The Market Ticker
Commentary on The Capital Markets- Category [Technology]

I have repeatedly warned, going back to before Obamacare was passed, that "electronic" medical records are dangerous.  They're dangerous not only to your wallet, because they give all sorts of commercial interests access to data that is none of their damn business but can be (and will be) used to disadvantage you (and that's perfectly legal, as the law stands right now) but in addition the privacy implications when (not if) breaches of security occur are extraordinarily severe.

In point of fact your medical records should be yours -- not your doctor's, not the hospital's and not the insurance company's.  Yours, period, end of discussion.

That means you possess them.  You choose who has access to them, why, and for how long.  You have the right to not only revoke that permission but insist on their destruction and certification of same, with strong criminal and civil penalties for violations.

But you insisted on none of this, America, and now we have another 11 million Americans with stolen medical records (after roughly 80 million just recently from Anthem) which means that roughly one American in three has had their personal data stolen -- and not just identification information either as some of the data taken involved medical history.

This attack apparently disclosed names, social security numbers, medical information and bank account numbers.

There is utterly no reason for you to allow this, America.  There is no reason for anyone to have your medical records but you, with the exception of your physician and others providing treatment during the time they are doing so.

Yes, I recognize that there are serious technological concerns with this demand.  But we live in a world where 32Gb MicroSD cards are smaller than a dime yet cost just a few dollars, while strong data encryption also exists and costs nothing, making securing the data on such card a trivial undertaking. There is utterly no reason that we cannot design and implement a system in which these files are encapsulated with a multi-key encryption scheme that allows you, and you alone, to issue and revoke keys to providers as you alone determine, while leaving you, and only you, with final control of that data store.

When will you wake up, America?

View this entry with comments (registration required to post)

There's been a lot of digital ink spilled on this over the last week or so, and I think it's time to weigh in on exactly what's going on with this vulnerability and its consequences.

First, the basis of the attack is that when one sets up a SSL-encrypted (https) session the server and client (your browser) perform a "handshake" procedure to agree on a cipher (that is, an encryption method) they both support.  There are a lot of possible permutations of encryption allowed to be used, and both the server and client have a list of what they'll accept.

Normally, the "best" (as determined by the server, as it gets to choose which it prefers of the proposals the client makes that it supports) is used.

FREAK requires that someone be able to "get in the middle" of the connection, intercept the request, and then issue it with an "Export grade" (that is, very weak) cipher request.  The server, if it accepts it, is then allowed to reply back to the client (which may not have included that in its list of proposals) and the client (if it accepts that) now completes the negotiation.  The "man in the middle" now passively listens without interference, smug in the knowledge that it can then run that encryption through its cracking software and decrypt the transmission.

There's been quite a lot of noise made about various browsers being vulnerable to this.  But focusing on that is exactly backward, and here's why.

mobile browser may go places where there are legal restrictions on using strong cryptography.  If you disable the capability for "weaker" encryption without the ability for the user to choose now that user, if they go to such a place, can't connect with "encryption" at all!

There are people blasting on various browser vendors over this, but there's a real secondary problem here that comes up that is not limited to people living in repressive places.  For example, SSL3 has known weaknesses and thus there has been a screamfest of people disabling it entirely in browsers.  This is wrong-headed because there are a fair number of embedded systems out there that have SSL3-based encryption for their web management and no firmware update available as those devices are no longer under active support.

By removing SSL3 capability from browsers almost on a universal basis the effect of this is to completely remove the ability to remotely manage such a device but the device itself remains vulnerable to the attacks!  Thanks jackasses -- go ahead and warn me, but by God if I have a device that only talks SSL3 out there in the wild essentially forcing me to buy a replacement for a perfectly-functional piece of gear ought to result in you getting the bill for that.

This sort of crap is outrageous -- but it's utterly common in today's screamfest mentality when it comes to computer security.

The fact is that FREAK only works if the server is either misconfigured or is required to support weak ciphers intentionally.  If the latter there is nothing to fix since the server is intentionally set up to serve clients in places where strong encryption is not permitted.  If the former fix the damn server configuration!

Does the corner case where a client will take a cipher it did not propose a problem?  Sure.  Fix that.  But that is in no way a "critical" problem that requires the sort of oh my God my damn hair is on fire sort of histrionic that is being displayed.

Save that for the idiots on the server side (you know, the places with the data you're worried about!) who ought to have set up their servers to only accept strong ciphers (where legal) for well north of a decade.

View this entry with comments (registration required to post)

Main Navigation
MUST-READ Selection:
The Search For Unicorns

Full-Text Search & Archives
Archive Access
Legal Disclaimer

The content on this site is provided without any warranty, express or implied. All opinions expressed on this site are those of the author and may contain errors or omissions.


The author may have a position in any company or security mentioned herein. Actions you undertake as a consequence of any analysis, opinion or advertisement on this site are your sole responsibility.

Market charts, when present, used with permission of TD Ameritrade/ThinkOrSwim Inc. Neither TD Ameritrade or ThinkOrSwim have reviewed, approved or disapproved any content herein.

The Market Ticker content may be reproduced or excerpted online for non-commercial purposes provided full attribution is given and the original article source is linked to. Please contact Karl Denninger for reprint permission in other media or for commercial use.

Submissions or tips on matters of economic or political interest may be sent "over the transom" to The Editor at any time. To be considered for publication your submission must include full and correct contact information and be related to an economic or political matter of the day. All submissions become the property of The Market Ticker.