Category Archives: networking

Snoopers’ laws could be used to ‘oppress us’, says David Cameron technology adviser – Telegraph

Ben Hammersley, a Number 10 adviser to the Tech City project, said the draft Communications Data Bill could be turned from a force for good into something more sinister under future governments.

The main aim of the Bill is to give security services like MI5 and GCHQ the ability to monitor email traffic, without actually looking at its content.

However, it is currently being revised after a committee of MPs and peers raised privacy concerns about the bill’s intrusion into people’s lives.

Asked for his views on the new laws, Mr Hammersley said the consequences could be “disastrous” in an interview with Tank magazine.

“I don’t trust future governments,” he said. “The successors of the politicians who put this in place might not be trustworthy.

via Snoopers’ laws could be used to ‘oppress us’, says David Cameron technology adviser – Telegraph.

Epic #mustread on DDoS, re: Spamhaus/Cyberbunker and “bringing down the Internet” with DDoS

Extract from the posting:

First off I can confirm a few basic facts, namely that we really did receive a ~300 Gbps attack directed at Cloudflare, and later specifically targeted at pieces of our core infrastructure. This is definitely on the large end of the scale as far as DoS attacks go, but I wouldn’t call it “record smashing” or “game changing” in any special way. It’s just another large attack, maybe 10-15% larger than other similar ones we’ve seen in the past, and I’m certain we will continue to see even larger ones in the future as global traffic levels increase. What made this particular attack notable is where it was targeted, which greatly increased the number of people who noticed it.

In defense of the claims in other articles, there is a huge difference between “taking down the entire Internet” and “causing impact to notable portions of the Internet”. My company, most other large Internet carriers, and even the largest Internet exchange points, all deliver traffic at multi-terabits-per-second rates, so in the grand scheme of things 300 Gbps is certainly not going to destroy the Internet, wipe anybody off the map, or even show up as more than a blip on the charts of global traffic levels. That said, there is absolutely NO network on this planet who maintains 300 Gbps of active/lit but unused capacity to every point in their network. This would be incredibly expensive and wasteful, and most of us are trying to run for-profit commercial networks, so when 300 Gbps of NEW traffic suddenly shows up and all wants to go to ONE location, someone is going to have a bad day.

But, having a bad day on the Internet is nothing new. [...]

The whole thing is worth reading, all of which is a response to this Gizmodo article and apparently re: one comment on it from someone looking for primary sources.

I hope the comment’s author feels he got his money’s worth.

tl;dr – breaking the internet is still really hard via DDoS.

ipmi: freight train to hell #security #danfarmer

A paper on IPMI and BMC security:

ipmi: freight train to hell, plain HTML or dangerous PDF (bloated director’s cut; HTML was generated from word and edited down.)

- or -

ipmi: express train to hell, in HTML or PDF (1 page, G-rated version.)

The 2nd link is the express/single page/reader’s digest version, which has various generalities that I try to fully explain in the paper or supporting documents. Added bonus: if you buy now you’ll get free additional supporting materials along with a razor sharp virtual Ginsu knife!

Note – I’ve heard a LOT of people dismiss all this and claim that all you need to do to secure your IPMI/BMCs is to ensure that their network interfaces are on their own network and be careful about that critical password. This is simply incorrect. If you haven’t read the paper or heard the arguments within you might read it to find out why I believe you’re dead wrong (and if you still disagree drop me a line and tell me!) Note that anyone with server admin access can manage the IPMI network settings of its BMC without authentication, attack the BMC, compromise it, and then pivot through to attack the management network.

Note #2. As if all the above weren’t enough, I just found out that the infamous Cipher Zero (0) is enabled by default on all my systems… this allows anyone to authenticate to the BMC with any password you choose (even if you manage to guess the correct one, that still works.) Fascinating stuff.

via All the IPMI that’s fit to print.
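
A quick way to check your own BMCs for the Cipher Zero default mentioned above, as an added example that is not from the paper or its author. It assumes the output format of `ipmitool lan print` and ipmitool's documented convention that character position i of the privilege string maps to cipher suite i; the sample output is constructed.

```python
import re

# Constructed sample of `ipmitool lan print 1` output (not from a real BMC).
SAMPLE_LAN_PRINT = """\
IP Address Source       : Static Address
IP Address              : 192.0.2.10
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     a=ADMIN
"""

PRIV_NAMES = {"X": "unused", "c": "CALLBACK", "u": "USER",
              "o": "OPERATOR", "a": "ADMIN", "O": "OEM"}


def parse_lan_print(text):
    """Return (offered suite IDs, {suite ID: max privilege name})."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():          # skip legend lines, which have no key
            fields[key.strip()] = value.strip()
    offered = [int(s) for s in
               re.findall(r"\d+", fields.get("RMCP+ Cipher Suites", ""))]
    # Assumption: position i in the privilege string is cipher suite i.
    privs = {i: PRIV_NAMES.get(ch, "unknown")
             for i, ch in enumerate(fields.get("Cipher Suite Priv Max", ""))}
    return offered, privs


def cipher_zero_finding(text):
    """Describe cipher suite 0 exposure, or return None if it is disabled."""
    offered, privs = parse_lan_print(text)
    priv = privs.get(0)
    if priv == "unused" or (priv is None and 0 not in offered):
        return None
    level = priv or "an unreported privilege level"
    listed = "listed" if 0 in offered else "not listed"
    return f"cipher suite 0 usable up to {level} ({listed} in RMCP+ Cipher Suites)"


if __name__ == "__main__":
    print(cipher_zero_finding(SAMPLE_LAN_PRINT) or "cipher suite 0 disabled")
```

A BMC whose privilege string starts with `X` reports nothing here; anything else means cipher suite 0 sessions are accepted up to the named privilege level.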

“Testing Tor Hidden Services with Burp Pro” – blog.encrypted.cc /ht @runasand # spooks will be buying burp at speed

Testing Tor Hidden Services With Burp Pro
FEB 25TH, 2013

On February 15, Dafydd Stuttard announced the release of Burp Suite v1.5.05. This release contains a number of feature enhancements and bugfixes, including an extension to the SOCKS proxy support which allows users to specify that all DNS lookups should be done remotely via the proxy. This means that it is possible to test Tor hidden services with Burp.

This feature is currently only available in Burp Pro, but should eventually make its way into the free edition.

Tor hidden services

Tor hidden services, sometimes also referred to as the hidden web, dark web, and deep web, were deployed on the Tor network in 2004. Hidden services allow users to host various kinds of resources, such as websites and instant messaging servers, without having their identity or location revealed…

continues at Testing Tor Hidden Services with Burp Pro – blog.encrypted.cc.

Craig: “Are you a libertarian or something, because I’m not sensing any clear political philosophy behind your position?”

Alec: “No, I’m not a libertarian. I’m from the Internet. I’m here to help.”

Haz.

OH MY GOD: THE U.S. GOVT ARE TRYING TO PROTECT THE INTERNET FROM PEOPLE LIKE _ME_ #guardian

No wonder it’s so fucked up:

Two branches of the US government are introducing cybersecurity legislation on Wednesday but hackers, the very people the government is trying to protect the internet from, have serious doubts about the government’s ability to legislate technology.

President Barack Obama is expected to mention an executive order on cybersecurity in Tuesday’s state of the union, with details on the order to be released Wednesday morning. That same day, congressman Mike Rogers will reintroduce Cispa, the cybersecurity bill that allows private companies to share information about cyberthreats with the government.

Vacuous, ill-informed bloody lede.

Hackers call US government’s latest cybersecurity efforts ‘a train wreck’ | Technology | guardian.co.uk.

When CCIEs Get Bored

It would be better pasted into a wider window, sorry.

$ traceroute 216.81.59.173
traceroute to 216.81.59.173 (216.81.59.173), 64 hops max, 52 byte packets
 1  router (192.168.200.1)  0.538 ms  0.341 ms  0.309 ms
 2  upstream (-)  22.733 ms  22.833 ms  22.119 ms
 3  ge-2-1-0-119.cr2.th-lon.zen.net.uk (62.3.84.209)  75.835 ms  68.930 ms  23.084 ms
 4  10gigabitethernet1-1.core1.lon1.he.net (195.66.224.21)  23.018 ms  27.897 ms  26.900 ms
 5  10gigabitethernet7-4.core1.nyc4.he.net (72.52.92.241)  90.606 ms  554.439 ms
    10gigabitethernet2-4.core1.par2.he.net (72.52.92.42)  29.337 ms
 6  10gigabitethernet7-1.core1.ash1.he.net (184.105.213.93)  109.631 ms  104.663 ms
    10gigabitethernet2-3.core1.ash1.he.net (72.52.92.86)  154.955 ms
 7  10gigabitethernet1-2.core1.atl1.he.net (184.105.213.110)  183.408 ms  160.461 ms  110.334 ms
 8  216.66.0.26 (216.66.0.26)  114.245 ms  178.721 ms  221.875 ms
 9  10.26.26.102 (10.26.26.102)  225.972 ms  144.198 ms  150.501 ms
10  episode.iv (206.214.251.1)  148.014 ms  264.575 ms  151.679 ms
11  a.new.hope (206.214.251.6)  565.561 ms  564.670 ms  180.395 ms
12  it.is.a.period.of.civil.war (206.214.251.9)  142.097 ms  154.004 ms  532.942 ms
13  rebel.spaceships (206.214.251.14)  348.396 ms  579.628 ms  144.179 ms
14  striking.from.a.hidden.base (206.214.251.17)  616.023 ms  474.784 ms  215.513 ms
15  have.won.their.first.victory (206.214.251.22)  154.493 ms  299.686 ms  145.318 ms
16  against.the.evil.galactic.empire (206.214.251.25)  644.404 ms  671.914 ms  152.203 ms
17  during.the.battle (206.214.251.30)  156.688 ms  153.137 ms  563.022 ms
18  rebel.spies.managed (206.214.251.33)  229.392 ms  579.629 ms  145.790 ms
19  to.steal.secret.plans (206.214.251.38)  270.446 ms  658.964 ms  169.195 ms
20  to.the.empires.ultimate.weapon (206.214.251.41)  146.634 ms  153.271 ms  154.447 ms
21  the.death.star (206.214.251.46)  202.452 ms  174.831 ms  153.693 ms
22  an.armored.space.station (206.214.251.49)  151.917 ms  222.810 ms  173.003 ms
23  with.enough.power.to (206.214.251.54)  143.061 ms  164.221 ms  182.547 ms
24  destroy.an.entire.planet (206.214.251.57)  306.596 ms  145.697 ms  146.715 ms
25  pursued.by.the.empires (206.214.251.62)  649.086 ms  667.686 ms  145.531 ms
26  sinister.agents (206.214.251.65)  146.956 ms  172.135 ms  156.997 ms
27  princess.leia.races.home (206.214.251.70)  431.238 ms  152.866 ms  398.611 ms
28  aboard.her.starship (206.214.251.73)  207.987 ms  489.161 ms  251.324 ms
29  custodian.of.the.stolen.plans (206.214.251.78)  154.369 ms  270.057 ms  155.652 ms
30  that.can.save.her (206.214.251.81)  491.232 ms  145.153 ms  710.641 ms
31  people.and.restore (206.214.251.86)  152.278 ms  719.987 ms  162.449 ms
32  freedom.to.the.galaxy (206.214.251.89)  602.526 ms  191.618 ms  680.115 ms
33  0-------------------0 (206.214.251.94)  147.095 ms  184.080 ms  160.935 ms
34  0------------------0 (206.214.251.97)  163.090 ms  334.519 ms  190.740 ms
35  0-----------------0 (206.214.251.102)  154.429 ms  176.559 ms  153.388 ms
36  0----------------0 (206.214.251.105)  145.374 ms  274.739 ms  161.956 ms
37  0---------------0 (206.214.251.110)  153.293 ms  176.701 ms  153.275 ms
38  0--------------0 (206.214.251.113)  270.175 ms  152.928 ms  154.894 ms
39  0-------------0 (206.214.251.118)  373.242 ms  145.288 ms  541.714 ms
40  0------------0 (206.214.251.121)  238.250 ms  683.851 ms  146.784 ms
41  0-----------0 (206.214.251.126)  150.259 ms  187.321 ms  147.090 ms
42  0----------0 (206.214.251.129)  414.688 ms  147.949 ms  152.071 ms
43  0---------0 (206.214.251.134)  471.911 ms  183.576 ms  465.671 ms
44  0--------0 (206.214.251.137)  199.432 ms  409.354 ms  265.451 ms
45  0-------0 (206.214.251.142)  181.472 ms  479.873 ms  301.220 ms
46  0------0 (206.214.251.145)  151.773 ms  293.885 ms  145.574 ms
47  0-----0 (206.214.251.150)  459.381 ms  147.700 ms  665.266 ms
48  0----0 (206.214.251.153)  573.955 ms  235.893 ms  448.826 ms
49  0---0 (206.214.251.158)  187.107 ms  412.364 ms  217.939 ms
50  0--0 (206.214.251.161)  188.000 ms  316.122 ms  434.712 ms
51  0-0 (206.214.251.166)  150.238 ms  476.558 ms  167.450 ms
52  00 (206.214.251.169)  147.140 ms  353.229 ms  147.003 ms
53  i (206.214.251.174)  320.684 ms  439.016 ms  395.035 ms
54  by.ryan.werber (206.214.251.177)  152.798 ms  145.505 ms  477.757 ms
55  when.ccies.get.bored (206.214.251.182)  395.493 ms  378.139 ms  278.545 ms
56  ccie.38168 (206.214.251.185)  293.925 ms  245.653 ms  150.753 ms
57  fin (206.214.251.190)  149.807 ms *  602.977 ms

#StupidOrScam? I was just sent a link about the @hola_org VPN; the @torproject people will waste ages explaining what’s wrong with it

…so I might as well make a start to save them some bother.

http://hola.org/faq.html – some snippets:

Hola is building an overlay network which will change the way the Internet works – for the first time in 40 years. Our ultimate goal is to make the Internet 10x faster!

By slowing it down with a weak anonymising proxy mashed up with an unmanaged P2P CDN?

Hola accelerates HTTP using a combination of patented technologies – caching, multiple sources, compression, P2P protocols and other technologies. Hola also creates a special local cache with the Hola client (your Android phone or Windows PC) so when you reload content (like a YouTube movie) it doesn’t come from the web again, but from the local Hola cache.

“Patented”, yes, of course all the good stuff on the internet is patented – compression and caching for instance! Plus you are happy to propose breaking cache-control directives which your browser would probably be obeying, because of course you know better? If you’re not breaking the cache-control directives (http://hola.org/faq.html#securitycaching) then what is wrong with the in-browser caching that you claim to be improving?

For initial Hola users, the Internet will be fast, but as more people install Hola, the web will get even faster. Faster browsing. Faster Video. Clearer voice and video chat — While the load on the core network will decrease.

So there’s a Core network? You’re not P2P then?

Another nice side effect of the Hola technology is that it provides various levels of anonymity, that ultimately will enable you to view any content from anywhere. This means that you will not be censored by your ISP, your government, your corporation or a web site. Currently Hola does this for a limited set of sites (see the Hola Unblocker for more information).

Anonymous? Sure, except that you only ship HTTP not HTTPS (below) and mention nothing about anonymising / stripping identity out of sessions, so someone’s session cookies could be going anywhere.

Hola is FREE, and we hope to always keep it that way.

Hope?

Does Hola accelerate all web pages?

No. For security reasons, Hola won’t speed up HTTPS pages (such as bank pages). Also, while Hola is still in Beta it does not speed up all HTTP pages – this depends on the number of Hola users in the region, and other factors. Expect improvement in the acceleration as the Beta progresses.

Not HTTPS? Bzzt, wrong answer. Plus: HTTPS pages should be everything, not just “bank pages”.

What is Hola’s goal?

Our goal is to make the Internet much better for you — faster, easier to connect to, more reliable, more available. Your Beta copy is our first step to make this happen. We plan to do this while keeping the product free for our users.

So it’s an app. Where’s the source code? Not available? Is it patented?

How is Hola free?

Hola is the only service of its type that is free

Have you not heard of Tor? Or I2P? Freenet? Any of a bunch of other VPNs?

because Hola’s technology does not require us to have actual servers — as more people join the network, they pool their resources to help each other to make a better Internet for all, and thus we have no additional costs per user.

So there’s a P2P network not a Core… no, wait, that’s not what you said above?

And that cost savings is translated in to a free product.

Sorry, cost saving? To whom? What? Where? How does that work?

We plan to make our money from premium services we will offer in the future.

Ah, of course. And what would those be?

How is Hola Unblocker free while the other VPN solutions cost money?

Hola is the only service of its type that is free because Hola’s Better Internet technology does not require us to have actual servers.

Hold the phone, isn’t this just the same answer repeated with slightly different words?

As more people join the Hola network, they pool their resources to help each other to make a better Internet for everyone, and so Hola has no additional cost per user. That cost savings is translated into a free product (free for us means no advertising either).

Yes, yes of course it is. I imagine the network is managed by unicorns and narwhal spirit guides?

Most VPN solutions slow down my surfing – how come Hola’s doesn’t?

Hola sends only the traffic to the blocked site through other servers. The rest of your traffic flows to the websites you are visiting without going through a proxy.

Network anonymity doesn’t work like that. As my friend Glyn puts it: anonymity is hard, if you get it wrong then people could die; and this does not smell right to me.

For instance, say that you are watching a video through Hola: how do you ensure that other page content attributable to you does not travel by non-Hola means, thereby breaking anonymity? And this is one of the fundamental issues…

If you have the Hola software installed on your computer or phone, your web browsing will actually be faster than without Hola.

Somehow I doubt it.

HT @geoffarnold