UPDATE: Sony TV calls home, tells your MAC-address

May 30, 2011

Just because I can and I was curious, I sniffed my Sony TV set’s traffic:

GET /WsIndexes/AZ1_EU.xml HTTP/1.1
Host: applicast.ga.sony.net
Accept: */*
X-WS-MODEL-NAME: KDL-46EX705
X-WS-CLIENT-ID: 54:42:49:B5:E1:28
X-WS-COUNTRY-CODE: DEU
X-WS-LANGUAGE-CODE: ger
User-Agent: WidgetSystem/2.0


HTTP/1.1 200 OK
Server: Apache
ETag: "dd74d85181fb035ebc97fe67fc242681:1303966227"
Last-Modified: Thu, 28 Apr 2011 04:50:27 GMT
Accept-Ranges: bytes
Content-Length: 3107
Content-Type: application/xml
Date: Thu, 26 May 2011 14:50:46 GMT
Connection: keep-alive

Why does my TV send its MAC-address to Sony?
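To look for the same pattern in other captures, here is an added example (not part of the original post) that scans a captured HTTP request for MAC-shaped values and reports whether each one is a vendor-assigned address. The function names and the two extra requests are constructed for illustration.

```python
import re

# Six hex octets joined by one consistent separator (':' or '-').
MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f:-])[0-9A-Fa-f]{2}([:-])[0-9A-Fa-f]{2}"
    r"(?:\1[0-9A-Fa-f]{2}){4}(?![0-9A-Fa-f:-])"
)


def parse_request(raw):
    """Split a captured HTTP request into (request_line, {header: value})."""
    head = raw.replace("\r\n", "\n").strip().split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return lines[0], headers


def find_mac_leaks(raw):
    """Return one finding per MAC-shaped value in the request line or headers."""
    request_line, headers = parse_request(raw)
    findings = []
    for field, value in [("request-line", request_line), *headers.items()]:
        for match in MAC_RE.finditer(value):
            mac = match.group(0).upper().replace("-", ":")
            findings.append({
                "host": headers.get("Host", "?"),
                "field": field,
                "mac": mac,
                # U/L bit (0x02 of the first octet) clear: vendor-assigned address,
                # i.e. a stable per-device identifier rather than a randomised one.
                "vendor_assigned": not int(mac[:2], 16) & 0x02,
            })
    return findings


# The request from the capture above, followed by two constructed requests.
TV_REQUEST = """GET /WsIndexes/AZ1_EU.xml HTTP/1.1
Host: applicast.ga.sony.net
Accept: */*
X-WS-MODEL-NAME: KDL-46EX705
X-WS-CLIENT-ID: 54:42:49:B5:E1:28
X-WS-COUNTRY-CODE: DEU
X-WS-LANGUAGE-CODE: ger
User-Agent: WidgetSystem/2.0

"""
CLEAN_REQUEST = "GET /index.xml HTTP/1.1\r\nHost: updates.example.net\r\n\r\n"
RANDOM_MAC_REQUEST = ("GET /list?dev=02-00-5e-10-00-01 HTTP/1.1\r\n"
                      "Host: updates.example.net\r\n\r\n")

if __name__ == "__main__":
    for request in (TV_REQUEST, CLEAN_REQUEST, RANDOM_MAC_REQUEST):
        print(find_mac_leaks(request))
```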

Next up: I will try changing the X-WS-CLIENT-ID to some arbitrary value and see what happens.

Because I can. For science.

UPDATE: I just wrote Sony Europe a letter with a request for comment. Text (translated from German) below:

During a security audit of my network I noticed
that every time it is switched on, my television contacts certain Sony
servers on the Internet in order to download the list of available
widgets.
That is fine so far.
But why does my television send along its MAC address - the attribute
that identifies my particular television - even though in this case I
have not yet initiated any purchase?
The German data protection law clearly says that data may only be
collected if it is strictly necessary for a business transaction. When I
switch on my television, however, I do not yet have the intention of
doing new business with you.

Please provide me with the following information by Monday,
13 June:

* Why you do this
* In what form you store the MAC address in combination with my
IP address
* To whom you pass this data on
* What you do with this data
* How long you store this data

Thank you very much in advance!

Alexander Janßen.

UPDATE: A few weeks later, no response from Sony. I wrote them another message via their web interface (translated from German):

Dear Sir or Madam,

on 30 May I asked you why my television -
a KDL-46EX705 - sends its Ethernet MAC address along to you when
it fetches its service list from you.
Unfortunately you have so far sent me neither an answer nor a
reference number.
To make my concern clear once more, I am appending my message
to you again below.
Please let me know by Monday of next week, 27 June 2011,
under which reference number you are handling my concern
and whom in your company I can ask about it by telephone - and
please not on a number that is charged for. We have already been
in contact, and I do not see why I should pay to talk to my supplier
about a complaint - a complaint that
moreover concerns my privacy.
My earlier message to you.
--- snip ---

During a security audit of my network I noticed
that every time it is switched on, my television contacts certain Sony
servers on the Internet in order to download the list of available
widgets.
That is fine so far.
But why does my television send along its MAC address - the attribute
that identifies my particular television - even though in this case I
have not yet initiated any purchase?
The German data protection law clearly says that data may only be
collected if it is strictly necessary for a business transaction. When I
switch on my television, however, I do not yet have the intention of
doing new business with you.

Please provide me with the following information by Monday,
13 June:

* Why you do this
* In what form you store the MAC address in combination with my
IP address
* To whom you pass this data on
* What you do with this data
* How long you store this data

Thank you very much in advance!

Alexander Janßen.
--- snap ---

I hope to hear from you by Monday of next week -
Alexander Janßen.


The Datagram Onion Router

October 15, 2008

After having a quite depressing discussion about how Tor will evolve in Germany considering the data retention laws, I met a guy on IRC who told me about his new really cool project.

Camilo Viecco, who is currently doing his PhD in CS at Indiana University, developed a naive UDP implementation of the anonymisation principle known as onion routing from scratch. It’s far from perfect and it wouldn’t meld with the Tor code easily, but it’s a first approach to improving latency for anon-services.

Tdor is anonymisation software to be installed on your local PC. It enables you to use the internet anonymously by configuring tdor as a proxy in your web browser. When you use this software, no one can find out your IP address, which effectively obfuscates your identity.

The software is available on his homepage and currently compiles on unixish systems.

What’s different about this project compared to regular anonymisation systems is that tdor uses UDP instead of TCP, dramatically improving the well-known latency you suffer from when you’re using regular TCP-based anon-systems.

The project hasn’t even released its first alpha version, but the version I tested was usable and quite fast. I couldn’t tell the difference between a regular internet connection and Internet over tdor.

Though where there’s light, there are shadows: The whole tdor network only uses six nodes at the moment. It’s not meant for real production use, it’s only for testing – though it works cool!

At the moment the whole project consists of just a handful of people, but I bet Camilo appreciates any help he can get.

So. If you wanna participate in a really cool fancy brand-new cutting-edge anonymisation technology, grab the sources, compile it, run it and report bugs and issues!

A formal description of tdor is available here: http://petsymposium.org/2008/hotpets/udp-tor.pdf


Privacy in Germany: What’s going on?

December 19, 2007

This is a meta-posting describing what’s going on in Germany.

Organisations:

German Privacy Foundation (GPF)

The German Privacy Foundation was finally officially established. The GPF thinks everyone has the right to privacy and anonymous communication. Anonymity is one of the fundamental basics of privacy and supports human and citizens’ rights.

Its goals are to inform and educate about safe communication on the internet, supporting and organising tutorials for citizens about those topics.

The GPF is supporting and endorsing the development and deployment of anonymous infrastructure.

The GPF is a non-profit organisation according to the German law.

Contact: Use the Contact-Form.

Privacy Legal Fund (Germany) [PLF]

The Privacy Legal Fund (Germany) is a yet-to-be-founded organisation which will help voluntary operators of anonymisation-services like JAP, Tor, Mixmaster, Entropy, Freenet et al. with their problems with the Feds.

Much like the GPF, they want to promote the usage of privacy-enhancing internet tools, but put their emphasis on direct action instead of education. In that sense, the GPF and the PLF will be complementary.

The PLF doesn’t have fixed rules yet, they’re still to be defined. The PLF will be a non-profit organisation.

Contact: Contact me using the contact-form in this blog. You may encrypt the message using the PGP-key 0x90DEE171.

Events:

Both the GPF and the PLF will meet at the Chaos Communication Congress 24 in Berlin on the 27th-30th of December 2007.

On the 27th the PLF will meet for its founding ceremony.
On the 28th the PLF and the GPF will meet to discuss the cooperation of both organisations.

Roger Dingledine, head of the Tor-project, will attend 24C3 for some talks as well.

Other Events:

There should be a “10 Years GnuPG” party in Düsseldorf featuring Werner Koch this Thursday; however, no official announcement has been made yet. Still waiting.


nemo tenetur seipsum accusare^2

November 14, 2007

It didn’t even take a month.

The Register reports about an animal rights activist who’s now been asked to hand over her crypto-keys.

El Reg sums up the details:

An animal rights activist has been ordered to hand over her encryption keys to the authorities.

Section Three of the Regulation of Investigatory Powers Act (RIPA) came into force at the start in October 2007, seven years after the original legislation passed through parliament. Intended primarily to deal with terror suspects, it allows police to demand encryption keys or provide a clear text transcript of encrypted text.
[...] she has been given 12 days to hand over a pass-phrase to unlock encrypted data held on the drive – or face the consequences. [Failure to comply can result in up to two years imprisonment for cases not involving national security, or five years for terrorism offences and the like.]

So what do we have here?

A dodgy law which is meant for serious crimes and terrorists.
A woman engaged in animal rights.

I can see the plot!

Evil trrrsts meeting animal-rights activists to blow up Downing Street.

Oh, you’ve got nothing to hide? Sure mate.

Some people pointed out that this silly law could be circumvented by technology based on plausible deniability and hard crypto – but still I say, it’s the law that’s flawed!


nemo tenetur seipsum accusare

October 11, 2007

Well, not in the UK anymore.

Nowadays you’ve got to hand over your encryption keys to the authorities if they ask you. Non-compliance can be punished with up to two years for ordinary “crimes” and up to five for trrrsts.


Schily, Schily, oy oy oy

February 9, 2007

My “favourite” politician, Mr. Wolfgang Schäuble, Home Secretary of Germany, was interviewed by the newspaper TAZ.

I almost spilled my coffee over my keyboard while reading the interview. I knew that he’s absolutely for Law and Order, but I couldn’t imagine that he’s that ignorant about what citizens think about his plans to introduce a governmental trojan horse, which should infiltrate terrorists’ computers. It’s about security, isn’t it? (And the children. And world peace. Are you against the children or what? Either you’re with us or the terrorists.)

Some examples:

TAZ: Mr. Schäuble, are you Germany’s highest ranked hacker?
Schäuble: No, I don’t get into any computer, and frankly I don’t really know how the police is doing that. I barely know what a trojan horse is.

TAZ: Are you afraid of those so called trojans, means e-spionage software?
Schäuble: No, in general I never open attachments in email, where I’m not sure about its origin. And also I’m a decent guy, the BKA [German Federal Police] doesn’t need to send trojans to me.

TAZ: 10,000 citizens are planning to file a constitutional complaint against the mandatory data retention. Don’t you get contemplative about that?
Schäuble: That doesn’t bother me any more.

Once again I’m totally convinced that the politicians don’t give a damn about the citizens’ opinion. They try to justify every surveillance measure with the terrorism/child-porn/internet pirate argument.

To quote Kurfürst Friedrich Wilhelm v. Brandenburg:

“Es ist dem Untertanen untersagt, den Maßstab seiner beschränkten Einsicht an die Handlungen der Obrigkeit anzulegen.”
(Flaky translation: “It’s forbidden to the subject to apply the standard of his limited views to the acts of the authorities”)

Happy hacking.



Skype, oh Skype

February 8, 2007

Via /., via pagetable:

To quote a fellow blogger: “As a Web Worker, you have undoubtedly used, tried, or at least heard of Skype, that wonderful peer-to-peer IM/voice tool that end users love, but security administrators detest.”

Wee. I had my own experience with Skype (see the first posting, Bloglines still isn’t able to recover all the postings correctly); they just kill your account-balance if you don’t use your account for a while. They claim that the administrative hassle is too much, so I can’t be with them anymore. Whatever, probably I wasn’t made for loving them.

Also there was quite a discussion about what kind of encryption Skype uses; their motto is security through obscurity. They’re using a proprietary encryption which was never disclosed and is therefore of doubtful security.

Now I just read this posting at /.: the Skype software is now accused of reading the BIOS.

For what? There is no apparent reason why Skype should be reading the BIOS. Except maybe reading some serial number.

Skype. What’s your bloody problem. Eh? Tell us. This is crazy. Not only do you take the piss out of your customers accounting-wise, now you’re collecting data about your customers which you aren’t supposed to collect. And, I make this statement clear: This action is absolutely illegal in Germany. The German privacy laws clearly say that you’re only allowed to collect data about users if they AGREE and that you’re only allowed to collect data necessary for billing. Nothing bloody else.

What the hell is wrong with those people? Isn’t there an organization in the EU which could sue their ass off? Well, there’s the newly founded EFF Europe, but I doubt that they’re already fully operational.



Constitutional complaint against data retention

February 7, 2007

Note to my readers: This posting is about a constitutional complaint against the upcoming EU data retention laws.

Today, for once, a posting in German: The lawyer Meinhard Starostik intends to file a constitutional complaint against data retention as soon as it has been passed. A short summary: The EU requires its member states to ratify, by the turn of the year 2007/2008, a national law which implements EU Directive 2006/24/EC.

Wikipedia has a simple summary:

“The Data Retention Directive is a directive of the European Union intended to harmonise the differing national provisions of the EU member states on the retention of telecommunications data. The harmonisation is meant to ensure that the data is kept for a certain period of time for the purpose of investigating and prosecuting serious crimes.”

In principle this means: Everyone is a suspect. Data is stored regardless of suspicion, without any concrete indication of a crime. Huge collections of personal data are created, to which the law enforcement agencies get access. To get an overview of all the data that is to be stored, the Wikipedia article is a good start.

As a law-abiding citizen I object to this blanket suspicion and to the breach of my informational self-determination. That is why I have given Mr. Starostik a power of attorney for court proceedings, so that he can file a complaint in my name.

Join in. The phrase “If you have nothing to hide, you have nothing to fear” is sheer mockery. Show them that, for the ordinary citizen, politics does not just mean putting a cross on a ballot every few years and then keeping your mouth shut until the next election. Fight back!

More information on this topic:
Stoppt die Vorratsdatenspeicherung
Verein zur Förderung des öffentlichen bewegten und unbewegten Datenverkehrs e.V.
Original text of Directive 2006/24/EC

Regards, Alex.



Analyzing TOR-exitnodes for anomalies – results

October 6, 2006

As my regular readers clearly remember, a couple of days ago I accused the Linux Magazine of bigotry. Later I learned that it’s not only the Linux Magazine, but lots of other sites which show strange behaviour when accessed through the Tor system.

To check what’s really going on I started an investigation and tested more than a thousand Tor nodes for strange behaviour. I submitted my results to the or-talk list yesterday:

Date: Thu, 5 Oct 2006 17:56:51 +0200
From: “Alexander W. Janssen” <yalla@ynfonatic.de>
To: or-talk@freehaven.net
Subject: First results of analysis

Hi all,

i checked 1161 nodes in total.

269 of them were responsive exit-nodes, all behaving correctly.

9 exitnodes were responsive, but they had some proxy installed which didn’t behave quite correctly when you accessed a webpage with the notation original.url.$nodename.exit; the error-messages varied from “could not resolve” (looks like a DNS-leak to me) over “502 Bad Gateway” through “502 Proxy Error”.

However, in my list of exit-nodes i couldn’t find any host which showed the described behaviour. My test-URL was http://www.linux-magazine.com/.

So there is still some space left for discussion: Did i miss the “bad” or “banned” exitnode?

I tend to agree with Claude; at the moment it doesn’t seem likely that we have some sort of bad exitnodes in place.

However we probably should think if we should install some kind of early warning system. I could imagine something like this: Every client checks once per day some random website on the internet via, let’s say, 10 random exit-nodes and compares the results. If something is wrong the exitnode could be signalled to a real human which could verify the claim.

What do you think about that?

Cheers, Alex.

I have stopped my efforts for the moment; I tend to blame Linux Magazine’s webhoster, but no-one knows exactly what’s going on. It’ll just be a matter of time until someone sets up rogue Tor nodes.

Therefore: Dear editor and people from the Linux Magazine, I was in a rage. You clearly didn’t deserve to be called “bigot”. I honestly apologize. I don’t know what’s really going on, but maybe you could start an investigation on your own.

Alexander “Yalla” Janssen.



Analyzing TOR-exitnodes for anomalies

October 4, 2006

A few days ago I had a strange encounter with Linux New Media‘s “Linux Magazine” website; depending on whether I used TOR to access their website I got different results. Accessing their site with TOR resulted in getting redirected to some kind of link-farm, which made me totally suspicious. I assumed that they were looking at the source IP address and deciding which webpage to serve – however, that phenomenon vanished a couple of hours after blogging about it, so I assumed that they fixed it.

Later I found a posting on the or-talk mailing list from someone who suspected that certain TOR nodes might alter webpages and include advertising of some sort. This would’ve been an interesting attack.

I take my own work and my own assumptions very seriously. I don’t want to blame the Linux Magazine if they didn’t do it, and denouncing their actions as “bigotry”, as I did, is not to be taken lightly.

For that reason, out of curiosity, interest and for everyone else, I started an investigation into whether there are any bogus TOR exitnodes which might alter the content of webpages and, if they do, what else they might do.

Theory of operation is simple:

  1. Get a list of known nodes which allow outbound tcp/80 traffic (http://localhost:9030/tor/running-routers is a good start)
  2. Loop over all exitnodes i and get a website A via exitnode i using TOR: “wget http://A.${i}.exit/ -O $i.html”
  3. Compare all stored websites (or, let’s say, distinctive parts) with an original
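
A sketch of step 3, as an added example that is not the script used for this investigation: it compares the "distinctive parts" of each stored page (title and referenced hosts) with the original and separates the proxy errors named in the or-talk results mail from altered content. The node names, hosts and sample pages are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Error texts the or-talk mail reports for exits with a misbehaving proxy.
PROXY_ERRORS = ("could not resolve", "502 bad gateway", "502 proxy error")
TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)


class HostCollector(HTMLParser):
    """Collect every host a page references through href/src/action attributes."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                # Relative URLs have no hostname (None); filtered out later.
                self.hosts.add(urlparse(value).hostname)


def fingerprint(html):
    """Return the 'distinctive parts' compared here: (title, referenced hosts)."""
    collector = HostCollector()
    collector.feed(html)
    match = TITLE_RE.search(html)
    return (match.group(1).strip() if match else ""), collector.hosts - {None}


def classify(baseline_html, fetched):
    """Map each exit-node name to (verdict, hosts absent from the baseline)."""
    base_title, base_hosts = fingerprint(baseline_html)
    report = {}
    for node, body in fetched.items():
        title, hosts = fingerprint(body)
        new_hosts = sorted(hosts - base_hosts)
        if any(err in body.lower() for err in PROXY_ERRORS):
            report[node] = ("proxy_error", [])
        elif title != base_title or new_hosts:
            report[node] = ("altered", new_hosts)
        else:
            report[node] = ("ok", [])
    return report


# Constructed sample pages; node names and hosts are made up for illustration.
BASELINE = ('<html><head><title>Example Magazine</title></head><body>'
            '<a href="http://www.example.org/issue">Issue</a></body></html>')
FETCHED = {
    "nodeA": BASELINE,
    "nodeB": "<html><body><h1>502 Proxy Error</h1></body></html>",
    "nodeC": BASELINE + '<script src="http://ads.example.net/x.js"></script>',
    "nodeD": "<html><head><title>Links</title></head><body></body></html>",
}

if __name__ == "__main__":
    print(classify(BASELINE, FETCHED))
```

Comparing titles and referenced hosts rather than whole files keeps dynamic page content from producing false alarms, while an injected script or a swapped-in page still changes the fingerprint.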

I have already checked about 20% of all exitnodes known to one of my machines as of today, and I will certainly conduct the same experiment a couple of times before publishing a result.

Stay tuned for updates. If there are bogus exitpoints we’ll find them; what actions we might take is up to the TOR operators. I’d suggest putting them on your TOR node’s blacklist.
