thewayne: (Default)
This is starting out with a warning: this article is really, REALLY deep computer security stuff, DO NOT dig into it if you don't have a minimal understanding of network encryption, SSH, RSA, etcetera! YOU WILL BE LOST!

RSA is pretty much a deprecated encryption technique. While it was good in its day, it's somewhat broken and has been superseded by better methodologies, both because technology moves ever onward and because it's broken. Apparently it's mainly in use in old systems where companies haven't bothered to replace it: 'If it ain't broke, leave it alone', and just haven't budgeted the funds and time to get it done.

People who try to break computer security have found an interesting way to break RSA even worse. They monitor and sit and wait. The first thing that happens when establishing an SSH connection (and other secure types of connections) is a handshake - the computers send a few packets back and forth, exchange keys (encryption certificates), and get to know each other (proverbially). This handshake process is supposed to be encrypted and secured and not easily spied upon. Except sometimes it isn't.

Computers make mistakes. Sometimes the process that encrypts the handshake fails, it can be a memory bit failure, and this can reveal part of one of the private keys that provides the encryption to the handshake. These keys are generated by multiplying very large prime numbers. If you recover one of the keys, you can then recover the other key by dividing by great whomping big prime numbers. Once you break that, you have access to the certificates that created the secure connection and you can now sit in the middle and impersonate all traffic of either host.

This is what people in computer security call BAD.

OpenSSH applied fixes to try to prevent it, but some major vendors, including Cisco, roll their own code and had some pretty bad vulnerabilities to this problem. They might have fixed it, but when you're running closed-source software (where you've written your own code), rather than relying on open software where there are tons of eyes looking for problems and testing, it's often weaker than the open source version such as OpenSSH.

Interesting times.

No real solid information as to whether or not this has been exploited in the wild as it's really hard to detect interception attacks like this.

https://arstechnica.com/security/2023/11/hackers-can-steal-ssh-cryptographic-keys-in-new-cutting-edge-attack/
thewayne: (Default)
This is a VERY important case! A guy founded a website, public.resource.org, and began posting public laws, rules, and regulations that were passed and codified. Things like electrical regulations, etc.

Naturally he got sued by trade organizations that published these rules and made lots of bucks! Can't have people giving away our bread and butter!

Last month an appeals court confirmed an appeal of a 2022 decision upholding the site's right to publish this information.

From the EFF post: "As part of its mission of promoting public access to all kinds of government information, Public Resource acquires and posts online a wide variety of public documents, such as nonprofits’ tax returns, government-produced videos, and standards incorporated into law by reference. These standards include electrical, fire safety, and consumer safety codes that have been mandated by governments. But without Public Resource’s work, they are often difficult to access, much less share with others, which means that areas of law that profoundly affect our daily life are obscured from our view. Even courts have had trouble accessing the laws that they are supposed to apply.

The American Society for Testing and Materials (ASTM), National Fire Protection Association Inc. (NFPA), and American Society of Heating, Refrigerating, and Air-Conditioning Engineers (ASHRAE) are organizations that develop private sector codes and standards aimed at advancing public safety, ensuring compatibility across products and services, facilitating training, and spurring innovation.

ASTM, NFPA, and ASHRAE sued Public Resource in 2013 for copyright and trademark infringement and unfair competition."


It's nice to know that we do sometimes get our tax dollars' worth, though sometimes it takes quite the fight for it to happen.

I might be able to use this as a source at my library. I've had requests for legal citations, and we don't have the material. THIS might have it! Definitely worth looking into. And some of those nonprofit tax returns could also be interesting reading.

https://www.eff.org/press/releases/appeals-court-upholds-publicresourceorgs-right-post-public-laws-and-regulations

https://yro.slashdot.org/story/23/09/17/1647253/public-resource-wins-2012-case-judge-rules-posting-regulations-online-is-fair-use
thewayne: (Default)
It's called Intel One Mono, and at my first glance, it's pretty decent, though I'm not too sure that I care for the lower case L. They have an extremely unrestrictive license for it, and lots of instructions on how to download it from Github and incorporate it into most major editors.

https://www.omgubuntu.co.uk/2023/06/intel-one-mono-font

https://github.com/intel/intel-one-mono

https://developers.slashdot.org/story/23/06/10/030224/intel-open-sources-new-one-mono-font-for-programmers
thewayne: (Default)
Specifically, three towns will, and will hand-tally election results alongside the open source software in verification. Should be interesting. Anyone who wants to challenge the result is welcome to hire a software expert to analyze the code and try to find problems that could be interpreted as vote flipping.

