On April 7, 2014, it was announced that all versions of OpenSSL in the 1.0.1 series up to and including 1.0.1f had a severe memory handling error in their implementation of the TLS Heartbeat Extension. This error could be used to reveal up to 64 kilobytes of the application's memory. The vulnerability had existed since December 31, 2011, and had been adopted to widespread use since the release of the OpenSSL version 1.0.1 on March 14, 2012. By reading the memory of the SSL server, attackers could access sensitive data, compromising the security of the server and its users. Potentially vulnerable secure data include the server's private master key, which enables attackers to break the encryption of the server's earlier eavesdropped communications and impersonate as the server. The vulnerability might also reveal unencrypted parts of other user's sensitive requests and responses, including session cookies and passwords, which might allow attackers to hijack the identity of another user of the service. At its disclosure, some 17% or half a million of the Internet's secure web servers certified by trusted authorities were believed to have been vulnerable to the attack. [more...].
The warning about the bug in OpenSSL coincided with the release of version 1.0.1g of the open-source program, which is the default cryptographic library used in the Apache and nginx Web server applications, as well as a wide variety of operating systems and e-mail and instant-messaging clients. The bug, which has resided in production versions of OpenSSL for more than two years, could make it possible for people to recover the private encryption key at the heart of the digital certificates used to authenticate Internet servers and to encrypt data traveling between them and end users. Attacks leave no traces in server logs, so there's no way of knowing if the bug has been actively exploited. Still, the risk is extraordinary, given the ability to disclose keys, passwords, and other credentials that could be used in future compromises. [more...]
Here at Organic Design we have suffered from this flaw since 1 July 2013 when we upgraded from Debian 6 to Debian 7. Luckily we've been using Perfect Forward Secrecy since then which means that only live man-in-the-middle attacks would have been able to reveal any information, but changing passwords and certificates is still best done to be on the safe side. We upgraded the OS yesterday which implemented this security patch.
One of the great things about the architecture of the internet is that it is truly decentralised. By design, no one rules it and everyone can use it. But in the last two decades, a small collection of global technology companies have come to control the bulk of internet traffic. Google, Facebook, and others have captured our attention and with it, our data. In the face of such consolidation, concerns about the implications for personal privacy and security have never been more pressing. This is particularly the case following the NSA/GCHQ global surveillance revelations. For many, the solution to this situation is to return the internet to its original state -- distributed, open, and decentralised.
It is certainly not the first time that the idea of a peer-to-peer redesign of the whole internet has been vaunted, and it holds great appeal to those who think end-to-end encryption is needed. But such a system, workable at scale, is still just a thought experiment. Or is it?
A Scottish company, MaidSafe, claims that it has nearly finished building a system that does what Bitcloud is proposing. You can imagine our scepticism when a company we've never heard of, in the tiny town of Troon, with a terrible name and a 12-minute promotional video told me it had solved one of the most compelling problems on the internet. [more...]
The Bitcoin cryptocurrency's value hit USD $500 today. Many people believe this outrageous price increase to be a temporary bubble, but there are many reasons for it to be going up like this, the main reason for the continual rise in price is that the coins which have a limited supply acts like a share in the Bitcoin economy which is growing much more rapidly than the availability of the coins. The Bitcoin economy as a whole is at about seven billion dollars, but is expected to eventually reach the trillion dollar scale as it becomes more widely accepted and hits mainstream financial businesses and institutions - this would easily push the coin price into the tens of thousands of dollars.
The picture above is a screenshot from the Bitcoinity chart site. When the price hit $500, Kermit the frog appeared shouting "YAAAAAY!!" :-)
Organic Design has begun developing a new project called Bitgroup which is a peer-to-peer group-ware and social-network application based on Bitmessage. It allows groups to communicate and organise securely and privately without the need for centralised servers which can be shut down or compromised. It's also designed to work effectively in areas that have very limited or intermittent internet capabilities, and will eventually be able to work without internet at all by using local networks and removable media as it's transport mechanism. [more...]
