EarthCalm EMF Protection Technology (USB or Ethernet)

There is almost nothing that makes me more mad than pseudo-science. There are those who are just completely self-absorbed and believe in their quackery science, such as the “vaccinations cause autism” people, who are now responsible for increased infant mortality in the western world. That upsets and frustrates me, but there is another group that actually infuriates me: those frauds trying to sell people bracelets, stones, crystals and, as it seems now, USB drives filled with stones, or a variation powered by non-PoE ethernet connectors. Note that EarthCalm is aware of lawyers, so their website states:

Disclaimer: The products and/or technologies listed on this website are not FDA-approved and are not intended to diagnose, treat, cure, mitigate, or prevent any disease. Please consult your physician or health care practitioner for any questions about EMFs and your health.

Instead of spending $179 on these gutted USB drives, please consider this $49,90 bargain Possible Health Effects of Exposure to Residential Electric and Magnetic Fields instead. Or spend nothing and read its summary:

CHARGE TO THE COMMITTEE

Public concern regarding possible health risks from residential exposures to low-strength, low-frequency electric and magnetic fields produced by power lines and the use of electric appliances has generated considerable debate among scientists and public officials. In 1991, Congress asked that the National Academy of Sciences (NAS) review the research literature on the effects from exposure to these fields and determine whether the scientific basis was sufficient to assess health risks from such exposures. In response to the legislation directing the U.S. Department of Energy to enter into an agreement with the NAS, the National Research Council convened the Committee on the Possible Effects of Electromagnetic Fields on Biologic Systems. The committee was asked “to review and evaluate the existing scientific information on the possible effects of exposure to electric and magnetic fields on the incidence of cancer, on reproduction and developmental abnormalities, and on neurobiologic response as reflected in learning and behavior.” The committee was asked to focus on exposure modalities found in residential settings. In addition, the committee was asked to identify future research needs and to carry out a risk assessment insofar as the research data justified this procedure. Risk assessment is a well-established procedure used to identify health hazards and to recommend limits on exposure to dangerous agents.

CONCLUSIONS OF THE COMMITTEE

Based on a comprehensive evaluation of published studies relating to the effects of power-frequency electric and magnetic fields on cells, tissues, and organisms (including humans), the conclusion of the committee is that the current body of evidence does not show that exposure to these fields presents a human-health hazard. Specifically, no conclusive and consistent evidence shows that exposures to residential electric and magnetic fields produce cancer, adverse neurobehavioral effects, or reproductive and developmental effects.

The committee reviewed residential exposure levels to electric and magnetic fields, evaluated the available epidemiologic studies, and examined laboratory investigations that used cells, isolated tissues, and animals. At exposure levels well above those normally encountered in residences, electric and magnetic fields can produce biologic effects (promotion of bone healing is an example), but these effects do not provide a consistent picture of a relationship between the biologic effects of these fields and health hazards. An association between residential wiring configurations (called wire codes, defined below) and childhood leukemia persists in multiple studies, although the causative factor responsible for that statistical association has not been identified. No evidence links contemporary measurements of magnetic-field levels to childhood leukemia.

A random email of appreciation

Today, I got this email in my inbox. I had already hit delete skimming it, but it caught my attention at the last moment:

Paul,

Do not be surprised, You haven’t interacted with me directly recently but I’d like to thank you for your contributions and hard work for all these years to openswan. Was just browsing through old mailing lists so here this is.

Thanks,
Elison

And it made me smile. I know my efforts are appreciated, but I don’t get much feedback about it. It is far more common for someone to ask repeated questions (without googling first), and then vanish without telling me whether or not they got it working. From past experience, I’ve found they usually did get it working, but I only find out the next time they have a question.

It reminds me of Ben Laurie’s .sig,

“There is no limit to what one can achieve if one doesn’t mind who gets the credit.”

(Ironically, I don’t know if Ben is the author or just the distributor of that quote, which somehow makes the quote even better)

Certificate pinning just prevented me from accessing my first legitimate website

I had done some tests with “real” certificates, using the Comodo free 90-day SSL certificate offer. I put some TLSA records in the DNS for nohats.ca, which allowed me to test the firefox plugin I was working on that deals with CA-backed and DNSSEC-backed certificates.

So of course, the SSL certificate expired, and I did not want to pay $99 to renew it. So I replaced it with a self-signed certificate and updated the TLSA record.

Then neither firefox nor chrome would connect to my website. They both threw an error about the certificate being invalid, and both refused to give me the override option. They knew better than me. This is exactly what you get when the publisher of the certificate is not in control of telling you whether the new certificate is valid. If these browsers had confirmed via DNS and DNSSEC that this is in fact the new real certificate, they wouldn’t have had to block my access (or withhold the override option from me).

The way to fix this is to delete all the browser history. Then the browser will have forgotten the pinned certificate and will re-ask you with the familiar “untrusted, do you want to continue anyway” dialog. I had to spend about 10 minutes to figure out how to do this. There go your website visitors. Both Chrome and Firefox acted in this way.
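To make the difference concrete, here is an added example (not code from the original post or from any browser) contrasting a browser-side pin remembered from an earlier visit with a DANE-EE TLSA record the site operator updates in DNS when the certificate is replaced. The certificate bytes are constructed placeholders standing in for DER-encoded X.509 certificates; only the full-certificate selector is implemented.

```python
import hashlib

# Constructed stand-ins for DER-encoded X.509 certificates (real ones are the
# bytes presented in the TLS handshake); the contents are placeholders.
OLD_CERT_DER = b"constructed DER: CA-issued certificate for nohats.ca"
NEW_CERT_DER = b"constructed DER: self-signed certificate for nohats.ca"

def tlsa_owner(host, port=443, proto="tcp"):
    """Owner name the TLSA record is published under, e.g. _443._tcp.nohats.ca."""
    return f"_{port}._{proto}.{host}."

def tlsa_rdata(usage, selector, mtype, cert_der):
    """Presentation form of TLSA RDATA (RFC 6698) for the given certificate.
    Only selector 0 (full certificate) is implemented; selector 1 (SPKI) would
    need ASN.1 parsing to extract the SubjectPublicKeyInfo and is left out."""
    if selector != 0:
        raise ValueError("only selector 0 (full certificate) supported")
    if mtype == 0:          # exact match on the full data
        assoc = cert_der.hex()
    elif mtype == 1:        # SHA-256 of the data
        assoc = hashlib.sha256(cert_der).hexdigest()
    elif mtype == 2:        # SHA-512 of the data
        assoc = hashlib.sha512(cert_der).hexdigest()
    else:
        raise ValueError(f"unknown matching type {mtype}")
    return f"{usage} {selector} {mtype} {assoc}"

def tlsa_matches(rdata, cert_der):
    """DANE-EE (usage 3) check: does the presented certificate match the record?
    Only meaningful if the record came back DNSSEC-validated; an unsigned TLSA
    answer could be forged by anyone who can spoof DNS."""
    usage, selector, mtype, assoc = rdata.split()
    if usage != "3":
        raise ValueError("only DANE-EE (usage 3) handled here")
    expected = tlsa_rdata(3, int(selector), int(mtype), cert_der).split()[3]
    return assoc == expected

def pin_matches(pinned_sha256, cert_der):
    """A browser-side pin remembered from an earlier visit."""
    return hashlib.sha256(cert_der).hexdigest() == pinned_sha256

def after_rotation():
    """The operator replaces the expired cert and updates DNS, but the browser
    still holds the old pin. Returns which mechanism accepts the new cert."""
    pin = hashlib.sha256(OLD_CERT_DER).hexdigest()
    record = tlsa_rdata(3, 0, 1, NEW_CERT_DER)     # updated TLSA record
    return {"pin": pin_matches(pin, NEW_CERT_DER),
            "tlsa": tlsa_matches(record, NEW_CERT_DER)}
```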

Expect many such false positives when you are dealing with certificate pinning, such as TACK.

Ironically, many of you will have to do exactly this, before you can read this blog entry. How long did it take you?

$10/month VPN services – snake oil or not?

In the last few years, I’ve clearly seen a rise in the offering of commercial VPN services. In the past I would find out about these VPN hosting networks when a new yahoo, gmail or hotmail account showed up on the openswan-users mailing list, repeatedly asking the same questions. They would tend to not like the answers we gave them but develop and deploy their systems anyway. In the last few years, more and more keep popping up and vanishing really fast, making me wonder if these are run by the same group of people constantly rebranding themselves, or whether new people keep inventing the same brain-dead idea. Yes, offering a commercial VPN service to “help” people is a very brain-dead idea.

Legal issues

The first and foremost reason all these commercial VPN providers are nothing more than snake oil is that they quickly run afoul of the law. Most, if not all, OECD countries have computer crime laws in place that mandate that every ISP service that adds a cryptographic layer for its customers must be able to remove that cryptographic layer and hand over decrypted traffic to any law enforcement agency (LEA). And that is the best case scenario. I would not recommend the casual reader attempt to work around encryption laws in non-OECD countries; whatever you’re trying to do, it’s likely not worth the jail time usually associated in such countries with using “illegal encryption”.

These laws mean you can never outsource your crypto to someone else. You must do it yourself. At most, you are putting a few legally separated jurisdictions between yourself and your government. If you’re just one of the four million people downloading Game of Thrones, you’re more protected by the sheer number of violators than by adding any commercial VPN service between you and The Pirate Bay. If you gave that VPN provider your name and credit card details when you signed up, you might actually end up in a worse position. Courts often will not take an IP address as proof that the person paying for the internet service (you) did something illegal. However, a credit card transaction in combination with traffic statistics showing you are using the service will be an excellent argument in court against you. And the VPN provider will have to hand those over as soon as an LEA knocks on their door. It might be using a non-US based credit card or paypal processor, but in the end, all roads lead to a few major US based financial institutions with enough US economic ties to turn your VPN provider over to the FBI at the first sign of trouble.

Technical dependencies

And on top of that, most VPN providers have technical dependencies in the US, for example by using a com/net/org domain name for their service, running DNS servers within the US, or even having their website or VPN servers located inside the US.

But measures like those in The Netherlands, where people need to subvert the Pirate Bay censorship at the ISP level to be able to watch Game of Thrones (not broadcast by any commercial TV service in the country), seem to attract a lot of new customers for these types of services. Other frequent annoyances that people want to circumvent are geo-restrictions based on IP address. I cannot watch The Daily Show or South Park using their own video streams, because I live in Canada, and they have commercial reasons why they cannot serve non-US customers. The same applies (or applied) to other services like Hulu, Netflix, etc.

VPNs are not just a button that protects you. Realise that all your traffic is being intercepted and sent through this VPN tunnel. The people you’re paying about $10/month get to have a copy of all your traffic! How much dedicated security do you think they can offer their customers? How many lawyers do you think they have on staff to verify all the warrants and tapping orders coming in?

Using VPNs for a few bucks a month to “steal” these services won’t get you in too much trouble; it’s just petty crime. The real trouble with these VPN services happens for people whose lives depend on their anonymity.

Marketing and other lies

The real danger with these VPN services is the blatant lies about what services are provided. Take for example the latest one that came to my notice, SuperVPN.net. It’s a very typical offering. They promise “complete anonymity”, “absolute anonymity” and “your real IP address will never be stored”. It offers “128 bit encryption” without specifying anything about the encryption algorithm. It’s all marketing to the ignorant. Your IP address likely leaks immediately to any malicious website that wants it. You probably already sent some HTTP cookies when those browser tabs reconnected to facebook, gmail and twitter.

You can have the strongest encryption on every packet you send out on the internet, but that says absolutely nothing about anonymity. Your browser is full of cookies, history and the ability to run code like javascript, flash or html5 that could reveal your identity. People could play DNS tricks on you and leak your location. Any true anonymity solution will try to handle both the operating system and application level, as well as the network encryption. If you need anonymity, please use something like Tor. Do not depend on any of these services!

Technical issues

Again looking at SuperVPN as an example, they offer PPTP, SSL, OpenVPN and L2TP services. Some of these require certificates that will reveal who you are while you authenticate with your VPN provider. Or they use pre-shared keys, meaning you can easily be fooled by another customer pretending to be your VPN provider. And most importantly, none of these protocols hide the fact that they are VPNs. If the country you are in outlaws cryptography, you just pointed a targeting laser at yourself.

If you ever see anyone promising security using PPTP, you know you have arrived at snake oil heaven. PPTP was broken about 10 years ago, and its successor L2TP had its native encryption layer mostly replaced by IPsec. L2TP itself is now on its way out, to be replaced by a pure (IKEv2) IPsec solution. VPN services that offer these obsoleted VPN protocols value your money more than your privacy or security.

And even with strong L2TP/IPsec VPNs, your anonymity can easily leak, especially when used on mobile devices that hop from network to network, guaranteeing your VPN will go up and down repeatedly, inevitably leaking some unencrypted data to reveal your identity. More on that soon by some of my fellow cypherpunks….

If you’re just using these VPN services to bypass geo-IP restrictions and the traffic you send over the VPN is just a video stream, then it might be worth your $10/month (though it might be illegal for you to do this). If you need real VPN security, use a trusted party to provide you with a VPN connection, or run your own virtual or real server in your favourite jurisdiction. If you need privacy, use Tor.

DNSSEC software bug causing nohats.ca down time – possible catch22

I sign my own domain nohats.ca using OpenDNSSEC. Since .ca is not yet signed, I added my key to the ISC DLV Registry. DLV is enabled by default on Fedora and RHEL if you install the bind or unbound name server for resolving.

Today, I removed and added a few zones to my opendnssec (an alpha version, 1.4.0a) based signer. These domains were unrelated to nohats.ca. But somehow I ended up with a “signed” nohats.ca zone that contained NSEC3 records but no RRSIG records, and one other domain that only contained a single RRSIG record. As a result, anyone who was using DNSSEC could no longer resolve my domain nohats.ca. That included me. The nohats.ca domain is still in this weird state inside opendnssec, so I decided to remove the DLV record for that domain. Turns out I forgot the password to my login at dlv.isc.org. With my mouse hovering over the “request password reset” option, I realised that my MX records point to “nohats.ca”. If the dlv.isc.org site uses DNSSEC, it will fail to resolve the MX record to send me the password reset information I need to fix my DNSSEC setting. Catch 22!

Whether by design or by sheer luck, this did not seem to be the case and I received my password reset, and have removed the DLV record for nohats.ca.

I upgraded opendnssec to 1.4.0a2, but this has not resolved the issue of ods-signerd giving me a zone without RRSIGs. I’ll have to investigate this more tomorrow. Our tools really still have lots of room for improvement.
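A signer producing NSEC3 records without RRSIGs, or only one RRSIG for a whole zone, is the kind of output a pre-publish check should catch before the zone ever reaches the authoritative servers. Here is an added example of such a check (not OpenDNSSEC’s own tooling) run over constructed zone excerpts that mimic the broken and the correctly signed state; all RDATA values are placeholders, and the check assumes a flat zone with no delegations.

```python
# Constructed zone excerpts (not the real nohats.ca zone). BROKEN_ZONE mirrors
# the failure described above: NSEC3 records present, but no RRSIGs at all.
# RDATA fields are placeholders; only owner, type and RRSIG type-covered matter.
BROKEN_ZONE = """\
nohats.ca. 3600 IN SOA ns0.nohats.ca. hostmaster.nohats.ca. 2012010101 3600 900 604800 3600
nohats.ca. 3600 IN NS ns0.nohats.ca.
nohats.ca. 3600 IN MX 10 nohats.ca.
nohats.ca. 3600 IN DNSKEY 257 3 8 AwEAAcONSTRUCTEDKEYDATA
p7f3.nohats.ca. 3600 IN NSEC3 1 0 10 ab12 q9z1 NS SOA MX DNSKEY RRSIG NSEC3PARAM
"""
# The same zone as a signer should have emitted it: one RRSIG per RRset.
SIGNED_ZONE = BROKEN_ZONE + """\
nohats.ca. 3600 IN RRSIG SOA 8 2 3600 20120201000000 20120101000000 12345 nohats.ca. c0nstructed=
nohats.ca. 3600 IN RRSIG NS 8 2 3600 20120201000000 20120101000000 12345 nohats.ca. c0nstructed=
nohats.ca. 3600 IN RRSIG MX 8 2 3600 20120201000000 20120101000000 12345 nohats.ca. c0nstructed=
nohats.ca. 3600 IN RRSIG DNSKEY 8 2 3600 20120201000000 20120101000000 54321 nohats.ca. c0nstructed=
p7f3.nohats.ca. 3600 IN RRSIG NSEC3 8 3 3600 20120201000000 20120101000000 12345 nohats.ca. c0nstructed=
"""

def unsigned_rrsets(zone_text):
    """Return sorted (owner, type) pairs that have no RRSIG covering them.
    Assumes one record per line in presentation format and no delegations
    (NS and glue below a zone cut are legitimately unsigned and would need
    to be excluded in a real zone)."""
    rrsets = set()
    covered = set()
    for line in zone_text.splitlines():
        fields = line.split()
        if line.startswith(";") or len(fields) < 5:
            continue                      # comment or short/blank line
        owner, rtype, rdata = fields[0], fields[3], fields[4:]
        if rtype == "RRSIG":
            covered.add((owner, rdata[0]))  # first RDATA field: type covered
        else:
            rrsets.add((owner, rtype))
    return sorted(rrsets - covered)

def zone_is_fully_signed(zone_text):
    """True only when every RRset in the zone has a matching RRSIG."""
    return not unsigned_rrsets(zone_text)
```

Such a check does not validate the signatures themselves; it only catches the gross “signer emitted no signatures” failure, which is the cheap test to wire in before a zone is pushed out.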

But it does bring up a delicate point. Registrars should ensure that there is a way you can remove a DS record using an account that can somehow do a password reset even if your only email address is in a failing DNSSEC domain. Perhaps a second factor using a text message to a phone? Or perhaps allow more than one email address for a reset, so that people could use two different email addresses in two different domains. Though one should not point password resets at domains that are not secured by DNSSEC, because these are precisely the kind of messages people could abuse to hack access to your domain account. Another security catch 22.

So if you are a registrar, please think about this issue. Sooner or later one of your customers will be in the position I found myself in…