Category Archives: Security

Computer Security Related topics

SP3

I started running a public sp3 server today. It’s a small side-project I’ve hacked together over the last couple weeks to make it easier for people to play with packet spoofing. The server works similarly to a public proxy, but with the trade-off that while it won’t send high-volumes of traffic, it will allow you to send arbitrary IPv4 packets from any source you want.

There are a few fun applications that need this capability that I’ve been thinking of: helping with NAT holepunching of TCP connections; characterizing firewall routing policies; and for cover traffic in circumvention protocols. I think there are others as well, so I wanted to start running a server to see what people come up with.

The code is on github.

The state of Internet Censorship

I’ll be presenting next week at 32C3 on the state of Internet access, transparency, and measurement. Lots of the work is done each year on measuring and learning about the state of access, but this phenomenon with growing relevance to many countries is poorly publicized. Much of this is a fear that being too public about what can be measured will make the network operators move to even more opaque techniques, since in many instances these systems are seen to thrive in structures without accountability.

Needless to say, it has been a busy year in the space, with increased funding for the measurement community and a multitude of new policy in response to ISIS and other perceived threatening uses of Internet Speech.

I’m excited to be heading back to Germany for the holidays, and hope to provide a reasonable survey of what’s out there and make the network measurement field a bit more accessible!

IETF and the HRPC working group

The Internet Engineering Task Force, the multi-stakeholder organization which shepherds the standards process for many of the technologies used on-line, is continuing to evolve that process. Protocol standards are already expected to include discussions on their security and privacy implications, in order to force an explicit conversation on those issues and hopefully encourage the development of secure systems. Beyond these, a new working group, the Human Rights Protocol Considerations group, was chartered last week. The group exists as part of the process of having another conversation around new protocols as they exist: what are the implications for freedom of expression and freedom of assembly that are wrapped up in our protocol design.

It seems like a question worth considering, especially as the IETF’s major contribution will be increasingly international. Many protocols emerging today are build by individual companies and are proprietary. We can hope however that it is at the boundaries of these walled ecosystems we create that standard protocols will need to be agreed upon. These boundaries will parallel our cultural discontinuities, and represent important places to have these conversations.

The group is drafting a methodology document as part of the background for proposing the update to the standards process. It’s an interesting way of thinking about protocols – how do they control or support individual expression? – that I hadn’t thought of before in those terms.

Lets Encrypt

I’ve begun to transition this site to use Lets Encrypt! for signing of SSL. Because the site has specified an HPKP previously, a transition period is needed where clients can see the old certification signing the intention to transition to the new certification.

That process has started, and the full transition will happen in a couple months. The good news is that the letsencrypt setup process was otherwise painless.