Wednesday, May 28, 2014

Apple Fumbles Again:
Software Update Broken Because
Apple Neglected To Update SSL Certificate

--

This crisis has ended, but…

Oh, if only I was the security boss over at Apple these days, my guillotine would be rusty with blood. Fumbling Bumbling Buffoonery. Better not hire me Apple.

But I digress. Check out these articles over at MacRumors and MacWorld (which itself has had recent severe incidents of fumbling and bumbling) about Apple breaking their Software Update system by way of forgetting to update its SSL security certificate. This is pure idiocy by Apple. Idiocy.

Apple Forgets to Renew SSL Certificate, Breaking OS X Software Update

Apple neglects to renew SSL certificate, breaks Software Update in the process

Apple, do you have a higher priority than user security?

No you do not.

Get your act together please. This is a trend. It deserves loud computer community criticism.
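The failure mode in those two articles is an expired certificate that every client then rejects. The check that catches it before that happens, as an added example that is not from this post, from MacRumors or from Apple: compute days to the notAfter date of a certificate in the shape Python's getpeercert() returns, and alert well before it runs out. SAMPLE_CERT, its hostname and dates, and the 30-day warning window are constructed assumptions for this example, not Apple's certificate.

```python
"""Certificate-expiry monitoring of the kind that flags a certificate weeks
before clients start refusing it.

Added example, not code from the post or from Apple. SAMPLE_CERT is a
constructed dict in the shape ssl.SSLSocket.getpeercert() returns; the
hostname and dates are placeholders.
"""
import socket
import ssl
import time

WARN_DAYS = 30  # alert this many days before notAfter (assumed policy)

SAMPLE_CERT = {
    "subject": ((("commonName", "update.example.invalid"),),),
    "issuer": ((("commonName", "Example Intermediate CA"),),),
    "notBefore": "May 27 00:00:00 2013 GMT",
    "notAfter": "May 27 23:59:59 2014 GMT",
}


def parse_cert_time(cert_time):
    """Seconds since the epoch for a getpeercert()-style time string (UTC)."""
    return ssl.cert_time_to_seconds(cert_time)


def days_until_expiry(cert, now_epoch):
    """Signed number of days from `now_epoch` to the certificate's notAfter."""
    return (parse_cert_time(cert["notAfter"]) - now_epoch) / 86400.0


def assess(cert, now_epoch, warn_days=WARN_DAYS):
    """EXPIRED (clients already failing), WARN (renew now) or OK."""
    days = days_until_expiry(cert, now_epoch)
    if days < 0:
        return "EXPIRED"
    if days < warn_days:
        return "WARN"
    return "OK"


def check_host(host, port=443, warn_days=WARN_DAYS):
    """Live check against a real endpoint (not exercised offline).

    With the default context an already-expired leaf fails the handshake,
    which is what update clients see; report that distinctly from a
    certificate that merely approaches expiry.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return assess(tls.getpeercert(), time.time(), warn_days)
    except ssl.SSLCertVerificationError as err:
        return "HANDSHAKE_REJECTED: %s" % err.verify_message


if __name__ == "__main__":
    # Evaluate the constructed certificate at a few constructed dates.
    for when in ("Jan 01 00:00:00 2014 GMT", "May 01 00:00:00 2014 GMT",
                 "May 28 12:00:00 2014 GMT"):
        print(when, assess(SAMPLE_CERT, parse_cert_time(when)))
```

Run the assessment from a scheduled job against every public endpoint whose certificate you own, and page on WARN rather than on EXPIRED: by the time the handshake is rejected, the users have already noticed.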


--

Thursday, May 15, 2014

Invalid Apple PGP/GPG Key!
Is It Fake?
Or Is It A Blunder?

--

[Updated and solved at 3:22 pm. See the Addendum below.]

At 1:57 pm today, I received an email from 'Apple' entitled "APPLE-SA-2014-05-15-1 OS X Mavericks v10.9.3". 

The problem? It is signed with an INVALID PGP/GPG KEY. The public key in question is ID 0xEE3A8EED. No such key!

For those unfamiliar with PGP or GPG, a public key is part of a key exchange process which allows the recipient of an email to verify exactly who sent it. The sender has uploaded their public key to the public key server, which everyone uses for such exchanges. When they send an email, that public key is sent along in the email. The receiver can then verify exactly who sent the email by checking for the key on the key server.

Obviously, Apple uses public keys in order to allow you and me to know when an email message from them is real, as opposed to being FORGED by some crook or loon.

So what are we to make of an email from 'Apple' that has an INVALID KEY?!

The answer is: 
Assume it's a FAKE!

So Apple! Did you really send me this 10.9.3 announcement?
OR
Is this a fraud?!
OR
Is the Public Key Server messed up?

If Apple really did send me this email, and the server is working: OOPS! Apple pulled a HUGE BLUNDER!

I'm not going to share the email here in case it really is fraudulent. More later as my colleagues and I investigate this mysterious situation.


--

ADDENDUM: The Solution!

I beat Apple's key to the key server!

The key in question is NOW valid. There is no way to know when Apple uploaded this new key to the key server. But clearly, it was not being read out by the server at the time they sent their 10.9.3 announcement.

So the problem is, I have to assume, the PGP/GPG key server has a lag AND Apple delayed uploading their new key to the server until today. Their new key was created on May 2nd, would you believe. So that's apparently quite a delay between key creation and key upload to the server. I wish there was zero delay at the key server. How much is server lag contributing to the problem? I'm concerned enough to investigate that aspect further. I have networked with the GPG developer folks for years. Therefore, I'll attempt to chat with them about this situation.
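The verification process described at the top of this post, and the "key not on the server yet" outcome the addendum explains, as an added example that is not from this post, from GnuPG or from Apple: a small triage of the machine-readable output of `gpg --status-fd 1 --verify`, which distinguishes a signature that fails (reject) from a signature whose key simply is not available yet (hold and re-check once the key is fetched). The status lines are constructed to mirror gpg's keywords; the long key id 0000000000EE3A8EED and the user id are placeholders built around the short id 0xEE3A8EED named above, and the keyserver and keyring are stand-in sets, not a real server.

```python
"""Triage of gpg's machine-readable verify output, for the case the post hit:
a signature whose public key is not (yet) available.

Added example, not code from the post or from GnuPG/Apple. The status lines
below are constructed to mirror what `gpg --status-fd 1 --verify msg.asc`
emits; the long key id and the user id are placeholders.
"""

# Constructed status output: the local keyring has no key for the signer.
# In ERRSIG, rc 9 is libgpg-error's NO_PUBKEY.
STATUS_KEY_MISSING = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0000000000EE3A8EED 1 2 00 1400178000 9 -
[GNUPG:] NO_PUBKEY 0000000000EE3A8EED
"""

# Constructed status output: signature checks out, but the key carries no trust.
STATUS_GOOD_UNTRUSTED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000EE3A8EED Placeholder Signer <placeholder@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2014-05-15 1400178000 0 4 0 1 2 00 0000000000000000000000000000000000000000
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed status output: key present, signature does not match the content.
STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0000000000EE3A8EED Placeholder Signer <placeholder@example.invalid>
"""


def triage(status_text):
    """Map gpg status keywords to a verdict and the short key id involved.

    REJECT: content or signature altered (BADSIG).
    UNVERIFIABLE: nothing can be concluded yet (NO_PUBKEY, or no result at all).
    VERIFIED / GOOD_SIG_UNTRUSTED_KEY: good signature, split by key trust.
    """
    key_id = None
    seen = set()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split()
        keyword = parts[1]
        seen.add(keyword)
        if keyword in ("GOODSIG", "BADSIG", "ERRSIG", "NO_PUBKEY") and len(parts) > 2:
            key_id = parts[2][-8:].upper()  # short id, e.g. EE3A8EED
    if "BADSIG" in seen:
        return "REJECT", key_id
    if "NO_PUBKEY" in seen:
        return "UNVERIFIABLE", key_id
    if "GOODSIG" in seen and "VALIDSIG" in seen:
        if seen & {"TRUST_FULLY", "TRUST_ULTIMATE"}:
            return "VERIFIED", key_id
        return "GOOD_SIG_UNTRUSTED_KEY", key_id
    return "UNVERIFIABLE", key_id


def resolve(status_text, keyserver, local_keyring):
    """Decide what to do with an UNVERIFIABLE result.

    `keyserver` and `local_keyring` are sets of short key ids standing in for
    `gpg --recv-keys` against a real server and for the local keyring
    (assumption of this example). A key the server does not have yet is the
    post's situation: hold the message, treat it neither as authentic nor as
    proven fake, and re-verify once the key is published.
    """
    verdict, key_id = triage(status_text)
    if verdict != "UNVERIFIABLE" or key_id is None:
        return verdict
    if key_id in local_keyring:
        return "RETRY_VERIFY"
    if key_id in keyserver:
        local_keyring.add(key_id)  # fetched; the caller runs gpg --verify again
        return "KEY_FETCHED_RETRY_VERIFY"
    return "HOLD_KEY_NOT_PUBLISHED"


if __name__ == "__main__":
    print(triage(STATUS_KEY_MISSING))
    print(resolve(STATUS_KEY_MISSING, keyserver=set(), local_keyring=set()))
    print(resolve(STATUS_KEY_MISSING, keyserver={"EE3A8EED"}, local_keyring=set()))
```

The distinction the triage draws is the one this post turned on: NO_PUBKEY says nothing about whether the mail is forged, only that verification cannot happen yet, whereas BADSIG is a real mismatch. Note also that even a good signature from a key with no trust path (TRUST_UNDEFINED) only proves the mail was signed by whoever holds that key, not that the key belongs to Apple; that link still has to be checked against a fingerprint obtained out of band.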

CONCLUSION: Case Closed!

--

Sunday, May 4, 2014

Privacy Badger:
EFF Attacks 'Do Not Track' Deniers

--

Lately, I've been bashing away at all the applications and add-ons that seek and destroy Evercookies, those evil code danglers our web browsers leave exposed to the world, allowing nefarious marketing morons (vs marketing mavens) and #MyStupidGovernment to TRACK us wherever we go and whatever we do on the Internet. 

I for one condemn our surveilling overlords.

One fun browser add-on that just hit my radar is Privacy Badger, from my pals at EFF, the Electronic Frontier Foundation. It's currently in alpha testing, which means it's guaranteed to be broken and annoying. But I think it's going to be fun to test it out.

There is one big fat problem at the moment: 
Privacy Badger is Apple Safari illiterate, and so apparently are its developers. That's really bad IMHO. So let's nag EFF to figure out how to make the two compatible. Or as EFF put it: 
If you have an idea for how to make Privacy Badger work for Safari…, please let us know!
Here's the Privacy Badger page at EFF:

https://www.eff.org/privacybadger

Here's an article about Privacy Badger and its hope for the future:

Watch out, Yahoo! EFF looses BADGER on sites that ignore Do Not Track
Browser plugin nudges companies toward compliance

Me: I'll be trying out Privacy Badger on Firefox. Yes I know, Firefox for OS X can be an awful PITA to use, ruining web page rendering, requiring frequent cache dumps and page reloads. But it does have some lovely tools for wrestling the dark side of the Internet into total submission. I like that.

(I recently dumped Chromium as I am sick of it nagging me to log into Google every time I run the thing. I now consider Chromium to be 'nagware', which I never abide).

Some day in the future I'll be comparing the two prominent cookie control applications as well as the safe and reliable browser add-ons that kill tracking cookies dead. I also have this great idea for a new add-on for all web browsers that sends a header to all tracking websites that says "HA HA! YOU CAN'T TRACK ME!" What a glorious day that would be.
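What an add-on like Privacy Badger actually has to decide, as an added example that is neither Privacy Badger's code nor the EFF's: which third-party domains are following you across sites, and what to send them. The browsing log is constructed; the rule "a third party that sets cookies on three or more distinct sites is a tracker" and the two-label base-domain rule are assumptions made for this example (a real implementation consults the Public Suffix List), and the DNT: 1 header is the standard Do Not Track signal the article above refers to.

```python
"""Cross-site tracker detection plus the Do Not Track header, in the spirit
of Privacy Badger.

Added example, not Privacy Badger's own code nor the EFF's. The browsing log
is constructed; the threshold of 3 sites and the two-label base-domain rule
are assumptions of this example.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed log: (page being visited, sub-request URL, did the response set a cookie?)
SAMPLE_LOG = [
    ("https://news.example/front", "https://ads.tracker.example/pixel.gif", True),
    ("https://shop.example/cart", "https://ads.tracker.example/pixel.gif", True),
    ("https://blog.example/post/1", "https://ads.tracker.example/px", True),
    ("https://news.example/front", "https://cdn.static.example/lib.js", False),
    ("https://shop.example/cart", "https://cdn.static.example/lib.js", False),
    ("https://blog.example/post/1", "https://cdn.static.example/lib.js", False),
    ("https://news.example/front", "https://widgets.news.example/w.js", True),
    ("https://shop.example/cart", "https://beacon.example/b", True),
]


def base_domain(host):
    """Crude eTLD+1: keep the last two labels (assumption; not PSL-aware)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_trackers(log, threshold=3):
    """Third-party base domains that set cookies on >= threshold distinct sites.

    A CDN that sets no cookie stores no state and is ignored; a subdomain of
    the site being visited is first party and is ignored too.
    """
    sites_by_third_party = defaultdict(set)
    for page_url, request_url, sets_cookie in log:
        page = base_domain(urlsplit(page_url).hostname)
        third = base_domain(urlsplit(request_url).hostname)
        if page == third or not sets_cookie:
            continue
        sites_by_third_party[third].add(page)
    return sorted(d for d, sites in sites_by_third_party.items()
                  if len(sites) >= threshold)


def outbound_policy(request_url, trackers):
    """Headers and a blocking decision for one sub-request.

    Always send DNT: 1; for a domain already judged a tracker, block the
    request outright so no cookie reaches it. Returns (headers, blocked).
    """
    headers = {"DNT": "1"}
    host = urlsplit(request_url).hostname or ""
    blocked = base_domain(host) in set(trackers)
    return headers, blocked


if __name__ == "__main__":
    trackers = find_trackers(SAMPLE_LOG)
    print("trackers:", trackers)
    for _, url, _ in SAMPLE_LOG[:4]:
        print(url, outbound_policy(url, trackers))
```

The heuristic needs no blocklist: a domain earns blocking purely by its observed behaviour, which is also why a tracker that honours DNT and stops setting cookies drops out of the list on its own.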

In case you didn't know: Privacy is a natural human right. Here in the USA, we have the Fourth Amendment to the US Constitution that spells it out quite elegantly and simply. But as we all now know, #MyStupidGovernment enjoys pretending the US Constitution doesn't even exist. That's a bad thing.

Total end-to-end encryption of everything on the Internet is now the goal. #MyStupidGovernment brought it on themselves.
--
For reference purposes:

The Fourth Amendment to the US Constitution:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Some relevant quotes:
They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.
- Benjamin Franklin, Historical Review of Pennsylvania, 1759
To announce that there must be no criticism of the president, or that we are to stand by the president, right or wrong, is not only unpatriotic and servile, but is morally treasonable to the American public.
- Theodore Roosevelt - Kansas City Star, 7 May 1918
--