Snoopers’ laws could be used to ‘oppress us’, says David Cameron technology adviser – Telegraph

Ben Hammersley, a Number 10 adviser to the Tech City project, said the draft Communications Data Bill could be turned from a force for good into something more sinister under future governments.

The main aim of the Bill is to give security services like MI5 and GCHQ the ability to monitor email traffic, without actually looking at its content.

However, it is currently being revised after a committee of MPs and peers raised privacy concerns about the bill’s intrusion into people’s lives.

Asked for his views on the new laws, Mr Hammersley said the consequences could be “disastrous” in an interview with Tank magazine.

“I don’t trust future governments,” he said. “The successors of the politicians who put this in place might not be trustworthy.

via Snoopers’ laws could be used to ‘oppress us’, says David Cameron technology adviser – Telegraph.

Epic #mustread on DDoS, re: Spamhaus/Cyberbunker and “bringing down the Internet” with DDoS

Extract from the posting:

First off I can confirm a few basic facts, namely that we really did receive a ~300 Gbps attack directed at Cloudflare, and later specifically targeted at pieces of our core infrastructure. This is definitely on the large end of the scale as far as DoS attacks go, but I wouldn’t call it “record smashing” or “game changing” in any special way. It’s just another large attack, maybe 10-15% larger than other similar ones we’ve seen in the past, and I’m certain we will continue to see even larger ones in the future as global traffic levels increase. What made this particular attack notable is where it was targeted, which greatly increased the number of people who noticed it.

In defense of the claims in other articles, there is a huge difference between “taking down the entire Internet” and “causing impact to notable portions of the Internet”. My company, most other large Internet carriers, and even the largest Internet exchange points, all deliver traffic at multi-terabits-per-second rates, so in the grand scheme of things 300 Gbps is certainly not going to destroy the Internet, wipe anybody off the map, or even show up as more than a blip on the charts of global traffic levels. That said, there is absolutely NO network on this planet who maintains 300 Gbps of active/lit but unused capacity to every point in their network. This would be incredibly expensive and wasteful, and most of us are trying to run for-profit commercial networks, so when 300 Gbps of NEW traffic suddenly shows up and all wants to go to ONE location, someone is going to have a bad day.

But, having a bad day on the Internet is nothing new. […]

The whole thing is worth reading; it is a response to this Gizmodo article and apparently to one comment on it from someone looking for primary sources.

I hope the comment’s author feels he got his money’s worth.

tl;dr – breaking the internet is still really hard via DDoS.

ipmi: freight train to hell #security #danfarmer

A paper on IPMI and BMC security:

ipmi: freight train to hell, plain HTML or dangerous PDF (bloated director’s cut; HTML was generated from Word and edited down.)

– or –

ipmi: express train to hell, in HTML or PDF (1 page, G-rated version.)

The 2nd link is the express/single page/reader’s digest version, which has various generalities that I try to fully explain in the paper or supporting documents. Added bonus: if you buy now you’ll get free additional supporting materials along with a razor sharp virtual Ginsu knife!

Note – I’ve heard a LOT of people dismiss all this and claim that all you need to do to secure your IPMI/BMCs is to ensure that their network interfaces are on their own network and be careful about that critical password. This is simply incorrect. If you haven’t read the paper or heard the arguments within you might read it to find out why I believe you’re dead wrong (and if you still disagree drop me a line and tell me!) Note that anyone with server admin access can manage the IPMI network settings of its BMC without authentication, attack the BMC, compromise it, and then pivot through to attack the management network.

Note #2. As if all the above weren’t enough, I just found out that the infamous Cipher Zero (0) is enabled by default on all my systems… this allows anyone to authenticate to the BMC with any password you choose (even if you manage to guess the correct one, that still works.) Fascinating stuff.

via All the IPMI that’s fit to print.

“Testing Tor Hidden Services with Burp Pro” – /ht @runasand # spooks will be buying burp at speed

Testing Tor Hidden Services With Burp Pro
FEB 25TH, 2013

On February 15, Dafydd Stuttard announced the release of Burp Suite v1.5.05. This release contains a number of feature enhancements and bugfixes, including an extension to the SOCKS proxy support which allows users to specify that all DNS lookups should be done remotely via the proxy. This means that it is possible to test Tor hidden services with Burp.

This feature is currently only available in Burp Pro, but should eventually make its way into the free edition.

Tor hidden services

Tor hidden services, sometimes also referred to as the hidden web, dark web, and deep web, were deployed on the Tor network in 2004. Hidden services allow users to host various kinds of resources, such as websites and instant messaging servers, without having their identity or location revealed…

continues at Testing Tor Hidden Services with Burp Pro –
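An added example, not part of the quoted post or of Burp: why "DNS lookups done remotely via the proxy" matters on the wire. A SOCKS CONNECT request either carries the hostname (the proxy resolves it, the only way a .onion name can work) or an IP address the client has already resolved itself. The function names and the sample .onion name are constructed for illustration.

```python
import ipaddress
import struct

def build_socks5_connect(hostname: str, port: int) -> bytes:
    """SOCKS5 CONNECT carrying the name itself (ATYP 0x03): the proxy resolves it."""
    name = hostname.encode("ascii")
    if not 0 < len(name) <= 255:
        raise ValueError("hostname must be 1..255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)

def classify_socks_request(data: bytes):
    """Return (resolver, destination, port); resolver is who did the DNS lookup."""
    if len(data) < 8:
        raise ValueError("truncated request")
    if data[0] == 5:                                   # SOCKS5: VER CMD RSV ATYP ADDR PORT
        atyp = data[3]
        if atyp == 3:                                  # length-prefixed domain name
            n = data[4]
            addr, rest = data[5:5 + n], data[5 + n:]
            resolver, dest = "proxy", addr.decode("ascii")
        elif atyp in (1, 4):                           # raw IPv4 / IPv6 address
            n = 4 if atyp == 1 else 16
            addr, rest = data[4:4 + n], data[4 + n:]
            if len(addr) != n:
                raise ValueError("truncated address")
            resolver, dest = "client", str(ipaddress.ip_address(addr))
        else:
            raise ValueError("unknown ATYP")
        if len(addr) != n or len(rest) < 2:
            raise ValueError("truncated request")
        return resolver, dest, struct.unpack(">H", rest[:2])[0]
    if data[0] == 4:                                   # SOCKS4: VN CD PORT IP USERID NUL
        port = struct.unpack(">H", data[2:4])[0]
        ip = data[4:8]
        user_end = data.index(b"\x00", 8)              # ValueError if unterminated
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:   # SOCKS4a marker 0.0.0.x
            host_end = data.index(b"\x00", user_end + 1)
            return "proxy", data[user_end + 1:host_end].decode("ascii"), port
        return "client", str(ipaddress.ip_address(ip)), port
    raise ValueError("not a SOCKS4/5 request")

# Constructed sample: a placeholder hidden-service name, not a real address.
SAMPLE_ONION = "exampleplaceholderservice.onion"

if __name__ == "__main__":
    print(classify_socks_request(build_socks5_connect(SAMPLE_ONION, 80)))
```

A request classified as "client" means the name was looked up before it reached the proxy, so the lookup itself was visible outside Tor and a .onion target could not have resolved at all.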

Craig: “Are you a libertarian or something, because I’m not sensing any clear political philosophy behind your position?”

Alec: “No, I’m not a libertarian. I’m from the Internet. I’m here to help.