Dealing with some MediaWiki malware

I am not sure how it happened, but somebody (or some robot) managed to insert some malicious code into my wiki. Random people were receiving emails with links to URLs within the wiki and when they followed the links, they were redirected to malicious pages.

The URLs within the wiki resembled these:

  • sindark.com/wiki/images/thumb/c/c4/Labelled_overview.png/kmdlss.html?dhe=fh.dhplh&zazssr=fe.dh&ahf=jgtf
  • sindark.com/wiki/images/thumb/c/c4/Labelled_overview.png/kmdlss.html?er=edo.dhega&rdpy=fm.eza&zso=fbcb
  • sindark.com/wiki/images/thumb/c/c4/Labelled_overview.png/kmdlss.html?vbh=egr.mdjgp&fvsa=fm.dhr&rdvh=ufrv

I removed the whole Labelled_overview.png folder, which it shouldn’t have been possible for a wiki user to upload, given that I had my wiki set up to only allow logged-in users to make edits. In addition to removing the folder, I have also updated MediaWiki to the newest version. I have also set up DreamHost’s system for automatically updating MediaWiki when new versions are released, though that risks breaking extensions that are not compatible with the new software and possibly causing other problems.

I still don’t know how the malware got introduced (perhaps through a vulnerability in an old version of MediaWiki or one of my extensions), so I am keeping the whole wiki inaccessible for now.

My apologies to anyone who followed one of the malicious links.

The whole incident shows one of the annoying things about the internet. Whenever you set up a content management system like WordPress or MediaWiki, you have to be aware that there will be efforts to compromise it. As such, you need to keep it well-updated and keep an eye out for malicious activity. You can’t just set it up and forget about it.

Free speech online

The internet is one of the places where people in free societies get to exercise their right to free speech. It’s also a place where a lot of private communication takes place, and where the protection of the right to privacy is a constant struggle.

For those reasons, I suggest people consider joining groups that work to protect our rights as citizens online, like the Electronic Frontier Foundation.

Also, remember that the only way to preserve rights is to use them. Make use of your right to engage in political speech online (maybe a little anonymity too).

Third rule of the internet

Following up on rules one and two, it seems appropriate to add a third: “You should probably worry more about being attacked online by your own government than by any other organization”.

This is really an extension of the point about how governments are more dangerous than terrorists and how institutions of armed power need oversight.

Based on the open source intelligence available, we have to assume that governments all over the world are constantly monitoring the activity of their citizens online, for reasons both reasonably benign and exceedingly nefarious. It is worth remembering that even if the official purpose of a surveillance program is acceptable, it can be abused by anyone who gains access to it for purposes that may be very dubious. Hackers and rogue government agents are well positioned to use internet surveillance to rob or blackmail people, for instance. It is also worth remembering that data is not only being monitored in real time; it is also being archived for unknown future purposes.

Tools for privacy

Thankfully, we do have some tools to make this ubiquitous surveillance more difficult to carry out. You probably cannot encrypt your hard drive well enough to protect the contents if government agents grab it, but you can encrypt your online communications sufficiently well to make it at least challenging to decrypt them. The more people streaming gigabytes of data via encrypted HTTPS connections, the less feasible it is to archive and crack internet traffic taken all in all.

You can also use tools like Tor. People should be willing to assert their right to anonymous communication.

Concept for a secret communication system

What you need

In order to use this system you will need two computers (which could include phones or other devices) with the same chess-playing software installed on them. The software must always suggest at least two moves for any given board position, and it must always produce the same suggestions based on a particular board arrangement.

For instance, in a game that opens with white moving the king’s pawn two spaces forward (e4 in algebraic notation), the software must always recommend the same set of countermoves. It might recommend the Sicilian Defence (c5) as the highest ranking move, followed by an open game as the top alternative (e5). By choosing c5, the correspondent would indicate a ‘0’ and by choosing e5 they would indicate a ‘1’. It is essential that both players have software that suggests the same moves based on a given board position. It is this determined character that allows the communication system to work.

Sending a message

In order to send a message, it must first be converted into binary code. A simple way of doing this is to start with ASCII text and use an ASCII to binary converter. For example, we might wish to send the message “Your telephone has been tapped”. Converted into binary, this encodes as:

“010110010110111101110101011100100010000001110100011001010110110001100101011100000110100001101111011011100110010100100000011010000110000101110011001000000110001001100101011001010110111000100000011101000110000101110000011100000110010101100100”.

In order to send the message, it is simply necessary to look at the two top moves suggested by the chess-playing software. In the event that you want to transmit a ‘0’ then you should select the topmost move. In the event that you wish to transmit a ‘1’ use the second topmost move. Because the person who you are talking to will also be running the software, it will be immediately obvious to them which digit you intend to transmit. Because both of the top moves are likely to be reasonable chess moves, the game will look fairly ordinary to anyone intercepting the communication.

One option is to have each correspondent make moves in alternating fashion. In that way, each can send a message to the other simultaneously. Alternatively, one person can send a message while the other simply provides countermoves to maintain the impression of a game being played. Alternatively, a single player can transmit moves for both white and black. They could use each to encode a different message, or they could use both together for a single stream.

In order to send a long message, it would take quite a few chess games. There would also need to be a system in place for when there is only one legal move possible, or none at all. I suggest that whenever a situation arises where fewer than two legal moves exist, the ongoing game be abandoned by the resignation of one player and a new one be started.
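The encoding and decoding steps above, including the resign-and-restart rule, as an added example that is not part of the original post. The `ranked_moves` function is a hypothetical stand-in for the shared chess software: it is not a chess engine, only a deterministic ranking that both sides can reproduce, and its move names are constructed.

```python
import hashlib

def ranked_moves(history):
    """Hypothetical stand-in for the shared chess software: returns the same
    ordered suggestions for the same position (here, the move history)."""
    if not history:
        return ["e4", "d4", "c4"]  # constructed: a new game always offers choices
    digest = hashlib.sha256(" ".join(history).encode()).digest()
    count = digest[0] % 6  # 0 or 1 models a position with fewer than two moves
    return [f"m{i}{digest[i + 1]:02x}" for i in range(count)]

def text_to_bits(text):
    return "".join(f"{byte:08b}" for byte in text.encode("ascii"))

def bits_to_text(bits):
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")

def encode(message):
    """Sender: play the top move for '0', the second move for '1'."""
    transcript, history = [], []
    for bit in text_to_bits(message):
        if len(ranked_moves(history)) < 2:
            transcript.append("resign")  # abandon the game, start a new one
            history = []
        move = ranked_moves(history)[int(bit)]
        transcript.append(move)
        history.append(move)
    return transcript

def decode(transcript):
    """Receiver: replay the games and read each move's rank as a bit."""
    bits, history = [], []
    for move in transcript:
        if move == "resign":
            history = []
            continue
        top_two = ranked_moves(history)[:2]
        if move not in top_two:
            raise ValueError(f"{move!r} is not one of the two ranked moves")
        bits.append(str(top_two.index(move)))
        history.append(move)
    return bits_to_text("".join(bits))

if __name__ == "__main__":
    moves = encode("Your telephone has been tapped")
    print(len(moves), "moves,", moves.count("resign"), "resignations")
    print(decode(moves))
```

The `ValueError` in `decode` is what happens when the two sides' rankings disagree, which is why the post insists that both copies of the software produce identical suggestions.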

Automation

The whole thing could be set up to run automatically – for instance, on cellular phones. You could put the text to be transmitted into an app and it could automatically query a database of chess moves. It could then transmit the appropriate move to a chess server which the other correspondent would be connected to. The rate of transmission could be automatically limited in order to maintain the illusion of a game of chess being played, or it could be allowed to run at a high speed in order to send messages quickly. In either case, the data being transmitted would consist of valid chess moves and the game being played would look fairly normal.

Super-encipherment

Naturally, it would also be possible to use an encryption algorithm to turn a plaintext message into a binary string. This could either be a symmetric key cipher with a key that the correspondents have agreed to beforehand, a public key system based on public and secret keys, or an online key exchange system like Diffie–Hellman. This would provide some protection against an attacker who realizes the chess games are being used to transmit a message.

Alternative mechanism

As an alternative to chess-playing software, each player could also look at one of the chess game analyzing websites that ranks moves by popularity. The most popular move could code for a ‘0’ while the second most popular move could code for a ‘1’. Over time, the popularity of moves in the database may change. This shouldn’t be a problem for communication happening in real time, and could be useful insofar as it would make it difficult for anyone trying to decipher the message later to do so.

Obviously, this system could be used for games other than chess. All that is necessary is that both players have access to the same ranking of moves, so that each move can be translated reliably into the appropriate binary digit and from there into plain text. In games where a fairly large number of moves are always possible, the system could be extended beyond binary and longer messages could be concealed in fewer games. For instance, if there were always ten possible ranked moves, each option could be used to convey a decimal digit between ‘0’ and ‘9’.

Instapaper and the Kindle

Instapaper and the Kindle make a good combination.

You can set up Instapaper to assemble a digest periodically from stories that you have identified as interesting. It will email that digest to Amazon’s free conversion service, Amazon will convert the file into a Kindle-friendly format, and the file will download via WiFi when it is ready.

I have it set to produce a daily digest, but the appropriate setting probably varies depending on how often you have time to read interesting but non-essential material.

One Instapaper tip: Always use the ‘Instapaper Text’ browser button before the ‘Read Later’ browser button. When I click the ‘Read Later’ button directly on websites, Firefox often crashes completely. When I click ‘Instapaper Text’ first, then ‘Read Later’, it almost never crashes.

Kindle Keyboard 3G: first impressions

I have had a Kindle Keyboard 3G for four days now and have read a couple of books and long essays off of it.

The device has a good shape and size, and the screen is pleasant to read from. It doesn’t work terribly well with unconverted PDF files, which is quite a pain since the main reason I got it was to read thesis sources with. That being said, you can use Amazon’s free PDF conversion service for files under 50 megabytes. The converted files get delivered to your Kindle via WiFi. Unconverted PDF files load very slowly and clunkily, and sometimes cause the device to freeze up. All told, the interface of the device tends to be frustratingly slow. Even highlighting a passage of plain text can be a patience-trying task. Often, interacting with the Kindle consists of pressing a button and then waiting 5-15 seconds for it to have an effect.

The built-in web browser is poor, but good enough to let you use the free WiFi at Starbucks by clicking the button to accept the terms and conditions. One nice connectivity feature is that you can select a passage, write a short comment on it, and post the whole thing to Twitter. This is available by WiFi only, not over the 3G connection. I also like how the Kindle automatically collects all the passages you highlight in all documents into a single ‘clippings’ file.

The keyboard is tolerable for writing short notes, but you certainly wouldn’t want to write an essay or email on it.

All told, the Kindle is a pleasant and effective way to read plain text files and other properly-formatted documents. It isn’t great as a PDF reader, though perhaps future versions will be better in that way. One thing to be aware of is that – in my experience – the claimed battery life of the Kindle is a vast distortion. Amazon says that it will be good for 1-2 months, based on 30 minutes of reading per day and no wireless connectivity. I have found that I use about 1/3 of the battery every day. Admittedly, I have been using it for a lot more than half an hour. Still, my own use suggests that the battery lasts for about 10-15 hours with wireless turned off, which is better than a laptop or iPad but not sufficient to let you travel without worrying about finding places to charge.

Thinking of leaving GMail

I am thinking seriously about leaving GMail, despite how the email service itself has been extremely valuable to me. This is because of the following:

1) Irritating interface changes

GMail now has two interfaces. There is a maddening ‘modern’ interface that is full of elements that change shapes and sizes annoyingly. Anywhere you might enter text is likely to annoy you with pop-up ‘autocomplete’ suggestions and the chat system built into GMail has been rendered too annoying to use by integrating it into a left sidebar where elements change shape and size for no good reason.

The ‘Invite a friend’ element in the left toolbar breaks all the rules of good design. It’s a button that serves the purposes of Google, not the user. It is prominently placed even though it is never used. Worst of all, it moves and changes shape when you put the cursor near it. I wish I had some kind of supernatural geekish power to blast it out of existence, and yet it is always there annoying me, taking up space, and being a source of distraction.

I want an interface where things stay still! And where I am not being constantly distracted from the thinking I am trying to do.

There is still a ‘basic HTML’ interface, but some of its behaviours are even more annoying. It will still autocomplete email addresses, for instance, but it doesn’t use my whole contact list. It seems to be a random subset of the much-lesser-used contacts within that list. It is also very awkward to file emails into labels using the basic interface, and to deal with archiving messages.

2) Pimping Google+

I hate Google+ and I will never join. Despite that, Google is constantly trying to force me to join or trick me into joining. In the top left corner of both the GMail web interface and the mobile interface there is always a link to join Google+. I frequently click it accidentally, and that simple accidental act has sometimes caused Google to actually create a Google+ account for me, which I then had to delete.

I wish there was a ‘Never tell me about Google+ again’ button somewhere within Google’s settings. I could click it once and stop being annoyed several times a day by solicitations from the unwanted service.

3) I trust Google less and less with my data

I have written before about how sensitive some of the data held by Google is. “Don’t be evil” is a basic standard they need to meet – not a lofty goal for which they should be praised.

It’s not especially clear to me that Google is living up to its own standards. Even if they are, telecommunications law in Canada and the United States seems to have developed rather perversely in recent years, with governments submitting illegal requests to perform unwarranted searches on personal information and large telecommunication companies complying in secret.

Google probably isn’t unusual in terms of the degree to which it complies with such requests, but it is unusual in terms of the vastness of the dataset they have on users. Potentially, this includes everything from their physical location history (Google Latitude) to their web search history to every email they have sent or received since joining GMail.

Using Google’s services involves putting a lot of sensitive eggs into a basket that may not be especially well protected.

Alfa AWUS036H external WiFi adapter

Since I am dependent on WiFi for internet access at the moment, I ordered an Alfa AWUS036H external WiFi adapter. It should get better reception than the internal antenna in my iMac. It also runs on openly documented drivers, so it can be used with some software that Apple WiFi hardware cannot.

I will post a review once I have had the chance to use it for a while.

Suggest a thesis source

As with my M.Phil thesis, I plan on using various technological tools to help with the creation of my doctoral thesis.

Here’s a simple one I am trying: a web form that allows people to suggest thesis sources.

If you come across something that you think would be interesting and useful to me, please put the details in the form and submit it. Google Docs will automatically compile the responses into a spreadsheet for me.

If you have suggestions about how the form could be improved, let me know through the ‘Notes’ field or leave a comment here.

Software defined radio

Software defined radio (SDR) is one of the things I am most curious about. There is just so much data being exchanged via radio these days. It’s strange to think about the constant complex pattern of broadcasting happening all around us.

This video gives a bit of a taste of what is happening in one part of the world and across a fairly narrow range of frequencies:

It’s pretty cool that he is able to identify and analyze Chinese over-the-horizon RADAR. It shows some of the possibilities SDR opens up for hobbyists.

Much of the hardware required to seriously experiment with SDR is expensive. Interestingly, though, someone has figured out how to do the job for the 64-1700MHz frequency band using an $11 digital TV tuner chip.

You could do some very cool stuff with this: set up your own infrastructure-independent computer networks, explore what sort of communication is happening around you, conduct intrusion detection (looking for interception devices broadcasting), and experiment with the security of your hardware, such as the Bluetooth chips in your phone and laptop.