Category Archives: Security

Digital Economy? Disingenuous Explanation.

Posted on by
Reply

It’s election time in the UK. This will probably not be the last political post I make here in the next few weeks.

At least this one is still heavily tech-related. It’s about the Digital Economy Act, which I wrote an angry letter to my MP about. (Incidentally – no response to that latter, although he has contacted me on Twitter asking to explain himself.)

One of the provisions in the Act was to allow disconnection of ‘persistent’ file-sharers. That’s people who have been caught by the BPI and other rights holder groups and have had a series of increasingly sternly-worded letters posted, or possibly just emailed, out to them. There is no court involved in this procedure, and if you want to appeal it you’ll have to pay the costs yourself – legal aid is not available.

It’s basically a presumption of guilt based on the say-so of a commercial organisation, and is pretty appalling. That’s why Willie Rennie’s lost my vote, even pushing me to reach out to the Labour candidate (who sadly doesn’t reply to his email).

When defending this provision the government has always made it clear that this would only be used as a last resort against the most persistent offenders. It’s not something that ‘normal people’ would ever have to be concerned with. I suppose that sounds reasonable enough – while the metrics used by the affected industries (one download = one lost sale) are faulty, there’s obviously some sales lost to illegal downloading and there are people who never buy music or DVDs and just download absolutely everything.

At the same time, people of a more technical nature have pointed out that it’s not that hard to work around the kind of IP address tracking the BPI and others use to track down people sharing their material. You can get a VPN connection to another country that has no laws regarding this – I’ve not looked into this too much, but I believe you can get a suitable connection to a European country for around €5 a month. Configure your computer to send all traffic through that and there’s no reasonable way for anyone to trace it back to you.

The government’s response to this has been to point out that no normal person would ever bother with such a set-up and that only the most hardened and technical users would even try.

Again, that seems entirely reasonable. Most people have trouble using the basic functions of their computer, nevermind configuring a VPN client (at least without the aid of corporate IT support). Similarly, they’re not likely to pay even €5 a month for it, since the whole point to them is that the internet provides free things for them.

Except that when you look at both of these arguments together, it doesn’t make any sense at all. If disconnection only applies to the most hardcore users, and those same hardcore users are the ones likely to route around detection entirely, then almost no one will be disconnected.

The disconnection provision has easily been the most controversial thing in the Act. If it had been dropped the Bill would have had a much easier ride through parliament. The government could have used it to show that it was making major concessions and earned brownie points with the very vocal internet crowd who now hate them. I think that keeping that provision has hurt the government in the upcoming election more than it has helped them. So why has it been kept?

It’s not secret that this bill was largely pushed through parliament by media industry lobbyists. The front bench of both of the government and opposition wanted it passed, even though the opposition claimed to not support it. I guess everyone got a pile of money they needed to fund their election campaigns. Whoever wins will probably get a pile more money to ensure that Ofcom’s investigation into how ‘technical measures’ (such as disconnection) are applied produces a report which fits the media industry’s requirements.

The Act doesn’t set out the details for how disconnection will be applied. That’s going to be determined over the first six months or so of the next parliament. My expectation is that it’s going to apply a lot more widely than just a handful of ‘extreme’ file-sharers. Those people weren’t going to be caught by this anyway. It’s going to be aimed at making disconnection an eventual outcome for anyone who downloads any material the BPI’s members don’t want shared.

Expect it to be an automatic process – after some number of reports by the rights holders, you get a letter. After a number of letters, you get ‘technical measures’. Remember that there’s no court involved here – just a claim by a commercial organisation or a trade body that you’ve been doing Naughty Things. Enough claims, true or not, and you’ll have to pay for your chance to oppose it.

The big content producers are scared of the internet. They don’t know how to make money off of it yet. They wish they could make it go away. Passing a law that could allow them to bully you entirely off of the internet gives them a chance to do just that.

Crypto Question

Posted on by
Reply

I was initially going to ask this question on my twitter account, but it’s a bit longer than I can get into 140 characters.

Unrelated to my project management software, I’ve been wondering about securely storing files in systems like Amazon’s S3. It seems like a great way to store files that you want to keep for your application but don’t need instant access to, but there’s trust issues. It’s not that I think Amazon are untrustworthy, but it’s my (or my customer’s) data in someone else’s hands. That makes me nervous.

The obvious answer is encryption, but it’s not an area I’ve terribly much background in and there’s always that fear of doing something silly and obvious which introduces gaping security holes.

Like, for example, using the SHA-1 hash of a file as its AES-256 key. I’d need to store the hash anyway to ensure that the file wasn’t mangled by Amazon (or the encryption/decryption process), and it’s quite long, so why not use it as the key?

I can’t think of anything obvious – you can’t derive that hash from the encrypted file and if you have the unencrypted file to generate the hash then you don’t actually need to decrypt anything.

But in my crypto inexperience I might be missing something. Am I?

Secure Passwords.

Posted on by
1

Everyone knows that security is important. I’ve talked before about DenyHosts, which watches for attempts to brute-force your SSH passwords and blocks them.

I could probably live fairly happily without DenyHosts, since my passwords aren’t going to be caught by a brute-force attack based on dictionary words and while every password is vulnerable to a brute-force attack across the total possible search space, most of the time the bad guys won’t dedicate that much time – they’ll try a dictionary-based attack, and go and find someone more vulnerable.

So life is great, and we all use passwords like ‘;D}A(RpLk#~4‘, right?

Even if I could remember that, which I couldn’t, I’d be mad to expect my users to be happy with that kind of password policy. If my users were my employees, then I might not care about their happiness – but they’re my customers, and if they get unhappy they might leave and then I’ll have really secure passwords protecting an empty server.

