Let’s Encrypt – getting your own (free) SSL certificates

For those who’ve not been paying attention, the Let’s Encrypt project entered public beta recently, so anyone can now get their own SSL certificates. So I jumped right in with the simp_le client (the standard client tries to configure Apache for you, and I didn’t want that as my config is pretty custom) and used this tutorial as inspiration.

My server is running Debian Squeeze LTS (for long, painful reasons that I won’t go into here now), but the client installation was painless; I just patched out a warning about Python 2.6 no longer being supported in venv/lib/python2.6/site-packages/cryptography/__init__.py. 🙂

It worked well until I got rate limited for creating more than 10 certificates in a day (yeah, I host a number of domains).

Very happy with the outcome, A+ would buy again.. 🙂

News Corporation – the new face of piracy

According to the BBC’s Panorama programme in the UK, it appears that Sky TV in the UK had a subsidiary involved with the people who cracked On Digital’s smartcards, and also with the people running a website to share the keys extracted from those smartcards.

Of course News Corporation is a multinational, so it may not surprise you that there are now allegations of similar antics here in Australia:

News Corporation is alleged to have used a security division known as Operational Security to encourage hackers to pirate the smart cards of rival pay TV operators including Austar and Optus, thereby draining them of revenue and devaluing the businesses.

Perhaps FACT, AFACT, the MPAA, etc. should adjust their “piracy funds terrorism” line to warn that by supporting piracy you will be supporting Rupert Murdoch, News Corporation, Sky, Fox News, etc.. That would put a lot more people off..

Happy Babbagemas Everyone!

Turns out that the day after Newtonmas is Babbagemas, the annual celebration of Charles Babbage’s birthday on 26th December 1791. As well as having something to do with computers, he also had a good understanding of your common-or-garden politician and their grasp of science:

On two occasions I have been asked, – “Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?” In one case a member of the Upper, and in the other a member of the Lower House put this question. I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.

It is traditional (starting from now) to celebrate Babbagemas by blogging on the day.

Soliciting Australian Signatories to an Open Letter Against Software Patents to Minister Kim Carr

The Melbourne Free Software Interest Group (a group of Melbourne computer folks with an interest in software freedom) has put together an open letter to Senator the Hon Kim Carr, the Minister for Innovation, requesting that software be excluded from patenting as part of the Australian government’s review of patents in general.

We are currently collecting signatures for the letter, and if you are in Australia and of a like mind we would really appreciate it if you would contribute your signature too! Just click on the link and read the letter; the form to sign it is at the bottom of the page. Please also pass this on to others you know who may be interested.

Serious SSL Renegotiation Problem

This just in from Ben Laurie:

For the last 6 weeks or so, a bunch of us have been working on a really serious issue in SSL. In short, a man-in-the-middle can use SSL renegotiation to inject an arbitrary prefix into any SSL session, undetected by either end.

But wait, there’s more..

To make matters even worse, through a piece of (in retrospect) incredibly bad design, HTTP servers will, under some circumstances, replay that arbitrary prefix in a new authentication context. For example, this is what happens if you configure Apache to require client certificates for one directory but not another. Once it emerges that your request is for a protected directory, a renegotiation will occur to obtain the appropriate client certificate, and then the original request (i.e. the stuff from the bad guy) gets replayed as if it had been authenticated by the client certificate. But it hasn’t.

Ben has a patch against the current development head of OpenSSL that bans renegotiation outright, but most people will need to backport it to the OpenSSL version they are actually running.. Note that banning renegotiation also breaks the per-directory client certificate setup described above, since Apache relies on a renegotiation to ask for the certificate mid-connection.
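To see why an injected prefix matters once it reaches the HTTP layer, here is a small constructed simulation. It is added here and is not code from Ben’s post, OpenSSL or Apache; the hostname, paths and cookie value are made up. It models a server that buffers the bytes received before a renegotiation and then parses them together with the bytes the real client sends after renegotiating, which is exactly the replay Ben describes, and contrasts it with a server that throws the pre-renegotiation bytes away.

```python
"""Constructed simulation of the HTTP-layer effect of TLS renegotiation prefix
injection. This is an added illustration, not an exploit against any real
server: it only concatenates byte strings the way a vulnerable server would."""

import re
from typing import Dict, Tuple

Request = Tuple[str, str, Dict[str, str]]

# Attacker-controlled bytes sent in the first (unauthenticated) TLS context.
# The final header line is deliberately left unterminated so that whatever the
# victim sends next becomes the rest of its value. (Constructed sample data.)
ATTACKER_PREFIX = b"GET /protected/admin HTTP/1.1\r\nHost: example.test\r\nX-Ignore: "

# The victim's own request, sent after the server renegotiated to obtain the
# victim's client certificate / credentials. (Constructed sample data.)
VICTIM_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Cookie: session=victim-secret\r\n"
    b"\r\n"
)

REQUEST_LINE = re.compile(r"^(GET|POST|PUT|DELETE|HEAD|OPTIONS) \S+ HTTP/1\.[01]$")


def parse_http_request(raw: bytes) -> Request:
    """Minimal HTTP/1.x head parser: (method, target, lower-cased headers)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].decode("ascii").split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.decode("ascii").strip().lower()] = value.decode("ascii").strip()
    return method, target, headers


def vulnerable_server(prefix: bytes, client_request: bytes) -> Request:
    """Bad design: bytes buffered before renegotiation are kept and the
    authenticated client's bytes are appended, so the attacker's request line
    is executed with the victim's headers (cookie, client cert context)."""
    return parse_http_request(prefix + client_request)


def patched_server(prefix: bytes, client_request: bytes) -> Request:
    """Safe behaviour: nothing received before the renegotiation survives into
    the authenticated context, so only the victim's own request is parsed."""
    del prefix  # discarded on renegotiation
    return parse_http_request(client_request)


def looks_spliced(headers: Dict[str, str]) -> bool:
    """Detection heuristic: a header whose value is itself an HTTP request line
    is the tell-tale sign of a victim request swallowed by an unterminated header."""
    return any(REQUEST_LINE.match(v) for v in headers.values())


if __name__ == "__main__":
    for label, fn in (("vulnerable", vulnerable_server), ("patched", patched_server)):
        method, target, hdrs = fn(ATTACKER_PREFIX, VICTIM_REQUEST)
        print(f"{label:10s} {method} {target} cookie={hdrs.get('cookie')!r} "
              f"spliced={looks_spliced(hdrs)}")
```

Running it shows the vulnerable model serving /protected/admin with the victim’s session cookie attached and the victim’s real request line buried in the X-Ignore header, while the patched model serves only /index.html. The splice heuristic is useful for spotting this pattern in access logs or request dumps but is not a substitute for fixing the TLS layer.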

UK Government Apologises to Alan Turing

Fifty-five years after Alan Turing, one of the fathers of modern computing and one of the intellectual powerhouses behind the achievements of Bletchley Park, committed suicide following his conviction for “gross indecency” (that is, for being gay) and his subsequent exclusion from GCHQ, the UK Prime Minister has apologised for his treatment.

Turing was a quite brilliant mathematician, most famous for his work on breaking the German Enigma codes. It is no exaggeration to say that, without his outstanding contribution, the history of World War Two could well have been very different. He truly was one of those individuals we can point to whose unique contribution helped to turn the tide of war. The debt of gratitude he is owed makes it all the more horrifying, therefore, that he was treated so inhumanely. In 1952, he was convicted of ‘gross indecency’ – in effect, tried for being gay. His sentence – and he was faced with the miserable choice of this or prison – was chemical castration by a series of injections of female hormones. He took his own life just two years later. […] we’re sorry, you deserved so much better.

The BBC has a good article on Turing, his persecution and the apology.

Alan, we all owe you a massive debt of gratitude for all your work and I’m very sorry the UK treated you so very cruelly. We cannot right those wrongs, all we can hope to do is to learn from them and try to not let them be repeated.

(Heard via an InsideHPC blog)

The snooping dragon: social-malware surveillance of the Tibetan movement

Shishir Nagaraja of the University of Illinois at Urbana-Champaign and Ross Anderson of Cambridge University have published a very interesting paper called “The snooping dragon: social-malware surveillance of the Tibetan movement” (abstract, full report) on how agents of the Chinese government managed to infiltrate the computer network of the Dalai Lama’s organisation through ingenious social engineering and gain access to intelligence that could lead to people’s arrest and possible execution.

It’s a very interesting report: it points out that the techniques used are within the reach of motivated individuals as well as government intelligence agencies, and asks how less well-known organisations can cope with such attacks. It also lends weight to the sage advice offered in Ross Anderson’s “Security Engineering” book. Both are well worth a read, even for those of us whose network security is not a literal matter of life or death.

Redacted NSA Cold War History Released

Via Bruce Schneier, a redacted version of the NSA’s American Cryptology during the Cold War (1945-1989) has been released thanks to a request from George Washington University’s National Security Archive project.

It includes a rather interesting section (book 1, pages 18 and 19) on how, in 1947, the UK foreign intelligence agency, SIS, decrypted some KGB messages from Canberra that turned out to include classified UK military intelligence estimates. This caused the US to break off cryptologic intelligence sharing with Australia, putting the British in an awkward situation; as Clement Attlee put it:

The intermingling of American and British knowledge in all these fields is so great that to be certain of denying American classified information to the Australians, we should have to deny them the greater part of our own reports. We should thus be placed in a disagreeable dilemma of having to choose between cutting off relations with the United States in defence questions or cutting off relations with Australia.

It took five years, the establishment of ASIO and a change of government from Chifley to Menzies before the US would fully resume cryptologic exchanges with Australia, and the author of the history concludes that this had a very bad effect on early American intelligence efforts against China.

The cause of the original leak to the KGB? Two “leftists” in the Australian diplomatic service…