AT&T may be the most irritating company ever. They think our account is past due because we’re not paying the setup fee we were told didn’t exist…and guys kept showing up at the door even though we had said we would self-install & they wouldn’t be allowed to touch our devices/network anyway…they’ve apologized & said they’d fix it three times so far. And now they’ve cut off service.

This happened once before, in New Orleans. I’d tell you the story, but I think I’ll work it into fiction…we’ll see how it goes this time. Meanwhile, their office appears to be closed.

Can’t transcribe this morning’s fiction unless I carry my laptop elsewhere (my app lets me use WiFi but depends on JavaScript files that reside in the intertoobz).

So, not much done yet. Will keep working over here, and will hope to have better news tomorrow.

ADDENDUM

(The above was posted from my phone. This part wasn’t.)

See, here’s the thing. It was annoying that I couldn’t access the internet via my laptop–and, due to a recent “update” to iOS, I couldn’t tether the laptop to my phone either. Unless I jailbroke the phone, in which case the Uber app would complain…

I poked around. I noticed that DNS, the system that resolves hostnames like “cnn.com” to IP addresses like 157.166.226.25, was still working just fine via my “suspended” DSL line–it was part of the way AT&T chose to forward all web traffic to their page that tells me I need to call a number they don’t answer on holidays. Most traffic was blocked, but DNS worked fine. Hmm.

Well, okay. DNS traffic uses port 53. What does that mean? Not a lot, really. It’s just a convention. Like, a web server listens on ports 80 (normal http) and 443 (https). If you connect to a web server from your computer, your computer generates a random-looking port number for each request, so it can tell (when the server answers) which data is part of which image or bit of text or whatever. Sound arbitrary and easily messed with? Yep. You’re right.

So I keep a couple of servers out there in cloudland. I told one of them (via my phone) to listen on port 53, just as if it were a DNS server, which it ain’t. Then I told my laptop to listen on a custom port (I chose 9080 for no particular reason) and forward all traffic from there to port 53 on my server out on the internet. Then I told my web browser to use localhost:9080 as what’s called a socks proxy.

Voilà. I’m online! From my laptop. Though I appear, to websites I visit, to be browsing from within someone else’s data center. No skin off my nose, except that it can be tracked back to me. (So I also use Tor, but that’s a separate post…except that it’s actually in a book I wrote.)

Yes, I can do more with this…but I don’t necessarily want all my household’s video streaming to go out via this tunnel–I actually pay for traffic to and from the server I’m using. Upshot: AT&T is annoying, but handled for now. I told them I’d bill by the hour to deal with ’em, too, just for fun. We’ll see how it goes.

Back on track, sort of. Down most of a writing day, though.

Have fun out there!

Well, maybe.

Thing is, I like fooling around with Twitter. Once upon a time I had about 47K “followers” (mostly other writers), and it was fun to play with them online. But I eventually decided I was spending far too much time on that game. I tried to justify it as a business-related thing (you know, “building an audience”?) but that was just BS. I had lots of fun conversations, and I did that instead of working. Something had to give. So I canceled my account.

Then I created a new account, much later. It looks just like the old account, since nobody grabbed my username in the interim. Only it has <100 “followers” and I haven’t tried to increase that number. I’ve been using Twitter mostly for joking around with people, and getting news, and so forth.

The problem? Well, it’s not just Twitter, actually. Lots of sites are claiming recently that they need to harass me because of “suspicious activity”–they’ll go on and say it might be a virus problem or whatever, but in reality it’s a semi-blacklist of Tor exit relays and VPN endpoints. How do I know? Well, because I use both of those, a lot. The number of them that I can use without issues seems to be decreasing.

See, users of Tor and VPNs seem to share IP addresses (stuff that looks like “192.168.1.10”). So in principle it could be that various malicious actors are using these tools to hide their identities–though there are weaknesses to this approach, and if you care? I wrote a book about it–and, since I’m using the same apparent IP addresses, it therefore makes my activity seem “suspicious.” So it’s all sweetness and light, and I should be grateful for this added protection.

But I don’t think that’s what’s going on at all, because these “suspicious activity detected” so-called warnings have become much, much more common of late. And if I get hassled because of a particular VPN’s IP address, and I jump through whatever hoops are required to either view content or log in to a site? And I then use the same IP address for, say, my next login attempt? An hour later? I get hassled again. I see only two plausible reasons for this: 1) Whoever’s developing this technology doesn’t understand that, if I “verified” my login via some other method, it stands to reason that I might not need to be hassled for using that same IP address in the future, or 2) it’s a deliberate attempt to make using IP-cloaking tools more burdensome.

Somebody or other could do a bit of research and try to quantify this stuff. In fact, I could do it…or put some effort into it. But the thing is, I don’t want to. I just did all sorts of research for that book. I don’t want to do any more right now. Other projects, you know?

Instead, I’ll just refrain from speculating as to why this is going on…barely mentioning that advertisers and governments both have a horrible tendency to gather potentially useful data on individuals (and it gets put to surprising uses), and tools like Tor or a VPN may impede that sort of thing under some circumstances…and probably just kill off my Twitter account. Again. I sent ’em an email, and it’s possible they’ll quit hassling me. But I doubt it.

Was this worth a blog post? I don’t know. Maybe. Readers of that book might find it interesting. It’s the sort of thing that can seem paranoid to those who…heh…haven’t read my book, which not only explains what’s going on in situations like this but has hundreds of links to back up my (otherwise?) ridiculous claims. Though you could get much the same information elsewhere. After all, that’s what I did.

Am I telling you to go read my book? Sort of, I guess. Mostly I’m posting this because my private list of sites I won’t go to anymore without taking additional measures–such as viewing those sites’ content via a search engine’s IP address, after I access that search engine via a VPN or Tor or both–keeps growing. I wish people would stop buying the “this is to protect your website from spammers and evildoers” sales pitch. Maybe this post will reach at least one person, and change one site’s policy, and help keep at least one little corner of the internet a bit more free?

Just hoping, is all. It’s what I do.

Have fun out there!

Well, okay, also what if it’s not? But also, what if it’s more complicated than that, and we end up with a continuum between scam and non-scam? What if, because of the way humans work, it’s nearly impossible to tell? What do we do about that? Do we even have a meaningful choice here? Maybe. Maybe not.

I grew up wanting to be a physicist.

I’d read a lot of science fiction, see, and I figured it’d be cool to learn a ton of brain-busting math and figure out a loophole in natural laws that enabled faster-than-light travel. Because why wouldn’t I want to do that?

Then I went to college and met scientists. It turned out a lot of their day was spent in political maneuvering–popularity contests, in other words. I wasn’t too discouraged. After all, I was young and smart and strong (wasn’t I? or if not, why not? could I fix that?), so I could get past that somehow.

