forkb0mb.org - Cryptography/Privacy

The nerd-net

nospam@example.com (TJE) — Fri, 03 Feb 2012 18:58:19 -0500

The nerd-net

Notice:

I do not yet have all of the hardware and networking gear set up on my network; so this is merely a description of what I'm looking to do, to gather some ideas and feedback, and then figure out how to proceed. If, after reading the details below, you want to join, or have suggestions, please let me know!

History / Ideas

I've been thinking about starting a "nerd net" for quite some time. I have many friends that use a Linux/*BSD machine at their border, and typically have some kind of services running inside the network. I'd like to link these networks together and share access to services. This opens up all kinds of possibilities...

Network

To avoid a single point of failure, and saturation of any one network's bandwidth, we would avoid linking in a hub-and-spoke fashion. Instead, I propose that we maintain a list of active nodes (essentially, each person's gateway box) and try to maintain at least 3 active VPN connections at a time. In other words, each node on the network would have a VPN tunnel to at least 3 other nodes. It would be very useful to have control of a DNS zone for maintaining this list. Each node would have it's own A record; say, mynode.domain.com. Each time a node wants to connect to the network, it would request the A record for something like connect.domain.com, which would hand out A records of each of the registered nodes in a round-robin fashion.

Authentication will be central in this; so some knowledge of SSL will be beneficial. I, and possibly a few key others, would maintain access to a CA signing key and the nodes would be authenticated to the network via certificates signed by that CA key. Any node that you attempt to connect to should trust you based on that certificate; and, based on the certificate presented, you should trust any connection attempt with a valid, signed certificate. I, and possibly others, can assist with any certificate-based configuration issues that you might have.

Routing

To allow for a private network that's going to be potentially changing topology on a regular basis, we'll need a routing protocol, such as RIPv2. For simplicity, each network would receive it's own /24 of RFC1918 space, with the gateway box running the VPN software being the "node" on the network. Most likely, you'd want to set up split-tunneling on the gateway box so that any requests going to the private network route over the VPN and the rest of your traffic (web surfing, email, etc) goes out your normal internet connection.

With each node on the network being connected to at least 3 other nodes at any given time, that requires us to keep track of the various routes from one network to another. Instead of trying to keep track of this by hand, we could easily set up RIPv2 and announce the routes we "know". I imagine using netblocks in the 172.16.0.0/12 range, with each network having a /24 and being multi-homed (connected to 3+ other nodes), there could potentially be several routes from one network to the other. A light-weight, distance-vector routing protocol like RIPv2 seems to be a good fit; open-source implementations, simple, and proven. The route to any network from yours would be the one with the least intermittent hops.

Another, more complex, possibility would be using OSPF and OpenBSD's open-source implementation. Given that each node will have different bandwidth, this may be a good idea to try.

Services and other ideas

This would be the whole reason for the network!

I would be interested in providing several services to the network, but not publicly. For one, a Linux- or FreeBSD-based shell server with access to the internet, compilers/development tools, documentation, email (anyone remember pine+procmail?), etc. A (small-ish) public web space to let people know that you're part of the network; something like Apache's mod_userdir. A blog application accessible only from within the nerd-net.

I would also maintain the internal network's intranet site. This could be a site used to post updates of system maintenance, new services being offered/tested, and a way to maintain an up-to-date list of all of the nodes.

A private IRC server is definitely on the TODO list. Any and all bots would be allowed; if anyone would be interested in linking the IRC daemons, I'll likely be using the Blackened or UltimateIRCd.

I could provide SMTP services for the network. If we find a zone to use, I can provide email services for that zone. Technically, unlimited user@zone email addresses. I would also be willing to host DNS services for the internal network; providing dynamic DNS and a "view" for those coming in via the network.

Another service I'd consider offering would be your own PostgreSQL database for development and testing. A big part of what I envision for this network is that it'll be a big collection of computer-savvy geeks; what better place to deploy and test code than on a network inhabited solely by those with the clue to help you in debugging, vuln testing, etc.

Other possibilities include shared-CPU time using tools like distcc(1). Maybe remote storage (NFS/iSCSI)?

Requirements

a public IP address to allow for incoming VPN connection requests

a Unix-like machine (Linux, Solaris, *BSD, MacOS/X)

OpenSWAN, FreeSWAN, OpenVPN, etc for creating the VPN

Zebra for RIPv2, OpenBSD OpenOSPFd for routing

Benefits

The benefits of a private network are many, and extend beyond just the sharing of services. This is a chance to build a real-world, potentially large-scale network with changing topology. Any member wishing to add/configure new services or features is welcomed to; and the services could be advertised/listed on the internal network's intranet site.

