Sunday, 4 March 2012

WHAT? HOW? WHY? *sobs*

Greetings sports fans. Right up front I've had a really bad week, so you know this one's going to be pretty abridged. In short, several things happened this week that really pissed me off, possibly more that usual given that they all came in succession. So what I decided to do is pick the top three and present them to you. I have not done my usual in-depth research (read "googling semi-related crap and funny pictures") so the only links will be the main articles. So, here's this weeks top 3 annoying stories:


In third place: Downloaders of pirated TV shows annoyed by format change. This was just special. I read this articles and then shouted various expletives. These are people who are downloading something they shouldn't be downloading and getting it for free no less and they want to complain about it. It's amazing, and infuriating, how entitled people get on the Internet. But well there you have it.

In second place: Certificate Authority intentionally gives client Man-In-The-Middle capability. When my colleague told me about this I literally just stood there and stared at him for 30 seconds. This was followed by me spluttering half-sentences and ending in "People can't be that stupid can they?" Turns out they can. I really should stop asking that question because the answer is pretty much always yes. The original post is quite detailed and well written, so for more details please follow the link.

And the top spot goes to.......*drumroll*: Elections software still has default password enabled. e-voting can be a good thing, but there are still several issues to consider. Of course people will try to attack the system and rig the elections and you have defenses against that. The first one is you change all the default passwords. It is literally the first thing that is done with any system. It's like installing a lock on your door and leaving a key hanging on the outside. FUN FACT - I punched my table when I read that article.

So, sports fans, there you go. The top 3 things to piss me off in a very shitty week. 5 points to you universe.

Sunday, 26 February 2012

What colour is your hat? OR What is "ethical hacking?"

Morning sports fans! No, I don't care if it's not morning here nor where ever you are, but it's morning somewhere. Also it will eventually be morning, so I'm counting it. Well, my recent increased blogging is due to me being constantly mentioned on the HappyFace podcast, which is done by my friends. They have challenged me to post at least once a week so that they can talk about me more, so let's see how long I can keep it up. Now first (and only) order of business today is ethical hacking.

So, recently this happened (All the articles I have found say pretty much the same thing, so I won't link to anymore). Glenn Mangham has been sentenced to 8 months in prison for computer misuse, more specifically hacking Facebook. "But, wait! He's an ethical hacker. He's one of the good guys!" You say excitedly. No, dear reader, not quite. Yes, yes, there is the whole £7,000/$7,000 from Yahoo! and whatnot, but there is a slight twist to this little tale. So, lets start by clearing up exactly what we are talking about.

An ethical hacker, or white hat, is a hacker who spends their time finding vulnerabilities in systems, applications, websites and pretty much anything that's connected to anything. Once they find such a vulnerability, they record the details of what they did and send it to the creators and/or maintainers of this product. Companies respond in many ways to this, ranging from a thank you e-mail to cash rewards to a job offer.

A malicious hacker, or black hat, is not so nice. Upon finding a vulnerability, they will try and exploit it for personal gain, normally for money. Of course they can record the details and share it with others, but now with the makers of the product. Once they are found out, the companies tend to come down on them pretty hard and fines and jail time normally ensues.

So, that's all nice and clear cut and very much black and white, if you will pardon the pun. Sadly, the real world is not so clear cut, as evidenced by this case. There are times when a person will at times be a black hat and at times be a white hat, somewhat of a grey hat if you will. A white hat may use their skills for some personal gain, in a very black hat kind of way and on the flip side, a black hat may actually do some white hat work.

To illustrate this further, let's look a bit more at Glenn Mangham. He did some white hat work for Yahoo!, which is all well and good. But then he hacked into Facebook in a very devious manner. Now from what I gather, he uploaded some malicious code to the puzzles server which Facebook uses to test potential employees and gained access to the internal system. Now, here's where it gets really devious.

