Category Archives: Technology

Miscellaneous technology related articles

Heartbleed

First Phase Of Security Audit Finds Vulnerabilities But No Backdoors In TrueCrypt Encryption Software

In the wake of the serious Heartbleed flaw in OpenSSL, more people are becoming aware of how widely used and important open source encryption tools are, and how their security is too often taken for granted. Some people were already worrying about this back in September last year, when we learned that the NSA had intentionally undermined encryption by weakening standards and introducing backdoors. As Techdirt reported, that led to a call for a security audit of TrueCrypt, a very popular open source disk encryption tool. Fortunately, the Open Crypto Audit Project raised a goodly sum of money through FundFill and IndieGogo, which allowed the first phase of the audit to be funded. Here’s what’s now been done (pdf):

The Open Crypto Audit Project engaged iSEC Partners to review select parts of the TrueCrypt 7.1a disk encryption software. This included reviewing the bootloader and Windows kernel driver for any system backdoors as well as any other security related issues.
The good news:

iSEC found no evidence of backdoors or otherwise intentionally malicious code in the assessed areas.
However, it did still find vulnerabilities in the code it examined:

the iSEC team identified eleven (11) issues in the assessed areas. Most issues were of severity Medium (four (4) found) or Low (four (4) found), with an additional three (3) issues having severity Informational (pertaining to Defense in Depth).

Overall, the source code for both the bootloader and the Windows kernel driver did not meet expected standards for secure code. This includes issues such as lack of comments, use of insecure or deprecated functions, inconsistent variable types, and so forth.
Because of that, among the recommendations that iSEC made was the following:

Improve code quality. Due to lax quality standards, TrueCrypt source is difficult to review and maintain. This will make future bugs harder to find and correct. It also makes the learning curve steeper for those who wish to join the TrueCrypt project.
That’s an important point, and probably something that other open source projects might take to heart, too. Some have called into question whether Linus’s Law — that “all bugs are shallow, given enough eyeballs” — is really true for free software (although Eric Raymond, author of “The Cathedral and the Bazaar”, has offered a robust defense of that claim). One reason why those eyeballs may not be finding the bugs is that the code, though open, is unnecessarily hard to read.

The fact that vulnerabilities were found — even if “all appear to be unintentional, introduced as the result of bugs rather than malice” as iSEC puts it — is another reason why the second phase of the audit, which will look at the details of how the cryptographic functions have been implemented, is necessary. The discovery of “issues” in TrueCrypt’s code also underlines why similar audits need to be conducted for all important open source security programs: if there are vulnerabilities in TrueCrypt, there are likely to be more elsewhere, perhaps much more serious. Finding them is largely a question of money, which is why companies currently free-riding on free software — perfectly legally — should start seriously thinking about making some voluntary contributions to help audit and improve them to prevent another Heartbleed.

BBC

The Odd Future Approach: Give Away The Music, Sell Awesome Stuff

The BBC has a great short video feature looking at Odd Future, the massively popular (and equally controversial) rap collective, and their merchandise-focused approach to the music business. Odd Future has always been an interesting case study in music: their graphic content prevents them from getting much radio play, their career was started and built online, and they give away all their music (20 albums worth, at this point) for free. But they have been making money since the beginning by selling homemade merchandise directly to fans, offering lots of limited edition shirts and one-off products. Now they’ve combined that approach with their highly successful tours, by launching pop-up merch shops in every city before the show. They do meet-and-greets at the shop where they take photos and sign autographs. The fans love it—they were in Toronto recently, and the line for the pop-up shop stretched several blocks, and according to the BBC they are moving unique hand-made t-shirts at £100 each.

Tour merchandise has always been popular, but Odd Future takes it to the next level (though they’re not the only artists to experiment with this kind of thing). Rather than just selling cheap t-shirts at a massive markup from a table in the venue, they turn it into a whole companion experience to the show, and offer merch that’s actually one-of-a-kind. The Odd Future kids are naturals at connecting with fans, and this shows how they also combine that with a bundle of different reasons to buy. Well-known for shirking the establishment in every way imaginable, Odd Future doesn’t seem to care too much about record sales, and they definitely don’t care about piracy or competing with free—they’ve found a new way of doing things, and it’s working.

