Yesterday, I read a news about the green party's proposals for a copyright reform (strictly speaking, there's no copyright in Germany, it's called "Urheberrecht", but I'll stick with the term copyright, because it's commonly understood). One point was that they claimed they don't see any perspectives for a so-called cultural flatrate due to EU law. The basic idea of a cultural flatrate is that it would legalize private filesharing while putting a fee on internet access.

My point is more the reasoning than the issue itself. Because that's a repeating pattern. Whenever someone makes a proposal to change something relevant in copyright or patent law, this is pretty much always the conclusion: It's not possible due to one or another international law or treaty. The discussion ends before anyone can make any real argument why some copyright change might be a good idea or not.

The EU directive that, according to the green party, forbids a cultural flatrate is the EU Copyright Directive from 2001. This directive is itself an implementaiton of the WIPO Copyright Treaty from 1996.

Other treaties that are often relevant are the Berne Convention and the TRIPS Agreement of the WTO from 1994.

What all of those treaties have in common and what I find - in its combination - very troubling:

• They've been created at a time where many people affected by it today weren't allowed to vote or even weren't born.
• They were created in a time where the Internet as we know it today and the issues related to it simply didn't exist.
• It's hard to impossible to change those treaties.
• There has never been a wide public discussion about any of those treaties, the terms TRIPS, Berne Convention or WIPO copyright treaty are mostly unknown to the general public.

To put it simply: There's something terribly wrong. In so many ways. As I already said above, this is not about the question whether the cultural flatrate is a good idea. It's about the fact that it's almost impossible to make any proposal for a change in the way copyright works. That can't be good, no matter how you feel about copyright issues in general.

Yesterday, we had a meeting at CAcert Berlin where I had a little talk about how to almost-perfectly configure your HTTPS server. Motivation for that was the very nice Qualys SSL Server test, which can remote-check your SSL configuration and tell you a bunch of things about it.

While playing with that, I created a test setup which passes with 100 points in the Qualys test. However, you will hardly be able to access that page, which is mainly due to it's exclusive support for TLS 1.2. All major browsers fail. Someone from the audience told me that the iPhone browser was successfully able to access the page. To safe the reputation of free software, someone else found out that the Midori browser is also capable of accessing it. I've described what I did there on the page itself and you may also read it here via http.

Here are my slides "SSL, X.509, HTTPS - How to configure your HTTPS server" as ODP, as PDF and on Slideshare.

And some links mentioned in the slides:
Check SSL and SSH weak keys due to broken random numbers
EFF SSL Observatory
Sovereign Keys proect

Some great talks on the mentioned topics by others:
Facthacks Talk 29c3
MD5 considered harmful today - Creating a rogue CA Certificate
Is the SSLiverse a safe place?

Update: As people seem to find these browser issue interesting: It's been pointed out that the iPad Browser also works. Opera with TLS 1.2 enabled seems to work for some people, but not for me (maybe Windows-only). luakit and epiphany also work, but they don't check certificates at all, so that kind of doesn't count.

Just recently, Microsoft research has made some progress in developing a device to do live translations from English into Mandarin. I'd like to share some thoughts with you about that.

If you read my blog on a regular basis, you will know that I traveled through Russia, Mongolia and China last year. If there's one big thing I learned on this trip, it's this: English language is - on a worldwide scale - much less prevalent than I thought. Call me a fool, but I just wasn't aware of that. I thought, okay, maybe many people won't understand English, but at least I'll always be able to find someone nearby who's able to translate. That just wasn't the case. I spent days in cities where I met nobody that shared any language knowledge with me.

I'm pretty sure that translation technologies will become really important in the not-so-distant future. For many people, they already are. I've learned about the opinions of swedish initiatives without any knowledge of swedish just by using Google translate. Google Chrome and the free variant Chromium show directly the option to send something through Google translate if it detects that it's not in your language (although that wasn't working with Mongolian when I was there last year). I was in hotels where the staff pointed me to their PC with an instance of Yandex translate or Baidu translate where I should type in my questions in English (Yandex is something like the russian Google, Baidu is something like the chinese Google). Despite all the shortcomings of today's translation services, people use them to circumvent language barriers.

