Posts tagged with "bruce schneier"


SHA-3

Icon from the Tango Desktop Project

In 2007, it seemed all we read about in crypto circles were successful attacks against the MD5 and SHA family of hashing algorithms. Well, after a six-year contest, NIST is about ready to announce a suitable replacement, to be dubbed SHA-3.

Interestingly, Bruce Schneier isn't so enthusiastic:

It's not that the new hash functions aren't any good, it's that we don't really need one. [..] We didn't know [in 2006] how long the various SHA-2 variants would remain secure. But it's 2012, and SHA-512 is still looking good.

That said, Skein and its Threefish block cipher look really intriguing. I eschewed Rijndael/AES and use Twofish for all my personal crypto.


Stallman Schneier Stuxnet Security

If I could be further impressed with my crypto-hero Bruce Schneier, I would be. Richard Stallman, on the other hand, I find myself vehemently disagreeing with for the first time in a long... time.

Siemens Simatic S7-300 PLC photo by Ulli1105 on Wikimedia Commons.

For those who haven't been following, it's been widely reported that the Stuxnet worm was developed by the United States government. Stuxnet took advantage of a vulnerability in Windows and certain Siemens PLCs that Iran used in its nuclear facilities. Of course, it affected plenty of other people as well.

Why am I bringing this up now? Because it's a fascinating look into the brains of two different tech luminaries.

Richard Stallman

Richard Stallman, the champion of the copy-left Free Software Foundation, hasn't made a secret of his political leanings. While I've largely agreed with his stances on warrantless wiretapping, security theater and the like, I was a little disturbed by his take on Stuxnet. From his March-June 2012 archives (emphasis added by me):

Stuxnet was made by the US and was approved personally by Obama.

I don't think such an attack against Iran is necessarily wrong. However, it can backfire.

So the man of uncompromising principles lets slip that he condones state-sponsored attacks, despite even admitting they can backfire. Not only that, this remark is included on the same page where he asks for diplomacy to resist "being pressured into war".

Hacking a foreign government's computers constitutes diplomacy and doesn't pressure us into war? For once, I find myself unimpressed sir.

Bruce Schneier

Let's take the other side. In the context of proposing a cyber security treaty, Bruce Schneier appealed for restraint in one of his recent posts, which serves as a useful counterpoint to Richard's stance.

We're in the early years of a cyberwar arms race. It's expensive, it's destabilizing, and it threatens the very fabric of the Internet we use every day.

Specifically regarding Stuxnet, he addresses my concerns exactly. Forgive the large blockquote, he just lays it out perfectly here.

[C]ountries are engaging in offensive actions in cyberspace, with tools like Stuxnet and Flame.

Arms races stem from ignorance and fear: ignorance of the other side's capabilities, and fear that their capabilities are greater than yours. Once cyberweapons exist, there will be an impetus to use them. Both Stuxnet and Flame damaged networks other than their intended targets. Any military-inserted back doors in Internet systems make us more vulnerable to criminals and hackers. And it is only a matter of time before something big happens, perhaps by the rash actions of a low-level military officer, perhaps by a non-state actor, perhaps by accident. And if the target nation retaliates, we could find ourselves in a real cyberwar.

Richard Stallman and a growing cohort of technically minded people don't necessarily see a problem with exploiting security holes for political reasons, even if they acknowledge the potential for escalation and "collateral damage".

I find that... disturbing.


Chuck Norris doesn't plagiarise

Chuck Norris doesn't plagiarise, he writes his columns then roundhouse kicks them through subspace into the past for others to publish first. If that isn't a Chuck Norris Fact, it should be.

As a matter of disclosure, the enclosed image is of Bruce Schneier's head superimposed on Chuck Norris, for my Bruce Schneier Facts post from 2006. One of the Bruce Schneier facts you may not be aware of: Bruce Schneier fully discloses his own vulnerabilities: none.


Law enforcement usurping botnet control

Bruce Schneier just posted about the FBI taking control of botnets and disabling the infections remotely, and being giddy with excitement that I was one of the first to read it, I left a comment :D. I need a blue collared shirt.

Earlier this month, the FBI seized control of the Coreflood botnet and shut it down.

This is a big deal; it's the first time the FBI has done something like this. My guess is that we're going to see a lot more of this sort of thing in the future; it's the obvious solution for botnets.

Leaving Coreflood in place could blow up some important machine. And leaving Coreflood in place not only puts the infected computers at risk; it puts the whole Internet at risk. Minimizing the collateral damage is important, but this feels like a place where the interest of the Internet as a whole trumps the interest of those affected by shutting down Coreflood.

The problem as I see it is the slippery slope. Because next, the RIAA is going to want to remotely disable computers they feel are engaged in illegal file sharing. And the FBI is going to want to remotely disable computers they feel are encouraging terrorism. And so on. It's important to have serious legal controls on this counterattack sort of defense.

I share concerns about outsiders being able to remotely execute code on machines, but in this case if the targets are already infected with botnet software they're effectively already out of their owner's control and can't be trusted anyway. This is in contrast to the RIAA, whose argument rests on the owner being complicit in the alleged crime(s).

That said, I agree with Bruce insofar as there must be strict legal rules about when such disabling can be executed. The first step may be to more specifically define what constitutes a botnet, given law enforcement and politicians barely even understand file sharing let alone Borg-esque hives of machines.

I also believe the argument that compromised machines affect us all is a convincing one for Microsoft to allow patches of pirated copies of Windows.


A combination lock USB key?

From the I Can't Believe They're Serious department, Bruce Schneier has blogged about a hilarious memory key product (link fixed) that doesn't get its security from sound, well implemented cryptography, but from.. get this... a two wheel physical combination lock that hides the contact pins!

Make sure your important files are locked up with a Combination Lock USB Flash Drive. Each custom flash drive uses two 10-digit dials to provide access to the USB plug and keep your files safe.

The best (and most revealing) part of the product description is in the second paragraph.

A great gift for technology companies, these logoed flash drives show potential customers how seriously your company takes its security.

Yes, yes it does.

What's worrying is I'd wager a nice sushi lunch that if someone like Senator Conroy saw this, he'd buy hundreds of them and use them to carry around sensitive, confidential government data about us. I'm scared, really scared.


Bruce Schneier facts, again!


Back in 2006 I posted some of my favourite Bruce Schneier facts. Here we are in 2010 and I still read ones that make me laugh out loud!

  • The sum of the ASCII values of the characters in Bruce Schneier's passwords is always a prime number. Their product is too.

  • Bruce Schneier; brain the size of a planet.... Reduced to writing about encryption for mortals; gets very depressed.

  • Bruce Schneier can read and understand Perl programs.

  • There are no prime numbers, only numbers Bruce Schneier lets you factorise.

  • Bruce Schneier knows a deterministic algorithm to generate non-pseudo random numbers without need of an entropy source.

Moving back to Internet Explorer 8?

The BBC is reporting Microsoft's opinion of their latest web browser offering, Internet Explorer 8:

Microsoft has stepped up the battle to win back users with the latest release of its Internet Explorer browser.

The US software giant says IE 8 is faster, easier to use and more secure than its competitors.

"We have made IE 8 the best browser for the way people really do use the web," said Microsoft's Amy Barzdukas.

At the end of last year, data from Net Applications showed the software giant's market share dropped below 70% for the first time in eight years to 68%.

I reiterate this one Bruce Schneier quote I've been saying here for years: security isn't claimed, it's proved. Internet Explorer 8 might be easier to use than 7 (and here's hoping the interface isn't as messed up too, for people who have no choice), but real world performance once it's released will be the real test of its security.

Microsoft has a history of delivering the aforementioned claims, but not the results. This is slowly changing, but they've got a very, very steep climb ahead. I'm not Bill Kurtis.

The story was summarised by the BBC in their RSS feed this morning as a question addressed for people who had jumped ship:

Will Microsoft's new browser help persuade users who have flocked to other alternatives come back to Internet Explorer?

A few perhaps, but certainly not me or anyone I advise.


Servage hacking, Rubenerd blocking update

I can't say I ever thought I'd be using Perl as a last resort emergency security tool. Sheesh Servage, get your act together.

My first few days back in Singapore have been eventful to say the least. I could have said they were uneventful, but that would have been inaccurate and would also have contradicted what I just wrote. And the last thing I want to do here is look ridiculous. Well, any more ridiculous than I look now walking down from my apartment building to Orchard Road while I type this post on my iPhone.

ASIDE: I used to mock people who spent more time looking at their phones than paying attention to where they were walking; now with this ridiculously useful iPhone I'm guilty of the exact same behaviour. Walking into light poles seems to be my divine punishment for this hypocrisy.

Yes back to eventfulness, since coming back here last Saturday morning, I've had my first major problems with online hacking of my sites, to a degree I never thought possible. So far RubenerdShow.com and the associated subdirectories such as this blog have been the victim of 12 code injection attacks as a result of poor security standards on my webhost. I dislike it when people shift the blame onto others, but all my permissions are set perfectly and the attacks are coming from within my host's IP range, so it's a matter of lax internal security due to what I suspect is poorly enforced group permissions.

Bruce Schneier! As Bruce Schneier said in his Secrets and Lies tome which I admit I've read more than three times, internal threats are often more dangerous than external ones, though they often get placed second in priority. I am a huge fan of Bruce Schneier, I even wrote about the Bruce Schneier Facts website back in 2006. Very fun distraction when all this nasty stuff is going on!

For Servage this isn't new; a quick Google search for Servage Hack returns thousands of results. Even Flickr has a couple of screenshots by people showing their sites and even the Servage host site itself being hacked.

Perhaps as a result of this, or because Servage has also been caught hosting hundreds of spam and credit card fraud sites, the StarHub ISP here in Singapore seems to have started blocking all Servage hosted material. As I sit here at Starbucks now in Tanglin Mall it seems SingTel haven't filtered it, but given Singaporean ISPs' general low tolerance when it comes to abuse of their systems I worry they may be next.

ASIDE: For those interested in the attacks themselves, it seems shady Servage users have been inserting JavaScript into the first line of my index.php files and modifying my .htaccess files to redirect to other sites. This despite all my permissions being set to allow myself to read and write, but others in the group to only read. I don't know what else I can do to block these changes.

I've written a trivial Perl script to check the modification dates of every file on the server, and if it doesn't match a list of predetermined values it deletes the hacked/modified file and restores it, then logs the change. This seems to have stopped all the attacks but it really is a clumsy measure. Servage need to get their act together, because it's not just me this is affecting.
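The check described above, as an added example in Python rather than the author's own Perl script (which is not on the page): instead of comparing modification dates, which whoever edits a file can reset, it keeps a SHA-256 baseline taken from a clean copy of the site, restores any file that differs, logs the change, and also reports files that appear in the live tree but not in the baseline. The directory layout and file names are assumptions made for the example.

```python
import hashlib
import logging
import shutil
from pathlib import Path

log = logging.getLogger("integrity")


def sha256_of(path: Path) -> str:
    """Hash file contents in chunks so large media files are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(clean_dir: Path) -> dict[str, str]:
    """Map each file's path (relative to the known-good tree) to its SHA-256."""
    return {p.relative_to(clean_dir).as_posix(): sha256_of(p)
            for p in clean_dir.rglob("*") if p.is_file()}


def check_and_restore(site_dir: Path, clean_dir: Path,
                      baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live tree against the baseline, restore tampered or missing
    files from the clean copy, and report files dropped into the tree that are
    not part of the baseline (those are left for a human to inspect)."""
    result = {"restored": [], "unexpected": []}
    for rel, expected in baseline.items():
        live = site_dir / rel
        actual = sha256_of(live) if live.is_file() else None
        if actual != expected:
            log.warning("%s modified or missing: got %s, expected %s", rel, actual, expected)
            live.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(clean_dir / rel, live)
            result["restored"].append(rel)
    for p in site_dir.rglob("*"):
        rel = p.relative_to(site_dir).as_posix()
        if p.is_file() and rel not in baseline:
            log.warning("unexpected file not in baseline: %s", rel)
            result["unexpected"].append(rel)
    return {k: sorted(v) for k, v in result.items()}
```

Restoring files only undoes the symptom; the group-writable exposure on the shared host that lets other accounts edit them in the first place still has to be closed.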

Suffice to say, I am already in the process of moving over all my material to Segment Publishing hosting and Ourmedia instead of using Servage as well. I had kept Segpub for use only for my university blog, but they've proven themselves for their stellar reliability and great service. They do cost more than Servage, but as I've learned from this experience cost shouldn't be the primary consideration. As a student I do have a stretched budget, but if I have to pay a few dollars extra a month for peace of mind, a server running FreeBSD and my own dedicated IP address that I don't have to share with hundreds of other sites -- some of which engage in criminal activities -- I think it's worth it.


What frustrates me is that it's my own home ISP StarHub that has blocked Servage, which means I have to use a proxy to access my own site. I'll be doing some serious cleaning up of my MySQL tables and I'll be exporting them hopefully today or tomorrow.

Interestingly enough, this blog and all the images used within are quite small. Exporting gigabytes worth of Rubenerd Shows recorded since 2005 and re-uploading them to Ourmedia will be a painfully slow process, but I think it will pay for itself pretty quickly.

Will be keeping you up to date, and thank you everyone for your patience. Because of the difficulty I'm having right now accessing this site, if you want to leave comments you may want to just email me instead.

What a great thing to be dealing with over my preciously short Christmas holiday break. Though I guess had this happened during an exam period it would have been much more disastrous to deal with. Bummer though.


Rubenerd Show 233 2008.04.06

Coffee Bean and Tea Leaf at Junction 8, Singapore

The disjointed rambling about indie media and building things episode.

ACT ONE: Recounting childhood memories and obsessions from Melbourne, Ikea furniture, Lego.

ACT TWO: Is Starbucks having a positive effect? My favourite coffee house closing, improved coffee quality.

ACT THREE: Rant about public transport: are we better building new damned giant roads or new train lines?

ACT FOUR: General public's perception of security is wrong: YOU are the biggest security threat! Getting fascinating Bruce Schneier books for my birthday, security companies screwing consumers, using a non-administrative account on Mac OS X.

ACT FIVE: Comparing building your own computer and open source software to hot rod builders, being a 1990's kid, running Windows software on Linux and FreeBSD with Wine, why it's a great time to be alive!

ACT SIX: Comparing open source software developers to independent musicians, thanks to Jim Kloss and Esther Golton for the inspiration, sorry for the sacrilegious comparison! Are people worth what they're being paid? Who's deriving more happiness from what they're doing?

Download MP3 to listen ↓ 1:23:03, 39.0MiB

You can also stream this episode and view its Internet Archive page.