes – or indeed “any holes at all” – would take the public-facing crypto community more than a decade to discover were a theoretical possibility.

Now, wash that tender morsel down with this quote from an article in Wired quoting James Bamford, longtime writer about all things NSA:

“According to another top official also involved with the program, the NSA made an enormous breakthrough several years ago in its ability to cryptanalyze, or break, unfathomably complex encryption systems employed by not only governments around the world but also many average computer users in the US. The upshot, according to this official: “Everybody’s a target; everybody with communication is a target.”

“Many average computer users in the US”? Welp. That’s SSL, then.

So odds are good that what we here in the public and private sectors consider to be strong crypto isn’t much more of an impediment for the NSA than ROT-13. In the public sector AES-128 is considered sufficient for information up to level “secret” only; AES-256 is for “top secret”, and both are part of the NSA’s Suite B series of cryptographic algorithms, outlined here.

Suite A is unlikely to ever see the light of day, not even so much as their names. The important thing that this suggests is that the NSA may internally have a class break for their recommended Series B crypto algorithms, or at least an attack that makes decryption computationally feasible for a small set of people that includes themselves, and indeed for anything weaker, or with known design flaws.

The problem that needs to be addressed here is a policy problem, not a technical one. And that’s actually great news, because if you’re getting into a pure-math-and-computational-power arms race with the NSA, you’re gonna have a bad time.

How Does Anyone Work In These Conditions

A little while ago, the espresso machine in our office broke down. This doomsday scenario is, and I say this without the least bit of hyperbole, the most catastrophically dire situation that can exist in this or any other possible universe. If the intertubes felt slow for you the last few weeks, that’s probably why.

After a while, I started asking a colleague, Sean Martell, to ‘shop up some old war propaganda every few days, to express our dismay.

So, here you go.

We Need Coffee To Survive

It Can Happen Here

We Can Do It

Mercifully it is now fixed, and productivity should normalize in a day or two.

Lightweight Notepad In A Bookmark

So, this is a cute trick that’s been making the rounds:

In Firefox, right-click your bookmarks bar and pick “new bookmark”. Call it “Quick Notepad”, and in the Location box, put:

data:text/html,<html contenteditable>

and now when you click on that bookmark, your browser window will basically become Notepad, a very light text editor. File -> Save works great, too.

Perhaps better, if you check the “Load this bookmark in the sidebar” option, that will give you an nice little way of making notes about a tab, though unfortunately this option isn’t easy to save.

Summertime

Poolside

YEAAAAAAAAAAAAAH

Aww yeah.

All Scrollbars Are Fleeting

“For over a thousand years, Roman conquerors returning from the wars enjoyed the honor of a triumph – a tumultuous parade. In the procession came trumpeters and musicians and strange animals from the conquered territories, together with carts laden with treasure and captured armaments. The conqueror rode in a triumphal chariot, the dazed prisoners walking in chains before him. Sometimes his children, robed in white, stood with him in the chariot, or rode the trace horses. A slave stood behind the conqueror, holding a golden crown, and whispering in his ear a warning: That all glory is fleeting.” – Patton (film)

I wish, just at this second, that the executives at Sony and Microsoft (though not exclusively them, to be sure) each had an employee, assigned personally to them, with a single task.

Their job is this: at any moment, day or night, at the instant that executive is about to begin something, they will decide arbitrarily, according to their whims and utterly without regard for the importance of the situation, to say the words “software update”.

At that point, the executive in question is obligated to simply stop. To be still, and do nothing. Perhaps they can decline – they can simply choose not to do whatever they were about to, knowing they’ll have to pay for this time later regardless – and after a period of time, perhaps five minutes, perhaps an hour, their employee will then simply say “restart”, and they can go on their way.

Over and over again, until they learn.

Raising A Revolution

I had a long conversation with the very excellent people of Samantha Blackmon’s “Not Your Mama’s Gamer” podcast the other day; I get rolling at around the half-hour mark. They’re quite flattering about the whole thing; we talk a lot about video games and parenting, and I had a great time doing it.

One of the points I got to make there was about the reaction I get when I tell people that I received death threats for making the Windwaker mod. They fall into basically two camps; I tell that story to men, and they’re invariably surprised, or at least feigning surprise. “Really? Death threats? No way. Really? For that?”

When I mention it to women, on the other hand, the reaction is invariably just a slow breath and long stare into the middle distance. “Yeah, that’s how it is. Did any one threaten to rape you to death? No? Well, you’re only halfway to your Being A Woman On The Internet Merit Badge, then. Oh, you though it would be any other way? That’s adorable.”

So much work to do.

No Shirt, No Shoes, No Service

No Wearable Cameras

If you own a public establishment, consider putting one of these near the door.

The keynote file it comes from is right here, under a CC-BY-SA 3.0 license, and you’re welcome to use it as often as you feel is necessary.

It’s Not Just For Lolcats

So, this is pretty awesome.

How does Wells Fargo secure your communications channel?

With animated gifs.

Ladies and gentlemen, Wells Fargo’s security. And, not to put to fine a point on it, their opinion of how trivially gulled their clients are.

Are you a client of Wells Fargo?

I’m just asking.

Narrative Paralysis

Yesterday on the subway I watched a man write “KEY INSIGHTS” at the top of a page in his Moleskine, and then just stare at the page unmoving for the next six stops. He hadn’t budged when I stepped off to switch trains; I have to admit that as the minutes ticked by, I struggled not to start laughing right there. “ZOMG Thought Leadership Liek Woah”, I was thinking.

This morning I realized I’d been staring at an email window with a “To:” line, a title, and a cursor blinking away in an otherwise empty editor for at least five minutes, maybe more.

Sorry, key-insights-on-the-subway-guy. The inside of my head could have been a little more sympathetic, it turns out.