David Cameron’s move to ban strong encryption is dangerous and futile

In the wake of the terrible events in France, the Conservative Party of the UK are, in an act of tedious predictability, capitalising on a crisis to sell a policy that further erodes British freedoms.


The always-updated Heartbleed masterpost

Heartbleed is quite possibly the most enormous security issue to hit the Internet in over a decade. It was made public on Monday 7th April; if you haven’t heard of it yet, then you’ve probably been living under a rock.

Unlike individual sites getting compromised and the username/password database leaked, Heartbleed affects most secure sites on the Web. It has been proven to leak user information, and more recently, private keys. Because it’s not a virus, trojan, or other malware, the steps to fix it have to be taken by the people who run the websites you use, but there are things you can do to minimise its impact on you.

Let’s start with a quick demonstration that I knocked up to explain how it works.

As you can see, any information that the website processes is at risk of being sent out. It’s hard for an attacker to choose exactly what information will be sent back, but even without making the significant effort to target specific memory, they can repeatedly send the attack hundreds of times a second, potentially receiving a different chunk of memory each time.

The tiny bit of good news in this mire of disaster is that the severity of the issue has pushed most affected sites to patch it. Unfortunately, patching alone isn’t the end of the story, and nothing undoes what was leaked while a site was vulnerable – we’ll get into that a bit later.
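To make the ‘accidental mistake in software’ concrete, here is an added example (my own illustration, not code from this post or from OpenSSL) of the TLS heartbeat length check that was missing. A heartbeat message carries a one-byte type, a two-byte declared payload length, the payload, and at least 16 bytes of padding (RFC 6520). The vulnerable handler trusts the declared length and copies that many bytes, running past the end of the record into neighbouring memory; the fixed handler refuses any record whose declared length doesn’t fit in what was actually received. The ‘process memory’ and the leaked credentials below are constructed byte strings standing in for the heap.

```python
"""Added example (not the post's own code): the heartbeat bounds check whose
absence was Heartbleed, with a constructed byte string standing in for the heap."""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3       # 1-byte message type + 2-byte big-endian payload_length
MIN_PADDING = 16     # RFC 6520: at least 16 bytes of padding after the payload


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request.

    `claimed_length` lets a test construct the malformed message at the heart of
    the bug: a declared payload_length larger than the bytes actually sent.
    """
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def heartbeat_vulnerable(record: bytes, memory: bytes) -> bytes:
    """Pre-fix behaviour, simulated.

    `memory` models the receive buffer: the record sits at offset 0 and whatever
    the process last handled (constructed here) follows it. The handler copies
    `payload_length` bytes from the payload offset without checking that the
    record is that long, so over-long requests read past the record.
    """
    _, declared = struct.unpack("!BH", record[:HEADER_LEN])
    echoed = memory[HEADER_LEN:HEADER_LEN + declared]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, declared) + echoed + b"\x00" * MIN_PADDING


def heartbeat_fixed(record: bytes) -> Optional[bytes]:
    """Post-fix behaviour: discard any record whose declared payload_length plus
    header and minimum padding exceeds the bytes actually received, and otherwise
    echo exactly the payload that was sent. Returns None for a discarded record."""
    if len(record) < HEADER_LEN:
        return None
    _, declared = struct.unpack("!BH", record[:HEADER_LEN])
    if HEADER_LEN + declared + MIN_PADDING > len(record):
        return None                      # the check OpenSSL was missing
    payload = record[HEADER_LEN:HEADER_LEN + declared]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, declared) + payload + b"\x00" * MIN_PADDING


if __name__ == "__main__":
    # Constructed stand-in for data the server recently processed.
    SECRET = b"user=alice&pass=hunter2"
    malformed = build_heartbeat(b"hi", claimed_length=41)
    heap = malformed + SECRET
    print("vulnerable echoes:", heartbeat_vulnerable(malformed, heap))
    print("fixed returns    :", heartbeat_fixed(malformed))
    print("well-formed      :", heartbeat_fixed(build_heartbeat(b"hi")))
```

The fix is a single comparison, which is why the patch landed so fast; the hard part, as the rest of the post explains, is everything that was read out of memory before it did.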

Securing yourself

The important thing to remember is that this attack does not target you, it targets the websites you use. Security software such as VPNs, antivirus/antimalware, and consumer firewalls, will not afford any protection. Heartbleed is not a virus, it is an exploitable bug: an accidental mistake in software (‘bug’) that can be taken advantage of if you know how (‘exploitable’).

There are two major things that may have been compromised here: your username and password, and the server’s private key. I’ll take them one at a time.

Your username and password

Sensitive login details are often returned in a Heartbleed response. Here’s an example from the period during which Yahoo! was vulnerable.


The blue portions are added to avoid revealing a live user’s details. You can clearly see the username and password near the bottom.

What makes Heartbleed fairly unusual is that the normal ‘change your password’ reaction is not necessarily the right thing to do. Because Heartbleed leaks the contents of memory, the more recently the server has had to process your details, the more likely it is to appear in a random Heartbleed response.

This means that until the server has been patched, you should avoid using it entirely, including using it to change your password.

You can check whether a site is affected using the tool at filippo.io/Heartbleed – enter the address of the site you want to check in the text area, and press ‘Go!’. For help, read the FAQ at filippo.io/Heartbleed/faq.html or leave a comment and I’ll try to help.

Assume that all sites you use have been affected. Change all your passwords, but not until you’ve verified that the site in question is safe. It’s a pain, it’s boring, and it’s irritating, but it’s entirely worth the effort.

Private keys

This is, in many ways, the biggest issue. Fedor Indutny has successfully recovered a private key from a vulnerable Web server. This is something that many people, including Cloudflare and myself, thought would be practically infeasible in a real-world scenario. He’s proved his success cryptographically, and I’m absolutely certain that he’s succeeded.

Possession of a private key allows anyone to impersonate the site in question (for example Google, or your employer) without any warnings being displayed, and to decrypt any captured traffic whose session keys were protected by that private key (sessions using perfect forward secrecy are the exception, but PFS is underutilised).

This is exceptionally bad, and there’s not really anything conclusive that can be done about it. Your best call is to switch to Firefox, using the HTTPS Everywhere addon (enable the SSL Observatory when asked), and the Perspectives addon. These addons will provide another layer of checks, giving you the best chances of detecting any impersonation.

Technical users may also benefit from Certificate Patrol, but normal users will find it confusing, and it’s worthless if you can’t interpret its warnings.


I’ll be tracking the impact of Heartbleed, as I doubt we’ve heard the end of it. This post will be updated as new information comes to light.

Update (2014-04-14 22:36 UTC): Tor

Tor is particularly threatened by Heartbleed, as it could provide a window into identifying information for hidden services (i.e. .onion sites), and a coordinated attack could compromise anonymity by providing access to plaintext data.

Red Team have been mapping vulnerable GUARD and EXIT nodes. Now is a very good time to update your Tor Browser Bundle to at least version 3.5.4.

No, seriously, why DO you hate porn stars?

A gentleman by the name of Conner Habib recently wrote about his experience as a porn actor. Not the actual day-job side of it, but about how his profession caused him all manner of hassle in his day-to-day life and his love life.

“Well,” I said to Alex, “I’m a porn star”.

It’s the kind of thing that when you say it, you’re worrying you might flinch a little, since you’re expecting the other person to.

At the time, porn was my main job. One to five movies a month. I was still getting used to telling people about it. Making movies was my favorite thing in the world, but it was tiring sometimes. And it followed me around. Every meal was linked to the shape of my body and my livelihood. I had to go to the gym a lot, which I’d never done regularly. But then, because I was going to the gym, because I was making porn, things like this happened – I got to meet guys like Alex.

“Oh,” he said, and then looked into his tea.

Why do you hate us? What is it about us you don’t like? I never get the answer, just the symptoms of the answer.

It’s an incredible piece of writing, from someone who’s been through a lot and is able to share it very eloquently, and is well worth a read.

Anyway, I’m picking this up because a friend of mine shared it on Facebook, having had the same reaction that I had to it, and there was a reaction that neither of us had expected.


Would you tell a victim of abuse not to deal with their own trauma by making disturbing forms of art? How about taking up a punishing physical sport like mixed martial arts? No, of course you wouldn’t, because it’s their trauma and it’s their decision how to deal with it. The base disgust that Conner Habib talks about in his article is on display here – because it’s porn, it’s obviously a negative influence.


Here’s the ‘porn is base/disgusting’ viewpoint. It’s entirely up to someone whether they consume porn, and it doesn’t affect anyone who chooses not to, but somehow by existing it taints the person involved.


Again – “this is my preferred presentation of human sexuality, any other presentations are inferior” is the message here, and the concept of porn is lumped together into one amorphous mass of negative influence.


A person who went through a horrible experience and struggles to sustain his chosen coping mechanism without losing friends and relationships isn’t entitled to be upset with the situation and write about it? I have to wonder if the same would be said if he chose to write about his abuse without reference to his career in porn.

Let’s consider an allegory: drunk driving. Banning alcohol, or banning driving, or both, would put a stop to drunk driving. Neither are desirable. People enjoy alcohol, and consumed appropriately, it’s harmless. People need to drive, and when done safely, it’s harmless. Clearly targeting the specific issue – driving and alcohol together – is the pragmatic course of action.

Now, it’s extremely important to bear in mind that there are serious problems with the production, distribution, and consumption of pornography. That must not be ignored if we hope to change it. That said, though, just as we wouldn’t ban cars and alcohol to stop drunk driving, we can’t take the easy option of pushing porn as far into taboo as possible in the hopes of reducing its prevalence. All you need to do is take a good look at some of the murals discovered in the ruins of Pompeii to realise that the representation of human sexuality is something that isn’t going away.

So, how do we move forward? First, we accept that the sex work industry is not going away, and in fact can be a very positive thing for those involved. We also accept that it has serious problems. Secondly, we agree that we want to fix these problems (‘drunk driving’ in the previous allegory), without stopping people from doing something they enjoy (‘drinking alcohol’) or something that is a necessity in their lives (‘driving a car’).

It’s worth noting and examining a recent significant change in the landscape of porn. Internet connections and media distribution opportunities are getting better and cheaper. Payment processing is getting easier. Content marketplaces are springing up. As a result, indie porn is seeing something of a renaissance. People are starting their own small boutique studios, producing their own content, and selling it themselves.

This is a big deal. Whereas the image of the sleazy LA lounge lizard was the previous stereotype of the porn studio head, exploiting desperate people in order to make his filthy lucre and buy really bad suits, it’s being replaced by someone who has nobody but themselves deciding what they do, how they do it, who they do it with, who they want to sell it to, and for what price. There will always be a consent issue with porn – even with the best of communications and pay structure, the premise of ‘doing it because you have to’ applies to anything which pays the rent and bills. That said, independent studios are able to optimise for enthusiastic consent within that scaffold.

Even the larger studios are able to take steps to maximise enthusiastic consent and minimise grudging resignation. Pro-rata payment structures are taking hold, meaning that if an actor chooses to stop filming at any point, they are paid fairly for the proportion of the material completed. On-camera discussion of consent and humanisation of the actors is starting to take off, with filmed consent negotiations being part of the content itself, and the participants talking frankly about what they enjoyed or didn’t enjoy before and after the shoot.

I’d like to take a minute to talk about condom-visible porn while I’m at it. I’m a huge believer in safer sex. I was of the opinion that condom-visible porn was a goal to work towards, both to promote their use and for the safety of the performers. However, after a conversation with someone involved in the kink.com production team, my opinion has been changed, and I’d like to share why. It’s fairly simple – penetrative sex means friction. Over the course of the production of a piece of content, you can expect many re-takes, meaning lots of penetration and lots of friction. Friction means two things – firstly, degradation of the condom, and secondly, tiny ruptures in the thin skin of the genitals; tiny ruptures that are perfect entry points for STIs.

Had I not had the chance to speak to a performer, I wouldn’t have known this. By denying sex workers a platform, we’re missing out on this kind of information and advocacy. That puts people in danger, and that is unacceptable.

I have been an extra in a porn shoot (fully clothed, and unavailable in the UK, but by all means, go hunting). My flat has been used as a set for a few shoots. More than one of my partners have been involved, or are involved, in the production and sales of indie porn. I’m not a performer, but I do know what I’m talking about.

Let’s focus on providing resources for the undeniable few who are abused in the sex work industry, and reducing the risk that those who work in it face every day. The alternative is what’s happening now: wasting our efforts hand-wringing about the morality of a few naked humans doing the same naked human things that naked humans have done for thousands of years.

Dropbox hack: not everything (or anything) that it seems to be

The Twitterwebs were all a-buzz yesterday, as @1775Sec claimed that they had access to the Dropbox systems and were preparing to leak usernames and passwords.

At the time, the Dropbox site was down, with sync services unavailable. It looked a bit concerning, and then the worst happened – a leak was posted to Pastebin.

The ‘leak’ contained what appeared to be first names, last names, and email addresses. The lack of password information was a bit suspect. And then…

The truth came to light. A DDoS attack (for the uninitiated, this involves bombarding a target with so much traffic that it stops being able to respond) had taken the Dropbox site down, and the ‘leak’ was nothing to do with Dropbox. Of course, that hasn’t stopped the nonexistent leak being reported as fact:



Yet again, a lesson in not believing everything that you read.

A slight case of overblocking: the UK web filters are a disaster

Sadly, the UK government chose not to use the overwhelmingly unified voice of the technical community to help them make policy, because “self-regulate or we’ll legislate” filtering is now a reality for UK homes.

New customers to TalkTalk and BT, and soon Virgin Media too, will find that unless they explicitly choose otherwise, their connection will be filtered by an unaccountable, ominously-named “third party filtering solution”.

The visual language of the filter is quite clear, too –


Look how enticing the “opt in” section is. Natural side of the UI to start reading, encouraging information, coloured button, green tick, green shield denoting ‘protection’ with the symbolism of a family behind it. The ‘opt out’ section is denigrated to the far right, in a tiny column, with no further information and an unencouraging plain button.

So, what’s actually getting filtered?


For a minute there, I thought that sex education was actively included. No, wait, that’s exactly what’s happened. Note that ‘gay and lesbian lifestyle’ is considered ‘sex education’ – this is likely (though I can’t verify) to include sites like PinkNews and SoSoGay. Also note the ‘nudity’ category, classified as nudity without sexual content – even if you don’t actively block sex education content, I find it unlikely that any decent sex education resource is nudity-free, meaning it qualifies for automatic blocking on the ‘Moderate’ and ‘Strict’ settings.

Sex education should never, ever, ever be filtered. Not ever. Denying children access to resources regarding sex education (note that I’m not talking about porn here – that’s another conversation) is outright abusive. And what about resources for the survivors of rape, child abuse, domestic abuse, and similar? Would they be blocked under ‘sex education’, or the much easier to enable ‘weapons and violence’?

Why the whole concept is flawed

Remember, this is being promoted as a way to block ‘the really nasty stuff’. Well, let’s get technical for a minute, and consider that. The Internet is a collection of protocols, one subset of which is the Web, which uses HTTP and HTTPS. The filters are designed to block HTTP and HTTPS content.

The problem is something called, in rather lurid terms, ‘the darknet’. This is just a collective term for protocols like Tor, I2P, Freenet, and more. These are designed to encapsulate HTTP and HTTPS traffic, rendering it uninspectable to the filter, and to allow anonymous communication with remote sites.

Guess what? That’s where ‘the really nasty stuff’ lives.

Now, darknet protocols are not evil; they’re used to circumvent political repression in more oppressive regimes, for example. It’s like walking down the street in Camden. There are drug dealers openly plying their wares – does that mean that everyone in Camden is a drug dealer? No.

But, the fact remains, the darknet is where any self-respecting child-abusing scumbag goes to do whatever it is that child-abusing scumbags do, and the filters that are being rolled out do not inspect it.

Tin foil hats at the ready

This is about two things; courting votes by letting tabloids make policy – the Daily Mail has been all over this one since the beginning – and control of information flow. When you have a centralised location that is able to control what content the vast majority of the online public is able to see, by selling it as a positive way to ‘protect children’, you can control what they can read about.

The Government can declare a group a ‘terrorist organisation’ or ‘hate group’. It seems natural that the sites of those groups would be listed in the filters. The question is, of course, what stops them from using that measure against any group that threatens their power or even disagrees with them? We’ve already seen the Conservatives erase their pre-election promises from the Web, so clearly revisionism is not a problem for them.

They may not do this. Cameron may simply be deluded into thinking that this will end child abuse for good. The problem is, though, that by building these massive filtering architectures, we hand control over content filtering to unaccountable (and unnamed) ‘third parties’ where before we had the control ourselves.

My own personal views aside, I can understand the human desire to control what kind of content flows into a family home. For years, software has existed to do the same thing that these remote filters are doing, except in the home, and under the control of the family itself. If you want to open it up, you open it up. You don’t have to tell a ‘third party’ that you actively want to access pornography, or information about weapons, or download Justin Bieber’s latest abomination.

Some sites should never be blocked

No, it really is that simple. The Samaritans, for example. Childline. Resources for those enduring domestic abuse, or child abuse, or human trafficking. Sex education. LGBTQ resources. There are certainly more. Consider the situation in which an abuser controls the filter, and ensures that their victim is unable to reach out for help.

Conversation is better than silence

The Internet is about free flow of information. There’s no actual evidence that pornography has a denigratory effect on children in the first place. Sex education is important to establish the falsehood of pornography and the criticality of consent and respect for partners. Blocking it all is the same logic as abstinence-only sex education; it ensures that when kids find out about it (and I promise you, they will go looking) they get their information from the sketchy sites able to slip through the filter – or, worse, darknet content.

If you’re tempted to use these filters to ‘protect’ your kids, reconsider. Talk to your kids, don’t wall them off. Conversations about sex can be difficult, but they are going to come across pornography at some point, and if they have an understanding that their sexual nature is part of being human, that pornography is a staged, false version of sex full of smoke and mirrors, and that in the real world safety, consent, communication, and laughter are all part of a healthy sex life, does it really matter what they see online?

Resist anything that chooses wilful ignorance over education and discussion.

The most terrifying compliment you can pay someone with a hidden illness

In news that will surprise nobody, I suffer from CFS/ME. It’s a difficult condition to manage, not only because of its effects but also because of the way people react to it – or, more specifically, don’t react to it.

CFS/ME, fibromyalgia, and similar conditions present – to the uninformed eye – as a person being antisocial and lazy. One of the top worries for a sufferer who is able to hold down a job is how our colleagues and superiors feel about us. Even when a job isn’t involved, we have the same worries about our friends.

So when we hear this particular compliment (or a variant) it completely paralyses us with worry. That compliment?

“You’re looking really well”

Suddenly, the efforts that we’ve made to tell people about our conditions, while trying to come across as self-motivated, mature, and responsible, seem like they’re nothing.

People see us as well people, because we’re looking really well.

Does this mean that everyone’s judging us on the basis of what a well person should be capable of? Does the cornucopia of fuckups that our conditions bring seem like they’re wilful? And, critically, do the vast majority of people – who, necessarily, we haven’t made the enormous effort to try to explain our conditions to – think that we should be doing better?

It’s a statement that comes from the best of places, and especially from people who do understand the condition. It’s meant to make us feel better, to make us feel less of a failure. It does the opposite.

What would we rather hear? “Wow, you look like crap” is actually better. The ideal, though, is nothing. Not commenting on my outward appearance of health is an implicit statement that you understand that appearances are completely meaningless.

If you want to talk about how we’re doing, ask us. Understand that a hidden illness is called that for a reason, and that your support is not only appreciated but critically important.

(Creative Commons photo credit: exalthim)

Bitcoin, Litecoin, Namecoin, and the rest: a cryptocurrency Rogues’ Gallery

Bitcoin, or ‘BTC’, has been flying around the collective geek consciousness a lot lately, mainly due to its ridiculous climb from $12 a year ago on 2012-12-02, to its peak of $1242 on 2013-11-28. It’s a value-exchange system that has a lot of promise, and is going in all kinds of interesting directions, but for the moment we’re going to head off on a tangent to Bitcoin and take a look at the alternatives that are based on its concepts.

I’ll talk about the two options that I think are worth paying attention to, and then I’ll talk about ‘the rest’. For the two interesting altcoins, Litecoin and Namecoin, I’ll tackle them both cryptographically and economically, but remember: I’m a cryptographer, not an economist, so I wouldn’t make any investment decisions based on my economic analyses.

Litecoin / ‘LTC’


Technical introduction

Litecoin is probably the most well-known altcoin. At its heart is a totally different cryptographic primitive, known as scrypt.

In contrast to Bitcoin’s use of SHA-256, scrypt is designed to be memory-hungry rather than easily optimisable. To see why that matters, start with SHA-256: it is a mathematical construct built to be very easy to operate in one direction and impossible (more specifically, too cryptographically expensive) to operate in the other. That one-way nature is critical to its security.

Right, so what about scrypt? Well, same concept, except scrypt is built to make going in the correct direction a little bit harder. To generate a result, a certain amount of memory is required for each computation. It doesn’t need to be much to achieve its desired result; that result being making parallelism harder.

While this is an oversimplification, Bitcoin (and its derivatives) require a lot of trying to go in the wrong direction with a cryptographic hash function, until someone gets ‘close enough’ to the goal. ASIC mining rigs can perform ludicrous numbers of SHA-256 hashes per second – the latest beast that I’ve been dribbling over can perform around 300,000,000,000 hashes per second (300GH/s). That’s ~0.005% of the grunt of the entire Bitcoin network, and for a single device, it’s enormous.

Enter scrypt, which means that each of these massively parallel ASICs needs to supply an amount of memory per scrypt operation. Memory is still expensive, and large, and runs hot. Suddenly, a USB-sized ASIC fills a full rack, brings a huge energy bill with it, and melts nearby icecaps with its waste heat.
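Here is an added example (mine, not the post’s) that makes the ‘trying to go in the wrong direction until you get close enough’ idea runnable, and shows where scrypt’s memory cost comes in. It runs the same toy proof-of-work loop over double SHA-256 and over scrypt, where the only thing that changes between the two is the hash function; the scrypt cost parameters, the ‘block header’ and the difficulty are constructed for the demo (the 128 × r × N working-memory figure is scrypt’s own, the specific N, r, p values here are an assumption chosen so the loop finishes quickly).

```python
"""Added example (not from the post): a toy proof-of-work loop run with SHA-256d
and with scrypt, plus the working-memory cost that makes scrypt ASIC-hostile."""
import hashlib
from typing import Callable, Optional, Tuple

HashFn = Callable[[bytes], bytes]


def sha256d(data: bytes) -> bytes:
    """Bitcoin's mining hash: SHA-256 applied twice. Its state is a few dozen
    bytes, so thousands of copies fit on one chip and run in parallel."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


# scrypt cost parameters for the demo (assumption: small enough to finish in
# seconds). Each evaluation needs a scratch buffer of 128 * r * N bytes.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 1024, 1, 1


def scrypt_memory_bytes(n: int = SCRYPT_N, r: int = SCRYPT_R) -> int:
    """Working memory one scrypt evaluation needs; every parallel core must
    have its own copy, which is the point the post makes about ASICs."""
    return 128 * r * n


def scrypt_hash(data: bytes) -> bytes:
    """scrypt used as a mining hash. The input is fed in as both password and
    salt so the result depends on nothing but the header and nonce."""
    return hashlib.scrypt(data, salt=data, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def target_for(difficulty_bits: int) -> int:
    """A digest 'counts' when, read as a 256-bit integer, it is below the target.
    Each extra bit of difficulty doubles the expected number of attempts."""
    return 1 << (256 - difficulty_bits)


def mine(header: bytes, hash_fn: HashFn, difficulty_bits: int,
         max_nonce: int = 1_000_000) -> Optional[Tuple[int, bytes]]:
    """Try successive nonces until hash(header || nonce) is below the target.
    Returns (nonce, digest), or None if max_nonce is exhausted."""
    target = target_for(difficulty_bits)
    for nonce in range(max_nonce):
        digest = hash_fn(header + nonce.to_bytes(4, "little"))
        if int.from_bytes(digest, "big") < target:
            return nonce, digest
    return None


def verify(header: bytes, hash_fn: HashFn, difficulty_bits: int, nonce: int) -> bool:
    """Checking a claimed solution costs one hash, however long mining took."""
    digest = hash_fn(header + nonce.to_bytes(4, "little"))
    return int.from_bytes(digest, "big") < target_for(difficulty_bits)


if __name__ == "__main__":
    header = b"constructed demo block header"        # constructed input
    for name, fn in (("SHA-256d", sha256d), ("scrypt", scrypt_hash)):
        found = mine(header, fn, difficulty_bits=12)
        nonce, digest = found
        print(f"{name:9s} nonce={nonce:6d} digest={digest.hex()[:16]}...")
    print("scrypt scratch memory per evaluation:", scrypt_memory_bytes(), "bytes")
```

Both loops do identical work in terms of attempts; what differs is that each scrypt attempt drags a 128 KiB buffer through memory, and raising N or r scales that buffer linearly, which is the lever that keeps the hash from collapsing into a tiny, massively replicated circuit.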

Economic analysis

From 3 USD a month ago (2013-11-02), Litecoin has risen somewhat rapidly to a peak of 48 USD (2013-11-27) and is now dipping, currently at 29 USD (2013-12-02).

If Bitcoin’s value is unstable, Litecoin is like blending yourself up a nitroglycerine smoothie. There are rumours – and they are only rumours – that the LTC rise is a pump-and-dump, intended to raise its price against BTC so that those boosting the price through nefarious means can cash in their LTC for BTC, leaving the LTC purchasers holding something that nobody wants to buy since the pump-and-dumpers were the ones creating the demand in the first place.

These are just rumours. It might simply be that people are interested in investing in what might be the next big thing – and it’s true that an ASIC-resistant cryptocurrency does have value. Something ugly will have to happen to Bitcoin, though, before Litecoin sees serious uptake.

Namecoin / ‘NMC’


Technical introduction

Namecoin is a bit different from the ‘store of value’ cryptocurrencies. While Namecoin currency does have a financial value, what you are really buying is the ability to make assertions and have those assertions recorded on the block chain, with the nonrepudiation, nonreplayability, chronology-by-consensus, and all the other properties that make Bitcoin a secure store of financial value.

Sounds boring? Well, in the abstract, it is. The exciting bit is what it can be used for. Centralised DNS replacement, for example, as with the dot-bit project; I’ve got a Namecoin, and I ‘spend’ that Namecoin to make an entry in the ledger to assert that I’ve created the domain dave.bit. Since I now own that domain, I can now issue further statements signed by my private key to give it A records, MX records, in fact arbitrary data.

As long as someone has a copy of the blockchain, they can use it to look up records stored in it. Namecoin’s scarcity prevents mass registrations, and the cryptography protects the integrity of the record. DNS-based censorship is no more, everyone wears robes, and sings happy songs for the rest of eternity.

Of course, it’s not just DNS that can benefit from a key-value store like Namecoin. There are projects to perform SSL certificate verification (replacing the CA trust chain), public and permanent signing of documents, and more.

Economic analysis

Namecoin relies on scarcity to prevent spam and flooding, but it’s not a financial instrument. Namecoin will find a value, definitely, but that will only happen when/if it becomes the dominant DNS store, SSL verification method, document signing tool, or so on.

Right now, Namecoin currency is not a good investment. Maybe grab a few to play with (or mine a few) but there’s a lot that has to happen before Namecoin develops any real financial value.

And the rest; or, ‘the ugly’


Looks legit.

Oh, they’re out there. A brief, non-exhaustive list of other altcoins –

Blakecoin (BLC), Bitcoin-scrypt (BTC2), Curecoin (CRC), Huitongbi (HTC), Kingcoin (KING), Memorycoin (MEG), NXT, Offerings to Cthulhu (OFF), Pangu (PGC), Protoshares (PTS), Quark (QRK), Skeincoin (SKC), Securecoin (SRC), Tagcoin (TAG), Primecoin (XPM), and more…

Why bother? Well, some come from people with an idea – a good idea or a bad idea, but with good intentions – for a twist on Bitcoin, but don’t have the adoption required for success. Many, however, are malicious scams, using ‘pre-mining’.

Here’s how it works. You build a cryptocurrency and you set the rules so that a huge number of units can be mined in a very short period of time. Then, you and your friends mine them. Holding your enormous supply of your own cryptocurrency, you invite others in, to mine at a much higher difficulty, hopefully developing interest in the currency and raising its value. At some point, your group decides that enough is enough, and sells off its huge stack of early, easily-mined coins. You’re rich, and the currency is hugely devalued and will shortly die off.


The ugly truth: cryptocurrency is not safe to trade.

The volatility of even the most stable cryptocurrency, Bitcoin, is absolutely enormous. Trading is not trading, it’s outright gambling, and if you put money in then you have to accept that money might vanish overnight. Also, it’s a microcosm of the real economy; for someone to win, others have to lose.

This will change if Bitcoin gains liquidity and you can expect to be able to pay for things in a given shop with it. Not everywhere, but on the level of a credit card, at least. Until then, its value is driven by speculation, and that’s a recipe for disaster.

Cryptocurrencies are a technically fascinating development, with a generally good community, and they’re a lot of fun to get involved with. Just don’t get tempted to invest any money that you don’t consider ephemeral anyway.

[Review] Asus Transformer Book T100: it’s Atom, but not as we know it

Asus have just released the latest in their Transformer range, and this one’s a bold move. It’s a full x86 tablet/ultraportable, it runs Windows 8.1, it’s got an 11-hour battery life, and it’s $350. Looking for the catch, I got my hands on one.


A brief history lesson

I was an early adopter for netbooks. I’ll admit it; I thought they were going to be enormous. In 2007, I owned Asus’ very first Eee PC, the 701, and it was a thing of beauty at the time – a true go-anywhere commodity computer.

Unfortunately, the processors and graphics chipsets of the time were, to put it bluntly, a bit crap. Still, I stuck with the netbook form factor, and owned four different netbooks from Asus, Acer, and Dell. All of them (bar the very first Eee 701) were built around Intel’s Atom chipset – and, to be honest, they didn’t have the grunt they needed to even approach viability as an everyday machine. ‘Intel Atom’ became a synonym for ‘good luck getting anything done’.

Fast-forward to today. Intel’s line of CPUs have come a very long way; all you have to do is look at the battery life and performance that mobile platforms are squeezing out of the Haswell i5 and i7 processors to see that.

However, as I discovered, Intel have been quietly de-bollocksing the Atom line too.

Transformer what?

Asus’ Transformer line is pretty cool. I owned an Android-based TF300T until it disappeared mysteriously. Gnomes or something. Anyway, the Transformer devices have historically been Android tablets that docked to a keyboard and touchpad to turn them into ultramobile laptops. Sadly, they didn’t turn into trucks and start moaning about the good old days in Cybertron, but you can’t have it all.

Because of the efficiencies afforded by the Android platform, they had long battery life, and I wrote many a blog post on the TF300T. The offerings varied from budget (like the TF300T) to the luxury (such as the Infinity), but they all had Android in common.


The T100 is Asus’ first budget Windows 8.1 hybrid, and it’s cheap. Best Buy carries it for $350 over here. Equipped with a Bay Trail Atom processor, 2Gb of RAM, a 32Gb lump of eMMC storage, and a microSD slot, it’s not exactly going to be rendering Pixar’s latest masterpiece, but that Bay Trail SoC is far more powerful than you might expect. The Atom Z3740 at the heart of the machine is clocked at 1.33GHz, and has onboard graphics on the SoC.


If any other netbook veterans are reading this, alarm bells are ringing at the mention of Atom and onboard graphics. Allow me to muffle them with a quick video.

Whilst some games chew, you just saw Starcraft 2 and World of Warcraft running at the device’s 1366×768 native resolution without any significant slowdown. Of course, this isn’t a device to buy for gaming, but as a performance demo it’s striking.

Sound and vision

Video playback is excellent. YouTube’s 1080p H.264 plays without any issues, and the machine remains responsive when multitasking during playback.

The onboard speakers, too, are surprisingly good. They’re hardly audiophile-grade, but they’re loud without distorting, and the frequency response is inoffensive if a bit tinny.

Web and productivity

As far as the intended use case for the T100 goes, which is a no-frills mobile device – one of the selling points is the inclusion of Microsoft Office – it’s exemplary.

Multitasking with Chrome, Word, and Outlook is extremely responsive, with slowdowns only appearing when lots of swapping is going on. The storage is quick but not SSD-grade, and with just 2GB of RAM to play with, swapping is inevitable.

The display is a 1366×768 10.1in IPS panel. Nice and bright, very clear, good viewing angles, and works well in either landscape or portrait mode. It’s not a high-DPI display, but to be honest, you wouldn’t expect it to be at this price.


Asus quotes eleven hours for the battery, and they’re not making it up. Laptop Magazine’s standardised test (continuous web browsing, 40% screen brightness, Wi-Fi enabled) clocks at 12h28m. That’s 88 minutes longer than Asus claims in the T100’s marketing material.

The battery charges incredibly slowly, but with twelve hours of battery life between charges, overnight charging isn’t too big a deal. The likely reason for this inexorable trickle is that the tablet’s power comes from a standard micro-USB connector, and the supplied power adapter is your standard 5V@2A tablet rating.


Bluetooth 4.0 and 802.11n Wi-Fi are exactly what you’d expect, and they’re what you get. What you might not expect, however, is a mini-HDMI port that talks HDMI 1.4 on the tablet, and a full-speed 5Gbit USB 3.0 port on the keyboard dock.

Build quality

And here’s the catch. It’s a cheap device with surprising grunt, and corners have been cut on the build. The case is plastic and flexes slightly under strain, the touchpad on the keyboard dock is functional but pretty terrible, and the keys, while crisp, are cramped.

Unlike previous incarnations of the Transformer line, the T100’s keyboard dock does not contain a battery. Transformer devices have always been top-heavy, but the T100 is especially bad because of the lack of weight in the dock.

It’s definitely usable on a flat surface or a surface inclined toward you, but any surface inclined away from you will be a problem. It’s not a critical problem; the palm-rest area is fairly large, and keeping your palms in place stabilises things, but it’s not something that a user really wants to have to think about.

Technical caveats

The first thing I did when I got the T100 was fiddle with the bits that I wasn’t meant to. It’s a UEFI-based device with Secure Boot enabled by default, but that’s easy to disable.

However, once I did, I realised something deeply annoying. The Atom processor is a 64-bit device, but Asus’ bootloader will only load 32-bit EFI code. Since I haven’t found a way to chainload 64-bit code from 32-bit code, you’re stuck with a 32-bit operating system.

Ubuntu boots with a bit of hackery to trick the Asus bootloader into thinking it’s Windows, but many of the important bits don’t work, and X only runs in (horribly slow) fbdev at 800×600. Whilst that might just be a matter of time, if you consider Windows 8.1 unacceptable as a long-term operating system, this is not currently the device for you.

I successfully reinstalled Windows (32-bit) from scratch using an ISO and a USB stick, and the drivers and downloads on Asus’ support site are sufficient to get all the devices working as they do on the stock image.

For now, at least, you can forget about 64-bit operating systems, and at least in the short-to-medium term, you can forget about non-Windows operating systems too, but that’s mainly a hardware support issue since the Atom SoC in the T100 is so new. It remains to be seen if we have another Linux-unfriendly GMA500 on our hands – that all depends on how forthcoming Intel are with specifications.

Making a decision

Right now, the T100 is pretty unique in its little niche of the market. The closest alternative is probably Lenovo’s ‘Miix 10’, which uses a previous-generation Atom and lives at $579, so you’d be paying more for less grunt. The Miix reportedly has a nicer build quality, but that’s the only potential upside.

Do you need the T100? Probably not. It’s a sidecar machine, capable of allowing you both to get stuff done and kill time watching cat videos while you’re commuting to and from the office. It’s unobtrusive, and you’ll definitely feel more comfortable cracking it out on public transport than you would a shiny, humblebragging Mac.


While the T100 is unashamedly plasticky, it’s a cool toy, at a great price, with a battery life that serves its use case perfectly. If you were burned by the netbook dream but loved what the concept had to offer, you may well find the T100 to be quite compelling.

The mind-controlling parasite that affects 1 in 3 humans

There is a parasitic infection that 30% of the human population of this planet carries. It’s easy to pick up, passes from mother to child, and can present no obvious symptoms. It has also evolved the ability to influence its host’s thoughts, decisions, and behaviour.

Its traditional reproductive cycle is between cats and their prey.

Simple enough. An infected cat craps Toxoplasma, a rat eats the infected faecal matter and becomes infected, another cat eats the rat, and the cycle continues. Toxoplasma thrives in any warm-blooded animal, so human infection can occur through the faecal or flesh route, through eating or drinking contaminated food or water.

The cool (and/or terrifying) bit about this? Toxoplasma fucks with its host’s head.

Toxoplasma gondii: tiny orange wedges of doom.

You see, rats are quite risk-averse. They have no defence against predators other than situational awareness, running really fast, and the ability to squeeze through tight escape routes. What Toxoplasma does is cause the rat’s aversion to risk to decrease. The rat is bolder, more confident, and less likely to run when faced with a possible warning sign of a predator.

This makes the rat more likely to be eaten by the predator, which makes Toxoplasma spread more quickly.

Sucks to be a rat, right? Well, this effect isn’t confined to rats. It happens to humans too. The parasite achieves its sneaky ends by causing massive secretion of a neurotransmitter called GABA – which rats and humans share in structure and function. The result is mental instability, reduction in risk-averseness, and aggression.

Two separate studies have shown that infected humans are 250% more likely to be involved in a car accident. Relative level of infection is directly correlated to increased suicide rates. Antipsychotics are as effective as antiparasitics for mood disorders in infected rats. Even significant cultural differences can be strongly linked to Toxoplasma infection rates.

It could even give a proper explanation to the stereotypical link between mental instability and cat ownership.

Toxoplasmosis is dealt with by a cocktail of antiparasitics and antibiotics, which is unpleasant and expensive. For these reasons, infection is rarely treated unless severely symptomatic or in cases of immunosuppression such as in HIV+ people. Meanwhile, the little bastard sits in one in three human brains, tugging at the strings of our thought processes, and helping us make really bad decisions.

After the closure of Lavabit, don’t look for an alternative

Having made the news by being used by Edward Snowden, the hosted secure email service Lavabit has been forced to shut down. In a statement now available on the Lavabit website, its creator said –

“I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on–the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.”

Obviously, Lavabit’s actions are laudable from a privacy viewpoint. They were offered a choice between handing data over or shutting down, and chose the latter. The service was well-built, but it suffered from one unavoidable and critically important issue – it was a trusted third party, which is a great big flashing danger sign to crypto / privacy geeks.

HushMail: when trusted third parties go bad

HushMail was the original attempt to provide strong cryptography in a web-based email service. It used a Java applet to perform cryptographic operations, with an encrypted private key stored with HushMail. All well and good, until you realise that HushMail started serving a backdoored version of its Java applet to certain users when requested by a court order. Their crypto was solid, unless you were served the intentionally broken Java applet, at which point your data was no longer secure. Admitting to this was laudable, but there’s a clear message: trusted third-parties can rarely, if ever, be fully trusted.

Lavabit, but better

Lavabit offered two separate points of value to its users – privacy and security. Privacy, in that it was difficult to link a user to an actual human, and security, in that cryptography and good key management was used. Unfortunately, from a privacy perspective, it was all too easy to link a user to their IP addresses and/or billing information, and from a security perspective, key security was impaired by the nature of being a hosted service. We can look at privacy and security separately, and consider how to achieve what Lavabit achieved, except more successfully.

Better privacy

Communications with Lavabit were sent over the open Internet, using SSL/TLS for transport encryption and authentication. SSL/TLS relies on trusted third-parties for authentication, which has resulted in fraudulent certificate issuance in the recent past. For a governmental attacker, fraudulent SSL certificate issuance is quite achievable, meaning that you can’t be 100% certain that you’re talking to the real Lavabit. The good news about SSL/TLS encryption is that it’s pretty solid, though; authentication issues aside, the crypto is reliable. So, what to do? Self-management isn’t an option when you’re after privacy and anonymity. Some kind of hosted service is necessary.

Suggestions for privacy-respecting email services have been removed, after the Freedom Hosting shutdown. Admittedly, Freedom Hosting was a hotbed of some truly reprehensible content, but it also hosted a service that was previously my best suggestion.

Better security

Lavabit rolled encryption in with its email offering. While this was convenient, it meant that your private key had to be held on their end and decrypted by your passphrase. There’s a huge difference between brute-forcing a passphrase to a known 4096-bit key, and brute-forcing an unknown 4096-bit key itself.

Own your keys

The necessity of a hosted service for privacy and anonymity means that it’s much better to keep encryption separate. The de facto standards for strong email encryption and strong IM encryption involve managing your own keys.

GnuPG: strong email cryptography

GnuPG is an open-source crypto suite based on PGP, and is reliably strong. It can be a bit daunting to get started with, but the payoff is enormous. A guide is somewhat out of scope, but it’s something that I’ll be posting about soon. In the meantime, Windows users should check out Gpg4win, Mac OS X users should investigate GPGTools, and Linux users should have a look through their package manager for command line packages and hassle-saving frontends.

OTR: strong IM cryptography

While GnuPG can be used for IM crypto, something more lightweight is more suitable. OTR (‘Off The Record’) is the standard that has emerged. It’s supported by nearly every multiprotocol client (libpurple-based clients such as Pidgin and Adium come heartily recommended). Alongside encryption and authentication, OTR offers both perfect forward secrecy and deniability after the fact.
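To make those two OTR properties concrete, here is a small Python model added for illustration; it is not OTR’s protocol or code, and not from the original post. It stands a one-way hash ratchet in for OTR’s per-message Diffie-Hellman re-keying and a SHA-256 counter-mode keystream in for its cipher, so it runs with nothing but the standard library. The `Session` class and the `forward_secrecy_holds`, `tag_is_deniable` and `tampering_is_detected` checks are names invented here.

```python
"""Toy model of two properties OTR adds over encrypt-and-sign email:
forward secrecy (old messages stay secret if today's state leaks) and
deniability (a valid MAC does not prove who wrote the message).
Illustration only: a hash ratchet stands in for OTR's DH re-keying."""
import hashlib
import hmac
import secrets


def kdf(secret: bytes, label: bytes) -> bytes:
    """Derive a labelled 32-byte subkey from a secret."""
    return hmac.new(secret, label, hashlib.sha256).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode. Illustration only."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Session:
    """One side of a conversation. Both sides start from the same shared
    secret (in OTR that comes from an authenticated DH exchange)."""

    def __init__(self, shared_secret: bytes):
        self.chain = shared_secret       # current ratchet state
        self.published_mac_keys = []     # MAC keys revealed after use

    def _step(self):
        enc_key = kdf(self.chain, b"enc")
        mac_key = kdf(self.chain, b"mac")
        self.chain = kdf(self.chain, b"ratchet")  # one-way: old state is gone
        return enc_key, mac_key

    def send(self, plaintext: bytes):
        enc_key, mac_key = self._step()
        ciphertext = xor_stream(enc_key, plaintext)
        tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
        self.published_mac_keys.append(mac_key)  # OTR reveals used MAC keys
        return ciphertext, tag

    def receive(self, ciphertext: bytes, tag: bytes) -> bytes:
        enc_key, mac_key = self._step()
        expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("MAC check failed: message altered in transit")
        self.published_mac_keys.append(mac_key)
        return xor_stream(enc_key, ciphertext)


def run_conversation():
    """Alice sends two messages to Bob; returns the pieces the checks need."""
    shared = secrets.token_bytes(32)
    alice, bob = Session(shared), Session(shared)
    plaintexts = [b"lunch tomorrow?", b"also, the draft is attached"]
    wire = [alice.send(p) for p in plaintexts]
    received = [bob.receive(ct, tag) for ct, tag in wire]
    return alice, bob, plaintexts, wire, received


def forward_secrecy_holds() -> bool:
    """Seize Alice's ratchet state after the conversation and try to read the
    first message with it. The ratchet cannot be run backwards, so the key
    derived from the stolen state is the wrong one."""
    alice, _, plaintexts, wire, _ = run_conversation()
    stolen_state = alice.chain
    ciphertext, _ = wire[0]
    attempt = xor_stream(kdf(stolen_state, b"enc"), ciphertext)
    return attempt != plaintexts[0]


def tag_is_deniable() -> bool:
    """Once a MAC key is published, any observer can make a tag that passes the
    recipient's check, so a tag is no proof of authorship after the fact."""
    alice, _, _, _, _ = run_conversation()
    leaked_mac_key = alice.published_mac_keys[0]
    forged_ciphertext = b"bytes Alice never sent"
    forged_tag = hmac.new(leaked_mac_key, forged_ciphertext, hashlib.sha256).digest()
    recipient_check = hmac.new(leaked_mac_key, forged_ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(recipient_check, forged_tag)


def tampering_is_detected() -> bool:
    """Flip one ciphertext bit before Bob checks it; the MAC must reject it."""
    shared = secrets.token_bytes(32)
    alice, bob = Session(shared), Session(shared)
    ciphertext, tag = alice.send(b"original")
    tampered = bytes([ciphertext[0] ^ 0x01]) + ciphertext[1:]
    try:
        bob.receive(tampered, tag)
    except ValueError:
        return True
    return False
```

The contrast with GnuPG-signed mail is the point: a PGP signature on an email is a permanent, transferable proof that a particular key signed it, whereas an OTR conversation authenticates each message to the other party at the time and then deliberately gives away the means to forge it.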

Use private and encrypted communications for everything

Traffic analysis, the art of inferring information about communication from the flow of communication itself rather than its content, is surprisingly effective. Encrypting only important communication is a dead giveaway of an interesting target. Encrypt as often as possible, even if you’re just sending pictures of cats to your mum. It makes an attacker’s job a lot harder.
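An added worked example of that traffic-analysis point, not from the original post: a Python model of a passive observer who sees only whether each message is encrypted, comparing a ‘selective’ policy (encrypt the important stuff) against an ‘always’ policy (encrypt the cat pictures too). The traffic log, the recipient names and the function names are all constructed for the example; the measure is an estimate of mutual information in bits between the encryption flag and which messages are actually sensitive.

```python
"""How much does the encrypted/not-encrypted flag tell an observer about which
messages matter? Constructed traffic log; illustration only."""
import math
from collections import Counter
from dataclasses import dataclass


@dataclass
class Message:
    recipient: str
    size: int          # bytes on the wire (visible, but not analysed here)
    sensitive: bool    # known only to the sender; the observer must infer it


# Constructed sample traffic for one user: mostly cat pictures to mum,
# a few messages that actually matter.
TRAFFIC = [
    Message("mum", 48_000, False),
    Message("mum", 51_000, False),
    Message("journalist", 2_100, True),
    Message("bob", 900, False),
    Message("journalist", 6_400, True),
    Message("mum", 47_500, False),
    Message("bob", 1_200, False),
    Message("lawyer", 3_300, True),
    Message("bob", 700, False),
    Message("mum", 52_000, False),
]


def observed_flags(messages, policy):
    """What the observer sees per message under each policy: encrypted or not."""
    if policy == "selective":       # encrypt only the important stuff
        return [m.sensitive for m in messages]
    if policy == "always":          # encrypt everything, cats included
        return [True for _ in messages]
    raise ValueError(f"unknown policy {policy!r}")


def mutual_information(flags, truth):
    """I(flag; sensitive) in bits, estimated from joint counts. 0 means the
    flag tells the observer nothing about which messages are sensitive."""
    n = len(flags)
    joint = Counter(zip(flags, truth))
    p_flag, p_truth = Counter(flags), Counter(truth)
    return sum(
        (c / n) * math.log2((c / n) / ((p_flag[f] / n) * (p_truth[t] / n)))
        for (f, t), c in joint.items()
    )


def singled_out(messages, policy):
    """Indices the observer would pick for a closer look: the encrypted ones."""
    return [i for i, enc in enumerate(observed_flags(messages, policy)) if enc]


def compare_policies(messages=TRAFFIC):
    """Bits leaked by the encryption flag, and which messages it points at."""
    truth = [m.sensitive for m in messages]
    return {
        policy: {
            "bits_leaked": mutual_information(observed_flags(messages, policy), truth),
            "singled_out": singled_out(messages, policy),
        }
        for policy in ("selective", "always")
    }


if __name__ == "__main__":
    for policy, result in compare_policies().items():
        print(policy, result)
```

With three sensitive messages in ten, the selective policy hands the observer the full 0.88 bits of uncertainty there was about which messages matter, and `singled_out` points straight at them; under the always policy the flag carries 0 bits and the shortlist is simply ‘everything’. Recipient and message size are still visible metadata, which is the author’s reason for reaching for Tor or remailers in the next section.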

Avoid shortcuts

Services such as Lavabit are tempting because of the low barrier to entry, compared to managing your own encryption and sneaking around with Tor or remailers. Unfortunately, with privacy and security, ‘easy’ usually means ‘less effective’. Quite simply, investing a bit of time in getting yourself set up will result in better protection – both for you, and for the people that you correspond with.

UK porn filter: CBC Radio One interviews

As a professional radio personality, I use a professional recording setup.

I was asked to appear on CBC Radio One in Canada, to provide a technical perspective to their listeners about why the proposed UK porn filter was such a problematic prospect. The curious amongst you can listen to them using the Soundcloud player below – they’re presented in order of recording.

The proposed UK porn filter is a threat, not a safeguard

I can count the number of times that I’ve agreed with David Cameron on policy without having to resort to counting. The latest move to come out of the tabloid-courting Conservative government is an opt-out filter – meaning ‘enabled by default’ – for all adult content, legal and otherwise.

The usual suspects have rallied behind this illiberal idea. The Daily Mail calls it “a victory for the Daily Mail” and “protection for every home”. Cameron even namechecks the rag himself.

“The Daily Mail has campaigned hard to make internet search engine filters ‘default on’. Today they can declare that campaign a success.”

I’m not going to target the reasons that this is a terrible idea from a sociopolitical standpoint. Stavvers, over at Another Angry Woman, has done it better. What I am going to cover is the details of the filtering that is already in place (and has been for some time now), and the technical reasons why a filter like this will do more harm than good.
