Category: network (in)security

ssl cipher check

My recent explorations of how to strengthen the ssl/tls certificates I use on both trivia and my mail service have given me cause to look for tools to help me test my configuration. The Calomel firefox plugin and sslabs site are very useful for checking HTTPS configurations, but they are fairly specifically aimed at that …

Continue reading

Permanent link to this article: https://baldric.net/2013/12/10/ssl-cipher-check/

that’s another password I have to change

Michael Horowitz has posted an interesting article over at Computer world. In it he points out that, by default, most android devices (tablets and ‘phones) routinely ‘phone home to Google to back up Wi-Fi passwords along with other assorted settings. Google sells this option as a convenience to help you regain settings after you upgrade …

Continue reading

Permanent link to this article: https://baldric.net/2013/09/20/thats-another-password-i-have-to-change/

tor node upgrade

I have switched my tor node to the experimental branch and it is now running version 0.2.4.17-rc. The huge load on the network seen since the botnet starting using it on about 19 August last has forced the tor project team to recommend that all relay operators move to the 0.2.4 branch (and this release …

Continue reading

Permanent link to this article: https://baldric.net/2013/09/10/tor-node-upgrade/

thank you citizen

Imagine Dave’s censorship (^W) surveillance program outsourced to G4S.

Permanent link to this article: https://baldric.net/2013/08/23/thank-you-citizen/

tor users under attack

The Tor network does not just provide anonymous internet access, it also provides for so-called hidden services. These services are not visible outside the Tor network and are only reachable over Tor. The servers are given Tor specific addresses of the form “xyz123.onion” (actually, the addresses are a little more complicated than that because the …

Continue reading

Permanent link to this article: https://baldric.net/2013/08/10/tor-users-under-attack/

security failure at digital ocean

This morning I received an email from Digital Ocean titled “Avoid Duplicate SSH Host Keys”. The email said: “If you have created an Ubuntu Droplet or snapshot prior to July 2nd, DigitalOcean recommends regenerating the SSH host keys. Droplets based on standard images now create unique SSH host keys.” (This, of course, implies that they …

Continue reading

Permanent link to this article: https://baldric.net/2013/08/03/security-failure-at-digital-ocean/

soldier available cross magnet

I am in the process of changing passwords on a bunch of different systems/applications and have been pondering my algorithms, so to speak. Like my friend David, I have an internal model of varying password schemes which I can use in different places. This means that I can happily pick a password for a low …

Continue reading

Permanent link to this article: https://baldric.net/2013/07/26/soldier-available-cross-magnet/

how not to hide

I have written several times in the past about the tedious crud which hits my blog spam filters. Of late I have seen an increase in spam which looks, at first sight, plausible comment, but on closer inspection turns out to have the usual links to sites flogging cheap copies of western luxury goods. A …

Continue reading

Permanent link to this article: https://baldric.net/2013/07/26/how-not-to-hide/

ubuntu forums compromised

Right now (21.00 today), the ubuntu forums site says it is “down for maintenance”. It appears to have been down since yesterday. The site reports: There has been a security breach on the Ubuntu Forums. The Canonical IS team is working hard as we speak to restore normal operations. This page will be updated regularly …

Continue reading

Permanent link to this article: https://baldric.net/2013/07/21/ubuntu-forums-compromised/

save your money – just use tails

I suppose it was inevitable that the Snowden revelations would lead to greater interest in privacy and anonymity. I applaud that. I suppose it was also inevitable that there would be a rash of commercial products emerging from both “entrepreneurs” and the more established “security” companies to take advantage of that increased interest. That, I …

Continue reading

Permanent link to this article: https://baldric.net/2013/07/17/save-your-money-just-use-tails/

tor and https at eff

For those of you unsure of what might leak where and when using tor and/or https to protect your browsing, there is a useful interactive graphic on the EFF site. As EFF point out, the potentially visible data includes: the site you are visiting, your username and password, the data you are transmitting, your IP …

Continue reading

Permanent link to this article: https://baldric.net/2013/07/15/tor-and-https-at-eff/

base64 gets past omani deep packet inspection

Back in December 2011 Roger Dingledine and Jacob Applebaum of the torproject gave a talk at the 28th Chaos Communication Congress titled “How governments have tried to block Tor“. That talk focused on the arms race between privacy campaigners and technologists working on tor and the actions of oppressive governments. The presentation gave many examples …

Continue reading

Permanent link to this article: https://baldric.net/2013/07/14/base64-gets-past-omani-deep-packet-inspection/

prism opt-out

In all the noise on the ‘net about the alleged NSA PRISM program, this new site offers an amusing, but nonetheless useful, list of free alternatives to proprietary software. In part the site sort of misses the point about PRISM, but it is still good to see someone taking the time to point out that …

Continue reading

Permanent link to this article: https://baldric.net/2013/06/16/prism-opt-out/

gchq recruitment site stores plaintext passwords

I can’t resist this. El Reg today points to a blog post by a guy called Dan Farrall who has commented on his experience of receiving a plain text reminder of his GCHQ recruitment site password by email after filling out its forgotten password form. Farrall’s blog post is worth reading. Whilst he acknowledges that …

Continue reading

Permanent link to this article: https://baldric.net/2013/03/27/gchq-recruitment-site-stores-plaintext-passwords/

no sites are broken

Or so the wordpress post at wordpress.org would have us believe. However, I think there is flaw in both their logic, and their decision making here. I spotted the problem following an upgrade to wordpress 3.5 on a site I use. One of the plugins on that site objected to the upgrade with the following …

Continue reading

Permanent link to this article: https://baldric.net/2012/12/19/no-sites-are-broken/

password theft

I have mentioned odd postings to bugtraq before. Today, one “gsuberland” added to the canon with a gem about the Netgear WGR614 wireless router. He says in his post that he has been “reverse engineering” this router. Now for most bugtraq posters (and readers) this would mean that he has been disassembling the firmware. But …

Continue reading

Permanent link to this article: https://baldric.net/2012/12/14/password-theft/