Category Archives: Internet

Shellshock Still Kicking

Oh, joy: despite a vigorous round of patching, Shellshock isn’t dead, and isn’t even resting:

Google security researcher Michal "lcamtuf" Zalewski has disclosed to iTnews that over the past two days he has discovered two previously unaddressed issues in the Bash function parser, one of which is as bad as the original Shellshock vulnerability.

"The first one likely permits remote code execution, but the attack would require a degree of expertise to carry out," Zalewski said.

"The second one is essentially equivalent to the original flaw, trivially allowing remote code execution even on systems that deployed the fix for the initial bug," he added.

— iTnews.com.au, Further flaws render Shellshock patch ineffective. Spotted via Slashdot

Posted in Internet, Software

Valde Mirum

This is soooo weird: Krebs on Security, Lorem Ipsum: Of Good & Evil, Google & China.

Posted in Cryptography, Internet

.ma Meh

Dog.ma resolves, but isn’t interesting. Opti.ma is parked, which almost seems appropriate.

Enig.ma doesn’t resolve, which also seems appropriate, and it isn’t available. And neither are mag.ma and dra.ma.

Look.ma exists but is boring.

Ma.ma doesn’t resolve and isn’t available. Nor is Kar.ma.

Nor even meh.ma.

OK, back to work now.

Posted in Internet

MDPLS Search Plugin Restored

Seems like every time the Miami-Dade Public Library system has a computer upgrade, their nifty search plugin gets lost in the shuffle. The MDPLS website recently had a major face-lift, with equivocal results on the desktop, but a much better look on my cell phone. And yes, again, the link to the search plugin vanished. And again I wrote in to complain. And again they were very very courteous in replying — I got three emails in less than two weeks, each apologizing for the delay in resolving the issue.

And now there is a new Library Tools page, with a link to install the MDPLS Quick Search browser plug‑in.

This is the same library system whose budget the Mayor keeps slashing, by the way. The library is one of the rare cultural successes of Miami-Dade county — and if you live here, MDPLS deserves your support.

Posted in Internet

Reset The Net

Posted in Internet, Surveillance

IETF’s Habermasian Resolve to Work Against Pervasive Monitoring

The IETF has issued RFC 7258, aka Best Current Practice 188, “Pervasive Monitoring Is an Attack”. This is an important document. Here’s a snippet of the intro:

Pervasive Monitoring (PM) is widespread (and often covert) surveillance through intrusive gathering of protocol artefacts, including application content, or protocol metadata such as headers. Active or passive wiretaps and traffic analysis, (e.g., correlation, timing or measuring packet sizes), or subverting the cryptographic keys used to secure protocols can also be used as part of pervasive monitoring. PM is distinguished by being indiscriminate and very large scale, rather than by introducing new types of technical compromise.

The IETF community’s technical assessment is that PM is an attack on the privacy of Internet users and organisations. The IETF community has expressed strong agreement that PM is an attack that needs to be mitigated where possible, via the design of protocols that make PM significantly more expensive or infeasible. Pervasive monitoring was discussed at the technical plenary of the November 2013 IETF meeting [IETF88Plenary] and then through extensive exchanges on IETF mailing lists. This document records the IETF community’s consensus and establishes the technical nature of PM.

The term “attack” is used here in a technical sense that differs somewhat from common English usage. In common English usage, an attack is an aggressive action perpetrated by an opponent, intended to enforce the opponent’s will on the attacked party. The term is used here to refer to behavior that subverts the intent of communicating parties without the agreement of those parties.

The conclusion is simple, but powerful: “The IETF will strive to produce specifications that mitigate pervasive monitoring attacks.”

I can’t help but see this as a shining example of the IETF living up to its legitimate-rule-making potential, as I described in my 2003 Harvard Law Review article Habermas@discourse.net: Toward a Critical Theory of Cyberspace.

Below, I reprint my abstract:

Posted in Internet, Surveillance, Writings