Thursday 24 September 2015

Tor is Broken

For a long time in my mind there's been no doubt that Tor is broken, at least with respect to the powers available to the United States and its allies. Think about it. There are no where near a million Tor nodes and even fewer exit nodes, and a million servers is a rounding error in the DoD black budget for a year.

Sure, non DoD Tor nodes exist, but what % of them are p0wned? (Zero Day Exploit) I'll hazard a guess; just that % required to make it statistically implausible that, combined with traffic analysis, context gleaned from exit nodes a handful of zero-days etc. etc. no one can use Tor and expect sustained anonymity from the government.

I actually think that's a good thing. Hear me out. For the general Tor user who just wants their ISP , nosy Shark Wire aware neighbor, political opponents, large corporations, website owners land various databrokers to fuck off, they have what they want For dissidents in oppressive nations, those nations probably can't muster the resources to de-anonymize Tor users. For very bad people who want to do very bad things, we can get them, with some effort.

I know this is a minority opinion, but I think that the opposing opinion is regressive. Once, it wasn't possible for a small group of non-nation-state individuals to wreak mayhem on millions of people at once.

Once, the amount badness that could be achieved by Bad Guys was a trade-off between the number of people the Bad Guys wanted to effect, the number of people the Bad Guys could enlist to help them and the degree of severity of the Badness itself. Not any more. This changes everything.

We are living more and more in a world in which a few or even one really fucked up person can reach out and kill. This is nothing but the advancement of technology, and it's not going to stop. That means the power of small groups gets larger and broader even as the size of that group spiral down to one.

How are we going to counter this general phenomena? I agree, that giving any government unchecked, unobservable, unlimited powers is always a bad idea. (Ironcially, I believe this because of the actions members of administrations who profess to want to "get government off our backs" and told us "government isn't the solution, it's the problem"- Oliver North, James Secord, Dick Cheney, Alberto Gonzales etc etc. )

But in the face of this hypothetical and not-always hypothetical threat we still have the facts on the ground with respect to advancing technologies and the leverage it gives just anyone.

I don't think the answer is to limit the power of government. We need that power to exist. I think the answer lies in the people being able to hold the government accountable and their actions rendered transparent to a degree that would shock most people today, both in and out of government. We need to radically re-think the national security 3rd-rail issues like national security classifications, clearances, Presidential directives, etc. etc.

It will tear this country apart if the government continues to do what it knows it needs to do in order to avert terrorism and societal chaos and the people continue to feel like they have no faith in the integrity of the processes and powers of the government- that it could at any moment turn the death ray on them, and probably will. That whole dynamic, the whole world view needs to be addressed and not just addressed but actually resolved by some radical out of the box thinking no one had done yet.

We can have both security and freedom, but it's not going to just arise naturally by continuing on with the status quo conceptual categories we are using now.

Friday 18 September 2015

"Love is a snowmobile racing across the tundra and then suddenly it flips over, pinning you underneath. At night, the ice weasels come."

IMPORTANT ONE IS GROUP POLICY (gpedit.msc):

Go to Computer Configuration, Administrative Templates, System
Internet Communication Management, Internet Communication Settings

ENABLE (to turn it on, it is a disabler)

"Turn off Windows Customer Experience Improvement Program"

---

TO REMOVE THE BOGUS OPTIONAL TELEMETRY HOTFIXES MANUALLY:

Open command prompt
Type powershell
issue these commands

---

TO SEE WHAT ONES ARE INSTALLED:

get-hotfix -id KB3035583, KB2952664,KB2976978,KB3021917,KB3044374,KB2990214

---

TO UNINSTALL THEM (these for sure, per url next below):

wusa /uninstall /kb:3035583
wusa /uninstall /kb:2952664
wusa /uninstall /kb:2976978
wusa /uninstall /kb:3021917
wusa /uninstall /kb:3044374
wusa /uninstall /kb:2990214

per http://www.ghacks.net/2015/04/... [ghacks.net]

---

DESCRIPTIONS OF EACH (these uninstalled properly):

KB3068708 (Telemetry)
KB3075249 (Telemetry)
KB3080149 (Telemetry)

