SECRE.TS

I started developing a random idea over the holidays but never finished it. I’m releasing its description here with the hope that someone will steal and then implement it :)

a hybrid social media platform using rss feeds, twitter style messaging and public, private, and group key pair cryptography. it also solves the paradox of eventual decryption through the use of one time pads and very precise randomization.

secre.ts enables the user to share cryptographically protected messaging to allow use over untrusted publicly accessible networks like the Internet.

As a messaging solution secre.ts produces the greatest assets of email like services with the most secure traits of a virtual private network connection. vpn solutions are fragile connections and cumbersome on both bandwidth and the processor. secre.ts hybrid approach consumes processor but the messages are broadcast in public so connectivity is hugely increased and bandwidth isn’t impacted because the messages are received in cleartext.

Musings on Cara Duckworth’s Post

Some opinions about the Tenenbaum case, for those interested:

OPINION: The RIAA stands for Recording Industry Association of America

OPINION: The RIAA has filed many cases against file sharers as civil actions and not criminal

OPINION: In the US, civil actions do not guarantee the defendant representation by an attorney

OPINION: The RIAA has compared copyright infringement to stealing many times in the press

OPINION: Copyright infringement and shoplifting are two distinct and separate crimes

OPINION: 30 average songs could be contained in 2 CD’s

OPINION: The average cost of 2 CD’s in a store is < $100

OPINION: In Massachusetts the fine for shoplifting under $100 is a fine up to $250 the first time

OPINION: There is a huge discrepancy between the punishment for shoplifting and infringing an equal amount of music

Project EquillibRIAA

For the last few years I’ve talked quietly of a project to connect artists with the victims of lawsuits in the name of their bands. After the verdict handed down by the latest case of Sony vs. Tenenbaum I think it is time to put this plan to action. I’ve emailed Joel and received a list of the bands he was sued for and what I’d like to do is draw national attention to the public interfaces these bands have set up for
themselves.

I’ve created a public document which contains a list of the bands and any Twitter, Myspace, Facebook, or other public forums the bands have set up for themselves. I could use help tracking down some of the missing links in this list. In some cases the bands no longer exist but members of the original band still live on in other bands or on their own.

To be clear the purpose of this project is not to harass these musicians. It is to remove the wedge of the RIAA from artists and their fans and ask them to communicate. The one question I’d like to see the artists answer is “Do you support the actions the RIAA has taken on behalf of your band in destroying the life of Joel Tenenbaum?”

Joel is being fined $22,500 for each of the 30 songs that he downloaded
from KaZaa. His total fine is $675,000 for an activity that a majority of the Internet users in this country have and still participate in. This isn’t to say that we should advocate copyright infringement but that we shouldn’t agree with the penalties associated with infringement.

This project is still being assembled and I would appreciate any feedback and help the FC community can muster. I’d like to coordinate a massive feedback storm requesting comment via Twitter, Myspace, etc so these artists can’t escape without saying something. Anything. What we need is dialog from musicians about what is happening to their fans.

The working spreadsheet of bands and their online identities is here:
 http://spreadsheets.google.com/ccc?key=0…

If you would like access to edit the spreadsheet please email me (oliver.day@gmail) and I will add you to the access list.

Friendless at Facebook

I finally met someone whose privacy settings were as high as mine. If Facebook has a privacy setting I have it pushed to the highest possible value. The end result is that I’m practically a ghost on the popular social media website. You won’t find me using search functionality and I have absolutely no public footprint. Last night I decided to friend some of the researchers working with myself and Prof Bambauer on an academic paper about shielding security researchers due out this fall.
The two of us appeared to be unable to “friend” each other because of our high privacy settings. I wasn’t really sure how to proceed. We tried messaging each other a few more times in an effort to prove to Facebook our intentions but to no avail. One of us would have to sacrifice a bit of our privacy in order to allow for this seemingly obvious functionality.

