Tag: security

Dark data experiments?

Untitled - man in the dark
I have a lot of curiosity and one of the things which has consistently got me curious, is the challenges of the hidden. Hidden being the trick, the data, the technique, the place or the knowledge. This is why I’m very interested in Hacker House (it was almost added to my new years resolutions for 2017 even).

Currently data is the hidden which intrugued me the moment, hence my massive interest in data ethics. There’s been 3 experiments which have really got me jumping up and down about this all… thought I’d share while I eat cheese and drink wine on Christmas day

  • Click Click Click
    A perfect and fun demonstration of mouse tracking on websites using just JavaScript. This is the data the likes of Facebook, Google, Amazon, etc use to track users dwell time and implicit actions on the website. Found via some folks on our BBC R&D internal slack.
  • I know what you downloaded (…last summer or even last Christmas)
    This site collects IPs from public torrent swarms by parsing torrent sites and listening to the DHT network. They have more than 500.000 torrents which where classified and have data on peers sharing habits. The slightly twisted feature is the ability to share a link and see what people have been sharing. I promise not to do this but highlights the problem with shortern urls and long query strings you can’t be bother to read or don’t understand how they work (knowledge). Found via Torrentfreak
  • Find my phone
    Man’s smartphone is stolen in Amsterdam, so the same man decides to root another phone and deliberately track the phone. Along with the person who stole it! The results are turned into a video which you can watch on youtube.
    Found via Schneier

Worm attacks over unsecured protocals

Philips Elevation Ambilight+hue

Bruce Schneier isn’t the only person worried about this type of attack. I already turned off external access to my Hue lights following the IOT bot net news.

This is exactly the sort of Internet-of-Things attack that has me worried:

“IoT Goes Nuclear: Creating a ZigBee Chain Reaction” by Eyal Ronen, Colin OFlynn, Adi Shamir and Achi-Or Weingarten.

Abstract: Within the next few years, billions of IoT devices will densely populate our cities. In this paper we describe a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction, provided that the density of compatible IoT devices exceeds a certain critical mass. In particular, we developed and verified such an infection using the popular Philips Hue smart lamps as a platform. The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack.

Why I stopped caring about what most people think about privacy

PUBLIC DOMAIN DEDICATION - Pixabay-Pexels digionbew 14. 01-08-16 Feet up LOW RES DSC07732

Simon Davis’ post about “Why I’ve stopped caring about what the public thinks about privacy” is such a great piece. I’m sorry to Simon but I had to copy a lot to give the full context.

To put it bluntly, I’ve stopped worrying about whether the public cares about privacy – and I believe privacy advocates should stop worrying about it too.

Unless human rights activists and their philanthropic backers abandon their focus on public opinion, the prospects for reform of mass surveillance will disintegrate.

I’ll go even further. Unless human rights activists and their philanthropic backers abandon their focus on public opinion, the prospects for reform of mass surveillance will disintegrate.

I’m aware that these thoughts might sound wildly contradictory – if not insane. Over the past three years I’ve tested them out on audiences across the world and experienced waves of disbelief. That’s one reason why I’m certain those ideas are on the right track.

In summary, my belief is that too many of us are obsessing about whether X percent of people change their default privacy settings, or whether Y+4 percent “care very much” about privacy – or indeed whether those figures went up or down in the last few months or were influenced by loaded questions, etc etc.

As advocates, we should never buy into that formula; it’s a trap. And for funding organisations to think that way is a betrayal of fundamental rights. A program director for a medium sized philanthropic foundation told me earlier this month that her board had “given up” on privacy because “we can’t measure any change in people’s habits”. I don’t see that equation being used as a measure of the importance of other rights.

In the failed rationale of opinion and user behaviour statistics, the relative importance of privacy depends on the level of active popular interest in the topic. According to some commentators, privacy is a non-issue if only a minority of people actually adopt privacy protection in their social networking or mobile use.

Imagine if that logic extended to other fundamental rights. It would mean that the right to a fair trial would be destabilized every time there was a shift in public sentiment. And it would mean that Unfair Contract protections in consumer law would never have been adopted – replaced instead with a “Buyer Beware” ideology.

