Hacktivist attack against Obamacare

Just as I was finishing up my previous post, about the seeming self-sabotage involved in the development of the Obamacare website, this interesting piece of news turned up in my feed:

Denial-of-service tool targeting Healthcare.gov site discovered

Here is the message from the supposed hacktivists:

Destroy Obama Care.

This program continually displays alternate page of the ObamaCare website. It has no virus, trojans, worms, or cookies.

The purpose is to overload the ObamaCare website, to deny service to users and perhaps overload and crash the system.

You can open as many copies of this program as you want. Each copy opens multiple links to the site.

ObamaCare is an affront to the Constitutional rights of the people. We HAVE the right to CIVIL disobedience.

Perhaps it is just the coincidence with the other blog post (which I started writing yesterday), but I feel a bit skeptical here. First of all, this is not a serious threat on a technical level (see the article for details), but rather a symbolic action of some kind. The note strikes me as odd, not the kind of thing I would expect either from hacker types or constitutionalist activist types. I generally appreciate this kind of civil disobedience, but given the ineffectiveness of the attack itself, I wonder if this does not play into the hands of the White House, which is already building a narrative where threats of external sabotage is used to explain the failed website launch.

Obamacare - Incompetence or Sabotage?

Government IT is hard. I say this from experience, being an IT contractor with government agencies on the client list. Big IT projects failing is if course a sign of incompetence, but not necessarily of any extreme variety. However, now that more details are coming out about the fiasco of HealthCare.gov, the online interface of Obamacare, I think the problems we are hearing about goes beyond the usual. In this article from the Washington Post we supposedly get some additional inside information, and some of it is fascinating:

[...] the president emphasized the exchange’s central importance during regular staff meetings to monitor progress. No matter which aspects of the sprawling law had been that day’s focus, the official said, Obama invariably ended the meeting the same way: “All of that is well and good, but if the Web site doesn’t work, nothing else matters.

So it seems that Obama had the right kind of focus for a long time, at least since one and a half years ago. How then could things go so wrong, despite the best of intentions? Here are some clues:

“They were running the biggest start-up in the world, and they didn’t have anyone who had run a start-up, or even run a business,” said David Cutler, a Harvard professor and health adviser to Obama’s 2008 campaign

Inside the Department of Health and Human Services’ Centers for Medicare and Medicaid, the main agency responsible for the exchanges, there was no single administrator whose full-time job was to manage the project.

The Medicaid center’s chief operating officer, a longtime career staffer named Michelle Snyder, nominally oversaw the various pieces, but, as one former administration official put it: “Implementing the exchange was one of 39 things she did. There wasn’t a person who said, ‘My job is the seamless implementation of the Affordable Care Act.’ ”

But the problem was not only neglecting to put a proper management structure in place. There was also direct interference to block critical parts of the projects. Here is one example out of several mentioned:

According to two former officials, CMS staff members struggled at “multiple meetings” during the spring of 2011 to persuade White House officials for permission to publish diagrams known as “concepts of operation,” which they believed were necessary to show states what a federal exchange would look like. The two officials said the White House was reluctant because the diagrams were complex, and they feared that the Republicans might reprise a tactic from the 1990s of then-Sen. Bob Dole (R-Kan.), who mockingly brandished intricate charts created by a task force led by first lady Hillary Clinton.

In the end, the White House did not allow the diagrams to be published. Ostensibly, they were protecting the project against potential sabotage, but what they were in fact doing, time after time, was sabotaging the project themselves!

Finally, being a software contractor, this makes my stomach churn:

CGI was issuing warnings of its own. On Aug. 17, about six weeks before the launch date, a company employee sent an e-mail to a CMS staffer — with copies to more than a dozen other CMS staff members — detailing an “updated schedule” for work on the exchange. The e-mail, obtained by The Post, said that, for the tasks that CGI was responsible for, the exchange was 55 percent complete.

Note carefully what is actually being said here: Less than two months before release date, the contractor reported being barely more than half-way done. If this was indeed the case, standing by the original release date was madness.