KB3022345 (Telemetry)
KB2977759 (Windows 10 Upgrade preparation)
KB3021917 (Windows 10 Upgrade preparatioon + Telemetry)
KB3035583 (Windows 10 upgrade preparation)

---

I GOT "NOT INSTALLED ON THIS COMPUTER" ON THESE INITIALLY SINCE I HAD IE11 installed (PROBABLY ONES FOR IE9/10/11):

KB3075249
KB3080149
KB2505438
* KB2670838 (See IE 9/10/11 notes below)
KB3044374
KB2990214 (Windows 10 Upgrade preparation)
KB2505438 (Although it claims to fix performance issues, it often breaks fonts)
KB2976978 (Windows 10 Upgrade preparation)

---

I GOT "NOT INSTALLED ON THIS COMPUTER" ON THESE (*PRIOR* TO PULLING KB2670838 which is IE 11):

* KB2670838 (This update often breaks AERO on Windows 7 and makes some fonts on websites fuzzy. A Windows 7 specific update only
                        (do not install IE10 or 11 otherwise it will be bundled with them, IE9 is the max version you should install to avoid this).

THESE RE-APPEAR AFTER UNINSTALLING IE11 RIGHT ON RESTARTING & CHECKING WINDOWS UPDATE:

* KB2952664 (Windows 10 Upgrade preparation prior to IE9/10/11 install)
* KB3021917 (Windows 10 Upgrade preparation prior to IE9/10/11 install)
* KB3068708 (Windows 10 Upgrade preparation prior to IE9/10/11 install)
* KB3092627 (Windows 10 Upgrade preparation prior to IE9/10/11 install)

---

run cmd as administrator

sc stop Diagtrack
sc delete Diagtrack

---

*Task Scheduler Library:

Everything under "Application Experience"
Everything under "Autochk"
Everything under "Customer Experience Improvement Program"
Under "Disk Diagnostic" only the "Microsoft-Windows-DiskDiagnosticDataCollector"
Under "Maintenance" "WinSAT"
"Media Center" and click the "status" column, then select all non-disabled entries and disable them.

*services.msc:

"Remote Registry" to "Disabled" instead of "Manual".

Friday 26 June 2015

How secure is your bank?


The more traditional banks, do all offer internet banking (when they can keep their IT working - Yes I’m looking at you RBS Group) and all offer “helpful” tips about how you can be secure online… from installing software like Trusteer Rapport or Trust Defender, to keeping your system and security software up-to-date.


However, your connection with your banks online banking service, can only be as secure as they make it. The question is… with more and more of us using online banking, is your bank doing everything it can to make those transactions secure?

To test this, I have been using a tool provided by SSL Labs, called the SSL Server Test.  It inspects the configuration of any public SSL web server (such as those used by banks for their online banking services) and grades them from A+ - F.

From the results below you will see that security implementation is hit and miss with only one bank scoring higher than B (mainly because they maintain backward compatibility).

Most UK banks do not seem to support TLS 1.1 or 1.2 despite those standards being ratified in 2006 and 2008 respectively and being supported in all modern browsers.  Some banks still support the very antiquated and insecure SSL3.0 protocol.

The problem is that everyone stuck on Windows XP and still using IE6 (IE: Mum & Dad) do not have support for TLS1.0+.  It is the desire to support of these antiquated OS’s and browsers which has resulted in most banks also supporting RC4 which SSL Labs have described as a “lesser evil” for those antiquated browsers which only support SSL3.0 or TLS1.0.

My view is that they should just be left without support… after all, they could install firefox… Or upgrade their machine… But as there are no publicly-known feasible attacks against RC4 I suppose it is not unreasonable to keep that cipher alive for a little longer, although Mozilla and Microsoft recommend disabling it and TLS1.3 will ban it from use in the standard.

There will shortly be a new “challenger” bank called Atom which, will not have any physical branches or ATM’s, customers interaction with their bank will be entirely through a mobile phone app.


If there are any banks which I have missed, let me know and I’ll add them in (All scores correct as of 26 June)

The Winner!