Other benefits include the ability to policy-route certain traffic. For instance, I would be interested in routing my DNS traffic over the VPN to be routed out someone else's connection; it's low traffic, but my ISP mangles my DNS traffic to route to their servers regardless of what server I point to. Such configuration could even be set up where my DNS traffic goes out through a different VPN's node each time (i.e., a type of load-balancing).

Responsibilities

As the network uses a VPN to set up, exactly what it is, a Virtual Private Network, we should seek to keep the network private. Configuring an Apache reverse-proxy, or some type of port-forward from your external IP address into the network would be frowned upon. Any need to create such accesses for the outside should be discussed with the entire group, and hopefully some sort of consensus reached.

It would also be the responsibility of each node's owner to keep the machine secure and up-to-date. Any breach of one of the nodes would lead to an open route to the network.

Users/Networks

I will create the CA key used to sign all certificates used to access the VPN; but, as I do not wish to be the sole decider in who is allowed on the network and who is not, I plan to create a handful of sub-CA certificates to be distributed to trusted associates who may also sign certificates for potential users. If you've been given a sub-CA certificate, you're being trusted to know who you're letting into our private little clubhouse. :) Using multiple sub-CA certificates will also allow for anyone to validate who provided access for this particular user/network; and the ability to revoke access as necessary (hoping that it wouldn't ever become necessary).

Conclusion

A "nerd net" would be a fun project to gather a bunch of us geeks together and share services. This is the first time I'm really throwing the idea out there (beyond mentioning it to a few people here and there), so if anyone else thinks it would be fun, get ahold of me!

Tunneling nmap through Tor

nospam@example.com (TJE) — Thu, 28 Jul 2011 12:11:34 -0400

Tunneling nmap through Tor

I looked at how to reduce your exposure using Tor earlier in the week. We installed Tor and Privoxy and configured our system to browse the Internet anonymously. We can use Tor and another great program called proxychains to Torify our network scans with nmap.

/*
I checked this out and it seems to work well. Other than the fact that Tor doesn't seem to carry UDP traffic (other than DNS) or ICMP traffic, you're limited to TCP traffic alone, which isn't too much of a limitation.

It is a little slow getting your scan results back - especially if you don't pass -p<port1>,<port2> to nmap(1), but it's certainly more secure than just trying to use an open proxy server out on the 'net.

All in all, a neat trick.
*/

Common Threads: OpenSSH Key Management, part One

nospam@example.com (TJE) — Sun, 16 Jan 2011 16:03:46 -0500

Common Threads: OpenSSH Key Management, part One

Many of us use the excellent OpenSSH [...] as a secure, encrypted replacement for the venerable telnet and rsh commands. One of OpenSSH's more intriguing features is its ability to authenticate users using the RSA and DSA authentication protocols, which are based on a pair of complementary numerical keys. As one of its main appeals, RSA and DSA authentication promise the capability of establishing connections to remote systems without supplying a password. While this is appealing, new OpenSSH users often configure RSA/DSA the quick and dirty way, resulting in passwordless logins, but opening up a big security hole in the process.

/*
Yet another of the DeveloperWorks! series. I love these articles.

The vulnerability in question has to do with pub-key (RSA/DSA) authentication and leaving a null/blank passphrase on the keypair. This article describes how to configure ssh-agent to cache the decrypted private keys so you only have to type the passphrase once per session. This has the benefit of allowing you to use scripted SSH logins without being prompted for a password, but also means that the keypair is still relatively secure even if someone else manages to compromise them via the filesystem.
*/

OpenSSH's RSA and DSA authentication protocols are based on a pair of specially generated cryptographic keys, called the private key and the public key. The advantage of using these key-based authentication systems is that in many cases, it's possible to establish secure connections without having to manually type in a password.

While the key-based authentication protocols are relatively secure, problems arise when users take certain shortcuts in the name of convenience, without fully understanding their security implications. In this article, we'll take a good look at how to correctly use RSA and DSA authentication protocols without exposing ourselves to any unnecessary security risks. In my next article, I'll show you how to use ssh-agent to cache decrypted private keys, and introduce keychain, an ssh-agent front-end that offers a number of convenience advantages without sacrificing security.

/*
A more in-depth description of what I mentioned above.

Highlights include:

What is RSA/DSA authentication?