Just to be clear, I’m not saying public opinion isn’t relevant. Nor am I saying that public support isn’t a laudable goal. We should always strive to positively influence thoughts and beliefs. It’s certainly true that for some specific campaigns, changing the hearts and minds of the majority is critically important.

The struggle for human rights – or indeed the struggle for progress generally – rarely depended on the involvement of the majority (or even the support of the majority).

However, on the broader level, there’s a risk that we will end up cementing both our belief system and our program objectives to the latest bar talk or some dubiously constructed stats about online user behaviour. Or, at least, the funding organisations will do so.

It seems to me we’ve been collectively sucked into the mindset that privacy protection somehow depends on scale of adoption. That populist formula is killing any hope that this fragile right will survive the overwhelming public lust for greater safety and more useful data.

I’ve noticed an enduring (and possibly growing) argument that public support for privacy is largely theoretical because relatively few people put their beliefs into practice. Conversations on that topic tend to dwell depressingly on public hypocrisy, with detractors pointing out that the general population fails to use the privacy tools that are on offer. Even worse, whole populations avidly feed off the very data streams that they claim to be wary of. Apparently this alleged public disinterest and hypocrisy invalidates arguments for stronger privacy.

(As a side point, I don’t believe that the situation is so black and white. People have become far more privacy aware in recent years, and their expectations of good practice by organisations have increased. People change their behaviour slowly over time, and yet there has been real progress in recent years.)

I also (generally) am less caring of what the general public think about these issues. In recent times, people have convinced me to join different services and tactfully decline. I do sometimes forget my world isn’t the mainstream, and wonder why are we still having these discussions.

Don’t get me wrong, its always interesting good to have the discussion, especially because most people still see privacy in a binary way but when pressed are much less binary about their decisions. A while ago I started calling it data ethics as privacy alone leaves the door open to worries about security for example.

Context and experience has a lot to do with it and in the discussion this becomes much clearer. Just ask anyone who has had their idenity stolen, hacked or abused. Most of the public will never (luckily) experience this.

I’d chalk this one up as listen to the experts

Your own personal cloud

The personal or private cloud is growing in popularity and I’m starting to see it spring up in the popular tech press more and more. Interestingly I keep starting a blog post then not finishing it because theres not quite enough to talk about. Then I heard Bruce Sterling’s 2012 South by south west talk (recommended to me by Imran)

The bit which really got me was the 5 stacks part.

“[There’s] a new phenomena that I like to call the Stacks [vertically integrated social media]. And we’ve got five of them — Google, Facebook, Amazon, Apple and Microsoft. The future of the stacks is basically to take over the internet and render it irrelevant. They’re not hostile to the internet — they’re just [looking after] their own situation. And they all think they’ll be the one Stack… and render the others irrelevant. And they’ll all be rendered irrelevant. That’s the future of the Stacks.

People like the Stacks, [because] the internet is scary now — so what’s the problem there? None of them offer any prosperity or security to their human participants, except for their shareholders. The internet has users. Stack people are livestock — ignorant of what’s going on, and moving from on stack to another. The Stacks really, really want to know you’re a dog.

They’re annihilating other media… The Lords of the Stacks. And they’re not bad guys — I’d be happy to buy them a beer. But really, a free people would not be so dependent on a Napoleonic mobile people. What if Mark Zuckerberg trips over a skateboard?

This structure won’t last very long… But you’re really core people for them and their interests. You are them. I’m them.

Bruce is right on the money. The 5 stacks have been trying to outdo each other for many years and see the whole thing as a zero-sum game, death to the end. This is not the way the internet or human society has to work or has to be. On the face of it, they are friendly but like a vicious dog (remember I’m not really a fan of them) they need a certain amount of caution.

Even myself are weary of how much data I hand over to Google. It may seem like I don’ t care but you would be very wrong. If I didn’t care I would sign up for Google Drive storage (I like the idea of being able to search across all my files, something which is tricky with Dropbox), would have moved from Evernote to Google Keep, etc, etc… I tend to keep my data across different stacks and deal with the migration and syncing myself. Its a bit of a pain and boy would it be easier to just dump it in Google’s cloud/stack. But I don’t want that.

