October 24, 2007

Comcast performs Denial of Service attacks against its customers.

Recently there has been some huff in the news about torrent users getting shutdown. Not police raids, or lawsuits, but by their ISP. It isn't that Comcast is simply traffic-shaping the internet communication of its customers in order to achieve performance standards. It turns out that Comcast is using dark-arts techniques in order to silence data traffic that it doesn't like.

The recent case was an attack against P2P, which is traffic that you and I may share when transferring files between each other. A good portion of the time, this file-sharing technology is used to trade copyrighted media between consumers. However, it is a legitimate technology for sharing files nonetheless. We don't ban the use of money simply because people can buy illegal drugs with it, nor should P2P traffic or torrents be singled out. For example, most of the open-source, free Linux distributions are very large, and the most efficient method of sending and receiving them is by sharing them between consumers, instead of everyone downloading from one central point and 'clogging the tubes'. This is a great way of conveying data, and it doesn't rely on a single point of distribution, but on fully independent cells who share information.

So what is the row about? Comcast is sabotaging the communications between users, sending 'disconnect' notices by impersonating the people who are sharing files. Sabotaging 'undesirable' communications is typically done by countries engaged in military warfare, or more recently by hackers attacking computer networks or services. This technique is called Denial Of Service. It is used to disrupt internet communications, often by causing traffic jams. The analogy was well made that if Comcast was a phone company and didn't like what you were talking about, it might break into the conversation and impersonate your voice, telling the other party you had to go and not to call back.
The most interesting thing about this story is that Comcast originally lied about using the tactic of impersonation, then got busted, lied again, and now they have switched tunes and are admitting to it, calling it 'delaying'.

Does this technique benefit Comcast? Obviously so. Is it legitimate, or even legal? Probably not.

UPDATE: Comcast Internal PR-Spin Memo Leaked

October 22, 2007

It's Done. xB Browser 2.0.0.8 is here.


Okay this has been quite a week. I've been taxing the rest of the team to death, and I sense a revolt coming. So here I am, coming up for air, dropping the latest xBB, and giving some hints. This latest xBB is all about the installer. This installer is good for free users, xB Plus clients, and xB Pro clients. It gets even better... new users can create demo accounts and trial xerobank right from the installer! And the download is as small as ever.

Regarding the browser itself, we cleaned it up for Vista, and improved some of the structure. Soon it will be getting a much stronger overhaul. We updated everything in it, as per usual: Firefox/Gecko core, plugins, new plugins, Tor, etc.

So I'm done with version A, and we're uploading it. Still some planning on how we are going to do upgrades from one installer to another, considering that xB Browser doesn't use the registry for info storage.

Download it from the beta folder here.

October 15, 2007

xB Browser 2.0.0.8

Held back on 2.0.0.7 because it wasn't ready for push, nor necessary [theoretical QT vulnerability for firefox (PLUGINS DISABLED IN XB BROWSER), not critical] and we are in the middle of a bigger/better software build. Should be ready in just a couple more days. We've built an installer for the program, so you can put it on your hard drive or USB drive. I've written some code that allows you to provide your xerobank transaction ID to autodownload your activation keys, and I'm thinking of how to add this into the browser or installer or both. I'm considering combining the software with xB VPN for our new product release. This should be interesting to say the least. Lots of least-resistance design coming up. Perhaps there should be a simple product downloader instead of a pre-packaged downloader?

I edited the software, experimentally, to allow it to run concurrently with firefox. Well, it kind of works. But if you try to start firefox afterwards it just opens up another xB Browser window, which is kind of annoying. Going to need a customized theme for xB Browser once we get it all sorted out.

That way it could look up your product with the transaction ID, and grab the software you need or request.

Still thinking about it...

October 14, 2007

Lunch with the FBI

Last Wednesday I had lunch with the FBI, whom I had run into at the UTA security conference. We met at Chili's and had blue-cheese burgers, and one of the agents had a honey-mustard chicken-finger salad. Amongst some of the things we discussed was XeroBank. I brought it up.