These anecdotes are line with many other stories from inside the Obama administration - the environment seems to be one of paranoia and insularity. The president has a few advisors that he places an enormous amount of trust in, and these people are the only ones who get to run things, regardless of what skills are needed. t is amazing and somewhat frightening that Obama and his staff could not break out of their bunker mentality even when their greatest signature achievement was at stake. If they act with such recklessness when their own core interests are at stake, how could we possibly trust them to look out for ours?

Some have suggested that the whole Obamacare project might have been designed to fail. I don't buy it, since I think lack of competence is a sufficient explanation, but I see where they are coming from. And I think some of these actions are clear examples of self-sabotage, intentional or not.

Deep Packet Inspection as a Service

Deep packet inspection is an advanced method used, among other things, for monitoring data traffic. A strength of this technique is that it enables secret monitoring, since it operates at the network level. In a nutshell, a network operator grabs each packet of data sent, does what it wants with it and then sends it along on its way. To the intended recipient it looks exactly like a normal transfer.

TeliaSonera is the largest telecom operator in Sweden and Finland. The company was created by merging two former state monopolies and is now notorious for providing surveillance technology to foreign states with dictatorial regimes. The company has a page on its website about "Freedom and expression and privacy" where we find these rather vague sentences about customer privacy:

Much of the business of our sector in general is built upon the collection of data about individuals and their communication. [...] In this context, there are technological trends that pose challenges to all kinds of players in the field of ICT, including TeliaSonera. [...] These trends are such as; virtual networks and software available remotely for access by users (the ‘cloud’), behavioral advertising, examination of a data of a computer’s network enabling for instance, network management, security and data mining (‘deep packet inspection’), location awareness and the risk that seemingly anonymous data can be re-identified. [...] We are committed to protect and safeguard our customer’s privacy.

Did you notice the words "deep packet inspection"? Did you interpret that as a commitment from TeliaSonera to protect their customers from this type of monitoring? Think again. Deep packet inspection is actually a service being sold by TeliaSonera to their ISP customers. It is an optional feature that an ISP can buy to increase their control over what traffic is allowed to the end customer.

If you have been following recent events, this should not surprise you. But perhaps it would interest you to see an example of how TeliaSonera markets this technology to their corporate customers. Of course, as always when new methods of Internet control is rolled out, it is sanctified in the name of protecting children. When it comes down to it, what they are selling is, in the exact words of TeliaSonera:

a technical solution combining intelligent routing with deep packet inspection in order to deny access to URLs

 Here is the original document:

Machineries of freedom

Last night I was talking with some fellow anarchists about what kind of practical projects we should be exploring and promoting, to move beyond the usual grind of politics and ideology. There were lots of interesting suggestions of course and over time I would like to explore many of them on this blog. Here are some types of projects that I am currently involved with or seriously exploring:

  • Autonomous wireless mesh networks to complement/compete with/replace the government controlled Internet. I have been talking to people, going to conferences etc to explore this topic, with the goal of building a mesh network in Stockholm. The motivation is primarily to counter government restrictions on information exchange, by creating a parallel network which the state can not control or censor.
  • New technology for small scale production of food. One of the small startups in this space that I am watching closely is AutoMicroFarm. Some friends of mine are building similar setups of their own. Don't know much about energy production, but would love to hear from some solar power enthusiasts or something.
  • The interplay between government services and free software might offer some opportunities. I have personal experience of projects where the implementation of open data standards has made a substantial difference to the allocation of money and other resources. Wider implementation of free software might shift the balance of power in a favorable direction.
  • Setting up secure mail hosting services, systems for encrypted mailing lists etc. I run a full-stack mail server to help friends and acquaintances improve their security, use encryption etc (let me know if you are interested). I provide these services for free, but it could easily be turned into a small business if I wanted it to. Lots of people should be doing this, i.e. making money helping others to become more free and secure.
  • A while ago I collaborated with a friend to create a prediction market, something like a more up-to-date version of Intrade. The project was put on hold, but feels more relevant than ever now that Intrade has been forced by the US government to shut down. Prediction markets are powerful tools for crowd sourcing intel and we should use them.
  • I have created a piece of software called Digital Demokrati, which is a decision making system based on a fluid combination of direct and representative democracy. The general idea is to challenge the conventional idea of politicians representing the people by providing a superior mechanism of representation.

