Tuesday, December 30, 2008

MD5 demonstrated very broken; but worse, some CAs were still using it

A proof of concept has now shown that the long-known MD5 collision weaknesses can actually be used to forge a CA certificate. This could be really bad if done by a bad guy. And it has long been known that certificates should not depend on MD5 at all: sign with SHA-1 (or something stronger) and drop MD5 altogether. But apparently some ridiculous CAs didn't get that message and, IMO, should not be in the business they are in after such a colossal error. Equifax Secure Global eBusiness CA-1 is one of the certificates shown to use md5WithRSAEncryption (md5RSA). From the Slashdot discussion, here is a repost of other CAs still using MD5:
RSA Data Security (!)
Thawte (!)
I expect this kind of thing from Equifax because they seem to do everything but the right thing in any interaction I've had with them online (e.g. why would they decide it's a good idea to direct people to http://consumerinfo.com as an Equifax property? That seems like the phishiest thing I've come across. Seriously?) But RSA? Thawte?
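The practical check behind this post is simple: read the signatureAlgorithm field of each certificate and flag anything MD5-based. Below is an added example (my code, not from the original post or from any CA) that does this with only the Python standard library: a minimal DER walker reads the outer Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue } layout and decodes the OID inside signatureAlgorithm, then scans a whole PEM bundle. The sample certificates are constructed skeletons with the correct outer layout and placeholder bodies, not real certificates; the OID table covers only the algorithms listed in it.

```python
"""Flag X.509 certificates whose outer signatureAlgorithm is MD5-based.

Added example, not code from the original post.  Standard library only.
The sample certificates built at the bottom are constructed skeletons
(real outer DER layout, placeholder TBS and signature), not real certs.
"""
import base64
import re

# Well-known signature algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
# Collisions are practical for these hashes: a CA that signs with them can be
# tricked into signing a colliding rogue certificate.
COLLISION_BROKEN = {"1.2.840.113549.1.1.2", "1.2.840.113549.1.1.4"}


def der_read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos:]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, pos, pos + length


def decode_oid(raw):
    """Decode DER OID content bytes to dotted form (base 128, high bit = continue)."""
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]                          # first two arcs are packed as 40*a + b
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + arcs[1:])


def signature_algorithm_oid(cert_der):
    """Return the dotted OID from the outer signatureAlgorithm of a DER certificate."""
    tag, start, _ = der_read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, _, tbs_end = der_read_tlv(cert_der, start)       # tbsCertificate: skip over it
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, alg_start, _ = der_read_tlv(cert_der, tbs_end)   # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = der_read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(cert_der[oid_start:oid_end])


def pem_to_der(pem_text):
    body = "".join(line.strip() for line in pem_text.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def classify_pem(pem_text):
    """Return (oid, human name, is_collision_broken) for one PEM certificate."""
    oid = signature_algorithm_oid(pem_to_der(pem_text))
    return oid, SIG_ALG_NAMES.get(oid, "unknown"), oid in COLLISION_BROKEN


def scan_bundle(bundle_text):
    """Classify every PEM block in a CA bundle (e.g. /etc/ssl/certs/ca-certificates.crt)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", bundle_text, re.S)
    return [classify_pem(b) for b in blocks]


# --- Constructed sample certificates (skeletons, not real certs) -------------

def der_encode(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_encode(0x06, bytes(out))


def build_skeleton_cert_pem(sig_oid):
    """Outer Certificate layout with placeholder TBS/signature; long-form lengths are exercised."""
    tbs = der_encode(0x30, der_encode(0x04, b"\x00" * 300))     # filler instead of a real TBSCertificate
    alg = der_encode(0x30, encode_oid(sig_oid) + b"\x05\x00")  # parameters = NULL, as for RSA PKCS#1 algs
    sig = der_encode(0x03, b"\x00" + b"\xAA" * 128)            # BIT STRING, 0 unused bits, fake signature
    der = der_encode(0x30, tbs + alg + sig)
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    bundle = build_skeleton_cert_pem("1.2.840.113549.1.1.4") + build_skeleton_cert_pem("1.2.840.113549.1.1.11")
    for oid, name, weak in scan_bundle(bundle):
        print(f"{name:28s} {oid:24s} {'COLLISION-BROKEN' if weak else 'ok'}")
```

The same field is what `openssl x509 -in cert.pem -noout -text | grep 'Signature Algorithm'` prints. Two caveats for a real audit: a complete parser should also read the inner `signature` field of the TBSCertificate and confirm it matches the outer one (RFC 5280 requires this; the skeleton above omits it), and a root's own self-signature is not what the rogue-CA attack exploits, since roots are trusted by inclusion in the store rather than by verifying that signature. What matters is which hash a CA uses when it signs the certificates it issues, which you read from the leaf and intermediate certificates it has signed.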

I'll repeat the analogy I have used in the past for those who don't get the implications:
"If you used a daycare for your child that you found to have strewn about broken glass, hypodermic needles, frayed electrical cords, etc. would you not switch to a new daycare?"

"Okay, now assume, for example, that the bad daycare in the above example cleaned all of that up and pleaded that they would never be so careless again. Would you bring your child back to that daycare? If so, why? If they were so careless in the past, and there are so many other better daycare facilities, why should you risk your child's security on someone so careless and clueless?"
There is one possible caveat, which I call the Jack in the Box caveat. In the aftermath of the E. coli illnesses attributed to Jack in the Box restaurants many, many years ago, I was not hesitant to have a burger there when they reopened. Why? Because it was clear that they were under very tight scrutiny from the government and health agencies due to what they went through. But other restaurants were potential ticking time bombs. It's the devil you know vs. the devil you don't.

Emergent Chaos: Now will you believe MD5 is broken?

BPA safety in plastics for your baby

I've heard lots of information about BPA (Bisphenol-A) in plastics, and a little misinformation. So I figured it was time to cross-check these concerns against the other chain-email-brand hysteria about plastics that I have debunked before.

Turns out there is some reason to be concerned about BPA in plastics. BPA was first studied as a synthetic estrogen and is now combined with other ingredients to create many of the clear plastics used today. However, not all of the BPA is locked into chemical bonds, so some of it can leach out, especially when heated.

The question then becomes, what level of human safety is there for BPA and what should you do about it? Well, there is a recent rebuke of the FDA methodology that seems to be the most arresting information to date.

Panel Rebukes F.D.A. on Plastic Safety - Well Blog - NYTimes.com, with a link to the PDF written by the panel of scientists. They found several problems with the FDA methodology.

Bottom line: Infants should not directly use BPA plastics but whether there are effects in larger, more developed adults, is unknown.

Myth #1: Avoid all plastics that have #7 on the bottom. As this note on the Nalgene website points out, the reality is a bit more complex than that:

What does the #7 represent?

The #7 recycling label is a catchall indicator for plastics made with a resin other than those in the #1 to #6 designations, or made of more than one resin. The #7 category not only includes polycarbonate, but also includes compostable plastics made of organic material and other types of plastic that do not necessarily contain BPA (Bisphenol-A). For example, our new Everyday™ line manufactured with Eastman's Tritan™ copolyester is a #7, but does not include BPA.

So be cautious of older #7 plastics, but new plastics will most likely be marketed specifically as "BPA free" so that you will know whether that bottle is okay.

Recent information from a trusted scientific publication, Scientific American:
Just How Harmful Are Bisphenol-A Plastics?: Scientific American

Information from a blog that has a great name:
Some older information from earlier in the year, with lots of timelines from around April 2008, when things started happening: Nalgene reluctantly pulled its BPA products, and Canada was on the verge of declaring BPA a toxin.

Bisphenol A (BPA) information

But beware of the plastics council and other misinformation out there, as this blog posting points out:

Dept. of Propaganda: BPA Facts.org | SierraDescents Blog

Monday, December 22, 2008

Trouble selling your home? St. Joseph to the rescue!

But you have to be a believer or it won't work. Well, even then it won't work.

I wonder what kind of anti-scientific process led someone to postulate that it isn't enough to just _pray_ to St. Joseph -- no -- you have to
a) make a mini-me version of him,
b) bury him in your yard, and
c) oh, don't forget the most important part -- bury him _upside down_.

Funny how products you buy on TV from hacks come with a supposed "Guaranteed to work or your money back" promise, yet religious cruft from the local "Christian Supply" store doesn't... Think about it...

Some homeowners resort to outside help to sell their property: Consumer Reports Home & Garden Blog