It got a little bit worse when I read a book by Thomas Kuhn, who popularized the term “paradigm shift,” which in that book referred to how scientific knowledge tends to progress here in the real world. Unfortunately, it amounted to a couple of things that I found discouraging: (1) With competing paradigms, neither can be understood in the context of the other. Which is likely part of the reason people seem so often to talk past each other rather than communicate. Unfortunately this means that, given two competing paradigms, assuming sincerely-held beliefs…few people will convert from one to the other based on logical arguments alone even though all participants may be being entirely reasonable. Therefore, (2) sadly, scientific advances have generally become accepted through attrition: the old guard dies off and the new kids grow up. Were the new kids even right? Maybe! Maybe not! Nothing about the process is inherently more meaningful than any other popularity contest. Oh, and I guess there’s (3): People who disagree with us are not necessarily as stupid as they might appear. Hmm.

What about the real world, though? Don’t better theories produce better predictions, and doesn’t technology keep getting better as a result? Well, yeah. Mostly, with caveats. But when we look at competing theories and try to design something that actually works, we’re not really doing traditional science. We’re doing engineering. I could expand on that, ’cause I think most of the advances people credit to advances in science are actually advances in engineering. I might even claim that engineers typically lead the way, with scientists most usefully employed in trying to figure out why the engineers’ discoveries actually work. But that’s another post entirely.

Anyway. My ambition withstood all that. I could do it! I could become a scientist and change the world! I just needed better math-fu!

But math has no content

Then I started thinking about implications of something I’d originally read in a book by Heinlein. This was the notion that math has no content. In other words (in case you don’t want to read that Wikipedia article), it’s just something we made up. Which is clearly true…the painful implication, though, is that math exists in a sort of logical universe of its own. We set up the rules of this universe however we wish, and then we (well, a few of us) try to figure out clever but non-obvious “truths” about that universe.

Why is this “painful”? Because we always have to fudge things when we apply these logical mathematical rules to the real universe. Generally this process…has strictly limited utility. We can model some very simple systems, and predict how they’ll behave. But if we want these systems to work in the real world, or IOW to behave as our theories say they should, we tend to have to find or build special shelters that minimize “outside” influences. Or start talking about “entropy” as a stand-in for “all that other stuff that’s going on.”

Let’s start with an obnoxiously simple scenario. Take two numbers. Heck, call ’em “1” and “2” and let’s assume they work exactly the way we all expect them to. So, two is greater than one, right? Er…what if I want to sit down in a chair, though? And I have two chairs available? Two might be greater than one, if they’re perhaps in different places and I might want to sit in either. Or two might be less than one, if they’re crowded too closely. And one of the chairs might be greater than the other, because it’s lighter or more comfortable or greener or…

Ridiculous, I know. I just took “greater than” and pretended it meant “better than” and then made it dependent on context. And pretended “one” also meant “one chair.” But this is exactly what happens all over the place when you think numbers are somehow objectively real and try to apply them to things that (probably) are real. You end up having to make excuses for them. Ick.

So I grudgingly decided it was probably impossible to prove anything at all about the real world using math. All I could do was model it, and see to what extent reality matched my expectations. I was wavering in my convictions, but decided to press on. Somebody would figure out cool stuff. Probably lots of people would! Why not me?

The hits kept coming, though.

Math isn’t as cool as we think it is

I’ll get to more extreme examples, but…let’s look at something apparently very simple. Consider the Moon, the Earth, and the Sun. Given their initial mass, known initial positions, and known initial velocities–and assuming there is nothing else but gravitation affecting any of the three–where will they all be in the future? Guess what? There’s no general mathematical solution to this problem. Sound far-fetched? It’s known as the three-body problem, though, and it’s a real limitation. Gets worse when there are more factors involved, too. Yes, I know you can go look up stuff about planetary orbits. Guess what? The predictions you find are based on approximations, not derived from first principles. Which means that, even with a very simple situation like this, theory can only take you so far. Then you have to start fudging.

Hmm.

Then there’s chaos theory…which is essentially the notion that you can take a very simple system, composed entirely of completely understood bits & pieces, and…fail to make useful predictions. Even though they’re in principle “deterministic” (thus predictable) it turns out that at some point the systems begin behaving in a way that is simply not predictable–even in theory. It’s too dependent on initial conditions, meaning…pretty much anything at all can turn out to make a difference. This is also known popularly as “the butterfly effect,” and it’s kind of a big deal when you want to make predictions, based on math, about the real world.

Then there’s the scientific method

Okay, this one seems pretty straightforward. No brain-stretching involved. In a nutshell, science is about making predictions and testing them against the real world.

Which means, of course, that if you’re either (a) not making predictions, or (b) not validating those predictions vs. real-world events, you’re…not doing science. At all. Which doesn’t mean you’re a bad person. But it does mean that “scientist” is a strange label for people to use when talking about you.

Oh, and about modeling

Another career choice? For some, perhaps. Probably not for me, though. Curse my luck!

Moving on. At first I’d figured “natural laws” were what science was about, and we knew some of ’em, and we just needed to find more. Then I realized that what we generally thought of as “laws” were in fact approximations. Always and forever, amen.

So, okay. I could deal with that. Science is about building models and testing them. Building the model has to do with coming up with a notion that is, or may be, compatible with known past events–and testing it against unknown future events.

The process of building a model compatible with past events is sometimes known as curve-fitting (and in some contexts this term is pejorative). Unfortunately, even perfect curve-fitting offers no guarantee whatsoever that the model has predictive value. That’s what testing, aka “experimentation,” is all about.

Science is what? Testing.

Wow. To do what I wanted to do as a theoretical physicist, I’d have to learn all sorts of crazy math skillz, come up with a notion that might or might not be valuable if tested, get people to listen to me, divert other people’s resources to testing my notion(s)…and then, even if I were ultimately successful? And I actually convinced people of that too? Then I wouldn’t have discovered a law of nature, or proven anything. I would simply have come up with a way to make predictions in some area where previous predictions either hadn’t been attempted or had been unsuccessful. Or perhaps they’d been a shade less successful.

I’m not saying that isn’t noble work. But I am saying it had less appeal for me in my late teens than the idealized (somewhat obscure pun fully intended) notions of science I had had when I was younger.

But…what’s science not?

Lots of things!

Astronomy, for instance, isn’t a science at all by any definition I’d consider reasonable. It’s a field of study, sure. Interesting stuff! But where are the experiments? How do competing explanations, both compatible with observed data, get tested? Answer: they don’t, really. Except by luck, if we get to see some new phenomenon that helps to resolve the question. So why is one notion more popular than another? I dunno. It’s kind of like wondering why one person won an election and another one didn’t. There are lots of competing theories out there, but guess how many tend to be taught in schools? Hmm.

Speaking of that stuff, what about psychology/psychiatry? To the extent it’s about making predictions, it’s a science. When it’s about curve-fitting, though, it’s just not. When it’s about untestable theories, it’s really not. When applied to individuals, as it so frequently is, it tends to be essentially noise. Another book got me all mad about this one…Thomas Szasz was a smart feller.

Where’s the scam, though? You promised a scam!

Also, lots of things.

Let’s look at weather forecasts. There’s clearly stuff to study there! And wouldn’t it be neat to create a tornado on demand? Okay, that link is slightly lame and ends with a silly quote, but still! Cool!

