There has been a lot of media coverage of the threats of Saudi Arabia and the UAE to shut down BlackBerry connectivity in their countries unless RIM (the maker of BlackBerry) introduces a back door so they can monitor communications.

I have been following this story closely, but wanted to wait until I had all the facts before blogging about it. At this point I don’t think I am going to get the whole story. The statements I am seeing are absolutely contradictory and the whole thing is getting really fishy.

UAE/SA say that they need to be able to access BlackBerry communications, but they can’t.

RIM says that their technology makes interception impossible because the communications are encrypted end to end between the BES server (located at the users place of business) and the handset. RIM claims not to have access to the decryption keys.

Third parties claim that RIM has arrangements with other countries (including the US and Russia) which allows such access.

RIM responds that this is false and that they don’t have this ability.

It looks like RIM and UAE/SA will come to an agreement while both continue to claim that they have not compromised their positions.

The moral of this story is that you should not trust security you can not fully analyze yourself. Anonymizer Universal uses strongly encrypted L2TP VPN technology to secure your information so even if your telecommunications provider is cooperating with surveillance they still can’t read the contents of your messages.

Unfortunately Anonymizer Universal does not support BlackBerry yet, but iPhone, Windows, and Mac users are protected.

This year the “Computers Freedom and Privacy” (CFP) conference is taking place in San Jose from June 15-18. This year is the 20th anniversary of the conference which helped shape my thinking about Internet Privacy and introduced me to many of the key players in this space.

Around the same time in 1992 an email mailing list started called “Cypherpunks”. Members were devoted discussions of Internet freedom and to creating and distributing privacy and security tools. Best known of these are the various flavors of Anonymous Remailers following the original anon.penen.fi.

This seems like a good time to stop and take stock of what has been achieved, lost, and abandoned in the evolution of privacy and anonymity on the Internet. I have organized a panel at CFP of some of the key Cypherpunks from the early days to talk about those early days, and share their vision and insight about where we are and where we should / are likely to end up.

I hope I will see many of you there.

NIST-certified USB Flash drives with hardware encryption cracked – The H Security: News and Features

Security firm SySS announced (in German) that it has discovered a massive vulnerability in the hardware encryption for USB thumb drives by Kingston, SanDisk and Verbatim. From the article at The H Security it looks like the problem is that all drives share a single symmetric encryption key at the hardware level. The password interface seems to simply do some gymnastics to get access to that key. It does not really matter what it does because SySS was able to intercept the actual hardware key being sent in the clear to the device.

They then simply wrote a little program to just send that key without bothering with the password or anything else. Because all drives by the same maker use the same key, this program can instantly open any encrypted USB drive by that maker.

From the sound of it, this is a very easy attack for someone to duplicate. If you have one of these drives, I would suggest that you treat them as if they were normal un-encrypted thumb drives.

Kudos to Kingston for quickly providing details of which of their drives are affected, and recalling them. SanDisk and Verbatim have issues software fixes. If I understand the attack correctly, I am not sure how a software patch will solve it, so watch this space.

Security guide to customs-proofing your laptop | The Iconoclast – politics, law, and technology – CNET News.comDeclan writes a witty and informative piece on securing a laptop against legals searches without cause at border crossings. 

Tool Physically Hacks Windows – Desktop Security News Analysis – Dark ReadingI am not sure how this has been true for years, yet has received so little attention. This article discusses the fact that Firewire connections enable direct read and write to a computer’s RAM. In many ways, this is even better than the RAM persistence I blogged about a while back. It appears to be easy to write a script that would run on an iPod or other Firewire device which will allow you to grab passwords from memory, bypass login screens, and gain access to the local drive. The amazing thing about the memory access is that it actually bypasses the CPU entirely. Normal security software will not pick this up at all. PCMCIA and Firewire are designed to work this way. It is a “feature” not a “bug”. Never the less, it is a huge security issue. If your computer is under the physical control of another person, you are in trouble. Hard drive encryption is the solution, but only if the computer is OFF. If it is on, then the password can be grabbed from memory. There is really no solution to that problem.There are two actions one can take. First, you can physically disable your Firewire capability if you need to leave your computer running unattended. Second, you can make sure you never leave your computer running unattended in an insecure location, and that the hard drive is encrypted securely. This second suggestion is the same solution as for the RAM persistence attack.