Give Huawei A Chance re: Spark 5G

According to the NZ Herald Spark has been warned of an impending Huawei ban by the GCSB!

Personally I'd like to see the evidence. They have delivered wireless in NZ and Australia for nearly 15 years.

Also, I'd rather our country reject them due to technical reasons rather than just racism/protectionism (if thats what it is).

If the equipment would pose a risk, what is it please? I'd love to know, I like that kind of detail. I heard it was more about vulns than backdoors.

Look, while I'm 100% open to the idea that Huawei routers and network equipment is crappy, vulnerable and has flaws, and can be remotely exploited etc, but I feel this move by , is jumping the gun. To be fair I can understand sensitive networks running "allied country routers" but we missed a good chance to learn what makes a good router. We don't make routers here in New Zealand, so I guess it must be due to our yankee spy friends and Cisco et al.

Basically its protectionism for US companies. Then again, cellphones definitely give you cancer and make you infertile as a man, so perhaps slowing down a little is a good thing? Recently I found out that America either lied when it said they found backdoors in their routers, or the NSA never provided the evidence to prove it.

Brislen added that the national security concerns surrounding Huawei look like "smoke and mirrors", with no hard evidence in public that scenarios such as data exfiltration to China or national-scale "off switches" are feasible. Source: The Register

Here's another story from The Register about how they loose a jury trial about a robot "trade secret" that wasn't even secret nor innovatory.

China has flaws and it's government sucks. But that's no reason to be racist or mean to Chinese companies. This is the perfect time for Telecom and Huawei both to offer to:

  • offer ablated chips for micro-photographic inspection
  • offer binary disassembly code for inspection
  • possibly even offer the source code up to inspectors
  • generally prove there are no back doors in the router

In my quest to end unreasonable government secrecy, I feel Huawei needs a fair trial. Because it would put to the test our ability to understand what network security actually means. rather than just ban it because it's from China, let's ban it for technical reasons and use those to hone our skills of analytics to apply to the other routers from Europe and USA or even a Linux one.

In Other Communist Related News

Recently a report came to light that says at least 10,000 were killed at Tiananmen Square Massacre in 1989

Tiananmen-Massacre

China is one of the most evil countries in the world = Tiananmen Massacre

"Students linked arms but were mown down including soldiers. APCs then ran over bodies time and time again to make 'pie' and remains collected by bulldozer. Remains incinerated and then hosed down drains," said Mr Donald.

"Four wounded girl students begged for their lives but were bayoneted," he added.

Here is the top 100 NZ Government pages on Google about Huawei... a snapshot in time before it all goes to custard...

How to detect if a keylogger has been installed on your machine

A keystroke logger is the worst kind of malicious software (malware) you could possibly hope to be infected with. Why? Because it could be recording each key you type and sending it to a central server, which would include your messages and username passwords!

This is why in some cases a password manager can make your machine more secure: because you are typing your passwords less, if somehow you could an infection it would have less impact.

That point is debatable however, since one needs to be root to install one it's a good reason to have a guest account enabled on your computer if you ever plan to let a bad-ass criminal use it for 5 minutes while your making a cup of tea or similar.

How To Not Get Virus Infection

  • Before double-clicking, check you trust the source of the executable
    • Check the domain name, the person who sent etc
  • Provide to guest users a regular low-privilege user account
    • If a stranger needs to use your machine when you are not around, this will prevent them most badness if it's not an admin account
    • Saved my ass at least once, I know this much
    • Helpfully, this also logs all your web sessions out

How To Detect Keystroke Logger Installation

It's actually quite difficult. I'm going to look into it and update this blog later when I find out more. If you want to take a snapshot of all your system kexts try running Syntella (macOS only presently) then you can search through the report with a text editor to try to find anything that is amiss.

If you're on windows you could try checking this link:

answers.microsoft.com/...how-to-detect-if-a-keylogger-is-installed/... 

 

 

Social Welfare for Kiwi Infotech

Security is always a "nice to have" feature but how does a busy business owner get it done?

It's virtually impossible for one person to do this type of military strength hacking job. The time and effort required is highly non-linear and almost impossible to predict.

It would be cool if the government would tell you if your website was insecure. But they'd prefer to keep the back door in case they need it later. Just kidding CERT has very useful advisories over at cert.govt.nz/it-specialists/advisories/ But they can only do so much.

Bug Bounty Programs != Complete Solution

At first, only the super large software companies like Google and Facebook can afford bug bounty programs, but today 93 companies are listed at bugcrowd.com/programs

Not all companies with websites need super strong security like this. National state level quality network operations. But the citizens of the country would likely hope their government has a plan to protect it's own computers, and also a plan to protect those of important Infosec industries such as banking, finance, healthcare, legal aren't leaking huge quantities of data everywhere.

But it's not a complete solution - its an extreme solution for a super technical area actually - and perhaps not the first solution for medium sized business dabbling in hardening their networks.

False intrusion detection positives are a mega waste of time.

Bruce puts it nicely over at his page on the subject:

Here's an outsourcing idea: get rid of your fleet of delivery trucks, toss your packages out into the street, and offer a reward to anyone who successfully delivers a package. Sound like a good idea, or a recipe for disaster?

The reality is that it comes down to branding: if the brand would be harmed by being the victim of a really big hack or data breach, then it puts more effort in. This works pretty well for infosec products. And for the times when it doesn't, I'm not suggesting forcing anyone to start a bug bounty program.

People would still eat pizza at a joint which has a haxored network, but they might not want to visit a doctor or use a lawyer whos network was wide open, with a file servers leaking everywhere etc.

I'm wondering if it would be possible to have a kind of social welfare for hackers government ministry, which pays kiwi researchers for their efforts pertaining to New Zealand headquartered companies directly, without needing the approval of the target company, who's head is likely in the sand anyhow.

Create an extra information stream for CERT. Banks, lawyers, doctors instant fines for leakage events. I'm looking at ACC, remember they had multiple screwups involving a CMS that could fire out emails in bulk, operated by staff!

Remember NOVAPAY? It's probably riddle with bugs, and ya'll know what that means. No incentive to find the but.

