When Captain CAcert rescues the Notaries of the Round Table

Today we are going on a little journey through time for a current occasion. Are you ready? Then jump into the fountain together with Frog King!

Many, many years ago, when grandmother was still a little girl, it may have been in 1995, a hardworking man named Mark Shuttleworth started a certificate issuing service in his poor parents’ garage, just like CAcert is one.

The name of this service was Thawte. Thawte was a great and important service. It is said that it covered half of the empire at that time. And because he was so old and so wise, he enjoyed some privileges. When Uncle Netscape, the browser, introduced new rules for certificates, Aunt Thawte, considering her age, only had to comply if she wanted to.

Now it was the case in those days that some people would have liked to send letters in an envelope. Good Aunt Thawte said: I have so many envelopes, I will give you some! And everyone who booked a free e-mail address with her got the certificate to wrap the messages as a gift. The Web of Trust was created to ensure that everything was above board and that the big bad wolf didn’t pretend to be one of the seven little goats. There, the letter writers met with the most trustworthy men and women of the entire empire for the knighting.

After the wizard Verisign took over Aunt Thawte’s service in 1999, the Web of Trust’s noble round table was abolished a few years later. Its members were very surprised to be thrown out of the castle just like that, since they had selflessly served the cause as noble knights and notaries.

However, it was a stormy time. And the storm wind blew a big sailing ship with full rigging from New South Wales, a spot of earth on a big island in the middle of the big, wide sea in the New World, across the ocean. Its name was emblazoned in gold letters on the stern: CAcert.

The captain held the wheel with both hands until the ship docked in a safe harbour. Immediately the crew rushed ashore to the desperate notaries and knights of the Thawte Round Table and offered to take them in their ship.

Numerous were those who gratefully accepted this offer, even more so when the captain said that he trusted Aunt Thawte. So it happened that large parts of Thawt’s Web of Trust were integrated into CAcert’s Web of Trust and the Thawte notaries became CAcert assurers. In a special program named Tverfiy, they could have their trust points transferred in 2009. Today, more than a decade later, CAcert is discontinuing the corresponding web site, after a long time since scattered notaries have joined CAcert’s community.

Further reading:
https://wiki.cacert.org/Tverify
https://en.wikipedia.org/wiki/Thawte#Web_of_Trust
old blog posts from the time

“If you don’t use technology consciously, you will be used by it” (40 years of CCC 3)

40 years ago, the Chaos Computer Club was founded in Germany. Steffen Wernéry (middle) was there from the beginning. Today he is no longer active in the front row. He remembers.

You still work in the industry.

Steffen Wernéry: I’m a data protection officer for an operator of anonymised network connections (VPN). I’ve always been less interested in hacking than in hunting for security holes, which others can do better, than in the creative, design side. I first came to computers through my interest in acoustics, photography and video. When I was 20, I did an art project with Bernd Krake in which I transmitted image data by telephone between the Hamburg Kunstverein and the Massachusetts Institute of Technology (MIT).

What about the creative use of technology today?

Steffen Wernéry: Hacking is more necessary than ever. Not in the sense of computer crime, but in the original sense, the critical handling of technology and finding weak points. We are surrounded by unfinished products. Software and hardware have security vulnerabilities, and those who rely on them are quickly finished. Instead of relying on stock and preservation, companies produce technological junk. Even in the literal sense, none of this is environmentally friendly. The products are designed for consumption and to be addictive. People spend less and less time in real life.

Virtual versus real life, I’m surprised that you, as a net activist, see this as a contradiction. Doesn’t one enrich the other?

Steffen Wernéry: Sure, the internet is great if I want to repair my washing machine, if I want to exchange ideas with like-minded people about hobbies or politics, if I want to collect environmental data together with others. But most people sit in a consumption loop, waste their time and think that this is real life. We already said 40 years ago: machines reinforce structures. It happens all by itself. If you don’t use technology consciously, you will be used by it.

Sounds like the CCC has failed.

