Standing Rock and Internet Security

At the peak of the Standing Rock protest, a small city existed where none had before. That city relied on wireless communications to let the world know what was going on, and to coordinate the more mundane day-to-day tasks of providing for thousands of people. There is strong circumstantial evidence that our own government tampered with the communications infrastructure, not only to keep information from reaching the rest of the world, but also to break into people’s email accounts and the like. An unlikely source of “real” journalism produced a well-written article with links to huge piles of documented facts. (This was not the only compelling article they produced.) They spent time with a team of security experts on the scene, who showed the results of one attack: all the encrypted WiFi hotspots in the camp were attacked at once and rendered unresponsive, and a new, open hotspot suddenly appeared in their place. When one of the security guys connected to it, his Gmail account was attacked. Knock the legitimate access points off the air, then offer a lookalike that you control: that is the classic “evil twin” rogue access point, and whoever runs it sees every unencrypted byte and gets a crack at every login page of everyone who joins.

Notably, a plane was flying low overhead: a very common model of Cessna, but of the type our government is known to fit with just the sort of equipment needed for this kind of dirty work. The Cessna was owned by law enforcement, but its flight history is secret.

What does that actually mean? It means that in a vulnerable situation, where communication depends on wireless networks, federal and state law enforcement agencies have the tools to seriously mess with you. WiFi has no protection against being jammed or flooded with disconnect messages, a replacement network can be stood up by anyone with a laptop and a radio, and the people most desperate to get a message out are exactly the ones who will connect to whatever network still works.
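The pattern the security team described (the real hotspots go dark, an open lookalike appears, people connect to it) is detectable from the radio side. Here is an added example, not code from the original post and not anything run at the camp: a toy detector over a constructed list of simplified 802.11 events. The record layout, the thresholds, and every SSID and BSSID below are assumptions made for illustration.

```python
# Added example (not from the original post): a toy detector for the
# "knock the real hotspots off the air, then offer a lookalike" pattern.
# It runs over a constructed list of simplified 802.11 events. The record
# layout, thresholds and every SSID/BSSID below are assumptions made for
# illustration; none of it is data from the camp.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts: float         # capture time in seconds
    kind: str         # "beacon" (AP announcing itself) or "deauth" (disconnect)
    bssid: str        # MAC address of the access point the frame concerns
    ssid: str         # advertised network name; empty for deauth frames
    protected: bool   # beacon advertises WPA/WPA2 (privacy bit set)


def detect_evil_twin(frames, baseline_until, window=30.0, deauth_threshold=20):
    """Return alerts as (kind, bssid, ssid, ts) tuples.

    1. Beacons seen before `baseline_until` define the legitimate APs.
    2. A known AP that receives `deauth_threshold` deauth frames inside
       `window` seconds is flagged as under a deauth flood.
    3. Within `window` seconds of a flood, any previously unseen AP that is
       either open (unprotected) or reuses a known SSID is flagged as a
       likely evil twin.
    """
    frames = sorted(frames, key=lambda f: f.ts)
    known = {}                      # bssid -> last baseline beacon
    for f in frames:
        if f.kind == "beacon" and f.ts < baseline_until:
            known[f.bssid] = f
    known_ssids = {f.ssid.lower() for f in known.values()}

    deauth_times = defaultdict(list)   # bssid -> recent deauth timestamps
    flood_at = {}                      # bssid -> time the flood was noticed
    flagged = set()                    # rogue BSSIDs already reported
    alerts = []
    for f in frames:
        if f.ts < baseline_until:
            continue
        if f.kind == "deauth" and f.bssid in known:
            times = deauth_times[f.bssid]
            times.append(f.ts)
            while times and times[0] < f.ts - window:   # slide the window
                times.pop(0)
            if len(times) >= deauth_threshold and f.bssid not in flood_at:
                flood_at[f.bssid] = f.ts
                alerts.append(("deauth_flood", f.bssid, known[f.bssid].ssid, f.ts))
        elif f.kind == "beacon" and f.bssid not in known and f.bssid not in flagged:
            recent_flood = any(f.ts - t <= window for t in flood_at.values())
            if not recent_flood:
                continue   # new APs appear all the time; only suspicious right after a flood
            if not f.protected or f.ssid.lower() in known_ssids:
                flagged.add(f.bssid)
                alerts.append(("evil_twin", f.bssid, f.ssid, f.ts))
    return alerts


def sample_capture():
    """Constructed capture: two protected camp APs, a benign newcomer, then a
    deauth flood against both camp APs followed by an open lookalike."""
    frames = []
    for t in range(0, 10):
        frames.append(Frame(t, "beacon", "aa:aa:aa:aa:aa:01", "CampMedia", True))
        frames.append(Frame(t, "beacon", "aa:aa:aa:aa:aa:02", "CampOps", True))
    frames.append(Frame(50, "beacon", "cc:cc:cc:cc:cc:03", "Visitor", True))
    for i in range(25):
        frames.append(Frame(100 + i * 0.1, "deauth", "aa:aa:aa:aa:aa:01", "", False))
        frames.append(Frame(100 + i * 0.1, "deauth", "aa:aa:aa:aa:aa:02", "", False))
    for t in range(105, 108):
        frames.append(Frame(t, "beacon", "bb:bb:bb:bb:bb:99", "CampMedia", False))
    return frames


if __name__ == "__main__":
    for alert in detect_evil_twin(sample_capture(), baseline_until=20):
        print(alert)
```

The benign "Visitor" network is not flagged because it showed up long before any flood; the open "CampMedia" clone is flagged on two counts, open and name reuse. A real monitor would feed this from a capture card in monitor mode and would have to tolerate legitimate roaming and channel changes, but the shape of the logic is the same.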

“But I only use secure Internet connections,” you say. “HTTPS means that people between you and the site you’re talking to can’t steal your information.” Alas, that’s not quite true. What HTTPS actually guarantees is that your connection to your bank or Gmail can only be monitored by someone holding a certificate for that site, issued directly or through an intermediary by one of the Certificate Authorities your browser has been told to trust completely. Depending on which browser and operating system you use, that list has included CAs operated by the US Government, the Chinese government, other governments, and well over a hundred private organizations. Any of those, or anyone any of those authorities chooses to endorse, or anyone who manages to hack one of those hundred-plus authorities (this has happened), can mint a certificate for Gmail that your browser will accept without a murmur, and whoever sits in the middle holding that certificate reads the plaintext. It shouldn’t surprise you that the NSA is reported to run a huge operation aimed at just that.

The NSA system wasn’t used at Standing Rock (or if it was, that effort was separate from the documented attacks above); with a certificate your browser trusts in hand, you don’t need airplanes loaded with exotic equipment. But those airplanes do exist, and now we have evidence that state and local law enforcement, and quite possibly private corporations as well, are willing to use them.

The moral of the story is, I guess, “don’t use unsecured WiFi”, and be doubly suspicious of an open network that appears at the very moment the encrypted one you were using stops working. There’s pretty much nothing you can do about the NSA. It would be nice if browsers popped up an alert like “Normally this site is vouched for by VeriSign, but this time the US Government is vouching for it. Do you want to continue?” But they don’t, and I haven’t found a browser plugin that adds that capability. Which is too bad. The closest thing the industry has is Certificate Transparency, which requires CAs to publish every certificate they issue to public, append-only logs, so that a site owner can at least discover a rogue certificate for their domain after the fact. It doesn’t stop the interception, but it makes doing it quietly much harder.

Edit to add: While looking for someone who perhaps had made a browser plug-in to detect these attacks, I came across this paper which described a plugin that apparently no longer exists (if it was ever released). It includes a good overview of the situation, with some thoughts that hadn’t occurred to me. It also shows pages from a brochure for a simple device that was marketed in 2009 to make it very easy for people with CA authority to eavesdrop on any SSL-protected communication. Devices so cheap they were described as “disposable”.

Life in the Matrix

The other night I had a dream. In that dream I had a truck, but it was the wrong kind of truck. So I changed its CSS.


Authority vs. The Web of Trust

Almost every security system on the Internet has at its core an element of trust. When you point your browser to Bank of Money, how do you know you’re talking to the real Bank of Money and not some impostor? Once you’re certain that the machine on the other end is genuine, your browser can set up a secure connection and keep others from listening in. But that first step, when they have to prove they are who they claim to be, is a problem.

The way Bank of Money proves its identity is by handing you a certificate: a signed file that binds the name “Bank of Money” to a public key only the bank should hold. But how do you know that certificate is genuine? Because someone else signed it, and that signature can be checked. That “someone else” is a Certificate Authority, and your browser is trained to trust a set of these companies implicitly. You might have heard of VeriSign, for instance. Bank of Money goes to VeriSign, provides information (and money), and after VeriSign screens the application to make sure it’s really coming from Bank of Money, VeriSign issues them a certificate.

When you connect to Bank of Money, your browser goes, “oh, hey, VeriSign says this certificate is the real thing,” and you’re good to go.

Unless, of course, the Certificate Authority is controlled by an evil government. Or a CA gets hacked. Or a CA is just sloppy. And the crazy thing? Any trusted CA can issue a certificate for any name; nothing in the design ties Bank of Money’s name to VeriSign in particular. So if any one of the Certificate Authorities trusted by your browser is compromised, you can’t trust any connection, no matter which CA issued the legitimate certificate.

And, well, that has happened. The two cases I know about seem to have been aimed at Iranian dissidents, but it is no exaggeration to say that all of e-commerce depends on the integrity of the Certificate Authorities. That integrity has proven to be shaky lately. Each CA is a separate point of catastrophic failure for e-commerce.

And the pain goes both ways. Let’s say for a moment that Bank of Money got its certificate from DigiNotar. DigiNotar got hacked, wasn’t forthcoming about it, and lost its ‘automatic trust’ status in most browsers (which is a reason to accept all those annoying browser updates: they may be quietly blacklisting a CA or known fraudulent certificates). Even though Bank of Money did nothing wrong, now every one of its customers gets a scary warning instead of a secure connection. The browsers don’t trust the DigiNotar certificate anymore. For good reason. They lose, you lose, I lose.

Is there an alternative to Certificate Authorities? Practically speaking, probably not. But there is another way to establish the legitimacy of Bank of Money’s certificate. If someone you know personally and trust says that BofM’s certificate is valid, then you can choose to trust it, too. Once you decide it’s legit, and confirm it for yourself, you can put your own stamp on it, and then people who trust you can feel confident as well. It’s not about some central authority, it’s about people you know and trust.

If some bogus entity tries to jump in with their own certificate, it won’t have the endorsement of you or your pals on it. You won’t be fooled, and neither will anyone else.

This model is called the Web of Trust. A certificate is only as good as the collection of endorsements it has built up. Bogus certificates (theoretically) have a much more difficult time taking hold. If I were an Iranian dissident, for example, I’d be very, very conservative about which certificates I accepted and endorsed. There’s a pretty good chance that people died as a result of DigiNotar being hacked. Most browsers accepted the false certificate without blinking; the one that didn’t was Chrome, and only because Google had hard-coded (“pinned”) which CAs may vouch for its own domains. Until then, the government read everything the dissidents said.

Bank of Money would love an alternate system that didn’t cost them a lot of money, and protected them from blacklisting because someone else messed up. The problem, if you’re an institution like that, is getting started. You can’t just wait for your certificate to gain acceptance organically before your Web portal becomes useful. To get going quickly you need one powerful, trusted person to vouch for your certificate, someone everyone else will believe. That’s what a Certificate Authority is, and they’re built into your browser, so that you have to go out of your way not to believe them.

Yet, if the Web of Trust were well-developed, new certificates would spread very quickly. If we all had three or four people we trusted, and a bunch more we sort-of trusted (so that if several of them said a certificate was legit, we’d be OK with it), then BofM’s certificate would percolate through the WoT pretty quickly.

But what if none of your trusted people used Bank of Money, so never endorsed its certificate? You can extend your search for endorsement further, and decide for yourself how comfortable you are. This is where a centralized Certificate Authority can come in — you can choose to accept their endorsement if your personal Web of Trust doesn’t cover that certificate. It’s entirely up to you. Not like now.

And, sure, at first people would get fooled. There will be people who endorse certificates lazily. There will be fake people created just to endorse certificates. Iranian dissidents will not be fooled, however. When something inevitably goes wrong, the sloppy people will no longer be trusted, and will learn not to trust people they don’t know. Speaking personally, I already know who my trusted folk would be — I have friends who would take responsibility for their endorsements very seriously, both out of pride and a sense of social responsibility. Shit, I can think of five without even breaking a sweat, and that’s plenty. You know a couple of people like that, too. Ask yourself: Would you rather trust them or a big company in it for the money and subject to political fiat?
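The rules sketched over the last several paragraphs (a few fully trusted people, a larger pool of sort-of trusted ones whose votes add up, a CA as the fallback when your own web doesn’t cover a certificate, a blacklist for CAs like DigiNotar, and demotion for endorsers who vouch for something bogus) can be written down as a small decision procedure. What follows is an added example, not code from the original post and not any real PGP or browser implementation; the full/marginal trust levels are borrowed from PGP’s model, and every person, fingerprint, CA name and endorsement is constructed for illustration.

```python
# Added example (not from the original post): a toy decision procedure for
# the trust model described above, in the style of PGP's full/marginal
# trust. Every person, fingerprint, CA name and endorsement is constructed
# for illustration.
from dataclasses import dataclass, field

FULL, MARGINAL = "full", "marginal"


@dataclass(frozen=True)
class Certificate:
    subject: str        # the name the certificate claims, e.g. a hostname
    fingerprint: str    # hash of the certificate; what endorsements refer to
    issuer: str         # CA that signed it ("self" for self-signed)


@dataclass
class TrustPolicy:
    trust: dict                          # endorser -> FULL or MARGINAL
    marginals_needed: int = 3            # how many "sort-of trusted" votes equal one full one
    ca_roots: set = field(default_factory=set)
    distrusted_cas: set = field(default_factory=set)
    allow_ca_fallback: bool = True


def evaluate(cert, endorsements, policy):
    """Decide whether to accept `cert`.

    `endorsements` is a list of (endorser, subject, fingerprint) triples:
    "endorser vouches that fingerprint belongs to subject". Returns
    (verdict, reason), verdict being "accept", "accept-ca" or "reject".
    """
    backers = {who for who, subj, fp in endorsements
               if subj == cert.subject and fp == cert.fingerprint}
    full = sorted(b for b in backers if policy.trust.get(b) == FULL)
    marginal = sorted(b for b in backers if policy.trust.get(b) == MARGINAL)
    if full:
        return "accept", "fully trusted endorsement from " + full[0]
    if len(marginal) >= policy.marginals_needed:
        return "accept", "%d marginal endorsements: %s" % (len(marginal), ", ".join(marginal))
    # No web-of-trust coverage: fall back to the CA, if one is acceptable.
    if cert.issuer in policy.distrusted_cas:
        return "reject", "issuer %s has been blacklisted" % cert.issuer
    if policy.allow_ca_fallback and cert.issuer in policy.ca_roots:
        return "accept-ca", "no endorsements; falling back to CA " + cert.issuer
    return "reject", "no trusted endorsement and no acceptable CA"


def revoke_endorsers(policy, endorsements, bogus):
    """A certificate turned out to be bogus: everyone who endorsed it loses
    their trust level. Returns the endorsers that were dropped."""
    dropped = sorted({who for who, subj, fp in endorsements
                      if subj == bogus.subject and fp == bogus.fingerprint
                      and who in policy.trust})
    for who in dropped:
        del policy.trust[who]
    return dropped


def sample_policy():
    return TrustPolicy(
        trust={"alice": FULL, "bob": MARGINAL, "carol": MARGINAL,
               "dave": MARGINAL, "erin": MARGINAL},
        ca_roots={"VeriSign", "DigiNotar"},
        distrusted_cas={"DigiNotar"},   # blacklisted after its 2011 breach
    )


def walkthrough():
    """Run the scenarios from the text; returns the verdicts in order."""
    policy = sample_policy()
    genuine = Certificate("bankofmoney.example", "sha256:1111", "VeriSign")
    bogus = Certificate("bankofmoney.example", "sha256:9999", "SomeOtherCA")
    mail = Certificate("mail.example", "sha256:2222", "DigiNotar")
    shop = Certificate("shop.example", "sha256:3333", "VeriSign")
    endorsements = [("alice", "bankofmoney.example", "sha256:1111"),
                    ("bob", "bankofmoney.example", "sha256:9999"),
                    ("carol", "bankofmoney.example", "sha256:9999")]
    verdicts = [evaluate(genuine, endorsements, policy)[0],   # accept: Alice vouches
                evaluate(bogus, endorsements, policy)[0],     # reject: only two marginals
                evaluate(mail, endorsements, policy)[0],      # reject: DigiNotar blacklisted
                evaluate(shop, endorsements, policy)[0]]      # accept-ca: no WoT coverage
    endorsements.append(("dave", "bankofmoney.example", "sha256:9999"))
    verdicts.append(evaluate(bogus, endorsements, policy)[0])  # accept: three sloppy marginals
    revoke_endorsers(policy, endorsements, bogus)              # the bogus cert is discovered
    verdicts.append(evaluate(bogus, endorsements, policy)[0])  # reject again
    return verdicts, policy
```

Two things the walkthrough makes concrete. An endorsement is for a (name, fingerprint) pair, not for a name alone, so a second certificate for Bank of Money carrying a different key gets no benefit from Alice’s endorsement of the first. And the “sloppy people lose trust” rule is what makes the marginal tier safe to use at all: three careless friends can push a bogus certificate over the line once, but after it is discovered none of them count anymore.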

This might be the definition of ‘neighbor’ for the information age.

So, people of planet Earth, we have a chicken-and-egg problem. Bank of Money isn’t going to depend on a Web of Trust that doesn’t exist yet. Most of their customers aren’t going to bother building the WoT, because none of the institutions they interact with use it. I talk about the Web of Trust, but I haven’t done much about it myself. We need a catalyst. I just hope it’s not the collapse of the Certificate Authority system, and the disruption that would cause.

I’ll talk more about how we can all work together to build the Web of Trust in a later episode. The takeaway today: We need it. Prepare to do something about it. It won’t be as simple as it ought — something I plan to bring up at work.

A Rambling Blog

A couple of years ago I became fed up with my Web hosting provider. MMHosting had been great, but then came the outages, and the complete lack of response from their support people. (At the start of my stay with them, I had been mightily impressed with their customer care. That ended.) Then there was the time Muddled Ramblings was mentioned on a very popular blog and my hits soared. They turned me off.

I moved to a new, very inexpensive host called iPage. It was great, until the outages, which could last a day or more. When I asked what the problem had been and what they had done, they were vague. “No, really,” I persisted, “I understand the jargon. Tell me what happened and what you did to make sure it won’t happen again.” I never got an answer.

“You get what you pay for,” I reasoned, and iPage was wedging me onto an already overcrowded server and there just wasn’t enough computer there to handle all that traffic. Giddy with a new income stream, I decided to upgrade. The way to avoid getting wedged onto an overcrowded machine is to cough up the bucks and reserve a portion of a machine that is yours and yours alone. It doesn’t matter what any of your neighbors on the box do, they can’t take your resources away from you.

The downside to this approach is that you can’t borrow resources from your neighbors, either. For reasons I still don’t understand, my virtual server went nuts every once in a while, cranking away and eventually running out of ram and descending into a hellish limbo of non-Web-serving confusion. I’ve gone over all my stuff and I can’t find anything that would cause that, but there must be something. (It might be coming from outside; perhaps China still hates this blog, and throws a half-assed attack at it periodically. They do that shit. I expect it’s something more local, however.)

So the money I was throwing at the problem wasn’t helping. It was time to weigh my options again. The step up from renting a dedicated slice of a server is to use the whole damn machine. Naturally, this costs a lot more, since there’s one customer per machine.

Except when it doesn’t. Enter my new best hosting pals. For the price I was paying GreenGeeks, I get more than six times the server, and it’s MacOS, which means all my experience setting up servers with MacPorts pays off. (I’m a big fan of MacPorts. It’s not always quite as easy as they make it sound, but usually it is. Tonight I needed to add SSH2 support in PHP, and all I had to do was type sudo port install php5-ssh2 and that was that. I’m not even sure what SSH2 is (as opposed to SSH) but it simplified the WordPress AutoUpdate process.)

There were a couple of hiccups getting everything running (I set up as a WordPress install first to pave the way), but once everyone agreed where the MySQL socket was it was Holiday On Ice the rest of the way. The last step, getting AutoUpdate to work in WordPress, was something I’d not managed on the CentOS virtual server at GreenGeeks. Now it’s cake.

So, I’m pretty happy. I’ll be watching for the midnight-runaway problem, and if the extra horsepower doesn’t solve it (if it even happens at all), at least now I know that there is nothing on this box I don’t control.


Well, THAT Sucked

The last few days my Web host has been having a tough time. I don’t know the exact nature of the problem and I doubt I ever will, but this site has been broken. For a while it would not load at all, and then it was in ‘read-only mode’, which meant that it was still performing terribly and I couldn’t even put up a notice that I knew things weren’t going well but the solution was out of my hands. Not a good situation when my credibility as a programmer is an important asset.

I couldn’t even make a backup.

Things seem to be getting back to normal (though they are not there yet – the site is still quite slow). There’s even a chance that I’m running on a brand-new server that is not being shared with as many other people. Or at least a brand-new server. Unfortunately, however, while I have come to appreciate iPage the company, which was very helpful and patient getting me up and running, iPage the service has not been so great.

I have vowed that the next move I make will be to a server that I control completely, so I can choose who shares it with me. I’m looking at co-location deals now, though I might wimp out and take the middle road. A VPS (virtual private server) gives me all the control of having my own machine, but in fact it’s an illusion: I still share physical hardware with an unknown number of others.


The Drupal Attitude

I’ve been doing some geekery with Drupal lately. Drupal is a free, open-source server application that makes it easier to build really complex Web sites. It allows you to create complex data types and establish relationships and do fancy database stuff… without actually touching the database. That’s not too shabby. Drupal is rapidly becoming more popular, but there are a few things standing between Drupal and world domination. At the top of the list is the Drupal Attitude.

I will illustrate with an example. Things will get geeky for a while as I set the stage, then mellow out as I focus on the human interactions between various groups.

From a technical standpoint, Drupal’s biggest flaw is that it sucks when it comes to many-to-many relationships. Imagine I have a data type called “shirt” and another called “color”. It is very easy for me to set up “shirt” so that it can have several colors. So, when I look at a specific shirt in my database I can see that it has red and yellow in it. That’s all pretty straightforward.

The catch comes when I want a list of all shirts with yellow in them. If I had direct control over the database, a many-to-many relationship like this would be trivial (a join table with one row per shirt-color pair, indexed in both directions) and would not diminish the performance of the server. Drupal has no built-in way to get a list of all shirts with yellow in them.
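To make “trivial with direct control over the database” concrete, here is the shirt/color model as a plain relational schema, queried in both directions. This is an added example, not code from the original post and not Drupal code; it uses Python’s built-in sqlite3 so it runs anywhere, and the table and column names and the sample shirts are made up for illustration. Note that the color name always travels as a bound parameter, which is what keeps a query like this safe when the value comes from a Web form.

```python
# Added example (not from the original post, and not Drupal code): the same
# shirt/color model as a plain relational schema, using Python's built-in
# sqlite3 so it runs anywhere. Table and column names, and the sample
# shirts, are made up for illustration.
import sqlite3

SCHEMA = """
CREATE TABLE shirt (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE color (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
-- The join table is the whole trick: one row per (shirt, color) pair.
CREATE TABLE shirt_color (
    shirt_id INTEGER NOT NULL REFERENCES shirt(id),
    color_id INTEGER NOT NULL REFERENCES color(id),
    PRIMARY KEY (shirt_id, color_id)
);
-- The primary key already covers "colors of a shirt"; this index covers
-- the reverse direction, "shirts with a color", so neither query scans.
CREATE INDEX shirt_color_by_color ON shirt_color (color_id, shirt_id);
"""

SAMPLE_SHIRTS = {            # constructed data
    "Sunrise": ["red", "yellow"],
    "Lemon": ["yellow"],
    "Navy": ["blue"],
    "Traffic": ["red", "yellow", "green"],
}


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for shirt, colors in SAMPLE_SHIRTS.items():
        shirt_id = conn.execute("INSERT INTO shirt (name) VALUES (?)", (shirt,)).lastrowid
        for color in colors:
            conn.execute("INSERT OR IGNORE INTO color (name) VALUES (?)", (color,))
            color_id = conn.execute("SELECT id FROM color WHERE name = ?", (color,)).fetchone()[0]
            conn.execute("INSERT INTO shirt_color VALUES (?, ?)", (shirt_id, color_id))
    conn.commit()
    return conn


def shirts_with_color(conn, color_name):
    """All shirts containing the given color. The color name is passed as a
    bound parameter, never pasted into the SQL string."""
    rows = conn.execute("""
        SELECT s.name
          FROM shirt s
          JOIN shirt_color sc ON sc.shirt_id = s.id
          JOIN color c        ON c.id = sc.color_id
         WHERE c.name = ?
         ORDER BY s.name""", (color_name,))
    return [name for (name,) in rows]


def shirts_with_all_colors(conn, color_names):
    """Shirts that contain every one of the given colors (red AND yellow).
    Only the count of placeholders depends on the input; the values are bound."""
    placeholders = ",".join("?" * len(color_names))
    rows = conn.execute("""
        SELECT s.name
          FROM shirt s
          JOIN shirt_color sc ON sc.shirt_id = s.id
          JOIN color c        ON c.id = sc.color_id
         WHERE c.name IN (%s)
         GROUP BY s.id
        HAVING COUNT(DISTINCT c.id) = ?
         ORDER BY s.name""" % placeholders, (*color_names, len(color_names)))
    return [name for (name,) in rows]


def colors_of_shirt(conn, shirt_name):
    """The other direction of the same relationship."""
    rows = conn.execute("""
        SELECT c.name
          FROM color c
          JOIN shirt_color sc ON sc.color_id = c.id
          JOIN shirt s        ON s.id = sc.shirt_id
         WHERE s.name = ?
         ORDER BY c.name""", (shirt_name,))
    return [name for (name,) in rows]


if __name__ == "__main__":
    db = build_sample_db()
    print(shirts_with_color(db, "yellow"))
    print(shirts_with_all_colors(db, ["red", "yellow"]))
    print(colors_of_shirt(db, "Sunrise"))
```

The “all of these colors” query is the one that trips people up: it joins exactly as before, then keeps only the shirts whose matched-color count equals the number of colors asked for. With the two indexes in place both directions are index lookups, which is the “does not diminish performance” claim made above.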

But wait! Drupal is open source, and better yet has been built to be easy to extend by outside programmers. Into this glaring hole in Drupal several folks have stepped forward with modules that solve the problem in a variety of different ways. Some of these methods are clever (one uses the indexes built by the search engine, for instance), but all have trade-offs and weaknesses.

So, you’re a Drupal developer, and you want a list of shirts with yellow in them. Which module do you use? Each module works differently, each requires some installation and fiddling to get working. Then there are the two modules by the same guy that are for similar but different purposes, yet the actual differences are not spelled out very clearly. What would help a lot would be some concrete examples of when to use which.

Now we’re getting closer to the Drupal Attitude. Remember as I rant about this that all the modules I’m evaluating are free, posted by geeks who wanted to contribute to make Drupal better. So, some slack-cutting is in order. BUT…

I had already spent more time than I had available trying to figure out which module to use, when I found a question posted by a guy asking “can I use this module for x”, where x was very similar to what I needed. “Aha!” thought I, “Now we’ll get a definitive answer!” Except that the response to the question was, “In this discussion (the article was about the differences between two modules) we want to focus on generalities, not specific applications. You should download both modules and fiddle with them for a few hours to determine which is right for you.” Or something like that. Notably absent from the answer was a pointer to where specific questions would be answered.

The guy who asked the question responded a bit harshly, pretty much saying, “Would it kill you to just answer my question? I don’t want to spend hours learning something you already know and could tell me in fifteen seconds.”

Well, this is just the sort of uppity user that the Drupal community loves to hate. Several people piled on in defense of the developer who had refused to answer the question. “He’s doing this for free, he’s helping the community, you should be grateful, blah, blah, blah.” None of them deigned to answer the original question either. There is a real, entrenched cadre in the Drupal community that says, “we learned things the hard way, and you should too.” Who needs documentation when you can read the source code?

Let’s step back for a moment and ask ourselves, “Why did the developer give this code back to the Drupal community?” The obvious answer, the one everyone talks about, is that he wants to make things easier for other Drupal users. That is a noble motivation and one I wholeheartedly support. He wants to be useful. Perhaps he just isn’t aware that a huge part of utility of software lies in the documentation. Perhaps he isn’t aware that a few choice examples of what his modules are meant to accomplish would have cost him an hour of his time and improved the acceptance of his work dramatically. He’s a coder, after all, not a marketer or a technical writer.

Even with all that, however, when someone, in the form of a question, contributes to the documentation by providing a specific example, he didn’t answer the question. No light came on that even if that was not the place for the question, then spending five minutes creating an FAQ would have helped the community far more than adding a new feature to his software. So an opportunity to spend just a few seconds and make his contribution to the community better went completely ignored. His supporters congratulated him for not capitulating to the demands of his potential users for more clarity.

Any of them could have stepped up and helped the newbie, probably in ten words or less, but none did. None of them wanted improved documentation. “We had to learn it the hard way, so you should too,” with a side order of “we make lots of money because we’ve figured all this stuff out.” Ladies and gentlemen, the Drupal Attitude.

If the guy posted his module but doesn’t seem interested in making it useful, then why did he post it? Well, he’s certainly getting lots of love from the people who figured out his work the hard way. They can all feel good about how smart they are.

And in the end, should I be thankful this guy shared his work with the rest of us? Actually, no. In my case, the presence of his modules ultimately had negative value. They cost me time, and never getting an answer about which was appropriate for my task, I went with a module developed by someone else.

So, Drupal contributors: If you don’t want to document your module, and you don’t want to answer straightforward questions from people who need to get a job done in limited time, don’t bother posting your fucking module at all. I don’t have time for endless fiddling and I sure as hell don’t have time for the Drupal Attitude.