When I first started working for the Deputy CIO for Business Process & Systems Review, I was exposed to a data visualization called a “galaxy chart”. The version I saw was developed by Technomics, Inc., who (interestingly) do a lot of work for my former organization, PA&E (now CAPE).
While Technomics seemed to claim (when I met them) that they “invented” the galaxy chart, I think this is probably an overstatement, since there seems to be plenty of prior art.
tl;dr For years, I have wondered what would happen if you tricked OpenSSL into signing a server certificate with a non-CA cert. Unsurprisingly, nothing useful.
So, I’m a cheapskate and I buy the el-cheapo domain-control-validated SSL certificates for risacher.org for $17/year. That gets me a cert with alternative names “risacher.org” and “www.risacher.org”. I currently host risacher.org on Amazon’s EC2 service, but I also have a few apps that I host for myself on the server in my basement, connected via my residential internet service. Since the web apps on this server are not used by anyone but me, I’ve been content to use self-signed certificates for it.
But I’ve always wondered – what would happen if you tricked OpenSSL into thinking you are a Certificate Authority (CA), and signing a certificate for “basement.risacher.org” using the certificate for “risacher.org” as the CA cert? Could you act as your own CA “for free” to create unlimited subdomain certificates?
This should not work. The server certificate includes a constraint that says it is not a CA certificate. It basically shouldn’t even be possible, but math is math, and the signing operations are the same for a CA certificate as they are for any other certificate. If you have the public & private keys, the rest is just formatting & metadata, right?
Long story short, I finally tried this yesterday. I created a certificate signing request for the server in my basement, and I signed it with the $17 server cert that I got from “PositiveSSL”, which chains up to “USERTrust”. It took some minor trickery to get OpenSSL to do this, but it wasn’t particularly difficult. Once installed, both Firefox and Internet Explorer reject the certificate as invalid, and provide no option to accept the risk and use it anyway. Internet Explorer simply reports “There is a problem with this website’s security certificate.” Firefox gives slightly more information in that it names the error “sec_error_inadequate_key_usage”, an error message I don’t think I’ve ever seen before.
Interestingly, I also tried to access it with Mobile Safari, which reported an invalid certificate but did allow me to accept the risk.
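The experiment above, reproduced with Go's standard crypto/x509 package as an added example (not code from the original post, and with constructed keys and names; `lab-root.example` stands in for the real issuing CA). A lab root issues a CA:FALSE server cert, that server cert signs a “basement” cert, and the result is exactly what the browsers reported: the signature itself verifies against the server key, but chain validation refuses to treat a non-CA certificate as an issuer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// template builds a minimal certificate template; it is a CA only if ku includes keyCertSign.
func template(cn string, ku x509.KeyUsage, serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0, KeyUsage: ku}
}

// issue generates a P-256 key for tmpl and signs the certificate with parentKey (self-signed
// when parent is nil). Nothing here asks whether the parent is a CA: the signing math is the same.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Experiment builds: constructed lab root -> CA:FALSE server cert -> "basement" cert signed by that
// server cert. Returns whether the basement cert's raw signature checks out, its path-validation
// error (expected non-nil), and the error for a control cert issued directly by the root (expected nil).
func Experiment() (sigValid bool, basementErr, controlErr error) {
	root, rootKey := issue(template("lab-root.example", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, 1), nil, nil)
	server, serverKey := issue(template("risacher.org", x509.KeyUsageDigitalSignature, 2), root, rootKey)
	basement, _ := issue(template("basement.risacher.org", x509.KeyUsageDigitalSignature, 3), server, serverKey)
	control, _ := issue(template("control.risacher.org", x509.KeyUsageDigitalSignature, 4), root, rootKey)
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(server)
	// The signature itself is fine: the server certificate's key really did sign the basement cert.
	sigValid = server.CheckSignature(basement.SignatureAlgorithm, basement.RawTBSCertificate, basement.Signature) == nil
	// Path validation additionally requires every issuer to be a CA permitted to sign, so this fails.
	_, basementErr = basement.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	_, controlErr = control.Verify(x509.VerifyOptions{Roots: roots})
	return
}
```

The control chain shows the rejection is specific to the non-CA issuer rather than to anything else about the lab setup.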
It was early in the morning around Thursday, when my family let me off-leash to go cruise the playa to see the art. I was way out in the deep playa, almost at the 12:00 apex of the trash fence, almost as far out as it is possible to be. I rode my bike up to a cabinet standing alone by itself in the desert. The sun was just over the hills to the east. There was a man and woman about 50 meters away, on a blanket watching the sunrise, but otherwise, I was alone.
The cabinet was a slightly battered-looking piece of furniture, like you would find in a bedroom at a beach rental. There were some drawers on the left, and two swinging doors, top and bottom. The drawers were screwed shut. The bottom door was secured with some heavy steel rings, locked with a bicycle lock, the kind that you dial in a combination of four letters and it releases. As I parked my bicycle and walked up to the cabinet, I could hear a woman’s voice from within, telling a story. Here is what I heard, retold as best I can remember 6 weeks later…
My work computer (Windows 7 Enterprise) informed me today with a sad red “x” icon that:
Provider could not perform the action since the context was acquired as silent.
This is now my favorite error message; just barely edging out the message from 2003-era Windows ME which informed my girlfriend that she should contact her system administrator.
This article is also posted to my Intelink blog.
Every so often, a government project manager asks me a question like this:
I’m looking to hire some government guys and I’m interested in young folks hacking on [my project].
So, here’s my predicament: if they work on the code, their work becomes ‘public domain’ and not something that could be restricted by licenses (at least according to some legal advice I’ve been given). If the work is in the public domain, I have no way of ensuring that someone won’t take the code and sell it back to the government as their own (because they could modify it and put a proprietary seal on it).
Here’s my question: are there some legal structures that can be put in place to restrict modification, use and distribution like typical software licenses for government-created works?
Here are some ways this has been done before.
The Joint Staff shall not operate or be organized as an overall Armed Forces General Staff and shall have no executive authority. - 10 U.S. Code § 155(e)