The Market Ticker
Commentary on The Capital Markets - Category [Technology]

An update to my post on the bust of Silk Road 2, because there apparently are some folks who read my article and recently emailed me trying to claim that there's some magical incantation I didn't know about (and that I was attempting to pin the entire thing on an unencrypted laptop).

Since it's a slow news day and I'm bored, let me respond to the handful of emails I received over the last few weeks on this topic:  If you're too stupid to read for content, you definitely shouldn't be doing drug deals (or anything else illegal) on the Internet.  You will get caught.

As for the Forbes article on it at the time, which I didn't cite: that was for a simple reason -- I wrote about this attack vector back in May of 2013, based on my own work over the previous several years, including an examination of the code itself.  This is what I said at the time (yes, the link has aged off and you can't read the whole article, so I won't bother linking it):

Tor.  Tor is a package comprising what is known as the "Onion Router" that encrypts traffic and routes it through multiple computers all over the globe, and is used for web surfing.  It sounds good, but there are risks associated with it.  

First, because of the multiple encryption steps (one for each "hop" the traffic takes) it materially slows down your browsing.  In addition, in order to actually conceal who you are it is absolutely necessary that you not sign into a web site or otherwise transmit a set of credentials.  Next, you are trusting strangers, some of whom may not be trustworthy.  In particular if there is a "strategic" compromise of nodes on the Tor network you could find yourself being monitored anyway while believing you're "safe." This is a fairly significant risk if you're worried about governments; if you're worried about common cybercriminals, not so much.  Because the network (by natural process) routes the most traffic through the highest bandwidth nodes and bandwidth costs money (and thus there aren't very many high-bandwidth nodes) the number of actual nodes that have to be compromised before the odds are your traffic is no longer secure is relatively low.

In short Tor might be useful but it is not a panacea.  If you're trying to hide from the owner of a web site who is not savvy to what you're up to it will probably work.  If you're trying to hide from a government and it's a backwoods tin-pot dictator, you might be successful.  If you're trying to hide from the NSA, good luck.

Read that second paragraph very, very carefully.

As if that wasn't enough, a few months later we knew that this attack vector not only worked but was actively exploited; I wrote about that on 9-12-2013 as well, when a kiddie porn ring apparently got nailed through exactly this sort of attack.

Obviously Mr. Silk Road 2 didn't read either of those articles, or he didn't understand their implications.  If I can trace packet flow I can determine the exit point, and unfortunately, to prohibit unencrypted traffic from flowing to such a "hidden" point, it must be coincident with the terminus.  Determining that a given machine is the terminus of such a "hidden" site is not difficult at all if I can compromise a sufficient number of nodes in the middle as part of a confederacy, because simple traffic analysis (without having to decrypt the payload!) will allow me to determine in a relatively short period of time (for a busy site this might take only minutes) exactly which node probably holds the hidden service.

Let's say I have 500 "nodes" in this theoretical "encrypted" network.  Of them 20 or 30 have very high bandwidth connections compared to the others, and thus will bear the lion's share of the traffic.  If I compromise half of those, say a mere 15 hosts, I can then, using a known set of computers I control, start connecting to the so-called "hidden" service and, through nothing more than analysis of the traffic pattern I intentionally generate, determine with a high degree of reliability where the terminus likely is.  If I then go further and start tampering with the packets in transit through those 15 machines once I develop a hypothesis, I can prove my guess is correct without having to actually be able to decrypt the traffic itself!
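The arithmetic behind that scenario, as an added risk model (not code from the original post, and not the real Tor relay-selection algorithm): when path selection is weighted by bandwidth, the probability that a relay position lands on an adversary-held relay equals the adversary's share of total bandwidth, not its share of the relay count. The 500-relay network with 25 fast relays is constructed to mirror the post's numbers; the bandwidth figures and the assumption that entry and exit are drawn independently are simplifications.

```python
"""Relay-compromise risk model for a bandwidth-weighted anonymity network.

Added example, not code from the post. It quantifies the post's argument:
when path selection favours high-bandwidth relays, controlling a small
number of the fastest relays yields a disproportionate share of circuits.
The network (500 relays, 25 fast ones) is constructed; bandwidths are synthetic.
"""
from fractions import Fraction
import random


def build_network(n_relays=500, n_fast=25, fast_bw=1000, slow_bw=10):
    """Constructed relay list: n_fast fast relays, the rest slow. Units are arbitrary."""
    return [fast_bw] * n_fast + [slow_bw] * (n_relays - n_fast)


def fastest(bandwidths, k):
    """Indices of the k highest-bandwidth relays (the fewest needed for a given share)."""
    order = sorted(range(len(bandwidths)), key=lambda i: bandwidths[i], reverse=True)
    return set(order[:k])


def adversary_share(bandwidths, compromised):
    """Exact fraction of total bandwidth held by the compromised relays.

    Under bandwidth-weighted selection this is also the probability that any
    single relay position in a circuit lands on an adversary relay.
    """
    total = sum(bandwidths)
    held = sum(bandwidths[i] for i in compromised)
    return Fraction(held, total)


def both_ends_probability(bandwidths, compromised):
    """Probability that both the entry and the exit position are adversary-held.

    Simplification: the two positions are drawn independently, each in
    proportion to bandwidth. Seeing both ends is what makes traffic
    correlation possible without decrypting anything.
    """
    p = adversary_share(bandwidths, compromised)
    return p * p


def relays_needed(bandwidths, target_share):
    """Smallest k such that controlling the k fastest relays reaches target_share."""
    for k in range(len(bandwidths) + 1):
        if adversary_share(bandwidths, fastest(bandwidths, k)) >= target_share:
            return k
    return None


def simulate(bandwidths, compromised, circuits=10_000, seed=1):
    """Monte Carlo check of both_ends_probability: sample circuits, count both-ends hits."""
    rng = random.Random(seed)
    idx = range(len(bandwidths))
    hits = 0
    for _ in range(circuits):
        # Two bandwidth-weighted draws (with replacement, matching the simplification above).
        entry, exit_ = rng.choices(idx, weights=bandwidths, k=2)
        if entry in compromised and exit_ in compromised:
            hits += 1
    return hits / circuits


if __name__ == "__main__":
    net = build_network()
    bad = fastest(net, 15)  # the post's "a mere 15 hosts"
    print(f"relays controlled: {len(bad)} of {len(net)} ({len(bad) / len(net):.1%} by count)")
    print(f"bandwidth share:   {float(adversary_share(net, bad)):.1%}")
    print(f"both ends seen:    {float(both_ends_probability(net, bad)):.1%} of circuits")
    print(f"Monte Carlo:       {simulate(net, bad):.1%}")
    print(f"fastest relays needed for a 50% share: {relays_needed(net, Fraction(1, 2))}")
```

With these constructed figures, 15 relays are 3% of the network by count but just over half of its bandwidth, so roughly a quarter of circuits have both ends on adversary relays. The defensive reading is the one the post draws: the security of such a network rests on the independence and diversity of its highest-bandwidth operators, not on the total relay count.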

Once I know where that terminus is ordinary government means (e.g. go kick in the door with a warrant in-hand) work perfectly well and you are


Now who has the money to put up a bunch of high-bandwidth "encrypted" servers and task a few bright folks to do this sort of thing when they get sufficiently motivated?  Gee, that'd be The Feds and their counterparts in other countries, right?

Uh huh.

Go read the last paragraph of that quoted passage again.  The FBI broke "Tor" because you don't need to break the encryption to be able to find the terminus of a communication and once you know where a communication path is ending up you don't need anything more-fancy than an old-fashioned warrant.

As I have repeatedly said for years despite people's claims to the contrary Tor does not secure your traffic against governments provided they're sufficiently interested in whatever you're up to -- and it never has.


How idiotic can you be, America?

The latest technology used by Apple and Google to meet consumers’ demands on securing private data is hitting a nerve with the Department of Justice.

In a meeting last month with Apple executives, the No. 2 official at the Justice Department said the company’s new encryption technology that locks out law enforcement would lead to a tragedy, The Wall Street Journal reported. A child would die and the police would not be able to search the suspect’s phone, the official allegedly said.

Note two things:

  • The scaremongering using children, the typical way that the government shuts down any reasoned debate.

  • Not even a pretense that the desired change would prevent the death -- it would only be the post-hoc search of the phone that would be curtailed!

In a word, so what?  If little Suzy is dead then we have a suspect and a body; the fact that there was a murder hasn't changed.  That the police have to actually do their work the old-fashioned way doesn't change anything either, nor does access to someone's phone (or lack thereof) change DNA and other physical evidence.

Apple's executives apparently took this the same way I did, which is good.  Credit where credit is due.

But pay attention folks, because there are some 330 million of us here and complying with the DOJ's demands will get a hell of a lot more of us killed than just little Suzy!

Washington (CNN) -- China and "probably one or two other" countries have the capacity to shut down the nation's power grid and other critical infrastructure through a cyber attack, the head of the National Security Agency told a Congressional panel Thursday.

Admiral Michael Rogers, who also serves the dual role as head of U.S. Cyber Command, said the United States has detected malware from China and elsewhere on U.S. computer systems that affect the daily lives of every American.

These attacks are possible because of crap, hole-ridden so-called "security" and the use of off-the-shelf garbage that is riddled with back doors and just plain old-fashioned shoddy programming.

I used to write bespoke software -- ground-up, from the operating system level that ran on bare hardware, to run fairly-critical infrastructure.  It was not only air-gapped, it ran out of PROMs that could not be field-programmed in the first place.

For convenience and cost reasons most modern command and control, along with many process-control systems, run not only on commodity hardware (which could be tampered with at manufacturing time) but also on commodity commercial software as well.  The latter is potentially disastrous because such machines and software are designed to be field-upgraded.

The capacity for anyone to override the user's security measures, including cryptographic integrity of the operating system and applications themselves, places that machine at the risk of compromise by malicious third parties who can be half a world away -- including nation-state third-parties.

Just a couple of days ago I detected and successfully interdicted a high-intensity attempt to break into my infrastructure here at The Ticker coming from Germany.  There are dozens of attempts daily that hail from China, Russia and parts of what was previously the USSR, but they tend to be low-intensity attacks that are in the noise level and, other than a nice report that I get every morning with a litany of failures, are unremarkable.  This one was different; it was high-intensity and sustained over the space of several hours, and was a clear probe attack aimed at penetrating SSL negotiation.

It is highly likely that the actual machines assaulting my infrastructure were not the "true source"; that is, those systems were under control of someone else -- and that "someone else" may well be in China or Russia somewhere.  They might even be part of or paid by the government.  In fact, I'd bet on it.

But there's not much here at stake if, by some chance, I screw up and someone gets in.  Oh sure, it's a hassle and maybe something gets stolen that's here, or a disk gets scrambled.  That would be annoying, but not fatal to anyone.

The same problem at a nuclear power plant or large substation could have critical or even catastrophic consequences.

As I wrote the other day, for our government to demand this sort of "back door" access will get Americans -- and large numbers of them -- killed.  It might get a significant percentage of our population killed, and might result in the collapse of our economy and society -- all because of the ignorant arrogance of people in our government.

We must not permit this to happen.


This post will be somewhat technical, so if you're not really into that, well skip to the next one.

Some ISPs are removing their customers' email encryption in a practice that threatens their privacy of communications, claims digital civil liberties group the Electronic Frontier Foundation.

Incidents in the US and Thailand over recent months have seen service providers intercepting their customers' data to strip a security flag (called STARTTLS) from email traffic, the group says.

The STARTTLS flag is used by email servers to request encryption during the process of talking to another server or client.

Without this flag, email is sent in the clear, as a blog post by the Electronic Frontier Foundation (EFF) explains.

Before you freak out you need to understand how this works in the real world.

I'll use two examples -- you, as a consumer, and a business (small or otherwise.)

As a consumer you use a tablet, laptop, desktop or phone with an email client.  That client talks to a server to send and receive email.  Normally, for consumer broadband accounts, that server is on the ISP's infrastructure.

If your email is "Joe.Schmoe@cox.net" you're one of these people.

When your email client connects to a server it can do so through one of three modes:

  • Clear text.  This sends the entire transaction in the clear, and is typically conducted over TCP port 25.

  • Encrypted.  This is on a different port, often 465 or 587, and comes up in SSL.  There is no possibility to send a clear-text email via this path since if you cannot negotiate a connection over SSL no connection and thus no transmission happens at all.

  • STARTTLS.  This usually happens over port 25 also.  The client connects to the server and as part of its initial connection startup it transmits the string "STARTTLS", as the name implies.  This asks the server to shift over to encrypted mode; if it is capable of doing so (not all are) it acknowledges this with a "200" response and then initiates an encryption handshake.  If it cannot do so (e.g. it has no security certificate, TLS is turned off, it doesn't know how to handle a TLS connection at all, etc.) it comes back with a "500" response code, refusing the request.

What's being alleged here is that there are ISPs that are "listening" to the client part of the connection sequence and when they see the "STARTTLS" request they are eating it and sending back a 500 response.  The client will then proceed (unless you have told it otherwise, and not all can be told otherwise!) to send in clear text.
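The negotiation described above, played out against an in-process fake server, as an added example (not code from the original post). The client performs only the pre-TLS dialogue (greeting, EHLO, STARTTLS) and returns a decision instead of silently falling back to clear text; that refusal to fall back is the client-side mitigation the post alludes to. The server names, the EHLO capability list and the three scenarios are constructed. The code uses the reply codes from RFC 3207 (220 means "go ahead", a 4xx/5xx reply refuses) and treats a STARTTLS keyword missing from the EHLO response the same way as a refusal, since from the client's side the two are indistinguishable.

```python
"""STARTTLS negotiation with an explicit no-fallback policy (constructed example)."""
import socket
import threading

CRLF = b"\r\n"


def _recv_reply(f):
    """Read one (possibly multi-line) SMTP reply; return (code, [text of each line])."""
    lines = []
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        line = line.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line[4:])
        # "250-..." continues the reply, "250 ..." (space) ends it.
        if len(line) < 4 or line[3] == " ":
            return int(line[:3]), lines


def negotiate(sock, client_name="client.example.invalid"):
    """Run greeting/EHLO/STARTTLS and report the outcome.

    Returns "tls-ready" only when the server answers STARTTLS with 220, i.e. the
    point at which a real client would wrap the socket in TLS. Every other path
    stops short of sending any mail, which is the behaviour a TLS-requiring
    client configuration must have.
    """
    f = sock.makefile("rb")
    code, _ = _recv_reply(f)
    if code != 220:
        return f"greeting-rejected-{code}"
    sock.sendall(b"EHLO " + client_name.encode("ascii") + CRLF)
    code, caps = _recv_reply(f)
    if code != 250:
        return f"ehlo-rejected-{code}"
    # caps[0] is the server's greeting text; the rest are capability keywords.
    keywords = {c.split()[0].upper() for c in caps[1:] if c.strip()}
    if "STARTTLS" not in keywords:
        # Either the server has no TLS or something on the path removed the keyword.
        sock.sendall(b"QUIT" + CRLF)
        _recv_reply(f)
        return "starttls-not-advertised"
    sock.sendall(b"STARTTLS" + CRLF)
    code, _ = _recv_reply(f)
    if code == 220:
        return "tls-ready"  # TLS handshake would begin here
    sock.sendall(b"QUIT" + CRLF)
    _recv_reply(f)
    return f"starttls-refused-{code}"


def fake_server(sock, advertise_starttls=True, starttls_reply=b"220 Ready to start TLS"):
    """Constructed SMTP server speaking only the pre-TLS part of the protocol."""
    f = sock.makefile("rb")
    sock.sendall(b"220 mx.example.invalid ESMTP" + CRLF)
    f.readline()  # EHLO
    caps = [b"250-mx.example.invalid", b"250-SIZE 10240000"]
    if advertise_starttls:
        caps.append(b"250-STARTTLS")
    caps.append(b"250 8BITMIME")
    sock.sendall(CRLF.join(caps) + CRLF)
    while True:
        cmd = f.readline().strip().upper()
        if cmd == b"STARTTLS":
            sock.sendall(starttls_reply + CRLF)
            if starttls_reply.startswith(b"220"):
                break  # a real server would now perform the TLS handshake
        else:  # QUIT or connection closed
            sock.sendall(b"221 Bye" + CRLF)
            break
    sock.close()


def run_scenario(**server_opts):
    """Connect a client and a fake server over a socketpair; return the client's decision."""
    client_sock, server_sock = socket.socketpair()
    t = threading.Thread(target=fake_server, args=(server_sock,), kwargs=server_opts)
    t.start()
    try:
        return negotiate(client_sock)
    finally:
        client_sock.close()
        t.join()


if __name__ == "__main__":
    print("honest server:     ", run_scenario())
    print("keyword stripped:  ", run_scenario(advertise_starttls=False))
    print("request refused:   ", run_scenario(starttls_reply=b"454 TLS not available"))
```

The second and third scenarios are what an interception of the kind described above looks like from the client: the capability list arrives without STARTTLS, or the request is answered with an error. A client that treats either as "proceed in clear text" hands the mail over unencrypted; one that treats them as a hard failure, as here, reports the problem instead.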

Now here's the rub -- there are virtually no consumer devices, especially those running Windows, MacOS or common handheld operating systems (e.g. Android, iOS, BlackBerry, etc.), that directly look up and transmit email.  They instead go through "their" server.  The reason this is done is that if you have an open receiver for email it will be abused mercilessly to send spam.

So what happens is that the server you connect to validates you in some fashion.  It may look at your IP address (did you connect from a network known to be "inside" that ISP?) or it may accept an authentication first (e.g. login ID and password.)  It may also look at your incoming email transactions and attempt to match them against your IP address; if you just asked to receive email, for example, and signed on, you're probably a customer.

Now there is no reason for an ISP to block STARTTLS from their own customers to their own mail servers.  Why?  Because in the process of accepting the email and forwarding it by necessity it must decrypt it, and it has the key to do so since you connected to it.

Many "consumer" ISPs prohibit you from connecting over port 25 (the usual unencrypted email port) unless you're talking to their email server.  They do this because that's what spammers do -- they look for "open" port 25 servers and send through them, and spam is a serious (and very real) problem.  This, incidentally, is why you can't run your own mail server on your own infrastructure using a consumer account from most ISPs.

Where it becomes a potentially bigger problem is with small business connections, which may have the ability to run their own mail server.  Here that sort of interdiction is potentially serious and at least somewhat difficult to detect.

Some of us (moi, for one) run our own infrastructure.  And I have my email server (that also does spam filtering) configured so that it explicitly identifies TLS/SSL emails with the following tag:

Received: from mx2.freebsd.org (TLS/SSL) [8.8.178.116] by Spamblock-sys;
Wed Nov 12 13:52:02 2014

That nice little tag, if present, tells me that the message transport was encrypted in the process of being sent to me -- but few servers tell you.
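A way to act on that tag, as an added example (not code from the original post): walk the Received headers of a message, oldest hop first, and flag every hop that carries no encryption marker. The "(TLS/SSL)" marker is the one the post's server stamps; "with ESMTPS" (or ESMTPSA) is Postfix's convention for a TLS hop and "version=TLS..." appears in Sendmail-style headers; other servers word it differently, so the marker list is an assumption, not a complete one. The sample message is constructed around the Received line quoted above, with the other hops using reserved documentation addresses.

```python
"""Flag SMTP hops whose Received header records no transport encryption (constructed example)."""
import re
from email import message_from_string

# Encryption markers: the post's own "(TLS/SSL)" tag, Postfix's "with ESMTPS[A]",
# and Sendmail-style "version=TLS...". Assumption: illustrative, not exhaustive.
TLS_MARKERS = re.compile(r"\(TLS/SSL\)|\bwith E?SMTPSA?\b|\bversion=TLS", re.IGNORECASE)
FROM_HOST = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)


def classify_hops(raw_message):
    """Return [(from_host, encrypted)] for each Received header, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    # Headers are prepended as the message travels, so the top one is the newest.
    for received in reversed(msg.get_all("Received", [])):
        flat = " ".join(received.split())  # undo header folding
        m = FROM_HOST.match(flat)
        host = m.group(1) if m else "?"
        hops.append((host, bool(TLS_MARKERS.search(flat))))
    return hops


def unencrypted_hops(raw_message):
    """Hosts that handed the message on without a recorded TLS marker."""
    return [host for host, encrypted in classify_hops(raw_message) if not encrypted]


# Constructed sample: the first Received line is the one quoted in the post; the
# relay and sender hops, their ids and addresses (192.0.2.0/24, 198.51.100.0/24)
# are made up.
SAMPLE = """\
Received: from mx2.freebsd.org (TLS/SSL) [8.8.178.116] by Spamblock-sys;
 Wed Nov 12 13:52:02 2014
Received: from relay.example.invalid (relay.example.invalid [192.0.2.10])
 by mx2.freebsd.org with ESMTP id constructed001;
 Wed, 12 Nov 2014 13:51:58 +0000
Received: from sender.example.invalid ([198.51.100.7])
 by relay.example.invalid with ESMTPS id constructed000;
 Wed, 12 Nov 2014 13:51:50 +0000
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for host, encrypted in classify_hops(SAMPLE):
        print(f"{host:28s} {'TLS' if encrypted else 'CLEAR'}")
    print("hops without TLS:", unencrypted_hops(SAMPLE))
```

One caveat worth keeping in mind when reading the output: each Received header is written by the server that received the message at that hop, so only the line your own server stamped is under your control. Earlier lines are supplied by upstream systems and can be wrong or forged; the check tells you what those servers claimed, not what happened on the wire.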

All of them should.  And I can configure my end to refuse to talk except to an SSL-encrypted other end, but if I do that then anyone who doesn't have SSL capability can't get email from me at all.

I don't know how you get around this, because without encryption of the payload (e.g. via PGP or S/MIME) the choice is this: if you disable the ability to send without TLS, you get no email from places where server-to-server encryption can't be used, whether due to lack of capability, configuration or law.

As a result I think the EFF is blowing a fair bit of smoke here, and the referenced article is less than informative -- and veers dangerously close to scaremongering.

But -- it is something to keep an eye on.


Because monopolistic practices, including forced connections, are good for customers.

"We are stunned the president would abandon the longstanding, bipartisan policy of lightly regulating the Internet and calling for extreme" regulation, said Michael Powell, president and CEO of the National Cable and Telecommunications Association, the primary lobbying arm of the cable industry.

Obama, in his statement, called for an “explicit ban” on “paid prioritization,” or better, faster service for companies that pay extra. The president said federal regulators should reclassify the Internet as a public utility under Title II of the 1934 Communications Act.

"For almost a century, our law has recognized that companies who connect you to the world have special obligations not to exploit the monopoly they enjoy over access in and out of your home or business," Obama said in his statement. "That is why a phone call from a customer of one phone company can reliably reach a customer of a different one, and why you will not be penalized solely for calling someone who is using another provider. It is common sense that the same philosophy should guide any service that is based on the transmission of information -- whether a phone call, or a packet of data."

Except that's a lie.

For a very long time (and probably still today) in Illinois, for example, there were several laws bearing on this, and they are not what Obama claims.

One of them was that a call between two local providers required the payment of money on a per-minute basis from one to the other.  Yes, that's not only forced interconnection it's forced interconnection with a fee attached.

Now I was able to exploit knowledge of this (greatly!) while I ran my ISP, since calls terminated on my equipment -- always.  Guess what sort of leverage this gave me with the competitive local exchange carriers, who would (as long as I had a high utilization ratio) make LOTS of money from my customers calling into my modems?

Uh huh.

Here's the problem with such mandates -- they benefit some people and screw others.  I benefited.  You got screwed.  You got screwed hard if you called people between "zones", which were as little as 7 miles apart!  You got charged on a per-minute basis for a local landline call.

So what did we learn with even the not-really-very competitive world of cellphones?  I can call across the damn country for no additional charge -- while it was (and may still be) a literal nickel a minute to call 10 miles down the road on said regulated landlines run by Ameritech!

What's going on now is that certain companies such as Netfux have driven you into a frenzy to think that negotiation and shared value is a bad thing, and that force (literally at gunpoint, since prosecution and/or fines are involved) should mandate that your ISP cannot charge Netflix for a one-way benefit -- theirs.

You may think this is of benefit to you but it is not.  It is not of benefit to you because you may not want to buy Netflix service, but if this mandate is imposed you will be forced to pay for the transport of their bits over your ISP's pipe whether you buy their service or not!

Now you may say "but I want Netflix so I win -- and **** you!"

Ok.

Tomorrow, if this mandate is imposed, I am going to start a 50Mbps 3d-porno service that will serve up virtual pornography to you on demand.  It will, of course, require very high quality Internet connections, all of which I can force to be provided over this "open Internet on which there are no tolls and no discrimination" and your bill will be forced higher to pay for my ability to get those bits to anyone who wants it, whether you subscribe to my service or not!

Still think this is a good idea?

PS: No, I'm not kidding and neither are many other people who are likely thinking of similar things.  The only gating factor right now is that if I started such a service the odds are very high I'd wind up paying for all the transport to get the bits to your door, one way or another.  If this becomes law that will no longer be true and I may well take a crack at making a billion dollars by stealing it from all of you via your broadband charges.

Yes, by the way, I'm completely serious.


Oh Hell no that thing is not coming into my house.

The utter failure of the Fire Phone apparently hasn’t curtailed Amazon’s huge ambitions in hardware. The company today unveiled Amazon Echo, a slightly quixotic, 9-inch tall speaker that plays music, fields voice commands and Internet queries, responds in a pleasant conversational voice, and of course (since this is Amazon, after all) will obey instructions to put various products into your Amazon.com (AMZN) shopping cart.

Oh yeah, I want a "speaker" that's always on, always listening and "obeys commands."

I utterly trust this always listening device to only process anything when I address it, never do so on command of someone else (like the pigs, the NSA, Amazon themselves, etc) and to never, under any circumstances, make what it hears available to anyone without my explicit authorization.

Riiiiiiiight.


The Market Ticker content may be reproduced or excerpted online for non-commercial purposes provided full attribution is given and the original article source is linked to. Please contact Karl Denninger for reprint permission in other media or for commercial use.