SSL: welcome to digital GULAG

Let's take a look at the seemingly innocent practice of OCSP stapling. Basically it is a certification that your certificate is valid: a certificate for the validity of your certificate, issued by your certificate authority and bundled with your original certificate. Sounds perfect! If only we could certify the validity of this second certificate too, with a third certificate issued by the same authority, that would be enough. Certainly, three certificates are enough for everyone. Right?

This practice stems from OCSP (an Internet protocol used for obtaining the revocation status), which is not nearly as funny, and far from «innocent».

The original OCSP implementation can introduce a significant cost for the certificate authorities (CA) because it requires them to provide responses to every client of a given certificate in real time. For example, when a certificate is issued to a high traffic website, the servers of CAs are likely to be hit by enormous volumes of OCSP requests querying the validity of the certificate.

Do you see what this quote implies? That FOR EACH SSL CONNECTION YOU MUST ASK THE AUTHORITY'S PERMISSION. The certificate authority is now an authority that decides whether to allow or refuse your SSL connections. In real time. You no longer decide to connect to a host of your choice; this decision is moving to some authorities.

Let that sink in.

====
P.S. Certificate revocation (without SSL) is not that dangerous and absurd. It was initially designed to work OFFLINE, i.e. all certificates, requests and answers are strictly timestamped — which makes revocation lists valuable and transferable — and all of this is designed for post-factum verification of documents and such.

On the doorsteps of ivory tower: encryption for a "demanding" customer

Recently I took a somewhat deeper-than-intended dive into the wonderful world of so-called “secure communications” (don’t ask me why, maybe I will tell you eventually). No, not Signal or Protonmail, nor Tox or OTR. I mean paid (and rather expensive) services and devices you have probably never heard of (and had every reason not to). Do names like Myntex, Encrochat, Skyecc, Ennetcom ring a bell? Probably they do not, as it should be, unless they fuck something up spectacularly enough to hit the newspaper headlines (some of them really did).

Three lessons should be learned

FIRST, while experts are discussing technical peculiarities, John Q. Public is not interested in all that technobabble. This attitude constitutes a security issue in its own right, but at least it is well-known and we know what we need to do: educate the customer about several concepts that are basic, intuitive and easy for a non-technical person — OPSEC, attack surface, threat models, supply chain security, encryption key life cycle etc. And then we leave everything «more technical» to a trustworthy independent audit.

Right? NO. Those people are not interested AT ALL (technobabble included), and they treat your aforementioned audit with the same amount of interest. And your educational initiative goes the same way, since the entire syllabus you call «very very basics every human being must understand» fits comfortably into the category «technobabble» in the customer's world view. For them «Military grade security» is just as convincing as «we had a public independent review»: little more than white noise, and the former still counts for more than the latter. Let alone the popular opinion about audit: «You could compromise your security by allowing god-knows-who to look into the implementation details! It was careless!»

SECOND, as “business” customers do not really care about technology, you cannot show them the trustworthiness of your solution by using the technological correctness of this solution. There is no common ground, no scientific consensus, no expert is trusted, everything is «my word vs your word», no audit is reliable (and that’s yet another reason nobody is interested in audits).

For your customers the very notion of «trust» implies interpersonal relations. They cannot trust anything but people. A piece of software being trusted? Or better still: trusted for a certain particular property? Those notions are not welcome in a businessman's brain. However, that may not be a detriment. At the end of the day we cannot eliminate the «human factor» from the software as long as humans write it (with all the backdoors and easter eggs). Trust (as your customers understand it) is all about loyalty. Trust (as you understand it) is an expression of your knowledge of the software capabilities. Perhaps someone should stop abusing the word, and I suggest sticking to the older meaning. Get yourself a new word! On the other hand, the traditional loyalty-driven interpretation of trust leads to horrible decisions in the context of infosec. A catastrophic clusterfuck of any magnitude is easily forgivable as long as it is caused by mere negligence as opposed to sabotage. «Yeah, people make mistakes, but they did their best, yes? They TRIED!»

THIRD is that trust issues with people lead those customers into miserable situations, as they know people no better than they know technology, but for no reason they feel more confident in that area. Running a successful business (especially a risky one, if you know what I mean) reinforces confirmation bias about knowing people. First you make a lot of money, and the next day you get scammed by a Nigerian prince, a Russian bride or a fake crypto.

I guess I should write a separate essay about liability shift and self-preservation mechanisms that sometimes fail in unexpected ways for unexpected people, but not now.

On positive impact of ransomware on information security

I truly hate that I need to write this. And I feel really sorry for those who were forced to learn it the hard way, but don't tell me you haven't been warned in advance years before. However.


— The end of compliance-driven security is now official. Petya is not impressed with your ISO27K certificate. Nor does it give a flying fsck about your recent audit performed by a Big4 company.
— Make prevention great again (in the detection-dominated world we live in now)! Too busy playing with your all-new AI-driven deep learning UEBA box? Ooops, your homework goes first. Get patched, enable SMB signing, check your account privileges and do the other boring stuff, and then you may play.

Did I say BCP and business process maturity? Forget that, I was kidding, hahaha. That's for grown-ups.

How to fix U.S. educational system once and for all

Amendment 28


The U.S. govt has no right to interfere with any aspect of public education, neither institutionalized nor irregular. It is prohibited for the govt to fund a school, advertise education services, impose standards or requirements in any way related to public education, limit educational activities in any way shape or form (for example: by demanding licensing).

Amendment 29


A teacher has an absolute, unrestricted, unalienable right to choose his students as he sees fit. A teacher is free to enroll and dismiss students on a whim at any time without answering to anyone or explaining his motives. The right of a teacher to freely select his students cannot be limited by any institution; this amendment overrides any contractual obligations in this regard.

=================
Simple as that. No more laws and «departments» and «committees» are needed. You can even send your department of education to a re-education camp in Siberia.

And by the way, these two clauses are sufficient to return MALE teachers to the schools.

On The Banishment Of Cash (part1)

I am failing to understand four simple things:
why do people always fail to know the limits of their individual reach?
why do people always believe everything authorities say?
why do people always think «it won't happen to us»?
why do people always prefer to lose everything in order to save a part?

All these four shine and glitter as they intricately weave into the topic of «cash vs plastic» (keep them in mind while reading).

It has become a popular fad to use «plastic» instead of cash… as usual people are completely unaware of the dangers of this fad. And for some reason they think that «plastic» is somewhat equivalent to cash — NOT EVEN REMOTELY!

The most important issue is (as usual) the simplest one and (as usual) the most ignored one — WHO COMMITS A TRANSACTION? You come to a store for a loaf of bread, you pay for it and take it away. Are you sure it was you who paid for it? I am sure, because I always use cash. When I give a banknote to a cashier I physically commit the transaction — this is MY FINAL SAY. When you type your PIN, you MERELY ASK a bank to commit the transaction for you. At the end of the day it is the bank's decision whether you are going to have this loaf of bread or not. Think about it for once! The bread you are having now is not the result of a free trade between you and a baker, it is the free will of an (undoubtedly honest) 3rd party. The bank decided of their own volition to allow you to have this bread, and they can as easily decide to starve you at any time.

And when I am speaking about bread, I literally mean bread. It is a common practice in Ukraine and Russia to arrest the bank accounts of family members of political dissidents, thus rendering them incapable of engaging in any trade, i.e. buying bread. When you are under a police investigation for political reasons, you are offered a choice: your family will starve unless you confess that you were digging a tunnel under the Kremlin with a premeditated goal to assassinate the dear comrade Stalin. The most famous implementation of this tactic is the Ruslan Kotsaba case: his wife and kids only survived thanks to the public campaign (launched by the defence attorney) encouraging people to trade with the wife for cash (she is a pastry chef).

But, of course! It cannot happen to you! No way! (Ask The Lighthouse Project what methods courts and prosecutors employ in the USA and Canada to exert pressure on the falsely accused.)

The banks do not bother with breaching your security, they took away your agency altogether.


(to be continued)

Any sales pitch mentioning WannaCry is a scam.

snake oil
To suffer a significant damage from WannaCry, you need to craft a redundant clusterfuck of FIVE SIMULTANEOUSLY MET conditions:

  1. Failure to learn from previous cases (remember Conficker? It was a pretty similar thing)
  2. Workflow process failure (why do you need those file shares at all?)
  3. Basic business continuity management process failure (where are your backups?)
  4. Patch management process failure (to miss an almost two-month-old critical patch?)
  5. Basic threat intelligence and situational awareness failure (not like in «use a fancy IPS with IoC feed and dashboard with world map on it», more like «read several top security-related articles in non-technical media at least weekly»)

And after you have won the bingo, you expect you can BUY something that will defeat such an ultimate ability to screw up? Duh.
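
A read-only check of the boring items named in the list above and in the ransomware post (SMB signing, SMBv1, file shares, patch age, account privileges), as an added example that is not from the original posts. It uses the built-in Windows SMB and local-account cmdlets; the 45-day patch threshold is an assumption to be replaced with whatever your patch policy sets.

```powershell
# Added example: read-only audit of the hygiene items named in the posts.
# Run in an elevated PowerShell session on the Windows host being checked.

$maxPatchAgeDays = 45   # assumption: use the limit from your own patch policy

$server = Get-SmbServerConfiguration
$client = Get-SmbClientConfiguration

# Most recent dated update; InstalledOn can be empty for some entries.
$lastPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

# User-created file shares only (skips built-in ones such as ADMIN$, C$, IPC$).
$shares = Get-SmbShare | Where-Object { -not $_.Special }

# Built-in Administrators group, addressed by its well-known SID so the
# lookup also works on non-English systems.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544'

$findings = @()
if ($server.EnableSMB1Protocol) {
    $findings += 'SMBv1 is enabled on the server side'
}
if (-not $server.RequireSecuritySignature) {
    $findings += 'SMB server does not require signing'
}
if (-not $client.RequireSecuritySignature) {
    $findings += 'SMB client does not require signing'
}
if (-not $lastPatch) {
    $findings += 'No dated hotfix records found'
} elseif (((Get-Date) - $lastPatch.InstalledOn).Days -gt $maxPatchAgeDays) {
    $findings += "Last update installed on $($lastPatch.InstalledOn.ToString('yyyy-MM-dd'))"
}
if ($shares) {
    $findings += "File shares to justify: $($shares.Name -join ', ')"
}

# One object per host, easy to collect from many machines and compare.
[pscustomobject]@{
    Host        = $env:COMPUTERNAME
    Findings    = $findings
    LocalAdmins = $admins.Name
}
```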

The greatest problem with "public" schools

...is that they are NOT public.

Do you, dear public, pay for those schools?
You do… you pay exactly «for» but not «to». The schools actually receive money from the govt, NOT from you. And you have no control over the money distribution. When the money is given to the schools it doesn't bear your scent anymore — it is «govt's money» at that moment. The govt decides who takes the money, and for this money a school has to appease the govt, NOT you. These «public» schools are indeed the govt's schools.

Americans seem to forget the old Russian proverb:
Who dines the girl, he dances her.