UnblueUnblue

One trillion dollars

Alex — Sat, 12 May 2012 16:23:05 +0000

It always riled me that, with so much crap in the world, the powers that be can piss away money on nothing but greed. I remember reading an article a year or two ago that discussed oil control being the real reason for the second Iraq war, and specifically the cost of that war. It noted that the cost to date was in the trillions of dollars (I seem to recall approximately $3tn), but that an estimate for the cost of: developing an environmental alternative to oil, developing and building the distribution infrastructure, developing the cars to use it, and giving one of those cars to every family in America for free… would come to somewhere around $1-2tn. Of course it also noted that neither shareholders and CEOs of weapons and arms companies, nor those in the military establishments, nor those in oil companies, would make their quick buck if that were to happen. All of which saddens me.

So, I like it when I read other peoples’ comments expressing that same sentiment. From Slashdot today:

So why spend 20 years and 1 trillion dollars building a ship to explore the solar system?

Because it’s better than spending a trillion dollars to kill brown people with oil.

Hear hear!

For more ideas, see http://pol.moveon.org/trillion/

Secure file transfer

Alex — Thu, 10 May 2012 06:34:09 +0000

Recently the conversation again came up about how to send big files to/from a customer. Over the past decade, this subject has cropped up every year or so, and one thing is constant: every client-facing consultancy has file transfer issues with their clients, and (almost) every client-facing consultancy does nothing to facilitate this. This ongoing lack of functionality is the very reason I built nFTP.

The most recent debate on this subject highlighted criticism of nFTP on a few points:

You have no idea what happens to information stored there. They really don’t provide much information on their key management, even with passphrase protected files … Who are their sys admins and what background checks do they perform, how are USB ports controlled, do they have Wireless IPS, etc … Should also question how a site provides this for free, for personal and corporate use.

These points are all valid concerns, though some of them are already clearly answered in the site’s blurb: If you provide a passkey, the file is encrypted as it is written to disk, and only a double-hashed version of that passkey is stored. It is also clearly stated that the site is free because it’s provided using excess server capacity, and that it’s not a guaranteed service because this free excess might become exhausted.

The sysadmins and background checks bit is all good and well, but the blurb also clearly states something else that is precisely what’s kicked off my current thought processes:

If you are truly concerned about security, you should encrypt your files before using any service – including ours – regardless.

You see, background checking sysadmins is a nice-to-have, but there are many published examples of rogue sysadmins/trusted parties. Relying on background checks is pretty dumb. As is relying on IPS, key management, USB device prevention, or anything else…

The recent debate criticized the fact that nFTP doesn’t reside on corporate-managed IP space… but it turns out that an alternative tool that does has no password protection – anybody in the world with the link can download the content regardless of whether they should be able to. I seriously question how this is more secure?!

So what does it take to securely send a file?

For all the reasons above you cannot trust a service, since it might be rogue or cracked. I built nFTP and while I know I’m ethical and the site is pretty secure, I agree that Joe Public shouldn’t implicitly trust me. But, that doesn’t differ from any other transfer medium: what makes you trust the WiFi hotspot in the office any more when the £20k/year IT monkey who put it in hasn’t been background checked either? So what if a server is in a particular IP space if it doesn’t protect the data and allows any global user to download it unchallenged?

So, I return to the original advice on nFTP. You should manually encrypt anything before you transmit it such that the plain text data is never beyond your personal control, even if the transfer mechanism further encrypts it. Should that encrypted data be compromised, either through cracking or rogue agents, what does it matter? (assuming you don’t encrypt it with a simple password!, and for that matter assuming your local machine isn’t already compromised also!).

You’ll want to know – to the best extent you can – who has downloaded your encrypted data; and, you’ll want to be able to delete that encrypted data once it’s transferred to minimize residual risk.

