A Must-Read Crypto Article

Don Davis' article Defective Sign & Encrypt in S/MIME, PKCS#7, MOSS, PEM, PGP, and XML is another one of those must-read articles for anyone working with crypto. This 5 year old article shows how even the experienced security engineers can overlook or underestimate security problems.
Some key points the article:

  • Encrypt-and-Sign lacks non-repudiation property
  • Naive Sign-and-Encrypt leads to problems
  • Sign and encrypt interdependently

Some advices from me:

  • Sign as you would chain-lock a bicycle – anything not chained down (i.e. front wheel) is not protected
  • When in doubt, include – in addition to a timestamp, I would add a system-wide sequence id (i.e. host id + host-specific sequence #) before signing
  • When designing a signable structure, create an area for these extras

BTW, Last Call version of the C14N 1.1 spec is out. Given that standards like these have problems after being reviewed by countless experts, I think the open source effect on security is rather exaggerated.

North and South Korean Height Difference

Above photo from Korean Yonhap News shows a North Korean soldier, one of two found drifting in the sea and rescued, being handed over to North Korea at the DMZ. What saddens me is how short he is compared to the South Korean soldier to the right. Even sadder, the differences has widened due to recent famines. The fact that northern Koreans used to be taller than southern Koreans makes this photo a very stark example of what two generations of dictators, father and son, can do to their own people.


Get Firebug

Firebug 1.0 is a godsend for web developers. It's insanely good. It's still in beta but I've been using it for weeks and found it to be stable enough. Heck, even if it crashed the browser every five minutes (it doesn't), I would still use it. It's that good. Don't use the orange install button to install. Release Notes link just below it leads to the latest version. You'll have to use the orange install button now. My apology to Firebug guys for encouraging use of the other download link.
PS: I don't know why but installing firebug1.0-b7.xpi gives you 1.0b6 on Mac and 1.0b4 on Windows. scratch Restarting Firefox fixed this. My bad.
PPS: At least one person reported that Firefox update is incompatible with Firebug. I haven't had any problem with the update. If you encounter a problem, try switching back to the original Firefox theme.

Tags: , ,

Improving 5-Star Rating UI

I've been meaning to respond to Christopher Allen's Using 5-Star Rating Systems post but haven't had time until now. Like him, I see problems in the 5-point rating scale but my solution is somewhat different. Unless I misunderstood his solution, his approach aims to improve how distinctive meaning of each rating score is conveyed to the scorer. In doing so, he assumes the scorer will make a fair intelligent judgement given proper understanding of the scoring system.

My solution tries to focus more on primordial aspects of the scorer, emotions and group behavior, to address the problems of 5-star rating system. The key idea is to use peer pressure to normalize individual rating scores. Peer pressure is applied by displaying a miniature score distribution chart directly above (pressure, get it?) the 5-star scoring UI. In the example shown above, peer group's scores were mostly average and so was the scorer's.


Above are examples of a mostly negative rating and a mostly positive rating. In both, peer pressure is strong so the scorer must have strong emotions to break out.

Here we have an interesting example, a split in the peer group which weakens the peer pressure effect.
There are many subtle factors as well as hints in this solution but I'll leave that for another post later or as discussion fodder for others. ;-p
Disclaimer: this solution has not yet been proven in the field.

MyBlogLog and Privacy

I recently registered my face at MyBlogLog because Fred Wilson's ongoing fangelism about the service finally got to me. In short, experience exceeded expectation.
I knew MyBlogLog was being used by many of the blogs I frequent but I didn't really notice them because my eyes would just slip around the faces like I would around ads. Until I my face showed up in the box, that is. Holy Cow! My own face is an irresistible personalized eyeball magnet! If my face showed up in ads I come across, I'll have a difficult time gliding past them like before. This can't be MyBlogLog's business model, can it?
After joining MyBlogLog (only as a reader for now), I started noticing the MyBlogLog box at blogs I visited and noting familiar faces there alongside mine. Ha. Loic found time to read this blog while fighting the Le Web shitstorm! Hmm. Who is this MyBlogLog stalker? Overall, MyBlogLog significantly enhanced my blogging experience.
But I have some privacy concerns. As far as I can see, I have no control over where my face appears. If I visited a porn blog and the blog used MyBlogLog, my face would be seen by other visitors. Yikes! I know that such situations are not likely because it's not in the porn blog's interest to embarrass visitors, but not having control over where one's face appears is a big concern IMHO.
I am pretty sure that Eric and others at MyBlogLog must have thought about this problem already. The question is what they are doing to address the problem.