Steffen Wernéry: The club does what it can. It teaches young people media competence in the project “Chaos macht Schule”. It participates in lawsuits against laws, keeps up the exchange with other institutions. But it is a fight against windmills. That’s why it’s so important to keep some anarchy and fun going. (Questions by Ruth Fulterer)

Starting in 1986, the hackers used a flaw in an operating system to infiltrate other people’s systems and gain access rights there. Computers at the Cern nuclear research centre were among those affected. In 1986, the club newspaper “Datenschleuder” printed an internal complaint about the intruders: “There seems to be a club based in Germany called the ‘chaos club’ whose collective hobby is hacking systems connected to public X25 networks.”

Wernéry and Wau Holland, the club’s leaders at the time, contacted the companies involved and later spoke out to the media when the case became public (above: broadcast from the German TV ARD from 15. September 1987). Then, on his way to a congress where he was to speak about data protection, Wernéry was arrested in France in 1988. He was believed to be an accomplice or even responsible for the hack. The investigators quickly dropped this accusation and he was released. The investigation into his complicity continued for a long time, but in the end came to nothing.

40 years Chaos Computer Club (2)

40 years ago, the Chaos Computer Club was founded in Germany. Steffen Wernéry (on the picture in the middle) was there from the beginning. That’s why he’s already been in prison. Interview.


You soon became the most important figure in the club next to Wau Holland and later wrote the statutes. It says that the club is committed to freedom of information. What does that mean, freedom of information?

Steffen Wernéry: It means the right to freely exchange information. In other words, to communicate in encrypted form, with anyone, about anything, without censorship, without blockades. I find the second part of the statutes particularly important: the CCC is concerned with the effects of technologies on society and individual living beings and promotes knowledge about these developments.

How did you want to achieve all this?

Steffen Wernéry: We organised congresses, meetings and events. We have a magazine, the “Datenschleuder”. Of course, it was also about fun and creativity. What we call in the statutes “promoting the creative-critical use of technology”. We had originally written “hack” in the statutes, but the association register rejected this word because it was not in the Duden dictionary.

It was a hack on the edge of the permissible that made the Chaos Computer Club famous.

Steffen Wernéry: That was in 1984, when the post office had a monopoly on electronic messages. And anyone who wanted to be online had to use a device approved by the post office, which was incredibly expensive. Anyone using untested equipment was liable to a house search and confiscation of the equipment, along with a fine. The user fees for this system, the Internet precursor screen text (BTX), were very high. So the post office, we called them “Gilb”, was the enemy of hate for us. At that time, Wau Holland and I hacked into the BTX access of a Hamburg savings bank and called up a BTX page of the CCC from there, for which we had to pay. By the end of the night, we had booked 135000 D-Mark into our fee account. We made that public. It was embarrassing for the post office, which had claimed that its system was secure. The media jumped on the story. For the first time, data security was a big topic.

What happened next with the CCC?

Steffen Wernéry: That was the beginning of an acceleration. We got new members, there were more and more people on the networks. In 1986, things became more serious. A few people in the club had hacked into Nasa’s computers and sold information to the Soviet secret service KGB. The main participant, Karl Koch, was later found dead. To this day, some say it was suicide, others say it was murder. I myself spent two months in a French prison.

Why?

Steffen Wernéry: At that time, there were hardly any computers on the net. We hackers went where there were networks, for example to the Swiss research centre Cern. That was the European hacker training school. Because there, several people could be on the computers at the same time, chatting online or developing programmes together. Because some of these centres were also used for military purposes, this was quite critical. That’s why there have been investigations since 1986.

How did the trial against you turn out?

Steffen Wernéry: There was never a trial, but the investigations against me lasted 16 years, until 1998, without any result. The Hamburg prosecutor spread the word that I was an East German agent because a picture of Honecker hung in my kitchen. For the French, I was a Nazi because they had found “Mein Kampf” during the same house search. There was also mistrust within the club because of these investigations. It all became too much for me and I quit the front row.

Congratulations: 40 years Chaos Computer Club

40 years ago, the Chaos Computer Club was founded in Germany. Steffen Wernéry was there from the beginning. That’s why he’s already been in prison. Spectacular hacks, even into Nasa’s computers, made the Chaos Computer Club famous in the eighties.

