Aug 13 2014

net neutrality

My apologies that this is a few weeks late – but it still bears posting. John Oliver at HBO gave the best description of the net neutrality argument I have seen so far.

Following that broadcast, the FCC servers were, rather predictably, overwhelmed by the outraged response from the trolls that Oliver set loose.

Unfortunately, as John Naughton reports in the Observer, the FCC are unlikely to be moved by that.

Permanent link to this article: http://baldric.net/2014/08/13/net-neutrality/

Aug 11 2014

levison on dime

Ladar Levison and Stephen Wyatt presented the upcoming Dark Internet Mail Environment (DIME) at Defcon22 this week. According to El Reg, Levison, who shut down Lavabit, his previous mail service rather than comply with FBI demands that he divulge the private SSL certificates used to encrypt traffic on that service, said:

“I’m not upset that I got railroaded and I had to shut down my business … I’m upset because we need a mil-spec cryptographic mail system for the entire planet just to be able to talk to our friends and family without any kind of fear of government surveillance”.

I think that puts the problem into perspective.

Permanent link to this article: http://baldric.net/2014/08/11/levison-on-dime/

Jul 28 2014

punctuation matters

There is a nice tweet over at @NSA_PR. It reads:

We take your privacy, seriously.

Beyond parody.

Permanent link to this article: http://baldric.net/2014/07/28/punctuation-matters/

Jul 23 2014

department of dirty

Like most ‘net users I get my fair share of spam. Most of it gets binned automatically by my email system, but of course some still gets through so I am used to hitting the delete button on random email from .ru domains offering me the opportunity to “impress my girl tonight”.

Most such phishing email relies on the recipient being dumb enough, naive enough, or (possibly) drunk enough to actually click through the link to the malicious website. I was therefore more than a little astonished at an email I received today from the open rights group. That email is given below in its entirety (I have obfuscated my email address for obvious reasons).

From: Department of Dirty
To: xxxxxxxx@yyy.zzz
Subject: Cleaning up the Internet
Date: Wed, 23 Jul 2014 07:14:18 -0400 (EDT)

Dear Mick,

Ever thought the internet was just too big? Want to help clean up online filth?

*Welcome to the Department of Dirty*

Watch the Department tackling its work here: www.departmentofdirty.co.uk and share our success, as we stop one man try to get one over us with his ‘spotted dick recipe’:

Department of Dirty Video: http://www.departmentofdirty.co.uk/

The Department of Dirty is working with internet and mobile companies to stop the dirty internet. We are committed to protecting children and adults from online filth such as:

*Talk to Frank: This government website tries to educate young people about drugs. We all know what ‘education’ means, don’t we? Blocked by Three.
*Girl Guides Essex:
They say, ‘guiding is about acquiring skills for life’. We say, why would young girls need skills? Blocked by BT.
*South London Refugee Association:
This charity aims to relieve poverty and distress. Not on our watch they don’t. Blocked by BT, EE, Sky and VirginMedia

This is just the tip of the iceberg.

We need you to help us take a stand against blogs, charities and education websites, all of which are being blocked [1]. It’s time to stop this sick filth. Together, we can clean up the internet.

http://www.departmentofdirty.co.uk

Sincerely,

Your Department of Dirty representative

[1] You can find out what we’re blocking at this convenient website: https://www.blocked.org.uk/

[DISCLAIMER] This email has come from the Open Rights Group. This email was delivered to: xxxxxxxx@yyy.zzz If you wish to opt out of future emails, you can do so here.

Now, I’m an ORG supporter (i.e. I am a paying member) and I am sure that someone, somewhere in ORG thought that this email campaign was a great idea. After all, it follows up the ORG’s earlier research on the fairly obvious stupidities arising from the implementation of Dave’s anti-porn campaign, it looks “ironic”, and it uses a snappy domain name which has shades of Monty Python about it. But I’m sorry, in my view this most certainly is not a good idea and I’m sure that ORG will come to regret it.

