Category Archives: Information

General news/information to the CAcert community or about security in general

Assinatura digital: você ainda vai ter uma

Em sua coluna semanal do caderno Link do jornal O Estado de São Paulo, o jornalista Ricardo Kobashi anda difundindo a tecnologia da assinatura digital com linguagem fácil, voltada para o público não técnico.

No texto do dia 9 de maio, o jornalista escreveu esse artigo, entitulado “Assinatura digital: você ainda vai ter uma”, o qual traz um primeiro approach sobre a tecnologia para usuários de computador sem qualquer background em criptografia, assinatura ou certificação digitais.

O texto é simples e esclaredor, apesar de o autor utilizar como certa a adoção da ICP-Brasil, sua estrutura e custos, quando fala de certificação. O final, sobre banco P2P, é um pouco inocente, já que fluxo de valores é apenas uma das funções principais das instituições financeiras.

Aqui vai a íntegra do texto, com alguns comentários em itálico:

Assinatura digital: você ainda vai ter uma

Antes de mais nada, vamos lembrar que assinatura digital não tem nada ver com passar a sua assinatura feita à mão por um scanner e sair anexando a imagem em documentos ou mensagens de correio eletrônico.

Na prática, a coisa é um pouco mais complicada. Assinatura digital é um método que usa fórmulas matemáticas complicadíssimas para autenticar uma informação de forma a garantir a identidade de quem a enviou e que o seu conteúdo não foi nem será alterado.

Tem mais. Para que seja possível assinar eletronicamente um documento, é necessário que antes você possua uma ‘identidade digital’, que pode ser conseguida através de uma empresa credenciada a ofereçer o serviço. E que tenha o hardware necessário para guardá-la, seja o disco rígido do seu computador, um cartão inteligente ou um token, uma espécie de memory key que entra na porta USB do micro.

Nesse parágrafo o autor considera que a única forma de se utilizar assinatura digital é com certificados X509, não citando ferramentas como PGP/GnuPG. O comentário sobre HDs, smart card e token é correto, mas falta citar a diferença de segurança entre deixar sua chave no PC, sujeito a ataques, torjan, virii etc. e coloca-la no armazenador smart card ou token, que fornecem segurança comparativamente maior.

Garantir a integridade de uma informação digital e a identidade de seu autor não é pouco. Muito da burocracia governamental ainda resiste amparada pela dificuldade em se reproduzir digitalmente o que conseguimos com papéis, carimbos e cópias autenticadas. É certo que boa parte desses procedimentos tem origem cultural, na tradição do direito lusitano, mas algumas garantias serão sempre necessárias.

A popularização da assinatura digital traria benefícios para muita gente. Com a possibilidade de aumentar os serviços eletrônicos, o governo seria capaz de agilizar o atendimento às empresas, ao cidadão e diminuiria sua necessidade de contratação de pessoal. Nada mal. Do lado de cá, ganharíamos em conveniência, diminuição das filas e deslocamentos e, quem sabe, reduziríamos os gastos com fotocópias, autenticações e taxas afins.

O sistema financeiro também seria beneficiado. E muito. Apesar da
cortina de silêncio que cerca o assunto, as fraudes pela internet correm soltas. Os e-mails travestidos de avisos bancários que roubam nossas senhas e instalam vírus em nosso computador continuam a infernizar a vida dos especialistas em segurança na internet.

Uma refência aos ataques conhecidos como phishing que aumentam a cada dia…

A polícia tem feito prisões importantes, desbaratando quadrilhas aqui e ali, mas a prática continua. Assinatura digital dificultaria muito esse tipo de crime.

O problema é que ter uma assinatura digital, incluindo sua identidade digital e um token para armazená-la, não sai por menos de R$ 400. E, a cada ano será preciso pagar mais R$ 200 a título de renovação.

Esses dados são específicos para o âmbito da ICP-Brasil.

Há rumores de que os bancos estariam dispostos a pagar essa conta para aumentar a segurança das transações eletrônicas com seus clientes. Eles forneceriam a assinatura digital gratuitamente mas, em troca, o ônus das futuras fraudes digitais seria repassado aos correntistas.

