The Command Line

Podcast and blog exploring digital citizenry as a creator and a consumer.

The Command Line Citizen

SSL Blacklist Now Warns About MD5 Signatures

7 January, 2009 (11:28) | Security | By: cmdln

I installed the SSL Blacklist extension for Firefox a while ago when Debian and its derivatives were exposed to a weakness in generating certificates. I just noticed a warning from the extension, today, on a site I have trusted in the past and that didn’t run afoul of the Debian specific warning previously.

I clicked through for more information and it turns out that the extension has been updated, without fanfare, to spot SSL certificates that use an MD5 based fingerprint. The info shown when clicking More Info on the warning references the research I mentioned in my last podcast.

From Márton Anka’s (the author of the extension) site:

Update 12/31/2008

SSL Blacklist now detects and warns about certificate chains that use the MD5 algorithm for RSA signatures.

An attack has been demonstrated yesterday that highlights the practicality of the well-publicized (PDF) weaknesses of the MD5 algorithm. Essentially, any certificate signed with the MD5 algorithm may be counterfeit.

The demonstrated attack has two notable prerequisites: the ability to predict information in the prefix blocks of the data, and the present existence of CAs that use MD5-RSA to sign CSRs.

I was just thinking that an extension that simply warned about sites using MD5 based certificates should be well doable and a decent measure to help put pressure on sites and CAs. Looks like I was a week or so late in that thought. Huge thanks to Márton for the original extension and now this valuable update.
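The check the extension performs, as an added example in Python that is neither the extension’s code nor anything from Márton Anka’s site: it walks the DER encoding of a certificate, pulls the signature algorithm OID out of both the signed body (tbsCertificate.signature) and the outer signatureAlgorithm field, and flags md5WithRSAEncryption (and the older md2 variant) as weak. It goes a little beyond the post by also warning when the two algorithm fields disagree, which is itself a sign of tampering. The OIDs are the standard PKCS #1 values; the certificate skeleton the code builds for itself is a constructed, truncated sample (version, serial and signature algorithm only) that exists so the example runs offline, not a real certificate.

```python
"""Flag X.509 certificate chain elements whose RSA signature uses MD5 or MD2."""

# PKCS #1 signature-algorithm OIDs. Only the first two are treated as weak here.
WEAK = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}
KNOWN = dict(WEAK, **{
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
})

SEQUENCE, INTEGER, OID, NULL, BIT_STRING, CTX0 = 0x30, 0x02, 0x06, 0x05, 0x03, 0xA0


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    """Split the body of a constructed element into its (tag, body) children."""
    pos, out = 0, []
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def signature_oids(cert_der):
    """Return (tbsCertificate.signature OID, outer signatureAlgorithm OID)."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    tbs, outer_alg, _sig = children(cert)
    fields = children(tbs[1])
    if fields[0][0] == CTX0:          # explicit [0] version is optional; skip it
        fields = fields[1:]
    inner_alg = fields[1]             # fields[0] is serialNumber
    return (decode_oid(children(inner_alg[1])[0][1]),
            decode_oid(children(outer_alg[1])[0][1]))


def assess(cert_der):
    """One-line verdict in the spirit of the extension's warning."""
    inner, outer = signature_oids(cert_der)
    if inner != outer:
        return "warn: tbsCertificate.signature and signatureAlgorithm disagree"
    if outer in WEAK:
        return f"warn: signed with {WEAK[outer]}"
    return f"ok: {KNOWN.get(outer, outer)}"


def build_sample(alg_oid):
    """Constructed, truncated certificate skeleton (not a real or verifiable cert)."""
    alg = tlv(SEQUENCE, encode_oid(alg_oid) + tlv(NULL, b""))
    tbs = tlv(SEQUENCE,
              tlv(CTX0, tlv(INTEGER, b"\x02"))   # version v3
              + tlv(INTEGER, b"\x01")            # serialNumber (constructed value)
              + alg)                             # signature algorithm, repeated inside the body
    return tlv(SEQUENCE, tbs + alg + tlv(BIT_STRING, b"\x00" * 5))


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(KNOWN[oid], "->", assess(build_sample(oid)))
```

Only the leading fields of tbsCertificate are read, so the parser works unchanged on a full certificate; the constructed skeleton simply omits issuer, validity, subject and key material that the check never touches. A real chain check would run `assess` over every element except the trust anchor, since the root’s self-signature is not what the attack exploits.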

On a related note, Verisign has announced they are no longer issuing MD5 based certificates. They are one of the biggies; hopefully the rest of the CAs will soon follow suit.

EFF 18th Birthday Party, Tonight at the DNA Lounge in San Francisco

7 January, 2009 (11:13) | Events | By: cmdln

I so wish I were anywhere on the west coast right now; the EFF is preparing to celebrate 18 years of protecting our civil liberties online tonight with what looks like a fantastic party. You can pre-purchase a ticket to the party with the option to pick up a discounted membership and some nice premiums. Wonder if I can order one of those NSA t-shirts anyway?

DJ Spooky is headlining but it looks like they have some great additional talent lined up, more details at the link. For a bit more you can also purchase a ticket to a VIP pre-party where DJ Spooky will be reading from his book, “Sound Unbound”. It looks like a great chance to meet EFF board members and other luminaries, too. I am so jealous of anyone who gets to go to the party, let alone the VIP pre-party.

If you make it to either or both events and are a listener of the show, please call the voice mail with a report or email me to schedule some time to chat. I’d love to snag a bit of first hand reporting for the podcast.

iTunes Going All DRM-Free for Music

6 January, 2009 (23:19) | General | By: cmdln

The software news out of the MacWorld keynote is far more interesting than the new hardware. I will be getting the iLife and iWork updates as I use both suites regularly. I am glad iWork didn’t go all web, we’ll see how well the new online service complements the desktop apps.

The biggest news, of course, is that the iTunes store is going DRM-free for its music catalog. I checked after I saw this story and while not all my purchased music has the upgrade option, yet, I was surprised that about six more albums had been freed up. I have seen some complaints of the cost but I think it is worth it to secure the freedom of my media. It also means I’ll once again consider buying new music from iTunes, including over WiFi with my iPod Touch.

There is no news on any of the other media in the iTunes store. That means it is pretty much a certainty that this deal is only for music. Audiobooks are all provided by Audible, now owned by Amazon, who has not made good on any promises to free up their offerings. Video across the board has been lagging the music industry in abandoning DRM regardless of the outlet.

I am not sure the dynamics overall are anywhere close, that the draw for the iPod as a TV and movie player is strong enough to encourage competitors onto the device via unrestricted formats. Add in the traction streaming services, like Hulu, have gained and I am not sure this same scenario will ever play out. Still, I think it is worth continuing to push on iTunes and Amazon on DRM for other media. Every day that they continue to profit from DRM-free music is a day’s more data of convincing them that the type of content is irrelevant to the question of digital locks.

SoundSprout Artist from the Creative Commons Birthday Party in DC

5 January, 2009 (18:27) | Entertainment | By: cmdln

Mark Shanks, one of the two fellows from SoundSprout that I met at the 6th birthday party that Public Knowledge and CopyNight DC sponsored, wrote me with the name of the artist that I played but could not remember.

You asked about the band whose CD we had brought to the party. The band was Fite House and their music can be found at www.fitehouse.com

SoundSprout.com is currently being revitalized; however, when we’re back up and running in the near future, fitehouse will be releasing a new CC album on our site.

The CD Mark brought was excellent and the artists, as I mentioned in the podcast where I talked about the party, are very much open content and free culture advocates. Glad tidings that this band has a new release in the works.

TCLP 2009-01-04 News

4 January, 2009 (19:16) | News, Podcast | By: cmdln

This is news cast 166.

In the intro, just a quick round up of events for this month and the coming year including Farpoint, Balticon 43 and Shmoocon. I’ll also be attending Wiki White House at Google’s DC office this week and a luncheon discussion of the Jacobsen case put together by the DC bar. The former appears to be full up and the latter does involve a fee.

If you want to help me get to Penguicon and/or Dragon*Con this year, please make a donation.

This week’s security alert is just a lengthy discussion of an attack on the public key infrastructure based on the well researched possibility of collisions with the MD5 algorithm.

In this week’s news the web comic User Friendly calls attention to the end of the VHS, a new project exploring molecular computing, a book and project bring design patterns to social activism much like they were adopted for software development (you can purchase the book on Amazon), and a paper testing how well the four common browsers handle private data, the problem of Flash cookies being the most disturbing finding.

Following up this week: Flickr’s The Commons project is put into question by a Yahoo layoff, and an unconfirmed report that the RIAA may be firing MediaSentry.

News Cast for 1/4/2009 [40:56m]

Grab the detailed show notes with time offsets and additional links either as PDF or OPML.

Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.

Week in Review for 1/4/2008

4 January, 2009 (17:02) | Links, News | By: cmdln

Quick News Links

  • Latest Linux kernel release
    The two biggest changes are a new memory manager for the GPU, GEM, and the ext4 file system. The article also mentions moving new driver development to a more visible location in the mainline which may help prompt contribution. The article has links to more detail on the other changes.
  • FBI code cracking challenge
    This is their second such challenge in as many years. Contests like this are common, just not coming from law enforcement agencies. I’d be willing to bet it is a recruiting tactic of some sort.
  • Swedish Pirate Party rises above the margin
    The party is apparently experiencing solid growth and surprisingly positive results in voting polls. The article speculates that progress made by copyright maximalists may be encouraging voters to consider the alternative.
  • CCC hackers demo critical crack of telephony security
    The standard in question, DECT, has been cracked before but required an expensive setup. This research shows eavesdropping accomplished with a cheap PC card meant for wireless VoIP. Not surprisingly, encryption and authentication are often weakly implemented, if at all. Apparently, even when encryption is enabled, the researchers are able to spoof a base station and disable it after the fact.
  • Python on the G1
    Good news for early adopters who want another option beyond Java. It builds already on existing work and I have to imagine as it attracts interest, we’ll see the setup become easier for the average user or casual script hacking.
  • AMD releases more code for open source ATI drivers
    This was apparently done by a couple of motivated employees and should boost driver development and cascade on through to a better end user experience.
  • Interview with creator of online tools for civic life
    More good hacktivism, using tech to make data more available regardless of progress on government transparency.
  • Google dropping support for IE6
    They are pushing both Chrome and Firefox 3, instead, and some features of Gmail no longer work in the aging browser. IE7 is still supported, as IE8 will be, no doubt. Not that surprising given how old IE6 is, though it also supports the theory that Google is trying to become an independent channel through Chrome.
  • Silicon that emulates stem cell growth, differentiation
    Not a lot of detail but it makes me think of a story I covered a while ago. A computing substrate that self assembled. The problem with that system was the unevenness of the quality of elements in the resulting computer. The trick to that project was software that mapped out the resulting system to route around unusable elements. No idea if this is the same thing.
  • Interview with RMS on 25 years of free software
    This is a good history of GNU but also covers free software and the GPL more generally. It even discusses the popularization of Linux and the problems getting contributions upstream, not just from individuals but also from distro makers, in particular Canonical.

Quick Security Alerts

Quick Follow Up Links

Zune Leap Year Bug

1 January, 2009 (14:18) | Programming | By: cmdln

It would be so easy to dog pile on Microsoft’s poor, beleaguered media player. Take it from me, daylight savings and leap year handling is no fun and easy enough to get wrong or fail to test properly. These sorts of bugs make it past quality assurance from time to time, more often than we like to admit really. You remember those routers a few years back that all checked their clocks against an external source in lock step, bogging down large networks?

Edge cases are hard to test by definition. In retrospect, a leap year seems easy enough to check but think about all of the core cases QA has to cover with a media device. Playback, media synchronization, all the UI bits, battery handling, and many more besides. In thinking about the full test suite for a media player, would it occur to you to permute the system clock through each day of a standard year, let alone a leap year?

It turns out that in the Zune case, the bug apparently originates in a lower level chip driver. So even if Microsoft had tested their own software stack fully, that doesn’t guarantee they would have flushed out this integration issue.

The difficulty of testing the unanticipated is why techniques like fuzzing were developed. This is a permutation of a security axiom, though. An engineer can easily build a system that they cannot manage to break, this doesn’t mean the system lacks faults. It says more about the biases and perceptions of the engineer. At least fuzzing illustrates a bit of creativity in trying to get past an engineering team’s built-in limitations.
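The kind of test the post wonders about, permuting the clock through every day of a standard year and a leap year, as an added example in Python that has nothing to do with the Zune’s actual driver code: a days-since-epoch to (year, day-of-year) converter of the shape a clock driver needs, a constructed defective variant whose loop comparison misattributes the first day of each new year, and a sweep that checks every day over a span of years against the standard library. The 1980-01-01 epoch is an assumption for the example.

```python
"""Exhaustively sweep a day-counter to (year, day-of-year) conversion across years."""
from datetime import date, timedelta

EPOCH = date(1980, 1, 1)   # assumed epoch for the example; firmware clocks often count days


def is_leap(year):
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def days_to_year_and_day(days):
    """Convert days since EPOCH to (year, day_of_year), both 1-based for the day.

    The comparison must treat a remaining count equal to the year length as
    belonging to the next year; the last day of a leap year (index 365 within
    the year) is where off-by-one versions of this loop go wrong."""
    year = EPOCH.year
    while True:
        year_len = 366 if is_leap(year) else 365
        if days < year_len:          # remaining days fit inside this year
            return year, days + 1
        days -= year_len
        year += 1


def days_to_year_and_day_defective(days):
    """Constructed defective variant (not the shipped driver): '>' lets a count
    equal to the year length fall through, so each new year's first day is
    reported as day 366 or 367 of the previous year."""
    year = EPOCH.year
    while True:
        year_len = 366 if is_leap(year) else 365
        if days > year_len:
            days -= year_len
            year += 1
        else:
            return year, days + 1


def sweep(convert, years):
    """Feed every day from EPOCH through `years` years to `convert` and compare
    with datetime. Returns a list of (day_index, got, expected) mismatches."""
    mismatches = []
    current, index = EPOCH, 0
    end = date(EPOCH.year + years, 1, 1)
    while current < end:
        expected = (current.year, current.timetuple().tm_yday)
        got = convert(index)
        if got != expected:
            mismatches.append((index, got, expected))
        current += timedelta(days=1)
        index += 1
    return mismatches


if __name__ == "__main__":
    print("correct:  ", len(sweep(days_to_year_and_day, 12)), "mismatches")
    print("defective:", sweep(days_to_year_and_day_defective, 2))
```

The sweep is cheap (a few thousand iterations for a decade) and is exactly the sort of boundary-hunting test that a hand-picked list of dates tends to miss; spot-checking December 31 of a leap year finds the defect here, but only if someone thought to include it.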

The open source development model, in contrast to Microsoft’s secretive methods, would be easy to advance as an anodyne. It has its advantages in terms of transparency, that many more engineering eyes would be combing through the code increasing the odds of spotting a problem like this. There is also such a rich tradition of re-use that allows any given project to build on the momentum of core libraries and benefit from external achievements in quality and functionality. For popular libraries and tools, many other users have tackled the integration scenarios a new project is likely to encounter. Using an open source library means higher level projects can feed fixes back into lower level components, fixing their own issues as they encounter them.

Unfortunately, testing is one of the areas where open source projects are constantly short handed. Everyone wants to write new features, finding bugs and submitting patches just seem less glamorous. Many projects require a certain level of patches submitted by a potential contributor before granting them full commit rights to the code repository. I am sure that helps, to a degree, but I think it may as often chill interest in contributing code.

My only real takeaway from this little debacle is to be reminded that hacking on code is only one element of a successful project. I read many excellent thinkers on the subject of incorporating security and usability alongside core development on projects. Quality testing may not even have the appeal of these other not strictly coding aspects of projects but it needs its own top notch advocates who bring the same creativity and zeal to reduce the odds of an embarrassing but easy to commit defect like this one escaping into the wild.

TCLP 2008-12-31 Year in Review, Part 2

31 December, 2008 (17:45) | Podcast | By: cmdln

This is a feature cast.

In the intro, I share my review of Ed Piskor’s “Wizzywig Volume 1: Phreak”.

The feature this week is part two of a round table discussion of some of the issues that were prominent this year. I was joined by Kevin Crosby, Vaskin Kissoyan, and Eric Christensen. The topic of this part is where we are at with copyright infringement and enforcement. Most recently the RIAA has announced it is stopping its individual law suits. However, they are pressing an unusual criminal case against an individual. The risk of the urge to perfect enforcement is the increasing irrelevance of copyright to the average person.

Year in Review 2008, Part 2 [38:05m]

Grab the detailed show notes with time offsets and additional links either as PDF or OPML.

Knuth has a Posse, Me!

30 December, 2008 (19:59) | General | By: cmdln

[Photo: Knuth has a Posse, Me! Originally uploaded by cmdln]

My pile of books to read is, not surprisingly, quite tall. I am hardly alone in this respect. My wishlist, though, has crept north of three digits. I don’t put most of those books on my public wishlist since it is a bit overwhelming and I tend to buy them on my own on a regular basis.

I put Knuth’s “The Art of Computer Programming” on my public list since it is a bit pricey and not of immediate use to my day job. I didn’t expect anyone to purchase it for me. At most, I thought I might receive a gift card some day that would make enough of a dent for me to splurge on the remainder.

Imagine my surprise when I opened a package from my mother to find the hardcover, boxed set nestled inside. My delighted squeal was followed by an attempt to explain my exuberance to the wife who is not acquainted with the works of Knuth.

I have many books on my technical book shelf. More than a few the quality of which are best measured by the width of their spine. A few, like Design Patterns, The Pragmatic Programmer, and Effective Java are much loved and well thumbed. The Knuth set is now the crown jewel of my technical library and I look forward to making my best effort to read them cover to cover. I fear doing so may take me almost as long as the author has been working on them.

Two of the volumes in the boxed set I received are of the third edition. The original copyright on the first volume is as old as I am. In the preface, Knuth still describes these as works in progress. And the series is not yet complete. I think there is something like six or eight volumes in total planned. Knuth clearly means to cover all the worthwhile fundamentals of computer science and he is well qualified to do so.

I think likening it to Newton’s Principia is a fair comparison in terms of the breadth, depth and importance of the work. And Knuth is still with us and working in the field.

Flipping through the first few pages of Volume 1 reveals a tidy flow chart, a procedure for reading the first book. I am relieved to see a box marked, “Relax”. I am very much going to enjoy disappearing into these books as my time and other pursuits allow.

Thanks, Mom.

Compiling Gwibber for OS X: Fail

29 December, 2008 (21:37) | Programming | By: cmdln

One of the joys of running Linux on my work PC is using Gwibber as my sole micro blogging client. Gwibber was originally written by Ryan Paul, segphault, who is also a regular contributor to Ars Technica.

Gwibber is to micro blogs and life streams what Pidgin is to IM. Thankfully, some of the micro blog services have died off but my own social network is currently split across two. My fellow tech geeks and free software advocates all like to hang out on Identi.ca. It has considerably more hacker cred and is free software in all of the best senses of the word. All the rest of my friends are on Twitter, since it was one of the first and still one of the most popular.

I have cobbled together my own scripts for posting to both services. Consuming messages from both has been a challenge. On the Mac, there really is only Twhirl for multiple services. I know many people who like it; I personally cannot stand it. I don’t know how much of the crummy UI is the fault of Adobe’s AIR platform or the application developers. In either case, I find it ugly and largely unusable. Your mileage may vary. I end up using Twitterific, which I still like for its IM-like and email-like features, and I have to compromise and use XMPP for Identi.ca. XMPP, a form of instant messaging, is workable but not ideal since it is separate from Twitterific and doesn’t give me some of the niceties of a dedicated client.

On Linux, however, Gwibber works exactly how I want a micro blog client to work. It is even smart enough to coalesce duplicate messages from the small overlap in my subscriptions between the two services. It lacks a few things, like direct support in the UI for direct messaging on either service, but you can still use “d username msg” just like you can in XMPP and Twitterific.

What I desperately want now that I have been using Gwibber daily for just a bit over a month is to be able to run it natively on my Macs. I had been playing around with MacPorts to set up some other software and was curious if it would be possible to supply Gwibber enough of its dependencies to get it to run.

The short answer is no, at this time, it is not possible. I got close, mostly by trying to run the main Python script and installing each module it needs in turn. Actually, first I had to change the bang path to the MacPorts version of Python, in /opt/local, since using the env trick in the stock script just plain didn’t work under OS X.

I managed to get all the way up to webkit, seemingly the last dependency. Ironically, given how webkit is used so heavily by Apple and contains some of their code contributions, I could not get the MacPorts port of webkit to build successfully. I am also not certain that that would have been sufficient as I believe I would also need GTK bindings, Python bindings, or possibly both to make Gwibber happy.

The silver lining is I think I may have solved some issues I was having with the MacPorts port of GNUCash incidentally. I had to install Quartz to satisfy an X dependency in GTK. I think this may have made it possible to compile other GTK applications, though I have not yet tested that theory.

To be perfectly honest, what I want is the Python guts of Gwibber with a nice Cocoa front end. With PyObjC and XCode 3, this should be possible. I set out a while ago to try to accomplish just such a piece of software until I conceded defeat in the face of Cocoa. Too many years doing lower level, web application and systems development may have spoiled me for desktop application hacking. I welcome anyone else who wants to try and actually would be happy to pitch in, with testing, documentation or even coding the non-Cocoa bits.