Michael N. Dundas

A place to record my thoughts and musings.

Archive for June, 2008

I was having lunch with a friend of mine today. He brought up “The Tiger Effect” that had happened during the U.S. Open. Specifically he asked what is going to happen to service providers in a few weeks when the Beijing 2008 Olympics commence? If the U.S. Open was able to cause a noticeable effect, then theoretically the Olympics would be worse.

I think there are many factors that will affect the network response and what service providers will be faced with when people are viewing the Olympics online. These include the design of the networks used by the Olympics, deployment of the Internet feeds, scaling of the servers, application choices to deliver the content, how everything is configured and many other factors. With the U.S. Open it all culminated in the one event at a specific time. This could happen with the Olympics, but it might be seen as more of a constant increase in streaming protocols and HTTP as there are many events simultaneously. Of course the finals for each event could have similar characteristics to the U.S. Open along with the opening and closing ceremonies, potentially with many more viewers. What I wonder is if any service providers are proactively preparing for this possibility? I guess we will see.

It looks like “The Tiger Effect” had an ‘effect’ on the stock price of Nike as well.

I have commented on this before here and here. EFF just posted a blog entry discussing The Statement of Lee Tien. He testified in a Senate hearing outlining the dangers of random searches of travelers’ digital devices. It is worth the read for those interested.

Although this applies to U.S. citizens and the U.S., I suspect that whatever the outcome on the permissibility of random searches of electronic devices, someone like myself entering the U.S. as a visitor would be under different rules. My concern is that they are willing to execute random searches, period, including the copying and imaging of data ‘just because’. And it isn’t just the U.S. either, as many claim. With ACTA, random border searches of electronic devices are coming soon to Canada and other participating countries.

A few years ago, I was involved with a client that had a legal case against a Government. My laptop contained data that I was providing analysis on that affected the case. What if the government was to just image my laptop? They would now have information that they should not be privy to. That is bad. It undermines the legal system of all countries involved.

Any sensitive data on my laptop is encrypted and I consciously make sure that a forensic search won’t reveal the passphrases or anything like that. It annoys me that I have to worry about and deal with this prior to travel. The last few months due to ACTA, I now remove any sensitive client data from my laptop till I reach the hotel and then securely download what I need. Some say this is just silly. I really don’t care if they saw or copied most if not all of the data on my laptop, nothing really bad or incriminating about it — it’s the principle I guess.

I’m thinking about going a step further. Take a laptop that has nothing on it, and an O/S that runs from a CD or DVD. Boot off the DVD, download the data you need. Prior to travel back home, upload the data, and forensically wipe the hard drive.

If there is valid suspicion that an individual is doing something which could harm others or is illegal, search away. But random searches just because you can? I’m starting to feel like some of those old Russian movies I watched as a child, where you had to carry “papers” to show officials if requested. Not a free society.

Update(2008-06-20 15:39EDT): A. Alfred Ayache has started a Save CBC’s Search Engine group.

Search Engine is a show that is on CBC (link is here). I listen to this show quite regularly. It is a great show. This particular show had the interview with Jim Prentice, the minister behind bill C-61 (Canada Copyright).

At the end of the show, Jesse Brown announced that the show has been canceled. He didn’t use those words and tried to put a positive spin on it, but essentially that was the message. Another great show canned by CBC. I don’t know what is up with the CBC management, but some serious housecleaning is needed at the top I think.

This post caught my attention. I actually had a call from a customer asking me if I was aware of any internet outages or large scale attacks happening. We pulled data from one of his links. You can clearly see the increase in streaming. The dotted red line shows a typical day on this particular link. Note the times are in Eastern Daylight Saving Time (EDT).

[Figure: Typical Day]

[Figure: U.S. Open Championship Day]

It is easy to see how a service provider might think they are under a DDoS attack. It is important that solutions that detect DDoS attacks use behavioural metrics to remove false positives. This is a perfect use case example. Often security vendors that cannot differentiate surges of popular sites or peer-to-peer files from a DDoS attack will tell you that it can’t be done. This is simply not true. There are products that do this effectively. By combining metrics from different points on a network, using protocol analysis, and other vectors, real DDoS attacks can be properly distinguished from these types of unexpected increases in bandwidth.

If you ever wonder about the ability of a vendor that claims they can detect and block DDoS attacks, this is a great test case.
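A small sketch of the behavioural idea above, added here as an illustration and not taken from this post or from any vendor's product: it scores a traffic surge on a customer link using flow-level metrics instead of volume alone. The `Flow` fields, the thresholds and the sample flows are all constructed assumptions.

```python
from dataclasses import dataclass

STREAM_PORTS = {80, 554, 1935}  # HTTP, RTSP, RTMP (assumed set for this sketch)

@dataclass
class Flow:                 # hypothetical flow-record layout
    src: str
    dst: str
    proto: str              # "tcp" or "udp"
    dport: int              # server-side port
    packets: int
    octets: int
    handshake_ok: bool      # TCP three-way handshake completed
    from_inside: bool       # opened by a host on the customer side of the link

def metrics(flows, baseline_octets):
    """Behavioural metrics for one time window, relative to a typical day."""
    total = sum(f.octets for f in flows)
    pkts = sum(f.packets for f in flows)
    tcp = [f for f in flows if f.proto == "tcp"]
    if not total or not pkts:
        return dict.fromkeys(
            ("surge", "solicited", "handshake", "streaming", "avg_pkt"), 0.0)
    return {
        "surge": total / baseline_octets,
        # share of bytes in conversations the customer's own hosts started
        "solicited": sum(f.octets for f in flows if f.from_inside) / total,
        # share of TCP flows that became real connections
        "handshake": sum(f.handshake_ok for f in tcp) / len(tcp) if tcp else 0.0,
        # share of bytes on streaming/web ports (weak signal on its own)
        "streaming": sum(f.octets for f in tcp if f.dport in STREAM_PORTS) / total,
        "avg_pkt": total / pkts,
    }

def classify(flows, baseline_octets, surge_min=2.0):
    """Return (label, metrics). Thresholds are illustrative assumptions."""
    m = metrics(flows, baseline_octets)
    if m["surge"] < surge_min:
        return "normal", m
    benign = sum([m["solicited"] >= 0.8, m["handshake"] >= 0.9,
                  m["streaming"] >= 0.7, m["avg_pkt"] >= 400])
    if benign >= 3:
        return "flash crowd", m
    if benign <= 1:
        return "probable ddos", m
    return "needs review", m

# Constructed samples: both windows carry 4x the baseline volume.
BASELINE = 60_000_000
FLASH = [Flow(f"cust-{i}", f"cdn-{i % 3}", "tcp", 1935 if i % 2 else 80,
              900, 1_200_000, True, True) for i in range(200)]
FLOOD = [Flow(f"ext-{i}", "cust-web", "tcp", 80,
              4000, 240_000, False, False) for i in range(1000)]

if __name__ == "__main__":
    for name, sample in (("streaming surge", FLASH), ("flood", FLOOD)):
        label, m = classify(sample, BASELINE)
        print(name, "->", label, {k: round(v, 2) for k, v in m.items()})
```

Both samples look identical on a bandwidth graph; the flood also targets port 80, so the port-based signal alone would not separate them.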

This article caught my attention. It describes a decision against Universal Music Group (UMG), which was attempting to sue an individual for selling promotional copies of a CD on eBay. The reasoning for the decision was interesting:

In dismissing UMG’s lawsuit late Tuesday, U.S. District Court Judge S. James Otero ruled that the promo CDs are gifts distributed by UMG, as they are mailed free and unsolicited to thousands of people without any expectation or intention of their return. The first sale doctrine says that once the copyright owner sells or gives away a copy of a CD, DVD, or book, the recipient is entitled to resell that copy without further permission.


I am not a lawyer, but I suspect this ruling could be applied to cases involving the selling of software. As an example, if one purchases Microsoft Office, you are purchasing the right to ‘use’ the software; you do not actually own it. I wonder if you could argue this decision as precedent setting? Could you sell your software to someone else? I am sure the licensing agreement would say you cannot, but that doesn’t mean Microsoft would actually enforce it or be able to even if they wanted to.

Regardless, I think it is a moot point. For a while now, many companies have offered versions of their applications that run on their servers remotely. For the last few years these services were offered to business customers that wished to outsource functions such as payroll, Customer Relationship Management (CRM) systems, Human Resources and other functions. With companies like Google offering online web applications such as GoogleDocs, this type of online software is slowly being offered to the end user. I suspect software eventually will be only available via an online service. Amazon Web Services and Google App Engine both offer virtual servers and data storage where you can design and deploy services, requiring only a computer and an internet connection to get started writing your own software. This is Web 2.0!

Online software offers huge advantages to companies. The company has complete control of the software version you run. They control the functional release, when you upgrade and apply bug fixes. They can charge any type of fee structure (yearly, monthly, pay per use) and enforce it. Security is much easier to manage as the company has control of the service and systems. They get to store your data. They can monitor in much more detail how people use the software. There is no need to worry about CDs, DVDs, and other media being distributed or copied without the company’s approval. This means no need to deal with legal battles over who owns what. The company will own and more importantly control the software.

Today on CBC Search Engine, there was discussion about companies that read employee e-mail, why companies read e-mail and the fact that many have a manual process for accomplishing this task. The company that was interviewed by Search Engine was Proofpoint. They make several automated solutions to accomplish monitoring e-mail. One of the comments made was that they can monitor e-mails via Hyper Text Transfer Protocol (HTTP) or web based e-mail, such as Gmail, Hotmail or other type of web based mail services. This is all true and very possible.

What I find amusing is there are so many simple ways to smuggle out information from a company that monitoring e-mail seems to be a waste of time and money. One could copy the information to a laptop and download it to a computer at home. Copy the information to a USB key, CD or DVD and take it home. One could print the information out on paper (since most companies don’t monitor what is printed). None of these methods require expensive or complicated technology. If I wanted to get information out of the office and I even suspected that e-mail, IM or transmissions were being monitored, these ways are the simplest and least likely to arouse suspicion. Unless a company plans to manually search you and your belongings every time you enter or exit the building, including checks of laptops, USB keys, and other media, I don’t see the point of investment in technology to monitor e-mail.

Proofpoint stated that it is often used to watch for employees spending too much time on personal versus work related issues. I suppose this is a valid use, but personally I don’t manage that way and I doubt I would ever work for a company that did manage that way. If people are getting their work done then I’m not going to worry if they send personal e-mail, surf the web or decide to take an extra 10 minutes at lunch. I believe it is important that you can trust your employees and they feel a sense of responsibility towards their work. If this is missing then the company has bigger issues that monitoring e-mail or other flows of information will not solve.

The other concern I have with all this “monitoring” going on is that it will increase the adoption rate of encryption and other stealth technologies. Governments, businesses, and law enforcement wanting to monitor people’s e-mail, web surfing, files shared and downloaded will force software and developers to add encryption and other forms of covert data transmission into the software more quickly. Most e-mail servers, for example, have encryption (TLS) support now. As encryption becomes more available in e-mail clients and set to be the default mode of communication, the encryption will be transparent to the user. Encryption is something that law enforcement is running into more and more. It hampers their investigations. This is bad when you are actually trying to catch the bad people distributing drugs or child pornography. I picture an Internet where all communication is encrypted or obfuscated in different ways to avoid “monitoring.” What will we do then? Probably have discussions about key escrow, outlawing encryption, and other silly conversations we have had in the past that never worked.

Today, I was trying to find an article that I had recalled reading a couple of months ago. As most do, my first step was to ‘google’ it. The article presented itself in the search criteria. Clicking on the first two results from the search entry gave me results informing me “Sorry, this article is no longer available.”

No reason as to why it is no longer available. Not enough disk space? Too difficult to maintain? I would think that news agencies would want to keep their articles available. I’ve actually started keeping a copy of articles that I reference in my blog just in case the article ever ‘disappears’. This way, I always have a copy and can manually link to it, should it get pulled down for some unknown reason. This of course is completely counter-intuitive to how the Internet is supposed to work. Most websites prefer that you ‘link’ to them instead, which I am glad to do. But for that privilege I expect that the site will keep the article available for view. If the article moves, then use an HTTP 302 “Moved Permanently” message with a link to where the article now is. This function in HTTP has been around for years for just this purpose and most browsers will automatically follow the link in these requests, making it transparent to the user.

Fortunately, after much searching I was able to find the article here. And yes, I’ve extracted a copy just in case it ‘disappears’ in the future.

UPDATE II (2008/06/04 – 12:53EST): An anonymous reader commented that the reason was due to a large outage at a service provider, which coincides with the traceroute.

UPDATE I (2008/06/04 – 07:25EST): P2PNet is back up. No reason as to the downtime. Must have been a network glitch I guess. When these things happen, I wonder if it is due to the controversial nature of the sites.
—————————-
Looks like p2pnet.net is completely down. I tried going to an article there this morning and it timed out.
Traceroute shows:
……
5 POS5-0.PEERA-CHCGIL.IP.GROUPTELECOM.NET (66.59.191.106) 14.950 ms 14.934 ms 14.911 ms
6 ge-1-7.r01.chcgil09.us.bb.gin.ntt.net (129.250.12.145) 18.847 ms 18.096 ms 18.057 ms
7 xe-0-1-0.r21.chcgil09.us.bb.gin.ntt.net (129.250.3.13) 19.018 ms 18.403 ms 18.380 ms
8 p64-2-2-0.r21.dllstx09.us.bb.gin.ntt.net (129.250.2.22) 42.074 ms 41.378 ms 41.359 ms
9 po-2.r02.dllstx09.us.bb.gin.ntt.net (129.250.2.174) 41.815 ms * *
10 xe-4-4.r03.dllstx09.us.ce.gin.ntt.net (157.238.225.6) 39.827 ms 40.671 ms 40.405 ms
11 et1-1.dsr01.hstntx2.theplanet.com (70.87.253.50) 46.372 ms 46.912 ms 47.402 ms
12 * * *

DNS is up, but it appears the server used for web and mail is down:
; <<>> DiG 9.5.0a6 <<>> mx p2pnet.net.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21615
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; QUESTION SECTION:
;p2pnet.net. IN MX

;; ANSWER SECTION:
p2pnet.net. 85981 IN MX 10 mail.p2pnet.net.

;; AUTHORITY SECTION:
p2pnet.net. 47234 IN NS ns2.rackspace.com.
p2pnet.net. 47234 IN NS ns.rackspace.com.

;; ADDITIONAL SECTION:
mail.p2pnet.net. 85981 IN A 207.44.164.50
ns.rackspace.com. 125281 IN A 69.20.95.4
ns2.rackspace.com. 125281 IN A 65.61.188.4

;; Query time: 1 msec
;; SERVER: 216.240.1.1#53(216.240.1.1)
;; WHEN: Tue Jun 3 09:54:27 2008
;; MSG SIZE rcvd: 145

;; QUESTION SECTION:
;www.p2pnet.net. IN A

;; ANSWER SECTION:
www.p2pnet.net. 85797 IN CNAME p2pnet.net.
p2pnet.net. 47136 IN A 207.44.164.50

;; AUTHORITY SECTION:
p2pnet.net. 47136 IN NS ns2.rackspace.com.
p2pnet.net. 47136 IN NS ns.rackspace.com.

;; ADDITIONAL SECTION:
ns.rackspace.com. 125183 IN A 69.20.95.4
ns2.rackspace.com. 125183 IN A 65.61.188.4

;; Query time: 1 msec
;; SERVER: 216.240.1.1#53(216.240.1.1)
;; WHEN: Tue Jun 3 09:56:04 2008
;; MSG SIZE rcvd: 142

Sending requests to their server 207.44.164.50, which does both web and email, gives no response. Wonder if it was shut down at month end?

-mike.

I have a Facebook account. I use it mainly in fun to keep abreast of my colleagues’ and friends’ happenings. It is a great way to quickly post pictures for interested people when you are traveling as well. One of the features is the ability to import an external RSS feed. I have used this for a while now, to import posts on my personal blog to Facebook. When Facebook imports a post it adds it as a note which will appear in your mini-feed. An individual can click on the note in the mini-feed to see the full note, which is a copy of the post.

Up until the other day, viewing the full note included a link at the top entitled “view original post.” Selecting this link would bring users off Facebook to where the original post was located. This has suddenly disappeared as an option. Given the recent discussions around Facebook, Google, and others, I hope this isn’t part of a grand plan to “Keep what is theirs” ….. theirs being “your data” and attempt to stop external linking and access. I am of course not naive enough to believe it is not.

There is a general problem that companies and start-ups love the Internet and the openness it brings when they are beginning and it works for them. But as they grow, become more dominant, and business and money become part of the equation, the openness of the Internet changes from a benefit to a threat. There arises the need to “protect what is ours.” You can see this in most internet businesses.

I have sent a note to Facebook customer support asking them what has happened to the “view original post”. I am hoping it is just a change in code and the functionality got missed — I’m not holding my breath mind you.

In Canada most citizens will have a Social Insurance Number, commonly referred to as a SIN number. I recall getting mine when I was a teenager and was going to start working. Nowadays, you get one almost as soon as you are born. My daughter obtained one within months of her birth. I recall that, because I was surprised and for some reason I recall it was required. Of course, that immediately triggered thoughts of why do they need to do this now? Tracking? More detailed history of people? These and other conspiracy thoughts went through my mind.

Here is an article about an individual in Ontario, Canada, who was the victim of identity theft through no fault of his own. The government was unable to properly secure sensitive information, and he had his identity stolen. In the article it is stated:

“I don’t want any money — not a dime,” he said. “I just want a new social insurance number so that I can disassociate myself from the fraud and start my life over again.”

Seman said he has been fighting for a new SIN number in writing, in person and on the telephone for five years, but hasn’t been able to get one.

“How hard can it be?” he said.

Unfortunately, very hard. This is a very difficult and expensive problem, and even trying to solve it will not guarantee a solution. Today, a SIN number is the one thing that connects you the most. Almost any form you send to the government will have your SIN number. This number will be linked with all medical information on procedures that you have had, doctors you have seen, prescriptions you have been given. Financial corporations require it for financial transactions, bank accounts, mortgages, loans, stock trading. It is the key to your credit rating. Companies you work for require it so they can submit income and other financial information to the government. This one number links you throughout the government, throughout the medical and financial worlds, both in public and private databases and paper file systems. It really is a ‘key’ to finding out everything about you. And that is exactly how it is used.

In order to offer the ability to change your SIN number, the government would have to have a way to change every record in every database, both public and private. It would have to be able to change this number on forms and records that have been filled out that are not electronic. If any mistake is made, then information on you is effectively lost. For example, suppose you were rushed to a hospital unconscious from a car accident. From the identification on you, a driver’s license confirmed your identity, which led them to your SIN number. The SIN number permitted the hospital to pull your medical records. Now suppose you had your SIN number changed, and a major medical procedure you had a few years ago at a medical facility did not change the SIN number. That information is now lost and is not available to the medical staff getting ready to treat you in the current emergency situation. One could argue that they can use name, birth date, and other details to find the required information. Although this is somewhat true, it is not as guaranteed as a SIN number. The SIN number is the best assurance of the accuracy of the linking of the information. Is this a bad thing? Maybe or maybe not.

The risk of giving individuals the ability to have their SIN number changed is not worth the overall risk of not being able to gather information or missing information by government, law enforcement and anyone else looking to obtain details about you. That is why the solution is to give you negligible amounts of money, and offer you free credit report checking. It is easier and much less risky. Currently the number of people that have their identity stolen versus those that don’t is small.

Of course identity theft will only increase and this problem will get worse. Eventually, they will be forced to deal with it on a global scale. There are procedures, I believe, to obtain a new SIN number, such as the witness protection program and things of that nature, but these are very few scenarios, involve few people and are manageable.

Today, the problem is expensive to solve, difficult to solve with no guarantees of not having information lost, and it affects a few minor people’s lives. Government response is unfortunate, but logical. Personally, I don’t agree with it, but until it gets more visibility, either by many more people being affected or a few very public people having their identities stolen, not much will happen beyond the preventative steps you see today.