Or perhaps an approved proxy one could "hack all the NZ things" through but still be contactable by the authorities. Recording the traffic to disk temporarily would enable maximal value and help the researcher prove if they succeeded or not to claim the bounty reward.

Sometimes I just want to be sure my own bank is safe. Personally.

When the network admin sees the penetration test coming from a New Zealand based IP address - on a government subnet even - they'd visit the IP address and see a message to say it's all legit. Usually when you are being hacked you can't contact the other side like that. This would be different.

Crowd-sourced security outfit Synack use this method. It's required because sometimes there is a dispute about payout of the bounty to the successful researcher - how do you prove such a thing?

Also I hear in the US researchers found a remote-execution jailbreak for iOS and instead of collecting Apples $200,000, they opted for a way bigger million plus payout motherboard.vice.com/.../somebody-just-won-1-million-bounty-for-hacking-the-iphone

Unauthorised Use of a Computer System

I'd like to be able to scan and probe the entire country to find vulnerable machines, as a pre-sales market research information gathering exercise. To build a list of companies at risk to contact and sell my security services to.

But some parts of that probe maybe deemed unauthorised access - if done here in NZ.  It would need to be carried out in another country, and then it would not be investigated further, if I understand the "prosecutorial budget" allocation methods we use here, it would be deemed too hard to bother looking into, unless coming fro a five eyes country, they might find it hard to get at you.

You left your headlights on

For sure, having every doorknob in your house jiggled would be un-nerving to watch, even if its somewhat equivalent to that friendly neighbour telling you your car headlights are still on so you don't flatten your battery: trying to help. But then visiting the probe IP and reading the message would allay fears and maybe boost confidence even. Free network virus check. 🙂

The reason for high standards of evidence in criminal courts and the use of the presumption of innocence, is that it is better to have criminals roaming free due to lack of evidence, than to have innocent people locked up in jail wrongly - just because they looked at your computer the wrong way. You'd need a lot of jails and the economy would suffer. Sound like any country in 2007? Tame Iti is an artistic genius not a terrorist.

HIPAA is the Health Insurance Portability and Accountability Act of 1996 and is United States legislation that provides data privacy and security provisions for safeguarding medical information.

PCI Compliance is the payment card industry code to ensure payment processors use best practices.

CERT and The NZ Police should provide revenge-porn victims their file hashes

They often say the internet has no delete button.

It's a very useful analogy to explain to new users of the internet the gravity of certain areas of their personal computer and information security: maybe think twice before uploading semi-sensitive information, and three times for anything more secret. Once it's on the internet it can be hard to delete.

How to delete files from the internet:

One way could be to create a "hash" of the file you want gone from the internet, and then you know what you don't want to know, without knowing it! Amazing. Example time:

Assume the file is named horrific-revenge-porn.jpg

The following hash (random encrypted strings derived from the picture of an idiot) can be used instead of the actual offensive / suppressed original file data - makes sense if you are trying to delete the file not to hold it! It can be given to administrators to guarantee a system does not have a copy of the file:

Horrific revenge porn

Horrific revenge porn

sha256: c8b3c2a03380f577fa9d6b67ee15e40a9f8f9a076073ea56e5b5adb2e9ffe32c
md5: 79768d44c2aca6ed68d8157130265c05
crc32: b5513fdf
bytes: 50323

For the very most extreme cases, involving criminal contraband information such as the unfortunately case of the kiwi man from Hastings sentenced to 4 years for secretly filming his female Airbnb guests, CERT and The NZ Police should offer to provide file hashes to the victims of criminal data breaches like revenge porn and so forth.

This would enable the following desirable privacy benefits:

  • ensure the banned files are not held on owned computer systems
  • securely provide the means for others to also do so
  • nothing about the files contents can be said from looking at the random letters*
  • a registry of illegal files would help large ISPs to keep their disks clean
  • an infinitely large file - even a 50 GB file - is reduced to a short piece of text
  • its not encryption - it's an irreversible scrambling of any file to a set sized chunk of gibberish

For example, lets say this picture above is some revenge-porn you made once but was posted by your evil ex-partner or stalker, and now you'd like it gone from the nets; in theory if you put the file hashes into a government registry, one day ISPs can do seasonal scans and wipe files matching.

China likely does this to laser target and delete entire sections of internet from it's citizens. They probably have scanners running 24/7 to find old shots from the Tiannamen Square Masacre - and perhaps even this new shot - this time the guy is flat as a pancake after being literally "rolled" by a tank:

China Rogue State

China Rogue State

SHA256 is the current state of the art. You can get SHA512 also but its twice the length.

MD5 was huge for a very long time. Popular for verifying big .iso files after downloading.

CRC32 is not a hash, but its a checksum maintained by your computer in the disk that can also be used in a similar way. It will detect a single bit change, but unlike a true secure hash, you can pad the altered file to get the same CRC32 for a different file easily (if you add a bit, then delete a bit also, it is just each byte added together essentially).

Collisions

While it's theoretically possible for two different input files to create the same hash - a hash collision - if you use two or more different hash types like above or even just also including the filesize in bytes: 50,323 bytes in this case, you eliminate the false positive potential.

Also, any large ISP isn't going to want to automatically delete files based on just one parameter. For use by a sovereign national police force I'd recommend using all four: bytes, crc32, md5, sha256 plus a category eg: kid-porn, espionage, credentials, financial, medical/health, military, government, personal privacy, government, education, entertainment (here we hit a snag: the copyright industry).

The way a hash completely changes with tiny little single bit alterations to the input file, to get a hash collision is going to require a wildly different filesize, say 50 Kb versus 50 Tb!

The commands to get this on my mac were:

shasum -a 256 [bad-file.jpg]
md5 [bad-file.jpg]
crc32 [bad-file.jpg]
ls -la [bad-file.jpg]

What's nice is that you can double check your hash using a different program, openssl:

openssl sha -sha256 [bad-file.jpg]

Now you can quickly compare huge files without transferring them; and detect tiny alterations to big files.

How to use Ping to test your network latency

If bandwidth is the quantity of your connection, then latency must be a measure of the quality of it. Latency is the time it takes for the smallest amount of information to go back and forth between you and a host. If you see packet loss on your trip to your ISP then your line is the issue.

