First Phase Of Security Audit Finds Vulnerabilities But No Backdoors In TrueCrypt Encryption Software

In the wake of the serious Heartbleed flaw in OpenSSL, more people are becoming aware of how widely used and important open source encryption tools are, and how their security is too often taken for granted. Some people were already worrying about this back in September last year, when we learned that the NSA had intentionally undermined encryption by weakening standards and introducing backdoors. As Techdirt reported, that led to a call for a security audit of TrueCrypt, a very popular open source disk encryption tool. Fortunately, the Open Crypto Audit Project raised a goodly sum of money through FundFill and IndieGogo, which allowed the first phase of the audit to be funded. Here’s what’s now been done (pdf):

The Open Crypto Audit Project engaged iSEC Partners to review select parts of the TrueCrypt 7.1a disk encryption software. This included reviewing the bootloader and Windows kernel driver for any system backdoors as well as any other security related issues.
The good news:

iSEC found no evidence of backdoors or otherwise intentionally malicious code in the assessed areas.
However, it did still find vulnerabilities in the code it examined:

the iSEC team identified eleven (11) issues in the assessed areas. Most issues were of severity Medium (four (4) found) or Low (four (4) found), with an additional three (3) issues having severity Informational (pertaining to Defense in Depth).


Overall, the source code for both the bootloader and the Windows kernel driver did not meet expected standards for secure code. This includes issues such as lack of comments, use of insecure or deprecated functions, inconsistent variable types, and so forth.
Because of that, among the recommendations that iSEC made was the following:

Improve code quality. Due to lax quality standards, TrueCrypt source is difficult to review and maintain. This will make future bugs harder to find and correct. It also makes the learning curve steeper for those who wish to join the TrueCrypt project.
That’s an important point, and probably something that other open source projects might take to heart, too. Some have called into question whether Linus’s Law — that “given enough eyeballs, all bugs are shallow” — really holds for free software (although Eric Raymond, author of “The Cathedral and the Bazaar”, has offered a robust defense of the claim). One reason why those eyeballs may not be finding the bugs is that the code, though open, is unnecessarily hard to read: a reviewer who cannot tell what a function is supposed to do cannot tell when it does something else.

The fact that vulnerabilities were found — even if “all appear to be unintentional, introduced as the result of bugs rather than malice” as iSEC puts it — is another reason why the second phase of the audit, which will look at the details of how the cryptographic functions have been implemented, is necessary. The discovery of “issues” in TrueCrypt’s code also underlines why similar audits need to be conducted for all important open source security programs: if there are vulnerabilities in TrueCrypt, there are likely to be more elsewhere, perhaps much more serious. Finding them is largely a question of money, which is why companies currently free-riding on free software — perfectly legally — should start seriously thinking about making some voluntary contributions to help audit and improve them to prevent another Heartbleed.


French Politician Wants Twitter To Help Censor Speech

Jason Farago, a journalist for the UK’s Guardian newspaper, praises a call by Najat Vallaud-Belkacem, a French politician and Minister for Women’s Rights, for Twitter to take responsibility for “hateful tweets” which are “illegal.”

Vallaud-Belkacem is calling for Twitter “to take steps to help prosecute” tweets that France considers illegal. It seems impractical that a company providing a platform that encourages free speech around the globe should somehow then be responsible for policing that speech to the point of legal prosecutions against people. It is the role of the justice system (police and courts) to investigate and prosecute infringements of our laws.

The government there has made it clear to ISPs there that they might be held liable if they don’t “help” make sure that “bad stuff” online doesn’t see the light of day. The response is to overblock, just to be “safe.”

Somehow, well meaning people seem to think that “bad” speech is just obvious. But it’s not. Speech is speech, and whether or not it’s “good” or “bad” may very much depend on an individual’s context, sense of humor, situation in life or a variety of other issues. To think that Twitter, or any company, should be in a position to make decisions about a person’s ability to speak based on such amorphous concepts is a recipe for disaster — and basically runs counter to everything that a service like Twitter is about. Vallaud-Belkacem’s logic follows the standard censor’s argument — claiming that freedom of expression is important… except for speech she doesn’t like.

For what it’s worth, I agree 100% that the tweets she’s complaining about are offensive and disgusting. But to pin the blame on Twitter is to totally misplace it. It actually serves to take the focus off of those who actually posted the controversial posts, and suggest that if only we hid speech we didn’t like, it would go away. That’s not what happens. Instead, those who are censored tend to believe that they’re being persecuted by a government (or company) that “can’t handle the truth” and wants to shut them up. It doesn’t encourage the ignorant to be taught why they’re ignorant. It doesn’t encourage important discussions on why such statements are ridiculous and offensive. Instead, it just tries to sweep everything under the rug.

