Archive for October, 2009

Misogyny online

October 9, 2009

I just read the following post.  (Warning: it talks about violence toward women.) (Go ahead, read it, I’ll wait.)

http://geekfeminism.org/2009/10/08/psa-mikeeusas-hate-speech-and-harassment/

and holy FUCK am I pissed off.  How can someone, anyone, be so misogynistic… so vile… so repugnant?  Especially in the geek / OSS community where we’re supposed to be somewhat more intelligent and understanding than average (/b/ notwithstanding.)

Ok, Johnny, take a hit of kind bud… calm down.   I’M  STILL REALLY PISSED!!  OK, maybe a cig will help… BRB…

OK, I think that’s the first time I’ve ever used all caps.  Now, I know that women, online or off, have to put up with a lot of bullshit.  I know that people are often assholes when they’re hiding behind their computer.  Hell, I can be as abrasive as anyone.  And I doubt anyone will hold me up as a paragon of feminism, with my constant references to porn stars and what not.  Sexism is a gray area; even self-described feminists differ on what constitutes it.

But threatening to kill women in general, sending threats to specific individuals, encouraging others to kill them, extolling the virtues of raping tweens….  That. Is. Not. Cool.  That is, in fact, the behavior of a sociopath.  In fact, it’s hard to believe this guy is not in jail yet.  What bugs me the most is that this is not happening in some right-wing nutjob forum, or /b/, or Yahoo! discussions, where one expects to find the lowest common denominator spouting crap, but in technical and professional forums.  Sure, these forums often serve as social venues, flames wars can get pretty vitriolic, and geeks are known for having strong opinions on just about every subject.  But this… this is not okay.  (OK, that’s not what bothers me most; what bothers me most is Fucking Death Threats!  Against members of our community!)

So here’s my suggestion: every time this motherfucker shows up, someone tweet it and everyone retweet it.  Then every person out there with a thread of moral fiber, get on whatever forum and tear this guy a new one.  Let him know that he is not part of our community, he is not welcome, no one agrees with him.  In this case, ignoring the troll obviously isn’t going to make him go away.  “If the answer isn’t violence, neither is it silence!”  Record his IP.  If he uses Tor, temporarily block Tor from your site – I bet he won’t be able to resist coming back.  Infect his browser.  Gather information on him.  Scan his machine.  Find out who he is.  Pass information to LEOs.  Ruin his credit.  Prank his phone.  Drown out his voice, hopefully forever.

Finally, a big shout out to all the women and girls who are part of the community.  Most of us guy geeks want you here.  We *like* girls who can point out errors in our code.  The community, indeed the software itself, is better and more interesting with you involved in it.  Kudos for speaking up about this asshole and sticking in there.

Whew.

Defeating SSL, part deux

October 5, 2009

A commenter on my post re: public key crypto made the accurate observation that given a properly implemented PKI with out-of-band key exchange, SSL *is* secure.  I can’t argue with that.  My point, which I don’t think I made well, is that there are so many places where the implementation can go wrong that the chance of being vulnerable to at least one of them is unacceptably high today.  I’ve outlined some threat models here.

First, a refresher on how SSL works and the PKI behind it.  When your browser connects to an SSL-enabled web site, the site sends its certificate: its public key and its hostname, signed by a Certificate Authority.  Your browser checks that signature using the CA’s public key, which was (normally) shipped with the browser when you installed it.  If the signature verifies, the certificate was signed by the CA’s private key; after also checking that the name in the certificate matches the host you asked for and that it hasn’t expired, the browser trusts that the public key the web site is handing you really belongs to that site.  Everything else SSL gives you (encryption, integrity) rests on that one decision.

First:  For this to work, you have to trust the device (PC, tablet, phone) you’re working on.  Are you really that sure that every device you run SSL from has not been compromised?  There are exploits – many of them remote – for every OS, every phone, most other common devices.  A compromised endpoint sees your data before it is encrypted and after it is decrypted, so the strength of SSL itself never even comes into play.

Second: Do you trust the browser?  When we say that there’s an out-of-band key exchange, what we really mean is that the public key of the CA was preinstalled in your browser.  Thus, you have to be absolutely sure your browser was not tampered with.  When was the last time you double checked that your Firefox update was downloading from a properly certified SSL site?  Did you check an MD5 hash or PGP signature?  (And note that a hash published on the same page as the download proves nothing against someone who controls that connection; only a signature checked against a key you got some other way does.)  How about your plugins?  And wait: how about all those desktop or iPhone apps that use https to communicate?  Do you trust them as much as you trust IE or Firefox?

Third: Do you trust *every* CA in the list?  There are a lot of them these days!  Should you trust them just because the makers of IE or Firefox or Opera trust them?  How rigorously do the CAs themselves check the certs they issue?  Remember that any CA in that list can sign a certificate for any hostname, and your browser will accept it without complaint, so the whole system is only as strong as the sloppiest CA in the list.
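To make the refresher above and this CA-list point concrete, here is an added example (my own code, not anything from the original post or from any browser) of the check a browser performs on a site’s certificate.  It constructs two throwaway root CAs in memory, has each of them issue a certificate for the same made-up hostname, and shows that which leaf the “browser” accepts depends only on which roots are in its trust store.  Everything here is constructed: the CA names, the hostname, the validity window.  It needs the third-party `cryptography` package.

```python
"""Added example, not code from the original post: the check a browser runs on a
site's certificate, against two throwaway CAs constructed in memory (all names
are made up). Needs the third-party 'cryptography' package."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

NOT_BEFORE = datetime.datetime(2009, 10, 5)  # assumed validity window
NOT_AFTER = NOT_BEFORE + datetime.timedelta(days=365)


def _builder(subject, issuer, public_key):
    """Common fields of every constructed certificate."""
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject)]))
        .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer)]))
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOT_BEFORE)
        .not_valid_after(NOT_AFTER)
    )


def make_ca(common_name):
    """(private key, self-signed root cert): what sits in a browser's CA list."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (
        _builder(common_name, common_name, key.public_key())
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_leaf(ca_key, ca_name, hostname):
    """A CA signs a server certificate binding `hostname` to a fresh server key."""
    server_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return (
        _builder(hostname, ca_name, server_key.public_key())
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )


def signed_by(cert, ca_cert):
    """The PKI step itself: does the CA's public key verify the signature
    over the certificate body (the 'to be signed' bytes)?"""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def names_in(cert):
    """Hostnames the certificate claims (its SubjectAlternativeName entries)."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return []
    return ext.value.get_values_for_type(x509.DNSName)


def browser_accepts(cert, trust_store, hostname):
    """Name of the trusted root that vouches for `cert` for `hostname`, or None.
    Real browsers also check validity dates, chain constraints and revocation;
    those are left out here."""
    if hostname not in names_in(cert):
        return None
    for ca_cert in trust_store:
        if signed_by(cert, ca_cert):
            return ca_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return None


def demo():
    """Constructed scenario: an honest root and a rogue root both issue a
    certificate for the same hostname; only the trust store decides."""
    honest_key, honest_ca = make_ca("Honest Root CA")
    rogue_key, rogue_ca = make_ca("Rogue Root CA")
    real_leaf = issue_leaf(honest_key, "Honest Root CA", "bank.example")
    fake_leaf = issue_leaf(rogue_key, "Rogue Root CA", "bank.example")
    return {
        "real leaf, honest root trusted": browser_accepts(real_leaf, [honest_ca], "bank.example"),
        "fake leaf, honest root trusted": browser_accepts(fake_leaf, [honest_ca], "bank.example"),
        "fake leaf, rogue root also trusted": browser_accepts(fake_leaf, [honest_ca, rogue_ca], "bank.example"),
        "real leaf, wrong hostname": browser_accepts(real_leaf, [honest_ca], "evil.example"),
    }
```

Run `demo()` and look at the third entry: nothing about the fake certificate is cryptographically wrong, it verifies perfectly, and the only reason it is rejected in the second case and accepted in the third is whether “Rogue Root CA” happens to be in the list.  That list is the out-of-band key exchange, and it is exactly as trustworthy as its weakest member.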

Fourth: Is every user going to pay attention to warnings about SSL?  OK, it’s hard to miss the ones in Firefox these days, but what about all those other apps?

Finally, will anyone even notice if they are not using SSL at all?  Because if they don’t, there’s a very good chance an SSLstrip-style man in the middle can quietly serve them a plain-HTTP copy of the site: it keeps the real https session with the server itself, rewrites every https link and redirect it relays to the victim into http, and the user never gets a certificate warning because there is no certificate to warn about.
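An added example of that last point, written for this post and not taken from the sslstrip tool itself: the rewriting step an SSL-stripping man in the middle applies to a response, beside the check that would catch the result (a form that will submit a password without SSL).  The login page, hostname and headers are constructed; the only library code is the standard library.

```python
"""Added example, not from the original post or from the sslstrip tool: the
rewriting an SSL-stripping man in the middle does to a response, and a check
for the result. The page and headers below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed: what the real server sends over https.
LOGIN_PAGE = """<html><body>
<a href="https://bank.example/login">Log in</a>
<form action="https://bank.example/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<form action="/search" method="get"><input name="q"></form>
</body></html>"""


def strip_ssl(headers, body):
    """Attacker side. The MitM holds the https session with the real server
    and relays a plain-http copy to the victim: every https:// reference in
    the body and in a redirect becomes http://, so the browser never asks
    for SSL and never has a certificate to complain about."""
    rewritten = dict(headers)
    if "Location" in rewritten:
        rewritten["Location"] = rewritten["Location"].replace("https://", "http://")
    return rewritten, body.replace("https://", "http://")


class _FormScanner(HTMLParser):
    """Collect each form's action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = [attrs.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_password_forms(page_url, body):
    """Defender side: absolute action URLs of forms that would submit a
    password without SSL. Relative actions inherit the page's scheme, which
    is exactly why a stripped page sends credentials in the clear."""
    scanner = _FormScanner()
    scanner.feed(body)
    targets = [urljoin(page_url, action) for action, has_pw in scanner.forms if has_pw]
    return [t for t in targets if urlsplit(t).scheme != "https"]


def demo():
    """The same constructed page before and after stripping."""
    headers = {"Content-Type": "text/html", "Location": "https://bank.example/login"}
    stripped_headers, stripped_body = strip_ssl(headers, LOGIN_PAGE)
    return {
        "original": insecure_password_forms("https://bank.example/login", LOGIN_PAGE),
        "stripped": insecure_password_forms("http://bank.example/login", stripped_body),
        "redirect": stripped_headers["Location"],
    }
```

Nothing in the stripped page looks broken to the user: the login form still works, because the attacker forwards the credentials over its own https connection to the real site.  The only visible difference is the scheme in the address bar, which is why “will anyone even notice” is the right question.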

So to me, it looks like the risk of any one of these failing is fairly small.  But the risk that at least one of them fails is much, much higher.  Combine this with how easy MitM attacks have become on wireless networks and SSL doesn’t seem like such a strong protection to bet your bank account on.