Jun 05 2015

why pay twice?

Yesterday’s Independent newspaper reports that HMG has let a contract with five companies to monitor social media such as Twitter, Facebook, and blogs for commentary on Government activity. The report says:

“Under the terms of the deal five companies have been approved to keep an eye on Facebook, Twitter and blogs and provide daily reports to Whitehall on what’s being said in “real time”.

Ministers, their advisers and officials will provide the firms with “keywords and topics” to monitor. They will also be able to opt in to an Orwellian-sounding Human-Driven Evaluation and Analysis system that will allow them to see “favourability of coverage” across old and new media.”

This seems to me to be a modern spin on the old press cuttings system which was in widespread use in HMG throughout my career. The article goes on to say:

“The Government has always paid for a clippings service which collated press coverage of departments and campaigns across the national, regional and specialist media. They have also monitored digital news on an ad hoc basis for several years. But this is believed to be the first time that the Government has signed up to a cross-Whitehall contract that includes “social” as a specific media for monitoring.”

Apart from the mainstream social media sites noted above, I’d be intrigued to know what criteria are to be applied for including blogs in the monitoring exercise. Some blogs (the “vox populi” types such as Guido Fawkes at order-order) will be obvious candidates. Others in the traditional media, such as journalistic or political blogs, will also be included, but I wonder who chooses the rest, and by what yardsticks. Would trivia be included? And should I care?

According to the Independent, the Cabinet Office, which negotiated the deal, claim that even with the extended range of monitoring by bringing individual departmental contracts together they will be able to save £2.4m over four years whilst “maximising the quality of innovative work offered by suppliers”.

Now since the Cabinet Office is reportedly itself facing a budget cut of £13 million in this FY alone, it strikes me that it would have been much more cost effective to simply use GCHQ’s pre-existing monitoring system rather than paying a separate bunch of relative amateurs to search the same sources.

Just give GCHQ the “keywords” or “topics of interest”. Go on Dave, you know it makes sense.

Permanent link to this article: http://baldric.net/2015/06/05/why-pay-twice/

Jun 02 2015

de-encrypting trivia

Well, that didn’t last long.

When I decided to force SSL as the default connection to trivia I had forgotten that it is syndicated via RSS on sites like planet alug. And of course as Brett Parker helpfully pointed out to me, self-signed certificates don’t always go down too well with RSS readers. He also pointed out that some spiders (notably google) would barf on my certificate and thus leave the site unindexed.

So I have taken off the forced redirect to port 443. Nevertheless, I would encourage readers to connect to https://baldric.net in order to protect their browsing of this horribly seditious site.

You never know who is watching……..


Permanent link to this article: http://baldric.net/2015/06/02/de-encrypting-trivia/

Jun 01 2015

encrypting trivia

In my post of 8 May I said it was now time to encrypt much, much more of my everyday activity. One big, and obvious, hole in this policy decision was the fact that the public face of this blog itself has remained unencrypted since I first created it way back in 2006.

Back in September 2013 I mentioned that I had for some time protected all my own connections to trivia with an SSL connection. Given that my own access to trivia has always been encrypted, any of my readers could easily have used the same mechanism to connect (just by using the “https” prefix). However, my logs tell me that very, very few connections other than my own come in over SSL. There are a couple of probable reasons for this, not least the fact that an unencrypted plain http connection is the obvious (default) way to connect. But another reason may be the fact that I use a self-signed (and self-generated) X509 certificate. I do this because, like Michael Orlitzky, I see no reason why I should pay an extortionist organisation such as a CA good money to produce a certificate which says nothing about me or the trustworthiness of my blog when I can produce a perfectly good certificate of my own.

I particularly like Orlitzky’s description of CAs as “terrorists”. He says:

I oppose CA-signed certificates because it’s bad policy, in the long run, to negotiate with terrorists. I use that word literally — the CAs and browser vendors use fear to achieve their goal: to get your money. The CAs collect a ransom every year to “renew” your certificate (i.e. to disarm the time bomb that they set the previous year) and if you don’t pay up, they’ll scare away your customers. ‘Be a shame if sometin’ like that wos to happens to yous…

Unfortunately, however, web browsers get really upset when they encounter self-signed certificates and throw up all sorts of ludicrously overblown warnings. Firefox, for example, gives the error below when first connecting to trivia over SSL.

[Screenshot: Firefox “untrusted connection” warning shown on first connecting to trivia over SSL]

Any naive reader encountering that sort of error message is likely to press the “get me out of here” button and then bang goes my readership. But that is just daft. If you are happy to connect to my blog in clear, why should you be afraid to connect to it over an encrypted channel just because the browser says it can’t verify my identity? If I wanted to attack you, the reader, then I could just as easily do so over a plain http connection as over SSL. And in any event, I did not create my self signed certificate to provide identity verification, I created it to provide an encrypted channel to the blog. That encryption works, and, I would argue, it is better than the encryption provided by many commercially produced certificates because I have specifically chosen to use only the stronger cyphers available to me.

Encrypting the connection to trivia feels to me like the right thing to do. I personally always feel better about a web connection that is encrypted. Indeed, I use the “https everywhere” plugin as a matter of course. Given that I already have an SSL connection available to offer on trivia, and that I believe that everyone has the right to browse the web free from intrusive gratuitous snooping I think it is now way past time that I provided that protection to my readers. So, as of yesterday I have shifted the whole of trivia to an encrypted channel by default. Any connection to port 80 is now automatically redirected to the SSL protected connection on port 443.

Let’s see what happens to my readership.

Permanent link to this article: http://baldric.net/2015/06/01/encrypting-trivia/

May 14 2015

what is wrong with this sentence?

Yesterday the new Government published a press release about the forthcoming first meeting of the new National Security Council (NSC). That meeting was due to discuss the Tory administration’s plans for a new Counter-Extremism Bill. The press release includes the following extraordinary statement which is attributed to the Prime Minister:

“For too long, we have been a passively tolerant society, saying to our citizens: as long as you obey the law, we will leave you alone. “

Forgive me, but what exactly is wrong with that view? Personally I think it admirable that we live in a tolerant society (“passive” or not). Certainly I believe that tolerance of difference, tolerance of free speech, tolerance of the right to hold divergent opinion, and to voice that opinion is to be cherished and lauded. And is it not right and proper that a Government should indeed “leave alone” any and all of its citizens who are obeying the law?

Clearly, however, our Prime Minister disagrees with me and believes that a tolerant society is not what we really need in the UK, because the press release continues:

“This government will conclusively turn the page on this failed approach. “

If tolerance is a “failed approach”, what are we likely to see in its place?

Permanent link to this article: http://baldric.net/2015/05/14/what-is-wrong-with-this-sentence/

May 08 2015

back on topic

Theresa May hasn’t wasted any time. The Independent reports today that Ms May (Home Secretary in the coalition administration) has said that the new Tory administration will bring the Draft Communications Data Bill, previously blocked by the Liberal Democrats, back to the House of Commons with the intention of getting it passed into law. As the Independent also reports, dear Dave, who is, let us say, technically challenged, has in the past expressed the view that no form of communication should be unreadable by the Government. This implies severe restrictions on all forms of encryption.

Given that the Tories now have the majority they lacked in the last administration, it is clear that they will see themselves free to attack the kind of liberties I, and millions like me, enjoy and cherish. The Open Rights Group maintain a wiki devoted to the relevant points of each political party’s manifesto concerning surveillance or other possible attacks on privacy. As they point out, the Tory party is committed to:

  • introducing “new communications data legislation”;
  • scrapping the Human Rights Act;
  • requiring internet service providers to block (certain) sites;
  • enabling employers to check whether an individual is an extremist;
  • requiring age verification for access to all sites containing pornographic material.

There are, of course, huge practical and technical difficulties in implementing much of what the Tories wish to do (consider for example the idiocy of attempting to outlaw VPN technology) but that won’t stop them trying. Indeed, some of the technical difficulties may cause the new administration to bring in mechanisms to get around those problems. An obvious example would be the requirement for key escrow for anyone wishing to use encryption.

Excuse me if I find that unacceptable. Time to encrypt much, much more of my everyday activity from now on.

Permanent link to this article: http://baldric.net/2015/05/08/back-on-topic/

May 08 2015

do not be ordinary

The early results of yesterday’s poll are depressing beyond belief. It looks almost certain that the Tory party will have sufficient seats to form the next government.

I don’t often make party political points here (though my political leanings may sometimes be obvious) but I was reminded today of Neil Kinnock’s heart rending speech in Bridgend, Glamorgan, on Tuesday 7 June 1983, two days before the election in which Margaret Thatcher was returned as Prime Minister.

Kinnock said:

“If Margaret Thatcher wins on Thursday, I warn you not to be ordinary. I warn you not to be young. I warn you not to fall ill. I warn you not to get old.”

Those words resonate even more today than they did 32 years ago. I fear for the old, the poor, the dispossessed, the weak, the young, the sick and yes, indeed, the ordinary people of this country. David Cameron and his cronies both inside and outside Government will now return to the task of dismantling all that is good and admirable about our society. A society should be judged on the way it treats its weakest and less able members. Cameron’s Tories are, at heart, brutal and uncaring. That frightens me.

Permanent link to this article: http://baldric.net/2015/05/08/do-not-be-ordinary/

Mar 30 2015

the russians are back

About four years ago I was getting a huge volume of backscatter email to the non-existent address info@baldric.net. After a month or so it started to go quiet and eventually I got hardly any hits on that (or any other) address. A couple of weeks or so ago they came back. My logs for the weeks ending 15 March, 22 March and 29 March show that 92%, 96% and 94% respectively of all email to my main mail server was failed connection attempts from Russian domains to dear old non-existent “info”. Out of curiosity I decided to capture some of the inbound mails. Most were in Russian, but the odd one or two were in (broken) English. Below is a typical example:

From: “Olga”
To: Subject: Are you still looking for love? Look at my photos!
Date: Thu, 12 Mar 2015 15:22:08 +0300
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331

Sunshine!
Are you still looking for love? I will be very pleased to become your half and save you from loneliness. My name is Olga, 25 years old.
For now I live in Russia, but it’s a bad time in my country, and I think about moving to another state.
I need a safer place for life, is your country good for that?
If you are interested and want to get in touch with me, just look at this international dating site.
Hope to see you soon!
Just click here!

Sadly, I believe that many recipients of such emails will indeed, “click here”. Certainly enough to further propagate whatever malware was used to compromise the end system which actually sent the above email.

Permanent link to this article: http://baldric.net/2015/03/30/the-russians-are-back/

Mar 30 2015

kidnapped by aliens

An old friend of mine has expressed some concern at the lack of activity on trivia of late. In his most recent email to me he said:

“You really should revive Baldric you know. Everyone will believe it if you just say you were kidnapped by aliens, and then you can just resume where you left off.”

So Peter, this one is just for you. Oh, and Happy Birthday too.

Mick

Permanent link to this article: http://baldric.net/2015/03/30/kidnapped-by-aliens/

Dec 24 2014

merry christmas 2014

As I have noted before, 24 December is trivia’s birthday. Since my first post dates from 24 December 2006, today is trivia’s eighth birthday. It seems like only yesterday.

I haven’t posted much in the last few months. I have a lot of material I need to cover, and a backlog of articles I want (or at least wanted) to write so I will endeavour to get back into a writing routine as soon as I can. Meanwhile, since it is yet again christmas time, and it’s trivia’s birthday, I couldn’t let today pass unblogged.

Let’s hope 2015 brings all that you wish for.

Best Wishes

Mick

Permanent link to this article: http://baldric.net/2014/12/24/merry-christmas-2014/

Dec 13 2014

solidarity with the tor project

On Thursday 11 December, Roger Dingledine of the Tor project posted the following email to the “tor-talk” mail list (to which I am subscribed).

I’d like to draw your attention to

https://blog.torproject.org/blog/solidarity-against-online-harassment
https://twitter.com/torproject/status/543154161236586496

One of our colleagues has been the target of a sustained campaign of harassment for the past several months. We have decided to publish this statement to publicly declare our support for her, for every member of our organization, and for every member of our community who experiences this harassment. She is not alone and her experience has catalyzed us to action. This statement is a start.

Roger asked those who deplored on-line harassment (of any person, for any reason) and who supported the Tor project’s action in publicly condemning the harassment of one of the Tor developers to add their name and voice to the blog post.

I am proud to have done so.

Permanent link to this article: http://baldric.net/2014/12/13/solidarity-with-the-tor-project/

Nov 27 2014

independent hit

On trying to reach the website of the Independent newspaper today (the Grauniad is trying my patience of late), I received the following response:

[Screenshot: www.independent.co.uk as shown in Chromium, with a popup]

Closing the popup takes you to this page:

[Screenshot: “Hacked by SEA” page shown in Chromium]

I haven’t checked whether this is simply a DNS redirect or an actual compromise of the Indy site, but however the graffiti was added, it indicates that the Indy has a problem.

Permanent link to this article: http://baldric.net/2014/11/27/independent-hit/

Sep 26 2014

CVE-2014-6271 bash vulnerability

Guess what I found in trivia’s logs this morning?

89.207.135.125 - - [25/Sep/2014:10:48:13 +0100] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 345 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"

I’ll bet a lot of cgi scripts are being poked at the moment.

Check your logs guys. A simple grep ":;}" access.log will tell you all you need to know.
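The log check above written out as a small shell function, added here as an example and not taken from the original post. It scans a combined-format access log for the "() {" function-definition prefix that marks a Shellshock probe in any header field and lists the source addresses with a hit count. The function name shellshock_hits is my own, and the sample log lines are constructed (addresses from the 192.0.2.0/24 documentation range, invented timestamps) to resemble the one quoted above.

```shell
#!/bin/sh
# Added example: find Shellshock (CVE-2014-6271) probes in an access log.
# Constructed sample log: the addresses are from the 192.0.2.0/24
# documentation range and the timestamps are made up.
SAMPLE_LOG=$(cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:48:13 +0100] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 345 "-" "() { :;}; /bin/ping -c 1 192.0.2.99"
192.0.2.20 - - [25/Sep/2014:11:02:40 +0100] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"
192.0.2.10 - - [25/Sep/2014:11:15:07 +0100] "GET /cgi-bin/test.cgi HTTP/1.0" 404 345 "-" "() { :; }; /bin/echo probe"
192.0.2.30 - - [25/Sep/2014:11:20:55 +0100] "GET /feed/ HTTP/1.1" 200 9876 "() {:;}; /bin/echo referer" "curl/7.38.0"
EOF
)

# shellshock_hits LOGFILE
# Prints one line per source address that sent a Shellshock probe, as
# "COUNT IP", most active address first.
# The regex matches "() {" with optional space, which is the part of the
# payload bash actually keys on; a grep for ":;}" alone would miss probes
# whose function body is something other than ":;", and probes carried in
# the referer rather than the user agent are caught too because the whole
# line is searched.
shellshock_hits() {
    grep -E '\(\) *\{' "$1" \
        | awk '{ print $1 }' \
        | sort \
        | uniq -c \
        | sort -rn \
        | awk '{ print $1, $2 }'
}

# Stand-alone demo against the constructed sample. On a real server the
# argument would be something like /var/log/apache2/access.log.
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_log"
shellshock_hits "$demo_log"
rm -f "$demo_log"
```

Expect "2 192.0.2.10" and "1 192.0.2.30"; the ordinary Firefox request from 192.0.2.20 is not reported.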

(Update 27 September)

Digital Ocean, the company I use to host my Tor node and tails/whonix mirrors, has posted a useful note about the vulnerability. And John Leyden at El Reg posted about the problem here. Leyden’s article references some of the more authoritative discussions so I won’t repeat the links here.

All my systems were vulnerable, but of course have now been patched. However, the vulnerability has existed in bash for so long that I can’t help but feel deeply uneasy even though, as Michal Zalewski (aka lcamtuf) notes in his blog:

PS. As for the inevitable “why hasn’t this been noticed for 15 years” / “I bet the NSA knew about it” stuff – my take is that it’s a very unusual bug in a very obscure feature of a program that researchers don’t really look at, precisely because no reasonable person would expect it to fail this way. So, life goes on.

Permanent link to this article: http://baldric.net/2014/09/26/cve-2014-6271-bash-vulnerability/