People often talk about the internet connection speed - the bandwidth as measured in megabits - but for certain realtime applications like telephony, gaming, and remote shells - the data quality is more important. Dropped packets in telephony and audio streams leads to static and lost sound.

After installing Fibre Optic at my new place I compare a ping to Google Public DNS (8.8.8.8), and we see packet loss disappear, and the average time drop from a whopping and hard to believe 57 seconds down to just 31 milliseconds, with a minimum of 28 ms.

An example of a good ping time

13inch:~ tom$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=59 time=32.911 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=59 time=31.874 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=59 time=30.760 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=59 time=29.730 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=59 time=31.490 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=59 time=29.063 ms
64 bytes from 8.8.8.8: icmp_seq=6 ttl=59 time=32.466 ms
64 bytes from 8.8.8.8: icmp_seq=7 ttl=59 time=31.149 ms
64 bytes from 8.8.8.8: icmp_seq=8 ttl=59 time=32.787 ms
64 bytes from 8.8.8.8: icmp_seq=9 ttl=59 time=40.585 ms
64 bytes from 8.8.8.8: icmp_seq=10 ttl=59 time=32.434 ms
64 bytes from 8.8.8.8: icmp_seq=11 ttl=59 time=29.902 ms
64 bytes from 8.8.8.8: icmp_seq=12 ttl=59 time=29.264 ms
64 bytes from 8.8.8.8: icmp_seq=13 ttl=59 time=31.894 ms
64 bytes from 8.8.8.8: icmp_seq=14 ttl=59 time=32.299 ms
64 bytes from 8.8.8.8: icmp_seq=15 ttl=59 time=30.051 ms
64 bytes from 8.8.8.8: icmp_seq=16 ttl=59 time=32.315 ms
64 bytes from 8.8.8.8: icmp_seq=17 ttl=59 time=28.942 ms
64 bytes from 8.8.8.8: icmp_seq=18 ttl=59 time=31.891 ms
64 bytes from 8.8.8.8: icmp_seq=19 ttl=59 time=30.485 ms
64 bytes from 8.8.8.8: icmp_seq=20 ttl=59 time=29.383 ms
^C
--- 8.8.8.8 ping statistics ---
21 packets transmitted, 21 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 28.942/31.508/40.585/2.402 ms
13inch:~ tom$

Official worst internet connection ever.

Since I was on dialup at my mums place in Coromandel.

Laptop connected to my Wifi router which is getting its net itself via Wifi tethering from my iPhone 5S which is barely able to make a call or send txt let alone the internet!

491 packets transmitted, 137 packets received, 72.1% packet loss
round-trip min/avg/max/stddev = 4911.674/57951.524/100173.596/21656.897 ms
13inch:pay2c.Xyz tom$

