Category Archives: Information

General news/information to the CAcert community or about security in general

What will the Post look like in ten years?

Roberto Cirillo has been CEO of Swiss Post for just under two years. Before that, he was a McKinsey consultant, CEO of the British hospital group Optegra and head of the activities of the service company Sodexo in France. Cirillo took up his post with the aim of stopping the downward trend. In the past five years, the Post’s turnover has fallen by around CHF 1 milliard. The volume of letters is decreasing rapidly, the post offices are less and less frequented.

In an interview with the NZZ, he said: “Today, we make more than 90% of our turnover in the logistics sector with business customers. Especially in e-commerce and goods logistics. Of the CHF 3 milliard we plan to invest in the next four years, the majority will go into logistics and communication services. The reason why the Post was created over 170 years ago was not to transport letters. It was the secrecy of letters. It was about transmitting information securely, reliably and trustworthily. That’s what we want to do more of in the digital world as well.” (22.02.2021)

Assinatura digital: você ainda vai ter uma

Em sua coluna semanal do caderno Link do jornal O Estado de São Paulo, o jornalista Ricardo Kobashi anda difundindo a tecnologia da assinatura digital com linguagem fácil, voltada para o público não técnico.

No texto do dia 9 de maio, o jornalista escreveu esse artigo, entitulado “Assinatura digital: você ainda vai ter uma”, o qual traz um primeiro approach sobre a tecnologia para usuários de computador sem qualquer background em criptografia, assinatura ou certificação digitais.

O texto é simples e esclaredor, apesar de o autor utilizar como certa a adoção da ICP-Brasil, sua estrutura e custos, quando fala de certificação. O final, sobre banco P2P, é um pouco inocente, já que fluxo de valores é apenas uma das funções principais das instituições financeiras.

Aqui vai a íntegra do texto, com alguns comentários em itálico:

Assinatura digital: você ainda vai ter uma

Antes de mais nada, vamos lembrar que assinatura digital não tem nada ver com passar a sua assinatura feita à mão por um scanner e sair anexando a imagem em documentos ou mensagens de correio eletrônico.

Na prática, a coisa é um pouco mais complicada. Assinatura digital é um método que usa fórmulas matemáticas complicadíssimas para autenticar uma informação de forma a garantir a identidade de quem a enviou e que o seu conteúdo não foi nem será alterado.

Tem mais. Para que seja possível assinar eletronicamente um documento, é necessário que antes você possua uma ‘identidade digital’, que pode ser conseguida através de uma empresa credenciada a ofereçer o serviço. E que tenha o hardware necessário para guardá-la, seja o disco rígido do seu computador, um cartão inteligente ou um token, uma espécie de memory key que entra na porta USB do micro.

Nesse parágrafo o autor considera que a única forma de se utilizar assinatura digital é com certificados X509, não citando ferramentas como PGP/GnuPG. O comentário sobre HDs, smart card e token é correto, mas falta citar a diferença de segurança entre deixar sua chave no PC, sujeito a ataques, torjan, virii etc. e coloca-la no armazenador smart card ou token, que fornecem segurança comparativamente maior.

Garantir a integridade de uma informação digital e a identidade de seu autor não é pouco. Muito da burocracia governamental ainda resiste amparada pela dificuldade em se reproduzir digitalmente o que conseguimos com papéis, carimbos e cópias autenticadas. É certo que boa parte desses procedimentos tem origem cultural, na tradição do direito lusitano, mas algumas garantias serão sempre necessárias.

A popularização da assinatura digital traria benefícios para muita gente. Com a possibilidade de aumentar os serviços eletrônicos, o governo seria capaz de agilizar o atendimento às empresas, ao cidadão e diminuiria sua necessidade de contratação de pessoal. Nada mal. Do lado de cá, ganharíamos em conveniência, diminuição das filas e deslocamentos e, quem sabe, reduziríamos os gastos com fotocópias, autenticações e taxas afins.