Pirate Party Logo

The Pirate Party

The Pirate Party [1] wants to fundamentally reform copyright law, get rid of the patent system, and ensure that citizens’ rights to privacy are respected. Founded by Rick Falkvinge on 1 January 2006 in Sweden, the movement is going from strength to strength.

Three tenets of the agenda [2] are:

  • Reform of copyright law to promote the sharing and spread of knowledge and ideas, aiming to make the Internet the greatest public library ever created. All non-commercial copying and use should be completely free. In today’s fast-paced, technology-led environment, commercial copyright should be limited to five years after publication (not seventy years after the author is dead). A complete ban on Digital Rights Management (DRM) as a way for the media companies to both write and enforce their own arbitrary laws.
  • Eliminate the patent system. Pharmaceutical and software patents are singled out. In the case of pharmaceuticals, a report published by the European Federation of Pharmaceutical Industries and Associations (EFPIA) [3] is cited. According to the 2006 report, compulsory health insurance across the European Union contributes €97.7B to pharmaceutical research and development (R&D). If 20% of this were allocated directly to R&D, more money would be spent on research while taxpayers would see a drastically lower cost. Software patents inhibit technical progress in the IT field, and pose a serious threat to both small and medium-sized companies and private programmers. Although current patent law explicitly says that computer programs should not be patentable, such patents are commonly granted.
  • Respect for the right to privacy. Following the 9/11 terrorist attacks, Europe has allowed itself to be swept along with increasing the level of surveillance and control over all its citizens. Modern European history, in particular under Communist regimes and Fascism, demonstrates how convincingly the state can tell us that such steps are necessary, and how often that road also leads to abuse of those powers and state-sponsored oppression.

With this agenda, Pirate Parties have been started in some 33 countries, inspired by the Swedish initiative. They cooperate through Pirate Parties International (PPI) [4].

The Pirate Party of Germany gained seats in the city councils of Münster and Aachen in August 2009, and in the federal election a month later received 2.0% of the party list votes, becoming the biggest party outside the Bundestag. In the election to the Abgeordnetenhaus in Berlin in September 2011, the Pirate Party received 9% of the votes and, for the first time in Germany, gained seats in a state parliament.

[1] http://thepirateparty.com/

[2] http://thepirateparty.com/index.php/policy-overview

[3] http://www.efpia.org/Objects/2/Files/infigures2006.pdf

[4] http://en.wikipedia.org/wiki/Pirate_Parties_International


Hulu Considers TV Everywhere Authentication

Sources tell The New York Post [1] that Hulu is considering a change to the TV Everywhere model proposed by Comcast and Time Warner [2]. Under that scheme, viewers would have to prove they are pay-TV customers in order to watch shows through the popular online service. The same sources claim this authentication model was behind the move last week by Providence Equity Partners to cash out of Hulu after five years.

Hulu is a joint venture between NBC, News Corp/Fox, and (since last year) Disney/ABC. It was created by the US TV networks as a counterweight to YouTube, a safe place where they could run their full-length TV shows online with their own ads.

This development must be considered bad news for the 31 million “cable-cutters” attracted to Hulu’s free-for-all model. TV Everywhere (TVE) is a verification system that would require viewers to log in with their cable or satellite TV account credentials.

[1] http://www.nypost.com/p/news/business/tv_in_real_dime_ph0GiKk7rC9agDUEkHae2I?utm_medium=rss&utm_content=Business

[2] http://blog.comcast.com/2009/06/on-demand-online-and-tv-everywhere.html


Music in 5-4 time

Odd Meters

Listening to the Dave Brubeck Quartet’s iconic jazz album, Time Out, got me thinking about “Odd Meters”. Odd meters are what musicians call exceptional time signatures.

In musical notation, a bar is a segment of time defined by a given number of beats. Each beat is assigned a particular note value or duration. A piece of music consists of several bars (usually of the same length), and the number of beats in each bar is specified at the beginning of the score by the top number of a time signature, while the bottom number indicates the note value of the beat. For example, a waltz is written in 3/4 time (spoken as “three-four time”). The top number, “3”, means three beats in every bar; the bottom number, “4”, indicates that each beat has a quarter-note duration. This gives a waltz its typical 1-2-3, 1-2-3, 1-2-3 rhythm and feel.

