Category: technology

EU Change Forces iPlayer Rethink

There’s encouraging news that the European Union is going to be forcing the way forward in the market for digital services and one of the biggest impacts could be on the BBC iPlayer.   As you probably know the BBC iPlayer works wonderfully if you’re actually in the United Kingdom but stops working the moment you try and access it from anywhere else.  Which leads to the situation where a BBC license fee payer is blocked simply because they are outside the country,  so you can’t watch the News on holiday or keep up with your favorite soaps.

europe-558828_1280

Obviously there’s now a whole range of VPN and IP proxy products available to circumvent the blocks but should it really be necessary for a valid purchaser to use these just because they happen to be out of the country for whatever reason.

The BBC is not alone, virtually every large digital media company on the internet operates under similar restrictions.  You can’t watch Hulu or HBO from outside the USA, M6 Replay is blocked outside France and so on.  Even supposedly global digital companies do the same, your Netflix account will only work if you are in a country it which it operates,  certainly seems a nonsense in this digital world.

EU Proposals are designed to move towards a single European digital market with the idea that if you legally buy content in one country there should be no restrictions on accessing them in any other country.   Currently there are all sorts of restrictions on digital content usually fuelled by complex copyright rules and regulations.    However these could all be overruled if it became a new right for EU citizens that these digital products were portable across European boundaries.

As it stands it’s just a proposal, the planned implementation if it gains approval is 2017 however we might have to wait a little longer than that.  Firstly there are genuine concerns that some countries will not be keen to support this proposal, particularly those who like to protect their own culture and national media.

There are also some powerful and well funded lobby groups who feel that it is a fundamental right to be able to control production and distribution based on specific territories.  However of course, they would say that because it enables them to operate profit maximisation techniques by selling for different prices in European regions – certainly not the definition of a single market.

For the BBC there will also be some technical difficulties in implementing a system which allows license fee payers the rights to watch wherever they are in Europe, the current BBC iPlayer has no real authentication system like Netflix or Sky. It is likely that the changes required will take some time, perhaps even beyond the 2017 implementation proposal.

However at least there is hope on the horizon that we will genuinely be able to access digital content internationally without having to use a VPN or Smart DNS that we have legitimately bought, without having to pay individually in each country we want to access it from.

Lessons from the Internet of Things – Do you Trust Your Fridge?

The ‘Internet of Things‘ is one of the most discussed topics on technical forums at the moment. The idea that you can enable all sorts of devices with a network card and a bit of memory to attach it online obviously has many benefits. It reminds me of the excitement of the ‘Trojan Room Coffee Machine which was a live video stream of a coffee machine hooked up in Cambridge University, via MPLS and an Acorn Archimedes (remember them!) in 1993. Sure it was just a coffee machine, certainly the picture rarely changed – it was either full, empty or half empty – but the realisation that you could check on it in real time without leaving your chair was kind of exciting at the time. The web cam was switched off in 2001, but many of us can still recall checking that the geeks in Cambridge had enough coffee.

isyourfridge-spamming

Nowadays of course, our devices are increasingly network aware, printers were of course, the logical first piece of equipment to stick online, it saved having them hooked up to computers and people could use them remotely. However it didn’t take long for hackers to target the first network enabled printers to infiltrate networks, distribute malware or just muck about by sending huge print jobs to them.

A story has broken this week in the security press which adds a strange twist with the first reported Spam attack by a fridge. The report released by the security firm, Proofpoint claims that a fridge took part in sending 750,000 email messages in a wide bot enabled Spam attack. It’s actually a little late as there have been similar reports as early as 2013 of this new vocation of our kitchen appliances, however it’s still rather disturbing.

Many of us, will perhaps question the need for kitchen appliances to have access to the internet. I for one can happily live without my fridge tweeting me that I’m out of milk, in fact being nagged by my fridge doesn’t appeal at all!! Manufacturers will point to the fact that internet access will provide a host of other benefits like fault finding and notifying manufacturer of potential problems. Again, the old school method of the fridge simply stopping working seems more than adequate. Imagine getting a call from a Samsung customer representative who has just been notified that your fridge light is not working by your erm fridge. It’s an internet horror story and the benefits negligible at best and in reality pretty much pointless.

Enabling these devices means there’s another headache you are responsible for, you’ll need to configure your fridge to connect, ensure it’s got a strong password and it’s behaving itself online.  How do you connect to your fridge, could you compromise other logins, should you use a VPN to connect?  Coming down in the morning and finding your fridge cornered by the FBI might seem far fetched but it’s not as ridiculous as it might seem.   Using these devices in botnets to attack other machines, send out spam or as proxies to attack other machines is perfectly feasible and it’s actually happening now.

Network security on these enabled devices is normally an after thought, it’s often much easier to hack into a network enabled device than a laptop or computer.   For example how many people would log onto their fridge after purchase to change the default password – but if you’ve bought  a fancy internet enabled smart fridge it’s something you really should do.   Already hackers have demonstrated how to to steal your google login from a Samsung fridge, at this years DefCon conference.  The fridge ran a flawed implementation of  SSL which failed to check false certificates making it vulnerable to MiTM attacks.

