
February 28, 2005

I'm a notary in the spider web of trust, yeah yeah!

Yippehhh... From today, I'm a proud Thawte notary. To explain what that means, I need to give you a little background in cryptography. In recent years, algorithms have been developed to make e-mail communication more secure. In particular, they ensure two things: 1) that e-mails cannot be read by anyone else but the intended recipient and 2) that the authorship of a particular e-mail can be verified, which also implies that any alteration of the e-mail on the way will be detected. Don't forget that anyone can, in principle, send e-mail that appears to come from a different person, or from any e-mail address they choose.

Thawte is a South African company (owned by American Verisign) specializing in internet security, and their Web of Trust supports both goals stated above. Here's how it works: suppose you'd like to digitally sign your e-mails, proving that you're their author or that you approve of the content. In order to do so, Thawte acts as a third party that vouches that the e-mail comes from you. They don't need to see the particular e-mail - they just give you something like a digital passport, which is called a certificate. To get such a passport, you have to see a notary - like me - in person, and show him or her your real-life passport or other proof of identity. You actually have to see more than just one notary. Then, you can get a digital passport (certificate) from Thawte, which allows you to sign your e-mails with your name. Because you have a certificate with your name on it, others can encrypt e-mail to you and be sure that only you can read it. (More explanations here.)

By the way, you can get started right away, even without seeing a notary in person. Just get a free personal certificate from them (it's all free, by the way!), and start signing your e-mail now. Without notarization, your e-mail will be signed only with your e-mail address, not with your name. That's because Thawte hasn't yet verified that the address belongs to your name!

And if you're based in Edinburgh, pay me a visit and I'll notarize you.

Why did I become a notary? I thought it would be nice to meet people. But honestly - it's probably just some geeky gratification that I get from being an early adopter, campaigning for better e-mail security.

Posted by dr at 2:25 PM | Comments (1) | TrackBack

February 27, 2005

Scamming the scammers

"I am Alan McAidan and I'm interested in your Canon EOS300D Digital camera for sale.Please aquiant me with your last offer and the pictures too."

Judging from the language, it's not surprising that this somewhat old-fashioned query reached me from a former British colony - and not from Belgium, as the guy pretended. It was one of many scam e-mails that I have received.

Of course, Alan McAidan is just a fake name, trimmed to be a little Irish - after all, I had put up an ad on the Irish website Buy&Sell: I was selling a digital camera. That was the ad that "Alan" replied to. Unfortunately, Alan used a different name in the e-mail address, Leonard Mupettre. A glance at the technical gibberish in the e-mail headers revealed that it was actually sent from the Vic Biz Cyber Café located in Benin City. This didn't sound like a promising deal. I played along, and, as expected, I was asked to receive a cheque for some $5000, cash it and return the change to some obscure 'business partner'. Of course, the cheque would have been fake, and I would have lost a nice chunk of money.

What happens if you go all the way? I just found someone who likes to scam the scammers. I loved the story about Frank Kabongo, a Nigerian scam artist, as he loses some $220 when his seemingly innocent victim turns the tables on him... and tricks him into sending a "guarantee fee". It's complete with recordings of phone conversations and letters - highly enjoyable. Another one is here - the 'victim' even puts on a fake Irish accent (hilarious!).

Posted by dr at 12:31 PM | Comments (1) | TrackBack

February 21, 2005

Places I've been, things I've seen

I wasted some time a while ago trying to find out how many places I've been to in my (young) life. In my former job, I got to travel a lot (mainly scientific conferences and project meetings), and I also made it to Australia on a long vacation. So I thought I had covered a bit of the world - nada! The results were surprising.
[world map of places visited: dr-places.jpg]
So far, I have missed large parts of the world! All of Africa, Russia, China, India, the whole of South America - they're all virgin, speaking from a David-centric viewpoint! I've got lots of travelling to do...

In case you were wondering: I wrote a little program that just takes a list of place names, finds out where exactly (latitude, longitude) they are and plots the results on a world map of variable size. Let me know if you'd like the code.

Posted by dr at 2:26 PM | Comments (2) | TrackBack

February 18, 2005

Blog spam: nonsense in the blogosphere

A new form of spam is on the horizon: Blog Spam. For a while now I've noticed items popping up as new, time and again, in my Technorati RSS feeds that show me new entries for some keywords. "Cheap Web Hosting" is one of them. As you can easily see, it's just a collection of keywords that obviously attract visitors.

In principle, spammers are following a beaten path here: search engine spam is an old phenomenon. People just put up junk on the web, stuffed with some highly sought-after keywords. Thousands of junk sites link to a few online shops, only to make those sites turn up first in Google and other search engines. What is new is that they try to use content-rich blog platforms: Blogger and the like potentially have a high site ranking, or, if you want to call it that, a high credibility among the search engines. Of course, this depends on the ranking algorithm used by the search engine.

Comment spam essentially does the same: millions of junk comments on innocent people's blogs, which contain links to just a few targets that deal with online gambling. An alliance of Google and the makers of content management systems like Movable Type has developed a response: the blog systems now tag every link posted in a comment (assigning rel="nofollow" to the link), so that search engines can simply ignore those links when ranking. Maybe that's why a few spammers are trying to get their feet wet in even muddier waters. They produce not just comments, but whole blogs, with dozens of nonsense entries in just one day.

Often, these guys just mark all of their entries as updated -- daily. This will bring up their nonsense entries as a top search result on blog search engines like Technorati. Of course, the spammer can freely link to some target sites from there - however, that wouldn't be his main concern, as he could do so with any web site.

To tackle this problem, free blogspace providers such as Blogger will have to do something about people who create blogs automatically, and maybe they will have to aggressively delete blogs which aren't filled with proper, editorial content. Search engines, on the other hand, will need to employ more sophisticated techniques to determine the value - and thus the ranking - of content. It would be interesting to investigate technical methods for determining which content is actually edited and which is just junk. Techniques from natural language processing and models from information theory might be a good starting point for this endeavour.

Posted by dr at 3:47 PM | Comments (1) | TrackBack

February 15, 2005

Txt msgs from Dublin, Ireland

[photo: dub-jervis.jpg]

Emergency Brake - 2000 EURO fine

Posted by dr at 11:45 AM | Comments (0) | TrackBack

February 9, 2005

Rocky is back!

Rocky is back - this animation is hilarious.

[image: rocky.jpg]

Posted by dr at 11:13 AM | Comments (1) | TrackBack

February 4, 2005

Maus - A Survivor's Tale: the Third Reich in a Comic

An expression of the tragic with comical means: that's a predominantly Jewish virtue, and probably only a Jew could legitimately use the light-weight means of a cartoon to depict the horror of the Holocaust.

I finished reading Art Spiegelman's MAUS the other day, a Pulitzer-Prize winning series of cartoon books, depicting in black&white drawings how his father survived the Third Reich.

Vladek, a wealthy and smart Jewish Pole, had just started a family when Nazi Germany invaded Poland in 1939 and slowly began to destroy his life. He and his wife end up in concentration camps. Thanks to their wit, contacts and with (and maybe despite their) humanity towards their fellow Poles, they survived what was the worst ordeal in history. Their little boy did not. (His first wife Anna committed suicide in the 60's - survivor's guilt.)

Told with an autobiographic frame, where Vladek, as an ailing, sometimes difficult senior in New York, tells his life story to his son Art(ie), Spiegelman's cartoon has a lot of authenticity.
The Polish Jews are mice, the Nazis become cats, and after a bit of thinking, Artie finds an allegory for the French, too: frogs. Of course!

We'd better be glad we're not citizens of this animal kingdom - I for my part wouldn't know which animal to choose. Maus is probably already well-known among comic enthusiasts, yet it's a time-less and very worthwhile read.

Art Spiegelman, The complete MAUS
(European / UK version, US Version)
Highly recommended.

Posted by dr at 11:51 PM | Comments (0) | TrackBack

February 3, 2005

Selling music by subscription vs. human nature.

The music industry has been trying hard to spread the word about their music subscription models: they say they'll get rid of iTunes' model of selling songs one by one, and replace it with one where you pay a monthly fee to listen to (not necessarily download and own) whatever you want.

Once more, these guys couldn't be more wrong in their perception of what people want. Hadley Stern over at Applematters has a commentary from an economic and practical point of view. He argues, e.g., that the iPod doesn't support subscriptions. But I'd like to do a little more mind-reading of music customers like you and me.

The big issue is a psychological one: people like to own things, rather than paying for consumption. That's why so much money is spent on DVDs, even though you don't watch them very often, and just getting them as rentals would be much cheaper. In a situation where you don't have an alternative: yes, people pay for entertainment: cinema, theatre, bars, sometimes even pay TV. But if there's an alternative, that is, to buy songs for little money, they happily go for that.

Subscription models weaken the well-known collector's experience: we love to have a book collection, a CD collection, or an MP3 collection. We love to show it off to our friends, because we identify with the stuff we collect. Sometimes, songs even serve as keepsakes, stirring up old memories.

Subscriptions will have a place and will get the music fat cats a constant cash flow - but their market is limited. Subscriptions are for a dedicated, consumerist few. iTunes is for everyone.

Posted by dr at 12:25 PM | Comments (1) | TrackBack

February 2, 2005

Encryption: Create your own key in private, then get a Thawte cert!

Another adventure in the world of digital cryptography.

Last weekend, while over in Berlin, I managed to get two friendly Thawte notaries to take a look at my passport and then get Thawte to sign the digital key I use to sign e-mail. They verified that I am the person I claim to be, so somebody else can trust my digital signature. The notarization process is a nice thing, not only because it establishes trust by always having at least two notaries verify your identity, but also because you get to meet some random geeks in town!

As usual, I encountered some oddities. In the following, I'll describe my solutions to two problems. The first is a security issue: a certification authority such as Thawte may get the chance to see and store your private key, which is not a good thing. Whether that actually happens depends on how the key is enrolled: with browser-driven key generation (Mozilla's KEYGEN tag or Internet Explorer's certificate enrolment control) the key pair is created inside the browser and only the public key is submitted, but you have no easy way of checking what a given web form really does, so generating the key yourself with openssl is the only way to be certain that the private key never leaves your machine. The second issue is a technical problem that occurs only in Mac OS X: the Mac's keychain doesn't like to import several certificates for the same key pair. In the following, I assume you have a basic understanding of how public key infrastructure with X.509 certificates (for S/MIME e-mail encryption) works. You can read up on it in an earlier blog entry.

Once you have enough trust points, you will need to get a new certificate from Thawte. The first certificate they give you has no name in it, because they couldn't verify your name. The new one demonstrates that they believe your name to be authentic, not just your e-mail address.

However, the way Thawte is set up, it seems to generate a new secret/public key pair for every new certificate. That is annoying: people who still have your old certificate will keep encrypting to the old public key, so you have to hang on to the old private key to read their e-mail (see below), and everybody has to fetch your new certificate. The other problem is that Thawte then has the possibility of retaining your secret key, which is a big no-no, of course, as they - or some intelligence agency - could read your e-mail. Let's not be paranoid: Thawte is a company from South Africa, so it's not a US company within easy reach of CIA and NSA - although, as noted above, it is owned by American Verisign, so jurisdiction is no real protection. Either way, you want to guard your secret key closely and keep it on your machine at all times: a key you generated yourself and never uploaded is the only one nobody else can have a copy of.

I found this tutorial by Daniel Baker, who thankfully figured out how to generate a public/secret key pair locally with the openssl command, without going through Thawte's key generation process. Then, the public key is sent to Thawte using their special developer's option, and they sign it for you. It is sent back, needs to be post-processed a little and can then be imported into your own system. Daniel describes the process for Mac OS X, but it should work with little modification for Linux, and in principle on Windows, too.

There is one caveat I noticed on OS X 10.3. You may want to request multiple certificates using the same key pair: one for each e-mail address. (I use the same public/private key to reduce clutter.) However, when you import the certificates into your OS X keychain, it will complain that "the item already exists in your keychain". It will refuse to import any certificates but the first one. The reason seems to be that the .p12 file produced at the end of the tutorial always contains a copy of the secret key being certified, and OS X detects that this key is already present in the keychain. Unfortunately, it then abandons the whole import, certificate included!

The solution to this is to bundle all certificates into a single import file, as follows. Suppose you have three e-mail addresses and request one certificate for each. Download your certificates from Thawte and modify the files with a text editor as described in Daniel's tutorial. I assume you name them thawte-cert-email-A.txt through -C.txt. The next step is to convert the certificates with the following commands - note that all of the output goes into the same file (> creates it, >> appends to it):

openssl pkcs7 -print_certs -in thawte-cert-email-A.txt >deliver.certs
openssl pkcs7 -print_certs -in thawte-cert-email-B.txt >>deliver.certs
openssl pkcs7 -print_certs -in thawte-cert-email-C.txt >>deliver.certs

Then convert the combined certificates, together with your private key, to the binary PKCS#12 format that the keychain imports (openssl will prompt for an export password; pick a strong one, since it is all that protects the private key inside the file):

openssl pkcs12 -export -inkey mail.key -in deliver.certs -out mail.p12

The file mail.p12 now contains your key pair, the Thawte CA certificates that were included in the downloads, and one certificate for each e-mail address.
Before importing it, use Keychain Access (find it in /Applications/Utilities/) to move the private key that is already in your keychain - your old key - to a separate keychain. I recommend keeping it rather than deleting it, because you might still receive e-mail encrypted to your old key which you will want to decrypt at some point. Look for an entry of type 'private key'. Here's what that should look like:

keychain access screenshot

Create a new keychain, give it a meaningful name - such as 'old keys' - and drag&drop the private key there. It's a good idea to move your old public key and the old certificate - if you have one - for this key pair, too.

You can then import mail.p12 into the keychain by typing open mail.p12 in the Terminal.

Keychain Access will ask you, where to import it, and not complain about importing something that already exists. That's it!

A final tip: back up your key pair (file mail.key) and the certificate bundle mail.p12 in a safe place. Both files contain your private key - mail.key possibly unencrypted, depending on how you generated it, and mail.p12 protected only by its export password - so keep the backup offline or in an encrypted volume, and don't e-mail it to yourself.
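The whole procedure end to end, as an added example that is not from this post or from Daniel Baker's tutorial: a POSIX shell script that generates the key pair locally, issues three certificates for that one key (one per e-mail address), unpacks and concatenates them with the same openssl pkcs7 / pkcs12 commands as above, and then checks how many e-mail certificates the resulting mail.p12 actually holds. Because nothing can be sent to Thawte offline, a throwaway self-signed CA stands in for Thawte's issuing CA; the three addresses, the file names, the CA name and the export password are made up for the example. The point to watch is step 3: only the CSR files (public key plus name) would ever be handed to a CA, while mail.key stays put.

```shell
#!/bin/sh
# Added example, not code from the original post or from Daniel Baker's
# tutorial. A self-signed throwaway CA stands in for Thawte (assumption);
# the e-mail addresses and the export password are constructed sample data.
set -eu

# Builds mail.key / mail.p12 inside $1 and prints the number of
# e-mail certificates found in the finished PKCS#12 bundle.
build_mail_p12() {
    work=$1
    mkdir -p "$work"
    (
        cd "$work"

        # Minimal config so 'openssl req' works even where no openssl.cnf exists.
        printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf

        # 1. Generate the private key locally. This file never leaves the machine.
        openssl genrsa -out mail.key 2048 2>/dev/null

        # 2. Stand-in for Thawte's issuing CA (in reality Thawte holds this key).
        openssl req -config req.cnf -x509 -new -newkey rsa:2048 -nodes \
            -keyout ca.key -out ca.crt -days 30 \
            -subj "/CN=Stand-in Personal Freemail CA" 2>/dev/null

        # 3. One CSR per e-mail address, all from the SAME key pair. Only the
        #    CSR (public key + name) would be sent to the CA.
        : > deliver.certs
        n=0
        for addr in a@example.org b@example.org c@example.org; do
            n=$((n + 1))
            openssl req -config req.cnf -new -key mail.key -out "req$n.csr" \
                -subj "/CN=Test User/emailAddress=$addr"
            openssl x509 -req -in "req$n.csr" -CA ca.crt -CAkey ca.key \
                -CAcreateserial -days 30 -out "cert$n.crt" 2>/dev/null
            # Thawte delivered each certificate as a PKCS#7 bundle including the
            # chain; build the same shape here and unpack it exactly like the
            # post does, appending everything to one file.
            openssl crl2pkcs7 -nocrl -certfile "cert$n.crt" -certfile ca.crt \
                -out "thawte-cert-email-$n.txt"
            openssl pkcs7 -print_certs -in "thawte-cert-email-$n.txt" >> deliver.certs
        done

        # 4. One PKCS#12 holding the private key plus every certificate in
        #    deliver.certs. The export password is the only protection of the
        #    key inside mail.p12 (a real one must be strong, not this sample).
        openssl pkcs12 -export -inkey mail.key -in deliver.certs \
            -out mail.p12 -passout pass:example-only

        # 5. Check: list the certificates in the bundle and count the ones
        #    issued for an e-mail address (the CA certificate has none).
        openssl pkcs12 -in mail.p12 -nokeys -passin pass:example-only 2>/dev/null \
            | grep -c 'emailAddress'
    )
}

# Usage: sh thawte-p12.sh /tmp/thawte-demo
if [ $# -eq 1 ]; then
    build_mail_p12 "$1"
fi
```

The printed count is 3: all three end-entity certificates share mail.key and all three end up in the single mail.p12, which is exactly what makes the one-shot keychain import described above work. The keychain step itself is Mac-only and stays outside the script.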

Posted by dr at 11:14 AM | Comments (2) | TrackBack