Aug 20 2015

update to domain privacy

At the end of last month I noted that I had been receiving multiple emails to each of the proxy addresses listed for my newly registered “private” domains. Intriguingly, whilst I was receiving at least three or four such emails a week before I wrote about it, I have had precisely zero since.

Probably coincidence, but a conspiracy theorist would have field day with that.

Permanent link to this article: http://baldric.net/2015/08/20/update-to-domain-privacy/

Aug 19 2015

why privacy matters

Last month my wife and I shared a holiday with a couple of old friends. We have known this couple since before we got married, indeed, they attended our wedding. We consider them close friends and enjoy their company. One evening in a pub in Yorkshire, we got to discussing privacy, the Snowden revelations, and the implications of a global surveillance mechanism such as is used by both the UK and its Five Eyes partners (the US NSA in particular). To my complete surprise, Al expressed the view that he was fairly relaxed about the possibility that GCHQ should be capable of almost complete surveillance of his on-line activity since, in his view, “nothing I do can be of any interest to them, so why should I worry.”

I have met this view before, but oddly I had never heard Al express himself in quite this way in all the time I have known him. It bothers me that someone I love and trust, someone whose opinions I value, someone I consider to be intelligent and articulate and caring, should be so relaxed about so pernicious an activity as dragnet surveillance. It is not only the fact that Al himself is so relaxed that bothers me so much as the fact that if he does not care, then many, possibly most, people like him will not care either. That attitude plays into the hands of those, like Eric Schmidt, who purport to believe that “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”

Back in October last year, Glenn Greenwald gave a TED talk on the topic, “Why privacy matters”. I recommended it to Al and I commend it to anyone who thinks, as he does, that dragnet surveillance doesn’t impact on them because they “are not doing anything wrong”.

Permanent link to this article: http://baldric.net/2015/08/19/why-privacy-matters/

Jul 30 2015

get your porn here

Dear Dave is at it again. Sometimes I worry about our PM’s priorities. Not content with his earlier insistence that UK ISPs must introduce “family friendly (read “porn”) filters”, our man in No 10 now wants to “see age restrictions put into place or these (i.e. “porn”) websites will face being shut down”.

El Reg today runs a nice article about Dave’s latest delusion. That article begins:

Prime Minister David Cameron has declared himself “determined to introduce age verification mechanisms to restrict under 18s’ access to pornographic websites” and he is “prepared to legislate to do so if the industry fails to self-regulate.”

It continues in classic El Reg style:

The government will hold a consultation in the autumn, meaning it will be standing on the proverbial street corner and soliciting views on how to stop 17-year-olds running a web search for the phrase “tits”.

and further notes that Baroness Shields (who is apparently our “Minister for internet safety and security”) said:

“Whilst great progress has been made, we remain acutely aware of the risks and dangers that young people face online. This is why we are committed to taking action to protect children from harmful content. Companies delivering adult content in the UK must take steps to make sure these sites are behind age verification controls.”

To which two members of the El Reg commentariat respond:

I give it 5 minutes after the “blockade” is put in place before someone puts a blog post up explaining how to bypass said blockade.

and

Re: 5 minutes

“I give it 5 minutes after the “blockade” is put in place before someone puts a blog post up explaining how to bypass said blockade.”

I can do that now & don’t need a blog.

Q: Are you over 18?

A: Yes

Someone, somewhere, in Government must be able to explain to this bunch of idiots how the internet works. Short of actually pulling the plug on the entire net, any attempt to block access to porn is doomed to failure. China has a well documented and massive censorship mechanism in place (the Great Firewall) in order to control what its populace can watch or read or listen to. That mechanism fails to prevent determined access to censored material. If a Marxist State cannot effectively block free access to the ‘net, then Dear Dave has no chance.

Unless of course he knows that, wants to fail, and plans his own Great Firewall in “reluctant” response.

Permanent link to this article: http://baldric.net/2015/07/30/get-your-porn-here/

Jul 28 2015

domain privacy?

