Hubert Chathi

Hubert Chathi: Help stop the proposed warrantless spying legislation http://www.StopSpying.ca/ #privacy #security

Hubert Chathi: "If you wanted to be a smuggler, probably the first thing you'd want to do is enrol in the Nexus program" http://www.cbc.ca/news/canada/british-columbia/story/2011/07/18/bc-nexus-pass-smuggling-border.html #security

Hubert Chathi: Banks turn a blind eye to fraud http://www.cbc.ca/news/canada/british-columbia/story/2011/05/02/bc-abmfraud.html #security

Hubert Chathi: Awesome http://www.cbc.ca/news/world/story/2011/02/22/body-scanners-airport.html #security #privacy

Hubert Chathi: airline #security season again: http://www.cbc.ca/world/story/2010/11/16/body-scanner-backlash-air-travel.html and http://www.newser.com/story/105351/tsa-pats-down-3-year-old.html

Hubert Chathi: OK, now this is really getting ridiculous http://en.wikinews.org/wiki/Bomb_scare_aboard_plane_caused_by_harmless_prayer_box #security #paranoia

Hubert Chathi: stupid paranoia wins again http://www.cbc.ca/canada/story/2010/01/05/security-canada-us-airport.html #security

Hubert Chathi: "secure" USB drives not-so-secure: http://www.h-online.com/security/news/item/NIST-certified-USB-Flash-drives-with-hardware-encryption-cracked-895308.html #security

Hubert Chathi: Nearly 2/3 of Canadians would #vote online http://www.cbc.ca/politics/story/2009/12/17/ekos-poll.html In related news, nearly 2/3 of Canadians don't understand #security

Hubert Chathi: wants users to have passwords that are 20 characters long, with at least 8 upper-case letters, 9 lowercase letters, 4 digits, and 8 Unicode symbols above the normal ASCII range... #security

Hubert Chathi: doesn't like this: http://www.cbc.ca/technology/story/2009/06/18/tech-internet-police-bill-intercept-electronic-communications.html #privacy #security

No, not that kind of hash. The NIST is holding a contest for a new cryptographic hash function. Vulnerabilities have been found in the most commonly used hash functions, MD5 and SHA-1, and the contest is for the new SHA-3 standard. The deadline for submissions was last Friday, so if you missed it, too bad.

Schneier et al. have submitted their algorithm, called skein, and Rivest et al. have submitted MD6.

The NIST held a similar contest several years back for encryption algorithms, which resulted in Rijndael being officially named as the Advanced Encryption Standard. That contest took 5 years. We'll see how long this one takes. Hashing is generally less well-understood, and harder to do, than encryption.

I blogged about a year an a half ago about spam killing statistics on my server. I thought I'd post an update since then. These are the spam rejections from the past 10 days.

• viruses rejected by ClamAV: 14 (all phishing attempts — no actual viruses)
• spam rejected by SpamAssassin: 194 (this doesn't count spam eliminated by greylisting, since there's no easy way for me to get those stats)
• rejected by the DNSBL at zen.spamhaus.org: 4,603
• rejected by the DNSBLs at rfc-ignorant.org (dsn and bogusmx): 16
• sent to a nonexisting user: 451
• relay attempts: 37
• failed sender verification: 48
• bogus bounce messages (backscatter from spam): 7
• mail delivered to my inbox: 873

Obviously, these numbers don't show the whole picture — they're only based on 10 days of activity. For example, the backscatter that I get seems to happen in waves, so it's low now, but some times, it's huge.

So in all, in the past 10 days, my mail server rejected 5,370 messages (compared to 3,281 from my last blog) and accepted 873 (compared to 564 from my last blog) messages. I also have another layer of spam filtering when I fetch the mail from my server.

So, spam volumes are up by about 1.6 times. General mail volume is also up — I'm subscribed to a few more mailing lists.

