You are currently browsing the archives for the security category

The Internet in Bangladesh – Corruption, Control and Death

May 7, 2013 Just Interesting / security
No comments

The level of internet usage in Bangladesh has risen dramatically in the last year or so. In fact latest figures now suggest that over 31 million citizens now have some sort of internet connection, in fact the level has risen over 15% in the last nine months. Even given the dramatic figures usually quoted with anything to with the internet – these are pretty impressive. However anyone hoping that this is going to open up a brave new world of communication, opportunity and free expression in Bangladesh is going to be rather disappointed.

The country is not in a good place, corruption is rife, millions live in abject poverty and incidents like the collapse of the clothing factory which killed hundreds are all too common albeit on a smaller scale. Given the many problems the country face – you’d expect that people would be protesting, but perhaps about something other than calling for the death of certain bloggers.

This is what happened in Dhaka last week – thousands took to the streets calling for the execution of bloggers deemed blasphemous against Islam.

Protests in Bangladesh

Depressing isn’t it? Journalists who tried to cover the protests were attacked for various reasons. One woman reporter was attacked and beaten by the protesters who deemed that being a journalist was an unfit profession for a woman. Several bloggers have already been attacked by fundamentalists and indeed one brave young man – Ahmed Rajib Haider was brutally killed by a gang armed with machetes.

The prospects of any sort of freedom or tolerance are looking bleak in this country. The Bangladesh Telecommunication Regulatory Commission (BTRC) are investigating advanced content filtering systems which would be used to block such sites which are morally inappropriate or contain material which is harmful to national unity or religious beliefs. Which in a country as corrupt as Bangladesh means they are going to block whatever they want.

It’s not stopping there though, the Bangladesh Government have already released their own custom search engine called – Piplika which will probably end up being the only allowed search engine. It’s a fantastic place to get a wide array of search results though – try it here. Here’s what you get if you search for sites on information on poor Ahmed Rajib Haider –

A Crap Search Engine

Notice how all the search results point to different articles on the same site – the first two pages of results are all the same – the Bangladeshi newspaper The Daily Sun. You won’t be surprised to hear that the Daily Sun is apparently more of a propaganda tool for the ruling party (the Awami League) than a real newspaper.

It’s a bleak prospect for the country, bloggers are scared to blog, journalists being attacked and intimidated if they speak out and the BTRC already ordering thousands of posts to be removed from websites and blogs deemed to be insulting to Islam.

If any bloggers in Bangladesh need some security and a way to bypass these filters the kind people at Identity Cloaker have given me a few free subscriptions which I’m happy to send out.

National Governments that Censor the Internet

January 15, 2013 privacy / security / technology
No comments

According to Wikipedia, the term “internet censorship” is defined as “the control or suppression of the publishing of, or access to, information on the Internet.” Internet censorship is implemented by national governments or private organizations – delegated by governmental influences – for several reasons, with emphasis on: religion, moral issues and unlawful business schemes.

Enemies of the Internet List

Reporters without Borders (or “RWB”) is a French, non-profit organization that advocates freedom of information and press. This organization has compiled a list of countries that are deemed “Internet enemies” due to their methods of cyber censorship. The flagged nations are: Armenia, Bahrain, Belarus, Burma, People’s Republic of China, Cuba, Iran, North Korea, Saudi Arabia, Syria, Turkmenistan, Uzbekistan and Vietnam.

In 2009, Belarus was added to the “Enemies of the Internet” list, was subsequently removed, and was added again in 2012. In 2011, Egypt was added to the “Enemies of the Internet” list. In 2012, Tunisia was added to the list after being removed in 2011. Egypt was also removed in 2011 and was added again in 2012. The small kingdom of Bahrain was also added to the list in 2012.

Countries under Surveillance

The RWB further compiled an “Under Surveillance” list. Nations under this category are considered to give cause for concern about the possibility of increased Internet censorship. The current list spans the following countries: Australia, Egypt, Eritrea, France, India, Kazakhstan, Malaysia, Russia, South Korea, Sri Lanka, Thailand, Tunisia, Turkey and the United Arab Emirates.

The “Countries under Surveillance” list, introduced in 2008, listed 10 nations which used surveillance on users’ Internet activities or otherwise impeded people’s rights, without blocking massive amounts of information. Between 2008 and 2012 the number of countries listed grew to 16 but subsequently fell to 14. Jordan in 2009, Tajikistan in 2009, and Yemen in 2010 were dropped from the list.

Australia in 2009, France in 2011, Russia in 2010, South Korea in 2009, Turkey in 2010 were added.