64 bytes from 8.8.8.8: icmp_seq=177 ttl=54 time=52771.304 ms
64 bytes from 8.8.8.8: icmp_seq=178 ttl=54 time=51795.556 ms
64 bytes from 8.8.8.8: icmp_seq=179 ttl=54 time=50792.636 ms
64 bytes from 8.8.8.8: icmp_seq=180 ttl=54 time=49790.734 ms
64 bytes from 8.8.8.8: icmp_seq=181 ttl=54 time=48787.671 ms
64 bytes from 8.8.8.8: icmp_seq=182 ttl=54 time=47787.012 ms
64 bytes from 8.8.8.8: icmp_seq=183 ttl=54 time=46782.079 ms
64 bytes from 8.8.8.8: icmp_seq=184 ttl=54 time=45778.752 ms
64 bytes from 8.8.8.8: icmp_seq=185 ttl=54 time=44782.822 ms
64 bytes from 8.8.8.8: icmp_seq=186 ttl=54 time=43778.280 ms
64 bytes from 8.8.8.8: icmp_seq=187 ttl=54 time=42774.619 ms
64 bytes from 8.8.8.8: icmp_seq=188 ttl=54 time=41773.082 ms
64 bytes from 8.8.8.8: icmp_seq=189 ttl=54 time=40785.548 ms
64 bytes from 8.8.8.8: icmp_seq=190 ttl=54 time=39820.873 ms
64 bytes from 8.8.8.8: icmp_seq=191 ttl=54 time=38818.465 ms
64 bytes from 8.8.8.8: icmp_seq=195 ttl=54 time=35601.609 ms
64 bytes from 8.8.8.8: icmp_seq=196 ttl=54 time=35405.563 ms
64 bytes from 8.8.8.8: icmp_seq=197 ttl=54 time=34595.935 ms
64 bytes from 8.8.8.8: icmp_seq=198 ttl=54 time=34440.231 ms
64 bytes from 8.8.8.8: icmp_seq=199 ttl=54 time=34118.466 ms
64 bytes from 8.8.8.8: icmp_seq=200 ttl=54 time=37025.789 ms
64 bytes from 8.8.8.8: icmp_seq=205 ttl=54 time=33701.815 ms
64 bytes from 8.8.8.8: icmp_seq=232 ttl=54 time=14587.327 ms
Request timeout for icmp_seq 252
Request timeout for icmp_seq 253
Request timeout for icmp_seq 254
64 bytes from 8.8.8.8: icmp_seq=247 ttl=54 time=8570.665 ms
64 bytes from 8.8.8.8: icmp_seq=248 ttl=54 time=7776.425 ms
64 bytes from 8.8.8.8: icmp_seq=249 ttl=54 time=6920.444 ms
64 bytes from 8.8.8.8: icmp_seq=250 ttl=54 time=6515.482 ms
64 bytes from 8.8.8.8: icmp_seq=251 ttl=54 time=5631.024 ms
64 bytes from 8.8.8.8: icmp_seq=252 ttl=54 time=5052.276 ms
64 bytes from 8.8.8.8: icmp_seq=253 ttl=54 time=5014.476 ms
64 bytes from 8.8.8.8: icmp_seq=254 ttl=54 time=5749.126 ms
64 bytes from 8.8.8.8: icmp_seq=255 ttl=54 time=4911.674 ms
Request timeout for icmp_seq 264
Request timeout for icmp_seq 265
Request timeout for icmp_seq 266
Request timeout for icmp_seq 267
Request timeout for icmp_seq 268
Request timeout for icmp_seq 269
64 bytes from 8.8.8.8: icmp_seq=256 ttl=54 time=14185.624 ms
Request timeout for icmp_seq 271
Request timeout for icmp_seq 272
Request timeout for icmp_seq 273
Request timeout for icmp_seq 274
Request timeout for icmp_seq 275
Request timeout for icmp_seq 276
Request timeout for icmp_seq 277
Request timeout for icmp_seq 278
Request timeout for icmp_seq 279
Request timeout for icmp_seq 280
Request timeout for icmp_seq 281
Request timeout for icmp_seq 282
Request timeout for icmp_seq 283
Request timeout for icmp_seq 284
Request timeout for icmp_seq 285
Request timeout for icmp_seq 286
Request timeout for icmp_seq 287
64 bytes from 8.8.8.8: icmp_seq=257 ttl=54 time=31445.453 ms
Request timeout for icmp_seq 289
64 bytes from 8.8.8.8: icmp_seq=258 ttl=54 time=32457.728 ms
Request timeout for icmp_seq 291
Request timeout for icmp_seq 292
Request timeout for icmp_seq 293
Request timeout for icmp_seq 294
64 bytes from 8.8.8.8: icmp_seq=259 ttl=54 time=36411.157 ms
Request timeout for icmp_seq 296
Request timeout for icmp_seq 297
Request timeout for icmp_seq 298
64 bytes from 8.8.8.8: icmp_seq=260 ttl=54 time=39733.101 ms
Request timeout for icmp_seq 300
Request timeout for icmp_seq 301
Request timeout for icmp_seq 302
64 bytes from 8.8.8.8: icmp_seq=261 ttl=54 time=42477.703 ms
Request timeout for icmp_seq 304
64 bytes from 8.8.8.8: icmp_seq=262 ttl=54 time=43441.612 ms
64 bytes from 8.8.8.8: icmp_seq=263 ttl=54 time=43432.266 ms
Request timeout for icmp_seq 307
64 bytes from 8.8.8.8: icmp_seq=264 ttl=54 time=45050.706 ms
Request timeout for icmp_seq 309
64 bytes from 8.8.8.8: icmp_seq=265 ttl=54 time=45137.945 ms
64 bytes from 8.8.8.8: icmp_seq=266 ttl=54 time=45173.820 ms
64 bytes from 8.8.8.8: icmp_seq=267 ttl=54 time=44506.264 ms
Request timeout for icmp_seq 313
Request timeout for icmp_seq 314
Request timeout for icmp_seq 315
Request timeout for icmp_seq 316
Request timeout for icmp_seq 317
Request timeout for icmp_seq 318
Request timeout for icmp_seq 319
Request timeout for icmp_seq 320
Request timeout for icmp_seq 321
Request timeout for icmp_seq 322
Request timeout for icmp_seq 323
Request timeout for icmp_seq 324
64 bytes from 8.8.8.8: icmp_seq=268 ttl=54 time=57362.380 ms
Request timeout for icmp_seq 326
Request timeout for icmp_seq 327
Request timeout for icmp_seq 328
Request timeout for icmp_seq 329
64 bytes from 8.8.8.8: icmp_seq=269 ttl=54 time=61603.631 ms
64 bytes from 8.8.8.8: icmp_seq=270 ttl=54 time=61590.294 ms
Request timeout for icmp_seq 332
64 bytes from 8.8.8.8: icmp_seq=271 ttl=54 time=62326.436 ms
Request timeout for icmp_seq 334
Request timeout for icmp_seq 335
64 bytes from 8.8.8.8: icmp_seq=272 ttl=54 time=65071.367 ms
Request timeout for icmp_seq 337
Request timeout for icmp_seq 338
64 bytes from 8.8.8.8: icmp_seq=273 ttl=54 time=66941.069 ms
Request timeout for icmp_seq 340
64 bytes from 8.8.8.8: icmp_seq=274 ttl=54 time=67932.502 ms
Request timeout for icmp_seq 342
Request timeout for icmp_seq 343
64 bytes from 8.8.8.8: icmp_seq=275 ttl=54 time=69433.195 ms
64 bytes from 8.8.8.8: icmp_seq=276 ttl=54 time=69818.324 ms
64 bytes from 8.8.8.8: icmp_seq=278 ttl=54 time=68618.593 ms
64 bytes from 8.8.8.8: icmp_seq=279 ttl=54 time=68027.879 ms
64 bytes from 8.8.8.8: icmp_seq=280 ttl=54 time=67154.395 ms
Request timeout for icmp_seq 349
Request timeout for icmp_seq 350
Request timeout for icmp_seq 351
Request timeout for icmp_seq 352
Request timeout for icmp_seq 353
64 bytes from 8.8.8.8: icmp_seq=281 ttl=54 time=74049.322 ms
Request timeout for icmp_seq 355
Request timeout for icmp_seq 356
64 bytes from 8.8.8.8: icmp_seq=282 ttl=54 time=76036.362 ms
Request timeout for icmp_seq 358
Request timeout for icmp_seq 359
Request timeout for icmp_seq 360
