You are here


Fraudulent Public-Key Certificates

We rely on public-key cryptography to authenticate software we download from the Internet, like software updates, some Web-based software, and many device drivers. When we try to install or run such software, the system may automatically check the signature and warn us if it is missing or suspect. The system checks the signature by referring to a public-key certificate associated with the vendor who signed the software.

So what happens if the public-key certificate is fraudulent?

For that matter, what makes a certificate fraudulent, and how would such a thing arise?

A certificate is fraudulent if the name it carries does not accurately reflect the person or entity that actually controls the associated public/private crypto keys. And yes, there have been several cases of fraudulent public-key certificates.

Post category: 

The blunt sword of legislation

Minnesota's Senator Klobuchar has co-sponsored a bill to criminalize certain behavior by peer-to-peer file sharing programs.

The bill is supposed to require a sort of informed consent by computer owners whenever a P2P file sharing program arrives. Here's what the bill wants to require:

• Ensures that P2P file sharing programs cannot be installed without providing clear notice and obtaining informed consent of the authorized computer user.

• Makes it unlawful to prevent the authorized user of a computer from:

1. Blocking the installation of a peer-to-peer file sharing program, and/or

2. Disabling or removing any peer-to-peer file sharing program.

Having taught several networking courses (not to mention having written my share of networking software), I'm not sure where they can draw the line. What constitutes 'clear notice,' and does that include such things as Windows and Apple file sharing? Do these OS vendors already comply with planned legislative requirements, or will they have to update their configuration software?

Does "Microsoft Genuine Advantage" violate the law if it won't let the computer owner block its communication with the Mother Ship in Redmond? If so, how does Microsoft check for people using the same license on two or more computers?

Post category: 

When is public data non-public?

If it's public information on paper, is the electronic version also a public record?

As a techie, I tend to think so. The electronic version carries more information, is easier to work with, and is sometimes easier to authenticate.

The city of Phoenix, AZ, recently argued the opposite in court, and ultimately lost. Someone was suing the city and demanded some public records. The city provided paper copies, some of which appeared to be backdated. The plaintiff demanded the electronic copies so he could examine the metadata. The city refused, saying that the metadata was not public record. Two courts agreed, but the Arizona Supreme Court disagreed. So a court is on record saying that, if the document is a public record, the electronic form is also a public record.

Post category: 

Dell Laptop

I just bought a Dell laptop. I generally buy from vendors I know, and St. Thomas has been buying Dell systems for the past several years. I might have bought an Apple, but their lowest base price was $1,000. I knew I could do a little better. In any case, I wanted to run both Windows and Linux. Running OS-X would have been a plus (I'm addicted to Aperture) but not worth the extra dollars.

The hardware seems solid - an XPS 1330 - and it's comfortably compact. It has thumbprint authentication that seems tolerably robust. The major size limiters, the RAM and hard drive, are easy to replace. So is the 802.11g network card. It came with "Windows Home Premium." I'm astonished at the amount of Dell-branded software you have to trim back. And I'm appalled that the default search engine, "," directs you away from when you go looking for it.

Post category: 

A Microsoft-Centric World

Back in the 1970s when many of us were struggling to free ourselves from mainframes, the mantra in the computing world was "Nobody ever got fired for choosing IBM." No doubt Bill Gates was inspired by this to build his own empire. Today, people unblushingly swap "IBM" for "Microsoft" in that mantra.

Since converting back to the Macintosh I've been learning a lot about Microsoft-centric software. Several programs that ran on both systems have essentially withered, especially since the conversion to OS X. I'm most directly affected by Microsoft-centric teams at Intuit and at Adobe.

Post category: 

Design Patterns for Identity Systems

These are design patterns in the Christopher Alexander sense rather than the object oriented design sense: they address the physical and network environment rather than focusing on software abstractions. The patterns were introduced in my book Authentication.


There are four patterns: local, direct, indirect, and off-line.


Post category: 

Finally - fixing the updater vulnerability

One of my personal nightmares is in the automatic software updating mechanism that infests every significant modern software package. It's a huge vulnerability.

Many vendors ignored the problem because they hadn't seen a real exploit. In a recent article, Security Fix tells of a researcher in Argentina who has implemented a sample exploit, so vendors are (finally!) paying attention.

In these days of commercialized hacking, it makes sense to armor plate the whole software distribution pipeline. It's about time people started paying attention.

Post category: 

Desktop changes = Microsoft disaster

Ray Ozzie was talking at a conference, reported on by Mary Jo Foley in which he briefly compared the risk to Microsoft by Google and open source. The report also talks about Microsoft's "culture of crisis." I think the culture of crisis is the key to their success. Bill Gates was always identifying threats and demanding action: that's how he kept the company energized even as it grew huge.

Of course, Microsoft is burning their own bed regarding open source. A lot of people stay with Windows because it is familiar and they are afraid of the alternative. They've learned how to use XP (which was pretty similar to 2000, and 98, and so on) and it's easy to just keep using it. Then they arrive at Vista and everything is different! Menus hidden and holding different info. Start menu is radically different. Window frames are completely different.

In other words, at least 80% of computer users could switch from Windows XP to Ubuntu and not suffer any worse than if they'd switched to Windows Vista. Probably the same is true for the 'upgraded' Office product versus Open Office.

Post category: 

Death of the mouse?

So Bill Gates claims the mouse will be replaced by touch screens.

I'm not so sure myself.

Post category: 

Microsoft takes over your PC. Again.

Next month, Microsoft will install Internet Explorer 7 into your computer whether you want it or not.

When Microsoft forces everyone to update like this, it's usually for a really compelling business reason. I haven't found anything conclusive on Microsoft's site, but I suspect it involves Windows anti-piracy features. In other words, there may be something in IE7 that makes it harder to install and maintain unauthorized versions of Windows. Of course, this may also break legitimate but "weird" installations.

Wordpress tag: 
Post category: 

Theme by Danetsoft and Danang Probo Sayekti inspired by Maksimer