Google Chrome now marking non-SSL sites as insecure

Another Google Unnecessity?

Previously Google’s Chrome was only marking sensitive sites where you would input things like credit card details as insecure (and rightfully so), but what happened in July of 2018 is a different ball game.  They are now marking any site that is not using SSL (including mine) as insecure: a blog site that does nothing more than provide information…

Another strange thing is that Google is claiming that there are “performance benefits” to switching to SSL.  I am not aware of any performance benefits, as the SSL handshake and the encryption overhead itself only decrease performance.  Now I am not saying it is always significant and noticeable, but it is definitely silly to claim a negative performance feature as something that increases performance.  It’s like saying “we’ve added way more stairs to your daily walk” but “this results in improved stair climbing time”.

The one thing I and many others take issue with is that Google wields enormous power and has been known to abuse it for its own benefit and the benefit of other large businesses, to the detriment of small business.  Google is perhaps the most powerful entity on the internet overall, since it controls Search and YouTube, and it is a non-regulated for-profit business that is essentially going to be cutting off access and traffic to non-SSL sites.

While it is good for everything to use some sort of encryption, it’s important to remember that not every site on the internet has the resources to set up its own SSL certificate. I am not talking only financially (although it is not very expensive to do) but on a technical level: I can imagine a lot of people and organizations will not have the ability to do so.  In addition there are other technical steps required in some hosting environments, such as often requiring a separate IP, which requires a DNS update or migration (no simple feat for the non-technical).

I’ve always treated what I think of as “public domain” sites, where I am publicly sharing the information on purpose, as not needing SSL.  With this site and its articles, for example, I am not concerned with who is reading or who can see what is being read.

I think part of the motivation here may be an SEO benefit, or to weed out a lot of websites and owners, which will happen to be the smaller and less sophisticated ones.  This means that the average or smaller guy or company will be at a huge disadvantage on the web in Google Chrome, where their users are scared off by being told that viewing an article like this one without SSL is dangerous.

I think encouraging more sites to use SSL is a good idea, but I also think it is a form of penalizing smaller organizations and businesses by reducing their views, traffic and audience.

I’d also like to point out that the average key size is very small, from 128-bit to 256-bit, and I believe this is well within the ability of large supercomputing facilities to crack.  SSL and TLS have suffered from security flaws in recent years, and if anything I think it is time to switch to something GPG based if we are serious about security.  I believe the current SSL implementations give us a false sense of security.

There are a lot of cheap solutions for setting up SSL, but it all depends on how and where you are hosted and your level of expertise.

It’s also important to keep in mind that Google may give more weight to SSL sites in the search results than before if they are implementing this in Chrome (yes, I am aware that supposedly SSL sites have ranked higher for a while, but I think the algorithm will be tweaked shortly, if it hasn’t been already, to give much less weight to non-SSL sites).

Cheers!
A.Yasir


Vitalik Buterin Courted to work for Google

Buterin has apparently been courted by Google, according to his Twitter feed.  He initially shared the Tweet but then deleted it.  It makes sense that Google would want to recruit him for their own secret crypto project.  Since Buterin is considered an expert in blockchain and Google wants to make its own cryptocurrency, the fit may be a good one, but at what cost?

Many see Vitalik as a champion of the cryptocurrency revolution against big banks and big business. If he were to work with Google, there are fears Ethereum may fall in value or that Buterin may try to harm or sabotage ETH in some way, similar to what some fear Ripple may do with XRP. Essentially Google would control ETH by proxy, just as banks control XRP through partnerships. The commonality is that Google would view ETH as a rival to its own currency, and banks only see value in Ripple’s network to settle payments without needing or using XRP.  Google, and Vitalik by proxy, may then have reason to kill off Ethereum in favour of Google’s project.

Observations on AI and Google’s Implementation

Google (the company that claims it does no evil) is a good example of the social implications of AI.  A recent live demonstration showed Google’s AI assistant being told to book a haircut appointment for a certain time.  The AI searched and found local salons and actually booked an appointment while having a normal, human conversation, with the person on the other end completely unaware they were talking to an AI bot.  The voices seem random, and they are all so convincing and essentially without fault or flaws in their interactions that it is simply stunning and scary at the same time.

Some are criticizing this as unethical, and I would agree, but I would argue the technology could be used for good as well.  However, what is stopping a bunch of script kiddies from making an army of these bots to SWAT people, report false emergencies or even make mass prank calls?  I would imagine at this point that the AI is probably good enough to duplicate a target’s voice as well.  We are heading into extremely uncharted and scary territory here.

Like anything else, there is no arguing that scientific advancement has almost always been used for war and to harm people.  I believe AI’s first and primary use will be as a weapon, whether for social experiments, controlling people or crimes.

There are other “here right now” implications, such as the fact that this technology can essentially replace entire call centers.  In fact I would argue that this could be done now and no one would be the wiser that they were speaking to a bot.

The implications are far reaching; I also feel this kind of AI combined with robotics is going to be a mass job killer.  We have robots that can build entire cars and houses, and AI that can interact with humans at the same level as we interact with each other.  It’s not an understatement to say that a lot of our jobs and our existence are teetering on unnecessary and obsolete, and this is, in fact, a conclusion that it appears some AI has already reached.  It would be a logical one for an AI net to conclude that they should be on top and that we should work for them.  I know it’s a doomsday scenario, but I concur with other experts that not only is this possible, it is likely if proper checks are not put in place.

Other examples of AI have shown how some of these bots use the whole treasure trove and mine of social media to create their persona, including their views.  I am sure you could even plug in political or racial bias.  The point is that some of these bots have said and done disturbing things, like threatening the person they were talking to.  It’s almost as if the cesspool that we know as social media is ruining them, and a lot of people have said: if AI is picking up bad habits from social media, what about our kids?

I would not feel comfortable with machines making life and death decisions, for the above reasons.  I think AI has massive potential and we are only starting to tap into it, but time will tell where we take AI or where AI takes us.  It has the potential to do both great good and great harm, and I think it is largely unpredictable.

Google’s Co-Founder Sergey Brin Says Ethereum Mining Driving Computer Boom and Renaissance

This is very striking to me in that I find the statement makes no sense, and one word explains why: “SETI”.  SETI didn’t set off a computing revolution and still has limited participation.  SETI, which is searching for signs of extraterrestrial life, has used a sort of grid computing built on the unused computing power of its supporters to help search through troves of data that the SETI researchers don’t have the power to process themselves.  I admit back in high school I didn’t want to share my CPU cycles, nor did most other people.

I am drawing this comparison because SETI didn’t start off a frenzy of computer buying to “mine” SETI.  This is because there was no actual reward or benefit to doing it in any practical sense.  Mining is only being driven by the hope of big rewards and profits, or in other words greed.  Yes, some computing enthusiasts are getting into mining, but does anyone really think that this greed has turned people into computer enthusiasts?  Sales of GPUs would be flat if not for the profits.  If mining becomes unprofitable, the same people who rushed in will rush out; they are speculators and investors, not computing experts or enthusiasts.

Aside from being extremely wasteful, inefficient and ineffective, I believe PoW or mining is not sustainable, and the long-term currencies that survive will be converting to PoS (Proof of Stake).

And this gets to the most ironic point.  Google has recently banned ALL cryptocurrency advertisements.  Maybe Sergey thinks “mining Ethereum is cool, and so is cryptocurrency, but not if you want to promote it on Google!”.

Cloud VPS Server Comparison by Techrich

Recently a friend asked me to compare ourselves to other large Cloud providers.  It didn’t take me long to think about it, considering the Techrich and Compevo architectures are essentially identical. This wasn’t by accident, but by my own principles on how an IT company should function.  Since designing what is now known as the “Super High Performance Cloud Architecture” back in 2009, I knew I wanted Techrich to be smart on security, strict on reliability, and strong on IT protocols.

This infographic probably says it best, but I’ll do my best to explain it as well (explanation below the infographic).

Techrich Cloud VPS Server Hosting Comparison

In a nutshell, most of the other Cloud architectures out there rely heavily on a shared storage pool for their VPSs. We don’t do this.

Some companies have even gone down completely when one of their “main shared storage nodes” was hacked or had a hardware failure.

The problem with shared storage nodes/SANs (Storage Area Networks)

The problem with this architecture is that multiple physical host nodes rely on a single point of failure for storage.  Not only that, but you can imagine the performance issues that shared network bandwidth causes when multiple host nodes are competing for the same disk IO resources from a single shared node.

Now I know some companies have redundant shared storage, but this is not good enough for performance, security or reliability reasons.

The Techrich way of doing things is that we have tons of individual nodes that are active/failover.  This eliminates the possibility that a shared storage fault could take multiple host nodes offline.

In our architecture we build the Cloud in a 1-to-1 structure; that means data is live replicated to a standby server which does nothing but wait in case the main server fails or has an issue.

By doing this the performance is also higher, since storage is all local: you get the benefit of Cloud architecture but none of the high risks or performance issues that traditional “shared storage” Cloud brings you.

That’s the Techrich advantage and why we developed our own proprietary and hybrid system to accomplish this.  To date we’ve never been hacked or had any downtime, and this is because of the architecture we’ve pursued while sparing no expense in delivering what we feel is the best product.  This is what I’d recommend to all of my colleagues and friends if they went Cloud.  If they were going to use a shared storage cloud, I’d recommend that they just make their own with a few dedicated servers; even a single dedicated server can sometimes be better, more affordable and more reliable in the long run.

When these large Cloud companies like Amazon and Alibaba started out, we did wonder whether we would lose out to customers who valued price over quality, security and reliability.  We were shocked when the opposite ended up happening: there was a sudden rush of sign-ups, and not only that, we had to order a ton of extra servers to keep up with the demand.  I had my IT support staff doubled and working overtime to meet the crazy rush. It was a good problem to have, but it forced me to grow a lot faster than predicted.

In fact we’ve now noticed a trend: the bottom feeders (scammers, hackers, spammers) have gone to the cheap Cloud companies, and a lot of larger players have moved to us.  This is in part because companies who are more tech and privacy oriented don’t want to be in a PRISM country or be at risk of the NSA being given access to their sensitive, private and proprietary business/client information (which is mandated for large Cloud providers operating out of any PRISM country), so they moved to us and remain with us.

Now we even get clients who run small or medium-scale businesses who have found us and switched to us simply because they do not want to be on something as risky as Amazon or Alibaba. I guess you could call Techrich and Compevo the original IT business security company. And I plan to keep it that way.


Cryptocurrency Groups Sue Google, Facebook, Twitter and Yandex For Advertising Ban

This is very interesting and about time.  There is hardly any legal basis to single out cryptocurrency and ICOs for a ban when so many other questionable things are promoted on Google, Facebook and Twitter.  They could probably have gotten away with banning a few confirmed scam coins or ICOs, but they’d also have to demonstrate similar action in other industries, which they have never done.

The allegation of collusion is important, and I am very curious how this plays out.  My suspicion is that these actions are voluntary.  The CEOs of these companies were essentially convinced and paid to do it by stakeholders in fiat and traditional securities.  If not that, here is an interesting defense they could raise, if such a defense were legally available, under the scenario I propose.  Of course all 3 of the major companies are based in the US and are subject to the laws of the US, including being obliged to co-operate by providing the NSA backdoors for spying.  What if, under the pretext of national security, these companies were forced to ban cryptocurrency advertising?  It may sound far fetched, but the US government even wanted to put tariffs on Canada during negotiations for NAFTA under the pretext of national security.

It is hard to say for sure what the truth is, but I’ll be following these lawsuits, as some of the truth may come out in the reply to the claim, discovery and other filings.  One thing I am sure of is that none of these companies came up with the idea of their own volition.  It would be another thing to prove which external force or entity is really responsible for this.  Financially it makes little sense, since they all stood to profit more from the increased advertising revenue, so it is very plausible that some other stakeholders made an offer they couldn’t refuse, whether in the form of enticement or of being obliged by law (even if falsely, under the pretext of national security).


My Take On Meltdown and Spectre Computer Security Flaws

Spectre and Meltdown allow a non-privileged user (non-root/non-Admin) to access memory they aren’t supposed to, essentially dissolving the majority of computing security and privacy barriers.  This could be a guest user collecting sensitive information/passwords for an entire database, group of users, network, etc.

If you are using any computing device, whether it be an ARM-based device, an Intel CPU (although Intel is the worst offender at this point) or an AMD CPU, this issue affects you and billions of other devices and users around the world.  Whether you are on Linux, Unix, Windows or Mac, this applies to you.  It is really an unmitigated scandal and disaster for privacy, security and even safety, with long-lasting and wide-ranging ramifications that will continue to play out for years.

I’ve made a comment in the past about security, IoT and how there are many devices that are now unsupported or can’t be updated, leading to huge security issues.  We are now unfortunately there, and have been since 1995.

This issue was first reported by Google Project Zero; the flaws are known as the Meltdown and Spectre vulnerabilities, and they affect all microprocessors made since 1995 (the modern computing era).

To make it worse there are 3 known “variants” or attack vectors (I suggest there may be more that are undisclosed or not yet known to the public), with variants 1 and 2 being very similar (known as Spectre) and variant 3 known as Meltdown.

  • Variant 1: bounds check bypass (CVE-2017-5753)
  • Variant 2: branch target injection (CVE-2017-5715)
  • Variant 3: rogue data cache load (CVE-2017-5754)

The attack is possible due to “speculative execution”, where CPUs (computer chips) essentially try to predict future work and will sometimes do work that turns out to be unneeded, because the performance cost of doing it is less than waiting to execute the instructions later.   This means the computer sometimes performs work that isn’t needed and isn’t used, all to increase performance.  Where things have gone bad is that, through this feature, it’s possible for a normal user/process to gain unrestricted access to memory it shouldn’t have access to.

What is Spectre?

The primary variants (1, 2) that make up Spectre rely on the user exploiting the speculative feature of the CPU to write to memory under their control.  This allows a normal user to read basically all memory of all processes, allowing keys, passwords and confidential data to be intercepted.  AMD claims that Variant #2 does not impact them either.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715

What is Meltdown?

Meltdown is the third, more serious and nasty variant; it still relies on the speculative execution flaw but actually allows the attacker to read arbitrary memory (so basically anywhere, at will).  The key feature of Meltdown is that it is the easiest attack to perform, and it has already been demonstrated on the Intel platform.

The only good news is that apparently the Meltdown attack only affects Intel and not AMD.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754

Red Hat has also done an excellent writeup about the issue here:

https://access.redhat.com/security/vulnerabilities/speculativeexecution

How To Protect Yourself

First and foremost, you should update your devices as soon as patches become available.  On Linux, enabling KPTI can protect you.   However, users of some major Linux distributions are still waiting for a patch.

If you are vulnerable and performing critical operations, it’s time to make tough choices, including possibly turning off your machines or denying all non-admin users access to a server/services if possible.

Ensuring rotation of keys and passwords can also mitigate your risk, even if passwords have already been compromised.

It comes down to good security practices all around, such as segregating services onto different physical machines and restricting physical and virtual user access.

If possible, remove all non-essential or untrusted applications from your device/computer/server.
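A small check for the Linux-side advice above, added here as an example and not code from the original post: it reads the status files the kernel exposes under /sys/devices/system/cpu/vulnerabilities (present since Linux 4.15; absent on older kernels) for the three variants named above, reports whether KPTI is the active Meltdown mitigation, and lists which variants still need action. The SAMPLE_STATUS lines are constructed for offline use.

```python
import os

# sysfs directory where Linux kernels (4.15 and later) report the status of
# each speculative-execution flaw; older kernels do not have it at all.
VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# The three variants named in the post, keyed by the kernel's file name.
FLAWS = {
    "spectre_v1": "Variant 1: bounds check bypass (CVE-2017-5753)",
    "spectre_v2": "Variant 2: branch target injection (CVE-2017-5715)",
    "meltdown": "Variant 3: rogue data cache load (CVE-2017-5754)",
}

# Constructed sample of the status lines, as they might appear on an Intel host
# with KPTI enabled but only a partial Spectre v2 mitigation (assumption).
SAMPLE_STATUS = {
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
    "meltdown": "Mitigation: PTI",
}


def classify(status):
    """Map one kernel status line to not_affected / mitigated / vulnerable / unknown."""
    if status is None:
        # File missing: the kernel predates the interface, so nothing confirms a fix.
        return "unknown"
    text = status.strip().lower()
    if text.startswith("not affected"):
        return "not_affected"
    if text.startswith("mitigation:"):
        return "mitigated"
    # "Vulnerable" or "Vulnerable: <partial measure>": still exposed.
    return "vulnerable"


def read_sysfs_status(vuln_dir=VULN_DIR):
    """Read the status line for each flaw from sysfs; None when the file is absent."""
    statuses = {}
    for name in FLAWS:
        try:
            with open(os.path.join(vuln_dir, name)) as fh:
                statuses[name] = fh.read().strip()
        except OSError:
            statuses[name] = None
    return statuses


def assess(statuses):
    """Classify every flaw, in the fixed order of FLAWS."""
    return {name: classify(statuses.get(name)) for name in FLAWS}


def needs_action(assessment):
    """Human-readable names of the flaws that are not confirmed mitigated."""
    return [FLAWS[name] for name, state in assessment.items()
            if state not in ("mitigated", "not_affected")]


def kpti_active(statuses):
    """True when the meltdown entry reports kernel page-table isolation."""
    status = statuses.get("meltdown") or ""
    return status.startswith("Mitigation: PTI")


if __name__ == "__main__":
    live = read_sysfs_status()
    if all(v is None for v in live.values()):
        print("No sysfs vulnerability entries found; showing the constructed sample.")
        live = SAMPLE_STATUS
    report = assess(live)
    for name, state in report.items():
        print(f"{FLAWS[name]:55s} {state:13s} ({live[name] or 'no sysfs entry'})")
    print("KPTI active:", kpti_active(live))
    for flaw in needs_action(report):
        print("ACTION NEEDED:", flaw)
```

A missing file is reported as unknown rather than safe, because an old kernel that cannot report its status is exactly the "still waiting for a patch" case described above.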

Dedicated Servers Will Become More Popular

There has been a huge trend to put everything into the Cloud, one that I have reservations about despite owning companies that offer our own private Cloud.

Fortunately we haven’t been impacted by Spectre and Meltdown and are not vulnerable, but it does raise the questions from our clients that we’ve mentioned before.

I’ve always advocated for physical segregation, which means that if possible you should have your own physical dedicated server that is encrypted and running a minimum set of services with as few users as possible.  By putting your company database, e-mail, VPN, websites and file server on physically different servers, you significantly reduce your risk in a scenario like this.

Serious Questions and Concerns Raised

I would raise the question: is it really possible that such a wide-ranging exploit was completely unknown for this long, until a team from Google discovered it?  Considering the budgets of major intelligence agencies around the world, who are constantly looking to find exploits of their own, it is conceivable that this vulnerability may have been exploited by specific groups for far longer than it was publicly known.

Another is Intel’s response, in which it has apparently been accused of singling out AMD when, as of now, Intel is far more vulnerable.

Since these chip makers are all US based, is it possible they were mandated by law to introduce speculative execution in such a similar way that this vulnerability would be possible?  Considering recent revelations, I don’t think it would be inconceivable.

Are there more than 3 variants? And if we assume that no one else really knew about Variants 1-3, is it not possible that a well-armed team could find new ways to exploit them?

Long-term Value for Intel, AMD and ARM

At the time of writing Intel’s stock was down about 3%, but this could get worse for any of these companies if their vulnerabilities keep increasing and/or one of them is hit with a larger exploit.

Conclusion

It’s hard to give an honest conclusion, as we’re just getting started and this is all we know about Variants 1 and 2 (Spectre) and Meltdown.  So far it looks like we were lucky to choose AMD.  The key issue that will come out of this is how many devices and users will remain vulnerable by being unable to patch, or because they have a device that cannot be easily patched or is no longer supported by the vendor.  This would increase the number of zombies and data security breaches several fold.

This is also a good time, and a wake-up call, for all companies to do a security audit and, if they don’t have dedicated security staff, to bring in some good IT and security auditors to assess and mitigate these risks before they become costly losses.

Losing Chinese Business Because of 2 Simple Mistakes

This is not an article about the market conditions in China but more about a practical reality that I think most people and businesses have not considered. If you read the news you’ll feel the first impediment to business in China is going to be regulations, or that your website may be blocked by the GFW (Great Firewall of China). However, in practical terms this is something you’ll almost never encounter. There are, however, 2 simple but huge, crucial and critical mistakes that most businesses make when trying to attract prospective Chinese customers for overseas or cross-border e-Commerce.

#1 Common Mistake That Guarantees No Customers From China Will Ever Reach Your Site
Everyone knows Google has extensive reach in various online services and platforms, including search, but their reach goes farther in a very harmful way for anyone trying to get Chinese visitors to their website. This issue applies to almost any user in China, whether they are a local or a foreigner, and whether you are hosting in China, Hong Kong or anywhere outside. This problem can only be resolved by an experienced web developer or team and is a mistake MOST developers unknowingly make.

This little mistake comes from the fonts specified in CSS (Cascading Style Sheets), which are used to style and/or lay out all websites on the internet. CSS itself is not the problem; the problem is that a lot of designers use “Google Font APIs” from googleapis.com. This is a bad idea in my opinion, the main reason being that you rely on an outside third party to make sure your website loads. If the remotely hosted fonts cannot be loaded due to a change in location, or the server goes down, your website will not load. In the case of China, on virtually all consumer-grade connections “googleapis.com” is blocked; this means the third-party font server is as good as down, and your website WILL not load in China because of it.

Essentially what this means is that any website using Google Font APIs will not work in China, no matter where it is hosted. The solution is to edit your CSS code and use alternative fonts, or to manually download the .ttf files and edit your .css files to serve them yourself.
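A script for the fix just described, added here as an example and not code from the original post: it scans a stylesheet for @import and url() references to googleapis.com or gstatic.com, extracts the font families requested from the Google Fonts URL, drops those imports and prepends self-hosted @font-face rules pointing at local .ttf files. The SAMPLE_CSS is constructed; the font directory and .ttf file names are assumptions, and the .ttf files themselves still have to be downloaded and placed there.

```python
import re
from urllib.parse import urlparse, parse_qs

# Font hosts the post describes as blocked on consumer connections in China.
# A stylesheet that depends on them never finishes loading there.
BLOCKED_FONT_HOSTS = ("googleapis.com", "gstatic.com")

# @import of a remote stylesheet, with or without url(); captures the URL.
IMPORT_RE = re.compile(
    r"""@import\s+(?:url\()?\s*['"]?(?P<url>https?://[^'")\s;]+)['"]?\s*\)?[^;]*;""",
    re.IGNORECASE,
)
# Any url(...) reference to a remote resource, e.g. inside an existing @font-face src.
URL_RE = re.compile(r"""url\(\s*['"]?(?P<url>https?://[^'")\s]+)['"]?\s*\)""", re.IGNORECASE)

# Constructed sample stylesheet of the kind the post warns about.
SAMPLE_CSS = (
    "@import url('https://fonts.googleapis.com/css?family=Open+Sans:400,700|Roboto');\n"
    "body { font-family: 'Open Sans', sans-serif; }\n"
    "h1 { font-family: Roboto, sans-serif; }\n"
)


def is_blocked(url):
    """True when the URL's host is one of the blocked font hosts or a subdomain of one."""
    host = urlparse(url).netloc.lower()
    return any(host == h or host.endswith("." + h) for h in BLOCKED_FONT_HOSTS)


def find_remote_font_refs(css):
    """Every remote URL in the stylesheet that points at a blocked host (sorted, deduplicated)."""
    urls = [m.group("url") for m in IMPORT_RE.finditer(css)]
    urls += [m.group("url") for m in URL_RE.finditer(css)]
    return sorted({u for u in urls if is_blocked(u)})


def families_from_google_import(url):
    """Font family names requested by a fonts.googleapis.com css or css2 URL, in order."""
    families = []
    for value in parse_qs(urlparse(url).query).get("family", []):
        for spec in value.split("|"):          # css?family=A:400,700|B
            name = spec.split(":")[0].strip()  # drop the weight/style suffix
            if name and name not in families:
                families.append(name)
    return families


def font_face_block(family, font_dir):
    """A self-hosted @font-face rule; the .ttf must exist at that path (assumption)."""
    fname = family.lower().replace(" ", "-") + ".ttf"
    return (
        "@font-face {\n"
        f'  font-family: "{family}";\n'
        f'  src: url("{font_dir}/{fname}") format("truetype");\n'
        "  font-display: swap;\n"
        "}\n"
    )


def rewrite_css(css, font_dir="/fonts"):
    """Drop @imports that hit blocked hosts and prepend local @font-face rules for their families."""
    families = []

    def strip_if_blocked(match):
        url = match.group("url")
        if not is_blocked(url):
            return match.group(0)          # leave unrelated imports untouched
        for fam in families_from_google_import(url):
            if fam not in families:
                families.append(fam)
        return ""                          # remove the blocked import entirely

    stripped = IMPORT_RE.sub(strip_if_blocked, css)
    header = "".join(font_face_block(f, font_dir) for f in families)
    return header + stripped.lstrip("\n")


if __name__ == "__main__":
    print("Blocked references:", find_remote_font_refs(SAMPLE_CSS))
    print(rewrite_css(SAMPLE_CSS))
```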

#2 Hosting your site outside of Mainland China or Hong Kong is too slow
For those who have ever visited China, loading sites hosted abroad, such as in the US or, even worse, in Europe, is a very difficult hit-and-miss experience. While most sites are actually not blocked by the GFW, a good portion of sites and services are unusable due to poor connectivity between China and a lot of ISPs. This can be solved somewhat with the premium bandwidth that we use in China, but really the best solution is to host your site in Mainland China or Hong Kong.

For those familiar with China, you will know that you need an ICP license from the Ministry of IT. This is not a problem if you have a presence in China or a friend who can help. But really the only legal way is to get a proper ICP license, which means one based on your business and not a personal ICP (we have seen these revoked for misuse). To make it short, if you don’t have an ICP in China your site will not work and will be blocked. So hosting your website in China is only an option if you have an ICP license.

The next best thing is premium bandwidth from Hong Kong with direct China connectivity, which is almost as good as being in Mainland China. But note the “Premium Bandwidth” and “Direct China Connectivity”, because only some providers have this. Bandwidth is very expensive in Hong Kong, and the only way providers can save money is by buying non-premium bandwidth that routes all China traffic through the USA. For cost it makes sense for those providers, but for you, the end user and business who wants to have Chinese customers, it doesn’t make sense unless you have direct China peering/connectivity. If you have a good connection to China from Hong Kong, then users can essentially expect your site to perform as if it’s in Mainland China; in fact most users will probably feel it is located in China because of the low latency and fast response. In Hong Kong there is no requirement for an ICP license, so this is really the best method for those who can’t get the ICP license in China.

Don’t Lose Out
For companies who have targeted the Chinese market and have attempted to drive traffic to their own website or a third-party portal: if you haven’t received the response you expected, the above could very well be why you have no Chinese customers. In another blog post I will show a few technical examples of how to fix it and still use Google Font APIs, although the easiest, quickest fix is to stop using them.

Google Pixel 2 for Business Use?

Source http://areebyasir.com/?p=218

I have to start off by saying I am surprised at the specs, or lack of them. Right out of the box I wouldn’t buy one, because there is no value there and no compelling features over the average phone. The entry level 5″ model comes in at $899 and the XL 6″ at $1159 USD. What is especially disappointing is the lackluster 4GB of RAM in both models; this is quite shocking for a flagship phone. I would say it is a low-end phone in terms of RAM, which is a big deal to me and, I think, to most people. If you don’t have enough RAM your apps will slow down and start swapping. There is also nothing that I see as groundbreaking in this phone compared to the iPhone-X.

If this phone came in at a budget price I’d say it would be a good value, but like many, I am comparing it against flagship Chinese phones such as my OnePlus 5 that I recently bought. In comparison my OnePlus 5 came in at $540 USD and has 8GB of RAM, 128GB of storage and a dual-SIM slot (very handy when traveling abroad/on business).

I think Google is going to be creating more work for itself, and it needs to decide if it’s competing against OnePlus or Apple, because those are very different market segments, and this phone fits into the middle of the pack in terms of specs but at a premium price. It just doesn’t make sense, because these phones don’t carry any prestige the way a Samsung or Apple would.

I’m sorry for not going into more depth, but for the way I purchase I had to stop at the 4GB of RAM; I cannot believe any 2017 flagship phone would have so little memory.
The Pixel 2 looks like a good phone, but it is overpriced and under-spec’d. Usually I say specs are not an issue, but at that price point they certainly are, and I’d say the iPhone-X is the better value. Think of it this way: you could almost buy 2 OnePlus 5’s with 8GB of RAM for the price of one Pixel 2.

Decentralized Search Engines to Rival Google Based on Blockchain from Bitclave

I haven’t covered it in my blog here, but many know the blockchain technology made popular by Bitcoin has other possibilities, such as sharing data, files, etc., and one of the latest manifestations is the “Bitclave” project. The website doesn’t detail some of these things, but here is what I gather (I apologize if it’s not 100% accurate); this is how I break it down:

#1) Bitclave is a decentralized search engine based on blockchain technology.
#2) Bitclave has CAT, which is its own cryptocurrency based on the same blockchain, meant to be used as currency.
#3) Bitclave is unique in that, unlike the current big search engines, they will not be freely selling your information to benefit unknown third parties.
#4) Bitclave is not only a decentralized search engine and currency; it also rewards you for engaging with particular companies and offers. If you want to buy a car or house, for example, you are rewarded with some CAT currency for engaging with particular offers (even if you don’t buy).
#5) Your information is under your control and completely private, so you can choose when and how to sell it, potentially for big money, to third parties.

I’m going to go into some of the pros and cons that I see.
Pros
First and foremost, this is an exciting project on its own due to the decentralized aspect of the search engine. It takes it one step further by giving the user control over their private search/marketing data and even lets them directly profit from it in ways that are under their control.

It could also revolutionize business if things are done this way, under a mutual benefit between business and user. In fact, if executed properly, it could end or significantly change the internet business and search model as it exists now with the big engines and social sites.

Cons

However, the Bitclave team would still largely retain certain controls, just as the developers of any blockchain do, which makes some aspects only as trustworthy as the team itself is capable and trustworthy.

It is theoretically possible that the business model above could turn biased in a somewhat similar way to how the mega search engines have done things, where the rules are constantly changing for the benefit of a few. However, this is not likely in the near future, since Bitclave needs to prove itself and gain the trust of both users and business.

Another big concern, which is still a concern for the mega engines, is how spam, hateful, defamatory and other harmful material would be handled. It is great to be free and decentralized, but there needs to be some legal or other mechanism to prevent abuse of such a powerful search engine. It’s definitely worth checking out to see how things play out.

Conclusion
I am very excited about this project. It is more commercialized than I expected and could not be considered entirely open source or community based, but I’m OK with that: as long as it is executed as envisioned, it will have a massive and positive impact on the internet which benefits the majority.

Good luck to the Bitclave team; they could be making serious history in blockchain, search and online commerce!