How RSA/DSA keys work

Two observations

ssh-keygen up close

The quick compromise

RSA key pair generation

RSA public key install

DSA key generation

DSA public key install

For those already familiar with ssh-agent(1) - which you should be - then you can skip ahead to Part Two and Part Three.
*/

Linux Software RAID 1 Setup

nospam@example.com (TJE) — Sun, 31 Oct 2010 06:27:03 -0400

Linux Software RAID 1 Setup

/*
This is the article I used in creating my 2-device (2 x 250 GB SATA) RAID1 in my desktop.

The documentation is fairly straight-forward and easy to follow. One thing this article assumes is that you're going to boot off a soft-RAID. This was not the case in my scenario; I just wanted a redundant storage slice.

Now, to enable crypto on the slice.
*/

Secret Forum Reveals Oz Firewall Backroom Dealing

nospam@example.com (TJE) — Mon, 17 May 2010 00:56:52 -0400

Secret Forum Reveals Oz Firewall Backroom Dealing

Circumvention legal, but you can't tell anyone how[.]

/*
Emphasis is theirs.

Now say what? It will be legal to circumvent (technical details at the bottom), but illegal to explain to someone else how to perform this perfectly legal configuration. I wonder how this might affect a corporate or ISP helpdesk perform VPN connectivity setup?
*/

Australia’s plans for a firewall to protect its population from smut on the internet are rapidly evolving from farce to total chaos. Weekly revelations on bulletin boards suggest that Stephen Conroy, the man behind the big idea, does not know what forthcoming legislation on the topic will say, when it will be introduced or how the firewall will work in practice.

/*
This time, emphasis is mine. I want to continue to point out how big of an asshat this particular Australian politician is. He is the "Minister for Broadband, Communications and the Digital Economy." He's the one that floated the idea of this nation-wide "firewall" (which is technically a proxy since it will be filtering at layer 7 - hence the technical problems) to "protect" citizens from illegal, immoral, or "dangerous" content. This is nearly the same thing the Chinese and Iranians are doing, just using layer 7 proxy devices instead of what's assumed to be basic layer 3 IP filtering of destination hosts. Skip to the very end of the post for the technical details behind this.

To say this whole thing began as a farce is hitting the nail right on the head.
*/

Meanwhile, it turns out that the Minister’s own Department of Broadband, Communications and the Digital Economy (DBCDE) has been hosting a secret forum for discussions with ISPs likely to be affected by proposals. Along the way it floated the idea of making it a crime to advise surfers on how to do things that are perfectly legal to do. Confused? You will be.

First up is the time scale for plans to introduce the new firewall. As already reported, the question of when legislation will be introduced has now been bouncing between the offices of Prime Minister Kevin Rudd and Communications Minister Stephen Conroy. Severe wriggling from Conroy’s office suggests that plans for an early introduction of legislation have been put on the back burner for now.

/*
Conroy wants to shelve the legislation until after the elections. He's technically incompetent, but he's smart enough to realize that this is going to be a screw-up of biblical proportions and it will likely cost him the election. It's "on the back burner for now," but it's by no means dead.
*/

Meanwhile further digging inside this forum revealed that departmental officials appear to have been discussing the possibility of making it a criminal offen[s]e to advise individuals of means that would enable them to circumvent the filter – even where the means themselves were perfectly legal.

/*
I would say that this equates to information being illegal. In a way, that's in the same league as banning books.
*/

As the EFA suggests, this answer raises more issues than it addresses, and relies on the degradation of the Australian network being gradual, rather than catastrophic. It does appear, however, that the government has no plans to deal with a possible overload of its firewall bringing the Australian internet to its knees – beyond setting up a review when such an event actually happens.

/*
Why should there be any degradation of bandwidth at all? I suspect that if this goes through, there's going to be a noticeable difference in download speeds and initial access to websites.
*/

/*
Details:

Circumvention:
Circumvention of these filters will be trivial; you can wrap your request in SSL (such as https:// if the website supports it), by using a VPN provider outside Australia (many more found on the link for the word "using"), by using Tor (which uses a technique known as Onion Routing), or even by viewing blocked pages via the Google cache.

Technical Considerations:
This filtering is to take place with proxies (at the Application [7] layer) as opposed to the traditional large-scale deployments of firewalls (at the Network [3] and Transport [4]) layers). The deeper you have to inspect a packet, the more CPU and memory required to process the filters. It costs - in many ways, from actual dollars for the hardware and software, to performance impact, to configuration complexity to man-hours of maintenance - considerably more to filter at layer 7 with a proxy than layers 3/4 with a firewall.

