Archive for ‘Computers and Internet’

December 1, 2012

Gmail and mobile service related news

There has been an accumulation of minor activity about Gmail recently.

Email art

Gmail Outage

On 11 December 2012, many Google accounts experienced Gmail unavailability. I did not experience any problems in Arizona. Gmail was definitely offline for at least 45 minutes, when I checked the official Google Apps Status page.

According to GigaOm, continuous deployment was the problem, and Gmail went down during a routine load balancing update. The GigaOm article is good. It includes a two-page PDF document later released by Google, with a detailed explanation of the incident.

For future reference, I suggest bookmarking the Google Apps Status Dashboard. Despite the “Google Apps” page name, the information is relevant to consumers as well as Google Apps business customers. It lists time and cause for disruptions in Gmail and many other Google services.

Verdict of the Herd

There is an unofficial Is Gmail down? service which culls data from multiple sources. It reminds me of an informal version of Herdict, the “verdict of the herd”. Herdict collects and publicly reports on global incidents of filtering, denial of service attacks, availability, and overall internet infrastructure reliability. Input data is crowd-sourced.

Herdict reports on website inaccessibility regardless of cause. After aggregation and trend analysis, it can be useful for gauging regional blockages of websites known for activism and possibly subject to politically motivated internet censorship. “Is Gmail down” is not intended for anything beyond the convenience of the public, though that is always appreciated! It is not crowd-sourced, nor does it give a comprehensive real-time map of global Internet health. In contrast, Herdict does exactly that. The collected information can even be broken down on a more granular level.

Herdict access service

I like the Herdict badge. You can put it on your website to support Herdict activities. Just click on the sheep-shaped image to get one. The Herdict real time interactive map is fun to watch, and its RSS feed is available for free to anyone who wants to use the data. Herdict is run by the Berkman Center for Internet & Society of Harvard University.

December 19, 2011

A Special Kind Of Proxy

GoogleSharing is a special proxy service that doesn’t hide what you are searching from Google. Instead, it obscures where the requests are coming from. GoogleSharing is not a full proxy service designed to anonymize traffic. It is exclusively intended for certain aspects of your communication with Google. So there are no “alternative” websites to visit. Your use of the web need not change at all.

diagram

How does it work?
The GoogleSharing system is a custom proxy with a Firefox Add-on.

The proxy

The proxy generates a pool of GoogleSharing “identities,” each containing a cookie issued by Google and an arbitrary User-Agent for one of several browsers.

The add-on

The Firefox add-on watches for requests to Google services from your browser… and will transparently redirect them to a GoogleSharing proxy. There your request is stripped of identifying information and replaced with a GoogleSharing identity. Then this request is forwarded to Google, and the response is proxied back to you.
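The two halves described above, sketched as an added example (this is not GoogleSharing's own code). The list of headers treated as identifying, the round-robin choice of identity, the `google.com` host match and all names and sample values are assumptions of the sketch.

```python
import itertools

# Headers removed before forwarding. The page only says "identifying
# information"; this particular list is an assumption of the example.
IDENTIFYING_HEADERS = {"cookie", "user-agent", "referer", "x-forwarded-for"}

# Constructed identities: stand-ins for a cookie issued by Google plus an arbitrary User-Agent.
IDENTITY_POOL = [
    {"cookie": "PREF=ID=constructed-0001", "user_agent": "ExampleBrowser/1.0 (X11; Linux)"},
    {"cookie": "PREF=ID=constructed-0002", "user_agent": "ExampleBrowser/2.0 (Windows)"},
    {"cookie": "PREF=ID=constructed-0003", "user_agent": "ExampleBrowser/3.0 (Macintosh)"},
]

def is_google_host(host):
    """Add-on side: match google.com and its subdomains, not hosts that merely contain it."""
    host = host.lower().rstrip(".")
    return host == "google.com" or host.endswith(".google.com")

class SharingProxy:
    """Proxy side: swap the caller's identifying headers for a pooled identity."""

    def __init__(self, pool):
        self._identities = itertools.cycle(pool)  # round-robin is an assumption

    def rewrite(self, headers):
        clean = {k: v for k, v in headers.items() if k.lower() not in IDENTIFYING_HEADERS}
        identity = next(self._identities)
        clean["Cookie"] = identity["cookie"]
        clean["User-Agent"] = identity["user_agent"]
        return clean

def route(proxy, host, headers):
    """Return (via_proxy, headers_sent) for one outgoing browser request."""
    if not is_google_host(host):
        return False, dict(headers)  # all other traffic goes out unchanged
    return True, proxy.rewrite(headers)

# Constructed browser request.
BROWSER_HEADERS = {"Host": "www.google.com", "Cookie": "PREF=ID=real-user-cookie",
                   "User-Agent": "RealBrowser/9.9", "Referer": "https://intranet.example/wiki",
                   "Accept": "text/html"}

if __name__ == "__main__":
    proxy = SharingProxy(IDENTITY_POOL)
    for host in ("www.google.com", "www.google.com", "google.com.example.net"):
        print(host, route(proxy, host, BROWSER_HEADERS))
```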

If your next search is given a different identity,


July 15, 2011

Try a VeriSign SSL Certificate gratis

Network and data security has really been on my mind lately!

I visited the Symantec and VeriSign websites the other day. I’m not sure if this is a true “limited time special offer” or an ongoing promotional deal that I never noticed until now. Two sorts of SSL (Secure Sockets Layer encryption) certificates are available from VeriSign.

Secure Socket Layer protection

30-day SSL test-drive

One is the standard type that is desirable for websites that are accepting payment data or collecting other sensitive personal information from users. VeriSign refers to this as a Production Certificate. It includes use of the distinctive VeriSign Trust Seal, for use on SSL websites.

The other type is an SSL Test Certificate. Applications developers who want to confirm that SSL encryption is functional in a test (pre-production ONLY) environment should select this. It doesn’t include display of the Trust Seal, because it isn’t intended for use with applications on the public web. Both are available for free, for a 30-day trial period.

Try a VeriSign Certificate* today!

There may be superior alternatives to VeriSign SSL authentication. Regardless of vendor choice or implementation, it won’t hurt to contemplate data security, given the almost daily news reports of DDoS, DoS and other attacks. Or disclosure of yet another 0-day vulnerability or data breach.

* No, I’m not a paid endorser. I hoped someone might find it helpful and informative. Me, for example!

UPDATE: July 30, 2011

I just noticed that VeriSign has another offer; a 60-day free trial for a VeriSign Seal. See the VeriSign website for more information.

VeriSign offers both SSL and non-SSL products

What is the difference between the Trust Seal and the Secured Seal?

Like the VeriSign Secured Seal, the VeriSign Trust Seal shows that a site is authenticated by the high standards of VeriSign… The VeriSign Trust Seal is free with the purchase of any VeriSign® SSL Certificate. It can also be purchased separately for web sites that do not require SSL for securing online transactions. The VeriSign Trust Seal provides a cost-effective way to establish trust on your site without installing an SSL Certificate.

Emphasis is mine. However, VeriSign prominently displays this advisory on the Trust Seal FAQ page:

If your Web site uses SSL, you must use VeriSign SSL in order to display the VeriSign Trust Seal.

I’m uncertain, but suspect that the 30-day Trust Seal deal includes SSL certification, which is actually the VeriSign Secured Seal. The 60-day special probably does not. In other words, it offers the Trust Seal but not the SSL certificate, and is suitable only for non-SSL websites.

June 3, 2011

IPv6 Day is on the way

ipv4 versus ipv6 explained

IPv4 versus IPv6

IPv6 Day is scheduled for 12 June 2011. Most internet service providers (ISPs), major technology companies and of course, Google, Yahoo and Microsoft will be participating. The complete list of participants is available from the Internet Society (ISOC).

The ISOC sees to the overall well-being of the global internet. This is a very important task. The internet is the framework for most of our digital infrastructure.

What is IPv6?

IP is the abbreviation for “Internet protocol”. No, not “Intellectual property”! At least, not in this context. Internet Protocol version 4 (IPv4) is the current standard. Internet Protocol version 6 (IPv6) will be the new internet protocol.

IPv6 Day is only a test day

It is not a permanent transition to the new standard. IPv6 Day is a 24-hour period during which participants will run using IPv6 instead of IPv4. Complete transition to an exclusively IPv6 internet is still in the future. There is a very real urgency though. The most pressing concern is IP address availability. The IPv4 address space was exhausted, completely depleted, several months ago.

This animated IPv6-themed Google logo was featured during the 2010 IPv6 Implementors Conference. Unlike the usual Google *.jpeg logo, this image is formatted as a *.gif file.

Google IPv6 logo that wiggles for transition from IPv4

Special Google IPv6 logo using GIF format

Google worked with internet organizations on the IPv6 transition for many years:

Since 2008, Google has hosted conferences focused on addressing and sharing IPv6 implementation experience, designs, and associated research.

—  Google IPv6 Implementors Conferences

May 11, 2011

TechCrunch and Your Right To Free Speech

First Amendment rights apply to the government, not to private companies. Nor to anyone or anything else that is not the U.S. Government.

This was an excellent and educational article from TechCrunch.

TechCrunch Has Breached Your Right To Free Speech

TechCrunch explains Free Speech

“You know something I love?

The US Constitution. Not because it’s one of the most artfully drafted pieces of legislation on the planet, covering the spectrum of rights due to every man, woman and child in the United States and yet still with less legalese than the average EULA.

Not because of the wonderful stories that surround its creation … “

via TechCrunch, Read more….

April 3, 2011

reCAPTCHA definition and history

reCAPTCHA example

reCAPTCHA and OCR for digitization projects

What does a CAPTCHA do?

Humans can read the distorted text in CAPTCHA challenges* but current computer programs cannot.

A CAPTCHA is a program that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot.

What does CAPTCHA mean?

CAPTCHA is an acronym for Completely Automated Public Turing Test To Tell Computers and Humans Apart. It was coined in 2000 by the Carnegie Mellon University computer science research staff who originally invented CAPTCHA.

What is the difference between CAPTCHA and reCAPTCHA?

This is how the reCAPTCHA Project explains the difference:

ReCAPTCHA helps prevent automated abuse of your site (such as comment spam or bogus registrations) by using a CAPTCHA to ensure that only humans perform certain actions.

Generally a CAPTCHA is a single word, whereas a ReCAPTCHA is two words. The reCAPTCHA project page explains this in greater detail. Research papers in *.pdf format are available for download on the Google ReCAPTCHA website.

Google purchased CAPTCHA in 2009 and describes usage and further background on reCAPTCHA FAQs:

ReCAPTCHA is a free CAPTCHA service that helps to digitize books, newspapers and old-time radio shows.

ReCAPTCHA is free

While free to use, including the API, be aware that ReCAPTCHA is not open source software.

Other uses

ReCAPTCHA is best known for historic text digitization and spam filtering, which is an information security measure.

Answers to reCAPTCHA challenges are used to digitize textual documents… a combination of multiple OCR programs, probabilistic language models, and the answers from millions of humans on the internet, reCAPTCHA is able to achieve over 99.5% transcription accuracy at the word level….

OCR is an acronym. It means Optical Character Recognition. Compare the accuracy of standard OCR versus reCAPTCHA transcriptions of a medium quality scanned document on the reCAPTCHA digitization accuracy website. See some humorous reCAPTCHA examples from the official Google reCAPTCHA blog. Google announced an audio version of reCAPTCHA in 2009.

MailHide is another application, where potential for spam is reduced by requiring a reCAPTCHA challenge in order to disclose an otherwise partially obscured email address. More details are available in my post about MailHide from last month.

Recent developments

Recent research in the area of computer security led to some surprising discoveries about CAPTCHA and spam. Initially, it appeared that the CAPTCHA challenge had been defeated on a large scale, but only in a very localized region. That turned out not to be true. Human interaction of an unanticipated sort was still required to evade the CAPTCHA, on each and every spam comment and email that got through.

*Work continues on the original CAPTCHA project.

March 7, 2011

Authentication and Authorization

Access control has two components, referred to collectively as auth.

Third-party applications often require limited access to a user’s Google Account… all requests for access must be approved by the account holder.

via Authentication and Authorization for Google APIs.

Authentication services

Authentication refers to the process of allowing users to sign in to websites. In the context of this blog, it also refers to signing in to applications using a Google Account, or an OpenID 2.0 based protocol. When Google authenticates a user’s account, it returns a user ID to the web application. This allows user information to be stored and collected. OpenID also allows access to certain user account information, with the user’s approval.

Authorization services

OAuth Logo

OAuth

Authorization is often confused (by me, maybe others) with authentication. Authorization lets a user authorize access by applications to specific data associated with the user’s Google account.

OAuth 2.0 Protocol

The OAuth 2.0 open-standard protocol allows users to authorize access to their data, after successful authentication. Google supports the OAuth 2.0 protocol with bearer tokens for web (and installed) applications. Regular Google account data and Google Apps account data are accessible with OAuth 2.0. OAuth 2.0 relies on SSL for security instead of direct cryptographic signing that would otherwise be necessary for such access.

Note that OAuth 2.0 has not been finalized, according to IETF (version 13). Google cautions that its OAuth 2.0 support is in an early preview and may change at any time, or as the final specifications evolve. Google considers OAuth experimental. However, “experimental” does not have the same tentative connotation associated with Google Labs projects.

OAuth 1.0 Protocol

There is also an OAuth 1.0 for web applications. OAuth 1.0 can be used for authorization to user data by all Google APIs. Google continues to support OAuth 1.0.*

* OAuth 1.0 is sometimes referred to in documentation without version number, only as OAuth.
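The difference between the two protocol sections above, as an added example (not code from Google or from this blog): an OAuth 1.0 style HMAC-SHA1 request signature that detects a modified parameter, next to an OAuth 2.0 bearer header that carries no signature and is therefore only sent over HTTPS. The URL, keys, secrets and token are constructed values, and the `Authorization: Bearer` form is the one later standardized in RFC 6750.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit

def _enc(value):
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def oauth1_signature(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the method, URL and sorted parameters (OAuth 1.0 style).

    Simplification: the URL is assumed to be already normalized (lowercase
    scheme and host, no default port, no query string).
    """
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base_string = "&".join([method.upper(), _enc(url), _enc(normalized)])
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def oauth1_verify(method, url, params, signature, consumer_secret, token_secret):
    """Server side: recompute the signature and compare in constant time."""
    expected = oauth1_signature(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

def oauth2_bearer_headers(url, access_token):
    """A bearer token is sent as-is, so only TLS keeps it confidential."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError("refusing to send a bearer token over a non-TLS URL")
    return {"Authorization": f"Bearer {access_token}"}

# Constructed sample request; every value below is made up for the example.
URL = "https://api.example.com/contacts"
PARAMS = {"oauth_consumer_key": "example-consumer", "oauth_token": "example-token",
          "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1300000000",
          "oauth_nonce": "constructed-nonce", "max_results": "25"}

def demo():
    sig = oauth1_signature("GET", URL, PARAMS, "consumer-secret", "token-secret")
    tampered = dict(PARAMS, max_results="5000")
    return {
        "untampered_ok": oauth1_verify("GET", URL, PARAMS, sig, "consumer-secret", "token-secret"),
        "tampered_ok": oauth1_verify("GET", URL, tampered, sig, "consumer-secret", "token-secret"),
        "bearer": oauth2_bearer_headers(URL, "constructed-access-token"),
    }

if __name__ == "__main__":
    print(demo())
```

A server checking OAuth 1.0 requests also has to reject reused nonces and stale timestamps, which this sketch leaves out.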

Other protocols

The OpenID-OAuth hybrid protocol provides authentication and authorization in a single-step process. OpenID provides authentication services, and OAuth provides authorization to Google APIs.

AuthSub API is Google’s proprietary protocol. It is mostly used for Google APIs. AuthSub is similar to OAuth. OAuth is more generally applicable and Google recommends that developers use OAuth instead of AuthSub API.

Registration

Registering a web application is optional. It is also free and straightforward. Web applications that are not registered with Google can still use OAuth 1.0 or AuthSub interfaces. However, registered web applications are recognized by Google and receive a correspondingly higher level of trust designation. This is communicated to users on the login screen.

Example of access request screen for OAuth or AuthSub web app

Sample Google access request screen for unregistered web application

Summary

These are the three levels of registration:

  1. Unregistered: These applications conduct transactions at a lower security level. Google flags the user login page with a precautionary message. See image above with yellow-shaded advisory.
  2. Registered and recognized but not configured for secure requests
  3. Registered with enhanced security: These applications have a security certificate and can use secure tokens.

February 28, 2011

The Anti-Matter of Network Security

Is virtual routing the “anti-matter” of network security?

This post from the Rational Security blog* presented a convincing case as to why that might be so. It was dated December 2008. I don’t know if virtual routing is safer now, or not.

Layer 3 Routing diagram for system administration

Routing diagram for networks

Meanwhile, for those interested in routing as depicted in the photo, I found a good article about LAN switches. It explains quite clearly the difference between a router and a switch.

*The Rational Security blog has since departed TypePad (as of 2009). It has a slightly altered name, and is now The Rational Survivability blog.

February 26, 2011

Google Public DNS

logo

Speed Test

Google Public DNS is a free, global Domain Name System (DNS) resolution service.

You can use it as an alternative to your current DNS provider.

How can I take it out for a test run?

To try it out,

  • configure your network settings to use the IP addresses 8.8.8.8 and 8.8.4.4 as your DNS servers or
  • read the configuration instructions.

If you decide to try Google Public DNS, your client programs will perform all DNS lookups using Google Public DNS.

Why is DNS important?

The DNS protocol is an important part of the web’s infrastructure, serving as the Internet’s phone book: every time you visit a website, your computer performs a DNS lookup. Complex pages often need multiple DNS lookups before they start loading, so your computer may be performing hundreds of lookups a day.

Read more in the Google Public DNS documentation and Frequently Asked Questions.

Speed up your browsing

DNS!

With Google Public DNS you can:

February 11, 2011

Microsoft and Google Enter the Nigerian Digital Real Estate Market

Another African country has joined Libya in the digital real estate market. The country code top-level domain, abbreviated ccTLD, of Libya is the very popular .ly.

Introducing .ng

Nigeria’s official top-level domain is .ng. Domain thisday.ng was the first registered .ng domain in December 2010. Not surprisingly, both Microsoft and Google recently secured places in the Nigerian ccTLD namespace.

Microsoft bi.ng

Microsoft registered bi.ng on 4 February 2011, although it remains parked on Microsoft name servers. One possible use is a Microsoft URL shortening service.