One of the most fundamental pieces of advice any and every ‘net user is beaten up with is “do not click on links in unsolicited emails”. In particular, the advice normally goes on – “if that email is from an unknown source, or has in any way a supicious from address you should immediately bin it”.

This email comes from an unknown address with a wonderfully prurient domain name. Even if it is successful and gets to the intended email inbox [1], it then relies on the recipient breaking a fundamental security rule. It does this by encouraging him (this looks to be male targeted) to click on a link which the naive might believe leads to a porn video.

How exactly is that going to help?

([1] Note. It got to my email inbox because the email system at e-activist.com which sent it is allowed by my filters.)

Permanent link to this article: http://baldric.net/2014/07/23/department-of-dirty/

Jul 21 2014

drip

I get my domestic ADSL connectivity from the rather excellent people at Andrews and Arnold.

Here’s why. And this is the original reason I moved to them.

They also happily take (and similarly reply to) GPG encrypted support questions.

Good guys. Thoroughly recommended.

Now can you /really/ see BT doing any of that?

‘thought not.

Permanent link to this article: http://baldric.net/2014/07/21/drip/

Jun 30 2014

inappropriate use of technology

I have been travelling a lot over the last few months (Czech Republic, Scotland, France, Germany, Austria, Slovenia, Croatia, Italy). That travel, plus my catching up on a load of reading is my excuse for the woeful lack of posts to trivia of late. But hey, sometimes life gets in the way of blogging – which is as it should be.

A couple of things struck me whilst I have been away though. Firstly, and most bizarrely I noticed a significant number of tourists in popular, and hugely photogenic, locations (such as Prague and Dubrovnik) wandering around staring at their smartphones rather than looking at the reality around them. At first I thought that they were just checking photographs they had taken, or possibly that they were texting or emailing friends and relatives about their holidays, or worse, posting to facebook, but that did not appear to be the case. Then by chance I overheard one tourist telling his partner that they needed to “turn left ahead” whilst they walked past me so it struck me that they might just possibly be using google maps to navigate. So I watched others more carefully. And I must conclude that many people were doing just that. I can’t help but feel a little saddened that someone should choose to stare at a google app on a small screen in their hand than look at the beauty of something like the Charles Bridge across the Vlatva.

The second point which struck me was how much of a muppet you look if you use an iPad to take photographs.

Permanent link to this article: http://baldric.net/2014/06/30/inappropriate-use-of-technology/

May 30 2014

a new app

My newspaper of choice, the Guardian, has for some time produced its own android (and iOS of course) app. I have often used the android app on my tablet to catch up on emerging news items at the end of the day. I also read the BBC news app for the same reason. Yesterday I received an update to the Guardian app. That update was a complete rewrite and gives the user a very different experience to the original app. For example, in the old app I could tailor the home screen to show me just the news categories I wanted (i.e. no sport, no fashion, but plenty of politics, business and UK news). In the new app I can only do that if I subscribe to a paid version. Sorrry, but no, I already pay for the newspaper, I just want this to give me updated headlines, I don’t want to have to buy the newspaper all over again.

In today’s paper (and on-line of course) there is an editorial comment on the new app explaining its background. The writer opens:

Today I am proud to announce the launch of our redesigned Guardian app. It’s been a ground-up reworking to bring you a new, advanced and beautiful Guardian app. For the first time you will have a seamless experience across phones and tablets, with a cleaner, responsive design that showcases the Guardian’s award-winning journalism to our readers around the world.

The article goes on to explain the history of the original app and the thinking behind the redesign. It continues:

We’re also thrilled to announce that GuardianWitness – the Guardian’s award-winning platform through which readers can contribute their own pictures, videos and text – is now integrated into the app, meaning readers can now contribute to assignments seamlessly and directly within the main app.

Hmmmm.