Thing is? Weather’s complicated. Very. It’s one of the classical examples people point to when they start talking about chaos theory and complexity. So…what does that mean? It means that accurate predictions are probably impossible in principle (if we eliminate luck as a factor, anyway).

This is very far from saying there’s nothing to study, or nothing to learn. But it does mean we should be very, very careful about believing anyone who claims to know what will happen next week. Or tomorrow, even.

Generally weather models are engineered to fit past data…at least an attempt is (often, and I’d like to think always) made to do so. This process necessarily involves simplifying both the data input and output. Given the chaotic/unpredictable nature of the underlying system, how useful is the output likely to be? What sort of predictive value will it have? In, you know, theory?

So “climate scientists” take this a step further and talk not only about accurate forecasts they can’t produce, but about how those forecasts change in relation to some specific change in the input. To which I have to say: wow. That’s really nifty. You can predict an average temperature 100 years out even when you’re clueless about next month.

It gets worse when testable stuff like “global warming” goes away in favor of undefined “climate change,” ’cause another thing about useful science is that a hypothesis is defective unless it’s falsifiable. Meaning: if it can’t be disproven, it’s not about science. Because…how can it be tested? So “climate change” needs specific numbers, or it’s just noise.

I have a theory. It’s this: anybody who actually understands what a complex system is, and who is involved in publicly predicting climate changes today, is in it for some reason unrelated to scientific discovery. Because honest people who “get it” will choose some other line of work. Which, if I am correct, means that the entire field is very likely chock-full of people who either (1) don’t understand the basic problems they’re dealing with, or (2) are willing to lie about them.

Unfortunately, my theory isn’t easily testable. Damn. So in all honesty I have to content myself with saying that it seems plausible but I can’t prove it. Therefore you should feel entirely free to discount it. Oh well.

Weirdly, this will be seen by some as a political position on my part. Here’s what I have to propose: can we quit thinking computer models have validity because of the credentials of their creators, and instead measure the accuracy of their predictions? ‘Cause that’s actual science, there.

Meanwhile I have a friend who got his Ph.D. via a dissertation that, among other logical issues, used math that assumed the human body was a perfect sphere. This apparently was no problem for him at any point. So does he enjoy my company because my body has in the past closely matched his theory? Possibly. It’s an interesting notion…maybe I should follow him around and see who else he hangs out with. For science.

Meanwhile? Have fun out there!

Wow.

I didn’t really want to post anything else related to online security so soon after getting into it the other day, but…sheesh. I looked into the services a couple of VPN providers actually–you know–provide.

TLDR: Many VPN providers do not actually offer what I would call strong encryption. At all. Though this doesn’t mean they won’t throw buzzwords at you.

I checked out TorGuard.net to start with (turns out that “Tor” in the name is short for “torrent” btw). Turns out they offer a choice of protocols: OpenVPN, PPTP, and L2TP. The PPTP link goes to a Wikipedia article about its “security”…which is minimal at best. Though…spoiler…as actually implemented by VPN providers, the PPTP option may be your best protection against casual traffic decryption. Weird but true. It would at least require some computing resources, whereas the others just don’t.

The L2TP method requires what’s called a pre-shared key, which can mean very strong encryption–unfortunately, the key used with TorGuard is “torguard” and is the same for all users. OpenVPN can use client certificates or a pre-shared key, or even both…but TorGuard’s implementation uses the same certificate for everybody, and it’s freely downloadable by anyone at all from their website. They’ll throw buzzwords about the encryption they do, but if the key is known, none of that necessarily matters.

What does this mean? It’s really just this simple: if anyone at all (ISP, wifi hotspot operator, NSA, MPAA, whoever) records your VPN session (from the beginning), you should assume they can decrypt the whole thing at their leisure. This doesn’t necessarily mean they can get everything. But how do you know?

Note: if someone comes in late and records sometime after your session has started, they’re probably out of luck with decrypting your traffic–for the moment. Some people store this stuff forever, just in case a way to break a cipher comes along later on. Regardless…the next time you connect, if they’re still logging…well. A confession: OpenVPN, if properly configured, can (probably) defeat this. Is it properly configured? Not by default, and not without effort. Can PPTP sessions be secured, at all? No. How about anything relying on a pre-shared key? Not if the key is known. Oh well.

I took a quick look around. Overplay.net seems to offer a cool service, but it has precisely the same limitations. In addition, if you want to configure a connection with a router using the freely available dd-wrt firmware? They’ll give you an easy application you can download to set it up for you! The catch: each time your router reboots, it goes to overplay.net and downloads the code. Which means…well, in addition to the fact that your ISP (or other “attacker”) can possibly decrypt your VPN traffic if they want to? They can also run arbitrary code on your router. Or an attacker who pretends to be overplay.net can do so. Which means, in principle, that they can access your private (home?) network too.

Does this mean no VPN is worth the bother? Not quite, and for two reasons:

1. They obscure your IP address from the websites and other internet resources to which you connect. This is still far from an anonymity guarantee (I recommend browsing to torproject.org and reading their recommendations), but it’s something.
2. They also help you to get past ordinary filters and logging software. This can be very convenient. Not everybody is going to be out to get you, after all, and this is (currently) non-trivial snooping I’m talking about. But did you click on that earlier link? Seems the NSA thinks that if your traffic is encrypted that means they can store it until they can decrypt it. No warrant or active investigation needed. No matter how long that takes. So…hmm.
3. (Who’s counting, anyway?) Not all VPN providers are quite so deliberately misleading. Or at least I hope they’re not. But if they’re not generating a certificate just for you, or a pre-shared key that’s clearly associated with you only? All the caveats in this article apply. That’s not all they’d have to do to protect you, but…at least they’re trying. You know?

I looked around a bit more, and checked out Cryptohippie‘s site because I like a lot of what Paul Rosenberg writes. They actually (appear to…how would I audit this?) go to more effort than most to protect you…but do they actually offer either unique client-side certificates or unique per-user pre-shared keys? I couldn’t tell from the documentation. I’d think it would be a selling point. So…if they do, well, Cryptohippie will cost you a few hundred a year. If they don’t, the benefit of their complex system (which generally protects you against their own ability to know what sort of browsing you’re doing, which I do think is very cool of them, but again…audit?) is meaningless vs. snooping by an ISP. Or hotspot operator. Or, you know, anybody with access to your internet traffic before it reaches their VPN.

You know what? Personally I won’t trust any VPN service until it does allow an audit, or some other form of verifiable transparency. I want to see all config files, and have some assurance that they’re real. Otherwise? This stuff is all based on trust. Do you know these people personally, and fully trust their competence? Me neither.

So, well, there you are. If you want to browse the internet at all, I strongly recommend using one browser (possibly configured to use Tor) for all the sites to which you log in, and another (ideally the Tor Browser Bundle) for everything else. I see nothing wrong with adding a VPN to the mix–but I’d use both the VPN and Tor.