Bahrain, Eritrea, Malaysia, and Sri Lanka dropped from the list in 2010, but were added again in
2011. Libya dropped from the list in 2009, added again in 2011, and then dropped in 2012. Venezuela was added in 2011 and then dropped in 2012.

Internet Freedom Setbacks

Azerbaijan, Libya, Malaysia, Pakistan, Rwanda, Russia, and Sri Lanka are seven nations that are at particular risk of suffering Internet freedom setbacks in 2013.  These nations are relatively free of government interference and censorship on the Internet for their citizens; however, they also maintain separate governments either known to be: a) repressive of freedom of the press in traditional forms of media, or b) they have recently introduced laws that significantly affect online freedoms of expression in negative ways for their citizens.

There are two ways to address internet censorship. The first is to change an IP address to an address under a non-censored nation.  The second is to access a search engine website that acts as a host by displaying all results through their site. Governmental censorship reduces freedom of expression, while simultaneously revoking basic, human rights. For more information on this cyber suppressive trend, refer to the Internet Censorship infographic found below.

internet censors

 

Source: http://en.wikipedia.org/wiki/Internet_censorship

Source: http://en.wikipedia.org/wiki/Internet_censorship_by_country
Source: http://march12.rsf.org/i/Report_EnemiesoftheInternet_2012.pdf

An Introduction to SSL

July 3, 2012 security / Uncategorized
No comments

Now I’m sure we’ve all bought something online or done a bit of internet banking.  If you have you’ve probably noticed that little lock picture in the corner of your browser somewhere.But I wonder how many people know what it means and what that little lock signifies.  Well if you’ve ever wondered, then let me explain some of the basics behind SSL and exactly how it works.

To begin with – SSL actually stands for Secure Socket Layer.  It was developed in the Mid-90s by a company called Netscape.  They owned a popular browser of the time called Navigator which was actually the first browser to allow secure and safe ecommerce functionality.  Up to then it was rather a large drawback that your communications should be spied on with the minimum of fuss.  Often it wouldn’t matter but if you were transmitting a credit or debit card number or some other confidential information – then you were risking a lot.

Netscape were well aware of this and what they designed was a new protocol.   That is a way for two different computers to talk to each other, however this protocol was different – the communication was encrypted in transit so they couldn’t be read by anyone.  Making the communication secure and ensuring that whatever information that was transmitted was safe. This was especially important due to the distributed design of the internet – your data could pass through hundreds of hops before it reached it’s destination. Without encryption anyone could just sit on a European, US or UK proxy server and analyse your data.

This works by the owner of the web server, obtaining something called a digital certificate from a company known as a Certification Authority or CA for short. Every certificate is unique and is linked to the company who issued it, this link eventually leads to the Root CA.

So each browser has access to a list of these CAs which are considered safe and secure.   So when you make a secure connection to a web site that owns a digital certificate, your own browser will look up the chain of command and check the validity of each certificate.  If the browser goes all the way back to the Root CA and still doesn’t find the certificate listed then you’ll get a warning that the certificate is not a trusted one.

Public Key Exchange

When a certificate is not trusted then you won’t know for sure if the information listed e.g. company name, address etc is valid.   Trusted Certificate Authorities (CAs) verify all the business and contact information for you. However even if the certificate is not trusted and the contact information unverified, at least the traffic from your browser to the web server is secured.

The next stage after the browser has established the certificate’s trust or you confirm you’re willing to trust it anyway is for the two computers involved to exchange keys.
A ‘Key’ is just a very large number which is related mathematically to another number in a defined way.  The form in which these two numbers are chosen is quite complicated, in fact an explanation of the process involved is likely to start something like this -

Agree on a finite cyclic group G with a generating element g in G.”

Unless you’re very interested in the cryptography behind these calculations, it’s probably just to consider it ‘magic’!

Each of the computers will create it’s own set of two keys.  Because of the special relationship of these two keys, any data encrypted with one key can only be decrypted by the other key.  One key is kept as a secret whilst the second is sent to the other machine.   After these keys are exchanged, each of the machines uses it’s own secret key and the key sent by the other machine to encrypt all data communicated between them.The same process is repeated at the second machine, which will decrypt using the two keys it has.

Remember the keys will only work to decrypt data which has been encrypted with the matching keys.  Each machine knows that the message came from the known source and was only intended for this machine.This effectively secures the data and ensures it cannot be intercepted.

Hope that clarifies a little – if it didn’t well I tried !