Young people in those countries are often learning English today, but it's a matter of fact that this will only very slowly translate into a real change. Lots of barriers exist. Many countries have their own language and another language that's used as the "international communication language" that's not English. For example, you'll probably get along pretty well in most post-soviet countries with Russian, no matter if the countries have their own native language or not. This also happens in single countries with more than one language. People have their native language and learn the countries language as their first foreign language.
Some people think their language is especially important and this stops the adoption of English (France is especially known for that). Some people have the strange idea that supporting English language knowledge is equivalent to supporting US politics and therefore oppose it.

Yes, one can try to learn more languages (I'm trying it with Mandarin myself and if I'll ever feel I can try a fourth language it'll probably be Russian), but if you look on the world scale, it's a loosing battle. To get along worldwide, you'd probably have to learn at least five languages. If you are fluent in English, Mandarin, Russian, Arabic and Spanish, you're probably quite good, but I doubt there are many people on this planet able to do that. If you're one of them, you have my deepest respect (please leave a comment if you are).

If you'd pick two completely random people of the world population, it's quite likely that they don't share a common language.

I see no reason in principle why technology can't solve that. We're probably far away from a StarTrek-alike universal translator and sadly evolution hasn't brought us the Babelfish yet, but I'm pretty confident that we will see rapid improvements in this area and that will change a lot. This may sound somewhat pathetic, but I think this could be a crucial issue in fixing some of the big problems of our world - hate, racism, war. It's just plain simple: If you have friends in China, you're less likely to think that "the chinese people are bad" (I'm using this example because I feel this thought is especially prevalent amongst the left-alternative people who would never admit any racist thoughts - but that's probably a topic for a blog entry on its own). If you have friends in Iran, you're less likely to support your country fighting a war against Iran. But having friends requires being able to communicate with them. Being able to have friends without the necessity of a common language is a fascinating thought to me.

Several years ago I bought a kind of very simple wardrobe from IKEA. It's called Bardu and is made out of steel rods and a plastic covering. It stands on wheels.

There are small plastic piece that connects the plastic rods with the wheels. And one of them broke a while back. I went to IKEA and asked for a replacement part. They told me that they don't ship parts for such old items - but they have an offering quite similar to the Bardu that I could buy. Sadly, the design has changed and the wheels are directly connected, so no compatible replacement part. The E-Mail service from IKEA told me the same: No replacement parts for old products.

At this point I could've complained about the fact that we live in a crazy world where someone suggests to you buying a new piece of furniture because a small plastic part of the old one is broken.

I posted a message in the RepRap-forum asking for help. If you don't know the RepRap: It's a 3D-printer, creating objects based on computer models out of simple plastic. The RepRap is an Open Source project built partly out of parts printed on other 3D printers. The idea is: Everyone can (with enough time and passion) built his own RepRap, all the documentation is available online.

I quickly got a response from someone from France who was willing to give it a try and re-create the needed plastic part on his 3D printer. Some message exchange later I sent him the broken and a non-broken part. Today, I got my RepRap-printed replacement part. It fits in perfectly. I'm seriously impressed.

Object on Thingiverse

Update (2012/12/11): I don't want to hide the fact that the whole issue turned out to be much trickier than thought. The original piece broke after a while. DeuxVis was so nice to experiment with likely more stable designs and sent me some more printed parts, but the first one already broke again. You can read the details in the RepRap-forum.

Ich spiele ja gelegentlich gerne ein gutes Videospiel. Und seit ungefähr 20 Jahren gerne jedes Spiel der Super Mario-Serie. Shigeru Miyamoto hat im vergangenen Jahr das neueste Werk fertiggestellt - Super Mario 3D Land. Die Videos, die ich gesehen hatte, sahen sehr vielversprechend aus.

Das Problem: Das Spiel ist für den Nintendo 3DS - und ich besitze keinen. Es ist nicht so, dass ich es mir nicht leisten könnte, mir so ein Gerät zu kaufen. Aber es erschien mir doch reichlich übertrieben - mit großer Warscheinlichkeit würde ich auf absehbare Zeit nur dieses eine Spiel spielen wollen. Wenn ich ein Spiel dann durchgespielt hab, ist mein Interesse, es nochmal zu spielen, in der Regel auch eher gering. Da der Nintendo 3DS noch relativ neu ist, ist auch ein gebrauchtes Gerät vergleichsweise teuer (etwas günstiger wird es auf ebay übrigens wenn man eins in Pink nimmt). Das hieße also eher abwarten, bis die Gebrauchtpreise in einigen Jahren günstig werden. Und überhaupt: Mein Interesse, die Menge an Zeug das in meiner Wohnung liegt und ich selten bis nie brauche, zu erhöhen, ist auch eher gering. Von jemand in meinem Bekanntenkreis, der einen 3DS hat, weiß ich gerade auch nicht.