Did you want streaming video or audio? Well, I guess a VPN may be better than nothing. But possibly…not much better. Bear it in mind, okay? Also bear in mind that I’m currently trying really hard not to post a bunch of stuff about “secure” browsing with an iPhone vs. doing the same via Android. Also, I should probably get back to writing fiction.

And have fun out there! {8′>

So here I am, innocently writing a novel. Well, two novels plus a minor rewrite of a third. An issue arises: in addition to various supernatural shenanigans, this trilogy (at least?) also deals with government-agency shenanigans and issues relating to online privacy. This means…research. Figured I’d share some stuff with you guys.

Note: I could have included lots of links in this here post. However…I chose not to. First, I’m busy, and dictating it, and I’d have to add the links afterward due to software limitations. Second, you can Google (though I prefer StartPage) this stuff for yourself if you actually care, and that ought to be more convincing than stuff I cherry-pick. Third, I’m kinda lazy. It is what it is.

To Begin

There are a lot of snake-oil salesmen operating out there just lately. For example, you can Google “Onion Pi” (I’m not going to help their page rankings with a direct link here) and find quotes like “Browse anonymously anywhere you go with the Onion Pi Tor proxy” floating around. This is horse-puckey. Using this software (without understanding it fully and modifying your online behavior accordingly) is actually considerably worse than useless as far as protecting your privacy/anonymity goes. More on that in a bit.

Next, you can Google something like “BitTorrent Sync: The NSA-Resistant File Sharing Service You Might Have Missed” and find pages that sort of go with that headline. The catch? If anything, this sort of thing makes the NSA’s job easier in many use cases.

Want more? You can find VPN services like TorGuard (frankly I don’t understand the name) that purport to offer you a different sort of anonymity–the kind you get by paying someone else to fail to log your online traffic, and to protect their non-records from other interested parties. As far as I know they’re totally legit–but using them strongly implies that you trust them to keep your secrets (if any). So…do you trust them? Are you sure you know whom they’re working for?

Here’s Where I Get to Debunk Some Stuff

Okay, let’s start with the Onion Pi. What it will do (if it is configured correctly and if it works) is hide your IP address from the websites you browse to. (Oh, and it’ll also hide lots of stuff from your ISP, but not the fact that you’re using Tor, or how much data you’re up/downloading, or when you were doing any of it. And even this assumes there are no DNS leak issues, and no inconveniently revealing code on any of the sites you use, knowingly or otherwise.)

Unfortunately, this does very little to aid anonymity. I’ve spoken before about browser fingerprinting, and people tend not to believe me. Truth, though? You can go to this site and see just how much information your browser is currently giving to websites. Chances are good that you’re (at least potentially) uniquely identified. If you are logging into any sites whatsoever with information that can be tracked back to you? That’s likely to be logged, and combined with your browser fingerprint in a database. Therefore, there is almost certainly somebody out there selling information about your browsing habits. Chances are good, not that it matters for most advertisers, that they can identify you by name. Oh, and they likely have a mailing address. So what good did hiding that IP address do? There are ways around this–but routing traffic over Tor will do very little to help. It’s a useful piece of an overall strategy, but all claims of “anonymity” from this simple measure are bogus.

Actually it’s worse than that. The NSA (among, I strongly suspect, many other groups/agencies) specifically targets users of Tor software. Since Tor cannot automatically provide end-to-end encryption, and anyone at all can set up a Tor “exit node” (which you must use in order to use Tor at all), spying on the Internet traffic of Tor users is actually much easier to do than spying on traffic of people who didn’t buy claims of “anonymity” and are simply browsing the Internet normally.

Next? BitTorrent Sync. Again, this is a nice idea. But…the way this works, see, is that users’ computers share information between themselves. In order to do this, they must publicize their IP addresses and other information. There are some neat ideas built on top of this, like “SyncNet,” but as soon as you start using a network like this for anything other than sharing truly private and/or restricted information, you begin to publicize exactly which information you have chosen to download or view.

Okay. Now we come to a VPN, such as (as mentioned earlier) TorGuard. A VPN will hide your IP address. It will also encrypt all traffic between your computer or network and your VPN provider’s servers. If you believe your VPN provider about its no-logs policies, you can believe it will obscure your identity more effectively than a device such as the Onion Pi can manage (although with the same caveats about actual anonymity and fingerprinting).

Now I’ll Point out the Obvious

Decentralization is good, for reliable dissemination of online information. Having a single point of failure for anything, given the capabilities of our current technology, is pretty silly of us. Any attempts at gaining online anonymity and privacy that are based on trusting a company or government agency are…well, again they’re just silly.

Ideally? We would all start using something like BitTorrent for most internet traffic, only running it over a network something like Tor. Unfortunately, these technologies have a history of not playing well together. It’s not a technical issue, except for Torrent-freaks’ insatiable desire for bandwidth and the limited bandwidth currently available for users of Tor, given that all Tor nodes are currently free for all users–so there aren’t that many of them. As far as I can tell, it’s either a sense of competition or an example of the Not-Invented-Here phenomenon in the open-source software world.

Along with this we need web browsers that give out less of our private information. I believe they’re on the way. I believe current browsers are widely recognized to need improvement here. Should be fun to see what happens.

Here’s Where I Dive into Other Issues

Okay, you know that thing where you log into your bank’s website and something turns all green or otherwise reassures you that your connection is “secure”? More horse-puckey. Truth: your connection is encrypted. But who has the key to decrypt it? Enter a browser plug-in like “Perspectives,” which will actually give you some information about your encrypted session. Turns out ISPs, and some other companies, and hackers, will sometimes sit in between your computer and the Web server you think it’s talking to. Oh, and the NSA does this too. This is called a “Man in the Middle” attack, and they’re fairly common. Some are even carried out with what purport to be good intentions. So…we need systems to deal with this sort of problem as well.

I’m going to throw some stuff about Bitcoin in here too. Bitcoin, by design, is absolutely not “anonymous.” In fact, no Bitcoin transactions can occur in secret at all. That’s how it works. Worse yet? There aren’t that many Bitcoins, and–again by design–there never will be all that many. So if you’re buying or selling things with a value of a fractional Bitcoin, you’re not even using the Bitcoin protocol. Instead, you’re trusting an exchange provider of some sort with your money. And probably believing that something magical about Bitcoins protects you. This has already started work out badly for some people.

Are online virtual currencies a good idea? Yes, for privacy and anonymity. Bitcoin doesn’t really have what it takes to work for us in the long run, but people are jumping on the bandwagon because they don’t understand its limitations. I guess, even if they do understand, it’s still fine as long as enough other people are going along with it–sort of like the stock markets, right?

All that being said?

Tor is pretty nifty, if and only if used correctly. So is stuff like obfsproxy. And .Bit. And Bitcloud. Even BitTorrent Sync has its uses. VPNs are cool too, and could become more so if we had a truly anonymous online currency in general use. Hey, I love the cool tricks I can get my personal email server to do, too. There’s a Wild West of ideas out there right now, and many people are hard at work solving bits and pieces of our online privacy/reliability/redundancy/free-from-interference-and-monitoring issues. Sooner or later? They’ll start talking to each other a bit more, and more complete open-source systems will become available.