O sistema financeiro também seria beneficiado. E muito. Apesar da
cortina de silêncio que cerca o assunto, as fraudes pela internet correm soltas. Os e-mails travestidos de avisos bancários que roubam nossas senhas e instalam vírus em nosso computador continuam a infernizar a vida dos especialistas em segurança na internet.

Uma refência aos ataques conhecidos como phishing que aumentam a cada dia…

A polícia tem feito prisões importantes, desbaratando quadrilhas aqui e ali, mas a prática continua. Assinatura digital dificultaria muito esse tipo de crime.

O problema é que ter uma assinatura digital, incluindo sua identidade digital e um token para armazená-la, não sai por menos de R$ 400. E, a cada ano será preciso pagar mais R$ 200 a título de renovação.

Esses dados são específicos para o âmbito da ICP-Brasil.

Há rumores de que os bancos estariam dispostos a pagar essa conta para aumentar a segurança das transações eletrônicas com seus clientes. Eles forneceriam a assinatura digital gratuitamente mas, em troca, o ônus das futuras fraudes digitais seria repassado aos correntistas.

É bom lembrar que a assinatura digital dificulta o crime virtual, mas não acaba com ele. Trazendo para o mundo real, a lógica da proposta é mais ou menos o seguinte: o banco coloca um vigilante armado e uma porta giratória com detector de metais na agência e, caso ela seja roubada, o prejuízo sai da sua conta. Não dá para engolir.

Se pensarmos um pouco… como em qualquer negócio, o risco de o banco perder dinheiro por fraudes ou roubos, inclusive os virtuais, já está embutido nos preços cobrados por eles. Isso acontece em qualquer negócio, principalmente em ramos altamente profissionais como o bancário. Se as fraudes diminuírem, é possível que a competição entre bancos leve até o preço dos serviços a baixarem proporcionalmente à economia do próprio banco.

Sonho com o dia que irão inventar o banco P2P, como o Kazaa, Messenger ou Skype. Vamos trocar valores sem intermediários e mandar uma banana para o sistema financeiro e seus lucros astronômicos. Mas, como isso ainda pode demorar alguns anos, é melhor se prevenir. Se você começar a ouvir falar em bancos oferecendo assinatura digital de graça, cuidado.

Discordo com o autor nesse ponto. Primeiramente, os bancos possuem outras funções, como crédito, por exemplo, que são essenciais não apenas para as pessoas físicas, mas principalmente para o governo e as empresas. Segundo, não vejo uma saída para implementação de troca de valores sem meio físico nem endosso por terceiros (nesse caso os bancos). Não pensei muito sobre o assunto, mas o que primeiro vêm a mente é a natural multiplicação do dinheiro. Certo que os bancos fazem isso, mas de uma forma controlada e supervisionada.

Pode ser que você esteja diante de um autêntico cavalo de Tróia. Pior que seu original grego, este presente pode torná-lo o único responsável por qualquer prejuízo ou futura fraude que ocorra durante suas transações online, isentando o banco ou o governo de qualquer ônus. Olho vivo.

Discordo parcialmente. Com a assinatura digital, uma transação seria exatamente como antes do mundo virtual: para cada ordem, há uma assinatura. E, no caso de certificados ICP-Brasil, essa assinatura tem validade legal no Brasil. Basta que se possa garantir que uma pessoa nunca irá assinar um documento com sua assinatura digital por engano. Isso sim, pode ser um problema. Vou escrever mais sobre esse aspecto no futuro…

Texto original por Ricardo Kobashi.

Sobre a Comunidade CAcert Brasil

When Captain CAcert rescues the Notaries of the Round Table

Today we are going on a little journey through time for a current occasion. Are you ready? Then jump into the fountain together with Frog King!

Many, many years ago, when grandmother was still a little girl, it may have been in 1995, a hardworking man named Mark Shuttleworth started a certificate issuing service in his poor parents’ garage, just like CAcert is one.

The name of this service was Thawte. Thawte was a great and important service. It is said that it covered half of the empire at that time. And because he was so old and so wise, he enjoyed some privileges. When Uncle Netscape, the browser, introduced new rules for certificates, Aunt Thawte, considering her age, only had to comply if she wanted to.

