How much do sextortionists make?


Wikipedia defines sextortion as

a form of sexual exploitation that employs non-physical forms of coercion to extort money or sexual favors from the victim. Sextortion refers to the broad category of sexual exploitation in which abuse of power is the means of coercion, as well as to the category of sexual exploitation in which threatened release of sexual images or information is the means of coercion.

Just under a year ago spammers started to send sextortion emails such as the ones highlighted by Sophos and Brian Krebs.
Since I’m still getting these emails in my honeypot, I thought I’d check to see just how much these scammers made.
Bitcoin wallets allow you to generate addresses on the fly, so in theory each email could have a unique address. However, a quick check on the address in the latest spam I got shows two reports in the Bitcoin Abuse Database. Since neither of these reports is from me, at least three people received emails with the same address; it is therefore likely that each run of emails has its own address.

So how much has our scammer made?
The original address highlighted in Brian Krebs’ report shows a single payment of 0.28847409 BTC (about $1,522.34 USD). The address this payment was sent to also received 4 other payments, two of which were for smaller amounts and therefore don’t look like additional runs. There are therefore three sextortion runs from this scammer, earning them a total of a round $4,000. A tidy sum for a few hours’ work.

That, however, was the first sextortion scammer. Checking back on the bitcoin addresses used in emails previously sent to me, I’ve failed to find a single one that has been paid anything.
Clearly, like much else, if you have a “good” idea and are able to capitalise on it you can make some cash; however, most scammers make nothing, and risk a long prison sentence.


Implementing rate limiting with PHP

If you’ve ever implemented a public facing API, you will know how important rate limiting is. If you don’t, someone, somewhere will abuse your APIs, sending millions of requests a second, either because they want to pull your data (just ask FFS), because they want to take your service down, or just because they messed up the coding and put the request in an infinite loop (… no… I’ve never done that… honest… Sorry @Jack). Whatever the reason, such a huge volume of requests will, like the “Tragedy of the commons”, cause at least a reduced service for other users and increased costs for you and, if left unchecked, eventually cause your service to start falling over.

The answer to this is of course to limit the number of requests a user can make. There are two main approaches to this: limit by IP address or limit by account. For the purposes of this post, it doesn’t matter too much which you choose; there are good arguments for either (or both) schemes, and the one you decide to implement will depend on your use, threat model and willingness to manage accounts.

Regardless of which approach you choose the logic you need to follow is the same. For the purposes of the examples below I’ll assume we’re managing by a key and allowing no more than 100 requests every 10 minutes.

  1. When a request is made, and before you perform whatever function the API performs, log the key/IP address in a table. The details you store here should be just the key/IP address, the endpoint being accessed and a DateTime stamp of the transaction.
  2. Perform an SQL query something like SELECT count(*) FROM table WHERE key=@key AND timestamp > DATE_ADD(CURRENT_TIMESTAMP(), INTERVAL -10 MINUTE);
  3. This will return the total number of requests in the last 10 minutes. If that’s less than 101 (101 because we’ve already logged the current request) then we can allow the call, otherwise we return a failed message.

The problem with this is that this table will grow huge in a very short amount of time, therefore we should add an event to reduce the size of this table every hour or so (of course, if you want to know exactly who has accessed what and when, you could use this as a way to log that information).

A second problem arises with this if we want to allow different limits for different users. For example, you may want to allow Facebook to make slightly more calls to your APIs than you would allow this blog to make. This can easily be implemented with a step 0.

  0. Validate the user’s key and retrieve their settings.

This allows you to revoke keys, set limits at the key level and do fancy things like return different data for different users (who pay different amounts) based on the program they have signed up to.
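The steps above, including step 0 and the clean-up job, as an added example that is not code from the original post. The table and column names, the demo key and the in-memory SQLite database with epoch-second timestamps are assumptions chosen so that it runs stand-alone.

```php
<?php
declare(strict_types=1);

// Added example. Table/column names and the demo key are assumptions.
// In-memory SQLite keeps it stand-alone; timestamps are Unix epoch seconds.
const WINDOW_SECONDS = 600; // 10 minutes

function setupSchema(PDO $db): void
{
    $db->exec('CREATE TABLE api_keys (
        api_key TEXT PRIMARY KEY,
        max_requests INTEGER NOT NULL,
        revoked INTEGER NOT NULL DEFAULT 0)');
    $db->exec('CREATE TABLE request_log (
        api_key TEXT NOT NULL,
        endpoint TEXT NOT NULL,
        requested_at INTEGER NOT NULL)');
    // The count in step 2 runs on every request, so index what it filters on.
    $db->exec('CREATE INDEX idx_log ON request_log (api_key, requested_at)');
}

// Returns 'ok', 'unknown_key' or 'rate_limited' for one incoming request.
function checkRequest(PDO $db, string $apiKey, string $endpoint, int $now): string
{
    // Step 0: validate the key and load its own limit; revoked keys fail here.
    $stmt = $db->prepare(
        'SELECT max_requests FROM api_keys WHERE api_key = :k AND revoked = 0');
    $stmt->execute([':k' => $apiKey]);
    $limit = $stmt->fetchColumn();
    if ($limit === false) {
        return 'unknown_key';
    }

    // Step 1: log key, endpoint and time before doing any real work.
    $stmt = $db->prepare(
        'INSERT INTO request_log (api_key, endpoint, requested_at)
         VALUES (:k, :e, :t)');
    $stmt->execute([':k' => $apiKey, ':e' => $endpoint, ':t' => $now]);

    // Step 2: count this key's requests newer than the start of the window.
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM request_log
         WHERE api_key = :k AND requested_at > :cutoff');
    $stmt->execute([':k' => $apiKey, ':cutoff' => $now - WINDOW_SECONDS]);
    $count = (int) $stmt->fetchColumn();

    // Step 3: the count includes the request just logged.
    return $count <= (int) $limit ? 'ok' : 'rate_limited';
}

// The hourly clean-up: drop rows that can no longer affect any count.
function pruneLog(PDO $db, int $now): int
{
    $stmt = $db->prepare('DELETE FROM request_log WHERE requested_at <= :cutoff');
    $stmt->execute([':cutoff' => $now - WINDOW_SECONDS]);
    return $stmt->rowCount();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
setupSchema($db);
$db->exec("INSERT INTO api_keys (api_key, max_requests) VALUES ('demo-key', 100)");

$start = 1700000000; // constructed clock value
for ($i = 1; $i <= 101; $i++) {          // 101 requests, one second apart
    $result = checkRequest($db, 'demo-key', '/v1/items', $start + $i);
    if ($i >= 100) {
        echo "request $i: $result", PHP_EOL;
    }
}
echo 'bad key: ', checkRequest($db, 'no-such-key', '/v1/items', $start), PHP_EOL;

$later = $start + 101 + 660;             // 11 minutes after the last request
echo 'after the window: ', checkRequest($db, 'demo-key', '/v1/items', $later), PHP_EOL;
echo 'rows pruned: ', pruneLog($db, $later), PHP_EOL;
```

Because rejected requests are logged before they are counted, a client that keeps retrying while over the limit stays blocked until it backs off for a full window.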


Securing data at rest and the database

AKA Best practice for storing your user’s data.

Just last month Quora (a question and answer style site) suffered a huge data breach losing the personal data of over 100 million users (that’s slightly less than the population of Egypt).

So how do you prevent your site from being a target?

In the military world, there is a concept called Defence in Depth. The idea is to make it as hard as possible for your opponent, by slowing them down, forcing them to fight battle after battle for every inch of ground. This concept has been co-opted by the computer security world.

The rest of the article will assume you’ve been hacked, or rather you will be hacked. 
If you look through Wikipedia’s list of security hacks, you’ll notice that originally (70’s, 80’s and 90’s) these hacks were, for the most part, pranks, mostly aimed at getting relatively minor services (telephone calls) for free, while the later hacks have been aimed at earning serious money for the criminals involved.

So you may feel that since you don’t run a banking or crypto currency site, you don’t need to worry.

Sadly most people at one time or another have used the same (or almost the same) password on different sites. So while someone stealing all the user names and passwords to your “I love kittens” forum may allow the evil dog lover to post photos of dogs and embarrass your members, if they have used the same email address and password on “” the evil dog lover could log in there and (if high end fashion stores your users’ payment details) order designer dresses for themselves.

If you were a money-grabbing ne’er-do-well, rather than the fine upstanding person you are, you may be tempted to think “Pah, what do I care, I won’t lose anything”; however, you’d be wrong. If just one of the people whose data was stolen from you was a citizen of the European Union, their data comes under the jurisdiction of the GDPR and you legally *must* protect it.

Hash passwords

One of the most basic ways of protecting a user’s password is not to store it at all, but to store a cryptographic “hash” of the password.
Say, for example, your user chose the password Pa$$w0rd. Rather than store that, you could store 02726d40f378e716981c4321d60ba3a325ed6a4c, which is the hashed version of that password.

As you can see it looks nothing like the password. What’s more, there’s no way to get from the result of the hash to the password; it’s gone. Additionally, even a small change in the password gives a totally different hash result.

Pa%$w0rd, a change of one bit, gives you the result a3e35fb1bc27126e65b396456a048c99bea9a5fb, and Pa$%w0rd, the same characters as the last one but in a slightly different order, gives you 590f36c43ede760092da844e34e4895c71c5f9f9.

However, applying the same hash function to the same input word will give the same output hash, so every time you hash Pa$$w0rd you will get 02726d40f378e716981c4321d60ba3a325ed6a4c. This means that rather than checking if a password and user name combination exists within the database you can just check if the hash exists.

As I alluded to before, there are a number of different hash functions, some stronger than others. In general you should go with the strongest you can get. With the latest version of PHP this is likely SHA3-512. If you’re having to work with older versions of PHP it may be SHA2.

Within PHP this can be implemented like this

A full description of the PHP function hash can be found in the online manual.


As noted above, every time you run a word through a hash function you get the same answer. So what if someone were to run every common password through a hash function and note the results? Then if you see that value again you know what the password was originally.

Well, people do do this, and the results are called rainbow tables, and you can even do this online. If you put the three hashes we created earlier into CrackStation you will notice that it only comes up with one success.

A screen shot of the results from crackstation

This is because it takes a *lot* of space, time and therefore money to generate rainbow tables, and therefore they only focus on the most common billion or so passwords (yep, billion). So how do you defeat rainbow tables? Make sure the password is not in those billion words.

If, when you generate the hash for the password, you add a random word, called a salt, to the end, you create a password that (likely) won’t appear in a rainbow table. As long as you also store that salt in the database along with the hash, you’ll still be able to append it to the password and check the hash.

If you wanted to improve the security (slightly) more you could use two salts, one fixed salt, stored in a config file and one generated for each account and stored within the database. Within PHP this may look a little like this.

The benefit of adding a fixed salt may not be immediately obvious. From a hacker’s point of view, they may see a database table with a password that’s clearly a hash and a salt and, if your customers’ passwords are worth the extra effort, try common passwords + the salt against the hash you have stored. Including a fixed salt that the hacker will only know about if they have access to your source code / config files (and if they do you have serious problems) allows you to make that extra effort by the hacker pointless.
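The plain hash call and the two-salt scheme described in this section, as an added example that is not code from the original post. It goes one step further than the text by also showing PHP’s built-in password_hash() / password_verify(), which generate the per-account salt themselves and use a deliberately slow algorithm; the function names and the FIXED_SALT placeholder are assumptions.

```php
<?php
declare(strict_types=1);

// Assumption: in a real deployment this value is read from a config file kept
// outside the database; the string here is only a placeholder.
const FIXED_SALT = 'placeholder-fixed-salt-from-config';

// Plain hash: the same input always produces the same output.
function plainHash(string $password): string
{
    return hash('sha3-512', $password);
}

// Two-salt scheme: a random per-account salt stored beside the hash,
// plus the fixed salt that never reaches the database.
function makeSaltedHash(string $password): array
{
    $salt = bin2hex(random_bytes(16));
    return [
        'salt' => $salt,
        'hash' => hash('sha3-512', $password . $salt . FIXED_SALT),
    ];
}

function checkSaltedHash(string $password, array $row): bool
{
    $candidate = hash('sha3-512', $password . $row['salt'] . FIXED_SALT);
    return hash_equals($row['hash'], $candidate); // constant-time comparison
}

// Built-in password API: password_hash() embeds its own random salt and cost
// in the returned string. The fixed salt is mixed in first with an HMAC.
function makeSlowHash(string $password): string
{
    $keyed = hash_hmac('sha256', $password, FIXED_SALT);
    return password_hash($keyed, PASSWORD_DEFAULT);
}

function checkSlowHash(string $password, string $stored): bool
{
    $keyed = hash_hmac('sha256', $password, FIXED_SALT);
    return password_verify($keyed, $stored);
}

function show(string $label, bool $value): void
{
    printf("%-46s %s\n", $label, $value ? 'true' : 'false');
}

// Constructed demo: two accounts that picked the same password.
$first  = makeSaltedHash('Pa$$w0rd');
$second = makeSaltedHash('Pa$$w0rd');

show('plain hashes of the same password match:', plainHash('Pa$$w0rd') === plainHash('Pa$$w0rd'));
show('salted hashes of the same password match:', $first['hash'] === $second['hash']);
show('salted check, correct password:', checkSaltedHash('Pa$$w0rd', $first));
show('salted check, one character changed:', checkSaltedHash('Pa%$w0rd', $first));

$stored = makeSlowHash('Pa$$w0rd');
show('password_verify, correct password:', checkSlowHash('Pa$$w0rd', $stored));
show('password_verify, one character changed:', checkSlowHash('Pa%$w0rd', $stored));
```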

Stored procedures

As I said in my last paragraph

if they have access to your source code / config files

When most people think of a hacked site they assume the hacker has total access to everything. However, generally the hacker is “just” after the database. Most attacks of this nature use what is called SQL injection to send rogue commands to the database.

The best way to deal with SQL injection is to use SQL Parameters, in PHP that is done as follows.

This is best used with stored procedures.
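SQL parameters in PHP using PDO, next to the string-concatenation form they replace, as an added example that is not code from the original post. The users table, the function names and the sample inputs are constructed, and an in-memory SQLite database stands in for the real one.

```php
<?php
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With the MySQL driver, also set PDO::ATTR_EMULATE_PREPARES to false so the
// server itself receives the statement and the values separately.

// Constructed sample data.
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
$db->exec("INSERT INTO users (email) VALUES ('alice@example.com'), ('bob@example.com')");

// Before: the input becomes part of the SQL text, so quotes inside it can
// change what the statement means.
function findUserConcatenated(PDO $db, string $email): array
{
    $sql = "SELECT id, email FROM users WHERE email = '" . $email . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// After: the statement is fixed and the input is bound as a value, so it is
// only ever compared against the email column.
function findUserParameterised(PDO $db, string $email): array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// With MySQL the same binding is used to call a stored procedure, e.g.
// $db->prepare('CALL find_user(:email)'), where find_user is a hypothetical
// procedure name.

$inputs = [
    'alice@example.com',      // an ordinary lookup
    "nobody' OR '1'='1",      // constructed input containing quote characters
];

foreach ($inputs as $input) {
    printf(
        "%-20s concatenated rows=%d  parameterised rows=%d\n",
        $input,
        count(findUserConcatenated($db, $input)),
        count(findUserParameterised($db, $input))
    );
}
```

For the second input the concatenated query returns every row in the table, while the parameterised query returns none because no user has that literal string as an email address.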

Encrypted columns

Even if you’ve salted and hashed all the user passwords and put all your queries in parameters, there are still things that can be done to protect your users’ data: it can be encrypted while stored in the database.

By using AES_ENCRYPT when inserting and updating data (and AES_DECRYPT when selecting) with a known passphrase stored within a config file, if a hacker does gain access to your database all they will get is encrypted data.




Chinese spam – a source of eternal amusement.

One of my spam black holes does nothing but pick up Chinese spam.

None of it ever has links in it, so I don’t normally do anything with it; however, sometimes when I feel like being confused I run it through Google Translate.

Apparently, the blue text in this message reads

Support text <quiet edge sound> word and language <rock stone wear empty> sound chat <evoke two clear Qing dynasty> day mode <蓦山溪>, the highest <驿外断桥边> can <tear marks residual> get 58<白鹤 江入京>8电<凡九阕>子游<卮酒向人时时>Art<近中秋>15<年年年为花愁>重<不卷卷幕人>曲,巨 <杯再拜> cost-effective . <正目断>Company’s entry into the <Jun Watch> section no <Qingmen are scrap> upper limit

This is not some Chinese fortune cookie spam but down to hidden elements within the text: the original text doesn’t contain any “< >” characters, yet the translated text does.

Looking at the HTML of the message confirms this.

Removing the “< >” from the input text gives a much more sensible translation.

Support text and voice chat mode, up to 588 electronic entertainment 15 songs, huge cost-effective. No deposit limit for company deposit

Still no links etc. but at least I know what it’s about.


Keeping users safe from hate.

Facebook and Twitter, two of the most popular (in the “west” at any rate) social media platforms both have a (well deserved) reputation for being places where hate festers.

Both Facebook and Twitter are worldwide communities; anyone with a working internet connection can sign up and become friends with anyone else in the world.

The flip side of that is they can harass and intimidate anyone else in the world.

That hate is not only bad for the users, it’s also bad for the company: people who are harassed tend to leave the service.

This isn’t a technical problem so much as a social one. Of course, hatred of others is a problem as old as humans. Over time it’s served us well: when we lived in small groups of up to 150-odd people, distrusting the village on the other side of the hill, or people who didn’t do as the wider community did, was a successful system. However, as time’s gone on, we have lived in larger and larger communities and the hatred and distrust of other groups have become less and less useful.

Technological solutions such as content filters are important but limited. Another prong is to combat the social problem directly.

Of the two social media platforms noted above it is Twitter which has the worst problem with online hatred. I believe this is in part due to how Twitter allows interaction. In order to see a post on Facebook, you must either be a member of a group and have a post posted to that group, or be friends with another user, whose posts you then can see. In order to be friends with someone, you need to request a friendship and have them confirm that friendship. With Twitter, in contrast, by default all posts are public and can be responded to by anyone. This open model has allowed Twitter to grow rapidly but also allows anyone to contact anyone else, giving harassers an opening.

It appears, and my personal observations support this, that friends don’t harass you, but friends of friends do. Once you’re removed from knowing the person you’re talking to, it’s far easier to harass them.

Given the above point, it appears the root cause of the bulk of the harassment on Facebook and Twitter is the comments of people you don’t know. And so, assuming the goal is to minimise harassment, a Facebook-like “friend” system (rather than Twitter’s follow system) where you can’t see the comments of people you’re not friends with sounds like a good solution. However, this limits what you can see. It may be better to allow users to “see” anything but only to be able to respond to things if they are friends of the OP, and for those comments to be invisible to anyone other than the OP and commentator (and backend services).


Universities: Is free speech under threat?

In this article, the BBC asks the question “Is free speech under threat?”, and I hope to add to that discussion with this post.

But first, let’s discuss what exactly is meant by “free speech”. The concept of free speech hasn’t always existed; it came about due to a group of thinkers called the utilitarians, who professed that the best way to govern actions was for the maximum “utility”, i.e. what was in the best interest of the majority, or, as the movement’s founder, Jeremy Bentham, is reported to have said, “the sum of all pleasure that results from an action, minus the suffering of anyone involved in the action.” (Theory of Knowledge).

One of the most famous proponents of Utilitarianism, John Stuart Mill, summed the notion of free speech up as:

I choose, by preference the cases which are least favourable to me – In which the argument opposing freedom of opinion, both on truth and that of utility, is considered the strongest. Let the opinions impugned be the belief of God and in a future state, or any of the commonly received doctrines of morality… But I must be permitted to observe that it is not the feeling sure of a doctrine (be it what it may) which I call an assumption of infallibility. It is the undertaking to decide that question for others, without allowing them to hear what can be said on the contrary side. And I denounce and reprobate this pretension not the less if it is put forth on the side of my most solemn convictions. However, positive anyone’s persuasion may be, not only of the faculty but of the pernicious consequences, but (to adopt expressions which I altogether condemn) the immorality and impiety of opinion. – yet if, in pursuance of that private judgement, though backed by the public judgement of his country or contemporaries, he prevents the opinion from being heard in its defence, he assumes infallibility. And so far from the assumption being less objectionable or less dangerous because the opinion is called immoral or impious, this is the case of all others in which it is most fatal. (“On Liberty” 1859. ed. Gertrude Himmelfarb, UK: Penguin, 1985, pp. 83–84)

It has also been described, more restrictively, as governments not being allowed to forbid people from expressing their ideas. However, as JS Mill is closer to the original concept of free speech than I am, and his views are more maximalist than restricting the concept to government interference, I think it is right to use his notion.

So is free speech under threat in UK Universities?

I will argue that free speech, as described by JS Mill, doesn’t exist, either at UK Universities or in the UK in general, and moreover isn’t something that is desirable or even possible, but in the scope that it can be enacted, the limiting of free speech isn’t from the direction the BBC article suggests it is.

In my reading, the key section from the passage above is “It is the undertaking to decide that question for others, without allowing them to hear what can be said on the contrary side.”, i.e. in order to be fair and come to the right decision one must hear both sides of an argument. Is this what we are seeing within UK Universities? Are students and staff having their access to “both” sides of a discussion restricted?

Firstly, the phrase “contrary side” in JS Mill’s quote is interesting: it assumes only two sides to an argument. However, as anyone who has ever discussed/argued anything with anyone will know, there tend to be more than just two points of view within an argument; to quote ambassador Kosh Naranek, “Understanding is a three edged sword: your side, their side, and the truth.” But let’s assume that JS Mill et al. really mean you need to hear all sides. Is that something that should happen? What would it mean to hear all sides of an argument? Let’s imagine it for a second. Let’s pick a self-evident truth, 2+2=4. According to the expanded JS Mill statement, we should not accept this until we first hear not only that 2+2=5, but that they equal six, seven, eight, ad infinitum.

Those who argue for a maximalist free speech position have argued that in the marketplace of ideas the notion that 2+2=5 will be shown as false and people will gradually see that 2+2=4. Firstly, this assumes a linear progression of ideas; it assumes we never go backwards. While personally I find that notion quite reassuring, there is surprisingly little evidence for it. Additionally, and more importantly, it assumes the neutral observer is able to know a priori the correct answer. If we go back to the question of what 2+2 make, if I were to choose to argue the answer as 5, I would say something like “The + sign means add, and add 1 to the numbers either side of it, so 2+2 becomes 2 add 2 add 1, which equals 5”. Someone else may argue that in fact the + sign means subtract 2 from the number to the left and add it to the number on the right, giving an answer of 2. People may, of course, ask for proof that the + symbol does mean what I say it means, and of course I could produce any number of mathematical texts showing that to be the case.

How then is a neutral observer, unaware of the standard meaning of the + sign, to determine who (if anyone) is correct? Clearly, all this is going to do is prevent our understanding, rather than help us move forward. We, therefore, need something between blindly accepting 2+2=4 and the navel-gazing of exploring every possible option, with no means of determining its validity.

Of course, those who argue for free speech aren’t calling for the discussion of every possible option; they want to limit the range of options to a socially acceptable sub-set. The BBC article linked to at the top acknowledges that the NUS has banned six far-right groups from speaking and doesn’t question the legitimacy of that, only of other incidents. Additionally, the former Met Police Assistant Commissioner, Mark Rowley, says giving extremists “air time… plays to what extremists are looking for”, and no one condemns him for limiting Choudary’s freedom of speech.

Where are these boundaries? What is fair to say and what isn’t?

Far from being fixed, these boundaries are dependent on the audience’s and, to a lesser extent, the organizers’ view of what is an acceptable view at that moment in time. It is important to note that these views change over time, even over a relatively short space of time, and those who miss the change in norms can find themselves falling foul of such changing values. For example, in September 2013 the British politician Ian Davidson suggested that the debate on Scottish independence was continuing only “in the sense there is a large number of wounded still to be bayoneted”. This drew the ire of some in Scotland, but little beyond that. However, in June 2016 the Labour MP Jo Cox was murdered because of her pro-Europe views, and this led to a sea change in the way politics was discussed and in the appropriateness of inflammatory language such as Ian Davidson’s, to the extent that in 2018, when some Tory backbencher was quoted as saying “The moment is coming when the knife gets heated, stuck in her front and twisted. She’ll be dead soon.”, there was a huge outcry from all political parties. Clearly, there has been a shift in what is acceptable language to use within political debates within the UK.

But this isn’t uniform across a population; different people have different norms they accept. So, for example, what would be acceptable language for a far-right meeting would most likely not be acceptable for a far-left meeting.

Clearly what is meant by “free speech” is very much down to the audience.

As we’ve seen the idea of a universal maximum “free speech” is not something we have, not something we’re ever likely to get and not even something we should desire. Instead the concept of “free speech” appears to be nothing more than the ability to say things your audience doesn’t find abhorrent.

Even so, the idea that we should allow a wide range of views is an important one. With just a narrow range of views being heard it becomes difficult, if not impossible, to move our understanding and society forward.

Then what are we to make of the student protests against a number of recent speakers at UK universities?

To understand the effect of these student protests it is worth understanding what the protests were protesting against.

To quote from the article

Feminist writer Germaine Greer and LGBT rights campaigner Peter Tatchell both delivered talks despite complaints at their presence.

There have been cases – like that of YouTuber Sargon of Akkad, whose talk at King’s College London was interrupted by protesters, or ex-Muslim feminist campaigner Maryam Namazie, who was heckled by some students at Goldsmiths – where speaking events have been disrupted by a small number of vocal students. These were not institutional bans.

Warwick students’ union did try to block Ms Namazie from speaking, a decision which was reversed after public pressure.

In all these cases the protests were against talks delivered by individuals. There may be some who misunderstand what a talk (or lecture) is. Normally the invited speaker stands and talks to a self-selected audience of students, faculty members and sometimes members of the wider community who are interested in what the speaker has to say. At the end of the 45 minutes to an hour talk, there is sometimes (but not always) time for questions. There are often more questions than the speaker has time to answer, and most speakers are able to string out questions if they haven’t planted them with students who look favourably upon the speaker’s point of view.

The whole set-up doesn’t encourage debate and the consumption of multiple views; instead it only provides a single view. There is, however, a counter view in the scenarios listed above: the student protestors themselves.

It can be argued that, far from limiting free speech, by protesting they are in fact providing the counter position that is missing from the talk, and so, therefore, the “proponents” of free speech who are critical of them are limiting the discourse in that instance. They of course aren’t in the instance of the meta discussion, as their view is as unabhorrent as mine.


Can we use PHP for machine learning?

In response to a question asked on a Facebook group…

The simple answer is yes, you can. But before I explain how, I need to give a quick explanation of what “Machine learning” or “Artificial Intelligence” is.

At its heart “Machine learning” isn’t magic, it isn’t a black art; it is a set of algorithms which use mathematical functions to look for patterns in data.

Imagine you have two groups each containing a number of items.



and you have a single number you know belongs in one of the two groups but you’re not sure which one.


Which group do you think the number belongs in? The first set contains mostly lower numbers and the second set mostly numbers above seven. So it’s likely that the item belongs in set one.

Automate this and you have machine learning.

Machine learning, therefore, can be implemented in almost any language, you just need to implement the relevant algorithms.

Sadly for all but trivial cases, such algorithms are hard to implement.

Thankfully Microsoft, Google, and Amazon all have APIs that can be used to implement Artificial Intelligence within your own applications.

Since all the APIs are web-based they can be accessed by any application which can make web-based calls, and so PHP can be used with the APIs.

Microsoft has five main types of cognitive services.

  • Vision – Image-processing algorithms to smartly identify, caption and moderate your pictures.
  • Knowledge – Map complex information and data in order to solve tasks such as intelligent recommendations and semantic search.
  • Language – Allow your apps to process natural language with pre-built scripts, evaluate sentiment and learn how to recognize what users want.
  • Speech – Convert spoken audio into text, use voice for verification, or add speaker recognition to your app.
  • Search – Add Bing Search APIs to your apps and harness the ability to comb billions of web pages, images, videos, and news with a single API call.

These allow you to implement a wide range of functionality. Best of all, if you don’t already have an Azure account you can sign up for one for free and get more than enough free credits to build something amazing.