It was seen as a Robin Hood-like hacker gang that is always a little smarter than the powerful and beats them with their own means: the computers . Steffen Wernéry joined shortly after its founding on 12 September 1981 and was at the forefront of the club’s transformation from a nerd regulars’ table to a well-known hacker club.

Today, the club claims to have 8,000 members and hosts one of the world’s largest hacker conventions. The basic philosophy has remained the same: The Chaos Computer Club wants to draw attention to the social consequences of technology and sees hacking as an instrument of enlightenment.

How does your history with the Chaos Computer Club begin?

Steffen Wernéry: It was in 1983 in the left-wing bookshop “Schwarzmarkt” in Hamburg. I had read online that the Chaos Computer Club was meeting there. I hoped to be able to exchange passwords there.

Swap passwords?

Steffen Wernéry: The internet didn’t exist back then, only individual computers on the telephone network. When you found other computers, you wanted to have a look at them. For example, into databases or via the computers of newspapers to the news of agencies in the USA. And the passwords were exchanged with each other.

And did you get any?

Steffen Wernéry: Unfortunately, no. I had to find out that no one from the Chaos Computer Club was online yet. Nevertheless, the visit changed my life. Because I met the founder of the club, Wau Holland. He talked about the computer not only being for the administration and surveillance of citizens. Citizens themselves should use it, for exchange and transparency. He wanted the machine-readable government instead of the machine-readable citizen. That made sense to me. From then on, I was in.

Signature server back in operation

Retour en fonctionnement du serveur de signature

Le serveur responsable de signer à la demande les certificats émis par CAcert dispose de deux disques durs, en redondance l’un de l’autre. Lorsqu’un dysfonctionnement se produit, aucune maintenance à distance n’est possible, car la machine n’est intentionnellement pas branchée au réseau. Seul un câble série permet d’échanger requêtes et réponses avec le reste de notre infrastructure. Aucune connexion n’est possible par ce moyen.

Or, depuis le 2 Août, nous observions la mise en attente de toutes les demandes de signature de certificats. L’équipe des infrastructures critiques est donc intervenue sur site ce 21 Août. Un problème dans le traitement d’un des certificats était la cause du blocage. Ce problème est résolu, mais reste à diagnostiquer avec précision. Il s’agit d’une série d’incidents que nous n’avions jamais vus auparavant.

Compte tenu des deux autres incidents intervenus plus tôt cette année, liés au système de fichiers de notre serveur de signature, nous devions accroitre sa résilience. Aussi, ce 21 août, l’équipe des infrastructures critiques a installé dans le rack un second serveur de signature, comme secours passif du premier. La présence de liens série dédiés vers chaque machine permettra à l’avenir de basculer très rapidement sur le second serveur de signature, en cas de nouveau problème. Dans tous les cas, les deux serveurs restent comme auparavant isolés du réseau.

Nous prions nos membres de nous excuser pour ces dysfonctionnements, et encourageons ceux résidant en Hollande où dans sa proche périphérie, à envisager de s’associer au travail de notre équipe des infrastructures critiques, ce qui augmenterait notre capacité d’intervention rapide.

Simultanément, nous espérons que l’intervention d’hier marque la fin de cette longue et exceptionnelle série.

English version

The server responsible for signing certificates issued by CAcert on demand has two hard disks, redundant to each other. When a malfunction occurs, no remote maintenance is possible, as the machine is intentionally not connected to the network. Only a serial cable is used to exchange requests and responses with the rest of our infrastructure. No connection is possible by this means.

However, since the 2nd of August, we have been seeing all certificate signing requests being put on hold. The Critical Infrastructure team therefore intervened on site on the 21st of August. A problem in the processing of one of the certificates was the cause of the blockage. This problem has been solved, but remains to be precisely diagnosed. This is a series of failures that we have never seen before.

In light of the two other incidents earlier this year related to the file system of our signature server, we needed to increase its resilience. So on 21 August, the Critical Infrastructure team installed a second signature server in the rack as a passive backup to the first. The presence of dedicated serial links to each machine will make it possible in future to switch very quickly to the second signature server in the event of a new problem. In any case, the two servers remain isolated from the network as before.

