#HeartBleed Bug is a Pun You Should Care About

Your passwords used on the Internet are likely known to bad people if you’ve recently logged into Yahoo, the CRA, or other popular websites. You should consider changing all of your passwords next week if you’ve used them on the Internet, in case they were exposed by an attack using the “heartbleed” bug. This flaw in the OpenSSL security library lets attackers get a “heartbeat” response from affected servers that includes your password in unencrypted form.

With computer security, if you have high convenience, you’re likely experiencing a low level of security. So throw away those old passwords, and pick some new ones to use with different websites. The more passwords you have, the fewer sites you’ll lose access to if one password is learned by an attacker.
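To show why a heartbeat reply could carry someone's password, here is a small model of the heartbeat echo with and without the length check that fixed the bug. It is an added example, not OpenSSL's code: the function names, the simulated memory layout and the sample "neighbour" data are constructed, and only the message layout (type, 2-byte length, payload, 16 bytes of padding) comes from RFC 6520.

```python
import struct

HEADER = 3        # 1-byte message type + 2-byte payload_length (RFC 6520)
MIN_PADDING = 16  # RFC 6520: at least 16 padding bytes follow the payload
REQUEST = 1

def make_request(payload: bytes, claimed_len: int) -> bytes:
    """Constructed test input: the length field need not match the payload."""
    return struct.pack("!BH", REQUEST, claimed_len) + payload + bytes(MIN_PADDING)

def echo_unchecked(memory: bytes, record_len: int) -> bytes:
    """Pre-fix behaviour: trust payload_length and copy that many bytes."""
    _type, claimed = struct.unpack_from("!BH", memory, 0)
    return memory[HEADER:HEADER + claimed]   # can run past the end of the record

def echo_checked(memory: bytes, record_len: int):
    """Post-fix behaviour: discard a request whose claimed length cannot fit."""
    _type, claimed = struct.unpack_from("!BH", memory, 0)
    if HEADER + claimed + MIN_PADDING > record_len:
        return None                          # dropped silently, no reply
    return memory[HEADER:HEADER + claimed]

# Constructed stand-in for whatever else the server process holds in memory.
NEIGHBOUR = b"user=alice&password=CONSTRUCTED-SAMPLE"

def simulate(record: bytes, handler):
    """Place the record next to unrelated data, as in one process's memory."""
    return handler(record + NEIGHBOUR, len(record))

HONEST = make_request(b"ping", 4)        # length field matches the payload
OVERSTATED = make_request(b"ping", 64)   # length field larger than the payload

if __name__ == "__main__":
    for name, record in (("honest", HONEST), ("overstated", OVERSTATED)):
        print(name, simulate(record, echo_unchecked), simulate(record, echo_checked))
```

The unchecked handler returns the neighbouring bytes along with the payload, which is why every password that passed through an affected server has to be treated as exposed.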

Passwords Holding the Web Together

I noticed another person with a CIBC 2-factor authentication fob on their key chain last week. It displays a seemingly random number that only a special server also knows, and the code changes every minute, so a thief who steals a password must also steal the fob. Without both the password and the fob, a thief is unable to log into a stolen account.

Passwords make the Web work, so we can have ‘our’ stuff, and keep unwanted and very unwelcome people from viewing it and changing our own information. So a title like “Kill the Password: Why a String of Characters Can’t Protect Us Anymore” should be very, very concerning to people and businesses alike who depend upon computers.

This Forbes headline caught my eye recently, and I have mixed feelings about it: “Kill the Password: Why a String of Characters Can’t Protect Us Anymore”. Is it going to work to keep computer information secure? My scepticism is sky-high following the Snowden leaks of NSA and related world spying agencies overstepping their constitutional bounds. Could we really design a technology where it’s secure enough to trust the government to implement it for us? I’d trust it only after an intelligent group of individuals who understand encryption very well give it a thumbs-up. Someone who has worked with WikiLeaks and works on an anonymous Web system called Tor is Jacob Appelbaum. If Jacob gave a system the thumbs up, or a thumbs down, I’d take his word for it. Even better, he could explain why a system works, or does not.

Is another security technology on the horizon going to change the Web almost overnight in a very drastic or revolutionary way? I wish I had the answers. Maybe the NSA has the answer already? We can’t trust them, however.

ConCalls: Andrew Prescott Responds to Meier’s Proxy Finding #RoboCon #cdnpoli

With the Robocalls trial under way, some newer information is becoming public. That’s no thanks to the judge who has imposed a partial publication ban on investigative documents.

One person with a legitimate account to make robocalls at RackNine was Andrew Prescott. On Thursday he wrote me to bring to my attention a new detail other than Rogers’ IP mistake brought up in court. Apparently Matt Meier of RackNine made an error initially in linking Prescott’s RackNine robocall account to a proxy server in Saskatchewan. The same proxy server was used by Pierre Poutine to order illegal robocalls for Guelph’s non-Conservative electors.

[Investigator] Mathews had traced the misleading calls in Guelph to an account with RackNine, a company that provides clients the ability to make automated phone calls to thousands of people at once. The account, under the pseudonym “Pierre Jones,” accessed RackNine using a specific IP address,

“The true subscriber for [the IP address] during the timeframe requested was ‘The Marty Burke Campaign,’” Mathews said.

ADDED: Catch additional details to this timeline in an update.

All times ET.

April 30, 2011 5:30 p.m.

Andrew Prescott, the campaign staffer who dealt with RackNine for voice broadcasts, or robocalls, replies to an email by Ken Morgan, the campaign manager, and Sona. Morgan and Sona had asked Prescott to provide the contact information for RackNine. RackNine President Matt Meier only provides his direct line to current clients.

6:49 p.m.

A $75 pre-paid Visa card is purchased at the Shoppers Drug Mart on Scottsdale Drive in Guelph.

7:04 p.m.

A pre-paid cell phone, or burner phone, is bought at Future Shop on Stone Road West in Guelph for $45.30. The buyer pays cash and activates the phone under the name “Pierre Poutine,” using the same gmail address that later communicates with Meier. Mathews says in the affidavit that he has driven between the Shoppers and the Future Shop, and they are 1.3 kilometres apart, nearly in a straight line.

7:19 p.m.

The pierres1630@gmail.com account is created. Mathews says in his affidavit that Google has confirmed the email account was created at the same IP address used by the Burke Conservative campaign.

Below is the information Prescott asked me to share with my readers. (His first email is at the bottom.)


Date: Fri, 30 Aug 2013 09:23:02 -0600
Subject: Re: EC’s correction RE: Proxy Servers
From: andrew christianconservative.ca
To: saskboy hotmail.com

Because EC finally “officially” verified my side of things re: the proxy server. Not much point trying to wave my hands in the air screaming “BUT IT WASN’T ME!” when the printed “evidence” looked pretty convincing.
Again, no hard feelings… You were going only on what info was out there, and you didn’t know me well enough to know any better. A number of prominent Libs and CPC bloggers have reached out to me in private to offer their support, but that’s only cause they know the integrity of my character.
All the best,
AP

>>
On Friday, August 30, 2013, Saskboy From SK wrote:

Hi Andrew,

May I ask why you waited until now to contact me to ask me to reveal your version of what happened? That article is nearly a year old.

John

>>
I wrote it, of course, assuming that you would… Thanks for asking though. ;-)
Be nice. ;-)

>>
On Friday, August 30, 2013, Saskboy From SK wrote:

Hi Andrew,
Do you mind if I post this email to my blog?
John

Sent from my unlocked iPad

>>
On 2013-08-29, at 5:26 PM, “Andrew Prescott” wrote:

Hey man,

You went pretty hard at me back in December, over the issue of proxy server use. (http://saskboy.wordpress.com/2012/12/12/concalls-proxy-investigation-robocon/)
Yesterday, EC corrected the record… they confirmed what I’ve said all along, that I in fact never used a proxy server. (http://news.nationalpost.com/2013/08/29/robocalls-investigator-suspected-that-others-were-involved-elections-canada-sworn-statement-reveals/)
While I don’t expect that I’ll ever be able to convince you of my innocence, it’s the truth.

That being said, no hard feelings… based on the information that was printed, I can see why you jumped to the conclusions you did. Heck, as an IT guy myself, even I’d think that I must have done it.
But my moral code would never let me do anything like that.

Just hoping to appeal to your sense of right, and see if you’d like to correct the record on your blog.

Thanks for your time,
Prescott

Here’s the last of the CBC timeline as learned from court.

May 2, 2011, 4:54 p.m.

“Pierre Jones’s” account accesses RackNine but the access is stored in internal RackNine logs as Prescott’s user number. The session is left logged in as Prescott’s user ID.

==

The Conservative Party has been giving Elections Canada a hard time during the investigation.

Friday Night Hardware Hacking

Last night I fixed a Vista laptop (It wouldn’t finish booting into Windows normally because I’d installed another hard drive, and ran ClamAV which possibly changed a file it was depending on after I removed the other hard drive. I ran startup repair, and then the system restore option, and that fixed it, easily.)

Declawing CueCat

This evening I noticed an old barcode scanner that Dad got in some online deal, and it never worked. It had DRM built into it, and wouldn’t read barcodes as plain text as they should be. Instead it encrypted the text and relied upon decryption software from a spyware server to give useful output. I learned this (again) tonight, trying to find out if plugging the USB device into Ubuntu would just work, since it’s the future, 2013. I had the hardest time figuring out the proper name for the scanner, but the Cat. No. 68-1966 on the bottom finally helped. It’s a CueCat. The IBM.com/eserver branding on the side was useless.

CueCats can be bought on eBay still for about $10.

Then I found some really great information about how easy it is to modify the pins of an IC, to eliminate the encryption [PDF] of the plain text barcode! Lots of hackers have done it.

This hacking project is about 8 years behind cutting edge, but now Dad has a working bar-code scanner for his desktop computer. And defeating DRM is a good way to pass the time.

PRISM: Does Government Have a Sense of Humour?

No.

I never realized the famous voice that said, “You’ve Got Mail” on AOL, was actually some guy from the NSA.

Do you ever feel like no one is listening to you? Just pick up a phone, & dial. The NSA is there no matter what number you call. You probably shouldn’t find that comforting, however.

Government Can Watch You Have Sex

Here’s how to let the NSA know when you’re having sex:

1.) Buy a Nike (or related) workout monitor, or keep your (smart) cell phone (or tablet) on your person or the soft surface where you are engaged in intercourse.
2.) Ensure the workout arm band or cell phone is turned on and uploading your statistics to the Net.

You’re done. You’re an accidental exhibitionist in the NSA’s all seeing electronic eyes.

I’ve described cell phones as “digital leashes” for spouses, for years. It’s not too far off from the truth, is it?

bike odo
-Not wired to the Internet, but uploaded anyway. Yes, there are privacy implications with this too.

iPhones have had apps available for years now, which track sleeping patterns based on bed movement, in order to set off an alarm to wake a person up at an ideal point in their sleep cycle. They do not all filter out bed movement from activities other than sleeping.

PRISM: Prepared for Exposure

More details are out on PRISM, Tempora, and other illegal spying schemes by the NSA and friendly intelligence agencies, apparently even in Germany.

The NSA even has a special department for such cooperation, the Foreign Affairs Directorate, he says. He also exposes a noteworthy detail about how government decision-makers are protected by these programs. The partnerships are organized in a way so that authorities in other countries can “insulate their political leaders from the backlash” in the event it becomes public “how grievously they’re violating global privacy,” the former NSA employee says.

Interviewer [Jacob A. @ioerror]: Are German authorities or German politicians involved in the NSA surveillance system?

Snowden: Yes, of course. We’re in bed together with the Germans the same as with most other Western countries. For example, we tip them off when someone we want is flying through their airports (that we for example, have learned from the cell phone of a suspected hacker’s girlfriend in a totally unrelated third country) — and they hand them over to us. They don’t ask to justify how we know something, and vice versa, to insulate their political leaders from the backlash of knowing how grievously they’re violating global privacy.

This is how it’s obvious that what’s happening is illegal, because populations don’t consent to it if politicians fear retribution when the truth is out.

Data Remains Buffered for Three Days

The scope of this “full take” system is vast. According to Snowden and Britain’s Guardian newspaper, Tempora stores communications data for up to 30 days and saves all content for up to three days in a so-called Internet buffer. “It snarfs everything in a rolling buffer to allow retroactive investigation without missing a single bit,” Snowden says.

Asked if it is possible to get around this total surveillance of all Internet communication, he says: “As a general rule, so long as you have any choice at all, you should never route through or peer with the UK under any circumstances.”

In other words, Snowden says, one can only prevent GCHQ from accessing their data if they do not send any information through British Internet lines or servers. However, German Internet experts believe this would be almost impossible in practice.

The UK government has a complete backup of all Internet traffic through its countries, for 3 days? Wow.

PRISM: Greenwald on CNBC

Encrypt your shit:

The world is not sliding, but galloping into a new transnational dystopia. This development has not been properly recognized outside of national security circles. It has been hidden by secrecy, complexity and scale. The internet, our greatest tool of emancipation, has been transformed into the most dangerous facilitator of totalitarianism we have ever seen. The internet is a threat to human civilization.
[...]
In the new space of the internet what would be the mediator of coercive force?
[...]
It is easier to encrypt information than it is to decrypt it.
[...]
Cryptography is the ultimate form of non-violent direct action.
[...]
No amount of coercive force will ever solve a math problem.

Good Ol’ American Sex Scandal

The American media is very primitive, which is why it avoids complex and important issues, and instead resorts to tabloid topics like sex scandals. While their country is embroiled in an unprovoked war in Iraq, occupies Afghanistan (along with Canada), and itches to bomb Iran for oil, they’re worried more about where the wiener Petraeus has been.

It pretty much doesn’t matter, and it’s par for the course, yet it’s popular to talk about because it involves powerful people being shamed. It’s not exactly Wikileaks’ level of interesting, yet it will lead to many old stories being looked at in a slightly new, sexy light.

So far it only offers scant hope to Republicans that they can somehow embarrass Obama or impeach him over an unrelated event in Benghazi, Libya, and a shirtless FBI male agent whose photo was published today with shot-up dummies. No photo bombing, or anything remotely interesting. Expect this scandal to blow over in a month if no new tie-ins are made.

It’s not directly related, but Greenwald had an interesting email exchange with a US Army Colonel years ago.

Intel Driver Error Causes Blue Screen of Death

If you have an Intel Centrino wireless adapter, and get a Blue Screen of Death, update the driver to version 15. Versions 13.x and 14.x can generate BSODs, especially when connecting to commercial access points like Alcatel’s.

netw5ns64.sys (or related errors) comes up on the BSOD screen. The problem is that Windows doesn’t update to the latest Intel driver. Microsoft Update tells you it’s got the latest, but that’s untrue. You have to go to www.intel.com and check there for the latest driver for your Intel WiFi card.