Nobody gets to decide whether this will happen–it has to. All we can decide is how we will react to it.

Now I’m Done

There is room for hope here, and some ideas along these lines are finding their way into the books I’m writing. I hope this has been at least vaguely interesting, because–after all–that’s what I’m here for: your entertainment.

My recommendation? Have fun out there!

So here we are. If only I knew where that was. Or do I mean where that were? And even if I do (did?), you might reasonably ask why I bother. Oh, this post isn’t about a new release.  If you were wondering. Instead…

WARNING: This is a nuts-and-bolts kind of post, or it would be if nuts and bolts had a tendency to hang up in mid-air, and it’s very likely dealing with a bunch of goofy and unrealistic expectations. And badly at that. Read at your own risk. Or, if possible, have your computer read it to you. That would be at least semi-appropriate.

Lots of goals going on in my neck of the woods. Lots of aspirations. Lots of hoping. Mainly, though, I just want to make sense. And it’s harder than you might think–though of course that may be a result of a peculiar mind. Meaning, of course, mine. ’Cause frankly I can’t tell what’s what anymore.

Here are the issues I’m currently allowing to take over said brain:

• I want to write new fiction on a regular basis.
• I want to learn to dictate that fiction.
• I want to dictate that fiction remotely, without being remotely near a computer.
• I want to use software for transcription–meaning that I don’t want to have to hire or train someone to transcribe my dictation.

Frankly I may have bitten off more than I can chew. I am dictating this, right now. But…I’m having trouble with the dictating-new-fiction bit. It works, but it’s very slow. And even making the attempt may well be flying in the face of lessons I would like to think I’ve learned about writing fiction. To wit:

• I generate fiction much more quickly when I don’t stop to edit as I go. Weird tricks such as unreadable fonts and an audibly ticking timer encourage me to rush forward.
• I seem to generate better fiction when I write more quickly. I’m constantly amazed at how few typos I create. And the story moves quickly, in more than one sense,  possibly because I’m focusing on just that: the story. Rather than the words or other odd characters (?) thereof.
• Dean Wesley Smith, among others, writes about the creative mind versus the critical mind. The idea seems to be that we can operate either one way, or the other.  Thus, we shouldst not mix our editing-crap activities with our writing-crap mission. All of my experimenting thus far seems to back this up.

So…what’s the problem? Here it is: as I dictate, I have to verbalize punctuation marks. Hmm.

Okay, that was fun to say (rather than type, and how’s this for a bit of extraneous punctuation?), but there may actually be something worse than the obvious awkwardness involved here. Verbalizing punctuation, and thus visualizing individual sentences, definitely slows me down, which is at least a mild problem. But it may be that even thinking about punctuation interrupts the creative flow–which, yeah, it clearly does–but in a way that is not actually amenable to training.

For contrast: when I blindly type a story, as quickly as I can, I’m not thinking about sentences at all. I’m thinking about the story. About what’s happening at the moment, and what might be happening next. So…clearly this means my fingers are well-trained to manage the details for me. I am therefore considering two possibilities:

1. This (by which I mean dictating sentences, punctuation and all) is a new skill, and it will take time to learn to do it well.
2. All this fussing with the details of punctuation means what I’m trying to do is fundamentally stupid, and I should therefore quit messing with it as soon as possible.

I guess a reasonable person might at this point ask: what’s the point? Why even bother with all this? And I’m not sure I have a good answer.

I really, really want to teach myself to write fiction in some setting other than sitting at my desk. I love the idea of wandering down a trail and muttering into a microphone. But does this make sense at all? Wouldn’t learning to dictate while hiking be yet another new skill?  And don’t I live in a freaking rain forest? So…what kind of equipment do I expect to use, exactly?  A waterproof microphone? Plus a waterproof recorder? Am I in fact doing this only for the new-toy factor? Because: yes…I’m like that. Sometimes.

FWIW, I have figured some of this out. I use an Android tablet rather than a dedicated recorder. I use software called “DictaDroid,” after experimenting with approximately 10 alternatives. I use a Plantronics USB headset. When I dictate as I stand at the large-type (?) computer, the transcription software works very very well. It’s getting a lot better at transcribing my recordings too. But the limiting factor doesn’t appear to be hardware or software except in the sense that software doesn’t usefully handle punctuation for me–the problem is me.

And it’s extraordinarily stupid of me to let this become an issue just now. For Crom’s sake, I only recently figured out how to write new fiction, both quickly and regularly. Or, actually, either. It’s a mind-blowing level of success. And yet I’m messing with it. Instead of using it.

Yes, I got sick and the fever did strange things to my mind. But no, I don’t have a fever now. Except metaphorically.

Am I asking too much, not only of myself but also of the world of possibilities? Am I essentially being a spoiled brat? Is it just that proceeding to write normally is too much like, for God’s sake, work? Maybe so.

OTOH, if this works…well, maybe I’ll be very happy. Or maybe I’ll use it as an excuse to go off on another ridiculous adventure of some sort. Maybe this sort of reality-denying behavior is endemic to writers of fiction.

Beats me, folks. I’m giving myself through Friday of this week to figure it out. We’ll see how it goes.

Meanwhile, have fun out there. Or else I may punctuate you unmercifully.

Hi-

This post isn’t for everybody. It’s about data backups, and an idea I got this morning. Not the most exciting topic ever…for most people. I have a special interest in it, but if you don’t? Might be better to skip this one.

Okay, here’s the setup:

• I’ve liked a company called SpiderOak for a while now. I’ve often recommended them to others.
• I liked them a lot better than something like Dropbox, even though their software is (necessarily) a bit slower and more cumbersome to use. Because they (say they) encrypt all user data with the user’s password, and (they say) they don’t ever know user passwords, and (they say) therefore they have no way to know what data is being stored with them. So they (say they) can’t provide your info to any third party either.
• One caveat I’ve always had with this is that you have to give your password to their web server to set up your account. Which means that each and every password in fact flows through their web server’s memory at least once. It’s a strange design choice IMO. Seems to me that using a separate passphrase for encryption would be a (much!) better idea.
• Another issue is that if you access your stuff via their web interface at any time after account setup…the password is again available to their server, for as long as your session lasts. They’re aware of this issue, and warn against it for those who care. But they don’t warn about the account-setup bit. Hmm.
• Basically you have the same issue if you access any of your stuff from a mobile device. And if you store your password automatically it’s no more secure than your mobile device. Which is always true with any device that can access your data…but still, it’s worth thinking about.
• You have to trust the company a lot to use the software at all. It’s not open-source, so it’s unclear how well they’ve implemented their ideas. There’s no way to verify that the version of the software you download is the same as the version other people are getting (I’ve suggested digital signatures on their download page & a BitTorrent “download” option to mitigate this, but they’ve preferred not to implement either…and since they’re both very easy to do, this concerns me somewhat). In fact as soon as you start the app the first time, it (reasonably!) asks for a username and password. Thing is, if I slipped someone a fake version it wouldn’t be hard to–for instance–fake that login window. Nothing good can happen from there. Plus, by default the app updates itself (and I know of no easy way to verify the company can’t update bits or all of it regardless of user preference, or even run arbitrary code on a per-user basis) and for all I know they have utilities to grab the password–always assuming they don’t already have it–upon request from a gov’t agency…which also means employees may have access, and the system as a whole may be hackable. Unless they’re the first to develop one that isn’t. If it were open-source and easy to inspect I’d feel better…but it isn’t.