I have been experimenting with my own cloud but not found anything yet which works the way I really want it to. The thing about clouds is they should merge and split or in other terms they should seamlessly blend. A personal cloud should consume and work with the other clouds. Now I understand the 5 stacks don’t really want to work with anyone else and will make there clouds/stacks difficult to inter-operate with but it can be done.

Some of you may say “Ian your dreaming…” but I point you at Trovebox which use to be Openphoto. The original idea was that you could store the photos in your own cloud and simply using an a bit of http linking and authentication, build your own decentralised flickr without handing over your actual photos. Another example is the absolute power of ifttt.com.

The lure of having a cloud which is as powerful and ubiquitous as other the other 5 clouds would be amazing. The advantages are all there but unlike the 5 clouds, you wouldn’t have to worry about it snooping on you and selling data to others. Increasingly more and more of us post Edward Snowdon.would like to something which we could exist and support our own ambitions not the shareholders.

Revelations that many governments of the world are able to collect personal data on-demand has called into question our desire and need to keep everything online. While we want to access and share our content, we want privacy and security as well. Whether it is photos on a social network or work documents in an online storage account, we want to know that we have absolute control of our data because it is ours, regardless of what services we use and regardless of how they choose to manage their Terms of Service.

Ok so were all down with Personal clouds? What are the projects I have been keeping an eye on? Cozy.io, Sparkleshare, Owncloud, Tonido and Amahi. Weirdly the last one isn’t really a Cloud but I’ve looked into turning it into a personal cloud platform.

The problem with the personal clouds is they are a long way off that ready state. They require a lot of hand cranking and can be a massive time and money hog. Which means only those knowledgeable and with enough money can afford the privacy…?

Its a shame but whats new?

Well nothing much but its fascinating what else you can do with your own cloud. I have seen a lot of activity around the idea. For example you have things like tent.io and you got to admire what Bit Torrent inc are doing in the labs, if only it was open source. Would love to use Bittorrent sync across the board but I just don’t trust it more than dropbox. In which case I might as well keep using dropbox? At least they have 2 factor authentication now and full support for Linux. Plus the amount of other cloud services which support dropbox is very high.

Ultimately if the personal cloud is going to really make a dent. It needs to be super flexible, work with others and support features which the others wouldn’t dare (bit torrent is one such feature)

When Paul Rogers sucked the air out of the room

Been wondering what happened to the video of Paul Rogers at TedXBradford.

Well no need to wonder any more, Imran just posted it on the site and listening to it again its pretty sobering but theres a light at the end.

I originally said this

This talk was like no other. Most of the talks were pretty neutral about the web. However Paul literally sucked the air out of the room with his talk about the political mess and security woes the internet has accelerated. Afterwards there was a level of what just happened in the cinema.

Now you can hear/watch and judge for yourselves… but bear in mind this was the last talk after a number of very positive talks about life online

Paul Rogers is Professor of Peace Studies at Bradford University. He worked originally in the biological and environmental sciences, including lecturing at Imperial College, London, but has worked for the past 30 years on international security. He is a consultant to Oxford Research Group, an independent UK think tank, and also writes a weekly analysis of international security issues for www.opendemocracy.net

Do I TRUST mint with my money management?

Mint - refreshing money management

So I've been using Microsoft Money for quite a while to manage my money but since moving to gnu/Linux, I've not really converted the money file over to anything else. I was checking out the KDE application Money2 but started thinking there has got to be a better way to do this?

Well in steps Mint fresh faced from the Techcrunch conference. When I first heard rumours about it, I thought it was something to do with that terriable credit card company in the UK with the same name. However Mint.com promises to refresh money management by adding all the goodness of Web 2.0.