I mentioned that we will shortly be opening up servers in the US, and would like to avoid any unnecessary raids of our data-centers, as they are an inconvenience to all. Such an arrangement would also help them avoid any embarrassing situations where they end up pointing guns at geeky technicians, only to get a hard disk full of encrypted data. The essence is that we want to send a strong message to the money-fraudsters and child-pornographers that they will not be protected or tolerated by XeroBank, as they are violators of our Terms of Service, and costly offenders to all. Of course, we don't care about the activity of non-violators, and I said as much. I had to stress that unless the violators are international 'terrorists' that pose some immediate threat to human life, child-pornographers, or cash/PayPal/e-gold fraudsters, then we simply can't be bothered with anything less than a court order, which won't trace or identify the client anyway. In the situation where there is such a claim of terrorism etcetera, we will have to go to the trouble of attempting to monitor the account first to see if such a claim is valid. If we find out such a claim is valid, then the user is violating our terms of service and isn't protected by our confidentiality agreement. If the user isn't violating our terms of service, we have to decline to provide any assistance. Of course, we also know who we are dealing with, and if it is an issue of terrorism, we don't think we'll be getting a call from the FBI. In that situation the lights will turn on at the NSA, and the potential threat will be neutralized with little or no involvement from xb whatsoever. As I said earlier, if you are trying to hide from a super-powerful omniscient agency with the ability to monitor all traffic on the internet, you've got bigger problems than anyone can help you with.

Striking a balance is difficult, but it means knowing how far both parties are willing to go. It means that an agency knows they have an uphill battle, and that being given a string to pull means they can't abuse it for petty issues, nor burn their contacts, else they will be stonewalled. It also means that xb has to walk a very tight rope when given a legitimate tip that someone is abusing our service, because we have to investigate the traffic live, in addition to potentially violating the user's privacy if the client turns out to be legitimate. I think we would want to notify the user that they were requested for monitoring, and that nothing showed up, so the investigation of their account was closed. I think we should also give them a new account to restore their anonymity in our system. So if the FBI gives us a tip, and it turns out to be no good, then they have burned their chance to nab the criminal. Or if they give us a tip, and it turns out to be something petty or nothing at all, then we've all wasted our time and outraged the privacy of a legitimate client. I think it is important to have such an understanding, because XeroBank has communicated to me that they won't be subject to politically or financially motivated claims by any agency, regardless of jurisdiction.

October 7, 2007

A beacon in the darkness: Dr. Ann Cavoukian

Dr. Cavoukian recently gave a moving presentation on privacy at Waterloo University. Simply amazing. Hacktivismo should have awards, just for people like her. Click the picture below to be taken to the page where you can view the video.

Ann Cavoukian

October 3, 2007

UTA Security Conference

Greetings viewers!

I had a few requests for me to post the presentation and tips that I gave earlier today. You can download the presentation by clicking here.

Social Network - Clean House / Search and Destroy
  • Separate - Only use your real name for professional work. Don't link to your aliases.
  • Articulate - OMG, will you be LOLing when your interviewer finds out you have a 5th grade speech equivalency?
  • Obfuscate - Cover your past indiscretions with false information. Need help finding your indiscretions? Check the bottom of this post.
  • Delete - Give Google 4 months to archive your false identity, then destroy it.
Separate Your Networks
  • Real name for professional networks - LinkedIn: Steve Topletz
  • Fake name for friend networks - MySpace: Arrakis
Learn how to write a resume - distract your interviewer from your alias of "partydude04"

Stop unsolicited credit card / insurance offers
Lock down your credit report from unauthorized access
Engage in Best Practices
  • Keep your driver's license in your car
  • Carry cash instead of plastic cards
  • If you have to carry a card, carry only 1 payment card, credit card preferably
  • Shopping Online: Use FREE one-time-use credit card numbers from your bank's website.
  • NEVER carry your social security card
  • Shred bills, receipts, documents, contracts, etc.
  • Use history / tracks erasing software (like xB Browser)
  • Use encryption (ex: TrueCrypt)
  • Be careful what you use the internet for
  • USE XEROBANK SOFTWARE! (It's free and has 0 calories)
SPY ON YOURSELF

Did grandma's photo-album sell you out? Try out some of these social-network search engines on yourself. I was able to easily locate political donations, church welcomings, blogs, photos, home addresses, phone numbers, resumes, and a litany of other information about my colleagues.
  1. Wink
  2. Spock
  3. Pipl
  4. YoName