From what I have read it seem he managed to impersonate a Facebook employee, get his password reset and thus gain access to all of Facebook's servers. He then proceeded to download important data to an external drive and delete all evidence of his little visit, or so he thought. Turns out that Facebook actually found out about this and it cost them something to the tune of $200,000. Now that's a pretty penny and a chunk of change.

Two very important things come to my mind here and those are:
1) To the best of knowledge, Glenn Mangham didn't inform Facebook, thus disqualifying him as an ethical hacker
2) He entered a guilty plea
Having considered that, he is definitely guilty of hacking, or computer misuse in legalese, and should be punished for his crime. The whole argument that he is an "ethical hacker" hold no water whatsoever. There's not much more to say, so I;m going to leave it at that. Good night sports fans! (Again same argument as above :P)

Sunday, 19 February 2012

Activism vs. Vadalism, Digitally speaking

Howdy sports fans (this is here to stay), I know I've been away but I'll try and be better. Having said that I realise how often I say that and don't fully go through. Please don't hate me *cute face*. Moving on, let's talk about the difference between digital activism and digital vandalism. Let's start off by talking about a term I hate, which you will know is a long list, if you have been reading my blog. More to the point todays hated word is "hacktivism."

Hacktavism is a portmanteau of "hacking" and "activism" and is basically "activism by means of hacking." Which basically a roundabout way of saying "the (perceived good) ends justify the (blatantly wrong) means." The basic idea is that you, as a hacktavist, hack somebody/something to make a point or a statement, but really you are pretty much doing this. Yes, that sketch does exaggerate for comic effect, but you get the point.

Of course, the very first thing that comes to most people's minds when they hear the word hacktivist is Anonymous. I have written about some of their activities before and as you may or may not know, I'm not really a fan. They started of playing pranks on people and general trolling, which was OK by me. They said we are doing just for lulz (yea LulSec also has the same kind of problem). Then they got a bit more political and most recently, but I still think that they are being a tad juvenile about it.

"But, then what is the grown up thing to do?" you may be asking, oh intrepid reader. Well, let me tell you. There was, and is still some, raging going on about SOPA/PIPA (yes, yes, I'm going to write more about this, after I've done more reading) and quite rightly so. People sent letters to their senators, congressmen/congresswomen and representatives and registered protests in the conventional way. And, then something magical happened - a proper online protest: the SOPA blackout.

Basically a large number of websites, big and small, replaced all their content with a black page explaining what they are protesting and why. Some people didn't get the memo, so this happened, but overall I think it was a success. Almost instantly a SOPA/PIPA lost a lot of support and were then shelved. Normal service resumed the next day and everybody was happy. In all of this, nothing illegal was done and nobody was harmed, inconvenienced maybe, but no real harm was done.


Compare that to the very next day when Kim Dotcom (Who goes and changes their surname to Dotcom? I mean really? Does he want to be mocked?) et al. were arrested and what Anonymous did. They took down the websites for , which is whole other kettle of fish. This is basically vandalism, even though it is not the standard defacement type of vandalism you may be thinking of, but the point still stands. Not to mention the fact that it is illegal, but well. 

Unfortunately, law enforcement really has no idea to deal with these kinds of digital vandals, due to several reasons. I'm not sure there is an easy solution to this, but who knows? So, in short, you can protest via digital means, but there is a right way and a wrong way to do it and sadly the wrong way is more prevalent.

Monday, 6 February 2012

Megaupload (Because I was guilted into it)

Greetings sports fans. So I did say I was going to this post in my last post (I've added a link this in there) and I'm actually doing it. The main reason is that my friend Jamie mentioned me in the his podcast (highly recommended) and said that he would provide his listeners with a link to this if and when I do write it. Commence guilt trip. But, that's enough blabbering from me, down to the matter at hand: Why nobody has Megaupload go-ed bye-bye?

So, if you are reading this, you are either connected to the Internet or I finally got that book deal I wanted. For now, let's assume you have Internet access. One of the really interesting uses of the Internet is storing files online so that they can be accessed by many people. There were several really creative and some down right moronic ways thought of to this, but the one that really took off were called "file lockers."

