e-ignite

As many of you from the UK will know, petrol prices have gone skywards and show no sign of slowing. With the Government announcing even more taxation on fuel, it’s time to take a stand. Lorry Drivers took matters into their own hands and staged the first of a number of threatened protests which I wholeheartedly agree with.

If you agree that fuel prices are too high and something has to be done at government level, please take just a few moments of your time to sign the government petition before 17 June 2008:

http://petitions.pm.gov.uk/Lowerduty30/

According to a number of recent BBC News articles, the UK government are currently considering creating a massive database logging all phone calls and emails sent. As usual, the excuse for needing such a database is “Terrorism” or “serious crime”, but at what point must voters and members of the public say that enough is enough? It is inconceivable to think that each and every call that is made is logged and every email that you send is noted - with current mobile phone technology, it’s possible for your location to be pin-pointed (simply download the Google Maps java application to your mobile handset and see for yourself by clickong on “my location”) so does this mean that yourlocation at the time of the call would be logged? It’s absolutely possible.

We’ve seen the function creep of technologies like this already - for example, average speed cameras that use number plate recognition to catch those speeding were installed under the promise that they would only ever be used for the purposes of speed control. Now though, we see that they are used to track movements of “terrorists” or “serious criminals”. With a database of all calls made and received, will the function eventually creep so that your exact location is logged every fifteen minutes or so when your mobile phone “checks in” with the network? Email on the move is also susceptible to this form of tracking - the IP address that sends the email could be tracked and in the future, why would they not start logging all the websites you’ve visited recently?

Read the rest of this entry »

So it turns out that SHA-1 might be broken. If not broken as such, it’s certainly bruised and its ability to be relied upon is in a significant amount of doubt. But why should that matter? We can just use SHA-256 or SHA-512 for more security, can’t we? Well yes we can… but does that actually help the wider issue?

Think about this in another way: If you receive a signed email from a contact of yours and it verifies correctly, do you check what method of signature was used on the email? I’d suggest that unless you’ve fitted yourself for a tinfoil hat, you’re unlikely to do this. Seeing as the signature process is employed to provide verification, we need a method that can use in a widespread manner and that we can rely upon. Is it time to revoke SHA-1 and DSA signatures? Should encryption and signing packages refuse to verify messages and files signed using these methods? Perhaps. However, it’s extremely unlikely that this would be implemented - md5 was broken some time ago and yet it’s still used for verification of file downloads etc in a farily widespread manner. So what should we do to protect ourselves from potentially forged digital signatures?

Read the rest of this entry »