Once, a long, long time ago, I was ushered into a hotel room at a tech conference and only to find out it was a trick to convert me to the religion of libertarianism. The hard sell fast in place, an Apple Newton was shoved in my hands and I was asked to take a "libertarian quiz". Apparently, that Newton is still alive today.
If anybody knows of a libertarian quiz application for Mac OS X, that blogger could use one for her conversion from Newton to Air.
P.S. I did eventually become a libertarian, but not that day. If they had wanted to convert me, they should have given me a gun not a PDA as that is what finally flipped me over the wall.
Monday, January 31, 2011
Sunday, January 23, 2011
Black Man Wrongly Convicted in Self Defense Shooting of A White Man
In 2005, John McNeil rushed to the aid of his son who had been threatened in the family's backyard by Brian Epp with a knife. When McNeil arrived on the scene, Epp charged toward him. McNeil pulled his gun and fired a warning shot into the ground. But Epp kept coming until McNeil ended the situation with a single shot to the head. In 2006, McNeil was convicted of felony murder despite a police investigation that found the shooting to be self defense, eye witness testimony backing up that claim, and character witnesses testifying to the ill-temper of Epp.
McNeil also lost on appeal to the Georgia Supreme Court in 2008. However, Chief Justice Leah Ward Sears dissented saying:
It does appear that well-known gun rights advocate David Codrea did touch on this story a couple of months back, but his column descended into the issue of the NAACP's anti-gun stance instead of truly focusing on what appears to be a miscarriage of justice. That's unfortunate, especially since the national NAACP has no official anti-gun stance -- or so they said to Kenn Blanchard. The anti-gun activities are the products of the state and local chapters.
The gun-unfriendly nature of the NAACP and whether or not John McNeil is black and Brian Epp was white are irrelevant. What has happened here is that a man has been wrongly convicted in a self-defense shooting and pressure needs to be applied to correct this injustice. Perhaps the Governor of Georgia can be persuaded to grant McNeil a pardon. In the interests of black people and white people and people who care about the natural right to self defense, this case needs more publicity.
Interestingly, there is one more nexus between this story and gun rights. This shooting took place in Kennesaw, Georgia. In 1982, Kennesaw passed a law requiring every household to maintain and have a firearm. While the law is not really enforced and contains a loophole for anybody who doesn't want to abide by it, the city was responding to a gun ban in Morton Grove, Ill. and taking a stand for gun rights.
Links:
Justice for John McNeil - PDF of a glossy with lots of information.
NAACP armed defense endorsement is inconsistent with group's anti-gun stance - David Codrea's column.
S08A1221. McNEIL v. THE STATE. - from the GA Supreme Court
Another Black Man Convicted of Murder Charge Gets Life in Prison: He Says it Was Self-Defense
199 Good Year - the Urban Shooter Podcast episode where Kenn Blanchard discusses this case.
Self Defense Leads to a Life Sentence in Georgia -- NAACP press release.
McNeil also lost on appeal to the Georgia Supreme Court in 2008. However, Chief Justice Leah Ward Sears dissented saying:
I share the majority’s reluctance to overturn a jury verdict. However, I conclude that no rational trier of fact could find, based on the evidence presented at trial, that the State disproved McNeil’s claim of self-defense beyond a reasonable doubt. Accordingly, I must dissent.Epp was white. McNeil is black. Sears is also black. Could this be an issue of the justice system mistreating a man due to his race? It certainly wouldn't be the first time a person has been convicted in a righteous self defense shooting, but the only people taking notice of this case seem to be black. The NAACP says "Ask why gun rights advocates have not supported John McNeil." The answer is probably that most of us have never heard of this case. I only found out about it after listening to Kenn Blanchards's (The Black Man With A Gun) Urban Shooter Podcast, and he only heard about it because the NAACP called him. I can't find an article on it in either the Atlanta Journal Constitution or the Marietta Daily Journal (Marietta is the county-seat of Cobb County, where the shooting occurred).