Over the past few months or so I have bought myself a bunch of new domain names (I collect ’em….). On some of those names I have chosen the option of “domain privacy” so that the whois record for the domain in question will show limited information to the world at large. I don’t often do this, for a couple of reasons. Firstly, I usually don’t much care whether or not the world at large knows that I own and manage a particular domain (I have over a dozen of these). Secondly, the privacy provided is largely illusory anyway. Law Enforcement Agencies, determined companies with pushy lawyers and network level adversaries will always be able to link any domain with the real owner should they so choose. In fact, faced with a simple DMCA request, some ISPs have in the past simply rolled over and exposed their customer’s details.

But, I get spam to all the email addresses I advertise in my whois records, and I also expose other personal details required by ICANN rules. I don’t much like that, but I put up with it as a necessary evil. However, for one or two of the new domains I don’t want the world and his dog attributing the name directly to me – at least not without some effort anyway.

Because the whois record must contain contact details, domain privacy systems tend to mask the genuine registrant email address with a proxy address of the form “some-random-alphanumeric-string@dummy.domain” which simply redirects to the genuine registrant email address. Here is one obvious flaw in the process because a network level adversary can simply post an email to the proxy address and then watch where it goes (so domain privacy is pointless if your adversary is GCHQ or NSA – but then if they are your adversaries you have a bigger problem than just maintaining privacy on your domain).

Interestingly, I have received multiple emails to each of the proxy addresses listed for my “private” domains purporting to come from marketing companies offering me the chance to sign up to various special offers. Each of those emails also offers me the chance to “unsubscribe” from their marketing list if I am not interested in their wares.

I’ll leave the task of spotting the obvious flaw in that as an exercise for the class.

Permanent link to this article: http://baldric.net/2015/07/28/domain-privacy/

Jun 05 2015

why pay twice?

Yesterday’s Independent newspaper reports that HMG has let a contract with five companies to monitor social media such as twitter, facebook, and blogs for commentary on Goverment activity. The report says:

“Under the terms of the deal five companies have been approved to keep an eye on Facebook, Twitter and blogs and provide daily reports to Whitehall on what’s being said in “real time”.

Ministers, their advisers and officials will provide the firms with “keywords and topics” to monitor. They will also be able to opt in to an Orwellian-sounding Human-Driven Evaluation and Analysis system that will allow them to see “favourability of coverage” across old and new media.”

This seems to me to be a modern spin on the old press cuttings system which was in widespread use in HMG throughout my career. The article goes on to say:

“The Government has always paid for a clippings service which collated press coverage of departments and campaigns across the national, regional and specialist media. They have also monitored digital news on an ad hoc basis for several years. But this is believed to be the first time that the Government has signed up to a cross-Whitehall contract that includes “social” as a specific media for monitoring.”

Apart from the mainstream social media sites noted above, I’d be intrigued to know what criteria are to be applied for including blogs in the monitoring exercise. Some blogs (the “vox populi” types such as Guido Fawkes at order-order) will be obvious candidates. Others in the traditional media, such as journalistic or political blogs will also be included, but I wonder who chooses others, and by what yardsticks. Would trivia be included? And should I care?

According to the Independent, the Cabinet Office, which negotiated the deal, claims that even with the extended range of monitoring by bringing individual departmental contracts together it will be able to save £2.4m over four years whilst “maximising the quality of innovative work offered by suppliers”.

Now since the Cabinet Office is reportedly itself facing a budget cut of £13 million in this FY alone, it strikes me that it would have been much more cost effective to simply use GCHQ’s pre-existing monitoring system rather than paying a separate bunch of relative amateurs to search the same sources.

Just give GCHQ the “keywords” or “topics of interest”. Go on Dave, you know it makes sense.

Permanent link to this article: http://baldric.net/2015/06/05/why-pay-twice/

Jun 02 2015

de-encrypting trivia

Well, that didn’t last long.

When I decided to force SSL as the default connection to trivia I had forgotten that it is syndicated via RSS on sites like planet alug. And of course as Brett Parker helpfully pointed out to me, self-signed certificates don’t always go down too well with RSS readers. He also pointed out that some spiders (notably google) would barf on my certificate and thus leave the site unindexed.

So I have taken off the forced redirect to port 443. Nevertheless, I would encourage readers to connect to https://baldric.net in order to protect their browsing of this horribly seditious site.

