A Must-Read Crypto Article

Don Davis' article Defective Sign & Encrypt in S/MIME, PKCS#7, MOSS, PEM, PGP, and XML is another one of those must-read articles for anyone working with crypto. This 5-year-old article shows how even experienced security engineers can overlook or underestimate security problems.
Some key points of the article:

  • Encrypt-and-Sign lacks non-repudiation property
  • Naive Sign-and-Encrypt leads to problems
  • Sign and encrypt interdependently

Some advice from me:

  • Sign as you would chain-lock a bicycle – anything not chained down (e.g. the front wheel) is not protected
  • When in doubt, include – in addition to a timestamp, I would add a system-wide sequence id (i.e. host id + host-specific sequence #) before signing
  • When designing a signable structure, create an area for these extras
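
The advice above as a runnable sketch (an added example, not code from this post or from Davis' article): the signed structure carries the recipient and an extras area with a timestamp, host id and host-specific sequence number, so a forwarded or replayed message fails verification. HMAC-SHA256 stands in for a public-key signature so the example needs only the standard library; all names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import json
import time

def canonical(fields: dict) -> bytes:
    # Deterministic serialization: sorted keys, no optional whitespace.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def sign_envelope(key, sender, recipient, body, host_id, seq, now=None):
    # Everything that must not be altered goes inside "signed", including the
    # "extras" area: timestamp plus host id and host-specific sequence number.
    signed = {
        "sender": sender,
        "recipient": recipient,
        "body": body,
        "extras": {"ts": int(now if now is not None else time.time()),
                   "host_id": host_id, "seq": seq},
    }
    # Assumption: HMAC is a stand-in for the sender's public-key signature.
    tag = hmac.new(key, canonical(signed), hashlib.sha256).hexdigest()
    return {"signed": signed, "sig": tag}

class Verifier:
    def __init__(self, key, me, max_age=300):
        self.key, self.me, self.max_age = key, me, max_age
        self.last_seq = {}  # host_id -> highest sequence number accepted

    def check(self, env, now=None):
        s = env["signed"]
        want = hmac.new(self.key, canonical(s), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, env["sig"]):
            return "bad-signature"
        if s["recipient"] != self.me:
            return "not-for-me"  # signed for someone else, then forwarded
        extras = s["extras"]
        now = now if now is not None else time.time()
        if abs(now - extras["ts"]) > self.max_age:
            return "stale"
        if extras["seq"] <= self.last_seq.get(extras["host_id"], -1):
            return "replayed"
        self.last_seq[extras["host_id"]] = extras["seq"]
        return "ok"

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample value
    env = sign_envelope(key, "alice", "bob", "ship order 17", "host-a", 1)
    print(Verifier(key, "bob").check(env), Verifier(key, "charlie").check(env))
```
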

BTW, the Last Call version of the C14N 1.1 spec is out. Given that standards like these have problems after being reviewed by countless experts, I think the open source effect on security is rather exaggerated.

North and South Korean Height Difference

The above photo from Korean Yonhap News shows a North Korean soldier, one of two found drifting in the sea and rescued, being handed over to North Korea at the DMZ. What saddens me is how short he is compared to the South Korean soldier to the right. Even sadder, the difference has widened due to recent famines. The fact that northern Koreans used to be taller than southern Koreans makes this photo a very stark example of what two generations of dictators, father and son, can do to their own people.


Get Firebug

Firebug 1.0 is a godsend for web developers. It's insanely good. It's still in beta but I've been using it for weeks and found it to be stable enough. Heck, even if it crashed the browser every five minutes (it doesn't), I would still use it. It's that good. Don't use the orange install button to install. Release Notes link just below it leads to the latest version. You'll have to use the orange install button now. My apology to Firebug guys for encouraging use of the other download link.
PS: I don't know why but installing firebug1.0-b7.xpi gives you 1.0b6 on Mac and 1.0b4 on Windows. scratch Restarting Firefox fixed this. My bad.
PPS: At least one person reported that Firefox update is incompatible with Firebug. I haven't had any problem with the update. If you encounter a problem, try switching back to the original Firefox theme.


Improving 5-Star Rating UI

I've been meaning to respond to Christopher Allen's Using 5-Star Rating Systems post but haven't had time until now. Like him, I see problems in the 5-point rating scale but my solution is somewhat different. Unless I misunderstood his solution, his approach aims to improve how distinctive meaning of each rating score is conveyed to the scorer. In doing so, he assumes the scorer will make a fair intelligent judgement given proper understanding of the scoring system.

My solution tries to focus more on primordial aspects of the scorer, emotions and group behavior, to address the problems of 5-star rating system. The key idea is to use peer pressure to normalize individual rating scores. Peer pressure is applied by displaying a miniature score distribution chart directly above (pressure, get it?) the 5-star scoring UI. In the example shown above, peer group's scores were mostly average and so was the scorer's.


Above are examples of a mostly negative rating and a mostly positive rating. In both, peer pressure is strong so the scorer must have strong emotions to break out.

Here we have an interesting example, a split in the peer group which weakens the peer pressure effect.
There are many subtle factors as well as hints in this solution but I'll leave that for another post later or as discussion fodder for others. ;-p
Disclaimer: this solution has not yet been proven in the field.

MyBlogLog and Privacy

I recently registered my face at MyBlogLog because Fred Wilson's ongoing fangelism about the service finally got to me. In short, experience exceeded expectation.
I knew MyBlogLog was being used by many of the blogs I frequent but I didn't really notice them because my eyes would just slip around the faces like I would around ads. Until my face showed up in the box, that is. Holy Cow! My own face is an irresistible personalized eyeball magnet! If my face showed up in ads I come across, I'll have a difficult time gliding past them like before. This can't be MyBlogLog's business model, can it?
After joining MyBlogLog (only as a reader for now), I started noticing the MyBlogLog box at blogs I visited and noting familiar faces there alongside mine. Ha. Loic found time to read this blog while fighting the Le Web shitstorm! Hmm. Who is this MyBlogLog stalker? Overall, MyBlogLog significantly enhanced my blogging experience.
But I have some privacy concerns. As far as I can see, I have no control over where my face appears. If I visited a porn blog and the blog used MyBlogLog, my face would be seen by other visitors. Yikes! I know that such situations are not likely because it's not in the porn blog's interest to embarrass visitors, but not having control over where one's face appears is a big concern IMHO.
I am pretty sure that Eric and others at MyBlogLog must have thought about this problem already. The question is what they are doing to address the problem.

Buying Time for More Nukes

Zhang Liangui, professor of international strategic research at Central Party School in Beijing, said:

Despite signing treaties on non-proliferation, "North Korea never stopped its nuclear program" from the 1960s, and instead kept buying time. "The balance of comprehensive national strength began to tip in the early 1970s, and widened dramatically with the South's economic power growing 30 times greater than the North," he says.

"North Korean leaders see mastering nuclear weapons as the only possible measure to dispel the fear of failure in this competition, and even possibly to take the initiative in unifying the Korean peninsula through force."

The Australian News

I think his reading of the situation is right on the money. Unfortunately, a complete embargo will force North Korea to explode southward like an over-squeezed tube of toothpaste. Ally or not, expect South Korea to stay neutral in the coming embargo. But then it might be years from now if Kim Jong-Il continues to be successful in buying time.


Java XML Encryption API Status

JSR 106 (XML Digital Encryption API) has been stuck in Public Review for a year now, 11 months past its finish date. Since the JCP process is as transparent as a one-sided mirror, your guess is as good as mine. Its companion, JSR 105 (XML Digital Signature API), is bundled with Java 1.6 and JWSDP 2.0 but Sun has been pointing to the Apache XML Security project for XML encryption. FYI, Sun's JSR 105 implementation is a repackaged version of the Apache XML Security library.
On the Apache XML Security front, looks like version 1.4 is ready to be released except it hasn't because the release guy doesn't have time to update the web page. Funny. If you want to build one for yourself, beware that some elbow grease will be needed. I expected such a key open source project to be in a better state than it appeared to be.
