No Borders

I made a mistake this week, or rather a misjudgement. I wrote about a new threat called Goolag, in which a malicious person could use Google to find servers on the Internet that are vulnerable to attack. The servers are infected with malicious code that causes anyone who visits them to be exposed to compromise. This is how many an innocent person’s computer becomes a spam-bot, remotely controlled by hackers and used to send spam, and sometimes to infect its neighbours as well.

I wrote, “Making simple mistakes is the easiest way to expose yourself to attack…. You won’t be targeted so much as stumbled across.”

Within two days of writing about the issue, an online security blog reported a wave of attacks affecting approximately 200,000 web servers. The single most important part of comedy, as they say, is timing.

This latest wave of attacks is important to us for a couple of reasons: It demonstrates that the democratising effect of information on the Web respects no single set of ethics or morality. The very same information-sharing tools that have so empowered people everywhere are being used by vandals and criminals for their own selfish ends as well.

It also means that there are no safe havens online.

Continue reading

Gooooolag

UPDATE: How wrong could I be about the severity of this threat? Very wrong, apparently. I haven’t confirmed it yet, but it’s hard to imagine how this week’s mass server hack could have happened without tools like the one described below. I’ll write more about this in this week’s column….

Heh, cute:

Cult of the Dead Cow Announces Goolag Vulnerability Search Engine.goooooolagOnce you get past the Chinese porn silliness, there’s a real story here:

Google’s effectiveness as a search engine also makes it an effective… well, search engine. Common website weaknesses are exposed by search engines such as Google, and anyone can access them by using specially crafted queries that take advantage of Google’s advanced searching capabilities. As the cDc press release indicates, there are approximately 1500 such searches published and readily accessible on the Internet. And now the cDc has built a(n a)cutely satirical web front end and are offering a downloadable desktop search application for Windows, giving script kiddies the world over something else to do with their time.

What effect has this had on website security? It’s difficult to tell. The principle of using Google as a scanning tool has been common knowledge since at least 2006, but according to Zone-H, who record large numbers of website defacements every year, the only significant increase in website attacks since then was the result of an online gang war between various Russian criminal factions, back in 2006. Ignoring that anomalous rise in activity, the rate of attack actually fell slightly in 2007 compared to recent years, relative to the number of active websites.

Zone-H’s latest report proves only that the percentage of insecurely configured websites scales on a roughly linear basis with the number of available websites, and that the choice of technology has almost no bearing on the likelihood of a successful attack. Indeed, most exploits are simple attacks on inherent weaknesses: guessing admin passwords or copying them when they’re sent in cleartext, misconfigured shares and unsafe, unpatched applications. Attacks requiring any amount of individual effort are not very common at all. Man-in-the-middle attacks rated only fifth place in the list of common exploits, representing only 12% of that total. But researchers have elsewhere noted that cross-site-scripting attacks are on the rise, and are being used mostly by spammers to increase the size of their bot nets.

The lesson here is fairly obvious: Making simple mistakes is the easiest way to expose yourself to attack. And search tools like Goolag make finding those mistakes remarkably easy. You won’t be targeted so much as stumbled across. Given the recent rise in the number of websites being used to inject malicious software into people’s computers, spammers and other online criminals appear to have a strong incentive to use even the less popular websites to ply their trade.

Your choice of technology won’t save you, either. Most popular web servers are fairly secure these days and though not all server operating systems are created equal, the big ones have improved markedly. But the same cannot be said of the applications and frameworks that run on them. The old adage that ease of use is universal still applies. When you make things easy for yourself and your users, you are liable to make things easy for other, less welcome guests as well.

The lesson for the average website owner: Do the simple things well. Don’t waste your time trying to imagine how some intrepid cyber-ninja is going to magically fly across your digital alligator moat. Just make sure your systems are well-chosen and properly patched, pay attention to access control and treat authentication seriously. Statistically, at least, this will drop your chances of being Pwned to nearly nil, or close enough as makes no never mind.

Splash and Ripple

Drop a stone in the middle of the pool. Watch its ripples spread wider and wider across the surface. Inevitably – sometimes sooner than later – the ripples mingle and apparently disappear among the others. Cause and effect: A simple action creates immeasurable, unpredictable and unforeseeable results.

Among development professionals, this provokes roughly equal amounts of fascination and frustration. Fascination, because anyone with a mote of interest and natural curiousity is quickly engrossed by the flow of events as human cultures mingle and change. Frustration, because at some point it will be necessary to say to a donor, ‘Your money will have exactly this effect.’

And that will be a lie, of sorts.

Continue reading

#@)(!*^ing Encryption

A few words about the title: The first seven letters are written using a very simple code, or cypher. Each of the letters in the original word is replaced by the non-alphabetical character to which it is closest on a US keyboard. The process of hiding a message by substituting other letters, numbers or symbols is known as encryption. When the code is reversed, the title reads ‘Explaining Encryption’.

But it also looks like swearing, doesn’t it? In fact, the use of characters like this to denote swearing is a simple (dare we say crude?) kind of encryption. A child too innocent to know such words derives no meaning from the random collection of characters. Someone well versed in the ways of the world, though, can add up the number of characters and quickly deduce what was intended.

