Meltdown & Spectre for non-techies

As you’ve probably heard by now, a very serious CPU bug was disclosed a few days ago. Lots of folks have tried to explain it in non-technical terms. I’ve not been satisfied with any of these, and as someone who believes it is a solemn responsibility of experts to make important topics accessible to all, that bugs me. So I spent some time reading up on the issues and coming up with my own explanation by analogy.

Continue reading “Meltdown & Spectre for non-techies”

security is hard, let’s improve the conversation

A few days ago, a number of folks were up in arms over the fact that you can see saved passwords in your Google Chrome settings. Separately, a few folks got really upset about how Firefox no longer provide a user interface for disabling JavaScript. These flare-ups make me sad, because the conversations are often deeply disrespectful, with a tone implying that there was obvious negligence or stupidity involved. There’s too little subtlety in the discussion, not enough respectful exchange. Security is hard. I don’t mean that you have to work really hard to do the right thing, I mean … Continue reading security is hard, let’s improve the conversation

Identity Systems: white labeling is a no-go

There’s a new blog post with some criticism of Mozilla Persona, the easy and secure web login solution that my team works on. The great thing about working in the open at Mozilla is that we get this kind of criticism openly, and we respond to it openly, too. The author’s central complaint is that the Persona brand is visible to the user: It [Persona] needs white-labeling. I know that branding drives adoption, but showing the Persona name on the login box at all is too much; it needs to be transparent for the user. Most of the visits to … Continue reading Identity Systems: white labeling is a no-go

connect on your terms

I want to talk about what we, the Identity Team at Mozilla, are working on. Mozilla makes Firefox, the 2nd most popular browser in the world, and the only major browser built by a non-profit. Mozilla’s mission is to build a better Web that answers to no one but you, the user. It’s hard to overstate how important this is in 2012, when the Web answers less and less to individual users, more and more to powerful data silos whose interests are not always aligned with those of users. To fulfill the Mozilla mission, the browser remains critical, but is … Continue reading connect on your terms

encryption is (mostly) not magic

A few months ago, Sony’s Playstation Network got hacked. Millions of accounts were breached, leaking physical addresses and passwords. Sony admitted that their data was “not encrypted.” Around the same time, researchers discovered that Dropbox stores user files “unencrypted.” Dozens (hundreds?) closed their accounts in protest. They’re my confidential files, they cried, why couldn’t you at least encrypt them? Many, including some quite tech-savvy folks, were quick to indicate that it would have been so easy to encrypt the data. Not encrypting the data proved Sony and Dropbox’s incompetence, they said. In my opinion, it’s not quite that simple. Encryption … Continue reading encryption is (mostly) not magic

Online Voting is Terrifying and Inevitable

Voting online for public office is a terrifying proposition to most security experts. The paths to subversion or failure are many: the server could get overwhelmed by attackers, preventing voting altogether the server could get hacked and the votes changed surreptitiously the users’ machines could get compromised by a virus, which would then flip votes as it chooses with little or no trace even if somehow we secure the entire digital channel, there’s still the issue of your spouse looking over your shoulder, strongly suggesting you vote a certain way So, terrifying. And yet, I’m now pretty sure it is … Continue reading Online Voting is Terrifying and Inevitable

(your) information wants to be free

A couple of weeks ago, Epsilon, an email marketing firm, was breached. If you are a customer of Tivo, Best Buy, Target, The College Board, Walgreens, etc., that means your name and email address were accessed by some attacker. You probably received a warning to watch out for phishing attacks (assuming it wasn’t caught in your spam filter). Yesterday, the Sony Playstation Network of 75 million gamers was compromised. Names, addresses, and possibly credit cards were accessed by attackers. This may well be the largest data breach in history. And a few days ago, it was discovered that iPhones keep … Continue reading (your) information wants to be free