Aber das große Internet ist so toll und hat eine Lösung für mich parat: Leihplattformen schießen gerade aus dem Boden - man nutzt Dinge gemeinsam und findet über das Internet Menschen, die gegen eine geringe Gebühr etwas ausleihen wollen. Bei leihdirwas.de habe ich mir - für einen sehr fairen Preis - einen 3DS mit Super Mario 3D Land geliehen. In meinem Fall quasi die perfekte Lösung.

I've promised that I'll dig into some old file formats and check how well they can be accessed on today's systems with free software.

Today, I'll start with audio formats. To begin, in general there are two kinds of audio formats. Streamed audio formats start with a more or less raw audio stream, apply some encoding and sometimes (lossless or lossy) compression. There are also tracker audio formats. They have internal information on tone pitches and instruments. Most really old computer audio files are tracker formats (like the popular C64 SID format). This blog post will be about streamed audio formats and I'll save the tracked ones for a later one.

The file formats I've chosen are more or less random, the main criteria being that I once stepped over them and still remember that. There's a hughe collection of all kinds of media file samples on the mplayer server.

The single most important project regarding exotic audio or video formats is ffmpeg, a library that does despite its name much more than decoding mpeg. All major free software media players use ffmpeg.

The file formats I've investigated:

• Some of the very first files distributing music through the Internet I remember were real audio files (extension .ra or .rm) from the german punk band WIZO. Real audio has a whole bunch of variants, scanning through some of my old backups, most of them used either AC-3 or Real Audio 2.0 as their codec. Thanks to Waybach Machine, you can still find the WIZO downloads (Raum der Zeit - Techno is AC-3, the others are RealAudio 2.0).
• vqf (or TwinVQ) was once announced having better quality than MP3 and was discussed as its successor. However, it seems it is almost completely distinct today, I didn't find anything at all (except in the above mentioned sample collection) in vqf format for download.
• Monkey's audio, extension .ape, is a lossless audio codec, which is itself licensed under some kind of noncommercial-use-only license that doesn't qualify as free software. It's not really old, as it's still being developed, but I added it as another example of an uncommon format.
• Shorten (extension shn) is an old lossless audio format, which was often used by the etree project that collects recordings of concerts. Today, it is mostly deprecated by flac, but the old recordings are still available.
• voc: The popular dos floppy copying program vgacopy had sound before I had a soundcard - it used the pc speaker to play .voc files it had shipped. It's a format used by some Creative software for their SoundBlaster. It's a more-or-less raw audio format like wav.

ffmpeg is able to decode and play all of these audio codecs. But what I found out was that this doesn't necessarily mean every application using ffmpeg can do this as well. I've tested mplayer, xine, vlc, audacious and totem (based on gstreamer). Although there are quite many free software media players - both for audio and video - out there, this should cover pretty much everything. Most media players use xine, vlc or gstreamer indirectly.

	mplayer	xine	vlc	audacious	totem/gstreamer
ra AC3	Yes	No Yes	Yes	Yes	No
ra 2.0	Yes	No	No	Yes	No
vqf	Yes	No	Yes	Yes	No
ape	Yes	No	No	Yes	Yes
shn	Yes	Yes	No	Yes	Yes
voc	Yes	Scratchy	Scratchy	No	No

Shorten playback has some problems, seeking often does not work, but this seems to be a limitation of the format itself. If I found feature requests for those formats, I've linked them, I also opened a bunch of them myself.

Conclusion: ffmpeg does a really fine job in playing all the obscure audio streaming formats. However, not every player that's based on ffmpeg plays every format ffmpeg can play. mplayer is the only player that succeeds with everything, probably because mplayer's devleopment is very tightly related to ffmpeg's development.

Update: I forgot to mention libav. It is a fork of ffmpeg. However, there's not that much to say, as ffmpeg and libav are still quite similar in their codec support. audacious does not support libav yet, all other apps just produce the same result.

I recently had a discussion about the accessibility of today's computer content in the future. We started asking ourselves how well the support in current software is to read and use old legacy data formats - graphics, videos, text, layout documents, whatever may still be interesting today.

