Archive for July, 2008

Awesome XKCD Post

I don't know what else to say other than... Awesome!

http://xkcd.com/456/

Categories: Entertainment

Rogers Cable Hijacks Browser Traffic

Previously I've blogged on Comcast hijacking Live Search Results. That didn't affect me, but I felt it was worth sharing... This time I'm affected. Rogers Cable is my ISP... today I sat down and opened Firefox, planning to visit a site I enjoy, AntiOnline.com. I accidentally typed antionline and hit enter without adding the .com... now normally this wouldn't be a problem.... except today it was, I ended up at a Rogers search engine (powered by Yahoo). I looked at the page briefly and found an opt-out button, however the opt-out button simply means I won't get the search results... they still hijack the text I pass my browser. I typed in antionline again and hit enter, this time I ended up at http://www20.search.rogers.com/not_found. I was rather confused, so I opened up a command prompt and tested with netcat. Check this out:

C:\Documents and Settings\treguly>nc antionline 80
GET / HTTP/1.0

HTTP/1.1 404 Not Found
Content-type: text/html

<html><head>
<title>404 Not Found</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<script>
 var value;
 value = 'se';
 document.location = 'htt' + 'p://www20.'
 + 'search.rogers.com/' + value + 'arch?qg=%20&r' +
 'n=oVbVbPY7LO34d36';
</script>
</head>
<body>404 Not Found</body></html>

I can't believe they are doing this. I called Rogers and got to speak to a foreign call center (what a joy that always is... ) After about 5 minutes of explaining to the guy that I didn't need step-by-step explanations from him on how to opt out and explaining to him that the service to opt out only sets a cookie, it doesn't delete one, he finally announced that they were simply hijacking DNS queries and that any NXDomain was sent there. If I were to change my DNS server then I would no longer have this issue. I think it's time to start using my own internal DNS server. I'm sure if I pressed the matter I'd be told that this is, in some way, a partial solution to Kaminsky's DNS vuln. To me... it's a pain in the ass... get rid of it.

I figured I'd switch to OpenDNS, so I dropped the OpenDNS servers into my m0n0wall install and tried to make use of them. I've only ever used OpenDNS from the command line but surprise surprise... in your browser, the exact same thing happens... You get a nice search results page. Why does everyone feel the need to make money off my typos? What happened to the good old days, where you could type 'antionline' in your browser and it would automatically end up at 'antionline.com'? I miss those days...

We need to stop making the Internet easier for the stupid and incompetent... it just encourages them to use it. Let me find out that I've got a typo, let me type in shortcuts... let me mix the two and end up at a phishing site. That's my problem... Something is going to make me go... 'D0h!' and realize my typo. If we got rid of the stupid people... the ones who buy from spam, the ones who are taken by phishing sites... then spammers and phishers wouldn't exist... So let's stop turning the internet into the internet for dummies and instead just keep the dummies off the internet.

Now I have to go and build my own DNS server so that things function the way they should and not the way the idiots need them to to avoid being taken advantage of.

Well... I guess that was a bit of a rant... but I find it frustrating... very very frustrating.

Categories: IT, Personal
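An added example, not part of the original post: a Python check for the NXDOMAIN rewriting described in the Rogers post above, plus a helper that reassembles the redirect URL the captured 404 page builds from string fragments. The function names and the injectable resolve parameter are assumptions made for this illustration, and the probe names are random labels assumed to be unregistered.

```python
import re
import secrets
import socket

# Script body copied from the 404 response captured in the post above.
CAPTURED_SCRIPT = """
 var value;
 value = 'se';
 document.location = 'htt' + 'p://www20.'
 + 'search.rogers.com/' + value + 'arch?qg=%20&r' +
 'n=oVbVbPY7LO34d36';
"""

def probe_names(count=4, tld="com"):
    # Random 24-hex-digit labels, assumed unregistered. The trailing dot makes
    # each name fully qualified, so the OS search list is never appended.
    return [f"{secrets.token_hex(12)}.{tld}." for _ in range(count)]

def check_nxdomain_rewriting(resolve=socket.gethostbyname, names=None):
    """Resolve names that should not exist. Any answer means the resolver is
    substituting an address where it should report NXDOMAIN."""
    names = probe_names() if names is None else names
    answers = {}
    for name in names:
        try:
            answers[name] = resolve(name)
        except OSError:  # socket.gaierror: the lookup failed, as it should
            continue
    return {"rewritten": bool(answers),
            "landing_ips": sorted(set(answers.values())),
            "resolved": len(answers), "probed": len(names)}

def redirect_target(script):
    """Rebuild the URL a landing page assigns to document.location when it
    is split into quoted fragments and simple string variables."""
    variables = dict(re.findall(r"\b(\w+)\s*=\s*'([^']*)'\s*;", script))
    assigned = re.search(r"document\.location\s*=\s*(.*?);", script, re.S)
    if assigned is None:
        return None
    pieces = re.findall(r"'([^']*)'|(\w+)", assigned.group(1))
    return "".join(variables.get(var, "") if var else lit for lit, var in pieces)

if __name__ == "__main__":
    print(check_nxdomain_rewriting())      # live check of the configured resolver
    print(redirect_target(CAPTURED_SCRIPT))
```

The addresses returned in landing_ips are the values a forwarder setting such as dnsmasq's bogus-nxdomain takes to turn those answers back into NXDOMAIN.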

Dataloss via Stupidity.

Sometimes we hear about dataloss via theft or loss of a computer. For the most part (assuming I don't hear about it happening to a company on a weekly basis), I can (eventually) forgive the company (even if my personal data has been lost). After all, accidents (losing a computer) and burglaries are a fact of life. Does this excuse the practice of not encrypting data? Nope... but as I said... eventually I forgive the company, after all years ago when these were paper files, they weren't encrypted. At the same time, I do feel that there should be serious government fines handed out to companies that lose sensitive customer data (my forgiveness doesn't exclude the requirement for punishment of some sort).

What I can't forgive though is dataloss via stupidity... That is, throwing away sensitive data without making an effort to destroy it. I shred pretty much everything that comes to me in the mail at home... (everything I don't save anyways). I've worked in places where DBAN was utilized religiously before laptops were assigned from one individual to another or old desktops were sold off. I even took a bench grinder to a hard drive one time (although that was more for fun... but it did destroy the data).

I just read this blog post (via Consumerist) and it reminded me once again of the stupidity that sometimes happens. I can get replacing old computers... I even get throwing out the computer (although I'd think that there are plenty of places to donate the machine). I can't get leaving your employee and customer databases, along with letters to customers in place (screenshots on the original blog). This really does come down to Dataloss via Stupidity and I think that's how we need to start defining it.

Someone needs to go and put a big notice on the door of the offending Curves that mentions how poorly they treat customer data. We should start doing this to all companies that fall victim to Dataloss via Stupidity. This is a prime example of one of those unforgivable acts.

Now I know someone is saying, "But you just said you can forgive accidents... maybe this was an accident." This isn't an accident... Throwing away a letter to a single customer without shredding it that contains personal information... That's an accident. Turning around to grab a drink from the vending machine and having your laptop stolen... That's an accident. Taking a used computer and just tossing it in the trash... that's not an accident... that's stupidity.

In Texas they've got a law requiring those that service computers to have a PI license. Perhaps it's time that we start thinking about licensing to use a computer... We could even have stages of licensing:

  • Stage 1: Allowed use of a computer
  • Stage 2: Allowed access to the internet
  • Stage 3: Allowed use of a computer for business purposes
  • Stage 4: Allowed to repair a computer
  • Stage 5: Allowed to dispose of or destroy used computer equipment.

In reality that's going way overboard (just like the Texas law), but something needs to be done to prevent the stupid from using computers... and something really needs to be done to prevent Dataloss via Stupidity. Perhaps Curves should be slapped with a nice, big fine just to remind people to think first.

Categories: IT, News

It’s the End of the World as We Know It…

And I feel fine...

By morning most likely everyone will have blogged about the recent court ruling that Google hand over the YouTube logs to Viacom (MTV & Paramount Pictures parent company).

Oddly enough I saw a clip on BBC News that was mentioning popular articles on their website. The first thing my wife said was, "Does this mean I should stop going to YouTube?" My immediate response was, "Why?" To which she responded, "If I watch something that's copyrighted, can't I be sued or something?"

Now this was the way the short little news clip presented itself, and I'm definitely not a lawyer but my answer was, "No." Now maybe I'm wrong, and I'll probably be the only one to say this, but I don't see how this is a big deal. Viacom wants to compare the viewing habits on their copyrighted material vs non-copyrighted material. I actually think they have a right to do that. It comes down to this... find a way to keep the copyrighted material off the site or give people whose copyrights are violated access to statistics.

Based on the article, that's all Viacom wanted... statistics. Well at one point they wanted the YouTube source code but that's a ridiculous request. Google probably should have just granted them access to the statistics right away. I honestly don't care if Viacom figures out who I am and what I've watched on YouTube.

I do hope that Google gets the right to anonymize the logs before passing them on, but they should have been doing that all along... there was no real reason to store IP Addresses for any length of time.

Anyways... it'll be interesting to see what Viacom gets in the end, and how many people cry that this really is the end of the world.

Categories: IT, News