Link

19 Year-Old Vulnerability Continues to Haunt the Internet

Via Ars Technica:

A surprisingly big number of top-name websites—Facebook and PayPal among them—recently tested positive for a critical, 19-year-old vulnerability that allowed attackers to decrypt encrypted data and sign communications using the sites’ secret encryption key.

The vulnerability in the transport layer security protocol for Web encryption was disclosed in 1998 when researcher Daniel Bleichenbacher found it in the TLS predecessor known as secure sockets layer. A flaw in the algorithm that handles RSA encryption keys responded to certain types of errors in a way that divulged potentially sensitive information. With enough specially formed queries, attackers could exploit the weakness in a way that allowed them to decrypt ciphertext even when they didn’t have the secret decryption key. SSL architects responded by designing workarounds that suppressed the error messages rather than removing or rewriting the faulty RSA algorithm.

The vulnerability of Cisco’s ACE is concerning, because Cisco stopped supporting it several years ago and the researchers said the company has no plans to patch the product line. Even worse, it’s not possible to disable RSA encryption in the product, leaving users unable to follow one of the few possible workarounds for those unable to patch. What’s more, the researchers said Cisco is currently using ACE to serve content on cisco.com.

Companies that are responsible for providing critical infrastructure technologies need to be accountable for what they develop and sell. Imagine if a car company with a known-deficient vehicle refused to fix or repair it on the basis that it no longer supported the model: there would be class action suits almost immediately. The technology sector needs to mature, and fast.

But as an aside, these are the sorts of weaknesses and vulnerabilities that the NSA and other national security agencies, along with private signals intelligence vendors, actively exploit. The ways in which cryptography is actually implemented are often rife with issues. One has to ask why Cisco’s and other major companies’ products were vulnerable in the first place but, also, whether the NSA or its sister agencies knew about the weaknesses and have been exploiting them instead of trying to better secure the public’s communications.

In theory the United States of America’s government, as well as the Canadian government, has a Vulnerabilities Equities Process (VEP). If this vulnerability was discovered but not disclosed it would be a damning indictment of the adequacy of the current VEP protocols.
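The mechanism the Ars excerpt describes, as an added example that is not part of the original post and not code from any product it mentions: the “faulty RSA algorithm” is the PKCS#1 v1.5 padding check, and what Bleichenbacher showed is that a server which answers differently for good and bad padding becomes an oracle an attacker can query with malleated ciphertexts (c · sᵉ mod n) until the plaintext is pinned down. The block below builds a toy RSA key (constructed from two known primes, far too small for real use), a leaky handler, the adaptive interval-narrowing attack against it, and the countermeasure from RFC 5246 section 7.4.7.1 of substituting a random premaster secret so the failure is never signalled. The function and message names are this example’s own assumptions.

```python
# Constructed example: toy PKCS#1 v1.5 oracle, Bleichenbacher's attack, and the TLS fix.
import os

# Toy RSA key from two known primes (16-byte modulus, far too small for real use).
P = (1 << 61) - 1                 # Mersenne prime M61
Q = (1 << 64) - 59                # largest prime below 2**64
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8     # modulus length in bytes
B = 1 << (8 * (K - 2))            # a conforming plaintext m satisfies 2B <= m < 3B

def pkcs1_v15_pad(msg: bytes) -> int:
    """EME-PKCS1-v1_5: 00 || 02 || PS (>= 8 non-zero random bytes) || 00 || M."""
    ps_len = K - 3 - len(msg)
    assert ps_len >= 8, "message too long for this modulus"
    ps = b""
    while len(ps) < ps_len:
        ps += bytes(b for b in os.urandom(ps_len - len(ps)) if b != 0)
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + msg, "big")

def pkcs1_v15_unpad(m: int):
    """Full structural check; returns the message, or None on any padding defect."""
    em = m.to_bytes(K, "big")
    if em[0] != 0 or em[1] != 2:
        return None
    sep = em.find(b"\x00", 2)
    return None if sep < 10 else em[sep + 1:]   # sep < 10: no separator or PS too short

def encrypt(msg: bytes) -> int:
    return pow(pkcs1_v15_pad(msg), E, N)

def leaky_server(c: int) -> str:
    """Vulnerable: a padding failure is answered differently from success, so each
    query reveals whether c^d mod n starts with 00 02 (Bleichenbacher's oracle)."""
    m = pow(c, D, N)
    return "continue" if 2 * B <= m < 3 * B else "alert:decrypt_error"

def hardened_server(c: int) -> str:
    """RFC 5246 7.4.7.1: on a padding defect substitute a random premaster secret and
    proceed exactly as on success. (Timing and packet behaviour must match as well;
    this toy removes only the explicit error.)"""
    secret = pkcs1_v15_unpad(pow(c, D, N))
    if secret is None:
        secret = os.urandom(K - 11)   # would feed key derivation like a genuine one
    return "continue"

def _ceil_div(a: int, b: int) -> int:
    return -(-a // b)

def bleichenbacher(c0: int, server) -> tuple:
    """Recover m = c0^d mod n from the server's answers alone. c0 is a genuine
    (conforming) ciphertext, so blinding (s0 = 1) is skipped. Returns (m, queries)."""
    queries = 0

    def conforming(s: int) -> bool:
        nonlocal queries
        queries += 1
        # RSA is malleable: c0 * s^e decrypts to m*s mod n, which the server classifies.
        return server((c0 * pow(s, E, N)) % N) != "alert:decrypt_error"

    M = [(2 * B, 3 * B - 1)]
    s = _ceil_div(N, 3 * B)           # step 2a: smallest s that can push m*s past n
    while not conforming(s):
        s += 1
    while True:
        new_M = []                    # step 3: every r with 2B <= m*s - r*n < 3B narrows M
        for a, b in M:
            for r in range(_ceil_div(a * s - 3 * B + 1, N), (b * s - 2 * B) // N + 1):
                lo = max(a, _ceil_div(2 * B + r * N, s))
                hi = min(b, (3 * B - 1 + r * N) // s)
                if lo <= hi:
                    new_M.append((lo, hi))
        M = sorted(set(new_M))
        if not M:
            raise ValueError("candidate set empty: the server is not acting as an oracle")
        if len(M) == 1 and M[0][0] == M[0][1]:
            return M[0][0], queries   # step 4: a single candidate is left
        if len(M) > 1:                # step 2b: several intervals, keep stepping s
            s += 1
            while not conforming(s):
                s += 1
        else:                         # step 2c: one interval, roughly halve it per round
            a, b = M[0]
            r = _ceil_div(2 * (b * s - 2 * B), N)
            while True:
                lo_s, hi_s = _ceil_div(2 * B + r * N, b), (3 * B - 1 + r * N) // a
                s = next((t for t in range(lo_s, hi_s + 1) if conforming(t)), None)
                if s is not None:
                    break
                r += 1

if __name__ == "__main__":
    m, q = bleichenbacher(encrypt(b"key"), leaky_server)
    print(pkcs1_v15_unpad(m), "recovered after", q, "queries")
```

Against `leaky_server` the attack recovers the full padded plaintext in on the order of ten thousand queries for this key size (most of them spent in step 2a; a 2048-bit key needs far more, but the principle is identical). Against `hardened_server` every query is answered the same way, the candidate set empties after the first round and the function raises instead of converging. The leaky handler here checks only the 00 02 prefix, the weakest and fastest oracle; a server that applies the full structural check leaks less per query and costs the attacker more queries, not safety. Suppressing the explicit alert is necessary but not sufficient: real implementations have leaked the same bit through timing, TCP resets and differing alert codes, so the substitute-a-random-secret path has to behave identically to the success path end to end.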

Link

How Russia Polices Yandex

From Vice Motherboard:

This year, the “news aggregator law” came into effect in Russia. It requires websites that publish links to news stories with over one million daily users (Yandex.News has over six million daily users) to be responsible for all the content on their platform, which is an enormous responsibility.

“Our Yandex.News team has been actively working to retain a high quality service for our users following new regulations that impacted our service this past year,” Yandex told Motherboard in a statement, adding that to comply with new regulations, it reduced the number of sources that were aggregated from 7,000 to 1,000 with “official media licenses.”

The predictable result of the Russian government’s new law is that the government can better influence what information is surfaced to Russian citizens: when state news outlets release the same press release, en masse, the readers of Yandex¹ and other major aggregators are predominantly exposed to what the government wants them to see. So while Russia may interfere with foreign countries’ political processes by exploiting how social network and aggregator algorithms function (along with out-and-out illegal exfiltration and modification of communications data), it is at the same time trying to immunize itself against equivalent threats by way of the liabilities it places on the same kinds of companies when they do business in Russia.

More broadly, the experience in Russia and the changes in how Yandex operates should raise a warning flag for advocates in the Western world who are calling for social media companies to be (better) regulated, such as by striking down or modifying Section 230 of the Communications Decency Act (CDA). While there are clear dangers associated with these companies operating as contemporary digital sovereigns, there are also risks associated with imposing harsh liability regimes for publishing other persons’ content.

While such regulations might reduce some foreign interference in political systems, they could simultaneously diminish how often legitimate alternative sources of information are surfaced to the public. It remains unclear just how we should regulate the spread of malicious political messaging² but, at the same time, it is critical to ensure that any measures don’t have the detrimental effect of narrowing and diminishing the political conversations in which citizens can participate. It is the very freedom to have such conversations that distinguishes free democratic countries from those that are more autocratic.

  1. Sidenote: Yandex is the only website I’ve ever had to block from scraping my professional website because it was functionally acting as a DDoS.
  2. One idea would be to deliberately cut down on how easy it is to spread any and all information. By requiring additional manual effort to share content only the most motivated would share it. Requiring actual humans to share content with other humans, if done in a robust way, might cut down on the ability of bots to automatically propagate content as though ‘real’ people were sharing it.
Link

Om Malik on the Blog Post Bribe Scandal

He writes:

The chase for cheap page views to arbitrage against advertising dollars is the real reason everyone at these mega page view factories willingly embraced this trend towards free content, which in turn left the whole experiment open to abuse. If you generate a lot of page views for these sites, you aren’t going away, because, in the end, it is all about page views.

On my other, professional, site I regularly receive requests from marketers to publish their content for some sort of payment. Many are outlandish in their requests whereas others have clearly done their homework and identified a range of posts the given brand wants to be associated with.

Some of the payment rates or product offerings are outlandish, others churlish, but none of them have ever overcome my baseline position: I own my professional web presence in order to build my reputation and brand. That brand is worth more than a few hundred or thousand dollars; it represents, at least in part, my ability to earn money over the span of the coming decades.

While there’s been some comic back and forth about charging marketers tens or hundreds of thousands of dollars to post other parties’ branded content, I think there is legitimately something to the idea. If you view your web presence as a long-term part of your career, and damaging that presence could potentially cost you in terms of future employment opportunities or consulting prospects, then that kind of valuation starts to make some sense.

Link

(In)Security and Scruff

From The Verge:

Ashley: And then, you mentioned it in transit, do you store these on Scruff’s personal servers? When it’s on the server, is it encrypted? What kind of protections do you have on the server?

We take a number of steps to secure our network. Encryption is a multifaceted and multilayered question and process. Yeah, I can say that the technical architecture of Scruff is one that we have had very smart people look into. We’ve worked with security researchers and security experts to ensure that the data that’s on Scruff stays safe and that our members can use Scruff with confidence and know that their information isn’t going to be disclosed to unauthorized parties.

This is exactly the kind of answer that should set off alarm bells: the developer of Scruff doesn’t actually answer the specific and direct question about the company’s encryption policies in an equivalently direct and specific way. Maybe Scruff really does have strong security controls in place, but you certainly wouldn’t know that was the case based on the answer provided.

It’d be a great idea if someone were to develop the equivalent of the EFF’s or IX Maps’ scorecards, which evaluate the policies of digital and Internet companies, and apply it to online dating services. I wonder how well these services would actually fare when evaluated on their privacy and security and anti-harassment policies…

Link

Privacy Enhancing Technologies – A Review of Tools and Techniques

From the Office of the Privacy Commissioner of Canada:

PETs are a category of technologies that have not previously been systematically studied by the Office of the Privacy Commissioner of Canada (OPC). As a result, there were some gaps in our knowledge of these tools and techniques. In order to begin to address these gaps, a more systematic study of these tools and techniques was undertaken, starting with a (non-exhaustive) review of the general types of privacy enhancing technologies available. This paper presents the results of that review.

While Privacy Enhancing Technologies (PETs) have been around for a long time, only some have really taken hold, and usually only because there was a commercial incentive for companies to integrate the enhancements.

Some of the failures of PETs to be widely adopted have stemmed from the reasons specific PETs were created (to effectively forestall formal regulatory or legislative action), others because of their complexity (you shouldn’t need a graduate degree to configure your tools properly!), and yet others because the PETs in question were built by researchers and not intended for commercialization.

The OPC’s review of dominant types of PETs is good and probably represents the most current of reviews. But the specific categories of tools, types of risks, and reasons PETs have failed to really take hold have largely been the same for a decade. We need to move beyond research and theory and actually do something soon given that data is leaking faster and further than ever before, and the rate of leakage and dispersal is only increasing.

Link

The Problem of Botting on Instagram

Calder Wilson at Petapixels:

Instagram’s Terms of Use make it clear that botting is a no-no. Over the past couple of years the platform has implemented anti-spam/anti-bot restrictions, which do things like prevent accounts from liking too many photos in a short amount of time or commenting the same thing again and again. It’s obvious they oppose using bots ideologically, and it’s very easy to determine who’s using them or not, so why don’t they do something about it?

For one thing, Instagram is killing it right now. Every time Facebook reports their financial earnings, they need to show robust growth in their flagship products; almost just as importantly, they need to show healthy engagement. Growth and engagement are the life forces of Facebook’s stock, and any decrease in either can send shares south.

Now, consider that my @canonbw account was liking over 30,000 photos every month along with thousands and thousands of comments. That doesn’t even include the activity generated from people responding and liking my images/following me in return. If I took every Instagram user I know in my life who doesn’t use a bot, it’s more than likely that my single account generated more “activity” than everyone else over the last year combined.

If we take into account the massive number of people botting everyday all around the world, the number of likes and comments are astronomical. It’s very unlikely that this huge engagement engine will ever be shut down by Facebook Inc. The relationship between Instagram and botters is seemingly symbiotic, but I argue that in the long run, Instagram suffers.

The problems linked with false engagements fuel the life of Facebook as a public company, while turning the actual product space into one that is as demoralizing as Facebook itself. A growing number of academic articles are finding correlations between Facebook use and depression, in part linked to how much content is liked. While Instagram use remains relatively strongly correlated with happiness, will this persist with the growing rise of bots?
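The two restrictions the excerpt mentions, liking too many photos in a short window and posting the same comment again and again, as an added example that is neither Instagram’s code nor the post author’s: a sliding-window like-rate check and a normalised repeated-comment counter, run over constructed events. The thresholds, field names and the sample traffic are assumptions of this example.

```python
# Constructed example: sliding-window like-rate and repeated-comment detection.
import re
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int          # seconds since epoch
    account: str
    kind: str        # "like" or "comment"
    text: str = ""   # comment body, if any

def normalise(text: str) -> str:
    """Fold case and whitespace so trivially varied spam ('Nice!!' vs ' nice!! ') matches."""
    return re.sub(r"\s+", " ", text.strip().lower())

class BotDetector:
    # Thresholds are assumptions for this example, not Instagram's actual limits.
    def __init__(self, max_likes: int = 60, window_s: int = 3600, max_repeats: int = 3):
        self.max_likes, self.window_s, self.max_repeats = max_likes, window_s, max_repeats
        self._likes = defaultdict(deque)                        # account -> like timestamps
        self._comments = defaultdict(lambda: defaultdict(int))  # account -> text -> count
        self.findings = defaultdict(set)                        # account -> labels

    def observe(self, ev: Event) -> set:
        """Feed one event (in timestamp order); returns the labels this event raised."""
        raised = set()
        if ev.kind == "like":
            q = self._likes[ev.account]
            q.append(ev.ts)
            while q and ev.ts - q[0] > self.window_s:   # evict likes outside the window
                q.popleft()
            if len(q) > self.max_likes:
                raised.add("like_rate")
        elif ev.kind == "comment":
            counts = self._comments[ev.account]
            key = normalise(ev.text)
            counts[key] += 1
            if counts[key] > self.max_repeats:
                raised.add("repeated_comment")
        self.findings[ev.account] |= raised
        return raised

def scan(events) -> dict:
    """Run the detector over a batch and return {account: labels} for flagged accounts."""
    det = BotDetector()
    for ev in sorted(events, key=lambda e: e.ts):
        det.observe(ev)
    return {acct: labels for acct, labels in det.findings.items() if labels}

def sample_events() -> list:
    """Constructed traffic: a bot liking 100 photos in ten minutes while pasting the same
    comment, and a human with a few distinct actions spread over an hour."""
    events = []
    for i in range(100):
        events.append(Event(ts=1000 + 6 * i, account="bot", kind="like"))
        if i % 10 == 0:
            events.append(Event(ts=1001 + 6 * i, account="bot", kind="comment", text="Nice shot!!"))
    for i, text in enumerate(["great light", "where was this?", "love the colours", "nice"]):
        events.append(Event(ts=1000 + 900 * i, account="human", kind="like"))
        events.append(Event(ts=1005 + 900 * i, account="human", kind="comment", text=text))
    return events

if __name__ == "__main__":
    for acct, labels in scan(sample_events()).items():
        print(acct, sorted(labels))
```

The like check keeps only timestamps inside the window, so a slow account that spreads the same number of likes over days is never flagged, while the bot trips the threshold on its 61st like. The comment check folds case and whitespace before counting, which catches the cheapest evasions but not paraphrased spam; in practice the two signals would be combined with others (follow/unfollow churn, action timing regularity) before any enforcement action.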

Link

Supreme Court of Canada to Decide on Protection of Journalistic Material

From CBC News:

The materials at issue relate to three stories Makuch wrote in 2014 on a Calgary man, Farah Shirdon, 22, charged in absentia with various terrorism-related offences. The articles were largely based on conversations Makuch had with Shirdon, who was said to be in Iraq, via the online instant messaging app Kik Messenger.

With court permission, RCMP sought access to Makuch’s screen captures and logs of those chats. Makuch refused to hand them over.

RCMP and the Crown argued successfully at two levels of court that access to the chat logs was essential to the ongoing investigation into Shirdon, who may or may not be dead. They maintained that journalists have no special rights to withhold crucial information.

Backed by alarmed media and free-expression groups, Makuch and Vice Media argued unsuccessfully that the RCMP demand would put a damper on the willingness of sources to speak to journalists.

The conflicting views will now be tested before the Supreme Court.

This case matters for numerous reasons.

First, there has been a real drying up of certain sources, which has prevented journalists in Canada from bringing material to public light. Such material doesn’t just pertain to terrorism and foreign combatants but, also, white collar crime, political scandals, cybercrime issues, and more. The Canadian public is being badly served by the Crown’s continued pursuit of this case.

Second, this case threatens to further diminish relations between the state and non-state actors who may, as a result, be (further) biased against state authorities. It’s important to be critical of the government, and especially of those aspects of the government which can dramatically reshape citizens’ life opportunities. But should the press gallery adopt an unwarranted, more critical and combative tone towards the government, there could be a deleterious impact on the trust Canadians have in their government. By extension, this could lead to a further decline in the willingness to see the government as something that tries to represent the citizenry writ large. That kind of democratic malaise is dangerous to ongoing governance and a threat to the legitimacy of all kinds of state activities.