Virgin Money - A
https://www.ssllabs.com/ssltest/analyze.html?d=uk.virginmoney.com
Everyone else seemly need to copy what Virgin Money have done here and the world of internet banking would be a much better and safer place.  The only bank to Score an A rating.

The Rest

Barclays - B
https://www.ssllabs.com/ssltest/analyze.html?d=bank.barclays.co.uk&s=157.83.96.200
This is going to be a common theme… Barclays use the RC4 protocol, which SSL Labs do not like one bit and are advising that sites drop RC4 or see their score capped at B.
https://community.qualys.com/blogs/securitylabs/2015/04/23/ssl-labs-rc4-deprecation-plan

Barclays have dropped support for the insecure SSL3 protocol and support both TLS 1.2 & 1.0.  They don’t currently support forward secrecy (more about that is available here: https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy) simply dropping RC4 would see them achieve an A-.

Nationwide - B
https://www.ssllabs.com/ssltest/analyze.html?d=onlinebanking.nationwide.co.uk
Again, the grade is capped to a B for RC4 support.

Smile - B
https://www.ssllabs.com/ssltest/analyze.html?d=banking.smile.co.uk
A current internet only bank (although part of the Co-op). It has the same RC4 support as Barclays & Nationwide though and for the same reasons is only a B.

Co-operative Bank - B
https://www.ssllabs.com/ssltest/analyze.html?d=personal.co-operativebank.co.uk
Much the same as smile - not surprising as they are part of the same organisation.

Metro Bank - B
https://www.ssllabs.com/ssltest/analyze.html?d=personal.metrobankonline.co.uk
Metro bank also supports RC4 but only at the bottom of a long list of other Cipher Suites. 

Natwest - C
https://www.ssllabs.com/ssltest/analyze.html?d=nwolb.com
Lacking support for TLS1.1 & 1.2 and but does not support RC4!! Proof that you can drop RC4 support and your customers can still access your service.

HSBC - C
https://www.ssllabs.com/ssltest/analyze.html?d=hsbc.co.uk&s=193.108.75.106&latest
Lacking support for TLS1.1 & 1.2 and supporting both SSL3 and RC4.

Royal Bank of Scotland - C
https://www.ssllabs.com/ssltest/analyze.html?d=rbsdigital.com
Lacking support for TLS1.1 & 1.2 and but does not support RC4.

Halifax - C (I personally think that Halifax should have been rated lower that C.)
https://www.ssllabs.com/ssltest/analyze.html?d=halifax-online.co.uk
Vulnerable to the SSL3 POOLE attack, also lacking support for TLS1.1 & 1.2 and supporting both SSL3 and RC4.


Lloyds Bank - C

https://www.ssllabs.com/ssltest/analyze.html?d=online.lloydsbank.co.uk
Another which is vulnerable to the SSL3 POOLE attack, also lacking support for TLS1.1 & 1.2 and supporting both SSL3 and RC4.

First Direct - C
https://www.ssllabs....firstdirect.com
Lacking support for TLS1.1 & 1.2 and supporting RC4

Clydesdale Bank - C
https://www.ssllabs.com/ssltest/analyze.html?d=home2.cbonline.co.uk
Lacking support for TLS1.1 & 1.2 and supporting both SSL3 and RC4.

Marks & Spencer Bank - C
https://www.ssllabs.com/ssltest/analyze.html?d=www7.marksandspencer.com
Lacking support for TLS1.1 & 1.2 and supporting RC4

TSB - C
https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fonline.tsb.co.uk
Lacking support for TLS1.1 & 1.2 and supporting both SSL3 and RC4.

Handlesbanken - C
https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fonline.tsb.co.uk
Lacking support for TLS1.1 & 1.2 and supporting RC4

Santander - C
https://www.ssllabs.com/ssltest/analyze.html?d=retail.santander.co.uk
Supports RC4 but also orders the Cipher suites badly, resulting in RC4 being used in modern browsers instead of a more secure alternative, this downgrades Santander from B to C (NOTE: From September onwards this may result in a downgrade to an F).