A private P2P framework is essential in our view, but there's also many other things that we at Organic Design have found to be invaluable tools to have available in a decentralised groupware framework, such as support for workflow and contract oriented organisation, trust groups and the prioritisation of the sneakernet and meshing support to name a few. We have so many specific needs and ideas that we'd like to experiment with ourselves, that having our own peer-to-peer groupware framework is the best way forward for us even if there may be some other systems that are more mature or better in some respects.
Bitmessage is a peer-to-peer communications protocol based on the Bitcoin crypto-currency used to send encrypted messages to another person or to many subscribers. It is decentralized and trustless, meaning that you need-not inherently trust any entities like root certificate authorities. It uses strong authentication which means that the sender of a message cannot be spoofed, and it aims to hide "non-content" data, like the sender and receiver of messages, from passive eavesdroppers like those running warrantless wiretapping programs.
We've now set up a Bitmessage gateway on the Organic Design server which means that existing mail users can now transparently send and receive messages in the Betmessage network. The security of the system is less working in this way since the connection to the Organic Design mail server is a normal SSL connection, but it's still very useful since most users would not be willing to set up a completely new communications application to use Bitmessage, so it helps to get the system more utilised. Users who start working more seriously with it later can take their existing address from the Organic Design gateway and use it in their local Bitmessage client. More detail about the gateway script and usage can be found in our local Bitmessage article.
The Wikimedia foundation have embarked on a grand new project addressing the need for a generic solution to workflow called "Flow". At first glance, Flow is a next generation discussion system - but that is only one part of it. Flow is actually a rethinking of how the foundation works collaboratively on their projects. Initially, the key components of Flow are will include powerful ways for users to have insight into their discussions, interests, subscriptions and tagging.
Of particular interest to us here at Organic Design is the incorporation into Flow of a "Workflow Description Language" module which can potentially encapsulate all the systems from discussion and notification mechanisms up to large-scale project workflow scenarios. This is the kind of thing we were trying to head towards with our Wiki Organisation system. For more information, see the Flow Portal.
Eventually we'd like to migrate our code repositories over completely from Subversion to Git since Git is much more in line with our philosophy being peer-to-peer instead of centralised. A full migration is a big process though - the Wikimedia foundation took well over a year of discussions and testing to achieve this migration.
But after the recent migration we made on our web-server from Apache to Nginx, we were left with the problem of anonymous users no longer being able to checkout local read-only copies of our code over HTTP since it relies on a module which isn't available for Nginx. We set up a Guest RSA key so that users could still do this over SSH, but this is a very complicated process for the average user and is a complete nightmare for Windows users.
So we took this problem as an opportunity to take the first step on the Git-migration journey! I found a very useful script by Daniel Pocock here which allows a read-only Git mirror to be maintained automatically from your Subversion repositories. This means anonymous users can easily access and use our public code while we still continue working with our local Subversion repositories without requiring any changes to our procedures :-)
Over the last week we've been upgrading the wiki from MediaWiki 1.19.2 to 1.21.1, the server operating system from Debian 6 to 7 and the web server from Apache to Nginx. One reason for the move is the recent interest in Perfect forward secrecy (PFS) coming from articles such as this. PFS is an obscure feature of SSL/TLS and requires at least OpenSSL version 1 which is included in Debian 7 but not in version 6. Also a more recent version of Apache than is packaged in Debian 7 is required, but Nginx has supported PFS for quite some time now.
In addition to supporting PFS, Nginx is by all accounts much more efficient than Apache as it uses an asynchronous event-driven approach to handling requests, instead of the Apache threaded or process-oriented approach. Also Nginx's event-driven approach can provide more predictable performance under high loads, thus their slogan; get async or get sunk!
We've been using Debian for our server operating system of choice for over ten years now, but I've recently decided to change from Ubuntu to Debian for our workstations as well now since Ubuntu is increasingly becoming the "microsoft of the free software world" with pay software and services at every corner and compulsory spyware riddled throughout system.
I was very dissapointed with the change of the desktop environment to Unity as well which I really can't stand, but the spyware is a real show-stopper for me so it's time for a change. Some other choices I've looked into which look really good are Linux Mint which currently holds the number one position in popularity of Linux distributions, Mageia which is number two, and gNewSense which has the strongest libre-oriented focus.