At the very dawn of the blogosphere, Ken Layne gave voice to what became a war cry heard across the internet: “We can fact check your ass”… and being American, he was not referring to examining the veracity of donkeys.
And that continues to be true, with that ethos is being applied by sites such DeepFreeze (dealing with Gamergate) and of course Guido (who has a category of his own in the sidebar). The internet never forgets, but it sure helps to have those memories nicely collated.
I am certain it comes as no surprise to Samizdata readers that States are interested in penetrating your computers and stealing private communications without bothering about the legal niceties of search warrants issued by judges whom they do not own. But some things come as a surprise to even those of us who watch such things. I had not heard of this particular attack before. Spoofing, in conjunction with other attacks to pin down the real source while the spoofer gets in, have been around awhile. Some were dependant on analysis of the generated packet sequence numbers to allow a complete hijack.
None seem as practical as the web page substitution technique discussed in this Wired article. It is somewhat technical but useful reading if you want to keep up with what the enemies of liberty and rule of law are up to. Even more importantly, the article shows there are ways of keeping the bad guys out of your computers. The method may not be as satisfying as dropping a nuke on the SOB’s, but hey, you work with what you got.
This evening I went to a well attended informal meet-up in Islington of #GamerGate supporters. This proved to be very interesting indeed, hearing what by any reasonably definition were ‘libertarian’ views about tolerance and objective truth being widely trumpeted, but being agreed on by people from a broad section of the political spectrum. I listened to a thoughtful self-described left-winger deliver an angry critique of the Guardian, not just their contra-evidence based reporting of #GamerGate, but also the deeply intolerant culture being propagated there. It appears such folks are not just shocked by what they see, they are serious pissed off by the ‘Social Justice Warriors’ doing it. The very rationally argued animus was palpable.
It seems clear to me that over the eight months #GamerGate has been going on, it is now leading diverse people to re-evaluate long standing social and political views and alliances. An articulate young lady I spoke with said she has lost friends over this, and now saw certain people very differently. Even if #GamerGate was over tomorrow (fat chance), there has clearly been a tectonic social event, and the aftershock is going to be felt for quite some time. New and very spontaneous networks are forming and it will be interesting to see where this leads.
As the world is ever more wired together, so too are the threats. So if Russian security companies like Kaspersky cannot be trusted when it comes to Russian state spying, and US companies like CrowdStrike and FireEye cannot be trusted when it comes to US state spying, seems to me that companies based in places like Finland, Switzerland or India might actually be able to parley that into a meaningful competitive advantage.
I anticipated something along those lines for quite some time myself.
The Internet is working well, so it’s not obvious that the FCC needs to help it. American companies own 10 of the world’s 15 largest websites (Google, Amazon, and Facebook to name an obvious few); the United States has greater access to advanced cable and fiber networks than any large country except Japan; it was the first to deploy advanced 4G/LTE mobile networks; it has more smartphones than anywhere else in the world; and it exports more digital goods per capita than any other nation.
These facts are indisputable, so they’re simply disregarded by the Internet regulation advocates campaigning for net neutrality. Among the arguments they use to make their case are that some foreign cities and small nations have built extremely speedy residential networks; many of these offer Internet services for a fraction of U.S. prices; rural American communities have slower and less reliable networks than cities do; and many older people have no interest in venturing onto the Internet at any price.
A core problem with these arguments is that they are, in truth, unrelated to net neutrality.
The FCC says it’s not passing new rules in hopes of improving the Internet but to preserve it as it is with “light touch regulations.” The agency is taking action because courts have voided all but a sliver of its three previous sets of rules. And President Obama raised the stakes by publicly urging the FCC to impose the “strongest possible rules” on the Internet to fill the regulatory vacuum.
– Richard Bennett
“Oh cool, lets drag this fascinating item of modern art inside our gates!
After all, we are technically savvy guys and not credulous fools.
What could possibly go wrong?”
It appears the government in Hungary wants to ensure than there is essentially no significant IT sector within their borders, with all the knock on joys to a modern economy that will bring.
Hungary’s government plans to levy a new tax on Internet data transfers, according to the draft 2015 tax bill submitted to parliament late on Tuesday, which could hit Internet providers and the country’s telecommunications companies.
The draft tax code contains a provision for Internet providers to pay 150 forints (60 US cents) in tax per gigabyte of data traffic, but would also allow companies to offset corporate income tax against the Internet tax.
To tax data is like subsidising idiocy by taxing insight. All states do amazingly stupid things but this one is a real doozy.
In a comment on my previous post, Mastiff wrote, “It is easier for me to buy stock in Microsoft than it is for me to buy equity in my friend’s clothing design business down the street, thanks to the state of securities law. So which will I tend to do?”
Which is a very good point indeed, and something I had not really considered that now seems obvious. It is just another way that large incumbents can use the state to stifle competition.
However, I have not read the Financial Conduct Authority’s policy statement on crowd funding, but there do seem to be some interesting ways of investing in small companies. Have a look at Abundance Generation, Seedrs, Bank To The Future and Crowdcube.
In the USA, there was the Jumpstart Our Business Startups Act, and Rock The Post offer startup investing.
Is this the start of something world-changing, or is it set to be stifled by too much regulation?
The Heartbleed bug is one of the more serious computer security vulnerabilities I have seen. It was discovered yesterday and is just starting to hit mainstream media now, so I will summarise my understanding of it.
It affects some web sites that use HTTPS secure connections. The purpose of HTTPS is, among other things, to encrypt data sent between your computer and the web server, so that anyone who sees the data in transit across the internet cannot read it. So it is used whenever you log in to a web site or enter personal information. You know you are using it when your web browser displays a little padlock icon somewhere.