You never know who is watching……..

cyber wargames

Permanent link to this article: http://baldric.net/2015/06/02/de-encrypting-trivia/

Jun 01 2015

encrypting trivia

In my post of 8 May I said it was now time to encrypt much, much more of my everyday activity. One big, and obvious, hole in this policy decision was the fact that the public face of this blog itself has remained unencrypted since I first created it way back in 2006.

Back in September 2013 I mentioned that I had for some time protected all my own connections to trivia with an SSL connection. Given that my own access to trivia has always been encrypted, any of my readers could easily have used the same mechanism to connect (just by using the “https” prefix). However, my logs tell me that that very, very few connections other than my own come in over SSL. There are a couple of probable reasons for this, not least the fact that an unencrypted plain http connection is the obvious (default) way to connect. But another reason may be the fact that I use a self signed (and self generated) X509 certificate. I do this because, like Michael Orlitzky I see no reason why I should pay an extortionist organisation such as a CA good money to produce a certificate which says nothing about me or the trustworthiness of my blog when I can produce a perfectly good certificate of my own.

I particularly like Orlitzky’s description of CAs as “terrorists”. He says:

I oppose CA-signed certificates because it’s bad policy, in the long run, to negotiate with terrorists. I use that word literally — the CAs and browser vendors use fear to achieve their goal: to get your money. The CAs collect a ransom every year to ”renew“ your certificate (i.e. to disarm the time bomb that they set the previous year) and if you don’t pay up, they’ll scare away your customers. ‘Be a shame if sometin’ like that wos to happens to yous…

Unfortunately, however, web browsers get really upset when they encounter self-signed certificates and throw up all sorts of ludicrously overblown warnings. Firefox, for example, gives the error below when first connecting to trivia over SSL.

firefox-to-trivia-untrusted

Any naive reader encountering that sort of error message is likely to press the “get me out of here” button and then bang goes my readership. But that is just daft. If you are happy to connect to my blog in clear, why should you be afraid to connect to it over an encrypted channel just because the browser says it can’t verify my identity? If I wanted to attack you, the reader, then I could just as easily do so over a plain http connection as over SSL. And in any event, I did not create my self signed certificate to provide identity verification, I created it to provide an encrypted channel to the blog. That encryption works, and, I would argue, it is better than the encryption provided by many commercially produced certificates because I have specifically chosen to use only the stronger cyphers available to me.

Encrypting the connection to trivia feels to me like the right thing to do. I personally always feel better about a web connection that is encrypted. Indeed, I use the “https everywhere” plugin as a matter of course. Given that I already have an SSL connection available to offer on trivia, and that I believe that everyone has the right to browse the web free from intrusive gratuitous snooping I think it is now way past time that I provided that protection to my readers. So, as of yesterday I have shifted the whole of trivia to an encrypted channel by default. Any connection to port 80 is now automatically redirected to the SSL protected connection on port 443.

Let’s see what happens to my readership.

Permanent link to this article: http://baldric.net/2015/06/01/encrypting-trivia/

May 14 2015

what is wrong with this sentence?

Yesterday the new Government published a press release about the forthcoming first meeting of the new National Security Council (NSC). That meeting was due to discuss the Tory administration’s plans for a new Counter-Extremism Bill. The press release includes the following extraordinary stement which is attributed to the Prime Minister:

“For too long, we have been a passively tolerant society, saying to our citizens: as long as you obey the law, we will leave you alone. “

Forgive me, but what exactly is wrong with that view? Personally I think it admirable that we live in a tolerant society (“passive” or not). Certainly I believe that tolerance of difference, tolerance of free speech, tolerance of the right to hold divergent opinion, and to voice that opinion, is to be cherished and lauded. And is it not right and proper that a Government should indeed “leave alone” any and all of its citizens who are obeying the law?

Clearly, however, our Prime Minister disagrees with me and believes that a tolerant society is not what we really need in the UK because the press release continues:

“This government will conclusively turn the page on this failed approach. “

If tolerance is a “failed approach”, what are we likely to see in its place?

Permanent link to this article: http://baldric.net/2015/05/14/what-is-wrong-with-this-sentence/

May 08 2015

back on topic

Theresa May hasn’t wasted any time. The Independent reports today that Ms May (Home Secretary in the coalition administration) has said that the new Tory administration will bring the Draft Communications Data Bill, previously blocked by the Liberal Democrats, back to the House of Commons with the intention of getting it passed into law. As the Independent also reports, dear Dave, who is let us say, technically challenged, has in the past expressed the view that no form of communication should be unreadable by the Goverment. This implies severe restrictions on all forms of encryption.

