Ars tests Internet surveillance—by spying on an NPR reporter

Aurich Lawson

On a bright April morning in Menlo Park, California, I became an Internet spy.

This was easier than it sounds because I had a willing target. I had partnered with National Public Radio (NPR) tech correspondent Steve Henn for an experiment in Internet surveillance. For one week, while Henn researched a story, he allowed himself to be watched—acting as a stand-in, in effect, for everyone who uses Internet-connected devices. How much of our lives do we really reveal simply by going online?

Henn let me into his Silicon Valley home and ushered me into his office with a cup of coffee. Waiting for me there was the key tool of my new trade: a metal-and-plastic box that resembled nothing more threatening than an unlabeled Wi-Fi router. This was the PwnPlug R2, a piece of professional penetration testing gear designed by Pwnie Express CTO Dave Porcello and his team and on loan to us for this project.

Read 60 remaining paragraphs | Comments

Web giants encrypt their services—but leaks remain

One of these sites is not like the others....

It's been a year since Edward Snowden's leak of National Security Agency documents triggered a firestorm around cloud service providers' privacy protections (or lack thereof). Since last summer, the giants of the Internet have pledged to do more to encrypt their Internet traffic—and in some cases, their internal network traffic—to protect it from both government surveillance and other prying eyes. But an Ars investigation reveals that data continues to leak.

Although companies have made great strides in securing their Internet services, implementations of SSL and other security standards aren’t always consistent across applications. And some of the gaps are intentional—left there to meet the demands of certain customers, to support older applications, or to make integration with other services faster (and more profitable).

The Electronic Frontier Foundation (EFF) has published a chart that shows which major Internet services support SSL and other security “best practices,” including encrypted data center links, perfect forward secrecy, and encrypted communications with other providers’ e-mail services. Eight major Internet companies—Google, Microsoft, Yahoo, Twitter, Facebook, Dropbox, Sonic.net, and SpiderOak—have implemented or are in the process of implementing all of EFF’s recommended security practices.

Read 20 remaining paragraphs | Comments

Keeping Track of the Update Status of Web Apps on the Websites You Manage

If you follow our blog you know that many websites are not getting the software running on them updated in a timely manner, which is a basic security measures. Just yesterday we looked at the fact that two months after a security update was released for Drupal 7 only 29 percent of the websites running it had been updated. To try to improve the situation we have now put together a Chrome App, Up to Date?, to help those who manage websites keep track of the update status of web apps on those websites. With the app you don’t have to keep track of when new versions of the software are released or log in to the individual websites to see if an update is available as the app lists the versions in use and if it is an outdated version for all the websites in one place.

The app currently can check the versions of the following web apps:

  • concrete5
  • Drupal
  • Joomla
  • Magento (Community Edition only)
  • MediaWiki
  • Moodle
  • PrestaShop
  • Revive Adserver (formerly OpenX)
  • SPIP
  • TYPO3
  • WordPress
  • Zen Cart

(If you are interested in additional web app being checked please let us know in the comments section or through our contact form.)

To show what the app does let’s see if the MediaWiki versions running on some of the websites of the other web apps we check for are being kept up to date:

MediaWiki Versions: http://codex.wordpress.org - 1.15.5 (Outdated), http://docs.joomla.org - 1.21.5 (Outdated), http://docs.moodle.org/27/en/ - 1.21.9 (Outdated), http://www.zen-cart.com/wiki/ - 1.18.1 (Outdated), http://wiki.typo3.org/ - 1.23.0

Of the five, only TYPO3 has kept their MediaWiki installation up to date. Joomla and Moodle are running versions from earlier this year, which is not that bad compared to the other two. Zen Cart is running a MediaWiki versions, 1.18.x, for which support ended in 2012. WordPress has the dubious distinction of still running a version of MediaWiki, 1.15.x, for which support ended back in 2010. That software developers who remind you that you need to keep their software up to date are not following that advice with other software highlights the need for improvement.

Why a Chrome App?

When we started looking at putting this together one of the first questions was what type of application we would make. Making it web-based is an obvious option, but we went with a Chrome app for several important reasons.

One of the big reasons for this was that with a Chrome app we could leverage the version checking code we already created and keep up to date for our various version check extensions. With those you can see if websites are running the software and check if the websites are up to date as your browse in Chrome. There are currently versions available for Drupal, Joomla, Magento, MediaWiki, PrestaShop, Revive Adserver, WordPress, and Zen Cart. While working on the app lead we made some improvements to the version checking code that has been incorporated in to the extensions. Using a Chrome app also allowed us to create something that works across Linux, Mac OS, and Windows.

The other big reason is that these web apps are also used on internal websites, which wouldn’t be accessible if the version checking was done from a web-based app. While updating software running on an intranet doesn’t have the same necessity as something connected to the Internet, numerous breaches of major organizations internal systems is reminder that just because something isn’t directly accessible from the Internet it doesn’t mean that security can be ignored.