I just want to take another opportunity to hawk the Signal SMS app. It’s a good client, it’s run by one of the smartest and seemingly nicest people in security today, and it’s funded as a nonprofit.
Why do I mention it? This is a little political, but it’s related to everyone’s privacy and security, so I’m going to chime in about this tidbit that came out this week:
According to a transparency report (PDF) released by the Office of the Director of National Intelligence, the agency got its hands on 534 million call and text records from telecommunications companies like AT&T and Verizon in 2017. That’s over three times the number (151 million) it collected in 2016, which was the first full year since new surveillance rules under the USA Freedom Act took effect.
This isn’t a bad bundle for $15, all told. I’d consider it a buy if you want to understand some of the underlying security and crypto concepts, but not if you’re looking for up-to-the-minute exploits or state-of-the-industry-type stuff.
For example: The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws, 2nd Edition is a book from 2011. A fair bit of it is still relevant, but six years is a long time. On the other hand, something like Cryptography Engineering: Design Principles and Practical Applications is going to be a solid foundational crypto book for a long time.
If you have zero certs or industry experience, the CEH isn’t the worst place in the world to start to get a beginning job, but it’s basically just a memorization test and the industry knows it.
Hardening SSH can be a challenge, but it’s critical to get done.
OpenSSH is the administrative tool of choice for any good Unix/Linux sysadmin, and every bad guy in the world knows it. There’s constant scanning going on looking for low-hanging fruit like misconfigured SSH services.
Continue reading “Hardening SSH With Configuration Changes”
If you’re reading this and you haven’t already installed Signal by the incredible Open Whisper Systems, go give it a try. One of the most seamless and painless ways to add security and privacy to your SMS life:
Signal for iOS
Signal for Android
I’ve got two pieces about the state of the modern crypto wars! The current dialogue is about the hash functions SHA-2 versus SHA-3. They also talk about some other competing functions like BLAKE and KangarooTwelve, but in the interest of sanity I’m going to stick to SHA-2 and SHA-3. These are both NIST-published standards, and NIST standards are generally the bar used by... well, everyone.
Continue reading “Crypto Wars”