The Techy

Your online source for tips, news, and more!

Certificate authorities (CAs) go wild

In the past week, DigiNotar, a Dutch company, has released hundreds of fake certificates. To make matters worse, DigiNotar is a "root" certificate authority and can sign and validate certificates on behalf of other CAs. It appears the attackers signed 186 certificates that could have been intermediate certificates. The attackers also issued certificates in the names of other certificate authorities such as Thawte, Verisign, Comodo and Equifax.

It seems the hackers have signed themselves hundreds of fake certificates, including ones for Google (which HAS been observed to have been used), Yahoo, Facebook, Microsoft, Skype, Mossad, CIA, MI6, LogMeIn, Twitter, Mozilla, AOL and WordPress. The cheeky hackers have also issued themselves wildcard certificates such as *.*.com and *.*.org.

These false certificates allow the hackers to masquerade as other well-known companies like Google, Microsoft, etc., just like the picture on DigiNotar's website (to the right) shows. In fact, these false certificates have been used in man-in-the-middle attacks allegedly performed by Iran. In a man-in-the-middle attack, the attacker makes independent connections with the victims and relays messages between them. In other words, the hacker stands in the connection between the victim and the website s/he wants to visit, hence the term man in the middle.

Example:
Example taken from Wikipedia

Suppose Alice wishes to communicate with Bob. Meanwhile, Mallory wishes to intercept the conversation to eavesdrop and possibly deliver a false message to Bob.

First, Alice asks Bob for his public key. If Bob sends his public key to Alice, but Mallory is able to intercept it, a man-in-the-middle attack can begin. Mallory sends a forged message to Alice that claims to be from Bob, but instead includes Mallory's public key.

Alice, believing this public key to be Bob's, encrypts her message with Mallory's key and sends the enciphered message back to Bob. Mallory again intercepts, deciphers the message using her private key, possibly alters it if she wants, and re-enciphers it using the public key Bob originally sent to Alice. When Bob receives the newly enciphered message, he believes it came from Alice.

1. Alice sends a message to Bob, which is intercepted by Mallory:

Alice "Hi Bob, it's Alice. Give me your key"-->  Mallory      Bob

2. Mallory relays this message to Bob; Bob cannot tell it is not really from Alice:

Alice      Mallory "Hi Bob, it's Alice. Give me your key"-->   Bob

3. Bob responds with his encryption key:

Alice      Mallory   <--[Bob's_key] Bob

4. Mallory replaces Bob's key with her own, and relays this to Alice, claiming that it is Bob's key:

Alice   <--[Mallory's_key] Mallory      Bob

5. Alice encrypts a message with what she believes to be Bob's key, thinking that only Bob can read it:

Alice "Meet me at the bus stop!"[encrypted with Mallory's key]-->   Mallory      Bob

6. However, because it was actually encrypted with Mallory's key, Mallory can decrypt it, read it, modify it (if desired), re-encrypt with Bob's key, and forward it to Bob:

Alice      Mallory "Meet me in the windowless van at 22nd Ave!"[encrypted with Bob's key]-->   Bob

7. Bob thinks that this message is a secure communication from Alice.
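The seven steps above traced in Python, with a fingerprint check added to show how Alice can detect the swapped key (an added example, not taken from Wikipedia or the original post). It uses textbook RSA with tiny constructed primes, so the keys and the `exchange` helper are illustrative only; the out-of-band fingerprint is an assumption standing in for what a certificate is meant to provide.

```python
# Added illustration: textbook RSA with tiny primes, for tracing the exchange only.
import hashlib


def make_keypair(p, q, e):
    """Return (public, private) toy RSA keys; insecure by design."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def encrypt(text, public):
    n, e = public
    return [pow(b, e, n) for b in text.encode()]


def decrypt(blocks, private):
    n, d = private
    return bytes(pow(c, d, n) for c in blocks).decode()


def fingerprint(public):
    """Short digest of a public key that can be compared out of band."""
    return hashlib.sha256(repr(public).encode()).hexdigest()[:16]


# Constructed keys (hypothetical values chosen for the example).
BOB_PUB, BOB_PRIV = make_keypair(61, 53, 17)
MALLORY_PUB, MALLORY_PRIV = make_keypair(89, 97, 5)


def exchange(alice_pinned_fingerprint=None):
    """Run steps 1-7 and return what each party ends up seeing."""
    # Steps 1-3: Alice's request is relayed and Bob answers with his key.
    key_from_bob = BOB_PUB
    # Step 4: the key that reaches Alice is Mallory's, not Bob's.
    key_seen_by_alice = MALLORY_PUB
    # Defence (assumption): Alice already holds Bob's fingerprint from a
    # trusted channel and refuses any key that does not match it.
    if alice_pinned_fingerprint is not None:
        if fingerprint(key_seen_by_alice) != alice_pinned_fingerprint:
            return {"alice_sent": False, "mallory_read": None, "bob_read": None}
    # Step 5: Alice encrypts to the key she was given.
    to_mallory = encrypt("Meet me at the bus stop!", key_seen_by_alice)
    # Step 6: Mallory reads it, then re-encrypts a changed message for Bob.
    mallory_read = decrypt(to_mallory, MALLORY_PRIV)
    to_bob = encrypt("Meet me in the windowless van at 22nd Ave!", key_from_bob)
    # Step 7: Bob decrypts and believes the message came from Alice.
    return {
        "alice_sent": True,
        "mallory_read": mallory_read,
        "bob_read": decrypt(to_bob, BOB_PRIV),
    }


if __name__ == "__main__":
    print("no verification:", exchange())
    print("with pinned fingerprint:", exchange(fingerprint(BOB_PUB)))
```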

Audits of DigiNotar to find out the cause behind the attacks reached several disturbing conclusions about the security of DigiNotar:

  1. DigiNotar's Windows servers were unpatched and had no anti-virus scanners.
  2. The passwords for DigiNotar's admin accounts were weak and easily cracked by brute-force attacks.
  3. All of the certificate servers belonged to one Windows domain, allowing the compromise of one administrator account to control everything.
  4. They had neither centralized nor secure logging.
  5. There was no effective separation of critical components.

The list, which is expected to grow as the investigation is still ongoing, is shocking and shows that DigiNotar's lack of security is to blame.

What are other companies doing in response to the incident? In reaction, Microsoft removed the DigiNotar root certificate from the list of trusted certificates used by its browsers on all supported releases of Microsoft Windows to protect its users. This will remove DigiNotar as a trusted root certificate in Windows Vista and all later versions of Windows (that means Microsoft Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2). So far Windows XP and Windows Server 2003 are still affected, as they do not have a mechanism to check Microsoft's online list of trusted root certificates and update their list automatically; Windows XP and Server 2003 only support updating the list of root certificates via an update from Microsoft Update, and so far Microsoft hasn't released such updates.

Likewise, Google removed DigiNotar from the list of trusted certificate issuers and Mozilla released new versions of its Firefox browser, revoking trust in the DigiNotar root certificate. Opera so far has not completely revoked trust in DigiNotar, instead opting to distrust only the compromised certificates by checking the certificate revocation list of the certificate's issuer. If you want to push Opera to revoke DigiNotar completely, visit this thread.

Apple, the reigning "supreme" OS, has not done anything in response to the attacks. Safari and Mac OS X do not detect the certificate's revocation, and users must use the Keychain utility to manually delete the certificate, then restart Safari, to clear DigiNotar certificates from the system.

What is the outcome of the attacks? Most of the companies have signed a death sentence for DigiNotar by removing it from their lists of trusted root certificates. Audits of DigiNotar are being done and are uncovering more of the damage done. It also seems that Govcert, the Computer Security Incident Response Team for the Dutch government, has taken over operations of DigiNotar. Yikes! Hope they do a better job.

Updates to article:

Microsoft

It seems Microsoft flicked the kill switch on DigiNotar and released an update that revokes trust in the following DigiNotar root certificates and places them in the list of untrusted certificates:

  • DigiNotar Root CA
  • DigiNotar Root CA G2
  • DigiNotar PKIoverheid CA Overheid
  • DigiNotar PKIoverheid CA Organisatie - G2
  • DigiNotar PKIoverheid CA Overheid en Bedrijven

Windows users are now prevented from accessing sites with SSL certificates issued by DigiNotar instead of being presented with a certificate warning.

Previously, users going to sites using a DigiNotar certificate were presented with an error screen with the option to continue, as shown:

However, after the application of the update, the option to continue has been removed:

To test this behavior, go to the https version of DigiNotar's website.

All Windows users using automatic updates will receive this update, and no reboot is required. However, at the request of the Dutch government, Microsoft has delayed the rollout of this update to users in the Netherlands and its territories until next Tuesday (Patch Tuesday, coincidentally). This will give Dutch websites time to swap all their certificates to another, perhaps more trustworthy, certificate authority. Therefore, the user would have to manually run Microsoft Update to receive the patch.

See http://www.microsoft.com/technet/security/advisory/2607712.mspx for more details.
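Why removing the roots goes further than checking a revocation list, as Opera did at first, shown in a simplified trust-store model in Python (an added example, not Microsoft's or Opera's code). The `Cert` structure, the example names and the serial numbers are constructed; signature checks are assumed to have passed, and the root names are the five listed above.

```python
# Added illustration: simplified trust-policy model, not a real X.509 validator.
from dataclasses import dataclass

# Root names as listed in the Microsoft update described on this page.
UNTRUSTED_ROOTS = {
    "DigiNotar Root CA",
    "DigiNotar Root CA G2",
    "DigiNotar PKIoverheid CA Overheid",
    "DigiNotar PKIoverheid CA Organisatie - G2",
    "DigiNotar PKIoverheid CA Overheid en Bedrijven",
}


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: str


def build_chain(leaf, pool):
    """Follow issuer names from the leaf up to a self-signed root."""
    by_subject = {c.subject: c for c in pool}
    chain, current = [leaf], leaf
    while current.subject != current.issuer:
        parent = by_subject.get(current.issuer)
        if parent is None or parent in chain:
            raise ValueError("incomplete or looping chain")
        chain.append(parent)
        current = parent
    return chain


def revocation_only(chain, crl):
    """Policy 1: keep trusting the root, reject only serials on the CRL."""
    return not any((c.issuer, c.serial) in crl for c in chain)


def root_distrust(chain, untrusted=UNTRUSTED_ROOTS):
    """Policy 2: reject every chain that ends in an untrusted root."""
    return chain[-1].subject not in untrusted


# Constructed sample data (hypothetical names and serials).
ROOT = Cert("DigiNotar Root CA", "DigiNotar Root CA", "00")
INTERMEDIATE = Cert("Example Intermediate CA", "DigiNotar Root CA", "0A")
KNOWN_FAKE = Cert("*.example.com", "Example Intermediate CA", "1001")
UNLISTED_FAKE = Cert("login.example.org", "Example Intermediate CA", "1002")
OTHER_ROOT = Cert("Example Other Root", "Example Other Root", "00")
HONEST = Cert("shop.example.net", "Example Other Root", "2001")
POOL = [ROOT, INTERMEDIATE, OTHER_ROOT]
# Only the fraudulent certificate the CA knows about has been revoked.
CRL = {("Example Intermediate CA", "1001")}


def evaluate(leaf):
    """Return (accepted by revocation-only, accepted by root distrust)."""
    chain = build_chain(leaf, POOL)
    return revocation_only(chain, CRL), root_distrust(chain)


if __name__ == "__main__":
    for leaf in (KNOWN_FAKE, UNLISTED_FAKE, HONEST):
        print(leaf.subject, evaluate(leaf))
```

The fraudulent certificate whose serial never reached the revocation list is still accepted under the first policy and rejected only under the second.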

Opera

It seems that Opera too has followed suit and removed trust for DigiNotar. For now, the user still has to manually remove the DigiNotar Root CA if it exists in his/her copy of Opera. Opera Software implies that new installations of Opera (that is, when installing Opera onto systems that did not have it installed previously) will not include the DigiNotar Root CA by default. Opera recommends that if you visit a site with a DigiNotar-issued certificate and it triggers an "Unknown issuer" dialog, click "Reject". See http://my.opera.com/rootstore/blog/2011/09/06/diginotar-first-step-disabling-the-root for more details.

This seems to be the end for DigiNotar.

Fix It: Removing line breaks

Ever encounter a body of text that when pasted
is broken at the wrong place?

I found a website that fixes these extra breaks by removing all the breaks. http://www.textfixer.com/tools/remove-line-breaks.php

Battle of the alternative PDF Readers (Foxit Reader vs Nitro Reader vs PDF-XChange Viewer)

PDF stands for Portable Document Format. It is the most widely used format on the net for distributing timetables, manuals, etc. It was invented by Adobe in 1993 to represent documents in a way that is independent of application software, hardware, and operating systems. In other words, so that the published document looks the same everywhere. Adobe produces Adobe Reader to read this file format. But Adobe Reader is known to be too bulky and prone to virus attacks. In addition, Adobe Reader is simply a reader with no option to edit the PDF document (unless you pay). For that reason, many users use alternative PDF readers like Foxit Reader, PDF-XChange Viewer, and Nitro Reader, just to name a few. I will be focusing on these three readers in this review.

Foxit Reader

One of the most popular readers out there is the Foxit reader. Foxit is able to write to the PDF documents, but it leaves a watermark on it. The watermark can only be removed by a "paid" version.

Foxit is touted to be the smallest PDF reader on the market! While that is certainly true, since it has the tiniest footprint, Foxit has sneakily bundled a bunch of possibly unwanted programs with the installer. You can read more about it at Downloadsquid.com's post "Foxit updates free PDF reader to v4, but watch out for adware".

Another problem with Foxit is that it does not have a proper text selector. Pressing the text select tool will bring up an "I", which will draw squares around the text you want to select. This can result in chopped-off text. In addition, the copied text tends to display as it was in the document. That means if the text is

Tall and
Skinny like
this

It will display like that in the document. That means that the text will break off at odd intervals and you will have to spend most of your time fixing the wrong breaks.

For these reasons, I do not recommend Foxit.

Nitro Reader

Another popular PDF reader is Nitro Reader. Like Foxit and PDF-XChange Viewer, Nitro Reader allows you to edit PDF documents. Nitro Reader (non-embedded) uses a Ribbon interface similar to that of the popular Microsoft Office suite. While it certainly is easier to use, in terms of user friendliness, the embedded version of Nitro Reader does not render properly. The embedded version's display is similar to Chrome's included PDF reader. The embedded version displays text WAY too small. There is no way to zoom via conventional means (Ctrl + middle scroll wheel on the mouse). The only way to zoom in is to hover the mouse near the bottom of the screen and press the zoom buttons that appear there. Because of this glaring bug, I cannot recommend Nitro Reader. On the plus side, Nitro Reader does not come bundled with any apps and the installer is straightforward.

PDF-XChange Viewer

Another well-known PDF reader is PDF-XChange Viewer by Tracker Software. It is the PDF reader I am currently using. Like Foxit and Nitro Reader, PDF-XChange allows you to edit PDF documents. However, unlike Nitro Reader, the embedded version renders the text properly and allows the use of conventional "zoom in". Also, it has a proper "select" tool (unlike Foxit). In addition, it has a "snapshot" tool to extract images (URL links to a YouTube video demonstrating the tool). However, the user interface is a little tricky to use, but there is plenty of help out there. On the downside, the installer comes bundled with the Ask toolbar. However, the installer is straightforward, unlike Foxit's, which tries to trick you into downloading and installing the toolbar. If you don't want the toolbar, simply uncheck the option that you "agree" to Ask's terms and conditions. In addition, the option to change your homepage to Ask.com is unchecked by default.

Conclusion

PDF-XChange Viewer is my recommended PDF viewer of choice. That is because it has a nice balance of editing tools and does not have glaring problems (or ethical issues) like the other PDF viewers I have tried.

Tiny Seed

“Tiny Seed”

by Thu Ya Win (me)

A tiny seed,
Full of hidden potentials.
It is planted in a fertile field.
With sweat and tender care, it soon sprouts.
Pushing up from the ground,
Growing above all others,
Braving tough winters.
A beautiful tree now stands in its place,
Laden with fruits.

Education,
Endless opportunities awaits.
It is started at an early age.
Great determination,
Hard work and sleepless nights,
Enduring tough times,
Will soon pay off.
Successful life;
Reaching your dreams and your goal.

First flight Poem

“First Flight”

by Thu Ya Win (me)

Dawn is breaking.
The sun peeks over the horizon.
Covering the entire plain with its pink-orange light,
Warming young bird’s face with its gentle ray.

The day has come.
Testing his strength, he must.
Today, he will fly or fall.

Hopping out from his nest
Grasping the branch with his slender legs
Stretching his wings,
Wriggling his tail,
Preparing for his first flight.

Calculating the wind speed,
Figuring the wind direction.
Making sure that everything is just right.

Glancing back, he could see his mother,
Filling with pride as well as worry.
Standing beside his mother is his father,
As stern as a commander.
Cheering and encouraging him are his brothers and sisters.

Focusing ahead
Wind blowing in his face,
He spreads his wings.
Inhaling deeply
To muster his courage

With great determination,
Courageously, cautiously

Leap!

A mighty flap of wings
A screech of power
Shoots up in the air

Soaring over the tree tops,
Through the clouds.
Almost touching the sky.
Exploring the world.

A Series of Haikus

A series of Haikus

Butterfly

Cocoon hangs from branch
Will soon emerge a butterfly
Beginning new life

Waterfall

White mists of beauty
Deafening sound of thunder
True force of nature

Rainbow

Light summer showers
Brings out art work in the sky
Ribbons of color

Spring

Buds come to life
Sweet aroma in the air
Birds are chirping

Shoot & Tell August Exhibit Tyw7 final version

This guest post is written by Thu Win aka Wikipedian for Shoot and Tell

This month's theme is "holiday." That means that this exhibition will show the best pictures of what our show and tell members are doing during the summer holidays. To see the other images that do not make the cut, visit http://my.opera.com/shootell/albums/tags.dml?tag=Holiday%20theme

Here is a table of some pictures that I quite like but that didn't quite make the final cut.

Here are 5 pictures that I think demonstrate photography at its peak quality.

John (aka Loku)

Caption: Cloud Gate - Millennium Park - Chicago

On my recent visit to this great city I walked to Millennium Park. The word "awesome" can't do justice in describing the sculpture - you simply have to be there, looking at the seamless curved mirrored reflecting everything back in a breathtaking beauty. Chicagoans affectionately call this sculpture "The Bean". They love it and the wonderful park and surrounding area, and so did I as I stood with my trusty camera and composed this shot. I hope you all like what you see here.
Thu's Commentary: The silver dome in the picture gives it a sense of mystery. Is it an alien spacecraft landing in the middle of a crowded pavilion?


Richard

Caption:

An observation platform crowded with people from all over the world is not the easiest place to set a tripod and long lens, but I had to do it today to capture the Yellowstone Lower Falls in all their silky glory.

I used a 1.8 ND neutral density filter to cut the bright daylight down to where I could do a 1.3 second exposure at f/18. An aperture that is pretty small and reduces the sharpness a little thanks to diffraction limiting but not enough to blur the people standing at the top of the falls (upper right corner).

It was very windy and I had to use image stabilization on my tripod to hold the lens still enough for the long exposure. This shot came out particularly well.

Again, an unedited photograph direct from the camera on 'Standard' settings. No cropping or any other editing.

Thu's Commentary: The long 1.3 second exposure setting resulted in the blurring of the waterfall. This creates a sense of might and power!


Richard

Caption: The extraordinary salt deposits at Mammoth Hot Springs, Yellowstone National Park. In the background you can see steam rising from hot pools of blue water. In the foreground, cooler pools of water on the reddish-brown steps. The strong sulphurous chemical scent that wafts over this view has to be smelled in person to truly appreciate the otherworldly view of this scene - like looking at another planet!
Thu's Commentary: Richard's picture shows the breathtaking view of the Mammoth Hot Springs. The salt deposit actually looks like flowing rapids!


Thu Win

Caption: The Miner's hound in Redruth, Cornwall. Notice the features of the dogs are actually boots.
Thu's Commentary: This unique sculpture of a "boot" dog can be found in the town center of Redruth. If you look closely, all the structures of the dog, including the mouth, are made up of individual boots!


Elina Zaproudi

Caption: Another shade of the sunset..
It was a very windy day. The sea was very rough and unsuitable for swimming. The light of this lovely sunset filtered through water waves!!!
I used aperture -0.3, W/B auto and ISO 800..
Thu's Commentary: The large aperture and fast shutter speed enable the camera to capture the individual droplets of the waves. The individual droplets of the waves smashing on the beach add to the glamor and glory of the image. The setting sun also contributes to the epicness of the image.

Conclusion: I love looking at all your beautiful photos. Choosing the best ones is quite hard. In the end, I managed to pick 5 pictures that I think are the pinnacle of photography. The composition of the images is simply stunning. I especially love the last image by Elina Zaproudi. The waves spraying onto a beach at sunset are simply stunning!

In addition, the mixture of black and white pictures goes to show that it doesn't require color to take a great photograph! Just plain black and white also works really well! Don't look at these photographs and say, I will never be as good as them, and just give up. I'm sure these photographers had made many mistakes and learned from them. If at first you don't succeed, never give up! You will get it one day. As Thomas Edison, a famous American inventor best known for inventing the lightbulb, once said, "Genius is one percent inspiration and 99 percent perspiration."

Note: This is the "final" version that I did on my blog before submitting the codes to the Show and tell team to post. You can view the Show & Tell version here

Opera freebie

In a recent competition run by Opera, I was lucky enough to be one of the 13 members to have correctly guessed the answer on time. As a result, I won some Opera freebies, including two smartphone cases, a bottle opener, and a personal note from someone with bad handwriting. Is that cecking or checking?

Anyways, this is one of the first prizes I have won. Thanks Opera!

Favorite Internet Explorer Accelerators

Updated links

I have been using Internet Explorer 9 for quite some time, and one of the features of Internet Explorer I like is the accelerators. Accelerators are not plugins, and you can add as many (or as few) as you like. Here I will list my top 5 plugins.

1. Define with Google Dictionary http://accelerators.tcgcomputers.com/

This accelerator allows you to select any term you want and then right-click the term to have it defined by Google Dictionary.

2. Define with Merriam Webster http://www.merriam-webster.com/downloads/ie8/ie8search.htm

Define with Merriam Webster is similar to Define with Google Dictionary, but it uses the Merriam Webster dictionary instead.

3. Open URL in New Tab http://accelerators.tcgcomputers.com/

Another great accelerator is "Open URL in New Tab." Ever encounter a RAW unlinked URL in a blog post or forum post? You would have to copy and paste the URL into the address bar and then surf to the page. This accelerator lets you skip the copy and paste step and enables you to go straight to the page in one click. Just select the link and hit "Open URL in New Tab."

4. Search YouTube http://www.iegallery.com/us/addons/detail.aspx?id=898

This plugin allows you to directly search YouTube by selecting the keyword you want to search and then clicking on "Search YouTube".

5. Translate with Bing
http://ie.microsoft.com/activities/en-en/default.aspx?c=Translate

Translate with Bing allows you to translate any foreign sentence by simply highlighting it and hovering over this accelerator. The translated text will appear in a small square next to the accelerator. On the page I linked, you have two "translate with" accelerators. Translate with Google won't display the translated text without switching the page, while Translate with Bing does.

Google Chrome is evil

A few minutes ago I read an article where the individual browsers are portrayed as wrestlers. In the picture, Google Chrome is described as innovative. How can it be called innovative when it doesn't even have a native RSS reader!

Also, Google Chrome messed up my internet browser settings after it set itself up as the default browser. I switched back to Internet Explorer but the "Internet key" on my keyboard is still defaulting to Google Chrome. I tried to uninstall Google Chrome and now the internet key no longer works! I tried to set Internet Explorer as default browser (but it already is) and even went to "default program" in control panel and re-set Internet Explorer 9 as the default. I even re-installed IntelliType but nothing will work. IntelliType keeps on telling me that the action cannot be performed. Eventually, I had to do a system restore to the time before I installed Google Chrome and the key starts working again. I will not be trying Chrome again!

Google Chrome doesn't offer that much of a performance difference from Internet Explorer 9. However, oddly enough, Google Chrome is the only browser (out of IE9 and Opera) that can properly parse the McDonald's McFlurry offer promotion claim link. The other browsers either redirect to the McDonald's website (IE9) or just show about:blank (Opera).

Bill Gates trapped in the Google Chrome old logo is taken from Beg to Differ's post Brand brief: Google begins to assimilate Microsoft – one interface at a time