Thursday, October 17, 2013

Breaking Affiliations

Although Andrei does not know it yet, I am breaking affiliations with Kriegsphilosophie.

It was nice to write here when the going got tough.

Wednesday, October 16, 2013

The Death of Thomas Paine and Civic Duty

Dead is the age of pamphleteers. Hard data brings to mind visions of science fiction movies and the Utopian surveillance state which has - and this is a cliche - used Orwell's "1984" as a training manual as opposed to a warning. We do not have Huxley on the six o'clock anymore and Tupac is not around except in hologram form to remind us that slavery days are hardly an age past.

Here are some koans instead.

Q: Why has the fifth estate experienced mass surveillance through the centuries?
A: It's easy

Q: What do you call a non-Russian speaker who quotes Tolstoy and Dostoevsky?
A: Typical Blogspot user

Q: How many software updates does it take before you blame it on the compiler?
A: I don't know, it's still compiling

edit: If you're in Calgary, make sure you vote for your school trustee, councilor and mayor. I'm sure if Andrei was living here, he'd vote for Mr. Naheed Nenshi as well. Nenshi has a strong Public Policy background from Harvard and was a professor for many years at Mount Royal University. His leadership was instrumental during the city flooding and may have been key in saving the town from a massive shutdown.

Tuesday, October 15, 2013

Media Crawling

Spoof attacks, MITM and outdated certificates

On the subject of network ethics, we often want to ask how fraudulent digital fingerprints may manifest themselves over a particular domain. Whether you are using Chrome, Internet Explorer or Firefox, it is very easy to view the SSL certificates you have access to. As it turns out, the layer is not so secure.

The investigation started when I got onto campus this morning and decided to check the key chain on the Windows 7 machines in the library. A quick Google search using the keywords "fraudulent certificates" turned up a few articles on spoofs, phishing and man-in-the-middle (MITM) attacks over outdated certificate authorities. While some Tom can (and does) access information over web sockets between Alice and Bob's computers, we must keep in mind that most of these certificate authorities over SSL were instantiated in the 21st century. You can usually find certificates from Mozilla, Microsoft, Yahoo and Google. Other typical objects in the key chain usually come from international telecommunication networks, like Turkish and Dutch roots.

Typical adopters of web browsers will never give these objects much thought; they just kind of run in the background as artifacts of SOCKS routing. It is a matter of course that an attacker would use the path of least resistance and spoof or else forge a digital fingerprint for malicious means using what, prima facie, look like trusted certificates.

Although the latest documentation says that browser updates usually circumvent attacks on outdated or fraudulent authorities, it seems like that may not be the case after all. Attacks have been cited from 2011 onward by sources worldwide (a quick Google search will turn up thousands of results). At the cost of bashing Microsoft (which is not the intent), the interesting case is that you usually do not find such digital fingerprints even on what figures like RMS call "spyware operating systems" (like Ubuntu). Indeed, a quick look at my home network does not turn up any fraudulent or outdated certificate authorities.
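An added example, not part of the original post: a small Python audit of the validity windows of trusted root certificates, which catches the outdated roots discussed above but cannot tell whether a still-valid root is fraudulent. The sample entries and the helper names (`audit_roots`, `system_roots`, `common_name`) are constructed for illustration; entries use the dict shape returned by `ssl.SSLContext.get_ca_certs()`.

```python
import ssl
import time

# Constructed sample entries in the dict shape returned by
# ssl.SSLContext.get_ca_certs(); every name and date here is made up.
def _entry(cn, not_before, not_after):
    return {"subject": ((("commonName", cn),),),
            "notBefore": not_before, "notAfter": not_after}

SAMPLE_STORE = [
    _entry("Example Legacy Root", "Jan 15 00:00:00 2000 GMT", "Jan 15 00:00:00 2010 GMT"),
    _entry("Example Current Root", "Jun 10 00:00:00 2005 GMT", "Dec 31 23:59:59 2030 GMT"),
    _entry("Example Ending Root", "Nov 30 00:00:00 2003 GMT", "Nov 30 00:00:00 2013 GMT"),
    _entry("Example Future Root", "Jan 10 00:00:00 2014 GMT", "Jan 10 00:00:00 2034 GMT"),
]

def common_name(entry):
    """Pull the commonName out of the nested subject tuple, if present."""
    for rdn in entry.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no commonName>"

def audit_roots(entries, now=None, warn_days=90):
    """Return (status, name, notAfter) for roots outside a healthy validity window."""
    now = time.time() if now is None else now
    findings = []
    for entry in entries:
        start = ssl.cert_time_to_seconds(entry["notBefore"])
        end = ssl.cert_time_to_seconds(entry["notAfter"])
        if end < now:
            status = "expired"
        elif start > now:
            status = "not-yet-valid"
        elif end - now < warn_days * 86400:
            status = "expiring-soon"
        else:
            continue
        findings.append((status, common_name(entry), entry["notAfter"]))
    return findings

def system_roots():
    """Roots loaded by the local Python/OpenSSL trust store (may be empty on some systems)."""
    return ssl.create_default_context().get_ca_certs()

if __name__ == "__main__":
    for status, name, not_after in audit_roots(system_roots() or SAMPLE_STORE):
        print(f"{status:14} {name}  (notAfter {not_after})")
```

Run as a script, it audits the roots Python's default context has loaded and falls back to the constructed sample when that list is empty.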

Now, a colleague did make mention of some back-doors like this back when we were studying at the University of Calgary Health Sciences department, and it seems to have been patched, but IT in general here seems to allow for more than just MITM attacks - often unwittingly. Dangers of unauthenticated or non-secure SSL channels could be a 'black hat' digital signature, which implicates unknowing end users as perpetrators - not victims - of MITM or spoofs, and also allows prying eyes to look into your email. As an example, we trust our service providers to keep our banking information secured. I can say that my bank account information has been left as a starred item on Gmail since 2010 or so and there have been no worries. What does cause worry is when geographic metadata itself releases malicious digital fingerprints into cyberspace, particularly as a University student, and the next thing you know some police choppers are flying over an entire sub-net to investigate what is believed to be bad traffic.