Now, this is not an electronic voting machine, this is a vote scanner or tabulator. People up there use paper ballots, which I think is the safe way to vote.

Pretty cool, IMO.

https://therecord.media/new-hampshire-set-to-pilot-voting-machines-that-use-software-everyone-can-see/

https://politics.slashdot.org/story/22/11/03/2155238/new-hampshire-set-to-pilot-voting-machines-that-use-open-source-software#comments
thewayne: (Default)
The purpose is to generate encryption keys with a high level of entropy. Specifically, it's a kit of 25 dice that get locked in to a 5x5 grid. For each die, the die is individually numbered, each face is individually numbered, and the rotation is individually numbered! Because of this, the entropy possible is 2^196, or 124,127,134,662,179,891,202,329,100,571,859,806,502,566,406,865,813,504,000,000! That's a bloody huge number!

Here's what it looks like after you shake the dice in the provided bag, roll them into the provided plastic cage and lock them down:




After you roll the dice and lock it down, you use a smartphone app to capture the dice and an app generates the key, which you can use within your phone or copy into a USB key. The best thing is that the software that generates the key is open source, so if the company disappears, as long as you still have your dice or a picture of it, you can still regenerate your key! And the case design is such that if you drop it (or a toddler accident), it won't accidentally pop open and spill the dice all over the place.

Bruce Schneier, noted encryption expert, is a consultant on the project.

I ordered two of them, I think they're pretty cool. And at $25 for the basic kit, they're not too expensive. Honestly, I don't know if I'll ever use it, but the potential utility is quite good. And since they've already built 900 kits and sent them to the fulfillment center, there's zero chance that the project will not succeed.

https://www.crowdsupply.com/dicekeys/dicekeys
thewayne: (Default)
Zork. Hitchhiker's Guide to the Galaxy. Planetfall. A Mind Forever Wandering. Leather Goddess of Phobos. Sorcerer. Deadline. All the source code is there, as is a link to a manual that explains how the Lisp-like Zork Implementation Language, ZIL, works (scroll down to download it in PDF, epub, Kindle, and other formats). There are interpreters available for all of the major operating systems; apparently ZIL is very popular in the interactive fiction community.

Activision still holds the rights, and technically this could all disappear in the blink of an eye, but the code is so ancient that it might just stay up. It should prove to be quite an interesting study in natural language parsers.

There's a total of 54 repositories, it took me about 25 minutes to download all the zips and it's a total of about 167 meg when all is said and done.

https://arstechnica.com/gaming/2019/04/you-can-now-download-the-source-code-for-all-infocom-text-adventure-classics/


Just to add to stuff that you might want to download, Archive.org has a thing called the Infocom Cabinet, containing stunning collections of documents scanned from Infocom documenting behind the scenes stuff from Infocom projects. For example, the tome on Hitchhikers (and there's no better word than tome, as it's near 600 pages long!) is just on Hitchhikers! There's similar for Zork, Leather Goddess, Mind Forever Wandering, two for Planetfall, etc! 28 entries in all. This is going to be an amazing partial biography and behind the scenes of Infocom! It's a somewhat bigger download: 28 files which, in epubs, is 1.4 gig!

Back to downloading, I guess....

https://archive.org/details/infocomcabinet
thewayne: (Default)
I think they have a good plan and have an excellent chance of success. Several years ago Munich tried to switch to Linux, and last year they switched back to Windows. They tried an everything in one shot approach, which I think is doomed from the get go. Barcelona is starting with replacing their Exchange servers with Open-XChange, Internet Explorer with Firefox, and Office with LibreOffice. Then they'll continue from there, eventually replacing the underlying Windows OS with Ubuntu after all of the apps are open source. I'm not sure when they'll be replacing their data center servers with Linux, it's not mentioned in the Europa.eu article.