I remembered having such a discussion some years ago and back then, Works documents were mentioned by someone as a somewhat difficult format. Back then, libwps existed with some command line tools to convert to staroffice format (which could then be opened by openoffice) and experimental patches existed for openoffice itself. Seems at least here the situation has improved. The current version of libreoffice reads Works documents out of the box.

Free software projects play an important role in keeping old data accessible. Just to name two, ffmpeg does a great job in supporting a large number of old and exotic video formats. It's used by a bunch of popular video players like mplayer and vlc. For graphics files, there is imagemagick, which provides a conversion tool to up-to-date formats like PNG.

In some upcoming blog entries, I'll try to explore things, will look for old files and see if I am able to use them.

A call to my readers: Do you have any old stuff laying around that you'd find interesting to access today? Which file formats are difficult to access? Are you searching for tools to open / convert them? Do you have something old that might be worth publishing to others as well? Send me your stuff, I'm very interested.

In Braunschweig hat sich die Piratenpartei darüber beschwert, dass die Internetzugänge der Ratsfraktion in Braunschweig überwacht werden. So wird etwa jede aufgerufene Webadresse gespeichert.

CDU-Oberbürgermeister und Ex-NPD-Mitglied Gert Hoffmann hat dazu folgendes mitzuteilen:


Und nein, das ist keine Satire, sondern steht tatsächlich genau so in der Pressemitteilung der Stadt.

Two days ago, the german Chaos Computer Club (CCC) published a sample that's supposedly a variant of a german state spy software (the so-called "Bundestrojaner").

You might wonder if your anti virus software is protecting you. The webpage Virus Total lets you upload suspicious files, scans them with 43 different anti virus applications and presents you the result. Currently, 24 of 43 scanners detect the Bundestrojaner.

The CCC provides some further information where they state that the file they released is not the original one - they had several samples that differed and to avoid detection of the potential source, they changed the differing parts to something completely else. You might wonder if your anti virus app also detects the "original" Bundestrojaner and not just the modified file the CCC released.

We can easily check this if we change the modified pieces again to something else. A modified variant lowered the detection rate to 14 of 43 - amongst them the popular McAffee software. Now, it's pretty useless to only detect the exact published sample of a malware if we know that the original malware is different.

Application	Version	Sig date	Modified sample	Original CCC sample
AhnLab-V3	2011.10.08.01	2011-Okt-09	Trojan/Win32.R2d2	Trojan/Win32.R2d2
AntiVir	7.11.15.175	2011-Okt-09	TR/GruenFink.1	TR/GruenFink.1
Antiy-AVL	2.0.3.7	2011-Okt-09	-	-
Avast	6.0.1289.0	2011-Okt-09	Win32:Trojan-gen	Win32:Trojan-gen
AVG	10.0.0.1190	2011-Okt-07	-	-
BitDefender	7.2	2011-Okt-10	Backdoor.R2D2.A	Backdoor.R2D2.A
ByteHero	1.0.0.1	2011-Sep-23	-	-
CAT-QuickHeal	11.00	2011-Okt-07	-	-
ClamAV	0.97.0.0	2011-Okt-10	Trojan.BTroj-1	Trojan.BTroj-1
Commtouch	5.3.2.6	2011-Okt-10	-	W32/R2D2.A
Comodo	10407	2011-Okt-10	-	Backdoor.Win32.R2D2.A
DrWeb	5.0.2.03300	2011-Okt-10	-	-
Emsisoft	5.1.0.11	2011-Okt-10	Trojan.Win32.Bundestrojaner!A2	Backdoor.Win32.R2D2!IK
eSafe	7.0.17.0	2011-Okt-06	-	-
eTrust-Vet	36.1.8605	2011-Okt-07	-	-
F-Prot	4.6.2.117	2011-Okt-09	-	W32/R2D2.A
F-Secure	9.0.16440.0	2011-Okt-10	Backdoor:W32/R2D2.A	Backdoor:W32/R2D2.A
Fortinet	4.3.370.0	2011-Okt-10	-	W32/R2D2.A!tr.bdr
GData	22	2011-Okt-10	Backdoor.R2D2.A	Backdoor.R2D2.A
Ikarus	T3.1.1.107.0	2011-Okt-10	-	Backdoor.Win32.R2D2
Jiangmin	13.0.900	2011-Okt-09	-	-
K7AntiVirus	91155258	2011-Okt-08	-	-
Kaspersky	9.0.0.837	2011-Okt-09	Backdoor.Win32.R2D2.a	Backdoor.Win32.R2D2.a
McAfee	5.400.0.1158	2011-Okt-10	-	Artemis!930712416770
McAfee-GW-Edition	2010.1D	2011-Okt-09	-	Artemis!930712416770
Microsoft	17702	2011-Okt-10	Backdoor:Win32/R2d2.A	Backdoor:Win32/R2d2.A
NOD32	6529	2011-Okt-10	Win32/R2D2.A	Win32/R2D2.A
Norman	6.7.2011	2011-Okt-09	-	-
nProtect	2011-10-10.01	2011-Okt-10	-	-
Panda	10.0.3.5	2011-Okt-09	-	Suspiciousfile
PCTools	8.0.0.5	2011-Okt-10	Backdoor.R2D2	Backdoor.R2D2
Prevx	3.0	2011-Okt-10	-	-
Rising	23.78.06.02	2011-Okt-09	-	-
Sophos	4.70.0	2011-Okt-10	Troj/BckR2D2-A	Troj/BckR2D2-A
SUPERAntiSpyware	4.40.0.1006	2011-Okt-08	-	-
Symantec	20111.2.0.82	2011-Okt-10	Backdoor.R2D2	Backdoor.R2D2
TheHacker	6.7.0.1.318	2011-Okt-09	-	-
TrendMicro	9.500.0.1008	2011-Okt-09	-	-
TrendMicro-HouseCall	9.500.0.1008	2011-Okt-10	-	BKDR_R2D2.A
VBA32	3.12.16.4	2011-Okt-07	-	-
VIPRE	10718	2011-Okt-10	-	Trojan.Win32.Generic!BT
ViRobot	2011.10.10.4710	2011-Okt-10	-	-
VirusBuster	14.1.3.0	2011-Okt-09	-	-

