Setting Up An XMPP Server, Check Back Later

Between recovering from the plague, some server issues on the old server, and setting up an XMPP server, I didn’t have time to get posts up.

Setting up XMPP is interesting. The first task is finding a server, and there are surprisingly few good ones to choose from. Originally I was going to use ejabberd, as I’d used it long ago, but I saw the developers have split it into “community” and “business” editions, with the former lacking a lot of features (such as gateways to other instant messaging services). My second choice was Openfire, which is what I settled on. The downside of Openfire is that it’s written in Java and I’m not a fan of installing Java on systems anymore (because I hate Oracle). Java aside, Openfire is pretty solid. The initial setup is a bit of a pain because it’s not available in any CentOS repositories and you have to do a little manual setup for the MariaDB database (creating the database and a dedicated user whose rights are limited to it before the setup wizard can populate it). After that you gain access to a web interface that makes everything else simple.
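Once the server is up, the thing worth verifying from the outside is that it requires TLS on client connections rather than merely offering it: an XMPP server advertises its policy in the first stream features it sends, and a server that marks STARTTLS optional will happily take a password in the clear. The following is an added example of mine, not Openfire’s code or anything from the original post; it speaks just enough of the RFC 6120 stream opening to read those features and classify them. The host name and the three sample server responses are constructed for the offline functions; probe() is the live version.

```python
import socket
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"


def _features(server_bytes):
    """Return the <stream:features> element from a server's stream opening, or None.

    The server only ever sends the opening <stream:stream> tag, so the fragment is
    not a complete document; closing it makes it parseable by ElementTree.
    """
    if isinstance(server_bytes, str):
        server_bytes = server_bytes.encode()
    if not server_bytes.rstrip().endswith(b"</stream:stream>"):
        server_bytes += b"</stream:stream>"
    root = ET.fromstring(server_bytes)
    return root.find(f"{{{STREAM_NS}}}features")


def tls_policy(server_bytes):
    """'required', 'optional' or 'none', per RFC 6120 section 5.4.1:
    <required/> inside <starttls/> means the server refuses to go on without TLS."""
    features = _features(server_bytes)
    if features is None:
        return "none"
    starttls = features.find(f"{{{TLS_NS}}}starttls")
    if starttls is None:
        return "none"
    if starttls.find(f"{{{TLS_NS}}}required") is not None:
        return "required"
    return "optional"


def findings(server_bytes):
    """Problems with the server's pre-TLS feature set, as a list of strings."""
    policy = tls_policy(server_bytes)
    problems = []
    if policy == "none":
        problems.append("no STARTTLS: credentials and messages cross the wire in the clear")
    elif policy == "optional":
        problems.append("STARTTLS optional: a client or an active attacker can simply skip it")
    features = _features(server_bytes)
    if features is not None and policy != "required":
        # SASL mechanisms advertised before TLS is established means a client can
        # authenticate on the plaintext stream.
        mechs = [m.text for m in features.iter(f"{{{SASL_NS}}}mechanism")]
        if mechs:
            problems.append("SASL offered before TLS: " + ", ".join(mechs))
    return problems


def probe(host, port=5222, domain=None, timeout=10):
    """Live check (needs network): open a client stream and read the server's features."""
    domain = domain or host
    open_tag = (f"<?xml version='1.0'?><stream:stream to='{domain}' version='1.0' "
                f"xmlns='jabber:client' xmlns:stream='{STREAM_NS}'>")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(open_tag.encode())
        data = b""
        while b"</stream:features>" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return tls_policy(data), findings(data)


# Constructed server responses (a fictional domain, not captured traffic).
_OPENING = (b"<?xml version='1.0'?>"
            b"<stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' "
            b"id='c0ffee' from='chat.example.org' version='1.0'>")
SAMPLE_REQUIRED = _OPENING + (
    b"<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>"
    b"<required/></starttls></stream:features>")
SAMPLE_OPTIONAL = _OPENING + (
    b"<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
    b"<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>PLAIN</mechanism>"
    b"</mechanisms></stream:features>")
SAMPLE_NONE = _OPENING + (
    b"<stream:features><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    b"<mechanism>PLAIN</mechanism></mechanisms></stream:features>")

if __name__ == "__main__":
    for name, sample in (("required", SAMPLE_REQUIRED), ("optional", SAMPLE_OPTIONAL), ("none", SAMPLE_NONE)):
        print(name, tls_policy(sample), findings(sample))
```

Run it against your own server with probe("chat.example.org") and expect ("required", []); anything else means a client can be talked out of encryption before it ever sends a password, and the fix is in the server’s client connection security setting rather than in the clients.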

Because the universe likes to make my life stressful, the virtual machine I initially set up became corrupted when VMware fucked up a snapshot operation. So I had to redo all of the work mentioned above.

Right now I’m doing a beta test with friends. Once I’m satisfied it’s solid I might make it available for others.

Cyberfailure At The Cyberdepartment Of Cybersecurity

Do you ever get the idea that China’s ability to breach United States networks isn’t so much due to their skill as to their adversary’s incompetence? After the breach of the Office of Personnel Management’s (OPM) network it was revealed that government networks are woefully out of date. In fact China was focusing its efforts on non-military federal agencies. But even though other federal agencies’ network security is lackluster, we were told time and again that the Department of Defense (DoD) is held to a higher standard. That wasn’t true either:

The United States Department of Defense is still issuing SHA-1 signed certificates for use by military agencies, despite this practice being banned by NIST for security reasons nearly two years ago. These certificates are used to protect sensitive communication across the public internet, keeping the transmitted information secret from eavesdroppers and impersonators. The security level provided by these DoD certificates is now below the standard Google considers acceptable for consumer use on the web.

Few things amuse me more than when one federal agency, in this case the DoD, fails to abide by the recommendations issued by another federal agency, in this case the National Institute of Standards and Technology (NIST). The problem with SHA-1 isn’t that the keys are weak; it’s that a collision in the hash lets an attacker produce a certificate the CA never saw, which is why browsers are refusing to trust such signatures. This shouldn’t be surprising though: the DoD’s e-mail servers don’t even support STARTTLS, so any e-mail traveling between their servers and anyone else’s is sent in the clear. If the DoD can’t even take a basic measure like that, why would anybody assume it would issue certificates that meet a modern standard?
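Both complaints above are things you can check yourself without trusting anybody’s report. The example below is mine, not from the article being quoted or from any DoD tooling: starttls_offered() reads a raw EHLO reply (the form you would see in a packet capture), and signature_algorithm() walks just enough DER to pull the outer signatureAlgorithm out of an X.509 certificate, because Python’s ssl module hands you the certificate but not the algorithm its issuer signed it with. audit_mail_server() puts the two together against a live host. The EHLO transcripts and the fake_cert() certificate are constructed for the offline checks; only the outer SEQUENCE structure of that certificate is real, its tbsCertificate is a placeholder.

```python
import smtplib
import ssl

# Signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758) mapped to their usual names.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_HASHES = ("md5", "sha1")


def starttls_offered(ehlo_response):
    """True if a raw EHLO reply advertises the STARTTLS extension (RFC 3207)."""
    for line in ehlo_response.splitlines():
        # Lines look like "250-STARTTLS" (more to come) or "250 STARTTLS" (last line).
        if line[:3] == "250" and line[4:].strip().upper() == "STARTTLS":
            return True
    return False


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next position)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits say how many length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Dotted string from DER OID contents (first byte packs the first two arcs)."""
    parts = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


def signature_algorithm(cert_der):
    """Name of the algorithm the issuer signed this certificate with.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    (RFC 5280 section 4.1); we skip the first element and read the OID of the second.
    """
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)            # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)     # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("bad AlgorithmIdentifier")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected an OID")
    dotted = decode_oid(oid)
    return SIGNATURE_OIDS.get(dotted, dotted)


def is_weak_signature(name):
    return any(h in name.lower() for h in WEAK_HASHES)


def audit_mail_server(host, port=25, timeout=10):
    """Live check (needs network): is STARTTLS offered, and what signs the certificate?"""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"starttls": False, "signature_algorithm": None, "weak": None}
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # we want to inspect the cert even if it would not validate
        smtp.starttls(context=ctx)
        der = smtp.sock.getpeercert(binary_form=True)
    name = signature_algorithm(der)
    return {"starttls": True, "signature_algorithm": name, "weak": is_weak_signature(name)}


# Constructed test material (fictional host, placeholder certificate).
EHLO_WITH_TLS = "250-mail.example.org\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_WITHOUT_TLS = "250-mail.example.org\r\n250-SIZE 52428800\r\n250 8BITMIME\r\n"
SHA1_RSA_OID = "2a864886f70d010105"    # 1.2.840.113549.1.1.5
SHA256_RSA_OID = "2a864886f70d01010b"  # 1.2.840.113549.1.1.11


def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def fake_cert(sig_oid_hex):
    """Stand-in certificate: real outer layout, placeholder tbsCertificate and signature."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\xaa" * 256)  # BIT STRING sized like a 2048-bit RSA signature
    return _der(0x30, tbs + alg + sig)
```

To use it on a real certificate, ssl.get_server_certificate() gives you PEM and ssl.PEM_cert_to_DER_cert() turns that into the bytes signature_algorithm() wants. Note that this inspects the signature on the certificate you are handed, which is exactly the one the issuing CA made; intermediates in the chain deserve the same look.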

We keep hearing about the coming cyberwar. When that finally comes the United States is going to be taken out in the initial volley. Every bit of news we hear indicates the computer security capabilities of the entire federal government are nonexistent.

Apple Doing More For China’s Environment Than China’s Government

I continue to be amazed by people who believe governments are an effective way to protect the environment. It’s such a stupid belief because governments are the biggest polluters whose only interest in regulating pollution is getting a piece of the action through permit issuances. The only way to reduce pollution, which is the only way to change anything, is direct action. Oftentimes direct action to reduce pollution involves individuals whose property has been damaged by a polluter filing a lawsuit (of course such action has been illegal in the United States ever since the federal government started involving itself in pollution licensing). But that’s not the only way.

Apple has announced a plan to build solar power plants in China:

Six months after Apple said it wanted to stop climate change, rather than debate the issue, the company has announced two new programs that it says will reduce the carbon footprint of its manufacturing partners in China. The two schemes aim to avoid the production of more than 20 million metric tons of pollution between now and 2020 by building solar energy sources in the country’s northern, eastern, and southern grid regions, and by partnering with suppliers to install clean energy projects over the coming years.

At the same time, Apple also announced that it has completed 40 megawatts of solar projects in China’s Sichuan province, capable of producing the same amount of energy used by Apple’s retail stores and operations offices in the country. Apple says the completion of the projects makes the company carbon neutral in China, but that doesn’t factor in the energy used by its manufacturers and suppliers. The two new schemes are intended to offset that energy usage, producing more than 200 megawatts of electricity through the new solar sources — enough to power 265,000 homes in China for a year — and by helping suppliers build projects that will offer more than 2 gigawatts of clean energy.

This move by Apple will do more good than any amount of petitioning the Chinese government. In fact if companies did similar things in the United States it would do more good than any amount of Environmental Protection Agency (EPA) regulations.

Overcoming Advertisement Reliance

As more consumers tire of footing the bill for advertisers, content producers are being forced to look into other revenue models. Yesterday Google joined the legion of content producers experimenting with charging directly for content by announcing a YouTube subscription service:

At a press event this morning in San Francisco, livestreamed in from the YouTube Space in Los Angeles, the video-sharing company announced YouTube Red, a subscription service for the site’s most dedicated viewers. For $9.99 a month (or $12.99 if you order through iTunes; iOS users can pay the normal price if they sign up through the web), the YouTube Red membership gives users ad-free videos, and original shows and movies from YouTube creators (including PewDiePie, Joey Graceffa, Fine Brothers Entertainment, and more). It also opens up access to the recently launched Gaming app, and YouTube Music, a new app that will be available soon. Crucially, a YouTube Red subscription will be interchangeable with a Google Play Music subscription, making this as much a streaming music investment as anything.

I think this is a sensible approach. Google will still maintain the ad-supported service but is now adding a subscription service that removes ads and gives subscribers access to premium content. Sweetening the deal is the fact that a YouTube Red subscription also gains you access to Google Play Music, so subscribers are really getting some Netflix and some Spotify for the price of one of those services individually.

In addition to premium content, subscribers to YouTube Red will enjoy a more secure experience, since ad networks are a common vector for malware; better battery life, since ads consume a notable amount of power; and lower bandwidth bills, since ads eat up a lot of bandwidth. For heavy YouTube users on metered connections $9.99 per month might prove to be a savings compared to the cost of buying additional data to cover ad traffic.

Although most media outlets are focusing on Google offering premium content for subscribers, the big news, in my opinion, is the fact that Google is offering a subscription service at all. For the longest time Google was the name in Internet advertising. In fact it still is. But even it sees the writing on the wall. Through the pervasive use of ad blockers consumers are signaling to the market that they’re no longer satisfied with being the product. Unlike many businesses, which stick their heads in the sand when their business model starts dying, Google is at least experimenting with alternative revenue sources. I hope it proves successful because I want to see the advertising model die in a fire.

It’s Called A Legacy Of Ashes For A Reason

John Brennan, the director of the ironically named Central Intelligence Agency (CIA), had his personal e-mail account breached, supposedly by a 13-year-old. You might not think the personal e-mail account of a government stooge would contain much interesting information, but the dummy forwarded a lot of e-mail from his CIA account to it! Wikileaks was good enough to post his e-mails for our amusement.

Some may find it odd that a 13-year-old could social engineer the director of the CIA. But anybody who has read Legacy of Ashes: The History of the CIA knows that it’s titled Legacy of Ashes for a reason. The history of the CIA is the history of failure. Brennan’s failure to keep his work and personal e-mail separate, and his being outwitted by a 13-year-old, are just another chapter in the agency’s long, proud history of failing. In fact this failure isn’t even a blip on the radar next to gems like the Bay of Pigs Invasion.

I look forward to the dirty secrets that are gleaned from this leak and the butthurt that will inevitably emanate from neocons who will cry about this leak being damaging to national security or some other such nonsense.

The Privacy Arms Race

The National Security Agency (NSA) is listening in to every phone call. Closed circuit television (CCTV) cameras are seemingly in every business and on every street corner. Police cars have cameras that automatically scan the license plates of the vehicles they drive by. Surveillance is so pervasive that we must accept the fact that privacy is dead.

Or not. Doomsayers will declare the death of privacy, but the truth is privacy is an arms race. This has always been the case. When aerial surveillance came into its own so did camouflage canopies and hidden shipyards. Criminals kept tabs on the movements of beat cops so their activities wouldn’t be spotted, and now they map the locations of CCTV cameras for the same reason. Electronic communication led to the development of wiretaps, which led to the development of encrypted electronic communication.

The privacy arms race is alive and well today. As the State and corporations utilize more surveillance technologies, markets are springing up to offer countermeasures. One market that is starting to dip its toes into modern counter-surveillance is the fashion industry:

Last spring, designer Adam Harvey hosted a session on hair and makeup techniques for attendees of the 2015 FutureEverything Festival in Manchester, England. Rather than sharing innovative ways to bring out the audience’s eyes, Harvey’s CV Dazzle Anon introduced a series of styling methods designed with almost the exact opposite aim of traditional beauty tricks: to turn your face into an anti-face—one that cameras, particularly those of the surveillance variety, will not only fail to love, but fail to recognize.

Harvey is one of a growing number of privacy-focused designers and developers “exploring new opportunities that are the result of [heightened] surveillance,” and working to establish lines of defense against it. He’s spent the past several years experimenting with strategies for putting control over people’s privacy back in their own hands, in their pockets and on their faces.

Admittedly many of the fashion trends and clothing shown in the article look silly by average standards. In time counter-surveillance fashion will either take on an appearance that appeals to our sensibilities, or our sensibilities will change to view it as fashionable.

Using fashion as counter-surveillance is as old as surveillance itself. Spies always try to dress to blend into their surroundings. Street criminals often choose a manner of dress that is unlikely to catch the attention of police. Undercover police select clothing that doesn’t scream “I’m a cop!”

Privacy isn’t dead. Far from it. It’s true that surveillance technology appears to have the upper hand for the time being but counter-surveillance technology will overcome it and then the cycle will repeat itself.

Need Your Friend’s Wi-Fi Password? Ask Their Kettle!

A lot of companies are making a big deal out of the Internet of Things, which is just a fancy phrase for adding Internet connectivity to everything from lightbulbs to tea kettles. Theoretically this could enable some pretty neat functionality, but it also means every device in your home can become an attack vector for malicious hackers. Not surprisingly, the security record of current Internet of Things manufacturers leaves a lot to be desired:

Following our recent demonstration at the Infosecurity Show and with Rory Cellan-Jones on the BBC here’s a write up and more technical detail on the Smarter iKettle hack.

[…]

For those of you who haven’t seen the demo in person, here’s how it works.

The brief version:

De-auth kettle from its usual access point. Use aireplay-ng
Create fake AP with same SSID
Kettle joins
Connect to telnet service, authenticate using default PIN of ‘000000’
Enter ‘AT-KEY’
Plaintext WPA PSK is then disclosed
Yes, it’s that easy

Oy vey! Note what made this attack trivial: the kettle trusts any access point broadcasting its SSID, its management interface is plain telnet, and the PIN is a factory default, so every step exploits a known weakness rather than a clever discovery. For some reason each market appears dead set on learning the hard lessons the hard way. Software developers learned what happens when security isn’t taken seriously. Automobile manufacturers are learning that lesson now. Manufacturers of Internet-enabled devices will probably be next in line.

My advice for everybody is to wait a bit before diving too far into this Internet of things. Let the early adopters suffer the pain and misery of immature products. Then, when the time is right, move in and thank all those poor souls for their sacrifice.

Password Managers Compared

Now that LastPass is owned by a company nobody trusts a lot of interest in alternatives has been generated. I looked at several alternatives, ultimately settling on 1Password, but my time is limited. Fortunately I found a surprisingly complete chart comparing the features of numerous password managers. If you’re interested in moving away from LastPass or you just want to start using a password manager this chart has you covered.

Socialized Losses, Private Profits

A quip about government bailouts of private corporations is “Socialized losses, private profits.” When these companies fail it is at the tax victims’ expense, but when they succeed the profits are theirs alone. Government bailouts aren’t the only situation where this phrase applies, though. Public universities receive a great deal of tax victim money and often profit from it tremendously:

Apple Inc could be facing up to $862 million in damages after a U.S. jury on Tuesday found the iPhone maker used technology owned by the University of Wisconsin-Madison’s licensing arm without permission in chips found in many of its most popular devices.

The jury in Madison, Wisconsin also said the patent, which improves processor efficiency, was valid. The trial will now move on to determine how much Apple owes in damages.

Representatives for the Wisconsin Alumni Research Foundation (WARF) and Apple could not immediately be reached for comment.

WARF sued Apple in January 2014 alleging infringement of its 1998 patent for improving chip efficiency.

Ask yourself this: why should a publicly funded university be allowed to declare a legal monopoly on an idea? Taxes, which is to say the public, paid for the research, so the only fair trade would be for any findings to be placed in the public domain. But that’s not the case. Universities can socialize the losses of research and privatize the profits.

Why do so many people whine when private corporations get away with this shit but say nothing when a public university does? I’m part of the club that views both with equal revulsion but, sadly, it is a very small club.

Your Daily Reminder To Uninstall Flash

No matter how many times security researchers recommend that people uninstall Flash, people keep using it. Yet again Adobe released an update to address a slew of critical vulnerabilities in Flash, only for another to be discovered the next day:

Now today, security researchers have disclosed a new zero-day vulnerability in fully patched versions of Adobe Flash, which is currently being exploited in the wild by a Russian state-sponsored hacking group named “Pawn Storm”.

That means even users with an entirely up-to-date installation (versions 19.0.0.185 and 19.0.0.207) of the Flash software are vulnerable to the latest zero-day exploit.

When people ask me for easy recommendations to improve their security I tell them to uninstall Flash. Along with simple things like using a password manager to ensure you’re not reusing passwords and using two-factor authentication on websites that support it, uninstalling Flash is easy and greatly reduces your exposure when browsing the Internet.

So once again I implore you, if you haven’t already, purge Flash from all of your computers.