Archive for February 2018

Here, Hold My Private Key

Wed, Feb 28, 2018

Paid certificate authority Trustico provides a premium installation service in which they offer to take all the hassle of getting an SSL certificate running on your website off your hands. Oh, this includes generating your private key for you, but hey, service is service, right?

If you prefer, we can also generate your Certificate Signing Request, Private Key and Certificate and then provide it to you.


Now, what could possibly go wrong if the guys who can sign your security certificate also have your private key and can reissue your certificate at will? It is seriously amazing how the commercial CAs are sawing off the branch they are sitting on. As if Let’s Encrypt, the completely free open source CA, chopping at the base of their tree wasn’t enough already. ^^

Update: In a contract dispute with DigiCert, Trustico asked DigiCert to revoke all certificates of Trustico’s customers that are managed by DigiCert. DigiCert told Trustico that only the customers themselves can request revocation of their certificates. They added that a mass revocation of all certificates is only possible if there is evidence of a security incident compromising the customers’ private keys.

So Trustico sent an e-mail to DigiCert containing more than 23,000 private keys. This apparently happened on the 27th of Feb. So now DigiCert has revoked the certificates for all those 23k private keys, effective 1st of Mar, and sent e-mails to all those customers notifying them of the revocation.

Apparently Trustico did not just generate the private keys for premium installation customers, they also kept copies of them. As I said, what could possibly go wrong…

Oh, and Trustico has responded to DigiCert claiming

At no time had any private keys been compromised, nor had we ever informed you that any private keys had been compromised

They did not offer any explanation as to where the 23,000 private keys came from, though. I smell proper legal action incoming and think I should stock up on my popcorn reserves!

Update Update: Trustico released a statement admitting that they stored private keys for their customers’ SSL certificates. Additionally, among the compromised private keys are ones that were used by secure banking e-mail servers or … Equifax!

There have already been calls for all other CAs to suspend or terminate their relationship with Trustico.

This gets better by the hour ^^
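The way to stay out of this whole mess is to never let the CA near the private key: generate the key and the certificate signing request on your own machine, hand the CA only the CSR, and check that whatever certificate comes back actually matches the key you kept. The shell script below is an added example (not Trustico’s, DigiCert’s or this blog’s code) that does exactly that with the openssl command line; it assumes the openssl CLI is installed, and the directory, common name and file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example: keep the private key local, send only the CSR to the CA,
# and verify that a CSR or certificate really belongs to your key.
# Assumes the openssl CLI is installed; paths and CN used here are made up.

# Generate an RSA private key and a CSR for it in $1 with common name $2.
# Only csr.pem ever leaves this machine; key.pem stays here with mode 0600.
gen_key_and_csr() {
    dir="$1"; cn="$2"
    mkdir -p "$dir"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/key.pem" 2>/dev/null || return 1
    chmod 600 "$dir/key.pem"
    openssl req -new -key "$dir/key.pem" -subj "/CN=$cn" \
        -out "$dir/csr.pem" 2>/dev/null
}

# Print a SHA-256 fingerprint of the public key held in a private key (key),
# a CSR (csr) or a certificate (cert). The key is re-encoded as DER first so
# that PEM formatting differences cannot cause a false mismatch.
pubkey_fingerprint() {
    kind="$1"; file="$2"
    case "$kind" in
        key)  pem=$(openssl pkey -in "$file" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req -in "$file" -pubkey -noout 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$file" -pubkey -noout 2>/dev/null) ;;
        *)    echo "unknown kind: $kind" >&2; return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Exit 0 if the CSR or certificate ($2, of kind $3) carries the same public
# key as private key $1, non-zero otherwise. Run this against every
# certificate a CA sends back before installing it.
key_matches() {
    a=$(pubkey_fingerprint key "$1") || return 1
    b=$(pubkey_fingerprint "$3" "$2") || return 1
    [ "$a" = "$b" ]
}

# Demo only: self-sign the CSR so there is a certificate to check against.
# In real use the certificate comes back from the CA instead.
self_sign_for_demo() {
    dir="$1"
    openssl x509 -req -in "$dir/csr.pem" -signkey "$dir/key.pem" -days 1 \
        -out "$dir/cert.pem" 2>/dev/null
}

# Usage (made-up names):
#   gen_key_and_csr ./tls example.test && cat ./tls/csr.pem    # send the CSR
#   key_matches ./tls/key.pem ./tls/cert.pem cert && echo OK   # after issuance
```

If `key_matches` reports a mismatch for a certificate you did not ask for, somebody else generated a key for that name, which is exactly the situation a CA that "helpfully" holds customer keys creates.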

Thanks to the technological wonders of high-resolution cameras being widely available, we get to see the items on Trump’s to-do list (English) which he took with him to his meeting with high school students and teachers in light of the recent school shooting.

[Image: screenshot of Trump’s handwritten note]

The screenshot above is from the German state news programme tagesschau.

It is a small wonder he survived the meeting even though they forgot to add (6) breathe in, breathe out, repeat to the list…

In an attempt to win the fight against software piracy not by making a quality product that customers want to pay money for, but by shady and potentially illegal methods, flight sim company flightsimlabs (FSLabs) has installed malware onto their customers’ PCs. The malware consists of a password dumper that automatically locates the Google Chrome browser’s login file and dumps all the stored usernames and passwords, which can then be extracted by FSLabs.

The company claims it only uses this tool against pirates which, I think, is totally beside the point. Not a single paying customer, during the ordering or installation process, gave them consent to have a password-stealing tool installed on their computer. Quite the contrary: FSLabs also asks you to turn off your antivirus software (not that it would be a big help anyway) before installation. Now why would they do that? :)

While FSLabs has, after receiving a lot of backlash, apparently released an installer that does not contain this malware, they have served as another glowing beacon showing why DRM is anti-consumer and totally despicable. I certainly would not buy anything from a company that thought it OK to install password-stealing malware onto their paying customers’ machines.

Richard, a longtime maintainer of various open source projects, has offered Razer to do their dirty work for them and write firmware update software from scratch, so that Linux users who want to update their Razer devices can do so without having to install Windows first. All he asked for was some example code or at least the specifications so he could get started.

I offered to upstream any example code they could share under a free license, or to write the code from scratch given enough specifications to do so. This is something I’ve done for other vendors, and doesn’t take long as most vendor firmware updaters all do the same kind of thing; there are only so many ways to send a few kb of data to USB devices.

So how did Razer respond to the gift horse? I mean, they would be fools to turn down an offer of someone expanding their potential customer base for free, right?

I have discussed your offer with the dedicated team and we are thankful for your enthusiasm and for your good idea. I am afraid I have also to let you know that at this moment in time our support for software is only focused on Windows and Mac.

So don’t buy Razer hardware if you want to maintain it without a proprietary operating system. Personally I have never been a big fan of Razer, as their desire to put everything into the cloud has taken one hilarious turn after the other. I’m sorry, but my mouse settings do not need to be stored in the cloud and I do not want to create an account with your site just to use a piece of hardware I already paid for.

Apparently Syria has shot down an Israeli F-16 fighter jet. Israel claims that an Iranian drone, launched from Syria, entered their airspace, and that they then set out to fly an attack against a target in Syria. I don’t really know what to make of this, but Israel has been bombing targets in Syria for the past few months already. While I am not a fan of Assad and of the things happening in Syria, it is difficult to really get an idea of what is actually going on. At least one has to acknowledge that Israel is basically attacking a sovereign country. I guess the additional anti-aircraft missiles Syria received from Russia are properly set up now. It was only a matter of time before Syria would start to defend against Israeli air raids. Why not shoot down the drone and be done with it? That would’ve been the sensible thing to do. On the other hand, if you have been annexing and occupying territory that does not belong to you for decades, you are probably not in the “sensibility business”.

Update: it seems like the drone, which prompted Israel to attack Syria in the first place, was shot down by Israel when passing from Syria into the Golan Heights. As stated above, that territory does not even belong to Israel, and even the UN acknowledges Israel’s illegal occupation of it. So Israel is throwing a fit because Syria flew a drone over Syria’s own territory. Awesomesauce… it gets better and better.

I never thought I would say this, but Uber, the ride hailing company, did something remarkably awesome. A group of five economists, two of whom are employed by Uber, two Stanford professors, and the chairman of the University of Chicago economics department, have released a paper in which they report on their analysis of more than 740 million Uber trips in the States between Jan 2015 and Mar 2017, involving more than 1.8 million drivers.

The price a customer has to pay for an Uber ride is calculated by an algorithm that does not care about gender. The deciding parameters in making up the price of the fare are trip distance, wait time, speed, and surrounding circumstances like scarcity of available drivers. Even though there is no gender involved and the algorithm computing the fare is not just completely neutral in that regard but also does not care about things like whether someone works part- or full-time, funnily enough there is still a gender pay gap. According to the paper, men earn an average of $21.28 per hour while women only earn an average of $20.04 per hour. The difference of $1.24 amounts to a gender pay gap of about 6%.

How can this be? There is no evil patriarchal society at play, the math is simple (the equation is actually part of the paper) and it does not discriminate against anyone. In their analysis, the authors name three main causes for the pay gap that can be demonstrated statistically from the ride data they analyzed.

1. Men have more experience

The authors state that men and women learn at the same rate in terms of number of rides. They also state that, for example, wait times go down by 5% to 10% over the first 1500 rides of experience for both genders. This is because both men and women learn which rides to reject and which to accept. But, according to the statistics, men gain more experience per calendar week because they work longer hours. After a given time interval, men will therefore have accumulated more rides than women and thus more experience. With passing time, the percentage of men with a lot of experience will rise faster than the percentage of women. Also, after six months, 77% of women will have quit working for Uber. Among men, only 65% will have quit in the same period, leading to a further increase in the share of highly experienced male drivers.

2. Men drive faster

For both genders, the speed goes down with experience as the drivers learn that congested areas are more lucrative than being out and about in the countryside. But men still drive faster on average than women. They also drive longer trips, and the combination of longer trips completed in less time means more money. The authors mention studies that show that men are more risk tolerant than women, both in general and when driving in particular. This might explain the general tendency to drive faster. While mostly irrelevant in daily life, in a driver’s line of work speed of course pays off.

3. Men pick better spots and ride times

Possibly also a matter of experience, men tend to favour areas that have a lack of available drivers despite high demand. This triggers a bonus modifier on the fare in order to get more drivers into areas where they are needed the most. Men more actively seek out areas where high bonus factors are available, leading to more income per trip.

What do we learn from this?

One of the most decisive factors is time spent working. If women prefer to work part-time they will accumulate less experience. Less experience usually means being less productive, which then results in less pay, either directly if the wage is coupled to hours worked, or indirectly because someone with more experience will move up the food chain faster. This holds true for both genders, and this report shows that women do not need men to discriminate against them in order to be paid less. They can achieve this just fine by themselves. The question one should ask is: why the difference in working hours? Family? Lack of interest? Maybe being an Uber driver is not appealing to the general female populace; hell, I could hardly think of a more annoying job myself. It’s all in the eye of the beholder, I guess.

But, if someone suggests that a person A with less experience than person B should be paid the exact same amount, they are actually the ones who are discriminating.

And since we men are apparently born with the need for speed and a greater risk tolerance, take it easy girls, this also means that we are far more likely to live life the squirrel way: Live fast, die young, and leave a flat patch of fur on the highway ;)

Every time another study claims to have found a link between an increased cancer risk and mobile phone usage, like the newest NIH study here (TR-596) I cringe in my chair, awaiting the hordes of inept journalists to jump on the bandwagon and proclaim practically the end of civilization due to death by smartphone. Of course if the media is writing about it then the average Joe is inclined to believe it, even though this question can actually be approached with some common sense.

So what is cellphone radiation? Cellphones emit microwaves, which is the designation for electromagnetic radiation with a wavelength between 1 mm and 1 m, or a frequency between 300 MHz (3 × 10^8 Hz) and 300 GHz (3 × 10^11 Hz). Which frequency is emitted by your cellphone depends on the network and technology in use. Most phones operate around 900 MHz, 1900 MHz, or 2100 MHz, depending on the frequencies in use in your country. Here is a nice graphic that shows the range of the electromagnetic spectrum, by the way. So, how can this harm us? If you are wondering whether the term microwave refers to the same thing as the device that you use to heat up your food, then you are correct, but hold your horses for a minute, it all depends on the power! And before we come to that, let us examine what ways there are to affect tissue such that it could lead to something like cancer.

Destroy the DNA with ionizing radiation

A surefire way to get cancer is to break up the bonds that hold your DNA together. While your body has ways to repair broken DNA, it sometimes makes mistakes while doing so. The more mistakes happen, the higher the chance that the DNA will be distorted in such a way that using its (now erroneous) information to produce otherwise useful things for your body leads instead to the formation of a malignant tumor that grows and spreads. So the first and most obvious way to get cancer is to cause as many breaks in the DNA as possible.

Your DNA is held together by ionic bonds which have a certain force of attraction, if you will. If something highly energetic comes along, think of something like a bullet, and hits this bond, it can break. However, your bullet needs to have a certain amount of energy so it can actually overcome the ionic bond, or nothing will happen. Think of taking a cannonball and throwing it against a house wall with your hands. You can probably do this all day and nothing much will happen. Load that cannonball into a cannon first and fire it at the house and it will go right through. This is of course because the cannonball has more (kinetic) energy when fired from a cannon, since your arms are just too weak to give it sufficient energy.

It really is the same with electromagnetic radiation or photons, which are one and the same. A photon hitting your DNA must have a certain amount of energy or nothing will happen. Throwing more than one low-energy photon at your DNA does not help either, in the same way that it does not help if you and your friends throw cannonballs at a wall together. More balls do not make up for one ball with enough energy to penetrate…. let’s use a different analogy next time. :o) Long story short, more particles do not help, they need to have enough energy in the first place!

Can mobile phones destroy your DNA?

So, how much energy do you need to destroy DNA? The range of ionizing radiation starts at around 120 eV, which is short for electronvolt and is the unit physicists like to use to describe the energy of particles. There is no need to understand the background of electronvolts or how to convert them into different units of energy, as you will soon see, it is all about the ratio. So everything above 120 eV will be able to destroy your DNA, but the further you are below 120 eV the less likely this is to happen.

The higher the frequency of a photon, the higher its energy, so let’s take the highest frequency we have for mobile phones which, as I wrote above, is 2100 MHz. Let’s make it 3000 MHz just for kicks. At that frequency a photon will have an energy of 12 µeV, which is microelectronvolt. Micro is a millionth, so a mobile phone microwave photon has 12 millionths of 1 eV of energy. How many eV did we need to destroy our DNA? Around 120. This means that photons emitted from mobile phones only have one ten-millionth (0.0000001) of the energy that would be needed to ionize our DNA bonds and lead to cancer this way. This will never ever happen! CASE CLOSED

What about the heat?

Another way to get cancer is by heating up your tissue in excess of 42 °C, which causes proteins to denature, a fancy way to describe killing cells if you like. This is also one of the reasons why a really high fever can be life-threatening. So if you kill cells, your body has to replace them. When building new cells, your body can fuck up, so to speak, and put something together the wrong way. If the resulting misbuilt cell starts to multiply like crazy and spreads around, there’s your cancer again. So, since we cannot ionize the DNA with microwave radiation, can we maybe heat up the tissue enough for cells to die so they have to be replaced? After all, your microwave oven can also heat up your food pretty well.

This is where the amount of photons comes in. While more photons hitting your tissue do not raise the chance of destroying DNA if they do not have enough energy to do so, they do warm up your tissue. This amount of photons per time is what we call power, and we usually use watts (W) to describe it. Your microwave oven usually has something in the order of 800 W of power. This means a whole lot of photons hitting your food, which then gets really hot. You really should not stick your head in there, which is why microwave ovens have a safety switch so they cannot be turned on while the door is still open. (Put down that screwdriver and leave that safety switch alone! It’s there for a reason!) Your mobile phone has a lot less power!

The current SAR (specific absorption rate) limit for exposure to radiation is around 1.6 W/kg or 2.0 W/kg, depending on the limits enforced in your country. This basically describes how much power per kg of tissue is deemed safe. The SAR rating of your phone will be even less. Most phones are in the range of 0.2 W/kg to 1.0 W/kg. If the reception is good, the phones also throttle down to save battery; in that case their power output is only a fraction of these values. There is a nice website from the Bundesamt für Strahlenschutz (the German agency for protection from radiation) where you can look up the SAR values of hundreds of phones (available in English). (Please don’t mind them using the German word for mobile phone, which is Handy. So if they ask you for your Handy model, don’t get any funny ideas, just input the model of your cellphone ^^)

As we can see, mobile phones only have tiny amounts of power compared to a microwave oven (Lucky us!). Is this enough to maybe at least get your tissue to 42 °C? There has been research conducted by Van Leeuwen, et al. who developed a head temperature model based on MRI scans to investigate the effect of microwave radiation on the tissue temperature. On top of it all, they also verified their model by experiments they conducted to measure the skin temperature rise, so this is a pretty solid piece of work.

The blood circulating in our veins is the main source of cooling and heat transport in our body, else we would overheat. Also, simple physics tells us that the bigger the difference in temperature between two areas or volumes, the more heat is transported between them. This also means that as tissue warms up, the temperature difference to the blood becomes larger and thus the heat transfer to the blood gets stronger, resulting in even better cooling. If you have a constant heat source, the temperature rises at first but then, as the cooling becomes more efficient, levels out and stays at a constant value without increasing further unless you apply more power. Van Leeuwen found that the maximum rise in brain temperature after hours of constant mobile phone usage was 0.12 °C. A bloody tenth of a degree! The average body temperature of a human can easily vary by as much as 1 °C throughout the day. How is this supposed to create cancer problems for you? You should be more afraid of getting cancer from catching a cold with the resulting fever.

So have fun, go about your business, use your phone as much as you want, and stop worrying. Also stop fucking telling people that they get cancer. Oh, before I close this, how did the newest study I mentioned at the very top determine that there is an increased risk for cancer? Well, first of all they blasted mice with 10 W/kg of radiation. Your body’s cooling system is efficient, but it will crap out at some point. You cannot simulate a long exposure by increasing the dosage if a lower dosage is completely safe in the long run. We have a built-in “air conditioning” and of course you can make it fail if you make it hot enough. They could’ve put the mice into a microwave oven and then complained about health side-effects, same deal.

Oh and they don’t seem to be so sure of themselves either:

The combined incidences of fibrosarcoma, sarcoma, or malignant fibrous histiocytoma of the skin were increased in 5 and 10 W/kg males, although not significantly or in an exposure concentration-related manner.

Great, not only did we up the dosage to an unrealistic level, it also hardly shows any difference…