Sainsburys Bank - C
https://www.ssllabs.com/ssltest/analyze.html?d=online.sainsburysbank.co.uk&s=195.171.195.119&latest
Lacking support for TLS1.1 & 1.2 and supporting both SSL3 and RC4.

Failures

Tesco Bank - F
https://www.ssllabs.com/ssltest/analyze.html?d=tescobank.com
Oh dear, oh dear that pesky POODLE.  This is an SSL/TLS problem which came to light in October 2014 (and December 2014 for TLS) and had all decent sysadmins patching their servers as soon as humanly possible.  The patching is simple and doesn’t require protracted down time… there is no excuse not to apply it and because of the severity of the consequences (particularly the TLS version), SSL Labs cap any site with this problem to a FAIL.

If Tesco Bank fixed that, they would still be capped at C as for reasons only known to them, they only support TLS 1.0.

John Lewis: Partnership Card - F
https://www.ssllabs.com/ssltest/analyze.html?d=secure.partnershipcard.co.uk
Another big red F - This time for insecure client side renegotiation, but again there is only support for TLS1.0 and SSL3.

The Post Office - F
https://www.ssllabs.com/ssltest/analyze.html?d=pofssavecredit.co.uk
Vulnerable to both POODLE attacks, this site also only supports SSL3 and TLS1.0, it also supports RC4, abjectly bad implementation. 

Thursday 23 April 2015

Thoughts on Oil price for 2015 and beyond

1. The Saudi’s are pumping from strategic oil wells
2. A bigger income equality and rise to middle class in the developing world creates much bigger demand, it’s where China’s growth numbers keep coming from even as the west is declining.
3. Fracking is not economical viable in a few more years when all the easy stuff is gone and the first environmental problems pop up.
4. Inflation in general.
Deflation is only a local problem in certain communities that where lousy a decade ago. There’s more places where inflation is a bitch. 
Oil will be at 70 plus at year end, 90 by the end of next year and it will keep rising. 
All this CEO is talking the markets down so Exxon can do a few takeovers.
And there’s a even way bigger story that’s been under reported all over, and that’s the Saudi’s buying up huge oil field all over the world right now. 
They’re running low on oil and they’re pumping what they've got to lower prices to secure future income.
And why is nobody wonder why oil storage is rising in the US while it still needs to import oil?.....

Monday 13 April 2015

Investing in Gold

1. Daily gold gains are capped at 1 percent (limit up) or 2 percent (expanded limit up).
2. Gold isn't allowed to have any follow-through rallies.
3. Gold is attacked at specific times -- 3 a.m. ET, pre-Comex and Comex open, NYSE open, London close, Comex close, 6 p.m. access trade open, and any opportune, thinly traded access markets.
4. Gold is attacked on all significant government data releases, especially the monthly nonfarm payrolls Friday report.
5. Gold is attacked on any ordinarily bullish news -- war, turmoil, economic crises, and Wall Street jitters.
6. Gold is attacked on all significant Comex option expiration and first-notice days, assuring that the maximum number of calls expire worthless, mitigating deliveries.
7. An attack on gold is frequently signaled by attacking either silver, HUI stocks, or both.
8. Flash crashes with no corresponding explanation always keep speculative longs stopped out or in losing positions.
9. New York and London are the centers of gold price suppression, so the London PM fix will be lower or no higher than $5 from the AM fix.
10. Comex margin changes, both higher and lower, are always to the detriment of gold longs.
11. Gold is never allowed to anticipate any bullish developments, nor is it allowed to be a barometer for currency largesse.

Saturday 11 April 2015

Finding the right spot for position opening positions

Solution for such a common problem as finding the right spot for position opening is fairly simple – a confirmation candle. The first candle always triggers the strategy or indicator’s signal that informs you how you should open position according to the strategy rules. You have to wait for this candle to end in order to know what you deal with.

This is where most of inexperienced traders make a mistake. They think how signal is activated; they open position just to see the candlestick to go in the opposite direction. So, the first step is to wait for candle to close. It is so-called alert candle which alerts you that strategy conditions are fulfilled. Then it’s necessary to wait for confirmation candle to confirm everything’s fine. This is when you open position.