So, let’s cross those off:

You want a managed server in managed IP space? nFTP provides dedicated services precisely for this reason. What makes you think that your internal IP space is secure? It’s a risk.
You want to know that the service is run by honest parties? Well, you can’t. You’d have to know and trust the checking agency. You’d have to know and trust the agency that checks that agency, etc. Just look at the TSA and their staffing issues. Ultimately, it’s a risk.
You want to know the data is secure in transit (eg. over SSL)? Well, you can’t. You can try, and you can believe assertions by all means, but you ultimately have to trust the certificate authority… which is a risk.
You want managed access controls, either by user or network address? nFTP does this.
You want to be able to password protect/encrypt the download. nFTP does this.
You want to be able to track when your data is downloaded and by whom. nFTP does this.
You want to be able to delete your data once it’s downloaded. nFTP does this.
And finally, and most importantly, you want to be able to encrypt your data before transmission so its value (to an attacker who defeats all of the above) is reduced to zero. Use 7Zip (or any other compression/encryption tool).

I’m struggling to see the problem here. You see, perfect security implies zero functionality (you can’t produce the data in the first place without some risk of exposure!), but perfect functionality does not imply zero security: the trick is to realize it’s a risk management exercise. And ultimately, when the end user takes responsibility for that risk – say, by encrypting their data properly – then the transfer mechanism for sending that data shouldn’t really matter.

Paypal… a company with issues?

Alex — Wed, 09 May 2012 06:47:01 +0000

Back in the day I used Paypal a few times. Not because I had any desire to, but rather because I once purchased an item or two on eBay. And, back then I also got a load of Paypal-related spam and phishing attempts.

In the almost-10-years since I’ve not used them, and have also have zero Paypal-related spam. Until last week.

I logged in to review my account since it was used to make a single donation to Kiva. And in the intervening week, I’ve had a flood of spam and phishing attempts – which I can only attribute to Paypal having released my email address as again useful for such purposes. Unless it’s one hell of a coincidence, there’s only three options I can see, and none are good!:

Paypal employees sell my email address and its ‘active-ness’ to spammers and/or phishers.
Paypal is completely compromised by hackers/crackers/spammers/phishers.
Paypal IS spamming/phishing (though that seems rather absurd given they have my details anyway).

It’s a good thing I’m well-versed at binning spam and identifying phishes. I worry for those who are not.

Photos: Matt & Debs’ Wedding

Alex — Tue, 08 May 2012 18:45:29 +0000

T’was a lovely weekend at a lovely wedding down south.

Photos can be found at http://unblue.co.uk/g/mdwedding

Bat-crap crazy.

Alex — Fri, 04 May 2012 06:06:57 +0000

Courtesy of Boingboing (my endless supply of the weird, wacky, and inspiring) I have today discovered a whole new class of crazy.

The Freedom Of The Land Movement are quite literally … er … erm … hmm …

Nope, I’m lost for words. I think this quote from RationalWiki (my ultimate destination when Googling what the hell they were about) might in fact be the best summing up:

…their theory of the world is utterly spurious, and their practical approach is made entirely of magic beans and crack.

Cloud. Boom. Must be a thundercloud!

Alex — Tue, 01 May 2012 22:30:06 +0000

Since we’re so clearly in the midst of the dotcom bubble 2.0 I’ve been thinking about domain registration recently, and the bubble evidence has only been reinforced by the high number of parked/squatted domains around.

That got me thinking: unblue is a pretty good ‘cloud’-ey domain name.

Was I ten years early to the party?

Photos: Verona

Alex — Sun, 29 Apr 2012 11:32:06 +0000

Photos have now been posted online at http://unblue.co.uk/g/verona. Enjoy.

Photos: Dominica & Antigua

Alex — Sun, 29 Apr 2012 11:07:45 +0000

Photos have now been posted online at http://unblue.co.uk/g/caribbean. Enjoy.

Major server failure

Alex — Tue, 24 Apr 2012 11:41:27 +0000

A disk failure has meant the outage of all services today. Please refer to http://status.unblue.co.uk for live status updates, both now and in the future.

Just who are you servicing?

Alex — Mon, 23 Apr 2012 12:15:17 +0000

On 640 pending redundancies at CSC:

This action is necessary because the IT services market is changing, and our customers want competitive, new services with different contract and delivery models.

You mean to say, your customers didn’t want competitive services before? Or you mean that now they want ones that actually deliver something?