Monthly Archives: April 2014

Lavaboom builds encrypted webmail service to resist snooping

Posted on by

A new webmail service called Lavaboom promises to provide easy-to-use email encryption without ever learning its users private encryption keys or message contents.

Lavaboom, based in Germany and founded by Felix Mller-Irion, is named after Lavabit, the now defunct encrypted email provider believed to have been used by former NSA contractor Edward Snowden. Lavabit decided to shut down its operations in August in response to a U.S. government request for its SSL private key that would have allowed the government to decrypt all user emails.

Lavaboom designed its system for end-to-end encryption, meaning that only users will be in possession of the secret keys needed to decrypt the messages they receive from others. The service will only act as a carrier for already encrypted emails.

Lavaboom calls this feature zero-knowledge privacy and implemented it in a way that allows emails to be encrypted and decrypted locally using JavaScript code inside users browsers instead of its own servers.

The goal of this implementation is to protect against upstream interception of email traffic as it travels over the Internet and to prevent Lavaboom to produce plaintext emails or encryption keys if the government requests them. While this would protect against some passive data collection efforts by intelligence agencies like the NSA, it probably wont protect against other attack techniques and exploits that such agencies have at their disposal to obtain data from computers and browsers after it was decrypted.

Security researchers have yet to weigh in on the strength of Lavabooms implementation. The service said on its website that it considers making parts of the code open source and that it has a small budget for security audits if any researchers are interested.

Those interested in trying out the service can request to be included in its beta testing period, scheduled to start in about two weeks.

Free Lavaboom accounts will come with 250MB of storage space and will use two-way authentication based on the public-private keypair and a password. A premium subscription will cost 8 (around US$11) per month and will provide users with 1GB of storage space and a three-factor authentication option.

In addition to your key-pair and password we can either send you a randomly generated code or you can use the OTP-feature of a YubiKey. Or even both. We strongly recommend using YubiKey, Lavaboom said on its website.

The service uses the popular OpenPGP email encryption standard thats based on public-key cryptography. Each user will have a public and a private key that will form a keypair. The public key will be advertised publicly and will be used by other users to encrypt messages sent to the key owner and the key owner will then use his private key to decrypt those messages.

Read the rest here:
Lavaboom builds encrypted webmail service to resist snooping

Snowden’s Email Provider Loses Appeal Over Encryption Keys

Posted on by

Lavabit founder Ladar Levison. Image: Gage Skidmore/Flickr

A federal appeals court has upheld a contempt citation against the founder of the defunct secure e-mail company Lavabit, finding that the weighty internet privacy issues he raised on appeal should have been brought up earlier in the legal process.

The decision disposes of a closely watched privacy case on a technicality, without ruling one way or the other on the substantial issue: whether an internet company can be compelled to turn over the master encryption keys for its entire system to facilitate court-approved surveillance on a single user.

The case began in June, when Texas-based Lavabit was served with a pen register order requiring it to give the government a live feed of the email activity on a particular account. The feed would include metadata like the from and to lines on every message, and the IP addresses used to access the mailbox.

Because pen register orders provide only metadata, they can be obtained without probable cause that the target has committed a crime. But in this case the court filings suggest strongly that the target was indicted NSA leaker Edward Snowden, Lavabits most famous user.

Levison resisted the order on the grounds that he couldnt comply without reprogramming the elaborate encryption system hed built to protect his users privacy. He eventually relented and offered to gather up the email metadata and transmit it to the government after 60 days. Later he offered to engineer a faster solution. But by then, weeks had passed, and the FBI was determined to get what it wanted directly and in real time.

So in July the government served Levison with a search warrant striking at the Achilles heel of his system: the private SSL key that would allow the FBI to decrypt traffic to and from the site, and collect Snowdens metadata directly. The government promised it wouldnt use the key to spy on Lavabits other 400,000 users, which the key would technically enable them to do.