This ‘internet of things’ basically sounds like a huge pain, introducing fairly pointless benefits at the cost of loads of hassle and vulnerabilities.  Of course for things like printers and using my Smart TV to access online entertainment then it makes sense.  However I for one will not be upgrading my fridge anytime soon.

Global Internet War – Chinese Great Cannon

We’ve all seen those scaremongering stories on mainstream media, about cyber wars and the internet becoming a battlefield.  Usually these are rather over the top,  however a story is breaking now which is making these seem much more of a reality.

The story starts with a web site called greatfire.org which provides news and information around Chinese censorship in general and the Great Firewall of China specifically.  It contains lots of information and links to VPN and proxy tools like Identity Cloaker which can be used to circumvent the Chinese firewall and surf without restrictions.
Now obviously sites like these are not very popular with the Chinese authorities and generally can be difficult to access directly (although the site is mirrored across several locations).  It comes as no great surprise that sites like these are routinely blocked, but what has happened next is a significant escalation by the Chinese authorities.

Unleash the Great Cannon 
cannon-308996_640

On the 16th March the greatfire servers came under a huge DDoS attack, 10 days later an open source developer’s site called github came under a similar attack.  Basically the sites experienced a huge surge in traffic which their servers were unable to cope with and simply fell over.

The origin of these attacks were from thousands of computers mainly from across Asia (although outside China).   The source were thousands of clients and some injected JS scripts from traffic which appeared to be destined for Baidu (the Chinese search engine).

At first it was unclear who was responsible for coordinating these attacks, until Citizen Lab, a group based in the University of Toronto, investigated the attacks and released this report.  It is from their hard work that we can see the real culprit behind these attacks.

Basically the Chinese have developed a system which can intercepting foreign unencrypted traffic destined for any location in China, then insert malicious javascript to attack any target they specify.  This offensive system has been dubbed as the Great Cannon of China and in this instance  performed this man in the middle attack on the two sites greatfire and github.  A large proportion of unencrypted traffic was intercepted and diverted to these sites in order to overwhelm them.

So just to explain, if you had perhaps used Baidu on the 16th March, your browser may have been involved in the attack completely without your knowledge.  The Chinese have developed a system which is able to leverage internet traffic to basically destroy any web site they wish for a limited time.

Of course those worried about a one sided war where the Chinese obliterate sections of the internet, should be aware that the UK and USA intelligence services have already developed and tested similar technology.  However for free speech and internet neutrality it’s an extremely worrying development.

Summary 

It’s an extremely aggressive and high profile attack, the report seems fairly conclusive that it was conducted by the Chinese state, with parts of the code from libraries identified from the Great Firewall and several confirmed locations on the firewall injecting the scripts.

The worry is that the Chinese will so openly inject malware into any inbound traffic and redirect it at any target it likes.   This man in the middle attack could easily be redirected at any target they wish. Although larger sites may be able to cope in the short term, effectively it could finish any web site without significant resources.  The bandwidth bill of greatfire.org shot up by tens of thousands of dollars during the attack, costs that most web owners wouldn’t be able to cope with.  In fact small sites could easily be subverted quickly and efficiently using these methods – read this post which records the demise of Tomaar.net, a Saudi Arabian discussion forum.

Technically there is an even more worrying possibility, in that any computer can potentially be compromised by simply visiting any Chinese website without encryption.  The code could be altered to identify specific computers (perhaps IP addresses used by foreign Government computers)  and then infect them directly rather than launching an attack on a third party.

The possibilities and threats are endless, so unless you want to be involved in an attack it’s probably not a wise move  to visit any Chinese (Non-HTTPS) based website without using encryption.  Although this can be difficult to identify with adverts and analytics often embedded into websites which you can’t see.

Commercial pressure will hopefully cause some damage to stop the Chinese attacks, internal pressure stopped the attack on Github as it’s a powerful resource used by many Chinese programmers.  It’s not going to do a great deal for any Chinese based internet commerce or technology company either, who wants to risk being directly involved in the crazed attacks of the Chinese State on free speech websites?

Superfish Vulnerability – Free Gift from Lenovo

This week saw some staggering news, which even now a couple of days later I still find hard to believe. It’s something you might expect happening in North Korea or China, but not here!

The hardware manufacturer Lenovo, who sell millions of laptops and PC all over the world has been installing an adware program called Superfish on all their new machines. That’s right, no longer do you have to worry about getting malware installed from visiting dodgy porn or torrent sites, just buy a Lenovo laptop and they’ll pre-install them for you.

So let’s just state that again –

A computer manufacturer called Lenovo is pre-installing adware on new computers.

It’s that incredible, I think it’s worth repeating. It doesn’t matter that it has a cute cartoony name like Superfish, this is an incredible abuse of trust powered simply by greed.

superfishThe adware installs adverts into your browsing which make Lenovo money everytime you click on them.  You know adware, the stuff we all hate and go to great lengths to avoid installing.