The bug is in a software library that implements HTTPS, called OpenSSL. Not all web sites use this library, but many do. The bug affects certain versions of the library. Importantly, though, the bug has been in the library since December 2011, and has only recently been detected and fixed.
During this time, an attacker who knew about the bug could send a request to a web server, and get back some random information from the server’s memory that should not be public. This information could be almost anything known by the web server software. It is a lucky dip: the attacker can not choose what information he will get. Importantly, though, it can include server certificates, and user names and passwords of the web site’s users.
Having obtained a certificate, an attacker could spy on data transferred from the user to the web site, including passwords and any information entered. This is not trivial, but can be quite easy in certain circumstances. For example, anyone can sit in a coffee shop and intercept WiFi traffic of other customers using WiFi in the shop, but they will only get information about the other coffee shop customers. On the other hand, the NSA can presumably spy on all data sent to any web site. There will be attackers with levels of sophistication between these extremes. Normally a web browser will shout warnings at you if a HTTPS connection has been intercepted. Having a web site’s certificate enables an attacker to silence such warnings.
User names and passwords can also be obtained directly using the Heartbleed bug. This only happens on certain web sites, and the details retrieved are random. It is not possible to quickly obtain all details of all users. Rather, every time the attack is made, one or two users’ details might be revealed. That said, the attack can be repeated, and in two years it can be repeated a lot. So a determined attacker could gather details of many people in this time. This is real. Users on Reddit were claiming to have seen Yahoo Mail passwords as recently as a few hours ago. Right now, Yahoo Mail is fixed.
So what can you do? Realise that you are affected, but don’t panic. There is a very good chance none of your details have leaked. You can not be certain, but you already were not certain. There are likely many more security holes that are not yet common knowledge. However, on services that you have particularly sensitive information, it would be wise to first check that the bug has been fixed, and then change your password.
You can check if the bug currently affects a given service with an online tool. If the service is at all high profile, it is a fairly safe bet that it is already fixed. But you can not tell if your details or a service’s certificate have been leaked in the past. Unless a service takes action, credentials and certificates obtained in the last two years can still be used by attackers to log in or spy on communications. Hopefully web administrators will communicate whether they have been affected and whether they have changed their certificates, so watch for announcements.
When you change your passwords, now is a good time to stop using the same password for every service you use. Start using a password manager such as LastPass, 1Password or Password Safe. All of these are acceptably safe in my opinion, but there is some interesting discussion on this topic. The great thing is that a password manager will generate a different, random, impossible to guess password for each site you use, meaning that if someone does find out your password to one service, the damage is limited to that service.
If a service offers two factor authentication, where you use a smartphone app which generates an ever-changing code, use that, because it means knowing your password alone is useless to an attacker.
If you run a web server that uses HTTPS and handles users’ information, educate yourself, upgrade, and inform your users.
More generally, if you can possibly arrange to live your life under the assumption that everything you have ever done on the internet could become public knowledge tomorrow, you could save yourself a lot of trouble. Keeping secrets is hard.
The government lost the crypto-wars. Crypto is now freely available, but in a sense they won because there are so many ways at people’s data that bypass the cryptography. What we’re learning from the Snowden documents is not that the NSA and GCHQ can break cryptography but that they can very often render it irrelevant… They exploit bad implementations, bugs in hardware and software, default keys, weak keys, or they go in and break systems and steal data.
– Bruce Schneier
There is an interesting article in the Guardian titled US and UK spy agencies defeat privacy and security on the internet:
- NSA and GCHQ unlock encryption used to protect emails, banking and medical records
- $250m-a-year US program works covertly with tech companies to insert weaknesses into products
- Security experts say programs ‘undermine the fabric of the internet’
The second point is to me the most interesting as it suggest that open source is really the only way to fight back against this and as a result, I fully expect Open Source to eventually become illegal in the more panoptic parts of the world.
The first point however will be the driver of effective and widespread counter measures. The internet is simply too important to too many economic interests to allow the US and UK governments to have the ability to embed what will be catastrophic weaknesses in its underpinning architecture
The spooks are not stupid. There are two ways they can respond to this in a manner consistent with their current objectives. They can try to shut down the press — a distinct possibility within the UK, but still incredibly dangerous — or they can shut down the open internet, in order to stop the information leakage over that channel and, more ambitiously, to stop the public reading undesirable news.
I think they’re going for the latter option, although I doubt they can make it stick. Let me walk you through the early stages of what I think is going to happen.
In the UK it’s fairly obvious what the mechanism will be. Prime Minister David Cameron has thrown his weight behind mandatory opt-out porn filtering at an ISP level, to protect our children from a torrent of filth on the internet. (He’s turned to Chinese corporation Huawei for the tool in question.) All new domestic ISP customer accounts in the UK will be filtered by default, unless the owner opts out. There’s also the already-extant UK-wide child pornography filter operated by the Internet Watch Foundation, although its remit is limited to items that are probably illegal to possess (“probably” because that’s a determination for a court of law to make). And an existing mechanism — the Official Secrets Act — makes it an offense to possess, distribute, or publish state secrets. Traditionally newspapers were warned off certain state secrets by a process known as a Defense Advisory Notice, warning that publication would result in prosecution. It doesn’t take a huge leap of the imagination to foresee the creation of a law allowing for items subject to a DA-Notice to be filtered out of the internet via a national-level porn filter to protect the precious eyeballs of the citizenry from secrets that might trouble their little heads.
On the other hand, the UK may not have a First Amendment but it does have a strong tradition of press freedom, and there are signs that the government has already overreached itself. We’ll know things are really going to hell in a handbasket when The Guardian moves its editorial offices to Brazil …
– Charlie Stross