Security Link Rodeo: Silk Road, the Patriot Act, Alan Turing, and Your Passwords

The man behind the Silk Road, Ross Ulbricht, received a life sentence after being convicted of money laundering and drug trafficking. It’s estimated that he made around $18 million on the website, which ran as a hidden service on the Tor network. Some of the Silk Road’s operators argue that it was a haven for libertarian philosophy, but does that really excuse the amount of damage they enabled? The Economist notes that since the Silk Road fell, illegal drug sales on the Internet have doubled.

A Look Back on the History of Cryptography

In May, I taught a class on the History of Cryptography at Portland Underground Grad School. I’m extremely grateful to PUGS for asking me to teach, because I’d never done it before. It was a great experience. My students were intelligent and the discussion was good. I learned quite a few things in the process.

Security Link Rodeo: The Patriot Act, Logjam, and Hacked Websites

Kind of good news: Senators Ron Wyden and Rand Paul teamed up to block the Patriot Act extension. It’s going to expire on June 1st unless another vote is called on the 31st. The USA Freedom Act (which I think is good?) unfortunately didn’t make it through the Senate, either.

Regarding the Logjam vulnerability that I mentioned last week: the server-side fix is to drop the export-grade (512-bit) DHE cipher suites and to generate your own Diffie-Hellman group of at least 2048 bits, rather than relying on the default 1024-bit groups that many servers share and that are therefore worth an attacker’s precomputation effort. If you’ve got a cloud server and you’re generating new Diffie-Hellman parameters, make sure you’ve got good random numbers! A freshly booted virtual machine often starts with a nearly empty kernel entropy pool, and while the group itself does not need to be secret, the per-connection private exponents drawn from that pool must be unpredictable. Digital Ocean has advice on generating sufficient random data on cloud servers. The short version is that you should be running haveged on all of your servers (and if your hypervisor exposes a virtio-rng device, let the kernel use that too).
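As an added example (not code from the original post, from Digital Ocean’s guide, or from OpenSSL), here is a stdlib-only Python check you can run on the PEM file that `openssl dhparam` writes, to confirm that the group really is the size you asked for, that p is a safe prime, and that the generator is in range. The PEM/DER encoder is included only so the script runs offline; the toy group p = 23, g = 5 at the bottom is a constructed value, and in practice you would pass the path of your real dhparam.pem.

```python
"""Sanity-check a Diffie-Hellman group (the PKCS#3 DHParameter structure that
`openssl dhparam` writes as a PEM file) before deploying it after Logjam.

Added example, not code from the original post or from Digital Ocean's guide.
Stdlib only. The toy group at the bottom is constructed for illustration."""
import base64
import sys

PEM_HEADER = "-----BEGIN DH PARAMETERS-----"
PEM_FOOTER = "-----END DH PARAMETERS-----"
MIN_BITS = 2048  # Logjam: 512-bit export groups fall at once, 1024-bit ones are within reach

# Miller-Rabin bases: deterministic for n < 3.3e24, probabilistic (error <= 4**-12) beyond.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _der_len(n):
    """DER length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value):
    """DER INTEGER for a non-negative value; the sizing keeps the sign bit clear."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def encode_dh_params(p, g):
    """PEM-encode DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }."""
    seq = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(seq)) + seq).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def parse_dh_params(pem):
    """Return (p, g) from a PEM 'DH PARAMETERS' block; the optional
    privateValueLength field, if present, is ignored."""
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    tag, seq, _ = _read_tlv(base64.b64decode(body), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p, INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def is_probable_prime(n):
    """Trial division by the small bases, then Miller-Rabin with those bases."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dh_params(pem, min_bits=MIN_BITS):
    """Report the group size and every reason it should not be deployed."""
    p, g = parse_dh_params(pem)
    bits, problems = p.bit_length(), []
    if bits < min_bits:
        problems.append("p is only %d bits; use at least %d" % (bits, min_bits))
    if not is_probable_prime(p):
        problems.append("p is not prime")
    elif not is_probable_prime((p - 1) // 2):
        problems.append("p is not a safe prime ((p-1)/2 is composite)")
    if not 1 < g < p - 1:
        problems.append("generator g is out of range")
    return {"bits": bits, "generator": g, "problems": problems}


# Constructed toy group (p = 23 is a safe prime, g = 5); real input is your dhparam.pem.
TOY_PEM = encode_dh_params(23, 5)

if __name__ == "__main__":
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else TOY_PEM
    print(check_dh_params(pem))
```

Run it as `python check_dh.py /etc/ssl/dhparam.pem`; an empty `problems` list is what you want before pointing your web server’s DH parameter setting at the file. The primality test is a sanity check, not a proof: it will catch a truncated or hand-edited file, but you still want `openssl dhparam -check` as the authoritative verdict.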


Good, solid SSL

I’m in the middle of some major migrations and upgrades on the Arnesonium servers. So far, the results have been positive. For instance, the SSL/TLS configuration on my webserver is finally awesome. I’ve also got MaxCDN configured properly, so the entire website is now served via SSL/TLS only!

Here’s what the Qualys SSL Labs checker had to say:

[Screenshot: Qualys SSL Labs report, 2015-05-23]

Security Link Rodeo

My four-week History of Cryptography class at Portland Underground Grad School is almost over. While I’ve had plenty of experience with speaking to audiences about difficult subjects, this has been my first time with an ongoing class. I think I’m learning as much as my students! Because this class has helped rekindle my passion for cryptography and computer security, this link rodeo is going to focus on those subjects.

New Release of OpenPGP for WordPress

Version 1.3.0 of the OpenPGP Form Encryption for WordPress plugin is now available. It’s important to upgrade. It includes the following changes.

  • Updates OpenPGP.js to version 1.0.1
  • Tests the plugin against WordPress 4.2.2
  • Ensures that the browser can support OpenPGP.js

There are a few new features planned for this plugin. Expect a major version release in the next few months.

Check out the plugin page on the WordPress Plugin Repository.

Should WordPress Encrypt All Email?

WordPress sends out emails sometimes, and it doesn’t encrypt any of them by default. “Integration of WordPress and OpenPGP for a better security” is a case study by Paweł Bulwan that examines the security implications of all of these emails. Are they leaking important information? Should WordPress site owners worry about them?

OpenPGP.js and WordPress

Near the end of November, I began fiddling with OpenPGP.js and building a WordPress plugin. My goal is to create a method by which visitors can encrypt messages to me on my Contact page using my public key.

I finished up a pretty simple little plugin. You can view the details here or head straight to the GitHub project page.

However, when I finished earlier this week and decided to submit it to the WordPress Plugin Directory, I found that somebody had beaten me to it by almost a month. I’ve taken a look at the code and it looks pretty good. You can check out my plugin, which was published as OpenPGP Form Encryption for WordPress, and you can check out the other guy’s plugin, PGP Contact plugin.

OpenPGP is even more secure than an Enigma machine.