Italian Digital Signature Software Exposed to Man-in-the-middle Attack?

An independent researcher compiled a list of known Apple OSX-related vulnerabilities, including one that affects the Sparkle Updater Framework.

I’ve just checked my Mac with this command

find /Applications -name Sparkle.framework

and found that DikeX, the old version of the digital-signature tool released by Infocert S.p.a., uses Sparkle. I don’t know whether the software is affected by the bug, but this is exactly the point: nobody from Infocert has warned users about it with a single word.
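The Sparkle weakness that was published concerned update feeds (appcasts) fetched over plain HTTP, which is what makes the man-in-the-middle scenario possible; the natural follow-up to the find command above is therefore to check the SUFeedURL of every app bundle that embeds Sparkle. The script below is an added example written for this page, not Infocert’s or Sparkle’s own code: the app names, feed URLs and Info.plist files are constructed fixtures, and on a real Mac you would point audit_sparkle at /Applications instead of the fixture directory.

```shell
#!/bin/sh
# Added example (not from the original post): audit apps that embed
# Sparkle.framework and classify their SUFeedURL by scheme.

# Extract the <string> that follows the SUFeedURL key in an Info.plist.
# Plain awk is used so the check also runs on Linux; on a real Mac
# `defaults read "$plist" SUFeedURL` gives the same value.
feed_url_of() {
    plist="$1"
    awk '/<key>SUFeedURL<\/key>/ {
            getline
            gsub(/.*<string>|<\/string>.*/, "")
            print
            exit
         }' "$plist"
}

# Walk a directory tree (e.g. /Applications), locate every app bundle that
# embeds Sparkle.framework and report whether its feed is HTTPS or plain HTTP.
# A Sparkle.framework found somewhere other than
# <App>.app/Contents/Frameworks is reported as NO-FEED-URL.
audit_sparkle() {
    root="$1"
    find "$root" -type d -name Sparkle.framework 2>/dev/null | while read -r fw; do
        app="${fw%/Contents/Frameworks/Sparkle.framework}"
        plist="$app/Contents/Info.plist"
        name=$(basename "$app" .app)
        url=$(feed_url_of "$plist" 2>/dev/null)
        case "$url" in
            https://*) echo "$name OK $url" ;;
            http://*)  echo "$name INSECURE $url" ;;
            "")        echo "$name NO-FEED-URL" ;;
            *)         echo "$name UNKNOWN $url" ;;
        esac
    done | sort
}

# Build a constructed fixture: two fake app bundles, one with an HTTPS feed
# and one with a plain-HTTP feed (hypothetical names and URLs).
make_fixture() {
    base="$1"
    for spec in "GoodApp|https://updates.example.com/appcast.xml" \
                "LegacyApp|http://updates.example.com/appcast.xml"; do
        name=${spec%%|*}
        url=${spec#*|}
        mkdir -p "$base/$name.app/Contents/Frameworks/Sparkle.framework"
        cat > "$base/$name.app/Contents/Info.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>CFBundleName</key>
	<string>$name</string>
	<key>SUFeedURL</key>
	<string>$url</string>
</dict>
</plist>
EOF
    done
}

# Usage: sh audit_sparkle.sh /Applications
if [ $# -gt 0 ]; then
    audit_sparkle "$1"
fi
```

An app reported as INSECURE is one whose update metadata travels unauthenticated over the network; the fix belongs to the vendor (an HTTPS feed, or a Sparkle release that validates the feed), and until then the practical mitigation is to disable that app’s automatic update check.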

National Security, Mediaset and RAI Way Tower

Today the RAI (Radio Televisione Italiana, the public broadcasting company) radio news program asked me for an opinion about the risks to national security if the broadcasting towers belonging to RAI WAY (a publicly owned company) were purchased by a Mediaset-controlled company. The importance of these broadcasting towers lies in the fact that they carry both “ordinary” TV programs and the masts of law-enforcement and other security-related agencies.

Here is the link to the interview, which starts at 3:00 min., and, for non-Italian-speaking readers, here is a summary of what I said: privatizing national security is an ongoing process that started years ago with the “online piracy / child pornography excuse”. Regulations have been passed that shifted onto the shoulders of ISPs and telcos the task of performing wiretapping, eavesdropping and geolocation, so this RAI WAY issue is just another brick in the wall. By going ahead with this privatization process, nevertheless, there is a risk of jeopardizing serious-crime investigations, since information about a criminal proceeding will be known to far too many people. So I wonder whether this “National Security Frenzy” is real, or just a way to spread the usual FUD (Fear, Uncertainty and Doubt).

The Italian Internet Bill of Rights. The Trojan Horse Keeps Shaping

According to the Italian online newsmagazine Repubblica.it, the Italian Bill of Rights endorsed by Boldrini, the leftist President of the Italian Lower Chamber (Camera dei Deputati), is almost ready and will affirm principles such as “net neutrality”, “right to privacy”, “right to universal access” and so on.

If this is what all this Internet Bill of Rights is about, then it is much ado about practically nothing, since all the alleged “Internet Rights” are already broadly covered by existing laws and regulations; what we do lack is fair enforcement. Copyright is one of the most blatant examples: the current law protects the author, gives him full control over his works and leaves him free to use whatever licensing model he chooses. He has the right to be acknowledged as the creator of a work and to stop any detrimental use. But what happens in real life is that these provisions are largely ignored because of the overwhelming power of those who profit from authors’ work: the publishers. Thus, again, “rules” are the last thing the world needs.

Of course (and hopefully) this Internet Bill of Rights will never be turned into a real, parliament-passed law. Nevertheless, it will become a political platform to ease the shift of legal liability from the single user who commits a crime, or is lazy in protecting his rights, to the telco industry.

This is not acceptable.

Does SHA-7 belong to the US NSA?

As everybody knows, SHA-n is a series of cryptographic hash algorithms developed by the NSA and published by the US NIST. The current SHA-n lineup includes SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512.

By contrast, SHA-7 (see this link – Italian only, sorry), a “proprietary, patented encryption algorithm” developed by an Italian company, doesn’t belong to the original “family”, and has no endorsement from the scientific community.

I wonder why the SHA-7 designers have chosen this confusing name for their product.


A new breed of bureaucracy?

For at least twenty years – since the beginning of the Internet Era in Italy – one of the favorite topics has been how to use the Net to improve the efficiency of the State’s administrative machine. The pre-Internet experiences of big cities like Rome or Milan (and of smaller but tech-savvy ones) showed a clear path that has never been pursued.

Digital Public Administration in Italy is still a dream (or rather, a nightmare). Just to name a few examples, on-line healthcare-related services are almost useless. The project for automating the docket filing of civil lawsuits is in a deep coma, while no sign of life comes from the administration of criminal investigations and trials. And giving everybody 2 megabit Internet access (as Mr. Renato Brunetta, Minister of Public Administration, advocates) is not a solution, because – leaving aside the technological underdevelopment of this country – there is a deeper reason for Italy to live in a digital (early) Pleistocene.

Citizens – often with some justification – distrust computers, as (for less “noble” reasons) civil servants do.

On one side, people look at ICT as a devilish thing, existing to make everybody’s life miserable (think of viruses, phishing, angry copyright holders seeking vengeance for the nefarious downloaders’ attack on their rights, personal identities stolen on the net and so on).

On the other side, (a certain number of) civil servants spread all along the pyramid of power don’t like the idea that by “going digital” they come under close scrutiny and lose their traditional grip on the ordinary citizen, who no longer needs to plead for a “favour” when interacting with public services.

Between these two contenders lies the “role” of the Public Administration as an “Innovation Engine”. The alternative is very clear. It can choose to be a “follower”, thus letting the private interests of big corporations rule the technological and process-upgrade strategies. Or the Italian Public Administration can stand as a leader, setting the goals to reach and the path to get there, by imposing open technological standards (such as file formats, operating systems and – in general – everything that meets the idea of “openness”, not only in the Intellectual Property field).

This is what the United States of America did about forty years ago, when they created a computer-to-computer communication system free from royalties and copyright that changed not only that country but the whole world: the TCP/IP protocol, i.e. the Internet.

This is the English translation of an article published by Nova IlSole24Ore on Oct. 29, 2009

Infocert, electronic signature and technology discrimination

Here we are again. Infocert – one of the biggest electronic signature providers in Italy – confirmed its technology lock-in attitude by pushing users toward Microsoft Windows.

Infocert released its USB-based all-in-one solution named Businesskey and advertises the dongle as a “hassle-free” tool with no installation required. This is not entirely true, because the system only works under Microsoft Windows: no Linux or Mac OSX support. Admittedly, Infocert did release Linux and Mac OSX desktop versions of Dike (the software client needed to handle the electronic signature), but didn’t do the same as a “portable app”.

The consequences are clear and need no further explanation. What is astonishing is the silence of both Government and Authorities, which are allowing private entities to force citizens to pay not-insignificant sums of money to get public services.

Digital Signature. A chance for change?

After ten years, Italy might let the digital signature legal framework move toward a coherent system.

Current legislation – Legislative Decree 82/2005 – is still affected by unclear definitions, EU directive translation errors and technical misunderstandings.

If passed by Parliament, draft law AC1441-bis will give the Government the power to amend these mistakes: not an impossible mission, if only the persons concerned take the time to fully understand the issues debated since 1997 and never fully resolved.

More to come as soon as Parliament passes the law containing the amendment principles.