<p>tg: http://tg.gstaedtner.net/</p>
<p><strong>Connecting to an HTTP/2-enabled webserver using Firefox</strong> (Thomas Gstaedtner, 2016-04-13T20:32:33+02:00)</p>
<p>Even though this website [and the other sites hosted on this server] isn't very sensitive, I try to maintain the highest possible security by using up-to-date and secure software, as well as strong ciphers for the connection.
After all, it's nobody's business what you read here, but yours.</p>
<p>I also try to use new technology whenever possible, so it makes sense that I offer HTTP/2 connections.</p>
<p>Unfortunately, it turns out that combining the two isn't always as easy as it should be.
My nginx cipher suite is configured as follows:</p>
<p><code>ssl_ciphers ECDH+AESGCM:ECDH+AES256:!AES128:!DH:!RSA:!3DES:!aNULL:!MD5:!DSS;</code></p>
<p>This is generally considered close to ideal security [let me know if you disagree], so I figured it should work with HTTP/2 - which emphasizes security greatly - without any problems.</p>
<h1>The issue</h1>
<p>Unfortunately, I was wrong. After enabling HTTP/2 in nginx, Firefox failed to connect to the server.
Even worse, it did not display an error message, log an error to the console, or show any issue in the network debugger.</p>
<p>It turns out that I had missed that the HTTP/2 standard has a <a href="https://tools.ietf.org/html/rfc7540#section-9.2.2">hard requirement on AES-128 support, specifically <code>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</code></a>.
Apparently Firefox does not yet support AES-256 in GCM, which should also allow a connection.</p>
<p>Partially at fault is my not-very-explicit specification of ciphers in the nginx config, because it is non-obvious that ECDH+AESGCM will be only AES-256 if AES-128 is disabled.</p>
<h1>The fix</h1>
<p>The issue can be easily fixed by re-enabling AES-128, for example as follows:</p>
<p><code>ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!DH:!RSA:!3DES:!aNULL:!MD5:!DSS;</code></p>
<p>Now Firefox can connect just fine, even if that means a slight downgrade in SSLLabs' SSL Server Test.
It will still get an A+ though and AES-128 certainly isn't problematic by itself.</p>
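<p>An added example (not from the original post): Python's <code>ssl</code> module hands the string to the same OpenSSL cipher-list parser that nginx's <code>ssl_ciphers</code> uses, so both strings from this post can be expanded and checked for the suite HTTP/2 requires. The function names and the name-based <code>h2_permitted</code> rule of thumb are assumptions of this example, and the exact suite list depends on the local OpenSSL build.</p>

```python
import ssl

# Cipher strings copied from the post's nginx config (before and after the fix).
ORIGINAL = "ECDH+AESGCM:ECDH+AES256:!AES128:!DH:!RSA:!3DES:!aNULL:!MD5:!DSS"
FIXED = "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!DH:!RSA:!3DES:!aNULL:!MD5:!DSS"

# OpenSSL's name for TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, the suite that
# RFC 7540 section 9.2.2 requires HTTP/2 deployments on TLS 1.2 to support.
H2_MANDATORY = "ECDHE-RSA-AES128-GCM-SHA256"


def expand(cipher_string):
    """Return the TLS <= 1.2 suite names the local OpenSSL selects for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are not controlled by this string, so leave them out.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def h2_permitted(names):
    """Approximate the RFC 7540 Appendix A blacklist by suite name (assumption:
    this is a rule of thumb, not the RFC's literal list). HTTP/2 wants an
    ephemeral key exchange combined with an AEAD cipher."""
    ephemeral = ("ECDHE-", "DHE-")
    aead = ("GCM", "CCM", "CHACHA20")
    return [n for n in names
            if n.startswith(ephemeral) and any(tag in n for tag in aead)]


def audit(cipher_string):
    """Summarise what a cipher string offers from an HTTP/2 point of view."""
    names = expand(cipher_string)
    return {
        "suites": names,
        "h2_permitted": h2_permitted(names),
        "has_h2_mandatory": H2_MANDATORY in names,
    }


if __name__ == "__main__":
    for label, string in (("original", ORIGINAL), ("fixed", FIXED)):
        report = audit(string)
        print(f"{label}: mandatory HTTP/2 suite offered: {report['has_h2_mandatory']}")
        for name in report["suites"]:
            mark = "h2 ok " if name in report["h2_permitted"] else "h2 bad"
            print(f"  [{mark}] {name}")
```

<p>With the original string, the only suites left that HTTP/2 permits are AES-256 ones, which is exactly the set the post says Firefox could not negotiate.</p>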
<p>I filed a <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1264379">bug</a> at Mozilla anyway, because I think Firefox should at least allow you to see what's going wrong without running Wireshark.
Hopefully this article will save you some time should you run into the same issue.</p>
<p><strong>Blogofile -&gt; Pelican</strong> (Thomas Gstaedtner, 2014-03-02T01:44:11+01:00)</p>
<p>After running Blogofile for <em>four</em> years (who knew it was that long with the little posting I've done :) and getting less done with it than I hoped, I finally decided to move on again.
The main reason is that <a href="http://www.blogofile.com/" title="Blogofile">Blogofile</a> is basically unmaintained and writing custom controllers was harder than it should be (and documentation clearly lacking).</p>
<p>So I looked around for alternatives and found surprisingly few that were interesting to me.
The requirements were:</p>
<ul>
<li>simple static blog compiler</li>
<li>solid templating engine</li>
<li>python</li>
<li>markdown support</li>
</ul>
<p>The only one that fit well was <a href="https://github.com/getpelican/" title="Pelican">Pelican</a> so I decided to give it a go.
Migrating was surprisingly straightforward and done in basically half a day (that includes understanding Pelican, porting the CSS, moving all posts over, and implementing every missing feature I used to have in Blogofile in the Pelican templates).</p>
<p>I'm not 100% happy, but so far Pelican seems nice enough, everything works (even better than before).
A few of the problems I have:</p>
<ul>
<li>the design seems unnecessarily complicated, compared to Blogofile</li>
<li>the error handling is quite poor, it is basically impossible to get useful error messages</li>
<li>the documentation could be better (still much better than Blogofile though)</li>
<li>the performance is a bit poor (but acceptable)</li>
</ul>
<p>However, there are also positive points:</p>
<ul>
<li>development seems quite active</li>
<li>jinja2 is a nice templating engine</li>
<li>there are a lot of modules</li>
<li>powerful features</li>
<li>AGPL licensed</li>
</ul>
<p>So all in all I'm happy with my choice, let's see if it stays that way.
To get started, I wrote a tiny deployment tool (in zsh script) that might be useful for others - as everything on here, it is of course <a href="https://gitorious.org/tg/blog-layout/source/ba811653829c6c79de40508c40ac34484b71d5d8:pelitool.zsh" title="pelitool.zsh">publicly available</a>.</p>
<p>Custom modules are planned next.</p>
<p>By the way, in case you're wondering: yes, it looks pretty much exactly like the old site, the CSS was easy to port.
Also, I finally fixed the mobile view, it is now as fully functional as the desktop site.</p>
<p><strong>Terminology, Enlightenment's fancy new terminal emulator</strong> (Thomas Gstaedtner, 2013-01-29T02:30:00+01:00)</p>
<p>Some of you might still know or even use Eterm, a neat terminal emulator that came out back when e16 was still new.
For a long time there has been nothing new in this area, but Raster apparently found the muse to write another one, based on the Enlightenment Foundation Libraries.</p>
<p>Anyway, I don't need to tell you why you should use it, let me just show you :)</p>
<p>The first one shows a version that is some weeks old, with the basic cool features:
<video width="100%" controls="controls">
<source src="//gstaedtner.net/videos/linux/terminology_overview.webm" type="video/webm" />
Your browser does not support the video tag.
</video></p>
<p>The second video shows the new tcat (which within some hours has been renamed to tycat due to a naming conflict) tool to make more practical use of the features:
<video width="100%" controls="controls">
<source src="//gstaedtner.net/videos/linux/terminology_tcat.webm" type="video/webm" />
Your browser does not support the video tag.
</video></p>
<p>More cool things will certainly come (some I didn't showcase are already there).</p>
<p>Now for the bad news, and the actual reason I wrote this post (the videos I had lying around anyway):
Only Terminology 0.2 has been released so far, and a lot of features are broken in this one and have been fixed since. The new versions from SVN only run on EFL 1.8 though, which will not be released for some months.</p>
<p>So for you to build it anyway, here's a Quick'n'Dirty patch. The tiling/split-screen feature will still be broken (it needs Elementary 1.8), however all other cool features which don't work in 0.2 work now and also on 1.7 with the patch:</p>
<p><a href="http://gstaedtner.net/patches/terminology_work_on_17.patch">http://gstaedtner.net/patches/terminology_work_on_17.patch</a></p>
<p><strong>Trust issues (and the web), 03 - Convergence</strong> (Thomas Gstaedtner, 2011-09-23T01:00:00+02:00)</p>
<p>In a <a href="http://tg.gstaedtner.net/2011/09/05/trust-issues-(and-the-web)">previous post</a> I promised that I would check out some of the solutions that promise a safer and thus better web.</p>
<p>This is part two, <a href="http://convergence.io/">Convergence</a>.</p>
<h3>How does it work?</h3>
<p>Convergence replaces the certificate authorities (CAs) traditionally used in SSL with independent, distributed authorities called <em>notaries</em>.</p>
<p>It totally ignores the CA that issued a site's certificate and instead checks the certificate against all activated notaries.
These can be added, removed or disabled according to personal preference;
so you don't have to trust a bunch of faceless corporations which are each a SPOF in the whole concept(!), but can instead trust a number of notaries working together.</p>
<p>This can be one of your own servers in your LAN (providing no MITM security towards the internet), another one of your servers reachable over the internet, and the servers of people or organizations you may or may not trust all over the world.</p>
<p>Then you can decide if it is enough for you if only one notary validates the requested certificate - bad idea, perhaps even a little worse than the CA system.
However, the default is to require a majority validation. This means every active notary will be checked and if most of them (to be exact, the simple majority) validate, Convergence accepts the certificate.
The last option is to only accept absolute consensus of all notaries, which makes authentication fail if one notary either gets the wrong certificate or is not reachable.</p>
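<p>The three acceptance policies described above, modelled as an added example. This is not Convergence's code or wire protocol: the function names, the five notaries and the fingerprints are constructed for illustration, and an unreachable notary is assumed to count as "did not validate".</p>

```python
import hashlib
from enum import Enum


class Policy(Enum):
    ANY = "any one notary"
    MAJORITY = "simple majority"
    CONSENSUS = "absolute consensus"


def fingerprint(cert_bytes):
    """SHA-256 fingerprint used to compare what client and notaries saw."""
    return hashlib.sha256(cert_bytes).hexdigest()


def accept(policy, seen_by_client, notary_views):
    """Decide whether the certificate the client received is accepted.

    notary_views maps a notary name to the fingerprint that notary observed
    for the site, or None if the notary could not be reached.
    Assumption: an unreachable notary counts as a non-validating vote.
    """
    votes = [fp is not None and fp == seen_by_client
             for fp in notary_views.values()]
    if not votes:
        return False  # no active notaries: nothing vouches for the certificate
    yes = sum(votes)
    if policy is Policy.ANY:
        return yes >= 1
    if policy is Policy.MAJORITY:
        return yes > len(votes) / 2
    return yes == len(votes)  # Policy.CONSENSUS


# Constructed sample data: stand-ins for certificate bytes, not real certificates.
GOOD = fingerprint(b"constructed: the site's real certificate")
FORGED = fingerprint(b"constructed: certificate presented by an interceptor")


def views(**overrides):
    """Five hypothetical notaries that all see GOOD unless overridden."""
    base = {f"notary{i}": GOOD for i in range(1, 6)}
    base.update(overrides)
    return base


SCENARIOS = {
    "all notaries agree with client": (GOOD, views()),
    "one notary unreachable": (GOOD, views(notary5=None)),
    "client path intercepted": (FORGED, views()),
    "client path intercepted, one notary also sees forgery":
        (FORGED, views(notary1=FORGED)),
}


def evaluate():
    """Return {scenario: {policy name: accepted?}} for every combination."""
    return {name: {p.name: accept(p, seen, notaries) for p in Policy}
            for name, (seen, notaries) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name}: {result}")
```

<p>The last scenario shows why the single-notary setting is the weak one: a single notary that sees the same forged certificate is enough to accept it, while majority and consensus both reject.</p>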
<h4>Upsides</h4>
<ul>
<li>totally bypasses the CA system with all its issues</li>
<li>makes self-signed certificates fun!</li>
<li>totally user-configurable</li>
<li>usually fast</li>
</ul>
<h4>Downsides</h4>
<ul>
<li>addon needed (could change if browser vendors adopt the concept)</li>
<li>first-time-configuration needed (add notaries - could change if browser and os vendors included a basic few)</li>
<li>can cause slight delays if one of the notaries is slow</li>
</ul>
<h3>Conclusion</h3>
<p>I think Convergence is a great idea.</p>
<p>The concept is well thought out, the implementation is solid and a pleasure to use.
Even usually painful self-signed certificates work like a charm because Convergence doesn't care about CAs.
You are always in control, which of course means you have to make sure you have a number of notaries that can be trusted.</p>
<p>Of course everything is open source and so far the addon as well as the notary-server are constantly under (very active) development.
It is easy and reasonable to run your own notary, for yourself or for others. It is largely written in Python, and light on (very reasonable) dependencies, so if you feel like participating, I don't see any reason why not.</p>
<p>Long story short: great concept, great implementation: get it!</p>
<p><strong>Trust issues (and the web), 02 - Web Of Trust</strong> (Thomas Gstaedtner, 2011-09-11T18:00:00+02:00)</p>
<p>In my <a href="//tg.gstaedtner.net/2011/09/05/trust-issues-(and-the-web)">last post</a> I promised that I would check out some of the solutions that promise a safer and thus better web.</p>
<p>Let's start with <a href="http://www.mywot.com/">Web Of Trust</a> (WOT).</p>
<p>In contrast to some of the other things I plan to take a closer look at, WOT is not related to transport security or any cryptographic methods to ensure site integrity.</p>
<p>It actually works like <a href="http://en.wikipedia.org/wiki/Mandatory_access_control">Mandatory Access Controls (MAC)</a> with a user-centric (as opposed to a system-centric) approach.</p>
<h3>How does it work?</h3>
<p>WOT is a combination of client-side software, usually a browser plugin (who would have guessed :P), and a central database that contains per-domain ratings, provided by users as well as "trusted sources".
The latter are (well-known) security sources, such as blacklists from security vendors, and similar material.</p>
<p>The browser plugin, which exists at least for Firefox and Chrome, is available under GPLv3.
It checks every domain that is either queried or linked to against the WOT central database and acquires a rating based on the previously mentioned sources.</p>
<p>Feedback is given to the user via an easily visible graphical indicator (green = good, yellow = so-so, red = bad, grey = no rating yet), as well as a warning dialog (by default) that shows up on untrusted sites.</p>
<p>It can also be set to block access to unwanted sources, e.g. as a porn-filter.</p>
<p>The ratings are based on an algorithm, partially comparable to mechanisms such as Google's PageRank: it doesn't only count and divide the ratings to generate an average; instead different sources have different weights, and if there are only a few ratings and maybe not the most credible ones, no general rating is given at all.</p>
<h4>Upsides</h4>
<ul>
<li>users can easily decide if a site might be trouble</li>
<li>very little performance impact</li>
<li>very practical and easily usable</li>
<li>good protection against malicious-by-design sites</li>
</ul>
<h4>Downsides</h4>
<ul>
<li>does not prevent any serious attacks (MITM and Co.)</li>
<li>does not confirm the authenticity of sites</li>
<li>does not detect compromised sites</li>
<li>serious privacy impact: every domain is transmitted to the WOT servers</li>
</ul>
<h3>Conclusion</h3>
<p>All in all, I'd say WOT can be very helpful.</p>
<p>However, you really should consider if the service is worth the loss of privacy, as every domain is transmitted to WOT servers along with your IP which makes you relatively identifiable.
This usually happens only once per domain, as it is cached afterwards; also, only the domain, not the URL, is transmitted. You should take into account that your IP and all domains you access are logged on the route multiple times anyway, at your ISP at first, but at several routing points as well - so this is clearly a cost-benefit equation you have to do for yourself.</p>
<p>I would however recommend this service to each and every user that has trouble detecting which sites are bad; that includes subscription traps (largely a German problem I guess, here called "Abofalle"), and freeware download sites. I think here the downsides are clearly negligible, so I would - and will - recommend this to people like my mother.</p>
<p>Lastly, the company behind WOT is in legal trouble with some US companies which claim that the algorithm behind the WOT rating is flawed. This is, in my opinion, the proof that the algorithm works pretty well. If hosters of dubious sites use the courts, it generally means they haven't found an easy way to manipulate their ratings.
And as the "crowd" ratings get the higher weight, no source credible enough to improve one's rating can be bought.</p>
<p><strong>Trust issues (and the web)</strong> (Thomas Gstaedtner, 2011-09-05T18:30:00+02:00)</p>
<p>The last couple of days, a company named <a href="http://en.wikipedia.org/wiki/DigiNotar">DigiNotar</a> was in the news for issuing fake SSL certificates. I don't need and want to go into details, but what was clear before has now officially been proven big time: the whole trust concept of SSL certificates, and with it a cornerstone of HTTP security, does not work and thus is completely worthless.
The sad thing is that this is the <em>only</em> HTTP/web security system supported on a large scale to this day.</p>
<p>Overall the concept of trusting a handful of companies out of good will is just <em>stupid</em>.
Each and every one of them is very susceptible to single hackers or small groups of hackers, not to mention foreign agencies and more importantly local agencies with proper funding or even a "legal" way to mess with certificates.</p>
<p>So, what is a solution that works? Learn from filesharing.
To this day a lot of filesharing networks have been put down due to the SPOF nature they share with the CA companies.
A single target which can compromise the whole network and system.
What followed was decentralization - and with so many other systems (from network architecture over source code management and storage systems) that prove how good this works, this clearly is the way to go.</p>
<p>So what's out there to accomplish this? Sadly: nothing that works out-of-the-box and/or everywhere.
But there are some concepts:</p>
<ul>
<li><a href="http://www.mywot.com/">Web Of Trust</a>, closely related to GPG/PGP</li>
<li><a href="http://convergence.io/">Convergence</a>, a Firefox plugin to allow a completely decentralized web of trust</li>
</ul>
<p>Sadly, all of those come with some effort and are not available for every browser, let alone on every machine.
I will evaluate these and probably other solutions in the near future, and report back.</p>
<p>Update: I forgot to mention this before: the whole situation is actually <em>that bad</em> that Google decided to <em>hard-code</em> certificates (or probably their fingerprints) <a href="http://dev.chromium.org/sts">in Chrome</a>, something <a href="http://noscript.net/">NoScript</a> apparently does, too.
This is a horrible concept, but it seems the only way to make the CA system work as it is.</p>
<p>Of course, in the long run, it would mean that <em>every single certificate</em> would have to be hard-coded in <em>every single browser(engine)</em> and every CA would have to be distrusted. Certainly no system that is desirable.</p>
<p><strong>Blackburn Flea Review</strong> (Thomas Gstaedtner, 2011-04-03T19:00:00+02:00)</p>
<p>I usually don't like to do product reviews, but I find the following deserves one because of the misconceptions it is facing.</p>
<p>I recently bought <em>Flea</em> bike lights by <em>Blackburn</em>. In fact, I bought a set a while ago already, but I lost one of the lights.
This is easier than I thought because those things are damn tiny, and I'm not even sure if I lost it on the bike or somewhere else.</p>
<p>As I was pretty happy with the devices, I decided to replace the missing one and got myself a new set; this time the 2011 edition, in contrast to the 2009 one I had before.</p>
<h2>General</h2>
<p>There are two main differences introduced in 2010 and 2011: the USB-Charger was introduced in 2010 and replaces the included battery-charger, so you can recharge the lights on any 5V DC power supply over a USB port. New in 2011 is an additional LED under the lights' buttons that shows the charging state.</p>
<p>Here's a picture showing the new USB-Charger on the left and the old battery charger (that can be attached by magnets to any standard battery) on the right:
<img alt="Chargers" src="//gstaedtner.net/images/cache/bike/flea/chargers_connected_595.jpg" /></p>
<p>The chargers attach to the devices by 2 magnetic pins that are quite strong, so you can safely put it in any USB port without fearing it might fall off, and you can attach any battery without having to care if the contacts are attached right. What's really amazing, however, is that the charging electronics are <strong>inside</strong> the lights' housings, so you can use any DC source from about 1 to 5 V without any additional electronics. It even allows attaching a solar panel with USB connector (Blackburn themselves offer one, but there's a ton of other similar devices on the market).
With the 2011 edition the new colored LEDs indicate the battery status and also when charging is complete.</p>
<h2>Attachment</h2>
<p>Here's the complete set including straps and USB Charger: <img alt="Flea Set" src="//gstaedtner.net/images/cache/bike/flea/set_complete_595.jpg" /></p>
<p>As you can see on the pictures, the back-light has a clip that is not only used to attach it to one of the straps, you can also clip it to a belt or backpack which I find useful (great if you have a big backpack that might hide a light attached to the saddle, or if you're hiking without a bike at all).
If you pull the strap tight enough, it works well and you can attach the light safely, and it stays in place.</p>
<p>The front light has no clip, only a rail for the strap. Here too, it has to be pulled tight so the light stays in place. It doesn't hold nearly as well as a proper hard mount, but due to the low center of gravity and the light weight it usually stays in place well enough.</p>
<h2>Light</h2>
<p>Every light has a couple of modes:</p>
<p>For the front light, it is <em>normal</em>, <em>high</em>, <em>flashing</em>, <em>off</em>, toggled through repeated pressing of the button.
The back light has <em>normal</em>, <em>flashing</em>, <em>chase</em> and <em>off</em>.</p>
<p>The normal mode is usually good to be seen and to light the road if it's not totally dark. In the high setting it is surprisingly bright and well enough to see in total darkness.
Of course it doesn't compare <strong>at all</strong> to 20 times as big, 40 times as heavy and 5 times as expensive lights with multi-Watt LEDs and so on, but it a) doesn't claim so and b) isn't made for that.
I've seen a number of reviews and opinions that state that the Flea sucks, because it isn't as bright as their 200 EUR lamp with a 1 kg heavy battery pack - if you expect that, move along and get real.
If you drive in darkness for several kilometers every day and don't want to charge twice a week, these lights aren't for you.
If you bike for fun and need a pair of good, light and practical lights, or just a backup light, try the Flea.</p>
<p>I've made some photos in total darkness, no artificial light (besides the Flea) around, no moon and clouded sky without stars, to give you an impression how bright the lights are.
The pictures are <strong>slightly</strong> overexposed, so they seem a little brighter than they actually are, but it still is close to how you actually would see it:
<img alt="Front light" src="//gstaedtner.net/images/cache/bike/flea/action_front_595.jpg" />
<img alt="Back light" src="//gstaedtner.net/images/cache/bike/flea/action_rear_595.jpg" /></p>
<h2>Conclusion</h2>
<p>I guess people like pro/con lists (at least I do), so here it comes:</p>
<p><strong>Pro</strong></p>
<ul>
<li>Tiny</li>
<li>Light</li>
<li>Bright (for the size)</li>
<li>Long battery life (for the size)</li>
<li>Innovative charging concept</li>
</ul>
<p><strong>Con</strong></p>
<ul>
<li>Not allowed as only lights (in Germany)</li>
<li>No hard mount available</li>
<li>A little bit on the pricey side</li>
</ul>
<p>As usual, more pictures in <a href="http://gstaedtner.net/images/index.php?album=machines/panda">my gallery</a>.</p>
<p><strong>Here comes the Panda</strong> (Thomas Gstaedtner, 2011-03-10T19:00:00+01:00)</p>
<p>Some days ago my Pandaboard finally arrived!</p>
<p>Currently Digikey is still the only reseller for it and it seems they have been permanently out of stock since the Pandaboard went on sale.
Anyway, over a month ago I decided to just order it, even though I didn't really have enough time for it, because it seemed it could take some months.</p>
<p>Anyway, now it is here, as usual delivered by FedEx in the blink of an eye.
They did not even charge the usual import fees (EUSt) - it probably did not actually go through customs as a development kit.</p>
<p>As everyone seems to do unpacking pictures, videos and so on, I don't bother, but there are some nice pictures of the device in <a href="http://gstaedtner.net/images/index.php?album=machines/panda">my gallery</a>.
<img alt="Mr. Panda in the Wild" src="//gstaedtner.net/images/cache/machines/panda/front01_595.jpg" /></p>
<p>Anyway, it comes in a box and is very lonely because there is nothing else in it (which is good!).</p>
<p>You just need a 5V power supply to get it running - according to the wiki it should even be possible to get power over the mini-USB port, though I haven't tried that yet.</p>
<p><strong>27c3</strong> (Thomas Gstaedtner, 2010-12-31T14:25:00+01:00)</p>
<p>I'm currently sitting in the train from Berlin to Nuremberg, so I got some time to catch up here.</p>
<p>The reason I was in Berlin was, as every year, the <a href="http://events.ccc.de/congress/2010">Chaos Communication Congress</a>.
Unfortunately I couldn't go by car, as I normally do, so I decided to travel by train, to spare me the pains of security checks at the airport (especially because I had quite some electronics and so on with me).
But thinking back, this would have spared me quite some waiting time and other annoyances. On the way to Berlin my train came about 30 minutes late, not to my surprise, so I could live with it. But when it came in, I noticed that the train was only half the length, missing some wagons, including the one I had a reservation in.
Luckily I could still get a seat, so no complaints. Anyway, because of the cold weather, the train had to come to a stop only a few kilometers before arriving in Berlin, and even had to turn and take another route to arrive there. In the end, I had over 2 hours delay.</p>
<p>Now, on the way back, my train, including reservation of course, was cancelled, so I had to take the next one over an hour later. Now over the distance it gathered another 15-20 minutes delay, so let's see when - or if - I will arrive in Nuremberg.
Well, at least I should get a 50% return for the hassles.</p>
<p>But let's come to the nice part of the journey: the congress itself.</p>
<p>After finally arriving, far later than expected, I had a drink (or two) with a mate who couldn't make it to the C3, glad that it worked out, because I'm clearly not often enough in Berlin.
On the next day the congress started; as usual we set up our stuff at our table in the hackcenter, as always the basement where you can never tell what time it is. :)</p>
<p>But let's come to the talks first. If you want to see all the talks, just check out the <a href="http://events.ccc.de/congress/2010/Fahrplan">Fahrplan</a>, you can also <a href="http://events.ccc.de/congress/2010/wiki/Documentation">watch the recordings</a>. I on the other hand will only tell you about the talks I've seen and found interesting.</p>
<h2>Day 1</h2>
<p>The first highly interesting talk was titled <a href="http://events.ccc.de/congress/2010/Fahrplan//events/4060.en.html">SMS-o-Death</a>. It covered vulnerabilities in the implementations of the GSM short text message feature, mainly in so-called featurephones. I won't tell you more, because if you're at all interested in the topic, you should really watch the recording.</p>
<p>The next talk I watched was <a href="http://events.ccc.de/congress/2010/Fahrplan//events/4094.en.html">Netzneutralität und QoS - ein Widerspruch?</a>. It's in German, so no point in watching if you don't understand it.
It basically was a podium discussion between a few people (and later with audience participation) about how the technical advantages of QoS can be used without making net neutrality impossible.
Anyway, even though this was moderated and transmitted by one of the bigger and better information radio stations in Germany, the <a href="http://www.dradio.de/dlf/">DLF</a>, I didn't find it particularly interesting nor very helpful and I doubt that it brought the results that all involved parties hoped for.</p>
<p>Even though I didn't intend to at first, it was brought to my attention that the talk <a href="http://events.ccc.de/congress/2010/Fahrplan//events/4017.en.html">Desktop on the Linux...</a> (yeah, odd title) turned out to be interesting after all.
The concept of the talk was a guy ranting about current and coming desktop technologies on Linux, from consolekit to gdm, but what he probably didn't expect: Lennart Poettering, a RedHat employee, was in the audience and decided to jump into the rant as the opposite pole. If you don't know Lennart: he's a major engineer of many current technologies on Linux and other unix-alike systems, being responsible for backends from systemd to pulseaudio. Even though the -- let's call him "ranter" :), datenwolf, had some points, and I agreed more often than not, he had no chance against Lennart rhetorically, so it probably didn't go as he expected, either. Anyway, if you find that interesting and always wanted to know what $(random-string)-kit is for, watch the - rant? discussion? Whatever. :)</p>
<p>The last talk on this day was the most surprising. It doesn't happen all too often that Microsoft sends a speaker to CCC events. And you certainly wouldn't expect that the audience would be that positive. Anyway, <a href="http://events.ccc.de/congress/2010/Fahrplan//events/4245.en.html">Stuxnet</a> is a very interesting topic, and Microsoft's Bruce Dang does not only seem to know well what he's doing, he's also a great speaker. So all in all it was one of the best talks at the congress and there is just no reason you shouldn't watch it. If you're still not hooked: Bruce had to admit that he uses Linux (well, at least from time to time) :P</p>
<p>That was it for Day 1, I will talk about the other talks and other cool things the next days.</p>