Gogo Inflight Internet is intentionally issuing fake SSL certificates

In this case, performing a man-in-the-middle attack would require the attacker to attack the SSL certificate first before being able to snoop on someone’s traffic.

For whatever reason, however, Gogo Inflight Internet seems to believe that they are justified in performing a man-in-the-middle attack on their users. Adrienne Porter Felt, an engineer that is a part of the Google Chrome security team, discovered while on a flight that she was being served SSL certificates from Gogo when she was requesting Google sites. Looking at the issuer of the certificate, rather than being issued by Google, it was being issued by Gogo.

via Gogo Inflight Internet is intentionally issuing fake SSL certificates – Neowin.

Issuing fake SSL certificates is clearly a deceptive practice that should be illegal for Wi-Fi providers. This article is a good reminder that an attacker must get your permission, through your system's certificate warning, before the fake certificate is accepted, and on most systems the pop-up windows explaining this are very clear. Never click yes when this window pops up unless you are on a secure network and know beforehand why the certificate is being issued.
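As an added example (mine, not code from the Neowin article, this blog, or Gogo), here is the check a practitioner would automate on top of the warning described above: compare the issuer of the certificate a site presents with the CA you expect for that site. The two certificate dicts are constructed to mimic the shape of Python's ssl getpeercert() output; "Example Hotspot CA" is a placeholder issuer, not Gogo's real certificate, and "Google Inc" / "Google Internet Authority G2" is assumed here to be the expected issuer for www.google.com. The caveat the warning-based defence depends on: if the provider's CA has been added to your trust store, no warning appears and only an issuer comparison like this one reveals the substitution; if it has not, the TLS library raises a verification error, which is the same signal the browser pop-up gives.

```python
"""Issuer check for a TLS certificate (added example; not from the article).

Two constructed certificate dicts mimic ssl.SSLSocket.getpeercert():
one signed by a placeholder hotspot CA, one by the issuer assumed here
to be the legitimate one for www.google.com.
"""
import socket
import ssl
import sys

# Constructed: a certificate for www.google.com signed by a placeholder
# interception CA ("Example Hotspot CA" is not Gogo's real issuer).
INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Hotspot CA"),),
        (("commonName", "Example Hotspot CA"),),
    ),
}

# Constructed: the same subject signed by the issuer assumed here to be
# the legitimate one for Google hosts at the time of the article.
LEGITIMATE_CERT = {
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Google Inc"),),
        (("commonName", "Google Internet Authority G2"),),
    ),
}

# Assumed allow-list of issuer organizations per host (not from the page).
EXPECTED_ISSUERS = {"www.google.com": {"Google Inc"}}


def issuer_fields(cert):
    """Flatten getpeercert()'s issuer (a tuple of RDN tuples) into a dict."""
    fields = {}
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            fields[key] = value
    return fields


def looks_intercepted(cert, expected_orgs):
    """True when the issuing organization is not one we expect for the host."""
    org = issuer_fields(cert).get("organizationName", "")
    return org not in expected_orgs


def classify(host, cert):
    """Return (verdict, issuer organization) for an already-verified cert."""
    org = issuer_fields(cert).get("organizationName", "<none>")
    expected = EXPECTED_ISSUERS.get(host, set())
    if looks_intercepted(cert, expected):
        return "possible interception", org
    return "expected issuer", org


def check_live(host, port=443, timeout=5):
    """Connect using the system trust store and classify what the server sent.

    A verification error is the same signal as the browser warning: the
    certificate chains to no trusted CA.  If an interception CA has been
    installed in the trust store, verification succeeds and only the
    issuer comparison in classify() catches the substitution.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(host, tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return "untrusted certificate", str(exc)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_live(sys.argv[1]))  # live check of a host you name
    else:
        for label, cert in (("intercepted", INTERCEPTED_CERT),
                            ("legitimate", LEGITIMATE_CERT)):
            print(label, classify("www.google.com", cert))
```

Run it with no arguments for the offline demonstration on the constructed certificates, or pass a hostname to check a live connection from whatever network you are on.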

Past reports on Gogo from this blog here and here.

Apparently Gogo's Terms of Service may claim hijacking SSL connections is an acceptable form of "filtering." Beware of any open Wi-Fi system that does this. It's bad enough with third-party script kiddies hijacking your sessions, let alone the provider of your network.

Acknowledgement of Filtering and Restriction of Access to Pornography or Other Offensive or Objectionable Material. You specifically acknowledge and agree that Gogo may, as a necessary incident of providing the Service, or as required or permitted by law, by law enforcement authorities or by the host airline, or as hereby expressly contemplated by this Agreement, use any advanced blocking technologies and other technical, administrative or logical means available to it, to identify, inspect, remove, block, filter, or restrict any uses, materials or information (including but not limited to emails) that we consider to be actual or potential violations of the restrictions on use set forth in this Agreement, including, but not limited to, those activities that may subject Gogo or its customers to liability or danger, or material that may be obscene, lewd, lascivious, filthy, excessively violent, pornographic, harassing, or otherwise objectionable.

Anthropomorphism Gone Wrong: Poor Motivating Example for OOP

I’d like to show an example of anthropomorphism gone wrong. It was given to me as a classic justification of why so called “Object Oriented Programming” is better than procedural programming. You may have learned it in your first lesson about OOP.

(Note: I’m not disparaging OOP here, just the example. For genuine OOP bashing, see here.)

via Anthropomorphism Gone Wrong: Poor Motivating Example for OOP.

From slashdot comments that I found funny:

Lets say you’re a traveling auto salesman, and you would like to sell your cars to different stores around the state. You could either drive each car, one at a time, to each assigned destination and hitchhike back to your starting point (always with a towel). Or you could come up with an algorithm for taking all the cars, putting them into a truck, and finding the shortest path that visits each auto store, saving gas and giving you the street credibility to comment on the appropriateness of OOP vs procedural languages. Then, after having spent a more fulfilling life than most people by being so efficient, you can watch as people invoke your name, and come up with a poor analogy which doesn’t really explain OOP vs procedural languages that shows up on Slashdot.

Why is the above funny? See this Wikipedia article on Dijkstra's algorithm, which the first quoted editorial used as a source:

Dijkstra’s algorithm, conceived by computer scientist Edsger Dijkstra in 1956 and published in 1959,[1][2] is a graph search algorithm that solves the single-source shortest path problem for a graph with non-negative edge path costs, producing a shortest path tree. This algorithm is often used in routing and as a subroutine in other graph algorithms.
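The algorithm the Wikipedia excerpt describes, as an added example that is not part of the original post or of either quoted article: a single-source shortest-path search over a constructed road graph of auto stores (the store names and distances are made up). It also shows where the Slashdot joke's premise goes wrong: Dijkstra's algorithm gives the cheapest route from one starting point to each destination, not a single tour that visits every store, which is a different and much harder problem.

```python
"""Dijkstra's single-source shortest paths (added example, not from the page)."""
import heapq

# Constructed road graph: each store maps to its neighbours and the
# travel cost (miles) of the direct road between them.  Edges are symmetric.
ROADS = {
    "depot":   {"store_a": 7, "store_b": 9, "store_c": 14},
    "store_a": {"depot": 7, "store_b": 10, "store_d": 15},
    "store_b": {"depot": 9, "store_a": 10, "store_c": 2, "store_d": 11},
    "store_c": {"depot": 14, "store_b": 2, "store_e": 9},
    "store_d": {"store_a": 15, "store_b": 11, "store_e": 6},
    "store_e": {"store_c": 9, "store_d": 6},
}


def dijkstra(graph, source):
    """Return (dist, prev): cheapest cost from source to every reachable
    node, and each node's predecessor on that cheapest route.

    Requires non-negative edge costs, exactly as the excerpt states; a
    negative cost would break the greedy "settle the closest node" step.
    """
    dist = {source: 0}
    prev = {}
    heap = [(0, source)]          # (cost so far, node), smallest cost first
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > dist.get(node, float("inf")):
            continue               # stale entry: a cheaper route was found later
        for neighbour, weight in graph.get(node, {}).items():
            if weight < 0:
                raise ValueError("Dijkstra requires non-negative edge costs")
            candidate = cost + weight
            if candidate < dist.get(neighbour, float("inf")):
                dist[neighbour] = candidate
                prev[neighbour] = node
                heapq.heappush(heap, (candidate, neighbour))
    return dist, prev


def shortest_path(graph, source, target):
    """Reconstruct the cheapest source->target route from the prev map.
    Returns (path, cost), or (None, None) when target is unreachable."""
    dist, prev = dijkstra(graph, source)
    if target not in dist:
        return None, None
    path = [target]
    while path[-1] != source:
        path.append(prev[path[-1]])
    return path[::-1], dist[target]


if __name__ == "__main__":
    for store in sorted(ROADS):
        print(store, shortest_path(ROADS, "depot", store))
```

Note that one run from the depot answers "how do I reach each store cheaply"; answering "what single route visits all of them and returns" would need a different algorithm entirely.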

Why aren’t we using SSH for everything?

A few weeks ago, I wrote ssh-chat.

The idea is simple: You open your terminal and type,

$ ssh chat.shazow.net

Unlike many others, you might stop yourself before typing “ls” and notice — that’s no shell, it’s a chat room!

via Why aren’t we using SSH for everything? — Medium.

I was just thinking about how useful and simple ssh is for doing end-to-end encryption for various services before being notified of this post. On a Linux box you can run ssh -X remotehost and bring up any X-windowed app from a terminal command. Very simple. Very useful. Very secure. For copying files there's the scp command. And one final shout-out to the sshfs command for mounting remote filesystems.

U.S.: No alternate leads in Sony hack

Norse’s senior vice president of market development said that just the quickness of the FBI’s conclusion that North Korea was responsible was a red flag.

“When the FBI made the announcement so soon after the initial hack was unveiled, everyone in the [cyber] intelligence community kind of raised their eyebrows at it, because it’s really hard to pin this on anyone within days of the attack,” Kurt Stammberger said in an interview as his company briefed FBI investigators Monday afternoon.

via U.S.: No alternate leads in Sony hack – Tal Kopan – POLITICO.

From: The FBI's North Korea evidence is nonsense

The reason it's nonsense is that the hacker underground shares code. They share everything: tools, techniques, exploits, owned-systems, botnets, and infrastructure. Different groups even share members. It is implausible that North Korea would develop its own malware from scratch.

The above article is dated 12/19/2014. It appears the FBI may be doubling down on their theory to save face. Their conclusions got POTUS to make a speech about this, and if it turns out it was all nonsense, that makes him look bad too.

As a fan of author Tom Clancy's early works, I found this quote funny. From: Researcher: Sony Hack Was Likely an Inside Job by a Woman Named "Lena"

This sounds much more plausible to me than a crack North Korean cyber-commando squad, or whichever Tom Clancy wet dream has been floating between the White House and the New York Times.

Clues In Sony Hack Point To Insiders

Researchers from the security firm Norse allege that their investigation of the hack of Sony has uncovered evidence that leads, decisively, away from North Korea as the source of the attack. Instead, the company alleges that a group of six individuals is behind the hack, at least one a former Sony Pictures Entertainment employee who worked in a technical role and had extensive knowledge of the company’s network and operations.

via A New Script: Clues In Sony Hack Point To Insiders | The Security Ledger.

Inside the NSA’s War on Internet Security

The NSA also has “major” problems with Truecrypt, a program for encrypting files on computers. Truecrypt’s developers stopped their work on the program last May, prompting speculation about pressures from government agencies. A protocol called Off-the-Record (OTR) for encrypting instant messaging in an end-to-end encryption process also seems to cause the NSA major problems. Both are programs whose source code can be viewed, modified, shared and used by anyone. Experts agree it is far more difficult for intelligence agencies to manipulate open source software programs than many of the closed systems developed by companies like Apple and Microsoft. Since anyone can view free and open source software, it becomes difficult to insert secret back doors without it being noticed.

via Inside the NSA’s War on Internet Security – SPIEGEL ONLINE.

The largest vessel the world has ever seen

In Shell’s view, this means avoiding the costly tasks of building a pipeline to the Australian coast and of constructing an LNG facility that might face a long series of planning battles, and require a host of new infrastructure on a remote coastline.

So Prelude will be parked above the gas field for a projected 25 years and become not merely a rig, harvesting the gas from down below, but also a factory and store where tankers can pull alongside to load up with LNG.

via BBC News – The largest vessel the world has ever seen.

How Laws Restricting Tech Actually Expose Us to Greater Harm

Code always has flaws, and those flaws are easy for bad guys to find. But if your computer has deliberately been designed with a blind spot, the bad guys will use it to evade detection by you and your antivirus software. That’s why a 3-D printer with anti-gun-printing code isn’t a 3-D printer that won’t print guns—the bad guys will quickly find a way around that. It’s a 3-D printer that is vulnerable to hacking by malware creeps who can use your printer’s “security” against you: from bricking your printer to screwing up your prints to introducing subtle structural flaws to simply hijacking the operating system and using it to stage attacks on your whole network.

via How Laws Restricting Tech Actually Expose Us to Greater Harm | WIRED.

This amounts to a criminal sanction for telling people about vulnerabilities in their own computers. And because today your computer lives in your pocket and has a camera and a microphone and knows all the places you go; and because tomorrow that speeding car/computer probably won’t even sport a handbrake, let alone a steering wheel—the need to know about any mode that could be exploited by malicious hackers will only get more urgent. There can be no “lawful interception” capacity for a self-driving car, allowing police to order it to pull over, that wouldn’t also let a carjacker compromise your car and drive it to a convenient place to rob, rape, and/or kill you.

Hotel group asks FCC for permission to block some outside Wi-Fi

However, the FCC did act in October, slapping Marriott with the fine after customers complained about the practice. In their complaint, customers alleged that employees of Marriott’s Gaylord Opryland Hotel and Convention Center in Nashville used signal-blocking features of a Wi-Fi monitoring system to prevent customers from connecting to the Internet through their personal Wi-Fi hotspots. The hotel charged customers and exhibitors $250 to $1,000 per device to access Marriott’s Wi-Fi network.

via Hotel group asks FCC for permission to block some outside Wi-Fi | Network World.