É bom lembrar que a assinatura digital dificulta o crime virtual, mas não acaba com ele. Trazendo para o mundo real, a lógica da proposta é mais ou menos o seguinte: o banco coloca um vigilante armado e uma porta giratória com detector de metais na agência e, caso ela seja roubada, o prejuízo sai da sua conta. Não dá para engolir.

Se pensarmos um pouco… como em qualquer negócio, o risco de o banco perder dinheiro por fraudes ou roubos, inclusive os virtuais, já está embutido nos preços cobrados por eles. Isso acontece em qualquer negócio, principalmente em ramos altamente profissionais como o bancário. Se as fraudes diminuírem, é possível que a competição entre bancos leve até o preço dos serviços a baixarem proporcionalmente à economia do próprio banco.

Sonho com o dia que irão inventar o banco P2P, como o Kazaa, Messenger ou Skype. Vamos trocar valores sem intermediários e mandar uma banana para o sistema financeiro e seus lucros astronômicos. Mas, como isso ainda pode demorar alguns anos, é melhor se prevenir. Se você começar a ouvir falar em bancos oferecendo assinatura digital de graça, cuidado.

Discordo com o autor nesse ponto. Primeiramente, os bancos possuem outras funções, como crédito, por exemplo, que são essenciais não apenas para as pessoas físicas, mas principalmente para o governo e as empresas. Segundo, não vejo uma saída para implementação de troca de valores sem meio físico nem endosso por terceiros (nesse caso os bancos). Não pensei muito sobre o assunto, mas o que primeiro vêm a mente é a natural multiplicação do dinheiro. Certo que os bancos fazem isso, mas de uma forma controlada e supervisionada.

Pode ser que você esteja diante de um autêntico cavalo de Tróia. Pior que seu original grego, este presente pode torná-lo o único responsável por qualquer prejuízo ou futura fraude que ocorra durante suas transações online, isentando o banco ou o governo de qualquer ônus. Olho vivo.

Discordo parcialmente. Com a assinatura digital, uma transação seria exatamente como antes do mundo virtual: para cada ordem, há uma assinatura. E, no caso de certificados ICP-Brasil, essa assinatura tem validade legal no Brasil. Basta que se possa garantir que uma pessoa nunca irá assinar um documento com sua assinatura digital por engano. Isso sim, pode ser um problema. Vou escrever mais sobre esse aspecto no futuro…

Texto original por Ricardo Kobashi.

Sobre a Comunidade CAcert Brasil

When Captain CAcert rescues the Notaries of the Round Table

Today we are going on a little journey through time for a current occasion. Are you ready? Then jump into the fountain together with Frog King!

Many, many years ago, when grandmother was still a little girl, it may have been in 1995, a hardworking man named Mark Shuttleworth started a certificate issuing service in his poor parents’ garage, just like CAcert is one.

The name of this service was Thawte. Thawte was a great and important service. It is said that it covered half of the empire at that time. And because he was so old and so wise, he enjoyed some privileges. When Uncle Netscape, the browser, introduced new rules for certificates, Aunt Thawte, considering her age, only had to comply if she wanted to.

Now it was the case in those days that some people would have liked to send letters in an envelope. Good Aunt Thawte said: I have so many envelopes, I will give you some! And everyone who booked a free e-mail address with her got the certificate to wrap the messages as a gift. The Web of Trust was created to ensure that everything was above board and that the big bad wolf didn’t pretend to be one of the seven little goats. There, the letter writers met with the most trustworthy men and women of the entire empire for the knighting.

After the wizard Verisign took over Aunt Thawte’s service in 1999, the Web of Trust’s noble round table was abolished a few years later. Its members were very surprised to be thrown out of the castle just like that, since they had selflessly served the cause as noble knights and notaries.

However, it was a stormy time. And the storm wind blew a big sailing ship with full rigging from New South Wales, a spot of earth on a big island in the middle of the big, wide sea in the New World, across the ocean. Its name was emblazoned in gold letters on the stern: CAcert.

