Here, Hold My Private Key

Wed, Feb 28, 2018

Paid certificate authority Trustico provides a premium installation service, where they offer to take all the hassle of getting an SSL certificate running on your website off your hands. Oh, this includes your private key, but hey, service is service, right?

If you prefer, we can also generate your Certificate Signing Request, Private Key and Certificate and then provide it to you.

[Image: trustico thumb]

Now, what could possibly go wrong if the people who sign your certificate also hold your private key and can issue new certificates for your domain whenever they like? It is seriously amazing how the commercial CAs are sawing off the branch they are sitting on. As if Let's Encrypt, the completely free CA built on open source tooling, chopping at the base of their tree wasn't enough already. ^^
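The way to keep the CA out of this picture, as an added example that is not Trustico's tooling and not code from the original post: generate the key and the CSR yourself, hand the CA only the CSR, and check that the certificate you get back actually belongs to the key you kept. It assumes openssl(1) is installed and uses placeholders of my own (www.example.com, a temporary working directory, and a self-made stand-in CA so that the whole flow runs offline):

```shell
#!/bin/sh
# Added example for this post, not Trustico's or any CA's tooling: generate the
# private key and the CSR yourself, hand the CA only the CSR, and verify that
# the certificate you get back really belongs to the key you kept.
# Assumptions: openssl(1) is installed; DOMAIN and WORKDIR are placeholders.
set -eu

DOMAIN="${DOMAIN:-www.example.com}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 1: the private key is generated locally and never leaves this machine.
gen_key_and_csr() {
  openssl genrsa -out "$WORKDIR/$DOMAIN.key" 2048 2>/dev/null
  chmod 600 "$WORKDIR/$DOMAIN.key"
  # The CSR carries only the subject and the public key (self-signed with the
  # private key to prove possession); that is all a CA needs to issue a cert.
  openssl req -new -key "$WORKDIR/$DOMAIN.key" -subj "/CN=$DOMAIN" \
    -out "$WORKDIR/$DOMAIN.csr" 2>/dev/null
}

# SHA-256 fingerprint of a PEM public key read on stdin (DER SubjectPublicKeyInfo).
spki_fp() {
  openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

fp_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null | spki_fp; }
fp_of_csr()  { openssl req  -in "$1" -pubkey -noout 2>/dev/null | spki_fp; }
fp_of_cert() { openssl x509 -in "$1" -pubkey -noout 2>/dev/null | spki_fp; }

# Step 2: once the CA returns the certificate, check it against your own key.
# Returns 0 when the public keys match, 1 otherwise.
cert_matches_key() {
  [ "$(fp_of_cert "$1")" = "$(fp_of_key "$2")" ]
}

# Stand-in for the real CA (constructed for this demo): its own key and a
# self-signed root, used to sign the CSR. The public key in the issued
# certificate always comes from the CSR, whoever signs it.
fake_ca_issue() {
  openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORKDIR/ca.key" -subj "/CN=Fake CA" -days 1 \
    -out "$WORKDIR/ca.crt" 2>/dev/null
  openssl x509 -req -in "$1" -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
    -CAcreateserial -days 1 -out "$2" 2>/dev/null
}

gen_key_and_csr
fake_ca_issue "$WORKDIR/$DOMAIN.csr" "$WORKDIR/$DOMAIN.crt"
if cert_matches_key "$WORKDIR/$DOMAIN.crt" "$WORKDIR/$DOMAIN.key"; then
  echo "OK: $DOMAIN.crt matches the key that never left this host"
else
  echo "MISMATCH: $DOMAIN.crt was not issued for your key" >&2
  exit 1
fi
```

The fingerprint comparison is the same check you would run against a certificate a CA e-mails you, or against whatever is live on the server (openssl s_client piped into fp_of_cert); if it fails, someone holds a different key for your name.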

Update: In a contract dispute with DigiCert, Trustico asked DigiCert to revoke all certificates of Trustico's customers that are managed by DigiCert. DigiCert told Trustico that only the certificate holders themselves can request revocation of their certificates, and that a mass revocation is only possible if there is evidence of a security incident, such as the customers' private keys having been compromised.

So Trustico sent DigiCert an e-mail containing more than 23,000 private keys. This apparently happened on the 27th of Feb. A private key that has been e-mailed around is compromised by definition, and under the CA/Browser Forum Baseline Requirements a CA that obtains evidence of a key compromise has to revoke the affected certificate within 24 hours. So DigiCert has now revoked all those 23k certificates, effective the 1st of Mar, and sent e-mails to all the affected customers notifying them of the revocation.

Apparently Trustico did not just generate the private keys for premium installation customers, they also kept them. As I said, what could possibly go wrong…

Oh, and Trustico has responded to DigiCert, claiming:

At no time had any private keys been compromised, nor had we ever informed to you that any private keys had been compromised

They did not offer any explanation as to where the 23,000 private keys came from, though. I smell proper legal action incoming and think I should stock up on my popcorn reserves!

Update Update: Trustico released a statement admitting that they stored the private keys for their customers' SSL certificates. Additionally, among the compromised private keys are ones that were used by secure banking e-mail servers or … Equifax!

There have already been calls for all other CAs to suspend or terminate their relationship with Trustico.

This gets better by the hour ^^

Thanks to the technological wonders of widely available high-resolution cameras, we get to see the items on Trump's to-do list (in English) which he took with him to his meeting with high school students and teachers in the wake of the recent school shooting.

[Image: trump note]

The screenshot above is from the German public broadcaster's news programme tagesschau.

It is a wonder he survived the meeting, given that they forgot to add (6) breathe in, breathe out, repeat to the list…

In an attempt to win the fight against software piracy not by making a quality product that customers want to pay for, but by shady and potentially illegal methods, flight sim company flightsimlabs (FSLabs) has installed malware onto their customers' PCs. The malware is a password dumper that automatically locates the Google Chrome browser's saved-login database and dumps all the usernames and passwords stored in it, which can then be collected by FSLabs.

The company claims it only uses this tool against pirates, which, I think, is totally beside the point. Not a single paying customer gave consent, during the ordering or installation process, to have a password-stealing tool installed on their computer. Quite the contrary: FSLabs even asks you to turn off your antivirus software (not that it would be much help anyway) before installation. Now why would they do that? :)

While FSLabs has, after receiving a lot of backlash, apparently released an installer that no longer contains this malware, they have served as another glowing example of why DRM is anti-consumer and thoroughly despicable. I certainly would not buy anything from a company that thought it OK to install password-stealing malware onto their paying customers' machines.
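A cheap check before running an installer that wants your antivirus switched off, as an added example that is neither FSLabs' tool nor code from the original post: pull the printable strings out of the binary and look for the things a Chrome credential dumper on Windows cannot do without (the "Login Data" SQLite file Chrome keeps saved logins in, its password_value column, and CryptUnprotectData, the DPAPI call that decrypts the stored blobs when run as the same user). The indicator list and the two sample files are my own constructions for the demo; a hit is a reason to look closer, not proof:

```shell
#!/bin/sh
# Added example for this post, not FSLabs' tool or anything from the original
# text: pre-install triage that pulls printable strings out of an installer and
# flags the ones a Chrome credential dumper on Windows cannot do without.
# Assumptions: the indicator list below and the two constructed sample files.
set -eu

# Indicators: Chrome stores saved logins in a SQLite file named "Login Data"
# (table "logins", column "password_value"); on Windows the passwords in it are
# DPAPI blobs that any process running as the same user can decrypt with
# CryptUnprotectData. Plenty of legitimate software uses DPAPI too, so hits
# are a reason to look closer, not proof.
INDICATORS='Login Data|CryptUnprotectData|password_value'

# Portable stand-in for strings(1): runs of 4 or more printable characters.
extract_strings() {
  tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$' || true
}

# Print every string that hits an indicator; exit 0 on hits, 1 when clean.
scan_for_cred_theft() {
  extract_strings "$1" | grep -E "$INDICATORS"
}

# Number of indicator hits in a file (0 for a clean file).
count_indicators() {
  scan_for_cred_theft "$1" | wc -l | tr -d ' '
}

SAMPLES="$(mktemp -d)"
# Constructed sample 1: a "Windows installer" carrying a Chrome credential
# dumper. \220 and \377 are non-printable filler bytes between the strings.
printf 'MZ\220\377SELECT origin_url, username_value, password_value FROM logins\377CryptUnprotectData\377%%LOCALAPPDATA%%\\Google\\Chrome\\User Data\\Default\\Login Data\377' \
  > "$SAMPLES/suspicious.exe"
# Constructed sample 2: a clean installer with ordinary setup strings.
printf 'MZ\220\377Setup Wizard\377Installing aircraft model, please wait\377' \
  > "$SAMPLES/clean.exe"

for f in "$SAMPLES"/*.exe; do
  if scan_for_cred_theft "$f" >/dev/null; then
    echo "SUSPICIOUS: $f ($(count_indicators "$f") indicator hits)"
  else
    echo "clean: $f"
  fi
done
```

Point scan_for_cred_theft at a real installer and read the matching strings it prints; a packed or obfuscated binary will slip past a string scan like this, which is exactly why an installer demanding that you disable your antivirus deserves the same suspicion as one that trips it.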

Richard, a longtime maintainer of various open source projects, offered to do Razer's dirty work for them and write firmware update software from scratch, so that Linux users who want to update their Razer devices can do so without having to install Windows first. All he asked for was some example code, or at least the specifications, so he could get started.

I offered to upstream any example code they could share under a free license, or to write the code from scratch given enough specifications to do so. This is something I’ve done for other vendors, and doesn’t take long as most vendor firmware updaters all do the same kind of thing; there are only so many ways to send a few kb of data to USB devices.

So how did Razer respond to the gift horse? I mean, they would be fools to turn down an offer from someone expanding their potential customer base for free, right?

I have discussed your offer with the dedicated team and we are thankful for your enthusiasm and for your good idea. I am afraid I have also to let you know that at this moment in time our support for software is only focused on Windows and Mac.

So don't buy Razer hardware if you want to update it without a proprietary operating system. Personally I have never been a big fan of Razer, as their desire to put everything into the cloud has taken one hilarious turn after the other. I'm sorry, but my mouse settings do not need to be stored in the cloud, and I do not want to create an account on your site just to use a piece of hardware I already paid for.

Apparently Syria has shot down an Israeli F-16 fighter jet. Israel claims that an Iranian drone, launched from Syria, entered their airspace, and that they then set out to fly an attack against a target in Syria. I don't really know what to make of this, but Israel has been bombing targets in Syria for the past few months already. While I am not a fan of Assad or of what is happening in Syria, it is difficult to really get an idea of what is actually going on. At least one has to acknowledge that Israel is basically attacking a sovereign country. I guess the additional anti-aircraft missiles Syria received from Russia are properly set up now. It was only a matter of time before Syria would start to defend against Israeli air raids. Why not shoot down the drone and be done with it? That would've been the sensible thing to do. On the other hand, if you have already been annexing and occupying territory that does not belong to you for decades, you are probably not in the "sensibility business".

Update: it seems the drone which prompted Israel to attack Syria in the first place was shot down by Israel when passing from Syria into the Golan Heights. As stated above, that territory does not even belong to Israel, and even the UN acknowledges Israel's illegal occupation of it. So Israel is throwing a fit because Syria flew a drone over its own territory. Awesomesauce… it gets better and better.

I never thought I would say this, but Uber, the ride-hailing company, did something remarkably awesome. A group of five economists, two of them employed by Uber, two Stanford professors, and the chairman of the University of Chicago economics department, have released a paper in which they report on their analysis of more than 740 million Uber trips in the States between Jan 2015 and Mar 2017, involving more than 1.8 million drivers.

The price a customer has to pay for an Uber ride is calculated by an algorithm that does not care about gender. The deciding parameters in making up the fare are trip distance, wait time, speed, and surrounding circumstances like scarcity of available drivers. Even though the fare algorithm is completely neutral in that regard, and does not even care about things like whether someone works part- or full-time, there is, funnily enough, still a gender pay gap. According to the paper, men earn an average of $21.28 per hour while women only earn an average of $20.04 per hour. The difference of $1.24 amounts to a gender pay gap of about 6%.

How can this be? There is no evil patriarchal society at play, the math is simple (the equation is actually part of the paper) and it does not discriminate against anyone. In their analysis, the authors name three main causes for the pay gap, each backed by the ride data they analyzed.

1. Men have more experience

The authors state that men and women learn at the same rate in terms of number of rides: wait times, for example, go down by 5% to 10% over the first 1500 rides for both genders, because both men and women learn which rides to reject and which to accept. But, according to the statistics, men accumulate experience faster per week because they work longer hours. After a given time interval, men will have accumulated more rides than women and thus more experience, so over time the share of highly experienced men rises faster than that of women. Also, after six months 77% of women will have quit driving for Uber, compared to only 65% of men, which further increases the proportion of highly experienced male drivers.

2. Men drive faster

For both genders, speed goes down with experience, as drivers learn that congested areas are more lucrative than driving around in the countryside. But men still drive faster on average than women. They also drive longer trips, and the combination of longer trips completed in less time means more money. The authors mention studies showing that men are more risk tolerant than women, both in general and when driving in particular, which might explain the general tendency to drive faster. While mostly irrelevant in daily life, in a driver's line of work speed of course pays off.

3. Men pick better spots and ride times

Possibly also a matter of experience, men tend to favour areas where demand is high but available drivers are scarce. Uber applies a bonus multiplier to fares in such areas in order to attract more drivers to where they are needed most, and men more actively seek out areas with high bonus multipliers, leading to more income per trip.

What do we learn from this?

One of the most decisive factors is time spent working. If women prefer to work part-time, they will accumulate less experience. Less experience usually means being less productive, which in turn results in less pay: either directly, if the wage is coupled to hours worked, or indirectly, because someone with more experience moves up the food chain faster. This holds true for both genders, and this report shows that women do not need men to discriminate against them in order to be paid less. They can achieve this just fine by themselves. The question one should ask is: why the difference in work hours? Family? Lack of interest? Maybe being an Uber driver is not appealing to the general female populace; hell, I could hardly think of a more annoying job myself. It's all in the eye of the beholder, I guess.

But if someone suggests that a person A with less experience than person B should be paid the exact same amount, they are actually the ones who are discriminating.

And since we men are apparently born with the need for speed and a greater risk tolerance, take it easy girls, this also means that we are far more likely to live life the squirrel way: Live fast, die young, and leave a flat patch of fur on the highway ;)