This speech is the one I referred to in my previous post Elizabeth Warren Delivers Scathing Speech On Trickle-Down Economics.  When I made that post, I did not have access to the video below that has just been posted on YouTube.  There are sound problems here and there in the video, but most of it is very easily understood.

Elizabeth Warren has the transcript Senator Warren’s Remarks at AFL-CIO National Summit on Raising Wages on her Senate web site.  The AFL-CIO has a web site about the AFL-CIO National Summit on Raising Wages,

Jeebus criminy, people, what part of her talk are you having trouble understanding? She has been saying many of these things since before she started running for office. However, she now talks about the most current data, and the most current political situation. You can’t possibly want to vote for the wing of the Democratic Party that she identifies as equally at fault as the Republicans, can you? If so, please tell me why you are still hanging on to the myth of the third way?

She talks about how the economy is only working for the top 10% of income earners. I wouldn’t be surprised if most of the readers of my blog fall into that category. Well, here is some shocking news I have to tell you based on my 40 year career in industry. There is nothing magical about being in the top 10%. The people who are benefiting from the rise in the economy might soon be limited to the top 5%, or 2%, or 1%, or 0.1%, or 0.01%.

Here is where my working experience comes into play. when I first started to work, industry was just starting to outsource some manufacturing to Asia. At Digital Equipment Corporation, the manufacture of magnetic core memory was being done in Hong Kong, if I remember correctly. The engineers with whom I worked thought nothing of it. They were engineers. They weren’t hunched over a bench stringing core memory bits onto wires. Also at that time, the best educated people from those low wage countries were getting their educations in the USA and staying to work here and earn American wages. Outsourcing was for other people to worry about.

By the time I was about to leave DEC, we had a contingent of engineers working in Japan, and communicating over high speed internet connections with engineers in Massachusetts. Because of timezones around the world we pretty much had engineering going on 24 hours a day.

When I went to work at Gateway Design Automation, they had a small contingent of about 30 engineers working in India. I was much more involved with the foreign operation than I had been at DEC. We learned that Texas Instruments already had a mach larger contingent of engineers working in India. TI had a high speed internet connection to their workers, while we had a 9600 baud connection shared by our 30 engineers in India.

By the time Cadence Design Systems bought out Gateway and as I continued to work for Cadence, the number of engineers in India and the infrastructure to communicate with them greatly improved. As I moved on to Analogy, Inc. Synopsys Design Systems, and Mentor Graphics, more of the engineering work was going on all around the world. Many of the best of the engineers in India and China were staying in their homelands. They were getting great educations there, they had high quality work to do, they had great technology to work with, and they commanded much lower salaries. I even started to hear about American engineering students having to go to India to get some experience that was no longer available over here.

However, it was not only engineers that were in India and China. Soon there was a migration of a small amount of middle management there, too.

The lesson is that there is an alligator eating off the lower rungs of the economic ladder, and there is absolutely nothing to stop that alligator from eating more and more rungs off that ladder. It’s not that these other countries don’t deserve the progress they are making. The point is that we can no longer just assume that our life style is safe if we don’t invest in our future. Not investing has has worked for the last 30 or so years for the top 10%. We are in effect eating our seed corn. The days of this working are running out for people higher and higher up on the ladder.

PC Magazine has the article and video Gogo Serving Fake SSL Certificates to Block Streaming Sites.

Mile-high Web provider Gogo appears to be running man-in-the-middle attacks on its own customers.

Based on a report by Google engineer Adrienne Porter Felt, Gogo Inflight Internet is serving SSL certificates from Gogo instead of site providers—a big no-no in online security.

Will someone please explain to me why this isn’t one of the biggest security flaws in the entire design of the secure sockets layer of internet data transport?  Surely people who designed and implemented the system considered this form of attack, didn’t they?  Surely PC magazine could explain how to protect yourself from this, can’t they?

If GoGo can do this, who is to say who else might not try this?

I cannot even comprehend how the security expert who discovered this could calmly say “serving SSL certificates from Gogo instead of site providers—a big no-no in online security.”  How could a security expert conceive of a secure system whose security depended on people not cheating?  I thought the whole point of security was to stop people from cheating.  If you design a system to stop people from cheating that depends on people not cheating, then you must be a fool.

Now, let me step back and try to consider this rationally.  If you follow the links in the article, you will eventually see what the discoverer of this fakery saw.

If you look at the, you will see it say “This certificate was singed by an untrusted issuer.”  The lesson learned is to never trust an untrusted issuer, duh!  However, I have to ask that if every browser is automatically set up to boldly issue such a warning, why haven’t millions of people in the flying public been screaming about this already?  Even if most people wouldn’t know what to do with such a message, there must be enough techies flying the friendly skies that many of them would have complained about this before.  I am definitely going to research this issue more.  This looks like a big, honking hole in internet security.