It does appear that well-known gun rights advocate David Codrea did touch on this story a couple of months back, but his column descended into the issue of the NAACP's anti-gun stance instead of truly focusing on what appears to be a miscarriage of justice. That's unfortunate, especially since the national NAACP has no official anti-gun stance -- or so they said to Kenn Blanchard. The anti-gun activities are the products of the state and local chapters.
The gun-unfriendly nature of the NAACP and whether or not John McNeil is black and Brian Epp was white are irrelevant. What has happened here is that a man has been wrongly convicted in a self-defense shooting and pressure needs to be applied to correct this injustice. Perhaps the Governor of Georgia can be persuaded to grant McNeil a pardon. In the interests of black people and white people and people who care about the natural right to self defense, this case needs more publicity.
Interestingly, there is one more nexus between this story and gun rights. This shooting took place in Kennesaw, Georgia. In 1982, Kennesaw passed a law requiring every household to maintain and have a firearm. While the law is not really enforced and contains a loophole for anybody who doesn't want to abide by it, the city was responding to a gun ban in Morton Grove, Ill. and taking a stand for gun rights.
Links:
Justice for John McNeil - PDF of a glossy with lots of information.
NAACP armed defense endorsement is inconsistent with group's anti-gun stance - David Codrea's column.
S08A1221. McNEIL v. THE STATE. - from the GA Supreme Court
Another Black Man Convicted of Murder Charge Gets Life in Prison: He Says it Was Self-Defense
199 Good Year - the Urban Shooter Podcast episode where Kenn Blanchard discusses this case.
Self Defense Leads to a Life Sentence in Georgia -- NAACP press release.
Thursday, January 20, 2011
Some ASN.1 Goodies
If, like me, you are in a situation where your boss hates you and has you working on an ASN.1 project, I found a handy-dandy little program for dumping ASN.1 DER crap by Peter Gutmann. It is an old school C program, but I got it to compile on Linux and MacOS with zero difficulty. Just download the source (dumpasn1.c) and the config file (dumpasn1.cfg). Put them in the same directory, and then in that directory issue the following command: gcc -o dumpasn1 dumpasn1.c
The executable will be dumpans1, which if you run it without arguments gives you the options it takes. Running it on some piece of crap DER file will give you something like this:
0 16: SEQUENCE {
2 14: [0] {
4 12: SEQUENCE {
6 10: SEQUENCE {
8 1: INTEGER 0
11 5: INTEGER 00 FF FF FF FF
: }
: }
: }
: }
The executable will be dumpans1, which if you run it without arguments gives you the options it takes. Running it on some piece of crap DER file will give you something like this:
0 16: SEQUENCE {
2 14: [0] {
4 12: SEQUENCE {
6 10: SEQUENCE {
8 1: INTEGER 0
11 5: INTEGER 00 FF FF FF FF
: }
: }
: }
: }
Very slick, huh? Peter Gutmann notes on his web page that there is a Windows GUI version and ports in Javascript and PHP.
It sure beats reading a primer guide to ASN.1 and DER like this one and then trying to decode a hex dump.
Saturday, January 15, 2011
ASN.1 is INSANE!
I'm neck deep into some X.509 and ASN.1 coding shit and thought I'd take a moment to express just how insane it is. Holy crap is this unnecessarily complicated! And to think, there are people who believe XML is hard.
I realize that somewhere along the way they decided that implicit tagging was better than explicit tagging or vice versa or whatever, but instead of trying to make something backwards compatible what they should have done was stop, get some coffee, and realize the whole thing should be redone from scratch. And don't get me started on the tag classes. Who the F#@! came up with that! Then there is the multiple encodings... and dear heavens... BER! Seriously, if you end up with a binary encoding that can accidentally encode the same binary data in more than one way, its time to switch the brand of glue you are sniffing. "Basic" my ass!
As if all of that weren't bad enough, it would appear there was more crazy juice to go around when the IETF scribbled out RFC 3280. That would be the standard for the PKIX profile of X.509 public key certificates used in things like SSL/TLS, etc... It's got two different ASN.1 modules in Appendix A. What! Ones for implicit tags and the other for explicit tags, the first one being some bastardization of the ASN.1 notation that actually doesn't work (says so right there in the RFC) because the IETF didn't think the ASN.1 standard was fucked up enough... so they fucked it some more.