Request timeout for icmp_seq 361
Request timeout for icmp_seq 362
64 bytes from 8.8.8.8: icmp_seq=283 ttl=54 time=81122.351 ms
64 bytes from 8.8.8.8: icmp_seq=284 ttl=54 time=80909.673 ms
Request timeout for icmp_seq 365
64 bytes from 8.8.8.8: icmp_seq=285 ttl=54 time=82186.723 ms
Request timeout for icmp_seq 367
64 bytes from 8.8.8.8: icmp_seq=286 ttl=54 time=82619.370 ms
Request timeout for icmp_seq 369
Request timeout for icmp_seq 370
Request timeout for icmp_seq 371
Request timeout for icmp_seq 372
Request timeout for icmp_seq 373
Request timeout for icmp_seq 374
Request timeout for icmp_seq 375
Request timeout for icmp_seq 376
Request timeout for icmp_seq 377
Request timeout for icmp_seq 378
64 bytes from 8.8.8.8: icmp_seq=287 ttl=54 time=93182.677 ms
Request timeout for icmp_seq 380
Request timeout for icmp_seq 381
64 bytes from 8.8.8.8: icmp_seq=317 ttl=54 time=65322.352 ms
Request timeout for icmp_seq 383
Request timeout for icmp_seq 384
Request timeout for icmp_seq 385
Request timeout for icmp_seq 386
64 bytes from 8.8.8.8: icmp_seq=318 ttl=54 time=69428.438 ms
64 bytes from 8.8.8.8: icmp_seq=319 ttl=54 time=69204.778 ms
64 bytes from 8.8.8.8: icmp_seq=320 ttl=54 time=68604.710 ms
64 bytes from 8.8.8.8: icmp_seq=321 ttl=54 time=69250.154 ms
64 bytes from 8.8.8.8: icmp_seq=322 ttl=54 time=69024.922 ms
64 bytes from 8.8.8.8: icmp_seq=323 ttl=54 time=68852.795 ms
64 bytes from 8.8.8.8: icmp_seq=324 ttl=54 time=68381.716 ms
64 bytes from 8.8.8.8: icmp_seq=325 ttl=54 time=68460.245 ms
64 bytes from 8.8.8.8: icmp_seq=326 ttl=54 time=67890.598 ms
Request timeout for icmp_seq 396
Request timeout for icmp_seq 397
Request timeout for icmp_seq 398
64 bytes from 8.8.8.8: icmp_seq=327 ttl=54 time=72224.042 ms
Request timeout for icmp_seq 400
Request timeout for icmp_seq 401
Request timeout for icmp_seq 402
Request timeout for icmp_seq 403
64 bytes from 8.8.8.8: icmp_seq=348 ttl=54 time=56707.034 ms
Request timeout for icmp_seq 405
Request timeout for icmp_seq 406
64 bytes from 8.8.8.8: icmp_seq=351 ttl=54 time=56621.675 ms
64 bytes from 8.8.8.8: icmp_seq=352 ttl=54 time=55620.525 ms
64 bytes from 8.8.8.8: icmp_seq=353 ttl=54 time=54887.953 ms
64 bytes from 8.8.8.8: icmp_seq=354 ttl=54 time=54205.236 ms
64 bytes from 8.8.8.8: icmp_seq=355 ttl=54 time=53624.076 ms
Request timeout for icmp_seq 412
Request timeout for icmp_seq 413
Request timeout for icmp_seq 414
Request timeout for icmp_seq 415
Request timeout for icmp_seq 416
Request timeout for icmp_seq 417
Request timeout for icmp_seq 418
Request timeout for icmp_seq 419
Request timeout for icmp_seq 420
Request timeout for icmp_seq 421
64 bytes from 8.8.8.8: icmp_seq=357 ttl=54 time=65797.155 ms
Request timeout for icmp_seq 423
Request timeout for icmp_seq 424
Request timeout for icmp_seq 425
Request timeout for icmp_seq 426
Request timeout for icmp_seq 427
Request timeout for icmp_seq 428
Request timeout for icmp_seq 429
Request timeout for icmp_seq 430
Request timeout for icmp_seq 431
Request timeout for icmp_seq 432
Request timeout for icmp_seq 433
Request timeout for icmp_seq 434
Request timeout for icmp_seq 435
Request timeout for icmp_seq 436
Request timeout for icmp_seq 437
Request timeout for icmp_seq 438
Request timeout for icmp_seq 439
Request timeout for icmp_seq 440
Request timeout for icmp_seq 441
Request timeout for icmp_seq 442
Request timeout for icmp_seq 443
Request timeout for icmp_seq 444
Request timeout for icmp_seq 445
Request timeout for icmp_seq 446
Request timeout for icmp_seq 447
64 bytes from 8.8.8.8: icmp_seq=389 ttl=54 time=59933.766 ms
64 bytes from 8.8.8.8: icmp_seq=390 ttl=54 time=59740.642 ms
64 bytes from 8.8.8.8: icmp_seq=391 ttl=54 time=59882.162 ms
Request timeout for icmp_seq 451
Request timeout for icmp_seq 452
Request timeout for icmp_seq 453
Request timeout for icmp_seq 454
Request timeout for icmp_seq 455
Request timeout for icmp_seq 456
Request timeout for icmp_seq 457
64 bytes from 8.8.8.8: icmp_seq=392 ttl=54 time=66705.322 ms
64 bytes from 8.8.8.8: icmp_seq=393 ttl=54 time=66187.189 ms
64 bytes from 8.8.8.8: icmp_seq=394 ttl=54 time=65313.387 ms
64 bytes from 8.8.8.8: icmp_seq=395 ttl=54 time=65274.663 ms
64 bytes from 8.8.8.8: icmp_seq=396 ttl=54 time=65201.259 ms
64 bytes from 8.8.8.8: icmp_seq=397 ttl=54 time=65043.247 ms
64 bytes from 8.8.8.8: icmp_seq=398 ttl=54 time=64591.833 ms
Request timeout for icmp_seq 465
Request timeout for icmp_seq 466
Request timeout for icmp_seq 467
Request timeout for icmp_seq 468
Request timeout for icmp_seq 469
Request timeout for icmp_seq 470
64 bytes from 8.8.8.8: icmp_seq=399 ttl=54 time=72608.465 ms
64 bytes from 8.8.8.8: icmp_seq=400 ttl=54 time=71606.695 ms
64 bytes from 8.8.8.8: icmp_seq=401 ttl=54 time=70603.331 ms
64 bytes from 8.8.8.8: icmp_seq=402 ttl=54 time=69610.261 ms
64 bytes from 8.8.8.8: icmp_seq=403 ttl=54 time=68606.763 ms
64 bytes from 8.8.8.8: icmp_seq=404 ttl=54 time=67607.793 ms
64 bytes from 8.8.8.8: icmp_seq=405 ttl=54 time=66610.263 ms
64 bytes from 8.8.8.8: icmp_seq=406 ttl=54 time=66066.892 ms
64 bytes from 8.8.8.8: icmp_seq=409 ttl=54 time=65526.582 ms
64 bytes from 8.8.8.8: icmp_seq=410 ttl=54 time=64708.668 ms
64 bytes from 8.8.8.8: icmp_seq=411 ttl=54 time=63938.379 ms
64 bytes from 8.8.8.8: icmp_seq=412 ttl=54 time=62978.977 ms
64 bytes from 8.8.8.8: icmp_seq=413 ttl=54 time=62329.996 ms
64 bytes from 8.8.8.8: icmp_seq=414 ttl=54 time=61685.132 ms
64 bytes from 8.8.8.8: icmp_seq=415 ttl=54 time=60885.822 ms
64 bytes from 8.8.8.8: icmp_seq=416 ttl=54 time=60366.599 ms
64 bytes from 8.8.8.8: icmp_seq=417 ttl=54 time=60080.570 ms
64 bytes from 8.8.8.8: icmp_seq=418 ttl=54 time=59211.712 ms
64 bytes from 8.8.8.8: icmp_seq=419 ttl=54 time=58520.336 ms
64 bytes from 8.8.8.8: icmp_seq=420 ttl=54 time=57832.112 ms
^C
--- 8.8.8.8 ping statistics ---
491 packets transmitted, 137 packets received, 72.1% packet loss
round-trip min/avg/max/stddev = 4911.674/57951.524/100173.596/21656.897 ms
13inch:pay2c.Xyz tom$