Some people wonder why we refuse to fly since I have retired.  Add this one to the list of reasons.

I would only be flying for pleasure, anyway.  So the risk to me is that I might “only” be giving away access to all my financial and health data.  Think about all the business travelers who are compromising their companies’ secret information while all along they think they are protecting it.

CertificateTransparency.org has the article What is Certificate Transparency?  They first explain the issue:

Thanks to modern cryptography, browsers can usually detect malicious websites that are provisioned with forged or fake SSL certificates. However, current cryptographic mechanisms aren’t so good at detecting malicious websites if they’re provisioned with mistakenly issued certificates or certificates that have been issued by a certificate authority (CA) that’s been compromised or gone rogue.

They prescribe certificate transparency as the solution.  Read about it, and see if you feel any safer.  Obviously this flaw is well known to anybody who wants to cheat the system.

ZDnet published the article How the NSA, and your boss, can intercept and break SSL in June 2013..

Blue Coat, the biggest name in the SSL interception business, is far from the only one offering SSL interception and breaking in a box.

If the punctuation of that quote is misleading, let me reword it slightly.  For a fee, you can buy an SSL interception application without the need to know anything about how that application accomplishes the feat.  That’s not even the most disturbing part of what is in the article.

As I think about the description of the interception in the above article, I wonder how GoGo could have been so sloppy that it allowed the browser to detect that ““This certificate was singed by an untrusted issuer.”  The only thing I can guess is that the Google engineer who detected this had independent means of checking the authenticity of the certificate that purported to come from YouTube (which is owned by Google.)

January 12, 2015

The Hacker News has the article New Firefox 32 Adds Protection Against MiTM Attack and Rogue Certificates. I am still not convinced.

Stackexchange has the Q & A How do RSA fingerprints protect from MITM attacks?

I posed the following questions to that Q & A:

What about a Man in the middle attack that fakes the public key and the fingerprint of the secure server. In other words, the MITM gives you a public key to use that it has the private key for. It then forwards your message on to the actual recipient by re-encoding your decrypted message with the real public key. It does the same fakery for the message coming back from the secure server.

How do you really know that the public key you are getting is the actual public key of the server you intended to talk to? Yes their are certificate authorities, but if the MITM can fake the public key of your intended target, why can’t it fake what you get from the certificate authority?

I am still not entirely convinced. All the methods that I have read about a secure exchange of information to ensure a secure exchange of information all seem circular to me. If you could have a secure exchange of information to set up a secure exchange of information, then why couldn’t that method be your method of secure exchange? Adding more layers to the protocol may increase the number of things the MITM attacker has to fake, but it is nowhere near the size of the mathematical difficulty that adding more binary bits to the code would present if you could only know for sure that you had a valid public key.

For those complaining about how hot it is in Florida this January, I offer some examples of how we are dressing in Sturbridge to go out and get our newspapers from the end of the driveway.

At 10 degree and some wind, I took the advice of the weather people, and took some extra precautions.

Talking Points Memo has the article Elizabeth Warren Delivers Scathing Speech On Trickle-Down Economics.

“Pretty much the whole Republican Party – and, if we’re going to be honest, too many Democrats – talked about the evils of ‘big government’ and called for deregulation,” Warren continued.
.
.
.
“The trickle-down experiment that began in the Reagan years failed America’s middle class,” Warren said. “Sure, the rich are doing great. Giant corporations are doing great. Lobbyists are doing great. But we need an economy where everyone else who works hard gets a shot at doing great!”

If you want a nice poster on this topic, see my previous post The Lesson Of The Current Economic Boom.

Among the too many Democrats you could include President Obama and both Clintons, Bill and Hillary.  Yet, somehow there are still Democrats who are pining fir Hillary Clinton to run for President.  What would it take to get them to wake up?  I keep trying everything I know to get them to see the reality.

January 7, 2015

See my subsequent post Sen. Elizabeth Warren at the AFL-CIO Raising Wages Summit to see the video of the speech.

The Seattle Times has the article Guest: Travel writer Rick Steves warns that corporate profiteering comes with a price.

Maybe there is a crisis in this country — just not the one we keep hearing about. In reality, perhaps it’s a crisis of distribution within the vast and growing American economic pie. Or a crisis between our huge pie and the billions of desperately poor people elsewhere on our planet. What’s our response? A contemporary version of “Let them eat cake.”

Who knew that Rick Steves was far more than “just” a travel writer?  Given the history that he tells in this article, the inevitable outcome of our current situation does not look good for the shortened 1%.

Thanks to Summer Starbuck for posting this on her Facebook page.