Greetings sports fans. So I did say I was going to write this post in my last post (I've added a link to this in there) and I'm actually doing it. The main reason is that my friend Jamie mentioned me in his podcast (highly recommended) and said that he would provide his listeners with a link to this if and when I do write it. Commence guilt trip. But, that's enough blabbering from me, down to the matter at hand: Why has Megaupload go-ed bye-bye?
So, if you are reading this, you are either connected to the Internet or I finally got that book deal I wanted. For now, let's assume you have Internet access. One of the really interesting uses of the Internet is storing files online so that they can be accessed by many people. There were several really creative and some downright moronic ways thought of to do this, but the ones that really took off were called "file lockers."
Anywho, the concept of a file locker is simple: You sign up and you get some storage space on a server. You can then upload files and manage who can access them. You make it public, so that anybody can download it, or private, so that only you and/or selected other persons could download it. Of course, we all know there is no such thing as a free lunch, so "where's the money?" you ask. Well, let me tell you.
Some file lockers charged for their services, but some, like Megaupload, were freemium. What they did is put ads on the site and before you download something, unless you paid the membership fees. Sounds reasonable, right? Yes, and then it gets hinky. So, not only did you have ads, but it seems that the site paid uploaders every time a file was downloaded. Not only that, but files that were not downloaded frequently enough were removed. But, it gets even more sinister and here's where the illegality comes in.
It's obvious that if somebody uploads illegal copies of TV, movies and music, then it will get downloaded more often than a picture of me on the beach. This pretty much encourages illegal file sharing. If offending content was found, it was removed; however, it is alleged that the user accounts were not suspended or terminated. I have a distinct memory of reading somewhere that uploaders could pay to upload anonymously, thus even if the content was marked as illegal, it could be taken down, but not traced back to them. I cannot for the life of me find that article again and thus state this as a recollection that I cannot back up. Moving swiftly on.
There was also the related website Megavideo, which was also somewhat devious. It has been alleged that all this infringing content was not searchable through the site's main search functionality, but was accessible to those who had the link. Again there are the same allegations of content being taken down without punishing the offenders and so on and so forth. Although there was a de jure legal use for the site, the de facto primary use was for the distribution of illegal content. So, the United States Government decided to do something about this.
About 2 years ago (2009), criminal investigations were started into the activities of Megaupload Inc., with a whole lot of red tape. The company itself is based in Hong Kong and a lot of the key people, including founder and chief Kim Dotcom, were in New Zealand. Well, this went on for 2 years and we arrive in the present. Actually more like the recent past, but here we go.
A few months earlier, the US government had brought forth two acts called the Stop Online Piracy Act (SOPA) and the Protect IP Act (PIPA) and this got everybody up in arms. That's a whole other kettle of fish, to be fried on another day. The main point is that on January 18th 2012, a large number of websites "blacked out" and replaced their normal content with a page explaining why they were protesting SOPA and PIPA. On January 20th 2012, Dotcom and associates were arrested (alt article) and several assets were seized in a multi-country raid.
A large number of people think that this was a sort of backlash reaction to the blackouts, but it was in fact timed to coincide with a party Dotcom was hosting at his house, so that all the eggs would be in one basket, so to speak. These arrests were the culmination of a 2 year long investigation, with the cooperation of the police in all countries involved. Of course, nobody bothered to check that and Anonymous did their usual retaliation bit. Although the charges are being laid by the US, the police in all the countries involved were a part of the investigation, thus solving any jurisdictional issues.
I will be a little evil at this time and point out that there were millions of dollars worth of stuff seized, including some art, tech and a few luxury cars. There were also large accounts frozen and so on. The irony here is a large number of people justify piracy by saying it only affects the super rich guys in the super rich studios/labels, which kind of describes these guys. Not really sure why everybody is so vociferously supporting them, but I'm sure they have some really good reasons. Let's look at how exactly Megaupload is defending themselves.
The main defense that has been put forward is either "The majority of our traffic (and therefore business) was legitimate" or "we always took down infringing content." The first defense is, in my opinion, a big steaming pile of shit. That is like saying "You can't shut down my shop because only 10% of my income is from selling drugs." I don't at all doubt that there were users who were using it in a fully legal manner, but that's really beside the point. The point put forward is that those in charge were aware of this infringement and actively promoted it. As for the second argument, takedowns were only effected if a notice was provided and, as said before, there was no real punishment for the uploaders.
There is also the further complication of them trying to rip off YouTube, but that's something I haven't really looked at and don't feel well informed enough to comment on. I would recommend that you read the linked article.
So, in all of this a lot of facts got jumbled up and a lot of people assumed things that were not true. The facts are a touch murky, but with a bit of time, one can wade through and see what's going on. I guess it was a matter of bad timing on a couple of fronts. The bottom line is that they have been arrested, denied bail and will face an extradition hearing on February 22 2012. For now, Megaupload is gone and I don't think it's going to come back any time soon.
!!!!!WARNING: This blog may cause your brain to explode, implode or melt!!!!! What is IMHO the side of the story the media didn't cover, if at all. My "expert" gleanings on the current state of digital security. Also, the occasional mildly to non-related tirade. Enjoy :D Feel free to contact me with feedback or if you would like more details/clarification on anything :)
Monday, 6 February 2012
Sunday, 29 January 2012
TVShack (let's get this one out of the way shall we)
Alrighty then sports fans, I'm back. There's been quite a bit of stuff happening and I really hope that I can catch up with it all. So here we go. I'm going to have a pick at TVShack and MegaUpload, which have been the focus of the media recently. So, let's start with the earlier story of TVShack, shall we?
TVShack was a very popular streaming site for TV shows, movies, music videos and the like. It was a fairly unique one in the way it operated. TVShack was not simply a link site, that is to say a site simply with a list of links to streaming videos of the content; they went half a step further. They did not host any of the videos themselves, but instead embedded the videos into their site. What was really the problem here was the nature of the videos posted.
By now I am sure you have guessed, or more likely know, that these videos were illegal copies of movies and TV series. On June 30 2010, the domain TVShack.net, amongst others, was seized and replaced with what many would call an "evil message from the man." Of course, TVShack.cc (.cc is the TLD for the Cocos Islands, which is an Australian territory) was created as a replacement (see bottom of this article) with all the same content on it; remember that the videos were embedded in the site. A few short months later in November, British police paid a visit to the creator of the site, one Mr. Richard O'Dwyer of Sheffield.
The site was brought down and Mr O'Dwyer was arrested on charges of copyright infringement. Further, the United States requested that he be extradited to face trial in America. Of course his lawyers stated fervently that the site contained no infringing content, but merely links to said content, which was reported as such by the media. You'll note that I stressed the fact that he embedded (again with the stress) the content on his website. For all intents and purposes that is pretty much the same as hosting the content yourself.
Now I have been searching long and hard for literature on this subject and frankly, I am a bit disappointed. Practically every article I have read so far maintains, sometimes in very strong words, that the site simply linked to infringing content, which is false. There is then the further assertion that the "dual-criminality" argument required for extradition fails as he did not download any of the content himself. Well, I can neither confirm nor deny this, but if he did watch any of the links on his website, which is quite possible, a copy of the video will have been stored on his computer, thus counting as a download.
Now, I say it's quite possible because of how TVShack worked. Users would submit links to the site for consideration. These links would then be checked by the moderators to ensure that they were indeed what they said. Once checked, the video would then be embedded in the site. So, if Mr. O'Dwyer did watch one of these videos, then it would technically be a download.
No, I'm not trying to point out technicalities to prove the case against him; I am pointing out counter-arguments to the technicalities proposed by his lawyers. Well, long story short, it was recently ruled that he shall be extradited to the States. A lot of people cried foul that this was done at this time due to SOPA/PIPA, but it has been an ongoing case for a while; he appeared before a magistrate in June 2011.
Long story short, the magistrate ruled that he may be extradited. It is my understanding that if found guilty he stands to get up to 10 years in prison, but we will simply have to wait and see how it goes.
Sunday, 6 November 2011
BBM and Siri outages, a failure in more ways than you think.
Morning sports fans! Yes, I've missed you too, but I'm having a super perfectionist phase and none of my posts seem good enough to publish. This should all blow over and there will be quite a few posts some time in the future. So, let's wind the clock back a smidge and remember one of the biggest fails of the year: The Great BlackBerry Outage of 2011! (Yeah, I'm expecting more to come.)
So, cast your mind back to October 10th-ish when the first reports of a RIM server crash came in. Millions of people were left without access to BBM and some Internet services, such as Facebook. Ah, the many jokes we made that they didn't see. Well it quickly spread to North America and then other planets! (BONUS QUESTION: How many of these planets do you know?) It was somewhat fitting that BlackBerry users who were fairly vain about BBM had it ripped from them for a couple of days. It was a good thing.
Eventually, RIM apologised, and service and the status quo were restored. There was still the great debate of BlackBerry vs. iPhone (as explained here by Jimmy Carr and Sean Locke on 8 out of 10 Cats), but the iPhone users had a little chip on their shoulder that said "We never have service outages." This was compounded by the fact that the release of the iPhone 4S, and with it Siri, was imminent. Just to catch you up, Siri is the voice activated personal assistant that comes with the iPhone 4S. (For further details see this)
Anywho, Siri is now here and people are enjoying asking it silly questions, demonstrating which accents it can't understand and showing that it's only fully functional in the USA. What I was, until recently, unaware of is that Siri runs in the cloud. I have no love for cloud computing, but will ignore that at this juncture. A couple of days ago a failure caused Siri to be unable to connect to the Apple servers and thus not work. Wait, you mean Apple has service outages as well? *le gasp*! Well of course they do! The reason is simple, they seem to have overlooked a very basic principle of computer security: critical infrastructure.
What is critical infrastructure you ask? Good question! Critical infrastructure is an old-ish field which studies a setup and sees what it would take for that to stop working. The classical example is a very nice graph theoretic problem, which is quite nicely demonstrated by the London Underground map. Assume this is your only means of transport. Pick any station and/or section of the map. The problem is: can you make a single cut and isolate that station/section from the rest of the map? There are variants, such as the minimum number of cuts needed to isolate a station/section, and also on other things such as electricity, water and gas supply. You get the gist of it all, right?
The same can be done for communication and telecommunication networks. This is normally done, but it can be a bit tricky. With wired communications, it's easy to draw up a graph-style map, with each wire as an edge and each node as a vertex. However the same is not really true of wireless communications. To stop wired communications between point A and B, you need to sever the wire joining them. It's not as clear what the equivalent for wireless communication is. There is also the issue that unlike wired devices, which are immobile, wireless devices by definition are mobile.
So, now do we consider simply the connection between the devices or do we also have to consider the location? Can we only consider one or do we have to consider both? If I go into a lift and lose wireless connectivity is that a failure of the network or the device or both or neither? If you are thinking such distinctions are a moot point, then you are pretty much correct. Yes, it's not a major issue, but it should not be completely overlooked. There are a lot more examples of this, but that would mean delving into technicalities, which I would rather not do.
And there is the issue of time. These things take time, quite often a lot of it. There are so many contingencies to consider, such as the classic CTO chokes on sushi, rest of the department is killed in a meteor strike and the only other guy who knows the password gets retrograde amnesia. Yes, that is a tad far-fetched and one should probably stop when retrograde amnesia is the most likely event in your scenario. The digital market thrives on speed. You need to get the next product out there 2 weeks before the previous one is launched.
So, as you can see, owing to several issues, the critical infrastructure analysis is possibly not done as well as it should be, which can cause these kinds of issues. On the other hand, you can do the most thorough analysis and the worst case scenario may still occur, thus causing an outage. So basically it's all a roll of the dice and remember "God doesn't play dice!"
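The "single cut" and "minimum number of cuts" questions above can be run on any network drawn as a graph. Here is an added example of my own (not from the original post) that does exactly that on a constructed, made-up messaging topology: a handset reaching a data centre through two cell towers, a carrier core and one relay, which is nothing like RIM's or Apple's real networks. It finds the links that are single points of failure and the minimum cut between handset and data centre, then shows both results change once a second relay is added.

```python
"""Single points of failure, the graph-theoretic way the post describes:
how many links must be cut to isolate one part of a network from another.

Added example, not part of the original post. The topology is constructed
for illustration (a handset reaching a messaging service's data centre via
a carrier and a relay); it does not describe RIM's or Apple's real networks.
"""
from collections import deque


def add_link(graph, a, b):
    """Undirected link a <-> b with unit capacity (one cut removes it)."""
    graph.setdefault(a, set()).add(b)
    graph.setdefault(b, set()).add(a)


def reachable(graph, a, b):
    """Breadth-first search: is there still any path from a to b?"""
    seen, queue = {a}, deque([a])
    while queue:
        u = queue.popleft()
        if u == b:
            return True
        for v in graph[u]:
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return False


def bridges(graph):
    """The post's 'single cut' question: links whose removal alone
    disconnects the network. Brute force: drop each link, test reachability."""
    found = []
    for u in graph:
        for v in list(graph[u]):          # copy: the set is edited inside
            if u < v:
                graph[u].discard(v)
                graph[v].discard(u)
                if not reachable(graph, u, v):
                    found.append((u, v))
                graph[u].add(v)
                graph[v].add(u)
    return sorted(found)


def _augmenting_path(graph, flow, source, sink):
    """BFS for a path with spare capacity; returns parent map or None."""
    parents, queue = {source: None}, deque([source])
    while queue:
        u = queue.popleft()
        for v in graph[u]:
            # spare capacity on a unit link is 1 - flow[u][v]
            if v not in parents and flow[u][v] < 1:
                parents[v] = u
                if v == sink:
                    return parents
                queue.append(v)
    return None


def min_edge_cut(graph, source, sink):
    """Minimum number of links to cut to separate source from sink
    (the post's 'minimum number of cuts' variant). Edmonds-Karp max-flow:
    by max-flow/min-cut, the flow value equals the smallest cut."""
    flow = {u: {v: 0 for v in graph[u]} for u in graph}
    value = 0
    while True:
        parents = _augmenting_path(graph, flow, source, sink)
        if parents is None:
            return value
        v = sink
        while v != source:            # push one unit along the path
            u = parents[v]
            flow[u][v] += 1
            flow[v][u] -= 1           # frees capacity in the reverse direction
            v = u
        value += 1


def build_topology(redundant_relay=False):
    """Constructed sample network: two towers, one carrier core, and a
    relay that every message funnels through before the data centre."""
    g = {}
    links = [("handset", "cell-tower-A"), ("handset", "cell-tower-B"),
             ("cell-tower-A", "carrier-core"), ("cell-tower-B", "carrier-core"),
             ("carrier-core", "relay-1"), ("relay-1", "datacentre")]
    if redundant_relay:               # the fix: a second, independent relay
        links += [("carrier-core", "relay-2"), ("relay-2", "datacentre")]
    for a, b in links:
        add_link(g, a, b)
    return g


if __name__ == "__main__":
    for redundant in (False, True):
        g = build_topology(redundant)
        print("redundant relay:", redundant,
              "| min cut handset->datacentre:", min_edge_cut(g, "handset", "datacentre"),
              "| single-cut links:", bridges(g))
```

Without the second relay the handset-to-data-centre cut is 1 and two links are single points of failure; with it the cut is 2 and no single link takes the service down.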
Sunday, 11 September 2011
(Distributed) Denial of Service attacks, intentional or otherwise.
So, I have been away for a bit and thus the lack of posting. So to make up for that, there will be two posts today and at least one more this week. Right, let's get into it, shall we? Today's topic is (Distributed) Denial of Service attacks and how they can be inadvertently caused. So, first off, what exactly is a Denial of Service (DoS) and indeed a Distributed Denial of Service (DDoS) attack?
A Denial of Service (DoS) attack involves sending excessive amounts of data/requests/pings to a server with the aim of overloading the server so that legitimate users cannot access it. Imagine the following scenario: there is an office with an information counter. Normally, people would walk up to the counter, get the information they need and then leave. After this the next person does the same and so on and so forth. A DoS would essentially be one person standing at the counter and asking so many questions that nobody else can get up to the counter.
A Distributed DoS (DDoS) is the same thing, except with one minor difference. In a standard DoS, there is only one attacker and one attacking system. In a DDoS, there may still be one attacker, but there are several systems involved in the attack. For all intents and purposes, DoS attacks really only exist in textbooks, so we will only consider DDoS attacks.
So, now that we know what DDoS attacks are, let's look at how they happen. The normal scenario is that our attacker(s) pick a target and then bombard them with requests. At a technical level, there are several ways to do this intelligently, but the simplest is just overwhelming the server with requests. I would rather not get into the details, because to be quite honest, I find them inane and boring. So, let's just say there are many ways of doing it.
Now, if you recall I did say we were going to discuss how one may inadvertently perform a DDoS. First off, we need to realise that different websites require different levels of hardware. Right at the top you have the likes of Google, who require server farms of sizes that are difficult to fathom. Then you go down to the bottom, where you have tiny websites that get a couple of hits a week, which probably run on a single machine. Obviously, the smaller the server, the easier it is to DDoS. Now, the unintentional DDoS attacks happen to these smaller sites. How you ask? Well simple, they get very popular, very fast.
There are a few ways you can achieve this. Firstly, start off a small website which then becomes popular. Then when you post new content, the number of people accessing your site goes through the roof and your site becomes temporarily unavailable. Don't think this is possible? I refer you to a delightful webcomic (in a manner of speaking) The Oatmeal, run by Matthew Inman. He even says something about it on his Facebook page. He does somewhat DDoS himself, by being awesome!
Another way is best explained by using Stephen Fry as an example. Stephen had built up quite a fan base as an entertainer and television personality over the years, so when he ended up on Twitter, well naturally he had a smattering of followers (myself included). He is quite an avid user and apart from the usual tweets of his current activities (and of course his tweets for charity), he does tweet links to amusing content from time to time. The moment that tweet hits the net, there are thousands of people clicking that link and, well, it has caused more than one site to go down.
As we can see in both cases, neither party had any malicious intent towards the sites that they inadvertently DDoS'ed, but it did happen. The unfortunate part of this is that there is no way to defend against it. Well, there is no practical way to defend against it. Of course, everybody could use industrial size server farms, but that is not really practical. There may be some sort of gains made if everything was hosted in the cloud, but I'm not sure how feasible that is.
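One thing a small site's admin can do is at least tell the two cases apart from the access log, because the sensible response differs: a flash crowd from one tweet wants a cached copy of the hot page, a flood from a handful of sources wants rate limiting. Here is an added example of my own (not from the original post): the log lines are constructed (documentation IP ranges, a made-up short link), the "combined" log format is the standard Apache/nginx one, and the thresholds are illustrative assumptions rather than any standard.

```python
"""Telling a flash crowd (the accidental 'DDoS' the post describes) from
a deliberate flood, using nothing but the web server's access log.

Added example, not from the original post. The log lines are constructed
(documentation IP ranges, a made-up short link) and the thresholds are
illustrative assumptions, not an industry standard.
"""
import re
from collections import Counter

# Apache/nginx "combined" log format, one request per line
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

ADVICE = {
    "normal": "nothing to do",
    "flash_crowd": "serve a cached/static copy of the hot page; push heavy assets to a CDN",
    "flood": "rate-limit or block the noisy sources; if they are spread out, filter upstream",
}


def log_line(host, path, referer):
    """Constructed combined-format line (fixed timestamp, 200 OK, 512 bytes)."""
    return (f'{host} - - [11/Sep/2011:10:00:00 +0000] "GET {path} HTTP/1.1" '
            f'200 512 "{referer}" "Mozilla/5.0 (constructed)"')


def parse(lines):
    """Parse the lines that match the format; skip anything malformed."""
    return [m.groupdict() for m in map(LOG_RE.match, lines) if m]


def requested_path(row):
    parts = row["request"].split()
    return parts[1] if len(parts) > 1 else ""


def classify(lines, min_requests=10, source_share=0.5, link_share=0.5):
    """Label one window of log lines.

    flood       : three hosts account for >= source_share of requests, or
                  many hosts with no common link/page (random-looking)
    flash_crowd : many distinct hosts, mostly arriving from one referer to
                  one page, the 'everyone clicked the same tweet' pattern
    normal      : fewer than min_requests in the window
    """
    rows = parse(lines)
    total = len(rows)
    if total < min_requests:
        return "normal"
    hosts = Counter(r["host"] for r in rows)
    top_sources = sum(n for _, n in hosts.most_common(3)) / total
    if top_sources >= source_share:
        return "flood"
    top_ref, n_ref = Counter(r["referer"] for r in rows).most_common(1)[0]
    _, n_path = Counter(requested_path(r) for r in rows).most_common(1)[0]
    if top_ref != "-" and n_ref / total >= link_share and n_path / total >= link_share:
        return "flash_crowd"
    return "flood"


# Constructed sample windows (RFC 5737 documentation addresses)
FLASH_CROWD = [log_line(f"203.0.113.{i}", "/comics/cats", "https://t.co/constructed")
               for i in range(1, 21)]
FLOOD = [log_line(f"198.51.100.{i % 3}", f"/search?q={i}", "-") for i in range(20)]
DISTRIBUTED_FLOOD = [log_line(f"198.51.100.{i}", f"/search?q={i}", "-") for i in range(20)]
QUIET = [log_line("192.0.2.7", "/about", "-"), log_line("192.0.2.8", "/", "-")]


if __name__ == "__main__":
    for name, window in [("flash crowd", FLASH_CROWD), ("3-host flood", FLOOD),
                         ("spread-out flood", DISTRIBUTED_FLOOD), ("quiet", QUIET)]:
        label = classify(window)
        print(f"{name:16s} -> {label:12s} {ADVICE[label]}")
```

A crowd that arrives with no referer (mobile apps, referer stripping) would be labelled a flood here, so treat the label as a triage hint rather than a verdict.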
Thursday, 18 August 2011
rankmyhack.com - WHY?
So, recently it has come to my attention that there is a website called rankmyhack.com [twitter account] (at last attempt the site was unreachable and isup.me said it looks down) which basically encourages the general populace to hack stuff, post details of it and get points based on how good it was. So, something simple like logging into a system where they left the guest account open would score minimal points, but a more complex exploit, such as say a SQL injection, would score more. Sounds fun, right?
WRONG! I for one will tell you how important it is to secure your web-facing interfaces, devices and any combination thereof till the cows come home, but there is a proper way to do that. There are some standard known practices and counter-measures against exploits that you can put in place. Of course this process is fairly mechanical and does not account for human ingenuity.
Tiger Teams (that term always makes me think of this), enter stage left. Now a Tiger Team or Red Team is a bunch of in-house or outsourced hackers whose sole job is to attack the system. They do this in a contained environment and report all the exploits to the developers, who then correct any flaws. Ideally, they will find everything, but there is no guarantee of that. If they are good, they will find most of them.
That's the normal way of doing it. This site however basically sets the dogs loose on every single person on the Internet. You, my dear beloved reader are at risk. If you are reading this, it is a safe assumption that you have access to the Internet. A further safe assumption is that you have at least one e-mail account. BOOM! Target numero uno. But it gets better. Do you have: Facebook? Twitter? Social media sites? Other sites? Your own website? Smartphone? All targets. There are a plethora more and I will not list them all but you get the idea.
The very idea that a website would be dedicated to this kind of malicious and illegal behaviour is utterly beyond me. Why don't we have a website dedicated to videos of us crashing our cars into walls and rate those? ratemycrash.com! Brilliant idea! And as I typed that, I realised that it probably exists, which it does. When I saw that page, my soul died a little bit. But I digress.
This website is the digital equivalent of a bunch of mobsters gathered around a dinner table bragging about all the crimes they have committed. Yes, I know I have shown a little bit of annoyance at the Black Hat conferences and the like, but in the end it is serious security research. I know they sexy it up and throw in a bit of FUD but at the end of the day it is valid research with some useful insights and is helpful in the design of future systems.
This site, not so much. It also helps further perpetuate the whole image of hackers portrayed in the media. You may remember my previous comment about the green on black terminals. Yeah, that's all there. There are times when people do things which we don't agree on and we move on. Then there are times when people do things and it just about turns you into a misanthrope. This isn't one of the latter, but it sure as hell ain't helping!
Wednesday, 27 April 2011
Why the movies are wrong (Surprise, Surprise)
On the lighter side of life, my friend @zarino tweeted this link, which got me thinking about hackers in popular culture. Think about your favorite movie and/or TV hacker. My vote goes to Alec Hardison, but that's irrelevant. In any "hacking sequence" you see the hacker typing away furiously on a keyboard and all sorts of random green text on a black background. The green on black dates way back to the old days and I have no clue as to why they used those colours, but everybody loves it.
Anyway, you see them typing away furiously at a console screen and all sorts of text just popping up.
IT'S ALL WRONG!
Sadly, hacking is really not that glamorous. It's mainly typing one or two commands or even just a button click. That is preceded by actually coding the tool you are using, but nobody types that fast, especially not when programming. Just by the by, the text that appears in the link is a program of some sort. Haven't read all the code, so not sure what it does. All I can say is that it looks like something from the C family.
*****EDIT******
Turns out they changed the site a touch since I visited it. It appears the code is part of the Linux kernel.
Wednesday, 20 April 2011
Why you are not dead from the robot-induced nuclear apocalypse (or why CAPTCHAs still work)
If you are reading this then you are not dead. That is generally a good thing. Now, you may ask yourself as to why you should be dead. Well, according to the popular Terminator series of movies, the 18th of April is the day when we all bite the big one. Unless you happen to be John Connor.
The original premise of the movie was that the Artificial Intelligence (AI) known as "Skynet" became self-aware and decided that it reaaaaallly hated humans. So, it decided to get rid of them the best way it knew how: it nuked the living daylights out of EVERYTHING (barring John Connor and the other lucky guys) and then some. And then we have time-travel and fights and craziness spread over 4 movies and a TV series. Why, you may ask, do I care about this? Well, apart from being a massive geek?
There is a mild connection between Skynet and computer security. What Skynet represents is a sentient AI, which is basically a computer that can think for itself. Now, having personally worked with an AI (for my undergraduate thesis) I now look at all movies/TV shows that have real full AI with a great amount of scepticism. I know I am not an expert by any metric, but it took me close to 2 months to write an AI agent that learns to play blackjack. Nothing fancy at all, it just plays a basic strategy. The upshot: it's really really hard.
I know that they have made some massive leaps in the field, such as Watson and Deep Blue, but that's not quite the same. These are supervised AI agents that can just do one thing and had to be fed a ton of data beforehand. Watson for example has the whole of Wikipedia stored, which is in my books cheating just a little bit. Although these are very impressive, they are still far away from full self-awareness and sentience.
The only way that could happen is if we had an unsupervised agent, that is, an AI agent who is given only knowledge of the problem and needs to learn how to solve it. For example, you could tell an agent what a maze is and then put it in a maze and tell it to find its way out. It will (eventually) learn how to do that. Then you give it another maze and it will learn, and so on and so forth. And then you have to make it able to learn new tasks. But once you hammer out those little details, then you have the computer that will end the world.
So, to the main point: there are several reasons AI is interesting from a computer security point of view, but the main one is CAPTCHAs. Now, it's a little bit of an abuse of the term, but for simplicity I use CAPTCHA to mean all such systems and implementations thereof. The general idea is that you are shown a picture of somewhat distorted letters and you have to enter the letters to prove you are a human.
The reason for this is that computers, such as automated sign-ups and spambots etc., were used to make THOUSANDS of false email accounts for the purpose of spreading spam, viruses, boredom, marketing maybe, but generally evil stuff. If you can prove you are human, then all will be hunky-dory and you can sign up. A computer will almost always fail these tests. AIs can try to learn these things, for example, using neural networks. And some of these algorithms have had some reasonable success. This is exactly why you sometimes get a CAPTCHA that is completely unintelligible, to protect against smart AIs, with the side effect of annoying the humans, ironically, as the machines wanted.
But, if we could for a second just shift back to self-aware AI. Well, the upshot is if the AI were self-aware, it's well beyond breaking CAPTCHA. We would basically have a robot with human cognitive skills, but much more computing power. I leave it to your imagination (mostly sculpted by TV and movies) to do the rest.
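As an added example (not code from the original post), here is the server-side bookkeeping behind a CAPTCHA of the kind described above. Rendering the distorted letters is out of scope; what this shows is how the challenge is handed out as a signed, expiring, single-use token and how the typed answer is checked, so that a bot gets exactly one guess per image and cannot brute-force the answer offline even if it holds the token. The class name, the secret and the clock hook are assumptions made for the example.

```python
"""Challenge/response bookkeeping for a CAPTCHA-style proof-of-humanity.

The image (distorted letters) is produced elsewhere from `answer`; this module
only issues tokens and verifies responses. Assumed names, not a real library.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Letters that are easy for humans to read: no 0/O or 1/I confusion.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


class CaptchaService:
    def __init__(self, secret: bytes, ttl_seconds: int = 300, length: int = 6,
                 now=time.time):
        self._secret = secret          # server-side key; never sent to the client
        self._ttl = ttl_seconds        # how long a challenge stays answerable
        self._length = length
        self._now = now                # injectable clock so expiry can be tested
        self._used = set()             # consumed nonces (use a shared store in production)

    def _answer_hash(self, nonce: str, answer: str) -> str:
        # Keyed hash: the token reveals nothing about the answer, and without the
        # secret an attacker cannot test guesses against it offline.
        msg = f"{nonce}:{answer.strip().upper()}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def _sign(self, body: str) -> str:
        return hmac.new(self._secret, body.encode(), hashlib.sha256).hexdigest()

    def issue(self):
        """Return (token, answer). The token goes to the client with the image;
        the answer goes only to the image renderer."""
        answer = "".join(secrets.choice(ALPHABET) for _ in range(self._length))
        nonce = secrets.token_hex(8)
        payload = {"n": nonce,
                   "exp": int(self._now()) + self._ttl,
                   "h": self._answer_hash(nonce, answer)}
        body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
        return f"{body}.{self._sign(body)}", answer

    def verify(self, token: str, response: str) -> bool:
        """True only for the right answer, before expiry, and only once per token.
        A wrong answer also burns the token: one guess per image."""
        try:
            body, mac = token.split(".", 1)
        except ValueError:
            return False                                    # malformed token
        if not hmac.compare_digest(mac, self._sign(body)):
            return False                                    # tampered or forged
        payload = json.loads(base64.urlsafe_b64decode(body))
        if payload["exp"] < self._now():
            return False                                    # stale challenge
        if payload["n"] in self._used:
            return False                                    # replayed token
        self._used.add(payload["n"])                        # consume before judging
        return hmac.compare_digest(payload["h"],
                                   self._answer_hash(payload["n"], response))


if __name__ == "__main__":
    svc = CaptchaService(b"constructed-demo-secret")
    token, answer = svc.issue()
    print("challenge", token[:24] + "...", "answer", answer)
    print("first try:", svc.verify(token, answer.lower()))   # True
    print("replay:", svc.verify(token, answer))              # False
```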
SIDENOTE: More real/relevant blog posts to come soon.
Tuesday, 8 February 2011
Computer Security Experts; The Doctors of the Digital Age?
So, there's a lot going on and I really need time to compose my thoughts. And by that time, more will have happened. Loop infinitely. But until the end of time or death, whichever comes first, I will try and keep up. While I do that, I have a not so significant post on a random train of thought from my brain.
So, this idea struck me while watching an episode of House MD. If you are not familiar with it, I will give you the overview: Dr. Gregory House is a genius and an ass of the highest order. He diagnoses and cures patients with conditions that have baffled and/or escaped other physicians. They use a method known as "differential diagnosis" (DDx), which is basically saying "the patient has the following symptoms, therefore they must have the following condition." While watching one of these, I realised that there is only one kind of human body. Yes, there are differences from person to person, such as eye colour, height, weight, allergies, etc., but the basic abstract framework, if you will, is the same. Arguably there are two, one for each gender, but there really aren't more than that.
Then I thought about whether any parallels could be drawn between computer security and medicine. Here's where I drew a blank. There were some superficial comparisons, but those were a stretch of the imagination at best. It dawned on me that the level of complexity in the systems we deal with is so high that the human body looks like a wind-up toy in comparison. In no way do I mean to trivialise medicine, which is a very complex field in its own right, but all that complexity is constrained to at most two basic frameworks. In computer science in general, there are a near-infinite number of potential frameworks.
Let's begin at the most basic level and just examine the hardware. Right there you have so many components to consider, and several of them with potential security issues. First off, the components have to be compatible. Next we need to ensure that none of these components, on their own or in combination, will cause a security threat. This is easier said than done, as components from different manufacturers can behave differently and have side-effects that others don't. At this point we have so many ways we can fail, and yet we only have a box that does nothing. Zilch! Without any software to run the hardware, you just have an expensive and oversized paperweight. Which takes us to the next point: software.
Even in software, we have two basic groups: operating systems (OSes) and application software. Well, first you need an OS to run your computer. There is a HUGE potential location for security holes here. Every OS available has security holes, every one of them. Yes, every single one, and that especially includes MacOS. I am sick and tired of Mac users sanctimoniously claiming that there are no viruses for Macs! This is often swiftly followed by a comment on how Macs are more secure than Windows. I have one word for that:
NONSENSE.
Seriously, every operating system has security issues. Some have more than others, some have more critical ones than others. Now another concern is which operating system are you using? Which version of it? Which patches and updates are installed? Is there any issue arising from the hardware/software combination? These are just some of the questions you have to ask. At this point we have a computer that can switch on and let you log on and not much more.
I know you must be thinking, but when I installed my operating system it had all these programs installed already. I could play games, connect to the Internet, and so on. Yes, that is true, but the software that enabled you to do so was not part of your OS, generally speaking. It was bundled in and included with your installation media, but it is technically not part of the OS. Now we come on over to application programs. This is anything you install on your computer, no matter how small or large; it all matters.
The thing with most software is it does a lot of stuff that you never see. Most of the time it's stuff you want it to do, but you really have no way of knowing. There are two scenarios here, where the software is doing what you asked, but as a side-effect has made you vulnerable to certain attacks and where the software is deliberately making you vulnerable. In either case you are vulnerable. This is assuming just one program, it gets even more fun with multiple programs. Some applications connect to each other, such as your PDF reader and your web browser. Here it becomes really fun!
It may turn out that on their own the programs pose no threat, but when combined they are potentially lethal. A sort of the reverse of salt, whose components are lethal, but the combination is not. I think you can see where this is leading to. If your head is spinning trying to imagine the countless possibilities of interaction between programs on your computer and/or that you know of, well then my job is done.
Now, I would like to point out that the same applies for smart phones. Have fun running over that one. Then consider when you connect your smart phone to your computer. This whole path leads you to a really messed up place where you are building a house of cards, using cards of different shapes and sizes. It's almost like you want it to fall down, just so you can stop building.
But enough gloom and doom, silver lining time. Here you go! Seriously, although there are a plethora of threats to your computer and its safety, if you are smart and keep your wits about you, then you should be fine.
Saturday, 5 February 2011
Egypt. Let's start there.
So, there's a lot happening right now. Looks like I'm going to have to blog in overdrive, which probably means these posts won't be great, so apologies in advance. First order of business: Egypt. Unless you live in a bubble, or perhaps The Bubble (totally should have gotten a second series) then you will know of the problems in Egypt. Here I'm going to say that the politics of the situation is irrelevant to my blog post, so I'm not even going to go there. Right now on to the situation of interest: the Internet!
So, amidst protests and unrest and in general everything not being so hunky dory, the Egyptian government flipped the switch on the Internet. The whole country was sans Internet. There was massive outrage both inside and outside Egypt. And here's my issue with that: Deal with it!
People everywhere have become too accustomed to the Internet being there and available. Everybody is so hooked into the Internet that they just assume it will always be there, that it is a right they have. Access to the Internet is a privilege, the most abused privilege in the world. At some level I guess I sort of believe it to be a right as well, but I am aware that it could be taken away at any point.
So, now a bit of background from recent history: the Iranian "Twitter revolution." The basic gist is that all protests and opposition and so on were coordinated via Twitter, Facebook and other social media sites. Although the Iranian government was able to take down classical telecommunications, the Internet provided a channel for communication. It seems the Egyptian government took this lesson to heart and flipped that switch as well.
The problem with allowing people to broadcast their agenda and/or grievances over Facebook and Twitter is that it tends to skew public opinion one way or the other, generally not in favour of the government. It seems that anti-government sentiments are more quickly adopted than pro-government sentiments, at least in my observation. This seems to be regardless of how valid the grievances are. So in a bid to avoid this, the Egyptian government shut off the Internet.
However, the Internet is a resilient little bastard. There were some very novel ways conjured up to access the Internet. There were several other ways which were fun and creative, but they carried on accessing the Internet and rallying support for their cause. This further compounded the outrage against the "oppressive regime."
Note the quotation marks, as I would like to disagree. The circumstances of the event were not exactly normal. There was some civil unrest, there were protests and there was a curfew in place. The government acted in a way which they believed would not cause the opinions of the rest of the world to be slanted too far against them, and they failed.
There have been other countries that have considered having an Internet "kill-switch" (I am oddly undecided if I love or hate that), most notably USA. I think one of my favourite things to come out of this is this post, where an anonymous poster says Australia has a backbone for stating they will not have an IKS (just wanted to try out that acronym, don't think it will stick.) I would strongly disagree and say it's the opposite.
As I have stated before, here and here, the Internet has too little regulation and something like this would bring in some level of regulation. It is not all that's needed and is not necessarily the best way to do it, but it's a start. I would not like it if my Internet was shut off by the government, but I would understand. What we need to understand is that the government has allowed you to access the Internet and they can take that away. They could just as easily ban cars or motorbikes or potatoes, which would probably be met with the same response. Like I said, somewhere down the line the government said "Yes, we should allow the Internet" and then they gave licenses to ISPs and so on and so forth and you were connected. They can revoke that at any point in time, if they choose to.
Looking at this without the political dimension just points out another case where technology has grown too fast for legislators to keep up, through no fault of their own. Even experts are constantly learning new things and having to keep up. At some point, I hope, there will be some catching up done and we will all be better off for it. Until then, well, things will go on as before.
Wednesday, 7 July 2010
Another side-note
Well, I have previously pointed out how TV tries to use cryptography as a plot point and fails massively, but I found a counter-example. I have recently started watching Numb3rs, and by recently I mean I'm only on Season 1 Episode 5. Which is the exact episode I want to talk about, well not really talk about so much as I want to mention that they pretty much got the details of how cryptography works right. There was a slight lack of finesse in it, but overall the general idea was conveyed. Needless to say this made me happy. Apart from that, as far as I can tell most of the math they do/show/explain on the show is fairly accurate. Looks like I have a new TV show to watch.
*EDIT*
Season 1 Episode 6, same as above.
Friday, 26 March 2010
Small side-note
As I have been very busy the past couple of weeks, I haven't been keeping up-to-date with most of my TV viewing. I just recently managed to watch FlashForward S01E11. What made me laugh was the part where Dr. Simon Campos is trying to "brute force" an encryption algorithm. Their attempted accuracy made me laugh a little. As with the portrayal of most computer-based security in the media, they try, but fail at accuracy. Points for trying though.
Tuesday, 9 March 2010
Bloggers!
cf. my post on the 24th of Feb, mainly the part about bloggers. Now somebody important actually reads this and decided to capture this phenomenon in a TV series. Well, truly, the sarcasm was that they got the idea from my blog. However, this week's episode of House MD dealt with this issue, albeit wrapped in the usual medical drama. Highly recommend this episode, and the show in general.