iTunes updates

The decision of whether or not to update iTunes is always a wary one for me.

On the one hand, it is possible they are patching essential security bugs that are leaving one or more of my devices vulnerable.

On the other, it is likely that the update will include at the very least a gratuitous and confusing user interface change, and at most will be another transformation in the functioning of the whole program. I don’t want to need to learn new software every time Apple decides to mix things up again, and they have an unfortunate habit of eliminating good features and introducing deliberately frustrating ones.

‘backed by certain states’

In a slightly ominous development, GMail is now warning me that: “We believe that attackers backed by certain states may be attempting to compromise your account or computer” and urges me to “Protect yourself now”.

This is probably just further fallout from the Stratfor hack. I wish it wasn’t happening while I am so completely occupied with urgent school assignments, climate work, and continuing efforts to do paid photographic work.

Phone hacking – everything is a computer these days

This video shows off some of the realistic attacks that can be performed against office-type landline telephones these days:

The presentation in this video was made by Ang Cui, a researcher from the Columbia University Intrusion Detection Systems Lab.

More information about the ‘symbiote’ protective software mentioned in the video is on their site. Weird that hacking your own phone to address failures in the firmware might be the best way of improving the security of your network…

I wonder if the Columbia researchers collaborate at all with U of T’s Citizen Lab.

Shell ad parody generator

With this website, you can make your own satirical version of Shell’s “Let’s go” ads:

Shell is one of the most enthusiastic companies taking advantage of how climate change is melting the arctic in order to drill for oil there and thus cause even more warming. Shell is also the largest single investment in the portfolio of the University of Toronto.

Toronto 350.org is calling on the University of Toronto to sell its stock in Shell, as a starting point for a general campaign of fossil fuel divestment.

Anyone want to try Silent Circle?

Given that unencrypted email and phone traffic is now likely to be intercepted by state intelligence services, and given that services like Skype probably have backdoors that render their encryption ineffective, would anyone be interested in trying out Silent Circle: a new encryption platform backed by Phil Zimmermann, creator of the original PGP?

According to the people running the service:

We do not have the ability to decrypt your communications across our network and nor will anyone else – ever. Silent Phone, Silent Text and Silent Eyes all use end-to-end encryption and erase the session keys from your device once the call or text is finished. Our servers don’t hold the keys. Our encryption keeps unauthorized people from understanding your transmissions. It keeps criminals, governments, business rivals, neighbors and identity thieves from stealing your data and from destroying your personal or corporate privacy. There are no back doors in our systems, nor will there ever be.

The service costs $20 per month and includes encrypted phone, text, email, and video chat capabilities. In recognition of how such services only become useful once they have a certain base of subscribers, each subscription lets you also sign up one friend for the service for free.

The ‘phone’ part of the iPhone can be very distracting

Sometimes, I wish I could uninstall the ‘Phone’ app from my iPhone. It’s amazing to be able to access email and websites from anywhere, without needing to rely on the availability of WiFi. It’s less amazing for people to be able to initiate immediate verbal communication with me at any time of day or night.

Between working as a TA and taking courses, I think it’s pretty difficult for doctoral students in the first couple of years to do much substantive reading and thinking about their thesis topic. In order to counter that, I am trying to do what I can to reduce the number of apparently urgent items popping up in my attention stream.

I wish the iPhone was a bit more granular in terms of which services you can turn off. It’s great that the iPhone has an ‘airplane mode’ that kills both access to the cellular network and access to WiFi. It’s also great that you can turn on airplane mode with WiFi enabled (for internet access with no phone calls or text messages). I wish you could allow the phone to use the cellular network for email and web browsing but disable it for text messages and phone calls.

Making the best of overlapping WiFi

Most of the places I have lived during the last few years have been permeated by more than ten overlapping WiFi networks. Apartments and businesses each have their own internet connection which they connect to their own devices via a wireless router.

Unfortunately, the effect of so many simultaneously operating networks can be one of disruptive interference between them. Everyone gets slower and patchier internet access as all the routers compete for the relatively small number of communication channels that are part of the WiFi standard.

It would be really neat if people could develop software to allow routers to engage with each other intelligently. Consumers could program in their preferences regarding total bandwidth usage, whether to let strangers use their network, and so on. The routers could then make intelligent use of the infrastructure that is available: turning off less capable WiFi hotspots to reduce interference, directing traffic through the connections of those with large bandwidth caps, and deploying encryption technology to foil some of the illegal surveillance that has become commonplace around the world. There could even be a quid pro quo system implemented; people who are willing to share their internet connection with strangers could be granted priority access by the routers of others. By sharing my home internet connection in Toronto, for instance, I might be given a login credential that I could use with appropriate routers in other cities. With a big enough network of users, such connection sharing could be very useful.

This isn’t a system that would need to be deployed all at once by all router manufacturers. A few could adopt a voluntary standard for cooperation between routers. That would allow for some real-world testing and the identification of any problems related to functionality or security. In the end, the result could be the bottom-up development of a more effective and secure mechanism for wireless internet access in high-density environments.

Web servers are vulnerable machines

Imagine you have rigged up an unusual machine, like a home-made steam engine or a centrifuge. Even if it seemed to be working smoothly, it’s not the sort of thing you would want to leave unattended. It’s quite likely that doing so would break the machine, and quite probably cause damage to nearby property or people.

It’s important to remember that a web server is a pretty sophisticated machine. An entry served up by a WordPress blog is quite a different thing from a printed newspaper article or even a static HTML page. When you view a WordPress page, there is a dynamic interplay between your web browser and the web server. You request particular content and WordPress uses PHP scripts to pull together the necessary data from MySQL databases. The same is true for other dynamic content management systems (CMS), like Joomla or MediaWiki. Underneath all this, there is Apache HTTP Server and whatever operating system the server is running.

All this PHP and MySQL work creates openings for attackers. These can never be completely eliminated, though maintaining an updated version of your CMS and being careful about things like passwords and file permissions is important.

What may be most important, I think, is changing the perception of what kind of machine a web server is. You cannot assume that it will continue to obediently do what you want if you leave it alone. It is quite possible that some malicious human or robot will find a crack, take control of it in whole or in part, and then use it for nefarious tasks like sending spam or joining a botnet. If you aren’t paying any attention to things like your server logs, you might never even know that your site has been compromised.

In short:

  1. If you run a web server, be aware that it is a constant target for attack.
  2. It is wise to take precautions, like promptly updating software and choosing strong passwords.
  3. Keep an eye open for unauthorized activity.
  4. Have backups in place for recovery after an attack.
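As an added illustration of point 3 (keeping an eye on your server logs), here is a small script that reads Apache access-log lines in the common “combined” format and flags clients that hammer the WordPress login form or generate a burst of 404s while probing for files. It is example code written for this post, not something from the original entry or from the Apache or WordPress projects; the log lines and IP addresses are constructed, and the thresholds are assumptions you would tune for your own site.

```python
import re
from collections import defaultdict

# One Apache "combined" access-log line (assumed format; example code, not from the post).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_clients(log_text, login_threshold=5, notfound_threshold=10):
    """Flag client IPs that (a) POST to wp-login.php more than login_threshold times
    (password guessing) or (b) trigger more than notfound_threshold 404s (file probing)."""
    logins = defaultdict(int)
    notfound = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:          # skip lines in a format we do not understand
            continue
        path = rec["path"].split("?")[0]
        if rec["method"] == "POST" and path.endswith("/wp-login.php"):
            logins[rec["ip"]] += 1
        if rec["status"] == "404":
            notfound[rec["ip"]] += 1
    findings = {}
    for ip, n in logins.items():
        if n > login_threshold:
            findings.setdefault(ip, []).append(f"{n} POSTs to wp-login.php")
    for ip, n in notfound.items():
        if n > notfound_threshold:
            findings.setdefault(ip, []).append(f"{n} responses with status 404")
    return findings

# Constructed sample log: 203.0.113.5 hammers the login form, 198.51.100.7 probes for
# files that do not exist, and 192.0.2.9 is an ordinary reader who logs in once.
def _line(ip, method, path, status):
    return f'{ip} - - [10/Feb/2013:02:14:01 +0000] "{method} {path} HTTP/1.1" {status} 512'

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.5", "POST", "/wp-login.php", 200)] * 8
    + [_line("198.51.100.7", "GET", f"/missing-{i}.html", 404) for i in range(12)]
    + [_line("192.0.2.9", "GET", "/2013/02/web-servers-are-vulnerable-machines/", 200),
       _line("192.0.2.9", "POST", "/wp-login.php", 302)]
)

if __name__ == "__main__":
    for ip, reasons in suspicious_clients(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

On a real server you would feed it the contents of the access log (for example from a nightly cron job) and review anything it flags rather than acting on it automatically.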

Practice safer blogging!