Assigning Blame Accurately

By evan on May 09, 2017

As a follow-up to the last articles, CBC has today published a new take on the security camera incident at a Cape Breton school last week.

“We are actually going to be sending letters and reaching out the manufacturers in the very near future,” said Jennifer Rees-Jones, a senior advisor at the Office of the Privacy Commissioner of Canada.

The office wants all manufacturers to make devices that require users to change the default password when they plug the surveillance camera in. It also said the boxes the cameras come in should have strongly worded warnings about the privacy risks if the device is not secure.

These simple steps would make Canada a world leader in IoT security. They’re not without precedent though; in March of this year, a California Senator introduced a cyber-security bill. 

As WCSR reported just last month, the bill would require manufacturers to design devices in such a way that they will

– … indicate to the consumer when it is collecting information
– obtain consumer consent (presumably through some form of user interface) before the device collects or transmits information

CBC spoke with experts again:

“Some of them have very strong security. Some have no security at all. Some have very weak and hackable security settings,” said Robert Currie, director of the Law and Technology Institute at the Schulich School of Law at Dalhousie University.

Tom Redford of Wilson’s Security in Dartmouth said … “If it’s just left at factory default, you’re leaving yourself susceptible to being hacked,” he said.

The default is to transmit, with no password and no authentication. It’s working as designed. To call it a “hack” implies those viewing the public feed are at fault.

Redford suspects a lack of passwords may be to blame.

The lack of passwords is an issue, and was certainly relevant. The question is why were there no passwords? The user manual for the device in question recommends setting a password and protecting the video feed.

If the device had defaulted to password protected, as the Office of the Privacy Commissioner of Canada requested in 2015, this may not have been an issue.

Nova Scotia’s privacy commissioner and the Cape Breton-Victoria Regional School Board have launched investigations into how the security camera was left open to the internet.

School officials have not revealed the results of their inquiry, but are calling it an “isolated incident.”

From discussions with another school board, it appears likely that a hole was explicitly opened in the school’s firewall to allow it through. That would imply there was a conscious decision to make the cameras available publicly.

I strongly recommend reporters dig a bit deeper on this issue. For example:

  • Who requested the cameras?
  • For what purpose?
  • Who requested they be available publicly?
  • Did the IT department read the manual, and make appropriate recommendations?
  • If they did, were they overruled, and if so, by whom?
  • Whose responsibility is the security of the devices attached to the network?

The Russians are Coming

By evan on May 08, 2017

Last week several webcams at a Cape Breton school were discovered to be broadcasting publicly, and indexed by a search engine, at insecam.org. The camera was taken down after the incident was reported, but CBC’s coverage by Susan Bradley and Jack Julian leaves much to be desired.

(Privacy Commissioner) Tully said passwords need to be encrypted and the length of time images are kept should be limited so they are less likely to be accessed.

The recommended practice is to hash passwords, not encrypt them. That being said, this advice is inapplicable to the issue at hand, and doesn’t address the fact that the device was using the default password, as evidenced by the screenshot that says change password.

Charlene Chaisson, a parent of two children at the school, spoke to CBC:

“All I can add is that although it’s my son in the image and it’s alarming, I don’t blame anybody for it happening. Things get hacked all the time and hopefully now the cameras are secure.”

Nothing was “hacked.” One can find default passwords for most devices online in aggregated lists of passwords, or in the user manual for the device. In fact, the manual for the camera in question details how to password protect the camera feed, and explicitly says to set a password for security reasons.

CBC did talk with a cybersecurity expert:

Daniel Tobok, a cybersecurity expert in Toronto, said the problem of webcam images being streamed around the world is common…

… He blames the way the webcams are connected directly to the internet.

With the ever-impending migration to IPv6, more and more devices will be connected to the internet. The issue is not connecting devices to the internet. IP security cameras are designed to connect to the internet, and restricting one with a firewall would have only resolved this issue by rendering the device inoperable at best, or limiting the exposure to the school’s own network at worst.

Not once in the article did the CBC or the cyber-security expert mention ‘changing the default password’ on devices, which in 2014 Infoworld ranked one of the Top 10 Colossal Security Mistakes.

Insecam.org’s FAQ does tell users both how to fix their camera and how to remove their camera from the site.

Q: How to remove my camera from this site
A: If you want to leave your surveillance camera public accessible but want to remove it from this site send the URL of your camera to email from contacts section. But remember that your camera still will be available to all internet users that use surveillance camera search software and sites like Shodanhq.com. The only solution to make your camera private is to set up a password!

As of May 4, it was no longer linking to the Cape Breton camera.

Kris Klein, a privacy lawyer in Toronto, had this to say:

“You don’t know who was looking at them,” Klein said. “It’s not to say that they were necessarily doing anything wrong, it’s just the fact that they had their own personal image broadcast and made available to the public at large via these shady characters.”

Appeal to emotion aside, the feed was available only because the school board’s own IT staff didn’t read the manual. With accurate reporting of the issue, one realises the school board employees that set up the camera are the “shady characters” who made the broadcast public.

Trusting people on the internet.

By evan on May 29, 2016

An issue.

Who do you trust on the internet? It’s a simple question, with a horrendously complex answer.

Some of the key underpinnings of the internet, like DNS and Certificate Authorities, are trust based. You believe that https://google.com isn’t impersonating the real Google because GeoTrust vouched for them. They believe Google because someone submitted a request from webmaster@google.com (yes, that’s a bit of an oversimplification, but accurate in most cases).

You can’t really trust DNS, at least, without something like DNSSEC. It also leaks a lot of information, like a list of every single website you’ve ever visited. Worst case scenario, someone could man-in-the-middle a Certificate Authority’s DNS provider and get certs for anything by ‘proving’ that they’re really webmaster@yoursitehere.com. In short, yes, the CAs that you trust to vouch for people themselves trust DNS, something with no encryption or validation or verification in any way, shape or form.

Cool.

This would be fine if all the big players were trustworthy. You can trust the CA because a vendor vouched for them (or their friends). And of course, vendors are always trustworthy. Yes, that is sarcasm.

Faith might be a better word than trust.

After the BlueCoat news, I started thinking about how the internet would look without faith. That is, instead of the implicit belief that any given agent/actor/person is trustworthy, simply have them prove whatever it is you want to know. There’s also the pesky issue of expiry dates being abused for revenue generation, but I digress.

A good place to start thinking about this is Tor hidden services. It’s an entire encrypted network, without any external DNS provider, without any external CA, but it still allows you to prove you’re talking to someone and that you’re talking to the same someone every time. The problem is that Tor is anonymous by design, which is awesome if you want to buy drugs on the internet (that’s a fair statement, if incomplete), but for any tangible transactions I need to *prove* who the other person is, and hidden services explicitly prevent that (unless you’re at https://facebookcorewwwi.onion, which is a whole other issue). Tor also has root servers which, though very resilient, are still root servers.

The end goal is really having verifiable evidence, or proof that abc.xyz is at 172.217.4.78, and proof that abc.xyz is actually ‘Alphabet, Inc.’ In the current faith-based model, DNSSEC provides the former, and Certificate Authorities provide the latter. 

A solution.

The question becomes, how do we do that? The answer is blockchains, and it’s very simple. Every block is a DNS record at a point in time, contains a public key for https (this would be akin to HPKP), and is signed by the organization with the same keypair. When you look up a DNS record (a block), you search from most recent to oldest and stop when you get a hit. Every DNS record contains a hash of the one before it, making it infeasible to falsify any records.

In short, the bastard lovechild of DANE and namecoin.
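
A minimal sketch of the record chain described above, written in Go as an added example (it is not the author's code or any existing project's). It assumes Ed25519 signatures, SHA-256 links, and a rule that a name stays bound to the key that first claimed it; the names, keys and addresses are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Record is one block: where a name points, and the key its owner signs and serves HTTPS with.
type Record struct {
	Name, Addr string
	Key        ed25519.PublicKey
	PrevHash   [32]byte // hash of the block before this one
	Sig        []byte   // signature by Key over the fields above
}

func (r *Record) signedBytes() []byte {
	return []byte(fmt.Sprintf("%q|%q|%x|%x", r.Name, r.Addr, r.Key, r.PrevHash))
}

// Hash covers the signed fields and the signature, so neither can be swapped later.
func (r *Record) Hash() [32]byte {
	return sha256.Sum256(append(r.signedBytes(), r.Sig...))
}

// Append signs a new record with priv and links it to the current chain tip.
func Append(chain []Record, name, addr string, priv ed25519.PrivateKey) []Record {
	r := Record{Name: name, Addr: addr, Key: priv.Public().(ed25519.PublicKey)}
	if len(chain) > 0 {
		r.PrevHash = chain[len(chain)-1].Hash()
	}
	r.Sig = ed25519.Sign(priv, r.signedBytes())
	return append(chain, r)
}

// Verify walks oldest to newest. Assumed rule: a name keeps the key that first claimed it.
func Verify(chain []Record) error {
	owner := map[string]ed25519.PublicKey{}
	var prev [32]byte
	for i, r := range chain {
		switch k, seen := owner[r.Name]; {
		case r.PrevHash != prev:
			return fmt.Errorf("block %d: broken hash link", i)
		case len(r.Key) != ed25519.PublicKeySize || !ed25519.Verify(r.Key, r.signedBytes(), r.Sig):
			return fmt.Errorf("block %d: bad signature", i)
		case seen && !bytes.Equal(k, r.Key):
			return fmt.Errorf("block %d: %s signed by a different key", i, r.Name)
		}
		owner[r.Name], prev = r.Key, r.Hash()
	}
	return nil
}

func Lookup(chain []Record, name string) (Record, bool) {
	for i := len(chain) - 1; i >= 0; i-- { // newest to oldest, stop at the first hit
		if chain[i].Name == name {
			return chain[i], true
		}
	}
	return Record{}, false
}

// demoKey derives a fixed keypair from a label (constructed sample data only).
func demoKey(label string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte(label))
	return ed25519.NewKeyFromSeed(seed[:])
}

// DemoChain is a constructed chain using documentation-range addresses.
func DemoChain() []Record {
	a, b := demoKey("example.org owner"), demoKey("example.net owner")
	c := Append(Append(nil, "example.org", "192.0.2.10", a), "example.net", "198.51.100.7", b)
	return Append(c, "example.org", "192.0.2.99", a) // example.org moves hosts
}

func main() {
	rec, ok := Lookup(DemoChain(), "example.org")
	fmt.Println(rec.Addr, ok, Verify(DemoChain()))
}
```

A client that holds the chain locally resolves a name and learns the pinned key without sending a query; a record appended under someone else's key, or an old block edited in place, fails `Verify`.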

The only real downside of this is losing vanity domains. I’m not sure that’s a real problem, given the recent explosion of TLDs and the massive abuse of domain resellers. Browsers are starting to remove the URL from the address bar anyways. The obvious loss is writing domains down on business cards, but that’s a solved problem with QR codes. It has no bearing at all on links or bookmarks. There’s always the potential for adding an alias, but that becomes subject to cybersquatting. But then, that’s no worse than what we have now.

In addition to the privacy afforded by local DNS lookups, we also effectively have local X.509 certificates. A client doesn’t need to ask for a cert in the clear, it already has one. That is actually a thing and it has been used to track down hidden service operators on the public internet, when they share a keypair. We can skip the first two parts of the SSL handshake, and go right to key exchange.

This becomes figuratively impossible to spoof. There are simply no records over the wire to MITM, every record is verifiable, and the client simply can’t connect to the server without the right record. Zooko’s triangle aside, this is nearly a holy grail.

This is also impossible to tamper with, at least, without the right keypair. Politically driven domain seizures would be a thing of the past.

The only element of trust left, is on a site by site basis, that is, do you trust the operator? That’s simply not a technical issue.

Skipping the SSL handshake breaks SNI, so we need to address that as well. SNI does have other issues, like the unintended side effect of allowing a third party to see what website you’re requesting. Since this system values authenticity AND privacy, that needs to be dealt with. The best method I’ve come up with (and this could also be applied to the internet as it exists now) is to store an SNI public key in the DNS record. The client then encrypts the domain it’s requesting with that key, and a salt. The salt is important; otherwise there’s still a 1:1 relationship between the raw domain and its encrypted equivalent. This solves the privacy issues with SNI while also ensuring compatibility with alternative DNS schemes.
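
The salted SNI scheme above, sketched in Go as an added example and not code from the post. RSA-OAEP with a 2048-bit key and a 16-byte salt are assumptions of this sketch; the post does not name an algorithm or sizes.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const saltLen = 16 // assumed salt size

// NewSNIKey makes the keypair whose public half would be published in the DNS record.
func NewSNIKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptSNI is the client side: salt || name, encrypted to the published SNI key.
func EncryptSNI(pub *rsa.PublicKey, name string) ([]byte, error) {
	msg := make([]byte, saltLen, saltLen+len(name))
	if _, err := rand.Read(msg); err != nil {
		return nil, err
	}
	msg = append(msg, name...)
	// OAEP padding is itself randomized; the explicit salt follows the post's description.
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
	if err != nil {
		return nil, fmt.Errorf("encrypt SNI for a %d-byte name: %w", len(name), err)
	}
	return ct, nil
}

// DecryptSNI is the server side: decrypt, drop the salt, return the requested name.
func DecryptSNI(priv *rsa.PrivateKey, ct []byte) (string, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
	if err != nil {
		return "", err
	}
	if len(msg) <= saltLen {
		return "", errors.New("encrypted SNI too short to hold a name")
	}
	return string(msg[saltLen:]), nil
}

func main() {
	priv, err := NewSNIKey()
	if err != nil {
		panic(err)
	}
	a, _ := EncryptSNI(&priv.PublicKey, "example.org")
	b, _ := EncryptSNI(&priv.PublicKey, "example.org")
	name, _ := DecryptSNI(priv, a)
	// An on-path observer sees a and b; they differ even though the name is the same.
	fmt.Println(name, "| identical on the wire:", string(a) == string(b))
}
```

With this key size OAEP leaves 174 bytes for the name after the salt, so a maximum-length 253-byte DNS name is rejected by `EncryptSNI`; a real design would need a larger key or a hybrid scheme.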

Open to comments or thoughts, this would be a fairly radical change to the basic underpinnings of the internet, but a necessary one in my opinion.

 

Makerspace Survey Results

By evan on Mar 18, 2016

I put together a survey and sent it to the HMS mailing list, reddit, linkedin, etc.

As of writing there are 81 responses, one of which is an obvious troll. The raw data is available here 

TL;DR: a space will never work for *everyone* but it can work for a lot of people.

Some key points:

  • Tech is far more popular than fine arts
  • 70% want there to be about 1000sqft, 80% want 1500sqft. The other 20% want more.
  • Dartmouth requires fewer people (~40) than Halifax or Burnside do to be sustainable (~53)
  • 70% of respondents have a car
  • 83% of respondents are over 22 years old (most students are <22)
  • There’s a clear willingness to pay extra for perks (like a locker)
  • People are interested in drop-in fees, like a gym
  • 9-5 Monday to Friday is not entirely necessary (and thus creates opportunities for shared space with business)
  • 20% of respondents want studio space, but want it at unsustainable rates.

The Actual Space

The first few questions were designed to find out what people wanted to use a space for, and how much space they think is needed. There’s a reason I didn’t specifically tie size to location, which I’ll get back to in a bit. What people think is needed and what is actually needed are two entirely different things. The former I can find out with a survey. The latter depends what people want to use it for.

Planned use
72% of 81 respondents want 3D printing and/or CNC. We’ll call that ‘Automated Making’ for lack of a better phrase.
65% want Soldering and Electronics.
58% want woodworking
44% Welding / Metalworking

On the other end of the scale,
17% want fine art and textiles,
8% want ‘other’, a few of which included sewing.

How Often?
38% would use a space weekly,
33% biweekly,
23% monthly.

Just a few would use it daily.

Time of day
90.1% want access on the weekend during the day,
81.5% want access through the week in the evenings.

Compare that with
34.6% who want access 9-5 Monday to Friday.

This implies a business partnership or colocation could work.

Studio Space
One question that a board member had me add was ‘would you pay for studio space?’

21% of the 43 people that responded said yes. Of those, about half said what they would pay and for what, and answers varied wildly, but were around $0.50 to $1 per square foot (or about 5-10% of actual commercial rents)

Financials

50% of respondents would pay $10 a month for a locker;
16% would pay $20;
8.6% would expect one to be included.

43.2% of respondents would pay $25/month
33.3% would pay $50/month
6.2% would pay $100/month

Many of the write-in responses were $10/visit. Based on these numbers, and on the use numbers, tiered access is feasible. I would say modelling it after gym memberships isn’t a horrible idea.

Assuming people were charged exactly that, we can consider the average base income per person to be $41.90.

Demographics

These questions were added early on and didn’t capture the first few respondents.

81.4% of respondents were male, 17.4% female, 1.4% were other.

Their age ranges are
15% 16-22,
55% 22-35,
28% 35-65,
0% 65+

This is entirely unsurprising as most of the 22-35 crowd are (statistically) living in apartments and have no space to work on projects or hobbies.

Only 10% of respondents have children that would participate. Of those, 7.5% are in elementary school.

50% of respondents have a university degree.
25% have a college or trades diploma
19.7% have some post secondary.

 

Location

74% of respondents have a car.
18% of respondents rely on the bus.

The location was asked in the way ‘where are you willing to go?’

81% would travel to the peninsula
58% would travel to Dartmouth
53% would travel to Burnside.
49% would travel to Clayton Park
46% would travel to Bayers Lake

Sackville, Spryfield, and Cole Harbour are all around 20%.

It definitely seems to follow commute patterns, and is clustered. If someone will go to Cole Harbour they’ll almost always go to Dartmouth, and if someone will go to Bayers Lake they’ll almost always go to Clayton Park. People without cars generally choose the peninsula and Dartmouth. Nobody without a car chose Burnside.

Looking at only those who rely on transit, 65% are willing to go to Dartmouth.

I will admit, the data does show a measurable preference for the peninsula. Now the question is, is it feasible?

I’ll look at the numbers to break even on gross space costs here. Suffice to say that’s only part of the story and doesn’t include internet, insurance, power, etc. This chart makes many assumptions but is a good starting point. It’s based on the number of people who *want* a makerspace: if 100 want one, and 19 of those wouldn’t go to Halifax, I’m weighting the results by that percentage. As before, the average revenue per person was $41.90.

In short, it’s the bare minimum threshold at each size to have a viable makerspace.

| Location | Would travel | 500sqft / 5% | 750sqft / 29% | 1000sqft / 69% | 1500sqft / 80% | 2000sqft / 100% |
|---|---|---|---|---|---|---|
| Peninsula (~$22) | 81% | 916 / 27 people | 1375 / 41 people | 1833 / 54 people | 2750 / 81 people | 3666 / 108 people |
| Dartmouth (~$15) | 58% | 625 / 25 people | 937 / 30 people | 1250 / 41 people | 1875 / 62 people | 2500 / 82 people |
| Burnside (~$14) | 53% | 583 / 26 people | 875 / 40 people | 1167 / 52 people | 1750 / 79 people | 2333 / 105 people |

 

Interestingly enough, even after weighting for ‘who would go there’, Dartmouth is feasible with fewer people.

Now, no one wanted a 500sqft or a 750sqft makerspace. Based on the intended usage, 1000sqft is probably fine and more is better as it grows.

Based on these numbers, the same space would need 80% as many people to be sustainable in Dartmouth as it would on the peninsula or Burnside. Realistically, many of those that are willing to travel to Burnside are probably also willing to go to north end Dartmouth, especially along Windmill and near the new bridge. To be fair, Halifax Peninsula is more desirable, but only really once we’re over about 80 paying members and only if a perfect spot were to come up, with parking for the 75% with cars, and substantial floor space.

 

Partnership

The other part of this survey was about retail sales, looking at what people would be willing to spend on components / as markup.

Having quality parts nearby was more important than price, and in fact people are willing to accept a reasonable markup from as high as 100% on smaller items to 25% on more expensive items. There is definitely an opportunity for a space to derive revenue from component and supplies sales. 94% of people were willing to go pick up parts, be it at a makerspace or elsewhere. More people buy things locally than order overseas, and nearly as much as ordering domestically. 23% of people do mail order purchases.

A question that *should* have been asked, “how much do you generally spend on components and raw materials each month” unfortunately wasn’t, so I can’t derive an estimated revenue.

RIP Twitter; 2006 – 2016

By evan on Feb 10, 2016

It has been reported that Oceania Twitter has appointed a Ministry of truth trust and safety council.

As if that’s not ungood bad enough, it’s spearheaded by none other than Anita Sarkeesian, of Feminist Frequency, well known for her fair and impartial views utter bullshit.

Jack must be insane.

Twitter will be tumblr within the year. A psychotic echo chamber where trigger alerts and perceived offense trump reality. Where mental disorders foxkin are celebrated. Where objectivity and reason are unallowed strongly discouraged.

At the risk of invoking Godwin’s law, I’ll leave it on this note.

image

Tor Rate Limiting

By evan on Jan 31, 2016

If you know much about Tor, you know that all connections come from localhost. Even though it’s old news (I first heard about this a year ago) it has come up in the news recently.

It reminded me of a proof of concept I wrote for rate limiting hidden services, or alternatively, any service where you can’t distinguish users. Basically, you have them prove they did some amount of work (and therefore spent a certain amount of time between requests)

Factoring a semiprime, for example. It’s slow, which is why it is the basis of RSA encryption. More on that in the near future 😉

Full source at github

Update (Feb 15): There’s now another version of this concept available, which operates more similarly to bitcoin.
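
The idea above as a runnable Go sketch, added here as an illustration and not taken from the author's GitHub proof of concept. The HMAC tag on each challenge, the single-use tracking and the trial-division solver are assumptions of this example; the prime size is the knob that sets how much work each request costs.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Server issues factoring challenges and admits one request per solved challenge.
type Server struct {
	secret []byte          // MAC key, so clients cannot invent easy challenges
	bits   int             // size of each prime factor: the cost knob (<= 31 in this demo)
	spent  map[string]bool // challenges already redeemed
}

func NewServer(bits int) (*Server, error) {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	return &Server{secret: secret, bits: bits, spent: map[string]bool{}}, nil
}

func (s *Server) tag(n *big.Int) []byte {
	m := hmac.New(sha256.New, s.secret)
	m.Write(n.Bytes())
	return m.Sum(nil)
}

// Challenge returns a fresh semiprime n = p*q and the server's MAC over it.
func (s *Server) Challenge() (*big.Int, []byte, error) {
	n := big.NewInt(1)
	for i := 0; i < 2; i++ {
		p, err := rand.Prime(rand.Reader, s.bits)
		if err != nil {
			return nil, nil, err
		}
		n.Mul(n, p)
	}
	return n, s.tag(n), nil
}

// Redeem checks the proof: one division for the server, a factoring job for the client.
func (s *Server) Redeem(n *big.Int, tag []byte, factor *big.Int) error {
	switch {
	case n == nil || factor == nil || !hmac.Equal(tag, s.tag(n)):
		return fmt.Errorf("challenge was not issued by this server")
	case s.spent[n.String()]:
		return fmt.Errorf("challenge already redeemed")
	case factor.Cmp(big.NewInt(1)) <= 0 || factor.Cmp(n) >= 0 ||
		new(big.Int).Mod(n, factor).Sign() != 0:
		return fmt.Errorf("not a non-trivial factor of n")
	}
	s.spent[n.String()] = true
	return nil
}

// Solve is the client's work: trial division by odd numbers up to sqrt(n).
func Solve(n *big.Int) *big.Int {
	v := n.Uint64()
	for d := uint64(3); d*d <= v; d += 2 {
		if v%d == 0 {
			return new(big.Int).SetUint64(d)
		}
	}
	return nil // n was prime or even; never the case for a genuine challenge
}

func main() {
	srv, err := NewServer(20)
	if err != nil {
		panic(err)
	}
	n, tag, _ := srv.Challenge()
	f := Solve(n)
	fmt.Println("n =", n, "factor =", f, "| first use:", srv.Redeem(n, tag, f), "| replay:", srv.Redeem(n, tag, f))
}
```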

Prosody

By evan on Mar 13, 2015

Was trying out a few XMPP servers recently. Prosody was the easiest to set up by far.

Five min, start to finish, using the same certs as my Apache server.

http://prosody.im/

Save the library; It’s our only hope

By evan on Feb 25, 2015

Update: I ended up hearing back from Waye Mason right away, and Savage a month later saying the information in The Coast was inaccurate.

 

Dear Mr. Mayor, Councillor Watts, and Councillor Mason,

Regarding this news article: http://www.thecoast.ca/RealityBites/archives/2014/12/09/volta-labs-wants-the-old-library

Halifax, as I’m sure you’re aware, is bleeding population. Our past is dying of old age, and our future is moving out west; to Ontario, to Alberta. There is one industry that isn’t running away as fast as they can. Tech. As I’m sure you’re aware, even Google has recognized Halifax as a (as much as I hate to say it) world-class city.

Up until just last week, I was planning on leaving Halifax forever. I didn’t particularly want to, I had no choice. I’m having a child in a month, and want to do what’s best in the long run. I got lucky, and found a very good job at the last second here in Halifax.

There are hundreds of people with million dollar ideas, but don’t have the opportunity to flesh them out. A million dollar idea without the ability to follow through is worth less than the paper it’s printed on.

Mayor Savage, every time you speak at a tech or startup related event, you make sure to mention how important the tech industry is, how you support it, and how you want people to succeed. Ever since the very first Apps4Halifax hackathon at Volta.

Volta is basically at capacity right now. There are far more applicants than can be housed. The companies are also limited to a small office, with little to no infrastructure other than a couple of boardrooms and a common area. This is great for those software companies that can get in. Hardware unfortunately, not so much. There are many people in Halifax who are at the forefront of hardware development. We have a huge ICT student population, we have dozens of IT companies. We have military contractors, biomedical companies. Did you know one of the designers of the Commodore 64 works in Burnside?

Yet we have a city that claims to be on board with “open data” yet stonewalls any attempt to use it to the citizens’ benefit. We have a community workshop, Halifax Makerspace, that can barely sustain itself and is at the whim of discretionary spending by quasi-governmental organizations. Mayor Savage, I’ve sat in an audience at least three times in the last year and you made it clear you want the tech industry to succeed.

I want you to live up to that.

I recently traveled to Waterloo, Ontario. What I saw there was a tech mecca. Not only is the ICT industry encouraged, it’s actively supported by the local and provincial governments. Things that programmers do for fun in Halifax, are well funded startups in Waterloo. Google chose to make its home there. Facebook is moving in. Twitter is moving in. There are billions of dollars of investments going into the city. In two days there, I was approached about employment no less than three times. I’m still getting calls, asking me if I’d move there. In those same two days, I saw the bleeding edge of tech in North America. Canadian Tire, TD, Manulife, all of these companies are pouring money into R&D.

Why not here?

Waterloo is only the size of Dartmouth, but with four hundred tech companies. They have not one, but three startup incubators, (Communitech, Communitech Hub, and Velocity Garage, which specializes in hardware). They are easily 15 years ahead of us right now, and I truly believe we can do better.

The old library is a huge stepping stone. It would provide Volta the opportunity to expand into hardware, to bring in more companies, and to better support the local ICT industry. Plus, from my understanding, the plan is to have the hardware lab and common areas open to the public. This is a $200,000 hardware lab that would make the Makerspace look like a playschool. The only thing they need is a place to set up shop.

Why tear the building down to build a park? This could be game changing! We have parks. In fact, we have a lot of parks. But I can’t think of a single multi-million dollar company started in a park. I can’t think of any high paying jobs created in a park. Volta was founded by self made men. They started with nothing, and turned their knowledge into millions.

People aren’t going to come back for a stroll in yet another park downtown. They’re going to come back because they can support their family. Waterloo doesn’t have any innate advantage over Halifax. They just have support. People want to move here, but they don’t have opportunities. People don’t have a future here.

Mayor Savage, I ask that you give them that future.

Sincerely,
Evan d’Entremont

HexBed

By evan on Jun 17, 2014

Bed sitting in place before installing mounting hardware

As some people may know, Chris MacDonald and I have been building a Rostock style 3D printer.

When it came time to pick up a bed, (more…)

Halifax 1:1 Minecraft Server

By evan on May 09, 2014

It’s back! Hopefully this time for good, seems every time I put it up I had to move two weeks later.

It’s down. Likely for good this time, I don’t have the time to maintain it and the server software isn’t being updated on a regular enough basis. I still have the world files if someone wants to take it over.

It’s back again. world.minecrafthfx.ca Bukkit isn’t supported anymore so it’s JUST the Halifax map.

This is a 1:1 representation of Halifax created from the 1m LIDAR data available upon request from HRM Link to 5m

It’s running an older version of bukkit at the moment, I hope to update everything over the next few weeks. You can connect with Minecraft 1.6.2 (I think)