DNS Fuckery

2016.03.21

Cloudflare on how they’re mitigating reflection attacks. The tl;dr: faster crypto (elliptic curve instead of RSA) for DNSSEC signing, refusing ANY queries, and keeping responses within the 512-byte limit of a plain UDP DNS packet so there is little amplification to abuse.

Detecting DNS Tunnelling via PacketBeat and Watcher and Elasticsearch

RandomDNS for randomizing use of DNSCrypt


Inconvenient Message Detection

2015.03.02

via http://topchicksdigengineeringguys.blogspot.com/2015/03/the-inconvenient-message-detection-imd.html

Steganography that requires computing effort. Steganography is the idea of hiding data in the unimportant bits of an image. This is an old idea. The new twist is that with ‘Inconvenient Message Detection’ (IMD) that data can only be found if the decoder does an amount of computational work that’s decided by the encoder.

Let’s look at how this solved our problem: If some people use IMD, it makes every image suspect. When a mass-observer wants to see what communication is going on, they must use compute power to check every image. Furthermore, because the compute effort needed to find an image is set by the encoder, it is uncertain to the mass-observer; they never know for certain if they’ve worked hard enough. By contrast, the intended recipient of a message presumably got the single datum that a message exists in some public image and will put in as much compute effort as is needed to find the data in that single image. Having every image on the internet be a potential carrier of secrets makes the mass observation of communication meta-data expensive and uncertain.

Furthermore, even an individual under direct observation can increase their protection with IMD. An individual may own thousands of images of which only one contains a secret. Until the secret is found by an observer, the individual has plausible deniability of the secret’s existence. The observer may even give up before spending the necessary compute effort to find it. This increases their resistance to coercion.
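A toy model of the work-factor idea above, added here as an illustration and not code from the IMD post: the encoder hides the payload in the least-significant bits of pixels at positions derived from a passphrase and a random salt, and the size of that salt, which only the encoder chooses, fixes how many keys the decoder must try. The carrier is a constructed byte array standing in for grayscale pixels; MAGIC, the function names and the passphrase are assumptions of this example.

```python
import hashlib
import secrets
MAGIC = b"IMD1"  # marker the decoder searches for (constructed for this toy)

def _key(passphrase: bytes, salt: int) -> bytes:
    """Key = H(passphrase || salt); the decoder is never told the salt."""
    return hashlib.sha256(passphrase + salt.to_bytes(8, "big")).digest()

def _indices(key: bytes, n_pixels: int, count: int) -> list:
    """Derive `count` distinct pixel indices from `key` (SHA-256 in counter mode)."""
    if count > n_pixels:
        raise ValueError("payload does not fit in the carrier")
    chosen, seen, ctr = [], set(), 0
    while len(chosen) < count:
        digest = hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
        for i in range(0, 32, 4):
            idx = int.from_bytes(digest[i:i + 4], "big") % n_pixels
            if idx not in seen and len(chosen) < count:
                seen.add(idx)
                chosen.append(idx)
    return chosen

def embed(pixels: bytes, message: bytes, passphrase: bytes, work_bits: int, salt=None) -> bytearray:
    """Hide message in pixel LSBs; the salt size (work_bits) sets the decoder's effort."""
    if salt is None:
        salt = secrets.randbits(work_bits)  # expected decoder work ~ 2**(work_bits-1) keys
    payload = MAGIC + len(message).to_bytes(2, "big") + message
    out = bytearray(pixels)
    bits = [(b >> s) & 1 for b in payload for s in range(7, -1, -1)]  # MSB first
    for idx, bit in zip(_indices(_key(passphrase, salt), len(out), len(bits)), bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return out

def _read(pixels: bytes, key: bytes, n_bytes: int) -> bytes:
    """Read n_bytes of payload from the LSBs at the key-derived positions."""
    value = 0
    for idx in _indices(key, len(pixels), n_bytes * 8):
        value = (value << 1) | (pixels[idx] & 1)
    return value.to_bytes(n_bytes, "big")

def extract(pixels: bytes, passphrase: bytes, max_work_bits: int):
    """Try salts 0,1,2,... until MAGIC appears; None means 'no message' OR 'not enough work yet'."""
    for salt in range(1 << max_work_bits):
        key = _key(passphrase, salt)
        if _read(pixels, key, 4) != MAGIC:
            continue
        length = int.from_bytes(_read(pixels, key, 6)[4:], "big")
        return _read(pixels, key, 6 + length)[6:], salt + 1
    return None
```

An observer who stops at a smaller max_work_bits than the encoder used gets the same None as for an innocent image, which is the uncertainty the post relies on.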

furbo.org · Grass Mud Horse

2015.01.29

The Chinese government is not only being deceitful with IP addresses, they’ve also begun cracking down on a mechanism that lets its citizens avoid the bullshit: VPN. Grass Mud Horse!

This action, combined with the DDoS floods, is beneficial to a government that’s intent on isolating its citizens from the free and open Internet. They make it hard to get a packet out of China, but even if you succeed, it’s likely to be blocked by a server that’s been victim of their DDoS.

On the surface, this seems like a good strategy for creating your own private Internet: a network where no packets can enter the west or leave the east.

via furbo.org · Grass Mud Horse.

I’ve been seeing a lot of probes in my logs — mostly search engines, but a fair bit that wasn’t — from China. And here you go.

Newly published NSA documents show agency could grab all Skype traffic | Ars Technica

2014.12.31

The full capture of voice traffic began in February of 2011 for “Skype in” and “Skype out” calls—calls between a Skype user and a land line or cellphone through a gateway to the public switched telephone network (PSTN), captured through warranted taps into Microsoft’s gateways. But in July of 2011, the NSA added the capability of capturing peer-to-peer Skype communications—meaning that the NSA gained the ability to capture peer-to-peer traffic and decrypt it using keys provided by Microsoft through the PRISM warrant request.

via Newly published NSA documents show agency could grab all Skype traffic | Ars Technica.

An Unprecedented Look at Stuxnet, the World’s First Digital Weapon | WIRED

2014.11.03

Holder urges tech companies to leave device backdoors open for police – The Washington Post

2014.10.01

Attorney General Eric H. Holder Jr. said on Tuesday that new forms of encryption capable of locking law enforcement officials out of popular electronic devices imperil investigations of kidnappers and sexual predators, putting children at increased risk.

via Holder urges tech companies to leave device backdoors open for police – The Washington Post.


TL;DR: “we need to snoop on everything, for the kids”. Shameless, spineless, embarrassing.


The Criminal Indictment That Could Finally Hit Spyware Makers Hard | WIRED

2014.10.01

The indictment this week of the man behind an app designed for surreptitiously monitoring cellphone activity is only the second federal case filed against someone involved in the commercial sale of so-called spyware and stalkingware. But the case could have negative implications for others who make and sell similar snooping tools, experts hope.

The case involves StealthGenie, a spy app for iPhones, Android phones and Blackberry devices that until last week was marketed primarily to people who suspected their spouse or lover of cheating on them but it also could be used by stalkers or perpetrators of domestic violence to track victims. The app secretly recorded phone calls and siphoned text messages and other data from a target’s phone, all of which customers of the software could view online until the government succeeded in temporarily closing the Virginia-based site (.pdf) that hosted the stolen data.

via The Criminal Indictment That Could Finally Hit Spyware Makers Hard | WIRED.


Out in the Open: Hackers Build a Skype That’s Not Controlled by Microsoft | Enterprise | WIRED

2014.09.03

The web forum 4chan is known mostly as a place to share juvenile and, to put it mildly, politically incorrect images. But it’s also the birthplace of one of the latest attempts to subvert the NSA’s mass surveillance program.

When whistleblower Edward Snowden revealed the full extent of the NSA’s activities last year, members of the site’s tech forum started talking about the need for a more secure alternative to Skype. Soon, they’d opened a chat room to discuss the project and created an account on the code hosting and collaboration site GitHub and began uploading code.

Eventually, they settled on the name Tox, and you can already download prototypes of the surprisingly easy-to-use tool. The tool is part of a widespread effort to create secure online communication tools that are controlled not only by any one company, but by the world at large—a continued reaction to the Snowden revelations. This includes everything from instant messaging tools to email services.

via Out in the Open: Hackers Build a Skype That’s Not Controlled by Microsoft | Enterprise | WIRED.


It’s a shame that w.a.s.t.e. died such an ignoble death — mostly because it was hard to set up, I think. Even so, IM was just a side-feature, not its raison d’être, so you can still make an argument for Tox and against w.a.s.t.e., despite the very nice Pynchon reference.

A Google Site Meant to Protect You Is Helping Hackers Attack You | Threat Level | WIRED

2014.09.02

Official Gmail Blog: A first step toward more global email

2014.08.25

But all that could change. In 2012, an organization called the Internet Engineering Task Force (IETF) created a new email standard that supports addresses with non-Latin and accented Latin characters e.g. ?????.????. In order for this standard to become a reality, every email provider and every website that asks you for your email address must adopt it. That’s obviously a tough hill to climb. The technology is there, but someone has to take the first step.

via Official Gmail Blog: A first step toward more global email.


The TL;DR is: Google is enabling non-Latin characters in email addresses (cf. RFC 6530). Whether this will encourage widespread acceptance is going to be interesting to see; like IPv4, everyone’s gotten used to The Way We Do It Now. And like IPv6, I doubt there’s going to be much switchover unless it’s forced.

One obvious benefit would be to employ char-sets in the email header as part of heuristic anti-spam measures in a more nuanced way (as opposed to “anything non-LATIN-1 gets more weight when spam/ham score is being calculated”) — you’d be able to say “well, we have customers in Russia, so Cyrillic is OK, but we have no market in Asia so Asian languages have a higher spam score”.