The one benefit to filtering at layer 7 is that you block only what is intended to be blocked. In today's world (where we've been running out of IPv4 space for a dacade now) a lot of websites are configured using virtual hosts. This allows web hosting providers to host a virtually unlimited number of websites on a single IP address. Let's say there are two websites, both hosted on the same virtual host IP address, where one is banned and the other is not:

www.bannedwebsite.co.au (banned)
www.momsrecipies.co.au (allowed)

With a layer 7 proxy, when the user attempts to reach a website, the proxy intercepts the request, checks the request (including hostname and URI), and then either blocks the request, or requests the page on behalf of the end-user and returns her the requested webpage. So your mom can still access www.momsrecipes.co.au while nobody can access www.bannedwebsite.co.au. With a proxy, you can return HTML to the end-user explaining why access to this particular website is blocked and possibly a method of contact to dispute the denial of access.

Pros:
() Finer-grained control of what's filtered
() Less "false positives"
Cons:
() Expensive in many aspects (mentioned above)
() Complex configuration
() Considerable service impact due to use of DPI at Application [7] layer
() Slightly easier to circumvent; using https is the only circumvention measure mentioned that does not tend to work with the firewall approach - the rest should work against both types

With a layer 3/4 firewall, access to the virtual host IP address (or even the subnet it's part of) will be blocked. When anyone tries to go to www.bannedwebsite.co.au, they are unable to, which is the intended result. They will get a different error; the browser will just report that website was unreachable. End of explanation. If anyone tries to go to www.momsrecipies.co.au, they will also be denied with the same uninformative unreachable error. Since both websites are on the same IP address, the firewall has no way of knowing which website you're looking for, so it blocks everything.

Pros:
() Cheaper to deploy
() Simpler configuration - hundreds of hosts/subnets vs. thousands of hostnames
() Can often be implemented on existing hardware - edge or core routers utilization IP ACLs
() Faster, more responsive access to allowed websites; less service impact
Cons:
() Collateral damage - legitimate sites on the same virtual host as banned site are also blocked
() Slightly more difficult to circumvent (a websites https site will likely be in the same blocked subnet)

Comparison with Other Instances of State-Controlled Internet Access:
I see three major differences in the Australian proposal as opposed to the other major regimes implementing state-wide filtering of websites (China and Iran). They are as follows:

The use of layer 7 proxies instead of layer 3/4 firewalls and route filtering

In China and Iran the responsibility of implementing and maintaining the filters rests on the tier-1 to tier-2 network providers who bring capacity into the country. By filtering at this level, you are enforcing that ISPs block these sites along with everyone else in the country. By placing the responsibility on the ISP, who provides the access to the end-user, you are going to find that ISPs (a) will add/remove entries from the blocked list to fit their own agendas; (b) will suffer varying performance impact and quality of service based on their investment in the filtering technology and correctness of the implementation; (c) will raise prices to pay for increased hardware/software components, man-hours maintaining the systems, and extra capacity required to maintain a reasonable quality of service; and (d) some will become popular with a certain customer base due to being lax in their filter list updates and tendency to allow some banned content.

Another side effect of this proposal, from an economic standpoint, is that it is likely to put smaller ISPs out of business. Instead of putting the smaller burden on the backbone providers, with considerably more capital, it will place a more expensive burden on ISPs with less resources at their disposal. If these filters become legally mandatory, this will likely put smaller ISPs out of business. A smaller provider may not have access to the resources (money, manpower, and know-how) to meet these requirements and will thus have to shut down operations.

The third difference is in the legality and enforcement of the filters. In the Australian proposal, it will be legal to circumvent the filters provided you know how. In China, they are known for randomly allowing then blocking then allowing access to certain websites and enforcement is relatively low. Occasionally they will decide to make an example of someone, and they will end up in prison. In Iran, enforcement is rather strong, with penalties ranging from prison time to possibly "disappearing".

Other Thoughts:
There is one other somewhat commonly used filtering technique involving DNS. The ISP or corporate gateway will transparently route all DNS requests by the end-user to DNS servers under their control. The DNS servers will be configured as authoritative for the blocked domains; typically configured to return an IP address that connects you to a website telling you that your access is blocked and possibly why. This is similar to the Walled Garden approach.

*/

European Swift Bank Data Ban Angers U.S.

nospam@example.com (TJE) — Fri, 12 Feb 2010 01:25:18 -0500

European Swift Bank Data Ban Angers U.S.