The "What Brand of Crack Were They On" doesn't end there. I'm looking at a specification right now that mixes all the wonder above with CMS protocol data units passed over HTTP that encapsulate XML, some of which has elements consisting of base-64 encoded DER data. ERRGGGG!!!
I realize that somewhere along the way they decided that implicit tagging was better than explicit tagging or vice versa or whatever, but instead of trying to make something backwards compatible what they should have done was stop, get some coffee, and realize the whole thing should be redone from scratch. And don't get me started on the tag classes. Who the F#@! came up with that! Then there is the multiple encodings... and dear heavens... BER! Seriously, if you end up with a binary encoding that can accidentally encode the same binary data in more than one way, its time to switch the brand of glue you are sniffing. "Basic" my ass!
As if all of that weren't bad enough, it would appear there was more crazy juice to go around when the IETF scribbled out RFC 3280. That would be the standard for the PKIX profile of X.509 public key certificates used in things like SSL/TLS, etc... It's got two different ASN.1 modules in Appendix A. What! Ones for implicit tags and the other for explicit tags, the first one being some bastardization of the ASN.1 notation that actually doesn't work (says so right there in the RFC) because the IETF didn't think the ASN.1 standard was fucked up enough... so they fucked it some more.
The "What Brand of Crack Were They On" doesn't end there. I'm looking at a specification right now that mixes all the wonder above with CMS protocol data units passed over HTTP that encapsulate XML, some of which has elements consisting of base-64 encoded DER data. ERRGGGG!!!
Saturday, January 8, 2011
A Long, Rambling Post about Hardware Security Modules
If you have ever wondered what makes digital communications over the Internet secure, you'd probably find out that one of the essential schemes in all the hokus pokus is a little mathematical wizardry called public/private key cryptography. And if you have ever wondered how those private parts of public/private key cryptography are kept... well... private, you'd probably discover that there is this whole tech cottage industry for producing Hardware Security Modules or HSMs (obligatory Wikipedia link). I've got a current project underway using one, so I thought I jot down a few of things I've learned. If you want a good overview of these things, consult this SANS Institute paper.
An HSM is a tamper-evident piece of hardware, and the basic thing an HSM does is keep a private key inaccessible while allowing operations to be performed with that key from a client process. That basic software call references the private key via a handle with instructions to decrypt or sign blobs of data -- not unlike file I/O. PKCS#11 is the API standard upon which many HSMs can be commanded.
From what I can gather, the first bit of gear to be generally considered an HSM was the BBN SafeKeyper, first introduced in the early-to-mid 1990's. It was essentially a sealed box with a physical key hole for a set of physical keys. The physical keys were used by security officers to stop computer operations staff from using the SafeKeyper for anything but sanctioned operations. Mention of the BBN SafeKeyper goes back to early drafts of Public Key Infrastructure (PKI) standards and is mentioned explicitly in many of the first books on the subject. My understanding is that BBN no longer makes the SafeKeyper.
About five years ago I worked along side another team of programmers who had a Luna SA, also a sealed box with physical keys for security officers (from what I can tell, this is no longer true). Instead of looking like metal car keys (as I'm told was the case with the SafeKeypers), they were plastic and of varying color. When together on a key ring, they looked very much like a play toy for infants and toddlers.
The sealed boxes or appliances have one very big draw back: the number of private keys they can secure is limited by the amount of memory contained within. For any application where a large number of private keys must be kept from prying eyes, scaling out these HSMs becomes costly and operationally burdensome. I can only think of one type of Internet-scale application that would need this traditionally, and that would be web hosting with SSL or TLS (i.e. a web hosting provider needing to host many sites with separate SSL or TLS certificates for use in secure web transactions).
But two new types of hosting are now upon us. With the signing of the DNS roots, the use of DNSSEC is expected to become much more prevalent. And DNS hosting providers, with their thousands upon thousands of DNS zones, will need methods for ensuring that thousands upon thousands of private DNSSEC keys stay private. Already there is OpenDNSSEC, which interfaces with HSMs to keep the private keys secured.