All that said? I still thought they were a  better bet than other backup storage providers. I liked them so much that I’ve been voluntarily paying them for double the storage space I’ve actually used for over a year. So all the caveats above were no big deal for my use case. And, y’know, I like playing with this “security” stuff but mostly I just needed backups that just worked. So I could…you know…do my thing and not worry about hard drive failures or accidentally deleting a month’s worth of effort.

Oops. They got me on that one.

I have a folder I backed up that has a few hundred subfolders. It’s about 18GB in total, with a few thousand files. I used to be able to, as part of setting up a new computer, “sync” that folder to the new machine. Everything would (slowly but surely) come to me, wherever I was. It was nice.

Unfortunately it no longer works for that folder. I’ve set up multiple new operating systems, both 32-bit and 64-bit, both various flavors of Linux and plain ol’ Windows…and that data will no longer sync. I don’t know why–could be data corruption (which is a very bad thing from a backup provider), or it could just be a software glitch with their current version.

All is not lost, for two reasons:

1. I can choose to download that data instead of setting up a “sync,” and it sort of works. I get some of the files, anyway, but I may never wait around to find out whether I could get all of them. I have a fairly good internet connection at the moment, and it looks as if it will take roughly 10 days to get all 18GB. Downsides: (1) if I shut down the app, its “Download Manager” doesn’t remember what it was doing, so I’d have to leave a computer running without shutting it down for the entire 10 days. (2) I actually have much more data than that 18GB stored with SpiderOak. So…bad news, there. Um, and also (3) Seriously? Ten days?
2. I’m kind of a geek. So I actually have everything backed up on an external drive anyway. Downside: what am I paying SpiderOak for? What about all the people to whom I’ve recommended their service? I need to publicly disrecommend them ASAP. Thus, this.

Unfortunately, it gets much worse than that. I sent their tech support an email about all this on 11/7. They responded the same day, telling me the issue had been “escalated” and I’d hear back within two days.

Since then I’ve sent a few more messages. I’ve heard nothing. For two weeks. Which, to me, means there’s no reason to do business with them anyway. Sheesh. What a pain. I’m disappointed, because I’d thought much better of them.

Okay, moving on: I have a fairly quick solution in mind for my own use, and here’s where some feedback might be useful. I used to run a service (called “Scarecrow”) that backed up small-business websites in the cloud. (It also checked website availability from various locations around the US–thus the image for this post–and sent user-defined alerts when files changed or a site didn’t respond, but that’s a side issue in this context.)

Scarecrow used Amazon S3 for storage, but all files were given UUID filenames in a single “bucket” and all files were also encrypted with various keys, so nobody at Amazon could read their contents or even determine which of my customers owned which file. I liked that feature a lot.

Here’s what I can do fairly quickly, for my own use:

1. Set up a file server
2. Set up a Scarecrow virtual machine (only takes about 128MB of RAM, because all uploads/downloads/encryption/decryption are streamed in small chunks) to monitor that file server. Scarecrow can use FTP or SFTP…but plain old SSH is its first choice. So…easy.
3. Sit around smirking while it backs up everything to S3
4. Separately, encrypt and back up the Scarecrow database so I can still do restores if something happens to my Scarecrow instance.
5. Look into LAN-based folder-sync software so I don’t have to write a client app and my wife and I don’t have to remember to transfer important stuff to the file server.

Now…this will give me everything I need, and will cost far less than SpiderOak did…never mind that I was paying them double; I appreciated the convenience of their solution. Until, and all.

With Scarecrow, since it has a web interface already built, I can actually view all versions of all files if I want to. I can see a snapshot of all backed-up files at any given time, and if I want to download a version of a file or restore everything from, say, last Tuesday at 10:43:27PM I can do it whenever I want…and still keep all other versions of all files around in case I decide I need them. Plus, if something unforeseen happens to my S3 account or the Scarecrow db, I’ll still have a backup in the form of my file server.

What I’m wondering is: should I open-source Scarecrow, and maybe make the whole virtual machine into a downloadable appliance? Hell, it could be set up to run as a Windows service (for you Windows people) without much effort on my part. I’d want to do some work on it, ’cause some things (like my S3 account info) are stored in ways I found reasonable and I never chose to build any sort of application interface that had access to read or change that stuff. And I’d want the LAN folder-sync part to be simple to set up. Right now I know absolutely nothing about that end of things…but it looks like I’ll have to learn.

It’d be fun to do this. Of course it would also take time, which is a problem when I’m trying to get a lot of writing done. So, does anybody but me care about this stuff? I mean, some people obviously do, but they mostly don’t read my blog. And I’m not sure doing all this is worth the time it’d take away from my other projects. Especially if I then have to go out and find a way to let people know about it. What a pain.

It’s an idea. I get them sometimes. Often they pass without ill effect. We’ll see what happens this time.

The main takeaway from all this, for me: I’ve argued against people who said the cloud was a bad place for personal data. Um…SpiderOak used to be my primary example of a company that was doing it right. Could be I was wrong. I hate that.

Sigh. I still think that, with caution and awareness, that anti-cloud position is not totally correct. However, I simply don’t know of a backup solution out there (besides my proposal) that’s (1) reliable, and (2) verifiably prevents people who aren’t me from seeing my data. Even when I ran Scarecrow for money, in principle I had access to my customers’ files…I had to, so the app would be able to restore them “from the cloud” without customers’ having to run it all from a client application on their own computers. But if everybody ran their own version of Scarecrow, with their own Amazon accounts–funny how often Amazon crops up in discussion around here, isn’t it?–and with their own app-generated encryption keys…hmm!

So, noodle on that for a bit if you’re of a mind to do so. And have fun out there!

UPDATE:

They now say, via Twitter, that they’re really sorry. And have hired new help. And at least one employee is working as hard as he can. Well…tough. What are we, children on a playground? They didn’t respond to me at all until I went public–even though I told them I would. But they responded within an hour after I did. I don’t like that at all. What about the customers who don’t post complaints in public? I already established what happens to them…

And this clearly means they’ve got at least one very badly designed system within their company. Doesn’t it? I mean, not letting stuff like this sit for weeks with no comment/response is a no-brainer. Why didn’t an automated system pop up and say or do something about it? If their systems and culture allow/encourage this sort of thing where I can see it, what do they do where I can’t? Sheesh. Anyway, I’m done with ’em. I think you should be done with ’em, too. So…how ’bout Scarecrow? {8′>

Hi! Here’s a spoiler: I think those are interdependent concepts, meaning it’s sometimes hard to do one without also doing the other. Which has interesting implications. Or at least they’re interesting to me.