The European Parliament has blocked a key agreement that allows the United States to monitor Europeans' bank transactions - angering Washington.

/*
I'm sure the nanotech engineers are currently working on the world's tiniest violin.
*/

The US started accessing Swift data after the 11 September 2001 terror attacks on New York and Washington.

But the fact that the US was secretly accessing such data did not come to light until 2006.

/*
My fear is not that this data mining was used to track terrorists; far from it. I'm inclined to believe that this monitoring was used for other purposes. Purposes such as finding and prosecuting tax cheats. That, in itself, isn't a bad thing either. My belief is that the only tax cheats that will be prosecuted will be the ones who failed to line the campaign coffers of our elected officials; the ones who've paid off the right people will continue to get away with whatever it is they're getting away with.
*/

Swift handles millions of transactions daily between banks and other financial institutions worldwide. It holds the data of some 8,000 banks and operates in 200 countries.

TSA Withdraws Subpoenas Against Bloggers

nospam@example.com (TJE) — Fri, 01 Jan 2010 18:04:50 -0500

TSA Withdraws Subpoenas Against Bloggers

In the wake of public outcry against the Transportation Security Administration for serving civil subpoenas on two bloggers, the government agency has canceled the legal action and apologized for the strong-arm tactics agents used.

Travel writer and photographer Steven Frischling, who was served with a subpoena by two TSA agents on Tuesday, told Threat Level that he received a phone call Thursday evening from John Drennan, deputy chief counsel for enforcement at TSA, telling him the administration was withdrawing its subpoena.

/*
"Strong-arm tactics;" couldn't have said it better myself. I'm glad to hear that, given the publicity, they decided that they didn't want the negative PR and would do The Right Thing(tm). If only every case of over-reaching abuse of power could get this level of publicity. Sadly, people's privacy rights are trampled nearly every day, it just doesn't get the press that this case did.

In case you missed it, Slashdot linked to an article on the New York Times regarding the TSA subpoenas entitled "TSA Subpoenas Bloggers, Demands Names of Sources". You may want to read it first to familiarize yourself with the issue before reading the article about the TSA withdrawing the subpoenas.
*/

...

A second blogger who was also served a subpoena on Tuesday, Christopher Elliott, was also told his subpoena was being withdrawn. Elliott had refused to cooperate with the agent who served him the subpoena and had indicated to the TSA that he would be challenging the subpoena in federal court next week.

..

Frischling said the two agents who visited him arrived around 7 p.m. Tuesday, were armed and threatened him with a criminal search warrant if he didn’t provide the name of his source. They also indicated they could get him designated a security risk, which would make it difficult for him to travel and do his job.

"They came to the door and immediately were asking, 'Who gave you this document?, Why did you publish the document?' and 'I don’t think you know how much trouble you’re in.' It was very much a hardball tactic," he told Threat Level.

/*
So much for the First Amendment which includes freedom of the press. Granted, he was not obligated under any law to turn over the name(s) of his source(s), but they made it clear that if he did not cooperate, they would make his life unnecessarily difficult.
*/

The agents searched through Frischling’s BlackBerry and iPhone and questioned him about a number of phone numbers and messages in the devices.

The agents then tried to image his hard drive, but were unable to do so.

/*
There goes the Fourth Amendment, as well. The Fourth Amendment states, and I quote: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, ..."
*/

/*
I have the utmost respect for those who protect us from would-be attackers; I just feel that they go about it in the wrong way and overstep their boundaries. The TSA, CIA, NSA, FBI, and ATF have to be right every single time; while an attacker only needs to be right 1 time to be effective. That certainly makes the job of those who protect us very difficult.

"An ounce of prevention is worth a pound of cure" is most certainly true; but it also doesn't make sense to use a cannon to kill a mosquito.

If I were to be traveling, I would use the internet to transfer all files to before heading to the airport, and use strong encryption on my hard drive. That way, I am not entering the airport with any data on my computer, and anything left on the hard drive for the operating system and applications would be inaccessible due to the strong encryption. Unfortunately, if they cannot access the data easily, I believe the TSA has the ability (but I don't think the right) to confiscate your laptop indefinitely. If it takes them a thousand years to break your encryption and search your data - only to find nothing of use - you may never get your equipment back. Might I recommend GPG (for files) and the Linux cryptoloop driver (for file-systems - I recommend at least AES-256, if not AES-384, AES-512, or Twofish - all of which available in the Linux kernel)? It appears that FreeBSD also supports encrypted partitions. A Google search reveals several options for protecting your privacy on Windows; one appears to be a feature built into Windows XP, though I'm not sure I'd trust it to be free of back-doors. If you're looking for free, you might look into TrueCrypt. DISCLAIMER: I've never used TrueCrypt myself, so I cannot comment on it's features.
*/