The captain held the wheel with both hands until the ship docked in a safe harbour. Immediately the crew rushed ashore to the desperate notaries and knights of the Thawte Round Table and offered to take them in their ship.

Numerous were those who gratefully accepted this offer, even more so when the captain said that he trusted Aunt Thawte. So it happened that large parts of Thawt’s Web of Trust were integrated into CAcert’s Web of Trust and the Thawte notaries became CAcert assurers. In a special program named Tverfiy, they could have their trust points transferred in 2009. Today, more than a decade later, CAcert is discontinuing the corresponding web site, after a long time since scattered notaries have joined CAcert’s community.

Further reading:
https://wiki.cacert.org/Tverify
https://en.wikipedia.org/wiki/Thawte#Web_of_Trust
old blog posts from the time

“If you don’t use technology consciously, you will be used by it” (40 years of CCC 3)

40 years ago, the Chaos Computer Club was founded in Germany. Steffen Wernéry (middle) was there from the beginning. Today he is no longer active in the front row. He remembers.

You still work in the industry.

Steffen Wernéry: I’m a data protection officer for an operator of anonymised network connections (VPN). I’ve always been less interested in hacking than in hunting for security holes, which others can do better, than in the creative, design side. I first came to computers through my interest in acoustics, photography and video. When I was 20, I did an art project with Bernd Krake in which I transmitted image data by telephone between the Hamburg Kunstverein and the Massachusetts Institute of Technology (MIT).

What about the creative use of technology today?

Steffen Wernéry: Hacking is more necessary than ever. Not in the sense of computer crime, but in the original sense, the critical handling of technology and finding weak points. We are surrounded by unfinished products. Software and hardware have security vulnerabilities, and those who rely on them are quickly finished. Instead of relying on stock and preservation, companies produce technological junk. Even in the literal sense, none of this is environmentally friendly. The products are designed for consumption and to be addictive. People spend less and less time in real life.

Virtual versus real life, I’m surprised that you, as a net activist, see this as a contradiction. Doesn’t one enrich the other?

Steffen Wernéry: Sure, the internet is great if I want to repair my washing machine, if I want to exchange ideas with like-minded people about hobbies or politics, if I want to collect environmental data together with others. But most people sit in a consumption loop, waste their time and think that this is real life. We already said 40 years ago: machines reinforce structures. It happens all by itself. If you don’t use technology consciously, you will be used by it.

Sounds like the CCC has failed.

Steffen Wernéry: The club does what it can. It teaches young people media competence in the project “Chaos macht Schule”. It participates in lawsuits against laws, keeps up the exchange with other institutions. But it is a fight against windmills. That’s why it’s so important to keep some anarchy and fun going. (Questions by Ruth Fulterer)

Starting in 1986, the hackers used a flaw in an operating system to infiltrate other people’s systems and gain access rights there. Computers at the Cern nuclear research centre were among those affected. In 1986, the club newspaper “Datenschleuder” printed an internal complaint about the intruders: “There seems to be a club based in Germany called the ‘chaos club’ whose collective hobby is hacking systems connected to public X25 networks.”

Wernéry and Wau Holland, the club’s leaders at the time, contacted the companies involved and later spoke out to the media when the case became public (above: broadcast from the German TV ARD from 15. September 1987). Then, on his way to a congress where he was to speak about data protection, Wernéry was arrested in France in 1988. He was believed to be an accomplice or even responsible for the hack. The investigators quickly dropped this accusation and he was released. The investigation into his complicity continued for a long time, but in the end came to nothing.

40 years Chaos Computer Club (2)

40 years ago, the Chaos Computer Club was founded in Germany. Steffen Wernéry (on the picture in the middle) was there from the beginning. That’s why he’s already been in prison. Interview.


You soon became the most important figure in the club next to Wau Holland and later wrote the statutes. It says that the club is committed to freedom of information. What does that mean, freedom of information?