 

 

Internet Monitoring – UK Snooping Plans

June 14, 2012 security / technology
No comments

The UK Government have decided to take some lessons from the likes of China, Iran and Syria and started implementing increased internet surveillance. It often seems to happen when Governments are having a tough time they roll out the ‘tough on terrorism’ plans and start telling us how it will catch criminals and keep us safe.   After all it sounds good and is easy to implement – even though for the most part it’s completely pointless.

Under these plans, Police, the Government and intelligence agencies will be able to access data on all phone calls, emails, internet useage. They will be able to read through your web mail, Facebook messages, Linkedin posts, forums and gaming boards – just about anything you do electronically will be accessible to these people.

The Metropolitan Police Commissioner says -

Put simply, the police need access to this information to keep up with the criminals who bring so much harm to victims and our society.

Sigh……

What they will have is data and information on people who are doing nothing wrong. The criminals will be using SSH encryption, VPNs, secure proxies or they will simply just use other peoples Wifi connections. The only criminals you’ll catch by this incredibly intrusive internet snooping is thick ones who you should have caught anyway.


For instance I’m quite a careful driver however I live in an area where the Police force seems to have one single aim in life to catch people who exceed speed limits by three miles an hour. As such I have quite a few penalty points on my license which I’m not altogether happy with.

However I know several speed obsessed, thrill seekers who drive like they are on the Le Mons racetrack who have absolutely no points at all. Do you know why – it’s because they all have Warning systems and Radar detectors things in their cars. As such the only speeders that get caught are dozy ones like me who occasionally drift over the limit by a tiny amount.

This is the reality – and in this case too there are lots of easy ways to avoid this surveillance.

All this rubbish about a ‘Total War on Crime’ is just an excuse to further erode our privacy and civil liberties.  For example if I use Identity Cloaker then nobody will be able to see anything I do online, my data is encrypted and all the logs will just contain my fake IP address from the Identity Cloaker proxy server that I use. The logs on those are deleted almost instantly so that makes me just about invisible online.

So what’s to stop a terrorist using any one of these security systems ?

Nothing which is why the British Government will be left spying on ordinary people. That’s going to win the war on crime isn’t it?  Of course if you snoop on enough people for long enough I’m sure you’ll catch some people doing something illegal. But is it worth the cost, are we really expected to believe that this data won’t be routinely accessed to build profiles of individuals.

At the moment, the police can access this information anyway, however they need a warrant from a judge. Of course a judge isn’t going to issue these on the basis of ad hoc requests and idle snooping – which is exactly the way it should be.

We all know these powers will be abused, even if the police and intelligence services only exercise these rights in extreme cases (yeah right) – you can be certain that databases will be hacked, logs left on trains or USB sticks dropped in taxis.  All the time the criminals will be not remotely be worried as they will be the only ones not being monitored.

Bye, Bye Scroogle – We’ll Miss You!

February 25, 2012 security
No comments

Yep  Scroogle has gone alas,  it had a purpose, it was useful and the owner had an attitude.   To be honest it doesn’t come as a big surprise, for the last few weeks it’s been pretty much unusable for a variety of reasons.

A few days ago the owner Daniel Brandt announced  -

“Scroogle.org is gone forever,”

You might thing what a drama queen, or perhaps so f**kin what – but it’s kind of a sad day for all of us with a brain.

But first perhaps we should say what Scroogle actually was – and that is simply a proxy for the Google search engine.  Instead of all your queries being logged, recorded and monitored in order to build up some sort of creepy online profile of you – Scroogle acted as a man in the middle. It was a like a trusted friend who wouldn’t make judgement, wouldn’t log the request for future gains and certainly wouldn’t sell your profile to Tesco to add to their Clubcard profiles (note to US readers – this makes no sense to you)

So if you wanted to search for ‘pornographic pictures of sexy ladies dressed up as members of the Stasi’ , then your East German security fetishes would be strictly private, meaning Google wouldn’t have made a little addition to your online search profile.

Which meant you had a little more privacy, your every internet searching whim was not added to a online profile or buyer’s list held by some bunch of corporate tossers. So for this to Daniel – I say thanks and am very sorry to see him go. Now the reasons for the end of Scroogle where apparently due to two main reasons,

  • Google throttling Requests
  • Many DDOS attacks on the site.

Now both are equally feasible and apparently both were happening.  Scroogle has been around for nearly ten years which is a long time in Internet years and Google could have closed it down at any point.   They have always limited the number of search requests from a single IP address  - so Scroogle would have tripped this many times with only about 6 servers and a limited number of IP addresses.   So did the Google guys finally have enough and tighten the screw?   I’m not sure, it’s not great publicity for them if they did and the impact on their profits were certainly negligible – but this requires further research !