Anywho, the concept of a file locker is simple: You sign up and you get some storage space on a server. You can then upload files and manage who can access them. You make it public, so that anybody can download it, or private, so that only you and/or selected other persons could download it. Of course, we all know there is no such thing as a free lunch, so "where's the money?" you ask. Well, let me tell you.

Some file lockers charged for their services, but some, like Megauplaod, were freemium. What they did is they put ads on the site and before you download something, unless you paid the membership fees. Sounds reasonable, right? Yes and then it gets hinky. So, not only did you have ads, but it seems that the site paid uploaders every time a file was downloaded. Not only that, but files that were not downloaded frequently enough were removed. But, it gets even more sinister and here's where the illegality comes in.

It's obvious that if somebody uploads illegal copies of TV, movies and music, then it will get downloaded more often than a picture of me on the beach. This pretty much encourages illegal file sharing. If offending content was found, it was removed, however it is alleged that the user accounts were not suspended or terminated. I have a distinct memory of reading somewhere that uploaders could pay to upload anonymously, thus even if the content was marked as illegal, it could be taken down, but not traced back to them. I cannot for the life of me find that article again and thus state this as a recollection that I can not back up. Moving swiftly on.

There was also the related website Megavideo, which was also somewhat devious. It has been alleged that all this infringing content was not searchable through the site's main search functionality, but was accessible to those who had the link. Again there is the same allegations of content being taken down without punishing the offenders and so on and so forth. Although there was a de jure legal use for the site, the de facto primary use was for the distribution of illegal content. So, the United States Government decided to do something about this.

About 2 years ago (2009), criminal investigations were started into the activities of Megaupload Inc., with a whole lot of red tape. The company itself is based in Hong Kong and a lot of the key people, including founder and chief Kim Dotcom, were in New Zealand. Well this went on for 2 years and we arrive in the present. Actually more like the recent past, but here we go.

A few months earlier, the US government had brought forth two acts called the Stop Online Piracy Act (SOPA) and the Proctect IP Act (PIPA) and this got everybody up in arms. That's a whole other kettle of fish, to be fried on another day. The main point is on January 18th 2012, a large number of websites "blacked out" and replaced their normal content with a page explaining why they are protesting SOPA and PIPA. On January 20th 2012, Dotcom and associates were arrested (alt article) and several assets were seized in a multi-country raid.

A large number of people think that this was a sort of backlash reaction to the blackouts, but it was in fact timed to coincide with a party Dotcom was hosting at his house, so that all the eggs would be in one basket, so to speak. These arrests were the culmination of a 2 year long investigation, with the cooperation of the police in all countries involved. Of course, nobody bothered to check that and Anonymous did their usual retaliation bit. Although the charges are being laid by the US, the police in all the countries involved were a part of the investigation, thus solving any jurisdictional issues.

I will be a little evil at this time and point out that there were millions of dollars worth of stuff seized, including some art, tech and a few luxury cars.There were also large accounts frozen and so on. The irony here is a large number of people justify piracy by saying it only affects the super rich guys in the super rich studios/labels, which kind of describes these guys. Not really sure why everybody is so vociferously supporting them, but I'm sure they have some really good reasons. Let's look at how exactly Megaupload is defending themselves.

The main defense that has been put forward is either "The majority of our traffic (and therefore business) was legitimate" or "we always took down infringing content." The first defense is, in my opinion, a big steaming pile of shit. That is like saying "You can't shut down my shop because only 10% of my income is from selling drugs." I don't at all doubt that there were users who were using in a fully legal manner, but that's really beside the point. The point put forward is that those in charge were aware of this infringement and actively promoted it. As for the second argument, takedowns were only effected if provided if a notice was provided and as said before there was no real punishment for the uploaders.