If you are interested in this kind of stuff, feel free to get in touch. I am especially interested in talking to people who have practical experience of building and maintaining wireless mesh networks.

The title of this post is a reference to The Machinery of Freedom by David Friedman, one of the classic works on anarcho-economy. If you have not read it, you should check it out.

Robotrubriker?

Har kvällstidningarna mjukvarusystem för att generera rubriker? Gör de a/b-testning med algoritmer som med varierande frekvens inkluderar ord från särskilda ordlistor, t.ex. "skräck" och "bajs"? Ger de algoritmerna feedback från besöksfrekvenser för att utvärdera olika strategier?

Jag har ingen aning, men jag vet att Schibsted är bra på dataanalys. Vissa av deras bolag är rena datacrunchningsfabriker, och samtal med folk på insidan ger mig intrycket att hela koncernen jobbat länge och medvetet med att analysera sina egna data och bygga sina företag därefter.

Idag hittade jag följande fyra rubriker på aftonbladet.se som alla refererar till samma händelse, tre av dem på en och samma indexsida (två separata länkar). Oavsett om det är avsiktligt testas alltså multipla rubriker på en och samma nyhet på en och samma sida. Det börjar oskyldigt men trappas gradvis upp till nivån då man inte bara använder "skräck" och "bajs" utan dessutom kombinerar dem till ett ord:

Tv-mammans kärleksmöte - i vinglig kanot

"Ensamma mamma"-Thereses guppiga kanothångel

Hemliga skräcken under kyssen i tv

Hemliga bajsskräcken under mammans kanothångel i tv

Jag ska erkänna att jag har svårt att greppa att det över huvud taget finns både producenter och konsumenter av den här typen av information, så jag är inte den bästa tänkaren på området. Kanske sitter journalister helt enkelt och tävlar om att sätta mer och mer skruvade rubriker? Jag föreställer mig att de för det mesta har roligt, men att de ibland är irriterade över att deras CMS-system kräver att man matar in rubriken på fyra ställen istället för ett.

Encrypted mailing lists with Schleuder

I recently needed to have a way for a group of people to send encrypted messages to each other. Regular PGP is designed for one-to-one communication, so this is a bit of a tricky problem. Multiple strategies are possible, but they all involve some kind of trade-off in regards to security or practical feasibility.

One option is to use a secret key which is shared by all members. The benefit of this model is that it provides proper end-to-end encryption. The drawback is the practical problem of securely distributing the shared secret. If there is geographical separation and few other secure channels, this can be a very difficult problem. What happens if you need to revoke access for one of the members - do you create a new secret and go through the process of securely distributing it to everyone again?

The second option is to have users encrypt messages with a special public key, the list key. The list server receives messages, decrypts them with the private list key and immediately re-encrypts them with the public key of each member of the group. One benefit of this approach is that key management is a non-issue (same as normal PGP mail). The drawback is that messages will be decrypted and at some point held in cleartext before reaching the recipients. So there is not end-to-end encryption - in effect, the server does a benevolent version of a man-in-the-middle attack.

The drawback of the first option is huge - I don't think I could convince anyone to participate in my mailing lists if they were so cumbersome to manage. The drawback of the second option on the other hand is rather limited. Temporarily decrypted messages need only be stored in RAM, and never for more than a few seconds. Given that we have some degree of trust in the list server, this is probably not one of our primary security concerns.

With this decision made, I started looking for specific software to use. I quickly found a very nice open source project called Schleuder (meaning 'slingshot' in German), which had exactly the features I was looking for, a few little extras that I hadn't thought of but liked, and basically nothing else - perfect! And when I downloaded the source I got another nice surprise: Schleuder is written in Ruby which happens to be my weapon of choice for everyday scripting.