Changes to my filtering setup since last time include:

• using DNSBLs: this drops a lot of spam, as you can see, and reduces the load on my server (since they only require a DNS lookup, and don't need to be content scanned
• lowering the threshold for SpamAssassin
• signing my outgoing envelope sender, so that I can reject bogus bounces
• enabling sender verification
• enabling client SMTP authorization: it doesn't make a showing in these stats, but it drops a few spam here and there. I wish more people would publish CSA records. It's an easy check for spoofing, and a dead giveaway if it fails. It just isn't very well known.

I've also started reporting some spam via spamcop.

Jes complained that I haven't blogged recently, so here it goes. I'm back in Waterloo, after a nice break in Edmonton. I got back on the 8th. Southern Ontario has had a lack of snow this winter ... until I got back. It started snowing the night I got back, and since then, we had one or two days without snow on the ground. We even had a snowstorm that shut down the school last Monday.

On my flight back, I was randomly selected at security for a patdown, I guess to make sure that I wasn't hiding a plastic gun in my pants that would evade detection by the metal detectors. The guard who searched me was professional an courteous. Random searches are a good thing for security, as long as they are truly random, and not based on things like racial profiling. Because once you start trying to profile, the terrorists will recruit people who don't fit the profile.

Thumbs up to cashiers in Alberta (at least the ones that I met at Best Buy and MEC). The signature on my credit card is worn off. The cashiers in Alberta actually checked that it was me by asking for my driver's license. Nobody in Ontario ever checked my license.

Thumbs down to the Vancouver airport. They had to shut down the international terminal and re-screen everyone because of a security mess-up. I don't know the exact details, but it seems like somebody failed to do their job.

As usual, my news pile is backing up (but not bad as my photo pile — I still have my summer photos to put up). So here's a dump of some of the articles.

First of all, don't take pictures of the police, or you might get arrested. (/., /. followup) (Even if you are fully within your rights to do so.)

Also, don't play in trees if you are a 12-year old child. You'll get arrested, and put your DNA on record. (/.)

If you're in an American airport, don't say that the TSA Director Kip Hawley is an idiot, even if he really is an idiot. (KHIAI, /.) If you do that, you may get detained. Because apparently freedom of speech doesn't apply inside an airport.

OK, enough sarcasm. (What? Hubert being sarcastic? Never...)

Electronic voting machines are becoming more commonly used in the US. But it seems like every month, there's a new problem that's found with them. The Open Voting Foundation took apart a Diebold machine, and found that it just takes flipping a single switch, and you can make the machine load your own software, instead of the (supposedly) certified software. (/.) The electronic voting machines also wreaked havoc in Maryland elections. Ed Felten et al. have shown how to infect a Diebold voting machine with a virus and change election results. (Dr. Dobbs, /.)

As Canada considers implementing their own version of the DMCA legislation, Professor Michael Geist, ran a series called 30 Days of DRM, which outlined 30 issues that need to be considered in anti-circumvention legislation. (A brief background: DRM, or “Digital Rights Management”, also called “Digital Restrictions Management”, is a term that refers to technologies used to limit access to digital media, such as music and movies. Anti-circumvention legislation makes it illegal to bypass DRM, aimed at preventing unauthorized duplication, but which also prevents legitimate use of the media.)

Despite claims of security, the new e-passports have been cloned. (/.) While this is not the same as creating a new, fake passport, it is still a significant hole. Some security is gained by embedding a chip inside a passport, but the new passports are generally viewed as unforgeable, giving people a false sense of security.

And the Senate Judiciary Committee has voted to extend the US's warrantless wiretapping. (/.) Because who needs judicial oversight? (Whoops. There I go with the sarcasm again.)

Remember the big scare back in August, that caused airline passengers to not be allowed to bring liquids (with a few exceptions) on board an airplane? Well, a Pakistani judge has ruled that there is not enough evidence against one of the key suspects to link him to any terrorist activities. (BBC, Al Jazeera, /.) Can we please have our water bottles back, now?