So I've been checking it out, and to be honest I like what I see but I'm not convinced they can be trusted with my finanical information. Now don't get me wrong I'm no hot shot with millions in the bank but I still wouldn't want what how much I pay for lunch (not a lot thanks to Tesco) in the public domain. I'm not saying Mint are leaking this information, I'm just not sure. I've been reading there Privicy policy and it all looks ok but I have this naggy feeling that this is dangerious and should be avoided for a while longer, at least let someone else be the test muppet. I had this feeling when I first heard about Paypal and to be honest I do use it but tend not to keep money in it for long and I use its most basic features. All those advanced features like hooking it into your bank i've avoided because it worries me. Although in a recent episode of Security now, Paypal's Director of Account protection was on talking about the levels of security and privicy they have for users of their service. SecureID was one of the solutions and to be honest, if my bank offered that, I would gladly use it.

I guess my fear of using Mint is a little overboard but like linking my facebook profile to some of the other sites I use, I think somethings are maybe left alone till I can trust them. Trust is a funny thing, I mean I trust my bank, paypal, amazon, Tesco, Plaxo, etc. But I don't trust Facebook, Mint, etc with my credit card details. They haven't been around long enough to prove their trustworthness. There rep is 0 in my book. I need Facebook to stop mining my information and start offering me real uses. Mint I guess will have to rely on good feedback from people on there own blogs before I start using it.

Its all useless anyway, mint is american centric, requiring a zip code before you can sign up. Have they never heard of Open ID? Simon Wilison was right, all startups should use Open ID if they want people to use their service. Now Mint you've lost a customer because although I could make up a zip code, why the hell should I?

Comments [Comments]
Trackbacks [0]

Serious Window Problem indentified by Microsoft

After listening to Security now Episode 58, I had write a quick blog post to warn people about this very (I would say) critical flaw in Windows XP and IE. I have temporarily patched my systems by unregistering the VGX DLL. I would highly suggest everyone do the same by copying the following code into your run dialog box and restarting your machine.

regsvr32 -u “%CommonProgramFiles%Microsoft SharedVGXvgx.dll”

Much more information and another flaw affecting only Windows 2000 users can be found at the security now notes page.

Comments [Comments]
Trackbacks [0]

About Ben’s disclosure of the BBC’s weather feeds

Ben Metcalfe

I forgot I haven't publicly said anything about Ben Metcalfe highlighting the direct urls of the weather feeds. My take on the whole thing is simple – Security through obscurity.

A system relying on security through obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that the flaws are not known, and that attackers are unlikely to find them.

Security through or by obscurity, is generally a bad idea. By the BBC developer putting the urls inside a plain text javascript file, he or she was relying on Security through obscurity. Ben simply disclosed this information to the world. You could say well he should have let the BBC know, but like software vulnerabilities company's will sit on this information for years because its not important enough. Nope theres no douht in my mind that Ben did the right thing, and maybe taking down the blog post was a good idea for the BBC. We should be thankful and hell this might have spurred some movement on the backstage front? I do wonder if the javascript file in question still has the urls inside of it?

Comments [Comments]
Trackbacks [0]

95 Theses of Geek Activism

In the vein of the cluetrain manfesto, Devanshu posted a great post with 95 points about geek activism. Honestly there pretty awesome, but here's my favorate…

  • Violating a license agreement is not theft.
  • All corporations are not on your side.
  • Everything will enter the public domain some day- even Mickey Mouse.
  • Trusted computers must not be trusted.
  • Proprietary data formats must never store public information.
  • Fair use is a good thing.
  • Use multiple operating systems regularly so you truly understand interoperability.
  • Data mining will not stop terror.
  • Express your opinion in public
  • Blog
  • Security is a trade-off- what are you willing to give up?
  • Use Creative Commons
  • Understand the difference between civil disobedience and breaking the law.
  • Support the free, public domain archives of information.
  • Undermine censorship by publishing information censored in oppressive countries.
  • Voicing your views in a Slashdot comment thread is good, in your own blog is better, but in places that non-geeks frequent is best.
  • Have a global perspective in ideas of geek civil liberties, intellectual property rights and so forth. Do you like your country’s policies in this respect? Can you help people from another country?
  • Read more
  • Make sure that if a vendor locks you in, you lock them out.
  • Linux is no longer a philosophy- it is a good piece of software. Use it if it fits your needs.
  • More information available to the most number of people is a good thing.
  • Vote
  • Read our modern geek philosophers- read Bruce Perens, Cory Doctorow, Bruce Sterling and even Richard Stallman. Read Schneier to find practical reasons why stupid security mechanisms are stupid. Read them even if you disagree with them- it will help frame your point of view.
  • DRM only keeps an honest user honest.
  • Be proud of being a geek, a gamer, a privacy advocate, promoter of free speech and an innovator without fear of litigation, of government or restrictions on liberties- a geek activist.

