On Java and incompetence



  • Holy fucking cocksticks. Oracle is so incompetent they can't even make their own installers work. Here's a short story:

    1. Installer installs some useless shitty "Java Deployment Toolkit".
    2. Installer fellates a cactus and does not install the JRE.
    3. Installer informs user the installation completed successfully.
    4. Online Java verification fails.
    5. The troubleshooting FAQ is completely unhelpful.
    6. The FAQ does not mention that you're supposed to have something besides the "Java Deployment Toolkit" installed.

    Though to be fair, it's the steamy pile of entrails that is my online bank which forces me to install Java in the first place.



  • Gotta love those banks that require a computer with Java, so they can run security audit software from the web on your computer and verify that it won't run any random code from the web.



  • The JRE installer is a pain in the arse.

    The full (offline) version has always had a "silent" command line switch, purportedly allowing you to use it to perform unattended installations. Not long after Oracle acquired Sun, I started seeing occasional failures in my main software update script, which I run on all the school workstations at shutdown: instead of doing a silent installation of Java, the installer would pop up a modal dialog complaining about being unable to find revocation information for a certificate and hang the shutdown script waiting for OK or Cancel.

    It turns out that the installer phones home to https://sjremetrics.java.com, even during a silent installation, and barfs if it can't find the associated certificate revocation list.

    The workaround I'm using at present: every time I download an updated copy of the offline installer, I then run this script (which I keep in the folder I save those installers in) by hand:

    :: Run from the folder holding the offline installers (%~dp0 is this script's folder).
    pushd "%~dp0"
    call :update 6
    call :update 7
    popd
    goto :eof
    
    
    
    :: %1 = Java major version (6 or 7). Runs the matching installer just long enough
    :: for it to unpack, then keeps a copy of the unpacked MSI and its CAB.
    :update
    set maj=jre1
    set min=%1
    set rev=0
    
    :: The wildcard matches e.g. jre-6u45-windows-i586.exe; the last match in directory order wins.
    set installer=
    for %%F in (jre-%min%u??-windows-i586.exe) do set installer=%%~F
    if not defined installer goto :eof
    
    :: Characters 6-7 of the file name are the update number (the "45" in jre-6u45-...).
    set upd=%installer:~6,2%
    set name=%maj%.%min%.%rev%_%upd%
    
    :: Start it interactively, give it ten seconds to unpack and reach its first dialog, then kill it.
    title Unpacking installer for %name%...
    start "Java installer" %installer%
    ping -n 11 127.0.0.1 >nul
    taskkill /f /im %installer%
    
    :: Look for the unpacked folder in the roaming and LocalLow profile locations.
    set spath=%APPDATA%\Sun\Java;%APPDATA%\..\LocalLow\Sun\Java
    for %%D in (%name%) do set src="%%~$spath:D"
    if not exist %src% goto :eof
    
    :: Replace any previous copy with the freshly unpacked MSI and DATA1.CAB, then tidy the profile.
    rmdir /s /q %name%
    xcopy /s /i %src% %name%
    rmdir /s /q %src%

    What this does:

    • Finds the latest Java 6 installer in the current directory
    • Starts it in interactive mode
    • Waits ten seconds, which is long enough for the installer to have got as far as waiting for a response to its first dialog
    • Kills it
    • Takes a copy of the folder the installer has unpacked into my profile (pre-Vista, this goes in the roaming profile) which contains a tiny MSI and a thumping great DATA1.CAB to go with it
    • Does it all again with the latest Java 7 installer

    To do the actual silent installation, I can then just use a reasonably sane pushd & msiexec /passive & popd sequence. It's only the actual installer executable that phones home to sjremetrics, not the embedded MSI, so this never pops up modal dialogs.

    For most installers that wrap MSIs, I can just extract those using 7zip. Not this one; opening it with 7zip shows the contents of DATA1.CAB. The only way I've found to get at the actual MSI is to run the thing. And no, it never cleans up the unpacked stuff, not even if you let it run to completion.

    The JRE installation step that uninstalls older versions is also quite fragile, and when it breaks, the installer will not then go on to install the new version. So I do that "by hand" as well:

    :: Entry points: jump to :-jre6 or :-jre7 to remove that Java major version.
    :-jre6
    set jreMin=6
    goto -jre
    
    :-jre7
    set jreMin=7
    
    :-jre
    title Uninstalling Java runtime environment %jreMin%...
    :: Stop the Java components that would otherwise keep files locked during removal.
    net stop "Java Quick Starter"
    taskkill /f /im jusched.exe
    :: Installer product keys (named by packed GUID) and Add/Remove Programs entries.
    set rki="HKCR\Installer\Products"
    set rku="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    :: tf1 collects the wmic product records, tf2 the registry keys to delete.
    set tf1="%temp%\%~n0-temp-1.txt"
    set tf2="%temp%\%~n0-temp-2.txt"
    if %jreMin%==6 (
    	wmic product where "name like 'Java(TM) 6 %%' or name like 'J2SE Runtime %%'" list /format:list >%tf1%
    	reg query %rki% | findstr /r /c:"4EA42A62D9304AC4784BF23812.6..FF" >%tf2%
    	reg query %rki% | findstr /r /c:"8A0F842331866D117AB7000B0D....0." >>%tf2%
    	reg query %rku% | findstr /r /c:"{26A24AE4-039D-4CA4-87B4-2F83216...FF}" >>%tf2%
    	reg query %rku% | findstr /r /c:"{3248F0A8-6813-11D6-A77B-00B0D0.....0}" >>%tf2%
    )
    if %jreMin%==7 (
    	wmic product where "name like 'Java 7 %%'" list /format:list >%tf1%
    	reg query %rki% | findstr /r /c:"4EA42A62D9304AC4784BF23812.7..FF" >%tf2%
    	reg query %rku% | findstr /r /c:"{26A24AE4-039D-4CA4-87B4-2F83217...FF}" >>%tf2%
    )
    :: Uninstall each matching product by its product code (the IdentifyingNumber line).
    for /f "tokens=1,* delims==" %%A in ('type %tf1%') do @(
    	if "%%A" == "IdentifyingNumber" start /wait msiexec /passive /norestart /x "%%B"
    )
    :: Remove whatever install folders and cached MSI packages the uninstall left behind.
    for /f "tokens=1,* delims==" %%A in ('type %tf1%') do @(
    	if "%%A" == "InstallLocation" if exist "%%B" rmdir /s /q "%%B"
    	if "%%A" == "PackageCache" if exist "%%B" del /f /q "%%B"
    )
    for /d %%D in ("%ProgramFiles%\Java\jre1.*" "%ProgramFiles%\Java\jre%jreMin%") do rmdir /s /q "%%~D"
    :: Finally delete the registry keys collected above.
    for /f "delims=" %%K in ('type %tf2%') do reg delete "%%~K" /f

    I'm still not convinced that this removes every trace of Java, but it does get rid of enough of it to convince a subsequent installation to skip its own uninstall step.



  • @flabdablet said:

    The JRE installer is a pain in the arse.

    The full (offline) version has always had a "silent" command line switch, purportedly allowing you to use it to perform unattended installations. Not long after Oracle acquired Sun, I started seeing occasional failures in my main software update script, which I run on all the school workstations at shutdown: instead of doing a silent installation of Java, the installer would pop up a modal dialog complaining about being unable to find revocation information for a certificate and hang the shutdown script waiting for OK or Cancel.

    It turns out that the installer phones home to https://sjremetrics.java.com, even during a silent installation, and barfs if it can't find the associated certificate revocation list.

    The workaround I'm using at present: every time I download an updated copy of the offline installer, I then run this script (which I keep in the folder I save those installers in) by hand:

    pushd "%~dp0"
    call :update 6
    call :update 7
    popd
    goto :eof
    
    
    
    :update
    set maj=jre1
    set min=%1
    set rev=0
    
    set installer=
    for %%F in (jre-%min%u??-windows-i586.exe) do set installer=%%~F
    if not defined installer goto :eof
    
    set upd=%installer:~6,2%
    set name=%maj%.%min%.%rev%_%upd%
    
    title Unpacking installer for %name%...
    start "Java installer" %installer%
    ping -n 11 127.0.0.1 >nul
    taskkill /f /im %installer%
    
    set spath=%APPDATA%\Sun\Java;%APPDATA%\..\LocalLow\Sun\Java
    for %%D in (%name%) do set src="%%~$spath:D"
    if not exist %src% goto :eof
    
    rmdir /s /q %name%
    xcopy /s /i %src% %name%
    rmdir /s /q %src%

    What this does:

    • Finds the latest Java 6 installer in the current directory
    • Starts it in interactive mode
    • Waits ten seconds, which is long enough for the installer to have got as far as waiting for a response to its first dialog
    • Kills it
    • Takes a copy of the folder the installer has unpacked into my profile (pre-Vista, this goes in the roaming profile) which contains a tiny MSI and a thumping great DATA1.CAB to go with it
    • Does it all again with the latest Java 7 installer

    To do the actual silent installation, I can then just use a reasonably sane pushd & msiexec /passive & popd sequence. It's only the actual installer executable that phones home to sjremetrics, not the embedded MSI, so this never pops up modal dialogs.

    For most installers that wrap MSIs, I can just extract those using 7zip. Not this one; opening it with 7zip shows the contents of DATA1.CAB. The only way I've found to get at the actual MSI is to run the thing. And no, it never cleans up the unpacked stuff, not even if you let it run to completion.

    The JRE installation step that uninstalls older versions is also quite fragile, and when it breaks, the installer will not then go on to install the new version. So I do that "by hand" as well:

    :-jre6
    set jreMin=6
    goto -jre
    
    :-jre7
    set jreMin=7
    
    :-jre
    title Uninstalling Java runtime environment %jreMin%...
    net stop "Java Quick Starter"
    taskkill /f /im jusched.exe
    set rki="HKCR\Installer\Products"
    set rku="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    set tf1="%temp%\%~n0-temp-1.txt"
    set tf2="%temp%\%~n0-temp-2.txt"
    if %jreMin%==6 (
    	wmic product where "name like 'Java(TM) 6 %%' or name like 'J2SE Runtime %%'" list /format:list >%tf1%
    	reg query %rki% | findstr /r /c:"4EA42A62D9304AC4784BF23812.6..FF" >%tf2%
    	reg query %rki% | findstr /r /c:"8A0F842331866D117AB7000B0D....0." >>%tf2%
    	reg query %rku% | findstr /r /c:"{26A24AE4-039D-4CA4-87B4-2F83216...FF}" >>%tf2%
    	reg query %rku% | findstr /r /c:"{3248F0A8-6813-11D6-A77B-00B0D0.....0}" >>%tf2%
    )
    if %jreMin%==7 (
    	wmic product where "name like 'Java 7 %%'" list /format:list >%tf1%
    	reg query %rki% | findstr /r /c:"4EA42A62D9304AC4784BF23812.7..FF" >%tf2%
    	reg query %rku% | findstr /r /c:"{26A24AE4-039D-4CA4-87B4-2F83217...FF}" >>%tf2%
    )
    for /f "tokens=1,* delims==" %%A in ('type %tf1%') do @(
    	if "%%A" == "IdentifyingNumber" start /wait msiexec /passive /norestart /x "%%B"
    )
    for /f "tokens=1,* delims==" %%A in ('type %tf1%') do @(
    	if "%%A" == "InstallLocation" if exist "%%B" rmdir /s /q "%%B"
    	if "%%A" == "PackageCache" if exist "%%B" del /f /q "%%B"
    )
    for /d %%D in ("%ProgramFiles%\Java\jre1.*" "%ProgramFiles%\Java\jre%jreMin%") do rmdir /s /q "%%~D"
    for /f "delims=" %%K in ('type %tf2%') do reg delete "%%~K" /f

    I'm still not convinced that this removes every trace of Java, but it does get rid of enough of it to convince a subsequent installation to skip its own uninstall step.

    Java, batch files with parameters and loops, GUIDs and lots of tildes... WHY



  • @Ronald said:

    WHY

    Because you deserve it, you scallywag.

    @Ronald said:

    Java

    Because software that's useful in the classroom relies on it.

    @Ronald said:

    batch files

    Because they work natively on both XP and Windows 7 workstations, they're reasonably concise for tasks like installing software and messing with files, they're trivially easy to debug if somewhat fiddly to write, and they don't force me to mess about with security policy just to make them run.

    @Ronald said:

    with parameters and loops

    Because subroutines and repeated operations? Why would I avoid basic language features like parameters and loops in any scripting language?

    @Ronald said:

    GUIDs

    Because that's how Java identifies its installation packages.

    For extra amusement value,
    HKCR\Installer\Products\8A0F842331866D117AB7000B0D610009 and
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160090}
    are actually the same GUID.

    @Ronald said:

    lots of tildes

    Because whoever designed threw together the syntax for cmd scripts really, really wanted to hurt all of us. The for command is an entertainingly bizarre little language all on its own.



  • @flabdablet said:

    For extra amusement value,
    HKCR\Installer\Products\8A0F842331866D117AB7000B0D610009 and
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160090}
    are actually the same GUID.

    @Ronald said:

    lots of tildes

    Because whoever designed threw together the syntax for cmd scripts really, really wanted to hurt all of us. The for command is an entertainingly bizarre little language all on its own.

    Let me see if I get this right

    8A0F8423 3186 6D11 7A B7 00 0B 0D 61 00 09
    3248F0A8 6813 11D6 A7 7B 00 B0 D0 16 00 90
    

    The first 8 chars are reversed. Then the next 2 groups of 4 are reversed. Then every pair is reversed. And it's not in a way that would happen if you cast an int* to a char*, it's in some weird deliberate twisted idiotic way.
    Am I looking at some corner case of the GUID standard, which states that if the GUID is written with(out) dashes, then the chars must be swizzled as if written by a drunk chimp reading the GUID from a piece of paper while in a house of mirrors?



  • @Mo6eB said:

    Let me see if I get this right

    8A0F8423 3186 6D11 7A B7 00 0B 0D 61 00 09
    3248F0A8 6813 11D6 A7 7B 00 B0 D0 16 00 90
    

    The first 8 chars are reversed. Then the next 2 groups of 4 are reversed. Then every pair is reversed. And it's not in a way that would happen if you cast an int* to a char*, it's in some weird deliberate twisted idiotic way.
    Am I looking at some corner case of the GUID standard, which states that if the GUID is written with(out) dashes, then the chars must be swizzled as if written by a drunk chimp reading the GUID from a piece of paper while in a house of mirrors?

    I haven't bothered looking at enough HKCR\Installer\Products vs HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall subkeys to work out whether this is Sun bizarreness or Windows bizarreness. The MS GUID storage format has a uint32, a uint16[2] and a uint8[8] so I can see where the byte re-ordering is coming from, but the nybble swapping is just crazed.



  • I'm not entirely sure if this is possible but what I would have done was set up sjremetrics.java.com to redirect to an internal web server, then use Active Directory to push that server's cert to the domain somehow so that the systems don't complain about it being self-signed.



  • @MiffTheFox said:

    I'm not entirely sure if this is possible but what I would have done was set up sjremetrics.java.com to redirect to an internal web server, then use Active Directory to push that server's cert to the domain somehow so that the systems don't complain about it being self-signed.

    I would've just added an entry to the C:\windows\system32\drivers\etc\hosts file to redirect sjremetrics.java.com to localhost.



  • @Mo6eB said:

    Let me see if I get this right

    8A0F8423 3186 6D11 7A B7 00 0B 0D 61 00 09
    3248F0A8 6813 11D6 A7 7B 00 B0 D0 16 00 90
    

    The first 8 chars are reversed. Then the next 2 groups of 4 are reversed. Then every pair is reversed. And it's not in a way that would happen if you cast an int* to a char*, it's in some weird deliberate twisted idiotic way.
    Am I looking at some corner case of the GUID standard, which states that if the GUID is written with(out) dashes, then the chars must be swizzled as if written by a drunk chimp reading the GUID from a piece of paper while in a house of mirrors?

    As far as I know, this is Microsoft's standard method of obfuscating GUIDs in the registry so that they won't be found via a naive search. I remember reading the reason for wanting to do that, which was at least plausible, but can no longer remember what it is. (Probably something to do with preventing people trying to manually uninstall something by deleting all registry keys mentioning its GUID, in cases where that would cause the entire system to break.)




  • @The_Assimilator said:

    I would've just added an entry to the C:\windows\system32\drivers\etc\hosts file to redirect sjremetrics.java.com to localhost.

    How would that fix it? It still wouldn't be able to contact the server.



  • @blakeyrat said:

    @The_Assimilator said:
    I would've just added an entry to the C:\windows\system32\drivers\etc\hosts file to redirect sjremetrics.java.com to localhost.

    How would that fix it? It still wouldn't be able to contact the server.

    Presumably you could run a "null" webserver that swallows all requests and serves empty responses?



  • @Faxmachinen said:

    fellates a cactus

    My new favorite technical terminology.


  • @Mo6eB said:

    swallows all requests and serves empty responses?

    It swallows and it doesn't talk back?



  • @blakeyrat said:

    @The_Assimilator said:
    I would've just added an entry to the C:\windows\system32\drivers\etc\hosts file to redirect sjremetrics.java.com to localhost.

    How would that fix it? It still wouldn't be able to contact the server.

    The issue seems to be related to inability to contact a certificate revocation list server rather than sjremetrics.java.com itself. I'm also not seeing sjremetrics.java.com in the school's web proxy log, which means that the installer is trying to connect direct instead of using that proxy, which will result in a complete lack of response anyway; can't see how making it get its non-response from localhost instead would change much.

    Given that it can't get to sjremetrics.java.com, I'm buggered if I know where it's getting the certificate whose revocation time it wants to check - does Windows cache these things somewhere? If so, clearing out that cache might help. But having found a way to extract an MSI that doesn't phone home at all, I'm happy just using that. The idea of fartarsing about with my networking arrangements just to work around one software package's broken installer doesn't have much appeal.



  • @joe.edwards said:

    @Mo6eB said:
    swallows all requests and serves empty responses?

    It swallows and it doesn't talk back?

    Over HTTPS? Without causing a certificate error?



  • I thought Java and Incompetent meant the same thing.



  • @ais523 said:

    Microsoft's standard method of obfuscating GUIDs

    Ah! Another "this behavior is by design" gotcha.

    I have yet to find any MS documentation describing this awfulness, but it does look like it's not Sun's fault.


  • @MiffTheFox said:

    @joe.edwards said:
    @Mo6eB said:
    swallows all requests and serves empty responses?

    It swallows and it doesn't talk back?

    Over HTTPS? Without causing a certificate error?

    1. Woosh.
    2. You could self-sign the certificate and not receive a warning if you're willing to add your own signing authority to the trusted root certificates store of each box you manage (though this is quite WTFy)


  • @joe.edwards said:

    You could self-sign the certificate and not receive a warning if you're willing to add your own signing authority to the trusted root certificates store of each box you manage (though this is quite WTFy)

    Really? I don't think it's WTFy to push out your own CA. Admittedly, just to get around a Java install problem it might be a bit much..


  • @morbiuswilters said:

    @joe.edwards said:
    You could self-sign the certificate and not receive a warning if you're willing to add your own signing authority to the trusted root certificates store of each box you manage (though this is quite WTFy)

    Really? I don't think it's WTFy to push out your own CA. Admittedly, just to get around a Java install problem it might be a bit much..


    Well, in general I think it's poor security practice because you're tampering with the chain of trust. This makes it possible (if far-fetched) that someone could piggyback a fake certificate onto your self-signed one. If your private key becomes compromised, an attacker can basically impersonate anybody because they control a certificate in your root store.



  • @joe.edwards said:

    You could self-sign the certificate and not receive a warning if you're willing to add your own signing authority to the trusted root certificates store of each box you manage (though this is quite WTFy)

    That's what I've been trying to say from the start. Actually implementing HTTPS isn't part of my skillset, I just know how to hand a working application off to the person keeping Apache running.



  • @joe.edwards said:

    Well, in general I think it's poor security practice because you're tampering with the chain of trust. This makes it possible (if far-fetched) that someone could piggyback a fake certificate onto your self-signed one. If your private key becomes compromised, an attacker can basically impersonate anybody because they control a certificate in your root store.

    There are something like 1500 organizations out there with CA certs right now. Organizations like the Department of Homeland Security and the Chinese government, not to mention bargain-basement SSL providers who are probably running their operation out of EC2.

    The only time my CA private key is decrypted is when I need to sign something, which is probably twice a year. The rest of the time it lives on an IronKey with a password committed only to memory. I honestly think my CA private key is more secure than probably 90% of the ones out there.



  • @MiffTheFox said:

    Actually implementing HTTPS isn't part of my skillset, I just know how to hand a working application off to the person keeping Apache running.

    Then why didn't you say anything about pushing out your own self-signed CA cert? You could use Active Directory to do it.



  • @morbiuswilters said:

    @MiffTheFox said:
    Actually implementing HTTPS isn't part of my skillset, I just know how to hand a working application off to the person keeping Apache running.

    Then why didn't you say anything about pushing out your own self-signed CA cert? You could use Active Directory to do it.

    @MiffTheFox said:

    I'm not entirely sure if this is possible but what I would have done was set up sjremetrics.java.com to redirect to an internal web server, then use Active Directory to push that server's cert to the domain somehow so that the systems don't complain about it being self-signed.



  • @joe.edwards said:

    Well, in general I think it's poor security practice because you're tampering with the chain of trust. This makes it possible (if far-fetched) that someone could piggyback a fake certificate onto your self-signed one. If your private key becomes compromised, an attacker can basically impersonate anybody because they control a certificate in your root store.

    Or! They could just send an email reading: "I'm the password and credit card number inspector, please type both below to ensure they meet our guidelines" and clean out your employees the old-fashioned way!



  • @Mo6eB said:

    @flabdablet said:

    For extra amusement value,
    HKCR\Installer\Products\8A0F842331866D117AB7000B0D610009 and
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160090}
    are actually the same GUID.

    @Ronald said:

    lots of tildes

    Because whoever designed threw together the syntax for cmd scripts really, really wanted to hurt all of us. The for command is an entertainingly bizarre little language all on its own.

    Let me see if I get this right

    8A0F8423 3186 6D11 7A B7 00 0B 0D 61 00 09
    3248F0A8 6813 11D6 A7 7B 00 B0 D0 16 00 90
    

    The first 8 chars are reversed. Then the next 2 groups of 4 are reversed. Then every pair is reversed. And it's not in a way that would happen if you cast an int* to a char*, it's in some weird deliberate twisted idiotic way.
    Am I looking at some corner case of the GUID standard, which states that if the GUID is written with(out) dashes, then the chars must be swizzled as if written by a drunk chimp reading the GUID from a piece of paper while in a house of mirrors?



    You know MS GUID parts 1-3 are low endian, while part 4 (last 64 bits) is big-endian?




  • @MiffTheFox said:

    @morbiuswilters said:
    @MiffTheFox said:
    Actually implementing HTTPS isn't part of my skillset, I just know how to hand a working application off to the person keeping Apache running.

    Then why didn't you say anything about pushing out your own self-signed CA cert? You could use Active Directory to do it.

    @MiffTheFox said:

    I'm not entirely sure if this is possible but what I would have done was set up sjremetrics.java.com to redirect to an internal web server, then use Active Directory to push that server's cert to the domain somehow so that the systems don't complain about it being self-signed.

    You got Morbs'd!



  • @morbiuswilters said:

    The rest of the time it lives on an IronKey with a password committed only to memory.

    Why don't you use a smartcard or a token instead?



  • @ender said:

    @morbiuswilters said:
    The rest of the time it lives on an IronKey with a password committed only to memory.
    Why don't you use a smartcard or a token instead?

    I'm assuming you're talking about a smartcard or token to remember the password for the IronKey?



  • @morbiuswilters said:

    I'm assuming you're talking about a smartcard or token to remember the password for the IronKey?

    No, I mean use the smartcard to store the certificate - I imagine it's simpler to enter the PIN when you need to use the certificate (if you're really paranoid, you can even get a reader with keypad) than unlocking IronKey and pointing whatever application needs the certificate at it (unless IronKey acts as a smartcard/token, too).



  • @ender said:

    No, I mean use the smartcard to store the certificate - I imagine it's simpler to enter the PIN when you need to use the certificate (if you're really paranoid, you can even get a reader with keypad) than unlocking IronKey and pointing whatever application needs the certificate at it (unless IronKey acts as a smartcard/token, too).

    I'm guessing a smartcard reader and cards would be more expensive and more of a hassle to get installed. Plus I'd have to carry the reader all around with me. Also, I don't know if a PIN is really something I'd want to secure a certificate with. To get the same entropy as a 12-character password, I'd have to have a lot of digits..



  • @morbiuswilters said:

    I'm guessing a smartcard reader and cards would be more expensive and more of a hassle to get installed.

    I had a look at IronKey prices, and they probably wouldn't be. I've got a Gemalto .net card (doesn't need any middleware on most Windows versions) cut down to SIM size and a small reader (from looking at IronKey pictures, the reader is probably a bit smaller). I paid 48€ for the card and reader together, and they work in nearly every computer without having to install additional software (XP needs to have certain updates installed, but those usually are).

    @morbiuswilters said:

    Also, I don't know if a PIN is really something I'd want to secure a certificate with. To get the same entropy as a 12-character password, I'd have to have a lot of digits..

    Just because it's called a PIN, it doesn't mean it's limited to just numbers - mine certainly isn't. Also, I set my card to erase itself if the wrong PIN is entered more than 5 times.



  • @ender said:

    @morbiuswilters said:
    I'm guessing a smartcard reader and cards would be more expensive and more of a hassle to get installed.
    I had a look at IronKey prices, and they probably wouldn't be. I've got a Gemalto .net card (doesn't need any middleware on most Windows versions) cut down to SIM size and a small reader (from looking at IronKey pictures, the reader is probably a bit smaller). I paid 48€ for the card and reader together, and they work in nearly every computer without having to install additional software (XP needs to have certain updates installed, but those usually are).
    @morbiuswilters said:
    Also, I don't know if a PIN is really something I'd want to secure a certificate with. To get the same entropy as a 12-character password, I'd have to have a lot of digits..
    Just because it's called a PIN, it doesn't mean it's limited to just numbers - mine certainly isn't. Also, I set my card to erase itself if the wrong PIN is entered more than 5 times.

    IronKeys aren't too bad: $89 for 1gb on Amazon. Also, it works out-of-the-box with Windows, OSX and Linux (which is what I'd primarily need, anyway). No special reader and the stick itself is durable as all get-out. And it self-destructs if you enter the wrong password 10 times. All-in-all, smartcards and IronKeys both sound fine.



  • @morbiuswilters said:

    IronKeys aren't too bad: $89 for 1gb on Amazon. Also, it works out-of-the-box with Windows, OSX and Linux (which is what I'd primarily need, anyway). No special reader and the stick itself is durable as all get-out. And it self-destructs if you enter the wrong password 10 times. All-in-all, smartcards and IronKeys both sound fine.

    $89 is anything but reasonable for 1GB IMHO, no matter the security features (also, $599 for a slow 64GB stick?!).


  • @morbiuswilters said:

    The only time my CA private key is decrypted is when I need to sign something, which is probably twice a year. The rest of the time it lives on an IronKey with a password committed only to memory. I honestly think my CA private key is more secure than probably 90% of the ones out there.

    Keep that IronKey in a safe (together with how to access it in a different safe, if you're bothered about the bus factor of a password just in your memory) and you've got genuinely good security practices. The better public CAs do about the same thing, except they use that master key to sign a number of operational CA keys (which aren't roots) which are then used to sign certificates from the outside world. The crappy CAs just put everything online and hope that they don't get hacked, which probably counts as Security by Prayer or something like that.



  • @ender said:

    $89 is anything but reasonable for 1GB IMHO

    How much is the smartcard?

    @ender said:

    (also, $599 for a slow 64GB stick?!).

    I have the 32gb and it's not too slow. I'm not usually storing much on it, though, it's just for stuff that must remain confidential.



  • @dkf said:

    The better public CAs do about the same thing, except they use that master key to sign a number of operational CA keys (which aren't roots) which are then used to sign certificates from the outside world.

    Intermediates can sign any other cert, including CA certs. Also, considering how shitty revocation works in most libraries and applications, if one is compromised it's pretty much as bad as having a root compromised. In fact, I seem to remember a while back there was a CA that had an intermediate hacked and so Google's response was just to issue a browser update rather than rely on the broken-ass revocation infrastructure.



  • @spamcourt said:

    You know MS GUID parts 1-3 are low endian, while part 4 (last 64 bits) is big-endian?

    That explains the byte re-ordering. It doesn't explain the nybble swapping.

    I have yet to find an official MS rationale for the format of these "packed GUIDs", just a bunch of guesswork about why they "probably" did it this way. If you can link me to a document somewhere on microsoft.com that describes the format, please do.



  • @Ronald said:

    Java, batch files with parameters and loops, GUIDs and lots of tildes... WHY

    Here, just for you, is a snippet of cmd script to turn a GUID string into a packed GUID string:

    :: Given a GUID in the format {abcdefgh-ijkl-mnop-qrst-uvwxyzABCDEF},
    :: return it as a "packed GUID" hgfedcbalkjiponmrqtsvuxwzyBADCFE
    :: Usage: call :packGUID resultVar {guid}   (resultVar is emptied if the input is malformed)
    
    :packGUID
    set %1=
    set g=%2
    if not "%g:~,1%%g:~9,1%%g:~14,1%%g:~19,1%%g:~24,1%%g:~37%" == "{----}" goto :eof
    @set p=%g:~8,1%%g:~7,1%%g:~6,1%%g:~5,1%%g:~4,1%%g:~3,1%%g:~2,1%%g:~1,1%
    @set p=%p%%g:~13,1%%g:~12,1%%g:~11,1%%g:~10,1%%g:~18,1%%g:~17,1%%g:~16,1%%g:~15,1%
    @set p=%p%%g:~21,1%%g:~20,1%%g:~23,1%%g:~22,1%%g:~26,1%%g:~25,1%%g:~28,1%%g:~27,1%
    @set p=%p%%g:~30,1%%g:~29,1%%g:~32,1%%g:~31,1%%g:~34,1%%g:~33,1%%g:~36,1%%g:~35,1%
    set %1=%p%
    goto :eof
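    An added example, not part of the thread or of the cmd script above: the same packing in Python, together with the inverse, and a second implementation built on `uuid.UUID(...).bytes_le` that shows why the shuffle looks the way it does. The per-character reversal of the first three groups and pair-swapping of the rest is exactly "lay the bytes out in Microsoft's mixed-endian order, then swap the two hex digits of every byte", which is the byte re-ordering plus nybble swap discussed upthread. The hex GUID used in the test is constructed, not a real product code.

```python
import re
import uuid

# Shape of a braced GUID string: {8-4-4-4-12}. Letters outside 0-9/A-F are
# allowed here only so the placeholder template from the post can be traced.
_GUID_RE = re.compile(
    r"\{[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}\}"
)


def _swap_pairs(s: str) -> str:
    """Swap every adjacent pair of characters: 'abcd' -> 'badc'."""
    return "".join(s[i + 1] + s[i] for i in range(0, len(s), 2))


def pack_guid(guid: str) -> str:
    """String-level packing, mirroring the cmd script.

    Groups 1-3 (8, 4, 4 characters) are reversed whole; groups 4-5 (4 and 12
    characters, i.e. eight bytes) get each pair of hex digits swapped.
    Raises ValueError on malformed input instead of returning an empty string.
    """
    if not _GUID_RE.fullmatch(guid):
        raise ValueError(f"not a braced GUID: {guid!r}")
    g1, g2, g3, g4, g5 = guid[1:-1].split("-")
    return g1[::-1] + g2[::-1] + g3[::-1] + _swap_pairs(g4 + g5)


def unpack_guid(packed: str) -> str:
    """Inverse of pack_guid: rebuild the braced GUID from its packed form."""
    if len(packed) != 32 or not packed.isalnum():
        raise ValueError(f"not a packed GUID: {packed!r}")
    g1 = packed[0:8][::-1]
    g2 = packed[8:12][::-1]
    g3 = packed[12:16][::-1]
    tail = _swap_pairs(packed[16:])  # swapping pairs is its own inverse
    return "{" + "-".join((g1, g2, g3, tail[:4], tail[4:])) + "}"


def pack_guid_via_bytes(guid: str) -> str:
    """Byte-level packing for real (hex) GUIDs.

    bytes_le stores fields 1-3 little-endian and the last 8 bytes as written;
    the packed form is the hex of that byte string with the two digits of
    every byte swapped. Agrees with pack_guid() for upper-case hex input.
    """
    le_hex = uuid.UUID(guid).bytes_le.hex().upper()
    return _swap_pairs(le_hex)


if __name__ == "__main__":
    template = "{abcdefgh-ijkl-mnop-qrst-uvwxyzABCDEF}"
    print(pack_guid(template))             # hgfedcbalkjiponmrqtsvuxwzyBADCFE
    sample = "{0123ABCD-4567-89EF-0123-456789ABCDEF}"  # constructed sample
    print(pack_guid(sample), pack_guid_via_bytes(sample))
```

    Running it on the placeholder template reproduces the string from the comment in the cmd script, and on a real hex GUID both implementations return the same 32 characters, so whichever mental model you prefer (character shuffling or mixed-endian bytes with swapped nybbles) is the same operation.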

  • Considered Harmful

    I can't wait until quantum computers trivialize factoring large numbers.

    Actually, if the government develops them, I imagine it would be kept classified like when Enigma was cracked. tinfoilhat



  • @joe.edwards said:

    I can't wait until quantum computers trivialize factoring large numbers.

    That would really suck.

    @joe.edwards said:

    Actually, if the government develops them, I imagine it would be kept classified like when Enigma was cracked. tinfoilhat

    You just got yourself on a drone kill list, buddy.



  • @morbiuswilters said:

    How much is the smartcard?

    Like I said, I paid 48€ for smartcard (SIM-sized) and reader together. Just the smartcard was around 30€ (there are cheaper smartcards and tokens, but those usually require middleware to be installed, which means you can't use them on machines without that middleware).

    @morbiuswilters said:

    I have the 32gb and it's not too slow. I'm not usually storing much on it, though, it's just for stuff that must remain confidential.

    Specs say 31MB/s read, 24MB/s write for the faster version, which is slower than most USB3 keys (I don't know what the specs for mine are, but a quick test says it reads at 80MB/s and writes at 60 - and it cost less than the 1GB IronKey).



  • @ender said:

    Like I said, I paid 48€ for smartcard (SIM-sized) and reader together. Just the smartcard was around 30€ (there are cheaper smartcards and tokens, but those usually require middleware to be installed, which means you can't use them on machines without that middleware).

    No, I was asking how big it is. I assumed most smart cards wouldn't be as big as 1gb.

    @ender said:

    Specs say 31MB/s read, 24MB/s write for the faster version, which is slower than most USB3 keys (I don't know what the specs for mine are, but a quick test says it reads at 80MB/s and writes at 60 - and it cost less than the 1GB IronKey).

    I have a 64gb USB3 thumbdrive, which they claim does 190 mb/s. I use that for stuff that doesn't need to be encrypted. The IronKey is more for stuff like passwords, private keys, company secrets, etc. It works great for that. Can plug it into any computer, it's very durable and very compact. $90 really is such a small amount, I wouldn't consider it a problem.



  • @morbiuswilters said:

    No, I was asking how big it is. I assumed most smart cards wouldn't be as big as 1gb.

    Oh, I misunderstood. Since it's a smartcard, it can only store certificates - there's no data storage (I currently have no need to carry secure data with me, but I do need the certificates on several machines).


  • Discourse touched me in a no-no place

    @ender said:

    @morbiuswilters said:
    IronKeys aren't too bad: $89 for 1gb on Amazon. Also, it works out-of-the-box with Windows, OSX and Linux (which is what I'd primarily need, anyway). No special reader and the stick itself is durable as all get-out. And it self-destructs if you enter the wrong password 10 times. All-in-all, smartcards and IronKeys both sound fine.

    $89 is anything but reasonable for 1GB IMHO, no matter the security features (also, $599 for a slow 64GB stick?!).

    Well, you're not paying $89 for the flash, but for the additional security.

    Amusingly, if you go to the ironkey website, they spelled "encrypted" wrong on the page title (on the en-US version, at least).


  • Trolleybus Mechanic

    @FrostCat said:

    Amusingly, if you go to the ironkey website, they spelled "encrypted" wrong on the page title (on the en-US version, at least).

    Was expected Encripted. Still satisfied.




  • @Lorne Kates said:

    @FrostCat said:

    Amusingly, if you go to the ironkey website, they spelled "encrypted" wrong on the page title (on the en-US version, at least).

    Was expected Encripted. Still satisfied.

    Ugh. Yeah, they got bought out by someone like SanDisk recently. I suspected quality would plunge and I am not disappointed.



  • @morbiuswilters said:

    Ugh. [...] I am not disappointed.

    ?



  • @Ben L. said:

    @morbiuswilters said:

    Ugh. [...] I am not disappointed.

    ?

    What? I'm saying that once they got bought out by some large, incompetent, probably-Chinese manufacturer, I expected quality to plunge. And it apparently has started slipping already.

