vnstat on my tor node

My last post showed the huge growth in the number of Tor clients since 19 August. Despite much speculation and discussion on the Tor email lists there is still, as yet, no definitive consensus on what is causing the rise. Many commentators seem to favour the botnet theory.

Personally I’m still puzzled by the apparent lack of direct impact on Tor traffic volumes. My own node is currently showing close to 6000 established TCP connections (up from a normal steady state mean of around 2000) yet my traffic has not risen commensurately. Admittedly my node is complaining like hell that it is “too slow to handle this many circuit creation requests!” and top shows Tor consuming around 85% of CPU but I’d still expect to have seen some notable rise in traffic.

Here’s my daily vnstat report for the last 30 days (click image for full size).

[image: bin-vnstat-d]

Odd.

Permanent link to this article: https://baldric.net/2013/08/31/vnstat-on-my-tor-node/

tor users up

Along with the longer term upward trend in the usage in tor I noted below, there has now been a large, rapid rise in the number of connected tor clients in the last week or so.

The tor usage statistics graphs show a dramatic doubling of daily connected clients (from around the 500,000 mark to well in excess of 1,000,000) since around the 18th or 19th of August.

[image: tor-users-all]

If we look at the same statistics for UK client usage we see a jump from around 16,000 to over 32,000.

[image: tor-users-uk]

and in the US we see a rise from just under 100,000 to around 140,000.

[image: tor-users-us]

Given such a very sharp and unexpected rise in the number of clients with no corresponding jump in the number of relays or exits we should expect a noticeable degradation in the performance of the network. However, the performance statistics for the same period merely show a slight worsening in the times taken to complete a 50 KiB request over tor.

[image: tor-performance]

As Roger Dingledine notes in a post to tor-talk today, it is hard to say whether or not that slight worsening is a real difference.

As yet, no-one on the tor project seems to have a firm view on the reasons for this particularly steep rise at this particular time. Dingledine speculates that the recent release of a browser bundle by the Pirate Bay (a release which is not endorsed by the tor project) or alternatively a botnet could be responsible, but neither seems to me to be that plausible. Pirate Bay users are notorious for their desire to access .iso images of videos, particularly over bittorrent. Whilst many exit relays specifically exclude torrent traffic in their exit policies, I think a flood of Pirate Bay users on the scale noted would have had a much more serious impact on tor network performance than seems to have been the case. Similarly, if a botnet of the magnitude of around half a million clients suddenly started to use tor (probably in an attempted DDoS of some unfortunate target) I would expect to see a much greater impact on the network than a slight slowing of file retrieval times.

The next few days should be interesting. Might we see a spate of complaints about “attacks” from tor (lending credence to the botnet theory)?

Permanent link to this article: https://baldric.net/2013/08/27/tor-users-up/

openPGP usage

Over at the cypherpunks mail list, one Tony Arcieri posted a graphic showing an interesting rise in the number of OpenPGP keys registered on the SKS keyserver in the last month or so.

[image: openPGP-keys]

The graphic comes from the SKS statistics page. The overall trend is clearly upwards, and has been for some time, but there is an uptick in the rate of addition recently.

As “rysiek” says in a later post:

“Correlation does not imply causation…

…however…

“Nobody really cares about PRISM” my ass.

Perhaps my experience of apparent apathy is wrong.

For anyone inexperienced in the use of personal cryptographic tools, but interested in using OpenPGP, I would recommend this paper on OpenPGP best practice by Riseup Labs’ Privacy and Authenticity Outreach Workgroup. In fact the paper is useful even if you think you know what you are doing with OpenPGP.

Permanent link to this article: https://baldric.net/2013/08/25/openpgp-usage/

thank you citizen

Imagine Dave’s censorship (^W) surveillance program outsourced to G4S.

Permanent link to this article: https://baldric.net/2013/08/23/thank-you-citizen/

untrusted dod certificate

Chris Williams over at El Reg posted a nice article about the kind of crypto best practice you need to follow if you care about privacy. The article questions the wisdom of using David Miranda as what Williams calls a “data mule” to carry physical electronic media (possibly) containing sensitive data through Heathrow and goes on to explain how all of that could have been avoided.

Williams explains the use of the free, open source, cryptographic toolset GPG and suggests that a “cautious” user is advised to:

“generate a Diffie-Hellman/DSS (or RSA if you’re paranoid) key pair that’s 4,096 bits in length, set to expire in one year (or less if you’re planning a short whistle-blowing career), using AES-256 as the encryption cipher and SHA-2-512 as the hash function.”
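The recipe Williams describes, written out as a GnuPG unattended key-generation parameter file. This is an added example, not part of the article and not taken from GnuPG's own documentation; the name, address and file name are placeholders. One caveat on the quoted advice: GnuPG caps a DSA primary key at 3072 bits, so a 4,096-bit key of the kind described means RSA, which is what the file below asks for.

```text
%echo Generating a 4096-bit RSA signing key with a 4096-bit RSA encryption subkey
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt
Name-Real: Example User
Name-Email: user@example.org
Expire-Date: 1y
Preferences: SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
%ask-passphrase
%commit
%echo done
```

Save it as keyparams.txt and run `gpg --batch --gen-key keyparams.txt`; `%ask-passphrase` makes gpg prompt for the passphrase rather than reading it from the file. Note that the `Preferences` line only advertises which ciphers and hashes you would like correspondents to use when writing to you. To make your own signatures and the key's self-signatures use SHA-512, you also need `cert-digest-algo SHA512` and `personal-digest-preferences SHA512` in gpg.conf; the Riseup best-practice paper mentioned in the openPGP usage post above covers those settings.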

He points out that the AES-256 cypher is recommended in NSA’s own advice (warning – PDF) on the use of public crypto algorithms.

When following that link, I was delighted to discover that it leads to a server at CNSS which uses an untrusted SSL certificate. My browser (firefox) dutifully popped up the warning:

“Could not verify this certificate because the issuer is not trusted.”

(The site also insists that you allow cookies, but hey.)

[image: us-dod-not-trusted]

Of course that particular warning is about the issuer, not the name: it is what Firefox says when a certificate chains to a root it does not ship, and the US DoD root CAs are not in Mozilla’s trust store. The certificate also appears to have been issued for a server in a different domain (www.ioss.gov, not www.cnss.gov), which would earn a separate name-mismatch warning even if the issuer were trusted. I am perfectly prepared to believe that this is simply administrative cockup, but the message that a US DoD site cannot be trusted is just wonderfully apt at the moment.

(As an aside, I too find it bizarre that Miranda should have apparently been carrying any “Snowden related” material through Heathrow. But since the Guardian has gone to the trouble, and expense of a) paying for Miranda’s trip, and b) paying for legal attempts to injunct HMG use of the material seized, I assume that to be the case. Now why Miranda should have agreed to that, or Greenwald permitted/encouraged him to do so is beyond me. I cannot imagine a scenario where I would be asking my wife to attempt to smuggle material which I knew would be of such immense interest to HMG. A discussion with my wife about this confirmed to me that my assumption about her likely reaction to such a request was correct. Her reply was short, and blunt.)

Permanent link to this article: https://baldric.net/2013/08/23/untrusted-dod-certificate/

tor usage on the rise

A couple of weeks ago I noted that the release of tails 0.20 seemed to be popular – at least if the traffic on my mirrors was anything to go by. The statistics published by the Tor project itself show an interesting rise in (probable) Tor usage since June.

[image: tor-relay-stats]

The graphic shows that the number of active relays rose from around 3,500 in mid June to around 4,200 in mid August. The trend is clearly upwards so it would seem that more people are becoming sufficiently motivated to fund Tor nodes.

That’s fun.

Permanent link to this article: https://baldric.net/2013/08/22/tor-usage-on-the-rise/

aunty doesn’t get it

The BBC has today commented on the Guardian story about David Miranda’s detention for nearly nine hours at Heathrow under Schedule 7 of the UK Terrorism Act 2000.

The BBC’s on-line report ends with a web feedback form asking:

Have you been detained under schedule 7 of the Terrorism Act 2000 at a British airport, port or international rail station? Please get in touch using the form below.

The form asks potential contacts for their name, email address, town and country of residence, and telephone number before concluding:

If you are happy to be contacted by a BBC journalist please leave a telephone number that we can contact you on. In some cases a selection of your comments will be published, displaying your name as you provide it and location, unless you state otherwise. Your contact details will never be published.

The form is unencrypted.

Permanent link to this article: https://baldric.net/2013/08/20/aunty-doesnt-get-it/

porn over postie

I was browsing the RevK’s blog (originally brought to my attention by David) this morning and came across this gem. It would seem that some UK households have been receiving unsolicited pornographic DVDs through the post. As the RevK says:

Well, obviously the Royal Mail need a default opt-in adult content filtering in place for this – it is just not good enough – my kids could open the post unsupervised and play these DVDs. They should open every parcel and letter and check it is not porn in there. Why is the Royal Mail allowing this? I did not opt-in for the porn version of post did I? The government need to force all postal carriers to filter the mail NOW!!!!

Point well made.

Permanent link to this article: https://baldric.net/2013/08/12/porn-over-postie/

tor users under attack

The Tor network does not just provide anonymous internet access, it also provides for so-called hidden services. These services are not visible outside the Tor network and are only reachable over Tor. The servers are given Tor-specific addresses of the form “xyz123.onion” (actually, the addresses are a little more complicated than that: the identifier portion of the address is the first 10 bytes of the SHA-1 digest of the ASN.1 (DER) encoded RSA public key for the service, base32 encoded to give 16 characters, but you get the picture I’m sure). This naming convention has led to the servers being known as “onions”.
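The address derivation just described, worked through in code. This is an added example and not code from the post or from Tor itself; it hand-encodes the PKCS#1 RSAPublicKey structure (the same DER that OpenSSL’s i2d_RSAPublicKey produces, which is what Tor hashes) rather than pulling in a crypto library, and the modulus it feeds in is a constructed number of the right size, not a real service key. This is the v2 scheme in use in 2013; it has since been superseded by v3 addresses (ed25519 keys, SHA3) and retired from the network in 2021.

```python
import base64
import hashlib


def der_length(n):
    """DER length octets: one byte below 128, otherwise 0x80|count followed by the length bytes."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    """DER INTEGER (tag 0x02) for a non-negative integer. A leading 0x00 is inserted when the
    top bit is set, because DER integers are two's complement and would otherwise read as negative."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def der_rsa_public_key(n, e):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = der_integer(n) + der_integer(e)
    return b"\x30" + der_length(len(body)) + body


def onion_v2_address(n, e):
    """v2 onion name: base32 of the first 10 bytes (80 bits) of SHA-1 over the DER key,
    lower-cased, plus the .onion suffix. 80 bits is exactly 16 base32 characters, so no padding."""
    digest = hashlib.sha1(der_rsa_public_key(n, e)).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


# Constructed stand-in for a 1024-bit service key: a number of the right size, not a real modulus.
SAMPLE_N = (1 << 1023) + 12345
SAMPLE_E = 65537

if __name__ == "__main__":
    print(der_rsa_public_key(SAMPLE_N, SAMPLE_E).hex()[:32], "...")
    print(onion_v2_address(SAMPLE_N, SAMPLE_E))
```

Because only 80 bits of the 160-bit digest survive, the address is a truncated hash of the key rather than the key itself; that is why “vanity” v2 onion names could be ground out by brute force, and one of the reasons v3 moved to embedding the whole public key in the name.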

On the 4th of August a correspondent on the tor-talk email list posted a message saying:

Noting what is apparently a very large drop in the number of onions online. Still checking…

In response another correspondent posted a reference to the reddit site discussing the recent arrest of the founder of the “Freedom Hosting” sites. Freedom Hosting was apparently widely used for hosting .onions, and allegedly, some of those sites were used to host child pornography. Another correspondent sent a reference to the openwatch post of 4 August which reported that the owner of Freedom Hosting had been arrested in Ireland and was being held pending an FBI extradition request to the USA. It also reported that malicious JavaScript had been discovered on a number of hidden (onion) services.

An early official posting about the incident from the torproject came late on the 4th and was posted to tor-talk on the 5th of August. In that post, phobos said:

The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research.

That was important, and needed to be said because there was already evidence of some confusion about the status of Freedom Hosting and indeed of hidden services in general. The fact is that the Tor network is simply an enabling mechanism for such services and the project itself has no control over who hosts services, where or why they host them or who uses them. That is the whole point of an anonymous network. It is anonymous.

Phobos went on:

In the past, adversarial organizations have skipped trying to break Tor hidden services and instead attacked the software running at the server behind the dot onion address. Exploits for PHP, Apache, MySQL, and other software are far more common than exploits for Tor. The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server in a way that it injects some sort of javascript exploit in the web pages delivered to users. This exploit is used to load a malware payload to infect user’s computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We’re investigating these bugs and will fix them if we can.

As for now, one of multiple hidden service hosting companies appears to be down. There are lots of rumors and speculation as to what’s happened. We’re reading the same news and threads you are and don’t have any insider information. We’ll keep you updated as details become available.

A later posting, on 5 August, expanded on the first post, saying that:

An attack that exploits a Firefox vulnerability in JavaScript has been observed in the wild. Specifically, Windows users using the Tor Browser Bundle (which includes Firefox plus privacy patches) appear to have been targeted.

That post also pointed to a full advisory from Roger Dingledine at torproject. In that advisory, Dingledine notes:

In principle, all users of all Tor Browser Bundles earlier than the above versions are vulnerable. But in practice, it appears that only Windows users with vulnerable Firefox versions were actually exploitable by this attack.

To be clear, while the Firefox vulnerability is cross-platform, the attack code is Windows-specific. It appears that TBB users on Linux and OS X, as well as users of LiveCD systems like Tails, were not exploited by this attack.

He describes the impact of the attack thus:

The vulnerability allows arbitrary code execution, so an attacker could in principle take over the victim’s computer. However, the observed version of the attack appears to collect the hostname and MAC address of the victim computer, send that to a remote webserver over a non-Tor connection, and then crash or exit. The attack appears to have been injected into (or by) various Tor hidden services, and it’s reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services.
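The detail that matters in Dingledine’s description is the “non-Tor connection”: the payload did not need to break Tor, it only needed a host that was allowed to talk to the internet directly. Tails, which pushes everything through Tor and drops other outbound traffic at its firewall, would have blocked that phone-home even had the exploit run. The egress policy below is an added example of enforcing the same thing on an ordinary Linux host; it is not taken from Tails or from the Tor Project, and it assumes the Debian/Ubuntu tor package’s `debian-tor` system user and a browser that reaches Tor only through the local SOCKS port.

```text
# Only the Tor daemon may originate traffic; everything else is logged and refused.
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "non-tor-egress: "
iptables -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
```

This deliberately breaks direct DNS along with everything else, which is the point: the Tor Browser resolves names through the SOCKS connection, so it keeps working, while anything that tries to go around Tor (including a payload running as the browser user) fails and leaves a `non-tor-egress:` line in the kernel log. Grepping for that prefix is a cheap check that nothing on the box is leaking.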

In the ensuing, rather confused, round of post and counter post a couple of things became clear. Firstly, the tinfoil beanie hat brigade (TFBHB) were out in force. Speculation as to the source [*] of what was later to become termed “torsploit” was rife, ranging from the NSA or FBI to the hacker group Anonymous (who it must be said had form with Freedom Hosting, having attacked it in the past because of its alleged hosting of child pornography) or even to the owner of Freedom Hosting himself. Secondly, there was increasing concern about the continued validity and utility of Tor as a trustworthy anonymising tool (“is Tor still valid?”).

Many commentators (e.g. Chakravarty, Stavrou and Keromytis, or Salo) have noted in the past that Tor is vulnerable to a “Global Passive Adversary” (or GPA: someone who can observe all internet traffic). If the existence of a GPA is accepted then it could reasonably be postulated that such an adversary would be capable of de-anonymising Tor users, largely through traffic analysis alone. However, until recently, the actual existence of such a capable adversary was in some doubt, though there was no doubt that some countries were in a position of de facto GPA in their local domain (e.g. China with respect to its population).

What seemed to have been less expected was that an adversary would launch an active attack such as “torsploit” with the aim of de-anonymising Tor users. It is this latest attack which seems to have brought the TFBHB out in such force. In the rather febrile atmosphere post Snowden, any such visible attack on Tor users begins to look highly suspicious, particularly if that attack is aimed simply at identifying end users of Tor hidden services. When early analysis of “torsploit” identified the hard coded IP address in the exploit as belonging to US defense contractor SAIC and geolocation of the IP address allegedly corresponded to an SAIC facility in Arlington, Virginia, every TFBHB member on the ‘net screamed “NSA”. Over at El Reg, the conspiracy theorists had a field day (I particularly liked one comment which asked “how long until it turns out that Snowden allegedly owns those IP addresses”).

Since that early analysis by Baneki Privacy Labs and VPN provider Cryptocloud, the researchers have backed off a little from their claims that there is a heavily smoking gun. A post by Cryptocloud dated 7 August says that they no longer believe that they can conclusively state that the IP address in question was allocated by SAIC to the NSA.

Whilst the jury may yet be out on the identity of the actual “torsploit” actors, the impact they have had on actual Tor usage seems likely to be minimal. Yesterday, 9 August, tails 0.20 was released. Whilst tails users themselves would not have been vulnerable to the attack, tails 0.20 fixed several security issues which had been identified in tails 0.19. On checking my own tails mirrors last night I noticed that one was transmitting at a mean rate over 90 Mbit/s (normal mean around 10-12 Mbit/s) the other was running at around 65 Mbit/s (normal mean 7-9 Mbit/s). If my experience is typical of the other mirrors, then tails usage looks to be fairly healthy in future.

I think Tor is here to stay.

[*] Update added 14 September 2013.

According to this report in wired.com, pointing to a report in the Irish Independent of 12 September, the FBI admitted in Court in Ireland that it was behind the seizure of the Freedom Hosting servers. The wired article also implies that the FBI were responsible for the “torsploit” malware attack. However, this claim is not supported by any reporting in the original Irish Independent article.

Permanent link to this article: https://baldric.net/2013/08/10/tor-users-under-attack/

lavabit dead

I run my own mail server for a number of reasons. And I rarely regret that decision. However, there have been occasions in the past when relying on a single mail provider (even when that provider is myself) has proven problematic. The first problem arose several years ago when the ISP which I use for my main VPS (Bytemark) had a few technical problems which took my mail server off-line. Like most ISPs these days, Bytemark do most of their business via email. With my email out, I couldn’t correspond with the provider. My second problem was caused by AOL who cannot run a mail service to save their lives. Oddly many of my old friends use AOL and I correspond with those friends “in bulk” (via a list of sorts – those friends are in my old bike club). For some reason known only to AOL they periodically decide that my email service is hostile (possibly a source of spam). It isn’t and my email server appears on no known RBLs. Only AOL treat it as suspect and bounce my email to multiple friends. Oddly, individual emails addressed to only one or two of those AOL users at a time work fine.

Obviously I needed a backup email system. Gmail? You have to be joking. Outlook? Only if I want to pretend to be Linus. So I needed a backup service which I could trust, which was advert free and which I could use simply as a fallback from my main email on my own domains. Lavabit met that requirement and I have used their service very happily on and off for some time. Yesterday I couldn’t reach their server and a message on their website said that POP3 access was offline. Today I learned that Ladar Levison, the owner/operator has taken the service down completely.

[image: lavabit-dead]

Levison says on the front (and now only) page of the Lavabit site:

This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.

Silentcircle, another provider of secure communications services has today also decided to shut down its email service. A note on their blog says:

Silent Mail has thus always been something of a quandary for us. Email that uses standard Internet protocols cannot have the same security guarantees that real-time communications has. There are far too many leaks of information and metadata intrinsically in the email protocols themselves. Email as we know it with SMTP, POP3, and IMAP cannot be secure.

And yet, many people wanted it. Silent Mail has similar security guarantees to other secure email systems, and with full disclosure, we thought it would be valuable.

However, we have reconsidered this position. We’ve been thinking about this for some time, whether it was a good idea at all. Today, another secure email provider, Lavabit, shut down their system lest they “be complicit in crimes against the American people.” We see the writing the wall, and we have decided that it is best for us to shut down Silent Mail now. We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now.

So, as Neelie Kroes said, bang goes the US cloud service model. Fortunately I do not personally have any data I care about in any US based service. My US VMs are only used as Tor nodes or tails mirrors. Unfortunately I do not know whether any third party which holds data about me I care about does hold that data in the US.

But I’ll bet there are a few.

Permanent link to this article: https://baldric.net/2013/08/09/lavabit-dead/

security failure at digital ocean

This morning I received an email from Digital Ocean titled “Avoid Duplicate SSH Host Keys”. The email said:

“If you have created an Ubuntu Droplet or snapshot prior to July 2nd, DigitalOcean recommends regenerating the SSH host keys. Droplets based on standard images now create unique SSH host keys.”

(This, of course, implies that they didn’t before. Bad news.)

It went on to say how to do this, but rather disappointingly didn’t say either why I should, or why I should need to do so. A naive user might see the, in my view rather weak line “…recommends regenerating the SSH host keys”, and not take the issue as seriously as it needs to be taken. Fortunately the email gave a link to a blog post giving more detail. But even that blog post didn’t really do the subject justice. Fortunately however, one of the commenters to that posting provided a link to a separate earlier posting by Joshua Lund, a DO customer, explaining how he had discovered that all the ubuntu images he created seemed to come up with the same ssh host keys. This is not a good thing (TM).

DO seem now to have fixed the problem and it seems only to have affected ubuntu images. I use debian, and I’ve checked mine and they are all different, but I’ll regenerate anyway just for good form. But there is a wider lesson here. As Lund says in his post:

“this problem might affect other VPS providers as well. It would also be easy to fall into the same trap if you are using disk images to rapidly provision new hardware.”

I am about to regenerate keys on all my other VPSs.
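What the DO email left out is why this matters: the host key is the only thing an SSH client has to tell your server apart from an impostor, so if every droplet built from the same image carries the same key, anyone who can spin up that image can sit in the middle of a connection to any of them without tripping a known_hosts warning. The added example below (my code, not DO’s or Lund’s) is the fleet-wide check I would run before and after regenerating: collect `ssh-keyscan` output for every host and report any key that turns up on more than one of them. The sample scan is constructed, with label strings standing in for real key blobs. On Debian and Ubuntu, regeneration itself is `rm /etc/ssh/ssh_host_* && dpkg-reconfigure openssh-server`, after which clients will rightly complain that the key changed.

```python
import base64
import hashlib
from collections import defaultdict


def fingerprint(blob_b64):
    """SHA256 fingerprint in the form ssh-keygen -lf prints (base64, padding stripped)."""
    raw = base64.b64decode(blob_b64)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode("ascii").rstrip("=")


def parse_keyscan(text):
    """Parse ssh-keyscan output ('<host> <keytype> <base64 blob>'); comments and blanks skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, ignore
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def find_shared_host_keys(text):
    """Map each fingerprint seen on more than one host to the sorted list of those hosts."""
    hosts_by_fp = defaultdict(set)
    for host, _keytype, blob in parse_keyscan(text):
        hosts_by_fp[fingerprint(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


def _blob(label):
    """Stand-in for a key blob: base64 of a label. Real blobs are the wire-format public key."""
    return base64.b64encode(label.encode("ascii")).decode("ascii")


# Constructed ssh-keyscan output: not real hosts, not real keys.
SAMPLE_KEYSCAN = "\n".join([
    "# 10.0.0.11:22 SSH-2.0-OpenSSH_6.2",
    "10.0.0.11 ssh-rsa " + _blob("key-baked-into-the-image"),
    "10.0.0.12 ssh-rsa " + _blob("key-baked-into-the-image"),
    "10.0.0.13 ssh-rsa " + _blob("key-generated-on-first-boot-13"),
    "10.0.0.12 ecdsa-sha2-nistp256 " + _blob("ecdsa-key-12"),
])

if __name__ == "__main__":
    for fp, hosts in find_shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"{fp} shared by {', '.join(hosts)}")
```

Feed it real data with `ssh-keyscan -t rsa,ecdsa host1 host2 ... > scan.txt` and pass the file contents to `find_shared_host_keys`. An empty result is what you want; any hit means those hosts are indistinguishable to every SSH client on the planet.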

Permanent link to this article: https://baldric.net/2013/08/03/security-failure-at-digital-ocean/

repeat after me – snowden is not the story

John Naughton has an interesting column in his “networker” series in today’s Observer. In it he laments the fact that the majority of the world’s mainstream media seem more intent on reporting on Snowden the man than on what Snowden has revealed.

He starts:

“Repeat after me: Edward Snowden is not the story. The story is what he has revealed about the hidden wiring of our networked world. This insight seems to have escaped most of the world’s mainstream media, for reasons that escape me but would not have surprised Evelyn Waugh:”

He then goes on:

“In a way, it doesn’t matter why the media lost the scent. What matters is that they did. So as a public service, let us summarise what Snowden has achieved thus far. Without him, we would not know how the National Security Agency (NSA) had been able to access the emails, Facebook accounts and videos of citizens across the world; or how it had secretly acquired the phone records of millions of Americans; or how, through a secret court, it has been able to bend nine US internet companies to its demands for access to their users’ data.

Similarly, without Snowden, we would not be debating whether the US government should have turned surveillance into a huge, privatised business, offering data-mining contracts to private contractors such as Booz Allen Hamilton and, in the process, high-level security clearance to thousands of people who shouldn’t have it. Nor would there be — finally — a serious debate between Europe (excluding the UK, which in these matters is just an overseas franchise of the US) and the United States about where the proper balance between freedom and security lies.”

Then comes his complaint:

“These are pretty significant outcomes and they’re just the first-order consequences of Snowden’s activities. As far as most of our mass media are concerned, though, they have gone largely unremarked. Instead, we have been fed a constant stream of journalistic pap — speculation about Snowden’s travel plans, asylum requests, state of mind, physical appearance, etc. The “human interest” angle has trumped the real story, which is what the NSA revelations tell us about how our networked world actually works and the direction in which it is heading.”

Now I like Naughton, and I have a lot of sympathy with his viewpoint. But I confess that I am surprised that he is surprised at the media reaction. He rails:

“The obvious explanations are: incorrigible ignorance; the imperative to personalise stories; or gullibility in swallowing US government spin, which brands Snowden as a spy rather than a whistleblower.”

Well, I’m with him on the ignorance bit. But I would also add that most people, i.e. consumers of the media he rails against, couldn’t care less about what Snowden has revealed. After all, I am a privacy advocate and I have a /really/ hard time convincing my friends and family that there is any problem here. They just shrug and say “Why should I care? The NSA isn’t interested in me.” Those same friends and family happily share excruciating details about themselves, their friends and family on facebook and just pull bored faces whenever Mick “goes off on one again”. If the readers don’t care then the media won’t either. Bread and circuses are more interesting – that and Snowden’s pole dancing girlfriend.

In an attempt to show why what Snowden has to say is more important than Snowden the man, Naughton concludes:

“the Snowden revelations also have implications for you and me.

They tell us, for example, that no US-based internet company can be trusted to protect our privacy or data. The fact is that Google, Facebook, Yahoo, Amazon, Apple and Microsoft are all integral components of the US cyber-surveillance system. Nothing, but nothing, that is stored in their “cloud” services can be guaranteed to be safe from surveillance or from illicit downloading by employees of the consultancies employed by the NSA. That means that if you’re thinking of outsourcing your troublesome IT operations to, say, Google or Microsoft, then think again.

And if you think that that sounds like the paranoid fantasising of a newspaper columnist, then consider what Neelie Kroes, Vice-president of the European Commission, had to say on the matter recently. “If businesses or governments think they might be spied on,” she said, “they will have less reason to trust the cloud, and it will be cloud providers who ultimately miss out. Why would you pay someone else to hold your commercial or other secrets, if you suspect or know they are being shared against your wishes? Front or back door — it doesn’t matter — any smart person doesn’t want the information shared at all. Customers will act rationally and providers will miss out on a great opportunity.”

Spot on. So when your chief information officer proposes to use the Amazon or Google cloud as a data-store for your company’s confidential documents, tell him where to file the proposal.”

I think that last point is the most important one. Commercial pressure upon US “Cloud Service” providers in terms of loss of business from non US customers is going to focus some minds. And I can’t help thinking that there is a huge opportunity here for domestic service providers throughout Europe and the rest of the world if they can set up competing services which abide by strict data privacy laws. Even if that means new legislation in some jurisdictions.

Permanent link to this article: https://baldric.net/2013/07/28/repeat-after-me-snowden-is-not-the-story/

soldier available cross magnet

I am in the process of changing passwords on a bunch of different systems/applications and have been pondering my algorithms, so to speak. Like my friend David, I have an internal model of varying password schemes which I can use in different places. This means that I can happily pick a password for a low risk site which will be easy to remember but relatively secure (for some definition of secure) but which will be very different in structure to one used on a high risk site, such as one giving access to my meagre savings. This means that even if a bad guy compromises a “low hanging fruit” web site which may hold one of my passwords I don’t have to panic and run around figuring out which other sites I may have to worry about. Not only will the password be different, but the algorithm generating that password will be different.

As ever, Randall Munroe over at xkcd has an interesting take on password algorithms. xkcd 936 offers the view that a phrase of four random common words is both easier to remember and more secure than a seemingly strong password of the traditional mixed case, alphanumeric, minimum length type favoured by some of our sillier financial institutions.

I was therefore delighted to find Jeff Phreshing’s xkcd passphrase generator.
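Here is the xkcd 936 arithmetic worked through, as an added example of my own rather than code from the generator linked above. The word list is a constructed dozen for illustration (the title of this post is in it); a real generator ships thousands, and xkcd’s 44-bit figure assumes about 2048 words, i.e. 11 bits per word. The one caveat worth making explicit is that xkcd compares the passphrase with a human-chosen “Tr0ub4dor&3”-style password; a uniformly random 8-character alphanumeric string actually carries slightly more entropy than four words from a 2048-word list, so the win is memorability at equal strength, not magic.

```python
import math
import secrets

# Constructed word list for illustration only. xkcd 936 assumes a list of about
# 2048 common words (11 bits per word); real generators ship thousands.
WORDS = ["soldier", "available", "cross", "magnet", "correct", "horse",
         "battery", "staple", "copper", "window", "river", "silent"]


def passphrase(words, count=4, pick=secrets.choice):
    """Join `count` words drawn uniformly and independently (with replacement) from `words`.
    `pick` defaults to secrets.choice, which uses the OS CSPRNG rather than random.choice."""
    if len(set(words)) < 2:
        raise ValueError("word list must contain at least two distinct words")
    return " ".join(pick(words) for _ in range(count))


def passphrase_entropy_bits(list_size, count=4):
    """Bits of entropy when each word is an independent uniform pick from list_size words."""
    return count * math.log2(list_size)


def random_string_entropy_bits(alphabet_size, length):
    """Bits of entropy of a uniformly random string; a human-chosen one has far less."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits, list_size):
    """Smallest number of words giving at least target_bits from a list_size list."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print(passphrase(WORDS))
    print(f"{passphrase_entropy_bits(2048):.1f} bits for 4 words from 2048")
    print(f"{random_string_entropy_bits(62, 8):.1f} bits for 8 random alphanumerics")
    print(f"{words_needed(80, 7776)} Diceware words for 80 bits")
```

The last function is the useful one for a high-risk site: with a 2048-word list you need eight words to clear 80 bits, and with the 7776-word Diceware list, seven.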

In future all my passwords will be of the form seen in the title of this post.

No really. They will. All of them.

Permanent link to this article: https://baldric.net/2013/07/26/soldier-available-cross-magnet/

how not to hide

I have written several times in the past about the tedious crud which hits my blog spam filters. Of late I have seen an increase in spam which looks, at first sight, like a plausible comment, but on closer inspection turns out to have the usual links to sites flogging cheap copies of western luxury goods. A recent analysis showed that around 60-70% of all that crud was coming from IP addresses in the ranges 173.44.37.0/24 and 96.47.224.0/22. These blocks are both owned by a company called IPTelligent, based (apparently) in Miami, Florida. In fact IPTelligent seems to own the larger blocks 173.44.32.0/19 and 96.47.224.0/20 (or over 12,000 IP addresses).

The logical first step in investigating the company was to check the website for the domain listed in the whois record (iptelligent.com) but oddly, there is nothing there that looks at all professional – just a directory listing showing a cgi-bin and an images sub-directory. There is also fairly extensive on-line discussion about failed attempts to contact the “abuse@” email address for the domain. Most commentators seemed to end up blocking the entire netblocks. Of course the spam went away.

However, blocking all traffic from over 12,000 IP addresses simply to stop spam from some of them strikes me as possibly somewhat over zealous, particularly when a fairly well known and high volume tor exit node uses an IP address in the range in question. Further analysis of my logs showed that all of the spam from the addresses I had seen used a common user agent “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5”. That agent looks perfectly plausible, if perhaps a little old and it could conceivably be in use by a whole bunch of people using, say, an old installation of FF on XP.

But I struck lucky. The spammers are stupid. Not only is that user agent clearly identified by a number of discussion sites as being used by prolific spammers, it turned out from further analysis of my logs that it was only used by the same spamming IP addresses I had noted earlier, and by no-one else.
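The log analysis described above, as an added example (my code, not the analysis tooling used for the post): parse Apache combined-format lines, split each user agent’s client addresses into those inside the two IPTelligent netblocks and those outside, and report any agent that is never seen from outside. The log lines are constructed to illustrate the two cases, an agent used only from the suspect ranges versus a current Firefox string used from inside and outside alike; 203.0.113.0/24 and 198.51.100.0/24 are documentation addresses.

```python
import ipaddress
import re
from collections import defaultdict

# The netblocks identified in the post.
SPAM_NETS = [ipaddress.ip_network(n) for n in ("173.44.32.0/19", "96.47.224.0/20")]

_FF35 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5"
_FF22 = "Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0"

# Constructed combined-format log lines; none of these are real requests.
SAMPLE_LOG = "\n".join([
    f'173.44.37.10 - - [20/Jul/2013:10:01:02 +0100] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "{_FF35}"',
    f'96.47.225.44 - - [20/Jul/2013:10:03:15 +0100] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "{_FF35}"',
    f'203.0.113.5 - - [20/Jul/2013:10:04:01 +0100] "GET / HTTP/1.1" 200 5123 "-" "{_FF22}"',
    f'173.44.37.11 - - [20/Jul/2013:10:05:09 +0100] "GET /feed/ HTTP/1.1" 200 2048 "-" "{_FF22}"',
    '198.51.100.7 - - [20/Jul/2013:10:06:30 +0100] "GET /robots.txt HTTP/1.1" 200 60 "-" "-"',
])

# Client address is the first field; the user agent is the last quoted field on the line.
_LINE = re.compile(r'^(\S+) .* "([^"]*)"$')


def parse_log(text):
    """Yield (client_ip, user_agent) for each parsable combined-format line."""
    for line in text.splitlines():
        m = _LINE.match(line.rstrip())
        if m:
            yield m.group(1), m.group(2)


def in_nets(ip, nets):
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def agents_by_origin(text, nets):
    """For each user agent: (set of client IPs inside nets, set of client IPs outside)."""
    inside, outside = defaultdict(set), defaultdict(set)
    for ip, ua in parse_log(text):
        (inside if in_nets(ip, nets) else outside)[ua].add(ip)
    return {ua: (inside[ua], outside[ua]) for ua in set(inside) | set(outside)}


def exclusive_agents(text, nets):
    """User agents seen only from inside nets: a unique identifier, not a crowd to hide in."""
    return sorted(ua for ua, (ins, outs) in agents_by_origin(text, nets).items() if ins and not outs)


if __name__ == "__main__":
    for ua in exclusive_agents(SAMPLE_LOG, SPAM_NETS):
        print("only seen from the suspect ranges:", ua)
```

Point the same functions at a real access log and a candidate agent that survives `exclusive_agents` over a few weeks of traffic is a far safer thing to block on than a whole /19.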

If you really want to hide in a crowd, don’t use a unique identifier.
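As an added example (not code from the original post), here is the kind of log check that leads to the conclusion above: parse combined-format web server log lines, group client addresses by user agent, and report any agent that is seen only from the IPTelligent blocks. The log lines are constructed, and the regex assumes the Apache/nginx “combined” format.

```python
import ipaddress
import re
from collections import defaultdict

# Netblocks named in the post as the source of the spam.
SUSPECT_BLOCKS = [ipaddress.ip_network(b) for b in ("173.44.37.0/24", "96.47.224.0/22")]

# User agent the post found only on the spamming addresses, plus an ordinary one.
SPAM_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) "
           "Gecko/20090824 Firefox/3.5.3 GTB5")
OTHER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0"

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Constructed sample log lines (not the post's real logs): two comment POSTs from the
# suspect blocks with the spam agent, one outsider, and one suspect-block address that
# uses an ordinary agent and should not be caught by an agent-based rule.
SAMPLE_LOG = f"""\
173.44.37.21 - - [25/Jul/2013:02:11:09 +0100] "POST /wp-comments-post.php HTTP/1.1" 302 - "http://baldric.net/?p=1" "{SPAM_UA}"
96.47.226.140 - - [25/Jul/2013:02:12:44 +0100] "POST /wp-comments-post.php HTTP/1.1" 302 - "-" "{SPAM_UA}"
198.51.100.7 - - [25/Jul/2013:03:01:02 +0100] "GET / HTTP/1.1" 200 5120 "-" "{OTHER_UA}"
173.44.37.88 - - [25/Jul/2013:03:30:51 +0100] "GET /?p=1 HTTP/1.1" 200 8210 "-" "{OTHER_UA}"
"""


def in_suspect_block(ip):
    """True if ip lies in one of the netblocks named above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SUSPECT_BLOCKS)


def agents_by_source(log_text):
    """Map each user agent to the set of client addresses that presented it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            seen[m["agent"]].add(m["ip"])
    return seen


def exclusive_agents(log_text):
    """User agents seen only from the suspect blocks: each one is a unique identifier
    for the spam source, which is why the post's spammers failed to hide."""
    return sorted(agent for agent, ips in agents_by_source(log_text).items()
                  if all(in_suspect_block(ip) for ip in ips))


def suspect_share(log_text):
    """Fraction of requests coming from the suspect blocks (the kind of count
    behind the post's 60-70% figure)."""
    ips = [m["ip"] for m in map(LOG_RE.match, log_text.splitlines()) if m]
    return sum(in_suspect_block(ip) for ip in ips) / len(ips) if ips else 0.0
```

Note that the suspect-block address using the ordinary agent is not flagged, which is the point about not blocking whole netblocks when a narrower signal exists.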

Permanent link to this article: https://baldric.net/2013/07/26/how-not-to-hide/

this one is for dave

Our dear PM seems to have caved in to the obsessions of mumsnet and the daily mail.

porn-hunt

As someone in the grauniad pointed out today, at least we can be sure that Lynton Crosby has no connections to the pornography industry.

Here’s one of my favourites…..

It is interesting that whilst Dave thinks pornography on the ‘net is so all pervasive that ISPs must be forced to introduce censorship (with all that implies), he is not in the least concerned about the all pervasive sexual images in daily newspapers such as the Sun.

And the hypocrisy evidenced in the Daily Mail website is just breathtaking.

(Note to international readers. Melanie Phillips, the Daily Mail columnist referenced above, makes Mitt Romney look rational.)

Permanent link to this article: https://baldric.net/2013/07/23/this-one-is-for-dave/

ubuntu forums compromised

Right now (21.00 today), the ubuntu forums site says it is “down for maintenance”. It appears to have been down since yesterday.

ubuntu-forums-down

The site reports:

There has been a security breach on the Ubuntu Forums. The Canonical IS team is working hard as we speak to restore normal operations. This page will be updated regularly with progress reports.

It goes on:

Unfortunately the attackers have gotten every user’s local username, password, and email address from the Ubuntu Forums database. The passwords are not stored in plain text, they are stored as salted hashes. However, if you were using the same password as your Ubuntu Forums one on another service (such as email), you are strongly encouraged to change the password on the other service ASAP.

I’d say that was good advice. Change your passwords now.

Permanent link to this article: https://baldric.net/2013/07/21/ubuntu-forums-compromised/

save your money – just use tails

I suppose it was inevitable that the Snowden revelations would lead to greater interest in privacy and anonymity. I applaud that. I suppose it was also inevitable that there would be a rash of commercial products emerging from both “entrepreneurs” and the more established “security” companies to take advantage of that increased interest. That, I confess, I am less happy with.

El Reg reports that AV firm AVG (purveyor of antivirus and internet security products for most platforms) “reckons the market for products that safeguard online freedoms will be huge.”

El Reg’s report quotes Siobhan MacDermott, chief policy officer at AVG as being “astonished by the reaction to the scandal of the web-snooping NSA PRISM project.” (You have to ask why….)

The report goes on to say that MacDermott “predicted a world in which consumers were obsessed with protecting their own digital communications from prying eyes, as well as making sure their kids aren’t press-ganged into handing over reams of sensitive data to fraudsters and other undesirables.”

It goes on:

“MacDermott has been in discussions with five major banks, including Goldman Sachs, Morgan Stanley and JP Morgan, about how best to tackle this emerging market. She asked them to estimate the size of the burgeoning privacy sector – and they had no idea.”

(Smell the money….)

MacDermott reportedly “asked [the Banks] to size up the privacy market and all five told me that although they knew it was huge, they couldn’t yet give me a proper estimate of its size. They were super-excited though, because there are a lot of new companies popping up in this space.”

(So, lots of money….)

She went on: “My argument is that privacy will soon rival cyber-security in terms of market share. It’s about device control and protecting the online experience. It’s a nascent industry, so we’re still in the awareness phase and initial products phase. It’s going to be a big industry.”

(What, even bigger than the “Cyber Security” bandwagon? Oh boy. Lots and lots of money.)

So expect lots of new advertising for “privacy enhancing products” to protect you from “snoopers”.

Oh look, here’s one.

A company called Ninjastik is selling USB sticks with lubuntu preloaded, and what appears to be the tor browser bundle included. You can buy an 8 Gig stick for $56.95 or a 16 Gig stick for $69.95. And, for a limited time only, you get free shipping. Bargain.

I worry that anyone would go to the trouble of creating what is effectively a paid alternative to the free tails distribution provided by the (very clueful) guys at the torproject. I worry even more when the FAQ on the site says that no bittorrent client is included because:

“torrents use up a huge amount of bandwidth and will overwhelm the TOR network. Because of this, the NinjaStik does not come with a torrent client installed. You could install one yourself, but most exit server operators block torrent traffic anyway.”

There is no mention that the bittorrent protocol leaks IP address information and can destroy your anonymity. This suggests that the builder may be somewhat less clueful than the guys over at the torproject.

I guess I just don’t understand free market capitalism that well either. After all, I fund two tails mirrors out of my own money when apparently I could be flogging USB sticks with the (free) tor browser bundle on for about 50 quid each (given the normal USD to UKP exchange rate for tech products.)

Permanent link to this article: https://baldric.net/2013/07/17/save-your-money-just-use-tails/

nokia lumia 1020

I have been a Nokia fan for many years. Like many people, I guess, my first mobile phone was made by Nokia. I have certainly owned more Nokia mobiles than those from any other single company. One of my favourite mobiles (which I still own as a backup) is the 6500 slide. I also still use my N800 tablet (though sadly not the N900 I bought at the end of 2009) which I have had since the beginning of 2009. I was therefore rather sad when the company seemed to lose its way after Maemo and floundered before getting into bed with Microsoft. I still wouldn’t buy a Windows smartphone, but I have to say that I love the technology that Nokia has managed to cram into its latest device. A 41 megapixel camera for heaven’s sake. That is absolutely amazing.

Congratulations Nokia. You have just raised the bar on smartphone technology far higher than I thought possible.

Now please can you drop windows.

Please.

Permanent link to this article: https://baldric.net/2013/07/15/nokia-lumia-1020/

tor and https at eff

For those of you unsure of what might leak where and when using tor and/or https to protect your browsing, there is a useful interactive graphic on the EFF site. As EFF point out, the potentially visible data includes: the site you are visiting, your username and password, the data you are transmitting, your IP address, and whether or not you are using Tor. But, other information can also be collected.

By selecting either or both of the “tor” or “https” options on the interactive graphic you can see what information is potentially exposed to an adversary at various points in the path between you and the website you wish to view. It is instructive to note that even where you use both tor (to provide locational anonymity) and https (to provide data privacy) the end node will, of necessity, know the following things about you:

  • your site uid/password
  • the data you accessed or provided
  • the date and time at which you did so
  • the fact that you used tor to reach the site

Depending upon the way you use tor (i.e. which anonymising software, be it tails, whonix, liberte, TBB or whatever) that end site may also be able to fingerprint your browser in some detail. (Full disclosure, the browser I use daily, and indeed used for this post, “appears to be unique among the 3,137,502 tested so far” according to panopticlick.)

Now a snooper on the path to the end website also knows that at date/time “X” a tor user connected to the site. If that adversary can also gain access to the detail known to the end website and you have been lax enough to re-use a uid/password pair from elsewhere and you use that uid/password pair when NOT using tor, then your anonymity is over.

UID/password re-use is extremely common *.

(* Note, the study referenced, ironically, provides an excellent example of why you should not trust so-called “security plugins”. Imagine using that plugin whilst using tor.)

Permanent link to this article: https://baldric.net/2013/07/15/tor-and-https-at-eff/

base64 gets past omani deep packet inspection

Back in December 2011 Roger Dingledine and Jacob Appelbaum of the torproject gave a talk at the 28th Chaos Communication Congress titled “How governments have tried to block Tor”. That talk focused on the arms race between privacy campaigners and technologists working on tor and the actions of oppressive governments. The presentation gave many examples from Syria, Oman, Egypt, China, Tunisia etc. of how the use of DPI technology developed in western democracies (largely the USA) was being used to monitor and/or censor internet usage around the world. Dingledine and Appelbaum are passionate about their work and know how to present to best effect. There are some delightfully funny anecdotes (including that used in the title of this post) scattered throughout the talk. To some extent the presentation was “preaching to the choir” because CCC attendees are a somewhat specialist demographic. However, the recent peaking (and piquing) of interest in the reported activity of the NSA has resulted in a flood of new interest in tor from people less familiar with the topics they addressed (as evidenced by the spate of new questions arising on lists like tor-talk). The video of the presentation is about an hour and a half long, but it is well worth watching.

Thoroughly recommended. Even if it is on youtube…..

And for any readers unfamiliar with tor, there is a pretty good overview of “How Tor Works” on the torproject’s “favourite videos” site.

Permanent link to this article: https://baldric.net/2013/07/14/base64-gets-past-omani-deep-packet-inspection/

bizarre searches

Today I stumbled across what appears to be a Vietnamese search engine called coccoc. The front page shows the typical search box as pioneered by google, but underneath that box is some text which seems to comprise text terms, mathematical formulae and (perhaps) chemical symbols.

coccoc

Sure enough, passing that page through microsoft’s on-line translator at bing we learn that the text immediately beneath the search box says: “For example:” followed by some text. Intriguingly, however, the line immediately below that which reads: “Lần đầu tiên bạn đến Cốc Cốc? Hãy thử một vài từ khóa được tìm nhiều nhất tháng qua” translates as: “The first time you arrive Disposable Cups? Try a few keywords are search most popular last month.”

OK, the translation may not be idiomatic English, but it is clear that the intention is to list the most popular searches from the previous month. So it would appear that users of coccoc have a high tendency to search for such specialist information as combining sodium hydroxide with hydrochloric acid or the production of silver nitrate.

Weird. Why don’t they just search for kitten videos or porn like the rest of us?

Permanent link to this article: https://baldric.net/2013/07/09/bizarre-searches/

more irony

This is lovely. On a whim I have just checked the DNS for the Guardian. I got the following results:

MX records:

guardian.co.uk mail exchanger = 30 guardian.co.uk.s200b1.psmtp.com.
guardian.co.uk mail exchanger = 40 guardian.co.uk.s200b2.psmtp.com.
guardian.co.uk mail exchanger = 10 guardian.co.uk.s200a1.psmtp.com.
guardian.co.uk mail exchanger = 20 guardian.co.uk.s200a2.psmtp.com.

So – all four MX records point to SMTP servers at psmtp.com. Now what are the IP addresses of those servers?

> guardian.co.uk.s200a1.psmtp.com
Server: 4.2.2.1
Address: 4.2.2.1#53

Non-authoritative answer:
Name: guardian.co.uk.s200a1.psmtp.com
Address: 207.126.147.10

> guardian.co.uk.s200a2.psmtp.com
Server: 4.2.2.1
Address: 4.2.2.1#53

Non-authoritative answer:
Name: guardian.co.uk.s200a2.psmtp.com
Address: 207.126.147.12

> guardian.co.uk.s200b1.psmtp.com
Server: 4.2.2.1
Address: 4.2.2.1#53

Non-authoritative answer:
Name: guardian.co.uk.s200b1.psmtp.com
Address: 207.126.147.13

> guardian.co.uk.s200b2.psmtp.com
Server: 4.2.2.1
Address: 4.2.2.1#53

Non-authoritative answer:
Name: guardian.co.uk.s200b2.psmtp.com
Address: 207.126.147.14

And where are those IP addresses?

Well, the netblock 207.126.144.0 - 207.126.159.255 is owned by Postini, which is based in Mountain View, California.

NetRange: 207.126.144.0 - 207.126.159.255
CIDR: 207.126.144.0/20
OriginAS: AS26910
NetName: POSTINI-ARIN2-ASSIGNMENT
NetHandle: NET-207-126-144-0-1
Parent: NET-207-0-0-0-0
NetType: Direct Assignment
RegDate: 2004-11-30
Updated: 2012-02-24
Ref: https://whois.arin.net/rest/net/NET-207-126-144-0-1

OrgName: Postini, Inc.
OrgId: POSTI
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US
RegDate: 2002-11-15
Updated: 2012-01-05
Ref: https://whois.arin.net/rest/org/POSTI

and robtex confirms that all four of the MX servers are also in Mountain View.

So, mail to anyone@guardian.co.uk goes to a mail server in California.

Now where is (or are) the webserver(s)?

> guardian.co.uk
Server: 4.2.2.1
Address: 4.2.2.1#53

Non-authoritative answer:
Name: guardian.co.uk
Address: 77.91.252.10

So “guardian.co.uk” resolves to 77.91.252.10.

But an HTTP request to that address gets a permanent redirect (via HTTP) to “www.guardian.co.uk” as follows:

wget http://guardian.co.uk
--2013-06-24 21:46:02--  http://guardian.co.uk/
Resolving guardian.co.uk (guardian.co.uk)... 77.91.252.10
Connecting to guardian.co.uk (guardian.co.uk)|77.91.252.10|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.guardian.co.uk/ [following]
--2013-06-24 21:46:03--  http://www.guardian.co.uk/
Resolving www.guardian.co.uk (www.guardian.co.uk)... 103.245.223.192, 103.245.223.129
Connecting to www.guardian.co.uk (www.guardian.co.uk)|103.245.223.192|:80... connected.
HTTP request sent, awaiting response... 200 OK

So – “www.guardian.co.uk” is on one of two IP addresses (103.245.223.192 and 103.245.223.129). This is confirmed by another lookup of “www.guardian.co.uk”.

Non-authoritative answer:
www.guardian.co.uk canonical name = www.guardian.co.uk.global.prod.fastly.net.

So “www.guardian.co.uk” is on a machine at fastly.net called “www.guardian.co.uk.global.prod.fastly.net”

and that resolves to:

> www.guardian.co.uk.global.prod.fastly.net
Server: 4.2.2.1
Address: 4.2.2.1#53

Non-authoritative answer:
www.guardian.co.uk.global.prod.fastly.net canonical name = global.prod.fastly.net.
Name: global.prod.fastly.net
Address: 103.245.223.192
Name: global.prod.fastly.net
Address: 103.245.223.129

And where are 103.245.223.192 and 103.245.223.129?

Well, the netblock 103.245.223.0 - 103.245.223.255 is, as you would expect, owned by Fastly Inc, based in San Francisco, California.

whois 103.245.223.192
% [whois.apnic.net node-2]
% Whois data copyright terms https://www.apnic.net/db/dbcopyright.html

inetnum: 103.245.223.0 - 103.245.223.255
netname: FASTLYINC-AP
descr: Fastly, Inc
country: SG
admin-c: FIA3-AP
tech-c: FIA3-AP
status: ASSIGNED PORTABLE
mnt-by: APNIC-HM
mnt-routes: MAINT-FASTLYINC-AP
mnt-irt: IRT-FASTLYINC-AP
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation’s account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: hm-changed@apnic.net 20130124
source: APNIC

role: Fastly Inc administrator
address: PO Box 78266, San Francisco, CA, 94107, San Francisco CA
country: US
phone: +1 410 703 8240
fax-no: +1 410 703 8240
e-mail: chris@fastly.com
admin-c: FIA3-AP
tech-c: FIA3-AP
nic-hdl: FIA3-AP
mnt-by: MAINT-FASTLYINC-AP
changed: hm-changed@apnic.net 20130124
source: APNIC

Netcraft reports (hosting history, most recent first):

OS     Web server  Last seen    IP address       Netblock owner
Linux  Apache      11-Jun-2013  103.245.223.129  Fastly, Inc
Linux  Apache      9-May-2013   199.27.77.129    Fastly
Linux  Apache      9-May-2013   199.27.77.192    Fastly
Linux  Apache      8-May-2013   199.27.76.129    Fastly
Linux  Apache      9-Apr-2013   199.27.77.129    Fastly
Linux  Apache      8-Apr-2013   199.27.77.129    Fastly
Linux  Apache      9-Mar-2013   77.91.248.30     www.guardian.co.uk
Linux  Apache      6-Mar-2013   77.91.249.30     www.guardian.co.uk
Linux  Apache      8-Feb-2013   77.91.248.30     www.guardian.co.uk
Linux  Apache      30-Jan-2013  77.91.249.30     www.guardian.co.uk

(Well, at least they are running on Linux)

Way to go Guardian! Not only is their mail handled in the US, but all traffic to and from the website also appears to go the same way.

I assume that they knew that of course……
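The chain of lookups above can be automated. As an added example (not the post’s own tooling), this parses an nslookup transcript of the kind quoted in the post, follows CNAMEs down to addresses with loop protection, and attributes each address to the netblock owners taken from the whois output. The transcript and netblock table hold the post’s June 2013 values, not live data; the resolver’s own Server/Address lines are deliberately kept in the sample so the parser has to skip them.

```python
import ipaddress

NSLOOKUP = """\
> guardian.co.uk.s200a1.psmtp.com
Server: 4.2.2.1
Address: 4.2.2.1#53

Non-authoritative answer:
Name: guardian.co.uk.s200a1.psmtp.com
Address: 207.126.147.10
> www.guardian.co.uk
Server: 4.2.2.1
Address: 4.2.2.1#53

Non-authoritative answer:
www.guardian.co.uk canonical name = www.guardian.co.uk.global.prod.fastly.net.
www.guardian.co.uk.global.prod.fastly.net canonical name = global.prod.fastly.net.
Name: global.prod.fastly.net
Address: 103.245.223.192
Name: global.prod.fastly.net
Address: 103.245.223.129
"""  # nslookup transcript built from the post's output (June 2013 snapshot, not a live lookup)

# Netblock owners taken from the whois output in the post; 77.91.252.10 has no record here.
NETBLOCKS = {"207.126.144.0/20": "Postini, Inc. (Mountain View, CA)",
             "103.245.223.0/24": "Fastly, Inc (San Francisco, CA)"}

def parse_nslookup(text):
    """Return (cname, a) maps; Server/Address lines before each answer describe the resolver, not data."""
    cname, a, answering, name = {}, {}, False, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith(">"):                      # a new query begins
            answering, name = False, None
        elif line == "Non-authoritative answer:":
            answering = True
        elif answering and " canonical name = " in line:
            src, dst = line.split(" canonical name = ")
            cname[src] = dst.rstrip(".")
        elif answering and line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
        elif answering and line.startswith("Address:") and name:
            a.setdefault(name, []).append(line.split(":", 1)[1].strip())
    return cname, a

def resolve(name, cname, a, max_hops=8):
    """Follow the CNAME chain down to A records, refusing loops and over-long chains."""
    chain = [name]
    while name in cname:
        name = cname[name]
        if name in chain or len(chain) >= max_hops:
            raise ValueError(f"CNAME chain broken at {name}")
        chain.append(name)
    return chain, a.get(name, [])

def owner(ip):  # netblock owner for an address, or "unknown" when no whois record was captured
    addr = ipaddress.ip_address(ip)
    return next((org for cidr, org in NETBLOCKS.items() if addr in ipaddress.ip_network(cidr)), "unknown")

def trace(host, text=NSLOOKUP):  # the post's manual steps: host -> (CNAME chain, [(address, owner)])
    cname, a = parse_nslookup(text)
    chain, ips = resolve(host, cname, a)
    return chain, [(ip, owner(ip)) for ip in ips]
```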

Permanent link to this article: https://baldric.net/2013/06/24/more-irony/

ironic advert

There is a wonderful advert in today’s Guardian. Most of page 6 is taken up with a Microsoft advert saying: “Aston Martin is now on Office 365 – your complete office in the cloud.”

Right. An advert for a cloud based office suite from a major US software supplier.

Tough sell.

Especially in the Guardian.

Permanent link to this article: https://baldric.net/2013/06/24/ironic-advert/

facebook login searches

About 18 months ago I posted a note objecting to facebook’s apparent new policy of insisting that its users hand over a mobile phone number in order to continue using its “service”. In that post I included a png image which I labelled “facebook-login.png”. Oddly enough I note that over the past two weeks my logs show that image (and only that image – i.e. not the post) being requested just over 2000 times. The referer field shows that all of those requests are the result of deliberate searches for “facebook login” or “my facebook login”. Even more oddly, most of the referrals came from bing (c. 1200) rather than google (c. 350).

I cannot see anything remotely interesting in my image and a search on bing or google for “facebook+login” simply brings up the expected multitude of images.

I guess that there must be a robot or robots searching for facebook login images for some reason.

Permanent link to this article: https://baldric.net/2013/06/24/facebook-login-searches/