Reddit “hacked”!

02/08/2018

Reddit member data was compromised in June this year. Two data sets were accessed. The first is a 2007 database backup containing early account details (usernames, email addresses and salted, hashed passwords) and all content from the site’s launch in 2005 to May 2007, including private messages. The second is a set of logs and databases tied to Reddit’s daily digest emails sent between 3 and 17 June this year, which link usernames to the email addresses on those accounts.

Reddit says it is contacting members who may have been affected.  But the way these stories usually go, it will turn out that far more was exposed than first admitted, so all Reddit members should probably reset their passwords, especially anyone whose account dates from the 2005 to 2007 period.

And if you are one of the millions of people who reuse the same username and password across multiple sites, you had better change your login details on every account where that password was used.  This time do it properly, with a password manager, so that every site gets its own random password.  Better late than never, eh!

Reddit’s systems were compromised through employee accounts with its cloud and source-code hosting providers, accounts that were “protected” with SMS-based two-factor authentication.  The attacker got past it by intercepting the SMS codes.

SMS-based two-factor authentication is more secure than a password alone.  But it is comparatively easy to defeat, because the second factor travels over the phone network rather than staying on a device you control.  In a SIM-swap (number-porting) attack, for instance, the attacker persuades the carrier to move the victim’s number to a phone the attacker holds by supplying an address, the last four digits of a social security number and perhaps a credit card number: exactly the kind of data that is widely available on the dark web thanks to large database breaches like Equifax.  Once the number has moved, every SMS code lands in the attacker’s hands.



Google censoring searches in China again

02/08/2018
google-logos

Google has a new logo and is updating its image, but under the surface it is still the pre-2010 half-evil censor.

Eight years after Google pulled out of China’s censored internet, it is going back.  The company is reported to be working on a mobile search app that would block certain search terms and allow it to re-enter the Chinese market.

Google has operated inside China’s controlled internet before, but in 2010 it pulled out, citing censorship and hacking as reasons.  The withdrawal was not total: it still offers a number of apps to Chinese users, including Google Translate and Files Go, and it has offices in Beijing, Shenzhen and Shanghai.  But its largest services (search, email and the Play app store) are all unavailable in the country.

Google co-founder Sergey Brin told the Guardian in 2010 that his opposition to enabling censorship was motivated by his having been born in Soviet Russia.   “It touches me more than other people having been born in a country that was totalitarian and having seen that for the first few years of my life,” he said, as Google exited the Chinese market after four years of cooperating with the authorities.

Now it is back, building a search app for Android devices that would block certain search terms and blacklisted material.

According to the tech news site The Information, Google is also working on a censored news-aggregation app.  It would take its lead from popular algorithmically curated apps such as Bytedance’s Toutiao (released for the Western market as “TopBuzz”), which dispense with human editors in favour of personalised, highly viral content.

Patrick Poon, China Researcher at Amnesty International, called Google’s return to censorship “a gross attack on freedom of information and internet freedom.”

In putting profits before human rights, he said, Google would be setting a chilling precedent and handing the Chinese government a victory.

This matters because many users set a search site as their browser homepage, or find content simply by typing keywords into the address bar.  Google’s ubiquity means it is usually the default search engine, so for millions of people the internet is whatever Google’s lens shows them.  If that lens is smudged or cracked by censorship, their whole experience of the internet is skewed.  So it is essential to point out that Google is not the neutral, trustworthy agent that many users take it to be.

GreatFire, an organisation that monitors internet censorship and enables circumvention of the “Great Firewall of China”, said the move “could be the final nail in the Chinese internet freedom coffin” and that “the ensuing crackdown on freedom of speech will be felt around the globe.”



Cypherpunks: Freedom and the Future of the Internet, free download pdf

19/07/2018


Just found this download link for Julian Assange’s 2012 book Cypherpunks: Freedom and the Future of the Internet.  I found it literally less than thirty minutes ago, so I’m posting it here before I’ve had a chance to read it myself.  Once I have, I’ll tell you what I think of it.  In the meantime, check it out for yourselves!  Here is an excerpt from a review by Marienna Pope-Weidemann at http://www.counterfire.org:

A watchman’s shout in the night

Since the infamous PRISM surveillance system was exposed by the NSA analyst Edward Snowden, the existence of what the cypherpunks have long called ‘the transnational surveillance state’ is beyond doubt. Conspiracy has become reality, and paranoia has become the number-one necessity of investigative journalism.

Cypherpunks: Freedom and the Future of the Internet, published last year, describes itself as ‘a watchman’s shout in the night’. An apt description, given everything we have learned lately. What the book is trying to hammer home is the immense importance of the internet as a new political battleground: how it is structured, monitored and used has serious ramifications for political organisation, economics, education, labour, culture and just about every other area of our lives, because increasingly, their world is our world. And if knowledge is power, and it has never been as ubiquitous as it is in cyberspace, there is a great deal at stake.

Who are the cypherpunks?

Begun by a circle of Californian libertarians, the original cypherpunk mailing list was initiated in the late 1980s, as individuals and activists, as well as corporations, started making use of cryptography and, in response, state-wide bans were introduced (p.64). For the cypherpunks, the use of encryption for anonymity and secure communication was the single most important weapon for activists in the internet age.

Their rallying cry was ‘privacy for the weak, transparency for the powerful’; the dictum to which Wikileaks has dedicated itself. As discussed in the book, the subsequent evolution of the internet has taken it in the opposite direction: citizens, politically active or otherwise, law-abiding or otherwise, have lost all right to privacy, while the powerful hide increasingly behind secret laws and extrajudicial practices.

Cypherpunks is a collective contribution of four authors, three of them leading figures in the cypherpunk movement. First we have Julian Assange, who needs less and less introduction as time goes by (there are even two films now devoted to this problematic figure, the independent Australian feature, Underground, and the highly inaccurate box-office disaster We Steal Secrets). Assange has been hacking since the age of seventeen, when he founded the Australian group, the International Subversives, and wrote down the early rules of this subculture: ‘Don’t damage computer systems you break into (including crashing them); don’t change the information in those systems (except for altering logs to cover your tracks); and share information.’ Next we have German journalist Andy Müller-Maguhn of the Chaos Computer Club, co-founder of European Digital Rights and writer for Bugged Planet. Jacob Appelbaum, also a member of the Chaos Computer Club, is the developer who founded Noisebridge, an award-winning educational hackerspace in San Francisco, and international advocate for the Tor Project. Finally, we have the co-founder of the La Quadrature du Net advocacy group, Jérémie Zimmermann, a leading figure in struggles for net neutrality and against the Anti-Counterfeiting Trade Agreement (ACTA) who does not seem to be able to get on a plane without being harassed by government officials over his ties to Wikileaks.


Julian Assange, founder of Wikileaks, has been holed up in the Ecuadorian embassy in London since 2012 to avoid extradition to Sweden and, he fears, onward to the USA. Pic from http://www.extremetech.com


Darknet Part 3: How people got caught

10/07/2018

Part 3 of an occasional series of videos about the Darkweb, hidden services, anonymity… all the good stuff that we need, and need to know about!

Excellent Defcon presentation by Adrian Crenshaw detailing how some Tor users got caught.  TL;DR: it is all down to faulty OpSec.  Be careful all the time, use your common sense, and all will be well.  So long as there aren’t 0-days in Tor Browser that the Man knows about and the devs don’t…

But this isn’t too long to watch.  So watch it!  Even if you don’t use the darknet it is hugely informative and entertaining.  And if you do use Tor or otherwise have an interest in anonymity (which means you!), it is doubly informative and entertaining… in fact it is essential for everyone to watch.  So watch it!


There’s a special browser that leads to a secret web…



Python: Automated login to local hot spot

27/06/2018


I’ve been using a BTWifi-with-FON hot spot for internet access.  The way it works is: user clicks on connect in wifi manager, then browses to https://www.btopenzone.com:8443/home, fills in the form with User email address and Password.  This lets the user access the internet for anything between 1 and 3 hours, depending on time of day and day of week.  Then access runs out and the user must sign in again.

If you’re using the hotspot for an extended period of time, having to go through this palaver can be pretty irritating.  Luckily I’ve started learning python, which is an excellent language for automating this kind of procedure.  So this is the script I have written to make my use of the hot spot a little less stressful:

import sys
import time

import pymsgbox
import requests

HOME_URL = "https://www.btopenzone.com:8443/home"
LOGIN_URL = "https://www.btopenzone.com:8443/tbbLogon"
IP_CHECK_URL = "http://www.icanhazip.com/"
VPN_IP = "X.X.X.X"   # replace with your VPN provider's exit address
TIMEOUT = 15         # seconds; without it a dead hotspot hangs the script forever


def log_in():
    # POST the same fields the sign-in form at /home submits.
    # The credentials sit in plaintext here: keep this file readable only by you.
    values = {"username": "foo@bar.com", "password": "foobar"}
    requests.post(LOGIN_URL, data=values, timeout=TIMEOUT)


def vpn_check(t):
    # Compare our public IP with the VPN's exit address.  If they match we are
    # both signed in and tunnelled, so there is nothing left to do.
    p = requests.get(IP_CHECK_URL, timeout=TIMEOUT)
    ip = p.text.rstrip()
    if ip == VPN_IP:
        # uncomment line below for vpn connection confirmation
        # pymsgbox.native.alert("Logged into VPN", t)
        sys.exit(0)


t = time.strftime("%X")

response = requests.get(HOME_URL, timeout=TIMEOUT)
page_start = response.text[:1000]

if "DANTE" not in page_start:
    vpn_check(t)
    pymsgbox.native.alert("Signed OUT, click me to sort it", t)
    log_in()
# uncomment following lines for signed-in confirmation
# else:
#     pymsgbox.native.alert("Signed in", t)

At the top of the script I import the modules I need.  pymsgbox provides pop-up message boxes.  requests does the HTTP work: fetching the pages and submitting the sign-in form.  time lets the script stamp the pop-ups with the current time, and sys lets vpn_check() exit the script early.

Next it defines the log_in() function.  Although the user signs in by browsing to https://www.btopenzone.com:8443/home, the form itself posts to https://www.btopenzone.com:8443/tbbLogon, so that is the URL the script uses.  The fields are username (the user’s email address) and password.  Following ancient custom, foo@bar.com stands in for the email address and foobar for the password; requests posts these values to the form URL.  Two things to keep in mind: the form goes over HTTPS and requests verifies the certificate by default, so resist any temptation to add verify=False if the portal misbehaves, because on a public hotspot that would let anyone nearby serve a fake sign-in page and collect your credentials.  And the password is stored in plaintext in the script, so keep the file where only your own account can read it.

The script goes on to define the vpn_check() function.  Because this is a public wifi hotspot I route everything through a VPN service, Invisible Browsing VPN (ibVPN).  vpn_check() asks http://www.icanhazip.com/ for the computer’s public IP address and compares it with the VPN’s exit address, represented in the script by X.X.X.X.  If they match, we are tunnelled through the VPN, which also means we are already signed in, so the script exits.

Now the script proper starts.  It checks whether we are already signed in to the BTWifi service by fetching https://www.btopenzone.com:8443/home and examining the HTML.  If the computer is signed in, that page redirects to http://home.bt.com/bt-wifi-01364197228851, and the first thousand characters of that page’s HTML contain the string “DANTE”.  If the string is present we know we are signed in and the script does nothing further.  If it is absent, the computer is either using the VPN or is not signed in to BTWifi.

So the script calls vpn_check(), using the online service at http://www.icanhazip.com to find the computer’s public IP address.  If it matches the VPN address X.X.X.X, we know the computer is signed in to BTWifi and using the VPN, and the script exits.  If it does not match, we conclude that the VPN is not up and therefore that we are not signed in.  A pop-up tells the user so, and if the user wants to sign in he clicks OK.  The script then calls log_in() to sign in to BTWifi.

log_in() posts the credentials to the sign-in form at https://www.btopenzone.com:8443/tbbLogon, filling in the form fields with the values.  We are signed in, and the script terminates.

On my computers, which use either Windows 7 or Windows 8.1 operating systems, I have scheduled this script to run every 5 minutes.  It regularly checks the computer’s signed-in status, putting up a message if the computer is no longer signed in. The message box says : “Signed OUT, click me to sort it.” Click the button and the script signs into the wifi.  This is much less stressful than having the palaver of going to the wifi sign-in page and dealing with the form.

This script is very much a work in progress.  Look at the code and you will see a number of lines commented out.  Uncommented, these lines of code provide confirmation when the script finds out it is signed into the wifi or using the vpn.  These were used for testing.  I intend to comment out the message that we are not signed in, and have the script deal with it in the background.  This will allow me to work online or watch a streaming video without interruption – unless a connection problem arises!

I have found that sometimes there is a connection error: python raises an exception and execution stops.  If I’m running the script in IDLE the traceback is printed in the interactive shell, but when it runs in the background, scheduled every 5 minutes, I get no error information at all.  I am going to see whether a try/except block around the requests calls will deal with it, with the basic error text shown in a pymsgbox pop-up.  I can then investigate what’s up with the connection, whether the problem is with the hotspot or my own hardware.  Sometimes when I’m experiencing connection problems, I run diagnostics on the network connection and Windows resets my network adapter and that fixes the problem!
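As an added example (not the script from this post, and not anything BT ships), here is how the same check can be written so that a connection failure is reported rather than killing the scheduled run, and so that the “are we signed in?” decision does not hinge on the word DANTE appearing in one particular page.  It uses only the standard library.  The probe URL, the sign-in URL and the username/password field names are the ones from the post; the environment variable names BTWIFI_USER, BTWIFI_PASS and VPN_EXIT_IP, the 203.0.113.x and 198.51.100.x test addresses and the timeouts are assumptions made for the example.  The idea behind classify(): a captive portal hijacks whatever HTTP request you make, so if a probe of icanhazip.com ends up on a different host, or comes back with anything that is not an IP address, we are not signed in.

```python
"""Captive-portal state check and sign-in for a BTWifi-style hotspot.

Added example, standard library only.  Portal/probe URLs and form field
names come from the post; environment variable names, the TEST-NET
addresses and the timeouts are assumptions for illustration.
"""
import http.client
import ipaddress
import logging
import os
import urllib.parse
import urllib.request
from enum import Enum
from typing import Optional, Tuple

log = logging.getLogger("hotspot")

PROBE_URL = "http://www.icanhazip.com/"                  # from the post
LOGIN_URL = "https://www.btopenzone.com:8443/tbbLogon"   # from the post
TIMEOUT = 15                                             # seconds (assumption)


class State(Enum):
    ONLINE_VPN = "signed in, traffic going through the VPN"
    ONLINE_DIRECT = "signed in, but NOT on the VPN"
    PORTAL = "not signed in: captive portal is intercepting"
    UNREACHABLE = "no connectivity at all"


def parse_public_ip(body: str) -> Optional[str]:
    """Return the address icanhazip sent, or None if the body is something
    else (a captive portal answers HTTP probes with its own sign-in HTML)."""
    try:
        return str(ipaddress.ip_address(body.strip()))
    except ValueError:
        return None


def classify(final_url: Optional[str], body: Optional[str], vpn_ip: str) -> State:
    """Turn a probe result into a State.  final_url is where the probe ended
    up after redirects (None if the request failed); body is what it got."""
    if final_url is None or body is None:
        return State.UNREACHABLE
    # A portal redirects any HTTP request to itself, so landing on a host
    # other than the one we asked for means we are not signed in.
    asked = urllib.parse.urlsplit(PROBE_URL).hostname
    landed = urllib.parse.urlsplit(final_url).hostname
    if landed != asked:
        return State.PORTAL
    ip = parse_public_ip(body)
    if ip is None:            # right host, but not an IP: still intercepted
        return State.PORTAL
    if ip == str(ipaddress.ip_address(vpn_ip)):
        return State.ONLINE_VPN
    return State.ONLINE_DIRECT


def probe(url: str = PROBE_URL, timeout: float = TIMEOUT) -> Tuple[Optional[str], Optional[str]]:
    """Fetch url following redirects.  Network trouble is logged and returned
    as (None, None) instead of crashing an unattended, scheduled run."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.geturl(), resp.read(4096).decode("utf-8", "replace")
    except (OSError, http.client.HTTPException) as exc:
        log.warning("probe of %s failed: %s", url, exc)
        return None, None


def sign_in(user: str, password: str, timeout: float = TIMEOUT) -> bool:
    """POST the portal's form.  urlopen verifies the TLS certificate by
    default; do not disable that on a public hotspot."""
    data = urllib.parse.urlencode({"username": user, "password": password}).encode()
    req = urllib.request.Request(LOGIN_URL, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status < 400
    except (OSError, http.client.HTTPException) as exc:
        log.error("sign-in failed: %s", exc)
        return False


def main() -> None:
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
    vpn_ip = os.environ.get("VPN_EXIT_IP", "203.0.113.7")   # assumption: your VPN's exit address
    state = classify(*probe(), vpn_ip)
    log.info("%s", state.value)
    if state is State.PORTAL:
        # Credentials come from the environment, not from the script file.
        user, password = os.environ.get("BTWIFI_USER"), os.environ.get("BTWIFI_PASS")
        if not user or not password:
            log.error("set BTWIFI_USER and BTWIFI_PASS before running")
            return
        log.info("sign-in %s", "succeeded" if sign_in(user, password) else "failed")


if __name__ == "__main__":
    main()
```

Run from Task Scheduler with logging redirected to a file and you get a record of every failed probe instead of a silent crash; the ONLINE_DIRECT state is the one to alarm on, since it means the hotspot let you through but the VPN is not up.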

If anyone has any suggestions about this script please let us know in Comments.  Constructive criticism is welcome.  If anyone else finds this helpful (perhaps you also use a BTWifi-with-FON hot spot?), let us know!  And maybe buy me a coffee…?  🙂



Download Windows for FREE!!

28/04/2018

Do you use a Microsoft Windows operating system (eg Windows 7, Windows 8.1, Windows 10) but you’ve lost the installation DVD? Or maybe your computer came with Windows pre-installed and you never had the DVD?  This may have never presented a problem before, but if something goes wrong with your computer you may need that disk to fix it.  And I’m sure you realise just how expensive Windows software can be.

Fortunately Windows installation media can be downloaded for free.  And I’m not talking about “pirate” software from a dodgy torrent uploaded by someone in Uzbekistan.  No, you can download Windows operating system DVD images – Windows 7, 8.1 and 10 – from Microsoft’s website, for free, zero, nada, and it’s not a crack, a “hack” or a hijack!

Of course we’re talking about Microsoft here, which means you ain’t really getting something for nothing.  You can download the installation disk image, and it even comes with the disk-burning software to put it on a DVD or USB stick – but to install the operating system you need to already have a product key/license for the computer you wish to install it on.  But hey, this is pretty good nonetheless.  I know people who have bought a new Windows DVD because their computer got screwed up and they needed to re-install the operating system.  If we’d known about this at the time we could have saved our friends a pretty penny (as new Windows DVDs cost many pretty pennies!).

So, here are the links to the download pages – Windows 7, Windows 8.1, and Windows 10.  Remember, to re-install your OS you will need to know your product key – so find out what it is now, don’t wait until your computer is screwed up!  There’s a guide at this link that describes how to discover your product key (a 25-character alphanumeric code that looks like this -> PRODUCT KEY: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX). It can be as simple as copying the code from a sticker on the bottom of the laptop, or as involved as writing and executing a powershell script. My preferred method is the command prompt method:

  • open up a command prompt with administrative privileges (right-click the cmd icon and choose “Run as administrator”)
  • paste in this command: wmic path softwarelicensingservice get OA3xOriginalProductKey
  • you’ll get the product key in a response that looks like this:

OA3xOriginalProductKey
6XX6X-8XX88-XXX2X-44XXX-XX33X

This reads the OEM key that manufacturers embed in the firmware of machines shipped with Windows 8 or later.  On an older machine, or a retail installation, the field comes back empty and you are back to the sticker or the powershell route.

However, although all this is perfectly legal and even encouraged by Microsoft, stay wary of the proprietary software pushers!  PC reseller and recycling advocate Eric Lundgren was sentenced to 15 months in prison for copying and selling these DVDs.  Officially his crime was “conspiracy to traffic in counterfeit goods and criminal copyright infringement”.

The tech-ignorant judge, and the patently-disingenuous prosecution and Microsoft-supplied “expert” witness, made out that he was selling pirated software even though the software is available legally on Microsoft’s own website.

Afterwards Microsoft and the court said this was about infringement of copyright because Lundgren had printed Microsoft logos on his DVDs.  But  if that was the issue, why didn’t they prosecute him for this charge?

What it boiled down to was this: the disk images can be downloaded free of charge, but Microsoft also makes money on the side by selling the discs to resellers for $25.  That cannot make Microsoft much money, but some resellers cannot be bothered to download and burn the disks themselves, so they buy these ridiculously expensive discs and pass the cost on to their customers.  Lundgren saw a way to make himself some cash and encourage reuse of old computers.  Microsoft (in my opinion) saw this as undercutting its petty-cash-on-the-side racket and went after him in court, painting him as a pirate and counterfeiter, with the aid of a prosecution I consider dishonest and a judge who at best did not understand the technology and at worst was also in Microsoft’s pocket.  (In my opinion.)

Anyway.  Although this free download service may save you some money, make sure it doesn’t save you too much money. Or Microsoft and its paid-for lackeys in the legal profession might come after you.  After all we can’t be allowed to threaten Microsoft’s bottom line can we?  There are far too many vested interests there.



“Guerilla Open Access Manifesto” by Aaron Swartz

29/07/2017


Aaron Swartz was a computer programmer, writer, political organiser, hacker, and hacktivist of note.  Amongst other accomplishments he founded Watchdog.net, “the good government site with teeth,” to aggregate and visualize data about politicians; he was a co-founder of the Progressive Change Campaign Committee and Demand Progress; with Virgil Griffith he worked on Tor2web, an early (2008) HTTP proxy for Tor hidden services; and with Kevin Poulsen he created DeadDrop (now known as SecureDrop), a mechanism allowing whistleblowers to send files to the media anonymously.  He was prosecuted for bulk-downloading the articles in JSTOR, a digital repository of academic journals, so that they could be made available to everyone for free.  He refused a plea bargain that would have seen him serve 6 months in a low-security prison, preferring to make the authorities justify the prosecution.  He faced a possible 50 years of imprisonment and $1 million in fines, for pursuing the hacker belief that all information wants to be free.  Swartz committed suicide on January 11, 2013.  After his death, federal prosecutors dropped the charges.  [Thanks to Wikipedia.org for the above.]  He was a champion for freedom, in the best hacker tradition, and nine years ago he wrote the following manifesto.

Guerilla Open Access Manifesto

Information is power. But like all power, there are those who want to keep it for themselves. The world’s entire scientific and cultural heritage, published over centuries in books and journals, is increasingly being digitized and locked up by a handful of private corporations. Want to read the papers featuring the most famous results of the sciences? You’ll need to send enormous amounts to publishers like Reed Elsevier.

There are those struggling to change this. The Open Access Movement has fought valiantly to ensure that scientists do not sign their copyrights away but instead ensure their work is published on the Internet, under terms that allow anyone to access it. But even under the best scenarios, their work will only apply to things published in the future. Everything up until now will have been lost.

That is too high a price to pay. Forcing academics to pay money to read the work of their colleagues? Scanning entire libraries but only allowing the folks at Google to read them? Providing scientific articles to those at elite universities in the First World, but not to children in the Global South? It’s outrageous and unacceptable.

“I agree,” many say, “but what can we do? The companies hold the copyrights, they make enormous amounts of money by charging for access, and it’s perfectly legal — there’s nothing we can do to stop them.” But there is something we can, something that’s already being done: we can fight back.

Those with access to these resources — students, librarians, scientists — you have been given a privilege. You get to feed at this banquet of knowledge while the rest of the world is locked out. But you need not — indeed, morally, you cannot — keep this privilege for yourselves. You have a duty to share it with the world. And you have: trading passwords with colleagues, filling download requests for friends.

Meanwhile, those who have been locked out are not standing idly by. You have been sneaking through holes and climbing over fences, liberating the information locked up by the publishers and sharing them with your friends.

But all of this action goes on in the dark, hidden underground. It’s called stealing or piracy, as if sharing a wealth of knowledge were the moral equivalent of plundering a ship and murdering its crew. But sharing isn’t immoral — it’s a moral imperative. Only those blinded by greed would refuse to let a friend make a copy.

Large corporations, of course, are blinded by greed. The laws under which they operate require it — their shareholders would revolt at anything less. And the politicians they have bought off back them, passing laws giving them the exclusive power to decide who can make copies.

There is no justice in following unjust laws. It’s time to come into the light and, in the grand tradition of civil disobedience, declare our opposition to this private theft of public culture.

We need to take information, wherever it is stored, make our copies and share them with the world. We need to take stuff that’s out of copyright and add it to the archive. We need to buy secret databases and put them on the Web. We need to download scientific journals and upload them to file sharing networks. We need to fight for Guerilla Open Access.

With enough of us, around the world, we’ll not just send a strong message opposing the privatization of knowledge — we’ll make it a thing of the past. Will you join us?

Aaron Swartz

July 2008, Eremo, Italy


