Insights For Success

Strategy, Innovation, Leadership and Security

The New York Times now available on TOR

General | Edward Kiledjian
I do not agree with what you have to say, but I’ll defend to the death your right to say it.
— Voltaire

When the average consumer thinks about TOR (which isn't very often), they imagine that it is the ugly, damp & rancid underbelly of the internet. 

The reality is that TOR is a US government-funded project to create anonymity on the internet. It is a platform that allows everyone to have a voice without fear of punishment or even death (think political activists).

No technology is perfect, but TOR is a very powerful tool for human rights activists and other dissidents. 

In a 2015 article in The Intercept, Edward Snowden goes as far as saying "I think Tor is the most important privacy-enhancing technology project being used today." and "What Tor does is it provides a measure of security and allows you to disassociate your physical location."

Proof that TOR isn't just for drugs and counterfeit goods is the fact that many reputable organizations have started to create their own TOR presence.

The New York Times launched its TOR Onion Service website (in late October) as a secure way of making its content available to people around the world who may otherwise not have access to it (China, Iran, etc.).

When companies moved to the web 15-20 years ago, sites were less reliable as companies tried to figure out how this "web thing" worked. TOR is the same today. Sites like the New York Times are still trying to figure out how to use TOR efficiently, and therefore you should assume these sites are all in beta status.

The New York Times reports on stories all over the world, and our reporting is read by people around the world. Some readers choose to use Tor to access our journalism because they’re technically blocked from accessing our website; or because they worry about local network monitoring; or because they care about online privacy; or simply because that is the method that they prefer.
— The New York Times

You can access The New York Times TOR Onion Service site here: https://www.nytimes3xbfgragh.onion/ [remember this doesn't work via the "normal web"].

Karma releases an anonymizing hotspot

General | Edward Kiledjian

Open a magazine, newspaper, your local nightly news or almost any internet blog, and you will be confronted with news about another security breach. Breaches, breaches everywhere.

Concerned netizens are trying to find ways to protect themselves when online and to protect their privacy. In response, I have written a bunch of articles (such as):

The above reviews were VPN services, but what if you wanted a piece of hardware that was portable and could be used with any WIFI enabled device?

A new player in the hardware category is LTE WIFI Hotspot service provider Karma. 
Karma is releasing a new LTE hotspot (for the US market) called Karma Black LTE hotspot. This device costs $149 now (will go up to $249 after the January 15 pre-order closes). In addition to the initial cost, you will have to plunk down $20 a month for its security services. Karma promises to encrypt your internet traffic and to hide other privacy-invading markers like location, browser identifiers, etc. 

It looks like you will be able to use this service with your own WIFI networks (home, office, hotel, etc.). Karma is also promising to add features in the future like TOR, network antivirus, ad blocking and parental control.

In addition to the monthly security service fee, you will have to spend more money if you want to use the device's LTE connectivity feature ($3/month + $10/GB on the "drift" plan). 

Is it worth it?

I have not had a chance to test the device so everything written here is based on the documentation. 
 

We wanted to create a product that allows consumers to feel protected while surfing the web. Karma Black is that product. Our users can freely consume internet content while knowing that no one is looking over their shoulders. Consumers do not want strangers listening to their phone calls… they deserve the same security from intrusion when going online.
— Todd Wallace, Karma Mobility CEO

I believe the goal is noble but the question is "should you spend $20 a month for this level of security?".

A technical user knows that sites, threat actors, and government intelligence agencies have multiple ways to identify and track users. Even with all of the security measures deployed by Karma in its Karma Black hotspot, there are fairly easy ways to identify and track its users [here is an article that talks about TOR deanonymization].

As an example, a site that uses TLS encryption (aka most sites these days) is able to set up a secure connection between your browser and its site. It can drop a supercookie in your browser and then track you as you browse the web. Facebook and Twitter did this.

There is an easy-to-implement technique called browser fingerprinting that allows an online actor to create a unique fingerprint for your machine using nothing more than the information your browser willingly hands over to any site that asks. You can test this yourself here.

Using a secure tunnel (aka a VPN), Karma can mask your internet traffic from your local ISP, but Karma itself can see where you are going. We know very little about what they log. VPN providers like TunnelBear have clear & easy to understand privacy policies. TunnelBear has had independent audits to confirm that they are living up to their policies. ProtonVPN has a technology that they call SecureCore to prevent privacy breaches if any of their VPN termination endpoints are compromised.

Unfortunately, there is insufficient information about how Karma Black is actually (technically) delivering these security services, and therefore I have to take every claim with a grain of salt. You can probably buy similar protection from the InvizBox for $190 (hardware plus 12 months of IPVanish VPN service). You then use the Chrome browser with the uBlock Origin plug-in and you should have equivalent or better protection.

Most security professionals will tell you tech is easy and that the biggest security weakness is the user. Users normally don't have good security hygiene, and even the best security tools can easily be broken by careless users.

