Tor partially blocked in China | The Tor Blog

That last article lead me to this post on the TOR blog from September 15, 2009 (I am a bit late to this party). China is now blocking about 80% of the public TOR nodes.

This mostly ends a rather baffling situation where for some reason the Chinese were failing to block TOR even though it was being used effectively for censorship circumvention, the list of nodes is publicly available, and they are no more difficult to block than any other server.

Privacy Network Tor Suffers Breach | Privacy Digest

It has been reported, and the TOR folks have confirmed, that two of their core directory servers were recently compromised along with another server showing usage metrics. While it does not at first appear that the attack was aimed at compromising the TOR network, it would certainly have made some interesting attacks possible. Specifically, it looks like it would have allowed attackers to force users on to chains of all enemy run nodes. This is very concerning.

It also brings us the issue of general security of the TOR nodes. Since they are mostly run my volunteers, the security of the nodes is going to be very inconsistent. It is likely that many of them are vulnerable to attack which would give an adversary the ability to control a much larger fraction of the TOR network.

Official Google Blog: A new approach to China

Google is officially stating that a number of email accounts hosted by Google were attacked from within China. The accounts seem to be mostly connected to Chinese human rights activists. They also state that this is part of a larger pattern extending over a number of other companies.

The most amazing thing about this is the very aggressive pro-privacy stance Google is taking in response to this. They are saying that they will stop censoring search results at Google.cn. That they will talk with the Chinese about how to do this, but are willing to completely pull out of operations in China if they can’t provide un-censored content from within.

The post is worth reading in full. Here are the concluding paragraphs:

These attacks and the surveillance they have uncovered–combined with the attempts over the past year to further limit free speech on the web–have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

The decision to review our business operations in China has been incredibly hard, and we know that it will have potentially far-reaching consequences. We want to make clear that this move was driven by our executives in the United States, without the knowledge or involvement of our employees in China who have worked incredibly hard to make Google.cn the success it is today. We are committed to working responsibly to resolve the very difficult issues raised.

Wow. We shall see.

NIST-certified USB Flash drives with hardware encryption cracked - The H Security: News and Features

Security firm SySS announced (in German) that it has discovered a massive vulnerability in the hardware encryption for USB thumb drives by Kingston, SanDisk and Verbatim. From the article at The H Security it looks like the problem is that all drives share a single symmetric encryption key at the hardware level. The password interface seems to simply do some gymnastics to get access to that key. It does not really matter what it does because SySS was able to intercept the actual hardware key being sent in the clear to the device.

They then simply wrote a little program to just send that key without bothering with the password or anything else. Because all drives by the same maker use the same key, this program can instantly open any encrypted USB drive by that maker.

From the sound of it, this is a very easy attack for someone to duplicate. If you have one of these drives, I would suggest that you treat them as if they were normal un-encrypted thumb drives.

Kudos to Kingston for quickly providing details of which of their drives are affected, and recalling them. SanDisk and Verbatim have issues software fixes. If I understand the attack correctly, I am not sure how a software patch will solve it, so watch this space.

Our major new product release is now in Beta. We were hoping to release it in late 2009, but the testing has revealed some issues we want to fix first. I am not willing to compromise on the quality or security of our products. The unsatisfactory result of trying to stretch our old framework to work with new operating systems and browsers drove us to this total re-architecture of the solutions.

A nice side effect is that the new products will work cross platform (we should launch with Mac, Windows and iPhone), and support many more programs and protocols than the old solutions. It supports all the latest browsers on all supported platforms.

We don’t have a firm ship date yet, but we are getting close.

Google and India Test the Limits of Liberty - WSJ.com

In this case, it is not the search engine, but their social networking site “Orkut” which is the issue. Google’s troubles stem less from their actions than the fact that they are the dominant social networking site in India, and so most of those issues happen on that site.

Google has been forced to take down a lot of content, and hand over the identities of many posters. If the examples in the article are to be believed, the threshold for censorship is not high.

At the risk of repeating myself, if you live in India and you want to say something that might push or cross the line, do it with robust anonymity technology. You might still have your post taken down, but they can’t come after you.