Category Archives: Information

General news/information to the CAcert community or about security in general

Need Volunteers for Apache Con 2005

We’re currently looking for up to 2 people on the North American continent, close to San Diego would be an advantage to us, as we need people to man a CAcert booth for at Apache Con 2005 (10th to the 14th of December), we (CAcert Inc) can allocate some funding that can be used to cover flights/accommodation/other expenses (printing etc).

As always there is a couple of catches, firstly you must currently have 100 assurance points (ie be an assurer), you must be willing to sit on the booth for the majority of the time (10am till 4pm minimum), and preference will be given to those that already have assurances under their belts and/or manned a CAcert booth at other conferences even if it costs a little more for their flights.

Of course the benefit is that you end up getting to spend some time in warm and possibly sunny Southern California during the North American winter 🙂

Any questions or for further information please email me directly, but there needs to be a decision made on this as soon as possible to ensure people that fly in will have a place to stay etc close to the conference.

CAcert root included in Nokia 770

Nokia has included the root certificate of CAcert into the new Nokia 770 Internet Tablet. This makes it possible to use secure websites, encrypt and digitally sign emails with free certificates from CAcert.org.

Currently Knoppix, Debian, Gentoo, Ubuntu, and other Linux distributions have incorporated CAcert into their products already, Nokia is the first commercial vendor to approve CAcert for it’s products. One of the main goals of CAcert was to be included in major browsers and CAcert continues to actively pursue other vendors such as Opera, Mozilla and Microsoft to be included as part of their browsers.

CAcert is a community certification authority that issues free SSL certificates worldwide for individuals and organisations, and CAcert aims to enable better privacy for the Internet. CAcert is committed to high standards of security and verification, to achieve this goal CAcert operates a worldwide network of Assurers who are verifying the identities according to the 4 eyes principle (or better), to have a high level of verification as it is of little benefit having security if you aren’t sure who you really are communicating with at the other end.

Properly securing wireless networks on the cheap

In part the reason CAcert exists is because very early on I realised how much a waste of time many of the security features that existed in the devices at the time (and even now still to a large extent).

Later on 802.1x came into the picture, but that has numerous complications with prerequisites with requiring you to setup RADIUS depending how you decide to go about configuring everything.

It’s worth noting that over the last few years the prices on access point routers have been dropping to the point that they can be now had in Australia for about the AU$100 price point (about US$50-70), the other interesting thing to note is that a number of companies making these devices ended up using linux on them rather then writing a custom OS which in turn lead to them being forced to release source code under provisions in the GPL.

This is where things start to get very interesting because on one hand we have cheap off the shelf small form factor devices and on the other we have th complete source code and tools to make customised firmware versions. These two events lead some smart cookies to take the sources and build up some amazing functionality along the way by taking software in the world of linux software.

So a long story short this is good news for people looking to better secure their wireless network and in such an easy and simplistic manner, via OpenVPN and these embedded devices, OpenVPN is a great choice because it seems as good as IPSec in terms of security, unless you happen to have state secrets to guard and I’m sure there are better options available from commercial vendors.

I’ve just spent the last couple of days experimenting with a Linksys WRT54G and managed to string together a guide on setting up a wireless access point router with OpenVPN and getting a linux laptop to talk to it as well.

SFD Hungary – CAcert Assurance Party

Hungary’s only Software Freedom Day event has been organized in Szeged. It is a city in the south with a big university and high involvement in open source.

There was a CAcert lecture and assurance party successfully held, about 50 new members joined the community. We were three assurers there.

More about the event:
SFD Szeged home: www.inf.u-szeged.hu/opensource/events.php
Lecture slides: www.artificis.hu/talks/sfd05

Dutch to Open Electronic Files on Children

“The Dutch government plans to open an electronic file on every child at birth as a tool to spot and protect the troubled kids of the future. All citizens will be tracked from cradle to grave in a single database – including health, education, family and police records.”

http://news.yahoo.com/s/ap/20050913/ap_on_re_eu/netherlands_child_files

—–

These kinds of articles always raise red flags with me when governments propose something that has the potential to be very unpopular as “benefiting” children.

This was posted to slashdot and the first few comments included:

– paedophiles wet dream
– WWII was fought to prevent this kind of overarching governmental reach and it’s occurring anyway
– several credit card gateways cracked recently leaking millions of records how would this be any better if it’s actually going to be useful across all govt agencies…

At this point if I were a citizen I’d firstly be very concerned, and then be very angry about this kind of thing, and if it goes through in the Netherlands it’s just as likely to be pushed in other countries.

Real time blacklists – naming and shaming

Long time systems administrators, they tend to either love or hate RBL lists depending what side of things you’re on (or have been on), in most cases people use information returned from these in conjunction with other metrics to more finely tune their spam response rather then using these lists as a be all and end all.

From time to time administrating you will end up on the wrong side of RBL lists more and more however this has less to do with blocking spam, but because of lazy users. Not to mention one of the biggest gripes administrators have to cope with in dealing with RBLs is they are often quite difficult to get off, supposedly to make it difficult on spammers, the jury is still out on that however. You can often find yourself listed even if you weren’t at fault because a large chunk of IP space you happen to be in the middle of is suddenly black listed!

To give some background here, I receive the majority of the bounced emails from the CAcert system and I keep an eye on why emails are being bounced, and it’s quite amusing to read some of the replies, such as people end up black listing their own mail relays.

Others also tend to report emails from us as spam either by accident or because they are simply too lazy to unsubscribe from our mailing lists, or for the emails automatically sent out to verify them on sign up! This almost almost ranks up there with my pet peeve with people black listing APNIC IP ranges (Asia Pacific NIC – which Australia happens to be part of but no where near the highest source of spam, even on a per captia basis!) because “most spam comes from Asia”, which is in fact false and they should black list ARIN instead because most spam comes from the US.

