Author Archives: Duane

CAcert Portable Verification Device (PVD)

For the Ohio Linuxfest we had a number of portable verification devices (aka coffee mugs), made up as donationware items. We over estimated the demand and we have a quantity of these left over and are offering them primarily for those in the US (due to postage costs).

We’re offering these mugs for a minimum donation of $10 (unless you want to pick up in the Columbus area or donate more money), the cost break down is $5 for the mug, and $5 is to cover banking fees and postage.

PVD action shot
PVD Logo

Problems with the current location database

As of about 5 minutes ago I put the finishing touches on code to allow people to make changes to the location data.

This includes being able to move locations between regions, adding and deleting locations and adding and deleting regions.

If you delete a region it will also delete any locations hanging off it.

So those making changes should only use deletes as a last resort as this has implications for users that have selected a location for their location.

Moving a location between regions will not have any impact on users as the region will be updated for all users etc.

The plan is to also replace the current system of listing yourself, you will simply be able to type in your location and hopefully the system will be able to narrow it down so this should be a lot quicker and more efficient. Also finding assurers will gain the same ability to type in a location and the system will in turn the system will display the closest 100 assurers.

Currently people store their location against their user record, I’m planning to split this off into it’s own table so users can store multiple locations.

Need Volunteers for the SoCal Linux Expo

I’ve been asked for volunteers to attend the SoCal Linux Expo which is on between the 11th and 12th of Feburary 2006. We’ve been offered a booth and so we are looking for a couple of people to sit on it. We (CAcert Inc) can put funding toward this to cover flights, transfers to and from the airport and hotel accomodation during the Expo.

The conditions for funding is you must currently have 100 assurance points (ie be an assurer), you must be willing to sit on the booth for the majority of the time (10am till 4pm minimum), and preference will be given to those that already have assurances under their belts and/or manned a CAcert booth at other conferences even if it costs a little more for their flights.

Any questions or for further information please email me directly, but there needs to be a decision made on this as soon as possible to ensure people that fly in will have a place to stay etc close to the conference.

Need Volunteers for Apache Con 2005

We’re currently looking for up to 2 people on the North American continent, close to San Diego would be an advantage to us, as we need people to man a CAcert booth for at Apache Con 2005 (10th to the 14th of December), we (CAcert Inc) can allocate some funding that can be used to cover flights/accommodation/other expenses (printing etc).

As always there is a couple of catches, firstly you must currently have 100 assurance points (ie be an assurer), you must be willing to sit on the booth for the majority of the time (10am till 4pm minimum), and preference will be given to those that already have assurances under their belts and/or manned a CAcert booth at other conferences even if it costs a little more for their flights.

Of course the benefit is that you end up getting to spend some time in warm and possibly sunny Southern California during the North American winter ­čÖé

Any questions or for further information please email me directly, but there needs to be a decision made on this as soon as possible to ensure people that fly in will have a place to stay etc close to the conference.

Time for the paranoid to start upgrading keys

MathWorld News is reporting that RSA-640 has been factored. F. Bahr, M. Boehm, J. Franke, and T. Kleinjung, memebers of the German Federal Agency for Information Technology Security (BSI) announced they had cracked the 193-digit number last Friday using the General Number Field Sieve. The team purportedly used 80 opteron CPUs and 5 months to achieve victory.”

I realise that 1024bit keys are exponentially bigger then 640bit, however this shows that the time to crack 1024bit keys are getting awfully close to useless when dealing with material that needs a longish life span, not to mention some of the root certificates in browsers are still 1024bit, and even if it took these guys 5 times as long, those certificates are still going to be valid when they get finished.

And people complained about the 4096bit certificate CAcert uses ­čÖé (well complained because not all apps supported key sizes bigger then 1024bit!)

PS found this website, which gives a break down of how long you can expect varying keylengths to be good for.

Properly securing wireless networks on the cheap

In part the reason CAcert exists is because very early on I realised how much a waste of time many of the security features that existed in the devices at the time (and even now still to a large extent).

Later on 802.1x came into the picture, but that has numerous complications with prerequisites with requiring you to setup RADIUS depending how you decide to go about configuring everything.

It’s worth noting that over the last few years the prices on access point routers have been dropping to the point that they can be now had in Australia for about the AU$100 price point (about US$50-70), the other interesting thing to note is that a number of companies making these devices ended up using linux on them rather then writing a custom OS which in turn lead to them being forced to release source code under provisions in the GPL.

This is where things start to get very interesting because on one hand we have cheap off the shelf small form factor devices and on the other we have th complete source code and tools to make customised firmware versions. These two events lead some smart cookies to take the sources and build up some amazing functionality along the way by taking software in the world of linux software.

So a long story short this is good news for people looking to better secure their wireless network and in such an easy and simplistic manner, via OpenVPN and these embedded devices, OpenVPN is a great choice because it seems as good as IPSec in terms of security, unless you happen to have state secrets to guard and I’m sure there are better options available from commercial vendors.

I’ve just spent the last couple of days experimenting with a Linksys WRT54G and managed to string together a guide on setting up a wireless access point router with OpenVPN and getting a linux laptop to talk to it as well.

Complete failure of Oracle security response and utter neglect of their responsibility to their customers

The following was posted to the bugtraq mailing list:

Dear security community and Oracle users,
Many of my customers run Oracle. Much of the U.K. Critical National Infrastructure relies on Oracle; indeed this is true for many other countries as well. I know that there’s a lot of private information about me stored in Oracle databases out there. I have good reason, like most of us, to be concerned about Oracle security; I want Oracle to be secure because, in a very real way, it helps maintain my own personal security. As such, I am writing this open letter.

Extract from interview between Mary Ann Davidson and IDG

IDGNS: “What other advice do you have for customers on security?”

Davidson: “Push your vendor to tell you how they build their software and ask them if they train people on secure coding practices. ”

Now some context has been put in place I can continue.
Continue reading

Dutch to Open Electronic Files on Children

“The Dutch government plans to open an electronic file on every child at birth as a tool to spot and protect the troubled kids of the future. All citizens will be tracked from cradle to grave in a single database – including health, education, family and police records.”

http://news.yahoo.com/s/ap/20050913/ap_on_re_eu/netherlands_child_files

—–

These kinds of articles always raise red flags with me when governments propose something that has the potential to be very unpopular as “benefiting” children.

This was posted to slashdot and the first few comments included:

– paedophiles wet dream
– WWII was fought to prevent this kind of overarching governmental reach and it’s occurring anyway
– several credit card gateways cracked recently leaking millions of records how would this be any better if it’s actually going to be useful across all govt agencies…

At this point if I were a citizen I’d firstly be very concerned, and then be very angry about this kind of thing, and if it goes through in the Netherlands it’s just as likely to be pushed in other countries.

Request for Enhancement

Someone has posted a RFE (Request for enhancement) to the Novell/Sse bugzilla to include CAcert’s root in software distributed by Novell/Suse.

Ohio Linux Festival

October 1st 2005 – Ohio Linux Festival to be held in Columbus Ohio, there will be more then enough assurers on hand to get full points. Free registration so no excuses for anyone in the region not attending!

Look for the large CAcert banner we sneak up!