A reader sent me a link to the video on the right (well, it’s supposed to be on the right, but if that doesn’t work for you it’s available on YouTube here) because of the “2R3v” notion I threw into this week’s story. Thanks, He/She/Other Who Wishes to Remain Nameless!

Anyway, this guy BSS has a lot of good thoughts to offer in the video. And yes, I briefly mentioned a “Second Revolution” in which normal folk used technology to mind their own business, and strongly implied that meant that the previous form of government in the US had essentially died out from disuse (but there were still people trying to get out in front and try to make it be about them as it happened…natch).

Which may seem a bit “out there”…but frankly I think it’s inevitable. Either access to the means of production (3D printers, home CNC machines, whatever) will become democratized/widespread just as access to information has been (and will continue to be, ’cause that process is far from finished), or that process will be stopped by some sort of catastrophe or apocalypse, which will also mess with what we currently think of as the normal state of affairs. (Just for the record, I’m kinda hoping that if it comes it’ll be zombies. Because they’re cool.)

Good, bad, or indifferent…fundamental change is just as inevitable today as it was for the feudal systems of yore. And yet…inevitably, change surprises nearly everybody when it arrives, regardless of how quickly they can say “disruptive technology” five times in the shower on Wednesdays. (Or is that just me? ‘Cause I’m getting much better at it, if you want to compare times.) Also, change tends to be a messy process. Oh, and it’s been coming much faster lately. Ready for the ride?

Few companies have historically survived paradigm shifts (aka “disruptive technologies” in this context) in their industries. When they have, they’ve generally (possibly even “always” but I’m not sure enough to say so) managed it by creating a new division to deal with the new tech, and at some point the dog/tail balance shifted, so…did the original company survive? Sort of, I guess. Some investors got their value preserved or enhanced, anyway, which is the point as far as they were concerned. Why should governments be different? Especially if most of what they currently do (in fact, as opposed to theory) is essentially irrelevant to the ways we’ll learn to spend our time as our individual empowerment inexorably moves forward?

Still, some readers will be rolling their eyes at this post, and some won’t have gotten this far. But think back, if you’re old enough. Remember when “the news” was what you saw on the four TV channels available in your town? Or read in a newspaper? This was before blogging. Before YouTube and Twitter. Before we started creating our own hometowns and carrying them with us via Facebook. Before people started building lots of open-source software and distributing whatever information they wanted on the Internet. Now…imagine when something similar happens to people’s ability to make stuff. As BSS puts it, there are entire 3-letter agencies that do nothing but ban physical objects. Good luck with that, guys! It simply can’t last. Somewhere in there, too, taxation gets a bit difficult to enforce. So do rules about currency. See, stuff like Bitcoin is just the tip of the iceberg.

In fact, Bitcoin’s a bit of a bad joke in the process of being played on us all. Because of the way it’s designed, there simply won’t be enough coins–ever–for it to remain a major player once significant numbers of people start to get involved. Coins will soar in value in the short term, but Bitcoin is destined to fade away at some near-future point (says me and only me but I’m still saying it damnit). Actually this “flaw” led me to dismiss Bitcoin as soon as I first heard of it a few years ago…but I didn’t realize just how strong the demand for truly digital money already is. In fact, many libertarian types have bemoaned the rise of digital dollars in the US for years, on the grounds that they’re easier for the government to track and manage than paper money. Boy were they wrong too! Which is the point: the actual change we observe over time is always more fundamental than we expect.

So, lately the Snowden/NSA thing has made it seem that technology is basically used to reduce people’s privacy (and thus their capacity for effective independent action). And in fact this is often true. But not always. There are things like Tor (which it turns out the NSA specifically targets, meaning they don’t like for us to use it, which makes me smile a little). But using Tor is complicated…I got into what I’ll call “a discussion” a few weeks ago, just prior to the Snowden leaks, on someone else’s blog when a guy wanted to offer a router for sale that moved all network traffic via Tor for those who connected to it via wifi. Neat idea, sort of, but the thing is? Tor protects the privacy of your data in transit. Technically speaking, the term for what  it does, by itself and used as this guy planned, to enhance your privacy once you start actually using websites is this: fuck-all. And by design. Tor itself doesn’t even try to play in that space.

Okay, caveats exist, and the Tor Browser Bundle (or perhaps Whonix?) does in fact help a lot with privacy if used correctly, but that doesn’t mean half-measures are useful just because someone wants them to be. Also the guy with the plan probably meant well, but he didn’t know what he was doing and proposed to make money from people by promising stuff he couldn’t deliver. Which I dislike. So: using Tor is likely to actually make your internet life less private unless you know exactly what you’re doing. Which is not the same as connecting to a wifi network. Want to do it right? Most people can’t.

For instance: Hey guys, guess what? The entire operating system I’m using to write this post is dedicated to browsing to websites to which I log in under my own name, or doing web searches for stuff to which I intend to refer in public. I don’t use it for anything else. I have lots of others for other purposes, though. And even this one denies lots of information to whoever’s snooping and recording. I figure I’m totally hackable still, but…my data is somewhat compartmentalized. Let me be more explicit: I’m using stuff like Tor, Ghostery, Bleachbit, NoScript, HTTPSEverywhere, Perspectives, and lots more right now. For this operating system. And I still assume everything I’m doing is essentially public. And I don’t even have a reason to play with this stuff, except that it’s a fun game for me.

If you, in your internet life, doubt you can be easily tracked? Try the Panopticlick! Chances are good your browser is going to have a unique signature. It “fingerprints” you wherever you go on the web. So…are you visiting websites? Do you think that’s your own business and nobody else’s? Last time I went to CNN.com I saw there were twelve (12) separate companies attempting to record my visit. These guys sell and trade information, too. Most people have no idea of just how thoroughly their activity is being monitored. And no, turning on “Do Not Track” in your browser won’t help. Because most people don’t, so it just makes you that much easier to identify. Neat, huh? Oh, and who says any cookie-blocking will really help, anyway? ‘Cause a lot of info, plus a browser footprint, can easily be logged on the web server itself. So I saw twelve companies, and they distribute information, but for all I know there were 40 others dealing directly with CNN.

All the sites you go to that show you little Facebook icons? Or Twitter, or Pinterest, or LinkedIn, or whatever? Often that stuff is coming from web servers owned by…Facebook, Twitter, or whoever. So lots and lots of people can get access to much of your browsing history. I think that’s technologically cool, and I think it’s awesome that it’s generally used only to show you better-targeted ads, but still. It’s just a tad bit of a privacy problem. Isn’t it?

Thing is…privacy tech really is getting better. Browsers can get MUCH better with little effort, and I expect those that are open-source to improve the fastest and most dramatically in the near future. ‘Cause the kind of people who work on them often care about this stuff. And the NSA’s more direct forms of snooping (meaning the stuff they don’t just get from the companies that themselves just wanted to show you ads but actually ALSO know all about you and the things you like to watch monkeys do on rooftops) generally–though not always–seem to rely more on operator error than on anything fundamental (such as the oft-speculated notion that they have backdoors into common encryption algorithms…IMHO they just don’t).