Since I initiated I went ahead and dropped my guard a bit and allowed anyone from the Harvard network to see me (thankfully she is an alum!) Of course now that we are friends the curtains have been drawn again around my profile but this is definitely one of the more interesting experiences I’ve had with Facebook.

While I’m glad they offer me so many privacy settings they really need to think about this particular edge case where two privacy loving individuals happen to want to friend each other.

James Atkinson is speaking at MRL Thursday (June 25) at 6:30 PM

Midnight Research Labs Boston will have a special guest speaker: Mr.
James Atkinson, who will be giving his “Kill Your Cordless Phone” talk.

***This talk will be announced and open to the general public, and WILL
REQUIRE AN RSVP as space is limited. Given the size and layout of MRLB,
we’ll be doing a bit of re-arranging to accommodate attendees.***

Please RSVP to  rsvp001 at n0where.org

Here’s a brief bio on Mr. Atkinson (more at http://tscm.com/biojma.html)

South Koreans not allowed to upload to Youtube

While digging through youtube html for another project I came upon this interesting error message.

msg[“koreaFail”] = “본인확인제로 인해 한국 국가 설정시 동영상/댓글 업로드 기능을자발적으로 비활성화합니다. We have voluntarily disabled this functionality on kr.youtube.com because of the Korean real-name verification law.”;

I looked into this a bit more and South Korea seems to have rallied around the death of a popular actress who killed herself due to online comments about her. The new “anti bully” law requires all sites with at least 100,000 users to verify the posters real name.

“The Cyber Defamation Law, as it’s called, went into effect on April 1st. According
to officials at the Korea Communications Commission (KCC), the country’s
broadcasting and telecommunications regulator, the law is an attempt to
quell the cyber-bullying and spread of misinformation on the internet.”

source: readwriteweb

Google is unwilling to collect this kind of data about its users and instead has opted to disable upload (and I assume comment) capabilities from South Korean IP addresses.

Personal Disclosure Update

I’ve decided to step down from the Advisory Board of the SourceBoston conference. I still think that it is a fantastic project but I have been so busy with academic projects and class work that I couldn’t give them enough time.

I’m also not going to be a regular columnist at SecurityFocus after this month. This was more a decision on their part than mine however I am not going to fight it. I could use the extra time to focus on two very exciting academic papers I have lined up for this year.

Storing IP Addresses in MySQL with ruby/rails

A recent project has me thinking about storing of IP addresses in mysql. The natural tendency is to store it as text. My first attempt stored the address as char(16) with a normal index to help speed searches against it. After some reading about high performance MySQL techniques I was reminded that IP addresses in dotted quad form are the least efficient. Instead of storing as a string of characters I could instead convert the dotted quad into a 32 bit integer.

The magic of converting it is pretty easy to find online however if you are using ruby simply install the IPAddr gem.

>> ip = IPAddr.new(‘255.255.255.255’)
=> #
>> puts ip.to_i
4294967295
=> nil

Reversing the process isn’t quite as easy and the documentation fails to mention this possibility. A little digging online will unearth this additional parameter that is needed:

>> ipnum = 4294967295
=> 4294967295
>> ip = IPAddr.new(ipnum, Socket::AF_INET).to_s
=> “255.255.255.255”

When I first tried to store this in MySQL I ran into another problem. In my haste I created the column ip_num as an int(11). The code I ran didn’t raise an exception and converted all the ip addresses in the database. However when I viewed the results a large number of ip addresses came back as 127.255.255.255. This ip address converts to 2147483647 as an integer.

If this number looks familiar it is because it is exactly half of the value of 255.255.255.255. It is also the limit of a signed integer.
“The signed range is -2147483648 to 2147483647”

Ensure that you create an unsigned int column for ip addresses to hold the max value of 4294967295.
The unsigned range is 0 to 4294967295.

Judge vacates RIAA win in Thomas case, calls damages awarded oppressive

U.S. District Judge Michael Davis of Duluth, Minnesota has declared a mistrial in the only win in RIAA’s long legal fight against consumers. He also commented on the laws behind the copyright infringement claims of RIAA stating that they were “unprecedented and oppressive” for

    non commercial p2p users

and intended only for operations which sought to compete with record labels.