We apologise to our members for the inconvenience, and encourage those living in or near the Netherlands to consider working with our Critical Infrastructure team, which would increase our ability to respond quickly.

At the same time, we hope that yesterday’s intervention marks the end of this long and exceptional series.

Backlog in the delivery of certificates

Unfortunately, there has been a backlog in the delivery of renewed and new certificates in Signer. The Critical Team cannot solve this remotely. A visit to the data centre is planned for next Monday. The stuck certificates should then be delivered. We are sorry that there has been a disruption again.

Im Signer ist es leider zu einem Stau der Auslieferung erneuerter und neuer Zertifikate gekommen. Das Critical Team kann dies nicht per Fernwartung lösen. Ein Besuch des Rechenzentrums ist am kommenden Montag geplant. Die feststeckenden Zertifikate sollten anschliessend ausgeliefert werden. Es tut uns Leid, dass es erneut zu einer Störung gekommen ist.

Expanded support

Heat, floods, hurricanes and other unplannable events quickly lead to delays. We are proud that, despite everything, the handover of the keys to support went smoothly yesterday and the new volunteers now have access to the relevant systems to assist the existing team.

On the allegorical picture you can see Joost handing over the access rights to Aleš, Matthias and David. Also present: Critical Admin, President and Secretary.

Deutsch: Support verstärkt

Hitze, Hochwasser, Hurrikane und andere unplanbare Ereignisse führen schnell zu Verzögerungen. Wir sind stolz darauf, dass trotz allem die Schlüsselübergabe beim Support gestern geklappt hat und die neuen freiwilligen Mitarbeiter ab sofort Zugang zu den relevanten Systemen haben, um das bestehende Team zu unterstützen.

Auf dem allegorischen Bild seht ihr Joost, der Aleš, Matthias und David die Zugriffsrechte überreicht. Mit von der Partie: Critical Admin, Präsident und Sekretär.

New signer proves itself in use

EN: Signer is running again

DE: Signer ist wieder in Betrieb

FR: Signataire fonctionne à nouveau

ES: Firmante vuelve a funcionar

IT: Firmatario è di nuovo in funzione

The signer has been running again since yesterday, Friday, around 13:00 CEST. We then (while we were doing other work) watched the processing for about another hour… Around 0:30 CEST all outstanding certificate requests (~3000) were processed.

Things didn’t quite go as planned in June. As soon as something cannot be done remotely – there is no remote access to critical systems for security reasons – someone who is authorised to do so has to go the data centre in the Netherlands. Despite Corona, quarantine, floods, overtime at the company and whatever else comes up. That’s maybe two hours. Then two hours home again and in between the actual work. During the opening hours of the data centre, in your free time and paying for your own train ticket or petrol. It’s not always easy to reconcile all that. On Friday afternoon, however, the time had come and the Signer has now been running smoothly again for over a day.

As can be seen from the Critical Team’s plan published yesterday, preliminary work is already underway to make the system redundant throughout and even more robust, so that failures should no longer be noticed by users, because no one is interested in such failures! We are very sorry that you had to wait so long. At the same time, we thank the small core team who have sacrificed nights and weekends over the last five weeks to get the technology back up and running for the CAcert community!

Datacenter-Visit on 2021-07-16 *UPDATE*

The activation of signer machine was successful, all pending certificates were processed in the last hours.

Short version: There is a visit at the datacenter planned to enable the signer again (and do some other maintenance there).

Long version:

Unfortunately it was not possible to get the signer back to work again during the last visit due to a hardware-issue with the harddrive.

To get the server running on the (pre-)created backup drive did fail, too …

Therefore we took the time during the last weeks (when it was not possible to visit the datacenter due to different business and personal reasons) to rebuild a test-environment on spare hardware and to train ourselves.

We should now be able to do the necessary steps to bring back the signer machine to work.

In the background we’re currently adjusting our processes to make it easier to visit the datacenter during out-of-office-times (as every trip to the datacenter takes several hours additionally to the time we’re working at the servers).

