Things That Matter Most

Things That Matter Most

What S.J. Resolution 34 Means For You

by

If you’re reading the news, you’ve probably seen hoards of tech journalists up in arms about S.J. Resolution 34. In a nutshell, this is an agreement by Congress to overturn a rule passed late last year by the FCC. The rule itself prohibited Internet service providers (ISPs) from collecting and sharing data about their customers without said customers’ consent.

The Congressional resolution nullifies that rule.

What happened

Last October, the FCC published a rule aimed at protecting consumer privacy. It dictated specifically that ISPs were required to:

  • notify customers about the data being collected
  • explain for which purposes that data will be used and shared
  • identify the parties with which that data will be shared

The rule identified ISPs as, effectively, telecommunications services. This means that ISPs would fall under the same laws that require other communications agencies to protect their customers’ data. It requires that customers “opt-in” for the sharing of data and further blocked ISPs from refusing service to those who refused to share their information.

The rule was passed in October, published in December, and became effective in early January.

Congress – specifically Republicans in Congress – felt this rule went too far. They elected to void the rule using their power of “Congressional disapproval” as granted through the Congressional Review Act:

The [Congressional Review Act] empowers Congress to review, by means of an expedited legislative process, new federal regulations issued by government agencies and, by passage of a joint resolution, to overrule a regulation. Once a rule is thus repealed, the CRA also prohibits the reissuing of the rule in substantially the same form or the issuing of a new rule that is substantially the same[.]

As soon as President Trump signs the joint resolution into law, the FCC’s rule will no longer exist.

OK … So what now?

The media outcry about the new resolution is a bit misleading. Though the FCC’s rule took effect in January, it hasn’t actually changed anything yet. The new FCC chairman, appointed in the early days of President Trump’s administration, has never been a proponent of this or any other FCC rule enforcing net neutrality.

Though the rule exists and has been “effective” most of this year, it hasn’t been used to change anything about our ISPs behavior. It was still so new, no one had used it for anything yet.

The Congressional resolution rolling things back effectively just said a rule that wasn’t being used cannot be used. In other words, nothing is substantially different today than it was at the end of last year.

Wait, the sky isn’t falling?

Media coverage of the issue has, thus far, neglected to highlight much of the above. The FCC rule is regarded as a long-standing law that protected consumer privacy; unfortunately, this isn’t true. The rule would have protected our privacy, but is being culled from our way of life before it had a chance to effect any change on the way ISPs do business.

Again, nothing is different today from the way things were three months ago.

And that should terrify you.

Happening right now

Rescinding the FCC rule means that ISPs are legally allowed to collect your data without your knowledge or consent. This includes:

  • IP addresses from which you access the Internet (potentially translatable to physical addresses)
  • A list of websites you visit
  • The pages and content on insecure (non-HTTPS) websites you visit
  • The content of forms you submit over non-HTTPS connections
  • And potentially much more

They are also legally allowed to use this data for advertising or even sell it to third parties, again without your knowledge or consent.

Even more chilling, they were already allowed to do this and might have been doing so all along. The FCC rule tried to protect us by preventing this behavior; S.J. Resolution 34 has highlighted the fact that this behavior was already the way of the world and will remain so for the foreseeable future.

What can you do about it?

As always, call your representatives and explain to them why they should care about protecting your privacy. Also, take what steps you can independently to ensure you’re protected even if they do nothing.

  • Use tools like ad blockers and Privacy Badger to block tracking scripts on the sites you visit
  • Always ensure you’re visiting sites over secure, HTTPS connections – your ISP can see the name of the server you’re visiting, but not the individual pages or the content thereof
  • Find a reputable VPN provider and browse the web over an encrypted Internet connection

If you’re a web developer, do everything you can to make sure the websites you build and maintain serve content over HTTPS. You are the first line of defense for your customers, your neighbors, and even yourself. SSL certificates are free, and many hosts will even set them up for you.

No one is more responsible for your privacy than you. No one will fight more for your privacy than you. Not Congress. Not your ISP. You owe it to yourself to understand the world around you, the data being collected about you, and how to proactively protect the privacy of that information.

