Electronic Frontier Foundation staff technologist Peter Eckersley has a good, in-depth analysis of the revelation that Iranian hackers acquired fraudulent SSL certificates for Google, Yahoo, Mozilla and others by spoofing Comodo, a major Certificate Authority. CAs are companies that are allowed to sell cryptographically signed certificates that browsers use to verify their network connections. With these spoofed certs, the hackers could undetectably impersonate Yahoo and Google (allowing them to read mail even if it was being read over a secure connection), and the Mozilla certificate would allow them to slip malicious spyware onto the computer of anyone installing a Firefox plugin.
It appears that the fraud was detected before any harm could be done, but Eckersley explains how close we came to a global security meltdown, and starts thinking about how we can prepare for a more successful attack in the future.
Most Certificate Authorities do good work. Some make mistakes occasionally, but that is normal in computer security. The real problem is a structural one: there are 1,500 CA certificates controlled by around 650 organizations, and every time you connect to an HTTPS webserver, or exchange email (POP/IMAP/SMTP) encrypted by TLS, you implicitly trust all of those certificate authorities!
What we need is a robust way to cross-check the good work that CAs currently do, to provide defense in depth and ensure (1) that a private key-compromise failure at a major CA does not lead to an Internet-wide cryptography meltdown and (2) that our software does not need to trust all of the CAs, for everything, all of the time.
For the time being, we will make just one remark about this. Many people have been touting DNSSEC PKI as a solution to the problem. While DNSSEC could be an improvement, we do not believe it is the right solution to the TLS security problem. One reason is that the DNS hierarchy is not trustworthy. Countries like the UAE and Tunisia control certificate authorities, and have a history of compromising their citizens' computer security. But these countries also control top-level DNS domains, and could control the DNSSEC entries for those ccTLDs. And the emergence of DNS manipulation by the US government also raises many concerns about whether DNSSEC will be reliable in the future.
Cyrus Farivar sez, "Iranian-Canadian blogger Hossein Derakhshan was temporarily released from a Tehran prison, after having been incarcerated for 26 months, according to a report Thursday on Mashregh News, a conservative Iranian news website.
The site was among the first to report Derakhshan's conviction at the end of September on charges of 'conspiring with hostile governments, disseminating anti-Islamic propaganda, disseminating anti-revolutionary propaganda, blasphemy, and operating and managing obscene pornography websites.'
The account was confirmed by a source close to the Derakhshan family, who wished to remain anonymous and said Derakhshan was 'happy to be out,' adding 'we have been pushing for this for months, especially after his trial, but it has always been refused.'"
Following Iran's 2009 elections, thousands of people took to the streets in protest. An as-yet-unknown number of these protesters were arrested and taken off the grid, removed from the system, and many of them still cannot be found, despite continual inquiries from family, friends, and compatriots.
This is the subject of the current chapter of the webcomic Zahra's Paradise, titled Kahrizak. Kahrizak is the incarceration center where so many protesters disappeared to. It was eventually closed when it became public knowledge, and an embarrassment for the regime.
In this chapter of Zahra's Paradise, the narrator/blogger receives news: one of his friends who was missing, Ali, has been released and has returned home. Everyone rejoices, and they gather to celebrate.
But Ali does not want to celebrate; his experiences in prison have been traumatic. He does have a message for the blogger, though: his brother, Mehdi, was held with him in Kahrizak, where the government moved troublesome people it wanted out of the normal system, inaccessible to any pleas for help.
This chapter, Kahrizak, is a story about intimidation and rape and torture; it's a story about what people do when they're given power over others and no limits to restrain them. It's a story of systemic brutality that leaves everyone who goes through the prison system broken, sometimes for no more reason than the fact that they had an opinion, and spoke about it.
If you haven't been following the case of Hossein Derakhshan, here's all you really need to know: he's a blogger and a Canadian citizen who was arrested in Tehran in 2008 because of things he wrote. He was finally tried, and now he may be executed, and the Canadian government has done nothing to help him.
There are many more details, of course. Details of good things he's done, like when he taught thousands of Iranians how to blog in their own language, and when he traveled to Israel to show his readers that Israelis were not their enemies. And there are details of lousy things he's done, like when he decided to support Ahmadinejad and his nuclear arms program, and when he turned on peaceful friends and baited the media.
And there are details that muddy his case: he is also an Iranian citizen, and Iran doesn't recognize dual citizenship, and that makes it harder for Canada to do anything, and so they haven't tried.
