Google

Google outrage at ‘NSA hacking’

Friday, November 1, 2013 

Outrageous, OUTRAGEOUS I says!

Yeah yeah, the NSA didn’t pay you for the data this time?

Google outrage at ‘NSA hacking’

Posted at 01:18:25 GMT-0700

Category: FreeBSD, Technology

India to Impose eMail Restrictions

Thursday, October 31, 2013 

The cloud is public and ephemeral. Never trust important data to anyone else’s hardware.

India and Brazil are getting it. Finally.

The USG is still moving data to the cloud. It will be an interesting day when it is realized the US isn’t the only country companies like Google and Amazon do business in that has national security data access requirements.

India to impose email restrictions

Posted at 00:33:10 GMT-0700

Category: Politics, Technology

Iraq Blocked For Many Android Apps

Sunday, March 3, 2013 

I’m not sure who decides what apps are blocked on a country by country basis, but an awful lot of apps are blocked in Iraq and it seems like more and more.

iraq_blocked_play_viber.JPG

OTT apps like Whatsapp and Viber sort of make sense. These apps are at war with the carriers, who claim the app is making money somehow on the backs of the carriers*, and they seem to be largely blocked from install in Iraq. One would imagine that was Asiacell’s doing, but I changed SIMs and that didn’t help.

Iraq_blocked_whatsapp.JPG

But then I noticed that weird apps like Angry Birds are not allowed in Iraq—apps that make no sense for a carrier to block. The advertising model actually works and ad-supported apps show (some) relevant, regional ads, as they should, in theory generating at least some revenue for the developers. Part of the problem may be that there’s no way for in-app payments to be processed out of Iraq and therefore developers of even “freemium” apps may choose to block their apps in the country, reasoning that if they can’t make money, why let people use the app?

Iraq_blocked_angry_birds.JPG

If so, it seems short-sighted: ultimately payment processing will be worked out and even if it isn’t, Iraqis are allowed to travel to countries where in-app payments do work. Establishing a beachhead in the market, even without revenue, seems prudent. Blocking users who represent neither revenue nor cost seems arbitrarily punitive.

* The carrier’s business should be to transport bits agnostically.  They have no business caring what we do with our bits; no bit costs more than any other bit to carry.  If they can’t figure out how to make money carrying bits, they have no business being in the bit carrying business. When they whine about a business like WhatsApp or Viber or Free Conference Call or Skype or Google hurting their profits what they really mean is that these new businesses have obviated a parasitic business that was profitable due to a de facto monopoly over what people could do with their bit carrying business.

If the bit carriers were competent application layer developers, they’d have developed their own versions of these “OTT” applications. But they’re not competent developers and so they have not and they’ve squandered the expertise and market control they once had and are now crying that they can’t even make the core bit carrying business work. This should not inspire sympathy or legislative support.

Dear telco, I will pay you a fair market price for carrying my bits. You have no right to worry about what bits I choose to send after I’ve paid my bit toll. If you can’t do that, we the people have every right to build our own information highways collectively without you. And we probably should anyway.

Posted at 05:29:54 GMT-0700

Category: Cell phones, Places, Politics, Technology

Overthrow the Cert Mafia!

Friday, January 4, 2013 

The certificate system is badly broken on a couple of levels, as shown by the most recent revelation that Turktrust accidentally issued two intermediate SSL CAs, which enabled the recipients to issue presumptively valid arbitrary certificates. This is just the most recent (probably the most recent, this seems to happen a lot) compromise in a disastrously flawed system including the recent Diginotar and Comodo attacks. There are 650 root CAs that can issue certs, including some CAs operated by governments with potentially conflicting political interests or poor human rights records, and your browser probably trusts most or all completely by default.

It is useful to think about what we use SSL certs for:

  • Establishing an encrypted link between our network client and a remote server to foil eavesdropping and surveillance.
  • To verify that the remote server is who we believe it to be.

Encryption is by far the most important, so much more important than verification that verification is almost irrelevant, and fundamental flaws with verification in the current CA system make even trying to enforce verification almost pointless. Most users have no idea what any of the cryptic (no pun intended) and increasingly annoying alerts warning of “unvalidated certs” mean or even what SSL is.

Google recently started rejecting self-signed certs when attempting to establish an SSL encrypted POP connection via Gmail, an idiotically counterproductive move that will only make the internet less secure by forcing individual mail servers to connect unencrypted. And this is from the company whose cert management between their round-robin servers is a total nightmare and there’s no practical way to ever be sure if a connection has been MITMed or not as certs come randomly from any number of registrars and change constantly.

cert_stupidity_google_perspectives.JPG

What I find most annoying is that the extraordinary protective value of SSL encrypted communication is systematically undermined by browsers like Firefox in an intrinsically useless effort to convince users to care about verification. I have never, not once, ever not clicked through SSL warnings. And even though I often access web sites from areas that are suspected of occasionally attempting to infiltrate dissident organizations with MITM attacks, I still have yet to see a legit MITM attack in the wild myself. But I do know for sure that without SSL encryption my passwords would be compromised. Encryption really matters and is really important to keeping communication secure; anything that adds friction to encryption should be rejected. Verification would be nice if it worked, but don’t add friction to encryption.

no secure encryption unless you pay the cert mafia

Self-signed certs and community verified certs (like CAcert.org) should be accepted without any warnings that might slow down a user at all so that all websites, even non-commercial or personal ones, have as little disincentive to adding encryption as possible. HTTPSEverywhere, damnit. Routers should be configured to block non-SSL traffic (and HTML email, but that’s another rant. Get off my lawn.)

Verification is unsolvable with SSL certs for a couple of reasons, some due to the current model, some due to reasonable human behavior, some due to relatively legitimate law-enforcement concerns, but mostly because absolute remote verification is probably an intractable problem.

Akamai certs error har har.JPG

Even at a well run notary, human error is likely to occur. A simple typo can, because registrar certs are by default trusted globally, compromise anyone in the world. One simple mistake and everybody is at risk. Pinning does not actually reduce this risk as breaks have so far been from generally well regarded notaries, though rapid response to discovered breaches can limit the damage. Tools like Convergence, Perspectives, and CrossBear could mitigate the problem, but only if they have sufficiently few false positives that people pay attention to the warnings and are built in by default.

But even if issuance were somehow fixed with teams of on-the-ground inspectors and biometrics and colonoscopies, it wouldn’t necessarily help. Most people would happily click through to www.bankomerica.com without thinking twice. Indeed, as companies may have purchased almost every spelling variation and point them all toward their “most reasonable” domain name, it isn’t unreasonable to do so. If bankomerica.com asked for a cert in Ubeki-beki-beki-stan-stan, would they (or even should they) be denied? No – valid green bar, invalid site. Even if misdirections were non-SSL encrypted, it isn’t practical to typo-test every legit URL against every possible fake, and the vast majority of users would never notice if their usual bank site came up unencrypted one day with a DNS attack to a site not even pretending to fake a cert (in fact, studies suggest that no users would notice). This user limitation fundamentally obviates the value of certs for identifying sites. But even a typo-misdirection is assuming too much of the user – all of my phishing spam uses brand names in anchortext leading to completely random URLs, rarely even reflective of the cover story, and the volume of such spam suggests this is a perfectly viable attack. Verification attacks don’t even need to go to a vaguely similar domain let alone go to all the trouble of attacking SSL.

cert_stupidity_google.JPG

One would hope that dissidents or political activists in democracy challenged environments that may be subject to MITM attacks might actually pay attention to cert errors or use Perspectives, Convergence, or CrossBear. User education should help, but in the end you can’t really solve the stupid user problem with technology. If people will send bank details to Nigeria so that a nationality abandoned astronaut can expatriate his back pay, there is no way to educate them on the difference between https://www.bankofamerica.com and http://www.bankomerica.com. The only useful path is to SSL encrypt all sites and try to verify them via a distributed trust mechanism as implemented by GPG (explicit chain of trust), Perspectives (wisdom of the masses), or Convergence (consensus of representatives). All of these seem infinitely more reliable than trusting any certificate registry, whether national or commercial, and as a bonus they escape the cert mafia by obviating the need for a central authority and the overhead entailed; but this only works if these tools have more valid positives than false positives, which is currently far from the case.

cert_stupidity_google_cross_bear.JPG

Further, law enforcement makes plausible arguments for requiring invisible access to communication. Ignoring the problematic but understandable preference for push-button access without review and presuming that sufficient legal barriers are in place to ensure such capabilities protect the innocent and are only used for good, it is not rational to believe that law enforcement will elect to give up on demanding lawful intercept capabilities wherever possible. Such intercept is currently enabled by law enforcement certificates which permit authorized MITM attacks to capture encrypted data without tipping off the target of the investigation. Of course, if the US has the tool, every other country wants it too. Sooner or later, even with the best vetting, there is a regime change and control of such tools falls into nefarious hands (much like any data you entrust to a cloud service will sooner or later be sold off in an asset auction to whoever can scrape some residual value out of your data under whatever terms suit them, but that too is a different rant). Thus it is not reasonable for activists in democracy challenged environments to assume that SSL certs are a secure way to ensure their data is not being surveilled. Changing the model from intrinsic, automatic trust of authority to a web-of-trust model would substantially mitigate the risk of lawful intercept certs falling into the wrong hands, though also making such certs useless or far harder to implement.

There is no perfect answer to verification because remote authentication is Really Hard. You have to trust someone as a proxy and the current model is to trust all or most of the random, faceless, profit or nefarious motive driven certificate authorities. Where verification cannot be quickly made and is essential to security, out-of-band verification is the only effective mechanism, such as transmitting a hash or fingerprint of the target’s cryptographic certificate via voice or postal mail or perhaps via public key cryptography.
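One way to do the out-of-band check described above, as an added example that is not from the original post: compare the SHA-256 fingerprint of the certificate a server presents (self-signed or not) with a fingerprint received by voice or mail, and refuse to send data on a mismatch. The function names and the sample certificate bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a certificate's DER bytes (not a real certificate);
# a fingerprint is just a hash over whatever DER bytes the server presents.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"


def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()


def readable(fp_hex):
    """Format a fingerprint for reading over the phone: AB:CD:EF:..."""
    return ":".join(fp_hex[i:i + 2] for i in range(0, len(fp_hex), 2)).upper()


def normalize(text):
    """Reduce a typed or dictated fingerprint to bare lowercase hex."""
    cleaned = "".join(ch for ch in text if ch not in ": -\t\r\n").lower()
    if len(cleaned) != 64 or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def matches_pin(der_bytes, pinned_text):
    """True only if the presented certificate is the one vouched for out of band."""
    return hmac.compare_digest(fingerprint(der_bytes), normalize(pinned_text))


def open_pinned(host, port, pinned_text, timeout=10):
    """Open a TLS connection that trusts exactly one certificate, CA-signed or not.

    CA validation is switched off on purpose: the out-of-band fingerprint is the
    only trust anchor, and the check runs before any application data is sent.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not matches_pin(der, pinned_text):
        tls.close()
        raise ssl.SSLError("certificate does not match the out-of-band fingerprint")
    return tls


if __name__ == "__main__":
    pin = readable(fingerprint(SAMPLE_DER))  # what the server owner reads out
    print("fingerprint to read out:", pin)
    print("same cert:", matches_pin(SAMPLE_DER, pin))
    print("swapped cert:", matches_pin(SAMPLE_DER + b"\x00", pin))
```
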

Sadly, the effort to prop up SSL as a verification mechanism has been made at the compromise of widespread, low friction encryption. False security is being promoted at the expense of real security.

That’s just stupid.

Posted at 15:18:25 GMT-0700

Category: Privacy, Security, Technology

Google APIs Suck

Friday, January 4, 2013 

Off-Site scripts are annoying and privacy invasive. They are a vector for malware, waste your computer’s resources, and generally add limited capability.  They’re a shortcut for developers but rarely add real value that can’t be replaced by locally-hosted, open-source scripts and always compromise your privacy (or the privacy of your site’s visitors).

To explain – I use NoScript (as everyone should) with Firefox (it doesn’t work with Chrome: I might consider trusting Google’s browser for some mainstream websites when it does, but I don’t really like that Chrome logs every keystroke back to Google and I’m not sure why anyone would tolerate that). NoScript enables me to give per-site permission to execute scripts.

The best sites don’t need any scripts to give me the information I need.  It is OK if the whizzy experience is degraded somewhat for security’s sake, as long as that is my choice. Offsite scripting can add useful functionality, but the visitor should be able to opt out.

Most sites use offsite scripting for privacy invasion – generally they have made a deal with some heinous data aggregator whose business model is to compile dossiers of every petty interest and quirk you might personally have and sell them to whoever can make money off them: advertisers, insurance companies, potential employers, national governments, anyone who can pay. In return for letting them scrounge your data off the site, they give the site operator some slick graphs (and who doesn’t love slick graphs). But you lose. Or you block Google Analytics with NoScript. This was easy – block offsite scripts if you’re not using private browsing or switch to private browsing (and Chrome’s private browsing mode is probably fine) and enjoy the fully scripted experience.

But I’ve noticed recently a lot of sites are borrowing basic functionality from Google APIs.  Simple things, for which there are plenty of open source scripts to use like uploading images – this basic functionality is being sold to them in an easy to integrate form in exchange for your personal information: in effect, you’re paying for their code with your privacy. And you either have to temporarily allow Google APIs to execute scripts in your browser and suck up your personal information or you can’t use the site.

If you manage a website, remove as many calls as you can, including removing calls back to wordpress and fonts.  These are all data collection mechanisms that seem to make it easy in exchange for aggregating data on users.  I recommend three browser plugins to significantly improve privacy and reduce data collection.  They break some sites, but those sites are so privacy violating that you shouldn’t be visiting them anyway.

LocalCDN

Local CDN redirects CDN calls to locally cached copies, which improves performance and protects privacy.  CDNs make good money off your private data without your consent and the features they provide are easily replaced with local delivery.  This seems to have zero impact on browsing experience.

For Firefox, you might try Decentraleyes.

Privacy Badger

EFF’s Privacy Badger is great. It can be your only ad blocker if you, say, support ad-monetized content but just don’t want to be tracked. EFF’s goal isn’t so much to end advertising but to give the user a tool to reject the more privacy invasive elements of such advertising or other mechanisms of tracking. The “learning” mode is disabled by default because using it is, itself, trackable.

uBlock Origin

The ur-privacy plugin, uBlock Origin is by default fairly aggressive in blocking and so not only protects privacy, but also blocks scripts that slow your computer down and waste your costly energy doing free work for advertisers, and it speeds up browsing. It does, however, break some pages including things like logins and redirects, so become familiar with the mechanisms for selectively disabling blocking of scripts or sites that are important.
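To act on the advice above to site operators, the following added example (not from the original post) lists every off-site host a page makes a visitor's browser contact, so each call can be removed or replaced with a locally hosted copy. The sample page, its URLs and the rule that subdomains count as local are assumptions constructed for illustration.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose attribute makes the visitor's browser fetch something.
FETCHING = {"script": "src", "img": "src", "iframe": "src",
            "embed": "src", "source": "src", "link": "href"}
# <link> only contacts the host for these rel values (not e.g. rel="canonical").
LINK_RELS = {"stylesheet", "icon", "preload", "prefetch",
             "preconnect", "dns-prefetch", "modulepreload"}

# Constructed sample page for a hypothetical site at https://example.org/blog/
SAMPLE_URL = "https://example.org/blog/"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Constructed">
<link rel="canonical" href="https://mirror.example.net/blog/">
<script src="//ajax.googleapis.com/constructed/library.js"></script>
<script src="js/local.js"></script>
</head><body>
<img src="https://static.example.org/logo.png">
<img src="data:image/gif;base64,AAAA">
<img src="https://www.google-analytics.com/constructed-pixel.gif" />
<script src="https://s0.wp.com/constructed/widget.js"></script>
</body></html>
"""


class OffSiteAudit(HTMLParser):
    """Collect every resource a page pulls from a host other than its own."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site = urlsplit(page_url).hostname
        self.offsite = defaultdict(list)

    def handle_starttag(self, tag, attrs):
        attr = FETCHING.get(tag)
        attrs = dict(attrs)
        value = attrs.get(attr) if attr else None
        if not value:
            return
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & LINK_RELS:
                return
        # urljoin resolves relative and protocol-relative (//host/...) URLs.
        host = urlsplit(urljoin(self.page_url, value)).hostname
        # Assumption: subdomains of the site's own host count as local.
        if host and host != self.site and not host.endswith("." + self.site):
            self.offsite[host].append((tag, value))


def audit(html, page_url):
    """Return {off-site host: [(tag, url), ...]} for one page."""
    parser = OffSiteAudit(page_url)
    parser.feed(html)
    parser.close()
    return dict(parser.offsite)


if __name__ == "__main__":
    for host, uses in sorted(audit(SAMPLE_HTML, SAMPLE_URL).items()):
        print(host, "<-", ", ".join(f"<{tag}>" for tag, _ in uses))
```
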

Posted at 07:34:36 GMT-0700

Category: Politics, Privacy, Security, Technology

Google Street View ReflectoPorn

Tuesday, March 6, 2012 

Google drove past our little village in Italy and caught themselves in the turning mirror just about perfectly.

The coverage they have is getting pretty impressive.

street_view_reflecto_porn.JPG

Posted at 22:59:11 GMT-0700

Category: MapphotoPlaces

The Cloud is Ephemeral

Sunday, January 1, 2012 

Never trust your business, applications, or critical data to a cloud service because you are at the mercy of the provider both for security and availability, neither of which are terribly likely. Cloud services are the .coms of the 2nd decade of the 21st century; they come and go and with them so go your data and possibly your entire enterprise. Typically the argument is that larger brands are safer, that a company like Google would not wipe out a service leaving their customers or partners high and dry, that they would be safe.

That would be a false assumption.

“The cloud is great when and while your desired application is present—assuming it’s secure and robust—but you are at the mercy of the provider for longevity.”

It is necessary to understand the mathematics of serial risk to evaluate the risk-weighted cost of integrating a cloud-provisioned service into a business. It is important to note that this is entirely different from integrating third party code, which just as frequently becomes abandonware; while abandonware can result in substantial enterprise costs in engineering an internally developed replacement it continues to function, a cloud service simply vanishes when the provisioning company “pivots” or craters, instantly breaking all dependent applications and even entire dependent enterprises: it is a zero day catastrophe.

Serial risks create an exponential risk of failure. When one establishes a business with N critical partners, the business risk of failure is mathematically similar to RAID 0. If each business has a probability of failure of X%, the chance of the business failing is 1-(1-X/100)^N. If X is 30% and your startup is dependent on another startup providing, say, a novel authentication mechanism to validate your cloud service, then the chances of failure for your startup rise from 30% to 51%. Two such dependencies and chances of failure rise to 64% (survival is a dismal 36%).

Posted at 22:34:08 GMT-0700

Category: Privacy, Technology

SOPA/Protect IP: Retarding Progress

Tuesday, November 22, 2011 

If you have ever found the internet useful for anything other than browsing corporate web sites, for example if you’ve ever looked up an independent review or enjoyed a post like this one by anyone at all, then you must contact your representative and insist they reject SOPA and Protect IP.

This act is the most inane, repressive, anti-progress, anti-civil-rights, special interest protecting, bought and paid for legislation I’ve ever had the displeasure of reading. Every site that has an opinion that might offend anyone with an in-house lawyer will be erased from the DNS system. The primary opponents of the bill point out that sites like Google and YouTube are targets, but the tactic will not be to strike at targets that can afford lawyers, the tactic will be to wipe out small sites that aren’t generating much revenue first and establish precedent before taking out the big guys. First all the fun sites will go, then YouTube, but, hey, you’ll still have Hulu and Microsoft.com.

Anyone who is favorable to this bill does not understand the constitution and is not fit to stand in office.  It is an absolute rejection of the constitutional mandate to “promote progress and the useful arts” solely to enable short-term profiteering by absurdly wealthy studio execs.

The bills’ primary sponsors, Patrick Leahy and Lamar Smith: whatever you can do to get these tools of the studio execs out of office, please do. They’re not from my state, but if they were I’d back anyone who challenged them.

Cosponsors must also be ejected as forcefully as possible.

Protect IP Cosponsors

Sen Alexander, Lamar [TN] – 5/25/2011
Sen Ayotte, Kelly [NH] – 6/27/2011
Sen Bennet, Michael F. [CO] – 7/25/2011
Sen Bingaman, Jeff [NM] – 10/19/2011
Sen Blumenthal, Richard [CT] – 5/12/2011
Sen Blunt, Roy [MO] – 5/23/2011
Sen Boozman, John [AR] – 6/15/2011
Sen Brown, Sherrod [OH] – 10/20/2011
Sen Cardin, Benjamin L. [MD] – 7/13/2011
Sen Casey, Robert P., Jr. [PA] – 9/7/2011
Sen Chambliss, Saxby [GA] – 11/2/2011
Sen Cochran, Thad [MS] – 6/23/2011
Sen Coons, Christopher A. [DE] – 5/12/2011
Sen Corker, Bob [TN] – 6/9/2011
Sen Durbin, Richard [IL] – 6/30/2011
Sen Enzi, Michael B. [WY] – 9/7/2011
Sen Feinstein, Dianne [CA] – 5/12/2011
Sen Franken, Al [MN] – 5/12/2011
Sen Gillibrand, Kirsten E. [NY] – 5/26/2011
Sen Graham, Lindsey [SC] – 5/12/2011
Sen Grassley, Chuck [IA] – 5/12/2011
Sen Hagan, Kay [NC] – 7/5/2011
Sen Hatch, Orrin G. [UT] – 5/12/2011
Sen Isakson, Johnny [GA] – 11/2/2011
Sen Johnson, Tim [SD] – 10/3/2011
Sen Klobuchar, Amy [MN] – 5/12/2011
Sen Kohl, Herb [WI] – 5/12/2011
Sen Landrieu, Mary L. [LA] – 10/17/2011
Sen Lieberman, Joseph I. [CT] – 7/7/2011
Sen McCain, John [AZ] – 7/26/2011
Sen Menendez, Robert [NJ] – 10/31/2011
Sen Nelson, Bill [FL] – 9/23/2011
Sen Risch, James E. [ID] – 11/7/2011
Sen Rubio, Marco [FL] – 5/26/2011
Sen Schumer, Charles E. [NY] – 5/12/2011
Sen Shaheen, Jeanne [NH] – 6/30/2011
Sen Udall, Tom [NM] – 7/7/2011
Sen Vitter, David [LA] – 11/7/2011
Sen Whitehouse, Sheldon [RI] – 5/12/2011

SOPA Cosponsors

Rep Amodei, Mark E. [NV-2] – 11/3/2011
Rep Barrow, John [GA-12] – 11/14/2011
Rep Bass, Karen [CA-33] – 11/3/2011
Rep Berman, Howard L. [CA-28] – 10/26/2011
Rep Blackburn, Marsha [TN-7] – 10/26/2011
Rep Bono Mack, Mary [CA-45] – 10/26/2011
Rep Carter, John R. [TX-31] – 11/3/2011
Rep Chabot, Steve [OH-1] – 10/26/2011
Rep Conyers, John, Jr. [MI-14] – 10/26/2011
Rep Deutch, Theodore E. [FL-19] – 10/26/2011
Rep Gallegly, Elton [CA-24] – 10/26/2011
Rep Goodlatte, Bob [VA-6] – 10/26/2011
Rep Griffin, Tim [AR-2] – 10/26/2011
Rep King, Peter T. [NY-3] – 11/3/2011
Rep Lujan, Ben Ray [NM-3] – 11/14/2011
Rep Marino, Tom [PA-10] – 11/3/2011
Rep Nunnelee, Alan [MS-1] – 11/3/2011
Rep Owens, William L. [NY-23] – 11/14/2011
Rep Ross, Dennis [FL-12] – 10/26/2011
Rep Scalise, Steve [LA-1] – 11/14/2011
Rep Schiff, Adam B. [CA-29] – 10/26/2011
Rep Terry, Lee [NE-2] – 10/26/2011
Rep Wasserman Schultz, Debbie [FL-20] – 11/3/2011
Rep Watt, Melvin L. [NC-12] – 11/3/2011

Posted at 07:54:21 GMT-0700

Category: Politics

Oh Google… you’re so cute.

Friday, November 4, 2011 

Sure you’re the largest data harvester in the world and you’ve convinced more people than even Microsoft to migrate their personal and business data away from their relatively secure and relatively private personal computers and company servers onto your public, ephemeral servers where you make their data available to every government in the world you do business with and all the hackers in China, and even in those circumstances where you do actually provide some measure of security, your services have helped eliminate any residual rational discomfort people might have had about giving Big Brother direct editorial review of every communication they have, every document they create, every question they think about. More than any other company, if only by dint of your scale, you have made an Orwellian informational panopticon reality.

But who can stay mad when you’re so damn cute.  Barrel roll :-)

Posted at 03:51:05 GMT-0700

Category: Funny, Politics

Fight ProtectIP/SOPA

Thursday, October 27, 2011 

I am a constituent and I urge you to reject the Internet Blacklist Bills (PROTECT IP Act in the Senate and the Stop Online Piracy Act in the House).

This bill is deeply, deeply flawed and fails completely to live up to the fundamental constitutional basis for copyright: “to promote the progress of science and the useful arts.”

I am deeply concerned by the danger these bills pose to Internet security, free speech online, and innovation. The Internet Blacklist Legislation is dangerous and short-sighted, and I urge you to join Senator Wyden and other members of Congress in opposing it.

If this bill passes, the entire “middle class” of moderately successful collaborative and user-generated sites will be driven out of the internet. The 1% sites like Google or Facebook can afford tier one lawyers to protect themselves from the prima facie unconstitutionality of this absurdly ill-considered bill, but the vast 99% can’t afford the legal resources or the infrastructure resources this bill mandates and they will vanish, hobbling the internet as the most fruitful incubator of science and the useful arts so far created.

Promote science and the useful arts by blocking ProtectIP/SOPA.

Posted at 16:19:49 GMT-0700

Category: Negative, Politics