Scans done Monday morning around 8:00.

Michael S. Hart, the founder of Project Gutenberg, died some days ago.

Project Gutenberg, if you don't know, is a webpage collecting electronic books online. It was founded in 1971 (yes, long before the Internet as we know it today existed), when Hart typed the Declaration of Independency on a Xerox mainframe. Hart can be seen as the inventor of electronic books - 40 years ago.

We're still waiting for ebooks to get into mainstream. Currently, ebook reading devices are available, but their usage is not widespread yet. But I'm almost certain that ebooks will become very important within the next years. Hart had that opinion 40 years ago.

Today, Project Gutenberg has about 36.000 books. Most of them are public domain, because their copyright expired. There are other similar projects today: Wikisource is a sister project of Wikipedia and archive.org has a lot of scanned books, including most of the public domain books digitalized by Google.

Some mission statements for Project Gutenberg from Michael S. Hart (taken from Wikipedia) I find that sum up things very well:
"Encourage the Creation and Distribution of eBooks"
"Help Break Down the Bars of Ignorance and Illiteracy"
"Give As Many eBooks to As Many People As Possible"

Morgen findet die inzwischen schon traditionell zu nennende jährliche Demonstration „Freiheit statt Angst“ in Berlin statt. Seit 2007 gehen jährlich tausende Menschen unter diesem Motto für Datenschutz und digitale Bürgerrechte auf die Straße. Los geht es um 13:00 Uhr am Pariser Platz (Brandenburger Tor).

Angesichts der aktuellen Auseinandersetzungen – im Moment ist ja wieder die Vorratsdatenspeicherung ganz hoch im Kurs – möchte ich hier die Gelegenheit nutzen, zur Teilnahme aufzurufen.

Und für alle, denen Berlin zu weit ist, sei hier auch nochmals darauf verwiesen, dass zur Zeit eine Petition gegen die Wiedereinführung der Vorratsdatenspeicherung beim Bundestag läuft – die bislang leider mit etwa 20.000 Unterstützern noch nicht so gut läuft wie sie sollte. Aber es gibt auch gute Nachrichten: Einer Umfrage zu Folge spricht sich die Mehrheit der Bundesbürger gegen eine anlasslose Speicherung von Kommunikationsdaten aus.

