Alrighty then sports fans, I'm back. There's been quite a bit of stuff happening and I really hope that I can catch up with it all. So here we go. I'm going to have a pick at TVShack and MegaUpload, which have been the focus of the media recently. So, let's start with the earlier story of TVShack, shall we?
TVShack was a very popular streaming site for TV shows, movies, music videos and the like. It was fairly unique in the way it operated. TVShack was not simply a link site, that is to say a site with nothing but a list of links to streaming videos of the content; it went half a step further. It did not host any of the videos itself, but it embedded the videos in its own pages rather than merely linking out to them. What was really the problem here was the nature of the videos posted.
By now I am sure you have guessed, or more likely know, that these videos were illegal copies of movies and TV series. On June 30 2010, the domain TVShack.net, amongst others, was seized and replaced with what many would call an "evil message from the man." Of course, TVShack.cc (.cc is the TLD for the Cocos Islands, which is an Australian territory) was created as a replacement (see bottom of this article) with all the same content on it, remember that there were videos embedded in the site. A few short months later in November, British police paid a visit to the creator of the site, one Mr. Richard O'Dwyer of Sheffield.
The site was brought down and Mr O'Dwyer was arrested on charges of copyright infringement. Further, the United States requested that he be extradited to face trial in America. Of course his lawyers stated fervently that the site contained no infringing content, but merely links to said content, and the media reported it as such. You'll note that I stressed the fact that he embedded (again with the stress) the content on his website. For all intents and purposes that is pretty much the same as hosting the content yourself.
Now I have been searching long and hard for literature on this subject and frankly, I am a bit disappointed. Practically every article I have read so far maintains, sometimes in very strong words, that the site simply linked to infringing content, which is false. There is then the further assertion that the "dual-criminality" argument required for extradition fails as he did not download any of the content himself. Well, I can neither confirm nor deny this, but if he watched any of the videos embedded on his website, which is quite possible, the stream would have been transferred to and buffered on his computer, which is a download in the technical sense.
Now, I say it's quite possible because of how TVShack worked. Users would submit links to the site for consideration. These links would then be checked by the moderators to ensure that they were indeed what they said. Once checked, the video would then be embedded in the site. So, if Mr. O'Dwyer did watch one of these videos, then it would technically be a download.
No, I'm not trying to point out technicalities to prove the case against him; I am pointing out counter-arguments to the technicalities proposed by his lawyers. It was recently ruled that he is to be extradited to the States. A lot of people cried foul that this was done at this time because of SOPA/PIPA, but it has been an ongoing case for a while: he first appeared before a magistrate in June 2011.
Long story short, the magistrate ruled that he may be extradited. It is my understanding that if found guilty he stands to get up to 10 years in prison, but we will simply have to wait and see how it goes.
!!!!!WARNING: This blog may cause your brain to explode, implode or melt!!!!! What is IMHO the side of the story the media didn't cover, if at all. My "expert" gleanings on the current state of digital security. Also, the occasional mildly to non-related tirade. Enjoy :D Feel free to contact me with feedback or if you would like more details/clarification on anything :)
Sunday, 29 January 2012
Monday, 20 June 2011
Let's talk money, digital money!
Alrighty then, I'm going to assume that everybody has some basic understanding of the concept of money. Next, I assume you all have some idea of how to spend money online using things like PayPal, credit cards, debit cards and so forth. Also, the reason people shouldn't be able to steal your details, and thus your money, if it's all done right, depends heavily on crypto. The best way to explain what I do is to ask "Have you ever bought anything online?" When they answer in the affirmative, I say "You're welcome."
All levity aside, let's talk about money. Money is official-looking paper and bits of metal that carry some value. This value is backed by some central authority. This would normally be the central bank of the country, but could be larger, such as the Eurozone. There's a whole lot of economics behind how and why this works, inflation, deflation, devaluation, exchange rates etc. that I don't even pretend to understand. We all accept this at face value and move on with our lives.
In the online world, it's basically the same thing. The authorities may have changed to credit card issuers, certification authorities and others, but the principle remains the same. Now, this idea doesn't sit too well with the über-privacy people. They are now afraid of all the digital "paper trail", if you will, that is created by all of this. They say that if we can use crypto to secure our transactions, then why not use it to preserve our privacy and create anonymity.
Well, there is quite a lot of cryptographic research in the field of what we like to call e-cash. All this research is completely agnostic of the economic aspects and focuses on the crypto stuff. Until a few days ago, I thought there was no real implementation of any sort of e-cash. Then I heard about Bitcoin. Just as a brief side-note, cryptographers love coins. It's somewhat of a convention that randomness is described in terms of coin tosses and that all e-cash schemes are described in terms of coins. There is good reasoning behind it, but I shan't go into details.
So, back to Bitcoin, which is "the first decentralised digital currency" according to the introductory video. They then go on to explain how it all works and what the advantages are. I'll just recap it for you, for completeness. Bitcoin works using identifiers called addresses, which are derived from a hash of a public key and so look like random strings. Each user gets one when they download the client software. They can then create more so as to have different kinds of payments come and/or go to/from different addresses. All of these are tied to the same wallet. So if a person has addresses a and b, then sending money to either address amounts to the same thing. This is how anonymity is preserved, or rather pseudonymity: the addresses carry no name, but every transaction between them is public, so the flows can still be followed.
When Bitcoins are sent from person to person, the transaction is hashed and signed with the sender's private key. The hash value and digital signature are then verified by the other nodes in the system. Once a transaction is verified, the Bitcoins are added to and subtracted from the relevant balances. This is the decentralised aspect. In normal e-commerce transactions, the verification would be done by a centralised authority such as a bank or clearing house. With Bitcoin this is done in a peer-to-peer (P2P) manner. Another interesting thing is that Bitcoins are super divisible. You can go down to 0.00000001 BTC, which is one advantage of having a digital currency.
So I thought I'd give this a try. I downloaded the client software and started reading through the literature and all the wikis and got a feeling for how this all works. There is a whole sub-culture built around Bitcoin and it is quite fascinating. There are entire forums and IRC channels dedicated to trade in, and using, Bitcoins. However, as I dug deeper I discovered two very interesting points.
Firstly, Bitcoins are more of a commodity than a currency IMHO. I would like to think of Bitcoins as digital gold. This analogy is fairly apt given the way the currency works, especially with respect to generation. The generation of Bitcoins is called "mining" and involves essentially a partial pre-image search on a hash function: you vary a counter (the nonce) in a block header until the double-SHA-256 hash of the header falls below a target value, i.e. starts with enough zero bits. Finding one requires huge amounts of computation, but checking a claimed solution takes a single hash, and once found, a "block" is created. The creation of this block gives the creator some Bitcoins; at the time of writing this stands at 50 BTC. For those of us that do not have a super computer, there are still options.
The basic technique is called "pooled mining." Here what you do is combine your computational power and split the profits according to how much work each participant did, measured in "shares": solutions to an easier version of the same puzzle that the pool hands out. One way of doing this, if you have a reasonably large amount of computational power, is to join a mining pool. There are several ways this can be done and there are a few technical details that need to be considered. Mostly these depend on a central server, which is ironically what Bitcoin was trying to avoid. For those of us with less computational power, there are alternatives, such as this (BTW if you are feeling really nice, you could try and generate a few coins for me here or you could just send some to 1KbnDDaS3UTAMZkqHSJwGuWgdApQr3wAqp).
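To make the mining and pooled-mining paragraphs above concrete, here is a toy proof-of-work and a toy proportional pool in Python. This is an added example for this post, not the Bitcoin client's code: the header is a constructed stand-in for the real 80-byte block header, the nonce is simply appended to it rather than sitting in its real position, and the difficulties are tiny so it runs in well under a second. The mining, verification and share-counting logic are the real idea, reduced to their essentials.

```python
import hashlib
import struct
from fractions import Fraction

# Constructed sample input: stands in for the real block header (version,
# previous block hash, merkle root, timestamp, target). Not a real header.
HEADER = b"toy-block-header:prev=0000abcd,merkle=1234beef,time=1308528000"


def double_sha256(data: bytes) -> bytes:
    """Bitcoin hashes block headers with SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target(difficulty_bits: int) -> int:
    """A valid hash must be below this value, i.e. have difficulty_bits leading zero bits."""
    return 1 << (256 - difficulty_bits)


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    return int.from_bytes(digest, "big") < target(difficulty_bits)


def block_hash(header: bytes, nonce: int) -> bytes:
    """Hash of the header with a 32-bit little-endian nonce appended (simplified layout)."""
    return double_sha256(header + struct.pack("<I", nonce))


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Checking a claimed solution costs one hash; finding it cost about 2**difficulty_bits."""
    return meets_target(block_hash(header, nonce), difficulty_bits)


def mine(header: bytes, difficulty_bits: int, start_nonce: int = 0, max_nonce: int = 1 << 32):
    """Brute-force nonces until the hash lands below the target. Returns (nonce, digest) or None."""
    for nonce in range(start_nonce, max_nonce):
        digest = block_hash(header, nonce)
        if meets_target(digest, difficulty_bits):
            return nonce, digest
    return None


def pool_round(header: bytes, share_bits: int, block_bits: int, hashrates: dict, reward_btc: int = 50):
    """Toy proportional pool (a hypothetical simplification, not any real pool's payout scheme).

    Each miner submits "shares": nonces whose hash clears the easier share target.
    Because the block target is stricter than the share target, a block solution is
    always a share as well. When a block is found the reward is split in proportion
    to shares, which is why the pool server must be trusted to count them honestly.
    """
    assert share_bits < block_bits
    miners = list(hashrates)
    # Deterministic work schedule: a miner with hashrate 3 tries three nonces
    # for every one tried by a miner with hashrate 1.
    schedule = [m for m in miners for _ in range(hashrates[m])]
    shares = {m: 0 for m in miners}
    nonce = 0
    while True:
        miner = schedule[nonce % len(schedule)]
        digest = block_hash(header, nonce)
        if meets_target(digest, share_bits):
            shares[miner] += 1
            if meets_target(digest, block_bits):
                break
        nonce += 1
    total = sum(shares.values())
    payout = {m: Fraction(reward_btc) * shares[m] / total for m in miners}
    return {"nonce": nonce, "finder": miner, "shares": shares, "payout": payout}


if __name__ == "__main__":
    nonce, digest = mine(HEADER, 16)
    print(f"solo: nonce={nonce} hash={digest.hex()} valid={verify(HEADER, nonce, 16)}")
    result = pool_round(HEADER, 6, 14, {"alice": 3, "bob": 1})
    print("pool:", result["shares"], {m: float(p) for m, p in result["payout"].items()})
```

Two things worth noticing when you run it: the difficulty knob changes the search cost exponentially while `verify` stays at one hash, which is the whole point of proof-of-work, and the pool's split depends entirely on the operator's share tally, which is the central trust the post complains about.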
However, there are other ways. Carrying on the gold analogy, there are people who own gold but have never even been near a mine. How? They buy it! The same goes for Bitcoins. There are marketplaces where you can buy and sell Bitcoins for real money. It's fairly easy to compare to, say, a fresh fish market. Basically, the fishermen catch the fish (in this case they mine Bitcoins) and then go to a fixed place to sell it. The public knows this place and comes there to buy some fish (or in our case Bitcoins). The reason I use the fish market analogy is that there is some haggling and negotiation involved, which is not unlike the Bitcoin marketplaces. In these places you can buy and/or sell Bitcoins for USD, GBP, EUR, or even SLL, the currency of Second Life. Not kidding on the last one.
Which sort of brings me to the second point. Even though Bitcoin is supposed to be decentralised, it seems to be doing its best to achieve the exact opposite. The whole idea is to not trust one monolithic central institution, but instead distribute the trust amongst all participants in the system, that is, using P2P. In practice there is always some large amount of trust placed in central entities of varying size: pool servers, exchanges, and so on. Transaction verification is still very much P2P, but not much else is. And therein lie the problems.
"With great power comes great responsibility" said Uncle Ben, rightly so. In the mining context, there are ways that pool servers and miners can cheat. The details of this are fairly technical and thus I will skip them. The essence is that the pool server counts the shares and decides who receives how much money, and if you control a large enough share of a pool's hashing power you can skew that outcome. Some people would argue that such attacks are infeasible, but I think they are possible. Furthermore, with all the multiple currency exchanges, it's not unlikely that somebody could be making, or trying to make, money speculating on price rises and drops. The problem here is that because it's so decentralised, there is the risk of somebody "making a run on the currency." I'm not entirely sure I know how that works, but I believe them.
The most recent problem that has surfaced is that of theft. All the "money" is stored locally on your hard drive in a single file called "wallet.dat". That file holds the private keys for your addresses, so whoever copies it can spend everything in it; at the time of writing the client stores it unencrypted. After reading a few of the forums, it became painfully obvious that everybody knows exactly what this file is and what it does. I thought to myself "That's quite a nice target for an attack". Hey presto, somebody did it. The thing with attacks of this kind is that they are pretty much untraceable. Remember, Bitcoin operates on pseudonymous identities: the transfer itself is public, so you can watch the coins move from address to address, but even with the address the money was sent to, you don't learn who is behind it.
So, there are some really cool things about Bitcoin and some not so cool things. I really have no strong opinions about it either way at this point in time. I am just going to let things develop and see what happens. There is a lot of talk about how these may be used to buy and sell drugs, which could lead to the whole thing being shut down, but we shall have to wait and see.
Sunday, 12 June 2011
Quick post on how I may be kind of wrong.
If you know me at all, you will know that I have strong opinions on some things. If you don't know me, you now know that I have strong opinions on certain things. Now that everybody is caught up, let's all sit back and enjoy me being wrong-ish. I had a post earlier which really is based on the idea that access to the Internet is a privilege, one that some people abuse. Well, now the United Nations has declared it a human right. My argument falls flat on its face. I'm a big boy and I am willing to admit that, in light of this, those arguments no longer hold water. Things change, people's ideas are made to be wrong, that's life.
Also, just a minor side-note: read this article!
Monday, 6 June 2011
Cyberwarfare Part 2 (No more lazy me, for now)
Alrighty then, we had a basic intro to cyberwar in my previous post. In between then and now, the clever chaps at the SIS, commonly but incorrectly referred to as MI6, told us about this little gem. This has to be one of the funniest things in existence... EVER!!! But minor state-sponsored hacktivism aside, back to the crux of the matter: the issues arising from cyberwar.
One of the main problems is that you may not even know that you were attacked. If somebody blows up a building, the sound, and the lack of building, would alert you pretty quickly to the fact that there was an attack. A cyber attacker may have installed some malicious software on your system or copied some data and you would be none the wiser. Yes, there are ways to detect this, but it is very possible that you wouldn't even notice.
It's not only the lack of physical evidence, but also the time scale. Normal wars tend to take a long time. If you don't notice you are at war, well then you have bigger problems than the army barrelling down your front driveway. A cyberwar or cyber attack can be executed and completed within a matter of hours, if not minutes. It is really that fast. Yes, there is a lot of prep time required, but this is analogous to training your army, building your tanks etc.
Then there is the last (I promise, well for now) issue arising in cyberwar: non-interactivity. To put a touch of a cryptographic twist on the whole matter: war is an interactive protocol. Sure, if you surprise the enemy they won't know they are at war right away, but they will pick up pretty quickly and then return in kind. The thing with cyberwar is that not only is the decision to go to war unilateral, but in some sense so is the war. One party decides to attack another party and does so. The other may or may not discover this and may or may not respond in kind. But again the whole thing is done very non-interactively (despite what pop culture (couldn't find anything for that, sorry) and video games may tell you).
So, to sum up: cyberwar is confusing, unclear, hard to track, hard to pinpoint and blame on the perpetrators, and is inherently non-interactive. And if that wasn't bad enough, the actual definition of cyberwar is pretty fuzzy and very much up in the air right now. Most likely I will revert back to lazy me. Unless something cool happens.
Friday, 3 June 2011
Cyberwarfare Part 1 (A post I have been procrastinating on)
Well, this post has been in the works for a couple of weeks now. I have been procrastinating on an epic level about finishing this off. However, the universe decided to give me a kick in the backside in the form of these related recent articles (all links to separate Slashdot stories).
So, in recent times, there has been a lot of talk of digital warfare, Internet wars, cyberwar and so forth, the most recent being the aforementioned. The general idea behind them is all the same: we have a strategy/army/assets/whatever for cyberwarfare. What happens when warfare goes from being about things in the real world to things in the digital world?
So let's start from the start, shall we? What is modern warfare? (apart from a terrible pun on a pretty good video game) War as a concept is fairly simple. Two nation states (in general) disagree on something and wish to resolve the issue. So basically they start blowing each other up until they get bored or one party is very, very dead. Yes, that is a gross oversimplification, but the concept holds. Now, onto the crux of the matter: What is cyberwarfare?
Cyberwar (which is the term I shall be using from now on, because I think it's the coolest) is essentially a war fought in the digital realm. This is generally in tandem with conventional warfare with the aim of disabling digital assets. There could also be political goals, achieved by defacing websites and so on, but IMHO the main goal is the destruction of digital assets.
Well, this is all pretty fine and dandy when the war is being carried out by nation states, because there is some inherent chain of command and somebody who would be responsible for ordering these attacks. However, this is not always the case with cyberwar. Now you may ask "why is this possible?"
Good question. The thing with conventional war (ignoring any peace negotiations) is that the winner is the side with the most and/or better equipment and/or training. This is the main point where cyberwar becomes so much easier. To build a real army you need to train people to drive tanks and fly planes and shoot guns and blah blah blah. To build a cyber army, you need to teach people how to download a program and run it.
Here the "army" is recruited by word of mouth, and because there is no physical danger in participating in such an attack, far more people join in. However, we do run into an interesting problem: who is responsible for this attack, which is essentially tantamount to an act of war?
The answer to the question is ill-defined at best. A prime example would be the recent attack on the PlayStation Network (another blog post I will finish soon). First Sony said it was Anonymous, who then claimed it wasn't them, but then it later turned out to be a "faction" (for lack of a better word) of Anonymous. So here we see no chain of command, and the leaders of the group had no idea what the other members were up to.
And therein lie the first complications of cyberwar. First off, there is the ability to engage in cyberwar at all. Conventional warfare requires a substantial amount of resources, which are pretty much never available to the average individual. In the cyber realm, all you need is an Internet connection and possibly some more people to help out, or just their computers (a whole other problem there, which I will cover later). And then there is the problem of accountability. At best you get IP address(es) for the attacking platform(s), which may merely be under the control of the attacker rather than owned by them (again, to be covered in more detail in another post) and thus may not yield anything useful.
Now, this post is getting pretty long and falling into TL;DR territory. That and I really don't want to write anything more at this point in time. So, I will end here and will pick this up later (note the "Part 1" in the title of the post).
Sunday, 8 May 2011
Password Lockers Part 2
So, this is becoming a trend, well, two trends: follow-up posts and data breaches. As you may or may not know, there was a MASSIVE breach involving Sony Entertainment, specifically the PlayStation Network, but more on that later. More to the point, you may recall my previous post on password lockers etc. Well, this post is about what can go wrong with a password locker.
LastPass is a company that provides a password locker service. What you do is register and download their software. Your master password, which unlocks the locker, is then used there. Now it recently came to light that some of these passwords were compromised (or not). Well, LastPass, if you are reading this, have a gander over here for a sec, k? We assume, hypothetically, that the master passwords were compromised (mainly because I have already written out most of this post and I'm kinda lazy). LastPass issued a warning to all its users to change their master passwords and they all did. Their servers could not handle the load and so they had to restrict the number of users allowed to change their passwords. This actually happened before they announced they were not hacked.
Well, I would like to say that I am somewhat impressed by the speed with which the users tried to change their passwords. I am also impressed by LastPass's inability to deal with the situation. Agreed, they had issues dealing with the load, but according to their blog they have put affected accounts in "lock-down" mode. Kudos to you.
After all of this, LastPass then claimed they were not hacked. It seems that they had just broken their system. After users changed their master passwords, they were met with garbage characters, random images and occasionally the deep dark void of nothing. Somewhere somebody thought that implied a hack. And that brings us to today's lesson.
When you think you have been breached, DO NOT PANIC! Check, re-check, double-check and confirm that there has been a breach. Immediately put in place counter-measures and check for other possible backdoors opened by this breach. Take a deep breath. Notify the affected users as required by law and/or company policy. If you follow these steps properly, then there should be no need to ever retract a security warning. Issuing a security warning scares people, retracting it causes doubt. We are trying to bring digital security out of the realm of FUD (Fear, Uncertainty, Doubt)!
Sunday, 6 February 2011
IPv4 and 6
Right, last post for today, making it a record 3 in a day. I have a couple of other topics to post on, but seeing as how it's 2am, I'm going with the easy one. So what is IPv4? Glad you asked!
If you are reading this, you are connected to the Internet. But you may never have given any thought to how this is possible. You may know that you plug the LAN cable from the router into your Ethernet port or connect to your wireless network, but what really goes on?
The Internet (capital 'I') came out of the concept of internets (small 'i'), that is, a network of networks. So how do you know who is who and who is on which network? Simple: assign them all a unique identifier. Then the question arises as to how you do that, because we now have the problem that everybody needs to understand how these identifiers work, so we need a common language, if you will.
And thus was born the Internet Protocol version 4, aka IPv4. Defined in RFC 791, the Internet Protocol is how all devices connected to the Internet identify each other and communicate to each other. So, what's the problem?
IPv4 addresses are 32-bit values written as four 8-bit groups called octets (e.g. 192.0.2.1). This means there is a finite number of them, 2^32 or roughly 4.3 billion, and the central pool is now exhausted. Certain ranges of addresses are reserved for specific purposes (private networks, loopback, multicast), but they are just a small portion. As of February 3rd, all IPv4 address space had been handed out by the Internet Assigned Numbers Authority (IANA) to the Regional Internet Registries (RIRs), when it assigned the last five remaining /8 blocks. A /8 block is the set of 2^24 (about 16.8 million) addresses that share the same first octet.
This is a real problem, as at some point new devices will not be able to get an address on the Internet. There does exist a solution: IPv6, as defined in RFC 2460 (the protocol) and RFC 2373 (the addressing architecture, since superseded by RFC 4291). Version 6 addresses are 128 bits, written in hexadecimal as eight 16-bit groups (hextets), e.g. 2001:db8::1, where a single "::" stands for a run of all-zero groups; compare that with the 32-bit version 4 addresses. This gives us 2^128 addresses, a vastly greater number, and would solve the problem of address exhaustion. Well, there is a small catch.
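As an added example (my own code, not from the original post): a small hand-written parser for both address formats, deliberately not using Python's ipaddress module so that the octets and hextets described above stay visible, plus a prefix check that shows what "a /8 block" means in bits. Function names are mine, and the address literals are the documentation ranges 192.0.2.0/24 and 2001:db8::/32, not real hosts.

```python
"""Added example, not code from the original post: parse IPv4/IPv6 address
literals into the octets/hextets described above, size the address spaces
and test whether an address sits inside a prefix such as one of the /8s."""
from __future__ import annotations

IPV4_BITS = 32
IPV6_BITS = 128

def parse_ipv4(text: str) -> list[int]:
    """Return the four octets of a dotted-quad address; raise ValueError if malformed."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets, got {len(parts)}: {text!r}")
    octets = []
    for part in parts:
        # Reject empty fields, non-digits and leading zeros ('010' could be read as octal).
        if not part or any(c not in "0123456789" for c in part) or (len(part) > 1 and part[0] == "0"):
            raise ValueError(f"bad octet {part!r} in {text!r}")
        value = int(part)
        if value > 255:
            raise ValueError(f"octet {value} out of range in {text!r}")
        octets.append(value)
    return octets

def parse_ipv6(text: str) -> list[int]:
    """Return the eight 16-bit groups (hextets) of an IPv6 address.

    One '::' may stand for a run of zero groups. Zone IDs ('%eth0') and
    embedded IPv4 ('::ffff:192.0.2.1') are deliberately not handled here.
    """
    if text.count("::") > 1:
        raise ValueError(f"more than one '::' in {text!r}")

    def to_groups(chunk: str) -> list[int]:
        if chunk == "":
            return []
        groups = []
        for g in chunk.split(":"):
            if not 1 <= len(g) <= 4 or any(c not in "0123456789abcdefABCDEF" for c in g):
                raise ValueError(f"bad hextet {g!r} in {text!r}")
            groups.append(int(g, 16))
        return groups

    if "::" in text:
        head, tail = text.split("::")
        left, right = to_groups(head), to_groups(tail)
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError(f"'::' must replace at least one zero group: {text!r}")
        return left + [0] * missing + right
    hextets = to_groups(text)
    if len(hextets) != 8:
        raise ValueError(f"expected 8 hextets, got {len(hextets)}: {text!r}")
    return hextets

def groups_to_int(groups: list[int], group_bits: int) -> int:
    """Pack octets (group_bits=8) or hextets (group_bits=16) into one integer, most significant first."""
    value = 0
    for g in groups:
        value = (value << group_bits) | g
    return value

def to_int(text: str) -> tuple[int, int]:
    """Return (integer value, address width in bits) for an IPv4 or IPv6 literal."""
    if ":" in text:
        return groups_to_int(parse_ipv6(text), 16), IPV6_BITS
    return groups_to_int(parse_ipv4(text), 8), IPV4_BITS

def in_prefix(addr: str, network: str, prefix_len: int) -> bool:
    """True if the top prefix_len bits of addr equal those of network.
    A /8 is prefix_len == 8: every address that shares the first octet."""
    a, a_bits = to_int(addr)
    n, n_bits = to_int(network)
    if a_bits != n_bits or not 0 <= prefix_len <= a_bits:
        raise ValueError(f"cannot apply /{prefix_len} across {a_bits}- and {n_bits}-bit addresses")
    mask = ((1 << prefix_len) - 1) << (a_bits - prefix_len)
    return (a & mask) == (n & mask)

def block_size(bits: int, prefix_len: int) -> int:
    """Number of addresses in one /prefix_len block of a bits-wide family (/0 = the whole space)."""
    return 1 << (bits - prefix_len)

def is_valid(text: str) -> bool:
    """Does the literal parse as IPv4 or IPv6?"""
    try:
        to_int(text)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print("IPv4 space:", block_size(IPV4_BITS, 0), "one /8:", block_size(IPV4_BITS, 8))
    print("2001:db8::1 ->", parse_ipv6("2001:db8::1"), "10.1.2.3 in 10/8:", in_prefix("10.1.2.3", "10.0.0.0", 8))
```

In real code you would simply use the standard library's ipaddress module; the point here is to see the 32-bit versus 128-bit structure. block_size(32, 8) is the 16,777,216 addresses in each of the five /8 blocks IANA handed out, and block_size(128, 0) is the 2^128 IPv6 space. The parser also shows the edge cases a practitioner has to decide on: leading zeros in an octet, more than one "::", and a "::" that stands for no groups at all are all rejected rather than silently accepted.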
Despite IPv4 essentially having been exhausted, IPv6 is still not fully deployed. So we are currently in a weird transition period where things are a bit muddled. Almost everybody has implemented support for both IPv4 and IPv6 (running the two side by side), but there is no strict adherence to IPv6.
My issue with this is that the existence of a parallel legacy system has almost always created some kind of security threat that the new system cannot deal with. To my knowledge, there is no such security loophole in IP, yet. I'm sure somebody, somewhere will find something and start exploiting it. It may not be a big hole, but it will probably be there. I would truly be happy to be proven wrong and hopefully we will transition over to IPv6 without incident.
On that note, that is all from me today. I will try and get as many of the latest stories, but they seem to be cropping up faster than I can handle.
*******EDIT*********
So, I may have said I will be catching up on stuff, which I totally am! But, also this came to my attention.
Saturday, 5 February 2011
Even more Wikileaks
Next order of business. So, the latest nomination for the Nobel Peace Prize: Wikileaks! I really thought that nobody could top this. Well done on surprising me, World. I disagreed with last year's award, but that's more personal opinion than anything else; this, however, is ludicrous! I mean, at this rate I will soon be nominated for the Nobel Prize in Literature for writing this blog!
Egypt. Let's start there.
So, there's a lot happening right now. Looks like I'm going to have to blog in overdrive, which probably means these posts won't be great, so apologies in advance. First order of business: Egypt. Unless you live in a bubble, or perhaps The Bubble (totally should have gotten a second series), you will know of the problems in Egypt. Here I'm going to say that the politics of the situation are irrelevant to my blog post, so I'm not even going to go there. Right, now on to the situation of interest: the Internet!
So, amidst protests and unrest and in general everything not being so hunky dory, the Egyptian government flipped the switch on the Internet. The whole country was sans Internet. There was massive outrage both inside and outside Egypt. And here's my issue with that: Deal with it!
People everywhere have become too accustomed to the Internet being there and available. Everybody is so hooked into the Internet that they just assume it will always be there, that it is a right they have. Access to the Internet is a privilege, the most abused privilege in the world. At some level I guess I sort of believe it to be a right as well, but I am aware that it could be taken away at any point.
So, now a bit of background from recent history: the Iranian "Twitter revolution." The basic gist is that all protests and opposition and so on were coordinated via Twitter, Facebook and other social media sites. Although the Iranian government was able to take down classical telecommunications, the Internet provided a channel for communication. It seems the Egyptian government took this lesson to heart and flipped that switch as well.
The problem with allowing people to broadcast their agenda and/or grievances over Facebook and Twitter is that it tends to skew public opinion one way or the other, generally not in favour of the government. It seems that anti-government sentiments are more quickly adopted than pro-government sentiments, at least to my observation. This seems to hold regardless of how valid the grievances are. So in a bid to avoid this, the Egyptian government shut off the Internet.
However, the Internet is a resilient little bastard. There were some very novel ways conjured up to get back onto the Internet, several of them fun and creative, and people carried on accessing the Internet and rallying support for their cause. This further compounded the outrage against the "oppressive regime."
Note the quotation marks, as I would like to disagree. The circumstances of the event were not exactly normal. There was some civil unrest, there were protests and there was a curfew in place. The government acted in a way which they believed would not cause the opinions of the rest of the world to be slanted too far against them, and they failed.
There have been other countries that have considered having an Internet "kill-switch" (I am oddly undecided if I love or hate that), most notably USA. I think one of my favourite things to come out of this is this post, where an anonymous poster says Australia has a backbone for stating they will not have an IKS (just wanted to try out that acronym, don't think it will stick.) I would strongly disagree and say it's the opposite.
As I have stated before, here and here, the Internet has too little regulation and something like this would bring in some level of regulation. It is not all that's needed and is not necessarily the best way to do it, but it's a start. I would not like it if my Internet were shut off by the government, but I would understand. What we need to understand is that the government has allowed you to access the Internet and it can take that away. It could just as easily ban cars or motorbikes or potatoes, which would probably be met with the same response. Like I said, somewhere down the line the government said "Yes, we should allow the Internet" and then gave licences to ISPs and so on and so forth, and you were connected. It can revoke that at any point in time, if it chooses to.
Looking at this without the political dimension just points out another case where technology has grown too fast for legislators to keep up, through no fault of their own. Even experts are constantly learning new things and having to keep up. At some point, I hope, there will be some catching up done and we will all be better off for it. Until then, well, things will go on as before.
Thursday, 20 January 2011
I've had about enough of Wikileaks
Well, I've been off silently fuming every time I hear the name "Wikileaks," which is why I haven't posted anything recently. But as promised in my previous post, this post will cover the blame part of the whole Wikileaks issue. (However, as this topic continues to annoy it will not be as lengthy as promised.)
So, here we go. The scenario is simple: Person X (I use an anonymous name as I have no idea who actually did the leaking, but there are some suspects) had access to the US diplomatic cables. I think it's a safe assumption that X had some sort of clearance and/or was told not to share these cables with any unauthorised person(s). Another safe assumption would be that unauthorised persons includes me, possibly you and of course Wikileaks. Despite this, X decided to give the cables to Wikileaks.
We can see that this is obviously wrong, as in you-will-go-to-jail wrong. Blatantly illegal. Now the exact legality depends on a few factors, such as whether they had access to all the cables or only some, whether it was one person or many, the post the person holds, whether the cables were classified and so on. Knowing none of these, we cannot say much more and that is where I will leave it.
Moving on to Wikileaks, the law becomes a bit more grey. There are several issues involved here, the greatest of which is what jurisdiction Wikileaks falls under. Which nation state's laws apply to them? This is quite a complex issue and still needs some resolving and legal catch-up. Countries tend to be very cooperative on certain matters pertaining to the Internet, but there is still no really good legal framework. I still maintain that they are giving away stolen data, so intuitively that is wrong. See the previous post for the whole whistle-blowing-or-not issue.
They are now back in the news concerning the release of certain records from Julius Bär, or the Julius Baer Group. These records were leaked by former employee Rudolph Elmer. Elmer has since been detained and is being extradited to Switzerland to stand trial. Wikileaks has yet to publish the records, so we shall wait until they do so.
And on that note, I will leave this whole mess. I may or may not post something about any further revelations by Wikileaks. It all depends on how I feel about it at the time.
Sunday, 12 December 2010
Gates of Hell
OK Internet, it's time we had a talk. Not every controversy has to end in the word "gate". Seriously, it's getting so annoying.
Firstly, not every little piece of news that is a tad controversial (which is practically all of them) deserves its own name. Learn to tone it down.
Secondly, the only scandal that ends in "gate" is the Watergate scandal. Everything else can be and should be named after something else. It is named thus because the scandal revolved around a break-in at the Democratic Party headquarters in the Watergate complex.
Everything else that doesn't have a "gate" ending object central to it, should be named something else. Bigotgate, Chicanegate, Digggate, Cablegate, Whitewatergate, etc need to stop now.
Wikileaks
So, I've been away for a while. Between having minimal to no Internet and having no electricity, I have been less than connected to the Internet. That and I am fairly lazy, but still TIA. Now on to business.
I'm sure you have all heard of Wikileaks, the purported whistle blower website. It provides people with anonymous "drop boxes", where they can submit documents detailing any wrongdoing. The site then goes on to state "our accredited journalists assess the submission. If it meets the criteria, our journalists then write or produce a news piece based on the document." It goes on further to describe ways of ensuring your anonymity when sending it via post and so forth. In theory this has provided whistle blowers with a way to expose wrongdoings. In theory.
I say purported as I do not believe it is a whistle blower site. Firstly, let us examine the concept of whistle blowing. It derives from the practice of policemen blowing a whistle to alert people around them to the commission of a crime. It refers to a person who highlights something wrong that is happening, most often in an organisation. Now, when I say wrong I mean illegal, but some people consider it to include immoral wrongdoings. So the site first came to prominence when it published the Iraq/Afghanistan War Diaries. These gave details of operations and on-the-ground realities of the wars. They did bring to light some, for lack of a better term, disconcerting revelations. These could be considered whistle blowing, but there are many grey areas, which we overlook for the sake of argument and say this is valid whistle blowing. That, my friends, is where it all ends.
The next major publication was swiftly dubbed Cablegate (hate that name, cf. this post for the explanation). This was the leak of several secret diplomatic cables between Washington DC and diplomatic missions in several countries. Here's where we go from the legally ambiguous to the outright illegal, and the legitimacy of these leaks as whistle blowing is a little more than questionable.
To explain, let us detail the job of a diplomatic mission to another country. Most of us are familiar with the consular services, that is issuing visas, passports, etc, but that is only their public facing role. Diplomatic envoys are representatives of their sovereign government in a, presumably, friendly nation. It is their duty to not only represent their country, but also provide their country with information about the people, mainly politicians, of that country. As part of this duty, they send back profiles, if you will, on politicians to their government. These are sent in cables, which are private communications.
Notice the emphasis on private. Not only are these communiques private, but some of them are even classified. Granted, they may not be highly classified, but classified all the same. Only a limited number of people have access to these cables and presumably such access comes with a "do not tell anybody about this" clause. This is where the illegality comes in.
Whomsoever gave these cables to Wikileaks is guilty of a few crimes, depending which way you spin it. These range from the banal, mail fraud, to my personal favourite, espionage. It's not even debatable whether what these people did is wrong; it just is. Most of these cables do not expose any sort of wrongdoing at all.
As stated before, diplomatic envoys report on local politicians. Although I would like to believe that these people are trained for and/or good at judging people, most of what they report is still personal opinion and conjecture. It is just inherent in this type of data. This is essentially office gossip at an international level. I'm pretty sure that someone somewhere has called their new Head of PR a "mistake-prone control freak" (my personal favourite quote out of all of the cables) and that is considered to be normal. Hence, no wrongdoing and thus no whistle blowing.
Furthermore, some of the "data" sent in the cables is nothing more than well-crafted misinformation (this is completely ignoring the false cables that were released). Governments are aware that diplomats report back to their capital, as they have their own diplomats doing the same. So they may choose to feed a diplomat false information in the hope that their parent country will believe it and thus be manipulated into behaving a certain way. I will swiftly avoid any ethical or political debate by saying that all of that falls outside my purview.
Yes, I agree that there may be some cables whose leaking may have proved beneficial, but they are a minority. There is a saying in the security industry: "Even if you secure 99% of the system, you have still failed." The cables that potentially have a detrimental effect, though small in number, will have the greatest impact. Barring these, most of the cables' leakage and subsequent release lead to nothing more than embarrassment for the governments involved.
And thus we see that the recent Cablegate (*shudder*) was basically neither legal nor legitimate whistle blowing. Effectively, Wikileaks are just fences for stolen digital data. Now this leaves us with the question of where the blame/responsibility lies. For that, I will put up another post, as it is quite a lengthy matter. That and you are probably really bored of reading this by now.
***SIDENOTE***
Just found this. No real relevance, but it's funny!
I'm sure you have all heard of Wikileaks, the purported whistle blower website. It provides people with anonymous "drop boxes", where they can submit documents detailing any wrongdoing. The site then goes on to state "our accredited journalists assess the submission. If it meets the criteria, our journalists then write or produce a news piece based on the document." It goes on further to describe ways of ensuring your anonymity when sending material by post and so forth. In theory this has provided whistle blowers with a way to expose wrongdoings. In theory.
I say purported as I do not believe it is a whistle blower site. Firstly, let us examine the concept of whistle blowing. It derives from the practice of policemen blowing a whistle to alert people around them that a crime was being committed. It refers to a person who highlights something wrong that is happening, mostly in an organisation. Now, when I say wrong I mean illegal, but some people consider it to include immoral wrongdoings. The site first came to prominence when it published the Iraq/Afghanistan War Diaries. These gave details of operations and on-the-ground realities of the wars. They did bring to light some, for lack of a better term, disconcerting revelations. These could be considered whistle blowing; there are many grey areas, which we overlook for the sake of argument, and say this is valid whistle blowing. That, my friends, is where it all ends.
The next major publication was swiftly dubbed Cablegate (hate that name, cf. this post for the explanation). This was the leak of several secret diplomatic cables between Washington DC and diplomatic missions in several countries. Here is where we go from the legally ambiguous to the outright illegal, and the legitimacy of these leaks as whistle blowing is more than a little questionable.
To explain, let us detail the job of a diplomatic mission to another country. Most of us are familiar with the consular services, that is issuing visas, passports, etc., but that is only their public-facing role. Diplomatic envoys are representatives of their sovereign government in a, presumably, friendly nation. It is their duty not only to represent their country, but also to provide their country with information about the people, mainly politicians, of that country. As part of this duty, they send back profiles, if you will, on politicians to their government. These are sent in cables, which are private communications.
Notice the emphasis on private. Not only are these communiques private, but some of them are even classified. Granted, they may not be highly classified, but classified all the same. Only a limited number of people have access to these cables, and presumably such access comes with a "do not tell anybody about this" clause. This is where the illegality comes in.
Whoever gave these cables to Wikileaks is guilty of a few crimes, depending which way you spin it. These range from the banal, mail fraud, to my personal favourite, espionage. It is not even debatable whether what these people did is wrong; it just is. Most of these cables do not expose any sort of wrongdoing at all.
As stated before, diplomatic envoys report on local politicians. Although I would like to believe that these people are trained for and/or good at judging people, most of what they report is still personal opinion and conjecture. It is just inherent in this type of data. This is essentially office gossip at an international level. I'm pretty sure that someone somewhere has called their new Head of PR a "mistake-prone control freak" (my personal favourite quote out of all of the cables) and that is considered to be normal. Hence, no wrongdoing and thus no whistle blowing.
Furthermore, some of the "data" sent in the cables is nothing more than well crafted misinformation (this is completely ignoring the false cables that were released). Governments are aware that diplomats report back to their capital, as they have their own diplomats doing the same. So they may choose to feed a diplomat false information in the hope that their parent country will believe it and thus be manipulated into behaving a certain way. I will swiftly avoid any ethical or political debate by saying that all of that falls outside my purview.
Yes, I agree that there may be some cables whose leaking may have proved beneficial, but they are a minority. There is a saying in the security industry: "Even if you secure 99% of the system, you have still failed." The cables that potentially have a detrimental effect, though small in number, will have the greatest impact. Barring these, the leaking and release of most of the cables led to nothing more than embarrassment for the governments involved.
And thus we see that the recent Cablegate (*shudder*) was basically neither legal nor legitimate whistle blowing. Effectively, Wikileaks are just fences for stolen digital data. Now this leaves us with the question of where the blame/responsibility lies. For that, I will put up another post, as it is quite a lengthy matter. That and you are probably really bored of reading this by now.
***SIDENOTE***
Just found this. No real relevance, but it's funny!
Sunday, 6 June 2010
Really, Google? Really?
So it has recently come to light that Google will, according to this article, phase out Microsoft Windows in favour of Mac OS X or Linux on company machines. They are claiming that this is a security measure, citing the recent attacks on Google's Chinese operations. At this point in time I really have to wonder: what in the name of the seven deep dark pits of Hell are you not thinking, Google? You could not be more wrong if you tried (yes, this annoys me so greatly that my grammar is out the window).
If you will allow me to explain for a moment. A few months ago, Google, amongst other large tech companies, was attacked in what became known as Operation Aurora. An employee in Google China clicked on a link he received in an e-mail. I will assume it claimed to be an amazing picture of the Aurora Borealis or something of that nature. The page behind the link exploited his browser; that infected his machine and gave the attackers a foothold from which they worked their way further into Google's network.
Now let us focus on the attack itself. Aurora exploited a memory-corruption bug in Internet Explorer (strictly a use-after-free in the HTML rendering engine rather than a buffer overflow, but it is exploited in much the same way), and the exploit used in the wild targeted IE6 on Windows. That gives us three things that were needed for this attack to work:
- Windows, and in practice Windows XP: the exploit relied on IE6 running without DEP, and XP has no ASLR at all
- IE6
- A memory-corruption exploit of the buffer-overflow family
Next point is IE6, the all too famous Internet Explorer 6. The bane of all web developers and the love of all its users. As with XP, it has few of the defences that later versions gained: IE7 on Vista introduced Protected Mode (a low-privilege sandbox for the browser), and IE8 runs with DEP enabled by default. The point remains that both IE7 and IE8 were available at the time, as were Mozilla Firefox, Opera and of course Google's own Chrome browser, which sandboxes its rendering processes. So not only were they using an outdated OS, they were using an old, outdated browser, despite having a browser of their own, which they will smugly tell you is more secure. It undoubtedly is more secure, so why it was not used escapes me totally.
Then we move on to buffer overflow attacks and their relatives, which are well explained by my colleague in his blog post. I would also recommend his post on ASLR/DEP, the two mitigations that make this class of bug much harder to exploit on a modern OS.
There is also the matter of the Chinese activists getting their GMail accounts hacked. Well, what happened there is simple. Ever wonder how websites "remember you"? Simple: when you check the "Remember me" or "Keep me logged in" box, the website stores a small piece of text, called a cookie, on your computer. It does not hold your password; it holds a session identifier that the site has tied to your logged-in account. When you next visit, the browser sends the cookie back and the site treats the request as coming from you, so in a manner of speaking the cookie does the login for you, and for as long as the session lasts it is as good as your password. Until January 2010 GMail only used HTTPS for the login page by default; the rest of the session, cookie included, travelled over plain HTTP unless the user opted in. Given this situation it is fairly easy for anyone on the network path (on the same open Wi-Fi network, say) to read the cookie, replay it, and thus be logged in as the target. This is session hijacking. (For the record, Google itself attributed the activist account accesses to phishing and malware on the victims' own machines, but the plain-HTTP cookie is the textbook route and worth understanding.)
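To make the cookie point concrete, here is an added example (mine, not code from the original post or from Google): a toy web app that issues a session cookie at login, a toy browser cookie jar that implements the one rule that matters here (a cookie marked Secure is only ever sent over https), and an on-path observer who can read plaintext http but not https. The app, the URLs, the credential and the user name are all constructed for the demo.

```python
"""
Session-cookie theft over plain HTTP, and the Secure flag that stops it.
Everything here is a constructed stand-in: WebApp plays the site, Browser
plays the victim's cookie jar, sniff() plays whoever shares the network.
"""
import secrets
from urllib.parse import urlsplit


class WebApp:
    def __init__(self, secure_cookie: bool):
        self.sessions = {}              # session id -> user
        self.secure_cookie = secure_cookie

    def login(self, user: str, password: str):
        """Returns a Set-Cookie header value, or None on bad credentials."""
        if password != "correct horse":  # constructed demo credential
            return None
        sid = secrets.token_hex(16)      # unguessable id; no user details live in the cookie
        self.sessions[sid] = user
        attrs = "; Secure; HttpOnly" if self.secure_cookie else "; HttpOnly"
        return f"SID={sid}{attrs}"

    def whoami(self, cookie_header):
        """Who the server believes sent a request carrying this Cookie header."""
        if not cookie_header:
            return None
        for part in cookie_header.split(";"):
            name, _, value = part.strip().partition("=")
            if name == "SID" and value in self.sessions:
                return self.sessions[value]
        return None


class Browser:
    def __init__(self):
        self.jar = {}                    # name -> (value, secure flag)

    def store(self, set_cookie: str):
        pair, *attrs = [p.strip() for p in set_cookie.split(";")]
        name, _, value = pair.partition("=")
        self.jar[name] = (value, any(a.lower() == "secure" for a in attrs))

    def request(self, url: str):
        """Builds the raw request; a Secure cookie is attached only to https URLs."""
        parts = urlsplit(url)
        cookies = [f"{n}={v}" for n, (v, secure) in self.jar.items()
                   if parts.scheme == "https" or not secure]
        lines = [f"GET {parts.path or '/'} HTTP/1.1", f"Host: {parts.netloc}"]
        if cookies:
            lines.append("Cookie: " + "; ".join(cookies))
        return ("\r\n".join(lines) + "\r\n\r\n").encode(), parts.scheme

    def cookie_header_for(self, url: str):
        raw, _ = self.request(url)
        return extract_cookie(raw)


def extract_cookie(raw_request: bytes):
    for line in raw_request.decode().split("\r\n"):
        if line.lower().startswith("cookie:"):
            return line.split(":", 1)[1].strip()
    return None


def sniff(raw_request: bytes, scheme: str):
    """On-path observer: plaintext http is readable, https is opaque to it."""
    return extract_cookie(raw_request) if scheme == "http" else None


def hijack(secure_cookie: bool):
    """Who the attacker is logged in as after watching the victim load one http page."""
    app = WebApp(secure_cookie)
    victim = Browser()
    victim.store(app.login("alice", "correct horse"))               # login over https
    raw, scheme = victim.request("http://mail.example.test/inbox")  # constructed URL
    stolen = sniff(raw, scheme)
    return app.whoami(stolen)       # attacker replays the captured Cookie header


def victim_over_https(secure_cookie: bool):
    """The victim's own session keeps working over https either way."""
    app = WebApp(secure_cookie)
    victim = Browser()
    victim.store(app.login("alice", "correct horse"))
    return app.whoami(victim.cookie_header_for("https://mail.example.test/inbox"))


if __name__ == "__main__":
    print("cookie without Secure, attacker is:", hijack(False))   # alice
    print("cookie with Secure, attacker is:   ", hijack(True))    # None
```

Without the Secure flag the one plain-http page load hands the session to whoever is listening; with it the browser never sends the cookie over http, so there is nothing to capture. The flag on its own just means the http page is not logged in, which is why the real fix is serving the whole site over HTTPS (as GMail now does by default), ideally with HTTP Strict Transport Security so the browser refuses to try http at all.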
Now, if we look at the choices of OS the employees have, we see Mac OS X and Linux. Google seems to think these are more secure. Well, here's news for you Google, THEY'RE NOT!!! Honestly! As much as Apple advertisements would like to convince you that there is absolutely no malware for Mac, there is, just not as much as for Windows. "Why?" you ask me? Well, it's simple: the large majority of desktops out there run Windows, so it's a numbers game; more targets means a larger chance of succeeding. It's pure and simple statistics. The same applies to Linux. Linux, on the other hand, has a problem of its own. Since all the code is open source and freely available, anyone can read it to look for a really nasty vulnerability. Granted, the code is a gajillion pages long, and the same openness lets defenders find and fix bugs, but the possibility still exists.
So, all in all, it really doesn't matter what operating system Google uses; they all have vulnerabilities. Furthermore, if they don't keep up to date with software patches and use current versions of their software, then in my opinion they deserve to be attacked. Repeatedly. Citing "security reasons" for changing from Windows is the worst possible excuse Google could have come up with. Really, Google? GROW UP!
Friday, 5 March 2010
Slight edit on Chip-and-Pin
cf. my post of 25th Feb: there is a small correction. It apparently is possible to fool online-authorised terminals too; however, the point still remains that you cannot fool the bank when it is the bank itself that verifies the PIN, as at an ATM.
Saturday, 27 February 2010
The Nobel Peace Prize, quickly turning into a joke.
(Straight off the bat, the security based stuff will not be covered. There's just way too much and it would deviate from the point.)
I sincerely hope that all of you are familiar with the Nobel Prize, more specifically the Nobel Peace Prize. This is awarded annually to the person(s) who, to quote Alfred Nobel's final Will & Testament, "shall have done the most or the best work for fraternity among nations, for the abolition or reduction of standing armies and for the holding and promotion of peace congresses."
So, as we have seen in history, there have been some very deserving candidates, such as the International Committee of the Red Cross, President Woodrow Wilson, UNHCR, Mother Teresa, Archbishop Desmond Tutu, Kofi Annan and so on. It can truly be said to be the most coveted award known to man.
However, its integrity of late has been highly questionable. Of course there is the glaring omission of Mahatma Gandhi, despite 5 nominations. The year Gandhi died, there was no prize awarded, as "there was no suitable living candidate." Of course it must be noted that there is a rule that no person may receive a Nobel Prize posthumously. This rule was bent in the case of Secretary General Dag Hammarskjöld, who was nominated while alive, but passed away before the award was given. Not to take from Secretary General Hammarskjöld's work, for he truly deserved the prize, despite his unfortunate demise prior to its award.
As we get a bit closer to home, chronologically speaking, we move to 2009. As most people will know, President Barack Obama received the Nobel Peace Prize. It was awarded to him a scant 9 months after he assumed office. Not only is that an exceptionally short period of time, but very soon afterwards he announced an INCREASE in troop numbers in Afghanistan. I'm no expert, but that is not very peaceful, apart from being contrary to his election promises.
Now we jump forward just a shade to 2010. (Still love the fun people are having trying to say it out.) The nominations are in and they are: Russian activist Svetlana Gannushkina et al., Chinese dissident Liu Xiaobo and the Internet.
No, really, this actually happened. I know it was a while ago, but I thought I might as well throw my 2 cents into the mix.
UTTER TRIPE!
The Internet is full of nonsense, garbage, crap, trash and a variety of other things I can not bring myself to describe. Agreed there is a small percentage of it which is, as the citation goes, a tool to advance "dialogue, debate and consensus through communication" and to promote democracy. But, really? This is the equivalent of nominating an entire University for the work that 1 single academic has done.
Of course Svetlana Gannushkina is nominated with her activist group, but that is a group of individuals who share a common goal. Most of the people on the Internet really do not care about "dialogue, debate and consensus through communication." Don't believe me? Then pop over to a public forum. It's really bedlam over there, with uninformed, irrational and uninhibited people arguing in the most disjointed manner possible.
Then there is the small matter of the Internet being an abstract concept. It's not a single person, nor represented by a single person and/or a small enough group. The anthropomorphisation just makes me sick to the core. Of course there is also the issue of "what is the Internet?"
The term internet (notice the lower case 'i') simply means a network of networks. Glossing over the technical details, a network is several computers connected to share resources. Connect networks together and you have an internet. Now we have a special case of an internet, the Internet (notice the upper case 'I'). Yes, the terminology is horrible, but nobody saw it coming.
The first such internets were ARPANET (built for the US Advanced Research Projects Agency, later DARPA) and JANET (the Joint Academic NETwork). Their uses are obvious: research and military communication, and sharing of academic data, respectively. Over time these and other networks were joined together across the globe, and that global network of networks is the Internet. The World Wide Web, which most people confuse with it, is just one service (web pages over HTTP) running on top of it.
Now herein lies the problem: there was no legislation to control this. People joined and did whatever they wanted, and hence the Internet is in the form we all know today.
If the Internet were to win the Peace Prize, then I would be exceptionally distressed.
Thursday, 25 February 2010
Chip-and-PIN payment system "broken"
For those of you not familiar with the concept, I will go over it quickly. The "Chip-and-PIN" or EMV (Europay, MasterCard, VISA) system is the use of smart cards, basically a card with a tamper-resistant chip on it, for payments via debit/credit cards. That is the "chip" part; now for the "PIN", which is a 4-digit code you use to prove that you are indeed authorised to use this card. (Some people give their card and PIN to family members, friends, etc., which is an entire discussion in itself.)
So this system is in wide use in the United Kingdom and has become a vital part of everyday life, so obviously any sort of major security failure would be catastrophic. Professor Ross Anderson, with colleagues at Cambridge, has published such an attack, or so they claim. Even Bruce Schneier thinks it's a big deal.
They use what is known as a Man-In-The-Middle attack. The basic concept is that the attacker places himself between two parties who wish to communicate, here the card and the shop's terminal. He then intercepts all communications and alters them to serve his purposes, whatever they may be. In this case the attacker's gadget tells the terminal that the card accepted the PIN (any PIN will do) while never passing the PIN check on to the card, so the card carries on as if it were a signature transaction.
I would advise you to watch the video demonstration, which was aired on BBC Two, with the accompanying article. Go on, watch it, I can wait.
So, having seen the video, I would like to tell you why this is not the end of the world:
- You need someone else's card. Arguably it is easy to get one, but the point is that if somebody has stolen your card, there are far worse things they can do than buy a bottle of water. There are several ways to use a card without knowing the PIN, over the phone for example. Physical possession of the card would allow you to use it in several circumstances without knowing the PIN.
- It only defeats offline PIN verification, where the card itself checks the PIN. It will not work at an ATM, or at any terminal where the PIN is sent online to the bank, because there an encrypted PIN block goes to the bank for checking and you would be hard pressed to fake that. (It does, as the correction of 5th March notes, work at shop terminals that authorise online: the bank receives the card's cryptogram, which records that no PIN was checked, alongside the terminal's claim that it was, and as things stand the bank does not compare the two.)
- You need a specific setup of reader, like the one used in the demo. Of course one could get better at hiding the wire and at the actual "performance" of the attack, but no amount of practice would allow you to hand a card with a wire on it to a merchant and not raise suspicions.
- The kit is non-trivial to put together. The software is a Python script, which is the easy part, but the hardware, a fake card wired up to a laptop, is custom built. So the kit is not something you can simply buy.
- If the card has been cancelled, this attack will not work. So again, because the attacker needs to steal your card, they only have the window between stealing the card and you reporting it stolen and cancelling it.
Agreed, this is a technical flaw and indeed a security hole, at least from a theoretical point of view. Practically speaking, this can be done with any stolen card (doing it to your own card, while possible, is pointless), but there are worse things you could do. As a consumer, if my card is stolen I personally don't care how my money was stolen, just that I get it back. So taking a slightly pragmatic viewpoint, I would say that this is an issue, but nothing to lose sleep over, that is unless you have already lost your credit/debit card.
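The man-in-the-middle described above, and the check that defeats it, as an added example of my own (not the Cambridge group's code, nor anything from the original post). It simulates three parties: the Card, which checks the PIN offline and produces a cryptogram over its own record of what happened; the Terminal, which collects the PIN and then asks the Issuer (the bank) to authorise; and the attacker's wire between card and terminal. The cryptogram is a constructed stand-in (an HMAC-SHA256 tag with a made-up key rather than a real EMV application cryptogram), but the property that matters is the same: the terminal, and hence the attacker, cannot forge it. The status words, amounts and key are all constructed for the demo.

```python
"""
Simulation of the "no-PIN" man-in-the-middle on a Chip-and-PIN transaction
and of the issuer-side consistency check that catches it.
"""
import hashlib
import hmac

SW_OK = b"\x90\x00"         # ISO 7816 status word: command succeeded
SW_PIN_WRONG = b"\x63\xc2"  # wrong PIN, tries remaining (value chosen for the demo)

# What the terminal reports to the bank about how the cardholder was verified
CVM_OFFLINE_PIN = "offline PIN verified by card"
CVM_SIGNATURE = "signature"


class Card:
    def __init__(self, pin: str, issuer_key: bytes):
        self.pin = pin
        self.key = issuer_key
        self.pin_verified = False      # the card's own memory of a successful VERIFY

    def verify(self, pin: str) -> bytes:
        if hmac.compare_digest(pin, self.pin):
            self.pin_verified = True
            return SW_OK
        return SW_PIN_WRONG

    def generate_ac(self, amount: int):
        """Card Verification Results (what the card believes) plus a tag over them."""
        cvr = b"\x01" if self.pin_verified else b"\x00"
        msg = cvr + amount.to_bytes(4, "big")
        tag = hmac.new(self.key, msg, hashlib.sha256).digest()[:8]
        return cvr, tag


class DirectWire:
    """Honest connection: terminal commands reach the card unchanged."""
    def __init__(self, card: Card):
        self.card = card

    def verify(self, pin: str) -> bytes:
        return self.card.verify(pin)

    def generate_ac(self, amount: int):
        return self.card.generate_ac(amount)


class NoPinWire(DirectWire):
    """Attacker's gadget: answers VERIFY itself with 'PIN OK' and never forwards it,
    so the card carries on as if no PIN had been required."""
    def verify(self, pin: str) -> bytes:
        return SW_OK


def terminal_transaction(wire, entered_pin: str, amount: int):
    """The authorisation request the terminal sends to the bank, or None if it aborts."""
    if wire.verify(entered_pin) != SW_OK:
        return None                         # PIN rejected: terminal stops here
    cvr, tag = wire.generate_ac(amount)
    return {"amount": amount, "cvm_results": CVM_OFFLINE_PIN,
            "cvr": cvr, "cryptogram": tag}


def issuer_authorise(request, issuer_key: bytes, check_consistency: bool) -> bool:
    if request is None:
        return False
    msg = request["cvr"] + request["amount"].to_bytes(4, "big")
    expected = hmac.new(issuer_key, msg, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expected, request["cryptogram"]):
        return False                        # card data tampered with in transit
    if check_consistency:
        # The fix: the terminal claims the card verified the PIN, but the card,
        # in data it authenticated, says it never did. Decline.
        card_says_pin = request["cvr"] == b"\x01"
        if request["cvm_results"] == CVM_OFFLINE_PIN and not card_says_pin:
            return False
    return True


def run(entered_pin: str, attack: bool, check_consistency: bool) -> bool:
    """One purchase of 25.00 with a card whose real PIN is 1234 (both constructed)."""
    key = b"demo-issuer-key"                # constructed, not a real issuer key
    card = Card(pin="1234", issuer_key=key)
    wire = NoPinWire(card) if attack else DirectWire(card)
    request = terminal_transaction(wire, entered_pin, amount=2500)
    return issuer_authorise(request, key, check_consistency)


if __name__ == "__main__":
    print("honest wire, right PIN      :", run("1234", attack=False, check_consistency=False))
    print("honest wire, wrong PIN      :", run("0000", attack=False, check_consistency=False))
    print("attack, wrong PIN, no check :", run("0000", attack=True, check_consistency=False))
    print("attack, wrong PIN, checked  :", run("0000", attack=True, check_consistency=True))
```

The third line is the flaw: with a wrong PIN the transaction still goes through, because the bank only validates the card's cryptogram and never asks whether the terminal's "PIN verified" claim agrees with what the card itself signed. The fourth line is the cheap fix the issuers can deploy without touching a single card or terminal.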