La Fonera

FON Social Router Engineering sample

Originally uploaded by tenz1225.

The first Fon Wifi Router is out, La Fonera. Specs:

– Wifi chipset Atheros 2315 (the dual-SSID feature is very interesting: one SSID for the private WLAN, the other for public FONeros).
– Linux 2.4 (good news for all the OpenWRT hackers out there) with 4M Flash, 16M SDRAM.
– 1 RJ45 WAN port (goodbye 4-port LAN mini-switch Linksys WRT54G style).

Check out the video. Must get one of these soon. Let’s see if I can install the Freifunk Firmware with the supreme mesh OLSR daemon.

Pros & Pros

Couldn't they find anyone better than Mário Soares to debate with Pacheco Pereira? So many people in this country defend dialogue with the "Arab street"… A sad figure. Any minute now he will be saying that one of the causes of terrorism is poverty. Just ask the Africans. Right.

Internet killed the video star, part II

Amazon Unbox. Windows only. Boo.

In an attempt to avoid being an also-ran to Apple’s expected iTunes movie announcement next week, Amazon has launched its video download service, Unbox. Movies — 1355 of them, it seems — are available from Warner Bros., NBC Universal, 20th Century Fox, Paramount, Sony Pictures Home Entertainment, and others. According to the AP story, movies cost $7.99 to $14.99 to buy and $3.99 to rent, but we’re seeing a range all the way from $2.99 to $19.59 for downloads. Television shows are available as well, for $1.99 per episode (with your first TV show free right now). The service requires a piece of software and will only work on Windows. Portability is limited to players using Windows Media Player and DVDs played only on the computer that originally received the movie download, as reported previously. Top that, Apple! [Updates to follow.]

Via GigaOm.

OpenSSL Hell

From Netcraft, OpenSSL Vulnerable to Forged Signatures:

Security researchers have demonstrated a way to forge digital signatures that can fool the OpenSSL software used in many secure web servers and virtual private networks (VPN). The OpenSSL Project has issued patches to address the weakness, and is urging users to upgrade or install the patches.

The signature forgery technique was first demonstrated by Daniel Bleichenbacher, a cryptographer at Bell Labs, at the CRYPTO 2006 conference last month. While the forgery only works on specific keys (known as PKCS #1 v1.5), these keys are used by some certificate authorities in SSL server certificates.

“All software that uses OpenSSL to verify X.509 certificates is potentially vulnerable, as well as any other use of PKCS #1 v1.5,” OpenSSL said in its advisory. “This includes software that uses OpenSSL for SSL or TLS.” OpenSSL versions up to 0.9.7j and 0.9.8b are affected.

Well, long live yum & apt-get.

Update: important quote from the original post:

Implementors should review their RSA signature verification carefully to make sure that they are not being sloppy here. Remember the maxim that in cryptography, verification checks should err on the side of thoroughness. This is no place for laxity or permissiveness.

Daniel also recommends that people stop using RSA keys with exponents of 3. Even if your own implementation is not vulnerable to this attack, there’s no telling what the other guy’s code may do. And he is the one relying on your signature.

So, we cannot say for sure that other PKI/RSA implementations are not vulnerable. Think NSS/Mozilla.
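To make the "err on the side of thoroughness" point concrete, here is an added example (my own, not code from the post, Netcraft or OpenSSL) contrasting a permissive PKCS #1 v1.5 decoder with a strict one that rebuilds the whole expected encoded message and compares every byte. The message and the padding-shaped block are constructed for the demo, and the RSA exponentiation that would normally produce the block from a signature is left out.

```python
import hashlib
import hmac

# DER prefix of the SHA-256 DigestInfo from PKCS #1 v1.5 (RFC 3447, section 9.2).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def pkcs1_v15_encode(message: bytes, k: int) -> bytes:
    """Build EM = 0x00 || 0x01 || PS || 0x00 || T for a k-byte modulus (RFC 3447 9.2)."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too short for this hash")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def verify_em_strict(em: bytes, message: bytes, k: int) -> bool:
    """Thorough check: rebuild the entire expected EM and compare all k bytes."""
    if len(em) != k:
        return False
    return hmac.compare_digest(em, pkcs1_v15_encode(message, k))


def verify_em_sloppy(em: bytes, message: bytes) -> bool:
    """Permissive parser of the kind the advisory warns about: it walks to the
    0x00 separator, reads a DigestInfo and ignores whatever bytes follow it."""
    if em[:2] != b"\x00\x01":
        return False
    sep = em.find(b"\x00", 2)
    if sep == -1 or any(b != 0xFF for b in em[2:sep]):
        return False
    body = em[sep + 1:]
    if not body.startswith(SHA256_DIGESTINFO_PREFIX):
        return False
    start = len(SHA256_DIGESTINFO_PREFIX)
    digest = body[start:start + 32]
    return digest == hashlib.sha256(message).digest()  # trailing bytes never checked


def demo(k: int = 256) -> dict:
    """Run both verifiers on a correct EM and on a constructed block with the
    shape the post describes: minimal padding, the right DigestInfo, then junk."""
    msg = b"constructed sample message"
    good = pkcs1_v15_encode(msg, k)
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(msg).digest()
    bad = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    bad += b"\xaa" * (k - len(bad))  # constructed filler standing in for attacker-chosen bytes
    return {
        "strict_good": verify_em_strict(good, msg, k),
        "sloppy_good": verify_em_sloppy(good, msg),
        "strict_bad": verify_em_strict(bad, msg, k),
        "sloppy_bad": verify_em_sloppy(bad, msg),
    }
```

Only the strict verifier rejects the padded-then-junk block; the permissive one accepts it because it never checks that the DigestInfo is the last thing in the block.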