Categories
CERT Internet

Attacking PayPal, Visa, and Mastercard

The story so far: WikiLeaks posted some secrets, the US government throws a hissy fit and some spineless companies see it as their “patriotic duty” to withhold service from WikiLeaks. This doesn’t especially endear them to the 4chan/Anonymous crowd, which then starts to DDoS the pushovers.

So how is a Civil Libertarian and Network Security guy supposed to react to that?

Two wrongs don’t make a right. There are better ways to show disgust at and punish those electronic money movers. Attacking their operation cannot be the right answer.

But: I’ve been arguing for years now that one of the few ways to actually shut down some of the real menaces of the Internet (not the imagined ones like WikiLeaks), such as spammers, fake AV software scams, Viagra/… sellers and other frauds, would be to deny them the credit card payment option.

Thus, MasterCard and Visa: if you are so eager to distance yourselves from WikiLeaks, when nobody can even tell you what actual laws they are supposed to have violated, why are you not able to deny service to the fraudsters when it is absolutely clear that they violate laws and cost the worldwide economy huge sums of money to clean up their crap?

Categories
Internet

The privacy of fonts on the web

Today, heise wrote about Linotype’s offer in the “fonts for webpages” market.

If I’m not mistaken, that’s not the first commercial offering of licensing fonts for the new CSS web-font (@font-face) feature. On one hand, this is a really good offer, as it allows amateur sites to use professional fonts for free, and commercial, high-traffic sites can use these fonts for a reasonable price.

But one thing bugs me about these offers: In order to enforce the pay-per-pagehit business model, these services need to serve the fonts from their own servers. That means:

  • On the plus side, potentially better caching between different sites.
  • But: the font servers implicitly track all visitors to the websites using these fonts. Every page view triggers a request to the font server, and that request carries the visitor’s IP address, User-Agent and (via the Referer header) the URL of the page being viewed.

Given all the privacy implications that embedded ads and social media gizmos (“click here if you like this”) are starting to raise, fonts seem to be the next thing you need to be careful about if you are conscious of the traces you leave in third-party access logs.
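To see which third parties get a request per visitor, one can scan a site’s stylesheets for @font-face sources that point off-site. The following scanner is an added example and not code from the original post or from any of the font services mentioned; the stylesheet, the site origin www.example.com and the foundry host fonts.example-foundry.net are constructed for illustration.

```python
"""Find web fonts a page loads from third-party hosts.

Added example (not from the original post): pulls every url() out of the
@font-face blocks of a stylesheet and reports the hosts that differ from
the site's own origin. Each such host sees a request (client IP,
User-Agent, Referer) for every visitor who renders the page.
"""
import re
from urllib.parse import urljoin, urlsplit

# Non-greedy: one @font-face block has no nested braces.
FONT_FACE_RE = re.compile(r"@font-face\s*\{(.*?)\}", re.DOTALL | re.IGNORECASE)
# url("..."), url('...') or url(...) with matching closing quote.
URL_RE = re.compile(r"""url\(\s*(['"]?)([^'")]+)\1\s*\)""", re.IGNORECASE)


def font_urls(css: str, base_url: str) -> list[str]:
    """Absolute URLs of all font sources declared in @font-face blocks."""
    urls = []
    for block in FONT_FACE_RE.findall(css):
        for _quote, ref in URL_RE.findall(block):
            ref = ref.strip()
            if ref.startswith("data:"):  # inline font, no request to anyone
                continue
            # Resolves relative and protocol-relative (//host/...) references.
            urls.append(urljoin(base_url, ref))
    return urls


def third_party_font_hosts(css: str, base_url: str) -> set[str]:
    """Hosts other than the page's own that receive a font request per visitor."""
    own = urlsplit(base_url).hostname
    hosts = set()
    for url in font_urls(css, base_url):
        host = urlsplit(url).hostname
        if host and host != own:
            hosts.add(host)
    return hosts


# Constructed sample stylesheet (hypothetical site and foundry hosts).
SAMPLE_CSS = """
@font-face {
  font-family: "Body";
  src: url('/fonts/body.woff') format('woff');
}
@font-face {
  font-family: "Headline";
  src: url("https://fonts.example-foundry.net/headline.woff") format("woff"),
       url(//fonts.example-foundry.net/headline.ttf) format("truetype");
}
@font-face {
  font-family: "Icons";
  src: url(data:font/woff;base64,AAAA) format("woff");
}
body { background: url(https://cdn.example.org/bg.png); }
"""

if __name__ == "__main__":
    for host in sorted(third_party_font_hosts(SAMPLE_CSS, "https://www.example.com/")):
        print(host)
```

The background image on the last line is deliberately ignored: the scanner only looks inside @font-face blocks. Self-hosted fonts (first block) and data: URIs (third block) cause no third-party request, so only the foundry host is reported.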

Categories
Internet Pet Peeves

Name them and Shame them: paypal edition

c’t magazine runs a biweekly column shining some light on the most egregious customer experiences with IT companies. To no one’s surprise, things start to get resolved once the company is facing public outrage and public shaming.

So, in the same spirit: PayPal is the worst company in the world.

Further opportunities at Naming and Shaming are the Big Brother Awards.

Categories
CERT Internet Pet Peeves

Somebody got something wrong there

According to FuZo, Turkey is building a centre for IP tracing. Good for them.

But instead of censorship for their own population, could they please do something to protect the rest of the Internet from the spam and the script kiddies with testosterone overproduction coming out of the Turkish Internet?

Thanks.

Categories
Internet

/dev/otmar is now IPv6-enabled

At work, we’ve been running IPv6 for a while, and back home I’ve also got v6 on my DSL connection (not native, though: silverserver implemented that with a tunnel). My root server also got v6 connectivity via a tunnel from the nic.at network (easy enough to do if you’re the router admin :-), but I never used that for serious stuff.

Now that Hetzner finally provides native IPv6 connectivity, I made the necessary changes to the configuration of my server and now this blog is reachable via IPv6, too.

Next task: Get cacti to graph how many visitors use v4 versus v6.
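The usual way to get such a number into cacti is a script data source that prints the values in cacti’s “name:value name:value” format. The script below is an added example, not from the original post: it reads Apache/nginx “combined” format access-log lines, classifies the client address by IP version and prints the two counts. The log lines are constructed (documentation addresses), and the IPv4-mapped case is included because a dual-stack listener logs v4 clients as ::ffff:a.b.c.d.

```python
"""Count IPv4 vs IPv6 clients in a web-server access log.

Added example (not from the original post): a cacti-style script data
source. Reads "combined" format lines, classifies the first field by IP
version and prints "v4:<n> v6:<m>".
"""
import ipaddress
import sys
from collections import Counter
from typing import Iterable


def classify_clients(lines: Iterable[str]) -> Counter:
    """Return a Counter with keys 'v4', 'v6' and 'bad' (unparseable lines)."""
    counts = Counter()
    for line in lines:
        client = line.split(" ", 1)[0]  # first field of the combined log format
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            counts["bad"] += 1
            continue
        # A dual-stack socket logs v4 clients as IPv4-mapped ::ffff:a.b.c.d;
        # those are v4 visitors and are counted as such.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            counts["v4"] += 1
        else:
            counts[f"v{addr.version}"] += 1
    return counts


def cacti_line(counts: Counter) -> str:
    """Output format for a cacti script data source: 'v4:<n> v6:<m>'."""
    return f"v4:{counts['v4']} v6:{counts['v6']}"


# Constructed sample log lines (combined format), not from a real server.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Nov/2010:10:12:01 +0100] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
2001:db8:5:900::1 - - [15/Nov/2010:10:12:05 +0100] "GET /feed/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
::ffff:198.51.100.7 - - [15/Nov/2010:10:13:00 +0100] "GET /robots.txt HTTP/1.1" 200 66 "-" "bot/1.0"
2001:db8::42 - - [15/Nov/2010:10:14:17 +0100] "GET /about/ HTTP/1.1" 304 0 "-" "Mozilla/5.0"
garbage line without an address
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            counts = classify_clients(fh)
    else:
        counts = classify_clients(SAMPLE_LOG.splitlines())
    print(cacti_line(counts))
```

Run it with the log file as its only argument (or without one to use the embedded sample). Since cacti polls at fixed intervals, the script should be fed only the lines written since the last poll (for example from a rotated slice or a tailing helper), otherwise the graph shows the running total rather than the rate.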

Categories
Internet

The effect of soccer on the IXPs

This year’s soccer World Cup seems to be the first one for which streaming video is widely available on the Internet. The Austrian public TV (ORF) is offering a decent livestream (or, in the case of parallel games, two streams). So what do the public traffic statistics of the Internet Exchange Points show?

This graph is from the Vienna Internet Exchange. Some notable points:

  • Game time means traffic peaks. The World Cup schedule is clearly visible in the graphs. Up to the 21st, there were three games per day: two close together, then a two-hour break and then another game. Starting with the 22nd, there were four games a day, with two running in parallel. (The times in the graph are UTC!)
  • Weekends have smaller spikes than workdays: on the 19th and 20th, the games are less visible than on the other days. It looks like watching the stream over the Internet is more popular in offices than at home. This makes sense, as at home the TV screen is most likely the better place to watch soccer.
  • Regarding traffic levels: from looking at the graphs, the biggest spikes seem to be around 8 Gbit/s. That is only the part of the traffic that crosses the public peering fabric of the exchange; streams delivered over private interconnects or transit links don’t show up there. Assuming that the spikes are mostly ORF streams for the Austrian public, one can assume that ORF/APA is pushing more than 10 Gbit/s during World Cup games.

Categories
Internet

Talking about DNSSEC

The Austrian ISP Association (ISPA) had asked me to give a workshop on DNSSEC as part of their “ISPA Academy” series of events. And as they had received complaints that all their events are in Vienna, I agreed to hold it in Salzburg, where I had logistical support from the nic.at headquarters.

I thus spent the Wednesday travelling to Salzburg (actually, I’m usually quite productive on trains, and a good part of the presentation was prepared on the way there), then giving the workshop and riding the train back. Six hours of train for four hours of workshop isn’t that bad.

If anyone is interested, here are my slides. My aim was to explain the motivation for DNSSEC, the technical implementation and, most importantly, what introducing DNSSEC means for an ISP. I only touched very briefly on the commercial aspect.

In the end, this room full of techies was not exactly cheering for the adoption of DNSSEC.

Postscript: Just two days later, we have this: doc.gov, the entity that still has a hand in approving changes to the root zone, messed up their DNSSEC signatures. From http://dnsviz.net/d/doc.gov/dnssec/:

Categories
Internet

Random Link collection

I’ve kept these pages open as tabs in Firefox, meaning to blog about them.

So before I really have to reset Firefox, here they are, lest I forget about them:

Categories
Internet

Mail to ORF customer service

Hello,

today I tried to watch the deciding run of the giant slalom via livestream on ORF.at, but got the “only works in Austria” error message.

I am in Austria, and my network is clearly registered to Austria as well:

inet6num: 2001:858:5:900::/56
netname: SIL-LENDL
descr: SILVER SERVER GmbH
descr: Otmar Lendl #1219171
country: AT

or

inet6num: 2001:858::/32
netname: AT-SIL-20020725
descr: SILVER SERVER GmbH
country: AT

It’s just IPv6 and not classic IPv4.

Could it be that the country detection doesn’t work properly there?

If I turn off v6 on my end and come in via v4, the livestream works without problems.

Regards,

otmar lendl

Update: I just got a reply from ORF:

Dear Mr. Lendl!

Thank you for your e-mail and your interest in our programme. It can sometimes happen that you see the above message even though you are in Austria. This error occurs mostly with internationally operating Internet providers whose head offices are located abroad. If the server does not recognise your IP address as Austrian, you have to contact your ISP (Internet Service Provider).

On the following web pages you can find out which country your IP address is assigned to.

http://www.wieistmeineip.at
http://www.countryipblocks.net

If the problem you describe cannot be explained by this, please let me know and I will gladly forward your request to the technical department.

Kind regards,
Stefanie Steinwender

Sigh.

Update 2 (17.2.2010):

Within ORF this was forwarded to the right people and promptly fixed. I was only able to really verify that now, though: before the Olympics there was simply almost no skiing on TV.

Categories
CERT Internet

MasterCard SecureCode: Just say no.

Sometimes the timing is just too perfect.

Yesterday I was trying to book a flight on Brussels Airlines, and when I was trying to pay by credit card, they insisted on an on-the-fly enrolment in MasterCard SecureCode. I refused and booked via the AMEX Business Service.

Today a security analysis of the whole scheme was published by British scientists (Steven Murdoch and Ross Anderson of the University of Cambridge), confirming my reservations.

Money quotes:

“Merchants who use it push liability for fraud back to banks, who in turn push it on to cardholders.”

“So this is yet another case where security economics trumps security engineering, but in a predatory way that leaves cardholders less secure.”