Owning My Internet

by

Whenever I’m away from home, I connect to an anonymous proxy VPN to protect my Internet traffic. It’s not that I’m doing anything illegal or necessarily anything private, I just don’t want to advertise my activity to the entire world.

I pay for this VPN because it’s fast and presents me with a wide array of potential data centers through which I can connect. If I’m near home, I connect through a data center in Seattle. If I’m visiting friends on the East Coast, through New York. If traveling abroad, whichever international location yields the highest throughput.

Wherever I am, it means my traffic is safe from inspection regardless who else might be eavesdropping on the network.

Why This Matters

In the earlier days of secure Internet browsing, every secure website could be expected to have a unique IP address. This meant you didn’t need to specify the hostname when initiating a TLS handshake to create a secure connection.

As the Internet matured and more sites came online, we quickly exhausted the available address space of the IP protocol. 1 To get around the limitations, we started hosting multiple sites on the same physical server, reusing the server’s IP address. To still route traffic appropriately, we have to leverage Server Name Identification (SNI) and eavesdroppers can intercept  unencrypted hostnames.

So anyone looking at the logs will know what sites you’re viewing, even if they don’t know what pages you’re viewing on those sites. For most traffic, this isn’t too revealing … but it’s still additional information that can be used to fingerprint an individual based on their web habits.

Where Things Stand Now

Even using an anonymous proxy is not enough because various media producers – and remember, the web itself is media – are starting to track the IP addresses used by these proxies and is blocking them entirely. Though I’m a paying Hulu subscriber, I can’t watch Hulu over my paid VPN.

hulu-vpn-block

This past weekend, a friend noticed something curious about one of the news apps he uses. While connected to my home network, the app began displaying intermittent pop-over ads in an attempt to block access to various stories because the publisher detected, and apparently dislikes, my ISP.

Frankly, this behavior is beyond ridiculous.

Solutions

I will still use my paid, anonymous VPN when connecting to various sites as I travel. The bandwidth available is fantastic and, for the small but growing number of sites blocking access, something I can live with for the moment.

For other sites – like Hulu – I have a basic alternative. Thanks to amazing open source projects like Sovereign, I’ve been able to convert a Raspberry Pi 3 into a private “cloud” server running on my home network. 2 I have a self-hosted ownCloud instance, Git repository server, and most importantly an OpenVPN instance. My machines can now connect securely to my home network and will encrypt any traffic I need remotely, proxying it instead from my home.

It’s not the fastest connection in the world, but to any external viewers I’m using the same resources I would be if I were at home on my PC.

I’m also working with a few friends to set up a SoftEther cluster across various datacenters worldwide so we can host our own private replacement for a distributed commercial VPN. Like the commercial option, we would have the ability to connect to whichever node has the fastest speed. Unlike the commercial option, our IP addresses won’t be indexed and blocked by media providers.

The point is that the publishing world is becoming increasingly hostile to the notion of personal privacy. These are just some of the steps I’m taking to keep my data secure. What steps are you taking?

Notes:

  1. I’m specifically talking about IPv4 here. The newer IPv6 address space is so large it is unlikely to be exhausted in my lifetime. Unfortunately, support for IPv6 is still … spotty.
  2. This is a new build from the one I’ve documented before. Last time I used a first-generation Pi (which was painfully slow) and was very limited in terms of functionality. The new machine is unparalleled. For example, the Pi 1 took 26 hours to generate a Diffie-Hellman keypair. The Pi 3 took 10 minutes.

Device Security

by

I’m a big fan of the TV show Shark Tank, and I watch just about every new episode live when it airs. There’s something about entrepreneurs risking it all to make a dream come true that resonates with me. 1

This past season, though, saw some absolutely insane products pitched in the tank. One I found the most ridiculous was a product called eyebloc.

Eyebloc is a small, plastic cover that fits over the top of your laptop, covering the camera and preventing prying eyes from seeing what you don’t want them to see.

Why It’s Ridiculous

My home network is incredibly secure. I use unnecessarily tough encryption for connections, only allow a known set of devices to connect in the first place, and use strong passwords changed regularly to protect administrative tools. Considering I don’t do anything warranting that kind of protection in the first place, the lengths I go to when securing my information are a bit extreme.