Steffen Wernéry: It means the right to freely exchange information. In other words, to communicate in encrypted form, with anyone, about anything, without censorship, without blockades. I find the second part of the statutes particularly important: the CCC is concerned with the effects of technologies on society and individual living beings and promotes knowledge about these developments.

How did you want to achieve all this?

Steffen Wernéry: We organised congresses, meetings and events. We have a magazine, the “Datenschleuder”. Of course, it was also about fun and creativity. What we call in the statutes “promoting the creative-critical use of technology”. We had originally written “hack” in the statutes, but the association register rejected this word because it was not in the Duden dictionary.

It was a hack on the edge of the permissible that made the Chaos Computer Club famous.

Steffen Wernéry: That was in 1984, when the post office had a monopoly on electronic messages. And anyone who wanted to be online had to use a device approved by the post office, which was incredibly expensive. Anyone using untested equipment was liable to a house search and confiscation of the equipment, along with a fine. The user fees for this system, the Internet precursor screen text (BTX), were very high. So the post office, we called them “Gilb”, was the enemy of hate for us. At that time, Wau Holland and I hacked into the BTX access of a Hamburg savings bank and called up a BTX page of the CCC from there, for which we had to pay. By the end of the night, we had booked 135000 D-Mark into our fee account. We made that public. It was embarrassing for the post office, which had claimed that its system was secure. The media jumped on the story. For the first time, data security was a big topic.

What happened next with the CCC?

Steffen Wernéry: That was the beginning of an acceleration. We got new members, there were more and more people on the networks. In 1986, things became more serious. A few people in the club had hacked into Nasa’s computers and sold information to the Soviet secret service KGB. The main participant, Karl Koch, was later found dead. To this day, some say it was suicide, others say it was murder. I myself spent two months in a French prison.

Why?

Steffen Wernéry: At that time, there were hardly any computers on the net. We hackers went where there were networks, for example to the Swiss research centre Cern. That was the European hacker training school. Because there, several people could be on the computers at the same time, chatting online or developing programmes together. Because some of these centres were also used for military purposes, this was quite critical. That’s why there have been investigations since 1986.

How did the trial against you turn out?

Steffen Wernéry: There was never a trial, but the investigations against me lasted 16 years, until 1998, without any result. The Hamburg prosecutor spread the word that I was an East German agent because a picture of Honecker hung in my kitchen. For the French, I was a Nazi because they had found “Mein Kampf” during the same house search. There was also mistrust within the club because of these investigations. It all became too much for me and I quit the front row.

Congratulations: 40 years Chaos Computer Club

40 years ago, the Chaos Computer Club was founded in Germany. Steffen Wernéry was there from the beginning. That’s why he’s already been in prison. Spectacular hacks, even into Nasa’s computers, made the Chaos Computer Club famous in the eighties.

It was seen as a Robin Hood-like hacker gang that is always a little smarter than the powerful and beats them with their own means: the computers . Steffen Wernéry joined shortly after its founding on 12 September 1981 and was at the forefront of the club’s transformation from a nerd regulars’ table to a well-known hacker club.

Today, the club claims to have 8,000 members and hosts one of the world’s largest hacker conventions. The basic philosophy has remained the same: The Chaos Computer Club wants to draw attention to the social consequences of technology and sees hacking as an instrument of enlightenment.

How does your history with the Chaos Computer Club begin?

Steffen Wernéry: It was in 1983 in the left-wing bookshop “Schwarzmarkt” in Hamburg. I had read online that the Chaos Computer Club was meeting there. I hoped to be able to exchange passwords there.

Swap passwords?

Steffen Wernéry: The internet didn’t exist back then, only individual computers on the telephone network. When you found other computers, you wanted to have a look at them. For example, into databases or via the computers of newspapers to the news of agencies in the USA. And the passwords were exchanged with each other.

And did you get any?