Apparently this is part of a new European campaign called Public Money, Public Code, of which Barcelona is the first country to attempt such a conversion. It certainly won't be easy being the first, but they'll be able to provide LOTS of information to other municipalities who go down this path later.

https://joinup.ec.europa.eu/news/public-money-public-code

https://linux.slashdot.org/story/18/01/15/0415219/city-of-barcelona-dumps-windows-for-linux-and-open-source-software

https://publiccode.eu/

There's a good comment on the Slashdot story:

"Most IT shops do not know the answer to three questions
1) How much (all up, everything) do we pay microsoft in licence fees per year
2) How much do we pay other vendors for licence fees
3) Over 3 years how much have we paid for software- all up, including lawyers, audits, and licence management packages, and administrators who add nothing to the bottom line ensuring 'compliance'"


This can be a compelling reason to go open source like this.
thewayne: (Cyranose)
Very interesting story. This game, Glitch, was a browser-based (Flash) 2-D scroller that had a good fan base but never made a lot of money. According to comments, it required a lot of hands-on work from the programmers, that's probably one of the reasons for its downfall. It shut down last December. Well, the owners of all of the code have released ALL OF IT, and the art work, into the public domain. Anyone can download it, anyone can create a server.

It's going to be interesting to see what this spawns once people download and finish studying the code and start mounting servers.

http://www.glitchthegame.com/public-domain-game-art/

http://games.slashdot.org/story/13/11/19/206209/2-d-mmog-glitch-released-completely-into-the-public-domain

http://en.wikipedia.org/wiki/Glitch_%28video_game%29
thewayne: (Default)
A couple of things in the news about the HP TouchPad, the WebOS tablet device that was blown-out in August for $99. The OS and the tablet got pretty good reviews, up until the point that HP decided to abandon all WebOS development at a cost to them of a billion dollars or so. It's the operating system that they acquired when they bought out Palm Pilot, and it powered their Palm smart phones.

The first piece of news is that HP is having a mondo big sale on eBay tomorrow, Sunday, 11 December, at 6pm Central Standard Time, and will be blowing out "an unspecified quantity" of factory refurbished units at the $99+ price. An accessory pack will be available, and the units will have a 90 day warranty.

http://techcrunch.com/2011/12/07/hp-touchpad-ebay/

http://hardware.slashdot.org/story/11/12/08/1545236/hp-reviving-the-99-touch-pad-on-december-11th

The other piece of news is that HP is releasing the WebOS to the open source community. It was speculated that RIM, the makers of Blackberry, would buy it. I think it would have been a good fit for RIM, but I guess it didn't happen. HP claims that they will be an active participant in the project, but I tend to question that since they've bought in to Windows Mobile OS for cell phones. No one is making hardware for this OS, and the Android community have been very active in porting to it, so I'm not sure how useful WebOS going open source will be.

I think you're going to see two things. The highest amount of activity will be the Android TouchPad community as they'll be trying to get their apps already in the various Android app stores working on the TouchPad. You'll see some WebOS activity for the newness of it, people will study it to see how they did things and what other interesting things they can adapt in to other open source projects. Some people will write some bug fixes and new interconnectedness link software, but I don't think this will be a huge group. I think the least activity will be people doing new development in WebOS. There's no growing hardware base: all of the hardware has been made, and that number will suffer a steady decline over the years as it fails and is with increasing rapidity eclipsed by newfangledness. I don't think that you'll see any manufacturers building hardware for the WebOS, it's too easy to just make it for Android, which has a growing and vibrant community.

So you've got two camps (IMO): the hackers who want an inexpensive tablet to root, port Android to it, and enjoy the heck out of it, and the people who don't pry beneath the covers and buy an inexpensive tablet and use it until it gets glitchy, then they'll bitch that they can't get it repaired and dump it for an iPad or Android tablet or eBook reader.

That's what I think, but what do I know.

http://www.wired.com/gadgetlab/2011/12/hp-webos-open-source/

http://www.h-online.com/open/news/item/HP-to-make-webOS-an-open-source-project-1393262.html

http://mobile.slashdot.org/story/11/12/09/1857254/hp-making-webos-open-source


This puts me in a bit of a conflicted bind. I was planning on buying a Nook Tablet from Barnes & Noble, if you're a member you can get them for $225. It would be brand-spanking new and have all sorts of wonderful support available through a major corporation that, as far as I'm hearing, is doing a very good job of keeping customers happy with it. Or I might be able to drop less than half that for a unit that has no company support, only a 90 day warranty, and to expand its capability I'd have to install a new operating system on it that would be dependent on varying quality levels of community support.

I'm probably going to go with the Nook. I'm tired of having to wrestle with software, I don't want to think about the number of systems that I've had to patch, bring back from the dead, and sacrifice brindled calves to in the pale moonlight over the last 20+ years as an IT person. I just want to have confidence that my shit will work when I hit the power button, and that it won't be difficult to find good resources to fix it if it glitches or dies.
