No reason why an ID card cannot be mighty hard to forge - I'm thinking: encrypt data on the card with some digital signature, the secret key stored in a central database, and one unique key per card. Easy to create, easy to revoke. Optionally add part of the information in unencrypted format too, for those situations where security is less strict.
No matter how you look at it 40,000 is still 40,000. That's a significant number of phones. The iPhone and Google's phones were hyped badly before launch; highly anticipated; no wonder they sold well.
It would be fairer to compare it to, say, a new Nokia or Sony Ericsson top-line model. I bet those companies would be quite happy to sell that number on the first day of sales. A not-hyped, "yet another" kind of phone: that's what this is, and that's what it should be compared to.
But of course Apple's iPhone is the de-facto reference smartphone these days. No matter what you do, release a smartphone and it'll be compared to the iPhone first.
From other posts it seems that most people are quite positive about the card as such, and that it even allows for anonymous transactions (how that matches an ID card I don't know - maybe that's explained elsewhere in this discussion; going to read it myself again later on). And European countries in general are way more protective of their citizens' privacy than the US is.
This security hole is a problem of the supporting software; how to get such software 100% secure I don't know. But not doing something as simple as checking that the SSL certificate is issued to whom it should be issued to is not exactly promising for the rest of this piece of software.
And indeed many people will try to hack it; I do think they should open source the whole thing. Give out the actual protocols for how the communication with this smart card is done. How the communication with the government works. Publish it all, including the full sources of all the software that works with these cards. Yes, it helps hackers, and that's a good thing - think of open-sourced OpenSSL. Then you could even have multiple competing software packages to deal with these cards, for various OSes, alternative platforms, etc. Though setting up something like an "app store" for vetted software would be a good idea in such a scenario.
Don't forget guns.
Any valid SSL certificate will do; it's not checked. That's the main problem.
You probably didn't/couldn't read the article (it's in German after all; not everyone can read that). I did; hereby a summary/translation of what's going on. Hoping I understand it all correctly, so other posters please correct me when I'm wrong!
It's got nothing to do with the ID card itself, or identification to the government with it.
Basically the vulnerability is in the update function of the AusweisApp software. It starts with hijacking the DNS query for the update server and redirecting the app to a (malicious) server which pretends to be the real deal. Then when the fake update server presents the software with a valid SSL certificate, AusweisApp accepts this without checking whether the certificate has been issued in the correct name (I hope I translate this well - anyway, the SSL certificate is not checked properly, the core of the vulnerability), and will happily download a .zip file which is supposed to be the update for itself. Updates are distributed as .zip files.
So this is vulnerability part 1: you can have it download the wrong file.
But now it's part 2: the software will unpack the zip file before asking for authorisation, and using relative path names for files in the zip archive, malicious software can be placed on the user's hard disk. This of course is also an issue; it should unpack the zip in one location and disregard path names, if any.
So there you have it: a glaring vulnerability that allows for remote installation of software.
The article notes they contacted the issuer of the software, who at first answered "we will look into this issue and, if there really is a vulnerability, issue an update"; later they pulled the current version of the app from their download site without giving further explanation on why it's not available anymore.
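The two checks the post above says the updater lacked, as an added example in Python (my code, not AusweisApp's and not from the article): a TLS client context with and without hostname verification, a simplified stand-in for the certificate-name comparison the app skipped, and a zip extractor that refuses entries whose path escapes the target directory, alongside a dry run of what a naive extractor would have written. The update host name, the certificate dicts and the archive contents are all constructed for the example.

```python
from __future__ import annotations

import io
import ssl
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

# Assumed name of the update server; illustrative only, not AusweisApp's real host.
UPDATE_HOST = "update.example.org"


def update_tls_context(check_hostname: bool = True) -> ssl.SSLContext:
    """Client context for fetching updates.

    check_hostname=False reproduces the weak behaviour the post describes: any
    CA-signed certificate is accepted, whoever it was issued to. With the default
    (True) the ssl module rejects a certificate whose names do not cover the host
    we connected to, so a hijacked DNS answer alone is no longer enough.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    if not check_hostname:
        ctx.check_hostname = False  # the bug: the certificate's name is never compared
    return ctx


def cert_names_host(cert: dict, host: str) -> bool:
    """Simplified form of the name check the updater skipped.

    `cert` uses the dict layout of SSLSocket.getpeercert(). Only DNS entries in
    subjectAltName count, and a wildcard may only replace the leftmost label.
    Production code should leave this to the TLS library (check_hostname=True).
    """
    host = host.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            p_labels, h_labels = pattern.split(".")[1:], host.split(".")
            if len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels:
                return True
    return False


def build_sample_update() -> bytes:
    """Constructed archive: one benign entry plus two classic escape attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AusweisApp/update.txt", "benign update payload\n")
        zf.writestr("../../evil.txt", "would land two directories up\n")
        zf.writestr("/tmp/evil_absolute.txt", "would land at an absolute path\n")
    return buf.getvalue()


def naive_targets(zip_bytes: bytes, dest: Path) -> list[Path]:
    """Paths an extractor that trusts member names verbatim would write to.

    Dry run: only computes the paths, so the escape is visible without planting files.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(dest / name).resolve() for name in zf.namelist()]


def safe_extract(zip_bytes: bytes, dest: Path) -> tuple[list[str], list[str]]:
    """Extract only members that stay inside `dest`; return (extracted, rejected).

    Rejects absolute names and '..' components up front, then re-checks the
    resolved target against `dest` (catches symlink tricks) before writing
    through a path built here rather than one copied from the archive.
    """
    dest = dest.resolve()
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = PurePosixPath(name).parts
            if name.startswith(("/", "\\")) or ".." in parts:
                rejected.append(name)
                continue
            target = (dest / Path(*parts)).resolve()
            if dest not in target.parents:
                rejected.append(name)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def demo() -> dict:
    """Run both checks on the constructed data and return the findings."""
    real_cert = {"subjectAltName": (("DNS", UPDATE_HOST),)}
    fake_cert = {"subjectAltName": (("DNS", "attacker.example.net"),)}
    archive = build_sample_update()
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "a" / "b" / "extract"
        dest.mkdir(parents=True)
        escapes = [p for p in naive_targets(archive, dest) if dest.resolve() not in p.parents]
        extracted, rejected = safe_extract(archive, dest)
    return {
        "real_cert_ok": cert_names_host(real_cert, UPDATE_HOST),  # True
        "fake_cert_ok": cert_names_host(fake_cert, UPDATE_HOST),  # False
        "hostname_checked": update_tls_context().check_hostname,  # True
        "naive_escapes": len(escapes),  # 2: the '..' entry and the absolute entry
        "extracted": extracted,  # ['AusweisApp/update.txt']
        "rejected": rejected,  # ['../../evil.txt', '/tmp/evil_absolute.txt']
    }
```

Calling `demo()` runs everything against a throwaway temporary directory; the naive dry run shows two of the three entries resolving outside it, while `safe_extract` writes only the benign file. Note that rejecting a bad entry is not enough on its own: the app also has to refuse to run anything from the archive until the user has authorised the update, which is the ordering problem the post describes.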
Reason to launch an attack like this (I get your idea; but no idea whether it really works like that) is that the ecosystem is smaller, just a few processors to care about. Now you're exploiting a specific bug: I wonder whether such bugs (if they are possible and exist) would last in between major revisions of Intel's or AMD's processor lines.
Regardless, it makes me wonder why you need to know the processor type in the first place. Isn't it possible to craft your software in a way that if the bug is hit the next code is run as assembly (a few bytes is enough to jump to where the real code is), but if the attack fails the program will continue to execute and just launch the next attack? Trial and error, basically... just try a bunch of attacks and see which works... and as soon as one works you're in and can forget about the rest of your original JavaScript program.
Personally I see Apple's strong point as the user interface, and the design of the cases they put their hardware in. Neither are important for servers.
A server has to sit in a corner, fit nicely so square (or for bigger setups: rackable) is preferred. Most of them don't have a monitor attached so a GUI is also unwanted.
Then what reason is there to pay an Apple price for a server?
Microsoft has a similar problem: their strong point is also the user interface, as that's what Windows is about after all. Windows is a desktop oriented OS, with server capabilities tacked on to it.
This depends apparently on your programming language. I know the .00000001 has to do with decimal to binary conversion which introduces this kind of errors. Anyway I just tried this in Python, and got a different result:
>>> 4195835*3145727/3145727
4195835L
>>> 4195835*3145727/3145727 == 4195835
True
>>> 4195835*3145727/3145727 == 4195835.00000001
False
>>>
Most older developments have phone poles. They're not ideal, but it's doable to run fiber along them, and less expensive than digging to boot.
Many places outside of the USA (like The Netherlands, which this story is about) keep all their cables underground, except high-voltage power lines. Actually all of Europe does this, except in the mountains where the ground is too rocky to dig. It costs more to set up, but it's much more reliable and there are no ugly poles all over the place.
I remember when cable TV came to my parents' home (roughly 25 years ago). Fantastic for me and my sister, more TV channels to watch! Anyway part of the installation was digging a trench to the house. I don't think they would ever use the existing pipes such as the sewage pipe.
It could be that this cable is in a tube by itself with room to get another cable through, I really wouldn't know.
Latency yes... that was (is?) an issue... I recall from 10, 15 years ago when ADSL was no more than about 1 Mbit, cable would blast it away at about 5 Mbit. Down that is; up has always been a fraction of that only.
As someone downloading stuff, I was happy about the speed compared to ADSL lines.
Gamers however complained cable is too slow - they care more about latency than raw throughput.
And indeed cable is a shared medium but I never really had a problem with that. May be luck.
It's not DSL, it's cable, so using coax cables instead of telephone lines. I don't know what that means for speed vs. distance though. For your information: "CAI" is Dutch for "central antenna installation". Those cables have been laid to deliver TV signals.
Secondly "laying FTTH" of course is nice, but it's also mighty expensive and disruptive to break open all the streets and dig trenches to everyone's home. These CAI cables are there already, so why not continue to use them? Just like what DSL is basically doing with telephone lines.
When building new homes nowadays they should of course put an optical fibre in the trenches that they dig already for telephone, cable TV, water pipes, power lines, etc. Then it's a relatively cheap upgrade. But for existing homes this is definitely the cheaper option.
Well it follows (part of) standard Windows troubleshooting and problem solving: 1) reboot computer. 2) reinstall problem application/component/driver. 3) reinstall Windows itself.
And this is not a joke - it is roughly how I was taught to do things when working for an ISP telephone help desk back when WinXP had just been released. First we had to advise a reboot; if that doesn't work (usually the customer had tried already), recreate the dial-in icon; if that didn't work: "well, you'd probably best just reinstall Windows, but I'm not allowed to advise that nor do we support this, so I'll put you through to the next-level help desk".
No, but that actually accentuates the problem with Linux not having any such options (unless you paid for your Red Hat or Canonical server, that is). Hell, the computer OEMs all have their own support as well.
Mandriva used to have a paid support option (used it once, many years ago). And that was a pay-per-ticket option; I didn't buy a boxed set (which at the time came with some support tickets included). I haven't needed it since, so can't say whether it's still available, but wouldn't know why not.
Your statement is true, but besides the point. And indeed part of the problem related to getting Linux on the desktop.
I'm using Linux in my office. Training for my staff was limited to "this is the web browser, that is the e-mailer, that is your word processor". She had never used Linux before.
A previous staff member didn't even realise she was not using Windows for about a month, after which I told her.
That's the current state of the Linux desktop. The second story is from some four years ago already. The average user is not going to install a different distro every month; they get the computer, work with what it comes with (does Windows come with much software in the first place? Or do they have to hunt it down still?), and do so for years to come.
The point is that Linux should go its own way, not try to be the same as Windows, but be something different - something better hopefully. Windows and Apple have long been nice role models, but Linux has grown up and it's time to move on - try new things, be different. Like OS-X is different from Windows. Like iOS and Android are totally different again.
Firefox has taken on Internet Explorer largely by being different, by offering things IE did not have. Of course they copied a lot from IE and other browsers, now IE is copying back from FF even. FF is quite successful I'd say. At the moment we have several browsers each with >10% market share and that's good. They are different, don't try to be the exact same, and that's how they now compete with each other. And the end result is better compatibility (HTML standards instead of IE quirks). The same is possible with OSes, but not if everyone tries to be "just like Windows".
Why do we have to worry so much about all Windows software running on Linux?
Windows software doesn't run on the average Mac either - and that hasn't stopped Apple from selling lots and lots of laptops. The US PC market share is over 10% already. For laptops I know it is higher, but can't get a current figure; in 2007 it was already over 17%. Not bad at all, and they still don't run Windows software.
So obviously running Windows software is not necessary any more. Just make sure you have your own set of software - and that it works well, that's more than good enough. Forget about Windows, just like Windows doesn't run Linux or OS-X applications.
It doesn't have to be Linux per se, but look at the alternatives:
OSX: pretty, works great, but even more closed than Windows. Available for Apple hardware only (legally).
Linux: flourishing community, a large field with many commercial players producing lots of different products (even if their distribution is distributed for free; Ubuntu too is in the business to make money, and as such Ubuntu Linux is a commercial product).
BSD: maybe not dying, but also not something with strong commercial backing. Could be a contender if only some commercial business would pick it up.
Solaris: great for servers, not so much for the desktop. I understand it's an excellent choice for large multi-processor systems, which not many people have on their desktop (yet). Doesn't seem to do well under Oracle's reign.
And that's about it in the desktop world. Yes lots and lots of other OSes, some under development others abandoned, but nothing with any serious traction that I can think of.
The same old story when it comes to drivers.
Linux: if your driver is not included/installed already, your device likely won't work. And nowadays most devices have drivers.
Windows: don't count on any drivers included, you'll have to hunt them down yourself (if not supplied with the device).
Indeed I've always wondered why my motherboards come with drivers... and also why I could not re-install a stock Win98 on a "Win98 certified" laptop (that was around 2002). It just wouldn't even install. Then I went back to Linux - and everything worked out of the box.
The iPad - OK not a desktop but for many buyers a laptop replacement, including doing general business tasks - seems to do quite OK by not looking or behaving like Windows at all.
Now that is exactly why there are these organisations called "app stores" for mobile devices and "repositories" for Linux distributions so you don't have to worry about compiling for your architecture, whatever that may be.
And besides, there are plenty of Android-based "iPads" available these days from China. Since days after the announcement of the iPad by Apple I've been getting those ads from Chinese manufacturers.
It seems the iPad itself is also doing quite well with an alternative OS on an alternative processor (and wasn't that one ARM based as well?).
Because we are comparing Windows to Linux:
- Provision of real, available, phone-based technical support
And who is to do this? Can you call Microsoft to get help with your problems without being the IT head of a big company with big contracts? I have never heard of anyone being able to do so. Support always comes from the community: friends, family, and even the shop they bought the computer from. But not from the maker.
- Real, complete documentation
Admittedly I have never really dived into Windows documentation, but the "trouble shooting" wizards have never been helpful for me.
And if you're thinking of documentation of applications... I bet it's as bad for Windows as it is for Linux as it's the developer (person or company) that has to make it!
winning lawsuit != (long term) profit.