Andrew Breese

Musings of a professional geek

Thwarting hackers with “honey encryption”?

A Boston Globe blog reported that a trickier approach to dealing with hackers might be a better one: essentially, make the data messy and it will not be as desirable. It certainly sounds interesting as a concept. Brainiac wrote “rather than trying to block hackers, maybe it’s better to distract them.”

The approach is built into a new piece of software called Honey Encryption, created by Ari Juels and Thomas Ristenpart, and it works on a simple model. After hackers steal a trove of encrypted data, they hunker down to crack the code. It can take them thousands of tries before they’re able to guess the right cryptographic key, and Honey Encryption makes them pay for each failed attempt.

Each time hackers enter the wrong password, Honey Encryption adds a piece of fake data to the dataset—by the time hackers finally get access to the data, it’s swimming with so many fake credit card numbers, for example, they’ll have no idea which ones are real.

Pardon? I think readers might be missing a key aspect here. The mechanism as described would only be plausible in a very specific, and very unlikely, circumstance.

For the approach as described to work, the “honey encryption” software would need to be running alongside the stolen data-set. Frequently when data is stolen the database itself is extracted en masse, and the encryption used on the information in it is broken later, offline, on the attacker’s own hardware. A hacker is not going to willingly run an application that sprinkles decoys into the data they are trying to crack. Is the assumption that the software for accessing the encrypted data is somehow packaged with the data in the DB? No. An online mechanism of that sort could only apply while the attack is happening against the live system, and otherwise it does not apply. The published scheme (Juels and Ristenpart, 2014) is actually something different, and the Globe’s summary garbles it: nothing is added on each failed attempt. Instead the plaintext is encoded before encryption so that decrypting the ciphertext under any wrong key yields a different but plausible-looking plaintext (a valid-looking credit card number, say) rather than garbage or an error. An offline brute-force attacker therefore gets a plausible answer for every guess and has no signal as to which one is real, and that property holds for the stolen copy with no software running anywhere.
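To make the offline property concrete, here is an added example (my own illustrative code, not Juels and Ristenpart’s implementation) of honey encryption for 4-digit PINs. The PIN frequency model is constructed for the demo, not real data; the fixed salt, PBKDF2 parameters and the simple seed-XOR-pad cipher are likewise assumptions made to keep the example small.

```python
import bisect
import hashlib
import secrets

# Constructed, illustrative PIN frequency model (not real data): every 4-digit
# PIN gets weight 1 and a few notoriously common PINs are weighted up.
PINS = [f"{i:04d}" for i in range(10000)]
_BUMPS = {"1234": 1000, "1111": 600, "0000": 200, "1212": 100, "7777": 100}
WEIGHTS = [_BUMPS.get(p, 1) for p in PINS]
TOTAL = sum(WEIGHTS)
_CUM = []            # start of each PIN's slice of the range [0, TOTAL)
_acc = 0
for _w in WEIGHTS:
    _CUM.append(_acc)
    _acc += _w

SEED_SPACE = 1 << 256          # seeds are 256-bit integers, stored as 32 bytes
_SALT = b"honey-demo-salt"     # assumed fixed salt for the demo; use per-record salts for real


def dte_encode(pin: str) -> int:
    """Distribution-transforming encoder: map a PIN to a uniformly random seed
    inside the slice of seed space proportional to the PIN's modelled probability.
    Common PINs own bigger slices, so random seeds decode to them more often."""
    i = PINS.index(pin)                       # raises ValueError for a non-PIN
    a, b = _CUM[i], _CUM[i] + WEIGHTS[i]
    lo = -(-a * SEED_SPACE // TOTAL)          # ceil(a * SEED_SPACE / TOTAL)
    hi = -(-b * SEED_SPACE // TOTAL)          # ceil(b * SEED_SPACE / TOTAL)
    return lo + secrets.randbelow(hi - lo)


def dte_decode(seed: int) -> str:
    """Inverse of dte_encode: every 256-bit seed decodes to some valid PIN."""
    scaled = seed * TOTAL // SEED_SPACE       # lands in [0, TOTAL)
    return PINS[bisect.bisect_right(_CUM, scaled) - 1]


def _pad(password: str) -> int:
    """Password-derived one-time pad for the 256-bit seed (PBKDF2 keeps guessing slow)."""
    return int.from_bytes(
        hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 20_000), "big")


def honey_encrypt(pin: str, password: str) -> bytes:
    return (dte_encode(pin) ^ _pad(password)).to_bytes(32, "big")


def honey_decrypt(ciphertext: bytes, password: str) -> str:
    """Never fails: a wrong password yields a plausible decoy PIN, not an error."""
    seed = int.from_bytes(ciphertext, "big") ^ _pad(password)
    return dte_decode(seed)


def brute_force(ciphertext: bytes, guesses: list[str]) -> dict[str, str]:
    """What an offline attacker sees: one valid-looking PIN per password guess,
    with nothing to say which guess was right."""
    return {g: honey_decrypt(ciphertext, g) for g in guesses}


if __name__ == "__main__":
    ct = honey_encrypt("4242", "correct horse battery")
    print("real  :", honey_decrypt(ct, "correct horse battery"))
    for guess, pin in brute_force(ct, ["password", "letmein", "hunter2"]).items():
        print(f"{guess:<10}: {pin}")
```

Note that the decoys are not uniformly random: because the encoder allocates seed space by modelled frequency, wrong passwords decode to “1234” and friends more often than to rare PINs, which is exactly what stops an attacker from filtering out the decoys by plausibility. Nothing here needs to run on the victim’s system after the theft.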

Software of this kind could also alert the admin teams very quickly that a potential attack is in progress. This is the approach taken with the “honeywords” concept (Juels and Rivest, 2013), where a number of deliberately false password hashes are stored alongside the real one for each user account, and a separate, hardened “honeychecker” is the only component that knows which entry is genuine. Stealing and cracking the password file alone does not tell the attacker which of the candidates is real, and a login attempt with one of the decoys is a strong signal that the file has been stolen and cracked, so it triggers an alert or other action. That makes a heap of sense.
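As an added example of that alerting idea (illustrative code written for this post, not the authors’ reference implementation), the following sketches the honeywords scheme: a login server that stores k hashes per user, a separate honeychecker that knows only the index of the real one, and a decoy generator. The chaffing method, k=5, the PBKDF2 parameters and the user names are all assumptions of the demo.

```python
import hashlib
import secrets
import string

_SYSRAND = secrets.SystemRandom()
_ITER = 20_000   # assumed PBKDF2 iteration count for the demo


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITER)


def tweak_tail(password: str, n: int = 2) -> str:
    """Chaffing-by-tweaking: replace the last n characters with random ones of
    the same class, so decoys look like the real password (Summer14 -> Summer83)."""
    if not password:
        raise ValueError("empty password")
    chars = list(password)
    for i in range(max(-n, -len(chars)), 0):
        c = chars[i]
        if c.isdigit():
            pool = string.digits
        elif c.islower():
            pool = string.ascii_lowercase
        elif c.isupper():
            pool = string.ascii_uppercase
        else:
            pool = string.punctuation
        chars[i] = secrets.choice(pool)
    return "".join(chars)


def make_sweetwords(password: str, k: int = 5) -> tuple[list[str], int]:
    """Real password plus k-1 honeywords, shuffled; returns the list and the real index."""
    words = {password}
    while len(words) < k:
        words.add(tweak_tail(password))
    sweet = list(words)
    _SYSRAND.shuffle(sweet)
    return sweet, sweet.index(password)


class HoneyChecker:
    """Separate hardened service that knows only user -> index of the real password.
    The login server's database alone never reveals which sweetword is genuine."""
    def __init__(self) -> None:
        self._real = {}
        self.alerts = []

    def register(self, user: str, real_index: int) -> None:
        self._real[user] = real_index

    def check(self, user: str, index: int) -> bool:
        if self._real[user] == index:
            return True
        self.alerts.append((user, index))   # honeyword hit: the hash file was cracked
        return False


class PasswordStore:
    """The login server: stores a salt plus k hashes per user, never the real index."""
    def __init__(self, checker: HoneyChecker) -> None:
        self._checker = checker
        self._users = {}

    def register(self, user: str, password: str) -> list[str]:
        sweet, real_index = make_sweetwords(password)
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, [_hash(w, salt) for w in sweet])
        self._checker.register(user, real_index)
        return sweet   # returned only so the demo can play the attacker; drop in production

    def login(self, user: str, candidate: str) -> str:
        """Returns 'ok', 'fail', or 'honeyword' (deny and raise an alert)."""
        salt, hashes = self._users[user]
        h = _hash(candidate, salt)
        matches = [i for i, stored in enumerate(hashes) if secrets.compare_digest(h, stored)]
        if not matches:
            return "fail"
        return "ok" if self._checker.check(user, matches[0]) else "honeyword"


if __name__ == "__main__":
    checker = HoneyChecker()
    store = PasswordStore(checker)
    sweet = store.register("alice", "Summer2014")
    print("what a cracked hash file yields:", sweet)
    decoy = next(w for w in sweet if w != "Summer2014")
    print(store.login("alice", "Summer2014"), store.login("alice", "nope"), store.login("alice", decoy))
    print("alerts:", checker.alerts)
```

The point of the split is that an attacker who steals and cracks the login server’s database sees five equally believable passwords per account; only by trying one does he learn which was real, and the honeychecker learns of the breach the moment a decoy is tried. A legitimate user never notices the decoys, since the real password still works.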

So the honeywords approach adds junk data into a live system to increase the ratio of bad data to good data for when it gets stolen? Yes, and as long as the good data is not altered by the “honey” then the end user is not affected, but the system owners can know of a potential exposure. Interesting.

How to almost sync with BitCasa mirrors

BitCasa is a free cloud backup tool, which has a basic mirroring function for files that you want to be automatically backed up into the cloud instead of scheduling a backup. I was looking for a replacement for SugarSync’s folder synchronisation feature, and BitCasa’s functions are close but not really there yet. It seems that they have a beta app which is based upon bittorrent, but again not for a live sync.

Aside – the BitCasa cloud solution is pretty neat. I’m impressed by what they offer and their price point. The paradigm that it uses is not an attached storage volume really, but more like an external drive which happens to be on a remote server. That drive is almost read-only to your machine, and certainly read only from any other machine that tries to access the files. It is cloud backup, not a sync service.

This is the scenario:

The initial setup was a folder on my laptop and one on my desktop that were set to always be kept in sync. This meant that files were always kept in reasonable sync, and I didn’t have to worry about manual copying or a scheduled copy which I might forget.

Now what I have is a folder in each location, both of which are copied up into BitCasa’s servers (yes, up into that fluffy white cloud of absolute trust). The difference is that each machine is used for slightly different things, so what I do on the laptop generally isn’t used on the desktop. The sync is for emergencies, so it might work.

The trouble is that each machine uploads the selected mirrored folder into a separate space in that cloud, and the two areas are never sync’ed together. I’d love them to, but for the purposes of having my files backed up somewhere, this is enough.

When I want to use a file that is in the other machine’s backup, it needs to be copied back down to the current machine and stored. Just like an offsite solution, you don’t go editing the back-up tape. Now that I get the mindset, I don’t mind so much. If something exceptional happens in the file-sync space I’ll probably post it here, but till then BitCasa will get a bit of playing around.

Happy backups.

SugarSync goes paid only, darn it

SugarSync has cancelled their free offering, in a similar time frame to LogMeIn. Like LogMeIn the product itself was solid, and it was tempting to pick up a paid service for SugarSync. Unlike LogMeIn though, the SugarSync people actually gave fair warning of the product going paid only, and offered a humongous discount for the people who are signing up. I reviewed and recommended SugarSync in Feb 2011 and have liked their product all this time. Unfortunately the reason I use it is not something that allows me to generate extra income, so it is harder to justify signing up for.

The free equivalent I’ve started trialling is BitCasa. They offer the same sync-a-folder option between two computers which was the key feature I liked. BitCasa offers a staggered set of storage options, including an unlimited one, which I’d be tempted to test to see how “unlimited” it really is, given that these things usually have some sort of cap written into the fine print.

I’ll write up the impressions of BitCasa shortly. Secretly I’m hoping I can get a few folk on it too, and up my default free storage.

Goodbye LogMeIn, maybe Chrome can help?

LogMeIn are stopping their free product dead, effective now. As a user of the free version I’m affected, was unaware it was coming, but I’m not surprised. There are snarky posts and comments starting up all over, but on this choice I kind of agree with LogMeIn.

They’ve given away a reasonable product for free to a very large user base for around 10 years, and now they wish to be paid. There is a kind of grace period for the cutoff too, but that grace period is very short so won’t do much to dissuade the “freeloading” masses. As a freeloader I say meh. My usage was low and irregular enough that I’ll not be paying for the service, and that also means I am certainly not the type of user that LogMeIn wishes to continue to support for free. I’ve had a great run and it is time to cash up or leave.

It is a pity that the base cost is very high. Superficially I think there is a lost opportunity for a pay-for-use option between the full yearly subscription and nothing. If it were more like a cup of coffee to use, and could be billed ad hoc, I’d give that some serious thought.

So yeah, the “important changes” are that it’s no longer there. Surprise. I’m uninstalling as I type.

As an alternative I’m first going to look at what Google Chrome Remote Desktop can do, and perhaps even think about a VNC type solution. And there is also TeamViewer which a lot of the LMI ex-users are talking about.

The regular rate of subscription is discounted for now, perhaps as a gesture of encouragement.

They’ve not really informed anyone in advance, and perhaps that was the strategy. There was never going to be a good reaction from the free users on taking away the product. So perhaps they cut them off quickly in the hope that their need for the product is urgent enough that they are kind of forced to pay for the product even if it is just until they get a replacement. But then the subscription is annual, so they’re locking in for a while.

A Twittertape machine

We were blathering at work this morning about a machine to take a twitter feed and print it out like the old ticker-tape devices used for stock market prices before computers took over. And like most crazy thoughts, somebody has already built it: The Twittertape Machine. I want one.

ebay is my curious $2 shop

Over the holidays I wasn’t regularly walking to and from work, and I noticed how it changed my approach to small casual purchases. Previously I’d pop in and out of various stores during lunch breaks and end of day to grab those small widget-things that geeks need to feed their hobbies. Small bags, catches, hooks, cables, connectors, etc. The opportunity to get a small widget straight away was my normal expectation.

Being at home and almost house-bound for the holidays meant that I went looking on the internet. Invariably for each widget I used ebay as a way to see what else is around in a similar vein, and to price the widget.

e.g. The price of importing a bag of 50x Cat5 network cable ends to my house is so much less than what is charged at the tech-chop-shops in the city. It seems at least half, sometimes 5x less in cost. I now have far more Cat5 ends than I think I’ll ever use. Thankfully they are really small.

It works exceedingly well for low value items and small things that can be easily posted. For me this is mainly because buying anything unseen is a risk, and buying it from Hong Kong, China, Taiwan, etc. is especially risky because there is basically no capacity from Australia to return an item or hold the vendor accountable. It might cost $1 to get a small widget into Australia, but it costs a lot more to get it back to China. That is assuming a refund policy is present and that it would be honoured.

It works poorly though for high value items, or items which will incur a large amount of postage. There are two very real crunch points: the distance a large item needs to be shipped and how expensive that is, plus the fact of how much more risk averse I am when larger amounts of money are involved.

e.g. I’d never buy a high end computer item from ebay. As a purchaser I want a point of local representation for warranty and issue resolution. Another example is buying power tools, where holding the item is part of the evaluation process. Some tools feel “right” when they are in your hands, and others feel like absolute junk. I can tell by look and feel that something is ok, and nobody can tell from a picture.

The items delivered are also sometimes poor versions of what I thought I was getting. One example was some hair-clips for my daughter, which looked fine in the picture, but were really cheap, nasty, and poorly constructed when I saw them. For a few dollars it was not worth the complaints process.

Lastly and probably most importantly of all is the difference in delivery time for an ebay item. Being in Australia means that most international orders take a very long time to arrive. That means planning or being patient. I guess that is part of the cost of a timely delivery, and something which the old $2 shops do provide. They take the overhead of importing some of the crazy, silly, and junky things that ebay provide and I can get them right when I want to.

A few items were recently purchased from Aussie sellers and that was great – a cabin hook arrived for $4 and it saved me walking through a Bunnings or Masters store for 30 minutes plus petrol. Easy communications and fast delivery. The postage might have been a little steep, but we pay a premium here for postage because the post generally always arrives.

For now I have 5x items arriving into Australia from various parts of the world, and I’m looking forward to each little present. Ebay is my $2 shop, and also my own little secret santa as well.

Happy shopping.

Programming Satire

[Language Warning, sensitive folk will not like the words which follow...*]

While flipping through SlashDot I found a link to Programming-Motherfucker, a satirical manifesto for coders.

Programming, motherfucker! (Photo credit: d0mix)

Initially I thought it was clever in a snarky “vent their frustration” kind of way. Dev folks frequently get frustrated and seeing something like this might help them keep calm and carry on.

Then I got to reading the site and it is actually useful. At the moment it derides and talks down the tasks peripheral to the coding, which is kind of a shitty approach, but given the target market for developer snarkiness it is acceptable. Preaching to the converted is always easier. That said, by also providing guidance (i.e. not a manifesto, but a link list) for how to code better, there is real material to be found within the questionable wrapper.

So as satire, it’s a good 5 second gag and might realise some value as a vent for frustration. As a manifesto, not so much.

If you are a frustrated dev (or a closet try-hard frustrated dev like me) then it might be worth a laugh.

If you are looking for a jump point on how to start learning a language from the perspective of a developer, then this is an excellent start. My advice is to totally ignore the blunt manifesto aspect of the site and seriously look into the links and the associated technologies. There are some cool things hiding in there.

* Perhaps having a warning of strong language on my blog is a little late or silly, but I can still see the trees in the forest of internet language, and sometimes it is better to say upfront that the content will be harsh. Especially if somebody actually clicks the links.

Clever cartoon by Abstruse Goose – Arithmetic for Beginners

This is how I think most website help is written. I know it isn’t true, but the Abstruse Goose comic “Arithmetic for Beginners” resonates profoundly. Kudos sir.

via Clever cartoon by Abstruse Goose – Arithmetic for Beginners.

Spammers are not quick learners

Across the three blogs that I write, there is a steady stream of spam comments. Anything from 5 to 200 comments a week which are never published, as they go straight to the spam bin. That is entirely normal for blogs. What I find odd is that it seems the same set of spammers are using automated systems to write clearly junk messages, and despite the fact that none of those messages ever get approved as comments they continue to send them.

For years I’ve seen the same junk arrive in the spam queue, and none has ever been published. I don’t even regularly view the spam comments as (a) it is so full of junk that finding a false positive is hard, and (b) I’ve never found a comment that was a false positive in all my years of blogging. A cynic might suggest that the real comments are too few; heh.

For me the spam queue is a funny odd place I visit periodically (once or twice a year) to have a laugh about how poor their systems are, and how good the WordPress spam filter is. It is regularly automatically emptied after a month, so it has a zero maintenance effort.

Why do they bother? Why can’t they learn?

I guess it is due to the fact that sending a spam message to a blog costs almost nothing. Principally, once the scripts and URLs are loaded a spam engine can send garbage throughout the internet with no real cost except the outbound data cost. Piggy-back that cost onto some other bulk subscription and it’s the same argument as spam email: if you “fool” one person in 100 million, then the cost is justified.

What a shitty system, and what an equally terrible model to try and make money.

If the system is more about trying to get back-links to create some sort of page rank then they’re really barking up the wrong tree trying to leverage from my blogs. Heck, I’d guess my blogs would be amongst the most obscure corners of the Internet.

  • Why don’t they upgrade and actually make a more intelligent system which spends more energy/time targeting the soft targets, and steers clear of the harder ones?
  • Include a check for the comment key phrase on the page where it was posted. If after 100 attempts there are zero live links, then stop creating spam for that server for a while.
  • Why is the content so obviously junk when you quickly cast your eyes over it? If the goal was eyeball exposure or to try and fool somebody into clicking, then almost all the messages need a grammar and spell check. This junk must be coming from an engine, so have some pride and spell check your work a little.

I could see a system which trawls the internet looking for regular content updates as valuable to them. If the same system also did a verification check for a useful back-link then you’ve found a great little site where the admin is asleep at the wheel, or thinks any traffic is good traffic. The basic logic of how to run a good exploit is not even being used, and that is a good thing, but it also kind of frustrates me.

Heck, if the spammers could click the right links then some of the pay-per-click fee systems might self-implode in a huge waste of money. The scammers get spammed and create self referential pits of useless comments and content.

Perhaps this is an opportunity for a better comment spam system. I’d not ever want to create that software as ethically I think that is worse than putting gambling ads on pension slips. How in hell do you even market software to spam people? …

In an ideal world the rest of the Internet could get on with what we’re up to, and only have to concern ourselves with the background hiss of wasted bandwidth from all the re-posts and never-read comments buzzing through the routers.

Not a bad thing at all I guess.
