If you’ve been around the blog for a while, you know that I’m a big fan of the use of encryption for the sake of privacy.  I’ve ranted about PGP and S/MIME, tried to break steganography and complained about the privacy issues I face as a Gmail user.  This post is to let you know about a tool for securing your communication that is so simple to use, my mother uses it on a daily basis.  This tool is TextSecure from Open Whisper Systems.  Go install it right now.

It used to be that encrypting your communications required installing and learning a strong, user-proof tool like GnuPG or some random IM client with an OTR plugin.  Now that apps are the unit of software and users routinely install apps, it is a trivial thing to tell someone to install a new app.  It’s so easy that I’m only allowing two excuses for not securing your everyday instant messaging with TextSecure:

  1. You don’t use an Android smartphone or
  2. You don’t communicate with anyone over any sort of instant messaging.

That’s all.  Other excuses are invalid.  (When the iOS version is available, even fewer of you will have a valid excuse.)  Now go install it.


Trying OpenStack with DevStack


Many of my recent projects have been single-server web applications using TurboGears or Flask that consume a few other services. While I was thinking about challenges like scaling, it occurred to me that I should take a look at OpenStack. I hope this will give me a better idea of how the cloud (which I take for granted) works.

You can read the history of OpenStack if you’re so inclined.  Here is what matters: it is a set of cooperating services that can be used to build and scale applications.  It is an open-source counterpart to some of Amazon’s AWS offerings, and it powers the cloud services offered by Rackspace, HP, Red Hat and others.


What The x.509 Is Wrong With Gmail?

You don’t often stop to think about X.509 certificates and the Public Key Infrastructure
(PKI) that authenticates your Internet connections. Allow me to explain why you

Transport Layer Security (TLS) uses X.509 certificates to authenticate
connections. In your everyday use of the Internet, this means that when you
connect to a server over HTTPS (for example), it presents you with a
certificate. That certificate is the only reasonable means you have to verify the identity of a
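
As an added illustration (not code from the original post), here is one of the checks a TLS client performs on that certificate before trusting it: the certificate’s subjectAltName DNS entries must identify the host the client meant to reach, with the wildcard rules of RFC 6125 applied. The helper reads the dict shape that Python’s ssl.SSLSocket.getpeercert() returns. The certificate dict and hostnames below are constructed for the example, and the three-label minimum for wildcards is a conservative stand-in for the public-suffix list real clients consult.

```python
"""Hostname matching against a certificate's subjectAltName DNS entries.

Added illustration, not from the original post. The rules follow RFC 6125
section 6.4.3 for DNS-ID matching; all sample data here is constructed.
"""

# Constructed stand-in for what ssl.SSLSocket.getpeercert() returns.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}


def dns_names_from_peercert(cert: dict) -> list[str]:
    """Pull the DNS-ID entries out of a getpeercert()-style dict.

    Only subjectAltName is consulted; modern clients ignore the subject's
    commonName once a SAN extension is present.
    """
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(hostname: str, dns_names: list[str]) -> bool:
    """Return True if `hostname` is identified by one of the DNS-ID SANs.

    Rules applied:
      * comparison is case-insensitive and ignores a trailing dot on the host
      * a wildcard is honoured only as the entire left-most label
        ("*.example.com"); "f*o.example.com" and "*.*.example.com" are rejected
      * a wildcard matches exactly one label: never "a.b.example.com" and never
        the bare "example.com"
      * a wildcard pattern with fewer than three labels ("*.com") is rejected,
        a conservative stand-in for the public-suffix check real clients make
    """
    host = hostname.lower().rstrip(".")
    host_labels = host.split(".")
    if not host or "" in host_labels:
        return False

    for name in dns_names:
        pat = name.lower().rstrip(".")
        pat_labels = pat.split(".")
        if not pat or "" in pat_labels:
            continue

        if "*" not in pat:
            # Plain DNS-ID: exact, case-insensitive match of the whole name.
            if pat == host:
                return True
            continue

        # Wildcard DNS-ID.
        if pat_labels[0] != "*" or any("*" in label for label in pat_labels[1:]):
            continue  # wildcard is not the whole left-most label, or there are several
        if len(pat_labels) < 3:
            continue  # "*.com" would match every name under .com
        if len(host_labels) != len(pat_labels):
            continue  # the wildcard covers exactly one label
        if pat_labels[1:] == host_labels[1:]:
            return True

    return False


if __name__ == "__main__":
    names = dns_names_from_peercert(SAMPLE_PEERCERT)
    for host in ("www.example.com", "EXAMPLE.COM.", "mail.example.com"):
        verdict = "matches" if hostname_matches(host, names) else "NO MATCH"
        print(f"{host:20} -> {verdict}")
```

The wildcard rules are where real clients have historically gone wrong: a matcher that treats `*` as "any characters" lets `*.example.com` cover `a.b.example.com`, and one that accepts a wildcard anywhere in the name lets a certificate for `*.com` impersonate every site under that suffix. When you do this in a real client, leave it to the library (Python’s `ssl.create_default_context()` performs this check for you when `check_hostname` is left enabled) rather than hand-rolling it.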

Why does this matter? I’m glad you asked.


Target: Gmail


Your e-mail account is probably the most valuable online account you control.
The security of most of your other accounts depends on the security of your
e-mail account. (Think I’m wrong? Have you ever recovered a lost password?)
For this reason, it is worth considering how best to protect it.

I use Gmail for my personal e-mail. In this article, I’m going to discuss the
benefits and costs of letting Google manage my e-mail. Then I will focus on
how those benefits and costs affect the security of my personal communications.


Keeping E-mail Private (Revisited)

About a year ago, I wrote a post titled “Keeping E-mail Private”.  Thinking back over the last five months, my advice seems woefully inadequate.  To give the matter of private communications a more proper treatment, I’m going to write a series of articles on the security of communications systems.  I’m going to expand the scope beyond e-mail, though I’ll have to be picky so I’m not writing until the next century.  In this first article, I’ll be discussing threat modeling.  Later articles will delve into the threats posed by insecure protocols, trusted third parties and more.  Where possible, I’ll also discuss mitigation strategies so you don’t have to feel that the sky is falling (unless you want to).

Threat modeling is the tool that lets us decide which trade-offs we can make.  Sometimes we will give up security for the sake of convenience, and at other times we will give up convenience for the sake of better security.