The other type of hosting soon to be here will be related to the routing of the Internet and will be RPKI hosting. That's what I am up to, though there will probably only be a handful of organizations in the world that end up doing it. DNSSEC hosting will likely see a greater need.
To overcome this, many vendors have created HSMs fully contained on a PCI card. These HSMs have the ability to use the storage of the host computer for storing private keys. This works by encrypting the key storage on the host computer with a secret key contained in the HSM, making the keys stored on disk useful only to the HSM. Theoretically, this scheme lets an HSM secure as many private keys as can be stored or even retrieved by the host system... for most practical purposes, that would be an infinite number. I say theoretical, but I do know of one vendor with a crude implementation of this host based storage where the key storage file must be entirely decrypted just to use one key from the file reducing the effective capacity to just over 5,000 keys.
When using a PCI-based HSM, it is recommended to try them out first because there may be other gotchas. Once one of my engineers casually reported to me in passing that he could read the private keys held by the HSM of another vendor. To which I responded, "Isn't that exactly what the HSM is not suppose to allow us to do?" An investigation ensued, and we soon discovered that this particular device defaulted -- DEFAULTED -- to insecure key storage and had to be explicitly configured to do the proper thing.
Some HSMs can be loaded with custom programs that run inside the secure confines of the device. This has many uses, such as putting custom security logic inside the HSM. Typically, an HSM will sign any piece of data without knowing what it is. If there were a need for the HSM to make the authorization decisions about what to sign and what not to sign, writing custom code in the HSM would be the way to go.
One such programmable HSM is the IBM 4764, successor to the IBM 4758. The 4764 is a PCI-X card containing a secured PowerPC-based Linux processor and custom hardware for many of the cryptographic functions (the 4758 was an Intel x86 based OS/2 processor). The 4764 can run standard PKCS#11 software, can run custom program right on top of the embedded Linux kernel, or can run IBM's Common Cryptographic Architecture (CCA) with custom extensions. The IBM 4764 is slated to be replaced by the IBM 4765, which is already available for IBM zSeries mainframes (the 4765 is also a PowerPC-based Linux processor).
Finally, there are a few security standards which define how good an HSM is at a particular job. The most common standard for this is the FIPS 140-2 standard set by the US government. Its not hard to find HSMs that meet Level 3 and Level 4 of the standard.
And there you go... a rambling overview of Hardware Security Modules. Hopefully I've provided enough links to various topics that if you need to use one of these marvels for this tech cottage industry, you can get to the information you need quickly.
An HSM is a tamper-evident piece of hardware, and the basic thing an HSM does is keep a private key inaccessible while allowing operations to be performed with that key from a client process. That basic software call references the private key via a handle with instructions to decrypt or sign blobs of data -- not unlike file I/O. PKCS#11 is the API standard upon which many HSMs can be commanded.
From what I can gather, the first bit of gear to be generally considered an HSM was the BBN SafeKeyper, first introduced in the early-to-mid 1990's. It was essentially a sealed box with a physical key hole for a set of physical keys. The physical keys were used by security officers to stop computer operations staff from using the SafeKeyper for anything but sanctioned operations. Mention of the BBN SafeKeyper goes back to early drafts of Public Key Infrastructure (PKI) standards and is mentioned explicitly in many of the first books on the subject. My understanding is that BBN no longer makes the SafeKeyper.
About five years ago I worked along side another team of programmers who had a Luna SA, also a sealed box with physical keys for security officers (from what I can tell, this is no longer true). Instead of looking like metal car keys (as I'm told was the case with the SafeKeypers), they were plastic and of varying color. When together on a key ring, they looked very much like a play toy for infants and toddlers.
The sealed boxes or appliances have one very big draw back: the number of private keys they can secure is limited by the amount of memory contained within. For any application where a large number of private keys must be kept from prying eyes, scaling out these HSMs becomes costly and operationally burdensome. I can only think of one type of Internet-scale application that would need this traditionally, and that would be web hosting with SSL or TLS (i.e. a web hosting provider needing to host many sites with separate SSL or TLS certificates for use in secure web transactions).
