Category Archives: Information security

Meetup.com DDOS attack continues, March 3, 2014

Meetup.com has had a series of bad days. Their site has been under a distributed denial of service (DDOS) attack for a number of days. To mitigate the problem, they are using the CloudFlare service, but even that has not been working great.

The net effect is that sometimes the Meetup.com site is unavailable, making it hard to sign up or schedule or reschedule events. The Meetup periodic announcements about the problem emphasize how hard they are working to fix it and how user credit cards are not at risk.

I’ve been happily using Meetup to organize the A2B3 weekly Thursday lunch series that I run, as well as a monthly Ann Arbor civic technology meetup and a monthly Web Analytics Wednesday meetup. Of the three, only the a2civictech group doesn’t really have any other infrastructure; the other two have existing web sites or mailing lists to carry on even if Meetup is down.

I wish Meetup well and look forward to them sorting out the problems they are having. The Meetup blog is a source of news, as is the Meetup twitter account.

African National Congress Secret Communications: “Operation Vula”

Talking to Vula is the story of the secret communications network of Operation Vula, a project of the African National Congress that facilitated clandestine messaging between South African exiles in London and leaders of the resistance in Zambia and in South Africa. The account (which was pointed out to me by Finn Brunton) talks of an inventive use of encrypted text transmitted via analog modem tones recorded to cassette tape and then played back via untraceable pay phones. It’s a remarkable tale of late 80s underground crypto, leading up to the release of Nelson Mandela from prison.

From the text, to give you a flavor of it:

To test this hypothesis I wrote a little program to send some computer output to the modem. Sure enough the sounds came out of the modem's speaker. These I recorded and played back into the microphone end of the modem while running a communications program on the computer. Eureka! The characters appeared on the screen. I had done with a modem what we were attempting to do with our tone machine.

This seemed to be the real breakthrough. I adapted our encryption program to work with the acoustic modem and recorded the output on a tape recorder. This I took to a public telephone booth and played back to my answering machine. Then I played the answering machine message back into the modem and the computer deciphered it successfully. As the plaintext message appeared on the screen I realised that we had finally discovered an absolutely safe method of communicating with the underground using computers.

The work originally appeared in a series of six articles in the ANC's monthly journal Mayibuye from May 1995 to October 1995.

More: Operation Vula: ICT versus Apartheid (2008).

More: Garrett and Edwards (2007): “[Revolutionary Secrets]: Technology’s Role in the South African Anti-Apartheid Movement,” Social Science Computer Review, 24(4). Preprint at U of Michigan.

Slow Obamacare registration: denial of service attack, or self-inflicted injury?

The new healthcare marketplace for the Affordable Care Act, Healthcare.GOV, has been operating slowly under the weight of open enrollment for “Obamacare” plans. The question then comes up: is this some kind of coordinated denial of service attack on the system, or is the system architecture simply slow under heavy load?

Reuters took a look at the issue, and found some problems with the healthcare marketplace’s systems design.

Five outside technology experts interviewed by Reuters, however, say they believe flaws in system architecture, not traffic alone, contributed to the problems. For instance, when a user tries to create an account on HealthCare.gov, which serves insurance exchanges in 36 states, it prompts the computer to load an unusually large amount of files and software, overwhelming the browser, experts said. If they are right, then just bringing more servers online, as officials say they are doing, will not fix the site.

The New York Times reported on the site’s debut:

While the site took three years to build, it took only a few minutes for it to break down when it went live at 8 a.m. E.D.T. Some consumers said they were met with an error message in the early morning when trying to visit the Web site, which seemed to be overwhelmed with traffic and limited by apparent programming issues. Many people took to Twitter and Facebook to note that the site was down.

And MSNBC asks – disaster or routine maintenance?

HHS officials said that they will be taking down the “application part of the website” for scheduled maintenance this weekend, according to NBC News’ Kristin Welker. The announcement was red meat for critics of Obamacare, who have been largely silent since the health care law rolled out earlier this week. Speaker John Boehner said the administration’s announcement was proof that “the president’s health care law has been an unmitigated disaster.”

So far, no reliable reports that I’ve been able to find blame the problem on a specific denial of service attack; rather, it appears to be a combination of sudden demand for the service, teething pains for a new site, and system complexity. I did not note any commentary from the Arbor Networks ASERT weblog, which writes about DDOS attacks. Renesys, usually a useful view on problems, is reporting on Internet downtime in Sudan and Syria. My heads-up site for Internet-wide problems, the outages mailing list, is silent. Strangely, the place I’d expect to have seen this show up – the automated news aggregator Techmeme – is also quiet (Update: see below for Techmeme coverage). The Obamacare Reddit subboard has some reports from people who made it through the system, and others who are having problems.

More insights:

  • Washington Post interview with Jyoti Bansal, the founder of AppDynamics, an application management company that, among other things “makes sure essential software applications of customers such as Netflix stay up and running.”

Most of the problems like these are in the software. Hardware is the easy part. You can add more hardware and do it easily. Software takes more time. In the rush of getting this out, it seems like testing wasn’t done completely. My expectations from this is that these problems should go away in the next few weeks. The site still won’t be as fast as something like Netflix, but it should work.

I find it so telling of Americans if you can’t get it within 4 days when you have 6 months to sign up we throw up our hands, have a temper tantrum and take our toys and go home. How about waiting a couple weeks and try again.

  • Techmeme weighs in leading with a Wall Street Journal story –

Six days into the launch of insurance marketplaces created by the new health-care law, the federal government acknowledged for the first time Sunday it needed to fix design and software problems that have kept customers from applying online for coverage.