Levison turned over the keys as a nearly illegible computer printout in 4-point type. In early August, Hilton who once served on the top-secret FISA court ordered Levison to provide the keys instead in the industry-standard electronic format, and began fining him $5,000 a day for noncompliance.

After two days, Levison complied, but then immediately shuttered Lavabit altogether.

Levison appealed the contempt order to the 4th Circuit, and civil rights groups, including the ACLU and the EFF, filed briefs in support of his position.

Read the original here:
Snowden’s Email Provider Loses Appeal Over Encryption Keys

Coverity finds open source software quality better than proprietary code

Posted on by

Summary: Coverity, a company specializing in software quality and security testing solutions, finds that open source programs tend to have fewer errors than proprietary programs.

The irony isn't lost on me: Coverity, a a company specializing in software quality and security testing solution, has found that open source software has fewer defects in its code than proprietary programs in the aftermath of open-source OpenSSL Heartbleed programming fiasco. Nevertheless, the numbers don't lie and the 2013 Coverity Scan Open Source Report (PDF Link) found that open source had fewer errors per thousand lines of code (KLoC) than proprietary software.

The Coverity Scan service, which the study was based on, was started with the US Department of Homeland Security in 2006. The project was designed to give hard answers to questions about open source software quality and security.

For this latest Coverity Scan Report, the company analyzed code from more than 750 open source C/C++ projects as well as an anonymous sample of enterprise projects. In addition, the report highlights analysis results from several popular, open source Java projects that have joined the Scan service since March 2013. Specifically, the company scanned the code of C/C++ programs, such as NetBSD, FreeBSD, LibreOffice, and Linux, and Java projects such as Apache Hadoop, HBase, and Cassandra.

The 2013 report's key findings included:

Zack Samocha, senior director of products for Coverity, said in a statement, "Our objective with the Coverity Scan service is to help the open source community create high-quality software. Based on the results of this report as well as the increasing popularity of the service open source software projects that leverage development testing continue to increase the quality of their software, such that they have raised the bar for the entire industry."

Coverity also announced that it has opened up access to the Coverity Scan service, allowing anyone interested in open source software to view the progress of participating projects. Individuals can now become Project Observers, which enables them to track the state of relevant open source projects in the Scan service and view high-level data including the count of outstanding defects, fixed defects, and defect density.

"Weve seen an exponential increase in the number of people who have asked to join the Coverity Scan service, simply to monitor the defects being found and fixed. In many cases, these people work for large enterprise organizations that utilize open source software within their commercial projects," concluded Samocha. "By opening up the Scan service to these individuals, we are now enabling a new level of visibility into the code quality of the open-source projects, which they are including in their software supply chain."

Related Stories:

Go here to read the rest:
Coverity finds open source software quality better than proprietary code

Plant Breeders Release First ‘Open Source Seeds’

Posted on by

hide captionBackers of the new Open Source Seed Initiative will pass out 29 new varieties of fourteen different crops, including broccoli, carrots and kale on Thursday.

Backers of the new Open Source Seed Initiative will pass out 29 new varieties of fourteen different crops, including broccoli, carrots and kale on Thursday.

A group of scientists and food activists is launching a campaign Thursday to change the rules that govern seeds. They're releasing 29 new varieties of crops under a new "open source pledge" that's intended to safeguard the ability of farmers, gardeners, and plant breeders to share those seeds freely.

It's inspired by the example of open source software, which is freely available for anyone to use, but cannot legally be converted into anyone's proprietary product.

At an event on the campus of the University of Wisconsin-Madison, backers of the new Open Source Seed Initiative will pass out 29 new varieties of fourteen different crops, including carrots, kale, broccoli and quinoa. Anyone receiving the seeds must pledge not to restrict their use by means of patents, licenses or any other kind of intellectual property. In fact, any future plant that's derived from these open source seeds also has to remain freely available as well.