Two Centuries On, a Cryptologist Cracks a Presidential Code

nospam@example.com (TJE) — Fri, 03 Jul 2009 01:12:14 -0400

Two Centuries On, a Cryptologist Cracks a Presidential Code

For more than 200 years, buried deep within Thomas Jefferson's correspondence and papers, there lay a mysterious cipher -- a coded message that appears to have remained unsolved. Until now.

/*
An interesting read; a mix of cryptography and history.
*/

C Secure Coding Tasks, Skills and Knowledge

nospam@example.com (TJE) — Sat, 17 Jan 2009 04:04:25 -0500

GSSP (GIAC Secure Software Programmer): C Secure Coding Tasks, Skills and Knowledge

/*
This is a PDF file from the SANS Institute on secure C-coding practices.
From the PDF...
*/

This document enumerates common C coding tasks and identifies rules, recommendations, and guidelines for accomplishing these tasks securely.

/*
A lot of the material I've seen so far has been common-sense stuff (input validation, mistrust of environment variables, etc), but it's nice having it in a form not unlike a checklist. You write a new function or new class, and then run down the list; making sure you've followed each item. There's also one of these for Java ("booo") and .Net ("hisssssss").

Weighing in at only 10 pages, I think this one is worth wasting dead trees on.
*/

DNA Database Violates Privacy

nospam@example.com (TJE) — Fri, 05 Dec 2008 04:50:45 -0500

DNA Database Violates Privacy

/*
All I'll say is you're damn right it does.
*/

Europe's human rights court ruled on Thursday that Britain had violated two people's privacy by storing their DNA profiles, even though they had not been convicted of a crime.

The decision calls into question rules governing use of the DNA database under which police can take samples from anyone arrested for a recordable offence.

Civil liberties groups jumped on the ruling to demand a change in the law, which the government rejected.

/*
It's nice to see someone trying to put things in check over there. While I've never been to England, everything I see and read tells of more cameras and massive databases. Seems very Orwellian to me.
*/

New CAPTCHA Concepts

nospam@example.com (TJE) — Wed, 16 Jul 2008 03:54:48 -0400

/*
There was an article on Slashdot earlier today bemoaning the uselessness of CAPTCHAs. While I don't agree that they're useless, they have been fairly fruitless at stopping comment spam on my blog here.

The article mentions two possible "successors" to the standard image and audio CAPTCHA, let's take a look at them.

The good:
This one comes from a site called spamfizzle.com. Their approach to going beyond the standard 2-dimensional image is to go 3D. Each object in a scene will be represented by a letter. Hundreds, if not thousands, of 3D images can be created using the exact same 3D "scene" but shown from different angles and with different lighting sources. You will then be required to enter, in order, the letter on the cat's tail, the letter in the upper left window pane, and the number of branches on the tree. Using only letters, no numbers, the possible combinations of the CAPTCHAs requiring only 3 letters is as follows: 26*25*24 = 15,600. At 4 letters, it becomes 358,800 possibilities. At 5 letters, it's now 7,893,600 possible combinations. There are also several other features that make nuking CAPTCHA-cracking programs obsolete within minutes; as well as features for making it easier for humans to work with. I really don't feel that I can do justice to this article by summarizing it here. I strongly encourage you to read the article itself (even though it is hosted on a Windows platform).

The bad:
This site requires that you really know your math. How many people are going to know enough geometry, trigonometry, and calculus to figure out this challenge/response?

The ugly:
What can I say?
*/

Seizing Laptops and Cameras Without Cause

nospam@example.com (TJE) — Thu, 26 Jun 2008 02:13:36 -0400

Seizing Laptops and Cameras Without Cause

Returning from a brief vacation to Germany in February, Bill Hogan was selected for additional screening by customs officials at Dulles International Airport outside Washington, D.C. Agents searched Hogan's luggage and then popped an unexpected question: Was he carrying any digital media cards or drives in his pockets? "Then they told me that they were impounding my laptop," says Hogan, a freelance investigative reporter whose recent stories have ranged from the origins of the Iraq war to the impact of money in presidential politics.

