Mar 29, 2017
 

As noted here, it’s likely that, if not already, you will soon not only be paying exorbitant monopoly rates for internet access, your ISP will also be selling your web browsing history.

There are many ways you can protect yourself; Tor comes to mind, however the performance trade-offs are often not worth it.  Personally I block Java/JavaScript, cookies, 40,000 or so domains, ads and tracking sites, AND often pipe traffic through Privoxy and Tor.   These tactics assure that my ISP is not getting a complete picture.   However, all of this is a hassle, so my wife/guests/etc. are not likely to put up with it.

There’s another option: fill their database with so much garbage that it’s useless.  This will not prevent ISPs from selling your data; however, if enough people shovel enough shit into the system the buyers will eventually realize the data is useless and stop buying.

Introducing Obfuscatron GIGO 0.1.0.12; this is a start.  I would love to see more people create more systems like this.  Run them all!  Fill their databases with garbage that is indistinguishable from real data!

If there’s enough interest I’ll keep enhancing this.  One idea I have is to provide a list of ZIP codes for the U.S. and allow URLs in the ‘seeds.txt’ list to contain placeholders like %ZIP% that the system replaces with a random ZIP code.  This may be useful for weather and travel sites.
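As an added illustration of the %ZIP% idea above (this is example code written for this page, not Obfuscatron’s own source), here is a small decoy-request scheduler: it reads seed URLs of the kind a ‘seeds.txt’ would hold, substitutes a random ZIP code for each placeholder, and spaces the fetches out with exponentially distributed gaps rather than a fixed timer. The seed list and the ZIP code sample are constructed for the example; the hostnames are reserved example names.

```python
import random
import re
import time

# Constructed seeds.txt content in the form the post describes; the %ZIP%
# placeholder is the post's idea, the hostnames are reserved example names.
SEEDS = [
    "https://weather.example/forecast?zip=%ZIP%",
    "https://travel.example/hotels/%ZIP%/deals",
    "https://news.example/local?postal=%ZIP%",
    "https://shop.example/",
]

# Constructed sample of 5-digit US ZIP codes; a real run would load the full list.
ZIP_CODES = ["02134", "10001", "30301", "60601", "73301", "94105", "98101"]

PLACEHOLDER = re.compile(r"%ZIP%")


def make_rng(seed=None):
    """Separate RNG instance so a run can be reproduced when testing the scheduler."""
    return random.Random(seed)


def expand_seed(seed, rng):
    """Replace every %ZIP% in one seed URL with a randomly chosen ZIP code."""
    zip_code = rng.choice(ZIP_CODES)
    return PLACEHOLDER.sub(zip_code, seed)


def pick_url(seeds, rng):
    """Choose a seed at random and expand its placeholders."""
    return expand_seed(rng.choice(seeds), rng)


def next_delay(mean_seconds, rng):
    """Exponentially distributed gap between decoy requests, so the fetches do
    not land on a fixed clock tick that would make them trivial to filter out."""
    return rng.expovariate(1.0 / mean_seconds)


def run(seeds, fetch, iterations, mean_seconds, rng, sleep=time.sleep):
    """Issue `iterations` decoy fetches via fetch(url); returns the URLs issued.
    `fetch` is injected so the scheduler can be exercised without network access."""
    issued = []
    for _ in range(iterations):
        url = pick_url(seeds, rng)
        fetch(url)
        issued.append(url)
        sleep(next_delay(mean_seconds, rng))
    return issued


if __name__ == "__main__":
    # Dry run: print the URLs instead of fetching them, and do not actually sleep.
    run(SEEDS, print, 5, 30, make_rng(), sleep=lambda _s: None)
```

In a real deployment `fetch` would be an HTTP client that follows the page’s links as well, since a log of bare top-level URLs with no follow-on requests looks different from a person browsing; the randomized gaps are there for the same reason.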

If you have any questions/concerns or would like source code, leave a comment here.

NOTE: this works best if you have a computer that’s on 24×7.  If your computer goes to sleep, so will this.  It’s likely still helpful, just a bit less so, because it leaks your PC’s active hours (which may reveal when you work, go to school, come home, etc.).

Jul 10, 2013
 

UPDATE: Google is rolling out blocking/warning of deceptive site practices. Good for Google; hopefully this type of blocking will become more common.

I like to think programmers for the most part try their best to protect end users from ‘bad things’.  With the announcement of DevShare, SourceForge shows that they no longer give a single shit.  I’ll start with the introductory paragraph:

Today SourceForge it is [sic] excited to launch DevShare, a new opt-in, revenue-sharing program aimed at giving developers a better way to monetize their projects in a transparent, honest and sustainable way.

Sustainable isn’t even a word that means anything in this context.  The only ‘opt-in’ is on the part of the project, so end users don’t have that choice.  And how about ‘transparent’? If by that they mean invisible to end users, that would be correct.  And honest???  Bullshit. If you go to the FileZilla download page with JavaScript disabled you’ll get a link to the proper clean installer.  Enable JavaScript and you get something entirely different (screenshot: the FileZilla download page as shown with JavaScript enabled).

If you click on that nice big green recommended button, you’ll download an ‘installer’ from ASK.com which will in turn try to download something else from ASK.com.  The installer was presumably created by ASK.com, as it’s signed with their code signing certificate.  This means that ASK.com has full control over this crapware installer, with no mention of oversight on the part of SourceForge.

Further down in the announcement we find this:

We take our role at SourceForge as the trusted source for open source very seriously. That is why we spent considerable time looking for partners we could trust and building a system that does not detract from our core user experience.

Trusted???  Nobody who knows anything trusts ASK.com; they have been surreptitiously installing their crapware on people’s machines using every trick in the book.  I’m pretty sure they invented the ‘industry’.

We know many open source users are skeptical about monetization initiatives. SourceForge will always respect the rights of our users and we will never infringe on them. DevShare offers a transparent installation flow that gives users all the necessary information to make educated choices about what software to install.

What?? This installation ‘flow’ doesn’t give users any information in the beginning.  And there’s the main problem.  If you click the nice big green download button and run that application, you will have to give it elevated privileges on your computer (for Vista and beyond) before you will necessarily even know that it’s actually a crapware installer from ASK.com. In addition to that, it immediately attempts to contact ASK.com’s servers for some purpose.  My network has blocks in place for bad servers, and ASK.com and related domains are part of that blocking.  All I know is that it tried to do something.

Thanks to DevShare, we are now able to offer a bundle program that is fully compliant with Google’s strictest policies. This includes a solid compliance process for both open source applications and third party offerings. The whole installation flow is clean and has no misleading steps. Uninstallation procedures are exhaustively documented and all applications are verified to be virus and malware free. You can see this on the latest version of FileZilla, our largest DevShare partner to date.

And more bullshit.  Perhaps the part where ASK.com downloads crapware from their servers with full administrator permissions and no notice or choice on your part is outside of what they consider ‘installation flow’.  There is no way they can verify this as virus and malware free, period.

So basically, if you download anything from SourceForge there is a serious risk to your systems if you are not careful.  I used to trust SourceForge; I have 3 projects hosted there and I’ve been a developer and contributor for over 11 years.   That ends now.

UPDATE 06/02/2015: this issue has finally hit the mainstream, here and here.

UPDATE 06/03/2015: And now they’ve taken over nmap.   SourceForge is dead; there’s no way they’ll recover from this round of stupid.

Feb 11, 2013
 

A lot of hoopla is going around about ‘Silent Circle’.  They have done an exemplary job of getting people to promote their software in blogs, etc.

Just one example: http://www.disinfo.com/2013/02/silent-circle-the-new-encryption-app-terrifying-the-government/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+disinfo%2FoMPh+%28Disinformation%29

So far they refuse to provide details.  Anyone who is involved in security/encryption and the like knows that security through obscurity is no security at all.  If they can’t publish their algorithms, key exchange protocol and means of transfer, then any claims of security are suspect and I for one would not trust them at all.  In addition to that flaw, many of the people involved come from various acronym agencies of the government.

If you rely on this you are a fool.

Dec 13, 2012
 
One tactic that is commonly used to block bad websites, ad servers, click trackers and others is to add them to your local hosts file, so that when your browser attempts to contact the naughty host it gets directed to 127.0.0.1.  This worked well enough, and worked fine for me too, until something changed in Firefox.  In this case Internet Explorer tries to connect and times out in about 1 second.  Firefox, on the other hand, takes 30+ seconds before it gives up; I’ve seen it actually try a DNS query anyway.  I’m sure someone thought that would be a ‘nice feature’, however it pretty much destroys this tactic if you want to support Firefox on your internal network.
I had to find a better way.
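As an added example for the hosts-file tactic described above (example code written for this page, not the post’s own tooling), here is a parser for a hosts-style blocklist that reports where a given name is sent and whether that target is a sinkhole address. The hosts fragment is constructed for the example; the blocked hostnames are reserved example names. The check matters because, as the post observes, how quickly a browser gives up on a sinkholed name depends on the client and on the address the entry points at.

```python
import ipaddress

# Constructed hosts-file fragment in the blocklist style the post describes.
# Hostnames are reserved example names, not real ad or tracking domains.
HOSTS_TEXT = """\
# system entries
127.0.0.1   localhost
::1         localhost

# blocklist entries
127.0.0.1   ads.example.net
127.0.0.1   tracker.example.org   www.tracker.example.org
0.0.0.0     click.example.com     # some published lists use 0.0.0.0 instead
"""


def parse_hosts(text):
    """Map each hostname to the first address listed for it, skipping comments
    and blank lines.  A malformed address raises ValueError so a bad line in a
    generated blocklist is caught before the file is installed."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing/whole-line comments
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        ipaddress.ip_address(addr)            # validates; raises ValueError
        if not names:
            raise ValueError("address without hostname: %r" % raw)
        for name in names:
            # resolvers generally take the first matching line, so first entry wins
            mapping.setdefault(name.lower(), addr)
    return mapping


def is_sinkhole(addr):
    """True for addresses a blocklist points names at (loopback or unspecified).
    Legitimate names such as localhost also resolve to loopback, so this tells
    you where a name lands, not why it was listed."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def lookup(mapping, hostname):
    """Return the address a hosts entry sends `hostname` to, or None if absent."""
    return mapping.get(hostname.lower().rstrip("."))


if __name__ == "__main__":
    table = parse_hosts(HOSTS_TEXT)
    for name in ("ads.example.net", "click.example.com", "unlisted.example"):
        target = lookup(table, name)
        state = "not listed" if target is None else (
            "sinkholed at " + target if is_sinkhole(target) else "mapped to " + target)
        print(name, "->", state)
```

Run against a real hosts file, the parser also surfaces the usual maintenance problems with large blocklists: duplicate names with conflicting targets (only the first is honoured) and malformed lines that a resolver would silently skip.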
Dec 07, 2012
 

Kill the password

UPDATE: Wired article that contradicts the call to ‘kill the password’.  Much more accurate information there.

This article is wrong on so many levels it’s ridiculous. Everything he talks about in his article is a problem of poor programming and security practices.  Passwords are not the problem, never have been and never will be.  If you listen to him a 1024-bit SSH key is vulnerable... sure, if you don’t take proper steps to secure it.  The sky is falling... auuugh!!!!!!

Here’s a particularly lame example:

Let’s say you’re on AOL. All I need to do is go to the website and supply your name plus maybe the city you were born in, info that’s easy to find in the age of Google. With that, AOL gives me a password reset, and I can log in as you.

Blaming passwords for the above is... well... just wrong, completely wrong. That’s a simple failure on the part of AOL, and YOU.  Putting all of your ‘eggs’ in one basket (in this case AOL) and tying that in with your banking, etc., is just stupid, and relying on any third party to secure your information is, again, stupid.

Jul 12, 2012
 

Far too often I see advice/questions from novices that don’t get the point of security.   How do I protect from ‘X’, for example.  Security isn’t about protection from any particular threat; if you go down that path you’ll end up playing a game of whack-a-mole for the rest of your life.  In this post I will try to describe the important layers of internet-connected computer security for the fairly advanced techy user (corporate users have additional needs/tools) and try to explain the purpose of each.