From: thejuicemedia.com
Category: Internet matters
Posts about the internet
The ‘phone’ part of the iPhone can be very distracting
Sometimes, I wish I could uninstall the ‘Phone’ app from my iPhone. It’s amazing to be able to access email and websites from anywhere, without needing to rely on the availability of WiFi. It’s less amazing for people to be able to initiate immediate verbal communication with me at any time of day or night.
Between working as a TA and taking courses, I think it’s pretty difficult for doctoral students in the first couple of years to do much substantive reading and thinking about their thesis topic. In order to counter that, I am trying to do what I can to reduce the number of apparently urgent items popping up in my attention stream.
I wish the iPhone was a bit more granular in terms of which services you can turn off. It’s great that the iPhone has an ‘airplane mode’ that kills both access to the cellular network and access to WiFi. It’s also great that you can turn on airplane mode with WiFi enabled (for internet access with no phone calls or text messages). I wish you could allow the phone to use the cellular network for email and web browsing but disable it for text messages and phone calls.
Making the best of overlapping WiFi
Most of the places I have lived during the last few years have been permeated by more than ten overlapping WiFi networks. Apartments and businesses each have their own internet connection which they connect to their own devices via a wireless router.
Unfortunately, the effect of so many simultaneously operating networks can be one of disruptive interference between them. Everyone gets slower and patchier internet access as all the routers compete for the relatively small number of communication channels that are part of the WiFi standard.
It would be really neat if people could develop software to allow routers to engage with each other intelligently. Consumers could program in their preferences regarding total bandwidth usage, whether to let strangers use their network, and so on. The routers could then make intelligent use of the infrastructure that is available: turning off less capable WiFi hotspots to reduce interference, directing traffic through the connections of those with large bandwidth caps, and deploying encryption technology to foil some of the illegal surveillance that has become commonplace around the world. There could even be a quid pro quo system implemented; people who are willing to share their internet connection with strangers could be granted priority access by the routers of others. By sharing my home internet connection in Toronto, for instance, I might be given a login credential that I could use with appropriate routers in other cities. With a big enough network of users, such connection sharing could be very useful.
This isn’t a system that would need to be deployed all at once by all router manufacturers. A few could adopt a voluntary standard for cooperation between routers. That would allow for some real-world testing and the identification of any problems related to functionality or security. In the end, the result could be the bottom-up development of a more effective and secure mechanism for wireless internet access in high-density environments.
Web servers are vulnerable machines
Imagine you have rigged up an unusual machine, like a home-made steam engine or a centrifuge. Even if it seemed to be working smoothly, it’s not the sort of thing you would want to leave unattended. It’s quite likely that doing so would break the machine, and quite probably cause damage to nearby property or people.
It’s important to remember that a web server is a pretty sophisticated machine. An entry served up by a WordPress blog is quite a different thing from a printed newspaper article or even a static HTML page. When you view a WordPress page, there is a dynamic interplay between your web browser and the web server. You request particular content and WordPress uses PHP scripts to pull together the necessary data from MySQL databases. The same is true for other dynamic content management systems (CMS), like Joomla or MediaWiki. Underneath all this, there is Apache HTTP Server and whatever operating system the server is running.
All this PHP and MySQL work creates openings for attackers. These can never be completely eliminated, though maintaining an updated version of your CMS and being careful about things like passwords and file permissions is important.
What may be most important, I think, is changing the perception of what kind of machine a web server is. You cannot assume that it will continue to obediently do what you want if you leave it alone. It is quite possible that some malicious human or robot will find a crack, take control of it in whole or in part, and then use it for nefarious tasks like sending spam or joining a botnet. If you aren’t paying any attention to things like your server logs, you might never even know that your site has been compromised.
In short:
- If you run a webserver, be aware that it is a constant target for attack.
- It is wise to take precautions, like promptly updating software and choosing strong passwords.
- Keep an eye open for unauthorized activity.
- Have backups in place for recovery after an attack.
Practice safer blogging!
Dealing with some MediaWiki malware
I am not sure how it happened, but somebody (or some robot) managed to insert some malicious code into my wiki. Random people were receiving emails with links to URLs within the wiki and when they followed the links, they were redirected to malicious pages.
The URLs within the wiki resembled these:
- sindark.com/wiki/images/thumb/c/c4/Labelled_overview.png/kmdlss.html?dhe=fh.dhplh&zazssr=fe.dh&ahf=jgtf
- sindark.com/wiki/images/thumb/c/c4/Labelled_overview.png/kmdlss.html?er=edo.dhega&rdpy=fm.eza&zso=fbcb
- sindark.com/wiki/images/thumb/c/c4/Labelled_overview.png/kmdlss.html?vbh=egr.mdjgp&fvsa=fm.dhr&rdvh=ufrv
I removed the whole Labelled_overview.png folder, which it shouldn’t have been possible for a wiki user to upload, given that I had my wiki set up to only allow logged-in users to make edits. In addition to removing the folder, I have also updated MediaWiki to the newest version. I have also set up DreamHost’s system for automatically updating MediaWiki when new versions are released, though that risks breaking extensions that are not compatible with the new software and possibly causing other problems.
I still don’t know how the malware got introduced (perhaps through a vulnerability in an old version of MediaWiki or one of my extensions), so I am keeping the whole wiki inaccessible for now.
My apologies to anyone who followed one of the malicious links.
The whole incident shows one of the annoying things about the internet. Whenever you set up a content management system like WordPress or MediaWiki, you have to be aware that there will be efforts to compromise it. As such, you need to keep it well-updated and keep an eye out for malicious activity. You can’t just set it up and forget about it.
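Keeping an eye out can be partly automated. The following is an added example, not part of the original post: it scans Apache combined-format access log lines for requests that fetch anything other than a media file from the wiki's upload directory, which is the pattern the URLs above show. The upload prefix, the extension allowlist and the sample log lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this example: uploads are served from /wiki/images/ and
# only these file types should ever be requested from there.
UPLOAD_PREFIX = "/wiki/images/"
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif", "svg", "pdf"}

# Apache "combined" format: host ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def suspicious_upload_hits(lines):
    """Return (client, path, status) for each request that fetched something
    other than a media file from the upload directory."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than guess
        client, _method, target, status = m.groups()
        path = urlsplit(target).path          # drop the query string
        if not path.lower().startswith(UPLOAD_PREFIX):
            continue
        name = path.rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext not in ALLOWED_EXT:            # also catches bare directory requests
            hits.append((client, path, int(status)))
    return hits

def planted_files(hits):
    """Paths that were actually served (2xx): files to inspect on disk."""
    return sorted({path for _c, path, status in hits if 200 <= status < 300})

# Constructed sample lines: documentation IP addresses, placeholder dates and
# query strings. Only the kmdlss.html path comes from the post.
_T = "[01/Jan/2000:00:00:00 +0000]"
_DIR = "/wiki/images/thumb/c/c4/Labelled_overview.png"
SAMPLE_LOG = [
    f'198.51.100.23 - - {_T} "GET {_DIR}/kmdlss.html?x=1 HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    f'198.51.100.23 - - {_T} "GET {_DIR}/120px-Labelled_overview.png HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    f'203.0.113.9 - - {_T} "GET /wiki/index.php?title=Main_Page HTTP/1.1" 200 15000 "-" "Mozilla/5.0"',
    f'203.0.113.9 - - {_T} "GET {_DIR}/kmdlss.html?y=2 HTTP/1.1" 404 210 "-" "-"',
    "not a log line",
]

if __name__ == "__main__":
    for hit in suspicious_upload_hits(SAMPLE_LOG):
        print(hit)
```

A 404 on such a path after cleanup still matters: it shows that links to the removed file are still being followed.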
Free speech online
The internet is one of the places where people in free societies get to exercise their right to free speech. It’s also a place where a lot of private communication takes place, and where the protection of the right to privacy is a constant struggle.
For those reasons, I suggest people consider joining groups that work to protect our rights as citizens online, like the Electronic Frontier Foundation.
Also, remember that the only way to preserve rights is to use them. Make use of your right to engage in political speech online (maybe a little anonymity too).
Third rule of the internet
Following up on rules one and two, it seems appropriate to add a third: “You should probably worry more about being attacked online by your own government than by any other organization”.
This is really an extension of the point about how governments are more dangerous than terrorists and how institutions of armed power need oversight.
Based on the open source intelligence available, we have to assume that governments all over the world are constantly monitoring the activity of their citizens online, for reasons both reasonably benign and exceedingly nefarious. It is worth remembering that even if the official purpose of a surveillance program is acceptable, it can be abused by anyone who gains access to it for purposes that may be very dubious. Hackers and rogue government agents are well positioned to use internet surveillance to rob or blackmail people, for instance. It is also worth remembering that data is not only being monitored in real time; it is also being archived for unknown future purposes.
Tools for privacy
Thankfully, we do have some tools to make this ubiquitous surveillance more difficult to carry out. You probably cannot encrypt your hard drive well enough to protect the contents if government agents grab it, but you can encrypt your online communications sufficiently well to make it at least challenging to decrypt them. The more people streaming gigabytes of data via encrypted HTTPS connections, the less feasible it is to archive and crack internet traffic taken all in all.
You can also use tools like Tor. People should be willing to assert their right to anonymous communication.
Concept for a secret communication system
What you need
In order to use this system you will need two computers (which could include phones or other devices) with the same chess-playing software installed on them. The software must always suggest at least two moves for any given board position, and it must always produce the same suggestions based on a particular board arrangement.
For instance, in a game that opens with white moving the king’s pawn two spaces forward (e4 in algebraic notation), the software must always recommend the same set of countermoves. It might recommend the Sicilian Defence (c5) as the highest ranking move, followed by an open game as the top alternative (e5). By choosing c5, the correspondent would indicate a ‘0’ and by choosing e5 they would indicate a ‘1’. It is essential that both players have software that suggests the same moves based on a given board position. It is this deterministic behaviour that allows the communication system to work.
Sending a message
In order to send a message, it must first be converted into binary code. A simple way of doing this is to start with ASCII text and use an ASCII to binary converter. For example, we might wish to send the message “Your telephone has been tapped”. Converted into binary, this encodes as:
“010110010110111101110101011100100010000001110100011001010110110001100101011100000110100001101111011011100110010100100000011010000110000101110011001000000110001001100101011001010110111000100000011101000110000101110000011100000110010101100100”.
In order to send the message, it is simply necessary to look at the two top moves suggested by the chess-playing software. In the event that you want to transmit a ‘0’ then you should select the topmost move. In the event that you wish to transmit a ‘1’ use the second topmost move. Because the person who you are talking to will also be running the software, it will be immediately obvious to them which digit you intend to transmit. Because both of the top moves are likely to be reasonable chess moves, the game will look fairly ordinary to anyone intercepting the communication.
One option is to have each correspondent make moves in alternating fashion. In that way, each can send a message to the other simultaneously. Alternatively, one person can send a message while the other simply provides countermoves to maintain the impression of a game being played. Alternatively, a single player can transmit moves for both white and black. They could use each to encode a different message, or they could use both together for a single stream.
In order to send a long message, it would take quite a few chess games. There would also need to be a system in place for when there is only one legal move possible, or none at all. I suggest that whenever a situation arises where fewer than two legal moves exist, the ongoing game be abandoned by the resignation of one player and a new one be started.
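The scheme above, as an added example that is not part of the original post: one sender transmits moves for both sides as a single stream, and the receiver recovers each bit by recomputing the same ranking. No chess engine is used; `ranked_moves` is a hypothetical stand-in that derives a deterministic ranking from the move history and sometimes offers fewer than two moves, so the resign-and-restart rule is exercised.

```python
import hashlib

def ranked_moves(history):
    """Stand-in for the shared chess software (hypothetical): a deterministic,
    best-first list of candidate moves for the position reached by `history`."""
    digest = hashlib.sha256("/".join(history).encode()).digest()
    count = digest[0] % 5                      # 0 to 4 candidates per position
    return [f"mv{digest[i + 1]:02x}{i}" for i in range(count)]

def text_to_bits(text):
    return "".join(f"{byte:08b}" for byte in text.encode("ascii"))

def bits_to_text(bits):
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")

def encode(bits):
    """Turn a bit string into a transcript of moves and resignations."""
    transcript, game, history = [], 0, ["game0"]
    for bit in bits:
        while len(ranked_moves(history)) < 2:  # fewer than two moves: abandon game
            transcript.append("resign")
            game += 1
            history = [f"game{game}"]
        move = ranked_moves(history)[int(bit)]  # '0' = top move, '1' = second
        transcript.append(move)
        history.append(move)
    return transcript

def decode(transcript):
    """Recover the bit string by recomputing the ranking at every position."""
    bits, game, history = [], 0, ["game0"]
    for move in transcript:
        if move == "resign":
            game += 1
            history = [f"game{game}"]
            continue
        # Raises ValueError if the move is not one of the two ranked choices,
        # which means the two sides' rankings have diverged.
        bits.append(str(ranked_moves(history)[:2].index(move)))
        history.append(move)
    return "".join(bits)

if __name__ == "__main__":
    sent = encode(text_to_bits("Your telephone has been tapped"))
    print(len(sent), "transcript entries")
    print(bits_to_text(decode(sent)))
```

If the two sides' rankings differ at any position (a different software version or setting), that bit and everything after it decodes incorrectly or fails, which is why identical, deterministic software is a hard requirement.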
Automation
The whole thing could be set up to run automatically – for instance, on cellular phones. You could put the text to be transmitted into an app and it could automatically query a database of chess moves. It could then transmit the appropriate move to a chess server which the other correspondent would be connected to. The rate of transmission could be automatically limited in order to maintain the illusion of a game of chess being played, or it could be allowed to run at a high speed in order to send messages quickly. In either case, the data being transmitted would consist of valid chess moves and the game being played would look fairly normal.
Super-encipherment
Naturally, it would also be possible to use an encryption algorithm to turn a plaintext message into a binary string. This could either be a symmetric key cipher with a key that the correspondents have agreed to beforehand, a public key system based on public and secret keys, or an online key exchange system like Diffie–Hellman. This would provide some protection against an attacker who realizes the chess games are being used to transmit a message.
Alternative mechanism
As an alternative to chess-playing software, each player could also look at one of the chess game analyzing websites that ranks moves by popularity. The most popular move could code for a ‘0’ while the second most popular move could code for a ‘1’. Over time, the popularity of moves in the database may change. This shouldn’t be a problem for communication happening in real time, and could be useful insofar as it would make it difficult for anyone trying to decipher the message later to do so.
Obviously, this system could be used for games other than chess. All that is necessary is that both players have access to the same ranking of moves, so that each move can be translated reliably into the appropriate binary digit and from there into plain text. In games where a fairly large number of moves are always possible, the system could be extended beyond binary and longer messages could be concealed in fewer games. For instance, if there were always ten possible ranked moves, each option could be used to convey a decimal digit between ‘0’ and ‘9’.
Instapaper and the Kindle
Instapaper and the Kindle make a good combination.
You can set up Instapaper to assemble a digest periodically from stories that you have identified as interesting. It will email that digest to Amazon’s free conversion service, Amazon will convert the file into a Kindle-friendly format, and the file will download via WiFi when it is ready.
I have it set to produce a daily digest, but the appropriate setting probably varies depending on how often you have time to read interesting but non-essential material.
One Instapaper tip: Always use the ‘Instapaper Text’ browser button before the ‘Read Later’ browser button. When I click the ‘Read Later’ button directly on websites, Firefox often crashes completely. When I click ‘Instapaper Text’ first, then ‘Read Later’, it almost never crashes.
Kindle Keyboard 3G: first impressions
I have had a Kindle Keyboard 3G for four days now and have read a couple of books and long essays off of it.
The device has a good shape and size, and the screen is pleasant to read from. It doesn’t work terribly well with unconverted PDF files, which is quite a pain since the main reason I got it was to read thesis sources with. That being said, you can use Amazon’s free PDF conversion service for files under 50 megabytes. The converted files get delivered to your Kindle via WiFi. Unconverted PDF files load very slowly and clunkily, and sometimes cause the device to freeze up. All told, the interface of the device tends to be frustratingly slow. Even highlighting a passage of plain text can be a patience-trying task. Often, interacting with the Kindle consists of pressing a button and then waiting 5-15 seconds for it to have an effect.
The built-in web browser is poor, but good enough to let you use the free WiFi at Starbucks by clicking the button to accept the terms and conditions. One nice connectivity feature is that you can select a passage, write a short comment on it, and post the whole thing to Twitter. This is available by WiFi only, not over the 3G connection. I also like how the Kindle automatically collects all the passages you highlight in all documents into a single ‘clippings’ file.
The keyboard is tolerable for writing short notes, but you certainly wouldn’t want to write an essay or email on it.
All told, the Kindle is a pleasant and effective way to read plain text files and other properly-formatted documents. It isn’t great as a PDF reader, though perhaps future versions will be better in that way. One thing to be aware of is that – in my experience – the claimed battery life of the Kindle is a vast distortion. Amazon says that it will be good for 1-2 months, based on 30 minutes of reading per day and no wireless connectivity. I have found that I use about 1/3 of the battery every day. Admittedly, I have been using it for a lot more than half an hour. Still, my own use suggests that the battery lasts for about 10-15 hours with wireless turned off, which is better than a laptop or iPad but not sufficient to let you travel without worrying about finding places to charge.