Cloud Computing Considered Subversive
Earlier this week I noted that WikiLeaks was using Amazon's EC2 Cloud Computing servers for distribution of the Iraq War Logs; some argued that it was strange to host the data on US servers - as if putting the data near the people who will download it was a radical, brave, or possibly subversive maneuver. A day later Netcraft reported that some (not all) of WikiLeaks US-based EC2 servers had gone. Insinuations are being made that WikiLeaks may have been "hounded out of the US" - as if de-provisioning of servers when you no longer needed them was only likely to be done under coercion from government authority.
To me it appears WikiLeaks were a normal customer of Amazon, doing normal things, operating with the presumption that an attempt to censor the data would a) be fruitless and b) raise sympathy and so the US Government were not going to do that; and they'd be right.
It's a shame that the paranoid think this exercise of Cloud Computing 101 merits a conspiracy story.
All Your Tweets Are Belong To Firesheep
I've intentionally not written about Firesheep because it's a bloody awful story - every couple of years some new tool comes along which presages the death of the Internet: COPS, Crack*, SATAN, Kismet, Metasploit, ... the list is enormous; criticisms typically pass quickly through these stages:
- the software is too easy to use
- the software should be banned/withdrawn
- the software should only be given to trustworthy individuals
- the fault is in the victims
- the fault is in the victim's software
- the fault is in the victim's network
The first few arguments are easily dismissed - complexity is not security, you can't ban a vulnerability, there is no trustworthy subset of all internet users - but the latter sound convincing since they appear to offer solutions when in fact they are pushing agendas:
- Users should stop using Facebook, Twitter, Tumblr, Flickr, etc - good for contrarians seeking limelight
- Users should use a VPN - good for VPN companies but merely shifting the problem
- Users should avoid using open Wifi networks - bad advice as some encrypted networks are still 'sniffable'
The root cause of Firesheep are the decades of crummy software where possession of a cookie, session-id or some other forgable identifier was considered adequate to permit access to a service. CW nicely summarises:
Ultimately, moves users make to plug the holes Firesheep exposes are stop-gaps. The elephant in the room, said Butler and Gallagher as they defended the release of the add-on, is the lack of full encryption. And only the sites and services can fix that.
"The real story here is not the success of Firesheep but the fact that something like it is even possible," Butler wrote in his blog on Tuesday. "Going forward, the metric of Firesheep's success will quickly change from amount of attention it gains, to the number of sites that adopt proper security. True success will be when Firesheep no longer works at all."
Big Brother Wants To Watch You. Again.
So everybody in the world should demand to use SSL encryption to access services like blog-authoring and twitter-tweeting, not to mention for it to be deployed for all those service-to-service OAuth-authenticated connections such as Facebook-linked-to-Twitter.
Regrettably for the government the increased deployment of crypto will multiply the effort (and cost) required to record every e-mail, tweet and blogpost that you read and write; if you don't know about this plan then you really should check out the Cambridge University Security Research Group article and browse the Open Rights Group site where you can watch the first shots of Crypto Wars v2.0.
The Labour government floated the idea in 2006/8 under the Interception Modernisation Programme (IMP) moniker and cited a £2billion price tag, but shelved it after public consultation. The Coalition have resurrected these plans, but as the Guardian notes:
Julian Huppert, the Liberal Democrat MP for Cambridge, invited Cameron at PMQs today to confirm that the government was not reviving Labour's original proposal for a centralised Whitehall database, which he was happy to do.
Of course the Prime Minister was telling the truth when he said this - the new IMP proposal does not use a centralised database.
* disclosure: I'm responsible for that one