Concern over data privacy is becoming more widespread. Tools to achieve it are, perforce, going to become much more pervasive and user-friendly. It’s very cool that the computers we use have so much more capacity than most of us ever use for watching videos and web-surfing and typing blog posts or tweets. Because it means they can begin to devote more time to protecting us.

Here’s what I say: monitoring impedes free speech. It restricts the flow of information. And enough people already care about this to change everything for the rest of us. Within five years I expect truly anonymous digital currencies (which Bitcoin isn’t, quite, though that may change if Zerocoin works and is widely implemented) to become widespread. Combine that with distributed means of production and bigger info-hoses (yeah, I made that up just now) and none of us can predict just how huge the changes will be.

So here I am, writing my little stories. Science fiction, some of ’em, I guess. But I’m barely scratching the surface. I mean…I’ve been around since the 1960s and I started getting excited about the internet in the early 90s. But I didn’t predict Ebay or Wikipedia or even Google. Hell, I didn’t predict what Amazon did to publishing…well, okay, that one I sort of saw coming but I didn’t think it’d be so soon. I’ve been talking about how distributed systems are more robust than centralized systems for years, and I’m still predicting the death of Amazon (or at least of their importance in selling digital content) in the fairly near future, but I know damn well I’m barely scratching the surface.

It’s fun to watch this stuff happen. I can’t wait to see what’s next!

Have fun out there.

[UPDATE, later on 10/12: the weird cert error for my SSH login to the web server (yes, this one) went away today sometime today. No apparent changes to relevant certs/files on either side since January. Which looks exactly like a discontinued MitM attack. Interesting…no conclusions here; just a mystery. Plus, you know, a need to move my stuff elsewhere just in case.]

I’ve heard back from Rackspace, multiple times. They say they can’t replicate the cert issues with their Java applet. Perhaps that’s a browser misconfiguration issue–though of course I used multiple browsers on two computers.

Treating my SSH login-via-cert troubles as a separate matter, they suggest perhaps my servers have been compromised, or my desktop & laptop have been compromised, as they don’t have a pattern of similar complaints. I say this: that sort of server-side compromise (changing the server’s certificates) would be just plain silly, as it lets me know the server has been modified…the attacker would already need access to be able to pull it off. However, this is exactly how a “Man in the Middle” attack works. And if the desktop and laptop were compromised, booting into a LiveCD (which I’ve done) would not produce the same results unless it were a hardware issue.

So I’m left with two possibilities: (1) Somebody hacked both my servers simultaneously (aiming this at me specifically–one server is in Dallas; the other is in Chicago) via some other means and thought it would be funny/helpful to make it look like a MitM attack for some reason–assuming I noticed it, and the cert error on Rackspace’s side combined with the restored access on the box I actually logged into via their Java applet is mere coincidence, or (2) Rackspace knows exactly what’s going on but won’t tell me. Oh, okay, (3) some super-secret spy types broke into my house and secretly installed hardware into all my computers. Er…I ain’t gonna buy that one, but feel free to have fun with it if you like.

If (2), that could be a corporate decision on their part to use a product like Blue Coat (as used by Iran and Syria…heh), and of course they wouldn’t tell me about it ’cause that’d lead to customers deserting them en masse. Though if they’re using Blue Coat messing with their own cert is kind of silly. OR it could be some sort of semi-competent government-required action that they’re not allowed to disclose to me. There’s been a lot of that in the news lately.

Now…the fact that things happened at the same time does not mean they’re otherwise related. It could be a series of strange exercises in hackery and misconfiguration. Personally I’m going with Occam’s Razor on this one but YMMV.

No matter what…I view my servers on Rackspace as compromised. And I am permanently suspicious of the company & all other servers hosted with them. Since my email goes through one of those, please don’t send me anything sensitive unless you encrypt it. Not that you were going to before, right? {8′>

Have fun out there! {8′>

This has nothing to do with fiction, but I figure people ought to know. As I say below, I doubt this is aimed at me specifically.

Originally I intended to give them time to respond, but then I wondered: What would Bruce Schneier say about that? Sunlight is the best disinfectant.

Of course it’s possible that I’m being targeted specifically, though that’d be weird. And it’s possible that I’m misinterpreting the data/events below. And it’s possible that I’m making this up, for all you know.

So, with those caveats, here’s the text of a ticket I opened with Rackspace this morning:

Figured you guys might be interested to know you’re probably being hacked by someone with access to your datacenters.

A while back (maybe a month?) I suddenly couldn’t log in via SSH to either of my virtual machines. They both require a cert for login. I got an error for both VMs that said there was a cert problem. I subsequently contacted you guys via chat & was told you weren’t doing any sort of MitM stuff, which left either somebody local to me, my ISP, or somebody who has access to both datacenters. (Neither of my VM had been “touched” by me).

Simultaneously I got a certificate warning when trying to use your web console app to take a look at my mail server. I chose not to proceed…but somehow the console opened anyway. Since I don’t actually have anything all that sensitive on either VM anyway, I logged into my mail server via the console.

Now I’m a few thousand miles from my previous location. The mail server suddenly accepts my cert for SSH login again (I haven’t tried for some time). All appears to be well. I could choose to believe it was a mysterious glitch that fixed itself, but I think it’s significant that I actually provided a password via the web console, via SSL using what purported to be your certificate, and only then was I mysteriously able to log in via whatever method I choose.

Because there’s a new wrinkle as of yesterday (at least that’s when I noticed it): My web server (different datacenter) suddenly has a new “fingerprint” for its key. The record on my laptop remains unchanged, and is in fact “synched” to other computers via encrypted online storage, so it can’t be an issue on the laptop itself. I don’t see how this can be anything but a MitM attack, carried out via various methods over a period of weeks (at least). Since I’ve tried connecting via multiple ISPs, from locations thousands of miles apart, I can only conclude the attack is fairly likely to originate within your own network–though if it’s not, it means somebody with serious backbone access is targeting at least one of your customers. Which sucks even harder.

As for me? I used to do “secure” web app development for various corporations & startups, and I still play around with Tor and VPNs terminating in different countries (of which neither affects the results I get when attempting to log in via SSH, pointing again to something local to your datacenters) and various other goofy stuff…but I’m doing it all strictly as a game. I mean, I write fiction these days. Damn near everything about me is now public (google “David Haywood Young” and you’ll see what I mean), so I doubt anybody cares about “hacking” me or my VMs specifically. I’ll bet the issue(s) is (are?) affecting lots of your other customers, though, and not in a good way.

Are you already aware? Do you have a plan to fix it? I’m willing to talk to you guys first, but I’ll be blogging about it all fairly soon. I think people should know. ATM I have to assume anything in either the Dallas or Chicago datacenter is compromised.

More on their cert below. No details about mine are forthcoming.