
Some folks may remember the HBGary debacle a short while ago, when HBGary Federal (a wholly-owned subsidiary of HBGary, specializing in government contracts) got themselves cracked by Anonymous after specifically calling them out.  The parent company, HBGary, has published an open letter making certain claims, which Ars Technica has examined.

There’s little surprise in the letter–it’s mostly a reiteration of previous claims about the leaked emails having been ‘altered’ and about how HBGary Federal was a completely separate company with no actual connection to the parent organization other than ownership.  Ars does a good job in dissecting these claims and pointing out which ones hold water and which ones don’t.

Publishing this letter in the first place was likely a bad idea, though.  Anyone who has the least bit of knowledge about Anonymous–which the head of HBGary Federal claimed to have–knows that resurrecting attention to a controversy causes the phenomenon known as “lulz” to occur.  For those unfamiliar with the term, it’s a sort of measurement of attention-worthiness of a particular topic or entity, based on the quality and quantity of reaction to be gained from any interaction with them.  Leaking the HBGary Federal documents produced an extensive amount of this–it gained mainstream media attention and increased the visibility of Anonymous in the public eye.  The Scientology protests were the same–shedding light on the known-bad Scientology organization’s policies and procedures with public protests (and their characteristic purple prose) caused extreme consternation amongst the organization and brought public attention to Anonymous.

Now, HBGary has, essentially, done the same thing that HBGary Federal did–call out Anonymous’ activities, claim to be invulnerable to their attentions, and bring public attention to Anonymous’ interactions with them.  This is the sort of thing that tends to be deemed “lulzy” by Anonymous, and generally tends to bring certain actions.

Westboro Baptist attempted to take advantage of this phenomenon by releasing a fake press release (that claimed to be on behalf of Anonymous) declaring a war against them, followed by a press release under their own aegis calling out Anonymous.  The Anonymous collective rather quickly determined the illegitimacy of the first release–there may be no central organization, but there is a fairly distinct style, which Westboro did not emulate perfectly–and (correctly, as it turned out) determined that the servers on offer were likely honeypots, set up specifically to trap any Anonymim who attempted to DDoS or otherwise infiltrate them.

As it happened, when Westboro pushed the issue, they were rather promptly taken down–just as HBGary is likely to be.  Westboro, like HBGary, made the key mistakes of assuming Anonymous is entirely disaffected teenagers with a modicum of computer skills and a coherent organization with limited membership.  These assumptions miss certain key points–Anonymous is, in essence, a nom de guerre that can be taken on by any person or entity, as is evidenced by th3j3st3r’s participation in the actions against Westboro following his specific attacks against Wikileaks; while not strictly an Anonymous action (as he did claim credit for it), the action against Westboro was compatible with Anonymous’ goals and views.

What HBGary fails to realize is that, by seeking to defend themselves against the ‘blog-o-sphere’, they’ve inadvertently invoked the Streisand effect and drawn specific attention to what they want to keep quiet.  Whether this release has produced enough ‘lulz’–that is, attention to the incident as a cause worthy of working on–remains to be seen, but if they do manage to get away with it without significant infiltration and exposure of more embarrassing secrets, they should count themselves lucky.

Anonymous’ actions cannot be predicted specifically, but it’s fairly obvious that calling them out is, as a comedian recently opined, tantamount to inserting one’s genitals into a hornet’s nest–a bad idea, and likely to cause embarrassing, painful problems.

SEO–“search engine optimization”–is a set of tools and practices used by both legitimate webmasters trying to jockey for position in the rankings of search engines and by spammers attempting to push up, temporarily or otherwise, fly-by-night domains selling dubious products.  In some less-served areas, SEO-promoted domains may outnumber legitimate domains by many to one; combine this with redirections, link farms, and the like, and it becomes much more difficult to determine a legitimate source for any products, services, or information that you might happen to need.

Traditionally, the way in which this has been dealt with by blog and forum owners is to filter or delete spam posts.  This particular blog is frequented by any number of spammers who attempt to skew ratings with contentless comments linked to suspicious domains hawking–apparently, as I’m not stupid enough to follow those links–anything from viagra to discount financial instruments to “discount” rolexes.

Another approach has become apparent, though, especially with the advent of certain attempts by search engines of note to restrict the efforts of these “blackhat SEO tactics”–an approach that can be labeled SEP, for Search Engine Pessimization.  

‘Traditional’ optimization techniques seek to raise the ranking of a page through exploiting the algorithms used to generate the pagerank–generally assumed to involve links from external pages, keywords in links pointing to the page, and several other factors; Google is, naturally, reticent about the exact specifications of their algorithms, especially given the amount of money people gain from trying to guess at them.

Blackhat SEO–those tactics which have been developed to exploit these rankings–takes advantage of these techniques by exaggerating them, trying to imitate legitimate traffic through spamming fora with spurious links, farming keyworded domains and cross-linking them in giant link farms, etc.  Many of these techniques have been detected, and some have been well publicized by Google and other search engine companies as no longer effective because they are automatically detected and deprecated by the engine.

The attack venue here should be obvious: to pessimize an undesirable domain, promote it through the use of known-bad ‘optimization’ techniques. 

These techniques can be determined by looking through complaints filed about ‘arbitrary’ reductions in pagerank and the like; by determining the cause of the reduction, a list of methods and tactics can be quickly developed that will serve to indicate to the automated algorithms that a site is attempting to ‘game the system’ and gain unjust ranking, triggering the part of the algorithm that punishes those sites.

An interesting supplementary tactic is that of googlebombing.  Googlebombing is the practice of using certain SEO techniques to associate a given keyword–usually one with amusing connotations–with a particular page; one of the more publicized ones involved former president Bush and the word ‘failure’.  Associating unsavory words or those involving illegal activities with a domain could, in this day and age, result in the domain’s seizure by the authorities–a win-win situation, as every domain seized for the wrong reasons weakens the case of this rather nonsensical practice, and it also neuters the spammers by disabling a venue by which they could potentially make money.

Maximum benefit, though, would likely result from linking in some way the domain to be pessimized with known-bad domains–those serving malware, those known to be scams, etc.–thus alerting the search engines’ spiders of a potentially harmful connection as soon as possible.  Using extensions to report spam is also effective.

There is always a race between those innovating ways to make search and the like more relevant to the user and those seeking to exploit it for their own reasons; manipulating search engines to punish spammers is one way in which anyone who dislikes spam can fight back.

Apologies for the mangled French title.  The BBC reports that several companies are challenging a French law insisting that they keep a record of users’ real names, telephone numbers, addresses, and–most damningly–passwords, to be turned over to police on demand.

In a proper, competent system, passwords themselves are never stored.  Instead, when an account (and associated password) is created, the password is passed through a complex mathematical function to produce what is called a ‘hash’–much like how reconstructing an order of ham hash into the original ham and potatoes is more difficult than anyone can reasonably be expected to accomplish, reconstructing a password from a hash is intended to be next to impossible.

When the user logs in, their password is passed through the mathematical function again, and the result compared with the entry in the password table.  Since the function is tuned to produce a complex but unique result from each input, if the hashes match then the password has been entered properly.

The recent high-profile crack at Gawker, where the password database was compromised, was only possible because their hashing algorithm was weak and most users’ passwords were also weak.  Indeed, the algorithm itself was not actually reversed–instead, a database known as a ‘rainbow table’ was used, which is the result of passing a dictionary of common passwords through a known hashing algorithm.
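The registration-and-login flow described above, plus the reason the Gawker-style precomputed lookup works against a weak scheme, as an added example that is not part of the original post.  It stores only a salted, iterated hash (PBKDF2 here; the iteration count and the five-word “common passwords” list are constructed for the demo), verifies a login by recomputing the hash with the stored salt, and contrasts that with a plain unsalted MD5 store that a precomputed table of common passwords reverses by simple lookup.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample "dictionary" of common passwords for the demonstration.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "password123"]

# Work factor for PBKDF2 (a hypothetical value for this example; tune it to
# your hardware, and prefer a memory-hard KDF such as scrypt where available).
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Return (salt_hex, hash_hex). A fresh 16-byte random salt is drawn when
    none is supplied, so two users with the same password get different hashes."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt.hex(), digest.hex()


def verify_password(password: str, salt_hex: str, hash_hex: str) -> bool:
    """Login check: rehash the candidate with the stored salt and compare in
    constant time. The stored password itself is never needed."""
    _, candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, hash_hex)


def unsalted_md5(password: str) -> str:
    """The weak scheme: a fast, unsalted digest of the bare password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_precomputed_table(words: Iterable[str]) -> Dict[str, str]:
    """Map unsalted digests of a word list back to the words; this is the
    idea behind the lookup tables mentioned in the post, reduced to a dict."""
    return {unsalted_md5(w): w for w in words}


def recover_from_table(stored_hex: str, table: Dict[str, str]) -> Optional[str]:
    """Reverse a stored digest by lookup; None means the table has no entry,
    which is what happens for every salted hash, since the salt is not in it."""
    return table.get(stored_hex)


if __name__ == "__main__":
    salt, stored = hash_password("password123")
    print("login ok:", verify_password("password123", salt, stored))
    table = build_precomputed_table(COMMON_PASSWORDS)
    print("weak store reversed to:", recover_from_table(unsalted_md5("password123"), table))
    print("salted store reversed to:", recover_from_table(stored, table))
```

The salt defeats the precomputed table because the table would have to be rebuilt per user, and the iteration count makes each rebuild slow; neither helps if the database holds the passwords themselves, which is exactly what the French law discussed below would require.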

This French law completely ignores best-practices.  Besides the obvious privacy concerns, it requires that the companies make passwords available to the police–which means that, rather than a database of the hashes, the companies will be required to keep a database of the actual passwords.

This is an unnecessary and badly thought-out requirement, as it lays every single person in France who uses any of these services open to theft of their accounts should anyone be successful at exfiltrating the associated databases.  Worse, given that real names and addresses are associated with these accounts, it provides very nearly one-stop shopping for any French identity that an attacker could wish to have.  

In essence, no company that engages in anything resembling standard security practices can operate in France unless they irreparably damage standard procedures in order to engage in traffic with that country.

This law is badly thought-out and will irreparably damage France’s status in the EU and on the world stage.  Anyone who wishes for security in their dealings should avoid any companies that provide this data, as these databases will be inherently insecure.

Here’s a bit of Monday morning fun: Slashdot reports that SQL.com was cracked via an SQL injection attack.  

SQL is a very prominent database schema used in thousands of installations around the globe.  An SQL injection is when an attacker bypasses the normal front-end for the database and finds a means of executing their own commands, usually with the aim of either stealing information or of corrupting or changing the database in some fashion.

Cross-site scripting, also mentioned in the article, is a means by which such attacks can take place.  This is a slightly more complex vulnerability–essentially, it occurs when the client, rather than the server, is used to validate requests against the server.  If that is the case, then a sufficiently competent attacker can craft a malicious version of the script produced by the webpage in question and serve that to users (via the usual social engineering methods) in an attempt to gain login credentials, session credentials, or other information about how the resources are generally accessed.

Combining the two can lead to a theft of credentials usable for gaining access to the whole of the database for whatever purpose the attacker wishes–the “pwnage” that many attackers seek to gain.

The vulnerability in the SQL.com database was apparently, according to the articles linked above, discovered in January by some enterprising folks out of Romania.  Whether it was reported ahead of time is not known to this author at this time–the original resources are protected behind a policy setting at a Romanian exploit site, and the XSS (cross-site scripting) vulnerability has a publication date of April 1–though this could be January 4, and a dd/mm/yy rather than mm/dd/yy confusion.

The vulnerability in question appears to be something rather obvious; the actual attack is caused via inserting a “script” html tag in the URL of the resource requested.  

The countermeasures to prevent this sort of thing happening are twofold:  first, of course, is never to click on a URL without knowing what it is you’re clicking on.  Think before you click.  There’s no reason to click on a link with an html tag embedded in it, normally; such uses are endemic for exploiting security flaws, but are not often used by legitimate sites.

Secondly, if you are designing a site, assume that any input coming from the client side is unsafe and must be validated–there’s no point putting the validation mechanism out where it could be changed.  Javascript is inherently open-source because the source must be served to the client machine in order to run; as such, any vulnerabilities present in it will be found eventually.  There’s no way to ensure that input coming to your servers is being sent by the same javascript that was served from them originally; take this into account when designing your sites, and you will not be vulnerable to this kind of attack.
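Both halves of the post–the injection described at the top and the “script tag in the URL” flaw with its server-side countermeasure–in one added example that is not code from SQL.com or the linked articles.  The user table, the request URLs and the injection string are all constructed for the demo; the point is that the server binds client input as a parameter instead of splicing it into SQL, and escapes it before reflecting it into HTML, regardless of what any client-side script was supposed to have checked.

```python
import html
import sqlite3
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a site's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Vulnerable: the client-supplied name becomes part of the SQL text, so
    quote characters in it change the query rather than the value."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Hardened: the value travels as a bound parameter and is only ever
    compared against the column, never parsed as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def _query_param(request_url: str) -> str:
    """Pull the 'q' parameter (hypothetical name) out of a request URL."""
    params = parse_qs(urlsplit(request_url).query)
    return params.get("q", [""])[0]


def render_search_page_unsafe(request_url: str) -> str:
    """Vulnerable: whatever arrived in the URL is reflected as live HTML."""
    return "<p>Results for: " + _query_param(request_url) + "</p>"


def render_search_page(request_url: str) -> str:
    """Hardened: the reflected value is escaped, so a <script> tag carried in
    the URL is displayed as text instead of being executed by the browser."""
    return "<p>Results for: " + html.escape(_query_param(request_url), quote=True) + "</p>"


if __name__ == "__main__":
    db = make_demo_db()
    print(find_user_safe(db, "alice"))
    print(render_search_page("https://example.invalid/search?q=<script>alert(1)</script>"))
```

Note that neither defence inspects the input for “bad” characters; both simply keep data and code in separate channels, which is why they hold up even when the client-side script that was supposed to validate the request has been replaced.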

The foundation of democracy–the foundation of representative government–is the principle of free access to information required to make effective choice.  Without this information, there’s no way to tell, for instance, which of two candidates is most suited for your particular set of causes–other than the words of the candidates themselves, which are neither reliable nor likely to be accurate.  

Accordingly, without this free access to information, the very founding principles of government will be compromised.  Without free access to information, there is no means of remaining properly informed about events in the world and in the country to make an effective choice.  Without free access to information, there is no effective way to keep educated, to remain competitive in the job market.  Without free access to information, we may as well live in a third-world country, overseen by a dictator.

AT&T, a monopoly already broken up once, has decreed that it will impose arbitrary and undocumented usage caps on its “broadband” offerings.

Leaving aside that there is already an intrinsic cap in place–their internet connections are charged by the alleged peak download speed; rate multiplied by time yields amount, as anybody with a fourth-grade education could tell you–these caps and the associated overage fees are clearly an anticompetitive practice aimed at restricting the entertainment options of the subscribers.

AT&T has been pushing their “U-verse” service–a combined internet and TV package–to subscribers for more than a year now.  U-verse delivers content digitally, so the TV shows that they are pushing use the very same connections that the internet services do–however, only the internet service is capped; their own TV service, from which they receive advertising revenue, travels over the same connection uncapped.

Their excuse is, as always, that a “small population” of users use a “disproportionate” amount of the bandwidth available.  This is the same excuse that has been tried and has been shot down by numerous other ISPs.  There are numerous reasons why this is fallacious, not the least of which is that the technology already exists to ensure continued QoS during peak hours.

AT&T has been happy to market their connections as “unlimited” for years, and to receive new customers on this basis.  Any change now amounts to the most fraudulent sort of bait-and-switch, especially combined with the obvious anticompetitive, monopolistic capping of all competitive services to their in-house TV service.

This is the very sort of thing that net neutrality was intended to prevent–this erosion both of consumer rights to freely consume whatever content they desire, and to obtain the information they require to make effective choices.  Without free access to information, there is no means to accomplish a democracy.

Gremlins first came to the notice of the public from stories of military pilots who claimed to see small creatures causing mishaps with their machines.  Various media have portrayed these agents of entropy ever since, usually in the context of airplanes but sometimes sinking their fangs into other complex machinery.  

In the Information Age, Gremlins would find that their activities would not impact things quite so much as formerly.  With the variety of sensors and diagnostics available, the old standards of severing cables and cutting hydraulic lines would not be as effective; the activity would not go unnoticed, given the ever-watchful ‘eye’ of various processors that are built into engines specifically to counter any such problems.

However, these very same processors give the Gremlin far more opportunity for their shenanigans; being much smaller scale and more vulnerable to interference, a light touch can go a long way towards interrupting vital processes in a way that is even harder to diagnose and repair than it would otherwise be.

The advent of computers in the office grants them even more opportunity, for the paradigm that the computer enables allows for entire new categories of chaos.  Viruses and worms could well be their agents of interruption, wreaking havoc with the vulnerable hardware and software and causing more work for the IT analogues of the mechanics of old.

It may well be that gremlins have infiltrated the offices of Microsoft and other large software vendors–new vulnerabilities come out every week for Microsoft products, but those operating systems based on technology developed before gremlins began to take an interest in computers (and those which are open-sourced and hence have fewer opportunities for a sly tweak of a bit here and there, given the number of eyes watching for that) are less influenced by their attentions.

Given the patterns of virus distribution, it may well be that gremlins’ natural habitat has moved to China, Russia, and other less-industrialized nations–this is perhaps unsurprising, given that the older machinery with which they are familiar may still be in use in some of those locations.  

Perhaps the strongest indicator of gremlin activity may be the Stuxnet worm:  beyond simply infecting systems and slowing or stopping them, the Stuxnet worm caused actual damage to machinery–damage that was difficult to fix and in a location that required deep disassembly, a hallmark of gremlin infestation.  That the worm spread far beyond its “target” is, perhaps, a testament to their other work in finding vulnerabilities–and if it were the work of gremlins, then other examples will be likely to show up in the future.

The internet’s ability to camouflage identity may well assist the gremlins in their work.  Their natural love of mischief could well result in the sort of childish pranks popularly assigned to ‘hackers’ and the like, their elusive, shifty nature meshing well with the milieu involved.  A large part of Anonymous could well be gremlins, recruiting various regular people to camouflage their operations and to extend their troublemaking to the real world.

Gremlins would mesh quite well with the modern world, so long as they kept up with new technology, and would likely achieve some remarkable successes in troublemaking.

The recent debacle surrounding the approval of usage-based billing plans in Canada seems finally to be coming to a close–the Prime Minister there has taken an interest, and a plurality of parties have realized that quashing this particular bit of regulation is likely in their best interests.

It started when the largest telecom providers–the ones who own all the copper and fiber that the internet travels over in Canada, infrastructure that was paid for in part by the taxpayers–decided that there was no way they could continue to provide so-called “unlimited”* service to their customers.  Accordingly, they sought–and received, from a regulatory body that was mostly composed of persons with strong ties to the telecommunications industry–approval to implement so-called “Usage Based Billing.”  

By itself, as a concept, the idea isn’t quite so bad–you use more, you pay more–but the Devil, as the proverb goes, lies in the details.  Previous plans with an imposed cap allowed usage up to greater than 100 GB; for your typical web surfer, that’s not too onerous and well within their ability to comply.  Under the new regulations, however, the cap above which overages could be charged was lowered significantly; 20 GB was deemed fair–at the same price point, resulting in an effective fivefold increase in cost to the consumer.  

The overages themselves were onerous as well, with costs exceeding $1/GB–unless you live in a French-speaking area, where that cost doubled for some reason–despite the marginal cost to the ISP (the actual resources used to deliver that data) being somewhere around the one or two cent per GB range.  

Add to this that the resellers of bandwidth–those ISPs that did not own the fiber, but instead leased capacity from the major telecoms–were to be mandated to follow the same low-cap structure rather than to continue to offer so-called “unlimited” plans, and the new regulations begin to appear somewhat onerous.  

Absent a wikileaks-style exposure of the internal logic behind the move, there can be only speculation as to the underlying cause–but there are some very suggestive details that may indicate a logical reason why the larger telecom companies would take such steps.

First, there is no real competition between them: each of these top-level telecoms has what amounts to a regional monopoly; there are few markets that are served by more than one of them.  This is much like the cable TV operators in the US; they’ve expanded regionally, and once they were in a region there was no cause for any other operator to arrive.

Second, they also own the content: the programming and other services that the infrastructure carries are sold by the owners of said infrastructure.

Third, these content services directly compete with internet services–and here’s where the strongest evidence for their motivations surfaces.  Pay-per-view programming (as well as the TV programming) is delivered digitally, along the same data connection that is used for the internet services.  It takes up a comparable slice of bandwidth to internet video services (especially those specifically called out–youtube and netflix) but does not count towards the bandwidth caps mentioned above.

Logically, then, if the “preferred” content is delivered without a cap but the non-“preferred” content is capped, and if said “preferred” content is directly owned by the company doing the delivery, and it makes significantly more revenue for the company than the non-preferred content, there is a strong motivation for the delivery company to do everything it can to steer people towards this content–and to penalize customers who do not wish to consume it.

The evidence here strongly suggests that the large Canadian telecoms are attempting to monetize youtube, netflix, and similar services for their own gain.

This is similar to the tactic that the larger US ISPs have begun suggesting, that of attempting to charge the “large users” of bandwidth–again, netflix, which competes with their own video programming–for the “usage” of their infrastructure.  It is worth noting that certain interested parties are attempting to neuter the FCC’s recent decision to attempt to regulate this sort of activity; “follow the money,” as the saying goes, to determine the influence in this instance as well.

Further, there have been numerous attempts by US ISPs over the past few years to implement low-cap internet plans.  Wireless has had the greatest success here; the noted iPhone plans are limited to a 200 MB quota for normal consumers–a paltry amount of data, barely worth using.  The operators plead infrastructure overload, but have made no moves to upgrade their supply to meet the obvious demand, despite the clear profitability of doing so.

Given that ecommerce increasingly depends upon fairly significant data transfers–most modern online stores have fairly bandwidth-intensive displays with pictures and video of products, flash animations, etc.–the institution of low caps can only serve to harm commercial interests.

*The so-called unlimited plans have an inherent cap built in, which can be determined through multiplying the maximum “allowed” speed advertised for the rate by the number of seconds in a billing cycle.  The resulting product, by simple cancellation of terms, will be the theoretical maximum amount of data that can be transferred during that time.  Given that most advertised connections do not connect at the advertised speed much of the time, and given that usage drops off significantly on ‘non-peak’ hours and, hence, the link is not saturated, the implications as to the reasonableness of the caps in question should become apparent.