Forgot your password?

Comment: Re:CloudFlare is a nightmare for anonymity (Score 1) 66

by IamTheRealMike (#48027061) Attached to: CloudFlare Announces Free SSL Support For All Customers

Occams Razor says ...... networks like Tor which are incapable of handling abuse by design ...... get a lot of abuse! So not surprisingly networks that have advanced anti-abuse controls in place throttle it a lot. Otherwise you're just asking to get crawled by SQL injector searchers and so on. This is not CloudFlare's problem, it's inherent in how Tor works and what it's trying to achieve. Solving it means finding a way to trade off anonymity against accountability using user reputation systems or the like, but the Tor project has shown little interest in implementing such a thing, so all Tor users get treated as a whole.

Comment: Re:Now how about the third party ad networks (Score 1) 66

by squiggleslash (#48026031) Attached to: CloudFlare Announces Free SSL Support For All Customers

Looking at the Wikipedia page, the two EOL'd environments that stand out are:

- Android browser on Gingerbread (and older) - hopefully this'll be solved soon, Gingerbread is finally disappearing but it's taken a while.
- Internet Explorer on Windows XP.

Everything else seems to be the kind of environment where if you're still using a browser that cannot support SNI then you're probably running into all kinds of problems anyway.

(I would like to think that Windows XP users are using Firefox these days, but...)

Question: aren't there privacy issues associated with SNI? shows no attempt to munge the server name. So even though a third party might not be able to determine what content you're trying to access, they probably can intercept - albeit with the victim experiencing an interuption in service - the hostname and determine whose content you're trying to view.

Comment: Re:Can someone explain how someone is exploited? (Score 3, Interesting) 323

by squiggleslash (#48019297) Attached to: Bash To Require Further Patching, As More Shellshock Holes Found

Kinda. With "Mark 2" it becomes considerably more difficult, as you have to find a way to set an environment variable to the same name as a command that'll be executed - at least, from the proof of concept exploits I'm seeing. So even if a badly configured webserver sets HTTP_HOST to "() { wget ; chmod +x; ./; }", unless your script actually tries to run a program called HTTP_HOST it shouldn't be called.

(If I'm wrong, expecting angry flames now ;-) Please though include details of why.)

Comment: Re:Issue with FSF statement... (Score 2) 208

by squiggleslash (#48009263) Attached to: Apple Yet To Push Patch For "Shellshock" Bug

I suspect large numbers of people saw the bug, but didn't realize the implications and took no action knowing that the last thing you want to do with a programming language (which a shell like a bourne implementation implements) is change what constitutes valid code.

What does this mean? Unsure. It's always been bad practice to use system() or similar calls to start other apps. What this issue has revealed is not so much that bash has a bug in it, but that rather too many applications rely upon bash and shouldn't. Bash is always a vector, and writing code that calls it already means working a great deal on input validation exercises that risk failure.

The scary part is that a significant amount of the *ix community doesn't care - they call system() anyway, or blindly allow the shell environment to be modified, without asking themselves whether this is a good idea.

Comment: Re:Full Disclosure can be found on oss-security... (Score 1) 399

by squiggleslash (#48008409) Attached to: Remote Exploit Vulnerability Found In Bash

One thing missing in all of this is how do I exploit it? In the example you give, that's not clear.

So far as I can determine, the only time this is going to be exploited is if you have some way of manipulating the environment of the shell. I can't think of a CGI variable that's directly set to the content of something the caller has enough control over, pretty much all of them are munged, have mandatory punctuation incompatible with use as a function placed at the beginning, or are impossible to put parentheses and punctuation in.

Perhaps I'm wrong. But I'm inclined to think the entire thing is overblown for two reasons. First, the difficulty of setting the environment in the first place, and secondly the fact making system() calls, etc, is always a red flag for those checking for security holes (and is rare and usually unnecessary) because of the other potential issues with calling a program that literally has direct control over a substantial amount of your computer.

Which is not to say that, for example, the DHCP exploit that's been mentioned isn't terrifying, but even that... why the hell does the DHCPD client, by default, allow the environment to be changed via an insecure DHCP environment anyway?

Comment: Re:There is no political solution. (Score 5, Insightful) 211

by IamTheRealMike (#47991211) Attached to: Australian Senate Introduces Laws To Allow Total Internet Surveillance

It would be nice if that were the case. Unfortunately it's hard to see how it can be. The technology industry has a poor track record of deploying truly strong end to end privacy protections, partly because the physics of how computers work mean that outsourcing things to big powerful third parties that can be easily subverted is very common. E.g. my mobile phone can search gigabytes of email from the last decade in a split second and rank it by importance, despite having nowhere near enough computing capacity to really do that itself, only because it's relying on the Gmail servers to help it out.

That same phone can receive calls only because the mobile network knows where it is. How do you build a mobile phone that is invulnerable to government monitoring of its location? It doesn't seem technically possible. The only solution is to ensure that anonymous SIM cards are easily obtained and used, but many countries have made those illegal as part of the war on drugs.

This trend towards outsourcing, specialisation and sharing of data to obtain useful features is ideal for governments who can then go ahead and silently obtain access to people's information without those people knowing about it. I do not see it reversing any time soon. The best we're going to achieve in the near term future is encryption of links between devices and datacenters, but this doesn't help when politicians are simply voting themselves the power to go reach in to those datacenters.

Ultimately the only long term solutions here can be political, and I fear we will need a far longer and larger history of abuses to become visible before the majority will really shift on this. The problem is a large age skew. Older people skew heavily authoritarian, if you believe the opinion polls, and are much more likely to support this kind of spying. Perhaps they associate it with the cold war. Perhaps the old adage "a libertarian is a republican who wasn't mugged yet" has some truth to it. Whatever the cause, the 1960's baby boom means that demographically, older people can outvote younger people as a block, and for this reason there aren't really any fiscally conservative, economically trusted AND individual rights-respecting parties in the main English speaking countries. People get to pick between borrow-and-spend socialists with an authoritarian bent, and fiscal conservatives with an authoritarian bent, so surprise surprise we end up with people in power who are authoritarians.

Those who can, do; those who can't, simulate.