Posts by Steven J. Murdoch

3 publicly visible posts • joined 10 Sep 2007

Paper clip attack skewers Chip and PIN

Steven J. Murdoch

Re: Standard Denials

Regarding "the researchers are using an old version of WordPress that was updated to fix a fairly critical security vulnerability"

I did apply the vendor fix when news of the flaw was announced, but the patch doesn't update the version number. Our WordPress install is not actually vulnerable, even though it apparently is an old version.

Tor at heart of embassy passwords leak

Steven J. Murdoch

Tor could be useful for embassy staff

"the use of third party proxy services which are not under control of the Security department is not permitted"

Actually, this could put staff at more risk than necessary. If I'm in an unfriendly country, logging into an embassy VPN would signal to anyone looking that I'm working for a foreign government. Whereas if I use Tor, it's not clear who I'm working for or what I'm doing. In certain situations, consular staff could find this very important for their safety and that of the people they meet.

Of course, Tor is not a silver bullet, and they need to be using end-to-end encryption as well. This fact has clearly been missed by their IT staff.

Steven J. Murdoch

Unencrypted traffic through Tor is bad, but sometimes better than no Tor

"Onion routing actually exacerbates the risk of packet sniffing"

Sometimes, but not always. Tor protects against local sniffing, but permits exit nodes to do so. Allowing either is pretty bad, but without using Tor it means that someone snooping the wireless or staff at the local ISP can read their email.

In the case of an embassy, local sniffing could be particularly bad as they are, by definition, in a foreign country. Someone sitting outside an Internet cafe, reading what goes past, could be very interested in foreign intelligence. Sending data through a random exit node is a risk, but in most cases they won't care about the traffic.

Clearly the solution is end-to-end encryption, and there's not much Tor can do about that. Whether Tor makes things better or worse is a complicated question and depends on the scenario. I discuss this more on my blog: http://www.lightbluetouchpaper.org/2007/09/10/embassy-email-accounts-breached-by-unencrypted-passwords/