Lenovo justified themselves in pretending that these ‘MONEY MAKING ADVERTS’ were actually for the customer’s benefit – describing Superfish as advanced technology which helps customers find different products at lower prices using image analysing techniques. I’m sure everyone capable of operating a laptop is able to see through that pathetic justification.

Unfortunately it get’s worse, not only Superfish is happily inserting damn annoying adverts into your browsing but the method it uses is actually making your computer even more vulnerable.

Superfish inserts a self-signed root certificate onto your computer giving it the capacity to intercept all your HTTPS encrypted traffic

It’s called a Man in the Middle attack and it’s something I have demonstrated on this blog previously. But basically they’re intercepting even your secure traffic so that they can insert their money making adverts. They’re apparently using the same default certificate on every single machine which effectively compromises security on each of these. Each Lenovo machine which is affected basically has a pre-installed vulnerability waiting to be used by anyone who wants to intercept your traffic.

It’s truly incredible and it’s been allegedly going on since mid-2014 so who knows how many millions of machines are riddled with this program.

Here’s a tool from the security company Last Pass which checks if you are at risk – Superfish Checker.

Hopefully Lenovo suffer a huge commercial loss due to this incredibly greedy and sneaky act – I for one will never consider buying anything from this company ever again.

Saving Money with Google

I unfortunately have a reputation of being a bit careful with money. It’s not something I’ve deliberately cultivated or crave, indeed it’s simply been thrust upon me out of necessity. Anyway, the last few years I’ve abandoned all sense of being a relaxed, free spending individual and embraced penny pinching. So here’s a short tale which has saved me money and might help someone else. It sounds quite obvious, but it wasn’t to me initially so perhaps someone else will feel the same.

thrifty

I have foolishly promised my family a trip out to the US next year, as they’re complaining that they’d never been. So I was planning a trip to include New York, the awful sounding Disney parks and a few highlights from the West Coast. It is while researching the West Coast tours that I had my epiphany, trying to organise seeing a few sites in a limited time, without spending a small fortune. Of course, I started online and began to look for tours across the West Coast of America – here’s my first search page. google-holiday

 

Seems ok, but have you noticed something ? Please click to enlarge if you can’t read it properly, there’s a point to be made here.  I noticed it a few minutes after checking out some of the links, every one of the results where UK based travel companies.  To be more precise they were UK travel companies reselling tours of the West coast of America.  The majority of these tours were run by US companies, all resold through companies based in the UK.

So what’s wrong with this, you may ask?  Well my investigations continued and I discovered that all these services were much more expensive when bought through UK companies.  Which of course makes sense, they’ve got to mark up the price to include their profit margins.  Then the penny dropped, slowly and painfully my brain came up with the idea – why can’t I just search and book these tours directly with the companies that are running them?   We all know that the more people involved in the transaction, the more fingers in the pie and the higher the costs will be – so why not book direct?  The first stumbling block is actually finding them – Google deliberately directs you to suppliers local to you.  This is of course fine when you’re searching for plumbers and local tradesmen, but why bother if you want to book a trip with a company across the globe?

After all –

  • All these companies are on the internet.
  • An email from me will arrive in California as quickly as it will in Liverpool
  • There’s no language barrier.
  • It must be cheaper!

Makes sense, doesn’t it ?  So first let’s get Google to show us local suppliers from the West Coast of the US rather than travel agents reselling me the same thing.   My first thought was to use Identity Cloaker to open up a US VPN, which of course would then make me look as though I was in the US and show me the same results.   This will work but it’s not actually necessary as all you need to do is to stop Google redirecting you when you ask for the US version of Google – here’s the url you need, just add NCR (no country redirection) like this –

http://www.google.com/ncr

Without adding the NCR switch , Google will decide that you’re a confused muppet and redirect you to your local version of the search engine instead of the US one.  But if you use it you can search on google.com with US based results – like this (again click to enlarge):

westcoasttours-google-ncr

 

This time I get local companies, that is US companies local to the West Coast not ten miles from me.  When investigated, they are all much cheaper, all are happy to accept booking direct and are just as easy to deal with as the British companies.  In fact they’re a whole lot nicer than the UK companies to be honest.

In reality using a VPN actually works a little better than using the NCR switch as you still seem to get better localised results.  But using the switch is perfectly adequate for initial research.  In my instance I booked the exact same tour for my family with a US company and save about $1600 from the UK based price.

Ok so it’s only a small personal example, but it’s indicative of how the internet giants and search engines are controlling how we access the internet.  We are being funneled down a computer generated personalized and commercialized version of the internet.  The internet does get bigger by the day, but do you often find yourself on the same old web sites every day?  I certainly do, the internet is expanding whilst I seem to be constantly railroaded into the same old sites.

Step back and think of what you want to achieve online, it does help and can greatly expand the possibilities that the search engines will offer.