Then again, I do this because I don’t know for sure how a nefarious individual might use information I otherwise consider “safe.” I’d rather they just not have my information in the first place.

I’m also very cautious when I use software online. All of my devices are networked together in such a way that if any of them changes state (software downloads, updates, system configuration changes, etc) I’m notified immediately. 2

The chances anyone could hack in to my system in the first place are remote. The chances of a successful hacker then installing camera-aware spyware are even more so.

Paying even $5 (the current price of Eyebloc on Amazon.com) to protect against such a remote eventuality seems insane.

Why It’s a Good Idea

Last night, something a bit odd happened.

I use HipChat for work. Because I’m lazy, I’ll usually leave it 3 running when I head out of the house after work. I lock my machine before leaving the desk, but otherwise things are set up so I can quickly get back to work the next day.

Yesterday was no different. My last Skype/HipChat call was around 3. I finished work a little after 4 and locked my machine before heading out the door. 4 After spending some time downtown and dining out with my wife, I came home and turned the computer on to finish a few things before calling it a night.

The blue light on my laptop camera was on.

I pulled up a few systems diagnostic tools and was able to narrow down HipChat as the application responsible. A network trace showed the camera was actively streaming. To where? I have no idea, nor do I care.

I killed HipChat. Rather than pay $5 on Amazon and wait a few days for an eyebloc, I folded an old business card over the camera.

It will stay there until my next video call.

To be clear, no one hacked my network. I installed HipChat and, likely, the program has a bug that just randomly enabled the camera. I’ve noticed since the last update that HipChat randomly steals control of my audio and mutes other applications as well.

Nothing nefarious is going on – but it could be.

We install applications all the time that have deep access to our machines. Even some that explicitly call out what they do and do not have access to also feature automated update mechanisms that can pull down new “features” and wider access without our intervention. 5

You can have the most secure network in the world, but once you let someone else in to that network, they have the ability to run amok without your oversight. Just think, this misuse of my camera was an accident triggered by a bug that will likely be fixed in a week or so – but what if it wasn’t a bug? What if it was intentional?

We exercise a high level of security when it comes to the sites we browse and the applications we install. Often, the applications running on our machines a week or so later bear little to no resemblance to the ones we installed in the first place. How much control are we really giving up to anonymous developers with access to an update hook?

How secure are our machines?

Notes:

  1. I would go absolutely bananas to see a WordPress-related or inspired pitched on the show!
  2. This shocked my wife when she tried to order a Christmas present online and accidentally clicked a button to update Java. It wasn’t really Java, so I shut the machine down remotely and fixed things. She was a bit confused, and disappointed I’d spoiled her surprise, but our machines stayed safe.
  3. And Chrome. And PHPStorm. And Vagrant. And Skype. And Terminal. And Toggle. And Git Gui. And …
  4. I know the camera was disabled at this point as there was no little blue light on the top of my laptop. The office was dark save the yellow lights on the router.
  5. When is the last time you really looked at what was installed when Chrome last auto-updated?

The Effect of Privacy Violation

by

This week has seen an interesting move by Russia – the passage of legislation requiring all Internet-based data about Russian citizens to be hosted on servers physically hosted in Russia.

The effects of the bill, if passed, would be wide-ranging, touching just about every international service used by Russians. Essentially, it would mean that Facebook, Google or any other international online service – including apps – used by people in Russia would need to have physical servers inside Russia’s borders. 1

I say “interesting” because of both the triggers and ramifications of this move. The potential precedents set by this legislation are enormous!

Causes

This move by the Russian government is undoubtedly a direct response to (not so) recent revelations of American government spying. Companies like Google, Facebook, and Yahoo store massive warehouses of consumer data – sometimes on Russian servers, sometimes on American servers. This data is so comprehensive that companies have been able to use advanced analytical tools to predict everything from purchase behavior to teen pregnancy.

It’s a chilling amount of data that, in the wrong hands, could be used for all sorts of nefarious purposes. Knowing that American agencies like the NSA likely are those wrong hands has many people up in arms. The NSA’s ability to reach into the data vault of American companies (with warrants issued by secret courts) means they have the ability to grab data not just about American citizens but Russian ones as well.

