September 3rd, 2011

The certificate collapse

I know this is tech stuff, but it is tech stuff affecting us all, as it connects the largest internet company in the world, my little country and axis-of-evil-Iran. And you all know I love connections :)

Short story, highly simplified and, for argument’s sake, untruly applied only to “websites”: This week, the trusted third party “Diginotar”, which issues SSL certificates, was proven to have been hacked by Iranian hackers. They were able to issue themselves a valid *.google.com certificate, enabling (Iranian AND other, of course) governmental men-in-the-middle to eavesdrop on e.g. gmail, without anyone being able to even detect it. Diginotar also issues certificates for next to all governmental services including social security, tax office, driver’s licence office, municipal services, etcetera. Furthermore certificates for tor, for the add-on site of Mozilla and god knows what else.

Long story, still not entirely correct to keep it reasonably readable. A certificate is a rather smart digital “seal” that is issued by a trusted third party (TTP) and installed in a website (again simplified; it can in essence be used for all sorts of electronic communications). The TTP issues these certificates from a sort of “mother” certificate. Browsers on the other hand have a clever way to prove that the certificate from the website the user visits is actually derived from the “mother”. Browsers issue a security warning to the user if a website uses a certificate that is NOT derived from a well known set of trusted mothers. Now, if a TTP runs a flawless operation, keeps the known mothers entirely safe and actually checks whether the requester of a certificate (say: me) is requesting a certificate for a host that is valid for me (say: this website [valid], google.com [most definitely NOT valid]), we have an unbreakable trust triangle. The TTP trusts the website owner, the user (read: the browser makers) trusts whatever the TTPs of this world say they can trust. There are around 650 TTPs in this world, and a few dozen trusted “mother” certificates.

A well known trusted “mother” is “Staat der Nederlanden Root CA”, which is THE root of my country! A derived “daughter” is “DigiNotar PKIoverheid CA Overheid en Bedrijven”. This root is used by a lot of governmental websites AND commercial companies and has been compromised. The hackers have created various certificates, including one for *.google.com, and various others that are considered “high profile”. Browsers, until now, have trusted these false certificates. Several browser makers have started banning this certificate, and last night the equivalent of the home office secretary decided to revoke said daughter certificate. By the time you read this, all websites using Diginotar’s certificate will be deemed “unsafe”. Oopsie. And the worst part is of course people believing they were using a safe, encrypted, untappable gmail account being secretly spied upon (and you can bet this has been done).
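To make the two paragraphs above concrete, here is a small Python model of the trust triangle, the chain walk a browser does from a website certificate up to a trusted “mother”, and what happens when the browser makers pull a daughter CA out of the trust store. It is an added example, not code from the original post or from any browser or CA. The CA names are the ones the post mentions; the CA secrets, the “Other Root CA”, tax.gov.example and www.example.com are constructed for the example. The HMAC “signature” is a toy stand-in for the asymmetric signature a real CA uses (with a real signature the verifier needs only the CA’s public key); the chain-building, hostname matching and distrust logic are the point.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str       # CN, e.g. "*.google.com"
    issuer: str        # CN of the CA ("mother") that signed it
    is_ca: bool        # may this certificate itself sign others?
    signature: bytes


def _tbs(subject: str, issuer: str, is_ca: bool) -> bytes:
    """The 'to be signed' part of a certificate."""
    return f"{subject}|{issuer}|{int(is_ca)}".encode()


class CA:
    """A trusted third party. Toy stand-in: the 'signature' is an HMAC keyed
    by the CA's secret, so verify() needs that secret too. A real CA signs
    with a private key and verifiers hold only the public key."""

    def __init__(self, name: str, secret: bytes):
        self.name, self._secret = name, secret

    def _mac(self, subject: str, issuer: str, is_ca: bool) -> bytes:
        return hmac.new(self._secret, _tbs(subject, issuer, is_ca), hashlib.sha256).digest()

    def sign(self, subject: str, is_ca: bool = False) -> Cert:
        return Cert(subject, self.name, is_ca, self._mac(subject, self.name, is_ca))

    def verify(self, cert: Cert) -> bool:
        return cert.issuer == self.name and hmac.compare_digest(
            cert.signature, self._mac(cert.subject, cert.issuer, cert.is_ca))


def hostname_matches(pattern: str, host: str) -> bool:
    """Wildcard only in the leftmost label, and it covers exactly one label:
    *.google.com matches mail.google.com, not google.com or a.b.google.com."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h


def verify_chain(leaf, host, cas, ca_certs, trusted_roots, distrusted=frozenset()):
    """Walk from the website certificate up to a trusted root ("mother").
    Returns (ok, reason), i.e. whether a browser would warn the user."""
    if not hostname_matches(leaf.subject, host):
        return False, f"name mismatch: {leaf.subject} vs {host}"
    cert = leaf
    for _ in range(8):                       # cap the chain length
        issuer = cert.issuer
        if issuer in distrusted:             # the browser makers' ban list
            return False, f"issuer distrusted: {issuer}"
        ca = cas.get(issuer)
        if ca is None or not ca.verify(cert):
            return False, f"signature check failed: {cert.subject}"
        if issuer in trusted_roots:
            return True, f"chains to trusted root: {issuer}"
        cert = ca_certs.get(issuer)          # climb one level towards the root
        if cert is None or not cert.is_ca:
            return False, f"{issuer} is not a CA in the chain"
    return False, "chain too long"


def scenario():
    """Constructed sample PKI: the Dutch root, the DigiNotar daughter CA and
    a second, unrelated root. Secrets and non-Google hostnames are made up."""
    root = CA("Staat der Nederlanden Root CA", b"nl-root-secret")
    dn = CA("DigiNotar PKIoverheid CA Overheid en Bedrijven", b"dn-secret")
    other = CA("Other Root CA", b"other-secret")       # hypothetical second TTP
    pki = dict(cas={c.name: c for c in (root, dn, other)},
               ca_certs={dn.name: root.sign(dn.name, is_ca=True)},
               trusted_roots={root.name, other.name})
    certs = {"rogue": dn.sign("*.google.com"),         # what the intruders obtained
             "tax": dn.sign("tax.gov.example"),        # hypothetical government site
             "legit": other.sign("www.example.com")}   # issued by an untouched TTP
    return pki, certs, dn.name


def outcomes(distrust_diginotar: bool) -> dict:
    """Browser verdicts (True = no warning) before/after banning the daughter CA."""
    pki, certs, dn_name = scenario()
    distrusted = {dn_name} if distrust_diginotar else set()
    hosts = {"rogue": "mail.google.com", "tax": "tax.gov.example",
             "legit": "www.example.com", "rogue-bare": "google.com"}
    return {k: verify_chain(certs[k.split("-")[0]], h, **pki, distrusted=distrusted)[0]
            for k, h in hosts.items()}


if __name__ == "__main__":
    print("before vendors pulled DigiNotar:", outcomes(False))
    print("after:                          ", outcomes(True))
```

Running it shows the two halves of the story: while the daughter CA is trusted, the rogue *.google.com certificate passes every check a browser can make (the signature really is DigiNotar’s), so nothing is detectable on the client side; once the daughter CA is distrusted, the rogue certificate fails, but so does every honest government site issued under it, which is exactly the “deemed unsafe” fallout described above. Only the site issued by the untouched TTP keeps working.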

Diginotar’s damage control has been horrendous. Basically they have kept things under the rug when discovered, and they didn’t even file a complaint with the Justice department. That could even be regarded as willful negligence.

Update: oh my, too much, too much (see this list)

Update: Here is the published list of compromised (read: Diginotar certified) certificates. Brace:

CN=*.10million.org
CN=*.JanamFadayeRahbar.com
CN=*.RamzShekaneBozorg.com
CN=*.SahebeDonyayeDigital.com
CN=*.android.com
CN=*.aol.com
CN=*.azadegi.com
CN=*.balatarin.com
CN=*.comodo.com
CN=*.digicert.com
CN=*.globalsign.com
CN=*.google.com
CN=*.microsoft.com
CN=*.mossad.gov.il
CN=*.mozilla.org
CN=*.skype.com
CN=*.startssl.com
CN=*.thawte.com
CN=*.torproject.org
CN=*.walla.co.il
CN=*.windowsupdate.com
CN=*.wordpress.com
CN=Comodo Root CA
CN=CyberTrust Root CA
CN=DigiCert Root CA
CN=Equifax Root CA
CN=GlobalSign Root CA
CN=Thawte Root CA
CN=VeriSign Root CA
CN=addons.mozilla.org
CN=azadegi.com
CN=friends.walla.co.il
CN=login.live.com
CN=login.yahoo.com
CN=my.screenname.aol.com
CN=secure.logmein.com
CN=twitter.com
CN=wordpress.com
CN=www.10million.org
CN=www.Equifax.com
CN=www.balatarin.com
CN=www.cia.gov
CN=www.cybertrust.com
CN=www.facebook.com
CN=www.globalsign.com
CN=www.google.com
CN=www.hamdami.com
CN=www.mossad.gov.il
CN=www.sis.gov.uk
CN=www.update.microsoft.com

July 23rd, 2011

The shooting and bombing

So, yesterday evening, shortly after the bomb went off in Oslo (which looked very much like Oklahoma b.t.w.), our television networks were full of semi-governmental (in this case, instituut Clingendael) or self-proclaimed experts “explaining” the logical choice of “Islam terrorists” to do this and there (the prime minister’s office), given that

  • Norway was the only NATO member assisting in bombing Libya
  • Norway’s response in the Danish cartoon issue
  • etc. etc. etc.

Not a word about the issue of small but violent extreme right wing groups in Scandinavia.

Well, they were right. It was the work of a religious-conservative extremist. Just the wrong faith for this eh? Dang.

Note: I am sorry if this feels disrespectful to the victims and their families. It is not. I am so terribly sorry about this sickening event, whoever did it and for whatever motives. It is just the convenient “Moslim terrorist” knee-jerk response by the politicians and even the “experts” that seriously rubs me the wrong way.

Disclaimer: I am an atheist. Not sure if it matters re. my opinion. Just saying.

July 20th, 2011

The Crazy Order

Today, American Airlines announced their long awaited order for the narrowbodies, and nobody saw this one coming. Short background. In the mid-to-late 90′s American Airlines, Delta Airlines and Continental Airlines entered into a deal with Boeing that basically said: If you (AA/DL/CO) order all aircraft types for which we have at least a competing product with us, we guarantee you not only a great price, but also darn good delivery slots. When Boeing wanted to acquire McDonnell Douglas a few years later, the European Union forced Boeing into not being able to enforce said contract due to it being perceived as anti-competitive, but nothing prevented AA, DL, CO or Boeing from simply continuing the deal without enforcement. AA remained a loyal Boeing-only airline. So did DL and CO, until they merged with Northwest and United respectively, who were both already operating Airbus aircraft.

After the huge problems with the 787 and to some extent the 747i in terms of promised delivery (and for that matter, the A380), airlines’ faith in OEM’s to actually deliver on time has melted away rapidly, and therefore, imho, part of the value of said contract. Mitigating that risk is only possible by diversifying one’s OEM’s. And this is what happened today. Despite all the brouhaha that “American will NEVER order anything but Boeing”, “If it ain’t Boeing, I am not going”, they ordered a stunning 260+365 Airbusses and 97+200 Boeings (see below for the breakdown). The Boeing part is slightly more vague, as the actual model offered (737 with new engines) has not been approved by the board yet as far as we know. I really feel for the guys in Seattle (less for the ones in Chicago btw) because it seems to be a royal slap in the face.

Now in all honesty, there is a lot more to this order than the above, so allow me to just add a few oneliners:

  • What helped was actually Airbus offering the better airplane (google 320 NEO).
  • What helped was probably a very intricate financing deal. Airbus is known for pulling that sort of thing off, and AA is financially NOT in good shape. I don’t think Boeing was feeling comfy with all that exposure.
  • >50% (probably MUCH more) will be US manufactured (think engines and avionics), so it is good for the US economy either way. And Airbus might open that factory they had promised for the tanker deal they eventually lost anyway.
  • We (the Europeans) buy a lot of Boeings, Air France (yes them) and KLM (my home patch) especially. Don’t come crying to me.

Fair deal I think. Congrats to AA, Airbus AND Boeing.

ps: yes, I know a few readers are chiming for the home team, and that is great. So am I. But even more, this is, whatever one thinks about it, a major shift in this industry and we’re talking billions and billions of dollars.

Edit: The actual numbers are in layman’s terms:

OEM-model           Firm  Option  Intended  Intended option (?)  Sub total  Delivery notes (ex options)
Airbus 32x classic   130       -         -                    -        130  20-35/yr 2013-2017
Airbus 32x NEO       130     365         -                    -        495  10 in ’17, 20-25/yr ’18-’22
Sub total Airbus     260     365         -                    -        625
Boeing 737NG          97      40         -                    -        137  20/yr, 2013-2017
Boeing 737RE           -       -       100                   60        160  20/yr, 2018-2022
Sub total Boeing      97      40       100                   60        297
GRAND TOTAL          357     405       100                   60        922


An Airbus A32x “classic” and a Boeing 737NG is what you’d fly in today.

A NEO is the big hit of the moment really. It has sold close to 1000 over 1200 units, and will be available in a few years.

An “RE” is a non-existing designation, but is the Boeing equivalent of the NEO. It is not defined nor authorized for sale yet. AA promised to be a launch customer IF Boeing commits to building it for this one, read: get ‘m cheap but with the usual early production quirks (but will not be the launch OPERATOR).

Good grief.

Edit: a few more words about the late 90′s deal. Some typos.

July 19th, 2011

The last of the scumbags

My country has been involved in the Balkan war in a weird way. The mass murder in Srebrenica and the inability of the troops (under UN command) to do anything about it have left rather serious wounds. On the other hand, we house the International Criminal Tribunal for the former Yugoslavia (ICTY) in The Hague.

A few weeks ago, Serbia arrested Ratko Mladic and sent him to the ICTY. This morning, Goran Hadzic, the very last on the wanted list of the tribunal, was arrested and will be in The Hague soon.

Added: he is being flown here as I write this (Fri 7/19)

A good thing. These people are the worst. They commanded the execution of thousands of people, mostly innocent civilians. War criminals like that should be caught and sentenced.

More on the nest: They got him

May 18th, 2011

The crash of AF 447

You have all read this in the papers. About a month ago the debris of AF 447 was found on the bottom of the Atlantic, almost two years after its rather mysterious crash. Last week the Flight Data Recorder and the Cockpit Voice Recorder were found, retrieved, brought to the BEA in Paris (read: French NTSB) and read out. Last Monday there was a short press statement saying all data on both recorders was successfully retrieved (50 hours of flight parameters, 2 hours of cockpit conversations). I can tell you a lot of people were holding their breath last week. Would the recorders be found? Would they be in one piece? Would they be salvageable? And then: would they still have and give up their data, after a violent crash and 2 years in 3 kilometers deep salt water? They did. We will know what happened. And we will learn from that and make air travel a bit safer again. A big BIG thumbs up to the French government, Air France, the BEA and Woods Hole Oceanographic Institute for their relentless efforts to find the recorders, and to Honeywell for making them so incredibly strong and reliable.

OK, so that was old news (will not go into the question of retrieving the bodies or not). Then, French newspaper Figaro stated “sources close to the investigation stated that the preliminary analysis of the recorders exonerated Airbus”, implying it was a sole act of the pilots or an act-of-the-Gods thing. Speculation immediately went into fifth gear. They were asleep. There was only one pilot in the cockpit when all the bells went off and he panicked, not hearing the gong to open the cockpit door. They accidentally locked themselves out of the cockpit, etcetera, etcetera. Oh and of course this information was probably leaked by Airbus, following an agenda to push away the blame they obviously have.

The BEA was the first to respond that there was no such thing, and also marked the entire affair as highly disrespectful to the (228) victims and families.

So what did happen? It was in fact this statement, from indeed Airbus, to its customers:

FROM : AIRBUS PRODUCT SAFETY DEPARTMENT TOULOUSE

ACCIDENT INFORMATION TELEX – ACCIDENT INFORMATION TELEX
SUBJECT: AF447 ACCIDENT INTO THE ATLANTIC OCEAN
OUR REF: AF447 AIT 7 dated May 16th 2011
PREVIOUS REF:

- Ref 1: AF447 AIT 1 dated June 1st 2009
- Ref 2: AF447 AIT 2 dated June 4th 2009
- Ref 3: AF447 AIT 3 dated June 8th 2009
- Ref 4: AF447 AIT 4 dated July 2nd 2009
- Ref 5: AF447 AIT 5 dated July 30th 2009
- Ref 6: AF447 AIT 6 dated April 03rd 2011

This AIT is an update of the previous AIT 6 concerning the AF447 accident which occurred over the Atlantic Ocean on June 1st, 2009.

It has been approved for release by the French BEA who lead the investigation as per European Regulation and ICAO Annex 13 International Recommendations.

Following underwater search campaigns and subsequent operations, the Digital Flight Data Recorder (DFDR) and Cockpit Voice Recorder (CVR) were recovered. Data extraction of both recorders have been performed at the BEA facilities in the presence of two German investigators from BFU, an American investigator from NTSB, two British investigators from AAIB and two Brazilian investigators from CENIPA, as well as an officer from the French judicial police and a court expert.

Data from DFDR and CVR have been successfully downloaded.

At this stage of the preliminary analysis of DFDR Airbus has no immediate recommendation to raise to operators.
Further update will be provided as soon as new significant information becomes available or as soon as Airbus will be authorized to share more information in compliance with investigation rules.

Yannick Malinge
Senior Vice President
Chief Product Safety Officer
Airbus

Read: “We know you are all eager to know if there are issues with our product. We informed you 6 times earlier, including recommendations. The recorder readout did not raise any immediate issues with the aircraft that you should know about. But we will keep you, who after all are flying the plane, closely in the loop.” As would (and do) all OEM’s. And these statements are always approved by the investigation authorities.

Now that is slightly different eh? Going from “…Airbus has no immediate recommendation to raise to operators…” to “Airbus totally exonerated…”. The media. Gotta love em.

Disclaimer: While I love all airplanes and think all OEM’s make the most incredible and often also beautiful machines, I am a mild Airbus fan.

Update: a BEA note describing what they found; it is neither an interim report nor an analysis. Scary shit.

May 7th, 2011

The Norwegian country

Yes, admitted, this writer on the nest has not been to Alaska (yet), but I did visit Norway a few times, including the most scenic “Geiranger Fjord”. Have a look at this wonderful 360 degrees footage.

February 24th, 2011

The not-so revolution, let alone an Islamic revolution

In one of the news sources I follow, there was a review of “This is not an Islamic Revolution“. Allow me to be slightly lazy and copy here the fragments they chose too.

Our (read: Western) fear that any uprising in the middle east must resemble the devastating Iranian example is false.

Look at those involved in the uprisings, and it is clear that we are dealing with a post-Islamist generation. For them, the great revolutionary movements of the 1970s and 1980s are ancient history, their parents’ affair. The members of this young generation aren’t interested in ideology: their slogans are pragmatic and concrete – “Erhal!” or “Go now!”. Unlike their predecessors in Algeria in the 1980s, they make no appeal to Islam; rather, they are rejecting corrupt dictatorships and calling for democracy. This is not to say that the demonstrators are secular; but they are operating in a secular political space, and they do not see in Islam an ideology capable of creating a better world.

There is no link with terrorist groups. This is all about fighting repression and corrupt regimes.

Indeed, global jihad is completely detached from social movements and national struggles. Al-Qaeda tries to present itself as the vanguard of the global Muslim “umma” in its battle against western oppression, but without success. Al-Qaeda recruits deracinated young jihadists who have cut themselves off entirely from their families and communities. It remains stuck in the logic of the “propaganda of the deed” and has never bothered to try to build political structures inside Muslim societies.

Even more, thinking that a repressive, secular regime will somehow protect “us” against Islamic fundamentalism is flawed.

It is also a mistake to see the dictatorships as defending secularism against religious fanaticism. With the exception of Tunisia, authoritarian regimes in the Arab world have not made their societies secular; on the contrary, they have reached an accommodation with a neofundamentalist form of re-Islamisation in which the imposition of sharia law is called for without any discussion of the nature of political power.

It is a VERY compelling read. Recommended.

January 29th, 2011

Murdered by one’s government, again

In December 2009, Zahra Bahrami, an Iranian-born woman naturalized as Dutch, traveled back to her home country for a family visit. What exactly happened there is not clear, but she was arrested for treason and drugs possession. The storyline here is that she was arrested shortly after attending a demonstration against the regime. Iran, not accepting her Dutch citizenship, sentenced her to death.

Today, it was confirmed she was executed by hanging. In Iran, this used to mean being hoisted by a crane, not breaking the neck, but dying a slow, painful, barbaric death. Diplomatic contacts have been put on the back-burner and there are voices stating there is no use in having an embassy at all. Picture posted to show we are talking about real people, not some abstract concept of life and death.

Zahra Bahrami

Note: the Iranian government states she was convicted of drugs trafficking, which, if true, is not the smartest thing to do (see footnote in this post). And she was caught here for that crime earlier. The major issue though is the death sentence in itself, and the complete opaqueness of the trial. No assistance, no lawyers, no nothing.

Note: The “security forces” informed her daughter last week that Zahra Bahrami was being buried at that same moment in a village a couple of hundred kilometers from Teheran, making the process of dealing with all this unnecessarily harder for the family. The Dutch ambassador in Teheran is being withdrawn. The minister of foreign affairs was seriously questioned about the diplomatic actions and non-actions of the administration. He lied flat out saying “everything possible had been done”, while, in fact, he personally had done literally nothing at all. But of course this had no consequences. What is the expression again? The chicken is involved in the bacon-and-egg; the pig is committed?

January 25th, 2011

The violence

In Europe, the, how should I put it, “general opinion” is more or less that American society is more cruel, more violent, than us sophisticated lot (uh huh, please DO read the sarcasm). Still, a major difference exists which I have touched on here long ago, and that is the availability of firearms. Where in the US you are allowed, no, almost obliged, to protect your family and property, in most of Europe violence is a “state monopoly”. The implications have many gray areas, which is really out of the scope of this entry.

More interesting though is that the “more cruel, more violent” notion seems to slowly permeate in the US. An American analysis.

The recent murderous acts of violence committed by Jared Lee Loughner in Arizona cannot be reduced to the mental instability of young man out of touch with reality. Nor can such a horrendous act be reduced to a breakdown in civil discourse. Such rationales are too easy, and emulate what Frank Rich has called “classic American denial.” (…)

I want to suggest that underlying the Arizona shootings is a culture of cruelty that has become so widespread in American society that the violence it produces is largely taken for granted, often dismissed in terms that cut it off from any larger systemic forces at work in the society.

I am not entirely sure yet I buy into this analysis. The comments are interesting too (ignoring the extreme guns-freedom blah). Especially imho when they DO refer to Europe.

Think the overall message of the article is clear and sound, referring to the American culture is a bit too simplistic as here in Europe we see without the easy access to arms identical trends. Governments are not doing their jobs, instead going for the easy way and running from one media hype to the next with a magnifier allowing fear to take over from common sense. Please let’s stick together, use our brains and respect each species as only then we have a chance to survive a couple of more generations on this planet.

The last sentence is a bit dramatic, but I didn’t want to censor and I am always in favor of using our brains. What do you think?

January 17th, 2011

Good manners in the age of Wikileaks

In The London Review of Books, Slavoj Žižek published an essay about the meaning of the Wikileaks era. An intriguing piece I must say, and I can only recommend reading it.

The only surprising thing about the WikiLeaks revelations is that they contain no surprises. Didn’t we learn exactly what we expected to learn? The real disturbance was at the level of appearances: we can no longer pretend we don’t know what everyone knows we know. This is the paradox of public space: even if everyone knows an unpleasant fact, saying it in public changes everything.

In Europe, there is this half-sentence, still being used in this context. It is reminiscent of the second world war. It is what many, many regime supporters said when confronted with the atrocities of the Nazis: “Wir haben es nicht gewusst” (“We didn’t know”). Žižek’s conclusion is not very agreeable.

We face the shameless cynicism of a global order whose agents only imagine that they believe in their ideas of democracy, human rights and so on. Through actions like the WikiLeaks disclosures, the shame – our shame for tolerating such power over us – is made more shameful by being publicised. When the US intervenes in Iraq to bring secular democracy, and the result is the strengthening of religious fundamentalism and a much stronger Iran, this is not the tragic mistake of a sincere agent, but the case of a cynical trickster being beaten at his own game.