19 Jan
It’s RMS news week!
Richard Stallman was at the UN World Summit on the Information Society and part of the security was that everyone had to wear an RFID tag to get through the security checks. Stallman’s privacy hackles were raised by this and he proceeded to wrap his tag in tinfoil and encouraged others to do likewise. This really annoyed security, enough that eventually they refused to let him exit a room.
UN Security eventually let him out, and then would not allow him to enter the room where he was appearing on another panel.
I got to the room just as the panel was about to start, at the moment that the problem suddenly evaporated and Richard was allowed to enter. No doubt some of our UN hosts had been dealing with security during those two hours, and eventually got an order from a high-enough officer or something. We’ll probably never know who, but imagine the headlines: Kofi Annan frees Richard Stallman. So, I walk in and Richard relates the entire situation to me in front of the audience present, including more than one government minister, and other folks arriving for the panel. I humorously remind Richard that he and I both have immunity as delegates, and he responds “You mean, I should have shot that guy Kramer?”. Kramer is the CompTIA representative who comes along to these things to relate a pro-software-patenting and generally anti-Free-Software viewpoint which gets Richard very steamed up. There’s a laugh, and I explain that our immunity probably doesn’t go that far. Richard goes on to say that he wouldn’t really kill anyone, but no doubt UN Security has heard this entire exchange too.
21 Jan
Been toying with how to securely transmit emails lately. As half (or more than, actually) of our company resides in the UK, and we conduct most of our communications via email (when not using Skype), secure email is a concern. We sometimes need to discuss clients’ requests, which can involve the inner workings of their business, or perhaps names, addresses & phone numbers that probably shouldn’t be public knowledge. Also there are things like design mockups and templates that we wouldn’t want someone else to get their hands on.
Unfortunately, making email secure is a real PITA, with most tools requiring you to set up a public/private key system and/or muck around with non-trivial settings in your mail client. However, today Wired News has an article on a new program called Ciphire, which is just in beta at the moment. It’s free for personal, non-profit, educational & press use, and a commercial product will be available later this year. I thought I’d give it a go, seeing as the Wired article was full of praise:
Setup was a snap: Just download and install the client, choose which e-mail addresses you want to associate with Ciphire, enter a password, and the application sets itself up.
Working with the program is just as simple. When two people using the Ciphire client exchange e-mails, the client intercepts e-mail right after the Send button is pressed, and before it leaves the computer. The recipient’s security certificate is retrieved at the Ciphire Certificate Directory, security checks are performed, and then the message and any attachments are encrypted with the recipient’s key.
Incoming e-mail is also intercepted before it appears in a user’s inbox, the message is decrypted (if necessary) and the sender is authenticated using the corresponding certificate from the Ciphire Certificate Directory.
Now that’s the way things are supposed to work. Remember when marketing was telling us all that technology was going to make our lives less complex? Don’t see too much of that happening. But this is indeed simple and, once installed, pretty much transparent. The install was, in fact, seamless. I didn’t need to deviate from any of the default choices and the most complex thing I needed to do was choose a password & then hit ‘Get Mail’ in Thunderbird twice to receive the two confirmation emails used to set up the public & private keys.
The more observant of you will have noticed I said Thunderbird. That’s right, they’ve even gone to the trouble of making this work on programs other than Outlook. In fact, because it doesn’t integrate with the client, but sits between the client & the mail server, it should work with any mail program using either POP or IMAP!
The other helpful thing is the extensive online help, including forums, how-to guides (including a general intro to the public/private key concept) and an online form for submitting bugs.
The great thing about this program is that you can forget that it’s running. The only thing I’ve noticed is that it takes about a second longer for my emails to finish sending, but this is very minor & may very well go away with the final release version. The fact that you don’t have to keep track of who can read your encrypted mail is good too. Because the system knows who has Ciphire set up, it decides for you whether to encrypt the email or not. If the recipient can’t receive encrypted mail, it just signs the mail so that the recipient can verify that you are the sender (which is better than nothing).
All in all, this program looks good, and when the commercial product comes out I think I’ll be looking closely at it to see whether we can use it here, especially as this will include a mail gateway and/or proxy.
[hat tip Gadgetopia for the Wired article link]
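The send and receive flow described in this post, sketched as an added example (not Ciphire's code or format): S/MIME through the `openssl` CLI stands in for Ciphire's own scheme, and the addresses, the `directory` folder and the function names are hypothetical.

```shell
# Added example: S/MIME via the openssl CLI stands in for Ciphire's own format.
set -eu
WORK=$(mktemp -d)       # constructed sandbox holding throwaway keys
DIR="$WORK/directory"   # hypothetical stand-in for the certificate directory
mkdir -p "$DIR"

# make_identity ADDR: create a throwaway key and self-signed certificate.
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}
# publish ADDR: enrol ADDR by placing its certificate in the directory.
publish() { cp "$WORK/$1.crt" "$DIR/$1.crt"; }

# protect_outgoing SENDER RCPT INFILE OUTFILE
# Always signs; also encrypts when RCPT has a directory entry.
# Echoes the decision ("encrypted" or "signed-only") so it can be logged.
protect_outgoing() {
  local sender=$1 rcpt=$2 in=$3 out=$4
  openssl smime -sign -text -in "$in" -signer "$WORK/$sender.crt" \
    -inkey "$WORK/$sender.key" -out "$out.signed" 2>/dev/null
  if [ -f "$DIR/$rcpt.crt" ]; then
    openssl smime -encrypt -aes256 -in "$out.signed" -out "$out" "$DIR/$rcpt.crt"
    rm -f "$out.signed"
    echo encrypted
  else
    mv "$out.signed" "$out"
    echo signed-only
  fi
}

# open_incoming SENDER RCPT INFILE: decrypt if needed, then verify the
# signature against SENDER's directory certificate and print the body.
open_incoming() {
  local sender=$1 rcpt=$2 in=$3 inner="$3.inner"
  if grep -qi 'enveloped-data' "$in"; then
    openssl smime -decrypt -in "$in" -recip "$WORK/$rcpt.crt" \
      -inkey "$WORK/$rcpt.key" -out "$inner"
  else
    cp "$in" "$inner"
  fi
  openssl smime -verify -text -in "$inner" -CAfile "$DIR/$sender.crt" 2>/dev/null
}

# Constructed demo: alice and bob are enrolled, carol is not.
make_identity alice@example.org; publish alice@example.org
make_identity bob@example.org;   publish bob@example.org
printf 'Client mockup v2 attached\n' > "$WORK/msg.txt"
for rcpt in bob@example.org carol@example.org; do
  echo "$rcpt: $(protect_outgoing alice@example.org "$rcpt" "$WORK/msg.txt" "$WORK/$rcpt.eml")"
done
```

The `signed-only` branch leaves the body readable in transit, so a gateway deployment would want that decision logged or shown to the sender.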
27 Oct
PuTTY, a great little freeware SSH client, has had a security update. Anyone who uses PuTTY should upgrade to version 0.56.
PuTTY 0.56, released today, fixes a serious security hole which can allow a server to execute code of its choice on a PuTTY client connecting to it. In SSH2, the attack can be performed before host key verification, meaning that even if you trust the server you think you are connecting to, a different machine could be impersonating it and could launch the attack before you could tell the difference. We recommend everybody upgrade to 0.56 as soon as possible.
That’s two really bad holes in three months. I’d like to apologise to all our users for the inconvenience.
Considering Simon Tatham & his team do all this work for free, I don’t think he should be too upset. The fact that they patched the flaws almost immediately speaks volumes for their commitment & integrity. Kudos to you!
26 Oct
Whirlpool Forums user Wireless has a microwave access point on their back fence in a weatherproof box. This is apparently a scary thing.
Got home in the arvo today with four cops outside my unit.
Apparently it was due to a black box which I’ve placed on the fence. Some neighbours got so alert (but of course, not alarmed) that they called 1800123400, thinking it was a bomb.
…
I’ve cut the wire to the weatherproof box (hosting an access point) and opened it up and showed it to them - it’s a very deadly 2.4Ghz microwave radiation weapon.
I can see the headlines now: Al Qaeda sleeper operative buys house in the suburbs, lives there for years then blows his house up for no apparent reason. Apparently the police were really rude too. That’s not too bright, I mean if he was a terrorist, wouldn’t he be a bit touchy?