As Theresa May moves from the Home Office to Number 10, it is perhaps timely to reflect on public attitudes to surveillance as evidenced in Liberty’s campaign film “Show me yours” in April of this year. In the film (shown below), comedian Olivia Lee pursues members of the public with the intention of taking details from their mobile phones of all their recent communications or browsing activity. The reactions of the people approached speak for themselves. Unfortunately, Liberty research suggests that 75% of adults in the UK had never heard of the impending legislation laid out in the Investigatory Powers Bill.
Glenn Greenwald on Newsnight. The full episode of Newsnight’s report including Greenwald’s interview and comment from Sir David Omand (ex Director GCHQ) can be seen here on BBC’s iplayer. Gordon Corera, the BBC’s Security correspondent, reports here on the Newsnight episode. As an aside, I was amused by Ross Anderson’s claim that many academics had …
A couple of weeks ago I noted that the release of tails 0.20 seemed to be popular – at least if the traffic on my mirrors was anything to go by. The statistics published by the Tor project itself show an interesting rise in (probable) Tor usage since June. The graphic shows that the number …
As I have mentioned in other posts here, I run my own mail server on one of my VMs. I do this for a variety of reasons, but the main one is that I like to control my own network destiny. Back in October last year I noticed an interesting change in my mail experience …
At about the time I decided to move trivia to my own VPS, there was a lot of fuss about a new worm which was reportedly exploiting a vulnerability in all versions <= 2.8.3. Even the Grauniad carried some (rather inaccurate) breathless reporting about how the wordpress world was about to end and maybe we …
This blog comes to you courtesy of those excellent free open source authors who have contributed to wordpress. Unfortunately, in common with all software, wordpress inevitably has some bugs. Worse, some of those bugs can occasionally be sufficiently bad as to make the software vulnerable to remote exploitation by ne’er do wells and other …
Following a recent discussion about gpg key signing on my local linux user group email list, one of the members pointed out that several of us (myself included) were using rather old 1024-bit DSA GPG keys with SHA-1 hashes. He recommended that such users should upgrade to keys with a minimum size of 2048 bits …
Or “tails” if you prefer, is a live CD/USB distribution based on debian which aims to help you preserve your privacy and anonymity when out and about. As the home website says, tails helps you to: use the Internet anonymously almost anywhere you go and on any computer: all connections to the Internet are forced …
I came across an interesting post on Avert labs site recently. That post pointed to an earlier SANS posting, which in turn, referenced a Symantec discussion of a new Trojan called Trojan.Flush.M. This trojan is an interesting variant of a class of trojans which hijack local DNS settings to force the compromised machine to use …
One of my fixed term savings accounts matured at the end of last week. This means that the paltry “bonus” interest rate which made the account ever so slightly more attractive than the pathetic rates generally available 12 months ago now disappears and I am left facing a rate so far below inflation that I …
The revelations of the past week or so have been interesting to me more for what they haven’t said, than what they have. There are a few points arising from Snowden’s story which puzzle me and which don’t seem to have been addressed by the mainstream media – at least not the ones I read. …
The launch of the google nexus one “iPhone killer” reminds me just how prescient Dr Fun’s cartoon of 16 January 2006 (see third cartoon down from the top on the right) really was. I just love the way the google employee in the video says at the end that Verizon and Vodafone have “agreed to …
I run my own mail server for a number of reasons. And I rarely regret that decision. However, there have been occasions in the past when relying on a single mail provider (even when that provider is myself) has proven problematic. The first problem arose several years ago when the ISP which I use for …
There is a wonderful advert in today’s Guardian. Most of page 6 is taken up with a Microsoft advert saying: “Aston Martin is now on Office 365 – your complete office in the cloud.” Right. An advert for a cloud based office suite from a major US software supplier. Tough sell. Especially in the Guardian.
For those of you unsure of what might leak where and when using tor and/or https to protect your browsing, there is a useful interactive graphic on the EFF site. As EFF point out, the potentially visible data includes: the site you are visiting, your username and password, the data you are transmitting, your IP …
Today I had a nasty looking problem with my mysql installation. At first I thought I might have to drop one or more databases and re-install. Fortunately, I didn’t actually have to do that in the end. I first noticed a problem at around 15.45 today when I couldn’t collect my mail. My mail system …
I’ve just changed my mobile phone for the first time in nearly three years. I know this makes me unusual, particularly as I am normally a gadget lover, but to me a phone is primarily intended to be communication device. I don’t really need it to be a camera, or a music player, or a …
A recent exchange on the tor-talk mailing list about conspiracy theories elicited this gem from “Ted Smith” (obviously a Bob Heinlein fan). “One of the more Gibsonesque theories I’ve heard is that Snowden is a CIA operative working to destabilize the NSA’s surveillance system on behalf of the CIA and other elite that feel too …
Yesterday I received an email from the Open Rights Group asking me to sign an on-line petition set up in collaboration with nearly 300 other organisations. The email said: In 2013, we learned digital surveillance by governments across the world knows no bounds. Their national intelligence and investigative agencies capture our phone calls, track our …
If and when the teething problems in 10.04 are fixed and the distro looks stable enough to supplant my current preferred version, I will be faced with one or two usability issues. In this version, canonical have taken some design decisions which seem to have some of the fanbois frothing at the mouth. The most …
Last week, El Reg posted an amusing take on the apparent invasion of the NSA by Management Consultants. Nothing new there then. From personal experience I can confirm that UK Government has been completely overrun with the buggers for years.
I’m a big fan of Ben Goldacre’s “bad science” column in the Guardian. He is particularly scathing about quackery and spurious medical science. His views of “Dr” Gillian McKeith in particular are well worth reading. Whilst I was reading one of his columns recently, I was reminded of another “Dr” who seems to get away …
I’m still having a variety of problems with my sheevaplug. Not least of which is the fact that SDHC cards don’t seem to be the best choice of boot medium. I have had failures with two cards now and some searching of the various on-line fora suggests that I am not alone here. In particular, …
I suppose it was inevitable that the Snowden revelations would lead to greater interest in privacy and anonymity. I applaud that. I suppose it was also inevitable that there would be a rash of commercial products emerging from both “entrepreneurs” and the more established “security” companies to take advantage of that increased interest. That, I …
The ascii art in sl was quite cute, this is far more elaborate. To see it in action, telnet to towel.blinkenlights.nl. Why waste your time browsing rubbish websites – fire up a terminal session and waste even more time with telnet. More fun places to try can be found at telnet.org.
In January of this year I wrote about t-mobile’s apparent policy of actively looking for and blocking any TLS-secured SMTP sessions over their network. At the time I believed this to be a cockup rather than a deliberate policy. I still prefer to believe that, but the episode left a rather sour taste in my …
I have commented in the past how I prefer lighttpd to apache, particularly on low powered machines such as the slug. I used to be a big apache fan, in fact I think I first used it at version 1.3.0 or maybe 1.3.1, having migrated from NCSA 1.5.1 (and before that Cern 3.0) back in …
A recent email exchange with the friend who originally suggested that I take a look at the NSLU2 got me thinking about the machines we currently take for granted. In his email he outlined that he had consolidated a set of services previously run on a couple of old desktops (a Dell and a Shuttle) …
I normally get around 1000 to 1300 hits a day (or 32,000 to 40,000 per month) on trivia. Not a huge hit rate, but consistent and on a slight upward trend over the past year. Today I have seen over double that – most of it this morning. Between 05.30 and 07.00 local time my …
Upgrading the slugs to squeeze killed the webcam. At first I thought that squeeze was missing the necessary gspca drivers, but no, a quick look in /dev revealed an entry for video0 and “lsmod” reported “gspca_zc3xx” loaded correctly. This is a different driver to that which my camera loaded in lenny (spca5xx) but a quick …
Jul 13 2016
Permanent link to this article: http://baldric.net/2016/07/13/show-me-yours/
May 02 2016
I have recently been building a new NAS box (of which, possibly, more later). In fact the build is really a rebuild because I initially built the server about three years ago in order to consolidate a bunch of services I was running on assorted separate servers into one place. That first build was a RAID 1 array of two 2 TB disks (to give me a mirrored setup with a total of 2 TB store). At the time that was sufficient to hold all my important data (backed up both to other networked devices and to standalone USB disks for safety). But I have just upgraded my main desktop machine to a nice shiny new core i7 Skylake box with 16 GB of DDR4 and a 3 TB disk. That disk is already two thirds full (my old machine had a rather full 2 TB disk). This meant that my NAS backup storage requirements exceeded the capacity of my RAID 1 setup. Adding disks wouldn’t help of course because all that would do is add mirror capability rather than capacity. So I decided to upgrade the NAS and bought a bunch of new 2 TB disks with the intention of setting up a RAID 5 array of 4 disks, thus giving a total storage capacity of 6 TB (8 TB minus 2 TB for parity). Furthermore I initially looked at using FreeNAS rather than my usual debian or ubuntu server with software RAID simply because it looked interesting and, with plugins, could probably meet most of my requirements. But I could not get the software to install properly and after three abortive attempts I gave up and decided that I didn’t really like freeBSD anyway….
So I opted to go back to mdadm on linux – at least I know that works. Better still I would be able to retain all my old setup from the old RAID 1 system without having to worry about finding plugins to handle my media streaming requirements, or owncloud installation, for example.
My previous build was on debian (which is by far my preferred server OS) but ubuntu server has recently been released in a LTS version at 16.04 and I thought it might be fun to try that instead. So I did. (For any readers who have not tried installing linux on a RAID system there are plenty of sites offering advice, but the official ubuntu pages are pretty good). During the build I hit what I initially thought was a snag because the installation seemed to get stuck at around the 83% level when it was apparently installing the linux kernel image and headers. Indeed I confess that on the first such installation I pulled the plug after about three hours of no apparent activity because I was beginning to think that there might be something wrong with my hardware (the earlier FreeNAS failures worried me). My on-line searches for assistance were initially not particularly helpful since none of the huge number of sites advising on software RAID installation bothered to mention that initial RAID 5 build (or rebuild) using large capacity disks takes a very long time because of the need to calculate the parity data. Incidentally, it is this parity data and its layout that gives RAID 5 its write performance penalty.
One useful outcome of my research about RAID 5 build times (which in my case eventually took just over 6 hours) was my discovery of the wintelguy’s site providing an on-line calculator (and much more besides) for RAID performance and capacity. There is even a very useful page allowing you to compare two separate configurations side by side – thoroughly recommended. More worrying, and thought provoking, is the reclaime.com calculator for RAID failure. That site suggests that the probability of successfully rebuilding a RAID 5 array of 4 * 2 TB disks after a failure is only 52.8%.
That is why you need to keep backups…….
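To make the capacity and rebuild arithmetic above reproducible, here is an added example (mine, not code from the post or from either of the calculator sites mentioned) that works out usable RAID 5 capacity and the chance of completing a rebuild without hitting an unrecoverable read error. The URE rate of 1e-14 per bit is an assumed consumer-disk figure, not something the post states, and the model covers only that one failure term, so it will not reproduce the 52.8% quoted from reclaime.com, whose calculator applies its own assumptions.

```python
import math

# Assumed figure, not from the post: the common consumer-disk spec of one unrecoverable
# read error (URE) per 1e14 bits read. Enterprise disks are often rated at 1e15.
URE_RATE_PER_BIT = 1e-14


def usable_capacity_tb(disks, size_tb, parity_disks=1):
    """Usable space of a parity array: RAID 5 spends one disk's worth on parity, RAID 6 two."""
    if disks <= parity_disks + 1:
        raise ValueError("need more data disks than parity disks")
    return (disks - parity_disks) * size_tb


def bits_read_during_rebuild(disks, size_tb):
    """After one disk fails, RAID 5 must read every bit of the surviving disks to regenerate it."""
    return (disks - 1) * size_tb * 1e12 * 8   # decimal terabytes, as disk vendors quote them


def raid5_rebuild_success(disks, size_tb, ure_rate=URE_RATE_PER_BIT):
    """Probability that a RAID 5 rebuild finishes without meeting a single URE.

    With a constant per-bit error probability p, reading n bits cleanly has probability
    (1 - p) ** n = exp(n * ln(1 - p)); log1p keeps the logarithm accurate for tiny p.
    """
    n = bits_read_during_rebuild(disks, size_tb)
    return math.exp(n * math.log1p(-ure_rate))


def compare(configs, ure_rate=URE_RATE_PER_BIT):
    """Tabulate capacity and rebuild odds for several (disks, size_tb) RAID 5 layouts."""
    return [
        {
            "disks": d,
            "size_tb": s,
            "usable_tb": usable_capacity_tb(d, s),
            "rebuild_success": raid5_rebuild_success(d, s, ure_rate),
        }
        for d, s in configs
    ]


if __name__ == "__main__":
    # The 4 x 2 TB array from the post, then two larger layouts for comparison.
    for row in compare([(4, 2.0), (4, 4.0), (8, 2.0)]):
        print(f"{row['disks']} x {row['size_tb']:.0f} TB: usable {row['usable_tb']:.0f} TB, "
              f"rebuild without a URE {row['rebuild_success']:.1%}")
```

The point the numbers make is the one the post makes: the odds get worse as disks get bigger or more numerous, because a rebuild has to read every bit of every surviving disk, and parity can only repair one missing piece at a time.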
Permanent link to this article: http://baldric.net/2016/05/02/raid-performance/
Mar 30 2016
For some time now I have been increasingly fed up with the poor service offered by SMS on my mobile phone. I’m not a hugely prolific sender of text messages, and those I do send are primarily aimed at my wife and kids, but when I do send them, I expect them to get there, on time and reliably. I also expect to be able to send and receive images (by MMS) because that is what I have paid for in my contract. Oh, and I would also like to do this securely, and in privacy.
Guess what? I can’t.
My wife and kids want me to use Facebook’s messenger because that is what they use and they are happy with it. I have signally failed to convince them /not/ to use that application, largely because they already have it installed and use it to send messages to everyone else they know. But then I have also failed to get my kids to understand my concerns about wider Facebook usage. (“There Dad goes again, off on one about Facebook.”).
So, what to do? Answer, set up my own XMPP server and use that. XMPP is an open standard, there are plenty of good FOSS XMPP servers about (jabberd, ejabberd, prosody etc.) and there are also plenty of reasonable looking XMPP clients for both android and linux (the OS’s I care about). And better yet, it is perfectly possible (and relatively easy) to set up the server to accept only TLS encrypted connections so that conversations take place in private. Many clients also now support OTR or OMEMO encryption so the conversations can be made completely secure through end-to-end encryption. Yes, I am aware that OTR is a bit of a kludge, but it is infinitely preferable to clear text SMS over the mobile network. And I like my privacy. Better yet, unlike GPG which I use for email, OTR also provides forward secrecy, so even if my keys should be compromised, my conversations won’t be.
And yes I also know that Facebook messenger itself offers “security and privacy”, but it also used to be capable of interacting with the open XMPP standard before Zuckerberg made it proprietary a few years ago. And I just don’t trust Facebook. For anything.
So for some time now I have been using my own XMPP server alongside my mail server. It works just fine, and I have even convinced my wife and kids to use it when they converse with me.
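A server configured to accept only TLS connections advertises that fact on the very first, still-unencrypted stream: STARTTLS is listed with `<required/>`, and no SASL PLAIN is offered before TLS. Here is an added check (my code, not the post’s and not from any of the XMPP servers named) that reads those stream features and reports whether the policy really is TLS-only. The sample feature fragments are constructed, and `probe_server` assumes a server you run yourself on the standard client port 5222.

```python
import re
import socket
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
FEATURES_RE = re.compile(r"<stream:features\s*/>|<stream:features\b.*?</stream:features>", re.S)


def assess_features(features_xml):
    """Inspect the <stream:features> a server sends on a fresh, unencrypted client stream
    (RFC 6120) and report what a TLS-only policy requires: STARTTLS marked <required/>,
    and no SASL PLAIN mechanism offered before the stream is encrypted."""
    # The fragment uses the stream: prefix, so wrap it in an element that declares it.
    root = ET.fromstring(f'<wrap xmlns:stream="{STREAM_NS}">{features_xml}</wrap>')
    features = root.find(f"{{{STREAM_NS}}}features")
    if features is None:
        raise ValueError("no <stream:features> element in the fragment")
    starttls = features.find(f"{{{TLS_NS}}}starttls")
    if starttls is None:
        policy = "absent"
    elif starttls.find(f"{{{TLS_NS}}}required") is not None:
        policy = "required"
    else:
        policy = "optional"
    mechanisms = features.find(f"{{{SASL_NS}}}mechanisms")
    offered = [] if mechanisms is None else [
        (m.text or "").strip() for m in mechanisms.findall(f"{{{SASL_NS}}}mechanism")]
    return {
        "starttls": policy,
        "plain_auth_before_tls": "PLAIN" in offered,
        "tls_only": policy == "required" and "PLAIN" not in offered,
    }


def probe_server(host, port=5222, domain=None, timeout=5.0):
    """Open a plain client stream to your own server and assess its pre-TLS features.
    Only the initial feature advertisement is read; no credentials are ever sent."""
    domain = domain or host
    header = (f"<?xml version='1.0'?><stream:stream to='{domain}' version='1.0' "
              f"xmlns='jabber:client' xmlns:stream='{STREAM_NS}'>")
    text = ""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(header.encode())
        while not FEATURES_RE.search(text):
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the stream before sending features")
            text += chunk.decode(errors="replace")
        sock.sendall(b"</stream:stream>")
    return assess_features(FEATURES_RE.search(text).group(0))


# Constructed sample fragments, as a server might send them on the first stream.
SAMPLE_TLS_ONLY = ('<stream:features>'
                   '<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>'
                   '</stream:features>')
SAMPLE_LAX = ('<stream:features>'
              '<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>'
              '<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">'
              '<mechanism>PLAIN</mechanism><mechanism>SCRAM-SHA-1</mechanism></mechanisms>'
              '</stream:features>')
SAMPLE_NO_TLS = ('<stream:features>'
                 '<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">'
                 '<mechanism>PLAIN</mechanism></mechanisms>'
                 '</stream:features>')

if __name__ == "__main__":
    for label, sample in [("tls-only", SAMPLE_TLS_ONLY), ("lax", SAMPLE_LAX), ("no-tls", SAMPLE_NO_TLS)]:
        print(label, assess_features(sample))
    # To check a live server you administer: print(probe_server("xmpp.example.invalid"))
```

The second sample is the case worth watching for: STARTTLS is offered but not required, and PLAIN authentication is available before encryption, so a client that skips TLS would send its password in the clear. Run the probe against your own server after changing its configuration to confirm the policy actually took effect.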
I may now move away from using GPG to using OTR in preference. Anyone wishing to contact me can now do so at my XMPP address and may also encrypt messages to me using my OTR key. My fingerprints are published here.
Permanent link to this article: http://baldric.net/2016/03/30/jibber-jabber/
Jan 24 2016
Last month Troy Hunt posted an interesting comment on his blog about the problems around the etiquette of allowing guests onto your home wifi network. In his post, Hunt notes that guests can be deeply offended at being refused access. This is understandable. If they are guests in your home then they are probably close friends or family. Refusing access can make it seem that you don’t trust them. However, as Hunt goes on to point out, it is not the guests per se you need to worry about. Anyone on your network can cause problems – usually completely unintentionally. In my case I have the particular problem that my kids assume that they can use the network when they are here. Worse, they assume that they may access the network through their (google infested) smart phones. Now try as I might, there is no way I can monitor or control the way my kids (or their partners) set up their phones. Nor should I want to.
Hunt asks how others handle this problem. Like him I don’t much trust the separation offered by “guest” networks on wifi routers. In my case I decided long ago to split my network in two. I have an outer network which connects directly to my ISP and a second, inner network, which connects through another router to my outer network. Both networks use NAT and each uses an address range drawn from RFC1918. Furthermore, the routers are from different manufacturers so, hopefully, any vulnerability in one /may/ not be present in the other. My inner network has all my domestic devices, including my NAS, music and video streaming systems, DNS server etc. attached. These devices are mostly hard wired through a switch to the inner router. I only use wifi where it is not possible to hard wire, or where it would make no sense to do so. For example, my Sonos speakers and the app controlling them on my android tablet must use wifi. However, there is no reason why my kids, who insist on using Facebook, need to have access to my internal systems. So I run a separate wifi network on the outer router and they only have access to that. The only systems on the external screened network are one of my VPN endpoints (useful for when I am out and about and want to appear to be accessing the wider world from my home), and my old slug based webcam. My policy stance on the inner network is to consider the screened outer network as almost as hostile as the wider internet. This has the further advantage that bloody google doesn’t get notification of my internal wifi settings through my kids leaving “backup and restore” active on their android phones.
Permanent link to this article: http://baldric.net/2016/01/24/guest-network/
Jan 11 2016
I am a paying member of both Amnesty International and the Open Rights Group. Both those organisations, along with many other Civil Rights organisations, technology companies and concerned individuals are signatories to an open letter to Governments across the world demanding that we retain the right to strong encryption in order to protect our privacy. That letter says:
- Governments should not ban or otherwise limit user access to encryption in any form or otherwise prohibit the implementation or use of encryption by grade or type;
- Governments should not mandate the design or implementation of “backdoors” or vulnerabilities into tools, technologies, or services;
- Governments should not require that tools, technologies, or services are designed or developed to allow for third-party access to unencrypted data or encryption keys;
- Governments should not seek to weaken or undermine encryption standards or intentionally influence the establishment of encryption standards except to promote a higher level of information security. No government should mandate insecure encryption algorithms, standards, tools, or technologies; and
- Governments should not, either by private or public agreement, compel or pressure an entity to engage in activity that is inconsistent with the above tenets.
I’ve signed. You should too.
Permanent link to this article: http://baldric.net/2016/01/11/sign-this-now/
Jan 07 2016
I don’t wish to comment on that evidence here; Adrian Kennard has already provided much useful comment on the failings of the Draft Bill. My purpose in this post is to highlight the absurdity of the Parliamentary Committee’s request that the ISPA evidence be withdrawn from its website. The Register article ends with this update:
ISPA contacted The Register after the publication of this story to inform us: “ISPA was requested to remove the written evidence it submitted to the Joint Committee on the Investigatory Powers Bill from the ISPA website by the Joint Committee. Their guidance states that submissions become the property of the Committee and should not be published elsewhere until the Committee has done so itself.”
As of now (14.30 on 7 January) that evidence is still on the ISPA Website. Even if removed, it will still, of course, be available from a huge range of sources such as search engine caches (apologies for the google reference, but it is the obvious one). Or you could get it here.
The point is, once such a document has been published electronically on the net, no-one, but no-one, can put the genie back in the bottle and unpublish it.
The officials supporting the Joint Parliamentary Committee should know that. And if they don’t then I would submit that they are not technically competent enough to be supporting the Committee.
Permanent link to this article: http://baldric.net/2016/01/07/idiotic/
Jan 01 2016
Sadly, I read today that Ian Murdock, the “Ian” in Debian, died on Monday, 28 December 2015. He was only 42 years old. Various reports indicate that he had been distressed for some time before his death. The tweets reportedly from Murdock’s twitter account shortly before his death are very disturbing.
Murdock’s contribution to the FLOSS community was immense. The operating system he created with “Deb”, Debra Lynn, his then girlfriend, is the foundation upon which much of today’s internet infrastructure is built. Ubuntu, one of the most popular desktop linux distros, is itself built upon debian. This blog, and all of my web, mail and other servers, are built upon debian. His legacy will endure.
Murdock left a wife and two young children. He died much, much, too young.
Permanent link to this article: http://baldric.net/2016/01/01/a-bad-way-to-end-the-year/
Dec 24 2015
It’s trivia’s birthday again (9 years old today!), so I just have to post to wish my readers (both of you, you know who you are….) a Merry Christmas and a happy New Year. Much has happened over the last year or so which has distracted me from blogging (life gets in the way sometimes) but I feel my muse returning so I may write more in the new year. Meanwhile, take a look at Alan Woodward’s update to Scott Culp’s 2000 essay “10 Immutable Laws Of Security” which he posted on the BBC site. It is called “have yourself a merry cyber-safe Christmas”.
I’ll drink to that.
Permanent link to this article: http://baldric.net/2015/12/24/merry-christmas-2015/
Dec 08 2015
On Sunday, Motherboard initially reported that, in the wake of the Paris atrocities of November 13th, the French Government was proposing to ban Tor and free WiFi. As it turns out, this is not strictly accurate. The report was later corrected – thus:
Correction: The initial headline and copy of this article suggested that the proposals to block Tor and control free wifi were already part of a proposed law. These are in fact points that the French police and gendarmes would like to see included in the bill, according to the document seen by Le Monde. The headline and copy have been updated to clarify this; we apologise for the error.
Nevertheless, the actual story is still worrying. Governments of all shades seem to react badly when they feel that they must be seen to “do something”. We, in the UK, have already seen how the desire to “do something” results in unfortunate over reaction and ill-thought proposals for legislation. So it is sad to see the French (for whom I have much admiration) apparently reacting to Paris by opting to clamp down on civil liberties. I’d like to think that the reality is not as bad as the initial report suggested though. Certainly the motherboard post now makes clear that:
French law enforcement wants to have (my emphasis) several powers added to a proposed law, including the move to forbid and block the use of the Tor anonymity network, according to an internal document from the Ministry of Interior seen by French newspaper Le Monde.
French law enforcement wish to “Forbid free and shared wi-fi connections” during a state of emergency. This comes from a police opinion included in the document: the reason being that it is apparently difficult to track individuals who use public wi-fi networks.
Noting that China actively blocks connections to Tor, the article continues:
If the French really wanted to block Tor, they might have to consider a model similar to the Chinese regime’s. Naturally, that might be worrying for anyone that cares about free-speech, increasing surveillance, or, say, democracy.
Let’s just hope that sense prevails and Western democracies do not react to terrorism in a way which reduces the very freedoms we cherish so much.
Permanent link to this article: http://baldric.net/2015/12/08/knees-and-other-jerks/
Nov 28 2015
Permanent link to this article: http://baldric.net/2015/11/28/cameron-meets-corbyn/
Nov 23 2015
Like most people in the UK at this time of the year I’ve been doing some on-line shopping lately. Consequently I’m waiting for several deliveries. Some delivery companies (DHL are a good example) actually allow you to track your parcels on-line. In order to do this they usually send out text or email messages giving the tracking ID. Today I received an email purporting to come from UKMail. That email message said:
Your parcel has not been delivered to your address November 23, 2015, because nobody was at home.
Please view the information about your parcel, print it and go to the post office to receive your package.
UKMail expressly disclaims all conditions, guarantees and warranties, express or implied, in respect of the Service. Where the law prevents such exclusion and implies conditions and warranties into this contract, where legally permissible the liability of UKMail for breach of such condition,
guarantee or warranty is limited at the option of UKMail to either supplying the Service again or paying the cost of having the service supplied again. If you don’t receive a package within 30 working days UKMail will charge you for it’s keeping. You can find any information about the procedure and conditions of parcel keeping in the nearest post office.
I /very/ nearly opened the attached file. That is probably the closest I have come to reacting incorrectly to a phishing attack. Nice try guys. And a very good piece of social engineering given the time of year.
Virustotal suggests that the attached file is a malicious word macro container. Interestingly though, only 7 of the 55 AV products that Virustotal uses identified the attachment as malicious. And even they couldn’t agree on the identity of the malware. I suspect that it may be a relatively new piece of code.
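Since the attachment turned out to be a Word macro container that most AV engines missed, a cheap local check for that class of file is worth having. The following is an added example of mine (not code from the post or from Virustotal): it walks a message’s attachments and flags the two common macro carriers, the legacy OLE2 binary container and an OOXML package that contains a `vbaProject.bin`. The sample message is constructed to mimic the delivery notice above; the sender address, filenames and the placeholder bytes inside the package are all made up.

```python
import io
import zipfile
from email import message_from_string
from email.message import EmailMessage

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office container (.doc/.xls)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/...) is a ZIP package
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xlam", ".pptm"}


def classify_attachment(filename, data):
    """Return the reasons an attachment looks like an Office macro container;
    an empty list means these checks found nothing suspicious."""
    reasons = []
    name = (filename or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in MACRO_EXTENSIONS:
        reasons.append(f"macro-enabled extension {ext}")
    if data.startswith(OLE2_MAGIC):
        # Legacy binary formats carry VBA in an internal stream; flag the container itself,
        # since confirming a macro needs an OLE parser (oletools' olevba does this).
        reasons.append("OLE2 compound file (legacy Office container, may hold VBA)")
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as package:
                members = [m.lower() for m in package.namelist()]
        except zipfile.BadZipFile:
            members = []
        if any(m.endswith("vbaproject.bin") for m in members):
            reasons.append("OOXML package contains vbaProject.bin (VBA project)")
    return reasons


def scan_message(raw_message):
    """Walk every MIME part marked as an attachment and collect the suspicious
    ones as (filename, reasons) pairs."""
    msg = message_from_string(raw_message)
    findings = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(part.get_filename(), payload)
        if reasons:
            findings.append((part.get_filename(), reasons))
    return findings


def build_sample_message():
    """Constructed stand-in for the delivery-notice phish: a 'parcel information'
    attachment that is a ZIP package holding a vbaProject.bin, plus a harmless text file."""
    package = io.BytesIO()
    with zipfile.ZipFile(package, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 32)   # placeholder bytes, not a real VBA project
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"   # constructed sender
    msg["To"] = "me@example.invalid"
    msg["Subject"] = "Your parcel has not been delivered"
    msg.set_content("Please view the information about your parcel, print it and go to the post office.")
    msg.add_attachment(package.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Parcel_Information.docm")
    msg.add_attachment("Thank you for using our service.", subtype="plain", filename="notice.txt")
    return msg.as_string()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()):
        print(f"{name}: {'; '.join(reasons)}")
```

The checks look at content, not just the filename, which matters because a phish can call its payload `.doc` while shipping an OOXML package or vice versa. They are deliberately conservative: an OLE2 file is reported as a possible carrier rather than a confirmed macro, because deciding that properly means parsing the OLE streams, which is what olevba is for.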
Permanent link to this article: http://baldric.net/2015/11/23/christmas-present/
Nov 10 2015
Yesterday, Kenneth Freeman posted a note to the tor-relays list drawing attention to a new resource called TorFlow. TorFlow is a beautiful visualisation of Tor network traffic around the world. It enables you to see where traffic is concentrated (Europe) and where there is almost none (Australasia). Having the data overlaid on a world map gives a startling picture of the unfortunate concentration of Tor nodes in particular locations.
I recently moved my own relay from Amsterdam (190 relays) to London (133) but the network needs much more geo-diversity. Unfortunately, international bandwidth costs are lowest in the areas where relays are currently located. Given that the relays are all (well, nearly all…..) run by volunteers like me and funded out of their own pockets it is perhaps not surprising that this concentration should occur. But it is not healthy for the network.
There appears to be a particularly intriguing concentration of 16 relays on a tiny island in the Gulf of Guinea. Apparently this is an artifact though because those relays are all at (0, 0) which I am told GeoIP uses as a placeholder for “unknown” (in fact, GeoIP location is a somewhat imprecise art so there may be other anomalies in the data.)
Permanent link to this article: http://baldric.net/2015/11/10/torflow/