Shaken by the encounter, Hogan says he left the airport and examined his bags, finding that the agents had also removed and inspected the memory card from his digital camera. [...] When customs offered to return the machine nearly two weeks later, Hogan told them to ship it to his lawyer.

...

Citing those lawsuits, Customs and Border Protection, a division of the Department of Homeland Security, refuses to say exactly how common the practice is, how many computers, portable storage drives, and BlackBerries have been inspected and confiscated, or what happens to the devices once they are seized. Congressional investigators and plaintiffs involved in lawsuits believe that digital copies -- so-called "mirror images" of drives -- are sometimes made of materials after they are seized by customs.

...

"As a businessperson returning to the U.S., you may find yourself effectively locked out of your electronic office indefinitely." While Hogan had his computer returned after only a few days, others say they have had theirs held for months at a time. As a result, some companies have instituted policies that require employees to travel with clean machines: free of corporate data.

/*
This is one of the likely scenarios I would use if I was to travel abroad with my laptop and/or digital camera. I'd upload everything to a machine at home while I'm away, and work exclusively off shared-storage applications (i.e., Google Apps, Wiki, etc). When I came back through customs, the camera would be blank, and the laptop would be stock-as-a-rock. I don't think I could let them take the laptop, I think that could turn into a bad situation.
*/

The security value of the program is unclear, critics say, while the threats to business and privacy are substantial. If drives are being copied, customs officials are potentially duplicating corporate secrets, legal records, financial data, medical files, and personal E-mails and photographs as well as stored passwords for accounts from Netflix to Bank of America. DHS contends that travelers' computers can also contain child pornography, intellectual property offenses, or terrorist secrets.

/*
Now this is assuming you're running that one OS. ;) My laptop might be a little more difficult for them to "duplicate" things off of.

This brings me to my other idea. Encrypt the entire disk. Many Linux distributions now support a cryptoloop root file-system (using an initrd).

Notice how they manage to bring out three of the Four Horsemen of the Apocalypse. They forgot the drug dealers out there on the internet.
*/

It makes practical sense to X-ray the contents of checked and carry-on luggage, which could pose an immediate danger to airplanes and their passengers. "Generally speaking, customs officials do not go through briefcases to review and copy paper business records or personal diaries, which is apparently what they are now doing now in digital form -- these PDA's don't have bombs in them," says Marc Rotenberg, executive director of the Electronic Privacy Information Center.

/*
Neither does hair gel, but apparently that's a problem, too. If they're worried about the PDAs, cameras, and laptops, just let the dogs sniff 'em. That's all they need to know about what's on my digital devices.
*/

More troubling is what could happen if other countries follow the lead of the United States. Imagine, for instance, if China or Russia began a program to seize and duplicate the contents of traveler's laptops. "We wouldn't be in a position to strongly object to that type of behavior," Rotenberg says.

Indeed, visitors to the Beijing Olympic Games have been officially advised by U.S. officials that their laptops may be targeted for duplication or bugging by Chinese government spies hoping to steal business and trade secrets.

/*
How is it that these asshats get to host the Olympics? Maybe it's just me, but if I'm in a situation where I think someone is trying to "steal my secrets," I would remove myself from that situation as quickly as possible. We're told we can't trust them, but we're having a world-class event there?
*/

Steganography of VoIP Streams

nospam@example.com (TJE) — Tue, 10 Jun 2008 23:05:06 -0400

Steganography of VoIP Streams

In this paper, we circumscribe available steganographic techniques that can be used for creating covert channels for VoIP (Voice over Internet Protocol) streams. Apart from characterizing existing steganographic methods we provide new insights by presenting two new techniques.

First one is network steganography solution and exploits free/unused fields of the RTCP (Real-Time Control Protocol) and RTP (Real-Time Transport Protocol) protocols. The second method provides hybrid storage-timing covert channel by utilizing delayed audio packets.

The results of the experiment, that was performed, regardless of steganalysis, to estimate a total amount of data that can be covertly transferred in VoIP RTP stream during the typical call, are also included in this article.

/*
I've reformatted the overview here for readability. This is a truly brilliant idea. I'm already a huge fan of cryptography; steganography in particular. There are plenty of applications out there for "hiding" messages in the least-significant-bits of images, MP3s, and several other file formats. This article brings steganography into the realm of real-time, two-way communication.

I've not yet had the chance to read the entire paper (16 pages), but it's loaded with formulas and figures that should give you a fairly realistic estimate of exactly how much bandwidth you have. The conclusion states that they were able to achieve 1.3 Mbit/sec of one-way throughput. A typical POTS telephone line requires only 64 Kbit/sec to carry voice.

