The long twilight of IE6
We discussed the question of why IE6 is still out there. Well ...
http://arstechnica.com/microsoft/news/2010/08/despite-petition-uk-government-to-keep-ie6.ars
reports that the UK government has officially decided not to replace IE6, feeling the costs outweigh the benefits. Quoting from the government response:

"Complex software will always have vulnerabilities and motivated adversaries will always work to discover and take advantage of them. There is no evidence that upgrading away from the latest fully patched versions of Internet Explorer to other browsers will make users more secure. Regular software patching and updating will help defend against the latest threats. The Government continues to work with Microsoft and other internet browser suppliers to understand the security of the products used by HMG, including Internet Explorer, and we welcome the work that Microsoft are continuing to do on delivering security solutions which are deployed as quickly as possible to all Internet Explorer users.

It is not straightforward for HMG departments to upgrade IE versions on their systems. Upgrading these systems to IE8 can be a very large operation, taking weeks to test and roll out to all users. To test all the web applications currently used by HMG departments can take months at significant potential cost to the taxpayer. It is therefore more cost effective in many cases to continue to use IE6 and rely on other measures, such as firewalls and malware scanning software, to further protect public sector internet users."

-- Jerry

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Re: phpwn: PHP cookie PRNG flawed (Netscape redux)
travis+ml-cryptogra...@subspacefield.org writes:

> https://media.blackhat.com/bh-us-10/whitepapers/Kamkar/BlackHat-USA-2010-Kamkar-How-I-Met-Your-Girlfriend-wp.pdf

He doesn't mention the php.ini variables session.entropy_length and session.entropy_file. Last I checked, their default settings were unsafe, but setting them to 16 and /dev/urandom should solve the problem he describes in the paper. Unless not.
phpwn: PHP cookie PRNG flawed (Netscape redux)
https://media.blackhat.com/bh-us-10/whitepapers/Kamkar/BlackHat-USA-2010-Kamkar-How-I-Met-Your-Girlfriend-wp.pdf

Hey, another PRNG is broken. Raise your hand if you're surprised.

--
A Weapon of Mass Construction
My emails do not have attachments; it's a digital signature that your mail program doesn't understand. | http://www.subspacefield.org/~travis/
If you are a spammer, please email j...@subspacefield.org to get blacklisted.
Preventing a recurrence of the Realtek/JMicron fiasco
I've been having an off-list discussion with someone about how you'd prevent the recent Realtek/JMicron certificate fiasco. My thoughts on this:

Since many development shops see the signing process as nothing more than an annoying speed-bump that stands in the way of application deployment, not helped by the fact that code-signing tools like Windows SignTool and Unix' GPG are hard to use and poorly integrated into the development process, developers have generally used the most expedient means possible to sign their code, with signing keys left unprotected or with easy-to-guess passwords (trivial variations of "password" are a favourite in web advice columns that give examples of how to do code signing [0]), or passwords hard-coded into the scripts that are needed in order to integrate the signing into the build process. Combine this with the existence of entire families of malware such as Adrenalin, Nuklus/Apophis, Ursnif, and Zeus that integrate key-stealing functionality and it's inevitable that legitimate code-signing keys will end up in the hands of malware authors.

[0] "p...@ssw0rd" is the "password1" of code signing.

So my advice would be to keep the signing key on a dedicated, non-network-connected machine that takes to-be-signed input from a USB drive with autorun turned off (or, better, Didier Stevens' USB-protection driver installed, http://blog.didierstevens.com/programs/ariad/) and sign that. For test purposes during development you can always sign with test keys, and then only sign the final release once it's passed QA.

Even if you don't want to go that far, just getting rid of the current worst practice would be a start, where code-signing keys are just random data to be copied onto every developer's machine with no password or a fixed password coded into batch files.

Potential issues/discussion topics:

- The signing tools should include a test key along the lines of the EICAR test virus sig. that's included by default and recognised everywhere as being purely a test key, to create a zero-overhead way of leaping the signing hurdle during development.

- As an extension of the above, the development environment should have some checkbox option to test-sign debug builds of binaries so developers don't have to google + cut&paste obscure command-line strings and batch files into equally obscure config dialogs in their IDE.

- Developers may need to repeatedly sign test releases and beta releases. How do you distinguish "signature for testing purposes" from "signature for live release"? Pretty much anything you do, e.g. throw up a warning every time a test-signed version is run, is going to cause enough discomfort eventually that developers will go back to using the release key.

Any other issues that anyone can think of?

Peter.
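The post above sketches three pieces of a workflow: a published, universally recognised test key (the EICAR analogy), a cheap way to test-sign debug builds, and some way for a verifier to tell a test signature from a release signature so that the two never get confused. The following is an added example, not Peter's code and not any vendor's tooling, that shows the verifier side of that split in Go. It uses Ed25519 from the standard library as a stand-in for Authenticode or GPG, derives the shared test key from a fixed seed (`TestSeed` is a hypothetical constant, not a real published key), and invents the names `TrustStore`, `Sign`, `Classify` and `Allowed`. The release private key is generated in `main` only so the program runs stand-alone; in the workflow described it would live on the non-networked signing machine.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SigLevel is what a signature on an artifact actually proves.
type SigLevel int

const (
	Unsigned      SigLevel = iota // no signature supplied (or it was stripped)
	Invalid                       // signature present but verifies under no trusted key
	TestSigned                    // verifies under the well-known, public test key
	ReleaseSigned                 // verifies under the vendor's release key
)

func (l SigLevel) String() string {
	return [...]string{"unsigned", "invalid", "test-signed", "release-signed"}[l]
}

// TestSeed is a HYPOTHETICAL fixed 32-byte seed standing in for a published,
// universally recognised test key. Anyone can derive the private key from it,
// so a test signature proves nothing about origin; it only shows the build
// went through the signing step. This is an assumption of the example.
var TestSeed = []byte("CRYPTOGRAPHY-LIST-TEST-KEY-00001")

// TestKey derives the shared test key pair from TestSeed (deterministic).
func TestKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(TestSeed)
	return priv.Public().(ed25519.PublicKey), priv
}

// TrustStore holds the two public keys a verifier knows about. The release
// private key is never part of it.
type TrustStore struct {
	TestPub    ed25519.PublicKey
	ReleasePub ed25519.PublicKey
}

// Sign produces a detached signature over the SHA-256 digest of the artifact.
// Signing a digest rather than the raw bytes matches the sneakernet workflow:
// the build machine hands over a hash, the offline machine signs it.
func Sign(priv ed25519.PrivateKey, artifact []byte) []byte {
	digest := sha256.Sum256(artifact)
	return ed25519.Sign(priv, digest[:])
}

// Classify says which trusted key, if any, produced sig over artifact.
func (ts TrustStore) Classify(artifact, sig []byte) SigLevel {
	if len(sig) == 0 {
		return Unsigned
	}
	digest := sha256.Sum256(artifact)
	// Guard the key lengths: ed25519.Verify panics on a malformed public key.
	if len(ts.ReleasePub) == ed25519.PublicKeySize && ed25519.Verify(ts.ReleasePub, digest[:], sig) {
		return ReleaseSigned
	}
	if len(ts.TestPub) == ed25519.PublicKeySize && ed25519.Verify(ts.TestPub, digest[:], sig) {
		return TestSigned
	}
	return Invalid
}

// Allowed is the policy: test signatures are honoured only on a developer
// machine, so a test-signed build that leaks into production fails loudly
// instead of running, and an unsigned or mis-signed file is always refused.
func Allowed(level SigLevel, devMachine bool) error {
	switch level {
	case ReleaseSigned:
		return nil
	case TestSigned:
		if devMachine {
			return nil
		}
		return errors.New("test-signed binary refused outside a development environment")
	default:
		return fmt.Errorf("binary is %s; refusing to run", level)
	}
}

func main() {
	relPub, relPriv, err := ed25519.GenerateKey(rand.Reader) // offline in real life
	if err != nil {
		panic(err)
	}
	testPub, testPriv := TestKey()
	ts := TrustStore{TestPub: testPub, ReleasePub: relPub}

	artifact := []byte("constructed stand-in for a built binary")
	debugSig := Sign(testPriv, artifact)  // the IDE "test-sign debug build" checkbox
	releaseSig := Sign(relPriv, artifact) // done on the offline machine after QA

	cases := []struct {
		name string
		sig  []byte
		dev  bool
	}{
		{"debug build on dev box", debugSig, true},
		{"debug build on production", debugSig, false},
		{"release build on production", releaseSig, false},
		{"signature stripped, production", nil, false},
	}
	for _, c := range cases {
		lvl := ts.Classify(artifact, c.sig)
		fmt.Printf("%-32s %-15s %v\n", c.name, lvl, Allowed(lvl, c.dev))
	}
}
```

Note what the last case shows: a verifier only ever sees "unsigned", never "was signed and had its signature removed", which is the same observation Peter makes about the Stuxnet coverage further down this thread.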
Re: A mighty fortress is our PKI, Part II
On Aug 4, 2010, at 11:29 PM, Peter Gutmann wrote:

> Jon Callas writes:
>
>> But S.J. Perleman's "Three Shares in a Boat"
>
> Uhh, minor nitpick, it was Jerome K. Jerome who wrote "Three Shares in a Boat". He followed it up with "Three Certificates on the Bummel", a reference to the sharing of commercial vendors' code-signing keys with malware authors.

Oh, well. You are, of course, correct.

Jon
Re: A mighty fortress is our PKI, Part II
Jon Callas writes:

> But S.J. Perleman's "Three Shares in a Boat"

Uhh, minor nitpick, it was Jerome K. Jerome who wrote "Three Shares in a Boat". He followed it up with "Three Certificates on the Bummel", a reference to the sharing of commercial vendors' code-signing keys with malware authors.

Peter.
Re: A mighty fortress is our PKI, Part II
On Jul 30, 2010, at 4:58 AM, Peter Gutmann wrote:

> [0] I've never understood why this is a comedy of errors, it seems more like a tragedy of errors to me.

That is because a tragedy involves someone dying. Strictly speaking, a tragedy involves a Great Person who is brought to their undoing and death because of some small fatal flaw in their otherwise sterling character. In contrast, comedies involve no one dying, but the entertaining exploits of flawed people in flawed circumstances.

PKI is not a tragedy, it's comedy. No one dies in PKI. They may get embarrassed or lose money, but that happens in comedy. It's the basis of many timeless comedies.

Specifically, PKI is a farce. In the same strict definition of dramatic types, a farce is a comedy in which small silly things are compounded on top of each other, over and over. The term farce itself comes from the French "to stuff" and is comedically like stuffing more and more feathers into a pillow until the thing explodes. So farces involve ludicrous situations, buffoonery, wildly improbable / implausible situations, and crude characterizations of well-known comedic types. Farces typically also involve mistaken identity, disguises, verbal humor including sexual innuendo, all in a fast-paced plot that doesn't let up piling things on top of each other until the whole thing bursts at the seams.

PKI has figured in tragedy, most notably when Polonius asked Hamlet, "What are you signing, milord?" and he answered, "OIDs, OIDs, OIDs," but that was considered comic relief. Farcical use of PKI is far more common. We all know the words to Gilbert's patter-song, "I Am the Very Model of a Certificate Authority," and Wilde's genius shows throughout "The Importance of Being Trusted." Lady Bracknell's snarky comment, "To lose one HSM, Mr. Worthing, may be regarded as a misfortune, but to lose your backup smacks of carelessness," is pretty much the basis of the WebTrust audit practice even to this day.

More to the point, not only did Cyrano issue bogus short-lived certificates to help woo Roxane, but Mozart and Da Ponte wrote an entire farcical opera on the subject of abuse of issuance, "EV Fan Tutti." There are some who assert that he did this under the control of the Freemasons, who were then trying to gain control of the Austro-Hungarian authentication systems. These were each farcical social commentary on the identity trust policies of the day. Mozart touched upon this again (libretto by Bretzner this time) in "The Revocation of the Seraglio," but this was comic veneer over the discontent that the so-called Aluminum Bavariati had with the trade certifications in siding sales throughout the German states, as well as export control policies, since Aluminum was an expensive strategic metal of the time. People suspected the Freemasons were behind it all yet again. Nonetheless, it was all farce.

Most of us would like to forget some of the more grotesque twentieth-century farces, like the thirties short where Moe, Larry, and Shemp start the "Daddy-O" DNS registration company and CA, or the "23 Skidoo" DNA-sequencing firm as a way out of the Great Depression. But S.J. Perleman's "Three Shares in a Boat" shows a real-world use of a threshold scheme. I don't think anyone said it better than W.C. Fields did in "Never Give a Sucker an Even Break" and "You Can't Cheat an Honest Man."

I think you'll have to agree that unlike history, which starts out as tragedy and replays itself as farce, PKI has always been farce over the centuries. It might actually end up as tragedy, but so far so good. I'm sure that if we look further, the Athenians had the same issues with it that we do today, and that Sophocles had his own farcical commentary.

Jon
Re: A mighty fortress is our PKI, Part II
David-Sarah Hopwood writes:

> Huh? I don't understand the argument being made here.

It's a bogus argument, the text says:

    He took a legitimate software package and removed the signature of the digital certificate it contained, then installed the package on his computer. The Installer application didn't indicate that the certificate had been modified.

The certificate wasn't modified, they just stripped the signature from the executable.

    "Only an expert will be able to detect a problem," Schouwenberg said. "And all Microsoft will tell you is that the file is not signed."

And what else should Windows say? "We put this through our time machine and noticed that at some time in the past it was signed and now it isn't"?

The rest of the story isn't much better:

    The Stuxnet worm, which surfaced last month, used fake Verisign digital certificates

No, they were genuine certs, just in the wrong hands.

Peter.