Now it was the case in those days that some people would have liked to send letters in an envelope. Good Aunt Thawte said: I have so many envelopes, I will give you some! And everyone who booked a free e-mail address with her got the certificate to wrap the messages as a gift. The Web of Trust was created to ensure that everything was above board and that the big bad wolf didn’t pretend to be one of the seven little goats. There, the letter writers met with the most trustworthy men and women of the entire empire for the knighting.

After the wizard Verisign took over Aunt Thawte’s service in 1999, the Web of Trust’s noble round table was abolished a few years later. Its members were very surprised to be thrown out of the castle just like that, since they had selflessly served the cause as noble knights and notaries.

However, it was a stormy time. And the storm wind blew a big sailing ship with full rigging from New South Wales, a spot of earth on a big island in the middle of the big, wide sea in the New World, across the ocean. Its name was emblazoned in gold letters on the stern: CAcert.

The captain held the wheel with both hands until the ship docked in a safe harbour. Immediately the crew rushed ashore to the desperate notaries and knights of the Thawte Round Table and offered to take them in their ship.

Numerous were those who gratefully accepted this offer, even more so when the captain said that he trusted Aunt Thawte. So it happened that large parts of Thawt’s Web of Trust were integrated into CAcert’s Web of Trust and the Thawte notaries became CAcert assurers. In a special program named Tverfiy, they could have their trust points transferred in 2009. Today, more than a decade later, CAcert is discontinuing the corresponding web site, after a long time since scattered notaries have joined CAcert’s community.

Further reading:
https://wiki.cacert.org/Tverify
https://en.wikipedia.org/wiki/Thawte#Web_of_Trust
old blog posts from the time

“If you don’t use technology consciously, you will be used by it” (40 years of CCC 3)

40 years ago, the Chaos Computer Club was founded in Germany. Steffen Wernéry (middle) was there from the beginning. Today he is no longer active in the front row. He remembers.

You still work in the industry.

Steffen Wernéry: I’m a data protection officer for an operator of anonymised network connections (VPN). I’ve always been less interested in hacking than in hunting for security holes, which others can do better, than in the creative, design side. I first came to computers through my interest in acoustics, photography and video. When I was 20, I did an art project with Bernd Krake in which I transmitted image data by telephone between the Hamburg Kunstverein and the Massachusetts Institute of Technology (MIT).

What about the creative use of technology today?

Steffen Wernéry: Hacking is more necessary than ever. Not in the sense of computer crime, but in the original sense, the critical handling of technology and finding weak points. We are surrounded by unfinished products. Software and hardware have security vulnerabilities, and those who rely on them are quickly finished. Instead of relying on stock and preservation, companies produce technological junk. Even in the literal sense, none of this is environmentally friendly. The products are designed for consumption and to be addictive. People spend less and less time in real life.

Virtual versus real life, I’m surprised that you, as a net activist, see this as a contradiction. Doesn’t one enrich the other?

Steffen Wernéry: Sure, the internet is great if I want to repair my washing machine, if I want to exchange ideas with like-minded people about hobbies or politics, if I want to collect environmental data together with others. But most people sit in a consumption loop, waste their time and think that this is real life. We already said 40 years ago: machines reinforce structures. It happens all by itself. If you don’t use technology consciously, you will be used by it.

Sounds like the CCC has failed.

Steffen Wernéry: The club does what it can. It teaches young people media competence in the project “Chaos macht Schule”. It participates in lawsuits against laws, keeps up the exchange with other institutions. But it is a fight against windmills. That’s why it’s so important to keep some anarchy and fun going. (Questions by Ruth Fulterer)

Starting in 1986, the hackers used a flaw in an operating system to infiltrate other people’s systems and gain access rights there. Computers at the Cern nuclear research centre were among those affected. In 1986, the club newspaper “Datenschleuder” printed an internal complaint about the intruders: “There seems to be a club based in Germany called the ‘chaos club’ whose collective hobby is hacking systems connected to public X25 networks.”