Irwin Goldman, a vegetable breeder at the University of Wisconsin-Madison, helped organize the campaign. It's an attempt to restore the practice of open sharing that was the rule among plant breeders when he entered the profession more than 20 years ago.

"If other breeders asked for our materials, we would send them a packet of seed, and they would do the same for us," he says. "That was a wonderful way to work, and that way of working is no longer with us."

These days, seeds are intellectual property. Some are patented as inventions. You need permission from the patent holder to use them, and you're not supposed to harvest seeds for replanting the next year.

Even university breeders operate under these rules. When Goldwin creates a new variety of onions, carrots or table beets, a technology-transfer arm of the university licenses it to seed companies.

This brings in money that helps pay for Goldman's work, but he still doesn't like the consequences of restricting access to plant genes what he calls germplasm. "If we don't share germplasm and freely exchange it, then we will limit our ability to improve the crop," he says.

View post:
Plant Breeders Release First 'Open Source Seeds'

Cryptography – Simple English Wikipedia, the free encyclopedia

Posted on by

Cryptography (also known as cryptology; comes from Greek , kryptos, "hidden, secret"; and , grph, "I write", or -, -logia, respectively)[1] is the practice and study of hiding information. It is sometimes called code, but this is not really a correct name. It is the science used to try to keep information secret and safe. Modern cryptography is a mix of mathematics, computer science, and electrical engineering. Cryptography is used in ATM (bank) cards, computer passwords, and shopping on the internet.

When a message is sent using cryptography, it is changed (or encrypted) before it is sent. The method of changing text is called a "code" or, more precisely, a "cipher". The changed text is called "ciphertext". The change makes the message hard to read. Someone who wants to read it must change it back (or decrypt it). How to change it back is a secret. Both the person that sends the message and the one that gets it should know the secret way to change it, but other people should not be able to. Studying the cyphertext to discover the secret is called "cryptanalysis" or "cracking" or sometimes "code breaking".

Different types of cryptography can be easier or harder to use and can hide the secret message better or worse. Ciphers use a "key" which is a secret that hides the secret messages. The cryptographic method needn't be secret. Various people can use the same method but different keys, so they cannot read each others' messages. Since the Caesar cipher has only as many keys as the number of letters in the alphabet, it is easily cracked by trying all the keys. Ciphers that allow billions of keys are cracked by more complex methods.

In symmetric cryptography, both the sender and receiver share the key. The sender uses the key in a certain way to hide the message. Then, the receiver will use the same key in the opposite way to reveal the message. Most types of cryptography are symmetric. Advanced Encryption Standard is a widely used one.

Asymmetric cryptography is harder to use. Each person who wants to use asymmetric cryptography uses a secret key number, and a different number, a "public key" that they can tell everyone. If someone else wants to send this person a message, they'll use the number they've been told to hide the message. Now the message cannot be revealed, even by the sender, but the receiver can easily reveal the message with his secret or "private key". This way, nobody else needs to know the secret key.

The details of asymmetric cryptography make it less useful than symmetric cryptography for actually sending messages. Instead, it is often used for computer signatures, when a computer must know that a file was sent from a certain sender. For example, computer software companies that release updates for their software can sign those updates to prove that the update was made by them, so that hackers cannot make their own updates that would cause harm. Computers can also use asymmetric ciphers to give each other the keys for symmetric ciphers.

Computers can do hard math very fast, and because of this they can do very strong encryption. Examples are computer algorithms like RSA, AES, Blowfish, and many others. Using good algorithms like these can make it very hard to read the information that is sent.

People are better at patterns, changing order of words or letters, and using words with different meanings. Because people are slower than computers, any cryptography they use can probably be broken if enough of the secret way to change it is known.

Simple forms of cryptography that people can do without machines are Caesar ciphers and transposition ciphers, but there are lots more. They are especially useful in espionage because a spy won't be caught carrying a code machine.

Original post:
Cryptography - Simple English Wikipedia, the free encyclopedia