Vacation

July 31st, 2008

I’m sitting on the balcony, with a quick summer thunderstorm pouring its rain down, cooling everything down. I love the rain, lightning and thunder, and a few days into my vacation I’m slowly getting into the pace where I can really enjoy it.

Yesterday I was at a friend’s place and watched movies. We saw In Bruges and Cinema Paradiso. I really liked the first one, with Colin Farrell for once being cast in a role that seems to suit him. One of the things that impressed me the most was the pacing of the first part of the film. It wasn’t slow or boring to watch, and at the same time it conveyed the strange slowness and contrast of two brutal hitmen being forced to walk around in medieval Bruges and succeeding more or less well in appreciating the architecture and culture. Step by step, hardly noticeable at first, the tempo increased and I got a strong sense of anticipation of the resolution that I rarely feel these days when watching film. The Shakespearean ending matched the rest quite well. All in all an excellent film.

Cinema Paradiso, on the other hand, was not what I had hoped for. Appearing at position 93 on the IMDb Top 250 movies of all time, my expectations were perhaps a bit too high. My tastes have a tendency to match the IMDb crowd most of the time, but obviously not here. I think the film was overly sentimental and slow, and I had a difficult time connecting with the young protagonist in the beginning, even though he was positively charming and severely beaten and yelled at on several occasions.

What made the experience somewhat enjoyable, despite the identification problems, was the beautiful scenography and wardrobe, as well as the occasional glimpse into the political climate of Italy in the mid 20th century. Yes, I positively love the sweater that teen Salvatore wears in one scene. Too bad you got to listen to far too many overly sentimental string arrangements. And that is from someone who loves Ennio Morricone and doesn’t have any problems with bombastic symphonic scores for lots of other films. Trying to end on a positive note, I am glad that I didn’t watch the Director’s Cut. 47 minutes longer.

The definition of irony

July 25th, 2008

It turns out that the very definition of irony is placed just outside my office window. It has been there for quite some time, including when we had our most intense rain storm this year.

 

The text reads “NOTE: The goods must be stored on a level surface in a dry place protected from rain”.

CentOS, here I come!

July 21st, 2008

With the release of CentOS 5.2 a while ago I decided that it was finally time to make the switch from Fedora on my primary work computer to something else. I have felt for a while now that the fast pace of Fedora, and its sometimes pretty serious regressions, have made it an increasingly bad fit for my operating system needs. I spend my working days doing software development in Java, and I need an operating system that I can be productive in, and yet a system that is stable enough and with enough long term planning and testing to not get in the way of my work.

So, I have made the switch and so far I’m happy with it. I’ll be back with some followup posts with info about adaptations and fixes for my new environment.

Perfect Forward Secrecy

July 17th, 2008

When thinking about the possibilities and problems with cryptography when it comes to protecting from a large and resourceful eavesdropping organization such as FRA, I found myself asking this question: If someone passively snoops encrypted web communication, is it possible to decrypt the information at a later date, if the secret key of the website somehow gets in the hands of the eavesdropper?

Why is this important? Well, if you have a scenario where, for example, a government agency has the ability to eavesdrop on and store vast amounts of data, it might come to a situation when said agency gets really interested in decoding some of the encrypted information that it has snooped. If you are a government agency it might be enough to send a nasty letter to, for example, a webmail or social networking service demanding the key, or even break into the hosting facility that holds the secret key and obtain it, legally or illegally.

Anyway, back to my question. After some research I have found that the somewhat dissatisfying answer is that, most of the time, stored encrypted traffic can be decrypted if the key is obtained. There is, however, a technique that effectively prevents such a scenario, called Perfect Forward Secrecy. It is available when using the DHE key exchange protocol, which is part of some of the cipher suites that can be used with TLS, the protocol used when connecting to a website with an address starting with https.

DHE stands for Diffie-Hellman key exchange with Ephemeral parameters, a method for a server and a client (in this case a web browser) to find a common session key that is used to encrypt the actual data without ever sending the actual session key in clear text. The key, as well as the Diffie-Hellman parameters used by the client and server to calculate the key, is (hopefully) never stored on disk, but created for each connection (or, in the case of session caching, each couple of connections between the same server and client) and then discarded. The long term secret key used to authenticate the server and hopefully prevent man-in-the-middle attacks cannot be used to re-create the session key even if it is known by an attacker.

To be able to use DHE to set up the encrypted connection, both web server and web browser need to support it. All modern web browsers that I have tested support it, but for some reason many web servers don’t. Why? I’m not really sure, but I think that it might have to do with several factors. It requires a bit more server resources to set up a DHE key exchange than it does to set up a straight RSA one. Also, I think that many people making decisions about which cryptos to provide have too much confidence that a secret key will remain secret.
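The question above, worked through as an added example (not code from the original post): a passive recorder stores the handshake values, later obtains the server's long-term RSA key, and tries to recover the session secret. All parameters are constructed toy values, and the signature is plain textbook RSA for illustration only.

```python
import secrets

# Constructed toy parameters, far too small for real use.
N = (2**31 - 1) * (2**61 - 1)               # server's long-term RSA modulus
E = 65537                                   # RSA public exponent
D = pow(E, -1, (2**31 - 2) * (2**61 - 2))   # long-term private exponent
DH_P, DH_G = 2**127 - 1, 3                  # toy Diffie-Hellman prime, generator


def rsa_key_transport():
    """Straight RSA: the client encrypts the session secret to the server key."""
    secret = secrets.randbelow(N - 2) + 2
    wire = {"encrypted_secret": pow(secret, E, N)}
    return secret, wire


def dhe_exchange():
    """DHE: fresh exponents per connection; the long-term key only signs."""
    a = secrets.randbelow(DH_P - 3) + 2     # server's ephemeral exponent
    b = secrets.randbelow(DH_P - 3) + 2     # client's ephemeral exponent
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    wire = {"A": A, "B": B, "signature": pow(A % N, D, N)}  # textbook RSA sig
    secret = pow(B, a, DH_P)                # server side
    assert secret == pow(A, b, DH_P)        # client side derives the same value
    return secret, wire                     # a and b are discarded on return


def candidates_after_key_leak(wire, leaked_d):
    """Everything the leaked long-term key can compute from a stored recording."""
    return {pow(value, leaked_d, N) for value in wire.values()}


def recording_is_decryptable(exchange):
    """Run one handshake, then check whether the leaked key yields its secret."""
    secret, wire = exchange()
    return secret in candidates_after_key_leak(wire, D)


if __name__ == "__main__":
    print("RSA key transport:", recording_is_decryptable(rsa_key_transport))
    print("DHE key exchange: ", recording_is_decryptable(dhe_exchange))
```

With real key sizes the structure is the same: in the RSA case the session secret itself crosses the wire under the long-term key, while in the DHE case only the public values A and B do.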

Anyway, if you want to test if your web browser supports Ephemeral Diffie-Hellman key exchange, feel free to visit my cryptography test page that I set up to try this out. If you want to avoid certificate warnings you might want to install the CACert root key in your web browser. It is at least as secure and well maintained as the other root certificates that are already bundled with your web browser or operating system.

Why cryptography matters

July 17th, 2008

Ever since the discussion began about the FRA legislation I have thought about the implications of a large, secret organization eavesdropping on Internet communication. After the law was decided upon by our parliament here in Sweden I have researched more and more about encryption systems and techniques as a means to divert the feelings of hopelessness and sadness about the political system and the process that led to the awful law.

I sometimes say, half jokingly, that my motto is There is no problem that doesn’t have a technical solution. This is of course false, but when it comes to privacy on the internet, technology can be helpful.

For those of you that don’t know about FRA and the new law, it is the Swedish equivalent of the NSA and they have traditionally provided the Swedish government with military intelligence gathered from intercepted radio traffic. Since the airwaves have become kind of boring to listen to over the years with people using new means of communication, our politicians have come up with a new law that grants the FRA access to all Internet and telephone communication that crosses Sweden’s borders.

Many people have seen the problems with this new situation. FRA is an organization that is impossible to subject to efficient regulatory oversight, and with vast amounts of personal data being collected it is obvious that invasion of privacy can happen and probably will happen on a massive scale. Why? Because FRA works in secret and their continued existence is conditioned on their ability to produce interesting information. So, my theory is that you can pretty much assume that FRA will do the things that are most efficient to get information about criminal or suspicious activity, regardless of whether it invades someone’s privacy or not, and regardless of what the official FRA rhetoric says about the right to privacy.

What are the most efficient information gathering techniques you can use with massive amounts of internet traffic? I believe the answer is profiling individuals. Find out what websites you visit, find out who you send emails to. Who are your friends on Facebook? If we assume that FRA does not have any limits internally as to what it does with the information it collects, my guess is that all political activity that is considered somewhat extreme will be investigated, and not only the people who are actually members of suspect political parties but also their friends, neighbours and relatives. Also, it would lessen the efficiency of the system to discard user profiles that the organization finds no use for, so everything even remotely interesting will be saved and can be revisited if a suspicion arises sometime in the future.

Does this sound scary? Well, I think it is, and that is why I advocate the use of cryptography for all types of communication, as often as possible. History is full of examples of governments that have gone from good to somewhat abusive to totalitarian and evil. The internet activity that seems innocent now might not be seen as innocent in the future. Done right, the use of cryptography can bring a great deal of protection from eavesdropping to internet users. So, please do.

Living next door to Freddy

July 14th, 2008

It turns out that the positioning functionality in my iPhone gets confused sometimes. Yesterday it thought that I was just outside of Topeka, Kansas. That is about 7300 km (4500 miles) wrong. On the other hand, if I’m in Topeka that means that I live quite close to Fred Phelps and the Westboro Baptist Church. That could be interesting.
The blue circle marks the spot

So, I wanted encrypted access to multiple websites

July 13th, 2008

Running multiple websites with encrypted access on a single server is traditionally done by adding one IP address per website. However, that is no longer necessary now that modern web browsers have support for Server Name Indication, which enables multiple HTTPS websites to share a single IP address. All that is needed is to enable support for this on your webserver.

On the Linux distribution I use on my servers, CentOS 4, that was a bit tricky. My first plan was to update the openssl package to a version that supports SNI, but that turned out to be seriously difficult since the library has changed major version between the version shipped in CentOS 4 and the version that includes SNI support and that would mean recompiling many parts of the core system.

However, I found that there is an alternative Apache module to the mod_ssl shipping in CentOS, called mod_gnutls. It provides the same basic functionality but does so without using the openssl library. So, I pulled the latest stable version of mod_gnutls and made an RPM package of it. It depended on newer versions of a few packages that I could pull from Fedora rawhide and recompile for CentOS 4. If you want to use the packages I built, they are available from a special yum repository. Adding this repository and installing mod_gnutls will upgrade the system provided libgcrypt and gnutls packages to newer versions.

A day with the kids

July 12th, 2008

Today Alex went with some friends to an auction in the countryside, so I had a quiet day with the kids at home. When Alex is away I sometimes take the opportunity to cook food that he doesn’t like. So I made liver stew. It went a fair bit better than last time, when the stew was more like soup.

I also used the day to dive deep into a geeky computer project while the kids were playing. More about the specifics of that in a separate post, but the end is that you now can access this web server via an encrypted connection via https://noa.resare.com as well as the usual way.

I also managed to watch two pilot episodes of new TV shows. I really liked the first one, The Mentalist and the second one – Flashpoint – was kind of ok, but something I think I will follow.

Ah, the joys of new gadgetry

July 11th, 2008

So today was iPhone 3G day. Telia, network operator with an exclusive deal with Apple here in Sweden, has worked hard to hype the release day. There were three stores in Sweden that held special midnight events, however there is about 1000km to the closest one in Stockholm, so I had to wait until the morning to get a chance to buy.

This was my first time in a release day line, and I didn’t really know what to expect. I got in line about 2 hours before the store was to open, and there were about 25 people in line before me. It was cold, somewhat rainy and a bit slow, but with some really interesting podcasts from This American Life in my iPod it was nice anyway. I had my alpaca sweater on and my timing couldn’t have been better: when I finally got into the store I got the second last black 16gig iPod in the store.

So, now I’m a proud owner of a really neat phone.

Is web standards compliance finally catching on?

July 9th, 2008

I was surprised today to see a W3C Valid XHTML icon at the bottom of www.svd.se, the webpage of one of the largest daily newspapers here in Sweden. I have always thought that being compliant with the various HTML and related standards was something that only geeks paid attention to, and that major mainstream web pages would always use as ugly HTML code as they got away with, with decent rendering on a few tested browsers. It’s always nice to be positively surprised.