biringa.comEtienne Perot

Blog Projects About CV Privacy » Blog Contact information Email etienne at perot dot me Public key : 974E E250 Project repositories GitHub Bitbucket Find me on LinkedIn The Talos Principle and Technological Optimism By etienne (at) perot (dot) me on 2024-01-29 . The Talos Principle was released in December 2014 and attempted to ansroach, but it means that said subsystems cannot easily be incorporated back into regular Linux distributions, for various reasons. Some systems may not make sense in a non-Android environment (e.g. the Google Play Store), some of them make assumptions that a general-purpose distribution cannot ("there will be a touch screen"), some of them depend on other Android-specific code, etc. However, those systems can be used (and are being used) in Android distributions such as CyanogenMod or ParanoidAndroid . Therefore, divergence of core software creates a new ecosystem , rather than contributing to the one it originated from . This distinction is important in order to give credence to the following definition of "Linux distribution": *A Linux distribution is an operating system along with a set of software contributions which benefit the overall Linux software ecosystem. By this definition, does Ubuntu still qualify as a Linux distribution? Let’s find out. (Read more...) | 8 comments MAC spoofing: What, why, how, and something about coffee By etienne (at) perot (dot) me on 2013-01-22 . MAC addresses are a unique identifier associated to every network interface, wired or wireless. They are used to identify devices on a physical network. Usually, a network interface comes with a fixed MAC address called the burned-in address . This address cannot be changed, as it is stored in the interface’s hardware itself. Because of their fixed nature, they make it pretty easy to use for tracking purposes. This has some some pretty useful applications, such as being used as the matching criterion for a DHCP server to give a static IP address to a given device, or in order to target a "dormant" interface as required for Wake-on-LAN . MAC spoofing is the technique to effectively change the MAC address that your network interface appears to have. It doesn’t change the burned-in address, it merely changes what other devices think your interface’s MAC address is. It can be used for some legitimate and not-always-legitimate purposes: Appearing as a legitimate device on a network which employs MAC address whitelisting (useful when your last network interface dies, and for certain types of network attacks ) Avoiding tracking: Different MAC addresses means no device on the network can tell if it has already seen this device on this network before, or on another network. For example, Starbucks may wish to maintain a list of all MAC addresses accessing their WiFi access points and use this information to figure out someone’s movements or simply to identify who their best customer is (or at least which one is that guy always hogging all the bandwidth). Think they would never do that? Think again . Appearing as a different device to a network you’ve previously been on. (Hey, remember those "time-limited" free WiFi access points at the airport?) Avoiding profiling: The first three bytes of the MAC address identify the manufacturer of the device. Thus, the burned-in address gives away which company made the chip. Sometimes that’s not important, but perhaps a hardware exploit exists in all network interfaces manufactured by $MANUFACTURER, thus changing your MAC address gives you a bit of security by obscurity. Or, more mundanely, perhaps you don’t want a thief to be able to see that you have a shiny, new, and very expensive iThingy at your house simply by standing outside and looking all the MAC addresses broadcasted by all your WiFi devices. Bypassing futile roadblocks , and unjustly getting prosecuted to death over it. Wireless access points use MAC spoofing in order to provide multiple wireless networks with a single wireless interface. Recent routers often have this "guest network" feature which, when turned on, makes your router show up twice in the list of available access points: The regular network, and the guest network. This is a good thing, as it gives you some network-level isolation between machines. This way, even if your guests don’t practice healthy security practices on their computing devices, at least they won’t spread any nasty stuff through your LAN. Interestingly, while MAC addresses have thus far been limited in terms of tracking potential due to being confined to one’s local network, this is about to change with IPv6 . One of IPv6’s addressing models, stateless address autoconfiguration , allows a device to acquire an address for itself by taking the 64-bit prefix of the network it is on, and using the 48-bit MAC address of its network interface to determine the value of the remaining 64 bits. The consequence of this scheme is that any website you connect to can figure out your MAC address from nothing but your IPv6 address. (More on that later.) As you can see, there are many reasons as to one would want to spoof their MAC address. So how do we get in on the action? (Read more...) | 14 comments Ubuntu privacy blunder over Amazon ads continues By etienne (at) perot (dot) me on 2012-09-25 . First, some context: There have been quite a few complaints and concerns about Ubuntu ’s attempt to include advertisements in their operating system , in the form of Amazon-affiliate-tracked results showing up in Unity ’s Dash interface by default. There has also been some attempts to do some damage control over this PR disaster, including one by Mark Shuttleworth himself , Ubuntu’s Self-Appointed Benevolent Dictator For Life (SABDFL). To his credit, he isn’t pulling any punches or dancing around the question: Why are you telling Amazon what I am searching for? We are not telling Amazon what you are searching for. Your anonymity is preserved because we handle the query on your behalf. Don’t trust us? Erm, we have root. You do trust us with your data already. You trust us not to screw up on your machine with every update. You trust Debian, and you trust a large swathe of the open source community. And most importantly, you trust us to address it when, being human, we err. One of the statements here is pretty ominous at first: "Don’t trust us? Erm, we have root." Mark refers to the fact that system updates are all done as root, and they can indeed slip in any code they want in there, which could include a remote-administration trojan or a little script uploading all of $HOME to Canonical’s servers... But doing so would go directly against their users and instantly ruin their reputation. It is expectable from users to trust their operating system vendor will not snoop on them. The argument, while technically correct, doesn’t hold much water when considering user expectations and Canonical’s own business interests. However, I’d like to challenge one particular passage (emphasis mine): We are not telling Amazon what you are searching for. Your anonymity is preserved because we handle the query on your behalf. There’s a number of issues here. (Read more...) | 2 comments Using PGP for SSH verification/authentication: What is Monkeysphere, and why should you care? By etienne (at) perot (dot) me on 2012-09-16 . One of the issues with SSH is the lack of public-key infrastructure . This causes two kinds of potential problems. Fingerprint verification problem Fingerprint verification is the technique SSH uses to check if it is connecting to the correct server, to ensure that the connection being not tampered with and not wiretappable. In practice, this means that when you connect to a new SSH server, you’re usually presented with something like this: $ ssh perot.me The authenticity of host ’perot.me (2600:3c03::f03c:91ff:fe93:5318)’ can’t be established. ECDSA key fingerprint is 87:e2:c8:25:25:ee:a8:a6:ad:c9:2a:a5:2c:ae:8a:cf. Are you sure you want to...