* Posts by Richard Simpson

5 posts • joined 8 May 2007

Finding security bugs on the road to creating a verifiably secure TLS lib

Richard Simpson

Re: Mathematically correct code

Is this an issue in this case? Surely TLS execution time isn't a limiting factor in most internet transactions? Even if it ran at a fraction of the current speed, would that be a problem for most modern computers? Hmm, perhaps an issue at the server end. Presumably this scheme can't be extended into hardware crypto accelerators?

Also, forgive my ignorance, but I thought that TLS was primarily used to achieve a secure key exchange for a traditional cipher which is then used to exchange the actual data. I get the impression that this work isn't fiddling with the actual cipher code which will remain just as fast and/or buggy as now but I am ready to be corrected on this point.


Indie review of UK surveillance laws: As you were, GCHQ

Richard Simpson

Relatively good on Encryption

Having waded through quite a bit of the report, three paragraphs in particular seem pertinent to the encryption debate:

13.11 ...There may be all sorts of reasons – not least, secure encryption – why it is not physically possible to intercept a particular communication, or track a particular individual. But the power to do so needs to exist, even if it is only usable in cases where skill or trickery can provide a way around the obstacle. ...

13.12 ... Few now contend for a master key to all communications held by the state, for a requirement to hold data locally in unencrypted form, or for a guaranteed facility to insert back doors into any telecommunications system. Such tools threaten the integrity of our communications and of the internet itself. Far preferable, on any view, is a law-based system in which encryption keys are handed over (by service providers or by the users themselves) only after properly authorised requests.

13.13 ...there is a compelling public interest in being able to penetrate any channel of communication, however partially or sporadically. ... Hence the argument for permitting ingenious or intrusive techniques (such as bulk data analysis or Computer Network Exploitation) which may go some way towards enabling otherwise insuperable obstacles to be circumvented

So, he seems to be saying that encryption should not be legislated against (as now), laws should exist to force people to hand over keys (as now, but step forward perfect forward secrecy) and GCHQ should be allowed to try to break encryption (again, presumably as now).

Laws forcing password hand over remain troubling, particularly for those of us getting older and more forgetful, but they have two big flaws from GCHQ's point of view; (a) they are expensive to apply so can't be done on a massive scale and (b) the suspect then knows for certain that they are being investigated. Otherwise, it remains the case that we can try to make our systems more secure and GCHQ can expend effort and money trying to break in - Game On!

Of course, this is all just a report with no legal powers from a lawyer who can be replaced if he starts saying too many sensible things. It remains to be seen if May and Cameron take any notice of it!


Japan scores ballistic missile shootdown bullseye

Richard Simpson

ICBMs fly too high?

Hmm, perhaps I am missing something here, but surely ICBMs only fly high for part of their journey. Surely, they have to come down to lower altitudes at the end of their flight, otherwise, they won't do anything useful? Now, I don't doubt that shooting down ICBMs is more difficult, but perhaps it is because they go faster? After all, if they go higher up and they had a bigger rocket to start with then it seems logical that they will be going faster by the time they get near the ground.

This all reminds me of an article by George Orwell in which he mocks pre-WW2 newspaper articles explaining that there is no threat from German bombers because anti-aircraft defences would force them to fly too high. The idea presumably being that if you drop a bomb from high enough then it won't reach the ground :-)


Patent damages not refunded if EPO cancels patent

Richard Simpson

Just a statement of what we all know anyway.

So far as I can see, all the judge is saying is that it is OK for the legal system to be unjust, so long as that is good for business.

Surely it has been painfully obvious for years that this is their opinion, it's just that judges and politicians don't normally come right out and say so.


Student detained following attacks on Estonian websites

Richard Simpson

Some interesting points

1) There is a great deal of talk from Estonians about how Russians are invaders. That was certainly the case many years ago, but most Russians living there now were born there and in many cases so were their parents. I accept that many believe that people should be punished for the actions of their parents, grandparents etc. I am not one of them.

2) Most of the trouble in Tallinn has been caused by general purpose hooligans. The sort of people who in the UK would be rioting because their football team lost.

3) It is perhaps instructive to compare Estonia with Lithuania. They both have very similar 20th century histories, but everyone who was a permanent resident on the day that Lithuania gained independence became a citizen. The same is not true in Estonia where there are still a great number of stateless Russians.

4) Estonia gained independence in 1991, therefore, any Russian younger than their mid-thirties can't regret that they no longer run the country, since they never did.

5) Is Amnesty International prejudiced against Estonians? I don't know, but they certainly have plenty to say about their language laws (http://web.amnesty.org/library/Index/ENGEUR510012007?open&of=ENG-EST). In my non-legal opinion, Estonia is going to end up in front of the EU for breaching EU laws designed to protect linguistic minorities.

6) Very little known fact: Consider my wife's grandmother. She lives in Russia in the same cottage she was born in and speaks only Russian. She sounds like the sort of person that the Estonians would want nothing to do with doesn't she? But, between the two world wars, the bit of Russia where she lives was part of the first Estonian Republic. As a result of this, the Estonian government will give citizenship to her and any of her descendants. My wife's cousin doesn't speak a word of Estonian and apart from 2 short holidays has never set foot in the place, but because of her grandmother she now has an Estonian and thus EU passport. Meanwhile, many Russians who were born in Tallinn and have lived there all their lives, but also don't speak Estonian remain stateless. This seems a little inconsistent to me.