In future we plan to set up an additional confuguration, which can take over in case of a failure in the datacenter, but this will still take time. However: The exact procedure needs to be worked out as the machines are not to be connected to the internet, but need to communicate (e.g. for CRL-creation, certificate serial numbers etc.).

Protect yourself and your computer!

Français | Deutsch | English

Protégez-vous et protégez votre ordinateur!

Un certificat de CAcert protège contre les dangers sur Internet. En choisissant CAcert, vous avez fait un bon choix, car ici, vous n’espérez pas simplement que le prestataire le fera déjà bien, mais en tant que membre de la communauté CAcert, vous avez toutes les possibilités: Vérifiez notre travail – ou mieux encore: coopérez vous-même, car à qui pouvez-vous faire confiance plus qu’à vous-même et à vos plus proches collaborateurs!

Malheureusement, il existe des dangers contre lesquels vous ne pouvez pas vous protéger avec nos certificats. Les inondations, par exemple, ou les virus corona. Au rez-de-chaussée du siège de CAcert Inc. à Genève, en face de la gare des Eaux Vives, se trouve un grand centre de tests et de vaccination. Ici, vous pouvez obtenir immédiatement une protection X.509 et Covid-19.

Pour que les assurances redeviennent plus faciles et que nous puissions nous rencontrer à nouveau en personne lors d’une conférence prochainement: Protégez-vous avec un masque, gardez distance et respectez l’hygiène. Et: Faites-vous vacciner! Les deux, CAcert et Covid-19 nécessitent deux rendez-vous.*

*avec des assureurs expérimentés avec au moins 25 points, sinon cela peut être plus. La protection Covid se déploie 10 jours après la deuxième vaccination.

Schützen Sie sich und Ihren Computer!

Ein Zertifikat von CAcert schützt vor Gefahren im Internet. Mit der Wahl von CAcert haben Sie eine gute Wahl getroffen, denn hier hoffen Sie nicht einfach, dass der Anbieter es hoffentlich schon gut macht, sondern Sie haben als Mitglied der CAcert-Gemeinschaft alle Möglichkeiten: Überprüfen Sie unsere Arbeit – oder noch besser: arbeiten Sie selber mit, denn wem kann man mehr vertrauen, als sich selbst und seinen engsten Mitarbeitern!

Leider gibt es Gefahren, gegen die man sich mit unseren Zertifikaten nicht schützen kann. Überschwemmungen zum Beispiel oder Coronaviren. Im Erdgeschoss des Hauptsitzes des Trägervereins CAcert Inc. in Genf befindet sich ein grosses Test- und Impfzentrum. Hier bekommen Sie gleich beides X.509 und Covid-19-Schutz.

Damit Assurances wieder einfacher werden und wir uns demnächst wieder an einer Konferenz persönlich treffen können: Schützen Sie sich mit Maske, Abstand und Hygiene. Und: Lassen Sie sich impfen! Sowohl bei CAcert als auch bei Covid-19 braucht es zwei Termine.*

*mit erfahrenen Assurern mit mindestens 25 Punkten, sonst können es mehr sein. Covid-Schutz entfaltet sich 10 Tage nach der zweiten Impfung.

Protect yourself and your computer!

A certificate from CAcert protects you from dangers on the Internet. By choosing CAcert you have made a good choice, because here you are not simply hoping that the provider will already do it well, but as a member of the CAcert community you have all the options: Check our work – or even better: work with us yourself, because who can you trust more than yourself and your closest colleagues!

Unfortunately, there are dangers against which you cannot protect yourself with our certificates. Floods, for example, or corona viruses. On the ground floor of the headquarters of CAcert Inc. in Geneva there is a large testing and vaccination centre. Here you can get both X.509 and Covid-19 protection at once.

So that assurances become easier again and we can meet again in person at a conference soon: Protect yourself with mask, distance and hygiene. And: get vaccinated! Both CAcert and Covid-19 require two appointments.*

*with experienced assurers with at least 25 points, otherwise it may be more. Covid protection unfolds 10 days after the second vaccination.