Google takes Symantec to the woodshed for mis-issuing 30,000 HTTPS certs

[Note: This item comes from friend David Rosenthal. DLH]

Chrome to immediately stop recognizing EV status and gradually nullify all certs.
By Dan Goodin
Mar 23 2017

In a severe rebuke of one of the biggest suppliers of HTTPS credentials, Google Chrome developers announced plans to drastically restrict Transport Layer Security (TLS) certificates sold by Symantec-owned issuers, following the discovery that those issuers have improperly issued more than 30,000 certificates.

Effective immediately, Chrome plans to stop recognizing the extended validation status of all certificates issued by Symantec-owned certificate authorities, Ryan Sleevi, a software engineer on the Google Chrome team, said Thursday in an online forum. Extended validation certificates are supposed to provide enhanced assurances of a site’s authenticity by showing the name of the validated domain name holder in the address bar. Under the move announced by Sleevi, Chrome will immediately stop displaying that information for a period of at least a year. In effect, the certificates will be downgraded to less-secure domain-validated certificates.

More gradually, Google plans to update Chrome to effectively nullify all currently valid certificates issued by Symantec-owned CAs. With Symantec certificates representing more than 30 percent of the Internet’s valid certificates by volume in 2015, the move has the potential to prevent millions of Chrome users from being able to access large numbers of sites. What’s more, Sleevi cited Firefox data showing that Symantec-issued certificates are responsible for 42 percent of all certificate validations. To minimize the chances of disruption, Chrome will stagger the mass nullification in a way that requires the certificates to be replaced over time. To do this, Chrome will gradually decrease the “maximum age” of Symantec-issued certificates over a series of releases. Chrome 59 will limit validity to no more than 33 months after issuance. By Chrome 64, validity would be limited to nine months.
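The staggered “maximum age” policy described above lends itself to a simple inventory check: for each certificate, the date a browser enforcing a given cap stops accepting it is the earlier of the certificate’s own notAfter and its notBefore plus the cap. The Python below is an added example, not code from the article, from Google, or from Symantec. It uses only the two caps the article states (33 months for Chrome 59, 9 months for Chrome 64), assumes the cap is measured from the certificate’s notBefore date, and the certificate names and dates in the inventory are constructed.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Per-release cap (in months after issuance) on how long a Symantec-issued
# certificate is accepted. Only the two values the article gives are used;
# intermediate releases are omitted rather than guessed.
MAX_AGE_MONTHS: List[Tuple[int, int]] = [(59, 33), (64, 9)]


def add_months(d: date, months: int) -> date:
    """Advance a date by whole months, clamping the day to the target
    month's length (e.g. 31 Jan + 1 month -> 28 or 29 Feb)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass(frozen=True)
class Cert:
    subject: str          # hypothetical host name (constructed)
    not_before: date      # issuance date from the certificate
    not_after: date       # expiry date from the certificate
    symantec_chain: bool  # True if it chains to a Symantec-owned root


def effective_expiry(cert: Cert, max_age_months: int) -> date:
    """Date after which a browser enforcing `max_age_months` stops accepting
    the certificate: the earlier of notAfter and notBefore plus the cap."""
    return min(cert.not_after, add_months(cert.not_before, max_age_months))


def evaluate(cert: Cert, policy=MAX_AGE_MONTHS) -> List[Tuple[int, date, bool]]:
    """For each release: (release, effective expiry, whether the cap bites).
    Certificates that do not chain to a Symantec root are unaffected."""
    if not cert.symantec_chain:
        return [(release, cert.not_after, False) for release, _ in policy]
    rows = []
    for release, months in policy:
        exp = effective_expiry(cert, months)
        rows.append((release, exp, exp < cert.not_after))
    return rows


def replace_by(cert: Cert, policy=MAX_AGE_MONTHS) -> date:
    """Latest safe date to have a replacement in place, assuming every
    listed release eventually ships: the earliest effective expiry."""
    return min(exp for _, exp, _ in evaluate(cert, policy))


def replacement_plan(inventory: List[Cert], as_of: date,
                     policy=MAX_AGE_MONTHS) -> Dict[str, Tuple[date, bool]]:
    """Map subject -> (replace-by date, already overdue on `as_of`)."""
    plan = {}
    for cert in inventory:
        deadline = replace_by(cert, policy)
        plan[cert.subject] = (deadline, deadline < as_of)
    return plan


# Constructed inventory: hypothetical names and dates, not from the article.
INVENTORY = [
    Cert("www.example.test", date(2015, 6, 1), date(2018, 6, 1), True),
    Cert("api.example.test", date(2017, 1, 15), date(2018, 1, 15), True),
    Cert("mail.example.test", date(2016, 11, 30), date(2019, 11, 30), False),
]


if __name__ == "__main__":
    announcement = date(2017, 3, 23)  # date of the announcement, per the article
    for cert in INVENTORY:
        print(cert.subject)
        for release, exp, truncated in evaluate(cert):
            flag = " (truncated)" if truncated else ""
            print(f"  Chrome {release}: accepted until {exp}{flag}")
    for subject, (deadline, overdue) in replacement_plan(INVENTORY, announcement).items():
        print(f"{subject}: replace by {deadline}{' - OVERDUE' if overdue else ''}")
```

Running it shows the two effects the article describes: a three-year certificate issued in mid-2015 is cut to 33 months by Chrome 59 and to 9 months by Chrome 64 (already past as of the announcement), while a one-year certificate issued in January 2017 is untouched by Chrome 59 but truncated to October 2017 by Chrome 64. The release list is deliberately limited to the two caps on the page; adding the intermediate releases would be a matter of extending `MAX_AGE_MONTHS` once the schedule is known.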

Thursday’s announcement is only the latest development in Google’s 18-month critique of practices by Symantec issuers. In October 2015, Symantec fired an undisclosed number of employees responsible for issuing test certificates for third-party domains without the permission of the domain holders. One of the extended-validation certificates covered and and would have given the person possessing it the ability to cryptographically impersonate those two addresses. A month later, Google pressured Symantec into performing a costly audit of its certificate issuance process after finding the mis-issuances went well beyond what Symantec had first revealed.

In January, an independent security researcher unearthed evidence that Symantec improperly issued 108 new certificates. Thursday’s announcement came after Google’s investigation revealed that over a span of years, Symantec CAs have improperly issued more than 30,000 certificates. Such mis-issued certificates represent a potentially critical threat to virtually the entire Internet population because they make it possible for the holders to cryptographically impersonate the affected sites and monitor communications sent to and from the legitimate servers. They are a major violation of the so-called baseline requirements that major browser makers impose on CAs as a condition of being trusted by their browsers.


Driven by heat and high winds, wildfires are 10 times worse this year than average

Climate change means that there is no such thing as a typical “fire season” anymore.
By Natasha Geiling
Mar 21 2017

Wildfire season, or the period between spring and late fall when dry weather, heat, and ignition sources make wildfires more likely, is already off to a devastating start, with fires already burning through a combined 2 million acres across the country — ten times the average for mid-March. According to data from the National Interagency Fire Center, more acreage has already burned in 2017 than burned during the entire fire season in 1989, 1993, and 1998.

Record-high temperatures combined with low humidity and high wind have created the ideal environment for wildfires throughout much of the Great Plains and into the West, destroying homes and property and resulting in several deaths.

Late last week, a blaze near Boulder, Colorado, forced hundreds to evacuate from their homes. The fire, which burned 74 acres, was fully contained as of Monday. But the containment comes at a cost — according to the Denver Post, it cost firefighters $500,000 to fight the fire. Officials speculated that the fire was caused by human activity.

Earlier this month, Oklahoma Gov. Mary Fallin (R) declared a state of emergency in 22 Oklahoma counties, after wildfires burned through 400,000 acres in the state. According to the U.S. Drought Monitor, nearly three-quarters of the state is currently in drought conditions.

In Texas, an early-March blaze killed three ranchers as they tried to save cattle from a grass fire that eventually engulfed 100,000 acres. Another fire burned 300,000 acres of the Texas panhandle, the third largest in Texas A&M Forest Service history, while another fire burned 25,000 acres and threatened hundreds of homes near Amarillo.

In Kansas, early-March fires consumed more than 400,000 acres, destroying at least 30 homes. The fires forced between 10,000 and 12,000 evacuations, according to a spokeswoman with the Kansas Division of Emergency Management. They were the largest fires in state history.

A recent New York Times article chronicled the devastation wrought on ranchers by the recent Plains fires, some of whom lost hundreds of cattle. One Kansas rancher, who voted for Donald Trump for president, bemoaned Trump’s lack of engagement with the suffering ranchers, telling the Times, “I think he’d be doing himself a favor to come out and visit us.”

Emergency programs meant to help farmers and ranchers recover from catastrophic events — like the fires — are facing a 21 percent cut under Trump’s recently proposed “skinny budget.” Some ranchers told the Times they could be facing losses as high as $10 million.

The influence of climate change on wildfires is well-documented. Rising temperatures, combined with prolonged drought throughout the West, have prompted wildfires to spread across 16,000 more square miles than they otherwise would have — an area larger than Massachusetts and Connecticut combined. And over the last three decades, wildfire season has also gotten longer — as global temperatures have increased, wildfire season now lasts on average 78 days longer.

Longer and more widespread fires mean more danger to humans, who are increasingly building homes and communities closer to forests, grasslands, and other fire-prone areas. But the increase in burn acreage and fire season also comes with economic costs to taxpayers.


Innovative rural broadband solution

[Note: This item comes from friend Jock Gill. DLH]

From: Jonathan P Gill <>
Subject: Innovative rural broadband solution
Date: March 21, 2017 at 9:00:52 AM EDT
To: Dewayne Hendricks <>


Perhaps your readers would find this of interest:

“Too many rural areas in America still have slow broadband service. San Juan Islands (Washington State) used to have only DSL (1 Mbps) service provided by CenturyLink, and spotty cellular phone coverage from AT&T and Verizon. Recently, however, Orcas Power and Light (OPALCO), a rural electric cooperative, created a wholly owned private subsidiary called Rock Island Communications (RIC) to meet local demand for faster broadband.”



A retired police chief is detained at JFK for one reason: His name is Hassan

By Petula Dvorak
Mar 20 2017

He’s been called lots of things: chief, deputy chief, officer, husband, son, dad, immigrant, American.

But none of those titles mattered when Hassan Aden landed on U.S. soil earlier this month in Trump’s America. All that mattered was that his name is Hassan. And that, apparently, was enough for U.S. Customs and Border Protection officers to question everything else about Aden’s life.

Aden, 52, is a retired Greenville, N.C., police chief and a former deputy chief with the Alexandria police in Virginia.

So why was a lifelong law enforcement official detained for an hour and a half at New York’s John F. Kennedy Airport when he returned from a trip to Paris? Was he being profiled because of his Muslim-sounding first name?

Hassan Aden, 52, is a retired Greenville, N.C., police chief and a former deputy chief with the Alexandria police in Va. Aden says he was “profiled” at New York’s John F. Kennedy International Airport because of his name. (WUSA)

Hassan is an immigrant, the Italian-born son of an Italian mother and a Somali father. He has lived in this country for 42 years and is a naturalized U.S. citizen. He has a U.S. passport and TSA Pre-check. He’s been out of the country dozens of times without incident. Not this time.

“This experience has left me feeling vulnerable and unsure of the future of a country that was once great and that I proudly called my own,” Aden wrote in a long Facebook post describing the unnerving detention. “This experience makes me question if this is indeed home.”

A spokeswoman for U.S. Customs and Border Protection denied that officers were engaging in profiling. In an email to my Post colleague Faiz Siddiqui, she said the agency bars race and ethnicity from being considered in screening “in all but the most exceptional circumstances.”

So what was exceptional about a retired cop coming home from celebrating his mother’s 80th birthday? One thing: his first name.

Aden was treated shamefully. The America that stops Chief Aden, locks him in a room and judges him is an America filled with fear and ignorance, not “the land of the free and the home of the brave.”

Want to say this is about terrorism?

Give. Us. A. Break.

This guy’s a cop. He knows what’s up.

“Prior to this administration, I frequently attended meetings at the White House and advised on national police policy reforms — all that to say that if this can happen to me, it can happen to anyone with attributes that can be ‘profiled,’” Aden wrote. “No one is safe from this type of unlawful government intrusion.”


MUST WATCH: On Bacteria Crisis Across America

Mar 21 2017

In an extended discussion, legendary consumer advocate Erin Brockovich, environmental investigator Bob Bowcock, and water contamination investigator Scott Smith discuss the bacteria issues popping up across the country due to water contamination.

Video: 28:29 min

I’m a bit brown. But in America I’m white. Not for much longer

The US Census Bureau plans to redefine ‘white’ to exclude people with Middle Eastern and North African origins. It’s a reminder that the identity has always been fluid
By Arwa Mahdawi
Mar 21 2017

We live in a weird time for whiteness. But, before I get into that, a small disclaimer. You may look at my name and worry that I am unqualified to speak about whiteness; I would like to set these doubts to rest and assure you that I myself am a white person. It’s true that, technically speaking, I’m a bit brown but, when it comes to my legal standing, I’m all white. Well, I’m white in America anyway. The US Census Bureau, you see, defines “white” as “a person having origins in any of the original peoples of Europe, the Middle East, or North Africa”. Being half-Palestinian and half-English I fall squarely into that box.

But I may not be able to hang out in that box much longer. There are plans afoot to add a new “Middle East/North Africa” category to the US census. After 70-plus years of having to tick “white” or “other” on administrative documents, people originating from the Middle East and North Africa may soon have their own category.

Whether our very own check box is a privilege or petrifying is still to be decided. Middle Easterners aren’t exactly persona particularly grata in the US right now. Identifying ourselves more explicitly to the government might not be the smartest move – particularly considering that, during the second world war, the US government used census data to send more than 100,000 Japanese Americans to internment camps.

All of this is a little odd. Why are people from the Middle East counted as white by the US government but considered definitely-not-white by many Americans? How can you count somebody as white one year and then decide they’re not white the next year? Indeed it raises the question, what actually is “whiteness” and who qualifies as white?

Once upon a time this wasn’t a question that was asked very much in western countries. White people were the majority and white was simply the default. Demographics have changed, however, and, over the past decade, census data on either side of the Atlantic has been warning white Brits and Americans that they may soon become a minority. This has thrown whiteness into crisis and has had a not-insignificant part to play in Brexit, the election of Trump, and the rise of a new wave of white nationalism. The so-called alt-right, for example, was born out of the idea that white identity is under attack. As Dan Cassino, a political scientist, told the Guardian: “The founding myth of the alt-right is that the disadvantaged groups in American politics are actually running things … [and] oppressing white men.”

The idea that white identity is under attack assumes that whiteness is something fixed, something immutable. But whiteness has always been a fluid category. Whiteness isn’t a biological fact, rather it is a sort of members-only club that has rewritten its entry requirements over the years.


Experts criticize US electronic devices ban on some flights from Middle East

Technologists say new rules against electronics ‘larger than a cellphone’ on flights from 10 airports seem illogical and at odds with basic computer science
By Sam Thielman in New York and Sam Levin in San Francisco
Mar 21 2017

The US government’s unexpected ban on laptops, iPads and other electronics “larger than a cellphone” on certain flights has sparked criticisms from technology experts, who say the new rules appear to be at odds with basic computer science.

Following the distribution of a “confidential” edict from the US transportation safety administration (TSA), authorities confirmed that the US will now require flights from specific Middle Eastern airports to prohibit passengers from carrying certain electronics.

Senior Trump administration officials cited “evaluated intelligence” that terrorists favored “smuggling explosive devices in various consumer items” in a hastily convened press briefing on Monday night, hours after news broke of the planned prohibition on in-cabin devices.

The ban, which allows the devices to be stowed in checked-in baggage, affects flights from ten airports in Jordan, Egypt, Turkey, Saudi Arabia, Morocco, Qatar, Kuwait and the United Arab Emirates, according to the US department of homeland security (DHS).

While DHS officials claimed the rules would help prevent terrorist attacks on commercial airlines, tech experts questioned the safety implications of the ban. If there are concerns about laptops on board being used as explosives, those same risks could exist in checked baggage, they said. Additionally, many smartphones, which are not banned, have the same capabilities as larger devices.

“It’s weird, because it doesn’t match a conventional threat model,” said Nicholas Weaver, researcher at the International Computer Science Institute at the University of California, Berkeley. “If you assume the attacker is interested in turning a laptop into a bomb, it would work just as well in the cargo hold.”

He added: “If you’re worried about hacking, a cell phone is a computer.”

Some experts, and even the Federal Aviation Administration, have also increasingly raised concerns that the shipment of lithium batteries in airplane cargo poses a serious fire risk.

During the press call, numerous questions about the meaning of “larger than a cell phone” went unanswered.

“To be honest, guys, there’s a pretty universal understanding of where we’re at,” said one exasperated official after repeated questions on how large a phone could be before it qualified as a tablet and was banned. Requirements appear to be at the discretion of the airlines.

Passengers must submit to the ban “regardless of status and pre-clearance”, according to DHS officials.

A state department official referred reporters to “several terrorist events on airplanes in the last year”, all outside the US. When pressed, a Homeland Security official said only one incident involved a bomb smuggled into the cabin – an explosion resulting in a single fatality on a Somali carrier called Daallo that does not fly to the US.

Bruce Schneier, a security technologist, called the new rules an “onerous travel restriction”.