Picture this: The modem in your computer places an outbound call, you pick up your headset and put it on. The other end answers, and you're immediately placed on hold. Are you? While you're listening to the muzak on the other end, your computer is pulling out bits here and there. You hear a voice say "Hello?" You speak, and the "hold" music stops; now your computer is playing music to the other party. The person on the other end hears your voice, and upon recognizing it, responds with a hearty "hello!"

Couple this technique with a strong, public-key-based encryption algorithm and you've got truly secure real-time communication. Using this technique in combination with strong cryptography makes your conversation exponentially more secure. Obfuscated amongst the elevator music playing back and forth is PKI-encrypted voice. Assuming someone is snooping on your communications, this in itself makes it difficult to detect the "out of band" voice chatter. With the added benefits of PKI cryptography, you have the ultimate in caller ID (only the caller's public key would decrypt any useful voice data; and in theory, only the caller would have access to their private key to encrypt that voice data), confidentiality to an extreme degree, and guaranteed integrity (any altered data would not checksum out correctly and would immediately be identified as having been altered).

I would expect to see some implementation of this theory very soon. A likely project to be "first to market" with it would be Asterisk.
*/

Bank Loses Tapes with Data on 4.5M Clients

nospam@example.com (TJE) — Sat, 31 May 2008 19:10:31 -0400

Bank Loses Tapes with Data on 4.5M Clients

Bank of New York Mellon Corp. officials last week confirmed that a box of unencrypted data storage tapes holding personal information of more than 4.5 million individuals was lost more than three months ago by a third-party vendor during transport to an off-site facility.

The bank informed the Connecticut State Attorney General's Office that the tapes belonging to its BNY Mellon Shareowner Services division were lost in transport by off-site storage firm Archive America on Feb. 27. The missing backup tapes include names, birth dates, Social Security numbers, and other information from customers of BNY Mellon and the People's United Bank in Bridgeport, Conn., according to a statement by Connecticut Attorney General Richard Blumenthal.

/*
Well, it looks like the government doesn't have the monopoly on data loss these days. If I were to hire a "third-party vendor" to transport and store my backups, I'd insist on unlimited liability in the contract. I'd also encrypt the data on the tapes. Strong crypto is easily obtainable in the U.S.; it's often free in software form, and relatively cheap in hardware form, especially when compared to the cost of a loss of data such as this.

No doubt that BoNYMC's PR machine is going into high-gear at this very moment. Expect to see plenty of commercials for them on TV in the coming months. They have a lot of negative publicity to drown out.
*/

BNY Mellon Shareowner Services, which includes handling employee stock option plans, said that it has begun notifying affected clients. It contended that none of the unencrypted data has been accessed or used.

/*
Now with the data being unencrypted, and the tapes being "lost," how do they have any assurance that this data has not been accessed or used? I say they are in "damage control" mode, saying anything they can to save face. They have absolutely no way of verifying that this information is not in the wrong hands; likely the hands of identity thieves.
*/

Blumenthal said that the bank's offer of a year of freed credit monitoring to those affected by the breach is "grossly inadequate." He also slammed the bank for not promptly notifying customers of the security breach.

/*
A year's worth of free credit monitoring is essentially equivalent to calling the police after having your home burglarized, only to have them show up and say "yeah, we'll watch your house for the next year, but we can only notify you that you've been burglarized again after the fact." There is absolutely no deterrent here, only letting you know that you've been compromised after-the-fact.

This is truly sickening. It seems that the only people safe these days are the illegal immigrants that don't have social security numbers and are unable to get credit already. I guess they can't steal from you what you don't have. For the rest of us, it appears that it's only a matter of time.
*/

AJAX Security Tools

nospam@example.com (TJE) — Sat, 31 May 2008 18:51:25 -0400

AJAX Security Tools

Certain vulnerabilities within Ajax applications can allow malicious hackers to reek havoc with your applications. Identity theft, unprotected access to sensitive information, browser crashes, defacement of Web applications, and Denial of Service attacks are just a few of the potential disasters Ajax applications can be prone to and which developers need to guard against when building Ajax capabilities into their applications.

/*
This DeveloperWorks article has some interesting tools. One, aSSL, is an AJAX add-on that allows you to tunnel your AJAX requests back to the server over AES encryption. Very nice. It's licensed under the MIT license.

There are also links to several Firefox add-ons and extensions, such as Session Manager, that allows you to re-establish sessions on demand.
*/