OMG we appear to have entered a run for MS…

We are team MEEP – as that is the noise Beaker the cockatiel, our team mascot, makes. Stewart is going for 10 km, Leah is planning for 5 km … and Beaker will enjoy having two tired people to sit on afterwards. :)

We are taking part in the 2013 MS Walk and Fun Run in order to raise funds for people affected by multiple sclerosis (MS). MS is the most common disease of the central nervous system and affects more than 23,000 Australians.

Did you know?

  • The average age of diagnosis of MS is just 30 years
  • MS affects three times as many women as men

MS Australia aims to minimize the impact of multiple sclerosis on all individuals affected by the disease, as well as their families, carers and the community, by offering a wide range of services, equipment and support. MS Australia’s goal is to assist everyone affected by MS to live life to their fullest potential and secure the care and support they need, until we ultimately find a cure.

You can sponsor us here: http://register.mswalk.org.au/2013-MS-Walk-and-Fun-Run-Melbourne/Meep

The Age (Fairfax) picks up on Telstra NextG ‘stalking’

http://www.theage.com.au/technology/technology-news/telstra-accused-of-next-g-web-stalking-20120705-21ivs.html

It took a while, but it’s there. There is a mention of Netsweeper and that they provide products and services to Yemen, Qatar and the United Arab Emirates but it misses what these products are really for.

Not a good week for Telstra and privacy

The Office of the Australian Information Commissioner just posted this: http://www.oaic.gov.au/news/media_releases/media_release_120629_telstra_breaches_privacy_act.html

This isn’t to do with what I’ve posted about here the past few days, but to do with an incident back in December 2011. The details of 734,000 customers were available publicly on the Internet.

Details exposed include:

  • Name
  • phone numbers
  • Services held
  • free text field (where information such as username, password, email or other information could be recorded)

The ACMA report says that up to 41,000 customers had their user names and passwords exposed.

So… who had access? I quote from the ACMA report:

Between 3 June 2011 and 8 December 2011, the Visibility Tool received 108 access requests per day from unrecognised IP addresses (IP addresses that cannot be conclusively identified as Telstra IP addresses). On the day of the media publication, this number increased to 20,498 access requests.

The information was available from 29th March 2011 through 9th December 2011, and from a date in October it became easier to access (via a Google search).

Unfortunately this is yet another case of internal procedures failing and being inadequate and only when the issue was raised publicly (in Whirlpool and the media) was it swiftly fixed.

It can be hard for a person inside a company to speak up, continue to speak up and be an asshole on these issues. It’s just human nature and after all, annoying your boss isn’t what everybody wants to do all day at work. I hope that the improvements that Telstra has committed to as a result of this investigation make it easier for people to raise such problems and ensure they are resolved.

Achieving things inside large companies can be incredibly hard. I have sometimes felt I’ve had more success trying to convince a dead seal to go for a walk than to get a large company to fix something that’s obviously broken (and everybody knows it). Undoubtedly there were people inside Telstra who knew about the problem yet felt powerless to force a fix to happen. This kind of culture is poisonous and tricky to avoid in a large organisation.

Both ACMA (Australian Communications and Media Authority) and OAIC have full reports:

If we extrapolate out for the latest incident (NextG and Netsweeper) we could expect:

  • Telstra Incident report in ~2 months
  • If ACMA or OAIC take action, a report in ~6 months


Telstra has a database of your NextG web activity

So, in what must be my biggest blog day ever, Telstra posted this: http://exchange.telstra.com.au/2012/06/28/further-update-telstra-smart-controls-cyber-safety-tool/

What is clear from their previous post and the pickup in the media (including ABC, Crikey and news.com.au) is that people care about this, a lot.

What is also clear is that they’ve had to go and talk to the Privacy Commissioner, the Australian Communication and Media Authority, the Telecommunications Industry Ombudsman and the Australian Communications Consumer Action Network.

I’d like to thank Senator Ludlam for raising this with Telstra government affairs which without a doubt helped raise the profile of this issue.

There are a couple of issues with Telstra’s updated statement:

  1. They admit to constructing a database with your full query string and IP address
  2. They don’t address the moral issue of being involved with a company so involved in curtailing human rights (Netsweeper).
  3. Just stripping out the query string doesn’t erase all personal information

I don’t think we can ignore any of these problems, and I hope we get good responses and resolutions to them.

The significance of point 1 should not be understated. This means that some people, somewhere, have access to a decent amount of your browsing history. There is no details on who has access to this (hint: law enforcement could probably request it). There is also no explanation about why this was applied to everyone.

Update: after rereading their blog post, at best I can say it’s ambiguous on if they stored this or not. One sentence implies that they do, another implies that they don’t. Clarification would be most welcome, and given the history so far, we should not assume the best.

Personally, I’m really disappointed in Telstra for at any point thinking it’s okay to finance human rights abuses. I’m also really disappointed in world governments for permitting the sale of such software to those who use it to oppress their people. We should be in the business of exporting freedom and democracy, not exporting tyranny and oppression.

If you have a NextG handset, I strongly suggest the following:

Tor + Firefox + Twitter + (not rooted) Android = awesome

This is actually pretty simple to get going once you know how. This is a short “HOWTO use Tor on Android”

Basic problem: I want to use Tor on my phone. If you’re wondering why, perhaps my previous posts on Telstra and what they do to your traffic may be a good hint.

First of all, you’re going to want to install OrBot. It’s available from the Google Play store. There is absolutely no harm in leaving this running all the time in the background. I have found it to have zero impact on battery life of my phone (the Battery thing in settings doesn’t show OrBot at all).

With OrBot running, you now have an HTTP proxy and a SOCKS proxy available on your phone. This means you can set any app that can use an HTTP or SOCKS proxy to do its Internet access through Tor instead of directly through your Wifi or cellular network.

The Twitter client wonderfully has built-in support for using an HTTP proxy. You just need to go into the Twitter app’s Settings, click “Enable HTTP Proxy”, and set “Proxy Host” to localhost and “Proxy Port” to 8118. You are now done. You can test this by disabling OrBot and then trying to refresh your Twitter stream. If it doesn’t work, then Twitter is trying to use the (not running) Tor proxy. Re-enable OrBot to be able to use your Twitter client. This “just works”.

There is pretty much no excuse not to have your phone Twitter client go through Tor. We all know that Twitter gets all sorts of legal queries for information about users. We also know that they’ve been fairly good about it, and indeed hats off to Twitter for being awesome. But… guess what? We can just ensure they don’t have any information worth handing over :)

Next step… Web Browsing. The Firefox Beta is pretty awesome. It’s fast and usable (which is exactly what you want in a web browser). This may also work with the standard Firefox browser (I’m not sure when they’ve updated it to be on par with the Firefox Beta version I’ve been using).

There is no place to specify proxy settings in the normal UI (I do hope Mozilla add this). But not to worry, Firefox on Android is built on the same base as Firefox on the desktop, so it does support it (there just isn’t a good UI).

What you need to do is go to the URL bar and go to “about:config”. This shows every little thing you can tweak in Firefox (a lot). Luckily, there’s a search bar. Search for “proxy” and modify the following settings to the following values (the = sign means “click modify and enter the value after the =”):

  • network.proxy.http = 127.0.0.1
  • network.proxy.http_port = 8118
  • network.proxy.socks = 127.0.0.1
  • network.proxy.socks_port = 9050
  • network.proxy.ssl = 127.0.0.1
  • network.proxy.ssl_port = 8118
  • network.proxy.type = 1
  • UPDATED: network.proxy.socks_remote_dns = true (click “toggle”)

Then head to http://check.torproject.org to check that it’s working!
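The socks_remote_dns setting added in the update is the one that is easy to get wrong, and the difference is visible on the wire. The block below is an added example (not code from the post, from Mozilla or from the Tor project): it builds the SOCKS5 CONNECT request a client sends to the Tor SOCKS port with and without remote DNS, so you can see that with the setting off the hostname never reaches Tor because the phone has already resolved it through the carrier’s DNS, and it checks a prefs.js fragment against the about:config values listed above. The FAKE_DNS table, the prefs.js fragment and the TEST-NET address are constructed for the demo.

```python
"""What network.proxy.socks_remote_dns changes on the wire, plus a check of the
proxy settings listed in the post.  Added example, not code from the blog; the
prefs.js fragment and the fake DNS table are constructed."""
import re
import socket
import struct

SOCKS5, CMD_CONNECT = 0x05, 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03

# Constructed lookup table standing in for the carrier's DNS (TEST-NET-1 address).
FAKE_DNS = {"check.torproject.org": "192.0.2.7"}


def build_connect(host, port, remote_dns, resolver=FAKE_DNS.__getitem__):
    """SOCKS5 CONNECT request (RFC 1928 section 4) as a client like Firefox sends it.
    remote_dns=True puts the hostname in the request (ATYP 0x03) so the Tor client
    resolves it; False resolves locally first and sends the IPv4 (ATYP 0x01), which
    means a plaintext DNS query has already left the phone via the carrier."""
    if remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for ATYP 0x03")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(resolver(host))
    return bytes([SOCKS5, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def describe_connect(req):
    """Decode a CONNECT request and report whether the name was resolved locally."""
    if req[0] != SOCKS5 or req[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_DOMAIN:
        n = req[4]
        target = req[5:5 + n].decode("idna")
        (port,) = struct.unpack("!H", req[5 + n:7 + n])
        return {"atyp": "domain", "target": target, "port": port, "local_dns": False}
    if atyp == ATYP_IPV4:
        target = socket.inet_ntoa(req[4:8])
        (port,) = struct.unpack("!H", req[8:10])
        return {"atyp": "ipv4", "target": target, "port": port, "local_dns": True}
    raise ValueError("unsupported ATYP 0x%02x" % atyp)


# The values from the post's about:config list, as they appear in prefs.js/user.js.
TOR_PREFS = {
    "network.proxy.type": "1",
    "network.proxy.http": "127.0.0.1", "network.proxy.http_port": "8118",
    "network.proxy.ssl": "127.0.0.1", "network.proxy.ssl_port": "8118",
    "network.proxy.socks": "127.0.0.1", "network.proxy.socks_port": "9050",
    "network.proxy.socks_remote_dns": "true",
}
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*"?([^")]*)"?\);')


def check_prefs(prefs_js):
    """Compare a prefs.js fragment with TOR_PREFS; return a list of problems."""
    got = dict(PREF_RE.findall(prefs_js))
    problems = []
    for key, want in TOR_PREFS.items():
        have = got.get(key)
        if have is None:
            problems.append("%s is not set (Firefox default applies)" % key)
        elif have != want:
            problems.append("%s is %s, expected %s" % (key, have, want))
    return problems


# Constructed prefs.js fragment: the post's settings with socks_remote_dns
# still false, i.e. SOCKS targets are resolved by the phone, not by Tor.
LEAKY_PREFS = """\
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8118);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", 8118);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9050);
user_pref("network.proxy.socks_remote_dns", false);
"""
FIXED_PREFS = LEAKY_PREFS.replace("false);", "true);")

if __name__ == "__main__":
    for remote in (False, True):
        req = build_connect("check.torproject.org", 80, remote)
        print("socks_remote_dns=%s -> %s" % (remote, describe_connect(req)))
    print("problems:", check_prefs(LEAKY_PREFS) or "none")
    print("problems after fix:", check_prefs(FIXED_PREFS) or "none")
```

Note that the HTTP and SSL proxies in the list point at port 8118 (the HTTP proxy OrBot provides), so only apps that speak SOCKS directly are affected by socks_remote_dns; Firefox uses the SOCKS proxy for anything not covered by the http/ssl entries, which is why the update matters.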

This doesn’t provide you with all the features and benefits of using the TorButton in desktop Firefox, but it will stop your mobile phone provider spying on all the web sites you visit (unless they break into your phone itself).

Luckily, Android is fairly awesome and whenever you try to open a URL it can ask you what program you want to use to do that with. Guess what? Just select the Firefox you configured with Tor to open it and you’re browsing through Tor. Brilliant and easy with no need to go and “root your phone” or anything else that may turn people off from doing so.

Update: Thanks should also go to François Marier for his site that helped me get this right: http://feeding.cloud.geek.nz/2012/06/browsing-privacy-and-ad-blocking-on.html

Update: Added setting of socks_remote_dns

Telstra stops tracking, still supporting Netsweeper

http://www.zdnet.com.au/telstra-halts-customer-tracking-339340404.htm

The big news:

“We are stopping all collection of website addresses for the development of this new product,” Telstra said in a statement.

This does not change their association (and presumed financial support) of Netsweeper, helping make its technology affordable to its government customers who use it to suppress free speech and access to information.

See also:

Telstra funding censorship in Middle East

This post inspired by https://twitter.com/BernardKeane/status/217535549731389440

So, we know that Netsweeper is used by Telstra - http://www.zdnet.com.au/telstra-logs-customer-history-for-new-filter-339340337.htm

We know that Netsweeper is used in Qatar, the UAE and Yemen ( http://en.wikipedia.org/wiki/Internet_censorship - see also http://www.guelphmercury.com/news/local/article/577673–aiding-repression-or-just-doing-business ) and these states use it to suppress free speech and access to information.

The majority of countries that implement suppression of free speech on the internet could not afford the high cost of developing such software. The only thing that makes it possible is the subsidies from companies in the free world. With Telstra using Netsweeper, they directly contribute to the development costs of this software.

In years gone past free speech was suppressed by members of secret police and guns. Now you can do a lot of that with software. Software that is made affordable because the development costs are shared with companies such as Telstra.

See also my last two posts on the topic:

An update on Telstra’s surveillance of what you do online

http://www.scmagazine.com.au/News/306441,telstra-tracks-users-to-build-web-filter.aspx

I’d suggest going and reading: http://arstechnica.com/tech-policy/2009/09/your-secrets-live-online-in-databases-of-ruin/ to learn a bit about anonymization failures.

What we know:

  1. Telstra has the ability to monitor every URL you visit on a NextG connection
  2. Telstra is, in fact, monitoring every URL you visit through your NextG connection and piping that to some computer system that then takes action on it.
  3. None of this was disclosed to customers.
  4. Telstra is building a system for censorship.

What we don’t know:

  1. If this is a violation of any Australian privacy law (I’m not a lawyer)
  2. Who else has access to this “anonymised” data (hellooo US legal system)
  3. What universal surveillance infrastructure they have running

Update: this is a followup from yesterday’s post: http://www.flamingspork.com/blog/2012/06/25/on-telstra-tracking-nextg-http-requests/

On Telstra tracking NextG HTTP requests

http://lists.ausnog.net/pipermail/ausnog/2012-June/013833.html and http://www.scmagazine.com.au/News/305928,telstra-says-its-not-spying-on-users.aspx were recently published saying that Telstra NextG users were seeing some interesting things. (Yes, there’s a Whirlpool post too, but since they block requests from Tor I’m not going to link to them)

Basically, on their servers they were seeing HTTP requests to the same URL as they had just visited with their phone, but from an IP address that certainly wasn’t their phone.

I started to investigate.

I put up a simple HTML page on a standard HTTP server and then got a NextG device to query it. I saw a log that came from a TELSTRA owned block of IPs. I didn’t see any suspicious second request though. Sadness.

Turns out you have to request the URL twice to get this other request. It is after this second request that you get a query from a Rackspace/Slicehost IP (cloud provider, so it is unlikely Rackspace itself is involved any more than as a Cloud provider) with the same URL (although via HTTP/1.0 instead of 1.1). On a subsequent request, I didn’t see a corresponding one from this IP. Also, when accessing this URL from a different NextG device, I did not see a request from the Rackspace/Slicehost IP block.

If I change the content of the file and try to fetch again, it doesn’t download it anew. This suggests that there is no inspection of the content of what’s coming back from the HTTP server.

The User Agent pretends to be Firefox running on Windows. I have not yet found out anything specific about it.
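The observation above (a repeat request for the same URL, from an address outside the client’s range, over HTTP/1.0 and with a desktop browser user agent) is something a server owner can look for in their own access log. The block below is an added example, not code from the post: it parses combined-format log lines and flags any request from outside an expected client range that repeats a path a client fetched shortly before, reporting the delay, how many client fetches preceded it, the HTTP version and the user agent. The log lines and the client address range (TEST-NET addresses) are constructed.

```python
"""Detect a 'shadow fetch' in a web server log: the same URL requested by an
IP outside the expected client range shortly after a known client fetched it.
Added example, not code from the blog; the log lines are constructed."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) '
    r'HTTP/(?P<ver>[\d.]+)" (?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed: the address range the test device is expected to come from
# (TEST-NET-3 here; in practice the carrier's published ranges).
CLIENT_NETS = [ip_network("203.0.113.0/24")]

# Constructed sample log: a phone fetches a secret URL twice, then an unrelated
# host repeats the fetch over HTTP/1.0 with a desktop-Firefox user agent.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Jun/2012:20:01:03 +1000] "GET /private-abc123.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 4.0; Galaxy Nexus) AppleWebKit/535.19"
203.0.113.10 - - [25/Jun/2012:20:01:40 +1000] "GET /private-abc123.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 4.0; Galaxy Nexus) AppleWebKit/535.19"
198.51.100.77 - - [25/Jun/2012:20:01:52 +1000] "GET /private-abc123.html HTTP/1.0" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0.1"
203.0.113.10 - - [25/Jun/2012:20:05:00 +1000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Linux; Android 4.0; Galaxy Nexus) AppleWebKit/535.19"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["ts"] = datetime.strptime(row["ts"], TS_FMT)
        row["ip"] = ip_address(row["ip"])
        rows.append(row)
    return rows


def is_client(ip):
    return any(ip in net for net in CLIENT_NETS)


def find_shadow_fetches(rows, window=timedelta(minutes=5)):
    """Return one dict per request from outside CLIENT_NETS that repeats a path a
    client fetched within `window` before it.  `prior_client_fetches` records how
    many client requests to that path preceded the shadow request."""
    hits = []
    seen = {}  # path -> earlier requests, in time order
    for r in sorted(rows, key=lambda x: x["ts"]):
        prior = seen.setdefault(r["path"], [])
        if not is_client(r["ip"]):
            for p in reversed(prior):  # most recent client fetch first
                if is_client(p["ip"]) and r["ts"] - p["ts"] <= window:
                    hits.append({
                        "path": r["path"],
                        "client_ip": str(p["ip"]),
                        "shadow_ip": str(r["ip"]),
                        "delay_s": int((r["ts"] - p["ts"]).total_seconds()),
                        "http_version": r["ver"],
                        "user_agent": r["ua"],
                        "prior_client_fetches": sum(is_client(q["ip"]) for q in prior),
                    })
                    break
        prior.append(r)
    return hits


if __name__ == "__main__":
    for h in find_shadow_fetches(parse_log(SAMPLE_LOG)):
        print("%(path)s fetched by %(shadow_ip)s %(delay_s)ds after %(client_ip)s "
              "(after %(prior_client_fetches)d client fetches, HTTP/%(http_version)s, "
              "UA %(user_agent)r)" % h)
```

Run against a real log, the interesting cases are hits where the path is one nobody was told about; the HTTP version and user agent in each hit are what let you tell a crawler that found a link apart from a system echoing requests it saw in transit.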

What can we learn from this?

  1. If you think that putting a URL up and only telling 1 person about it is private you are very, very, very much mistaken
  2. Telstra is quite possibly spying on you, from servers in the USA, which is under a different set of laws than if it was done in Australia.
  3. Telstra is sending what websites you visit on your NextG connection to the USA. If you are at all involved in anything that may make the US government unhappy (e.g. disagreeing with it) this may have interesting implications. Further research is needed as to what exactly
  4. Telstra keeps a record of all URLs as otherwise it could not implement “on the second request”
  5. The iPhone needs Tor more than ever and it needs it on a system level.

Update: I have been pointed to http://v3.mike.tig.as/onionbrowser/ which is an Open Source Web Browser that uses Tor on iOS.

Update: http://www.flamingspork.com/blog/2012/06/26/an-update-on-telstras-surveillance-of-what-you-do-online/

There is a story….

I have a friend who is fond of telling a story from way back in November 2008 at the OpenSQL camp in Charlottesville, Virginia. This was relatively shortly after we had announced to the public that we’d started something called Drizzle (we did that at OSCON) and was even closer to the date I started working on Drizzle full time (which was November 1st). Compared to what it is now, the Drizzle code base was in its infancy. One of the things we hadn’t yet sorted out was the rewrite of the replication code.

So, I had my laptop plugged into a projector, and somebody suggested opening up some random source file… so I did. It was a bit of the replication code that we’d inherited from MySQL. Immediately we spotted a bug. In fact, between myself and Brian I think we worked out that none of the error handling in this code path ever even remotely worked.

Fast forward a bunch of years, and recently I had part of the replication code in MySQL 5.5 open and (again) instantly spotted a bug. Well.. the code is correct in 2 out of 3 situations…

It is rather impressive that the MySQL Replication team has managed to add the features they have in MySQL 5.6.

I’m also really happy with what we managed to do inside Drizzle for replication. Ripping out all the MySQL legacy code was a big step to take, and for a while it seemed like possibly the wrong one - but ultimately, it was incredibly the right thing to do. I love going and looking at the Drizzle replication code. I simply love it.

Espresso

Many people may know that I’m a bit of a coffee fan. I do quite like a good espresso. These are, unfortunately, more rare than I would like. I know, I live in Melbourne, the average coffee quality is pretty damn high… but still, perhaps I’m just a bit of a coffee snob (oh wait, that’s where I buy my beans from).

This is a photo of the espresso I got at a place near Leah’s work the other week.


Big Day Out 2011

Yesterday, I headed to the Big Day Out in Melbourne with Leah, Hayden and Michael. This is after Leah and I had spent the last week at linux.conf.au – which (as anyone who’s ever been knows) is wonderful and tiring. I am amazed that this conference has continued to be so incredibly awesome and am still amazed that I speak at it and that my talks are often well received.

Leah @ Big Day Out

Hayden and Michael at BDO

First off we managed to see the Deftones. Somebody seriously needed smacking around the head with the levels… it just didn’t quite sound right. I do like the Deftones though, and was glad to catch them.

By this time in the day, it was making days on the playa seem like child’s play. Lots of water and really quite warm. Out of 52,000 at BDO this year, 1000 were treated for dehydration. I think there needs to be giant “Piss Clear” signs here too.

I managed to see Paul Dempsey, who I’ve seen solo once before playing Something For Kate material several years ago now – and it was truly one of the most awesome shows I’ve seen. I really enjoyed his performance at BDO and he certainly has to be one of my most favourite male vocalists.

Paul Dempsey

Next up? Wolfmother! That’s right kids, I missed half of Iggy and the Stooges to see Wolfmother. They didn’t disappoint – it was rather awesome and sooo totally nearly ditched everyone in the shade to run in jumping about.

Wolfmother

Iggy and the Stooges (well, the last half). I want to be doing this when I’m 63. Seriously. One year Hayden said that Iggy Pop was the best act he saw… and I can believe it. Again, awesome.

Iggy

Then it did get explodingly awesome. Yes, this means Rammstein.

Rammstein

There should certainly be more bands using explosions as instruments and, midway through, firing a flamethrower high enough so that shorter people in the middle of the crowd can see it – how considerate! The heat from the fire could be felt from where we were – AWESOME.

Finally….. Tool.

Tool

I saw them last time they were at Big Day Out (and when they played in Melbourne the next week). I’m doing the same this time around. I think finishing with Stinkfist gave a lovely end to the night – and loved how the crowd was right into Aenima. I cannot wait to see them on Wednesday night.

Rackspace Rookie-O (in Hong Kong!)

I’d meant to finish writing this way back in July… but I failed at that. Now is a good time to talk about Rookie-O as my again new colleague Andrew Hutchings (Buy his and Sergei’s book on MySQL 5.1 Plugin Development!) just went through the same thing (but in London instead of Hong Kong) given by the same trainer (Hi Eddie!).

Rackspace is the second employer I’ve had that has some kind of new hire training (the first being Sun). I am, of course, not quite counting Salmiakki as new-hire training for MySQL (although I probably should). To quote from the Wikipedia article: “Although the rumor of the heart attack was a hoax, the drink may still cause harm. The strong flavor almost completely masks the presence of ethanol, and the drinker may not realize he is consuming a drink almost 40% alcohol by volume (80-proof), leading to possible alcohol poisoning.” A promising introduction to the company.

Monty, Mårten and Kaj with Salmiakki singing Helan Går at the MySQL User Conference Japan in 2007

I could possibly say something about the Sun New-Hire training… but I’m just trying to find something positive to say – and I can’t. I got a bit of hacking done? Seriously.

Actually coordinating a time to attend a Rookie-O (Rookie Orientation, the Rackspace name for new hire training) was rather tricky. There was one right before the MySQL User Conference back in April (not the best of timing), one during an upcoming team meeting (again, not ideal) and one that got organised in the middle of everything for the office in Hong Kong. So, I headed to Hong Kong.

Hong Kong streetlife

The Hong Kong office is relatively new (late 2008) and there were people there who hadn’t gone through the standard Rackspace Rookie-O (Orientation).

Rackers walking Hong Kong at Night

It was rather cool to hang out with other people who worked for the company – and in totally different areas than I do. I did get a better understanding for how the rest of the company operates and the people involved. The training itself was useful and substantially less geared towards not-my-job than Sun’s was.

The good news is that Andrew thought it was useful too. Pretty impressed so far.

Finding Ada

Ada Lovelace Day is an international day of blogging to celebrate the achievements of women in technology and science.

http://findingada.com/

This is something I had wanted to do last year… and I’m finding I have the same problem this year. My idea was to write about someone who has had an influence on me. The problem is picking one person to write about. Throughout my life there have been many women in technology who have influenced me. I started going through people in my head… and got to a very long list rather quickly.

So, instead, I shall write about the future.

To the future Ada, who will think this whole exercise of picking a woman in technology to write about as absurd as if we, today, picked a woman who votes to write about.

Continuing the journey

A couple of months ago (December 1st for those playing along at home) it marked five years to the day that I started at MySQL AB (now Sun, now Oracle). A good part of me is really surprised it was for that long and other parts surprised it wasn’t longer. Through MySQL and Sun, I met some pretty amazing people, worked with some really smart ones and formed really solid and awesome friendships. Of course, not everything was perfect (sometimes not even close), but we did have some fun.

Up until November 2008 (that’s 3 years and 11 months for those playing at home) I worked on MySQL Cluster. Still love the product and love how much better we’re making Drizzle so it’ll be the best SQL interface to NDB :)

The ideas behind Drizzle had been talked about for a while… and with my experience with internals of the MySQL server, I thought that some change and dramatic improvement was sorely needed.

Then, in 2008, Brian created a tree. I was soon sending in patches at nights, we announced to the whole world at OSCON and it captured a lot of attention.

Since November 2008 I’ve been working on Drizzle full time. It was absolutely awesome that I had the opportunity to spend all my days hacking on Drizzle – both directly with fantastic people and for fantastic people.

But… the Sun set… which was exciting and sad at the same time.

Never to fear! There were plenty of places wanting Drizzle hackers (and MySQL hackers). For me, it came down to this: “real artists ship”. While there were other places where I would no doubt be happy and work on something really cool, the only way I could end up working out where I should really be was: what is the best way to have Drizzle make a stable release that we’d see be suitable for deployment? So, Where Am I Now?

Rackspace.

Where I’ll again be spending all my time hacking Drizzle.

Bike Riding in the storm

Out on a pier down St Kilda, the weather looked… well… like it could be a bit annoying on the way back:

but then… just a bit down the way…. it hit:

It was “a bit wet”. Big blocks of ice falling from the sky (that hurt).

Anyway, on the way back we found a storm water drain:

Yes, behind Michael is just all water (and I’m not talking about the Bay).

Still managed to get a 36.5km ride out of it, so not all bad.