The revelations of the past week or so have been interesting to me more for what they haven’t said, than what they have. There are a few points arising from Snowden’s story which puzzle me and which don’t seem to have been addressed by the mainstream media – at least not the ones I read. …
Category: security
Permanent link to this article: https://baldric.net/2013/06/15/edward-snowden/
Jun 10 2013
PRISM – we had it first
I can exclusively reveal that the UK government had a PRISM database long before those upstarts in the USA. In the late 1970s I worked in the Statistics Division of what was then the UK Civil Service Department. We used a database of Civil Service personnel called PRISM (Personnel Record Information System for Management). I …
Permanent link to this article: https://baldric.net/2013/06/10/prism-we-had-it-first/
May 29 2013
another good reason not to buy one
Back in November 2011 I wrote about the TP-Link TL-SC3130G IP camera. I had some trouble getting that device to work properly over wifi so I returned it and got my money back. Today, Core Security released an advisory about this device (and several others from TP-Link) about a remotely exploitable vulnerability arising from “hard-coded …
Permanent link to this article: https://baldric.net/2013/05/29/another-good-reason-not-to-buy-one/
Mar 27 2013
gchq recruitment site stores plaintext passwords
I can’t resist this. El Reg today points to a blog post by a guy called Dan Farrall who has commented on his experience of receiving a plain text reminder of his GCHQ recruitment site password by email after filling out its forgotten password form. Farrall’s blog post is worth reading. Whilst he acknowledges that …
Permanent link to this article: https://baldric.net/2013/03/27/gchq-recruitment-site-stores-plaintext-passwords/
Mar 26 2013
using an ssh reverse tunnel to bypass NAT firewalls
There is usually more than one way to solve a problem. Back in October last year I wrote about using OpenVPN to bypass NAT firewalls when access to the firewall configuration was not available. I have also written about using ssh to tunnel out to a tor proxy. What I haven’t previously commented on is …
Permanent link to this article: https://baldric.net/2013/03/26/using-an-ssh-reverse-tunnel-to-bypass-nat-firewalls/
Dec 19 2012
no sites are broken
Or so the wordpress post at wordpress.org would have us believe. However, I think there is a flaw in both their logic, and their decision making here. I spotted the problem following an upgrade to wordpress 3.5 on a site I use. One of the plugins on that site objected to the upgrade with the following …
Permanent link to this article: https://baldric.net/2012/12/19/no-sites-are-broken/
Dec 14 2012
password theft
I have mentioned odd postings to bugtraq before. Today, one “gsuberland” added to the canon with a gem about the Netgear WGR614 wireless router. He says in his post that he has been “reverse engineering” this router. Now for most bugtraq posters (and readers) this would mean that he has been disassembling the firmware. But …
Permanent link to this article: https://baldric.net/2012/12/14/password-theft/
Dec 10 2012
tor and the UK data communications bill
As a Tor node operator, I have an interest in how the draft UK Data Communications Bill would affect me should it be passed into law. In particular, I would be worried if Tor ended up being treated as a “telecommunications operator” within the terms of the Act (should it become an Act). Fortunately, Steven …
Permanent link to this article: https://baldric.net/2012/12/10/tor-and-the-uk-data-communications-bill/
Nov 27 2012
what gives with dban?
Recently I have been faced with the need to wipe a bunch of hard disks removed from some old (indeed, in one or two cases, very old) PCs before disposal. Normally I would have used DBAN to do this because it gives me a nice warm feeling that I have taken all reasonable steps and …
Permanent link to this article: https://baldric.net/2012/11/27/what-gives-with-dban/
Oct 27 2012
using openvpn to bypass NAT firewalls
OpenVPN is a free, open source, general purpose VPN tool which allows users to build secure tunnels through insecure networks such as the internet. It is the ideal solution to a wide range of secure tunnelling requirements, but it is not always immediately obvious how it should be deployed in some circumstances. Recently, a correspondent …
Permanent link to this article: https://baldric.net/2012/10/27/using-openvpn-to-bypass-nat-firewalls/
Oct 13 2012
password lunacy
One of my fixed term savings accounts matured at the end of last week. This means that the paltry “bonus” interest rate which made the account ever so slightly more attractive than the pathetic rates generally available 12 months ago now disappears and I am left facing a rate so far below inflation that I …
Permanent link to this article: https://baldric.net/2012/10/13/password-lunacy/
Sep 09 2012
iptables firewall for servers
I paid for a new VPS to run tor this week. It is cheaper, and offers a higher bandwidth allowance than my existing tor server so I may yet close that one down – particularly as I recently had trouble with the exit policy on my existing server. In setting up the new server, the …
Permanent link to this article: https://baldric.net/2012/09/09/iptables-firewall-for-servers/
Aug 08 2012
oops
An attempted quick search this morning using ixquick over tor drew a blank. In fact I hit a brick wall as the screenshot below will show. The commentary provided by ixquick is self-explanatory (click the image if you have difficulty reading the snapshot), but I can’t help feeling that this problem should have been foreseen …
Permanent link to this article: https://baldric.net/2012/08/08/oops/
Jul 24 2012
coercion
David commented on my gpg upgrade post saying: “How does one ensure that they are not coerced into signing a transition statement with a new (but compromised) key?”. Well, you can never be sure I can’t be coerced, and this is why I can’t be sure I cannot be coerced: My thanks as always to …
Permanent link to this article: https://baldric.net/2012/07/24/coercion/
Jul 22 2012
the accidental stupidity of good intentions
For some years now I have used what used to be the freecycle system to dispose of unwanted, but otherwise useful items from my home. In return I have sometimes used the same mechanism to get hold of things like books which someone else wishes to get rid of. A couple of years or so …
Permanent link to this article: https://baldric.net/2012/07/22/the-accidental-stupidity-of-good-intentions/
Jul 20 2012
gpg key upgrade
Following a recent discussion about gpg key signing on my local linux user group email list, one of the members pointed out that several of us (myself included) were using rather old 1024-bit DSA GPG keys with SHA-1 hashes. He recommended that such users should upgrade to keys with a minimum size of 2048 bits …
Permanent link to this article: https://baldric.net/2012/07/20/gpg-key-upgrade/
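A practical way to act on that recommendation is to audit the keyring for keys that are 1024-bit DSA or shorter than 2048 bits. The script below is an added example, not code from the post or from GnuPG: it parses the machine-readable output of `gpg --list-keys --with-colons` (record layout as documented in GnuPG's doc/DETAILS: field 0 record type, 1 validity, 2 key length, 3 algorithm number, 4 key ID), and the listing embedded in it is constructed for illustration with made-up key IDs and user IDs. ECC keys are exempted from the size check because their short bit lengths are normal, and revoked or expired keys are skipped by default since they cannot be used anyway.

```python
"""Flag GnuPG keys that are 1024-bit DSA or below 2048 bits.

Added example, not from the original post or from GnuPG. It applies the
recommendation in the post to the colon-separated output of
`gpg --list-keys --with-colons`. The sample listing is constructed.
"""

# Public-key algorithm identifiers (RFC 4880 section 9.1 plus the ECC additions).
PK_ALGO = {
    1: "RSA", 2: "RSA-E", 3: "RSA-S", 16: "ElGamal", 17: "DSA",
    18: "ECDH", 19: "ECDSA", 22: "EdDSA",
}
ECC_ALGOS = {18, 19, 22}   # short bit lengths are normal here; MIN_BITS does not apply
MIN_BITS = 2048            # the minimum recommended in the post

# Constructed sample (made-up key IDs): an old 1024-bit DSA primary with an
# ElGamal subkey, a 4096-bit RSA key, and a revoked DSA key to be ignored.
SAMPLE_LISTING = """\
tru::1:1342000000:0:3:1:5
pub:u:1024:17:0123456789ABCDEF:2005-03-01:::u:::scESC::::::23::0:
uid:u::::2005-03-01::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:u:2048:16:FEDCBA9876543210:2005-03-01::::::e::::::23:
pub:u:4096:1:0011223344556677:2012-07-20:::u:::scESC::::::23::0:
uid:u::::2012-07-20::1111111111111111111111111111111111111111::Example User <user@example.org>::::::::::0:
sub:u:4096:1:7766554433221100:2012-07-20::::::e::::::23:
pub:r:1024:17:89ABCDEF01234567:2003-01-01:::-:::sc::::::23::0:
"""


def parse_keys(listing):
    """Yield (record_type, validity, bits, algo, key_id) for pub/sub records."""
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub"):
            continue
        yield fields[0], fields[1], int(fields[2]), int(fields[3]), fields[4]


def weak_keys(listing, min_bits=MIN_BITS, skip_dead=True):
    """Return [(key_id, record_type, bits, algo_name, reason)] for keys to replace.

    Revoked ('r') and expired ('e') keys are skipped by default.
    """
    findings = []
    for rtype, validity, bits, algo, key_id in parse_keys(listing):
        if skip_dead and validity in ("r", "e"):
            continue
        name = PK_ALGO.get(algo, "algo %d" % algo)
        if algo == 17 and bits <= 1024:
            # A 160-bit q ties signatures to a 160-bit hash, i.e. SHA-1.
            findings.append((key_id, rtype, bits, name,
                             "1024-bit DSA: signatures tied to a 160-bit hash (SHA-1)"))
        elif algo not in ECC_ALGOS and bits < min_bits:
            findings.append((key_id, rtype, bits, name,
                             "below %d bits" % min_bits))
    return findings


if __name__ == "__main__":
    # Real use: gpg --list-keys --with-colons | python3 this_script.py
    for key_id, rtype, bits, name, reason in weak_keys(SAMPLE_LISTING):
        print("%s %s %d-bit %s: %s" % (rtype, key_id, bits, name, reason))
```

Note that the 2048-bit ElGamal subkey under the weak primary is not flagged on its own, but a finding against a primary key means the whole certificate should be replaced, since the primary is what certifies the subkeys and user IDs.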
May 22 2012
tor abuse
I have been running at least one tor exit node for about three years now. Over that period I have occasionally had to move provider following one or more abuse reports. Most ISPs like the quiet life, and you can’t really blame them for not wanting the hassle of dealing with complaints from other ISPs …
Permanent link to this article: https://baldric.net/2012/05/22/tor-abuse/
Apr 24 2012
cheap?
Michal Zalewski (aka lcamtuf) has just announced that google is changing the terms of its vulnerability purchase program. The google announcement says: Today, to celebrate the success of [the program] and to underscore our commitment to security, we are rolling out updated rules for our program — including new reward amounts for critical bugs: $20,000 …
Permanent link to this article: https://baldric.net/2012/04/24/cheap/
Apr 18 2012
now switch it back on
Bugtraq can be an interesting list. Back in June 2008 I noted that one Craig Wright had posted an advisory about a vulnerability in an Oral B toothbrush. Well, just over a week ago a chap called Gabriel Menezes Nunes posted a proof of concept remote denial of service attack on a Sony Bravia television …
Permanent link to this article: https://baldric.net/2012/04/18/now-switch-it-back-on/
Apr 17 2012
battle for the internet
This week the guardian, my newspaper of choice, is running a week long series of articles under the theme “battle for the internet”. The reporting looks set to be interesting and is due to cover the following themes: “the militarisation of cyberspace”, “the new walled gardens”, “IP wars”, “civilising the web”, “open resistance”, and (doom-laden …
Permanent link to this article: https://baldric.net/2012/04/17/battle-for-the-internet/
Mar 19 2012
unlinked
Today I received two (make that four now – must sort out my spam filters) phishing emails from a source new to me. Each email purported to come from “linkedin” and each invited me to login to respond to “invitations from your work colleague”. Since a) I have never been a member of linkedin, and …
Permanent link to this article: https://baldric.net/2012/03/19/unlinked/
Mar 06 2012
banking stupidity
When I logged on to my new bank site this morning, I tried the “help” offered on the opening screen just to see what they had to say about the range of options available. I was not best pleased to be greeted by the message “Flash is not installed, is not enabled or is not …
Permanent link to this article: https://baldric.net/2012/03/06/banking-stupidity/
Mar 04 2012
am I kidding myself
I have recently moved my bank current and short term savings accounts. Partly this is a political statement in support of the move your money campaign, and partly because I feel that my money might actually be a bit safer (if only slightly) in a small UK Mutual than with the UK arm of a …
Permanent link to this article: https://baldric.net/2012/03/04/am-i-kidding-myself/
Jan 12 2012
t-mobile resets its policy?
As I have mentioned in other posts here, I run my own mail server on one of my VMs. I do this for a variety of reasons, but the main one is that I like to control my own network destiny. Back in October last year I noticed an interesting change in my mail experience …
Permanent link to this article: https://baldric.net/2012/01/12/t-mobile-resets-its-policy/