The other problem which hastened the demise much more quickly was the increasing number of DDOS attacks.  These are just blunt attacks designed to bring servers to their knees,  easily orchestrated either with minimal technical knowledge or a few bucks to spend.  Daniel Brandt apparently was very outspoken and frequently upset people so he’d probably made a lot of enemies.  It’s a sad blow though, again showing that cyber bullies exist on all sides of the divide – the fact is you can use a DDOS attack on any web server in existence.  It’s the lead pipe of the cyber world, if you disagree with someone online you can just pay a few bucks to take out their web site/blog etc.

I don’t know who Daniel upset or why – but the loss of Scroogle is surely an own goal!!  I was going to rant further on this issue and put in a selection of secure search engines that still exist but I’ve suddenly discovered a rather full bottle of 10 year old Laphroaig whisky – if you’ve tasted it you know why I can’t concentrate now.   Adieu……………

 

PS

Will post up the list of secure search engines in my next post.

The Need For a Ninja Proxy

June 24, 2011 security
No comments

Protecting yourself online has never been so important.  The need to use common sense and adequate security and privacy tools is vital.   If you’ve come here looking to become an online ninja, surfing securely through the electronic ether well perhaps I can point you in the right direction.

But First the Danger

Finding any sort of anonymity is difficult online, you’re tracked and logged through your ISP, company firewalls, web sites you visit and a thousand other devices in between.

Your IP address can be tracked back to the very PC you’re sitting at and the logs stored and backed up in your ISP contain virtually everything you’ve done online for the last two years.

When I say everything, I’m not kidding – and yes it does include the fact that you watched the Kylie Minogue Agent Provocateur ad 6 times in a row last Friday when you came home from the bar.

Now the Inconvenience

Sometimes it’s not actually the paranoia (oh and yes they are watching you), but the inconvenience that drives people in search of a Ninja proxy to surf through.  This is down to the increasing pervasiveness of a system called geotargeting – I’ll add a better description of this but it’s basically the way that websites restrict what you can watch depending on your location.

You’ve probably seen it in action -

  • Want to watch BBC Iplayer but are not in UK – Sorry blocked by IP address
  • Catch up on some shows on Hulu while on holiday in France – Nope blocked by IP address
  • View the news on ABC whilst in Canada – Nope blocked by IP address again.

The real list is much, much longer – from accessing Youtube, just about any big media site, or if you’re unlucky to live in a country where it’s considered bad for you to access Facebook  - it’s likely you’re going to get blocked for not having the right IP address.

So people are fed up with being blocked, monitored, logged and basically having their online experience controlled and analysed – so they look online and read about ninja proxies.   What they find is loads of web pages called Ninja something or other and a basic install of a web proxy called Glype.  They will promise you all sorts of super, secret ninja surfing via their little browsing frame – but I’m afraid it’s not true.

Computer Admin Watching Someone Search Through a Ninja Proxy Site

The Truth About Ninja Proxies

Unfortunately that’s what the majority end up doing, searching in Google and finding some Ninja web site or something like that.  In the middle of the page their will be a little box inviting you to search via their site – something like this

Not Really Ninja At All!

Is it secure ?

In a word – No.

Well if you trust a complete stranger who has set up a free server, installed Glype and covered it in ads – to look after your data then of course it’s fine. It doesn’t bypass most firewalls, it certainly doesn’t give you anonymity – it does add many more risks to your browsing.

For those of us who prefer reality it’s a complete waste of time, all you are doing is funneling your data through another unknown, insecure point.  In some circumstance the setup may obscure your IP address slightly but that’s about it – you also be leaving yet another log of your activities on this guys server.

Don’t think you’ll be able to stream previously blocked video either like BBC Iplayer or Hulu because you can’t watch these through a little Iframe window and besides the servers are normally basic ones that would struggle to stream video to one person not the thousands who’ll probably be trying.

The real ninja proxy experience will obscure your IP address completely through an advanced network of high speed, highly secure servers across the planet.   It will be high speed and high performance allowing media streaming direct to your PC from wherever you are – so watch the BBC Iplayer or Hulu or any site you care to try.

It can be set to automatically switch your browsing data across to a different server across the globe every few minutes.

But finally it will also encrypt your data meaning that you really can be anonymous, your ISP logs included.  In fact  the only readable logs of your online existence are briefly on the secure servers and are deleted immediately.

You can find it here.