HTTP/2.0 – The IETF is Phoning It In

The reason HTTP/2.0 does not improve privacy is that the big corporate backers have built their business model on top of the lack of privacy. They are very upset about NSA spying on just about everybody in the entire world, but they do not want to do anything that prevents them from doing the same thing. The proponents of HTTP/2.0 are also trying to use it as a lever for the “SSL anywhere” agenda, despite the fact that many HTTP applications have no need for, no desire for, or may even be legally banned from using encryption.

via HTTP/2.0 – The IETF is Phoning It In – ACM Queue.

History has shown overwhelmingly that if you want to change the world for the better, you should deliver good tools for making it better, not policies for making it better. I recommend that anybody with a voice in this matter turn their thumbs down on the HTTP/2.0 draft standard: It is not a good protocol and it is not even good politics.

This Robot Is the Best Limit Texas Hold’Em Player in the World

Poker being what it is, the robot, named Cepheus after a constellation in the northern hemisphere, will lose if it’s dealt an inferior hand, but it will minimize its losses as best as is mathematically possible and will slowly but surely take your money by making the “perfect” decision in any given scenario. Heads-up limit Hold’Em, it can be said, has been “solved.”

via This Robot Is the Best Limit Texas Hold’Em Player in the World | Motherboard.

And it was solved by computer scientists at the University of Alberta who don’t actually play the game. That’s because solving the game is more of a math problem than anything else.

This development is like when they discovered Basic Strategy for blackjack.

The unbelievable benefits of the USG CIO’s bottomless bucket of bandwidth

Our private cloud configuration allows our CIOs the luxury of not focusing on bandwidth because it always works. We’ve been able to layer value-added services on top of it — more traditional services like bandwidth as a service, software as a service, backup as a service, and virtual data centers as a service. Our institutions now can focus on students and the value they add to our schools, not on IT as a standalone commodity.

via The unbelievable benefits of the USG CIO’s bottomless bucket of bandwidth | The Enterprisers Project.

Gogo Inflight Internet is intentionally issuing fake SSL certificates

In this case, performing a man-in-the-middle attack would require the attacker to attack the SSL certificate first before being able to snoop on someone’s traffic.

For whatever reason, however, Gogo Inflight Internet seems to believe that they are justified in performing a man-in-the-middle attack on their users. Adrienne Porter Felt, an engineer who is part of the Google Chrome security team, discovered while on a flight that she was being served SSL certificates from Gogo when she was requesting Google sites. Looking at the issuer of the certificate, rather than being issued by Google, it was being issued by Gogo.

via Gogo Inflight Internet is intentionally issuing fake SSL certificates – Neowin.

Issuing fake SSL certificates is clearly a deceptive practice and should be illegal for wifi providers. The article is also a good reminder of why such an attack still needs your cooperation: a certificate for a Google site signed by Gogo does not chain to any certificate authority your browser already trusts, so the browser refuses the connection and shows a warning, and on most systems that warning is very clear. The interception succeeds only if you click through it (or if the interceptor's CA has been installed as a trusted root on your machine). Never click through unless you are on a network you control and already know why the certificate is being substituted.
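To make that concrete, here is an added example (my own script, not code from the Neowin article, from Gogo, or from the Chrome team) that reproduces the situation offline with the OpenSSL command line (1.1.1 or newer assumed). A throwaway "Gogo Rogue CA" signs a certificate for www.google.com, exactly the kind of certificate Felt saw. A client whose trust store holds only a different, honest CA rejects it; a client that has been talked into trusting the rogue CA accepts it silently. All CA names, file names and the leaf hostname are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: a "fake" certificate for www.google.com signed by a rogue CA,
# checked the way a browser checks it. Requires the openssl CLI (1.1.1+).
set -u
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Minimal openssl config so `req` works without the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORKDIR/req.cnf"

# Self-signed CA certificate named $1, written to $WORKDIR/$2.{key,crt}.
# basicConstraints CA:TRUE is required or `openssl verify` refuses it as an issuer.
make_ca() {  # make_ca NAME OUTPREFIX
  openssl req -x509 -config "$WORKDIR/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORKDIR/$2.key" -out "$WORKDIR/$2.crt" -subj "/CN=$1" \
    -addext "basicConstraints=critical,CA:TRUE" 2>/dev/null
}

# Leaf certificate for host $1 signed by the CA at $WORKDIR/$2.*: this is the
# certificate an intercepting proxy hands to the browser.
make_leaf() {  # make_leaf HOST CAPREFIX
  openssl req -new -config "$WORKDIR/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/leaf.key" -out "$WORKDIR/leaf.csr" -subj "/CN=$1" 2>/dev/null &&
  printf 'subjectAltName=DNS:%s\n' "$1" > "$WORKDIR/leaf.ext" &&
  openssl x509 -req -in "$WORKDIR/leaf.csr" -CA "$WORKDIR/$2.crt" -CAkey "$WORKDIR/$2.key" \
    -CAcreateserial -days 1 -extfile "$WORKDIR/leaf.ext" -out "$WORKDIR/leaf.crt" 2>/dev/null
}

# Build the constructed scenario: a rogue CA, an honest CA the client actually
# trusts, and a Google leaf signed by the rogue one.
make_rogue_chain() {
  make_ca "Gogo Rogue CA" rogue-ca &&
  make_ca "Honest Root CA" honest-ca &&
  make_leaf www.google.com rogue-ca
}

# Who signed the leaf? This is the issuer field Felt looked at.
leaf_issuer() {
  openssl x509 -noout -issuer -in "$WORKDIR/leaf.crt"
}

# The browser's check reduced to one command: does the leaf chain to a CA in
# the trust store ($1) and does it name the host we asked for ($2)?
verify_leaf() {  # verify_leaf CAFILE HOST
  openssl verify -CAfile "$1" -verify_hostname "$2" "$WORKDIR/leaf.crt" >/dev/null 2>&1
}

main() {
  make_rogue_chain || { echo "could not build the test certificates (openssl missing?)"; return 1; }
  echo "leaf certificate $(leaf_issuer)"
  if verify_leaf "$WORKDIR/honest-ca.crt" www.google.com; then
    echo "trust store = honest CA only: ACCEPTED (should not happen)"
  else
    echo "trust store = honest CA only: REJECTED, the browser shows a warning"
  fi
  if verify_leaf "$WORKDIR/rogue-ca.crt" www.google.com; then
    echo "trust store includes the rogue CA: ACCEPTED, interception is silent"
  fi
}
main
```

The second verify is the state a user ends up in after clicking through the warning and adding an exception, or after an operator-supplied "connectivity helper" installs its root certificate: from then on the interception produces no warning at all, which is why the answer to that dialog on an open wifi network should be no.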

Past reports on Gogo from this blog here and here.

Apparently Gogo’s Terms of Service may claim that hijacking SSL connections is an acceptable form of “filtering.” Beware of any open wifi network that does this: an operator that terminates your SSL sessions can read and alter everything you send over them, passwords included, not merely block objectionable sites. It’s bad enough with third-party script kiddies hijacking your sessions, let alone the provider of your network.

Acknowledgement of Filtering and Restriction of Access to Pornography or Other Offensive or Objectionable Material. You specifically acknowledge and agree that Gogo may, as a necessary incident of providing the Service, or as required or permitted by law, by law enforcement authorities or by the host airline, or as hereby expressly contemplated by this Agreement, use any advanced blocking technologies and other technical, administrative or logical means available to it, to identify, inspect, remove, block, filter, or restrict any uses, materials or information (including but not limited to emails) that we consider to be actual or potential violations of the restrictions on use set forth in this Agreement, including, but not limited to, those activities that may subject Gogo or its customers to liability or danger, or material that may be obscene, lewd, lascivious, filthy, excessively violent, pornographic, harassing, or otherwise objectionable.

Anthropomorphism Gone Wrong: Poor Motivating Example for OOP

I’d like to show an example of anthropomorphism gone wrong. It was given to me as a classic justification of why so called “Object Oriented Programming” is better than procedural programming. You may have learned it in your first lesson about OOP.

(Note: I’m not disparaging OOP here, just the example. For genuine OOP bashing, see here.)

via Anthropomorphism Gone Wrong: Poor Motivating Example for OOP.

From the Slashdot comments, one that I found funny:

Lets say you’re a traveling auto salesman, and you would like to sell your cars to different stores around the state. You could either drive each car, one at a time, to each assigned destination and hitchhike back to your starting point (always with a towel). Or you could come up with an algorithm for taking all the cars, putting them into a truck, and finding the shortest path that visits each auto store, saving gas and giving you the street credibility to comment on the appropriateness of OOP vs procedural languages. Then, after having spent a more fulfilling life than most people by being so efficient, you can watch as people invoke your name, and come up with a poor analogy which doesn’t really explain OOP vs procedural languages that shows up on Slashdot.

Why is the above funny? See the Wikipedia article on Dijkstra’s algorithm, which the first quoted editorial used as a source:

Dijkstra’s algorithm, conceived by computer scientist Edsger Dijkstra in 1956 and published in 1959,[1][2] is a graph search algorithm that solves the single-source shortest path problem for a graph with non-negative edge path costs, producing a shortest path tree. This algorithm is often used in routing and as a subroutine in other graph algorithms.

Why aren’t we using SSH for everything?

A few weeks ago, I wrote ssh-chat.

The idea is simple: You open your terminal and type,

$ ssh chat.shazow.net

Unlike many others, you might stop yourself before typing “ls” and notice — that’s no shell, it’s a chat room!

via Why aren’t we using SSH for everything? — Medium.

I was just thinking about how useful and simple ssh is for doing end-to-end encryption for various services before being notified of this post. On a Linux box you can ssh -X remotehost and bring up any X-windowed app from a terminal command. Very simple. Very useful. Very secure, with one caveat: the security rests on the server’s host key. The first time you connect, ssh prints the key’s fingerprint and asks whether to trust it; accept it without checking against a fingerprint obtained out of band and a man in the middle on an open wifi network can sit inside that tunnel just as Gogo sits inside SSL sessions, and X11 forwarding then hands the remote end access to your display as well. For copying files there’s the scp command, and one final shout-out to the sshfs command for mounting remote filesystems.
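The ssh counterpart of looking at who signed a certificate is checking the server’s host key fingerprint against one the operator published. The script below is an added example of mine, not code from the Medium post or from ssh-chat; it assumes OpenSSH’s ssh-keygen is installed, generates a throwaway host key locally to stand in for the real chat.shazow.net key, records it in a known_hosts file the way ssh does when you answer “yes”, and then checks that pinned entry against an expected fingerprint. The hostname is the one from the post; the key and fingerprints are constructed.

```shell
#!/bin/sh
# Added example: pin and check an ssh host key fingerprint out of band.
# Requires ssh-keygen from OpenSSH.
set -u
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Generate a throwaway ed25519 host key pair (constructed; a real server's
# key lives in /etc/ssh/ssh_host_ed25519_key).
gen_host_key() {
  rm -f "$WORKDIR/host_key" "$WORKDIR/host_key.pub"
  ssh-keygen -q -t ed25519 -N '' -C 'constructed host key' -f "$WORKDIR/host_key"
}

# SHA256 fingerprint of the first key in file $1, in the form ssh shows on
# first connect ("SHA256:...").
fingerprint() {
  ssh-keygen -lf "$1" | awk 'NR == 1 { print $2 }'
}

# Record host $1's public key in a known_hosts file, as ssh does when you
# accept the "Are you sure you want to continue connecting" prompt.
write_known_hosts() {
  printf '%s %s\n' "$1" "$(cut -d' ' -f1,2 "$WORKDIR/host_key.pub")" > "$WORKDIR/known_hosts"
}

# Does the key pinned for host $1 match fingerprint $2, which the operator
# published somewhere other than the network you are on? Non-zero for an
# unknown host or a mismatch: do not type a password or forward X11 to it.
pin_matches() {  # pin_matches HOST EXPECTED_FINGERPRINT
  line=$(ssh-keygen -F "$1" -f "$WORKDIR/known_hosts" | grep -v '^#') || return 1
  printf '%s\n' "$line" > "$WORKDIR/pinned"
  [ "$(fingerprint "$WORKDIR/pinned")" = "$2" ]
}

main() {
  gen_host_key || { echo "ssh-keygen not available"; return 1; }
  write_known_hosts chat.shazow.net
  # In real use this value comes from the operator, never from the connection itself.
  published=$(fingerprint "$WORKDIR/host_key.pub")
  echo "published fingerprint: $published"
  if pin_matches chat.shazow.net "$published"; then
    echo "known_hosts entry for chat.shazow.net matches: safe to connect"
  fi
  if ! pin_matches chat.shazow.net "SHA256:0000000000000000000000000000000000000000000"; then
    echo "a different fingerprint is rejected: possible man in the middle"
  fi
}
main
```

Once the entry is pinned, ssh itself refuses to connect if the server later presents a different key; the window that needs this check is the very first connection to a host, which on an open wifi network is the one an attacker can most easily get in front of.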

U.S.: No alternate leads in Sony hack

Norse’s senior vice president of market development said that just the quickness of the FBI’s conclusion that North Korea was responsible was a red flag.

“When the FBI made the announcement so soon after the initial hack was unveiled, everyone in the [cyber] intelligence community kind of raised their eyebrows at it, because it’s really hard to pin this on anyone within days of the attack,” Kurt Stammberger said in an interview as his company briefed FBI investigators Monday afternoon.

via U.S.: No alternate leads in Sony hack – Tal Kopan – POLITICO.

From: The FBI’s North Korea evidence is nonsense

The reason it’s nonsense is that the hacker underground shares code. They share everything: tools, techniques, exploits, owned-systems, botnets, and infrastructure. Different groups even share members. It is implausible that North Korea would develop its own malware from scratch.

The above article is dated 12/19/2014. It appears the FBI may be doubling down on its theories to save face. Its conclusions got POTUS to make a speech about this, and if it turns out it was all nonsense, that makes him look bad too.

As a fan of author Tom Clancy’s early works, I found this quote funny. From: Researcher: Sony Hack Was Likely an Inside Job by a Woman Named “Lena”

This sounds much more plausible to me than a crack North Korean cyber-commando squad, or whichever Tom Clancy wet dream has been floating between the White House and the New York Times.

Clues In Sony Hack Point To Insiders

Researchers from the security firm Norse allege that their investigation of the hack of Sony has uncovered evidence that leads, decisively, away from North Korea as the source of the attack. Instead, the company alleges that a group of six individuals is behind the hack, at least one a former Sony Pictures Entertainment employee who worked in a technical role and had extensive knowledge of the company’s network and operations.

via A New Script: Clues In Sony Hack Point To Insiders | The Security Ledger.

Inside the NSA’s War on Internet Security

The NSA also has “major” problems with Truecrypt, a program for encrypting files on computers. Truecrypt’s developers stopped their work on the program last May, prompting speculation about pressures from government agencies. A protocol called Off-the-Record (OTR) for encrypting instant messaging in an end-to-end encryption process also seems to cause the NSA major problems. Both are programs whose source code can be viewed, modified, shared and used by anyone. Experts agree it is far more difficult for intelligence agencies to manipulate open source software programs than many of the closed systems developed by companies like Apple and Microsoft. Since anyone can view free and open source software, it becomes difficult to insert secret back doors without it being noticed.

via Inside the NSA’s War on Internet Security – SPIEGEL ONLINE.