Hosting Russian data physically in Russia means the government there can better block American agents’ access to their citizens’ information. It’s a play by Russia to protect its citizens and, while I might disagree with the legislation itself, I can understand and even admire the sentiment that built it.

Effects

Unfortunately, the effects of this law are somewhat paralyzing for web developers.

Already, we must alert European visitors if our sites use cookies to store personal information – and present visitors with the ability to opt-out of such storage. Forcing Russian data to be stored on Russian servers will require us to:

  • Maintain separate physical servers in Russia (in addition to any servers we set up elsewhere in the world)
  • Determine the citizenship of site visitors so we can direct Russians to Russian data stores regardless of the network location from which they access the site

The first challenge is easy. The second is nearly insurmountable. The legislation at hand is meant to protect all citizens of the Russian Federation, and it will do so, but perhaps at the risk of merely blocking Russians from accessing new (read: bootstrapped) network tools. Other countries are likely to follow Russia’s lead to protect their citizens from American overreach.

I can’t blame them. The NSA infuriates me as well. But there must be better ways to protect our information from prying eyes. Blocking the NSA from spying on Russians by merely forcing Russian data to live in Russia will help block non-Russians from spying. But it doesn’t solve the problem of keeping that data safe, just in the country.

Notes:

  1. Russia Moves To Ban Online Services That Don’t Store Personal Data In Russia

Is Your TV Watching You?

by

My parents just got a new TV, and for this year’s super bowl I thought I’d check it out.

The sports fan that I am, I’d throw my arms in the air every time my team did something cool.  When I did this, a menu would pop up on the screen.

Apparently, they bought a “smart” TV that uses a camera to detect visitor motion – raising your hand launches a menu that allows quick channel switching or swapping cable for NetFlix.

I thought it was pretty cool … until I realized it meant a camera was watching me the entire time I was watching the super bowl.

It Gets Creepier

Another time, my brother wanted to show off the voice recognition of the machine.  He walked in the room and just announced “TV on!”

To my surprise, it turned on.

He can also change the channel just by speaking.

Is This Secure?

After a few media reports that TVs and webcams can be controlled remotely, I took some time to investigate.

If you know me, you know how much I care about network security; as a result, I run a fairly secure network in my home.  We have a couple of smart TVs wired to the network, my work machines, smart phones, eBook readers.  When I stopped to think about just how wired my house has become, it actually caught me off guard.

Setting up network connectivity has become so common in new device “unboxing” that we don’t even realize we’ve connected until later.

Despite my work on network security, the occasional threat crops up.  Someone borrowing a computer in the other room clicks a link and I’m inundated by trojan horse notifications as the web app they just installed starts broadcasting an open backdoor’s whereabouts online.

This past week a friend fell for a “speed up your computer” scam that infested their computer – on a trusted network – with hundreds of viral trojan horse programs.  Had we not caught it early, the infection could have easily spread to my laptop – my Kindle – my phone – my iPod …

My network is fairly secure and, despite our best efforts, there are still holes all over the place.  How easy would it be for one of these holes to let someone control my TV?  My webcam?

Easy.

This week I took a stand on this site to support online privacy and fight against government data surveillance.  I care very much about not just my privacy, but yours, too.  Being paranoid about potential security threats helps keep my home secure – so while this question might come across as overly tin-foil-hat: have you considered your new TV might be spying on you?

If you care as much about this issue as I do, you should contact your legislators today.

Web Requests and Data Leakage

by

When I wrote earlier on securing images and solving mixed content issues on websites, my friend Mike Schinkel asked if I could explain why it mattered.  I briefly covered information leakage in the comments, but wanted to go over things a bit more in detail for anyone interested.

The Tools

I use a variety of network tools to monitor requests going back and forth from the browser to the server.  Seeing exactly what the browser sends and exactly what the server returns helps debug interactions, detect potential optimization routes, and gain a better sense of what’s going on under the hood.

On my Windows machine, I use Fiddler as a proxy so I can see every piece of data passing over the wire.  On both my Windows and Mac I use Wireshark to monitor both web requests and, well, everything exchanged over the network.

