Category Archives: News

News Relating to CAcert

Is the UK now unsafe for encryption?

In the wake of the recent bombings in the UK, police there have asked for additional powers to hold terror suspects for up to three months without charge if they refuse to hand over encryption keys. On the surface this sounds like a good way to respond to recent events, but it is no doubt going to be abused like every other knee-jerk power grab of its kind.

If you are falsely accused and happen to have encrypted files, or software that lets you encrypt things, while being in no way, shape or form involved in or responsible for the recent state of affairs, all I can say is be afraid, be very afraid: http://www.guardian.co.uk/attackonlondon/story/0,16132,1533917,00.html

Massachusetts Software Council’s Open Source Special Interest Group

I attended the Massachusetts Software Council's Open Source Special Interest Group "kickoff" meeting today. I went for two reasons: 1) I am developing a training system using open source software, and 2) Dan Bricklin, the developer of VisiCalc for the Apple series of microcomputers, was a primary sponsor and panel member and I had never met him. If you do not know the history of the microcomputer world, I offer you this VisiCalc-to-basketball analogy: Dan Bricklin scored 70 points and made the game-winning basket from half court, while being triple-teamed, to win both the NCAA and the NBA championships. It was a very interesting event and there were quite a few high-powered executives and developers in the audience and on the panels. For more information on the event, see:

http://oss-sig.softwaregarden.com/blogs/oss-sig/

This group was knowledgeable, experienced and successful. Questions and responses were lively and engaging, well, except once.

Someone asked, in effect:

"Who is looking after the security of our software infrastructure? What is being done to help us manage the trust-ability of our software?"

The question was not answered or commented upon.

Yet another high profile data leak

Hot on the heels of last week's package loss in transit by Citibank comes the announcement that 40 MILLION credit card numbers have been exposed by a cracker who got into CardSystems Solutions, a third-party credit card processing company.

So I must ask once more: why do supposedly open source browser vendors keep spreading FUD that we are such a risk, when for six weeks running the US banking industry has taken black eye after black eye from horrifically escalating breaches of private and financial information?

I'll pose my question again: how can any CA breach even be on par with a major browser security breach? Browser bugs are patched, people are encouraged to upgrade, and life goes on; so why are SSL certificates treated with such religious, and completely incorrect, notions that bear no relation to the world we actually live in? Fair enough, things may have started out very differently, but that isn't the reality we live in today or for the next five years to come.

The short version is that SSL started out as a solution looking for a problem. Along came a few commercial CAs thinking they could rake in millions if not billions by doing annual ID checks; in the end they had to settle for securing the connection in transit and selling snake oil about what was really being protected. After all, the latest example proves yet again that the biggest risk and problem is protecting the endpoints, NOT the connection between them.

So please tell me again why are we such a threat!?

Desperately seeking people willing and able to help with translations

We are desperately seeking multilingual people for a number of reasons. Firstly, the site is mostly complete in five languages other than English, and we'd really like to see the website completed in more languages, since language is a real barrier in many parts of the world and breaking down this barrier is one of our key goals.

The other reason we are after people is to verify translations. Spelling mistakes and mistranslations in legal documents could be a very big problem in future, so it's important that we have as many capable eyes as possible verifying as much documentation as possible. For the verification step we possibly only need people giving feedback in their own language to those helping to translate the website and documents.

One of the big changes of late is being able to produce the CAP (CAcert Assurance Programme) and TTP (Trusted Third Party) PDFs on the fly from PHP code. This means our existing translation infrastructure can also be used to translate these documents and keep them all in sync, rather than requiring translators to produce and handle PDF files whenever anything changes.

The translation of the TTP PDF is especially important to get right, since it will be dealt with by people most likely unfamiliar with CAcert and our practices, and in the past people have been rejected because the documents weren't translated into their country's official language or because the wording made some people uneasy about signing them.

For more information, or if you can help out with any of these things, PLEASE don't be shy: join the translation mailing list and let everyone know what you're willing and able to help with.

Dynamic PDF Forms

Some time ago people were trying to work out how to generate PDFs dynamically on the spot to make assurances go a little smoother: a number of the fields can be filled in automatically, and you can simply set up at a conference or an assurance meeting and print out forms as needed, which is a good idea. However, at the time the only PDF library usable from PHP (PDFlib) needed a commercial licence, and CAcert lacked the funding to pursue it further.

Of late I found myself needing to generate dynamic forms for a customer's billing solution, and I ended up using FPDF, which is free for both commercial and non-commercial purposes. This led me to recall people's requests for this feature for CAcert, and I've spent a bit of time today making it a reality, as it will be beneficial for a number of reasons.

The forms can now be translated in the same manner as the website, so the procedures for tracking and updating phrases in other languages now apply to both the CAP and TTP forms. A number of people have already translated these PDFs into other languages, and further progress is being made as I type this.

This means we no longer need to keep a bunch of PDF forms on hand in numerous languages, and updating the forms in future is now a very easy task: changing the layout or information on one form effectively changes them all, which reduces workloads all round.

You can view the new forms by going here and here.
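As an added illustration (not CAcert's own code), here is how one FPDF layout can serve every language when the phrases come from a translation table and the fields are prefilled from an account record. It assumes FPDF's fpdf.php is on the include path; the phrase ids, field names, the two sample translations and the sample account record are all constructed for this example.

```php
<?php
// Added example, not CAcert's code: one layout, many languages.
// Assumes fpdf.php (FPDF) is on the include path. Phrase ids, field
// names and the translations below are constructed for the example.
require_once 'fpdf.php';

// Stand-in for the site's translation tables: one array per language,
// keyed by phrase id. Only the phrases differ between languages; the
// layout code further down is shared, which is what keeps every
// translated form in sync when the layout changes.
$PHRASES = array(
    'en' => array(
        'title' => 'CAcert Assurance Programme (CAP) form',
        'name'  => 'Full name',
        'dob'   => 'Date of birth',
        'email' => 'Email address',
        'sign'  => 'Signature of applicant',
    ),
    'de' => array(
        'title' => 'CAcert Assurance Programme (CAP) Formular',
        'name'  => 'Vollständiger Name',
        'dob'   => 'Geburtsdatum',
        'email' => 'E-Mail-Adresse',
        'sign'  => 'Unterschrift des Antragstellers',
    ),
);

// FPDF's built-in fonts are single-byte (ISO-8859-1) while site data is
// UTF-8. Transliterate instead of emitting mojibake on the printed form;
// a language outside Latin-1 needs a Unicode TrueType font (e.g. tFPDF)
// rather than this shim.
function to_latin1($utf8) {
    return iconv('UTF-8', 'ISO-8859-1//TRANSLIT', $utf8);
}

// Returns the finished PDF as a string, so the caller decides whether to
// stream it to the browser or write it to disk. Unknown languages fall
// back to English rather than producing a half-translated form.
function render_cap_form($lang, $fields) {
    global $PHRASES;
    $t = isset($PHRASES[$lang]) ? $PHRASES[$lang] : $PHRASES['en'];

    $pdf = new FPDF('P', 'mm', 'A4');
    $pdf->AddPage();
    $pdf->SetFont('Helvetica', 'B', 14);
    $pdf->Cell(0, 10, to_latin1($t['title']), 0, 1, 'C');
    $pdf->Ln(4);

    $pdf->SetFont('Helvetica', '', 11);
    // Prefilled fields: label from the phrase table, value from the
    // account record, or blank for forms printed ahead of an event.
    foreach (array('name', 'dob', 'email') as $key) {
        $value = isset($fields[$key]) ? $fields[$key] : '';
        $pdf->Cell(50, 8, to_latin1($t[$key]) . ':', 0, 0);
        $pdf->Cell(0, 8, to_latin1($value), 'B', 1);   // 'B' = underline
    }
    $pdf->Ln(10);
    $pdf->Cell(50, 8, to_latin1($t['sign']) . ':', 0, 0);
    $pdf->Cell(0, 8, '', 'B', 1);

    return $pdf->Output('', 'S');   // 'S' = return the PDF as a string
}

// Usage: a German form prefilled from a constructed account record.
header('Content-Type: application/pdf');
echo render_cap_form('de', array(
    'name'  => 'Max Mustermann',
    'dob'   => '1970-01-01',
    'email' => 'max@example.com',
));
```

The `Output('', 'S')` form works with both the old (name, destination) and the newer (destination, name) argument order of FPDF. Prefilled values pass through FPDF's own string escaping, so parentheses or backslashes in a name cannot break the PDF text stream; the encoding step is the part that is easy to forget.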

So tell me again why we’re such a threat if we’re included!

Recently yet another debacle has unfolded, with Citigroup sending out letters to customers and former customers informing them that their data was lost in transit, an estimated 3.9 million records in all. This is about the fourth such incident in as many weeks to come to light, and the worst to date.

Surely the US banking industry should be losing money over this, as karmic retribution for such poor standards in handling private and confidential information, yet this just doesn't seem to be the case.

So why are we being punished (by not being included) because we might cause harm, when these banks are doing everything they can to look like fly-by-night operations?

CNN has the full story.

Solving the certificate distribution problem

For a long time now I've realised that one of the biggest problems with PKI, especially in organisations, is the distribution and management of keys and certificates. Now that I actually have some hardware to play with, I've been able to start working on some solutions to this problem.

My first solution to this problem was also my first attempt at coding a PHP-GTK application. One of the benefits of PHP-GTK is its ability to run across many platforms, similar to Java and .NET; the downside was a major lack of decent examples and documentation. I came across numerous "Hello World" style applications and some very, very advanced ones such as the novap2p app, but there was very little in between of the kind I was attempting, so hopefully this will serve as a good demo for others as well as a useful tool for people with hardware crypto devices.

The other downside is the poor GUI design tools. I ended up using Glade, which is by far the worst GUI design tool I've ever used, although I don't know that the full blame lies with Glade; it could have been made so much better, as all the elements are there but some of the defaults are brain-dead.

In any case, and a number of other non-PHP/GTK related issues later, I've posted the app online along with some screenshots on the wiki. It's a very basic app to make it easier to get certificates signed and onto PKI cards, but it works pretty well even if I do say so myself.
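As an added example (not the PHP-GTK application described above), here are the steps that application automates, written with PHP's openssl extension: build a CSR, have it signed, check the returned certificate before touching the card, then hand the DER-encoded certificate to OpenSC's pkcs11-tool. A throwaway CA generated inside the script stands in for the real CA; the subject names, token object id, label and the TOKEN_PIN environment variable are assumptions made for the example.

```php
<?php
// Added example, not the PHP-GTK tool from the post. Assumes PHP >= 7.4
// with the openssl extension, and OpenSC's pkcs11-tool for the final
// hardware step. Subject, token id/label and TOKEN_PIN are illustrative.

// Throwaway CA, constructed for the demo; in reality the CA signs remotely.
function make_demo_ca() {
    $key = openssl_pkey_new(array('private_key_bits' => 2048,
                                  'private_key_type' => OPENSSL_KEYTYPE_RSA));
    $csr = openssl_csr_new(array('commonName' => 'Demo Test CA'), $key,
                           array('digest_alg' => 'sha256'));
    $cert = openssl_csr_sign($csr, null, $key, 1);   // self-signed, 1 day
    return array($cert, $key);
}

// Client side: key pair plus CSR. With a hardware token the key pair is
// generated on the card (pkcs11-tool --keypairgen) and the CSR is built
// through a PKCS#11 engine, so the private key never exists as a file;
// PHP's openssl functions only cover the software-key case shown here.
function make_csr($dn) {
    $key = openssl_pkey_new(array('private_key_bits' => 2048,
                                  'private_key_type' => OPENSSL_KEYTYPE_RSA));
    $csr = openssl_csr_new($dn, $key, array('digest_alg' => 'sha256'));
    return array($csr, $key);
}

// CA side, played here by the demo CA.
function sign_csr($csr, $cacert, $cakey, $days) {
    return openssl_csr_sign($csr, $cacert, $cakey, $days,
                            array('digest_alg' => 'sha256'));
}

// The check to run before writing anything to the card: the returned
// certificate must carry exactly the public key from our CSR (otherwise
// the card ends up holding a certificate that does not match its private
// key) and must be signed by the CA we expected to talk to.
function cert_matches_csr($cert, $csr, $cacert) {
    $csr_pub  = openssl_pkey_get_details(openssl_csr_get_public_key($csr));
    $cert_pub = openssl_pkey_get_details(openssl_pkey_get_public($cert));
    if (!$csr_pub || !$cert_pub || $csr_pub['key'] !== $cert_pub['key']) {
        return false;
    }
    // openssl_x509_verify returns 1 for a valid signature, 0 or -1 otherwise.
    return openssl_x509_verify($cert, openssl_pkey_get_public($cacert)) === 1;
}

// Tokens store certificates as DER; PHP exports PEM, so convert, then
// hand the file to OpenSC. Object id and label are token-specific choices.
function write_cert_to_token($cert, $id, $label, $pin) {
    openssl_x509_export($cert, $pem);
    $der = base64_decode(preg_replace('/-----[^-]+-----|\s+/', '', $pem));
    $tmp = tempnam(sys_get_temp_dir(), 'crt');
    file_put_contents($tmp, $der);
    $cmd = 'pkcs11-tool --login --pin ' . escapeshellarg($pin)
         . ' --write-object ' . escapeshellarg($tmp)
         . ' --type cert --id ' . escapeshellarg($id)
         . ' --label ' . escapeshellarg($label);
    exec($cmd, $output, $rc);
    unlink($tmp);
    return $rc === 0;
}

// Walk-through against the demo CA. The last step needs a real token.
list($cacert, $cakey) = make_demo_ca();
list($csr, $userkey)  = make_csr(array('commonName'   => 'Example User',
                                       'emailAddress' => 'user@example.com'));
$cert = sign_csr($csr, $cacert, $cakey, 30);

if (!cert_matches_csr($cert, $csr, $cacert)) {
    fwrite(STDERR, "refusing to write: certificate does not match our CSR/CA\n");
    exit(1);
}
// A certificate issued for someone else's CSR must be rejected the same way.
list($othercsr, $otherkey) = make_csr(array('commonName' => 'Someone Else'));
if (cert_matches_csr($cert, $othercsr, $cacert)) {
    fwrite(STDERR, "check is broken: foreign CSR accepted\n");
    exit(1);
}
$pin = getenv('TOKEN_PIN');
if ($pin !== false) {
    echo write_cert_to_token($cert, '01', 'cacert', $pin)
        ? "certificate written to token\n" : "pkcs11-tool failed\n";
}
```

The point of `cert_matches_csr` is that a client tool receives the certificate over a network from a CA it has to trust, and a mixed-up or tampered response (a certificate for another key, or one not signed by the expected CA) would otherwise be written to the card as an unusable object that still has to be deleted by hand. Doing the comparison on the exported public key rather than on the subject name also catches the case where two requests share a name but not a key.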

2005 Annual General Meeting

Some of you may be unaware, but we've pencilled in the 3rd of July (for most time zones) as the date of the next AGM. By law we are required to hold an AGM every 12 months.

If you would like to vote on, or be nominated for, any of the board positions you must either become a member or renew your membership by the 1st of July (so we can process things in time for the meeting).

If you would like to become a member, you are encouraged to read our rules, as they cover most if not all questions about membership and board roles; the membership form that needs to be filled out and signed is on the second-last page.

Adobe's PDF editor can digitally sign documents, or you can print the form out, sign it and scan it. Once you have a signed document (with either a digital or a written signature) you need to email it to secretary at CAcert org. All new membership requests received will be dealt with as the first order of business at the next AGM.

Everyone who wants to vote or be nominated for a role is also encouraged to pay for their membership before the AGM, as this will ensure your vote is valid and can be counted.

Membership is only US$10 per year, and if you don't want to become a member but just want to donate some money to CAcert, that is also welcome.

PGP Ruled as Relevant For Criminal Case

This has to be a huge blow for anyone with PGP or virtually any other encryption program on their computer (in fact most computers these days come with cryptographic programs pre-installed). A man found guilty on child pornography related charges was also found to have PGP software on his system, and a court ruled that this was admissible as evidence of intent to commit and/or hide crimes in his case. This has huge ramifications if you are found guilty of a crime and any cryptography software is then found installed on your computer.

It's also worth mentioning that the article points out that the police didn't claim to have actually found anything relevant to their case that was encrypted.

What this amounts to is walking into a shopping centre with a bag and the police concluding that, because you had a bag, you were intending to steal something, without actually finding any stolen goods in the bag.