How will we ever get to Mars if we can't even use digital signatures?

Last month I posted two things on Twitter directed at the EU's Digital Agenda staff: (1) a question on when we will get videoconferencing support for meetings in Brussels and (2) a proposal that they start using digital signatures in all mail they send out.

Digital signatures are old tech in internet-measured time. All the relevant standards were defined at the turn of the century and the EU even passed the Directive 1999/93/EC in 2000, which defines the legal framework for the use of digital signatures. All major e-mail software vendors support S/MIME and I believe most countries have set up their own government-operated Certificate Authorities (CA) so they could provide all those modern e-government services.

So why aren't we using this technology? It's true that the current CA system is broken. In my opinion it is not broken because of some fundamental design flaw, it is rather a problem of settling for a commercialized version of identity assurance. Do we go to private companies to get our passports? Of course not. But we do buy commercial certificates from privately-owned CAs. Why? I guess because the "solution" to the PKI happened in the 1990s and everyone wanted a piece of the internet "make-money-fast" miracle (VeriSign and Thawte didn't do that bad financially, did they?). So it's natural that with the incentive to grab ever larger market shares and the constant need to cut down costs, security and security-related procedures are sooner or later trimmed down or stepped over by commercial CAs. And then we get DigiNotar and Comodo incidents. Are there any government-owned CAs that have been compromised? Not that there is no possibility for that, but still - you see my point.

But let's get back to the subject. 

APT has been the buzzword of 2011. Someone sneaks into your network and, instead of wreaking complete and immediate havoc, they inspect, spread and quietly siphon your information off to a distant location. One of the common attack vectors for that is social engineering via e-mail that includes malicious attachments. Government officials all over the world receive various "last-minute agenda changes" or "formal letters from UN" (or European Commission for that matter) that are sent to them by rogue parties and try to infect their computers via the latest PDF reader vulnerability. Or offer links that will lead to web sites loaded with all the latest Java exploits. Some of these are stopped by e-mail scanners and antivirus software, but a number of them still get through this defense (some 0-day flaws get patched only after a month or so, which gives bad guys plenty of time to do their stuff).

(The rumor has it that some of these attacks are even sponsored or performed by governments of other countries, but -Shhh! You didn't hear this from me!)

Now imagine this: one day the European Commission announces that all mail that they send out is going to be digitally signed by their own CA (hold on: not encrypted, signed only). Sysadmins maintaining mail servers all over EU (other parts of the world too if they care) can now add another simple filter. If the message is signed by the trusted CA-issued personal certificate, the mail with the attachment goes through. If not, the attachment is removed and placed in the quarantine, while the recipient of the message gets the text-only version with the explanation that the attachment is available in the office downstairs where the IT security people are inspecting it. And the important thing is that you are not breaking anything for those that don't have support for digital signatures. They will see an odd smime.p7s attachment, but that's all. You don't eliminate the problem of malicious attachments altogether, but in this line of business we all know we're never 100 % there. But you do add another obstacle, that's certain.
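One way to implement the filter described above, as an added example that is not part of the original post: a message passes untouched only if it is `multipart/signed` and the signature verifies against the one pinned CA; anything else has its non-body parts quarantined and is delivered as text with a notice. The CA file name `trusted-ca.pem`, the notice wording and the sample addresses are assumptions, and the default verifier shells out to `openssl smime -verify`.

```python
import subprocess
import tempfile
from email import message_from_bytes, policy
from email.message import EmailMessage

NOTICE = ("\n[Mail filter] No valid signature from the trusted CA. Attachments "
          "were quarantined and are being inspected by IT security.\n")

def openssl_verify(raw: bytes, ca_file: str = "trusted-ca.pem") -> bool:
    """Verify the S/MIME signature and its chain against ca_file only.
    ca_file is an assumed path to the sending organisation's CA certificate."""
    with tempfile.NamedTemporaryFile(suffix=".eml") as f:
        f.write(raw)
        f.flush()
        result = subprocess.run(
            ["openssl", "smime", "-verify", "-in", f.name, "-CAfile", ca_file,
             "-no-CApath", "-out", "/dev/null"],  # skip the system trust dir
            capture_output=True)
    return result.returncode == 0

def filter_message(raw: bytes, verify=openssl_verify):
    """Return (message_to_deliver, quarantined) per the policy in the post."""
    msg = message_from_bytes(raw, policy=policy.default)
    # A smime.p7s part proves nothing by itself; the signature must verify.
    if msg.get_content_type() == "multipart/signed" and verify(raw):
        return msg, []
    body = msg.get_body(preferencelist=("plain",))
    # Everything except the plain-text body goes to quarantine.
    quarantined = [(p.get_filename(), p.get_payload(decode=True))
                   for p in msg.walk()
                   if not p.is_multipart() and p is not body]
    out = EmailMessage()
    for name in ("From", "To", "Subject", "Date", "Message-ID"):
        if msg[name]:
            out[name] = msg[name]
    out.set_content((body.get_content() if body else "") + NOTICE)
    return out, quarantined

def sample_unsigned() -> bytes:
    """Constructed sample: unsigned mail carrying a fake PDF attachment."""
    m = EmailMessage()
    m["From"], m["To"] = "official@example.org", "delegate@example.net"
    m["Subject"] = "Last-minute agenda change"
    m.set_content("Please see the attached agenda.\n")
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                     subtype="pdf", filename="agenda.pdf")
    return m.as_bytes()

if __name__ == "__main__":
    delivered, held = filter_message(sample_unsigned())
    print(delivered.get_content(), [name for name, _ in held])
```

The check is on the verification result, not on the presence of an `smime.p7s` part, since a forged message can carry a signature-shaped attachment.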

OK, if EC has problems with that maybe one of the countries that will take the 6-months EU presidency soon (Cyprus and Ireland are to follow the now-presiding Denmark) can find this interesting? 

It is my experience that these ideas are often met with arguments on how difficult it is to set up an EU-wide (or worldwide) PKI system where we will have a clean, smooth hierarchy and we will all agree on the root authority that will recognize national CAs. But we don't need that really. Banks sometimes operate their own CAs and just give you instructions how to add them to your certificate store. And we use that. There are systems that use web of trust models (PGP/GPG for example). It may not be perfect, but it's still a step in the right direction.

Bad guys will adapt and will try with rogue CAs, attacks on legitimate CAs and so on, no doubt about that. But that is still much harder than just forging the stupid "From:" address in a message.

And please, let's just leave Gmail's lack of support for S/MIME out of this debate, OK? If they add S/MIME support, we might even start encrypting mail which in turn may present a bit of a problem for Google's business model. 

 


Videoconferences and flying cars

Imagine you have to visit Brussels for a one-day meeting and the plane ticket costs 700 €. Since our small airport in Ljubljana doesn't have the best connections, I usually have to leave the previous day and spend the night in a hotel. The meeting normally takes some 6 hours and people from big cities in Europe can fly in and out the same day. Even then you have to spend many hours traveling. So when this Dilbert cartoon came up on the twitter feed:

Dilbert.com

It prompted me to post this question:

The only time I remember videoconferences being used in EU meetings was when most of air traffic was canceled due to the eruption of a volcano on Iceland. Those couple of times that I asked if there is an alternative of attending the meeting via VC, the answer was always: "Sorry, no."

You want proof that twitter works? Here's the reply from the Digital Agenda staff:

Since my points require more than 140 characters, here they are.

Combine in-person meetings with VC facilities

Personal contact is still very important and so are all the discussions that you have with your colleagues during coffee breaks and in the airports while waiting for your flight. We can not expect that even "telepresence" will substitute for physical human networking. On the other hand, VC can provide those participants that really can not make it to the meeting to participate in important decisions. It is providing an alternative, not a replacement.

Find a tool that fits

The reputation of the H.323 beast still resounds when we talk about VC. But for some time we know of more user-friendly solutions that don't need specialised VC rooms with expensive equipment. Skype was the first to really popularise videocalls and web-conferencing solutions such as Adobe Connect provide a platform for connecting laptop users with no special equipment. I'm sure there are other fine commercial solutions, Adobe's is the one we use at ARNES. The point? Don't go for an overkill that won't be approved because of budget cuts. And certainly don't go reinventing the wheel by funding a 4-year project to develop another solution.

Make it a standard

The goal should be: VC support will become a normal channel providing participants an alternative way of attending the meeting. As it is with microphones and sound systems nowadays.

So what's the connection with the flying cars? Well, back in the 1950s and 60s everyone was thinking how we will have personal flying cars in the future. We still don't have them. 10 years ago everyone was lecturing how videoconferencing will change the way we think about meetings. I still don't see that future either.

OK, digital signatures next time. :)

Would Kafka write about Google and clouds?

Imagine you google yourself, full name and your company name, and this comes up as the first hit:

Not good for business (well, unless the company you work for is actually Freepornia). Most likely the site is using several name combinations to clone web pages and get more clicks to the site. Surely there is a way to remove this obscene page. You can report the misuse of your name on an adult website (via this form) or use the feedback form on the bottom of the page to report a site that has been successful in evading Google's SafeSearch filter. In the first form the information is supposedly sent to Google, but you get no feedback from them. Did they receive it, are they processing your request? That information is however available when reporting SafeSearch filter problems.

So that's it for Google. In the meantime you can try and find the provider of this offending site and report the misuse of your name to them. You find out that IPs are those of CloudFlare. This is a company that provides reverse proxies so the real site is in the background and content is served to the public from CloudFlare's infrastructure. They say this is not their problem and that you should talk to someone in the Netherlands. That is where the real source is. You tell them that the content is still being served from their IPs, but no: go talk to the Dutch people. It's LeaseWeb, a hosting provider.

And you do. At first, they just say: "We will inform our customer." Then they say: "This is not our customer." Only after an exchange of several messages and lengthy explanations do they agree to remove the site. Which they don't.

But now a couple of days have passed and you go and check back with Google. Your SafeSearch request was denied!


Not appearing in their search results? You go check with a different browser, use a different device, use a different ISP, the first result for your name is still Freepornia! What kind of search engine are they using themselves, Bing? The porn page is not showing there, that's true.

Denied... This must be a mistake. Maybe Freepornia is doing some tricks based on the HTTP_REFERER and the IP you are coming from? But, no -- search pages are generated by Google and they control what is the first hit.

OK. Let's explain the situation in more detail and send some e-mails to google.com. Silence.

Try the web forms at Google again. Denied again.

Our future lies in the cloud, they say.

Certificate Issuing System Showing Cracks


One of the hot stories this week is how a Dutch Certificate Authority (CA) DigiNotar issued a certificate for *.google.com to someone, supposedly in Iran. Such a certificate can be used to snoop on all traffic of users in a country (if you're a state agency in possession of this certificate). Now the Finnish AV company F-Secure has discovered evidence that DigiNotar has been hacked in the past. One breach goes back to 2009, done by Turkish defacers.

(source: F-Secure)

A similar thing happened when a Comodo reseller in Italy also issued certificates for google.com, yahoo.com and skype.com. This may indicate a fundamental fault in the PKI model being used. Companies are making money issuing certificates, some browser companies are charging for including CAs in the browser and something on the way goes wrong...

Presentation on security issues in cloud computing taking shape #sirikt


Arnes users' conference at the SIRIKT event this year will be cloud-themed. We'll roll out new cloud-based services while I will be talking about security issues. The presentation is now taking shape as we're only a couple of days away from the internal rehearsal in front of coworkers. I'll talk about authentication and authorization (AA), migration issues, stability, layered security, scalability and jurisdiction over stored data.

I'm using some excellent advice from Presentation Zen books on how to prepare the presentation and make it more interesting. 

Likelihood of infection

On the 2011 Safer Internet Day Eurostat presented "a selection of statistics concerning internet security". The first table also lists the percentage of users that use "some kind of IT protection" and also the percentage of users that caught some kind of virus infection (grouped by country). After looking at the data a bit, nothing was really sticking out. I decided to put this in a spreadsheet and here's the resulting scatterplot:


That's scattered. The coefficient of determination (R-squared) is a mere 0.12 while the Student t-test is less than 0.001. The first can be interpreted to mean that only 12% of the variance in one of the variables (getting an infection) can be attributed to the other (having some kind of protection). With the t-test we can say (with a probability of more than 99.9%) that these two variables are independent of each other.

Does this mean that having "some kind of IT protection" in place does not have any real effect on the likelihood of you getting some nasty malware on your computer? That would be really really bad news for the antivirus industry! But there's another possibility which I think is more likely: the data was not collected in a manner that would enable useful analysis. I would dare to say that surveys are not the proper way to collect such information. Why? Because people will be quick to provide an "acceptable" answer. "Do you have some sort of IT protection?" is too broad and vague (and begs a positive answer). Same for the "Did you catch anything nasty in the past year?" question.

Windows 7 brings back memories

Bad ones. I have to use Windows for running some very specific win-only software. Yesterday I decided to install Windows 7 into my Parallels Desktop on Mac. Today it installed a bunch of Windows updates and ... BLUE SCREENED! Automatic repair failed. Diagnostics mentions "Bad patch". System restore to an earlier version said that "an unspecified error occurred during system restore (0x8000ffff)".


So this anecdotal evidence shows (at least to me) that in essence not a lot has changed since I left the Windows realm. So it goes.

UPDATED 21-JAN-2011: But! Now it seems that removing F-Secure from the scenario also removes the problem altogether. I went back in time to an early restore point (before installing F-Secure 9) and reinstalled all Windows updates. No problem there! So it is not Microsoft's fault.

Largo

I composed this shortly before November 1st. On that day we have a custom to honour the memory of all those that have passed away. The song is dedicated to my good friend Tom who died last year aged 40 from a very rare form of cancer. 

The song was done using Notion 3 notation software and Vienna Symphonic Library Special Edition orchestral library.

Largo by bitfeld

I used the resulting audio track in Logic and have myself recorded four real violins (2 first, 2 second parts) and two violas over this track. They are put low in the mix and impossible to distinguish (except on one or two occasions where I made a mistake playing) but I think this contributes to the mix substantially.

There's some quiet crackling noise on some parts of the mix which is clearly the result of compression of the audio done by soundcloud.com. I'm guessing that the cause could be Notion's built-in reverb or not enough EQ on the track (I didn't chop low-end and high-end in the mix). If you know what's causing this, I would love to know. The same thing happens on Bandcamp (there's an older version there).

If you're a Soundcloud user, I'd appreciate a comment, otherwise you can place it at the bottom of this post. If you like the composition, please feel free to download it by clicking the down-arrow on the right edge of the player above.