Michael N. Dundas

A place to record my thoughts and musings.

Archive for February, 2010

I live in Canada.  The current Winter Olympics of 2010 are in Vancouver B.C. which last time I checked was in Canada. According to NBC I am not permitted to view the Olympics due to Copyright.  The 2010 Winter Olympics in Vancouver B.C. Canada is restricted to viewers within the United States.

Of course I was able to view the videos. Amazing what you can accomplish with a simple proxy plus some software to save the video to disk for normal viewing. This is the Olympics – where the world comes together to compete, share and all that. Yet there is copyright being applied nationally. Just silly. Geo-IP is silly as well for this type of enforcement. When it comes to content delivery networks, Geo-IP is very beneficial to delivering data efficiently, but its use for copyright between borders needs to go away.

Normally I wouldn’t bother to tune in specifically to listen to Tiger Woods apologize, but I happened to be somewhere where it was on the radio so I listened. I watched his apology again last night. To me it didn’t feel sincere; it felt scripted, controlled. I admit that would be a tough thing to do without some preparation, but that isn’t what really bothered me. What really bothered me about his apology I have been bothered with before. I have observed it previously in other apologies, interviews and statements from individuals in the public eye.

Tiger was upset about the media probing his family and following his daughter to her school.  He made statements such as:

“what we say will remain between the two of us”

“every one of these questions and answers is a matter between Elin and me”

“these are issues between a husband and wife”

I have seen this many times before and here is the thing: when you choose a path which moves you more in the public eye, you lose some of your private life, period, full-stop. It has always been this way. More specifically, if you choose to become a politician, police officer, actor, sports professional, appear on a reality TV show, CEO of a major company, popular blogger or anything else where you increase your exposure in the public eye, you choose to sacrifice some if not all of your private life. This choice extends in different degrees to your family, friends and anyone else connected to you. Grasp, think about, and understand this concept. Seriously consider it and the possible repercussions. Now make your decision. Choose wisely, because you, your family, and everyone involved with you will live with this decision.

While I understand the frustration this probably causes these people to feel, and I personally feel bad for Tiger’s daughter, I do, Tiger made that choice.  Consciously or not, when Tiger decided to pursue a career as a golf professional he made that choice for himself, his family, his daughter and anyone else involved in his private life.  Right or wrong that is what happened.

Especially in today’s world of the Internet, blogging, Twitter and other social media, the expectation of a private life that remains private is just silly. Losing some or all of your private life is part of the choice when you decide to do something that puts you more in the public eye, and it is not negotiable. If you have made a choice to be in the public eye then when you apologize to the public, don’t expect a private life. To me it shows a lack of accepting responsibility for your choice and maybe a little bit of stupidity. Instead, consider the public eye a risk factor when making decisions and give it the appropriate weight because it is a factor and this factor is not in your control. Deciding where to go with your wife for dinner, where to take your family for vacation, what dentist to use, what school to send your daughter to, purchasing your son that iPhone, having an affair, or whatever the decision is, all require a risk assessment of the public eye factor. Assess the risk and decide accordingly. Yes, that probably sucks, but you chose that when you chose to be in the public eye. Ignoring, downplaying, pleading or trying to control it won’t make it go away. When you use your credit card, you accept the terms of service. Even if you didn’t read them, they don’t go away. The credit card company will still hold you to them. It is the same when you choose something that will knowingly or not put you and your loved ones in the public eye.

I personally do not care about Tiger Woods’ private life. I have enough trouble keeping up with my family and friends’ lives. I typically don’t read gossip articles or posts. I have no real interest in private lives of people that I do not have a relationship with. I do feel bad for his daughter. For her that must really suck. I dislike the paparazzi and could never do that job and feel good about myself. I hope Tiger as her dad has learned to factor his daughter into his decisions in the future. But don’t expect a private life when you make a choice that puts you more in the public eye. That is just silly and history shows that it never works.

Once again I have been experimenting with the Tor network. In doing so I have set up some Tor nodes. I have received a few notifications that my computer ‘may be infected’. Google for a brief period of time requested I enter a CAPTCHA to confirm I am human. These are all expected minor nuisances when running Tor as an exit node. My main reason for setting up Tor this time is to obtain a better understanding of what happens to behavioural and static detection when a Tor exit node is present.

If you want privacy or anonymity on the Internet, there are many things you can do. Proxies, Tor, encrypted tunnels, compromised systems, and many other techniques are available.  None of these will guarantee you anonymity or privacy, but they each help and the more you can do the better.  There are caveats of course and in several cases while consulting I have come across scenarios where a client thought they were being anonymous but were in fact not as anonymous as they thought.  When you are trying to be anonymous, use of monitoring techniques and system checks really help.

I’ve realized that running a Tor exit node but not using it yourself gives you anonymity.  I’ve always known this inherently, but I’ve realized that it is even better than I thought.  Say you are an evil person doing something evil on the Internet.  If your activities were being tracked by your service provider due to a warrant from law enforcement or laws were put in place that required all service providers to track and retain your Internet surfing activities for a period of time, they would be recording the surfing habits of every connection that selected your Tor node as its exit node.

If they accused you of illegal activity, you could easily say that was not me, it must have been someone using my Tor node.  While this is not a guarantee the criminal would not get caught, it would increase the cost of the investigation significantly.  More investigation time, more forensics to prove that the suspect is the criminal.  Add in anti-forensics on your terminals and systems you use for the crime and the costs for investigation again will increase, forcing them to assess if it is worth the time, money, and resources required.

If countries are going to deploy the retention laws similar to the above, it will only be a matter of time before they will have to outlaw services such as Tor in order to make them effective at catching the serious criminals.  From a Tor network perspective, these laws might help increase the node count of the Tor network on the Internet which is a good thing for them.

I wonder if law makers consider these questions when suggesting these laws?

There are some interesting events and decisions happening in the restaurant, finance, and healthcare industries. These and similar events of course affect any companies in other countries such as Canada with international customers in these industries. A part of me hates to say this, but these data breaches are a good thing. Breaches force laws which in turn force companies to spend appropriate time and monies on security research, secure software development, secure network architecture, secure deployment and proactive monitoring that should be done. It puts financial and legal obligations on private companies, which causes the risk factors to change when assessing security. Far too often, security is one of the first things to be ‘adapted’ when costs get higher than expected or time lines become critical. If you ask any company they will say security is a primary consideration at all points in the development and release process and in some cases they are being truthful. However, in many cases the minimum bar with security needs to be raised significantly. Simply running your code through some basic buffer overflow checks, installing an IPS or firewall, and checking off your ITIL checklist is not enough, not even close.

The private sector has a long way to go with security in software development, network infrastructure, and international laws. Security breaches force laws and public scrutiny, which in turn holds corporations and individuals accountable. They are a catalyst which unfortunately I believe is necessary for appropriate change to occur in this area. What I sincerely hope is that these and similar events cause large corporations and software vendors to become much more proactive when it comes to security than is currently the case. If done properly and pro-actively, less government regulation will be required. I believe the choice as to how this plays out is with the private sector. If private sector companies continue doing the minimum, then I suspect regulation will eventually be forced upon us. I hope that too much regulation is not required.

Does your company lessen security requirements due to costs or project time-lines?

Most people have come to expect that when an email is sent it will arrive at its destination. Over the last decade, email delivery has become much more reliable due to many factors such as better network architecture, better mail server design, load-balancing and failover design, all driven by increased reliance on email in today’s world. There is also the ability to request a delivery receipt on most email clients, although users typically disable this feature themselves, or the security policy of the organization disables it. Email however is not a guaranteed delivery service. The SMTP protocol as well as the process of email delivery on the Internet does not guarantee delivery.

One technique that I have used when someone has either not responded or indicated that they did not receive my email is to check the server delivery logs. While this does not guarantee that the email was placed in the destination user’s mailbox, it does indicate acceptance at the mail exchanger of the ISP or company.

Above is an email I sent to a friend last week confirming plans for dinner.  By viewing the headers and looking for the SMTP “Message-ID” field, I can then search for that ID in the log files of the mail server.

# cat maillog | grep -i "4B618D6A.2070804"
Jan 28 08:13:19 mailsvr sendmail[20093]: o0SDDGVS020093: from=<xx@xxxxxxxxxx.org>, size=399,, nrcpts=1, msgid=<4B618D6A.2070804@xxxxxxxxx.org>, proto=ESMTP, daemon=MTA, relay=eee.dddd.ca [216.bbb.ccc.12]
#
# cat maillog | grep -i "o0SDDGVS020093"
Jan 28 08:13:19 mailsvr sendmail[20093]: o0SDDGVS020093: from=<xx@xxxxxxxxxx.org>, size=399,, nrcpts=1, msgid=<4B618D6A.2070804@xxxxxxxxx.org>, proto=ESMTP, daemon=MTA, relay=eee.dddd.ca [216.bbb.ccc.12]
Jan 28 08:13:20 mailsvr sendmail[20098]: o0SDDGVS020093: to=<yyyyyy@gggggggg.com>, ctladdr=<xx@xxxxxxxxxxx.org> (501/501), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=120399, relay=ttttttt.hhhhhhcom. [142.fff.rrr.227], dsn=2.0.0, stat=Sent (Ok: queued as 51E02514002)
#

In this case the mail server is running Sendmail; depending on your server, the procedure might be slightly different. Using the SMTP Message-ID field as a search parameter, I obtain the log entry containing the unique ID of the Sendmail delivery process for that message, in this case “o0SDDGVS020093”. Searching the log file for that unique ID shows me the remote mail server that accepted the email for delivery. The status is “sent” and confirmed by a Delivery Status Notification (dsn) of 2.0.0.
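The two grep steps above can be scripted so that one lookup by Message-ID returns the delivery result for every recipient, including a deferral. This is an added example, not part of the original post: the function names `parse_fields` and `trace` are hypothetical, and the log lines are a constructed sample in the same Sendmail format with placeholder hosts and addresses.

```python
import re

# Constructed sample in Sendmail maillog format; hosts/addresses are placeholders.
SAMPLE_LOG = """\
Jan 28 08:13:19 mailsvr sendmail[20093]: o0SDDGVS020093: from=<alice@example.org>, size=399, class=0, nrcpts=2, msgid=<4B618D6A.2070804@example.org>, proto=ESMTP, daemon=MTA, relay=client.example.net [192.0.2.12]
Jan 28 08:13:20 mailsvr sendmail[20098]: o0SDDGVS020093: to=<bob@example.com>, ctladdr=<alice@example.org> (501/501), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=120399, relay=mx.example.com. [198.51.100.227], dsn=2.0.0, stat=Sent (Ok: queued as 51E02514002)
Jan 28 08:13:21 mailsvr sendmail[20098]: o0SDDGVS020093: to=<carol@example.net>, ctladdr=<alice@example.org> (501/501), delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=120399, relay=mx.example.net. [203.0.113.5], dsn=4.0.0, stat=Deferred: Connection timed out with mx.example.net.
Jan 28 08:14:02 mailsvr sendmail[20110]: o0SDE1AB020110: from=<dave@example.org>, size=812, class=0, nrcpts=1, msgid=<4B618D95.1010101@example.org>, proto=ESMTP, daemon=MTA, relay=client.example.net [192.0.2.12]
"""

LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<body>.*)$")

def parse_fields(body):
    """Split 'key=value, ...' into a dict; stat= is free text to end of line."""
    head, sep, stat = body.partition(", stat=")
    fields = dict(re.findall(r"(\w+)=([^,]*)", head))
    if sep:
        fields["stat"] = stat
    return fields

def trace(log_text, message_id):
    """Message-ID -> queue ID(s) -> one result per recipient (to=) line."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            entries.append((m["qid"], parse_fields(m["body"])))
    wanted = message_id.lower()  # substring, case-insensitive, like grep -i
    qids = {q for q, f in entries
            if wanted and wanted in f.get("msgid", "").lower()}
    results = []
    for qid, f in entries:
        if qid in qids and "to" in f:
            dsn, stat = f.get("dsn", ""), f.get("stat", "")
            results.append({
                "queue_id": qid,
                "recipient": f["to"].strip("<>"),
                "relay": f.get("relay", ""),
                "dsn": dsn,
                # 2.x.x plus stat=Sent: the remote mail exchanger accepted it
                "accepted": dsn.startswith("2.") and stat.startswith("Sent"),
            })
    return results

if __name__ == "__main__":
    for r in trace(SAMPLE_LOG, "4B618D6A.2070804"):
        print(r)
```

A `dsn` of 4.x.x with `stat=Deferred` means the message is still in the local queue, so only the first recipient in the sample counts as accepted by the remote mail exchanger.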

There are many other fields and status messages with server logs, some you can see above, which are useful resources when troubleshooting or doing forensic activity involving an email transmission in an investigation.   Although this might appear to be too technical for a general user, I have used the logs to confirm myself if email is getting to at least the mail exchanger.  These records can assist in determining if the email arrived.  At the very least, you can use it as evidence the email was received by the destination company.  While it is not 100% proof, it is typically a good indicator.

In one instance, I was not getting a response from my daughter’s school concerning a particular issue.  After several attempts, I sent a new email asking why they were not responding, as it appeared obvious the school board was receiving the emails and I attached the log.  I had a response within the hour.  I am sure the users didn’t fully understand each field, but it was enough to get a response.   I don’t know of any service providers or companies that provide an on-line interface to check status of messages, but it might not be a bad service to offer.