SHA1 Collision detected on Github

About 9 days ago something incredibly unlikely happened... something so rare that

If you had five million programmers each generating one commit per second, your chances of generating a single accidental collision before the Sun turns into a red giant and engulfs the Earth is about 50%.

A few weeks ago, researchers announced SHAttered, the first collision of the SHA-1 hash function, at Github. Similar to how a Bitcoin is a series of zeroes in a long row discovered by gradually adding static noise to the signal, this collission is likely a big chunk of random characters and noise.

Amazingly this event now has it's own website, and Y2K style frenzied rush to swap out sha1 for sha256/512. Never fear though because as they say:

Today, many applications still rely on SHA-1, even though theoretical attacks have been known since 2005, and SHA-1 was officially deprecated by NIST in 2011. We hope our practical attack on SHA-1 will increase awareness and convince the industry to quickly move to safer alteratives, such as SHA-256.

Try This At Home?

This attack required over 9,223,372,036,854,775,808 SHA1 computations. This took the equivalent processing power as 6,500 years of single-CPU computations and 110 years of single-GPU computations. So give it a go yourself (hehe) the source code is available.

What about SHA256 any chances there of a collision?

The hash input space of SHA256, which to be honest is not something I think I understand because I thought all hash functions have infinite input space, is something like this many terabytes:

120,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000

By my calculations, to get even a slim 0.0000001% chance of a collision with SHA256 you'd need to run through 4.8×10 to 29 of hash runs, or this many:

480,000,000,000,000,000,000,000,000,000

That's just for a 0.0000001% chance of collision.

 

Learn To Code Hands-on Computer Tuition

Tom Atkinson - Director, Tomachi Corp.

Tom Atkinson - Director, Tomachi Corp.

Six Week and One-day Classes with Tom

Tomachi Corporation has developed a series of hands-on six week online courses with weekly webinar and 20 minute catch-up phone call:

Week 1 - The Smorgasbord: Intro to programming, Making cool graphics and animations with code, Database-driven websites with Linux, Boost My Business Quick, and Launch Your Own Central Bank and Mint Your Own ERC20 Compliant Ethereum Coin.

    • Small class sizes run via Google Hangouts
    • Content tailored to your knowledge level
    • Requires only macOS Windows or Linux and internet access
    • Step by step class walk throughs
    • To enrol complete the survey below...

Create your own user feedback survey

 

For enrolments please fill in the form above ^^^, if it does not display then try this SurveyMonkey link

Once that survey is complete grab yourself a slot (only 80 available!) on the next available webinar

Reserve Webinar Seat RSVP

Bring Your Own Laptop - Short 6 week Computer Courses
Tomachi Corp needs to do some basic market research… which course would you prefer?

Router Hardening & Lockdown

The following guidelines are distilled from Apple's handy page for it's customers on how to secure their Wifi routers. I've shrunk it down to the minimum:

  • Up to date Wi–Fi router firmware
  • Hope that all Wi–Fi devices you want to use support the settings (WPA2)
  • Back up your Wi–Fi router settings
  • After changing Wifi password, do a Forget or Remove the Wi-Fi settings from all devices
  • You can configure an AirPort Base Station with AirPort Utility. If you have a different router, refer to the manual or to the manufacturer's website to learn how to change the settings.

Use the settings below for best performance, security, and reliability.

SSID

The SSID, or network name, identifies your Wi-Fi network to users and other Wi-Fi devices.

Best: Hidden network
Better: Any unique name
Default: SSID name (eg "Vodafone") may be shared by others (not good)

Choose a name that's unique to your network and isn't shared by other nearby networks or other networks you are likely to encounter. If your router came with a default SSID (network name), it's especially important that you change it to a different, unique name. Some common default SSID names to avoid are "linksys", "netgear", "NETGEAR", "dlink", "wireless", "2wire", and "default".

If your SSID isn't unique, Wi-Fi devices will have trouble identifying your network. This could cause them to fail to automatically connect to your network, or to connect to other networks sharing the same SSID. Also, it might prevent Wi-Fi devices from using all routers in your network (if you have more than one Wi-Fi router), or prevent them from using all available bands (if you have a dual-band Wi-Fi router).

Hidden network

Hidden networks don't broadcast their SSID over Wi-Fi. This option might also be incorrectly referred to as a "closed" network, and the corresponding non-hidden state might be referred to as "broadcast" or "open".

Set to: Disabled

Details: Because hidden networks don't broadcast their SSID, it's harder for devices to find them, which can result in increased connection time and can reduce the reliability of auto-connection. Hiding a network doesn't secure your Wi-Fi network, because the SSID is still available through other mechanisms. Security is enforced by a different setting (see Security below).

MAC address authentication or filtering

Restricts access to a Wi-Fi router to devices with specific MAC (Media Access Control) addresses.

