05.09.07
Posted in Political, Life at 8:53 pm by Stoner
A friend’s blog referenced this article on The Onion. Now, the article is satire but it strikes a particular and terrible chord: as we get older we become desensitized to violence and ineptitude. You get pounded day and night by the media spewing bad news and worse news. Murder rates, death tolls, domestic abuse, scandal, corruption…it gets to the point people don’t care - they simply want to get on with their lives. Then, when a particularly heinous crime is committed, they turn away, content to let someone else deal with it, only no one deals with it.
As you get older, do you wonder why young people are so vocal and active? They haven’t built up their immune systems to the crap constantly shoveled at them. After so long, they throw in the towel and become “normal” people. I’m not talking about changing attention spans as in “what’s the crisis of the month?” - I’m talking about apathy towards everything outside of their immediate sphere (family, work and community). A few folks are able to stay steadfast and stick with their activism. I applaud them.
Where this is particularly frightening is politics. Either GW is the most brilliant politician in US history or he really is *that* dumb. Clinton got impeached for oral sex. GW lied, lied and lied some more, got us involved in a war that has a cloudy outcome as far as democracy in Iraq and now he’s going to make a move to do the same in Iran. When most of the population suffers from the apathy I described, the political leaders will get away with whatever they want because they know the people won’t do anything to stop them.
What is it going to take to slap the stupid out of people and get them to act?
03.21.07
Posted in Political at 7:09 pm by Stoner
Came across this story today, about Delta Airlines CEO Gerald Grinstein. He has been working to bring Delta out of Chapter 11 bankruptcy and now that they’re set to do that, he’ll be retiring. Usually when a CEO of a major corporation retires or leaves (or gets fired), they get blessed with a huge compensation package - the Golden Parachute.
Gerald has bucked the trend. He has refused his compensation package, a sum of about $10 million. Instead, he asked that the funds go to scholarships and hardship assistance for Delta employees, families and retirees - the people who were really affected by the bankruptcy. His statement in the article is wonderful: “Corporate pay packages have gotten out of control.”
I’m not saying that CEOs aren’t worth it. Some are very good and deserve the compensation they receive. Others are lame ducks that deserve to eat dirt.
Thank you, Gerald. You get a gold star.
03.09.07
Posted in Technology, Political, Linux at 2:40 am by Stoner
“What are RSA warnings about man in the middle attacks?”
This was posed in a chat room and is a most excellent question. One that has a simple answer but very deep and far-reaching implications.
“What is a Man-in-the-Middle (MitM) attack?”
Quite simply, it’s when an attacker sits between two communicating parties (web browser and web server, ftp client and ftp server, Skype phone and Skype phone, IM client and IM server, etc.), intercepting their network traffic, usually without their knowledge or consent. While in this position, the attacker may choose to simply read the conversation, make a copy of it or change it while it’s in transit. Without proper safeguards, neither the sender nor receiver will know the attacker is there or whether or not their communication was changed in any way.
A common example of this is a telephone wiretap that law enforcement agencies use to record conversations of suspects. The police act as the man-in-the-middle (well, the phone company does all the leg work to tap the line, the police just hit the Record button on the tape deck.)
One important thing to remember is you never have a direct, unbroken line of communication to another entity (think: two tin cans connected by a string), whether it’s a telephone call, an IM chat, an HTTPS session or an email. Your data gets lumped in with a lot of other folks’ data and pushed along shared paths. Usually, it gets broken down into smaller packets, sent out on a wire, then reassembled at the destination. Another quirk of the Internet is that those packets may not all travel along the same route before they get to the destination.
“So where is this all going?”
Well, first off, you need to know, proof-positive, that the entity you’re connecting to is who they claim to be. If you can’t establish that when you connected to Paypal that you 100%-for-certain are talking to Paypal, then everything else is moot. You also need to know that the data that gets transmitted back and forth has not been altered in any way. Once you connect to your online broker, how do you know that the account number didn’t have two of the numbers transposed on your sell order (possibly depositing the funds into someone else’s account?) And finally, how do you know that someone isn’t reading your social security number off your tax forms when you submit it to the IRS through eFile?
“You sure are long-winded. Can you cut to the chase?”
Encryption. Yes, the strange, fuzzy world of really, really big numbers, obscure phrases like “initialization vectors,” “message hashing” and “cipher block chaining”, complex mathematics and more acronyms than should be allowed by law. This is the technology that can help with all this. Properly implemented and used*, an encryption system can provide the following features:
- identification - verifying with certainty that entities are who they claim to be
- message integrity - verifying that a message was not altered in any way between source and destination
- message protection - transforming data such that only those authorized to read it may do so
(*Note, I said ‘Properly implemented and used.’ It is very easy to screw up encryption systems, whether the means of sharing keys is not handled securely, an algorithm has a programming flaw in it, or people simply don’t care enough to follow all the steps necessary to ensure the system is working properly.)
For the rest of this, I’m going to simplify things for brevity, believe it or not, and even fudge a thing or two for sake of clarity. If you know about encryption, you’ll know when I do.
You’re already very familiar with all these features. Let’s examine HTTPS (HTTP over Secure Sockets Layer, or SSL). With HTTPS, when your browser connects to an HTTPS web server, that server presents its certificate, identifying it to you. This certificate has been digitally “signed” by a 3rd party system, known as a Certificate Authority (CA). Your browser contains the certificates of many CA systems (VeriSign, Thawte, AT&T, America Online, Wells Fargo…the list goes on) so it is able to verify the 3rd party’s signature on that certificate, even talk to the 3rd party CA to verify that the web server’s certificate genuinely belongs to the server that presented it to you (thus, satisfying feature #1). Once identity is established, it uses the certificates as part of the encryption process to provide features #2 and #3, thus protecting you from an attacker.
Now, suppose someone attempted a MitM attack on an HTTPS web site. Part of the web server certificate’s details includes the server name, like www.paypal.com or login.yahoo.com. Your browser checks that the hostname in the certificate is the same as the site it’s connecting to. If they’re different, it will pop up a warning box, alerting you to this inconsistency and allowing you to halt communications. In order for a MitM attack to succeed, the attacker would have to fool you into connecting to a host that looks similar to your intended web destination, like www.paypa1.com (note, the ell is now a one). This commonly happens in phishing emails because they use HTML to disguise the true URL you connect to when you click on the supposed “update your account” link. If you do click on the link, the MitM attack succeeds because the browser is connecting to an HTTPS site with a valid certificate (www.paypa1.com). The attacker makes a 2nd connection from their site to www.paypal.com, passing the data back and forth - all the while, you think you’re connected to PayPal. At this point, the attacker can simply read the data, recording your username, password, bank account info, etc. or they may even change it, depending on their goals at the time.
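The hostname check the browser performs, as an added example (not code from the original post): a simplified matcher for the certificate's DNS names, including the usual single-label wildcard rule, applied to the www.paypal.com / www.paypa1.com case above. The rules are a simplification of RFC 6125 and the sample names are constructed; the point it demonstrates is that a lookalike domain with its own legitimately issued certificate passes the check, so the name in the address bar has to be read by a human.

```python
from typing import List


def hostname_matches(cert_names: List[str], hostname: str) -> bool:
    """Return True if `hostname` matches one of the certificate's DNS names.

    Simplified rules (after RFC 6125):
      - comparison is case-insensitive and ignores a trailing dot
      - '*' is allowed only as the whole leftmost label and matches exactly one label
      - a wildcard must leave at least two fixed labels (so '*.com' is refused)
    """
    host = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue                      # wildcard never spans several labels
        if labels[0] == "*":
            if len(labels) < 3:
                continue                  # refuse '*.com' style wildcards
            if labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False


def browser_check(cert_names: List[str], url_host: str) -> str:
    """What the browser does with the result: a warning on mismatch, silence otherwise."""
    if hostname_matches(cert_names, url_host):
        return "ok"
    return "warning: certificate name does not match " + url_host


if __name__ == "__main__":
    # Constructed certificates: a real one for PayPal, and a real one for the lookalike.
    paypal_cert = ["www.paypal.com", "paypal.com"]
    lookalike_cert = ["www.paypa1.com"]
    print(browser_check(paypal_cert, "www.paypal.com"))       # ok
    print(browser_check(paypal_cert, "www.paypa1.com"))       # warning (cert/URL mismatch)
    print(browser_check(lookalike_cert, "www.paypa1.com"))    # ok: the check cannot catch this
```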
“What about the message that started this book you’re writing?”
The message that started all this comes from the SSH protocol. SSH provides all 3 features we want: identification, message integrity and protection. The message is a warning about the identification phase of an SSH connection. When SSH is set up on the server, host keys are generated. These are similar to SSL certificates except there is no 3rd party CA. When you connect to an SSH server with a client (like PuTTY or SecureCRT), you are presented with the host key of the server. At this point, you can accept it or reject it. When you accept it, it gets recorded for later reference. If you reject it, communication stops.
“Without a CA, how do you know you’re connecting to the server you think you are?”
Good question. A host key looks like a lot of random, senseless data. You can get what’s called a “fingerprint” of the host key. This fingerprint is intended to be shared among those who will be connecting to the system and it is much easier to read than a host key itself. When folks want to connect to the server for the first time, their SSH client will show them the fingerprint for the host key presented to it and they can compare that fingerprint with the one they got earlier. If they match, they know the host key is genuine and they can store it for later connections. If they don’t match, they know they aren’t talking to the system they thought they were and can drop the connection without compromising security. The distribution of key fingerprints is left up to the folks managing the systems.
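The identification step described in the last two answers, as an added example (not code from the original post or from any SSH client): it builds an OpenSSH-format host key line from a constructed RSA modulus, computes the fingerprint in both the classic colon-separated MD5 form and the newer SHA256 form, and mimics the client's decision on first contact (compare against the fingerprint you got out of band) and on later connections (compare against the recorded key, which is where the warning comes from). `check_host_key`, the in-memory `known_hosts` dict and the key material are all assumptions for this demo.

```python
import base64
import hashlib
import struct
from typing import Dict, Optional


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH 'mpint' for a positive integer: minimal big-endian bytes, with a leading
    zero byte when the top bit is set (the +8 instead of +7 reserves it)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_rsa_host_key(e: int, n: int) -> str:
    """Build an OpenSSH 'ssh-rsa <base64>' public key line from (e, n).
    CONSTRUCTED demo data: the modulus is not a real key."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()


def fingerprints(key_line: str) -> Dict[str, str]:
    """Fingerprints of a host key: hex MD5 with colons (the 2007-era form) and
    'SHA256:' plus unpadded base64 of the SHA-256 digest (current OpenSSH form)."""
    blob = base64.b64decode(key_line.split()[1])
    md5_hex = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}


def check_host_key(known_hosts: Dict[str, str], host: str, key_line: str,
                   expected_fp: Optional[str] = None) -> str:
    """Mimic an SSH client's identification step. Returns one of:
      'ok'      - presented key is identical to the one recorded for this host
      'changed' - recorded key differs: the warning case, treat as possible MitM
      'new'     - first contact and the fingerprint matches the out-of-band value; record it
      'reject'  - first contact and no (or a wrong) out-of-band fingerprint: do not trust it
    """
    if host in known_hosts:
        return "ok" if known_hosts[host] == key_line else "changed"
    if expected_fp is not None and expected_fp in fingerprints(key_line).values():
        known_hosts[host] = key_line
        return "new"
    return "reject"
```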
“Anything else I should know?”
Tons. I would encourage you to get more educated about encryption. There’s more to it than math and weird names. There is a pretty serious political atmosphere surrounding it and if you start researching it, you’ll find out just how far reaching encryption is and why it’s so important.
Some links to get you started:
http://www.philzimmermann.com/EN/background/index.html
http://www.schneier.com/
http://en.wikipedia.org/wiki/Whitfield_Diffie