Category Archives: Web/Tech

App Privacy Workshop

I gave an application privacy workshop at Code for Boston on Tuesday. They recorded my talk:

I posted the slide deck as a PDF. Feel free to offer suggestions in the comments.

Some of the topics I need to add to the presentation:

  • highlight privacy and security testing;
  • having development/test servers and how to sanitize the data in the development/test database;
  • more about SQL/XSS Injection attacks;
  • review the video for other topics to add.

Patreon made it easier to troll its users

Scott Helme is an Information Security Consultant. He has a Patreon account on which he posts about computer security issues and through which he takes in donations for each blog post. Recently he found out that Patreon had suspended his account:

He could still post and people could still sign up to support him, but, taking a page from PayPal, Patreon prevented him from withdrawing any of the money people had donated. Eventually, Patreon completed its investigation and emailed him that he was good to go. He eventually discovered that:

He estimates that account withdrawals were suspended for between 18 and 47 days.

Account takeovers are a real problem. Had his account actually been taken over, it would be good if the attacker couldn’t take his money out, and notifying the account that Patreon thinks it might be hacked could tip off the hacker. In that light, it could make sense to act as they did.

Having multiple other methods of contacting the user would have helped in this case, unless email, phone number and Signal were all compromised. Patreon would need to prove they are who they say they are, of course, since phishing is a problem as well.

That all said, going from one fraudulent pledge to account takeover seems a stretch.

But this incident reminded me of Violet Blue‘s reporting in Engadget about a troll campaign against women ASMR video creators:

Capitalizing on entrenched and easily exploitable anti-sex policies by internet giant payment processors and a new internet sex panic ushered in by FOSTA, 8chan trolls have started a campaign to mass-report attractive women who make ASMR videos. Listing names of women making these sound-effect videos in a forum thread called “PayPal lowering the hammer on ASMRtits” they’ve declared war by posting links to report pages for PayPal, and called upon fellow haters to get the women kicked off YouTube and Patreon as well.

… and that Patreon has just added another method for trolls to harass Patreon’s users. If all it takes is one fraudulent-looking donation landing in someone’s account to flip the Account Hacked bit, trolls will use Patreon’s process to suspend a user’s ability to withdraw their money for two to six weeks. That would screw up the life of anyone who makes a living via Patreon.

Patreon has more than a customer service problem.

Hate your ISP? Help form a community ISP

Today, during the monthly Somerville Cryptoparty, there will be a discussion on how we can move forward with developing a community mesh network in the Boston area. It will be from 6-9pm at The Sprouts, 339R Summer Street, Somerville. The Sprouts is in the garage at the back of the driveway. Unfortunately, it is not wheelchair accessible.

On Saturday, February 10th, there will be a Community Meshnet Workshop from 1-4pm at the Somerville Public Library, 79 Highland Ave, Somerville.  The Somerville Public Library is wheelchair accessible. The Somerville Cryptoparty folks put together this flyer for the February workshop. I would appreciate it if you downloaded it and put it up around your neighborhood. You can also share the Somerville Cryptoparty page or the February Facebook event.

Hope you can make it and please spread the word about these events. Thanks!

Downloading your images from Typepad

The transition from Typepad to WordPress has been a bit haphazard, but I should have finally removed most of the references.

One of the things you need to move over is the images Typepad hosts for you. Unless they are in a photo album, they will be in the <your user id>.typepad.com/.a/ directory. To get them, export the contents of your Typepad blog and save it. It will be saved as Unnamed_Comet_Asset.txt.

Once I had that file, I used this Bash script (on a Unix OS) to generate another script that fetches the files. Be sure to replace <your user id> with your Typepad id.

#!/bin/bash
# Each sed line pulls one kind of asset URL out of the export (the last matching
# URL on each line) and turns it into a wget command. The first line creates
# wget.sh; the other two append to it.
sed -n 's/.*\(http:\/\/<your user id>.typepad.com\/\.a\/[a-z0-9]*-[0-9]*si\).*/wget \1/p' Unnamed_Comet_Asset.txt > wget.sh
sed -n 's/.*\(http:\/\/<your user id>.typepad.com\/\.a\/[a-z0-9]*-[0-9]*wi\).*/wget \1/p' Unnamed_Comet_Asset.txt >> wget.sh
sed -n 's/.*\(http:\/\/<your user id>.typepad.com\/\.a\/[a-z0-9]*-pi\).*/wget \1/p' Unnamed_Comet_Asset.txt >> wget.sh
chmod 755 wget.sh

It is possible that there are other types of files whose filenames do not end with -*si, -*wi or -pi but those seemed to work for me.  Search through Unnamed_Comet_Asset.txt if you want to be sure.
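Here is an added example of the same idea, written for this page rather than taken from the post above. It covers the three suffixes in one pattern, picks up every URL on a line rather than only the last, removes duplicates so each image is fetched once, and restricts the list to your own <id>.typepad.com host so that nothing else linked from your posts ends up in wget.sh. It also counts the /.a/ URLs on other hosts that it leaves out, so you know what to look for when you review the generated script. The export file name and the URL layout come from the post; TYPEPAD_ID, the function names and the sample asset ids in the constructed export are my own placeholders.

```shell
#!/bin/sh
# Added example, not the script from the post. Builds wget.sh from a Typepad
# export for one user id. The suffixes (-<n>si, -<n>wi, -pi) and the export
# file name are from the post; everything else is assumed.

TYPEPAD_ID="${TYPEPAD_ID:-exampleuser}"   # placeholder: set to your own id

# Constructed stand-in for Unnamed_Comet_Asset.txt; the asset ids are made up
# and the "one or more image URLs per line" layout is an assumption.
make_sample_export() {
  cat > "$1" <<'EOF'
BODY:
<p><a href="http://exampleuser.typepad.com/.a/0123abcd4567ef89-pi"><img src="http://exampleuser.typepad.com/.a/0123abcd4567ef89-320wi" /></a></p>
<p><img src="http://exampleuser.typepad.com/.a/0123abcd4567ef89-800wi" /></p>
<p><img src="http://exampleuser.typepad.com/.a/89fedcba76543210-120si" /></p>
<p><img src="http://otheruser.typepad.com/.a/89fedcba76543210-pi" /></p>
<p><img src="http://exampleuser.typepad.com/.a/0123abcd4567ef89-320wi" /></p>
EOF
}

# Print every distinct asset URL on your own host, one per line.
# $1 = export file, $2 = your Typepad id.
# grep -o reports each URL on a line separately, and sort -u drops repeats.
extract_asset_urls() {
  grep -oE "http://$2\.typepad\.com/\.a/[a-z0-9]+-([0-9]*[sw]i|pi)" "$1" | sort -u
}

# Count /.a/ asset URLs that point at some other typepad.com host, i.e. the
# ones the generated script deliberately skips. Prints 0 when there are none.
count_other_hosts() {
  grep -oE 'http://[a-z0-9.-]+\.typepad\.com/\.a/' "$1" \
    | { grep -vc "^http://$2\.typepad\.com/" || true; }
}

# Write an executable wget script. $1 = export, $2 = id, $3 = output path.
write_wget_script() {
  {
    echo '#!/bin/sh'
    extract_asset_urls "$1" "$2" | sed 's/^/wget /'
  } > "$3"
  chmod 755 "$3"
}

# Stand-alone use: ./typepad_assets.sh --run in the directory holding the
# export. If no export is present, the constructed sample is written instead.
if [ "${1:-}" = "--run" ]; then
  [ -f Unnamed_Comet_Asset.txt ] || make_sample_export Unnamed_Comet_Asset.txt
  write_wget_script Unnamed_Comet_Asset.txt "$TYPEPAD_ID" wget.sh
  skipped=$(count_other_hosts Unnamed_Comet_Asset.txt "$TYPEPAD_ID")
  echo "wrote wget.sh; skipped $skipped asset URL(s) on other typepad.com hosts"
fi
```

As with the post's script, read the generated wget.sh before running it; the "skipped" count tells you whether any images you care about live on a host other than your own and need to be handled separately.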

Once wget.sh is generated, look it over and make sure that it looks right, then run it:

./wget.sh

It will dutifully download all of your images. I copied them over to a .a directory on my hosting provider, then updated the references in the blog posts. Ideally, you should make those updates in a copy of Unnamed_Comet_Asset.txt, then import it into your site.

You will need to run this script for each blog you have hosted at Typepad. Be sure to use a different directory for each blog so that one blog’s wget.sh does not overwrite another’s.

I have a script for getting all of the files from your Photo Albums that I will post about in the future.

SSL Migration Progressing (Updated)

Update: I have installed SSL certificates for all of my sites which have images on this site. All of the side bar images are back up.

One of the reasons I migrated from Typepad to another hosting provider was so I could enable SSL on my site. Making sure your site supports SSL is one of the basic things you can do to support encrypting the web.

I set it up for my main domain a few weeks ago, but since some of the images I use are on sites that didn’t use https, my blog did not appear to be completely secure.

I have added SSL to two of my (sub-)sites, and will finish the rest tomorrow. I have removed the non-SSL widgets so the site shows a nice green lock and will add them back when they are all set. As an added bonus, I removed a bunch of tracking JavaScript that Typepad adds to its photo galleries that I don’t need.

One upshot of this effort is that I have a nice set of instructions that work for my setup, which will help speed the process in the future.

How to kill standalone social networks

Yasssu has an interesting interview with Eben Moglen about a variety of topics including government surveillance, privacy, and sharing:

The topic that drew my attention to the video was his contention that Facebook would only last for about ten years before the open web and open alternatives to it won out. He cites Diaspora, GNU Social and other efforts as the tools that are leading the way to that change, and I generally agree with him. However, the flaw I see with that approach is that the variety of social services available is increasing at a rate that a canned aggregation service will not be able to keep up with. What is needed is an API for:

  1. who is your friend or who you follow and thus who you trust;
  2. the different services to share updates you make on the service;
  3. the different services to talk to an aggregator.

Item 1 can leverage OpenID and OAuth, and there are projects such as Portable Contacts, DiSo, FOAF and XHTML Friends Network that can be built upon (or rebuilt) to provide the secure social connection information.
Item 2 requires a defined API and a willingness on the part of social services to support it. However, RSS is pretty prevalent, so building off of that shouldn’t be a complete jump into the dark.
I am not convinced that Item 3 is desirable even on a local level. Rather, the only thing I think we need to host is our public and private connection information. Once we have that information, it would be possible to use a JavaScript browser plug-in that pulls in our connection information and builds a status page of what our friends are doing.
With these tools in place, we won’t need Facebook, Google+ or other specific social network services to act as a man in the middle to our social lives on the net.
I do like his suggestion that we all have our own plug computers running a server like FreedomBox that act as VPN, host our website, etc.
He touches on a wide variety of other points that I find useful, and his quotes are direct and pithy, so please take the time to watch it.

I’ll be at the Liquid Feedback Hackathon this Sunday, 3pm

The German Pirate Party created Liquid Feedback over a year ago to allow party members to debate and decide on their platform and other issues. They have been using it successfully. Here is a video explaining it (in English):

On Sunday, 7/1, I will be helping with the Massachusetts Pirate Party’s hackathon to get our own copy of Liquid Feedback running. We will start at 3pm and will go until we are done or until asked to leave, whichever comes first.  The hackathon will be at 45 Bromfield #2, Somerville 02144.

Please sign up if you want to help so we know who will be there.

If you cannot make it in person, then you can join us on the #masspirates IRC channel at pirateirc.net. We will also post our progress under the #masspirates Twitter hashtag.

Links 6/25/2012

Slides of my copyright talk available. Comments welcome.

I had a great time presenting my talk at the Play-jurisms conference this last Saturday. I stayed up until 3:30 am to finish the slides for the talk. Considering that I was typing away in bed while my wife slept, she was very understanding. The talk didn't suffer from my being up so late writing it, but no doubt I can improve it. I did end up changing the title from what I had originally envisioned, but I felt the new title better matched the spirit of the conference.

You can view the slides as a pdf if you want.  Comments are most welcome.