Steffen Wernéry: Unfortunately, no. I had to find out that no one from the Chaos Computer Club was online yet. Nevertheless, the visit changed my life. Because I met the founder of the club, Wau Holland. He talked about the computer not only being for the administration and surveillance of citizens. Citizens themselves should use it, for exchange and transparency. He wanted the machine-readable government instead of the machine-readable citizen. That made sense to me. From then on, I was in.

Backlog in the delivery of certificates

Unfortunately, there has been a backlog in the delivery of renewed and new certificates in Signer. The Critical Team cannot solve this remotely. A visit to the data centre is planned for next Monday. The stuck certificates should then be delivered. We are sorry that there has been a disruption again.

Im Signer ist es leider zu einem Stau der Auslieferung erneuerter und neuer Zertifikate gekommen. Das Critical Team kann dies nicht per Fernwartung lösen. Ein Besuch des Rechenzentrums ist am kommenden Montag geplant. Die feststeckenden Zertifikate sollten anschliessend ausgeliefert werden. Es tut uns Leid, dass es erneut zu einer Störung gekommen ist.

Expanded support

Heat, floods, hurricanes and other unplannable events quickly lead to delays. We are proud that, despite everything, the handover of the keys to support went smoothly yesterday and the new volunteers now have access to the relevant systems to assist the existing team.

On the allegorical picture you can see Joost handing over the access rights to Aleš, Matthias and David. Also present: Critical Admin, President and Secretary.

Deutsch: Support verstärkt

Hitze, Hochwasser, Hurrikane und andere unplanbare Ereignisse führen schnell zu Verzögerungen. Wir sind stolz darauf, dass trotz allem die Schlüsselübergabe beim Support gestern geklappt hat und die neuen freiwilligen Mitarbeiter ab sofort Zugang zu den relevanten Systemen haben, um das bestehende Team zu unterstützen.

Auf dem allegorischen Bild seht ihr Joost, der Aleš, Matthias und David die Zugriffsrechte überreicht. Mit von der Partie: Critical Admin, Präsident und Sekretär.

New signer proves itself in use

EN: Signer is running again

DE: Signer ist wieder in Betrieb

FR: Signataire fonctionne à nouveau

ES: Firmante vuelve a funcionar

IT: Firmatario è di nuovo in funzione

The signer has been running again since yesterday, Friday, around 13:00 CEST. We then (while we were doing other work) watched the processing for about another hour… Around 0:30 CEST all outstanding certificate requests (~3000) were processed.

Things didn’t quite go as planned in June. As soon as something cannot be done remotely – there is no remote access to critical systems for security reasons – someone who is authorised to do so has to go the data centre in the Netherlands. Despite Corona, quarantine, floods, overtime at the company and whatever else comes up. That’s maybe two hours. Then two hours home again and in between the actual work. During the opening hours of the data centre, in your free time and paying for your own train ticket or petrol. It’s not always easy to reconcile all that. On Friday afternoon, however, the time had come and the Signer has now been running smoothly again for over a day.

As can be seen from the Critical Team’s plan published yesterday, preliminary work is already underway to make the system redundant throughout and even more robust, so that failures should no longer be noticed by users, because no one is interested in such failures! We are very sorry that you had to wait so long. At the same time, we thank the small core team who have sacrificed nights and weekends over the last five weeks to get the technology back up and running for the CAcert community!

Datacenter-Visit on 2021-07-16 *UPDATE*

The activation of signer machine was successful, all pending certificates were processed in the last hours.

Short version: There is a visit at the datacenter planned to enable the signer again (and do some other maintenance there).

Long version:

Unfortunately it was not possible to get the signer back to work again during the last visit due to a hardware-issue with the harddrive.

To get the server running on the (pre-)created backup drive did fail, too …

Therefore we took the time during the last weeks (when it was not possible to visit the datacenter due to different business and personal reasons) to rebuild a test-environment on spare hardware and to train ourselves.

We should now be able to do the necessary steps to bring back the signer machine to work.

In the background we’re currently adjusting our processes to make it easier to visit the datacenter during out-of-office-times (as every trip to the datacenter takes several hours additionally to the time we’re working at the servers).