My professional recommendation would be to hold off buying one of these devices until a "real" security professional has a chance to test one in a lab and determine how good the security controls actually are. It is easy to mess it up and unintentionally leak metadata. So caveat emptor.

The start of the end for Symantec cert trust on Google's Chrome

General | Edward Kiledjian

A little history

In early 2017, a security researcher (Andrew Ayer from SSLMate) discovered that three certificate authorities (Symantec Trust Network, GeoTrust Inc., and Thawte Inc.), owned by Symantec, had improperly issued 108 TLS certificates. It is important to understand that these improperly issued certificates would allow a threat actor to spoof or impersonate a website that was using HTTPS.

9 of these certificates were issued without the knowledge of the domain owners. 99 were issued without proper validation of domain ownership. 

This improper issuance of certificates directly contravenes the strict (prescriptive) guidelines of the CA/Browser Forum and raised the ire of internet giants like Google, Mozilla, and Microsoft. 

These guidelines and controls underpin the entire trust model of the encrypted internet.

There is no way to verify if these certificates were ever used in the wild but we also cannot verify that they were not used. 

You can see the list of certificates here

Chrome to distrust Symantec TLS Certs

https://bugs.chromium.org/p/chromium/issues/detail?id=796230

Very quickly after this second incident was made public, the developers of the Chromium project announced their intention to distrust all Symantec issued TLS certificates. Since Chromium powers Google Chrome, the most popular browser in the world, this was a punishment for Symantec's mismanagement. So started the two-year roadmap to achieve this goal. 

You can read the blog article on the Google Security blog entitled "Chrome’s Plan to Distrust Symantec Certificates".

As you can see above, the process is broken down into 3 distinct phases:

  1. Certificates issued after December 1, 2017, from Symantec's legacy infrastructure will not be trusted
  2. Certificates issued before June 1, 2016, from Symantec's legacy infrastructure will not be trusted
  3. All certificates issued from Symantec's legacy infrastructure will not be trusted.

The first phase is rolling out with Chrome beta version 66 on March 15, 2018. Domain admins still using Symantec certs issued before June 1, 2016, are encouraged to replace them ASAP. 

The full roadmap will come to fruition with Google Chrome beta 70 (due October 16, 2018). 

In an October 2017 Symantec security blog entry, we learned that DigiCert will take over certificate updates as of December 1, 2017.

Google Chrome to block "bad" ads in February

General | Edward Kiledjian

The Sultan of Search, Google, announced in June that it would introduce ad blocking tech in an upcoming version of the Google Chrome browser (and Chromebook). 

We can now confirm that this feature will make it into our browser on February 15 (2018). Chrome 64 will be delivered on January 23 and Chrome 65 on March 6. Either this feature will be part of Chrome 64 and turned on with a remote trigger, or it will be a server-side function. We will have to wait and see how Google implements this feature. 

Google will deliver this functionality simultaneously to desktop and mobile clients.

Why would an advertising company block ads?

To be clear, the blocker will only block ads that don't meet the standards set by the Coalition for Better Ads.

What kinds of ads will get blocked?

  • Ads that pop-up when you open a website
  • Ads that fill the entire screen
  • Ads that automatically play a video
  • Ads that trick you into clicking on them by pretending to be a close button
  • and many more

A single violation won't move a site into the blocked list. There are thresholds Google will be looking for and a site can come off the "bad" list if it removes the offending ads.

Google probably realized that these ads are forcing users to install aggressive ad blocking add-ons which are having an impact on its revenue. 
 

Link: Google blog post

Review of the Morakniv Garberg outdoor knife

General | Edward Kiledjian

What is the best outdoor knife?

Those who know me well know that I love the outdoors and I love knives. If I were stranded on an island and could only bring one home comfort, it would be an outdoor knife. Having many outdoor enthusiast readers, I am regularly asked what knife I like best. 

When I first started studying survival skills, I had the misguided belief that the more expensive your equipment, the better it must be. I quickly learned that this wasn't always the case and sometimes even the most basic tool, used correctly, could be a lifesaver. 

Nowhere is this more true than with outdoor (camping or survival) knives. I say outdoor because my choice for an everyday carry knife is very different.

Outdoors you say?

I have been camping for 30+ years and have been interested in wilderness survival and native survival skills for the last five years. I have been fortunate enough to have participated in training camps with some of the industry's most recognized names in forests hours from the nearest city.

While camping or during a survival event, a knife could be the difference between life and death. It can help you catch & process food, build shelter, start a fire and much more. In the wild, I can:

  • make a natural "sleeping bag" with logs and leaves
  • make utensils and plates from logs
  • use rocks as cookware on a fire

What I can't make in the wild is a knife. Sure you can use a sharp rock, but that won't allow you to baton firewood or perform any of the hundreds of tasks a real sturdy knife can.

