Category Archives: News

News Relating to CAcert

CAcert root included in Nokia 770

Nokia has included the root certificate of CAcert in the new Nokia 770 Internet Tablet. This makes it possible to use secure websites, and to encrypt and digitally sign emails, with free certificates from CAcert.org.

Knoppix, Debian, Gentoo, Ubuntu and other Linux distributions have already incorporated CAcert into their products; Nokia is the first commercial vendor to approve CAcert for its products. One of the main goals of CAcert is to be included in major browsers, and CAcert continues to actively pursue other vendors such as Opera, Mozilla and Microsoft for inclusion in their browsers.

CAcert is a community certification authority that issues free SSL certificates worldwide to individuals and organisations, with the aim of enabling better privacy on the Internet. CAcert is committed to high standards of security and verification. To achieve this goal CAcert operates a worldwide network of Assurers who verify identities according to the four-eyes principle (or better), because security is of little benefit if you aren’t sure who you are really communicating with at the other end.

Time for the paranoid to start upgrading keys

MathWorld News is reporting that RSA-640 has been factored. F. Bahr, M. Boehm, J. Franke, and T. Kleinjung, members of the German Federal Agency for Information Technology Security (BSI), announced they had cracked the 193-digit number last Friday using the General Number Field Sieve. The team purportedly used 80 Opteron CPUs and 5 months to achieve victory.

I realise that 1024-bit keys are exponentially bigger than 640-bit ones; however, this shows that the time to crack 1024-bit keys is getting awfully close to useless when dealing with material that needs a longish life span, not to mention that some of the root certificates in browsers are still 1024-bit, and even if it took these guys 5 times as long, those certificates are still going to be valid when they get finished.

And people complained about the 4096-bit certificate CAcert uses 🙂 (well, complained because not all apps supported key sizes bigger than 1024-bit!)

PS: I found this website, which gives a breakdown of how long you can expect varying key lengths to be good for.

Is the UK now unsafe for encryption?

In the wake of the recent bombings in the UK, police in the UK have asked for additional powers to hold terror suspects for up to 3 months without charge if they refuse to hand over encryption keys. While on the surface this sounds like a good way to fight recent happenings, it’s no doubt going to be abused like all other knee-jerk power grabs of its kind.

If you are falsely accused and have encrypted files, or software that enables you to encrypt things, and are in no way, shape or form involved in or responsible for the recent state of affairs, all I can say is be afraid, be very afraid… http://www.guardian.co.uk/attackonlondon/story/0,16132,1533917,00.html

Massachusetts Software Council’s Open Source Special Interest Group

I attended the Massachusetts Software Council’s Open Source Special Interest Group “kickoff” meeting today. I went for 2 reasons: 1) I am developing a training system using open source software, and 2) Dan Bricklin, the developer of VisiCalc for the Apple series of microcomputers, was a primary sponsor and panel member and I had never met him. If you do not know the history of the microcomputer world, I offer you this VisiCalc-to-basketball analogy: Dan Bricklin scored 70 points and made the game-winning basket from half court, while being triple-teamed, to win both the NCAA and the NBA championships. It was a very interesting event and there were quite a few high-powered executives and developers in the audience and on the panels. For more information on the event, you can go here

http://oss-sig.softwaregarden.com/blogs/oss-sig/

This group was knowledgeable, experienced and successful. Questions and responses were lively and engaging, well, except once.

Someone asked, in effect:

“Who is looking after the security of our software infrastructure? What is being done to help us manage the trust-ability of our software?”

The question was not answered or commented upon.

Yet another high profile data leak

Hot on the heels of last week’s package loss in transit by Citibank comes the announcement that 40 MILLION credit card numbers have been leaked by a cracker getting into CardSystems Solutions, a third-party credit card processing company.

So I must ask once more: why do supposedly open source browser vendors keep spreading FUD that we are such a risk, when clearly, for 6 weeks running, the US banking industry has gotten black eye after black eye with horrifically escalating breaches of private and financial information?

I’ll propose my question again: how can any CA breach be even on par with a major browser security breach? Bugs are patched, people are encouraged to upgrade, and life goes on every day, so why are SSL certificates treated with such religious and completely incorrect notions of the real world we live in? Fair enough, things may have started out much differently, but that isn’t the reality we live in today or for the next 5 years to come.

The short version is that SSL started out as a solution looking for a problem, and along came a few commercial CAs thinking they could rake in millions if not billions by doing annual ID checks. In the end they had to settle for protecting link-layer security and selling snake oil about what was really being protected; after all, the latest example proves time and time again that the biggest risk and problem is protecting end points, and NOT the link layer.

So please tell me again why are we such a threat!?

Desperately seeking people willing and able to help with translations

We are desperately seeking multilingual people for a number of reasons. Firstly, the site is mostly complete in 5 languages other than English, and we’d really like to see the website completed in more languages, since language is a real barrier for many parts of the world and breaking down this barrier is one of our key goals.

The other reason we are after people is to verify translations: spelling mistakes and mistranslations in legal documents could be a very big problem in future, so it’s important we have as many capable eyes verifying as much documentation as possible. For the verification step we possibly only need people giving feedback, in their own language, to those helping to translate the website and documents.

One of the big changes of late is being able to produce the CAP and TTP PDFs on the fly via PHP code. This means our existing translation infrastructure can be used to translate these documents too and keep them all in sync, rather than requiring translators to produce and handle PDF files whenever changes are made.

The translation of the TTP PDF is especially important to get right, since it will be dealing with people most likely unfamiliar with CAcert and our practices; in the past people have been rejected because the documents weren’t translated into their country’s official language or because the wording made some people uneasy about signing them.

For more information, or if you can help out with any of these things, PLEASE don’t be shy: join the translation mailing list and let everyone know what you’re willing and able to help out with.

Dynamic PDF Forms

Some time ago people were trying to work out how to generate dynamic PDFs on the spot to make assurances go a little smoother, since a number of the fields could be filled in automatically and you could just set up at a conference or an assurance meeting and print out forms as needed, which is a good idea. However, at the time the only PDFlib usable in PHP needed a commercial license, and CAcert lacked the funding to pursue it further.

Of late I found myself needing to generate dynamic forms for a customer’s billing solution, and I ended up using FPDF, which is free for both commercial and non-commercial purposes. This then led me to recall people making requests for this feature with CAcert, and I’ve spent a bit of time today making it a reality, as this will be beneficial for a number of reasons.

This now lends itself to be translated in the same manner as the website, so the procedures to track and update phrases in other languages can now be applied to both the CAP and TTP forms. Already a number of people have translated these PDFs into other languages, and further progress is being made as I type this.

So this means that we don’t need to keep a bunch of PDF forms on hand in numerous languages, and updating forms in future is now a very easy task, as changing the layout or information on one form effectively changes them all, reducing workloads all round.

You can view the new forms by going here and here.
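As an added illustration (not CAcert’s own form code), here is how a single FPDF layout function can render the form in whichever language is requested, with every label pulled from a phrase table standing in for the site’s translation infrastructure and some fields pre-filled; the phrase keys, field names and sample data are assumptions made for this example.

```php
<?php
// Added example, not CAcert's code. Assumes FPDF is installed via Composer
// (setasign/fpdf); phrase keys, field names and sample data are constructed.
require_once __DIR__ . '/vendor/autoload.php';

// Phrase table standing in for the site's translation infrastructure:
// translators edit phrases here, never the PDF layout itself.
$phrases = [
    'en' => ['title' => 'Assurance Programme Form', 'name' => 'Name',
             'email' => 'Email', 'date' => 'Date', 'assurer' => 'Assurer',
             'sign' => 'Signature'],
    'de' => ['title' => 'Assurance-Formular', 'name' => 'Name',
             'email' => 'E-Mail', 'date' => 'Datum', 'assurer' => 'Assurer',
             'sign' => 'Unterschrift'],
];

function tr(array $phrases, string $lang, string $key): string {
    // Fall back to English so an untranslated phrase never yields a blank label.
    return $phrases[$lang][$key] ?? $phrases['en'][$key] ?? $key;
}

// One layout for every language: change it here and all forms change.
function buildForm(array $phrases, string $lang, array $prefill): FPDF {
    $pdf = new FPDF('P', 'mm', 'A4');
    $pdf->AddPage();
    $pdf->SetFont('Helvetica', 'B', 16);
    $pdf->Cell(0, 12, tr($phrases, $lang, 'title'), 0, 1, 'C');
    $pdf->SetFont('Helvetica', '', 11);
    // Each row is a label plus either a pre-filled value or a line to write on.
    foreach (['name', 'email', 'date', 'assurer'] as $key) {
        $pdf->Cell(40, 10, tr($phrases, $lang, $key) . ':', 0, 0);
        $value = $prefill[$key] ?? '';
        $pdf->Cell(0, 10, $value !== '' ? $value : str_repeat('_', 50), 0, 1);
    }
    $pdf->Ln(8);
    $pdf->Cell(40, 10, tr($phrases, $lang, 'sign') . ':', 0, 0);
    $pdf->Cell(0, 10, str_repeat('_', 50), 0, 1);
    return $pdf;
}

// Only accept a language we actually have phrases for; anything else becomes 'en'.
$lang = isset($phrases[$_GET['lang'] ?? '']) ? $_GET['lang'] : 'en';
// Constructed sample of what could be pre-filled from the assurer's session.
$prefill = ['assurer' => 'Example Assurer', 'date' => date('Y-m-d')];
// 'D' sends the PDF to the browser as a download under the given file name.
buildForm($phrases, $lang, $prefill)->Output('D', "cap-$lang.pdf");
```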

So tell me again why we’re such a threat if we’re included!

Recently yet another debacle has unfolded, with Citigroup sending out letters to customers and former customers informing them that their data was lost in transit, an estimated 3.9 million records in all. This is about the 4th such incident in as many weeks to come to light, and the worst to date.

Surely the US banking industry should be losing money over this as karmic retribution for such poor standards in handling private and confidential information, yet this just doesn’t seem to be the case.

So why are we being punished (by not being included) because we might cause harm, when these banks are doing everything they can to look like a fly-by-night operation?

CNN has the full story.