In future we plan to set up an additional confuguration, which can take over in case of a failure in the datacenter, but this will still take time. However: The exact procedure needs to be worked out as the machines are not to be connected to the internet, but need to communicate (e.g. for CRL-creation, certificate serial numbers etc.).

Protect yourself and your computer!

Français | Deutsch | English

Protégez-vous et protégez votre ordinateur!

Un certificat de CAcert protège contre les dangers sur Internet. En choisissant CAcert, vous avez fait un bon choix, car ici, vous n’espérez pas simplement que le prestataire le fera déjà bien, mais en tant que membre de la communauté CAcert, vous avez toutes les possibilités: Vérifiez notre travail – ou mieux encore: coopérez vous-même, car à qui pouvez-vous faire confiance plus qu’à vous-même et à vos plus proches collaborateurs!

Malheureusement, il existe des dangers contre lesquels vous ne pouvez pas vous protéger avec nos certificats. Les inondations, par exemple, ou les virus corona. Au rez-de-chaussée du siège de CAcert Inc. à Genève, en face de la gare des Eaux Vives, se trouve un grand centre de tests et de vaccination. Ici, vous pouvez obtenir immédiatement une protection X.509 et Covid-19.

Pour que les assurances redeviennent plus faciles et que nous puissions nous rencontrer à nouveau en personne lors d’une conférence prochainement: Protégez-vous avec un masque, gardez distance et respectez l’hygiène. Et: Faites-vous vacciner! Les deux, CAcert et Covid-19 nécessitent deux rendez-vous.*

*avec des assureurs expérimentés avec au moins 25 points, sinon cela peut être plus. La protection Covid se déploie 10 jours après la deuxième vaccination.

Schützen Sie sich und Ihren Computer!

Ein Zertifikat von CAcert schützt vor Gefahren im Internet. Mit der Wahl von CAcert haben Sie eine gute Wahl getroffen, denn hier hoffen Sie nicht einfach, dass der Anbieter es hoffentlich schon gut macht, sondern Sie haben als Mitglied der CAcert-Gemeinschaft alle Möglichkeiten: Überprüfen Sie unsere Arbeit – oder noch besser: arbeiten Sie selber mit, denn wem kann man mehr vertrauen, als sich selbst und seinen engsten Mitarbeitern!

Leider gibt es Gefahren, gegen die man sich mit unseren Zertifikaten nicht schützen kann. Überschwemmungen zum Beispiel oder Coronaviren. Im Erdgeschoss des Hauptsitzes des Trägervereins CAcert Inc. in Genf befindet sich ein grosses Test- und Impfzentrum. Hier bekommen Sie gleich beides X.509 und Covid-19-Schutz.

Damit Assurances wieder einfacher werden und wir uns demnächst wieder an einer Konferenz persönlich treffen können: Schützen Sie sich mit Maske, Abstand und Hygiene. Und: Lassen Sie sich impfen! Sowohl bei CAcert als auch bei Covid-19 braucht es zwei Termine.*

*mit erfahrenen Assurern mit mindestens 25 Punkten, sonst können es mehr sein. Covid-Schutz entfaltet sich 10 Tage nach der zweiten Impfung.

Protect yourself and your computer!

A certificate from CAcert protects you from dangers on the Internet. By choosing CAcert you have made a good choice, because here you are not simply hoping that the provider will already do it well, but as a member of the CAcert community you have all the options: Check our work – or even better: work with us yourself, because who can you trust more than yourself and your closest colleagues!

Unfortunately, there are dangers against which you cannot protect yourself with our certificates. Floods, for example, or corona viruses. On the ground floor of the headquarters of CAcert Inc. in Geneva there is a large testing and vaccination centre. Here you can get both X.509 and Covid-19 protection at once.

So that assurances become easier again and we can meet again in person at a conference soon: Protect yourself with mask, distance and hygiene. And: get vaccinated! Both CAcert and Covid-19 require two appointments.*

*with experienced assurers with at least 25 points, otherwise it may be more. Covid protection unfolds 10 days after the second vaccination.