What’s the connection between this music theory lesson and Dave Brubeck?

Some music written in odd meters sounds like an intellectual exercise. The music of Dave Brubeck and Paul Desmond is a notable exception. Recognised as one of the greatest jazz albums ever recorded, Time Out sold over a million copies after its release and continues to be popular 50 years after it was written. Every track on the album is written in an unusual time signature. “Take Five” has become arguably the most popular piece of music ever written in 5/4. Written by and featuring Paul Desmond on alto saxophone, Take Five became a million-selling single and a Billboard chart hit, a serious feat for a jazz track.

Dave Brubeck composed Unsquare Dance in the 7/4 time signature. He used rhythmic influences from Eastern Europe to create a very fresh sound previously unheard in jazz.

Other notable music in odd meters, mostly 5/4, includes:

  • Money by Pink Floyd (written in 7/4, apart from the 4/4 guitar solo).
  • How Deep the Father’s Love for Us recorded by Sarah Sadler.
  • Theme tunes from Mission Impossible, Mod Squad, and The Incredibles.
  • River Man recorded by Nick Drake.
  • In Mixolydian Mode (No. 48) by Bartók.
  • English Roundabout by XTC.
  • Do What You Like by Blind Faith (Eric Clapton, Steve Winwood etc.).


Pass Me A Cold One

Beer has shaped civilization for centuries. It’s one of the oldest alcoholic beverages, and it comes in countless varieties for just about every taste. The progress of beer is unstoppable, and here are just a few more advances in the field of beer:

  • Japan-based brewer Kirin has developed a special tap that chills the head of the beer to 23 degrees Fahrenheit (−5 °C) so it freezes. The frozen foam acts as a lid that keeps the beer cold for up to 30 minutes. (http://beerstreetjournal.com/kirin-launching-frozen-foam-beer/)
  • Otley Brewing Company in South Wales has launched a range of beer flavoured ice creams and sorbets. (http://www.morningadvertiser.co.uk/Pub-Chef/Otley-brewer-launches-beer-flavoured-ice-cream)
  • In a marketing deal, the iconic secret agent James Bond will ditch his trademark shaken Martini for a sip of a beer. Makers of the latest Bond movie, Skyfall, have linked a $45 million advertisement campaign that will see 007 sip a Heineken in at least one scene. (http://www.dailymail.co.uk/tvshowbiz/article-2131180/Daniel-Craig-shaken-stirred-Heinekens-sponsorship-new-Bond-film-Skyfall.html)

Finally, the German Institute for Pure Beer (DIRB) is trying to get Germany’s 16th-century beer purity law listed by the UN as one of the world’s cultural treasures. UNESCO’s list already includes activities such as flamenco dancing in Spain, traditional carpet-weaving in Iran, the chant of the Sibyl in Majorca, oil wrestling in Turkey and French gastronomy. (http://www.thelocal.de/society/20110527-35277.html)


European Politicians Protest ACTA with Anonymous Masks

Rent a Crowd

What do you do when you have an unpopular cause but still wish to get media attention?

Bizarrely, it appears that some in the copyright lobby decided to try to put on a pro-ACTA demonstration for World Intellectual Property Day. The group in Germany reportedly tried recruiting students, who were offered €100 to attend a two-hour demonstration.

A Google translation of the text,

Reference: http://torrentfreak.com/copyright-lobby-hires-pro-acta-demonstators-120424/

This comes against a background of widespread protests across Europe in opposition to ACTA, which its critics regard as anti-democratic. Poland’s Prime Minister, Donald Tusk, was forced to stall his country’s ratification of the treaty after politicians attended government functions wearing Anonymous masks in protest (post image). If Poland or any other EU member state, or the European Parliament itself, fails to ratify the document, it becomes null and void across the union.


French Tweeters Get Around Ban On Tweeting Election Results Using WWII-Era Codes

The first round of the French presidential election, on 22 April 2012, saw a throwback to the coded messages the BBC broadcast from London to Resistance fighters in Nazi-occupied France during World War II. A whole new generation of French citizens used similarly cryptic terms to get around a law that forbids anyone from announcing results or predictions before the polls close at 8:00 pm.