In any case the latest RBL (http://www.stop-spam.info/lookup.php?ip=202.87.16.201) that has come to my attention (they actually brag on their website about how many millions of IPs they have blocked!) basically takes the cake and they should be avoided like the plague. They have blacklisted the IPs CAcert sits on, the only information given is that it’s a country black list (you read right, it’s not a company black list, but an entire country), not to mention a country with a really low spam rate in any case!

This kind of thing is normally taken care of by sending in a report and asking to be removed or exempted from the black list, but I challenge anyone to find a method to contact them via their website within the first few minutes of looking, I’m still looking.

These guys are taking a sledge hammer to break open an egg and they should NOT be used as a RBL at all EVER, in fact this is the worst RBL list I’ve ever seen, and they point you to a page disclaiming all responsibility and that someone else has blocked the emails, but they are responsible for keeping an up to date lists otherwise this is a worst abuse then the spam they claim to be trying to prevent.

2005 Annual General Meeting

CAcert AGM has come and gone uneventfully this year. The meeting minutes are now online http://www.cacert.org/meetings/20050703.txt

Points of Interest:

New board for the 2005-06 financial year elected unapposed due to low amount of nominations:

Duane Groth – President
Mark Lipscombe – Vice President
Tina Kubota – Secretary
Ryan Verner – Ordinary Member
Matthew Asham – Ordinary Member

The meeting was ajourned for up to next 2 weeks to have the financial summary made available due to events beyond our control.

Conference Report – Linuxtag 2005

Ralf sent in this report about his recent results from LinuxTag 2005…


LinuxTag 2005 was again a great success for CAcert. We, Philipp ‘Sourcerer’ and I, supported by Eric ‘Nox’, Michael ‘MiGri’ and some others assured approx. 700 people. First time, we wore (self-made V0.1) T-shirts to represent the CI of CAcert.

As a direct result of LT assurance the 3000 assurer barrier has been broken!

As super-assurers, Phillipp and I ‘only’ usually issued 120 points and encouraged the applicants to get to the full points by doing cross-assurances near by our booth so we could answer upcoming questions.

For applicants in ‘underdeveloped areas’ 😉 we issued full 150 and aske to bring some friends around to be assured so they can spin the web of trust in their region.

Usually the identity was pre-checked and the form was marked by an assurer’s aid (Eric, Migri, Steffen, …) and the assured by one of the super assurers.

Now and then, Philipp vanished for hours to the other (.com-)conference hall and built contacts to ‘Them’.

To applicant’s with an existing account the points were issued right at the booth (I had an OpenVPN tunnel to my home based network, of course secured by CAcert certificates) and all the others were asked to create their account as soon as possible.

By today, the pile of unprocessed forms is reduced to approx. 40, all of these got more than 3 reminder emails. Maybe thos mails get lost as false positives in a spam filter or thos applicants changed their mind.

So this is the end of my first entry to the blog. Please excuse typos or strange phrases. This is NOT my native language and school was ages ago 😉

Cheers,

Ralf.

P.S. Good news! For Europe, I mangaged to persuade Petra from www.kernelconcepts.de to offer high-quality CAcert T-shirts at a good price ( evend reduced if you order by CAcert-cert signed mail 😉 plus shipping. See details at http://wiki.cacert.org/wiki/t-shirts

Mozilla drops Open in favour of Smoke Filled Rooms

Things are slowly coming out about what happened a month ago in New York city, and my initial questions still go unanswered, many excuses are being spun but very few answers are given freely, and this is really disappointing coming from the Mozilla guys.

Mozilla touts, like many open source projects that being open and free is a major benefit to society, yet they then have the hide to turn round and conspire with commercial interests behind close door for what we’re being told will be the benefit of the internet.

I’m not sure about anyone else but my memory isn’t that bad that I’ve forgotten how US commercial interests don’t do anything unless it will effect their bottom line, either for increased profits, or due to regulatory disputes planning to inflict fines or other restrictions that will hurt their bottom line. This is highlighted only too well in the current SPF vs Sender ID debate, Microsoft as usual came in late to the game thinking, “we’ve missed another boat, what the hell do we do now?”. What they came up with, was a small variation of SPF then turned round and requested a patent on their “innovation”!

Microsoft then did what Microsoft always does, turned round and tried to inflict their “invention” on us, but it was no olive branch, it was a thorny stem with no rose on the end, basically they have and are still trying to take control of email via a patented invention that does very little more then what SPF does, in fact they are still trying to push through their “invention” by brute force. Since the MADRID task force collapsed due to lack of consensus, Microsoft has a solution lacking mass adoption, so they are planning to mark any email being sent to their domains as junk that don’t support (or properly support) Sender ID.

So anyway back to the current story, basically Mozilla hasn’t learnt from history and they actually think they will be able to do more good then harm from closed door talks then what happened with MADRID. I doubt anyone will claim the internet could be where it is without open standards, and open discussions preceding before that, hell CAcert thrives based on open discussions, there are a lot of smart people out there with a lot of good ideas and we’d be mad to simply ignore them.

However this is exactly what the Mozilla guys have done, and in the process alienated a lot of smart specialists in the area they are trying to define, the end result will be that we all suffer, and a very good example of where this has happened in the past is with Wifi security (this is after all how CAcert begun, bad Wifi security needing something else to protect information), basically cryptography experts weren’t consulted openly and we ended up with something basically a waste of time that can be cracked in minutes, so tell me how those closed door talks helped society exactly.

Ian from FinancialCryptography has some more information on the topic on his blog as well, which is well worth the read. https://www.financialcryptography.com/mt/archives/000514.html