My last post noted that the Guardian had posted a series of articles on the Tor network and Snowden’s latest revelations about how the NSA has been attacking that network. All those posts are worth reading, but my favourite is the one by Bruce Schneier explaining how the NSA has attacked Tor users through browser …
Category: security
Permanent link to this article: https://baldric.net/2013/10/05/the-guardian-on-tor/
Oct 05 2013
good news for tor
The past couple of days have seen a flurry of news stories about Tor. Some of the news has hit the mainstream media, some of it hasn’t. Yet. A couple of day ago, a rather plaintive post to the tor-talk mailing list read: “looking for a way to contact silk road.Site shut down.money at stake.” …
Permanent link to this article: https://baldric.net/2013/10/05/good-news-for-tor/
Sep 23 2013
just for rob
Shortly after the launch of the new iPhone 5S, my old friend Rob emailed me trying to goad me into writing a post about it. After all, it was made by one of my least favourite companies and it contained a supposedly funky bit of kit in the shape of its fingerprint scanner. Rob pointed …
Permanent link to this article: https://baldric.net/2013/09/23/just-for-rob/
Sep 20 2013
that’s another password I have to change
Michael Horowitz has posted an interesting article over at Computer world. In it he points out that, by default, most android devices (tablets and ‘phones) routinely ‘phone home to Google to back up Wi-Fi passwords along with other assorted settings. Google sells this option as a convenience to help you regain settings after you upgrade …
Permanent link to this article: https://baldric.net/2013/09/20/thats-another-password-i-have-to-change/
Sep 20 2013
RSA says don’t use RSA
A report in wired today says that RSA Security [*] have released an advisory to developer customers noting that the Dual Elliptic Curve Deterministic Random Bit Generation (or Dual EC DRBG) algorithm (the one which is subject to speculation about NSA interference) is the default in one of its toolkits and strongly advised them to …
Permanent link to this article: https://baldric.net/2013/09/20/rsa-says-dont-use-rsa/
Sep 12 2013
add ssl to lighttpd server
For some time now I have protected all my own connections to trivia with an SSL connection. I do this to protect my user credentials when managing trivia’s content or configuration. In fact my server is configured to force any connection coming from my IP address to a secured SSL connection so that I cannot …
Permanent link to this article: https://baldric.net/2013/09/12/add-ssl-to-lighttpd-server/
Aug 25 2013
openPGP usage
Over at the the cypherpunks mail list, one Tony Arcieri posted a graphic showing an interesting rise in the number of OpenPGP keys registered on the SKS keyserver in the last month or so. The graphic comes from the SKS statistics page. The overall trend is clearly upwards, and has been for some time, but …
Permanent link to this article: https://baldric.net/2013/08/25/openpgp-usage/
Aug 23 2013
thank you citizen
Imagine Dave’s censorship (^W) surveillance program outsourced to G4S.
Permanent link to this article: https://baldric.net/2013/08/23/thank-you-citizen/
Aug 23 2013
untrusted dod certificate
Chris Williams over at El Reg posted a nice article about the kind of crypto best practice you need to follow if you care about privacy. The article questions the wisdom of using David Miranda as what Williams calls a “data mule” to carry physical electronic media (possibly) containing sensitive data through Heathrow and goes …
Permanent link to this article: https://baldric.net/2013/08/23/untrusted-dod-certificate/
Aug 22 2013
tor usage on the rise
A couple of weeks ago I noted that the release of tails 0.20 seemed to be popular – at least if the traffic on my mirrors was anything to go by. The statistics published by the Tor project itself show an interesting rise in (probable) Tor usage since June. The graphic shows that the number …
Permanent link to this article: https://baldric.net/2013/08/22/tor-usage-on-the-rise/
Aug 20 2013
aunty doesn’t get it
The BBC has today commented on the Guardian story about David Miranda’s detention for nearly nine hours at Heathrow under Schedule 7 of the UK Terrorism Act 2000. The BBC’s on-line report ends with a web feedback form asking: Have you been detained under schedule 7 of the Terrorism Act 2000 at a British airport, …
Permanent link to this article: https://baldric.net/2013/08/20/aunty-doesnt-get-it/
Aug 10 2013
tor users under attack
The Tor network does not just provide anonymous internet access, it also provides for so-called hidden services. These services are not visible outside the Tor network and are only reachable over Tor. The servers are given Tor specific addresses of the form “xyz123.onion” (actually, the addresses are a little more complicated than that because the …
Permanent link to this article: https://baldric.net/2013/08/10/tor-users-under-attack/
Aug 09 2013
lavabit dead
I run my own mail server for a number of reasons. And I rarely regret that decision. However, there have been occasions in the past when relying on a single mail provider (even when that provider is myself) has proven problematic. The first problem arose several years ago when the ISP which I use for …