Einen Kritikpunkt möchte ich hier aber noch loswerden. Im vergangenen Jahr wurde die Demonstration von übermäßig vielen 9/11-Verschwörungstheoretikern heimgesucht – das ging so weit, dass ein englischsprachiger Artikel die Situation so darstellte, als sei es insgesamt eine Protestaktion von Verschwörungstheoretikern gewesen (was Unfug ist, es war eine Handvoll unter Tausenden). Einen ähnlich gelagerten Fall gab es bereits 2008 in Köln, als eine Datenschutzdemo von einer christlichen Sekte geradezu okkupiert wurde. Angesichts dieser Vorgeschichte finde ich es mehr als unglücklich, ausgerechnet Esoqueen Nina Hagen zur diesjährigen Demonstration einzuladen. Die hat nämlich zu HAARP und UFOs auch eher interessante Ansichten und ist mir bislang nicht durch intelligente politische Analysen aufgefallen.

Aber nichtsdestotrotz: Die Themen sind verdammt wichtig, die Gegenseite schläft nicht. Also: Morgen auf die Straße!

OpenLeaks is a planned platform like WikiLeaks, founded by ex-Wikileaks member Daniel Domscheit-Berg. It's been announced a while back and a beta is currently presented in cooperation with the newspaper taz during the Chaos Communication Camp (where I am right now).

I had a short look and found some things noteworthy:
The page is SSL-only, any connection attempt with http will be forwarded to https. When I opened the page in firefox, I got a message that the certificate is not valid. That's obviously bad, although most people probably won't see this message.

What is wrong here is that an intermediate certificate is missing - we have a so-called transvalid certificate (the term "transvalid" has been used for it by the EFF SSL Observatory project). Firefox includes the root certificate from Go Daddy, but the certificate is signed by another certificate which itself is signed by the root certificate. To make this work, one has to ship the so-called intermediate certificate when opening an SSL connection.

The reason why most people won't see this warning and why it probably went unnoticed is that browsers remember intermediate certificates. If someone ever was on a webpage which uses the Go Daddy intermediate certificate, he won't see this warning. I saw it because I usually don't use Firefox and it had a rather fresh configuration.

There was another thing that bothered me: On top of the page, there's a line "Before submitting anything verify that the fingerprints of the SSL certificate match!" followed by a SHA-1 certificate fingerprint. Beside the fact that it's english on a german page, this is a rather ridiculous suggestion. Checking a fingerprint of an SSL connection against one you got through exactly that SSL connection is bogus. Checking a certificate fingerprint doesn't make any sense if you got it through a connection that was secured with that certificate. If checking a fingerprint should make sense, it has to come through a different channel. Beside that, nowhere is explained how a user should do that and what a fingerprint is at all. I doubt that this is of any help for the targetted audience by a whistleblower platform - it will probably only confuse people.

Both issues give me the impression that the people who designed OpenLeaks don't really know how SSL works - and that's not a good sign.

I have a magnet plate hanging over my desk. Usually, the normal magnets for that purpose you can buy in shops are of very low quality and not very strong and fail to hold more than a few pieces of paper.

I recently discovered a way to get much better magnets almost for free: From old harddisks. To open a harddisks, you will usually need some kind of Torx screwdriver. Inside, you will find one or two very strong neodym magnets, which were originally used to move the read head.

Pioneer One is a science fiction series. What's special about it: It's completely supported by donations and it's distributed via BitTorrent. It comes under a Creative Commons Attribution-NonCommercial-ShareAlike license.

I read about the first episode a while back, but I forgot about it. Recently, I stumbled upon it again and took the opportunity to watch it. Up until now, just two episodes are completed, Episode three is announced for 28th of March and Episode four is in production. Further episodes will depend on the donations they get.

The rough story: A space ship is coming down over Montana and lands in Canadian territory. It spreads radiation, so the first suspicion is that it might be a terrorist attack. They find a probably russian human inside the ship, unconscious, with signets from the Sovjet Union. Their suspicion: The Sovjet Union has sent humans to settle on Mars and this one is a child coming back. The case is investigated by members of the US department of homeland security.

I found it pretty good. You can see overall that it's an independent production (for example the offices just don't look like offices from the US department of homeland security), but that makes no odds. The storyline is exciting, the actors do their job pretty well, the characters are interesting. My favorite character until now is Zachary Walzer, a scientist who's been endorsing Mars missions to the US authorities for a long time.

From the story concept, I'm not sure how this will make a very long series. At the moment it sounds like at some point they know what's going on and then it may not be interesting any more. Though there were some hints in which direction it might get to continue the story after that. I'm looking forward to see more.

