Apple Suspects Hardware Espionage

From 9to5Mac:

At least part of the driver for this is to ensure that the servers are secure. Apple has long suspected that servers it ordered from the traditional supply chain were intercepted during shipping, with additional chips and firmware added to them by unknown third parties in order to make them vulnerable to infiltration, according to a person familiar with the matter. At one point, Apple even assigned people to take photographs of motherboards and annotate the function of each chip, explaining why it was supposed to be there. Building its own servers with motherboards it designed would be the most surefire way for Apple to prevent unauthorized snooping via extra chips.

I can’t say this is terribly surprising. There’s been reports of this sort of thing happening to Cisco hardware among others.

Google Giving Preference To SSL

Looks like I beat this one by a few months. SSL is now a ranking signal for Google. I switched this and a few other sites over to SSL a few months ago, while enabling SPDY and a few other things I’m playing around with. So far this has been pretty painless and actually simplified a few things. Doing this at scale with legacy infrastructure and 3rd parties however is a whole different ballgame. It will take a while for this switch to happen for bigger players not already on board.

Heartbleed and OpenSSL

Heartbleed

Heartbleed is a pretty nasty security bug. Thankfully it can be fixed by a quick package update (unless you’re mod_spdy among other culprits (this one got me briefly). Then for good measure revoke certs and reissue to make sure nothing is left to chance. Need to make sure everything built on OpenSSL is not impacted.

While at it, I made a few tweaks to SSL configurations to hopefully let more traffic us Forward Secrecy which is a step forward.

What’s disappointing is that security researchers rather than let vendors have a few days to update and push fixes decided to get a domain name and spiffy graphic then 0 day the internet. Not terribly professional.

Slowly Moving The Web To HTTPS

The EFF has a pretty good post on the move to make HTTPS closer to the new normal on the web. It’s hardly normal yet, but it’s improving. Already some of the bigger sites on the internet like Google, Facebook and Twitter are serving up HTTPS for almost everything. They do it for security as well as performance (SPDY).

In the longer run (few years from now) I wouldn’t be surprised if the majority of web traffic starts moving over HTTPS. This will not be well accepted by many institutions including all governments, but it’s certainly better for people, especially those in nations who restrict speech and rights the most. We’ll also see a lot of legislation to only use encryption methods with known vulnerabilities and back doors. I wouldn’t even be surprised if some countries try and break the web by using alternate means of encryption similar to what South Korea did years ago. Obviously fighting this is going to prove important.

QR Codes Compromised By Stickers

QR CodeCriminals have realized that QR codes are not human readable and are taking advantage. Shocking isn’t it? From The Register:

Cybercrooks are putting up stickers featuring URLs embedded in Quick Response codes (QR codes) as a trick designed to drive traffic to dodgy sites.

It’s extremely simple to print out a sticker pointing to a bogus URL and put it on an existing billboard in a public place. A casual user simply uses the QR code and instead of going to the intended location they go to a malicious website. Of course we could require SSL for QR codes so there’s some overhead in creating them (you need an SSL cert), but that still wouldn’t fix the problem correctly.

Humans need to be able to understand their own decision making process. A human pointing at a QR code is a human making a decision to do the unknown. That’s the problem. You can’t combine “decision” and “unknown” and reliably have a good outcome.

Facebook Going HTTPS

Apparently HTTPS is going to be standard for all Facebook users:

As announced last year, we are moving to HTTPS for all users. This week, we’re starting to roll out HTTPS for all North America users and will be soon rolling out to the rest of the world.

Great move, I’m glad they are finally getting to that point. Performance should improve over time as it appears they are on board with SPDY. I think that this will benefit them in the long run. Users win the day it rolls out.

Silent Circle Finally Bringing Security To Mobile?

Silent Circle is a pretty interesting sounding app:

It’s a model for the nested cryptography of Silent Circle. The “safe room” is the iPhone processor, where all the encryption happens. By the time your text leaves the phone, it’s been completely encrypted, unrecoverable without the key. To keep the key safe, Silent Circle uses the ZRTP protocol, a dance of data drops and verifications that’s every bit as intricate as the Southern Command’s network of swipes and codes. At the end of each call, the keys are erased, so nothing can be decrypted after the fact.

This sounds like security done right. Why this is newsworthy in 2012 is what saddens me. This should be the standard, not the exception. Regardless, kudos to these folks for shedding light on what so many others are doing wrong.

Chrome Enables Do-Not-Track

Chrome finally added Do-Not-Track (DNT) to Chromium. They are the last major browser to complete implementation and start giving users a choice in terms of their preference to tracking.

DNT isn’t a perfect solution as it has no enforcement. Regardless it’s a step in the right direction and empowers ad networks to respect users privacy preferences, something that in the past was difficult even for those willing to do so. It won’t solve the problem, but it helps and has a low barrier to entry. That’s a good thing.

Wikipedia’s Jimmy Wales Threatens To Encrypt Wikipedia

Wikipedia’s Jimmy Wales threatened to encrypt traffic to the UK if new tracking laws are implemented:

But if we find that UK ISPs are mandated to keep track of every single web page that you read on Wikipedia, I’m almost certain – err, I shouldn’t speak for our technical staff – we would immediately move to a default of encrypting all our connections in the UK.

Truthfully, we’re going that way anyway. It’s only a matter of time before all websites will be moving to HTTPS for the sake of implementing SPDY or whatever succeeds it. I don’t see a non-secure standard taking hold any longer. Security is no longer considered a bonus, it’s a requirement. Facebook does it by default now, Twitter does it by default now, WordPress.com does it by default now (for SPDY). It’s not just personal communications. Lots of non-personal data is going over HTTPS now. The trend will keep accelerating. It’s no longer as cost prohibitive to implement. Don’t be shocked if this entire blog is HTTPS only in the not too distant future.