But these details are irrelevant. "Hoder" is a Canadian citizen with the same rights as any other, and the fact that his country is sitting idle while he faces execution is a shame and an outrage.
If the Canadian Embassy is pressured to do something, they might, and that could well save Hossein's life. The Canadian Embassy in Iran can be contacted at firstname.lastname@example.org.
A group of Iranian activists abroad and in Iran have produced a professional translation of my novel Little Brother and have released it online with the hope that it will be of interest to Iran's online activists. I've written an introduction to the edition on online activism and dissidence. It was a volunteer-led project, but they paid the translator (whose identity is not publicly disclosed at this time), and are asking for donations to help defray the cost.
We are pleased to announce that the first version of the Persian edition of "Little Brother" by Cory Doctorow is available for download now.
The translation of the book is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 license. Little Brother (in English) can be downloaded for free from Cory's website.
Please send us your comments to email@example.com.
Gina from kick-ass comics publisher FirstSecond sez,
First Second Books is pleased to announce a new online serial project: Zahra's Paradise, a graphic novel about the social and political situation in today's Iran, will be serialized on line beginning 12:00 a.m., February 19, 2010 and be published in book form in 2011. In the beginning, the serialization will reflect events in Iran's recent past, but in the months to come, as current events unfold in Iran, they will be woven into the story.
Written by Amir, a human rights activist, and illustrated by Khalil, Zahra's Paradise tells the story of an Iranian blogger's search for his brother, Mehdi, a nineteen-year-old protester who has disappeared in Tehran after the June 2009 unrest. As the blogger and his mother, Zahra Alavi, begin their search for Mehdi, we are drawn into the underbelly of the Islamic Republic - an elaborate labyrinth in which countless dissidents have vanished over the past decades. Although the characters are fictional composites of actual people in Iran, the context and events are real. The project is a roman à clef of history as it happens.
Ethan Zuckerman writes, "Mowjcamp, the green movement's main citizen media site, was hacked by the 'Iranian Cyber Army' the same day they hit Twitter, in mid-December 2009. Twitter was back online within two hours. Mowjcamp - despite the intervention of AccessNow and others - is still offline six weeks later, caught in an apparent dispute between Yahoo and Moniker over control of the domain. I've posted about the situation today, looking at the process of Denial of Service via bureaucracy. Danny O'Brien at EFF will be writing on Deep Links about the situation later today. Would love some help shining the light on Yahoo in particular, a founding member of the GNI (group focused on freedom of expression online), which has been unresponsive and difficult throughout the process."
I've been in regular contact with the administrators of Mowjcamp as they've tried to regain control of their site. For six weeks, they've been getting the runaround from Yahoo! (where they'd originally registered the domain names) and Moniker (where the hackers moved control of the domain name). Yahoo has been informed that the site was illegally moved by hackers who managed to access a Yahoo Mail account and authorize a transfer to Moniker - they've told the site administrators that there's nothing they can do, and the problem's in Moniker's hands. Moniker, in turn, tells the administrators that they've responded to Yahoo, which will resolve their problem. In the meantime, the site continues to be inaccessible from the URLs by which it is most widely known. (Yes, I've contacted friends within Yahoo! So have many other well-connected friends, who've put pressure on Moniker as well. That I'm complaining in this blogpost shows just how successful we've been so far going directly to the companies involved.)
Update, Feb 3 2010: Ethan adds, "Mowjcamp.com is back up! Friends at EFF were able to broker a conversation between Yahoo, Moniker, Melbourne IT and Access Now. The situation is complicated, and I'm still trying to understand the details of the resolution, but it's fantastic news that the site is back up. Special thanks to friends at Yahoo! who ended up taking the brunt of the criticism for the downtime. That wasn't fair, and was in part my fault for not understanding everyone's role in the situation. Yahoo! worked extremely hard to resolve the situation after being called out and deserve special thanks for their hard work, as does everyone who took action to get this important site back online."
Yahoo!, Moniker: why is Mowjcamp.com still offline 6 weeks after hack attack?
Search Engine's Jesse Brown sez, "Canadian/Iranian blogger Hossein Derakhshan has been held and tortured in a Tehran prison for over a year, without being charged. Both the Canadian and Iranian governments seem content to let him stay there.
The media has also largely forgotten his case. Hoder's imprisonment begs the question: do we only fight for the freedom of dissidents whose beliefs we agree with?"