Using simple code words for each of the candidates, French Twitter users dodged the ban on predicting the outcome before the polls closed, an offence that carries fines of up to €75,000:

  • As a result, incumbent Nicolas Sarkozy became either Tokaji wine which, like his father, comes from Hungary, or Rolex because of his perceived “bling-bling” lifestyle.
  • His Socialist opponent Francois Hollande was either Gouda cheese (from Holland) or a soft, sweet “Flanby” caramel dessert, an old and unforgiving nickname for the portly frontrunner.
  • Far-right candidate Marine Le Pen was associated with the names of totalitarian regimes or rodents and Communist Party-backed Jean-Luc Melenchon was either a rotten tomato or something linked to the former Soviet Union.

From there, it sounds like people just had fun with it, figuring out all sorts of ways to obliquely refer to the different candidates and how well they were doing without naming any of them. Once again, the internet treats censorship as an obstacle and routes around it, here through a rather creative form of “encryption” (strictly speaking a shared codebook rather than a cipher: the words are only opaque to someone who has not seen the mapping, and the mapping was public within minutes).


EU Supporters Contemplate Rejecting ACTA

Last week we saw the Socialists and Democrats, the second-largest bloc in the European Parliament, turn against the Anti-Counterfeiting Trade Agreement (ACTA). The Rapporteur for ACTA, David Martin MEP (Labour / Scotland), has recommended that the European Parliament should reject the treaty, saying:

“in the end I think the hopes of ACTA are outweighed by the fears; my recommendation is that we reject ACTA”.[1]

Martin’s view was echoed by both the President of the Socialists & Democrats in the European Parliament, Johannes Swoboda (Austria) , and by Sergei Stanishev (Bulgaria), Interim President of the Party of European Socialists, who said:

“The attempt to tackle infringement of intellectual property rights on the internet was done in a very short sighted way. This is a serious subject that needs to be dealt with, however ACTA is not the right place, ACTA is not the right tool and this is not the right way to deal with this issue”. [2]

This makes it practically certain that the left-wing bloc will vote against ratifying ACTA this summer. Combined with the stated position of the Green party, that means ACTA is closer to being thrown out when the vote for ratification takes place in Brussels this summer. The deciding factor is how politicians in the centre-right coalition of Liberals and Conservatives will vote. One of the key centre-right members in the European Parliament, Daniel Caspary (Christian Democrats / Germany), said that the relevant EU committees must be given enough time to make their reports before the final vote, but added, significantly:

“If we reject ACTA, we should tell the European Commission exactly why, and present them with alternative proposals”.

The fact that even the centre-right parties are now seriously thinking about rejecting ACTA, and what to do next, means that while ACTA may not be dead in Europe yet, it is looking increasingly unlikely to make it into law.

[1] http://www.bbc.co.uk/news/technology-17728045

[2] http://www.euractiv.com/infosociety/eu-parliament-draftsman-urges-acta-rejection-news-512122
The Odd Future Approach: Give Away The Music, Sell Awesome Stuff

The BBC has a great short video feature looking at Odd Future, the massively popular (and equally controversial) rap collective, and their merchandise-focused approach to the music business. Odd Future has always been an interesting case study in music: their graphic content prevents them from getting much radio play, their career was started and built online, and they give away all their music (20 albums’ worth, at this point) for free. But they have been making money since the beginning by selling homemade merchandise directly to fans, offering lots of limited edition shirts and one-off products. Now they’ve combined that approach with their highly successful tours, by launching pop-up merch shops in every city before the show. They do meet-and-greets at the shop where they take photos and sign autographs. The fans love it: they were in Toronto recently, and the line for the pop-up shop stretched several blocks, and according to the BBC they are moving unique hand-made t-shirts at £100 each.

Tour merchandise has always been popular, but Odd Future takes it to the next level (though they’re not the only artists to experiment with this kind of thing). Rather than just selling cheap t-shirts at a massive markup from a table in the venue, they turn it into a whole companion experience to the show, and offer merch that’s actually one-of-a-kind. The Odd Future kids are naturals at connecting with fans, and this shows how they also combine that with a bundle of different reasons to buy. Well-known for shirking the establishment in every way imaginable, Odd Future doesn’t seem to care too much about record sales, and they definitely don’t care about piracy or competing with free—they’ve found a new way of doing things, and it’s working.

Note: let’s not turn this into a debate about the morality/merits of Odd Future’s music. For that, head over to Tim Cushing’s excellent post on Lost In The Sound.

Article source: http://www.techdirt.com/blog/casestudies/articles/20120411/11583818455/odd-future-approach-give-away-music-sell-awesome-stuff.shtml