Thus began my love affair with Schleuder. About a week later it was consummated when I had a server set up and could start playing around with encrypted lists. So far there are a couple of small groups keeping in touch through the Schleuder lists on my server, and I'm working on getting more people to start using encryption and joining lists. I have also written my first Schleuder plugin and hopefully I will find the time to write a few more.

Some of the extra features that Schleuder comes with:

  • Anonymous remailer. Lists can act as mail gateways for groups, exchanging mail with any external address. Might be useful e.g. for info-type addresses or for anonymity purposes.
  • Lists are to a large extent managed by sending text commands in emails to the list server. Commands include things like adding new members, listing current members, requesting a specific public key etc.
  • Flexible plugin system, which has worked without a hitch for me. Very easy to create new mail based commands. My first plugin experiment was a mail based web browser.

For more information about Schleuder, check out the project web site. And by all means, if you are interested in this kind of thing and want to share your thoughts, please send me an email. To anyone interested in having an encrypted mailing list for some project or just messing around, let me know and I will create a list for you on my server. The only requirement is that you are able to send and receive PGP encrypted mail.

IS4WCN 2013

This is a travel report I sent to a private mailing list after attending the 2013 International Summit for Wireless Community Networks in Berlin.

Jag har begränsat med tid att skriva, så här kommer några slumpmässiga reflektioner:

  • Konferensen hölls på c-base i Berlin, vilket är ett otroligt coolt ställe. Om ni inte känner till det bör ni googla. Sedan jag kom hem har jag inte kunnat släppa tanken på att jag vill skapa en ny plats i Stockholm... Vi kommer nog aldrig att kunna skapa något i Sverige som liknar c-base, men vi skulle kunna ta både ett och två blad ur deras bok...
  • Deltagarna på konferensen var extremt trevliga, öppna, ödmjuka typer. Alla var generösa med sin tid och när jag t.ex. nämnde för någon att jag ville prata med folk från Aten, kom någon helt annan fram en timme senare och presenterade två greker. Jag är van att hänga på programmeringskonferenser och i någon mån politiska konferenser, så för mig har kanske ett visst mått av asociala beteenden blivit normala. Det var hur som helst en mycket trevlig upplevelse i Berlin och jag knöt många intressanta kontakter.
  • Det finns massor av stora meshnätverk runt om i världen. Jag blev förvånad över hur många det var som jag aldrig hittat i mina försök att göra research. Det finns både stor spridning i vilken teknik folk använder, och anmärkningsvärda likheter. Folk använder t.ex. ganska olika sorters hårdvara, routingprotokoll osv, men tjänsterna som möter slutanvändare är ganska lika.
  • De flesta nätverksprojekt står inför ett dilemma när wifi-uppkopplingar plötsligt är väldigt tillgängliga. Normala svenskar har ju obegränsat 3G-internet i sina telefoner, och ofta dessutom tillgång bra wifi-nät på offentliga platser osv. Så dessa projekt som marknadsfört sig som leverantörer av internetuppkoppling kan plötsligt se överflödiga ut. Folk pratade väldigt mycket om hur man kan få människor att stanna kvar på communitynäten, men det slog mig att man nästan aldrig pratade om varför man ville hålla kvar folk.  För mig som vill bygga meshnät som ett försök till politiskt självförsvar, framstår städer som Aten, Barcelona och Bogota som extremt lyckligt lottade i det att de redan har en parallell infrastruktur på plats. Jag undrar om de här nätverken kan ges nytt liv med ett mer aktivistiskt syfte.
  • Det är ofta mer intressant att lära sig om projekt i utvecklingsländer. Deras lösningar är lo-tech, billiga, flexibla, robusta och ofta mindre ideologiska, helt enkelt för att det krävs. Snackade ganska mycket med en person från Kamerun vars internetuppkoppling var 10 b/s (sic!). Vissa av projekten från rikare länder verkar vara mer fluff och lägger energi på t.ex. att migrera från den ena hipsterteknologin till den andra (byte från MongoDB till CouchDB diskuterades).
  • Jag är inte längre lika intresserad av att installera OpenWRT på commodity-routrar. Var på en workshop med en snubbe från Bogota som visade hur man kunde sätta upp en extremt flexibel meshnod på en Raspberry Pi med wifi-anten, minimal Debian-installation och några enstaka normala unixdemoner för OLSR-routing, DHCP-server osv. Ett exempel han visade var att med några knapptryckningar installera en Mumble-server som vi fick testa att VoIPa genom. Såklart busenkelt att köra webserver eller precis vad som helst. Och det finns bättre/billigare mikroarkitekturer än Raspberry Pi, och jag tänkte börja experimentera med några sådana.
  • De flesta projekt verkar använda en splashscreen, lite som när man surfar på hotell-wifi, men med de två alternativen "Lokala tjänster" respektive "Internet". Om man gör en sådan splashscreen bra kan den räcka som det enda standardiserade gränssnitt man behöver. Tänker att det vore en smal sak att baka in service discovery (via OLSR-lagret) och visa direkt på splashen vilka tjänster som finns på närliggande noder. Mycket mer än så behöver man inte.
  • Har inte direkt kommit på något som känns som en killer app, men tror fortfarande att grundläggande kommunikation är vad jag personligen vill försöka utveckla till att börja med. Textmeddelanden, t.ex. genom Bitmessage, VoIP-tjänster, fildelning. Det man egentligen vill är att hitta saker som inte går att göra på vanliga internet, men som går på ett lokalt nätverk, men trots alla smarta kreativa personer på konferenser fanns det förvånansvärt få idéer i den riktningen.