Comments [Comments]
Trackbacks [0]

Steve Gibson says Windows Metafile was a backdoor

So while in the shower today I was listening to Leo Laporte and Steve Gibson's Security now number 22. I almost fell in the shower after hearing the possibility that Microsoft maybe covered up a backdoor in Windows. Simply put Steve Gibson is suggesting that Microsoft or some people involved in the code for the Windows Metafile (WMF) put in a backdoor. Aka it was not a flaw or vunerability, a backdoor! If this is true I'm speechless.

Its easy to think of this as a conspiracy and put on your foil hats now but this deadly serious. Even Steve has admitted if he's wrong he will be the first to admit he's wrong but he really doesnt believe this. He's actually put a lot on the line for this. Personally I think this is just a long line of the mainstream lying to us. Think about it Sony and there badly written DRM and worst still badly written Rootkit. Lies and more damm lies. Even when there pants were down they tried to cover it up by saying people didnt even know what a rootkit was so why tell them. I remember quoting Miles in my post about the Rootkit saying Apple and Microsoft must be pissing themselves with laughter. Well its now Microsoft's time and Apple are not getting away clean. Theres lots of talk about iTunes in the context of useage patterns feedback and the reduction of uses of the sharing feature across the versions. So Apple users don't even laugh because Apple are hardly saints either.

But back to this claim of a backdoor in Windows. If it turns out to be true (and honestly Steve's explaining actually makes a lot of sense I have to say). We have to wonder how many more there are? Who put this backdoor there and who actually knows about it? I expect by the time this gets out there it will make the large news sources quickly. I've not looked on Digg, slashdot, boingboing yet because I'm on the 10am train into London Bridge. Tell a lie, I just did a search through Digg on the my aggregator and this came up (which is close but not the same) this came up.. I'll digg it when I get back online in about 20mins. Looking at the date of the Digg story (7:30am) its still too early for most of the Western world and may not have had time to circlate yet. Steve did say this was a exclusive to Security now and he's only known about it for about a day at most. Anyhow, we shall see what happens. By the way the people who came out of this smelling pretty sweet has to be Hackers. If it wasn't for hackers and reverse engineering we would never know. This is critical to remember no matter how it turns out.

Comments [Comments]
Trackbacks [0]

Messy haxoring with metasploit caught on iptv

Its not quite as cool as it may sound from the title. I just watched epioside 13 of my lame-ass iptv soap, The scene. yes everyones got there weakness but if you put this against other soaps like Hollyoaks then it comes out quite well. Anyhow, I got a real kick out of main character trying to get root on windows box hosting a FTP server. They used the well established metasploit to find a flaw and exploit it. To be fair its one step up from the hack in the matrix reloaded and they did do a little homework to use the nice opensource framework metasploit. Its certainly a fine line between security tester and exploiter but the best tools always are.

Talking of which if you didnt catch the Security now podcast number 9 about rootkits, please do as it will give you a good old wake up call. I've been personally aware of rootkits for quite a long time but I didnt know spyware, adware applications were starting to use them just so they cant be removed from a computer. Its crazy, but its true. Honestly I wouldnt wish a rootkit on my worst enemy, I just cant imagine anything worst. Anyhow, Steve and Leo do a great job explaining how rootkits work. It is however really good to know Microsoft and Sysinternals are working on the problem. I did try out SysInternal's Rootkit Revealer on all my machines and I'm clean as expected but its good to be sure. I suggest everyone should give it a try, at least till Microsoft add rootkit scanning to there malicious software removal tool. No one likes to be rooted…

Comments [Comments]
Trackbacks [0]