Wernéry and Wau Holland, the club’s leaders at the time, contacted the companies involved and later spoke out to the media when the case became public (above: broadcast from the German TV ARD from 15. September 1987). Then, on his way to a congress where he was to speak about data protection, Wernéry was arrested in France in 1988. He was believed to be an accomplice or even responsible for the hack. The investigators quickly dropped this accusation and he was released. The investigation into his complicity continued for a long time, but in the end came to nothing.

40 years Chaos Computer Club (2)

40 years ago, the Chaos Computer Club was founded in Germany. Steffen Wernéry (on the picture in the middle) was there from the beginning. That’s why he’s already been in prison. Interview.


You soon became the most important figure in the club next to Wau Holland and later wrote the statutes. It says that the club is committed to freedom of information. What does that mean, freedom of information?

Steffen Wernéry: It means the right to freely exchange information. In other words, to communicate in encrypted form, with anyone, about anything, without censorship, without blockades. I find the second part of the statutes particularly important: the CCC is concerned with the effects of technologies on society and individual living beings and promotes knowledge about these developments.

How did you want to achieve all this?

Steffen Wernéry: We organised congresses, meetings and events. We have a magazine, the “Datenschleuder”. Of course, it was also about fun and creativity. What we call in the statutes “promoting the creative-critical use of technology”. We had originally written “hack” in the statutes, but the association register rejected this word because it was not in the Duden dictionary.

It was a hack on the edge of the permissible that made the Chaos Computer Club famous.

Steffen Wernéry: That was in 1984, when the post office had a monopoly on electronic messages. And anyone who wanted to be online had to use a device approved by the post office, which was incredibly expensive. Anyone using untested equipment was liable to a house search and confiscation of the equipment, along with a fine. The user fees for this system, the Internet precursor screen text (BTX), were very high. So the post office, we called them “Gilb”, was the enemy of hate for us. At that time, Wau Holland and I hacked into the BTX access of a Hamburg savings bank and called up a BTX page of the CCC from there, for which we had to pay. By the end of the night, we had booked 135000 D-Mark into our fee account. We made that public. It was embarrassing for the post office, which had claimed that its system was secure. The media jumped on the story. For the first time, data security was a big topic.

What happened next with the CCC?

Steffen Wernéry: That was the beginning of an acceleration. We got new members, there were more and more people on the networks. In 1986, things became more serious. A few people in the club had hacked into Nasa’s computers and sold information to the Soviet secret service KGB. The main participant, Karl Koch, was later found dead. To this day, some say it was suicide, others say it was murder. I myself spent two months in a French prison.

Why?

Steffen Wernéry: At that time, there were hardly any computers on the net. We hackers went where there were networks, for example to the Swiss research centre Cern. That was the European hacker training school. Because there, several people could be on the computers at the same time, chatting online or developing programmes together. Because some of these centres were also used for military purposes, this was quite critical. That’s why there have been investigations since 1986.

How did the trial against you turn out?

Steffen Wernéry: There was never a trial, but the investigations against me lasted 16 years, until 1998, without any result. The Hamburg prosecutor spread the word that I was an East German agent because a picture of Honecker hung in my kitchen. For the French, I was a Nazi because they had found “Mein Kampf” during the same house search. There was also mistrust within the club because of these investigations. It all became too much for me and I quit the front row.

Congratulations: 40 years Chaos Computer Club

40 years ago, the Chaos Computer Club was founded in Germany. Steffen Wernéry was there from the beginning. That’s why he’s already been in prison. Spectacular hacks, even into Nasa’s computers, made the Chaos Computer Club famous in the eighties.

It was seen as a Robin Hood-like hacker gang that is always a little smarter than the powerful and beats them with their own means: the computers . Steffen Wernéry joined shortly after its founding on 12 September 1981 and was at the forefront of the club’s transformation from a nerd regulars’ table to a well-known hacker club.

