Sunday, January 25, 2009

Dream machine: laptop with hypervisor?

Podcasts are an interesting way of staying up-to-date, especially when spending a lot of time in your car like I do. A podcast that I recently discovered is DABBC. DABBC focuses mainly on virtualization and tracks vendors such as Citrix, VMWare, Microsoft, Parallels and others.

Episode 67 of DABBC Radio is an interview with Ian Pratt, a Britt who co-founded XenSource (acquired by Citrix). Interesting to learn about paravirtualization, whereby the OS on top of the hypervisor is aware about the hypervisor underneath and the OS behaves somewhat differently as when it had full access to the hardware. I also learned that more and more vendors are shipping machines with virualization support in the hardware. E.g. HP and Dell seem to ship servers that contain Xen in the hardware.

Most customers I work for don't allow me to connect to their corporate network with my own laptop. They provide me with a laptop configured according to their corporate guidelines (typically XP). As a consequence, I'm always on the road with 2 or 3 laptops. Wouldn't it be great if they provided me with a machine image that I could run on top of the hypervisor of my own laptop?

Thursday, January 1, 2009

MD5 broken - Rogue CA certificate created

The ACM TechNews contained a pointer to an interesting article. The MD5 hash algorithm is broken. Based on this weakness, researches have succeeded in creating their own intermediary CA certificate. And this in turn allows them to sign whatever SSL certificate they want!

The presentation by the researchers is quite clear and very interesting. The researchers used 200 PS-3 game consoles, but Amazon EC2 could have been used just as well. They also leveraged some weaknesses in the CA they attacked (RapidSSL): use of MD5 (obviously), predication of serial number (sequential) and validity (fixed amount of time to generate cert).

Their conclusion:
  • No need to panic, the Internet is not completely broken
  • The affected CAs are switching to SHA-1
  • Making the theoretical possible is sometimes the only way you can affect change and secure the Internet
Anyway, it's getting time to move to something stronger than SHA-1 as well.