There is sort of the further complication that of them trying to rip off youtube, but that's something I haven't really looked at and don't feel well informed enough to comment. I would recommend that you read the linked article.

So, in all of this a lot of facts got jumbled up and a lot of people assumed things that were not true. There facts a touch murky, but with a bit of time, one can wade through and see what's going on. I guess it was a matter of bad timing on a couple of fronts. The bottom line is that they have been arrested, denied bail and will face an extradition hearing on February 22 2012. For now, Megaupload is gone and I don't think it's going to come back any time soon.

Sunday, 29 January 2012

TVShack (let's get this one out of the way shall we)

Alrighty then sports fans, I'm back. There's been quite a bit of stuff happening and I really hope that I can catch up with it all. So here we go. I'm going have a pick at TVShack and MegaUpload, which have been the focus of the media recently. So, let's start with the earlier story of TVShack shall we?

TVShack was a very popular streaming site for TV shows, movies, music videos and the like. It was a fairly unique one in the way it operated. TVShack was not simply a link site, that is to say a site simply with a list of links to streaming videos of the content, they went half a step further. Although they did not host any of the videos themselves, but instead embedded the videos into their site. What was really the problem here was the nature of the videos posted.

By now I am sure you have guessed, or more likely know, that these videos were illegal copies of movies and TV series. On June 30 2010, the domain TVShack.net, amongst others, was seized and replaced with what many would call an "evil message from the man." Of course, TVShack.cc (.cc is the TLD for the Cocos Islands, which is an Australian territory) was created as a replacement (see bottom of this article) with all the same content on it, remember that there were videos embedded in the site. A few short months later in November, British police paid a visit to the creator of the site, one Mr. Richard O'Dwyer of Sheffield.

The site was brought down and Mr O'Dwyer was arrested on charges of copyright infringement. Further the United States requested that he be extradited to face trial in America. Of course his lawyers stated fervently that the site contained no infringing content, but merely links to said content, which reported as such by the media. You'll note that I stressed on the fact that he embedded (again with the stress) the content on his website. For all intents and purposes that is pretty much the same as hosting the content yourself.

Now I have been searching long and hard for literature on this subject and frankly, I am a bit disappointed. Practically every article I have read so far maintains, sometimes in very strong words, that site simply linked to infringing content, which is false. There is then the further assertion that the "dual-criminality" argument required for extradition fails as he did not download any of the content himself. Well, I can neither confirm nor deny this, but if he did watch any of the links on his website, which is quite possible, a copy of the video will have been stored on his computer, thus counting as a download.

Now, I say it's quite possible because of how TVShack worked. Users would submit links to the site for consideration. These links would then be checked by the moderators to ensure that they were indeed what they said. Once checked, the video would then be embedded in the site. So, if Mr. O'Dwyer did watch one of these videos, then it would technically be a download.

No, I'm not trying to point out technicalities to prove the case against him, I am pointing out counter-arguments to the technicalities proposed by his lawyers. Well, long story short, it was recently ruled that he shall be extradited to the States. A lot of people cried foul that this was done at this time due to SOPA/PIPA, but it has been an ongoing case for a while, he appeared before a magistrate in June 2011.

Long story short, the magistrate ruled that he may be extradited. It is my understanding that if found guilty he stands to get up to 10 years in prison, but we will simply have to wait and see how it goes.

Tuesday, 17 January 2012

Yes, yes, I know. Stop with the guilt already!

Greetings sports fans, I know I've missed you. Now you may or may not have missed me but that's not the point. I am currently suffering for a slightly above average workload and and exceedingly large amount "don't give a crap." So, let's compromise: here is my colleauge's blog.

Not enough, you say? OK, OK! Put away the torches and the pitchforks. Remember me complaining about the way scandals are named a while back? Yes? Good! Turns out I am not the only person who thinks it's a stupid idea. None other that David Mitchell and Robert Webb agree with me as evidenced by this sketch.

Now, I hope and pray that I will get the time and motivation to write more, but who knows. See you on the flip side!

