We've got less than a day until the key vote on the wording of the new EU Copyright Directive, when members of the EU's legislative committee will vote on whether to include controversial mass censorship language in the proposal that the parliament will vote on.
Yesterday, I wrote about the way that tech-sector concentration was making it nearly impossible for Russia to block the encrypted messaging service Telegram: because Telegram can serve its traffic through giant cloud providers like Amazon, Russia can only block Telegram by blocking everyone else who uses Amazon.
Russia tried to get the creators of the private messaging service Telegram to create a back-door so its cops could spy on Telegram users; Telegram refused and Russia banned Telegram in retaliation.
Cloudflare, a company with a history of resisting surveillance and censorship orders (albeit imperfectly and sometimes with undesirable consequences) has announced a new DNS service, hosted at the easy-to-remember address of 126.96.36.199, which accepts connections under the still-novel DNS-over-HTTPS protocol, and which has privacy designed in, with all logs written only to RAM (never to disk) and flushed every 24 hours.
To launch an effective Denial of Service attack, your bots need to overwhelm your target with a flood of requests; the more bandwidth and computing-power your target has, the more you need to knock them off the internet.
Cloudflare has terminated service to Sci-Hub, the site that provides paywall-free access to virtually all scholarly work, citing Aaron Swartz as inspiration -- Cloudflare previously serviced the sci-hub.la, sci-hub.tv, and sci-hub.tw domains, but in response to an injunction obtained by the American Chemical Society, they will no longer provide that service.
With the rise of white nationalist groups whose allies in government extend all the way to the President of the United States, tech companies are finding themselves in the uncomfortable position of deciding where tolerance begins and ends -- where they have a duty to step in and silence certain kinds of speech.
As Trump FCC Chairman Ajit Pai tries to kill Net Neutrality under cover of Thanksgiving, Cloudflare CEO Matthew Prince has tweeted that he is looking into ways that he can legally take up Josh Constantine's challenge to give Pai "14.4k dial-up speeds for killing net neutrality." (Image: Evan-Amos, CC-BY-SA) (via /.)
"Something like ten percent of the web flows through Cloudflare's network," states Nick Sullivan, Head of Cryptography for internet "gatekeeping" service Cloudflare.
So, in order to keep their clients protected, they need to generate a lot of unpredictable, completely random numbers. That's where this wall of lava lamps comes in.
Cloudflare's "Wall of Entropy" sits in the lobby of their headquarters in San Francisco. It uses the unpredictability of its flowing "lava" to assist in randomly generating numbers.
At Cloudflare, we have thousands of computers in data centers all around the world, and each one of these computers needs cryptographic randomness. Historically, they got that randomness using the default mechanism made available by the operating system that we run on them, Linux.
But being good cryptographers, we’re always trying to hedge our bets. We wanted a system to ensure that even if the default mechanism for acquiring randomness was flawed, we’d still be secure. That’s how we came up with LavaRand.
LavaRand is a system that uses lava lamps as a secondary source of randomness for our production servers. A wall of lava lamps in the lobby of our San Francisco office provides an unpredictable input to a camera aimed at the wall. A video feed from the camera is fed into a CSPRNG, and that CSPRNG provides a stream of random values that can be used as an extra source of randomness by our production servers.
Cloudflare's joint research with "a large e-commerce site" and Mozilla found that between 4-10% of secure, encrypted web connections are "intercepted," largely by corporate antivirus software that inserts its own certificates into users' browsers, allowing it to scan all traffic entering workers' computers.
A group of security researchers from academe and industry (including perennial Boing Boing favorite J Alex Halderman) have published an important paper documenting the prevalence and problems of firewalls that break secure web sessions in order to scan their contents for undesirable and malicious content.
Google, Facebook, Microsoft, Apple, Twitter, Snap, Uber, Airbnb, Lyft, Dropbox, Cloudflare, Box, eBay, GitHub, Kickstarter, Indiegogo, Medium, Mozilla, Patreon, Paypal, Pinterest, Reddit, Salesforce, Spotify, Stripe, Wikimedia, Yelp, Y Combinator and many, many others (97 in all!) have co-signed an amicus brief filed with the Ninth Circuit to oppose Trump's Muslim Ban, as part of the ongoing litigation over the constitutionality of Trump's chaotic executive order.
A group of tech firms will meet today to plan the filing of an amicus brief in support of a lawsuit to challenge U.S. President Donald Trump's “Muslim Ban.”
Trump's order was issued on Friday, and restricts immigration from seven Muslim-majority countries in which Trump has no business interests. Adjacent Muslim-majority nations in which Trump does have business interests were left untouched by the ban. Administration staffers took great pains to keep the orders secret from other government officials, and from the public, until it went into effect.
Insecure desktop operating systems (and even server/CMS vulnerabilities) have led to the creation of enormous, powerful botnets comprised of thousands, hundreds of thousands, or even millions of machines -- and thanks to the law of supply and demand, it's remarkably cheap and easy to rent time on a botnet and blast any site of your choosing off the Internet.