Set to: Disabled

Details: When enabled, this feature allows a user to configure a list of MAC addresses for the Wi-Fi router, and restrict access to devices with addresses that are on the list. Devices with MAC addresses not on the list will fail to associate to the Wi-Fi network. Unfortunately, device MAC addresses can be easily changed, so this can't be relied upon to prevent unauthorised access to the network. Security should be enforced by a different setting (see Security below).

iOS 8 and later uses a randomised Media Access Control (MAC) address when running Wi-Fi scans. The scans are conducted when a device isn't associated with a Wi-Fi network and its processor is asleep. A device’s processor goes to sleep shortly after the screen is turned off. Wi-Fi scans are run to determine if a user can connect to a preferred Wi-Fi network. Enhanced Wi-Fi scans are run when a device uses Location Services for apps that use geofences, like location-based reminders, which determine if the device is near a specific location.

Security

The security setting controls the type of authentication and encryption used by your Wi-Fi router. This setting allows you to control access to your wireless network, as well as to specify the level of privacy you'd like to have for data you send over the air.

Set to: WPA2 Personal (AES)

Details: WPA2 Personal (AES) is currently the strongest form of security offered by Wi-Fi products, and is recommended for all uses. When enabling WPA2, be sure to select a strong password, one that cannot be guessed by third parties.

If you have older Wi-Fi devices on your network that don't support WPA2 Personal (AES), a good second choice is WPA/WPA2 Mode (often referred to as WPA Mixed Mode). This mode will allow newer devices to use the stronger WPA2 AES encryption, while still allowing older devices to connect with older WPA TKIP-level encryption. If your Wi-Fi router doesn't support WPA/WPA2 Mode, WPA Personal (TKIP) mode is the next best choice.

Using WEP isn't recommended for compatibility, reliability, performance, and security reasons. WEP is insecure and functionally obsolete. Use TKIP if you must choose between it and WEP.

For reference, "None" or unsecured mode, provides no authentication or encryption. If you use this security mode, anyone will be able to join your Wi-Fi network, use your Internet connection, or access any shared resource on your network. Also, anyone will be able to read any traffic you send over the network. For these reasons, this security mode isn't recommended.

Due to serious security weaknesses, the WEP and WPA TKIP encryption methods are deprecated and strongly discouraged. These modes should  be used only if it is necessary to support legacy Wi-Fi devices that don't support WPA2 AES and cannot be upgraded to support WPA2 AES. Devices using these deprecated encryption methods won't be able to take full advantage of 802.11n performance and other features. Due to these issues the Wi-Fi Alliance has directed the Wi-Fi industry to phase out WEP and WPA TKIP.

2.4 GHz Radio Mode

This setting controls which versions of the 802.11a/b/g/n standard the network uses for wireless communication on the 2.4 GHz band. Newer standards (802.11n) support faster transfer rates, and older standards provide compatibility with older devices and additional range.

Set to: 802.11b/g/n

Details: Routers that support 802.11n should be configured for 802.11b/g/n for maximum speed and compatibility. Routers that only support 802.11g should be put in 802.11b/g mode, while those that support only 802.11b can be left in 802.11b mode. Different Wi-Fi routers support different radio modes, so the exact setting will vary depending on the Wi-Fi router in use. In general, enable support for all modes. Devices will then automatically select the fastest commonly supported mode to communicate. Note that choosing a subset of the available modes will prevent some devices from connecting (for example, 802.11b/g devices will be unable to connect to a Wi-Fi router in 802.11n-only mode). Also, choosing a subset of the available modes might cause interference with nearby legacy networks, and might cause nearby legacy devices to interfere with your network.

5 GHz Radio Mode

This setting controls which versions of the 802.11a/b/g/n standard the network uses for wireless communication on the 5 GHz band. Newer standards support faster transfer rates, and older standards provide compatibility with older devices and additional range.

Set to: 802.11a/n

Details: Routers that support 802.11n should be configured for 802.11a/n mode for maximum speed and compatibility. Routers that only support 802.11a can be left in 802.11a mode. Different Wi-Fi routers support different radio modes, so the exact setting will vary depending on the Wi-Fi router in use. In general, enable support for all modes. Devices will then automatically select the fastest commonly supported mode to communicate. Note that choosing a subset of the available modes will prevent older devices from connecting (for example, 802.11a devices will be unable to connect to a Wi-Fi router in 802.11n-only mode). In addition, choosing a subset of the available modes might cause interference with nearby legacy networks, and might cause nearby legacy devices to interfere with your network.

Channel

This setting controls which channel your Wi-Fi router will use to communicate. "Auto" allows the Wi-Fi router to select the best channel automatically. You can also manually select a channel.

Set to: Auto

Details: For best performance, choose "Auto" mode and let the Wi-Fi router select the best channel. If this mode isn't supported by your Wi-Fi router, you'll need to manually select a channel. You should pick a channel that's free from other Wi-Fi routers and other sources of interference. Read about possible sources of interference.

2.4 GHz channel width

Channel width controls how large a "pipe" is available to transfer data. However, larger channels are more subject to interference and more prone to interfere with other devices. A 40 MHz channel is sometimes referred to as a wide channel, with 20 MHz channels referred to as narrow channels.

Set to: 20 MHz

Details: Use 20 MHz channels in the 2.4 GHz band. Using 40 MHz channels in the 2.4 GHz band can cause performance and reliability issues with your network, especially in the presence of other Wi-Fi networks and other 2.4 GHz devices. 40 MHz channels might also cause interference and issues with other devices that use this band, such as Bluetooth devices, cordless phones, neighbouring Wi-Fi networks, and so on. Note that not all routers support 40 MHz channels, especially in the 2.4 GHz band. If they are not supported, the router will use 20 MHz channels.

5 GHz channel width

Channel width controls how large a "pipe" is available to transfer data. Larger channels are more prone to interference, and more likely to interfere with other devices. Interference is less of an issue in the 5 GHz band than in the 2.4 GHz band. A 40 MHz channel is sometimes referred to as a wide channel, with 20 MHz channels referred to as narrow channels.

