Another SSL Attack

A short time ago I mentioned the vulnerability in certificates that are signed with MD5. Well, I have just finished watching the presentation from Blackhat DC 2009 that details a different attack on SSL. It's a very simple attack, and the takeaway here is that you don't have to defeat SSL to defeat SSL!

Check the presentation over at SecurityTube.net. Be sure to watch the video, not just read the slides; it makes a lot more sense with the audio. Official video link here.

Edit: There is a five minute chat with the presenter on YouTube here.

OSG

FOSDEM 2009

I've just got back from my annual trip to FOSDEM. It seems to get busier every year, and each year there are exciting new things to be found.

The top three projects that interested me this year were:

SUSE Studio: This is a web application (currently in closed alpha) that enables the very quick creation of virtual appliances. Currently it supports exporting to three types of appliance – VMware Appliance, Bootable ISO and Bootable USB. The web interface itself is very slick, using the latest AJAX goodness, and is very intuitive. Let's say you want to set up an appliance that will have a webserver and database combo: you simply tick Apache and MySQL and it adds the relevant packages. It asks you to set up MySQL (if that's what you have chosen), and then you simply click on build and within a minute or two the appliance is ready to download.

Another project that I was unaware of was Cobbler – this is used for the fast commissioning of multiple (from tens to thousands) servers. There are many use cases for it – one example the presenter gave was when a web server farm was breached and taken over by a malicious hacker in the middle of the night; he was able to rebuild the whole server farm with just a few commands! If you want to make your server commissioning both quick and completely standardised, this is a very interesting program.

The final project I wanted to mention was FreeIPA, which aims to bring Identity, Policy and Auditing all under one roof. It's something that, although all the individual components have been available for ages, no-one seems to have brought together into one project, not in any coherent way at least. Currently it provides/uses LDAP (specifically FDS), Kerberos, DNS and DHCP, and puts a web interface on the front of it all. It's worth pointing out that policy and audit management won't be added until version 2, but this is certainly a project to watch.

FOSDEM has really expanded the number of tracks it does in recent years, and I know it would love to expand them further if it could get hold of a big enough space, but I for one think it might be time to expand FOSDEM beyond its two day length; then we could fit in more talks. All in all a fantastic weekend in Belgium though.

OSG

Collaborative documents

You know I love the cloud, no matter what some people say, and so I'm always interested in new sites and web based apps.

While on IT Conversations recently I became aware of EtherPad and, to be honest, I initially thought “why bother, it's already been done”.

Whenever I think about collaborative documents I have to admit I think about it in the Google Docs paradigm. I use Google Docs whenever I need to work on a document with someone else, but then I watched their screencast – when they say multiple people working on a document at the same time, they mean at the same time 🙂

At the moment it seems to be limited to only text documents, so no spreadsheets or presentations, and I have no idea if they even plan that, but I have to say it's an impressive piece of work for sure.

Why not check it out at http://etherpad.com/?

OSG