It continues:

Other new features include:

  • A new flexible layout so we can display different stories in different ways, and show readers which stories are the most important in one glance
  • Breaking news and sport alerts and up-to-the-minute live coverage
  • Increased personalisation: readers can personalise their home screen depending on what topics they’re most interested in, and create notifications to follow favourite writers, stories, series and football teams
  • Improved photo galleries and inclusion of interactives for the first time
  • Off-line reading – with intelligent caching readers will now be able to save articles to read later and have more content at their fingertips wherever they are
  • Open journalism has been built into the app, with even easier ways for readers to contribute comments, videos, photos via our new GuardianWitness integration, as well as a better commenting experience
  • New opportunities for advertisers.

I particularly like that last bit.

And of course the app needs access to my location.

Right.

(P.S. The app called “UK Newspapers” by Markus Reitberger gives access to all the UK news sites you could want – and all it asks for is network access.)

Permanent link to this article: http://baldric.net/2014/05/30/a-new-app/

Apr 16 2014

nsa operation orchestra

In February of this year, Poul-Henning Kamp (a.k.a “PHK”) gave what now looks to be a peculiarly prescient presentation as the closing keynote to 2014′s FOSDEM.

In the presentation (PDF), PHK posits an NSA operation called ORCHESTRA which is designed to undermine internet security through a series of “disinformation” or “misinformation”, or “misdirection” sub operations. ORCHESTRA is intended to be cheap, non-technical, completely deniable, but effective. One of the opening slides gives ORCHESTRA’s “operation at a glance” overview as:

* Objective:
- Reduce cost of COMINT collection
* Scope:
- All above board
- No special authorizations
* Means:
- Eliminate/reduce/prevent encryption
- Enable access
- Frustrate players

PHK delivers the presentation as if he were a mid-ranking NSA staffer intending to brief NATO in Brussels. But “being American, he ends up [at FOSDEM] instead”. The truly scary part of this presentation is that it could all be completely true.

What makes the presentation so timely is his commentary on openssl. Watch it and weep.

Permanent link to this article: http://baldric.net/2014/04/16/nsa-operation-orchestra/

Apr 16 2014

more heartbleed

For any readers uncertain of exactly how the heartbleed vulberability in openssl might be exploitable, Sean Cassidy over at existential type has a good explanation.

And if you find that difficult to follow, Randall Munroe over at xkcd covers it quite nicely.

heartbleed_explanation

My thanks, and appreciation as always, to a great artist.

Of course, Randall foresaw this problem back in 2008 when he published his take on the debian openssl fiasco.

Permanent link to this article: http://baldric.net/2014/04/16/more-heartbleed/

Apr 16 2014

pulitzer guardian

The Guardian and the Washington Post have been jointly awarded the Pulitzer prize for public service for their reporting of Edward Snowden’s whistleblowing on the NSA’s surveillance activities.

The Guardian reports:

The Pulitzer committee praised the Guardian for its “revelation of widespread secret surveillance by the National Security Agency, helping through aggressive reporting to spark a debate about the relationship between the government and the public over issues of security and privacy”.

Unfortunately that debate seems to be taking place in the USA rather than in the UK.

In typical Guardian style, one correspondent to today’s letters page says:

Congratulations to all. Can’t wait for the film. All the President’s Men II? Johnny Depp as Alan Rusbridger?

I’d pay to see that. But I’m not sure how it ends yet.

Permanent link to this article: http://baldric.net/2014/04/16/pulitzer-guardian/

Apr 15 2014

boot and nuke no more

I was contacted recently by a guy called Andy Beverley who wrote:

Hope you don’t mind me contacting you about one of your old blog posts “what gives with dban”. Thought I’d let you know that I forked DBAN a while ago, and produced a standalone program (called nwipe) that will run on any Linux OS. That means it will work with any Live CD, meaning much better hardware support.

It’s included in PartedMagic, as well as most other popular distros.

“No I don’t mind at all” is my response. In fact, since DBAN seems to be borked permanently, it is nice to see an alternative out there.

Andy’s nwipe page says that he could do with some assistance. So if anyone feels able to help him out, give him a call.

Permanent link to this article: http://baldric.net/2014/04/15/boot-and-nuke-no-more/

Apr 08 2014

heartbleed

This is nasty. There is a remotely exploitable bug in openssl which leads to the leak of memory contents from the server to the client and from the client to the server. In practice this means that an attacker can read 64K chunks of memory on a vulnerable service, thus potentially exposing security critical information.