Note: let’s not turn this into a debate about the morality/merits of Odd Future’s music. For that, head over to Tim Cushing’s excellent post on Lost In The Sound.

Article source: http://www.techdirt.com/blog/casestudies/articles/20120411/11583818455/odd-future-approach-give-away-music-sell-awesome-stuff.shtml

Apple

China’s fake Apple stores

The signs look real, the products look real and the staff all think that they work for Steve Jobs – but five Apple stores in the city of Kunming, southern China are fake.

A fascinating discovery by 27-year-old American blogger BirdAbroad: after a few months away, she found that her neighbourhood had changed pretty fast, with three Starbucks, an H&M and, seemingly, three Apple stores having popped up while she was gone.

Grey slate floors, steel staircases, wood benches and staff in branded blue t-shirts. Everything appears routinely Apple. But look more closely and some of the branding is a little off (Apple doesn’t write ‘Apple Stoer’ under its logo) and the staff badges don’t carry individual names. The fake Apple store in China is so convincing that even its staff are fooled and appear to think they are working for the real Apple. An astonishing piece of extreme bootlegging.

Although Kunming, the capital city of southwestern Yunnan Province, is typical of China’s rapid development, it is a relatively remote city and the intrepid blogger was suspicious. She looked up Apple’s official China site and lo – Apple has only four stores in China, two of which are in Beijing and two in Shanghai.

“Being the curious types that we are, we struck up some conversation with these salespeople who, hand to God, all genuinely think they work for Apple,” she wrote.

Chinese industrial and commercial authorities in Kunming started an inspection on all the city’s electronics stores. The inspection includes business licenses, authorised permits of brand use, and the purchase channel of each store.

Since the story broke, several fake or at least seriously questionable Apple stores have turned up from Croatia to Colombia, Burma to Venezuela, Slovenia to Spain, and in a dozen locations in China. You also must appreciate the hilarity of the fake Hard Rock Cafe in Ho Chi Minh City and the fake Hooters in Cancun.

I don’t think for a minute that Apple will let this one go.

SOPA-Ireland

Stop “Irish SOPA” Legislation

On 26-01-2012 junior Minister Sean Sherlock proposed an “Irish SOPA”. The proposed legal amendment, whose final wording has not been released, raises fears that courts could be given the right to hold intermediaries such as websites and ISPs to account for hosting any material that might infringe copyright. This could include most online services.

The proposed legal amendment is in response to an Irish High Court action held in 2010. The action was between EMI Records (Ireland), Sony Music Entertainment Ireland, Universal Music Ireland Limited, Warner Music Ireland Limited and WEA International Incorporated and UPC Communications Ireland Limited. The media companies sought an injunction against UPC as an Internet service provider, to prevent the theft of their copyright by third parties illegally downloading it over the Internet. Finding in favour of UPC, in his judgment, Mr Justice Peter Charleton held that laws seeking to identify and disconnect copyright infringers were not enforceable in Ireland, regardless of the record companies’ complaints.

The media companies’ strategy towards copyright theft seems a little like the Police prosecuting the National Roads Authority for assisting a thief who drove to and from the premises he stole from.

Just like the now possibly abandoned SOPA and PIPA legislation in the US, Minister Sherlock’s proposal, which has not been published at this point, could put the burden on website owners to police user-contributed material and call for the unnecessary blocking of entire sites. Small sites won’t have sufficient resources to defend themselves. Internet businesses based in Ireland, whether our own indigenous Irish companies or inward foreign investment corporations, could be closed down or discouraged from opening offices in Ireland. Sites might also be prevented from showing up in major search engines.

Consider signing the “Stop Internet Censorship. Stop SOPA in Ireland” petition here.

Stop SOPA | Stop PIPA

Stop Internet Piracy Act (SOPA) and the Protect IP Act (PIPA)

Many websites world-wide were blacked out on 18-Jan-2012 to protest proposed U.S. legislation that threatens internet freedom: the Stop Internet Piracy Act (SOPA) and the Protect IP Act (PIPA). From personal blogs to Wikipedia, sites all over the web — including this one — are asking you to help stop this dangerous legislation from being passed.

To learn how this legislation will affect internet freedom, check out Wikipedia.