Ongoing SSH scans until April 29th, 2013

You might have found this article because we have scanned your SSH server - welcome to our site, and apologies in advance if we have disturbed your network activities! If you want to be blacklisted, please reply to the abuse address in the WHOIS or write straight to our LIR abuse address. Please note that we are not affiliated with LRZ Munich, which operates the Munich Research Network.

Announcing OONIBear and Crossbear 2.0

We have released the first implementation of Crossbear v1.5 for OONI - nicknamed OONIBear. Check it out on GitHub. There are a few known issues, and we will continue to develop the software. The scheduled full release is September 2013. OONIBear is supported by a grant of the Information Security Coalition.

Videos and slides from our talks at 29C3

We gave two talks at 29C3. You can find videos and slides here:

Acknowledging a new round of SSH scans, starting 2013-01-04

We started a new IPv4-wide SSH scan 12 hours ago. This is the same kind of scan that we conducted in September, November and December. Once again, the purpose is purely scientific. The scanning machine is 188.95.234.6.

It is not infected, nor is an attack intended (we do not attempt to log in; in fact, we send the most harmless username ever). However, this is a large-scale scan, which we expect to last about a week.

If you feel we should not scan you, we are happy to add you to our blacklist. Please drop us a mail: pki AT net.in.tum.de.

Crossbear goes SSH

We will present a Proof-of-Concept implementation of CrossbearSSH in (at least) a Lightning Talk at 29C3 - see us there on Dec 28th, 12:55 UTC+1. CrossbearSSH is currently a pure notary (we still need to add the hunting feature). We host the server component on our infrastructure, and provide a patch for OpenSSH for live querying the notary during the SSH handshake. Note, however, that the live notary is not beyond PoC status at the moment - meaning the code works, but very little attention has been paid to security.

Acknowledging a new round of SSH scans starting 2012-12-18 01:00 UTC+1

Our team at the Network Architectures and Services Dept. (I8) of TU München, Germany, is going to start an IPv4-wide SSH scan in about 12 hours. This is the same kind of scan that we conducted in September and November. Once again, the purpose is purely scientific.

The scanning machine is 188.95.234.6.

It is not infected, nor is an attack intended (we do not attempt to log in; in fact, we send the most harmless username ever). However, this is a large-scale scan, which we expect to last about a week.

New survey by Nadia Heninger, Zakir Durumeric et al. (updated)

Nadia Heninger and her team have finally published their survey at www.factorable.net. I have read it quite thoroughly now, and it seems very complete (and terrific) work. The most important observation to me is that they can explain why weak RSA SSH keys occur, which makes Lenstra et al.'s hypothesis much more unlikely (I also thought there was a leap in their argument). It's all down to weak entropy in embedded devices, as they have already pointed out in their blog post from February.

Crossbear accepted at ESORICS 2012 (UPDATE)

Our paper has been accepted for ESORICS 2012. The PDF is available now. Here is the abstract.

Berlinsides slides online as one PDF

Here are the slides as one PDF.

Release of Crossbear

Following Trustwave's admission of having issued certs that can be used as subordinate CAs, and thus as the necessary ingredient in transparently monitoring SSL connections, and also the recent Verisign breach, we have decided to make Crossbear available as of now. The main functionality is all there.