Saturday, 26 November 2011

When responsible disclosure is not the responsible thing to do.

Greetings sports fans! (I really like this. Yeah, this is going to be a thing from now on.) Today I want to fill you into one of the most asked question in the field of computer security: "Who should I tell about my latest discovery?" There are few possible answers to that questions, most commonly (in order of size): nobody, the people involved, the people affected, the research community, everybody and for completeness TeH I/\/t3W3bzzz!!1!! It's not always clear what the real answer is, or even if there is a real answer, as we shall soon see.

So, lets start of with the case I am most familiar with, as it is what I do, theoretical constructive cryptography. Sounds fancy, don't it? Basically, what I do is I look at existing schemes and try to make a better one, by either improving the extant scheme or creating a new one. In this case it's obvious that what you have now found should be shared with at least the research community and maybe the whole world if it has any real-world applications/impacts/etc. The same goes for the implementation side of cryptography.

one would assume advances in constructions or protocols are somewhat non-threating to the security of any other system. That is normally, the case, if we consider only the security of a system. A better version of a extant protocol may pose a financial threat to any parties selling the afore mentioned protocol, but it would not compromise it in any other way. The real difference is on "The Other Side of the Coin." (Heyooo!)

All silly self-referencing puns aside, what I am really referring to is cryptanalysis. These are the guys whose job it is to take cryptographic schemes and find ways to break them. They sound evil, right? Well they aren't. The idea behind cryptanalysis is to find out which schemes can and can not be broken by using a variety of techniques. If a given scheme, or indeed a class of schemes, is broken, it gives cryptographers insight to what they should not do. You may think of cryptanalysts as safety inspectors.

Now, here's the problem. Consider this, I make a new and particularly bad crypto scheme, let call it AVeryBadIdea or AVBI (C)(TM)(Pat. Pend.). I publish this scheme and I'm happy. A cryptanalyst has a look at it and breaks it completely within days of its publication. They publish the attack and life goes on. Number of people affected: 2. Doesn't sound like a problem? Well, consider the following scenario: I sell this very same cryptosystem to a couple of small time businesses to secure their data, blah, blah. Now when the attack comes out, number of people affected: 2 + all the people who bought AVBI.

Let's take this a step further. What is AVBI is used for something important, say credit cards. Well, then when if they system is broken, we have a problem. Now every credit card in existence is at threat of being used by malicious parties. Affected people: 2 + banks + credit institutions + everybody who has a credit card. Here the responsible thing to do is to tell the banks and credit institutions and they can try and find a remedy for it. The wrong thing to do is tell everybody else first.

Then you get into more complex issues. A large number of schemes have one "master secret." The gist of it is that if anybody knew this they could do whatever they wanted and not be found out. Suppose AVBI is now an industry standard of some description or the other. Somebody comes up with an attack that allows them to recover the master secret and indeed they do. What do they do? Tell the industry governing body? Sounds like a good idea right?

It is, if the concerned party/parties are not overtly hostile. The classical example of this is HDCP, as explained by Niels Ferguson. On the flip side you have the Stony Brook researchers who released the source code that allows you to do this. It's quite a grey area and I'm not sure there is a real right answer to this. There is a middle ground, which is publishing the idea of the attack, but not releasing the implementation. I believe this is what has been done by my colleagues at the Ruhr University of Bochum wrt their recent work on HDCP. However, this does also leave open the question: Could someone develop a similar attack on their own? It's possible, but then consider that the master secret is already out there, so is it really a bigger threat?

There is scope for even more potential pitfalls and possible permutations of the present problem regarding all participating parties (that's a lot of p's) and the water can get even more murky. Yes, there are clear cut consequences of cryptographic and cryptanalytic creations (and a few c's), but not always. There is so much room for error and personal judgment and it can be quite a burden trying to tackle such a dilemma. So in short, responsible disclosure can be an irresponsible thing to do.