<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Disqus - Latest Comments for sweis</title><link>http://disqus.com/by/sweis/</link><description></description><atom:link href="http://disqus.com/sweis/comments.rss" rel="self"></atom:link><language>en</language><lastBuildDate>Wed, 03 Jun 2009 15:42:20 -0000</lastBuildDate><item><title>Re: Typing The Letters A-E-S Into Your Code? You&#8217;re Doing It Wrong!</title><link>http://www.matasano.com/log/1749/typing-the-letters-a-e-s-into-your-code-youre-doing-it-wrong/#comment-10447205</link><description>&lt;p&gt;The moral of the story is that crypto will only break your heart.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Steve Weis</dc:creator><pubDate>Wed, 03 Jun 2009 15:42:20 -0000</pubDate></item><item><title>Re: Google Wave – thoughts</title><link>http://benlog.com/articles/2009/05/29/google-wave-%e2%80%93-thoughts/#comment-74528898</link><description>&lt;p&gt;Hey Ben. Thought you might be interested in the draft verification protocol: &lt;a href="http://www.waveprotocol.org/whitepapers/wave-protocol-verification" rel="nofollow noopener" target="_blank" title="http://www.waveprotocol.org/whitepapers/wave-protocol-verification"&gt;http://www.waveprotocol.org...&lt;/a&gt;&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Steve Weis</dc:creator><pubDate>Fri, 29 May 2009 15:23:36 -0000</pubDate></item><item><title>Re: Importing Contacts</title><link>http://blog.zentact.com/2008/11/importing-contacts/#comment-4379971</link><description>&lt;p&gt;You should use OAuth to import contacts from large email providers.&lt;/p&gt;&lt;p&gt;Asking users to type in their username and password on untrusted third-party sites is a bad security practice that trains users to be phished.
It's also a barrier to entry that will dissuade people from trying your site.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Steve Weis</dc:creator><pubDate>Fri, 12 Dec 2008 19:24:47 -0000</pubDate></item><item><title>Re: Google Unveils Open Source Security Tool</title><link>http://www.inquisitr.com/2302/google-unveils-open-source-security-tool/#comment-1161180</link><description>&lt;p&gt;Thanks for the link. I'm looking forward to working with the open source community to grow Keyczar.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Steve Weis</dc:creator><pubDate>Mon, 11 Aug 2008 15:58:44 -0000</pubDate></item><item><title>Re: Olympics Journalists Urged To Use Crypto, to Thwart Chinese Spying</title><link>http://www.wired.com/threatlevel/2008/07/cnns-former-bei/#comment-127962419</link><description>&lt;p&gt;Using encryption is illegal in China without a license. Using it may draw attention to yourself and give the government a reason to detain you. Since you would be violating local laws, your local embassy may not be able to help you. The authorities would be within their rights by local laws to force you to divulge your secret keys.&lt;/p&gt;&lt;p&gt;Regardless, here are some technical comments:&lt;br&gt;1. Use full disk encryption on your laptop. It offers protection from having your laptop stolen or from casual government snooping. However, you may be compelled to reveal your decryption keys. If your laptop is seized and out of your possession, they could also install logging software or carry out more esoteric attacks, regardless of disk encryption.&lt;/p&gt;&lt;p&gt;2. If you use public-key encryption, use a public key whose private key you do not know, and preferably, can convince someone else that you do not know. 
Some human rights activists have used Amnesty International's public key.&lt;/p&gt;&lt;p&gt;If you work for a news organization, have them prominently post a public key on their website. Then you might be able to convince your interrogator that you really don't know the corresponding secret key.&lt;/p&gt;&lt;p&gt;As mentioned, you would likely be in violation of local laws just for using encryption.&lt;/p&gt;&lt;p&gt;3. Winnowing and chaffing is an option to achieve confidentiality without encryption, and thus keeping legal. I don't know of readily available or easy to use software to do it, but it would not be hard to implement. You'd also need to carry a secret or private authentication key with you.&lt;/p&gt;&lt;p&gt;In a country that respected the rule of law, you could honestly argue that you're not violating any bans on cryptography since you are only signing data. But in most countries, they'd probably still jail you and force you to reveal your key.&lt;/p&gt;&lt;p&gt;One final word of advice: Know what you're doing or find someone who does. Crypto is very, very easy to use improperly. This is one case where the stakes can be dire.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Steve Weis</dc:creator><pubDate>Wed, 30 Jul 2008 08:12:29 -0000</pubDate></item></channel></rss>