Spy vs spy: Tor (US Naval Intelligence designed anonymous network) attacked by NSA

The Tor Project runs Tor (“The Onion Router”), a network designed to provide its users with anonymity when using the Internet. Tor was originally developed by US Naval Intelligence, and a large part of support for the network still comes from government interests.

Tor was in the news recently as the high profile Silk Road anonymous marketplace for drugs was shut down. Silk Road had been hosted as a hidden node reachable only through Tor, and it ran openly on that network for years until a dedicated effort unmasked the organizer. The description of the resources used to take down Silk Road did not mention any specific attacks on Tor; the proprietor of Silk Road left behind enough clues through sloppy tradecraft that it was possible through diligent efforts to identify him based on his public postings. The takedown of Silk Road caused a disturbance in the Force, visible in the volatility of Bitcoin prices right after the system was taken down.

Most recently the Guardian printed a Bruce Schneier piece on Attacking Tor: how the NSA targets users’ online anonymity. It goes into detail on the flaws in browser implementations that can be used to attack Tor anonymity, as well as the peculiar attacks that only the NSA can carry out by doing monkey-in-the-middle attacks on the Tor (and Internet) infrastructure. It’s a good read, and exposes such lovely NSA code names as “EgotisticalGiraffe”.

The conclusion of the Schneier piece is that it’s not impossible to unmask the anonymity of Tor users, especially if they are sloppy in any way in their use of the system; there are enough bugs to go around in the components that make up a typical Tor browser bundle that it’s likely that a dedicated effort to entrap a specific user will succeed. But it’s hard work, and thus the Tor system works as its Naval Intelligence designers intended – only the most determined state actor can foil typical use of the system.

Need: A login and registration system for a free WiFi network

A note from Steve Pierce regarding a request for ideas and code to help people log into a free WiFi mesh network. His contact details are at the bottom.


HDL.com and volunteers have deployed a free WiFi network in SE Michigan over the last 5 years. With over 1,000 access points deployed and 650,000 unique devices connected, Wireless Ypsi and companion networks such as Detroit Enabled are averaging over 2,500 users per day, making it one of the largest free WiFi networks in the country.

The equipment and connections are paid for by local community groups like Focus Hope and Public Housing along with business owners and community champions. No money is charged to use the WiFi service, nor is there any advertising revenue.

The free network, called Wireless Ypsi and Detroit Enabled, is HDL.com’s way of giving back to the community. We help secure Internet bandwidth and donate time and equipment to support the free network.

The struggle we face is making sure we comply with Internet service providers’ terms of service agreements. One recent requirement is to not have anonymous access to the network. While we would love to have open and free Internet for everyone, the reality is Internet service costs money and the major carriers like Comcast and AT&T don’t provide the service for free. So while Wireless Ypsi and Detroit Enabled offer free WiFi for residents, business and visitors, someone still needs to pay for the connections.

To continue to use these paid connections we need a system that will allow people to sign up for free accounts to use the service. We want something akin to Facebook or Twitter that will allow for instant sign up and use of the free WiFi network.

Users would provide their name, address, phone and email address and choose a secure password. They would immediately be granted access to the network for one day. A confirmation email link is sent to the email address and it must be confirmed to continue to use the service beyond the first day.

Authentication would use a RADIUS server or similar service which would need to be selected, as well. We must ensure proper data security and programming techniques are used to protect the data.

Not having a login and registration system is the single largest barrier we face today to continued large scale deployments of free WiFi. We have proven with our 5 year success story that the network is reliable and sustainable. Yet not having a login and registration system has virtually stopped us from expanding services into new areas until we can address this need.

Contact: Steve Pierce, Steve@HDL.com or 734-274-4602

TOR network anonymity compromised by Javascript exploit

TOR is an anonymous network set up originally by the US Navy in order to support cloaked access by the US Government to the Internet. Users access the network through a computer or browser set up to point traffic towards a network of "onion routers", which scramble the path that the packet takes to eventually reach the Internet. There are also provisions for "dark" web sites or hidden service operators to exist within the TOR network, which should in theory be reachable anonymously by TOR users but not the great outside Internet. A 2005 era web site describes the theory behind onion routing.

The TOR network operators have encouraged a broad spectrum of users to participate in the system, and it has become favored by several unsavory business enterprises that take advantage of the anonymity provided to transact business that would be shut down on the public Internet. (Or so it is alleged; I haven't seen that first hand).

In early August, 2013, the TOR network was compromised. A popular browser for the system, the Tor Browser Bundle, was attacked with a Javascript exploit that causes the nominally anonymous system to report its real IP address and MAC address to a central server, thus decloaking the device. The allegations are flying around as to who did this attack, but it's been alleged that a government is behind it because there are no indications that the exploit inserts any malware – just this deanonymizing task.

More reading via Techmeme: Alleged Tor hidden service operator busted for child porn distribution (Ars Technica); Anonymous Web-host shut down, owner arrested; Tor users compromised by Javascript exploit (Boing Boing); Freedom Hosting Taken Down, Founder Arrested, Users fed Javascript Exploits (Bitcoin Magazine); Hidden Services, Current Events, and Freedom Hosting (Tor Project).


Collected Articles on Code Reconstruction, Katharine Swift, 1976, as announced in CRYPTOLOG

The National Security Agency has declassified a number of issues of CRYPTOLOG, their in-house magazine. Here's an example from 1977, announcing the publication (for anyone with a Top Secret Codeword clearance) of Katharine Swift's "Collected Articles on Code Reconstruction".  "It is hoped that managers as well as book-breakers and programmers, and senior analysts as well as neophytes, will find material that will help each in making his individual contribution on the job."