But two new types of hosting are now upon us. With the signing of the DNS roots, the use of DNSSEC is expected to become much more prevalent. And DNS hosting providers, with their thousands upon thousands of DNS zones, will need methods for ensuring that thousands upon thousands of private DNSSEC keys stay private. Already there is OpenDNSSEC, which interfaces with HSMs to keep the private keys secured.
The other type of hosting soon to be here will be related to the routing of the Internet and will be RPKI hosting. That's what I am up to, though there will probably only be a handful of organizations in the world that end up doing it. DNSSEC hosting will likely see a greater need.
To overcome this, many vendors have created HSMs fully contained on a PCI card. These HSMs have the ability to use the storage of the host computer for storing private keys. This works by encrypting the key storage on the host computer with a secret key contained in the HSM, making the keys stored on disk useful only to the HSM. Theoretically, this scheme lets an HSM secure as many private keys as can be stored or even retrieved by the host system... for most practical purposes, that would be an infinite number. I say theoretical, but I do know of one vendor with a crude implementation of this host based storage where the key storage file must be entirely decrypted just to use one key from the file reducing the effective capacity to just over 5,000 keys.
When using a PCI-based HSM, it is recommended to try them out first because there may be other gotchas. Once one of my engineers casually reported to me in passing that he could read the private keys held by the HSM of another vendor. To which I responded, "Isn't that exactly what the HSM is not suppose to allow us to do?" An investigation ensued, and we soon discovered that this particular device defaulted -- DEFAULTED -- to insecure key storage and had to be explicitly configured to do the proper thing.
Some HSMs can be loaded with custom programs that run inside the secure confines of the device. This has many uses, such as putting custom security logic inside the HSM. Typically, an HSM will sign any piece of data without knowing what it is. If there were a need for the HSM to make the authorization decisions about what to sign and what not to sign, writing custom code in the HSM would be the way to go.
One such programmable HSM is the IBM 4764, successor to the IBM 4758. The 4764 is a PCI-X card containing a secured PowerPC-based Linux processor and custom hardware for many of the cryptographic functions (the 4758 was an Intel x86 based OS/2 processor). The 4764 can run standard PKCS#11 software, can run custom program right on top of the embedded Linux kernel, or can run IBM's Common Cryptographic Architecture (CCA) with custom extensions. The IBM 4764 is slated to be replaced by the IBM 4765, which is already available for IBM zSeries mainframes (the 4765 is also a PowerPC-based Linux processor).
Finally, there are a few security standards which define how good an HSM is at a particular job. The most common standard for this is the FIPS 140-2 standard set by the US government. Its not hard to find HSMs that meet Level 3 and Level 4 of the standard.
And there you go... a rambling overview of Hardware Security Modules. Hopefully I've provided enough links to various topics that if you need to use one of these marvels for this tech cottage industry, you can get to the information you need quickly.
Monday, January 3, 2011
New Workstation
We got our new Dell workstations (as I mentioned previously) while I was out on vacation, and I have spent most of the day getting mine setup. They are pretty sweet: 4 cores at 3.9GHz, 12G of memory, and two 24 inch displays.
They came with Windows 7 Professional pre-installed. Apparently I was the only developer who even gave that a passing glance before installing Ubuntu over the top of it.
They came with Windows 7 Professional pre-installed. Apparently I was the only developer who even gave that a passing glance before installing Ubuntu over the top of it.
Sunday, January 2, 2011
Tech Cults
Bret Arends in the Wall Street Journal Online in December on reasons not to buy an iPad:
Windows 95 was suppose to be the 32-bit follow-on to Windows 3.1, but it was only partly 32-bit and employed a 16-bit to 32-bit "thunking" hack. And everybody knew it too, but none of the Microsoft worshippers cared... even though there were already well established 32-bit OSes from other vendors and sources. It didn't matter, they wanted "Windows 95". They lined up at stores waiting for the software to go on sale at midnight. And they did it again three years later for Windows 98.
