VueStar Image Link Patent Info Site

For those who’ve heard about the crazy news about the patent trolls that are invoicing people based on their claims to have invented image linking in 2000 (and patented it in 2002) there is a site that is gathering information about the patent itself (Republic of Singapore Patent No. 95940) and the Australian company behind it.

The site is at http://suevuestar.biz/ and includes the handy information that the Australian patent actually lapsed because they failed to pay the renewal fees!

Bletchley Park in Cash Trouble ?

For the past few weeks I’ve been reading “Codebreakers”, a collection of memoirs and essays by former staff at Bletchley Park (aka the Government Code and Cypher School (GC&CS), Station X, Room 47 Foreign Office, etc.), which worked throughout the war breaking enemy ciphers such as the German Enigma machine; the resulting decrypts were called “Ultra”.

But today, via Bruce Schneier’s blog, I’ve learnt that the trust that now runs BP is facing financial problems: it receives no external funding and needs cash to preserve the buildings and exhibits it has restored since taking over the site in the 1990s.

The Bletchley Park Trust receives no external funding. It has been deemed ineligible for funding by the National Lottery, and turned down by the Bill & Melinda Gates Foundation because the Microsoft founder will only fund internet-based technology projects.

For the site that hosted the organisation that arguably saved the day in World War 2, not to mention being the birthplace of the first programmable electronic digital computer, Colossus (( yes, I know it wasn’t Turing complete! )), it’s a sad predicament. 🙁

Response to PayPal on EV Certificates

Over on the PayPal blog Michael Barrett (their chief security officer) mentions a paper he and Dan Levy wrote extolling the virtues of Extended Validation certificates.

I’ve left a comment there (yet to escape from moderation) questioning the merits of EV and I thought I’d reproduce it here, especially in light of the recent cross-site scripting attack against PayPal through a page protected by such a certificate.

Re: Glen Turner: Key generation

In his blog Glen writes on the Debian OpenSSL stuffup:

Hopefully this fiasco will re-energise hardware manufacturers into providing hardware-based random number generation. The current scavenging across the operating system for any source of entropy isn’t acceptable and is one of the root causes of this current flaw.

But that wouldn’t have helped in this case: OpenSSL already supported such sources, but the patch ((which was posted to the openssl-dev list for comments prior to being applied, well worth a read as it’s a short thread )) effectively removed the call that mixed those (and all other) sources of entropy into the pool. The only input that still varied between runs was the process ID, hence just 32,768 possible keys.. 🙁

If you’re an LWN subscriber (and if you’re not, you should be!) this article is well worth a read (it’ll become accessible to non-subscribers on Thursday, Australian time).

Vacation 1.2.7.0 rc1 released

This is the first release candidate for vacation 1.2.7.0 and fixes a segmentation fault on a broken Reply-To: header that contains no address.

I’ve also added a KNOWN_BUGS file which records that vacation currently doesn’t cope with multi-line (wrapped, i.e. folded) headers; this is scheduled to be fixed in 1.3, and work on it is in progress in the SVN trunk.
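To show what the two cases above look like in practice, here is a small header parser written for this post as an added example. It is Python, not vacation’s own C code, and the sample message is constructed: a From: field folded across two lines as RFC 5322 permits, and a Reply-To: field with no address at all. The function names are mine.

```python
import re

# Constructed sample message (not from any real mailbox): the From: header is folded onto a
# continuation line, and Reply-To: is present but carries no address.
SAMPLE = (
    "From: Some User\n"
    "  <user@example.org>\n"
    "Reply-To:\n"
    "Subject: out of office test\n"
    "\n"
    "body\n"
)


def unfold_headers(raw: str) -> dict:
    """Parse the header block, joining continuation lines (leading SP/HTAB) onto the
    field that precedes them. Field names are lower-cased; a repeated field overwrites."""
    headers = {}
    last = None
    for line in raw.splitlines():
        if line == "":
            break                                   # blank line ends the header block
        if line[0] in " \t" and last is not None:
            headers[last] += " " + line.strip()     # folded continuation of the previous field
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                                # not a header line; skip rather than crash
        last = name.strip().lower()
        headers[last] = value.strip()
    return headers


# Either "<local@domain>" or a bare "local@domain"; deliberately simple, not a full RFC 5322 grammar.
ADDR = re.compile(r"<([^<>@\s]+@[^<>@\s]+)>|([^<>@\s]+@[^<>@\s]+)")


def extract_address(value: str):
    """Return the first addr-spec found in a header value, or None if there is none
    (an empty or address-less Reply-To: must not be treated as an address)."""
    m = ADDR.search(value or "")
    if not m:
        return None
    return m.group(1) or m.group(2)


def reply_address(headers: dict):
    """Choose where an auto-reply would go: Reply-To: if it actually contains an address,
    otherwise From:, otherwise None (the caller should then not reply at all)."""
    for field in ("reply-to", "from"):
        addr = extract_address(headers.get(field, ""))
        if addr:
            return addr
    return None
```

Running `reply_address(unfold_headers(SAMPLE))` yields `user@example.org`: the empty Reply-To: is skipped instead of being dereferenced, and the folded From: is reassembled before the address is pulled out.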

Please test this and report back – if you find any problems please do report them!

Download the release from SourceForge.

Help Search for the Missing 1999 Mars Polar Lander

The Planetary Society’s Emily Lakdawalla has blogged about an interesting project up on their website at the moment, trying to rope in volunteers to help NASA locate the Mars Polar Lander using images from the HiRISE camera on the Mars Reconnaissance Orbiter. Emily writes:

What I would really love is if any of you readers out there who wanted to join in the search would write to me and let me know which image you’re searching, or ask me to assign you one, so that we can spread out the effort of all the volunteer searchers and make sure each image is examined by multiple people. I’ve also given some guidelines on how to report anything that you think might be a piece of the missing Mars Polar Lander. So if you want to join in the search, go check out that page.

Currently there are 18 images to search through, and the full-resolution JPEG 2000 images are over 1 GB each.

Debian OpenSSL stuffup – SSH keys and SSL certs not random enough (updated)

Update: Debian has a good summary page on their wiki.

This is pretty serious – a Debian (and hence Ubuntu) packaging change to OpenSSL has resulted in a badly weakened random number generator being used by packages such as OpenSSH for key generation. The Ubuntu report says:

A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH, OpenVPN and SSL certificates.

This is a Bad Thing(tm), Debian have told their own developers:

Since the nature of the crypto used in ssh cannot ensure confidentiality if either side uses weak random numbers we have also randomized all user passwords in LDAP.

It’s also been around for almost 2 years now according to the Debian security notice:

The first vulnerable version, 0.9.8c-1, was uploaded to the unstable distribution on 2006-09-17, and has since propagated to the testing and current stable (etch) distributions. The old stable distribution (sarge) is not affected.

So now would be a good time to change your passwords, unless you can be certain you’ve never logged into a Debian or Debian-derived system, and to regenerate any SSH keys or SSL certificates that were created on one.
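Both this post and the reply to Glen Turner above come down to the same point: once the patch stopped seed material from being mixed into OpenSSL’s pool, the process ID was the only thing that still varied, so the entire key space could be enumerated. The following is an added toy model written for this page, not OpenSSL’s md_rand.c: a SHA-256 running state stands in for the MD5-based pool, the class and function names are mine, and the seed strings are constructed. It shows why brute force is trivial and why the practical fix was a precomputed blacklist of weak keys.

```python
import hashlib
import os

# Default Linux pid_max of the era. After the patch the process ID was the only input that
# still varied between key generations, which is where the 32,768 figure comes from.
PID_MAX = 32768


class EntropyPool:
    """Toy model of a seeded PRNG pool (NOT the real md_rand.c): a running hash that seed
    material is mixed into, from which output blocks are derived."""

    def __init__(self):
        self._state = hashlib.sha256()  # stand-in for the MD5-based pool state

    def add(self, seed: bytes) -> None:
        # The mixing step: in OpenSSL this is the MD_Update() call the Debian patch removed.
        self._state.update(seed)

    def output(self, pid: int, n: int = 32) -> bytes:
        # The real generator also hashes the current pid into each output block, so two
        # processes with identical pool state still differ... unless the pool state is constant.
        h = self._state.copy()
        h.update(pid.to_bytes(4, "little"))
        return h.digest()[:n]


class DebianPool(EntropyPool):
    """The same generator with the mixing step turned into a no-op, as in the patched
    package: seed bytes are accepted but never enter the state."""

    def add(self, seed: bytes) -> None:
        pass


def generate_key(pool: EntropyPool, seed: bytes, pid: int) -> bytes:
    """Stand-in for key generation: seed the pool (think of bytes read from /dev/urandom
    during RAND_poll()), then take the PRNG output as the 'private key'."""
    pool.add(seed)
    return pool.output(pid)


def weak_key_blacklist() -> set:
    """What an attacker, or a blacklist-building tool, can precompute: because the seed is
    ignored, the output depends only on the pid, so the whole key space is PID_MAX keys."""
    return {generate_key(DebianPool(), os.urandom(32), pid) for pid in range(1, PID_MAX + 1)}


def is_blacklisted(key: bytes, blacklist: set) -> bool:
    """Membership test: a key that appears in the precomputed set must be treated as compromised."""
    return key in blacklist


def keys_collide_across_machines(pid: int) -> bool:
    """Two hosts with different entropy but the same pid: the patched generator yields the same key."""
    a = generate_key(DebianPool(), b"constructed entropy from host A", pid)
    b = generate_key(DebianPool(), b"constructed entropy from host B", pid)
    return a == b
```

The sets of real vulnerable keys were larger than one per pid, since they also depended on the CPU architecture and the key type and size, but the structure was the same, and the `openssl-blacklist` and `ssh-vulnkey` tooling Debian shipped did essentially what `weak_key_blacklist()` and `is_blacklisted()` do here: enumerate every key the broken generator could produce and refuse any that matches. Note that the correct pool gives different keys for different seeds even with the same pid, which is exactly the property the patched one lost.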

Old protocols have their advantages

If you were fretting about the Ubuntu mirrors being so slow, remember that the installer defaults to using HTTP, rather than FTP.

Warning: download speeds can go down as well as up..