Our GnuPG strategy and code aren't ready. We need to either make all that crypto stuff completely seamless, or improve the tools we expose to the user for manual work. Preferably both.
Of course, the last of those is the big one, and goes back to the discussion around Thunderbird last week. As the Mailpile team emphasised, the project is not being abandoned: the beta-testing did what it was supposed to do - winkle out problems - and the team will now use that feedback to address issues and improve things. But it does show once more that crypto is hard - and that's true not just for open source, but for all kinds of software. The big question remains: is it possible to make it easy enough for many more people to use, or is it doomed to be the preserve of those who really need it, or at least think they do?
OpenSSL, arguably the world's most important Web security library with its support for Secure Sockets Layer (SSL) and Transport Layer Security (TLS) in such popular Web servers as Apache and Nginx, has had real trouble. First there was Heartbleed, and more recently there is FREAK. It's been one serious security problem after another. Now the NCC Group, a well-regarded security company, will be auditing OpenSSL's code to catch errors before they appear in the wild.
Five of those security and security-related features were announced today and are on track to be included in the next edition, which should be PC-BSD 10.1.2. They are:
PersonaCrypt – a command line utility to back up a user's home directory to encrypted external media
Tor Mode in System Updater Tray
Stealth Mode in PersonaCrypt
Ports now use LibreSSL by default instead of OpenSSL
Support for encrypted backups in Life-Preserver utility
Today at Mobile World Congress, the encrypted phone system Blackphone announced a new phone and tablet, along with a new business focus on enterprise. The phone is called the Blackphone 2, a successor to the first Blackphone shown at MWC last year, but adds a new processor, a better screen, and a larger profile overall. The tablet, called the Blackphone+, is slated for release in the fall. Both run Blackphone's secure OS, a fork of Android, which is designed to protect metadata and provide end-to-end encryption throughout.
Security experts have discovered a highly threatening vulnerability in software preinstalled on some Windows computers manufactured by Lenovo through January 2015. Extreme negligence on the part of Lenovo and unscrupulous programming by its adware partner Superfish seem to have caused the vulnerability.
Linux Foundation Executive Director Jim Zemlin thinks the information security world needs fewer surgeons and more personal trainers, and he's putting his organization's money where his mouth is.
Speaking at this year's Linux Foundation Collaboration Summit, an invite-only event taking place this week in Santa Rosa, California, Zemlin took a break from his customary Linux and open source cheerleading to stress that the open source community needs to do more to address security.
A couple of weeks ago I described the host key rotation support forthcoming in OpenSSH 6.8. Almost immediately after smugly declaring "mission accomplished", the bug reports started rolling in. First, Mike Larkin noticed an interaction with ssh's CheckHostIP option that would cause host key warnings; then Theo de Raadt complained about the new code unnecessarily rewriting known_hosts when no changes needed to be made; finally, Philipp Kern and Jann Horn pointed out a way for a hostile server to abuse the extension.