In the mid-90's, the Microsoft cult creeped me out. I remember installing a Linux FTP server for my company in 1996, only to have the IT director replace it with a Windows 95 FTP server. There was nothing wrong with the Linux server, but he just wanted a Microsoft solution. It didn't matter that you could telnet into the FTP port and type some random garbage and the Windows server would go tits-up. Nope, he didn't care. It had to be Microsoft! He once replaced the company's OS/2 based Lotus Notes server with a Windows NT based Lotus Notes server just because it had to be Microsoft. And he wasn't close to the only person I ever ran into with this attitude. Heck, I still know people who won't use anything other than Windows.
The fact is tech cults exist. They come in many shapes and sizes. Before Microsoft, it use to be "Nobody ever got fired for buying IBM." But as the tech has become more personal, the tech cults have become more noticeable.
When the slide-ruler generation was battling it out between IBM and DEC, the winner seldom affected the every-day lives of many people. Even the Windows vs. OS/2 wars didn't impact everybody all the time, as in those days PCs in the home were less common and most often they were desktops, not laptops. But the tech cults we have today are duking it out with netbooks, tablets, and smart phones... devices meant to be carried around most of the day... technology that is much more personable than ever before. So yeah, the Apple fanboys lining up at the mall are going overboard. But at least they are being passionate about a bit of kit that is within them every waking moment.
OK, I already knew about the fans. Last summer, three-quarters of the people standing in line so they could buy the new iPhone the moment it went on sale already owned an iPhone. But now it's the company, too. Look at how it reacted last spring, when a Silicon Valley blogger scooped an early iPhone 4: Next thing he knew he was being handcuffed on his lawn in front of his wife while police ransacked his house. And think of Steve Jobs, complaining that news coverage of the iPhone 4's troubled aerial had been "blown so out of proportion that it's incredible." Hmmm, out-of-proportion media coverage—you sure you want to go there, Steve? This is the guy marketing a new telephone under the slogan "This changes everything. Again." Maybe this stuff shouldn't matter to me, but I have to confess it's turning me off.I wonder if he was ever similarly turned off by the last popular tech cult, one in which a lot of people are still active, Microsoft? Because if you look back 15 years ago at the Windows 95 launch, it was about the same. There was crazy, lame marketing by Microsoft complete with hiring the Rolling Stones and Jay Leno and a huge publicity campaign complete with a tent-city launch and giant screen videos.
Windows 95 was suppose to be the 32-bit follow-on to Windows 3.1, but it was only partly 32-bit and employed a 16-bit to 32-bit "thunking" hack. And everybody knew it too, but none of the Microsoft worshippers cared... even though there were already well established 32-bit OSes from other vendors and sources. It didn't matter, they wanted "Windows 95". They lined up at stores waiting for the software to go on sale at midnight. And they did it again three years later for Windows 98.
In the mid-90's, the Microsoft cult creeped me out. I remember installing a Linux FTP server for my company in 1996, only to have the IT director replace it with a Windows 95 FTP server. There was nothing wrong with the Linux server, but he just wanted a Microsoft solution. It didn't matter that you could telnet into the FTP port and type some random garbage and the Windows server would go tits-up. Nope, he didn't care. It had to be Microsoft! He once replaced the company's OS/2 based Lotus Notes server with a Windows NT based Lotus Notes server just because it had to be Microsoft. And he wasn't close to the only person I ever ran into with this attitude. Heck, I still know people who won't use anything other than Windows.
The fact is tech cults exist. They come in many shapes and sizes. Before Microsoft, it use to be "Nobody ever got fired for buying IBM." But as the tech has become more personal, the tech cults have become more noticeable.
When the slide-ruler generation was battling it out between IBM and DEC, the winner seldom affected the every-day lives of many people. Even the Windows vs. OS/2 wars didn't impact everybody all the time, as in those days PCs in the home were less common and most often they were desktops, not laptops. But the tech cults we have today are duking it out with netbooks, tablets, and smart phones... devices meant to be carried around most of the day... technology that is much more personable than ever before. So yeah, the Apple fanboys lining up at the mall are going overboard. But at least they are being passionate about a bit of kit that is within them every waking moment.
Saturday, January 1, 2011
Happy New Year
Happy New Year to all. And in case you accidentally clicked on a horrible video link posted by some douche, here's a much better song to start the new year with... including a great fight scene.
Subscribe to:
Posts (Atom)