blog.world3.net

Phorm: the smoking gun

11/03/2008 – 13:22

Re-posted with permission from http://www.badphorm.co.uk/e107_plugins/forum/forum_viewtopic.php?632. Needs as much publicity as possible.

Many thanks to The Other Steve at the Register message board

http://www.theregister.co.uk/2008/03/10/isps_phorm_comment_target_market/comments/

Hey I said they were lying to us all the time.

OK PHORM PR GET OUT OF THIS you have been spreading lies over the internet, yet your patent says otherwise.

Posted Monday 10th March 2008 13:36 GMT

http://www.politicalpenguin.org.uk/blog/p,295/

Including information from Etregul’s patent, which at least one of us ought to have thought of, oh well.

Juiciest bits from the patent, because I know you’ll all love this, but go have a look, it’s a truly excellent piece. See if any of this sounds familiar…

“Furthermore, though the present disclosure discusses HTTP traffic in many examples, it will be appreciated that other types of protocols and traffic may be employed in connection with the targeted advertising system and method described herein.”

Woops.

“Context reader 40 is not limited to acquiring keyword or other contextual information pertaining to a given web page. Indeed, the browsing information may be collected so as to also include historical data pertaining to the browsing performed ”

Ouch.

“Based on analysis occurring at the proxy server, the proxy server may modify client-requested data it receives so that a targeted advertisement appears on a web page requested by a client”

Oh dear.

“As explained above, the context reader may be configured to more than just keyword and other contextual data pertaining to a given web page. The context reader may also include behavioral data (e.g, browsing behavior), other historical data collected over time, demographic data associated with the user, IP address, URL data, etc.”

Oh Phorm, have you been telling us some MASSIVE porkies or what ?

The patent (linked at the above blog) is pretty dense, as you would expect, and contains plenty more of this kind of stuff. No doubt Phorm’s hapless spinmeisters will be around to tell us that this isn’t the technology they are going to implement NOW, and who knows, they might even be telling the truth*. But Phorm have lodged a patent application for technology that does indeed do all the things they have just assured us that they definitely won’t do, ever, honest, we promise, cross our hearts.

Phail !

Props to Political Penguin for digging this up, looks like a smoking gun to me. Why patent a technology that you aren’t going to use ?

* Really, they might. After all they did have Simon Davies look at it.

By mojo | Posted in Uncategorized, networking, privacy, security | Comments (0)

Traffic shaping with pfSense

10/03/2008 – 18:54

A while back I wrote a guide to traffic shaping with pfSense. The pfSense wiki got broken, so I’m re-publishing it here for posterity. There is at least some useful info about calculating required upload bandwidth for a given download speed.

It is recommended that you use the Traffic Shaping Wizard to create a default set of rules from which to start. The rules the wizard creates can sometimes cope well with VOIP traffic, but need tweaking to accommodate other traffic.

As an example, let’s look at shaping P2P traffic. Assuming you used the wizard, there will be qP2Pup and qP2Pdown created already. When you launch a P2P app, you should see traffic in these queues. They are designed to carry the bulk P2P traffic, which normally slows your connection down. Other generic traffic, like web pages (HTTP), email, IM, VOIP etc will go into other queues.

Initially, the wizard sets all queues to 1% bandwidth. This is not enough. In particular, the queue qwanacks certainly needs more bandwidth if you do a lot of downloading. First, a quick note about ACK packets.

When you download, your computer needs to send (upload) ACK packets. These are basically saying “yep, I got that part of the download OK”. If the computer you are downloading from detects that an ACK has not been received, it assumes that the data was not received and sends it again. The rate at which ACKs are sent back is also used to help determine the maximum speed that you can download data at, so it’s important that ACKs get sent as soon as possible and don’t get dropped in order to keep your downloads flowing fast. Also, repeatedly dropped ACKs can result in dropped connections, web page time-outs etc.

When you download, qwanacks is where the ACK packets your computer sends out go. You need to make sure this queue has enough bandwidth to maintain your downloads. To work out how much bandwidth you need, there are two options. You could simply experiment, keeping an eye on the queue while downloading as fast as your connection will allow, or you could try and work it out. As a rough starting point, an NTL 10Mb/512Kb cable connection needs about 260-270Kb/sec of ACK packets to download at full speed.

Taking the above example, we can see that ACKs can consume 60% of the available upload bandwidth. Thus, qwanacks should have at least 60% bandwidth available (I use 65% for the above). If you set qwanacks like this, you should not see any drops in that queue. However, you will see a lot in qP2Pup, but that’s OK. P2P upload packets are just bulk traffic, not really important so it doesn’t matter if they drop a bit. qP2Pup will now be using what is left of the available upload bandwidth, after qwanacks has used up to 65% of it. You will probably want to increase the bandwidth allowance for qwandef as well, since this is where HTTP requests and other general uploads go, which chances are you want to be higher priority than qP2Pup. Bandwidth percentages need not add up to 100%, but unless you have a very slow connection you don’t need too much for qwandef since it is mainly small requests or the odd few kb of email.
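The "work it out" option above, as an added example (not part of the original guide): it estimates the upload bandwidth that ACKs need for a given download speed, and the download speed a given qwanacks share can cover when the uplink is busy. The TCP figures (1460-byte segments, one ACK per two segments, 64 bytes on the wire per ACK) and the reading of "Kb" as 1000 bits are assumptions, not values from the guide.

```c
#include <stdio.h>

/* Assumed TCP model (not from the original post): 1460-byte segments,
 * one delayed ACK per 2 segments, 64 bytes on the wire per ACK. */
#define MSS_BYTES      1460.0
#define SEGS_PER_ACK   2.0
#define ACK_WIRE_BYTES 64.0

/* Upload bits/s consumed by ACKs while downloading at download_bps. */
double ack_bps(double download_bps) {
    double acks_per_sec = download_bps / 8.0 / MSS_BYTES / SEGS_PER_ACK;
    return acks_per_sec * ACK_WIRE_BYTES * 8.0;
}

/* Share of the upload link qwanacks needs; headroom 1.1 adds 10% slack. */
double qwanacks_percent(double download_bps, double upload_bps, double headroom) {
    return 100.0 * headroom * ack_bps(download_bps) / upload_bps;
}

/* Download rate whose ACKs fit in a queue holding pct of the upload link. */
double download_bps_covered(double upload_bps, double pct) {
    double ack_budget = upload_bps * pct / 100.0;
    double acks_per_sec = ack_budget / (ACK_WIRE_BYTES * 8.0);
    return acks_per_sec * SEGS_PER_ACK * MSS_BYTES * 8.0;
}

int main(void) {
    double down = 10e6, up = 512e3;   /* the 10Mb/512Kb link from the text */
    printf("ACK traffic at full download: %.0f bit/s\n", ack_bps(down));
    printf("qwanacks share needed:        %.1f%%\n",
           qwanacks_percent(down, up, 1.0));
    printf("download covered at 1%%:       %.0f bit/s\n",
           download_bps_covered(up, 1.0));
    printf("download covered at 65%%:      %.0f bit/s\n",
           download_bps_covered(up, 65.0));
    return 0;
}
```

This idealized model comes out below the 260-270Kb/sec quoted above; raise `ACK_WIRE_BYTES` to account for per-packet overhead on your link, or trust the measured figure.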

By mojo | Posted in networking | Comments (4)

Avira Labs fail to identify malware, even when the analysis is done for them

10/03/2008 – 18:16

As a follow-up to my blog post about g-archiver, I submitted g-archiver to Avira Labs (makers of Anti-Vir) for analysis so it can be added to their database. Their web form didn’t have anywhere to add additional information, so I submitted by email instead with a link to the dissection of the code.

Despite being handed it on a plate, they failed to identify the threat:

This demonstrates exactly why you can’t trust anyone when it comes to computer security, even the good guys. g-archiver is a trojan, stealing your login details, but anyone using Anti-Vir or in fact any other AV program wouldn’t know just by scanning it. A test of 32 different AV programs showed they all passed it.

I will submit the file and the analysis to other AV vendors, hopefully eventually some of them will figure it out. I’m more hopeful open source and freeware software like ClamAV and Spybot will take notice.

By mojo | Posted in idiots, privacy, security, software | Comments (0)

Dephormation Firefox Add-On

10/03/2008 – 18:05

A new tool to fight Phorm: http://www.dephormation.org.uk/

This Firefox plug-in cannot stop Phorm from monitoring every web site you visit, reading your web mail (unless you use gmail via secure http) etc but it can at least mess up the tracking system. It’s a start.

What is really needed is a program to randomly surf the net while your PC is idle, filling Phorm’s logs up with rubbish. If enough people did it, their data would become worthless and their ad click rate would drop. Hitting them in the wallet is the only language these asshats seem to understand :(

By mojo | Posted in networking, privacy, security | Comments (1)

UK ISPs allowing Phorm fraudsters to track everyone!

08/03/2008 – 13:53

I was horrified when I read about Phorm. Virgin Media, BT and TalkTalk are teaming up with Phorm to track all web browsing on their networks. The tracking info will be used to spam subscribers with targeted ads. The privacy implications are mind-boggling…

I have already written a few letters of complaint, but it seems what it boils down to is there is no easy way to escape being monitored by Phorm – a company run by a fraudster who used to run the PeopleOnPage spyware. Their business is based on raping users’ privacy, and they clearly don’t give a damn. They do offer a rather pathetic “opt-out”, but for people who regularly clear their cookies it’s next to useless.

The bottom line is what they are doing is most likely illegal, breaching either the Data Protection Act, RIPA or the Human Rights Act. It seems moves are already under way to bring private prosecutions.

See http://www.badphorm.co.uk for more details. More good info here: Spyblog

So, how can we fight back? Well, aside from avoiding ISPs that use Phorm (not an option for many people unfortunately) tracking can be avoided either by using Tor or signing up with an encrypted VPN provider like Relakks or Perfect Privacy. Using a VPN is probably not a bad idea anyway, as is using OpenDNS, because it ensures UK agencies can’t spy on you without going to a lot of effort. Certainly, it should prevent any casual monitoring or censorship, and of course block Phorm.

I also recommend blocking Phorm cookies by adding the following to your blocked list in Firefox:

*.oix.*
*.phorm.*
*.sysip.*
*.webwise.*

By blocking cookies, Phorm will find it impossible to track your specific browsing habits. They will still see what sites you visit and deliver ads, just not be able to join all the dots.

Also sign the petition at: http://petitions.pm.gov.uk/ispphorm/

By mojo | Posted in idiots, law, networking, privacy, security | Comments (5)

G-Archiver stealing login details – a cautionary tale

08/03/2008 – 12:25

Today’s Coding Horror blog entry is rather disturbing, but not particularly surprising. In short, Dustin Brooks downloaded the free G-Archiver program to backup his gmail account. It didn’t work exactly as he wanted, so he used a .NET disassembler to check the source code. Amazingly, not only were the author’s login details hard coded in, but the program was sending an email with the login details of everyone who used the program to his account!

This kind of security breach is very hard to defend against, because no anti-malware software will detect it. Your firewall will need to allow the program access in order to backup your account. It’s not a virus, and even heuristic scanning probably wouldn’t see much wrong with a program sending emails too. I suppose it would be nice to at least warn the user that the program can do that.

The company that produces the software looks pretty dodgy. I suppose the lesson here is stick to open source software, where it’s hard to get away with that sort of thing.

By mojo | Posted in Uncategorized | Comments (1)

Defence against capturing passwords from memory

08/03/2008 – 00:09

I spotted this interesting bit of software on Hack a Day. The basic idea is to do a hard reset and boot a Linux environment, which can then dump the contents of the computer’s RAM, which will still contain any encryption keys and decrypted documents the user was working on.

It’s an old idea, in fact I used to do it when ripping music on the Amiga. Wait till it’s in memory, reboot and then scan for mods in RAM. However, there is a fairly simple defence too, which also worked on the Amiga.

All BIOSs offer the option to do a full memory check. That involves writing to every address in RAM and reading it back, which of course would overwrite any remnants of data left there. On many BIOSs there is no way to skip or disable this action before it has happened (typically you can only access the BIOS menu after the RAM check) and it would certainly not be hard to develop a BIOS module which would be impossible to disable.

On the Amiga a similar trick was possible using the Soft Reset Vector, which allowed you to run any code you like at reboot time.

By mojo | Posted in privacy, security | Comments (0)

USB HID descriptors and Windows

06/03/2008 – 20:03

While working on my USB/PSX joystick controller project I noticed that a) Windows isn’t very tolerant of some things and doesn’t care about other stuff, and b) MAME was giving some weird results.

In the end, the Windows thing came down to needing to pad out the reports the microprocessor was sending back to a multiple of 8 bits. It seems that Windows can’t cope with not being told what to do with unused bits in a byte, so you specifically have to mark them as usage type “undefined” to keep it happy. E.g. if you have 12 buttons, one bit each, resulting in a two byte report, you have to mark the unused 4 bits in the second byte as undefined. Linux and MacOS seem to be more tolerant. Maybe it’s just the existential quandary Windows is trapped in, forced to ask “why?” and so unable to cope with not knowing what those extra bits do.

Or, it’s just slack programming.

I’m thinking the latter. Windows copes quite well with other problems in the HID descriptor, like forgetting to change collection or usage page, which was causing MAME to give the fire buttons funny names. It still insists on numbering buttons from zero, but that seems to be normal behaviour as it happens with all USB devices. In that sense USB is a minefield of off-by-one errors, because you count bits from 0 yet need to number your buttons starting at 1, and indeed Windows shows them in the control panel applet starting at 1. Unfortunately the official HID descriptor tool accepts these kinds of errors as valid, so it’s easy not to notice them.
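The 12-button case above, as an added example (constructed here, not the author's firmware or descriptor): the same report descriptor with and without the 4 filler bits, plus a small walker that totals the Input bits so a build can check the report ends on a byte boundary. The filler is declared with the standard Input (Constant) item; the walker assumes short items only and no Report IDs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: joystick with 12 one-bit buttons (usages 1..12). */
#define BUTTON_ITEMS \
    0x05, 0x01, /* Usage Page (Generic Desktop) */ \
    0x09, 0x04, /* Usage (Joystick)             */ \
    0xA1, 0x01, /* Collection (Application)     */ \
    0x05, 0x09, /*   Usage Page (Button)        */ \
    0x19, 0x01, /*   Usage Minimum (1)          */ \
    0x29, 0x0C, /*   Usage Maximum (12)         */ \
    0x15, 0x00, /*   Logical Minimum (0)        */ \
    0x25, 0x01, /*   Logical Maximum (1)        */ \
    0x75, 0x01, /*   Report Size (1 bit)        */ \
    0x95, 0x0C, /*   Report Count (12)          */ \
    0x81, 0x02  /*   Input (Data,Var,Abs)       */

/* padded_desc adds Report Count (4) + Input (Constant); 0xC0 ends the collection. */
static const uint8_t unpadded_desc[] = { BUTTON_ITEMS, 0xC0 };
static const uint8_t padded_desc[] = { BUTTON_ITEMS, 0x95, 0x04, 0x81, 0x01, 0xC0 };

/* Total bits declared by Input items; -1 on a long or truncated item. */
int input_report_bits(const uint8_t *d, size_t len) {
    uint32_t size = 0, count = 0, bits = 0;
    for (size_t i = 0; i < len; ) {
        uint8_t prefix = d[i++];
        size_t n = (prefix & 3) == 3 ? 4 : (size_t)(prefix & 3);
        uint32_t val = 0;
        if (prefix == 0xFE || n > len - i) return -1;
        for (size_t k = 0; k < n; k++) val |= (uint32_t)d[i++] << (8 * k);
        if ((prefix & 0xFC) == 0x74) size = val;                /* Report Size  */
        else if ((prefix & 0xFC) == 0x94) count = val;          /* Report Count */
        else if ((prefix & 0xFC) == 0x80) bits += size * count; /* Input        */
    }
    return (int)bits;
}

/* Filler bits still needed to reach a byte boundary (0 = already aligned). */
int padding_bits_needed(const uint8_t *d, size_t len) {
    int bits = input_report_bits(d, len);
    return bits < 0 ? -1 : (8 - bits % 8) % 8;
}

int main(void) {
    printf("filler bits needed: unpadded=%d padded=%d\n",
           padding_bits_needed(unpadded_desc, sizeof unpadded_desc),
           padding_bits_needed(padded_desc, sizeof padded_desc));
    return 0;
}
```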

PS. I will update the site soon with new schematics (true 3.6V signalling instead of the old 5V stuff) and firmware.

By mojo | Posted in hardware, windows | Comments (0)

Movie industry doing well despite piracy and shite movies

06/03/2008 – 19:23

Amazingly, according to Ars Technica, despite all the whining from the movie industry / MPAA they actually turned a $9,630,000,000 profit in the US last year, setting a new record. Arguably, Hollywood is churning out more crap than ever these days, and internet connections are slowly getting faster meaning more piracy. It’s even more amazing when you consider that pirate movies are usually better quality than the cinema or DVD, having equal picture quality but none of the irritation like DRM, forced viewing of adverts or morons giving a running commentary in the row behind you.

By mojo | Posted in idiots, networking | Comments (0)

Plastic bags – what's wrong with paper?

01/03/2008 – 21:15

The current hot topic here on Airstrip One seems to be plastic bags. Much as I hate to find myself agreeing with the Daily Hate Mail, they really should go. What I can’t understand is why everyone seems to dismiss paper bags out of hand.

The main complaint seems to be that they disintegrate in the rain. That simply isn’t true, as anyone who had ventured further than the channel and dared learn something of the bizarre alien culture they find themselves in will know. Those not so brave need to think it through a little. Milk cartons are made of cardboard, yet do not seem to disintegrate. Amazingly, paper can be treated, or simply made thick enough not to instantly turn into papier mache when damp.

As usual, the solution to the problem is not to simply do the obvious thing and give out free paper bags, but to turn it in to a money making scheme and charge for the plastic ones. Turn a small loss on free bags into a profit on them and still put hundreds of millions of bags in the ground every year. Only in Britain.

By mojo | Posted in idiots, politics | Comments (0)