Today, the club claims to have 8,000 members and hosts one of the world’s largest hacker conventions. The basic philosophy has remained the same: The Chaos Computer Club wants to draw attention to the social consequences of technology and sees hacking as an instrument of enlightenment.

How does your history with the Chaos Computer Club begin?

Steffen Wernéry: It was in 1983 in the left-wing bookshop “Schwarzmarkt” in Hamburg. I had read online that the Chaos Computer Club was meeting there. I hoped to be able to exchange passwords there.

Swap passwords?

Steffen Wernéry: The internet didn’t exist back then, only individual computers on the telephone network. When you found other computers, you wanted to have a look at them. For example, into databases or via the computers of newspapers to the news of agencies in the USA. And the passwords were exchanged with each other.

And did you get any?

Steffen Wernéry: Unfortunately, no. I had to find out that no one from the Chaos Computer Club was online yet. Nevertheless, the visit changed my life. Because I met the founder of the club, Wau Holland. He talked about the computer not only being for the administration and surveillance of citizens. Citizens themselves should use it, for exchange and transparency. He wanted the machine-readable government instead of the machine-readable citizen. That made sense to me. From then on, I was in.

Backlog in the delivery of certificates

Unfortunately, there has been a backlog in the delivery of renewed and new certificates in Signer. The Critical Team cannot solve this remotely. A visit to the data centre is planned for next Monday. The stuck certificates should then be delivered. We are sorry that there has been a disruption again.

Im Signer ist es leider zu einem Stau der Auslieferung erneuerter und neuer Zertifikate gekommen. Das Critical Team kann dies nicht per Fernwartung lösen. Ein Besuch des Rechenzentrums ist am kommenden Montag geplant. Die feststeckenden Zertifikate sollten anschliessend ausgeliefert werden. Es tut uns Leid, dass es erneut zu einer Störung gekommen ist.

Expanded support

Heat, floods, hurricanes and other unplannable events quickly lead to delays. We are proud that, despite everything, the handover of the keys to support went smoothly yesterday and the new volunteers now have access to the relevant systems to assist the existing team.

On the allegorical picture you can see Joost handing over the access rights to Aleš, Matthias and David. Also present: Critical Admin, President and Secretary.

Deutsch: Support verstärkt

Hitze, Hochwasser, Hurrikane und andere unplanbare Ereignisse führen schnell zu Verzögerungen. Wir sind stolz darauf, dass trotz allem die Schlüsselübergabe beim Support gestern geklappt hat und die neuen freiwilligen Mitarbeiter ab sofort Zugang zu den relevanten Systemen haben, um das bestehende Team zu unterstützen.

Auf dem allegorischen Bild seht ihr Joost, der Aleš, Matthias und David die Zugriffsrechte überreicht. Mit von der Partie: Critical Admin, Präsident und Sekretär.

New signer proves itself in use

EN: Signer is running again

DE: Signer ist wieder in Betrieb

FR: Signataire fonctionne à nouveau

ES: Firmante vuelve a funcionar

IT: Firmatario è di nuovo in funzione

The signer has been running again since yesterday, Friday, around 13:00 CEST. We then (while we were doing other work) watched the processing for about another hour… Around 0:30 CEST all outstanding certificate requests (~3000) were processed.

Things didn’t quite go as planned in June. As soon as something cannot be done remotely – there is no remote access to critical systems for security reasons – someone who is authorised to do so has to go the data centre in the Netherlands. Despite Corona, quarantine, floods, overtime at the company and whatever else comes up. That’s maybe two hours. Then two hours home again and in between the actual work. During the opening hours of the data centre, in your free time and paying for your own train ticket or petrol. It’s not always easy to reconcile all that. On Friday afternoon, however, the time had come and the Signer has now been running smoothly again for over a day.

As can be seen from the Critical Team’s plan published yesterday, preliminary work is already underway to make the system redundant throughout and even more robust, so that failures should no longer be noticed by users, because no one is interested in such failures! We are very sorry that you had to wait so long. At the same time, we thank the small core team who have sacrificed nights and weekends over the last five weeks to get the technology back up and running for the CAcert community!