On and off over the last two months, we’ve been looking at various aspects of online security. This week, we’re going to consider what steps we can take to make the information we send over the Internet secure from prying eyes.

We’ll also consider why it is that no one uses these measures, and why most of us won’t any time soon.

Continue reading

Idea: Personal Navajo

Instead of exposing the painful ritual of public/private key exchange, software developers should instead be using metaphors of human trust and service.

A ‘translator’ service,  for example. The user ‘invents’ an imaginary language, then decides who among her friends is allowed to speak it with her. She then instructs her ‘translator’ (e.g. her own personal Navajo) to convey messages between herself and her friend’s translator.

(Only the personal Navajos actually need to speak this ‘language’ of course. As far as the two correspondents are concerned, the only change is that they’re sending the message via the ‘translator’ rather than directly, but even that is a wafer-thin bit of functionality once the channel is established and the communications process automated.)

Quick encryption, well understood, and easy to implement. Most importantly, you don’t have to explain encryption, public and private keys,  or any other security gobbledygook to someone who really doesn’t want – and shouldn’t need – to hear it.

Update: Of course, the greatest weakness to this idea is if Microsoft were to create an implementation of this and name it Bob.

On Being Right

A number of recent events have given me occasion to consider what it means to be right.

Viewed through a rationalist filter, humanity can manage itself well (if not easily), provided its curiousity remains strong and its faculties of discernment are not tarnished. This assumes, of course, that humanity as a whole is curious. I am learning, to my dismay, that it is indeed curious, but not at all in the way I thought it was.

Continue reading

MEME: Bitsharks

I’m going to start blaming random network- and computer-related problems on Bitsharks. Get everyone believing in the idea of predatory bots cruising the network, dining on people’s digital transmissions.

USER: “Why didn’t my email go through?”
ME: “Did you receive a failure message?”
USER: “No.”
ME: “Uhhh, you didn’t send it alone, did you?”
USER: “What do you mean?”
ME: “Well… how big was the message?”
USER: “Just a paragraph or so. Why?”
ME: [Dismayed] “And you sent it onto the Internet alone?”
USER: “What, why?”
ME: “Don’t you know what can happen?”
USER: “What? What are you talking about?”
ME: [sighs] “Poor little thing. Probably never had a chance. Hang on a sec….” [Types random commands into console.]
USER: [alarmed] “What’s going on?”
ME: “It’s what I thought. Bitsharks.”
USER: “What did you call me?”
ME: “Nonono. Bit. Shark. A Bitshark got your email.”
USER: “A Bitshark?”
ME: “Yeah. Predatory bots cruising the shallow parts of the Internet. They single out the smaller, more vulnerable bits of data, then consume them.”
USER: “Oh my God.”
ME: [Pained, patient] “Look, just do me a favour. Next time, send your email out in groups. Sometimes the numbers confuse the Bitsharks and the little guys manage to make it through.”
USER: “Oh, the poor thi- I, I… of course.”
ME: “You won’t forget?”
USER: “Heavens, no.”
ME: “Good. Tell your friends.”

Network Neutrality: Not Negotiable

Someone asked:

I’m curious what the[…] community thinks… what if a company such as Comcast were to offer two plans:

1. $30/mo – The internet as we know it today without any preference to content providers, advertising, etc
2. $15/mo – An internet where some content providers get preference, subsidizing the lower monthly bill.

If companies offered a choice would we still care?

Effectively, it would be no choice at all. It would, in fact, be disastrous.

The effects described in George Akerlof’s 1970 paper, The Market for ‘Lemons’ come into play in such a scenario. In a nutshell, the paper states that certain markets (like used cars) favour the sale of ‘lemons’ over quality. The reason is that it’s easier to simply wax and buff a lemon (and rely on the buyer’s ignorance) than it is to do the right thing and service it properly before re-selling.

The reason this approach works is because buyers can’t see what’s under the hood and, generally speaking, wouldn’t know what to look for even if they could. So instead of paying well for quality, they tend to buy the cheapest item, regardless of its condition. The same is true of Internet service. People just don’t know what’s possible. Worse still, they don’t have the ability to recognise whether they’re getting what they’re supposed to or not.

So if the telcos were to foist a divided offering on their customers, they could rely on ignorance to invoke a market for ‘lemons’. People see no extra value in buying the better service, so they flock en masse to the cheaper one. Telco then discontinues the more expensive one, citing lack of consumer interest.

Minimum operating standards such as Network Neutrality were put into place to protect consumers and the market itself. Absent Net Neutrality, the potential for abuse of control over traffic by carriers is far too great. No compromise is possible in this regard, because degradation of Net Neutrality is a degradation of the market itself.

Policing Piracy

The Australian government recently announced that it was taking the issue of Internet piracy very seriously. They were, according to reports, considering their own version of a British proposal to require Internet Service Providers to cut off so-called ‘repeat offenders’. People who were suspected of deliberately and repeatedly downloading unauthorised music and video files would have their Internet accounts suspended.

This is a commendable goal. Respect for the creative works of others is at a low ebb these days. We need to alter our cavalier approach to copyright and to properly reward those who spend their time and effort in creating the music, movies, software and other creations we so enjoy.
Continue reading