Full quote from the Thomas ruling[pdf]:

While the Court does not discount Plaintiffs’ claim that, cumulatively, illegal downloading has far‐reaching effects on their businesses, the damages awarded in this case are wholly disproportionate to the damages suffered by Plaintiffs. Thomas allegedly infringed on the copyrights of 24 songs ‐ the equivalent of approximately three CDs, costing less than $54, and yet the total damages awarded is $222,000 – more than five hundred times the cost of buying 24 separate CDs and more than four thousand times the cost of three CDs. While the Copyright Act was intended to permit statutory damages that are larger than the simple cost of the infringed works in order to make infringing a far less attractive alternative than legitimately purchasing the songs, surely damages that are more than one hundred times the cost of the works would serve as a sufficient deterrent.
Thomas not only gained no profits from her alleged illegal activities, she
sought no profits. Part of the justification for large statutory damages awards in
copyright cases is to deter actors by ensuring that the possible penalty for
infringing substantially outweighs the potential gain from infringing. In the case
43 of commercial actors, the potential gain in revenues is enormous and enticing to potential infringers. In the case of individuals who infringe by using peer‐to‐peer networks, the potential gain from infringement is access to free music, not the possibility of hundreds of thousands – or even millions – of dollars in profits.
This fact means that statutory damages awards of hundreds of thousands of
dollars is certainly far greater than necessary to accomplish Congress’s goal of
deterrence.
Unfortunately, by using Kazaa, Thomas acted like countless other Internet
users. Her alleged acts were illegal, but common. Her status as a consumer who
was not seeking to harm her competitors or make a profit does not excuse her
behavior. But it does make the award of hundreds of thousands of dollars in
damages unprecedented and oppressive.

Internet Mob Justice Tracks Down Cat Abuser

avenge me

EDIT: If you are visiting this post from Encyclopedia Dramatica your PC may be infected by a drive by download. I captured this pic from a vmware image infected from that site

Denizens of 4Chan’s /b/ spent the better part of yesterday coordinating a search for the identity of a teenager who was stupid enough to upload video of himself abusing a cat to Youtube. Dubbed “Operation Dustyce” anonymous agents gathered in #catraid2 on the EFNet irc network and scoured Facebook and other websites matching photos to portions of the video which showed the interior of the house.

An anonymous person then set up www.kenny-glenn.com with details about the abuser and his immediate family including physical addresses and phone numbers. Local news station KSWO is covering the story and has recently reported that Kenny Glenn was arrested then released to his parents.

A post to a Facebook group supporting the abused cat, “Dusty”, states Oklahoma laws can punish animal cruelty of this magnitude with a felony offense:

Oklahoma Statutes, Title 21, Chapter 67
Section 1685: Acts of Cruelty to Animals
Any person who shall willfully or maliciously overdrive, overload,
torture, destroy or kill, or cruelly beat or injure, maim or mutilate,
any animal in subjugation or captivity, … shall be guilty of a felony and shall be
punished by imprisonment in the State Penitentiary not exceeding five
(5) years, or by imprisonment in the county jail not exceeding one (1)
year, or by a fine not exceeding Five Hundred Dollars ($500.00). Any
officer finding an animal so maltreated or abused shall cause the same
to be taken care of, and the charges therefor shall be a lien upon
such animal, to be collected thereon as upon a pledge or a lien.

It is difficult to predict the outcome of the court in matters like this however the online community is easier to predict. The outrage of the community is inversely proportional to the punishment he receives by the State. That is to say, if he is only fined $500 and given a “slap on the wrist” the same mob that tracked him down will demand justice in other ways. Should he register an account with any service they will be there to “out” his past actions. Kenny Glenn, and all those around him, will be haunted by his cruelty for a long time by any means the community can muster. Hate mail, prank phone calls, and possibly even visits in person are not out of the question.

One thing is for sure. Dusty will be avenged.