HTC’s Dropbox bonus deception

HTC have been promoting a partnership with Dropbox which gives HTC smartphone customers an additional 3GB of free Dropbox storage space.

The extra storage capacity appears when you activate the Dropbox client on a HTC smartphone with the new HTC Sense 3.5 software.

There’s something they don’t tell you though, which only becomes apparent when you receive the confirmation email from Dropbox:

Congrats on becoming a Dropbox Guru! We’ve awarded you 3GB of bonus space for the next 12 months! You now have 5.25GB on Dropbox. To get even more space, check out our upgrade options.

Thanks again for supercharging your HTC phone with Dropbox!

According to the email, the 3GB bonus space is only awarded for 12 months.

This has been confirmed in the Dropbox support forums by their staffer ‘Michael N’:

We are excited to confirm the announcement from HTC. Owners of HTC phones with a Sense 3.5 ROM will be receiving 3GB of extra space for 1 year, free of charge. All you need do to earn the space is install the Dropbox app on the HTC phone, then complete the Getting Started Quest at www.dropbox.com/gs

So what happens if you are still using the 3GB of bonus space at the end of the 12 months?

Well, according to an update from Michael N: “The 3GB extra space goes away, and you’re over quota. Your Dropbox desktop client will stop syncing.”

Your options are then to delete files and reduce your storage to under the 2GB free limit or upgrade to Dropbox’s Pro 50 plan at a cost of $9.99/month. How convenient!

While Dropbox themselves have been fairly transparent, HTC have been careful not to mention this built-in timebomb.

The bonus space is time-limited and only available to owners of a HTC phone with the new Sense 3.5 ROM. This is very different to HTC’s announcement: “We’re proud to announce that we’ve partnered with @Dropbox, bringing 5GB of storage to all of our #Android phones.”

The Advertising Standards Authority now regulates advertising across all media, including marketing on websites. I wonder if this includes marketing statements made on Twitter from an official company account?

I feel a complaint to the ASA coming on!

BlackBerry Fool

This post could perhaps have been more aptly titled ‘BlackBerry Jam’, but actually I don’t want to focus on the widespread service failures so much as the foolish customers who chose to rely on BlackBerry in the first place.

Why is it only now they realise that what they bought into wasn’t the Internet in your pocket, but a totally proprietary email and messaging service with an inherent single point of failure?

For the uninitiated, BlackBerry is a mobile email, messaging and web browsing service provided by Research In Motion Limited (RIM). The difference with BlackBerry services is that you don’t have a direct connection to the Internet like everyone else, instead all your mobile data traffic is tunnelled through RIM’s data centre(s).

The advertised advantage of this approach is that RIM applies data compression techniques to make more efficient use of the available bandwidth, which should result in faster web browsing and quicker email delivery.

For the privilege of using their data optimisation service RIM levies a hefty monthly System Access Fee (or SAF). This hidden per-subscriber BlackBerry tax is usually collected by the mobile operators in the form of higher monthly subscriptions or call charges.

The SAF revenue stream is hugely lucrative for RIM, which is why they are so keen to keep customers tied into their proprietary service model.

But RIM’s unique selling point is also their biggest flaw.

The problem with their architecture is that you are putting all your metaphorical eggs in RIM’s one basket. As we’ve seen with the prolonged service outages over the last two days, if RIM’s servers go down then so does all your connectivity.

RIM have been surprisingly tight-lipped about the problems. There is nothing on their corporate web site, nothing in the press releases. It’s like we imagined the whole thing!

The only source of information I’ve found is RIM’s official Twitter support account.

The news was broken yesterday with:

Some users in EMEA are experiencing issues. We’re investigating, and we apologize for any inconvenience.

This was followed up by:

We apologize to any of our customers in Europe, Middle East & Africa still experiencing issues. We’ll bring you an update as soon as we can.

BlackBerry email services restored. Some users still experiencing delays with browsing and IM. Sorry for inconvenience.

Just when we thought everything was getting better, more problems this afternoon:

Some areas have messaging delays and impaired browsing. We’re working to restore normal service as quickly as possible.

The most recent RIM Tweet says:

Message delays were caused by a core switch failure in RIM’s infrastructure. Now being resolved. Sorry for inconvenience.

Lots of faceless apologies from RIM, which is of little consolation to their customers.

This issue reminds me of my blog post about the Proprietary Internet. The success of the Internet has been that its distributed architecture makes it resilient from individual system failures. It was deliberately designed this way.

If you tie yourself into a single service provider then don’t be surprised if one day you too find yourself cut adrift from the connected world. If this communication tool is so critical to your business then it’s your duty to ensure that you have exercised due diligence in your choice of service provider.

You’ve only got yourselves to blame!

Who do you trust?

I trust a few people and organisations – my parents, some close friends and a handful of organisations such as EFF. Your personal circle of trust is probably not hugely dissimilar.

I wonder, have you heard of DigiNotar or Comodo before? Do you realise that you implicitly trust them and hundreds of other organisations every time you use your Internet web browser?

What are you trusting these organisations to do? You trust them to vouch for secure web sites that you visit. These 650 ‘trusted’ organisations are SSL Certificate Authorities (or CAs) and they are responsible for confirming that a given domain name and web site belongs to the legal entity named in the web server SSL certificate.

As a result of security weaknesses, the integrity of the Comodo and DigiNotar Certificate Authorities was breached in hacks which made news all around the world. Even the non-tech press realised the significance of these attacks.

The hacker responsible was able to generate a number of bogus web server SSL certificates, which were used by persons unknown to transparently intercept and spy on communications with popular web services such as Gmail, Skype and Facebook.

(Update: This article was written in 2011, before Edward Snowden’s revelations about NSA interception techniques. The paragraph above now has extra significance with regards to the persons unknown!)

This led me to question the role of certificate authorities and how fit for purpose the SSL protocol is in the modern Internet world of web applications.

The original SSL protocol specification was drafted in 1994 by Netscape engineer Kipp Hickman. In the section describing ‘Man In The Middle’ attacks the author simply says:

During the security connection handshake the server is required to provide a certificate that is signed by a certificate authority.

Any good secure protocol requires three elements: secrecy, integrity and authenticity. Apparently Hickman himself has admitted that authenticity was “thrown in at the end” of the SSL protocol specification. This weakness of SSL is a fundamental and critical flaw. This is the element where commercial interests, criminality and good old fashioned human error have all come into play.

In the early days of SSL, VeriSign was the lone certificate authority entrusted to verify that a web server belonged to a particular domain name and legal entity. The problem with a monopoly such as this is that without competition the CA can set an unreasonably high price for the service they provide. To stimulate competition more and more CAs were added to the trusted root certificate lists and over time we now find ourselves with literally hundreds of ‘trusted’ CAs.

So what makes these businesses trusted? Judging by some of the CAs that have bought their way onto the list – not a lot!

StartCom CA for example will issue free SSL certificates with only cursory validation. In their own words:

Class 1 Certificates provide modest assurances that the email originated from a sender with the specified email address or that the domain address belongs to the respective server address. These certificates provide no proof of the identity of the subscriber or of the organization.

Most Internet users naively assume that seeing https and the padlock icon is a guarantee that the identity of the web site owner has been verified and the web site is secure. Actually both assumptions are no longer true.

It is no longer necessary to go through strict vetting procedures to obtain a valid and trusted SSL certificate. With fake certificates having already been created via compromised CAs there is also no guarantee that your communications are safe from a man-in-the-middle attack.

Former Netscape Chief Scientist Dr Taher Elgamal is credited as being one of the co-authors of the original SSL specification. He too has voiced his concerns that a copycat attack against CAs could result in more rogue SSL certificates:

It could happen again. There’s no back-up plan, which is generally a bad security model. The problem of what to do when certificate issuers were compromised never came up when the original work was being done on SSL/TLS. Nobody asked the question of what to do if a certificate authority turns out to be bad. The problem was not so much with the technology as it was with the firms issuing the certificates.

There’s way too many of them.

But what of the Online Certificate Status Protocol (OCSP), which was specifically designed to protect us from rogue SSL certificates? Well that is unfortunately flawed too and can be bypassed using a simple protocol trick.

So are there any workable alternatives to SSL?

Moxie Marlinspike (the security researcher who found the OCSP flaw referenced above) has been giving it some serious thought. He was inspired by a concept called Perspectives which he has improved on and developed into Convergence – “An agile, distributed, and secure strategy for replacing Certificate Authorities”.

Convergence is still in its infancy and it’s not perfect, but with SSL now coming of age it could be a critical enabler for the future of secure communications.

I’m glad that someone who understands the weaknesses of SSL has proposed an alternative to CAs. Let’s hope that this effort gains some momentum in the industry and together we properly solve the issue of web server authenticity.
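To make the notary idea behind Perspectives and Convergence concrete, here is an added example (my own illustration, not code from either project): instead of trusting a CA signature, the client compares the certificate it received with the fingerprints that independent notaries report for the same host, under a consensus or majority policy. The certificate bytes, notary names and reports are all constructed.

```python
import hashlib

# Constructed sample data (not from the original post): the certificate the
# browser received, and what independent notaries report seeing for the host.
GENUINE_CERT = b"constructed DER bytes of the genuine mail server certificate"
ROGUE_CERT = b"constructed DER bytes of a certificate minted by a compromised CA"


def fingerprint(cert_der: bytes) -> str:
    """SHA-1 fingerprint of a DER certificate, colon-separated as browsers show it."""
    hex_digest = hashlib.sha1(cert_der).hexdigest().upper()
    return ":".join(hex_digest[i:i + 2] for i in range(0, len(hex_digest), 2))


def notary_verdict(observed_fp, notary_reports, policy="majority"):
    """Trust decision from notary perspectives rather than from a CA signature.

    notary_reports maps notary name -> fingerprint that notary saw for the host,
    or None if the notary was unreachable. 'consensus' requires every reachable
    notary to agree with what the browser saw; 'majority' requires more than half.
    Returns (trusted, agreeing_count, reachable_count).
    """
    reachable = {n: fp for n, fp in notary_reports.items() if fp is not None}
    if not reachable:
        return False, 0, 0          # fail closed: no perspective, no trust
    agree = sum(1 for fp in reachable.values() if fp == observed_fp)
    if policy == "consensus":
        trusted = agree == len(reachable)
    elif policy == "majority":
        trusted = agree * 2 > len(reachable)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return trusted, agree, len(reachable)


def scenario(cert_seen_by_browser, cert_seen_by_notaries, down=()):
    """Three constructed notaries watch the host; 'down' names those that did not answer."""
    true_fp = fingerprint(cert_seen_by_notaries)
    reports = {n: (None if n in down else true_fp)
               for n in ("notary-a", "notary-b", "notary-c")}
    return notary_verdict(fingerprint(cert_seen_by_browser), reports)


if __name__ == "__main__":
    # Genuine certificate, all notaries agree -> trusted.
    print(scenario(GENUINE_CERT, GENUINE_CERT))
    # A rogue certificate from a compromised CA carries a valid signature, but
    # no notary has ever seen it for this host -> rejected despite the signature.
    print(scenario(ROGUE_CERT, GENUINE_CERT))
```

The point the CA model misses is visible in the second scenario: the rogue certificate would pass a signature check, but it fails because the notaries' view of the host disagrees with what this one client was shown.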

Security and The BEAST

The news of supposedly trusted certificate authorities DigiNotar (now bankrupt) and Comodo being penetrated by hackers was a severe blow to the long established SSL/TLS chain of trust security model.

Now there’s another serious web security vulnerability to be concerned about.

Security researchers Juliano Rizzo and Thai Duong have exploited a weakness in CBC (Cipher Block Chaining) based ciphersuites which they have used to create a proof of concept attack on SSL.

Their exploit is called BEAST (Browser Exploit Against SSL/TLS) and it demonstrates how to steal a web browser session cookie that is supposed to be protected by SSL. The implications of this are that your supposedly secure (i.e. HTTPS) web browser sessions can be hijacked by a third party.

How can we protect against this? Well since BEAST exploits CBC then web server administrators need to use a different cipher.

Google have switched to using the RC4 cipher on their web sites and Microsoft has issued an advisory recommending that you “prioritize the RC4 algorithm in server software in order to facilitate secure communication using RC4 instead of CBC”.

Twitter Typosquatting

I just mistyped twitter.com as twtter.com and was surprised to find that I was redirected to what looked like a Twitter survey / competition page.

The logo at the top of the page is presumably deliberately designed to fool you into thinking that it’s an official Twitter survey:

Congratulations!

You’ve been selected to take part in our short, anonymous 30 second questionnaire. To say “thank you”, you’ll have the opportunity to receive one of our exclusive offers including an Airline Travel Voucher and Win an iPad2. Start this short survey now.

I tried going to twtter.com a few times and was redirected to a number of alternative domains, each with the same fake ‘quiz’.

I got bored of harvesting all the various quiz and survey related domain names (they actually had some really good names), but I collected around 70 and submitted them to the OpenDNS Community tagged as Adware.

Incidentally, if you’re not already using the fantastic OpenDNS service then I highly recommend it.
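The twtter.com case is a single-character omission, one of a handful of typo patterns squatters rely on. As an added example (not part of the original post, and not OpenDNS code), the script below enumerates those patterns for a brand domain and classifies a domain seen in logs or DNS data against them, which is how a defender can monitor for squats before users stumble into them. The keyboard-neighbour map is a constructed approximation of a QWERTY layout.

```python
# Constructed QWERTY adjacency map used for "fat finger" substitutions.
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}


def typo_variants(domain: str) -> dict:
    """Typo variants of a domain's first label, grouped by the kind of mistake.

    omission:      a letter dropped (twitter.com -> twtter.com)
    transposition: two adjacent letters swapped (twitter.com -> twittre.com)
    adjacent:      a letter replaced by a keyboard neighbour (-> twirter.com)
    repeat:        a letter doubled (-> twiitter.com)
    """
    label, _, rest = domain.partition(".")
    out = {"omission": set(), "transposition": set(), "adjacent": set(), "repeat": set()}
    for i, ch in enumerate(label):
        out["omission"].add(label[:i] + label[i + 1:] + "." + rest)
        out["repeat"].add(label[:i] + ch + label[i:] + "." + rest)
        if i + 1 < len(label) and label[i] != label[i + 1]:
            swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
            out["transposition"].add(swapped + "." + rest)
        for neighbour in QWERTY_NEIGHBOURS.get(ch, ""):
            out["adjacent"].add(label[:i] + neighbour + label[i + 1:] + "." + rest)
    return out


def classify_typo(observed: str, brand: str):
    """Return which typo pattern turns `brand` into `observed`, or None if none does."""
    for kind, variants in typo_variants(brand).items():
        if observed in variants:
            return kind
    return None


def flag_squats(observed_domains, brands):
    """Map each observed domain to (brand, pattern) when it is a typo of a brand."""
    hits = {}
    for observed in observed_domains:
        for brand in brands:
            kind = classify_typo(observed, brand)
            if kind:
                hits[observed] = (brand, kind)
    return hits


if __name__ == "__main__":
    # Constructed sample of domains seen in DNS logs, checked against one brand.
    print(flag_squats(["twtter.com", "twittre.com", "example.com"], ["twitter.com"]))
```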