Wireshark, in particular, is a fun tool to run when connected to any network as it lets me see not just the traffic from my machine but any machine on the network.  If you want proof that people are still using insecure network connections to send sensitive data, spend 5 minutes reading a Wireshark feed.  It’s a sobering experience.

The Experiment

To demonstrate how information could leak with images, I did a quick experiment on my own site.  I made a web request to http://eamann.com/biz/does-the-fold-still-matter/?username=testing&password=1234.  This is to demonstrate two things:

  1. The relative insecurity of GET parameters (variables passed in a URL)
  2. How data passed in a referrer header can be intercepted by an eavesdropper

Once upon a time I worked on a stateless REST-based web application that still authenticated users on each request.  The user authentication required the username and password of the current user to be passed as GET parameters in every request.  Every. Request.  This experiment recreates that environment as an illustration.

Assume, though, that we’re requesting an https url. 1  The document will be passed over an encrypted connection and eavesdroppers won’t grab anything.  The images, however, could be passed over HTTP and can be viewed by anyone intercepting network traffic.  If the browser is passing a Referrer header, eavesdroppers will now know exactly what page you’re viewing, can see any cookies on the site, and can see your GET parameters – your username and password. 2

The Results

After making the request and taking a look in Wireshark, it was fairly easy to find an image request on the page. 3

Screenshot-Request

If this were truly an SSL site, the other requests in this image wouldn’t appear (I’m filtering on HTTP requests only), but the GET for the image would still be present and (in most browsers) would still contain the same headers.  The image itself is an innocuous request.  It doesn’t expose anything vital.

The headers are a different story:

Screenshot-Referrer

I’ve highlighted the referral header in the example above.  In plain text, it would be Referer: http://eamann.com/biz/does-the-fold-still-matter/?username=testing&password=1234.  Here we have, exposed for all the world to see, the original web url and it’s plaintext GET parameters. 4

The Implications

Honestly, few of us are ever going to send a username and password pair via GET parameters.  But there are situations where this could still cause an issue.

I use a plugin on my WordPress site called “Share a Draft.”  This plugin allows me to very easily draft a post, and share a private link for that post with peers to review content before publishing anything.  This private link contains a hash, affixed to the URL via a GET parameter, that tells WordPress to give a visitor access to a not-yet-published post.

Again, my site doesn’t contain any sensitive information – but what if it did.  What if, instead of blogging about personal topics, I was writing news articles about major international affairs for a news media organization?  What if I sent a Share a Draft link to a colleague to proofread a post on not-yet-public international policy decisions?  What if my colleague read the post in a Starbucks over open WiFi?

Even if the site itself is encrypted and transferred over SSL, any non-SSL images in the post body can be intercepted by anyone else on that network, potentially revealing the referrer URL, exposing the GET parameter, and allowing an eavesdropper access to sensitive news data before it’s available to the public.

Is this a major security flaw?  No.  But it’s a flaw nonetheless and something security-minded developers and publishers should keep in mind.  I’ll be among the first to admit that thinking about security in this way is extremely paranoid.  I’d also like to point out, though, that professional paranoia is the mark of a good security engineer.

Have I convinced you that “mixed content” warnings are a valid security concern yet?

Notes:

  1. I don’t have an SSL certificate set up for my site because I’m cheap. Also, none of the data on this site is of a sensitive nature, so encryption isn’t a big deal.  If, however, I decide to ever host sensitive data the first thing I’ll do is lock everything down over SSL.
  2. Good browsers are now locking down on this and beginning to omit the Referrer header when making an http asset request on an https page. But there’s no guarantee here, and you’ll never know what browser your visitors are using.  If the page needs to be secure, make sure your assets are secure as well or you’ll be leaking information to would-be attackers!
  3. Remember, we’re taking the example of an SSL site that contains a vanilla HTTP image in its body.
  4. I want to point out once more this will still be exposed on most SSL-secured websites if the image is requested over HTTP.  I requested the page over HTTP because my site doesn’t currently have an SSL certificate.  However, I wanted to present a real demonstration from a real website with data captured live over an open WiFi network.  This is a real request, captured remotely, using readily-available tools and eavesdropping over a real network.  I used my own site as an example so no one can accuse me of hacking their data.