Archive for the ‘unanswered’ Category

Colliding X.509 Certificates for Different Identities

2007/10/26/1449

RTFA: http://www.win.tue.nl/hashclash/TargetCollidingCer…

Our construction requires that the two colliding certificates are generated simultaneously. Although each resulting certificate by itself is completely unsuspicious, the fraud becomes apparent when the two certificates are put alongside, as may happen during a fraud analysis. An attacker can generate one of the certificates for a targeted person, the other one for himself, and attempt to use his own credentials to convince an external and generally trusted CA to sign the second one.
If successful, the attacker can then distribute the first certificate, which will be trusted by relying parties, e.g. to encrypt messages for the targeted person. The attacker however is in control of the corresponding private key, and can thus decrypt confidential information embedded in intercepted messages meant for the targeted person. Or the attacker can masquerade as the targeted person while signing messages, which will be trusted by anyone trusting the CA. In this scenario it does not matter whether the two certificates have different public keys (as in our example) or identical ones (in which case the colliding blocks would have to be hidden somewhere else in the certificate).
A problem is, however, that the CA will register the attacker’s identity. As soon as a dispute arises, the two certificates will be produced and revealed as colliding, and the attacker will be identified. Another problem is that the attacker must have sufficient control over the CA to predict all fields appearing before the public key, such as the serial number and the validity periods. It has frequently been suggested that this is an effective countermeasure against colliding certificate constructions in practice, but there is no consensus how hard it is to make accurate predictions.
When this condition of sufficient control over the CA by the attacker is satisfied, colliding certificates based on chosen-prefix collisions are a bigger threat than those based on random collisions. Obviously, the attack becomes effectively impossible if the CA adds a sufficient amount of fresh randomness to the certificate fields before the public key, such as in the serial number (as some already do, though probably for different reasons). This randomness is to be generated after the approval of the certification request. On the other hand, in general a relying party cannot verify this randomness. In our opinion, trustworthiness of certificates should not crucially depend on such secondary and circumstantial aspects. On the contrary, CAs should use a trustworthy hash function that meets the design criteria. Unfortunately, this is no longer the case for MD5, or SHA-1. We stress that our construction (we prefer this wording to ‘attack’) is not a preimage attack.
As far as we know, existing certificates cannot be forged by chosen-prefix collisions if they have not been especially crafted for that purpose. However, a relying party cannot distinguish any given trustworthy certificate from a certificate that has been crafted by our method to violate PKI principles. Therefore we repeat, with more urgency, our recommendation that MD5 is no longer used in new X.509 certificates. Similar work [1] is in development for the SHA-1 hash function, so we feel that a renewed assessment of the use of SHA-1 in certificate generation is also appropriate.

Wow! I know this paper was distributed 8 months ago, but holy shit! In case you don’t know about X.509, it’s the standard that the entire SSL trust infrastructure is built on. X.509 describes what fields need to appear in an SSL certificate, and it’s in relying on these SSL certificates that a web browser (e.g. IE) decides if a secure (HTTPS) connection is forged or not.

So today, I was attempting to validate the SSL certificates involved in a particular communication. I visited https://www.verisign.com to see how their signing chain looked, because I assumed this would be a good example. On Verisign’s site, the chain starts with a Generation One (G1 - a Verisign marketing term, I think) Public Primary Certificate Authority (PCA). Some PCAs (around 100, at the moment) are trusted enough that they ship directly with web browsers. The private keys that correspond to those public PCAs are well-guarded. Verisign has a bunch of these public/private PCA key pairs, and one is used to start the chain that secures verisign.com. I already had it, since it came with Opera.

The next item in the chain was a G5 PCA, which was directly signed by the G1 PCA. Although the G5 PCA isn’t shipped with Opera, it is trusted because the G1 PCA is trusted; the G1 PCA extends trust through its signature on the G5 PCA.

The G5 PCA was used to sign another CA that appears to be used only for SSL certificates. The trust from the G1 PCA, which flows through the G5 PCA, extends to the SSL CA. Ultimately, the SSL CA is used to sign the verisign.com certificate. That’s why my browser “trusts” verisign.com. So, the verisign SSL chain looks like this:

G1 PCA signs ITSELF, which signs G5 CA, which signs SSL CA, which signs verisign.com

Next, I looked at the SSL signing chain for a site that I was suspicious of. The other site’s chain looks like this:

G5 CA signs ITSELF, which signs SSL CA, which signs othersite.com

Because the G5 CA doesn’t ship with Opera, I don’t trust it unless I go out of my way to download, install, and trust that certificate. I actually did this, by locating the key on the Verisign website based on its “signature.” It’s not very hard to add SSL certificates to Opera, but there are a few problems with the process.

For example, unless I trust that my nameserver will correctly resolve the Verisign website, I cannot trust that I am actually getting a good copy of the certificate. Also, I must trust that verisign’s web servers are secure enough to guarantee that I am getting a trustworthy copy of the certificate.

Finally, there’s the proof of concept in the paper above, which suggests that it’s possible to tamper with X.509 certificates. Basically, this leaves open the possibility that the site I am connecting to is using a separate public keychain, which somehow is called by the same name, but which is self signed instead of G1-signed. In the case that a separate keychain is in use, the communication could conceivably be compromised…

So how to verify if it’s good or not? I don’t trust the self-signed certificate as much as the G1-signed certificate. …so do I trust it at all?
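The three things worth checking here, as an added example that is not from the HashClash paper or this post: how much serial-number entropy sits in front of the public key (the paper’s countermeasure), which hash the signature uses (MD5 and SHA-1 are out), and whether the chain ends at a root in your own trust store rather than at some self-signed certificate with a familiar name (the G5-signs-itself case above). It uses the openssl CLI to build a throwaway chain in the shape of the verisign one; all names are made up, and the issuing CA is given a deliberately small serial so the first check has something to flag.

```shell
#!/bin/sh
# Added example, not from the HashClash paper or the blog. Builds a toy chain in the
# shape of the post (root -> issuing CA -> site) with the openssl CLI, plus the
# "other site" variant where the issuing CA is merely self-signed, then applies the
# three checks a relying party cares about. All names are made up; the issuing CA
# gets a deliberately small serial so the serial check has something to flag.
set -eu
W=$(mktemp -d); cd "$W"
q() { "$@" >/dev/null 2>&1; }   # run a command quietly

mkkey() { q openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1"; }
mkkey root.key; mkkey ca.key; mkkey site.key
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
# Self-signed root (req -x509 gives it a random serial by default).
q openssl req -x509 -new -key root.key -subj "/CN=Example Root CA" -days 30 -out root.crt
# Issuing CA signed by the root, serial fixed to 42: everything before the key is predictable.
q openssl req -new -key ca.key -subj "/CN=Example Issuing CA" -out ca.csr
q openssl x509 -req -in ca.csr -CA root.crt -CAkey root.key -set_serial 42 -days 30 \
    -extfile ca.ext -out ca.crt
# The same issuing CA key, but self-signed: the "other site" chain from the post.
q openssl req -x509 -new -key ca.key -subj "/CN=Example Issuing CA" -days 30 -out ca-self.crt
# Site certificate signed by the issuing CA key; -CAcreateserial picks a random serial.
q openssl req -new -key site.key -subj "/CN=www.example.test" -out site.csr
q openssl x509 -req -in site.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 30 -out site.crt
cp root.crt trust.pem   # what the browser shipped with: only the root

# Check 1: bits of serial number in front of the public key (4 per hex digit).
serial_bits() {
    hex=$(openssl x509 -in "$1" -noout -serial | sed 's/^serial=//')
    echo $(( ${#hex} * 4 ))
}
# Check 2: signature hash. The paper says MD5 and SHA-1 no longer meet the design criteria.
sig_hash_ok() {
    case "$(openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -1)" in
        md5*|sha1*) return 1 ;;
        *) return 0 ;;
    esac
}
# Check 3: does the chain end at a root in OUR store, not merely at some self-signed cert?
chain_trusted() {   # $1 = leaf, $2 = intermediate(s), $3 = trust store
    q openssl verify -CAfile "$3" -untrusted "$2" "$1"
}

echo "issuing CA serial bits: $(serial_bits ca.crt) (want >= 64)"
sig_hash_ok ca.crt && echo "issuing CA signature hash: ok"
chain_trusted site.crt ca.crt trust.pem && echo "root-signed chain: trusted"
chain_trusted site.crt ca-self.crt trust.pem || echo "self-signed chain: not trusted by our store"
chain_trusted site.crt ca-self.crt ca-self.crt && echo "self-signed chain: trusted only after installing ca-self.crt"
```

The last two lines are the post’s dilemma in miniature: the self-signed chain verifies only once you have chosen to put that certificate in your store yourself, which is exactly the step the nameserver and web-server caveats apply to.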

San Jose Mercury News - Congress shouldn’t cripple warrantless wiretapping suit

2007/10/16/1228

RTFA: http://www.mercurynews.com/opinion/ci_7175561?ncli…

Since 2001, the Bush administration and America’s leading telecommunications carriers have been blatantly violating the law and the privacy of millions of Americans. Working together, they have engaged in a comprehensive and insidious warrantless dragnet surveillance program that ignores the careful legal safeguards set forth by Congress. Under this program, the carriers intercept and disclose to the government the telephone and Internet communications of millions of their customers, along with detailed records about customers’ communications.
Since January 2006, the Electronic Frontier Foundation has been litigating Hepting vs. AT&T, a case arising from AT&T’s participation in the illegal surveillance. The case is brought on behalf of all of AT&T’s customers to stop the ongoing conduct and to hold the company responsible in order to compensate the millions of ordinary Americans who have been affected. This should also serve to discourage the telecom giant from agreeing to such illegal schemes in the future.

But if you’ve done nothing wrong, then what do YOU have to worry about? Well, if you are still worried about people committing crimes AGAINST you, then I don’t suppose you need to be concerned by your personal activities, at all. Instead, it’s the actions of others that might concern you. We express such concerns about the behavior of others as LAW, and we extend legal authority to certain individuals in order that they might “stop” people who break the laws.

Although I’ve done nothing wrong (and therefore shouldn’t be concerned that my phone calls are monitored), I am still concerned by this monitoring activity, because such activity is illegal, and I AM concerned about the illegal actions of others. We can debate whether or not this monitoring SHOULD be illegal, but as it stands, we’re just at the point of being concerned about it.

It’s okay to be concerned that the US government is monitoring its citizens. Before this point, it wasn’t obvious that such eavesdropping took place. Prior to 2001, if you were simply AFRAID that the government might be monitoring you, then unless you had proof, you were merely PARANOID. Now it is no longer a matter of paranoia. Now that the issue has been dragged out into the public for all US citizens to consider, what is the consensus?

We must ask ourselves as a nation:

1. are we confident that we can maintain a free society without private communication?
2. when members of our government violate the law we created, can we successfully seek justice using existing legal structures? Are we free to petition our government for redress of grievances?
3. without transparency in government, can we maintain a free and democratic society?

It’s a little unpleasant to consider, but this is the situation we have been thrust into.

Mysterious energy burst stuns astronomers

2007/10/08/0848

RTFA: http://www.physorg.com/news110194718.html

“This burst appears to have originated from the distant Universe and may have been produced by an exotic event such as the collision of two neutron stars or the death throes of an evaporating black hole,” said Duncan Lorimer, Assistant Professor of Physics at West Virginia University (WVU) and the National Radio Astronomy Observatory (NRAO). The research team led by Lorimer consists of Matthew Bailes of Swinburne University in Australia, Maura McLaughlin of WVU and NRAO, David Narkevic of WVU, and Fronefield Crawford of Franklin and Marshall College in Lancaster, Pennsylvania. The astronomers announced their findings in the September 27 issue of the online journal Science Express.

Huh? Blast of energy in the middle of the Pacific - that sounds familiar, but I thought there were treaties against it.

Elections Say the Darndest Things: Lieberman Senate Opponents Receive Exact Same Number of Votes in 2006 as in 2000…

2007/09/25/1450

RTFA: http://www.bradblog.com/?p=3778

At the risk of stoking conspiracy theories, which I have no interest in doing, I have absolutely no idea what to make of this. Though it seems worth putting out there nonetheless. Make of it what you will…

Like the guy said, make of it what you will. This first broke at the end of 2006, but Lieberman is back in the news about his Iran, erm, proposal.

YouTube - Analysis of tasered UF student; hushed talk

2007/09/20/0925

RTFA: http://www.youtube.com/watch?v=hOlmNBxke-E

Taser: A story of hushed talk and hand signals.

Interesting video! This clearly depicts that, at a certain point, a plainclothes individual tells the police when to assault the kid. It seems to be the Skull and Bones question that made them cut his microphone. That was what made them decide to tackle him.

The decider

So who, exactly, is this guy? The decider. He knows when you’ve used up all your free speech.

Czech speedway rider knocked out in crash wakes up speaking perfect English | the Daily Mail

2007/09/19/1348

RTFA: http://www.dailymail.co.uk/pages/live/articles/new…

When Matej Kus’s teammates heard him talking after he was knocked out in a speedway accident, they were relieved he was conscious.

But they were also a little surprised.

For although the 18-year-old Czech knew only the most basic English phrases, he was conversing fluently in the language with paramedics.

Er? This definitely warrants closer inspection.

YouTube - Egg on Odd end(part3)

2007/09/19/1154

RTFA: http://www.youtube.com/watch?v=ALxA34r9sE8

Ever heard of the myth of standing up an egg on summer solstice? There are many who dispute it saying it can be done with “persistence” and “enough practice and skill” any day of the year. That’s fine, I did with one shot on the summer solstice… so did my buddy Ian… It’s up to you to decide…

Hmmm… yeah, this is weird - has anyone done this NOT on a solstice?

Indent style - Wikipedia, the free encyclopedia

2007/09/14/1035

RTFA: http://en.wikipedia.org/wiki/Indent_style#K.26R_st…

The Allman style is common, and is named after Eric Allman. It puts the brace associated with a control statement on the next line, indented to the same level as the control statement. Statements within the braces are indented to the next level.

while (x == y)
{
    something();
    somethingelse();
}
finalthing();

This style is similar to the standard indentation used by the Pascal programming language and Transact-SQL, where the braces are equivalent to the “begin” and “end” keywords.

Meh - not to get overzealous about the topic, but I think this is the easiest to read and write.