Let's be clear, a knife without training won't save your life. But with decent knowledge, a bit of practice and a good knife, you can save your life even in the most treacherous environment. 

What about a multitool?

I carry a Victorinox Swiss Champ with me every day (EDC). I wouldn't leave home without it. I own and carry various dependable Leatherman multitools, but in the wild, I want a knife. A multitool just wouldn't be able to take the abuse of real outdoor survival. You try batoning a log with a multitool and see how long it lasts.

Aren't all survival knives the same?

The answer is No. Just in case you were confused, the answer is no, no and no. Go to any Walmart, and you will find a dozen knives marked as survival knives. Most are garbage, but unless you are an experienced user, you will undoubtedly be overwhelmed with conflicting marketing messages and the sheer number of possible options.

An excellent outdoor knife will:

  • Be a multi-use item but not a multi-tool. You will have to stay away from the specialized products (e.g., blades with hooks to help gut a catch, a tanto point to stab, etc.)
  • Be durable in the field. You need a tool that is designed to last and won't fail you when you need it most. Remember "that which can fail will fail." This is why I stay away from folding knives when looking for the ideal outdoor knife.
  • Be built for survival and hard use. The ideal knife must be full-tang which means the blade's steel runs into the handle. Some knives have a long thick tang in the handle (typically more expensive), while others use a skinnier metal body in the handle (typically less expensive). 
  • Be budget friendly. The more expensive your knife, the less likely you are to use and abuse it. The knife must be "expensive enough" to be well designed and crafted using quality materials, yet cheap enough that you will use it in the wild (you can't cry every time you baton logs with it). 

What characteristics should I look for?

Blade: My preference is the Scandinavian grind (SG). The SG is a wide flat bevel (V) that runs to the end of the blade. There is no secondary bevel. This produces a knife with excellent cut control. It is slightly more fragile than other edges and can be strengthened with a slight secondary bevel. This is a blade edge that is easy to maintain in the field with a single sharpening stone, and sharpening requires less skill [compared to other edges].

Length: Blade length is a very personal decision, but I have found 4-6" to be the sweet spot. Too short and the knife's usefulness is greatly diminished. Too long and the blade will be difficult to control and will be in your way when hanging on your belt.

Price: As mentioned earlier, it has to be expensive enough to be well built from quality materials. It shouldn't be too expensive causing you to avoid using it in the field. 

What is the best outdoor knife?

If I had to pick one knife right now that I would want in a survival situation, it would be the Morakniv Garberg MultiMount. Anyone interested in camping or survival has probably heard of Morakniv. The poster child for Mora knives (Mora is a region in Sweden) is Cody Lundin, TV personality from the Aboriginal Living Skills School.

The Garberg meets all of my requirements. It is durable, versatile, easy to maintain in the field and affordable. I have used the cheaper $20 Mora knives in the early days, and most of them are still in my collection today and are regularly used.

The Morakniv Garberg has a simple but comfortable plastic handle, which means you have better control and won't have hand pain after extended use.

It is a full-tang knife, which means it can withstand the abuse of batoning. You can baton 3.5-4 inch pieces of wood with ease.

The Morakniv Garberg uses 14C28N stainless steel, which does not rust, holds an edge relatively well and is easy to sharpen in the wild with a stone. Surprise surprise, it has a Scandinavian grind.

The back end of the blade has a 90-degree spine so you can use it with magnesium or a ferro rod to start a fire.

The Garberg comes with a nice sheath that works well for righties or lefties. Mora also included Velcro straps that allow you to easily hang the knife on a free or a backpack (Molle attachment). The blade is made from rust-resistant stainless steel but Mora still included drainage holes in the sheath (a nice touch). 

To make a good knife deal even better, Morakniv offers a lifetime warranty that covers defects. As long as you have maintained the knife according to their guidelines and haven't abused the product, Morakniv will fix or replace the product if you have any issues (this is their Knife for Life guarantee).

The price

This is not a sponsored post so I won't link to any specific retailer, but you should be able to buy a Morakniv Garberg Multi-Mount (make sure you pick up the multi-mount version) for $70-$80 USD (~$125CAD). Online retailers you can check out include:

  • USA: Amazon, KnifeCenter, Cutlery USA, MEC, etc.
  • Canada: Adventure Pro Zone, Canadian Outdoor Equipment, Bushcraft Canada, etc.
  • Europe: Bushgear UK, Knives and Tools, Amazon, etc.

Make sure you shop around because prices can be $10-30 different per site for the same item.

You sure?

I have tested over 50 knives in the last 3 years and conducted hours of research before choosing this knife. I take this type of review seriously and put in the hours, so you don't have to. As I write this (December 2017), the Morakniv Garberg multi-mount is the best deal on an outdoor knife available. It offers the biggest bang for the buck and has the least negative characteristics.

Link to Morakniv

Note: This is not a sponsored review.