Whole disk encryption and the boot partition

In most cases, so-called "whole disk encryption" does not in fact encrypt the whole disk. A small part of the disk is used for the boot partition, which must be stored unencrypted. This creates a potential attack vector. One description of this problem comes from Micah Lee in an interesting report originally published in 2600:

Pwning Past Whole Disk Encryption

In a nutshell: If an antagonist gets physical access to your computer (say, if you go to the bathroom and leave your laptop laying around, even if it is powered off), malicious software can be installed on the boot partition, e.g. a keylogger which grabs your hard drive decryption password the next time you enter it and/or any other kind of malware.

The suggested solution to this problem is to eliminate the local boot partition. Instead, have the boot partition on a flash drive which you insert temporarily every time you reboot your compuer (much like you insert a physical key to start your car). To prevent tampering with the flash drive, and to make sure it is not close to the computer when you are not, buy a nice and durable one and keep it on your keychain.

My personal setup costs less than $10 and involves the following hardware:

Kingston DataTraveler SE9

Stainless Steel 2.9mm Curb Chain

Own your mail

Most people use email addresses under domain names owned by their mail hosting provider, e.g. gmail.com or hotmail.com. This makes it very easy for providers to revoke access to personal mail accounts. For one thing, all the archived mail will be inaccessible if the user has not taken care to make an independent backup. More importantly, the user can be denied access to all future incoming mail. At any point such a provider has the capacity to intercept messages, impersonate the user etc.

This is no way to manage such important personal tools as ones email addresses!

Fortunately, it is easy to solve the problem:

  1. Register your own domain name and use it for your personal mail account. Most email providers (e.g. Google) will provide this as a free add-on service, i.e. you can continue to use the Gmail web interface or whatever. Now, if Google suspends your account, you can simply point your domain to another provider and immediately start recieving your mail through them.
  2. Have backups of your mail history. The easiest way to achieve this is probably to set a normal desktop mail client to store all messages locally. There are also several tools for exporting mail data from e.g. Gmail. Now, if Google shuts your mail down, not only can you continue to use the same email address, you will also have access to  your mail archive.
  3. Use cryptography to sign and encrypt messages as often as possible. Encryption takes away the ability of the mail provider to read the contents of messages sent through and stored on their servers. Signing removes the ability of external parties to impersonate you after taking control of your mail account. (This assumes, of course, that your private key remains private.)