At 19.00 UTC yesterday, openssl bug CVE-2014-0160 was announced at heartbleed.com. I picked it up following a flurry of emails on the tor relays list this morning. Roger Dingledine posted a blog commentary on the bug to the tor list giving details about the likely impacts on Tor and Tor users.

Dingledine’s blog entry says:

Here are our first thoughts on what Tor components are affected:

  • Clients: Tor Browser shouldn’t be affected, since it uses libnss rather than openssl. But Tor clients could possibly be induced to send sensitive information like “what sites you visited in this session” to your entry guards. If you’re using TBB we’ll have new bundles out shortly; if you’re using your operating system’s Tor package you should get a new OpenSSL package and then be sure to manually restart your Tor.
  • Relays and bridges: Tor relays and bridges could maybe be made to leak their medium-term onion keys (rotated once a week), or their long-term relay identity keys. An attacker who has your relay identity key can publish a new relay descriptor indicating that you’re at a new location (not a particularly useful attack). An attacker who has your relay identity key, has your onion key, and can intercept traffic flows to your IP address can impersonate your relay (but remember that Tor’s multi-hop design means that attacking just one relay in the client’s path is not very useful). In any case, best practice would be to update your OpenSSL package, discard all the files in keys/ in your DataDirectory, and restart your Tor to generate new keys.
  • Hidden services: Tor hidden services might leak their long-term hidden service identity keys to their guard relays. Like the last big OpenSSL bug, this shouldn’t allow an attacker to identify the location of the hidden service, but an attacker who knows the hidden service identity key can impersonate the hidden service. Best practice would be to move to a new hidden-service address at your convenience.
  • Directory authorities: In addition to the keys listed in the “relays and bridges” section above, Tor directory authorities might leak their medium-term authority signing keys. Once you’ve updated your OpenSSL package, you should generate a new signing key. Long-term directory authority identity keys are offline so should not be affected (whew). More tricky is that clients have your relay identity key hard-coded, so please don’t rotate that yet. We’ll see how this unfolds and try to think of a good solution there.
  • Tails is still tracking Debian oldstable, so it should not be affected by this bug.
  • Orbot looks vulnerable; they have some new packages available for testing.
  • The webservers in the https://www.torproject.org/ rotation needed (and got) upgrades too. Maybe we’ll need to throw away our torproject SSL web cert and get a new one too.

But as he also says earlier on, “this bug affects way more programs than just Tor”. The openssl security advisory is remarkably sparse on details, saying only that “A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.” So it is left to others to explain what this means in practice. The heartbleed announcement does just that. It opens by saying:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.

During their investigations, the heartbleed researchers attacked their own SSL protected services from outside and found that they were:

able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.

According to the heartbleed site, versions 1.0.1 through 1.0.1f (inclusive) of openssl are vulnerable. The earlier 0.9.8 branch is NOT vulnerable, nor is the 1.0.0 branch. Unfortunately, the bug was introduced to openssl in December 2011 and has been available in real world use in the 1.0.1 branch since 14 March 2102 – or just over 2 years ago. This means that a LOT of services will be affected and will need to be patched, and quickly.

Openssl, or its libraries, are used in a vast range of security critical services across the internet. As the heartbleed site notes:

OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company’s site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many of online services use TLS to both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of the TLS. Furthermore you might have client side software on your computer that could expose the data from your computer if you connect to compromised services.

That point about networked appliances is particularly worrying. in the last two years a lot of devices (routers, switches, firewalls etc) may have shipped with embedded services built against vulnerable versions of the openssl library.

In my case alone I now have to generate new X509 certificates for all my webservers, my mail (both SMTP and POP/IMAP) services, and my openVPN services. I will also need to look critically at my ssh implementation and setup. I am lucky that I only have a small network.

My guess is that most professional sysadmins are having a very bad day today.

Permanent link to this article: http://baldric.net/2014/04/08/heartbleed/

Older posts «