Categories
Pet Peeves

Dear Microsoft, I have a simple request.

While messing around with X.509 certificates I not only encountered Umlauts, but Extended Validation Certificates as well. All nice and dandy, but these contain special OIDs in the subject field which openssl does not know the name.

Googling around I found a few references to their names, but no definitive source (especially for a short-name).

Anyway, the OIDs in question are under 1.3.6.1.4.1.311.60.2.1. So who is responsible for that OID tree? First step IANA, where we find the OID registry, which tells us:

SMI Private Enterprise Codes: Prefix: iso.org.dod.internet.private.enterprise (1.3.6.1.4.1) See http://www.iana.org/assignments/enterprise-numbers

which I do and where I find that enterprise-number 311 was assigned to Microsoft. They have a nice knowledge-base article which lists some Object IDs, but no information on the subtree ’60’.

So dear Redmond, what about an update to that page?

Categories
Pet Peeves

Scaremongering with graphs

Newspapers often enough publish graphs which give wrong impressions on what the numbers behind the diagram actually mean. The usual culprit is a y-axis which does not start with 0, thus visually inflating any trend/changes in the data.

This week I stumbled upon something else:

kleine zeitung diagram

The article was all about “Do we have to expect more extreme weather in the future thanks to global warming?”. The expert they interviewed kind of rejected the premise that we can deduce anything from one year’s weather. But they wanted to have a scary graph in the article, so they came up with this one.

So what’s wrong? If you compare the temperature and precipitation graphs of one year with the long-term averages, then it’s almost a given that the current year will look more extreme than the averages.

The comparison might make sense if you argue that 2009 is colder/warmer/wetter/dryer than the average year, but for comparing weather variance, this is completely worthless.

Categories
Internet Pet Peeves

Zeger reitet wieder

Um sein Geschäft mit X.509 Zertifikaten anzukurbeln, schreibt er eine Pressemeldung, die auch prompt von der Fuzo übernommen wird.

Es scheint um X.509 Zertifikate für SMTP/STARTTLS zu gehen, also die Verschlüsselung des Transportweges beim Mailversand.

Was ist da dran alles falsch?

Categories
Pet Peeves

a-trust

I’m usually a quite peaceful guy, but whenever I need to interact with an A-trust product or their website, I get this urge to kick someone.

Hard.

In this case I wanted to send an encrypted mail to an user of the Austrian Citizen Card. For that, I need the X.509 cert for that person.

The first obstacle was the non-graceful degradation of the a-trust website if you have disabled javascript (or, in my case, use NoScript in Firefox). Okay, once I cleared that hurdle, I got a list of 6 or 8 keys for my recipient. The list doesn’t show which keys are ECC and which are RSA, and trying to download them gave me:

a trust fail

for single certs and

a trust fail2

for chains.

Good work, folks.

Categories
Pet Peeves System Administration

Broadcom woes

The company laptop (Windows XP) of my wife came with the Broadcom software for controlling the Wifi settings.

I’ve already had so many troubles getting that box to talk WPA to my local WLAN at home (an OpenWrt Kamikaze running on an Alix box) that I switched back to WEP.

Last week I tried to get the Broadcom junk to talk WPA to the Linksys ADSL/WLAN CPE at my mother’s place. No go. Just once, for a few seconds it managed to get the TKIP key. Most of the time it failed to negotiate an AES key. Whatever.

I’m so glad I convinced her tech department to give us local admin rights. That way I finally just nuked that dysfunctional piece of sh*** and went back to the default Windows WLAN configuration tool.

That just worked.

Instantly. No hassle at all.

Categories
Pet Peeves

US social security numbers

Today, slashdot features yet another article concerning the non-security of SSN as an authenticator. A good number of comments already discussed the stupidity of basing security on the secrecy of the SSN.

Actually, I think there is just one simple solution to keep companies from relying on the SSN as a way to authenticate people:

Publish them all.

In reality, everybody who actually uses SSNs to authenticate people needs to have access to the DB of SSNs. Anybody who handles forms which contained SSN learns them. It’s a shared secret. And it’s used so widely that the circle of people who know them is so large that the secrecy is impossible to maintain.

They may be a secret, but they are a pretty open secret. That’s not security, that’s just a marginally plausible veneer of security.

In order to get something secure in place, you need to convince people that the current scheme is broken beyond repair. So just publish them. All 300 million of them. Get over it.

Categories
Austria Pet Peeves

Yeah, right

Today at the local (small) supermarket:

obst beim zielpunkt

Well, at some point in history, both Spain and (parts of) Italy were part of the Hapsburg Empire, but the rest? Give me a break.

Categories
CERT Pet Peeves

FUD, the Microsoft way

Dear Microsoft,

we all know that the “Fear, Uncertainty, and Doubt”-strategy worked quite well against Linux and other threats to your Monopoly business. By why do you apply the same tactic towards a Windows user that simply wants to open a zip-file?

microsoft-fud

(Translation: “This page contains an unspecified potential security risk. Do you want to continue?”)

What do you think a user should do with that information?

Categories
Internet Pet Peeves

Heise, Slashdot, Broken Records, and DNSSEC

Almost whenever a security event involving Windows is featured on Slashdot or Heise, some Linux fanboys will invariably post their cocky “that would not have happened with Linux” messages.

I start to see the same thing with DNS incidents and DNSSEC.

This is just as childish and stupid, especially as the voices writing such notes are often enough established engineers and not your average adolescent geek.

In reality most of the recent DNS hacks were not perpetrated by crafting forged DNS responses to poison caches but were successful attacks against the Registrar/Registrant interfaces. No, DNSSEC would not have helped in such a case.

The same is true for DNSSEC and the domain-based censorship which was just passed by the German government. DNSSEC will not help here. It is no panacea against meddling with DNS answers. It depends on who is doing the validation and whether the offending domains are actually signed or not (not likely these days):

  1. DNSSEC validation is done at the ISP resolver:

    DNSSEC doesn’t help the end-user here at all.

  2. DNSSEC validation in the client, ISP recursor is used:

    If the domain is signed, then the user will get a NXDOMAIN (or maybe a better error-reporting) instead of the IP address of the STOP-sign website.

    So the censuring still works, just the alerting of the user (and the logging of the STOP-sign access) does not.

  3. DNSSEC validation in the client, full recursion at the client

    Censorship is ineffective. Just the same as when the local recursor does no DNSSEC checking.

Remember: DNSSEC is not about the availability part of security, it’s only about the integrity. Censorship does not really need to attack the integrity, it’s all about availability.

Categories
Internet Pet Peeves

Bad timing, Last.fm

Date: Wed, 20 May 2009 14:05:42 +0000
To: @bofh.priv.at
From: “Last.fm”
Subject: Your free trial to Last.fm Radio is over. Did you enjoy it?

Hi XYZ,

Your free trial to Last.fm Radio is about to end. If you’re enjoying it, why not
subscribe for only €3.00/month and continue listening to non-stop personalised
radio.

http://www.last.fm/subscribe

Best Regards,
The Last.fm Team

and

Deny This, Last.fm
by Michael Arrington on May 22, 2009

A couple of months ago Erick Schonfeld wrote a post titled “Did Last.fm Just Hand Over User Listening Data To the RIAA?” based on a source that has proved to be very reliable in the past. All hell broke loose shortly thereafter.

I was inclined to pay them the 3€, partly because I’ve listened a lot to a stream from them, but after this breach of their privacy agreement?

Sorry, no deal guys.

[Update: yes, I know that LastFM is disputing this story.]