I’m at the HOPE XI conference. Or I was. It’s kind of overcrowded, which is both great and not so great. I haven’t been to a HOPE since The Last HOPE, but I don’t recall it being as crowded. Perhaps it was. In any case, the logistics of getting in to see each talk in person is exhausting. Some of the talks I wanted to see today are definitely the big name headliners, and I can’t imagine it will be less crowded. Better to watch online. Some thoughts on the talks I did see.

When Vuln Disclosure Turns Ugly. What should you do if you find medical records on a publicly available ftp server? Hope you don’t get blamed for putting them there. The wrinkle here is that HIPAA requires the breached party to publish a notice of the incident, and they’re not likely to shoulder much of the blame. If you’re unlucky, the little notice in the back pages of the local newspaper will get picked up and sensationalized by somebody working the evil hackers beat. Most unfortunately, “journalists” don’t like printing corrections because that doesn’t generate clicks. And they really don’t like being threatened with defamation (libel/slander) because OMG 1st Amendment I know my rights. So, A) be careful, and B) try to get your story out there instead of letting the “victim” choose the narrative.

De-anonymizing Bitcoin. Not really, but close. If a transaction sends from multiple addresses, that implies control over all the private keys, which implies a single entity. Thus one can obtain a sense of how profitable ransomware and dark markets are. Particularly interesting observation: customers were willing to maintain a credit balance with Silk Road, to be used for future purchases, with the expectation that their money was safe. Successor markets did not have this credit, with customers apparently transferring only the exact amount needed for each transaction. A lack of faith.

Chinese Locks. The Chinese lock market, of the key and tumbler variety, is a little different than the US market. The cheaper locks are really cheap, as competitors take an already cheap design and try to shave another corner. “Easier to stamp ‘hardened’ on the shackle than to make it hardened.” Interesting fact: locks come with more copies, like six or more, because there are so many locks in service that it would be impossible for a locksmith to maintain an inventory of blanks. Instead the lock comes with all the copies you need premade. Don’t lose any. Another consequence is that there are no master key locks. Instead the super for a building will have a giant key ring with 100 keys on it. Burdensome, but obviously prevents anyone from filing down their key to make a new master. Your key may not even fit the neighbor’s lock.

Crypto War II. Back in the 90s, before we needed to number crypto wars, the government tried to shut down commercial availability of strong crypto. They preferred the escrowable Clipper chip. But eventually crypto won out for about a decade. Now the FBI is concerned about going dark. There are two ways to interpret this, of course. Very few actual wiretaps encounter encryption, so what’s the problem? Lots of data is stored encrypted, now, which can’t be retrieved after the fact. Unless you have a spare million to buy an exploit. Is that the answer to the government’s request for a backdoor? There’s always going to be some bug, some weakness, that lets them in. And if it’s not 100%, nothing else in detective work is perfect. Matt Blaze also observed that even if “The FBI should be disbanded” is true, it’s unlikely to find a receptive audience among lawmakers.

Panopticlick. The EFF is back with newer, better browser fingerprinting to demonstrate the perils of tracking, and a suite of tools to thwart it like Privacy Badger. We can also work to reduce the amount of information that leaks from browsers, via fonts and canvas and so forth. If the Internet must be funded by advertising, then that advertising must not be privacy invading.
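What "information that leaks from browsers" means can be put in numbers. The following is an added example, not EFF code and not part of the original post: over a small constructed population of browser fingerprints it computes the surprisal of one browser's attribute values and the joint entropy and uniqueness rate for a chosen set of attributes, a simple information-theoretic measure of the kind Panopticlick reports. The attribute values (`ua`, `fonts`, `canvas`) are placeholders. The point it makes is the one from the talk: each attribute alone is shared with many other browsers, but the combination singles out every browser in the sample, and dropping the canvas and font signals brings the uniqueness rate back down.

```python
"""Fingerprint information leakage over a constructed browser population.

Added example for illustration; the fingerprints below are made up and are
not measurements from any real site.
"""

import math
from collections import Counter

# Constructed sample: 8 browsers, each described by three attributes.
# Individually each attribute is common; together they are unique.
POPULATION = [
    {"ua": "firefox", "fonts": "default-set", "canvas": "c1"},
    {"ua": "firefox", "fonts": "default-set", "canvas": "c2"},
    {"ua": "firefox", "fonts": "extra-set",   "canvas": "c3"},
    {"ua": "firefox", "fonts": "extra-set",   "canvas": "c4"},
    {"ua": "chrome",  "fonts": "default-set", "canvas": "c5"},
    {"ua": "chrome",  "fonts": "default-set", "canvas": "c6"},
    {"ua": "chrome",  "fonts": "extra-set",   "canvas": "c7"},
    {"ua": "chrome",  "fonts": "extra-set",   "canvas": "c8"},
]


def _project(fp, keys):
    """Reduce a fingerprint to the tuple of values for the chosen attributes."""
    return tuple(fp[k] for k in keys)


def surprisal_bits(population, keys, fp):
    """Bits of identifying information in fp's values for `keys`:
    log2(population size / number of browsers sharing those values)."""
    wanted = _project(fp, keys)
    matches = sum(1 for other in population if _project(other, keys) == wanted)
    return math.log2(len(population) / matches)


def joint_entropy_bits(population, keys):
    """Shannon entropy, in bits, of the joint distribution of `keys`."""
    n = len(population)
    counts = Counter(_project(fp, keys) for fp in population)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def unique_fraction(population, keys):
    """Share of browsers whose values for `keys` match no other browser."""
    counts = Counter(_project(fp, keys) for fp in population)
    return sum(1 for fp in population if counts[_project(fp, keys)] == 1) / len(population)


if __name__ == "__main__":
    for keys in (("ua",), ("ua", "fonts"), ("ua", "fonts", "canvas")):
        print(keys,
              "entropy=%.2f bits" % joint_entropy_bits(POPULATION, keys),
              "unique=%.0f%%" % (100 * unique_fraction(POPULATION, keys)))
    print("one browser, all attributes:",
          surprisal_bits(POPULATION, ("ua", "fonts", "canvas"), POPULATION[2]), "bits")
```

With the user agent alone the sample yields 1 bit and no browser is unique; adding fonts gives 2 bits; adding canvas gives 3 bits and every browser is unique, so blocking the canvas and font probes (the kind of leak reduction the post refers to) is what removes the uniqueness, not hiding the user agent.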

Posted 23 Jul 2016 16:39 by tedu Updated: 23 Jul 2016 16:39
Tagged: event