Permanent link to this article: https://baldric.net/2013/08/09/lavabit-dead/
Aug 03 2013
security failure at digital ocean
This morning I received an email from Digital Ocean titled “Avoid Duplicate SSH Host Keys”. The email said: “If you have created an Ubuntu Droplet or snapshot prior to July 2nd, DigitalOcean recommends regenerating the SSH host keys. Droplets based on standard images now create unique SSH host keys.” (This, of course, implies that they …
Permanent link to this article: https://baldric.net/2013/08/03/security-failure-at-digital-ocean/
Jul 28 2013
repeat after me – snowden is not the story
John Naughton has an interesting column in his “networker” series in today’s Observer. In it he laments the fact that the majority of the world’s mainstream media seem more intent on reporting on Snowden the man than on what Snowden has revealed. He starts: “Repeat after me: Edward Snowden is not the story. The story …
Permanent link to this article: https://baldric.net/2013/07/28/repeat-after-me-snowden-is-not-the-story/
Jul 26 2013
soldier available cross magnet
I am in the process of changing passwords on a bunch of different systems/applications and have been pondering my algorithms, so to speak. Like my friend David, I have an internal model of varying password schemes which I can use in different places. This means that I can happily pick a password for a low …
Permanent link to this article: https://baldric.net/2013/07/26/soldier-available-cross-magnet/
Jul 21 2013
ubuntu forums compromised
Right now (21.00 today), the ubuntu forums site says it is “down for maintenance”. It appears to have been down since yesterday. The site reports: There has been a security breach on the Ubuntu Forums. The Canonical IS team is working hard as we speak to restore normal operations. This page will be updated regularly …
Permanent link to this article: https://baldric.net/2013/07/21/ubuntu-forums-compromised/
Jul 17 2013
save your money – just use tails
I suppose it was inevitable that the Snowden revelations would lead to greater interest in privacy and anonymity. I applaud that. I suppose it was also inevitable that there would be a rash of commercial products emerging from both “entrepreneurs” and the more established “security” companies to take advantage of that increased interest. That, I …
Permanent link to this article: https://baldric.net/2013/07/17/save-your-money-just-use-tails/
Jul 15 2013
tor and https at eff
For those of you unsure of what might leak where and when using tor and/or https to protect your browsing, there is a useful interactive graphic on the EFF site. As EFF point out, the potentially visible data includes: the site you are visiting, your username and password, the data you are transmitting, your IP …
Permanent link to this article: https://baldric.net/2013/07/15/tor-and-https-at-eff/
Jun 24 2013
more irony
This is lovely. On a whim I have just checked the DNS for the Guardian. I got the following results: MX records: guardian.co.uk mail exchanger = 30 guardian.co.uk.s200b1.psmtp.com. guardian.co.uk mail exchanger = 40 guardian.co.uk.s200b2.psmtp.com. guardian.co.uk mail exchanger = 10 guardian.co.uk.s200a1.psmtp.com. guardian.co.uk mail exchanger = 20 guardian.co.uk.s200a2.psmtp.com. So – all four MX records point to SMTP …
Permanent link to this article: https://baldric.net/2013/06/24/more-irony/
Jun 17 2013
trivial traffic bump
I normally get around 1000 to 1300 hits a day (or 32,000 to 40,000 per month) on trivia. Not a huge hit rate, but consistent and on a slight upward trend over the past year. Today I have seen over double that – most of it this morning. Between 05.30 and 07.00 local time my …
Permanent link to this article: https://baldric.net/2013/06/17/trivial-traffic-bump/
Jun 16 2013
prism opt-out
In all the noise on the ‘net about the alleged NSA PRISM program, this new site offers an amusing, but nonetheless useful, list of free alternatives to proprietary software. In part the site sort of misses the point about PRISM, but it is still good to see someone taking the time to point out that …
Permanent link to this article: https://baldric.net/2013/06/16/prism-opt-out/
Jun 15 2013
Edward Snowden
The revelations of the past week or so have been interesting to me more for what they haven’t said, than what they have. There are a few points arising from Snowden’s story which puzzle me and which don’t seem to have been addressed by the mainstream media – at least not the ones I read. …
Permanent link to this article: https://baldric.net/2013/06/15/edward-snowden/
Jun 10 2013
PRISM – we had it first
I can exclusively reveal that the UK government had a PRISM database long before those upstarts in the USA. In the late 1970s I worked in the Statistics Division of what was then the UK Civil Service Department. We used a database of Civil Service personnel called PRISM (Personnel Record Information System for Management). I …
Permanent link to this article: https://baldric.net/2013/06/10/prism-we-had-it-first/