In my day job, where the users are also customers, I’ve come across some of the worst passwords imaginable, including ‘password‘. Mostly, these passwords are useless unless you’re already inside someone’s local network and most people take better care with their remote-access passwords, but slips can happen and a poorly chosen password can be a weak spot that lets an attack onto a trust machine, and from there you can lose your entire network.

Finding a method of producing secure passwords which users can remember is absolutely vital. In order for the passwords to remain secure, it’s best to avoid obviously ‘memorable’ password techniques, such as pronounceable strings. While that’s a much bigger search space than dictionary words, it’s harder to include punctuation – or even some numbers – in those passwords and it’s still a much smaller space than ‘eight random characters’.

For my own passwords, I use the following technique. It’s not something you can strictly enforce on users, but it is something you can include when training them on security policies.

I start with a phrase. For this example, I’m going to use ‘Stop Me If You Think You’ve Heard This One Before’, solely because the Smiths song is in my ‘Party Shuffle’ list in iTunes.

This is a nine-word phrase, which will give us a nine character password. This is a good length, and at the upper bounds of what you’d expect someone to be able to memorise using traditional techniques. This technique is simple to apply: for each word in the phrase, you substitute a character.

One possible password generated from our sample phrase could be ‘$m!y7Yht1b‘. I’ve used number and symbol replacements for the initial letters of each word where it’s possible, but not every time so as to keep a range of characters in use. With this particular example, you could push it to 10 characters by using ‘b4‘, which is one of the benefits of this technique – you have the flexibility of the whole English language to help generate the password. You can make full of use text- and leet-speak, where appropriate, to produce a password that both looks random and is easy to remember.

But that’s not all you can do with this technique. It happens to be an excellent example of Technopagan practice.

Before I explain why, I’m going to digress a bit about what ‘magic’ means to me.

I am what you might call a pragmatic Pagan. I’m not really concerned if ‘magic’ is ‘real’ or not – I’m concerned about the end result. It doesn’t matter if it’s spiritual forces or psychological forces. It doesn’t matter if I get a job because supernatual forces intervene on my behalf or if it’s because my believing in the possibility of supernatural forces simply makes me more confident and that confidence gets me the job.

This technique is a good example of pragmatic Paganism. By picking a suitable phrase you can reinforce a particular thought, or desire, every time you type your password. This is effectively the same as a daily affirmation, reinforcing a particular idea. Does it matter if you’re invoking a spirit or simply creating a positive mental attitude?

In my personal experience, I’ve found that using the same phrase for too long causes it to lose its effectiveness. Ideally you should change it every few months or so – and conveniently this coincides with good security practices too.

The only down-side to this technique that I’ve found is that it’s extremely difficult to discuss what you’re doing, as telling anyone the key phrase you’re using would compromise your password!

Brute-force.

Posted on by
2

I just realised that my CentOS hosts don’t have Denyhosts running on them. cPanel is supposed to include some sort of anti-brute-force protection, but I don’t think it’s terribly reliable, since after installing Denyhosts on my main cPanel VM, I received the following in my admin email:

Added the following hosts to /etc/hosts.deny:

222.66.76.146 (unknown)
59.60.6.202 (unknown)
85.186.25.39 (unknown)
134.34.33.30 (unknown)
59.106.17.100 (unknown)
217.39.150.194 (pbx.altmore.co.uk)
202.63.105.91 (unknown)
202.65.218.140 (static-ip-140-218-65-202.rev.dyxnet.com)
201.28.114.173 (201-28-114-173.customer.tdatabrasil.net.br)
211.112.95.3 (unknown)
220.225.147.101 (unknown)
218.248.1.163 (unknown)
58.53.194.72 (unknown)
72.233.71.101 (101.71.233.72.static.reverse.ltdomains.com)
121.151.178.9 (unknown)
194.244.37.210 (unknown)
220.225.40.205 (unknown)
83.15.231.245 (eot245.internetdsl.tpnet.pl)
200.91.217.75 (200-91-217-75-host.ifx.net.co)
67.110.178.197 (67.110.178.197.ptr.us.xo.net)
58.211.137.77 (unknown)
62.111.247.77 (host-ip77-247.crowley.pl)
89.106.12.190 (reverse-89-106-12-190.grid.com.tr)
148.245.173.248 (unknown)
82.127.123.140 (LSt-Amand-152-31-44-140.w82-127.abo.wanadoo.fr)
200.253.204.134 (seliga.maracanau.ce.gov.br)
85.125.68.108 (85-125-68-108.work.xdsl-line.inode.at)

This VM has been running for less than a month, too.

Random brute-force attacks on SSH are as common as the spam in your inbox – anything with SSHd running and a public IP address is vulnerable to this, and unless you make a habit of reading your security logs (and who really has time to do that?) you need something like Denyhosts.

Ubuntu Server ships with only a bare minimum of packages, so I can understand why I have to install it myself there – but I’m a bit disappointed that CentOS doesn’t come with anything. It’s not the fault of CentOS, since they just repackage Redhat Enterprise – does RHEL 4 ship with nothing watching over SSH? I’d be really unimpressed if that were the case and I’d bought an RHEL licence.

As an aside, while I know that my CentOS installs are not the same as a standard install-from-the-DVD install, due to the method in which Xen VMs are created, my day job involves installing CentOS 4 systems, and I know that it doesn’t ship with Denyhosts. X11, Gnome, and a ton of junk, but no Denyhosts.

The moral of this story is: no matter how good your passwords are, a brute-force attack will eventually compromise them, your machine – virtual or otherwise – will be pwnd and used to compromise other machines, perform DDoSes for the Russian Mafia, host kiddie porn, or one of a thousand other things that are Seriously Bad News. Unless you’ve disabled password authentication entirely and just use SSH keys, you need Denyhosts (or something like it).