Set to: For 802.11n access points, set the 5GHz band to 20 MHz and 40 MHz. For 802.11ac access points, set the 5GHz band to 20 MHz, 40 MHz, and 80 MHz.

Details: For best performance and reliability, enable support for all channel widths. This allows devices to use the largest width they support, which results in optimal performance and compatibility. Not all client devices support 40 MHz channels, so don't enable 40 MHz-only mode. Devices that support only 20 MHz channels won't be able to connect to a Wi-Fi router in 40 MHz-only mode. Similarly, don't enable 80 MHz-only mode, or only clients capable of 802.11ac will be able to connect. Also, not all routers support 40 MHz and 80 MHz channels. A router that doesn't will use 20 MHz channels.

DHCP

The Dynamic Host Configuration Protocol (DHCP) assigns addresses that identify devices on your network. Once assigned, devices use these addresses to communicate with each other and with computers on the Internet. The functionality of a DHCP server can be thought of as similar to a phone company handing out phone numbers, which customers then use to call other people.

Set to: Only one DHCP server per network

Details: There should be only one DHCP server on your network. This DHCP server might be built in to your DSL or cable modem, a standalone router, or integrated with your Wi-Fi router. In any case, only one device should act as a DHCP server on your network. If more than one device has it enabled, you will likely see address conflicts and will have issues accessing the Internet or other resources on your network.

NAT

Network address translation (NAT) translates between addresses on the Internet and those on a local network. The functionality of a NAT provider is like that of a worker in an office mail room who takes a business address and an employee name on incoming letters and replaces them with the destination office number in a building. This allows people outside the business to send information to a specific person in the building.

Set to: Enabled only on your router; only one device at most should provide NAT services on the network.

Details: Generally, NAT should only be enabled on the device acting as a router for your network. This is usually either your DSL or cable modem, or a standalone router, which might also act as your Wi-Fi router. If NAT is enabled on more than one device—"double NAT"—you'll likely have trouble accessing certain Internet services, such as games, Voice Over IP (VoIP), and Virtual Private Network (VPN), and communicating across the different levels of NAT on the local network.

WMM (Wi-Fi Multimedia)

WMM prioritises network traffic according to four access categories: voice, video, best effort, and background.

Set to: Enabled

Details: All 802.11n and 802.11ac access points should have WMM enabled in their default configuration. Disabling WMM can cause issues for the entire network, not just Apple products on the network.

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Risks are inherent in the use of the Internet. Contact the vendor for additional information. Other company and product names may be trademarks of their respective owners.

UFA Civil Liberties and Privacy Report on the NSA

In August 2013, President Obama announced several initiatives to give the public greater confidence in the oversight of the NSA's foreign intelligence programs. The creation of a full-time Civil Liberties and Privacy Officer at NSA was among the reforms cited, and recently they have issued this report PDF ; the following image is taken from it:

US Freedom Act "Frontdooring" procedure

US Freedom Act "Frontdooring" procedure

To illustrate the process, assume an NSA intelligence analyst identifies or learns that phone number (202) 555-1234 is being used by a suspected international terrorist. This is the “specific selection term” or “selector” that will be submitted to the FISC (or the Attorney General in an emergency) for approval using the RAS standard. Also assume that, through NSA’s examination of metadata produced by the provider(s) or in NSA’s possession as a result of the Agency’s otherwise lawfully permitted signals intelligence activities (e.g., activities conducted pursuant to Section 1.7(c)(1) of Executive Order 12333, as amended), NSA determines that the suspected terrorist has used a 202 area code phone number to call (301) 555-4321. The phone number with the 301 area code is a “first-hop” result. In turn, assume that further analysis or production from the provider(s) reveals (301) 555-4321 was used to call (410) 555-5678. The number with the 410 area code is a “second-hop” result.

Once the one-hop results are retrieved from the NSA’s internal holdings, the list of FISC-approved specific selection terms, along with NSA’s internal one-hop results, are submitted to the provider(s). The provider(s) respond to the request based on the data within their holdings with CDRs that contain FISC-approved specific selection terms or the one-hop selection term. One-hop returns from providers are placed in NSA’s holdings and become part of subsequent query requests, which are executed on a periodic basis. Historical bulk data collected under Section 215 of the USA PATRIOT Act will never be included when querying internal holdings.

Absent information to the contrary, NSA must presume that each user of each of the phone numbers in the above example is a U. S. person, since each phone number has a U.S. area code. NSA’s FISC- approved minimisation procedures for the USA FREEDOM Act prohibit NSA from disseminating any known or presumed U.S. person information that does not constitute foreign intelligence information related to international terrorism or information necessary to understand foreign intelligence information related to international terrorism or assess its importance or is not evidence of a crime. In addition, the minimisation procedures require NSA to destroy promptly any CDRs that are determined not to contain foreign intelligence information. The procedures also set a maximum retention period for CDRs obtained pursuant to the FISC’s orders of no more than 5 years after initial delivery to NSA, except that NSA may retain any CDR (or information derived therefrom) that was the basis of a properly approved dissemination of foreign intelligence information.

How the NSA collects your data

How the NSA collects your data

Filtering out hostname spam in Google Analytics

This is the weirdest kind of spam, I guess that's what it is; Intended to make the people who read the reports check the fake sounding hostnames? Probably so they can get a drive-by infection - makes sense I guess since these are people with websites, quite a good target.

I made a regular expression to help me filter out hostname spam from my reports:

First I exclude my own sites using this regex, the customisations are mostly to deal with .com and .co since many of my sites use the quite unique NZ TLD:

localhost|.nz$|tomachi.co$|(damnative|triptonites|carbonmade|boomboom|design|youtube|googleusercontent|sites.google).com$|.fritz.box$|.guru$|.dev$|auctiontix.net$

This provides a filtered 5 year view with these spam domains showing - great!

Hostname Spam in Google Analytics

Hostname Spam in Google Analytics

From here I created the following regex to outright block TLDs that I don't use, and even the (not set) hostnames I found:

not set|us$|cn$|\.ru$|info$|eu$|br

Luckily the block known bots feature works so well, and removes the need for this type of action, however, this can be useful for looking at historic reports.

GA Bot Filtering

GA Bot Filtering