Use candlesticks in all the strategies and always wait for the second one to confirm the good signal you are receiving. If the signal is fake don’t open position. You should always wait for the second confirmation candle regardless of whether you use support and resistance lines, channels, pivot points or applying rules of any other strategy.

When I say confirmation, what I mean is waiting for the second day, following the signal day, to prove the move.

In other words, if a sell signal is given, traders who wait for confirmation, would take the trade on the third day, after the signal was created (day one), only if the day following the signal (day two), the instrument in question, closed below the signal day’s low.

There are ‘Four Corners of Confirmation’ that must be addressed at this
point.

1. Waiting for confirmation takes patience…and can sometimes lead to missing a trade.

2. Missed money is always better than lost money. Even if waiting for confirmation means letting an opportunity slip by, it’s a whole lot better than jumping the gun into a losing trade.

3. Confirmation does not mean a trade is a sure thing. Pre-determined stops are vital to profitable trading and effective money management.

4. Even with confirmation, more work is required. Traders must take the time to research underlying fundamentals and news with every signal generated. Trading blindly on technicals is just plain stupid.

Here’s what it all really comes down to, waiting for confirmation can save you money and potentially increase your profitability. Why?

When a signal is ‘confirmed’, the market is saying Wall Street believes in the signal and a trend is likely to ensue.And that’s what it all really comes down to…knowing that a signal is more than volatility, something that happens all too often in today’s market.

I want to now take a moment to show you a chart where the ‘signal’ lied, and traders who jumped the gun, probably may be losing.

Signal called a Hammer. The signal is widely accepted as alluding to a pending reversal (the opposite of a Hammer bottom would be a Hangman top.)

Confirmation traders, however, would have never taken a position at all, and would most likely be very happy that they didn't, as of now. At the end of the day, waiting for confirmation is just good housekeeping, at least when trading from candlestick chart-derived signals.

Thursday 9 April 2015

Moving the blog onward....

I am going to move this blog along, Rather than Tech which is my main interest I am very interested in the Financial markets. 

I am going to attempt to make some YouTube videos about trading. 

If you are interested this is the first attempt. This tries to explain how to read the Candlestick Charts, Using Alert Candles and Confirmation Candles to spot an ongoing trend and how to find an entry point for a trade. 

https://www.youtube.com/watch?v=CHPK12_Qk0M




Thursday 12 February 2015

Two Quick Nmap Commands

This is a reminder for me more than anything else.

nmap -v -sV -iR 10000 -sU -p 23 | grep '^23.*open' -B3 | grep '^Nmap scan' | cut -d\( -f2 | cut -d\) -f1 > output.txt

nmap -v -sV -iR 10000 -sU -p 23|awk  '/(open)/{print $2}' RS="Nmap" FS="[)(]"

Try work our what they are doing....

Tuesday 27 January 2015

Some Quick Cisco Stuff - Greylog2

So I plan on updating this with ALOT of Cisco stuff....Eventually. If this helps ANYONE out there I will be a happy man. 

For now this is a quick update.

I am configuring Greylog2, Here is the Cisco Config Commands to set it up to send to Greylog2 using syslog. Obviously I dont need to tell you to change the Server IP of your Greylog Server and the logging level. 

https://www.graylog2.org/resources/documentation/sending/syslog

conf t
service timestamps log datetime msec localtime
no logging message-counter syslog
logging origin-id hostname
logging facility syslog
logging <<<SERVER IP>>>
no service sequence-numbers
logging trap (
emergencies/critical/errors/warnings/notifications/informational/debugging)
 

0
   

System unstable
   

LOG_EMERG

alerts
   

1
   

Immediate action needed
   

LOG_ALERT


   

2
   

Critical conditions
   

LOG_CRIT


   

3
   

Error conditions
   

LOG_ERR


   

4
   

Warning conditions
   

LOG_WARNING


   

5
   

Normal but significant condition
   

LOG_NOTICE


   

6
   

Informational messages only
   

LOG_INFO


   

7
   

Debugging messages
   

LOG_DEBUG