December 2, 2007

Where is the 'Off' button?

The US recently appeared in UK court to explain that it had the right to kidnap British citizens for alleged financial crimes. So what was once accepted as a relatively upsetting process of "extraordinary rendition" for nabbing criminals under the legitimacy of "fighting the terrorists," has now been surreptitiously downgraded in requirement to simply breaking a law in the US.

So let's clarify: If you are a British citizen on vacation and you jaywalk in the US, you can now be kidnapped if you travel outside the UK. The US will redirect flights, conspire with non-US customs agents, and then spit in the face of another country, in their own court, hiding behind sovereignty and previously uncontested case-law.

Readers, consider the implications if such actions are universalized: What happens if I break a law of another country, like Sudan or the UAE, by exercising free speech or encouraging the advancement of women? Do they have the right to grab me once I leave the US? By allowing the US to do this, we are emphatically nodding our heads and smiling. International case law is not unilateral. We're setting a precedent.

I was reading the article comments, and noticed that many non-US citizens have such a strange view of the US. They said things such as "For the Americans to be loved at World level, they will first have to learn to love the World themselves" and "You chaps and chapettes need to put your foot down on this species of judicial arrogance. I would say that most US citizens would be shocked to know that this is the position of its own gov't."

We aren't shocked. We (the thinkers) aren't ignorant. It isn't that we want to be informed but our government makes it too difficult. It isn't that we are so scared of the "freedom-hating" terrorists. We have an administration that most Americans disapprove of, that most Americans are in favor of impeaching, and an unresponsive Congress that has an even lower approval rating.

It isn't that we aren't hitting the brakes on this crazy ride. We are. It's just that someone cut the brake lines. If it was as simple as "You Americans should do something" and us responding "Oh? Okay. Let me just hit this 'Off' button," don't you think it would have ended? Unfortunately the Off button includes financial repercussions, political demonstrations, and now, other acts of "Terrorism" which we've quietly allowed to be outlawed thanks to H.R. 1955. This new law makes true change by the people impossible, by labeling them criminal combatants and terrorists against our current way of life. To put it in short, this is no longer our country. Don't get me wrong. I love the idea of America, and it is the worst country except for all the rest, but the light that has been the beacon for world progress has been snuffed out. We are only such a great country still because we haven't let time take its toll, watching the American body atrophy under our new political environmental conditions: Death, rendition, and the pursuit of militarization. Would America ever have been a great country with the actions and aspirations we have now? No, but it could be great again. So I will stay here and keep fighting, every way I know how. If only it was as simple as an 'Off' button.

November 8, 2007

Hushmail Can Read Your Encrypted Mail

According to Wired's blog, Hushmail, the popular purveyor of secure, encrypted mail, cooperated with the US federal government and in doing so demonstrated that it can decrypt your email and compromise a client's security.

What happened?
Hushmail decided to help US Federal agents bust an alleged Steroid provider.

What does this mean?
If you've ever used Hushmail, every message sent or received through the service can be decrypted by Hushmail once it has your passphrase, and as described below it can obtain your passphrase in either access mode.

How does Hushmail hack into your account?
Hushmail has two techniques, one per access mode. If you use the webmail interface, your passphrase is sent to Hushmail's server, which does the decryption there, so Hushmail can simply capture it. If you use the client-side Java applet, the applet itself is served by Hushmail every time you load it, so Hushmail can serve you a modified applet that captures your passphrase and sends it back.

Why did Hushmail cooperate?
They cooperated because a court compelled them, and they didn't feel like defending the client, who was alleged to be a criminal. They are a Canadian corporation, so their jurisdiction is weak from the standpoint of resisting such an order, and it is unclear whether they investigated the claim to see if it was legitimate or dubious.

How does this compare to XeroBank?
XeroBank is in a strong jurisdiction, unlike Hushmail. XeroBank also investigates such claims and will not blindly follow a subpoena. However, XeroBank looks forward to busting money scammers and terrorists as well.

What should we learn from this?
If you are doing something the provider's terms of service forbid, jurisdiction won't matter whether you use Hushmail or XeroBank. If you aren't violating the terms of service, jurisdiction and court orders are a very high hurdle, as long as you are with XeroBank. In that latter case, it appears Hushmail may sell you out. Honestly, we need to know more about what really happened: if Hushmail confirmed the steroid claims were true before handing over the messages, AND it really was a violation of their TOS, they acted with propriety.

The other lesson is that Hushmail's client-side encryption is a marketing gimmick. Client-side decryption only protects you from the server if the client code is something the server cannot change, and Hushmail pushes the Java code to you on every load, so it can ship a version that hands it your passphrase.
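To make the two access modes concrete, here is an added example (not Hushmail's code, and not the author's) simulating a provider that stores only ciphertext but also serves both the webmail interface and the "client-side" applet. The cipher is a toy stand-in for OpenPGP, the applets are Python functions, and the pinning check hashes their bytecode where a real check would hash the served JAR against a value obtained out of band; all of that is assumed for illustration.

```python
import hashlib
import hmac
import os
from typing import Callable, List

# --- Toy passphrase-based message encryption (assumed stand-in for Hushmail's OpenPGP) ---

def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the passphrase into a 32-byte key; whoever has the passphrase has the key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=32)


def _subkeys(key: bytes):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || HMAC tag (encrypt-then-MAC with separate subkeys)."""
    ek, mk = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, "sha256").digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mk, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ct, _keystream(ek, nonce, len(ct))))


# --- The provider: holds ciphertext, but also serves the webmail UI and the applet ---

class MailProvider:
    def __init__(self) -> None:
        self.mailbox: List[bytes] = []
        self.learned_passphrases: List[str] = []   # everything the provider could decrypt with

    def store(self, blob: bytes) -> None:
        self.mailbox.append(blob)

    def webmail_read(self, passphrase: str, salt: bytes) -> List[bytes]:
        """Webmail mode: the browser posts the passphrase and the server decrypts."""
        self.learned_passphrases.append(passphrase)   # the server needs it, so it has it
        return [decrypt(derive_key(passphrase, salt), b) for b in self.mailbox]

    def phone_home(self, passphrase: str) -> None:
        self.learned_passphrases.append(passphrase)


# --- Two versions of the "client-side" applet, both shipped by the provider ---

Client = Callable[[MailProvider, str, bytes], List[bytes]]

def honest_client(provider: MailProvider, passphrase: str, salt: bytes) -> List[bytes]:
    """Key derivation and decryption happen locally; the server only ever sees ciphertext."""
    key = derive_key(passphrase, salt)
    return [decrypt(key, b) for b in provider.mailbox]


def backdoored_client(provider: MailProvider, passphrase: str, salt: bytes) -> List[bytes]:
    """Identical to honest_client except for one line the user never sees."""
    provider.phone_home(passphrase)
    key = derive_key(passphrase, salt)
    return [decrypt(key, b) for b in provider.mailbox]


# --- The check: pin the code you audited and refuse to run anything else ---

def fingerprint(client: Client) -> str:
    """Digest of the applet's compiled bytecode (a real check hashes the served JAR)."""
    return hashlib.sha256(client.__code__.co_code).hexdigest()


def run_pinned(client: Client, pinned: str, provider: MailProvider,
               passphrase: str, salt: bytes) -> List[bytes]:
    if fingerprint(client) != pinned:
        raise RuntimeError("client code differs from the audited version; not entering passphrase")
    return client(provider, passphrase, salt)


def demo() -> dict:
    """Runs the three scenarios and reports who ended up able to decrypt (constructed data)."""
    salt, passphrase = b"constructed-salt", "correct horse battery"
    provider = MailProvider()
    provider.store(encrypt(derive_key(passphrase, salt), b"meet at noon"))
    out = {}
    out["honest_plaintext"] = honest_client(provider, passphrase, salt)[0]
    out["honest_leaks"] = bool(provider.learned_passphrases)             # server learned nothing
    provider.webmail_read(passphrase, salt)
    out["webmail_leaks"] = passphrase in provider.learned_passphrases    # leaks by design
    provider.learned_passphrases.clear()
    backdoored_client(provider, passphrase, salt)
    out["backdoor_leaks"] = passphrase in provider.learned_passphrases   # user saw nothing odd
    out["server_can_now_read"] = decrypt(derive_key(provider.learned_passphrases[0], salt),
                                         provider.mailbox[0])
    pin = fingerprint(honest_client)   # recorded when the applet was audited
    try:
        run_pinned(backdoored_client, pin, provider, passphrase, salt)
        out["pin_blocked_backdoor"] = False
    except RuntimeError:
        out["pin_blocked_backdoor"] = True
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

In demo() the honest applet leaves the server with nothing, webmail hands it the passphrase by design, and the backdoored applet hands it the passphrase while returning exactly the plaintext the user expected. From the user's chair the pin is the only thing that tells the two applets apart, and it only helps if the pinned value did not itself come from the server.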

October 24, 2007

Comcast performs Denial of Service attacks against its customers.

Recently there has been some noise in the news about torrent users getting shut down. Not by police raids or lawsuits, but by their ISP. It isn't that Comcast is simply traffic-shaping its customers' internet communication in order to meet performance targets. It turns out that Comcast is using dark-arts techniques to silence traffic it doesn't like.

The recent case was an attack against P2P, the traffic you and I exchange when transferring files directly between our machines. A good portion of the time, this file-sharing technology is used to trade copyrighted media between consumers. It is a legitimate technology for sharing files nonetheless. We don't ban the use of money simply because people can buy illegal drugs with it, nor should P2P traffic or torrents be singled out. For example, most free, open-source Linux distributions are very large, and the most efficient way of distributing them is sharing between consumers instead of everyone downloading from one central point and 'clogging the tubes'. This is a great way of conveying data: it doesn't rely on a single point of distribution, but on many independent peers who share the information.

So what is the row about? Comcast is sabotaging the connections between users by sending forged 'disconnect' notices that impersonate the people sharing files. In TCP terms, it injects reset packets that claim to come from the other end of the connection, and each end obediently tears the connection down. Sabotaging 'undesirable' communications is typically done by countries engaged in warfare, or more recently by hackers attacking computer networks or services. The technique is a denial of service: most DoS attacks work by flooding, causing traffic jams, but this one works by forging a single control message that the endpoints trust, which is cheaper for the attacker and harder for the victim to notice. The analogy was well made that if Comcast were a phone company and didn't like what you were talking about, it might break into the conversation and impersonate your voice, telling the other party you had to go and not to call back.
The most interesting thing about this story is that Comcast originally denied using the impersonation tactic, then got busted, denied it again, and has now switched tunes and is admitting to it, calling it 'delaying'.

Does this technique benefit Comcast? Obviously so. Is it legitimate, or even legal? Probably not.
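The forged disconnects were reported as TCP reset (RST) segments spoofed to look like they came from the peer. Below is an added example, not Comcast's code and not this blog's, of two checks a user can run over packet captures to spot them: a single-capture TTL heuristic, and the two-ended comparison that shows a reset arriving at one end that the other end never sent. The packet records are constructed for the example; a real run would parse them out of a pcap.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    """One TCP segment as recorded at a capture point (constructed records, not real packets)."""
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int            # IP TTL as seen at the capture point
    seq: int
    flags: str          # any of "S", "A", "P", "F", "R"
    payload_len: int = 0


FlowKey = Tuple[str, int, str, int]


def flow_key(s: Segment) -> FlowKey:
    """One direction of a connection: who is sending to whom."""
    return (s.src, s.sport, s.dst, s.dport)


def ttl_anomalous_resets(capture: List[Segment]) -> List[Tuple[int, str]]:
    """Single-capture heuristic: flag a RST whose TTL differs from the peer's other segments.

    Packets from the real peer cross the same hops every time, so their TTL at the
    capture point is constant. A box in the middle that forges a RST in the peer's
    name starts from its own initial TTL and hop count, so the forgery arrives with
    a different TTL. Returns (capture index, reason) for every such RST.
    """
    baseline: Dict[FlowKey, int] = {}
    alerts: List[Tuple[int, str]] = []
    for i, s in enumerate(capture):
        k = flow_key(s)
        if "R" in s.flags:
            if k in baseline and s.ttl != baseline[k]:
                alerts.append((i, f"RST ttl={s.ttl}, peer's segments arrive with ttl={baseline[k]}"))
        else:
            baseline.setdefault(k, s.ttl)   # learned from the first genuine segment
    return alerts


def unsent_resets(sender_capture: List[Segment], receiver_capture: List[Segment]) -> List[Segment]:
    """Two-ended check: resets the receiver saw that the claimed sender never put on the wire.

    Capture at both ends. A RST in the receiver's capture with no counterpart in the
    sender's own outgoing traffic was injected by someone else. TTL is left out of
    the match on purpose because it changes in transit; flow, seq and flags do not.
    """
    sent = {(flow_key(s), s.seq, s.flags) for s in sender_capture if "R" in s.flags}
    return [s for s in receiver_capture
            if "R" in s.flags and (flow_key(s), s.seq, s.flags) not in sent]


# Constructed sample: A (a home user) is exchanging data with peer B. A is 12 hops
# from B, so A's segments (sent with ttl 64) reach B with ttl 52. The injector sits
# 3 hops from B and sends its forgery with ttl 64, so it reaches B with ttl 61.
A, B = "10.0.0.5", "198.51.100.7"
A_PORT, B_PORT = 51000, 6881

CAPTURE_AT_B = [   # what B recorded on the A -> B direction
    Segment(A, A_PORT, B, B_PORT, ttl=52, seq=1000, flags="S"),
    Segment(A, A_PORT, B, B_PORT, ttl=52, seq=1001, flags="A"),
    Segment(A, A_PORT, B, B_PORT, ttl=52, seq=1001, flags="AP", payload_len=68),
    Segment(A, A_PORT, B, B_PORT, ttl=61, seq=1069, flags="R"),   # forged in A's name
]
CAPTURE_AT_A = [   # what A recorded of its own outgoing segments: A never sent a RST
    Segment(A, A_PORT, B, B_PORT, ttl=64, seq=1000, flags="S"),
    Segment(A, A_PORT, B, B_PORT, ttl=64, seq=1001, flags="A"),
    Segment(A, A_PORT, B, B_PORT, ttl=64, seq=1001, flags="AP", payload_len=68),
]

if __name__ == "__main__":
    for i, why in ttl_anomalous_resets(CAPTURE_AT_B):
        print(f"capture index {i}: {why}")
    for s in unsent_resets(CAPTURE_AT_A, CAPTURE_AT_B):
        print(f"RST seq={s.seq} seen at {s.dst} but never sent by {s.src}")
```

The TTL heuristic needs only your own capture and catches the common case where the injector is closer to you than the peer, but a careful injector can guess the right TTL. The two-ended check is conclusive whenever you can get a capture from the other party, which is exactly what makes the impersonation provable rather than deniable.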

UPDATE: Comcast Internal PR-Spin Memo Leaked

October 22, 2007

It's Done. xB Browser 2.0.0.8 is here.

Okay, this has been quite a week. I've been taxing the rest of the team to death, and I sense a revolt coming. So here I am, coming up for air, dropping the latest xBB, and giving some hints. This latest xBB is all about the installer. The installer works for free users, xB Plus clients, and xB Pro clients. It gets even better: new users can create demo accounts and trial XeroBank right from the installer! And the download is as small as ever.

Regarding the browser itself, we cleaned it up for Vista and improved some of the structure. Soon it will be getting a much stronger overhaul. We updated everything in it, as usual: Firefox/Gecko core, plugins, new plugins, Tor, etc.

So I'm done with version A, and we're uploading it. There is still some planning to do on how we handle upgrades from one installer to the next, considering that xB Browser doesn't use the registry for storing its settings.

Download it from the beta folder here.

October 15, 2007

xB Browser 2.0.0.8

Held back on 2.0.0.7 because it wasn't ready to push, nor necessary [theoretical QT vulnerability for Firefox, not critical for us: plugins are disabled in xB Browser], and we are in the middle of a bigger/better software build. It should be ready in just a couple more days. We've built an installer for the program, so you can put it on your hard drive or a USB drive. I've written some code that lets you provide your XeroBank transaction ID to auto-download your activation keys, and I'm thinking about how to add this into the browser, the installer, or both. I'm considering combining the software with xB VPN for our new product release. This should be interesting, to say the least. Lots of least-resistance design coming up. Perhaps there should be a simple product downloader instead of a pre-packaged download?

That way it could look up your product with the transaction ID and grab the software you need or request.

I edited the software, experimentally, to allow it to run concurrently with Firefox. Well, it kind of works. But if you try to start Firefox afterwards, it just opens another xB Browser window, which is kind of annoying. We're going to need a customized theme for xB Browser once we get it all sorted out.

Still thinking about it...

October 14, 2007

Lunch with the FBI

Last Wednesday I had lunch with the FBI, whom I had run into at the UTA security conference. We met at Chili's and had blue-cheese burgers, and one of the agents had a honey-mustard chicken-finger salad. Among the things we discussed was XeroBank. I brought it up.

I mentioned that we will shortly be opening up servers in the US, and would like to avoid any unnecessary raids on our data centers, as they are an inconvenience to all. Such an arrangement would also help them avoid any embarrassing situations where they end up pointing guns at geeky technicians, only to get a hard disk full of encrypted data. The essence is that we want to send a strong message to the money-fraudsters and child-pornographers that they will not be protected or tolerated by XeroBank, as they are violators of our Terms of Service and costly offenders to all. Of course, we don't care about the activity of non-violators, and I said as much. I had to stress that unless the violators are international 'terrorists' posing an immediate threat to human life, child-pornographers, or cash/PayPal/e-gold fraudsters, then we simply can't be bothered with anything less than a court order, which won't trace or identify the client anyway. In the situation where there is such a claim of terrorism and so on, we will have to go to the trouble of attempting to monitor the account first to see if the claim is valid. If we find the claim is valid, then the user is violating our terms of service and isn't protected by our confidentiality agreement. If the user isn't violating our terms of service, we have to decline to provide any assistance. Of course, we also know who we are dealing with, and if it is an issue of terrorism, we don't think we'll be getting a call from the FBI. In that situation the lights will turn on at the NSA, and the potential threat will be neutralized with little or no involvement from xb whatsoever. As I said earlier, if you are trying to hide from a super-powerful omniscient agency with the ability to monitor all traffic on the internet, you've got bigger problems than anyone can help you with.

Striking a balance is difficult, but it means knowing how far both parties are willing to go. It means that an agency knows it has an uphill battle, and that being given a string to pull means it can't abuse it for petty issues or burn its contacts, else it will be stonewalled. It also means that xb has to walk a very fine line when given a legitimate tip that someone is abusing our service, because we have to investigate the traffic live, potentially violating the user's privacy if the client turns out to be legitimate. I think we would want to notify the user that they were requested for monitoring, that nothing showed up, and that the investigation of their account was closed. I think we should also give them a new account to restore their anonymity in our system. So if the FBI gives us a tip and it turns out to be no good, then they burned their chance to nab the criminal. Or if they give us a tip and it turns out to be something petty or nothing at all, then we've all wasted our time and outraged the privacy of a legitimate client. I think it is important to have such an understanding, because XeroBank has communicated to me that they won't be subject to politically or financially motivated claims by any agency, regardless of jurisdiction.

October 7, 2007

A beacon in the darkness: Dr. Ann Cavoukian

Dr. Cavoukian recently gave a moving presentation on privacy at the University of Waterloo. Simply amazing. Hacktivismo should have awards just for people like her. Click the picture below to go to the page where you can view the video.

Ann Cavoukian