Given that the Tories now have the majority they lacked in the last administration, it is clear that they will see themselves free to attack the kind of liberties I, and millions like me enjoy and cherish. The Open Rights Group maintain a wiki devoted to the relevant points of each political party’s manifesto relating to surveillance or other possible attacks on privacy. As they point out, the Tory party is committed to:

  • introducing “new communications data legislation”;
  • scrapping the Human Rights Act;
  • requiring internet service providers to block (certain) sites;
  • enabling employers to check whether an individual is an extremist;
  • requiring age verification for access to all sites containing pornographic material.

There are, of course, huge practical and technical difficulties in implementing much of what the Tories wish to do (consider for example the idiocy of attempting to outlaw VPN technology) but that won’t stop them trying. Indeed, some of the technical difficulties may cause the new administration to bring in mechanisms to get around those problems. An obvious example would be the requirement for key escrow for anyone wishing to use encryption.

Excuse me if I find that unacceptable. Time to encrypt much, much more of my everyday activity from now on.

Permanent link to this article: http://baldric.net/2015/05/08/back-on-topic/

May 08 2015

do not be ordinary

The early results of yesterday’s poll are depressing beyond belief. It looks almost certain that the Tory party will have sufficient seats to form the next government.

I don’t often make party political points here (though my political leanings may sometimes be obvious) but I was reminded today of Neil Kinnock’s heart rending speech in Bridgend, Glamorgan, on Tuesday 7 June 1983, two days before the election in which Margaret Thatcher was returned as Prime Minister.

Kinnock said:

“If Margaret Thatcher wins on Thursday, I warn you not to be ordinary. I warn you not to be young. I warn you not to fall ill. I warn you not to get old.”

Those words resonate even more today than they did 32 years ago. I fear for the old, the poor, the disposessed, the weak, the young, the sick and yes, indeed, the ordinary people of this country. David Cameron and his cronies both inside and outside Government will now return to the task of dismantling all that is good and admirable about our society. A society should be judged on the way it treats its weakest and less able members. Cameron’s Tories are, at heart, brutal and uncaring. That frightens me.

Permanent link to this article: http://baldric.net/2015/05/08/do-not-be-ordinary/

Mar 30 2015

the russians are back

About four years ago I was getting a huge volume of backscatter email to the non-existent address info@baldric.net. After a month or so it started to go quiet and eventually I got hardly any hits on that (or any other) address. A couple of weeks or so ago they came back. My logs for weeks ending 15 March, 22 March and 29 March show 92%, 96% and 94% respectively of all email to my main mail server is failed connection attempts from Russian domains to dear old non-existent “info”. Out of curiosity I decided to capture some of the inbound mails. Most were in Russian, but the odd one or two were in (broken) english. Below is a typical example:

From: “Olga”
To: Subject: Are you still looking for love? Look at my photos!
Date: Thu, 12 Mar 2015 15:22:08 +0300
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331

Sunshine!
Are you still looking for love? I will be very pleased to become your half and save you from loneliness. My name is Olga, 25 years old.
For now I live in Russia, but it’s a bad time in my country, and I think about moving to another state.
I need a safer place for life, is your country good for that?
If you are interested and want to get in touch with me, just look at this international dating site.
Hope to see you soon!
Just click here!

Sadly, I believe that many recipients of such emails will indeed, “click here”. Certainly enough to further propagate whatever malware was used to compromise the end system which actually sent the above email.

Permanent link to this article: http://baldric.net/2015/03/30/the-russians-are-back/

Mar 30 2015

kidnapped by aliens

An old friend of mine has expressed some concern at the lack of activity on trivia of late. In his most recent email to me he said:

“You really should revive Baldric you know. Everyone will believe it if you just say you were kidnapped by aliens, and then you can just resume where you left off.”

So Peter, this one is just for you. Oh, and Happy Birthday too.

Mick

Permanent link to this article: http://baldric.net/2015/03/30/kidnapped-by-aliens/

Older posts «