On (Internet) Privacy …

“You might not have anything to hide, my friend. But you have everything to protect”

Kevin Mitnick @kevinmitnick / Mikko Hypponen @mikko

Or, more bluntly put, by Jacob Applebaum @ioerror

“If you have nothing to hide, and therefore nothing to fear, hand me your phone and pull down your pants.”


On net neutrality and true-speak

In this day and age, when everyone strives for individuality, people are less individual than ever.

I believe that technology is neutral. It’s the utilization of the technology by people that makes it good or bad.

A bridge can be used to connect two countries or for one to invade the other; dynamite can be used to blow up enemies in a war or to dig a canal.

The Internet has the potential to connect people worldwide in real time; we can have virtual friendships across the globe, but we don't talk to our neighbors.

On the Internet you can always find your niche, someone else who thinks or believes the same things you do. And yet everyone now feels more isolated than ever.

With the revolution in mobile and portable technology we have the Internet in the palms of our hands, conveniently and immediately. People now walk around with their eyes fixed on their little screens, and with headphones isolating them (even more!) from the world. We now carry portable reality bubbles, where we see what we want to see, when we want to see it. Imagine a near future with augmented reality, and then with complete virtual reality.

Nevertheless, without net neutrality your service provider can choose what you see and how you see the Internet. Service providers are the pipes that deliver the content, but it is the content we choose, not the content they choose. Service providers should not prioritize certain content, nor slow down or censor content, according to their own priorities.

Service providers cannot become the Ministry of Truth, delivering true-speak and alt-history.

We should be free to access whatever we want over the Internet, the good, the bad and the ugly, not the "version" of the Internet that some corporation wants to impose on us.

#NetNeutrality

Heartbleed and Shellshock are a good thing.

In this Huffington Post article titled "Apple joins rush to fix Shellshock bug affecting the internet", it seems Apple users are panicking about how to patch their beloved, "more secure" computers against something they hardly understand. At the same time Apple says: keep calm, you are not affected as badly as you think you are.

For once, the joke (or bug) is on us Linux users. For those who don't remember, every version of Apple's OS X has a common root, BSD. BSD has always been the quirky cousin of Linux, and all of them belong to the Unix family tree. Bash (the Bourne Again Shell) is one of many implementations of a "shell", and BSD, like every Unix descendant, ships some kind of shell. OS X happens to ship Bash as its default shell, which is why it is affected.

Now, what is a shell? A shell is a command interpreter. It is what people used before the days of retina displays, graphical user interfaces and mice. In Windows terms, it's the command prompt. It is the way a user interacts with a computer by typing text commands on a black screen. I am old enough to remember an Internet driven by commands on green-over-black dumb Hayes VT-400 terminals.

"Shellshock", the bug that brings us here, is a bug that had been in the Bash implementation of the shell for about 25 years (it dates back to 1989). One of the things you want in a shell is the ability to define variables (text strings, numeric values, file names, or the return value of a program or process) and functions, and Bash lets a function be handed to a child shell through an environment variable whose value starts with "() {". The bug is that when Bash imported such a variable it did not stop at the end of the function body: whatever was appended after the closing brace was executed as a command, and that command can do anything, from listing the users defined on the computer to erasing its disks. In other words, whoever controls the value of an environment variable that reaches Bash can make it run commands that gather information about the computer or compromise its data. Bad enough that this can be triggered locally, but it can also be triggered remotely, from anywhere, whenever a network service copies attacker-supplied data into the environment and then starts a shell. The classic case is a web server running CGI scripts, which turns every HTTP request header into an HTTP_* environment variable before invoking the script; DHCP client hook scripts and SSH forced commands (via SSH_ORIGINAL_COMMAND) were hit the same way.

Most of the operating systems out there that descend from Unix (Linux, BSD, OS X) have shipped, or are shipping, patches for Bash to fix this vulnerability, and that is the easy part. There are millions of devices that make up the Internet itself: switches, routers, firewalls, load balancers, all the components that make the Internet work. All of those devices run some sort of operating system, most of them Unix descendants in their myriad implementations. Every one of those networked devices that ships Bash and lets untrusted input reach it is vulnerable and needs to be patched (devices whose only shell is BusyBox's ash are not affected by this particular bug, but you have to check rather than assume).
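The paragraphs above describe the mechanism (a function definition smuggled in through an environment variable, with a command appended after it) and the remote CGI path. The script below is an added example, not code from the original post: it shows how a CGI gateway turns a request header into an environment variable, exports a constructed malicious header the same way, and then probes whether the local `bash` still runs the appended command. The `User-Agent` value, the `SHELLSHOCK_MARKER` string and the assumption that a `bash` binary is on `PATH` are all mine; on a patched Bash the probe prints "patched" (Bash also logs "ignoring function definition attempt" on stderr, which the script discards).

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the Shellshock
# (CVE-2014-6271) mechanism the way a CGI gateway exposes it, and probe
# whether the local bash still executes the trailing command.

# A CGI gateway exports each request header as an environment variable:
# "User-Agent: ..." becomes HTTP_USER_AGENT (RFC 3875 naming: HTTP_ prefix,
# upper case, '-' replaced by '_'). This prints only that variable name.
cgi_env_name() {
  printf '%s' "$1" | sed 's/:.*//' | tr 'a-z' 'A-Z' | tr '-' '_' | sed 's/^/HTTP_/'
}

# Constructed sample request header (assumption, not a captured request):
# a bash function definition "() { :;}" followed by the command the
# attacker actually wants to run. A vulnerable bash parses the function
# while importing the environment and keeps executing what follows the
# closing brace.
ATTACK_HEADER='User-Agent: () { :;}; echo SHELLSHOCK_MARKER'

# Export the header exactly as a CGI gateway would and invoke bash the way
# a CGI handler would. Prints "vulnerable" (returns 0), "patched" (returns 1)
# or "no-bash" (returns 2). $1 optionally names the bash binary to test,
# which lets you check a freshly built bash before installing it.
shellshock_probe() {
  bash_bin="${1:-bash}"
  command -v "$bash_bin" >/dev/null 2>&1 || { echo "no-bash"; return 2; }
  name=$(cgi_env_name "$ATTACK_HEADER")   # HTTP_USER_AGENT
  value=${ATTACK_HEADER#*: }              # () { :;}; echo SHELLSHOCK_MARKER
  # A patched bash warns on stderr that it ignored the function definition;
  # all we care about is whether the smuggled command produced output.
  out=$(env "$name=$value" "$bash_bin" -c 'echo handler-ran' 2>/dev/null)
  case "$out" in
    *SHELLSHOCK_MARKER*) echo "vulnerable"; return 0 ;;
    *)                   echo "patched";    return 1 ;;
  esac
}

# Stand-alone run: print the verdict for the bash on PATH (or the one named
# as the first argument); rc holds the verdict code described above.
rc=0
shellshock_probe "$@" || rc=$?
```

Test the binary rather than trusting a version string: the first fix for CVE-2014-6271 was incomplete and follow-up CVEs (CVE-2014-7169 among them) needed further patches, so a box can report a "fixed" package and still fail a probe like this one.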

And why are "Heartbleed" and "Shellshock" a good thing? Because they level the playing field and make us aware that there is no immune operating system: all of them need to be checked, verified and corrected. Because an exposed vulnerability is better than an undocumented backdoor. Because open source code can be checked, verified and fixed by anyone with the knowledge, not hidden behind the closed doors and secrecy of a corporation.

But Apple users can sleep better tonight, knowing that there is a dedicated army of system and network administrators around the world, testing and patching and working while you sleep, to make sure that tomorrow you can read "The Huffington Post" securely on your tablet, sipping your espresso, in bed.

NSA ANT Shopping List

As per the latest in the Snowden saga, the NSA's ANT division (reportedly "Advanced Network Technology") has a catalogue of hardware implants, software and remote exploits for all kinds of devices, PCs, laptops and mobile phones, all custom made. Some even have prices.

http://leaksource.wordpress.com/2013/12/30/nsas-ant-division-catalog-of-exploits-for-nearly-every-major-software-hardware-firmware/

It's old information (@markrussinovich says 2009), but it gives an idea of the methods used to gather SIGINT.

Porn runs on Linux

Extracted from this article on the Internet.

(Debian) … host around 2% of the top 100,000 websites on the Internet. In other words, Wheezy’s release will interest large numbers of people and directly affect millions more (20% of Debian’s websites state their business as ‘Adult’).

According to Wikipedia, Apache runs 53% of web servers, followed by Microsoft at 17%.
Also according to Wikipedia, Unix/Linux runs 60% of servers and Microsoft the other 40%.
Therefore we can assume that most Apache installations run natively on Linux.

If 20% of Debian-hosted websites state their business as "Adult", I think we can translate the numbers to say that 20% of all Linux web hosts are "Adult".

That is a lot of servers, hosting a lot of "Adult" content.

Ergo, Linux is used to reliably host critical core services across the enterprise, and porn.

Linux offers a vital service to humankind.


Clicktivism is not activism

Kony 2012, the Internet campaign by the NGO Invisible Children to spread the word about the atrocities of Joseph Kony (a fugitive war criminal indicted by the International Criminal Court) and eventually get him captured, is the latest example of the virality and vacuity of campaigns that use social networks.

The Internet is perhaps the most effective and cheapest medium for disseminating information and raising interest in a cause, but perhaps the worst for generating real activism. Most people simply watch the video, link it on Twitter or Facebook, click "Like" and then "Share", and that's it. Nothing more; it is just another short-lived tweet. With two clicks and a bit of mouse work you have taken part in the cause, you already consider yourself an activist, you have spread the idea, but little more than that.

What good does it do a child soldier in Congo or Colombia, or anywhere else, that an NGO has a million "friends" on Facebook?

The few people who dare to think and ask (see links below) how the NGO's financial resources are used, of which it seems more than 60% go to the publicity campaign itself, with top-tier public relations and advertising agencies in New York, are automatically judged to be sympathizers of war criminals or to lack humanity and compassion for the victims.

There is more and more evidence that in reality little or nothing reaches the real victims of the conflict. It is nothing but a gigantic public relations exercise that benefits everyone (the NGO, the PR agency, the advertising agency, and so on) except the victims.

Never stop asking questions.

Links in English: Al-Jazeera, Winnipeg Free Press

Colombian Sovereignty Lost on the Internet

Faced with the threat from Anonymous Colombia to attack the website of Colombia's Registraduría on the occasion of the mayoral elections, it seems the Registraduría got scared and decided to migrate its website to a server in the United States, under the following logic: if the Registraduría's website, hosted on a server in the United States, is attacked, that becomes a federal crime (in the United States, not in Colombia), and therefore the FBI will investigate it. We resign ourselves to not even being able to protect a web page, and we run to hide under Uncle Sam's skirts. How sad.

According to Anonymous Colombia on Twitter, they decided not to attack and in the end only to act as election observers, documenting and reporting electoral crimes of the typical vote-buying kind: televisions, alcohol, raffles, or erasable pens for marking the ballot.

Likewise, Anonymous Colombia claims that migrating the website cost 600 million pesos … and I agree with them: that money was wasted.

What worries me more is the precedent of simply delegating the state's presence on the Internet to a US ISP, as if that were a guarantee of security. In the United States the Pentagon's website gets hacked and nobody notices for years. In the long run the FBI couldn't care less about the website of Colombia's Registraduría; after all, they don't work for foreign governments. And it is the typical Colombian solution: short-term fixes instead of creating a real government IT policy.

Sad because Petro won the mayoralty of Bogotá, and sadder still because the Colombian government delegates its Internet presence to an ISP in the United States.

P.S.: According to LulzSecColombia's Twitter, the attack was not carried out because a member of AnonymousColombia was hired by the Registraduría to protect the website. Whom to believe?