If I raised your interest, go ahead and download Pioneer One.

The Electronic Frontier Foundation is running a fascinating project called the SSL Observatory. What they basically do is quite simple: They collected all SSL certificates they could get via https (by scanning all possible IPs), put them in a database and made statistics with them.

For an introduction, watch their talk at the 27C3 - it's worth it. For example, they found a couple of "Extended Validation"-Certificates that clearly violated the rules for extended validation, including one 512-bit EV-certificate.

The great thing is: They provide the full mysql database for download. I took the time to import the thing locally and am now able to run my own queries against it.

Let's show some examples: I'm interested in crypto algorithms used in the wild, so I wanted to know which are used in the wild at all. My query:

SELECT `Signature Algorithm`, count(*) FROM valid_certs GROUP BY `Signature Algorithm` ORDER BY count(*);

shows all signature algorithms used on the certificates.
And the result:

+--------------------------+----------+
| Signature Algorithm      | count(*) |
+--------------------------+----------+
|  sha512WithRSAEncryption |        1 |
|  sha1WithRSA             |        1 |
|  md2WithRSAEncryption    |        4 |
|  sha256WithRSAEncryption |       62 |
|  md5WithRSAEncryption    |    29958 |
|  sha1WithRSAEncryption   |  1503333 |
+--------------------------+----------+

Nothing very surprising here. Seems nobody is using anything else than RSA. The most popular hash algorithm is SHA-1, followed by MD5. The transition to SHA-256 seems to go very slowly (btw., the most common argument I heared when asking CAs for SHA-256 certificates was that Windows XP before service pack 3 doesn't support that). The four MD2-certificates seem interesting, though even that old, it's still more secure than MD5 and provides a similar security margin as SHA-1, though support for it has been removed from a couple of security libraries some time ago.

This query was only for the valid certs, meaning they were signed by any browser-supported certificate authority. Now I run the same query on the all_certs table, which contains every cert, including expired, self-signed or otherwise invalid ones:

+-------------------------------------------------------+----------+
| Signature Algorithm                                   | count(*) |
+-------------------------------------------------------+----------+
|  1.2.840.113549.27.1.5                                |        1 |
|  sha1                                                 |        1 |
|  dsaEncryption                                        |        1 |
|  1.3.6.1.4.1.5849.1.3.2                               |        1 |
|  md5WithRSAEncryption ANDALSO  md5WithRSAEncryption   |        1 |
|  ecdsa-with-Specified                                 |        1 |
|  dsaWithSHA1-old                                      |        2 |
|  itu-t ANDALSO  itu-t                                 |        2 |
|  dsaWithSHA                                           |        3 |
|  1.2.840.113549.1.1.10                                |        4 |
|  ecdsa-with-SHA384                                    |        5 |
|  ecdsa-with-SHA512                                    |        5 |
|  ripemd160WithRSA                                     |        9 |
|  md4WithRSAEncryption                                 |       15 |
|  sha384WithRSAEncryption                              |       24 |
|  GOST R 34.11-94 with GOST R 34.10-94                 |       25 |
|  shaWithRSAEncryption                                 |       50 |
|  sha1WithRSAEncryption ANDALSO  sha1WithRSAEncryption |       72 |
|  rsaEncryption                                        |       86 |
|  md2WithRSAEncryption                                 |      120 |
|  GOST R 34.11-94 with GOST R 34.10-2001               |      378 |
|  sha512WithRSAEncryption                              |      513 |
|  sha256WithRSAEncryption                              |     2542 |
|  dsaWithSHA1                                          |     2703 |
|  sha1WithRSA                                          |    60969 |
|  md5WithRSAEncryption                                 |  1354658 |
|  sha1WithRSAEncryption                                |  4196367 |
+-------------------------------------------------------+----------+

It seems quite some people are experimenting with DSA signatures. Interesting are the number of GOST-certificates. GOST was a set of cryptography standards by the former soviet union. Seems the number of people trying to use elliptic curves is really low (compared to the popularity they have and that if anyone cares for SSL performance, they may be a good catch). For the algorithms only showing numbers, 1.2.840.113549.1.1.10 is RSASSA-PSS (not detected by current openssl release versions), 1.3.6.1.4.1.5849.1.3.2 is also a GOST-variant (GOST3411withECGOST3410) and 1.2.840.113549.27.1.5 is unknown to google, so it must be something very special.