Security updates

Update 20180505

REAL PRIVACY https://realprivacy.io/

Update 20180504 Always mistrust FREE SERVICES. Be sure somehow you are the product. If the free service is not clear how you are the product, or you do not understand it. Do not sign in on it because you might get misused.

Update 20180416

In update Update 20170914 I wrote about the security risk Windows is within the modern mobile-internet age. One should also be careful with Excel and Word! As this case shows: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/04/kensington-and-chelsea-council-fined-for-identifying-owners-of-unoccupied-properties-in-foi-response/

Update 20180108 What about Spectre and Meltdown?

Both vulnerabilities exploit performance features (caching and speculative execution) common to many modern processors to leak data via a so-called side-channel attack.

About Processor/OS/App separation

In fact transistor IT (separated from other techniques like quantum IT) is like a bottom up layered cake. Layer one being the processor. The top layer being the application (App). With in between the Operating System (OS).

Security depends on security in all three layers and clear layer separation. A lot of effort goes into keeping OS / App separation clear. Most security problems in resent years were caused by design flaws in that respect. For example the Flash app bypassed the Browser / OS separation. Early Microsoft Word and other Office products also were known to have a lot of these OS/App separation bypasses.

In resent years Transistor IT (TIT) has become a lot more secure by clear industry rules about OS/APP layering.

The error made by some Processor designers

OS (Linux / Windows / MacOS / iOS) design always assumed the bottom layer (the processor) also kept to the industry separation rule. Now in fact it has been found Intel and derivatives use OS layer restricted areas (More specific shared memory space) that only should be used by the OS.

Modern processors go to great lengths to preserve the abstraction that they are in-order scalar machines that access memory directly, while in fact using a host of techniques including caching, instruction reordering, and speculation to deliver much higher performance than a simple processor could hope to achieve. Meltdown and Spectre are examples of what happens when we reason about security in the context of that abstraction, and then encounter minor discrepancies between the abstraction and reality.

Spectre

Spectre allows an attacker to bypass software checks to read data from arbitrary locations in the current address space.

Meltdown

Meltdown allows an attacker to read data from arbitrary locations in the operating system kernel’s address space (which should normally be inaccessible to user programs).

For more technical details see: (until now the best article we have found about this issue)

(https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/)


The fact that the Processor/OS separation fault by the processor maker is the cause of the leak means that OS updates can overcome the security issue.

The processor makers have to keep to the non spoken rules for Processor/OS separation. It is there business interest to set standards for this. And so they will in next generation processors.

OS developers will develop tests to check on this.

From a user perspective we have to trust the OS makers and update always to the latest version of the OS.

Update 20170914 Windows is becoming a security risk

A year ago or so, I never would have thought I once would make this statement! 'Windows is becoming a security risk'. Simply because a trend toward all Unix-like was evident but I did not see the impact on security for Windows!

I did not see it because I have worked decades for multinationals using Windows and MS-Office products everywhere. It was the 'normal'. I saw the trend towards Unix-like systems as merely a commercial issue, I did not see the emerging security issue. Not that I am not UX aware, years ago when Linus did not start Linux, I played about with Minix as Linus did. I was the first in the Netherlands to implement Oracle on SCO-unix. One of the first deploying AIX. We deployed database/machine interfaces. We were the first in the corporation to switch from token-ring to Ethernet. I had one of the first 1000 email addresses in NL. etc. etc.

But WordPerfect and Lotus, MS-Word and Excel and later Office were inevitable tools to get work done.

It was normal to work on Linux, AIX, Ethernet security and on Windows security. But where UX was moving toward 'Open Source' integration Windows moved deliberately away from it. This was no issue when the internal network was not connected to the internet and cloud did not exist.

Now however the internet and telephony are integrated. And it all is UX based! Except for … Windows!

So more and more organizations need security expertise for UX and Windows. And for practical cost purposes, they have 'experts' doing both! The MS-Office / Windows addicted organizations, most of the time have Windows security experts also doing UX security. And that is risky! I don't say Windows can not be secure! I don't say Windows in a modern internet-UX environment can not be secure! It can! But at double the cost!

This is where the issue starts. Because of human habits and the difference in UX-open culture and Windows-closed culture. This culture mix is becoming an issue because of the smartphone, Ethernet integration. Bring Your Own device mixed with Windows in these environments is inevitable. And thus in fact Windows is becoming a security risk because wrong staffing and cost control.

My conclusion: Giving the reality of an UX based cloud, mobile device and internet of things world, Windows is no longer affordable! It is becoming a security risk!

20170829: How university libraries are becoming a security risk? I'll explain. I also propose a solution!

Universities live largly from subsidies. To proove they earned it, they largly do this by means of publications. This publications have to available for all students. So they have to be printed and made available in the university libraries.

However most of it is read only once. And most of it is even never quoted by any othe scientist. It costs sociaty money to maintain this printing industry. This is a perverse meganisme, but why is it becomming a security risk? One sentance 'Fake news!'

Today I read an article from the Dutch general (yes militairy) in the Volkskrant of today. He expresses his, rightfully, consern about troll's and desinfomration as a bigger risk than worms and viruses. He however forgets that truth is a moving target. It is moving because what the human collective nolage is, is moving. It should be in the university libraries available. But we produced so much scientific clutter. Unquoted, undebated, un discussed lose from citizen realism nonscience isms. This is largely not so for hard science as physics and mathematics. But largely so for sociale science, psygology, theology, language etc... Our science system is corrupting society. And we should wander if so called populisme is populism at all or maybe a revolt against fake science?

Fake news starts with fake science.

The best thing about internet is how it helped open source. It is the best guarantee for security. We all rely on it on a daily basis. We do so because we trust that it is continues be debated, improved, chalanged on a scientific level. And it is! And it can! because it is publicly openly available on the internet. Other also proposed this but never with the security argumant.

To keep our society open, free, tolerant and striving for a better life for any human on the planet, we should get rid of fake science! Because it is the root cause for fake news! We should start demanding universities to have their own wiki systems that should become the reference source for the global wiki! So society can start trusting it again because, like internet security, it is an open system, that continues can be debated, improved, chalanged. In the and security is a trust thing. And trust is in ourselves and based on circles of people around us. Based on our human networks. Technology and science is always only something in between.

20170814: Governments fail to take their role in internet security. And their approach to the issue is a dramatically conventional paper legal based. Why dont they provide free SSL certificate services? Why don't they prohibit free services that in fact are payed with the privacy of naive citizens? Why don't they provide encryption services? Stop making laws! Help creating solutions!!