Roundup on Onavo Protect VPN used to inform Facebook UX, M&A | Houseparty contra Bonfire, On This Day contra Timehop

In archaeological order…

tl;dr → Onavo is a VPN. Facebook snoops the traffic on it to grok trends. Trends highlights cause cloned features in Facebook UX or deal flow at Facebook M&A.

  • The Washington Post piece goes broad to illustrate the pattern across a wide range of business lines and a long time span.
  • The Wall Street Journal (WSJ) piece goes deep to focus on travel log: group video chat with Facebook’s attempt to acqui-hire Houseparty prior to the launch of Bonfire in 2017-Q4 (“in the Fall”).


  • Onavo
    • Onavo Protect
    • Tel Aviv, Israel
  • Science
    • a startup studio, an incubator, a venture capital shop.
    • Los Angeles.
  • Meerkat
  • Verto Analytics
    • sourced the DAU factoids.
    • Hannu Verkasalo, CEO
  • Sensor Tower.
    • sourced the app popularity factoids
  • Bonfire, Facebook

The Four Dominant Companies

  • Apple
  • Google Alphabet
  • Amazon
  • Facebook



The Misdirection

Onavo does not state its affiliation with Facebook in the T&C on the app stores.
This is positioned as a sort of misdirective cloaking to consumers. It allows Facebook to observe nominally the VPN traffic flowing over “its” wires.

The Subsumption

Facebook competitor apps become tabs in the Facebook UX.

  • Event scheduling
    Cloning: Meetup
  • Fundraising
    Cloning: Kickstarter, GoFundMe
  • Messaging (WhatsApp)
    Cloning: SMS
  • Marketplace
    Cloning: Craigslist
  • Meal delivery
    Cloning: Grubhub, Seamless, Caviar, Postmates.
  • Photo memorabilia (On This Day)
    Cloning: Timehop, Dropbox, Google Drive, iPhone camera (on box?)

The Pattern


  • Quidsi of
  • Something contra Blue Apron


  • Instagram
  • WhatsApp
  • Something contra Snap’s Snapchat.

Google Alphabet

  • Waze for (Google) Maps
  • Something contra Snap’s Snapchat.



  • an app
  • cloned by Facebook


  • an app
    • casual small-group chat by video.
    • Like, but different
      • Meerkat
      • (Google) Hangouts
      • “everyone” has a teen-focused group chat.…
    • Cultures (both)
    • The promotion page uses Flash.
      <snide>Are you kidding me?  In 2017?</snide>
    • Something about a kerfluffle with a change in the Terms & Conditions (T&C)
  • Launched
    • 2016-02.
    • as Life on Air Inc.; renamed Houseparty
  • Location
    • San Francisco, CA
    • Some warehouse; around SOMA
  • Founders
    • Ben Rubin,
      • age 29
    • Sima Sistani
      • age 38
    • Itai Danino
      • exists
  • Funders
    • Greylock Partners

      • Josh Elman, with board representation
    • Sequoia

      • Mike Vernal, with board representation
      • $50M
      • 2016?
  • Staff
    • Employees
      • 25
      • “30% increase” since “then” in 2016.
    • Kinshuk Mishra
      • vice president of engineering, Houseparty
      • ex-Spotify AB
      • hired 2016


  • “Don’t be too proud to copy” attributed to Mark Zuckerberg, Facebook via a leaked memo; in The Wall Street Journal (WSJ).

Attributed to The Washington Post.

  • <quote>Facebook is able to glean detailed insights about what consumers are doing when they are not using the social network’s family of apps, which includes Facebook, Messenger, WhatsApp and Instagram</quote>
  • <quote>Facebook’s use of Onavo is partly borne of need. Because Google and Apple, for instance, control the operating systems in which many apps live, they have access to huge amounts of information about how consumers use their apps. Facebook is more limited. It knows what consumers do within its own apps, and it knows about behavior on apps that work with Facebook — such as for sign-in credentials. Onavo, on the other hand, helps Facebook’s expanding ambitions by offering near real-time access to information about what users do while Onavo is active in the background. Onavo sends anonymized data to Facebook on what apps consumers have installed, how frequently they open those apps, how long they linger inside them, and the sequence throughout the day of consumers’ app usage — information that functions as an early-detection system on whether an app is gaining popularity, according to the people familiar with the company’s activities. This information can be far more valuable, and be available earlier, than waiting for an app or feature to publicly take off.</quote>
  • <quote>Onavo was used to detect the popularity outside the United States of the messaging service WhatsApp, which Facebook purchased for $19 billion in 2014, several months after the Onavo acquisition, according to the people familiar with the company’s activities</quote>

Attributed to The Wall Street Journal (WSJ)

  • <quote>Facebook uses an internal database to track rivals, including young startups performing unusually well, people familiar with the system say. The database stems from Facebook’s 2013 acquisition of a Tel Aviv-based startup, Onavo, which had built an app that secures users’ privacy by routing their traffic through private servers. The app gives Facebook an unusually detailed look at what users collectively do on their phones, these people say.</quote>
  • <quote>Mr. Elman says he is encouraged that Bonfire is a stand-alone app and that Facebook hasn’t been particularly successful with those. But, he says, if Facebook figures out how to integrate the power of Houseparty “into a property that I’m already using 10 times a day, that would scare the crap out of me.”</quote>
    but that’s sort of the point of launching Bonfire as a separable MVP.


In alphabetical order…

  • Jeffrey P. Bezos
    • CEO, Amazon
    • owner, The Washington Post.
  • Itai Danino
    • founder, Houseparty
    • not featured, quoted, pictured.
  • Josh Elman
    • partner, Greylock Partners
    • investor, director, Houseparty
    • ex-product manager, Facebook.
  • Scott Heiferman, chief executive,
  • Alfred Lin, partner, Sequoia.
  • Kinshuk Mishra
    • vice president of engineering, Houseparty
    • ex-Spotify AB
  • Roger McNamee
    • founder, Elevation Partners
    • claims on Facebook & Google,
      • reminds us of his prescience as evidenced in his early contribution credit.
      • regret on his early contribution as such participation is no longer politic:
        I helped create the Google-Facebook monster — and I’m sorry; Roger McNamee; an op-ed; In USA Today; 2017-08-08.
        Teaser: ‘Brain hacking’ Internet monopolies menace public health, democracy, writes Roger McNamee.
  • Peter Pham, co-founder, Science (a vc boutique).
  • Scott Sandell
    • managing partner, New Enterprise Associates
    • ex-product manager, Windows 95, Microsoft.
    • quoted for color, background & verisimilitude;
      a confessional testifying to illegal, abusive & predatory aggressive M&A tactics from “back in the day.”
  • Fidji Simo, “head” of “video efforts”, Facebook.
  • Sima Sistani
    • founder, Houseparty
    • age 38
    • featured, quoted, pictured.
  • Scott Stern
    • professor, management, Massachusetts Institute of Technology (MIT)
    • quoted for color, background & verisimilitude.
      testification that an early exit is good for the investors & good for the founders, and something vague about <quote>might be at the expense of a more competitive landscape</quote>
  • Ben Rubin
    • founder, Houseparty
    • age 29
    • featured, quoted, pictured.
  • Rick Webb, CEO, Timehop.
  • Hannu Verkasalo, CEO, Verto Analytics
  • Mike Vernal
    • partner, Sequoia
    • investor, director, Houseparty
    • ex-“executive,” Facebook.
  • Mark Zuckerberg, CEO, Facebook


The Washington Post

  • Some, surely; they went broad.
  • <quote>Facebook declined to comment but noted [some platitudes]</quote>
  • Not so obviously sourced on deep background & pure gossip & rumor.

The Wall Street Journal

  • <quote>says a person familiar with the contacts.</quote>
  • <quote>Rubin and Elman declined to discuss details of the conversations.</quote>
  • <quote>the person says. Facebook said Ms. Simo declined to comment.</quote>




  • the prominent venture capital firm
  • the investment firm
  • the startup studio
  • the venture-capital firm


  • is nimble
  • forces the best entrepreneurs to be more creative


  • tech giants (contra media giants)
  • Silicon Valley is dominated by a few titans
  • libertarian-leaning Silicon Valley

Previously filled.

Some impressions on Internet advertiser security | Citizen Lab (U. Toronto)

Andrew Hilts (Citizen Lab); Some impressions on Internet advertiser security; In Their Blog; 2015-03-30.
Andrew Hilts, Executive Director of Open Effect and Research Fellow, Citizen Lab.

Promotional Cross-Posts


<quote>We found a significant disparity between the level of HTTPS support in the ad industry referred to on the IAB’s blog and what we measured with our tests. We furthermore found that more than half of the ad trackers found on popular news websites that use cookie-based tracking mechanisms have no security measures in place to stop bad actors from collecting and correlating these unique identifiers with other browsing data. An important area of future work will be to repeat these tests in six months, and again in a year’s time to determine the relative success of the IAB’s call to security.</quote>


  • Cookie-based tracking
  • NSA uses Google cookies to pinpoint targets for hacking; Ashkan Soltani, Andrea Peterson, Barton Gellman; In The Washington Post; 2013-12-10.

    • Google’s cookie PREFID
  • How Advertisers Use Internet Cookies To Track You; Christina Tsuei; In Wall Street Journal Video; a tutorial; 2010-07-30; 7:04.
  • Brendan Riordan-Butterworth (IAB); Adopting Encryption: The Need for HTTPS. In Their Blog; 2015-03-25.

  • TrackerSSL
  • Disconnect
  • HTTPS Everywhere
  • Surveys
    • Alexa 100 News Sites
      • <quote>Overall the results show that news websites are slightly beyond the midway point of getting their third party dependencies secured before they themselves can reliably implement HTTPS.</quote>
    • Digital Advertising Alliance (DAA)
      • <quote> 38% of the 123 advertisers in the Digital Advertising Alliance’s own database support HTTPS, less than half of the 80% figure referred to by [the IAB]</quote>
    • Disconnect Tracker Inventory
      • <quote>[Under] 11% of ad trackers in this list supported HTTPS in practice <snip/> Another 3.8% did support HTTPS but used server configurations to actively redirect users away from a secure to an insecure connection. The remaining 85.7% of advertising trackers did not support HTTPS at all</quote>


Alexa 100 News using HTTPS
DAA Ad Choices, use of SSL
Disconnect Census of Trackers' use of HTTPS

Via: backfill

Cookies that give you away: The surveillance implications of web tracking | Englehardt, Reisman, Eubank, Zimmerman, Mayer, Narayanan, Felten

Steven Englehardt, Dillon Reisman, Christian Eubank, Peter Zimmerman, Jonathan Mayer, Arvind Narayanan, Edward W. Felten; Cookies that give you away: The surveillance implications of web tracking; draft; 2014-12-19; 12 pages.


We study the ability of a passive eavesdropper to leverage “third-party” HTTP tracking cookies for mass surveillance. If two web pages embed the same tracker which tags the browser with a unique cookie, then the adversary can link visits to those pages from the same user (i.e., browser instance) even if the user’s IP address varies. Further, many popular websites leak a logged-in user’s identity to an eavesdropper in unencrypted traffic.

To evaluate the effectiveness of our attack, we introduce a methodology that combines web measurement and network measurement. Using OpenWPM, our web privacy measurement platform, we simulate users browsing the web and find that the adversary can reconstruct 62–73% of a typical user’s browsing history. We then analyze the effect of the physical location of the wiretap as well as legal restrictions such as the NSA’s “one-end foreign” rule. Using measurement units in various locations—Asia, Europe, and the United States—we show that foreign users are highly vulnerable to the NSA’s dragnet surveillance due to the concentration of third-party trackers in the US. Finally, we find that some browser-based privacy tools mitigate the attack while others are largely ineffective.


  • Methodology (Section 4, page 4)
    • Synthetic queries; i.e. no consumers were actually involved (or harmed) in this study.
    • Profile Generation
      1. Random generation of traces from random selection of Alexa top 500 sites.
      2. Generated user behavior seeded via the 2006 AOL Search Query Dataset.
    • Algorithmically generated user behavior.
    • Amazon colos: VA, IR, JP
    • MaxMind GeoLite for geolocation
  • OpenWPM
    • http_requests
    • http_responses
    • http_cookies
  • Giant Connected Component (GCC)



  • Adblock Plus
  • Do Not Track
  • Ghostery
  • Lightbeam
  • HTTPS Everywhere
  • ShareMeNot
  • TrackingObserver

also vendor-supplied 3rd-party cookie blocking
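As an added illustration of the linking attack in the abstract above and of the HTTPS point from the Citizen Lab piece (example code written here, not from the paper, OpenWPM or Citizen Lab): a constructed trace of one browser whose IP changes every visit is clustered purely on third-party cookies seen in cleartext; the tracker hosts, cookie ids, IPs and the leaked username are hypothetical. Trackers reached only over HTTPS, or blocked outright, contribute no link, which is the mitigation both pieces measure.

```go
package main

import (
	"fmt"
	"sort"
)

// TrackerHit: one third-party request as a passive eavesdropper sees it; an HTTPS-only tracker (OverTLS) shows the wiretap nothing.
type TrackerHit struct {
	Domain   string
	CookieID string
	OverTLS  bool
}

// Visit: one page load. ClientIP changes between visits, so cookies are the only link; Identity is a username the page leaked in cleartext, if any.
type Visit struct {
	Page     string
	ClientIP string
	Identity string
	Trackers []TrackerHit
}

// sampleVisits is a constructed trace of one browser, not data from the
// paper; the tracker hosts are hypothetical and the IP changes every visit.
func sampleVisits() []Visit {
	ad := "ads.tracker-a.example"     // cleartext, on most pages
	an := "metrics.tracker-b.example" // cleartext, on two pages
	tls := "cdn.tracker-c.example"    // only ever reached over HTTPS
	return []Visit{
		{"news.example", "198.51.100.10", "", []TrackerHit{{ad, "u-7f3a", false}}},
		{"sports.example", "198.51.100.11", "", []TrackerHit{{ad, "u-7f3a", false}}},
		{"forum.example", "203.0.113.5", "", []TrackerHit{{ad, "u-7f3a", false}, {an, "id-9c", false}}},
		{"social.example", "203.0.113.6", "alice", []TrackerHit{{an, "id-9c", false}}},
		{"shop.example", "192.0.2.44", "", []TrackerHit{{ad, "u-7f3a", false}, {tls, "s-1", true}}},
		{"mail.example", "192.0.2.45", "", []TrackerHit{{tls, "s-1", true}}},
	}
}

// linkVisits unions visits that share a cleartext tracker cookie (keyed on domain and
// cookie id), ignoring IPs. Blocked trackers send no cookie at all. Largest cluster first.
func linkVisits(visits []Visit, blocked map[string]bool) [][]int {
	parent := make([]int, len(visits))
	for i := range parent {
		parent[i] = i
	}
	find := func(x int) int {
		for parent[x] != x {
			x = parent[x]
		}
		return x
	}
	firstSeen := map[string]int{}
	for i, v := range visits {
		for _, t := range v.Trackers {
			if t.OverTLS || blocked[t.Domain] {
				continue
			}
			key := t.Domain + "|" + t.CookieID
			if j, ok := firstSeen[key]; ok {
				parent[find(i)] = find(j)
			} else {
				firstSeen[key] = i
			}
		}
	}
	groups := map[int][]int{}
	for i := range visits {
		groups[find(i)] = append(groups[find(i)], i)
	}
	var clusters [][]int
	for _, g := range groups {
		clusters = append(clusters, g)
	}
	sort.Slice(clusters, func(a, b int) bool { return len(clusters[a]) > len(clusters[b]) })
	return clusters
}

// gccFraction: share of visits in the largest cluster, the paper's giant connected component.
func gccFraction(visits []Visit, blocked map[string]bool) float64 {
	if len(visits) == 0 {
		return 0
	}
	return float64(len(linkVisits(visits, blocked)[0])) / float64(len(visits))
}

// clusterIdentity: the real name a cluster acquires once any visit in it leaked a logged-in identity.
func clusterIdentity(visits []Visit, cluster []int) string {
	for _, i := range cluster {
		if visits[i].Identity != "" {
			return visits[i].Identity
		}
	}
	return ""
}

func main() {
	v := sampleVisits()
	fmt.Printf("GCC %.0f%% of visits, identity %q\n", 100*gccFraction(v, nil), clusterIdentity(v, linkVisits(v, nil)[0]))
}
```

Passing a blocklist such as `map[string]bool{"ads.tracker-a.example": true}` to `gccFraction` shows how much a blocking extension shrinks the linkable share of the same trace.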

Secret Silly Codenames (of the NSA)

Recited for gravitas & grandeur.




in order of appearance

  • Steven Englehardt,
  • Dillon Reisman,
  • Christian Eubank,
  • Peter Zimmerman,
  • Jonathan Mayer,
  • Arvind Narayanan,
  • Edward W. Felten


  • Jennifer Rexford
  • Doug Madory
  • Harlan Yu
  • Andrew Clement
  • Colin McCann



Via: backfill





  1. Do Not Track (DNT).
  2. Ghostery
  3. ShareMeNot: Protecting against tracking from third-party social media buttons while still allowing you to use them.
  4. TrackingObserver, A browser-based web tracking detection platform.
  5. Executive Order 12333 United States Intelligence Activities; 1981.
  6. NSA ‘planned to discredit radicals over web-porn use; In BBC News; 2013-11.
  7. Tor Stinks; a presentation; promoted at The Guardian; 2013-10-04.
  8. G. Acar, C. Eubank, S. Englehardt, M. Juarez, A. Narayanan, C. Diaz; The web never forgets: Persistent tracking mechanisms in the wild; In Proceedings of the 21st ACM Conference on Computer and Communications Security (CCS); 2014; previously noted.
  9. G. Acar, M. Juarez, N. Nikiforakis, C. Diaz, S. Gürses, F. Piessens, B. Preneel. FPDetective: dusting the web for fingerprinters; In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security (CCS); ACM; 2013; pages 1129–1140; previously noted.
  10. A. Arnbak, S. Goldberg; Loopholes for circumventing the constitution: Warrantless bulk surveillance on americans by collecting network traffic abroad; 2014; SSRN.
  11. M. Ayenson, D. J. Wambach, A. Soltani, N. Good, C. J. Hoofnagle; Flashcookies and privacy II: Now with HTML5 and ETag respawning; In Proceedings of World Wide Web Internet And Web Information Systems; 2011; SSRN.
  12. M. Balakrishnan, I. Mohomed, V. Ramasubramanian; Where’s that phone?: Geolocating IP addresses on 3G networks. In Proceedings of the 9th ACM SIGCOMM conference on Internet Measurement Conference (IMC); ACM; 2009; pages 294–300; slideshare, promotion,
  13. R. Balebako, P. Leon, R. Shay, B. Ur, Y. Wang, L. Cranor; Measuring the effectiveness of privacy tools for limiting behavioral advertising; In Proceedings of Web 2.0 Security and Privacy Workshop (W2SP), 2012.
  14. [The] NSA stores metadata of millions of web users for up to a year, secret files show; J. Ball; In The Guardian; 2013.
  15. P. E. Black; Ratcliff/Obershelp pattern recognition; In Some Venue at the National Institute for Standards & Technology; 2004-12.
  16. E. Bursztein; Tracking users that block cookies with a HTTP redirect; In His Blog; 2011.
  17. S. Chen, R. Wang, X. Wang, K. Zhang; Side-channel leaks in web applications: A reality today, a challenge tomorrow. In Proceedings of the 2010 IEEE Symposium on Security and Privacy (SP); IEEE; 2010; pages 191–206.
  18. A. Clement; IXmaps – Tracking your personal data through the NSA’s warrantless wiretapping sites; In Proceedings of the 2013 IEEE International Symposium on Technology and Society (ISTAS); IEEE; 2013-06-27; pages 216-223; paywall.
  19. HTTPS-Everywhere; Electronic Frontier Foundation (EFF).
  20. The surveillance market and its victim; B. Elgin, V. Silver; In Bloomberg News, 2011.
  21. S. Englehardt, C. Eubank, P. Zimmerman, D. Reisman, A. Narayanan; Web privacy measurement: Scientific principles, engineering platform, new results. (unpublished) manuscript, 2014.
  22. Are we private yet?; Ghostery (a promotional site)
  23. New details show broader NSA surveillance reach; S. Gorman, J. Valentino-Devries; In The Wall Street Journal (WSJ); 2013.
  24. How the NSA is still harvesting your online data; G. Greenwald, S. Ackerman; In The Guardian; 2013.
  25. M. Hastak, M. J. Culnan; Persistent and unblockable cookies using HTTP headers; In Some Blog; 2011.
  26. D. Herrmann, R. Wendolsky, H. Federrath. Website fingerprinting: Attacking popular privacy enhancing technologies with the multinomial naïve-bayes classifier. In Proceedings of the 2009 ACM Workshop on Cloud Computing Security (CCSW); ACM; 2009; pages 31–42.
  27. A. Hintz; Fingerprinting websites using traffic analysis. In Privacy Enhancing Technologies (PETS); Springer; 2003; pages 171–178.
  28. B. Krishnamurthy, K. Naryshkin, C. Wills; Privacy leakage vs. protection measures: the growing disconnect; In Proceedings of the Web 2.0 Security and Privacy Workshop (W2SP); Volume 2; 2011; pages 1–10.
  29. B. Krishnamurthy, C. Wills; Privacy diffusion on the web: a longitudinal perspective; In Proceedings of the 18th International Conference on World Wide Web (WWW); ACM; 2009; pages 541–550.
  30. B. Krishnamurthy, C. E. Wills; On the leakage of personally identifiable information via online social networks; In Proceedings of the 2nd ACM Workshop on Online Social Networks; ACM; 2009; pages 7–12;
  31. B. Krishnamurthy, C. E. Wills. Privacy leakage in mobile online social networks; In Proceedings of the 3rd Conference on Online Social Networks; USENIX; 2010.
  32. B. Liu, A. Sheth, U. Weinsberg, J. Chandrashekar, and R. Govindan; AdReveal: improving transparency into online targeted advertising; In Proceedings of the Twelfth ACM Workshop on Hot Topics in Networks; ACM; 2013; page 12; notes & Q+A.
  33. D. Madory, C. Cook, K. Miao; Who are the anycasters? In Proceedings of NANOG59, Volume 10; 2013.
  34. J. Mayer (Stanford); Tracking the trackers: Self-help tools; In Their Blog; 2011-09.
  35. J. R. Mayer, J. C. Mitchell; Third-party web tracking: Policy and technology; In Proceedings of the 2012 IEEE Symposium on Security and Privacy (SP); IEEE; 2012; pages 413–427.
  36. A. M. McDonald, L. F. Cranor; Survey of the use of Adobe Flash local shared objects to respawn HTTP cookies. ISJLP, 7:639, 2011; technical report CMU-CyLab-11-01; 2011-01-31; landing.
  37. S. J. Murdoch, G. Danezis; Low-cost traffic analysis of Tor; In Proceedings of the IEEE Symposium on Security and Privacy (SP); IEEE; 2005; pages 183–195.
  38. S. J. Murdoch, P. Zieliński; Sampled traffic analysis by internet-exchange-level adversaries. In Proceedings of Privacy Enhancing Technologies (PETS); Springer; 2007; pages 167–183.
  39. N. Nikiforakis, A. Kapravelos, W. Joosen, C. Kruegel, F. Piessens, G. Vigna; Cookieless monster: Exploring the ecosystem of web-based device fingerprinting. In Proceedings of the 2013 IEEE Symposium on Security and Privacy (SP); IEEE; 2013; pages 541–555.
  40. L. Olejnik, Minh-Dung Tran, C. Castelluccia; Selling off privacy at auction. In Proceedings of the Network and Distributed Systems Symposium (NDSS); 2014-02-23; landing, slides; previously filled.
  41. A. Panchenko, L. Niessen, A. Zinnen, T. Engel; Website fingerprinting in onion routing based anonymization networks; In Proceedings of the 10th annual ACM workshop on Privacy in the Electronic Society; ACM; 2011; pages 103–114.
  42. M. Perry, E. Clark, S. Murdoch; The design and implementation of the Tor browser, draft; 2013-03.
  43. F. Roesner, T. Kohno, D. Wetherall; Detecting and defending against third-party tracking on the web; In Proceedings of the 9th USENIX Symposium on Networked Systems Design and Implementation; 2012.
  44. A. Soltani, S. Canty, Q. Mayo, L. Thomas, C. J. Hoofnagle; Flash cookies and privacy; In Proceedings of the AAAI Spring Symposium: Intelligent Information Privacy Management; 2010.
  45. NSA uses Google cookies to pinpoint targets for hacking; A. Soltani, A. Peterson, B. Gellman; In The Washington Post; 2013-12-10.
  46. D. X. Song, D. Wagner, X. Tian; Timing analysis of keystrokes and timing attacks on ssh; In Proceedings of the 10th USENIX Security Symposium; 2001.
  47. A. M. White, A. R. Matthews, K. Z. Snow, F. Monrose; Phonotactic reconstruction of encrypted voip conversations: Hookt on fon-iks; In Proceedings of the 2011 IEEE Symposium on Security and Privacy (SP); 2011; pages 3–18.
  48. T.-F. Yen, Y. Xie, F. Yu, R. P. Yu, M. Abadi; Host fingerprinting and tracking on the web: Privacy and security implications; In Proceedings of the 19th Annual Network and Distributed System Security Symposium (NDSS); 2012.
  49. M. Zalewski; Rapid history extraction through non-destructive cache timing (v8); In His Blog; undated?

Let’s Encrypt

Let’s Encrypt

Internet Security Research Group (ISRG)


  • Mozilla
  • Akamai
  • Cisco
  • Electronic Frontier Foundation (EFF)
  • IdentTrust




  1. Your Public Key exists (and is public)
  2. [Automated] proof of domain ownership
    1. a DNS record in your domain
    2. a URI on your server in the domain
  3. Client to Let’s Encrypt (LE)
    1. Client requests service from LE
    2. LE responds with a nonce to be signed
    3. Client is validated
  4. Client requests a Certificate
    1. Client initiates a PKCS#10 Certificate Signing Request
    2. …etc…
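The outline above made concrete as an added toy in Go, not Let’s Encrypt’s client, server or the ACME protocol as specified (the host name, the challenge path and the resolver hook are assumptions): the CA issues a single-use nonce, the client publishes its signature over that nonce at a well-known URI on the host it claims, and the CA accepts a PKCS#10 CSR only for names proven that way.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Toy issuer following the outline above, not Let's Encrypt's real server: a
// single-use nonce (3.2), the client's signature over it served at a well-known
// URI on the claimed host (2.2 + 3.3), a PKCS#10 CSR accepted only for proven names (4).
type CA struct {
	nonces    map[string]bool              // issued, not yet consumed
	validated map[string]ed25519.PublicKey // name -> account key that proved control
	resolve   func(name string) string     // name -> base URL; stands in for DNS here
}

func NewCA(resolve func(string) string) *CA {
	return &CA{map[string]bool{}, map[string]ed25519.PublicKey{}, resolve}
}

// NewNonce (3.2) hands out a value CheckDomain accepts exactly once, so a captured signature cannot be replayed.
func (ca *CA) NewNonce() string {
	b := make([]byte, 16)
	rand.Read(b)
	n := hex.EncodeToString(b)
	ca.nonces[n] = true
	return n
}

// CheckDomain (2.2, 3.3) fetches the hex signature from the claimed name and
// verifies it under pub: whoever holds that key also controls the web server.
func (ca *CA) CheckDomain(name string, pub ed25519.PublicKey, nonce string) error {
	if !ca.nonces[nonce] {
		return errors.New("unknown or reused nonce")
	}
	delete(ca.nonces, nonce)
	resp, err := http.Get(ca.resolve(name) + "/.well-known/acme-challenge/" + nonce)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	sig, err := hex.DecodeString(strings.TrimSpace(string(body)))
	if err != nil || !ed25519.Verify(pub, []byte(nonce), sig) {
		return errors.New("domain challenge failed")
	}
	ca.validated[name] = pub
	return nil
}

// Sign (4) parses the CSR, checks its self-signature and refuses any SAN the
// account key has not proved control of; issuance itself is left out ("…etc…").
func (ca *CA) Sign(pub ed25519.PublicKey, csrDER []byte) ([]string, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	for _, n := range csr.DNSNames {
		if owner, ok := ca.validated[n]; !ok || !owner.Equal(pub) {
			return nil, fmt.Errorf("name %q not validated for this account key", n)
		}
	}
	return csr.DNSNames, nil
}

// runEnrollment plays the client against a CA, a local HTTP server standing in for the applicant's host.
func runEnrollment(name string) ([]string, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // step 1: the key pair
	mux := http.NewServeMux()
	srv := httptest.NewServer(mux)
	defer srv.Close()
	ca := NewCA(func(string) string { return srv.URL })
	nonce := ca.NewNonce() // steps 3.1-3.2: ask for service, receive the nonce
	mux.HandleFunc("/.well-known/acme-challenge/"+nonce, func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, hex.EncodeToString(ed25519.Sign(priv, []byte(nonce)))) // 2.2, 3.3
	})
	if err := ca.CheckDomain(name, pub, nonce); err != nil {
		return nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader, // step 4.1
		&x509.CertificateRequest{DNSNames: []string{name}}, priv)
	if err != nil {
		return nil, err
	}
	return ca.Sign(pub, csr)
}

func main() {
	fmt.Println(runEnrollment("www.example.test"))
}
```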

How It Works

$ sudo apt-get install lets-encrypt
$ lets-encrypt

Via: backfill

Black Code: Surveillance, Privacy, and the Dark Side of the Internet | Ronald J. Deibert

Ronald J. Deibert; Black Code: Surveillance, Privacy, and the Dark Side of the Internet; Signal; 2013-11-19; 336 pages; kindle: no; paperback: $14.

Ronald J. Deibert; Black Code: Inside the Battle for Cyberspace; Signal; 2013-05-21; 320 pages; kindle: $12.

I challenged hackers to investigate me and what they found out is <shrill> chilling</shrill> | Penenberg, Pando Daily

; I challenged hackers to investigate me and what they found out is chilling; In Pando Daily; 2013-10-26.



  • Long article ~5300 words
    • Much background color from the 1999 piece.
    • Lots of travel log & background color.
    • Reminds that no laws were broken.
    • The elaborate pretexting process doesn’t achieve much
  • The Reveal
    • They “hack” into the OSX laptop
    • Financial documents, passwords and cookies are recovered
    • Charlotte Penenberg (his wife) is convinced to install a RAT
    • Which was delivered by email from gmail, she or he clicked on zip, jar and pdf.
  • Nicholas Percoco
    • Age 38
    • SpiderLabs
      • staff
      • end 2013-10
    • KPMG
      • Director, Information Protection Practice
      • start 2013-10.

Via: backfill


The Surveillant Assemblage | Haggerty, Ericson

Kevin D. Haggerty, Richard V. Ericson; The Surveillant Assemblage; In British Journal of Sociology; Vol. 51, No. 4; 2000-12; 18 pages.


George Orwell’s ‘Big Brother’ and Michel Foucault’s ‘panopticon’ have dominated discussion of contemporary developments in surveillance. While such metaphors draw our attention to important attributes of surveillance, they also miss some recent dynamics in its operation. The work of Gilles Deleuze and Félix Guattari is used to analyse the convergence of once discrete surveillance systems. The resultant ‘surveillant assemblage’ operates by abstracting human bodies from their territorial settings, and separating them into a series of discrete flows. These flows are then reassembled in different locations as discrete and virtual ‘data doubles’. The surveillant assemblage transforms the purposes of surveillance and the hierarchies of surveillance, as well as the institution of privacy.

Via: backfill

ZB Block blocks Softlayer/ThePlanet/Everyone/Reach (ASN-SLTP-054) and Hurricane Electric (ASN-HE1-029)

Seems like someone has added to the ZB Block list. Pesky. Sloppy.

See the file from ZB Block 0.4.10a3 2013-04-28 “Tomcat” update 72.
To wit:

$ax += cidrblock($address,"","Softlayer/ThePlanet/Everyone/Reach. (ASN-SLTP-054). "); //71
$ax += cidrblock($address,"","Hurricane Electric (ASN-HE1-029). "); //73b


ZB Block of Spambot Security
ZB Block is a freeware php driven website/forum/blog/CMS anti spam and hacking script.

“ZB” seems to be the adoption of Douglas Adams’ character Zaphod Beeblebrox as the preferred nickname of the main author.


Note that the actualities below are tagged ZB Block 0.4.10a4 / 74d, so that’s prerelease code.

Related, Sympathetic, Clones & Copies




Intro to ZB Block; On YouTube; 2009-19; 8:20.
tl;dr => content free


  • Bad hosts
  • Bad IPs (block single IPs and IP ranges)
  • Bad query input ( $_GET )
  • Bad POST input ( $_POST )
  • Remote file inclusion
  • MySQL injections
  • http injections
  • Bad browser useragents.

Source: some other site



403 FORBIDDEN!

Either the address you are accessing this site from has been banned for previous malicious behavior or the action you attempted is considered to be hostile to the proper functioning of this system.

The detected reason(s) you were blocked are:
Softlayer/ThePlanet/Everyone/Reach. (ASN-SLTP-054). Hurricane Electric (ASN-HE1-029).

Your IP, Domain Name (if resolvable), the referring page (if any), QUERY, POST, User Agent, time of access, and date have been logged and flagged for admin review. Please either 1. Stop the bad behavior, or 2. Cease accessing this system.

The webmaster of this site has decided to provide you with an e-mail link to start a trouble ticket about this block.
Please do not change the beginning of the subject line, nor the preamble of the body text.

Click HERE to start a trouble ticket.

Your connection details:
Record #: 284220
Time: 2013-07-15, Mon – 11:41:51 -06:00
Running: 0.4.10a4 / 74d
Host: *
Stripped Query:
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0
Reconstructed URL: http:// /

Generated by ZB Block 0.4.10a4 / 74d

Bruce Schneier: Talks at Google, at DEFCON 20

Bruce Schneier; Talks at Google, at Google; On YouTube; 2012-06-19; 55:23.


  • Insights about Technology and Power
  • Security isn’t part of products as sold today; products today aren’t “complete.”
  • Four Trends
    1. The Cloud
      • Computers owned by someone else.
      • Located somewhere else.
      • 3rd party holds “your data.”
    2. Locked-down Endpoints (Closed CPE)
      • More closed is more successful for the host of the ecosystem.
      • Mobile is lockdown.
      • Desktop (Windows 8, Mountain Lion) is moving to lockdown.
      • Curated “stores” for executables.
  • Trust
    • Users have to trust vendors
    • Users give up control in return for functionality.
  • Cost of Computing drives architecture, product definition and social configuration of usage.
  • Feudal Security
    • Big Host takes care of Users.
    • Users are not customers.
    • Vendors can act arbitrarily.
    • Vendors are allowed to make “mistakes.”
    • Vendors can shade the rules (cheat) to tie users to the system even more strongly.
    • Based on deceit on many dimensions.
    • Based on power and the exercise of it.
  • Agenda of the Net
    • The natural laws of the internet
    • Exhibits quotes as a flavor of the thinking “back then”
    • John Perry Barlow, 1996; Declaration of Independence of Cyberspace
    • John Gilmore, 1993; <quote>the internet interprets censorship as damage and routes around it</quote>
  • Theory of Power and Technology relative to The Internet
    • The Internet magnifies power
    • The powerless got some, they got it fast.
    • The powerful got more, but they were very very slow.
  • Four classes of the use of power
    • have dual use; police/military as well as market/consumer
    • The List
      1. Censorship / Content Filter
      2. Propaganda / Marketing
      3. Surveillance / Track-N-Targ (the business model of The Internet)
      4. Use Control / DRM & AppStores & Code Licensing
  • Comingling of the corporate and governance
    • Charles Stross => The End of Pre-History (where we save everything)
    • Changing the social norms: sharing.
    • Industry lobbies for laws that benefits their business model.
  • Cybernationalism
    • ITU wants to “take over the Internet”
  • Militarization of Cyberspace
    • Something about Snowden.
    • Something about China.
    • Something about ARAMCO attack attributed to Iran.
  • Legal Theory
    • Two types of law
      1. Constitutional Law (limits government acts)
      2. Business Law (regulation limits business acts)
    • Each side uses the laws/regulations of their domain to control the “consumer in the middle.”
    • Facebook CIA Onion satire is now truth.
      CIA’s ‘Facebook’ Program Dramatically Cut Agency’s Costs
    • Thought Experiments (what if government said…; what if private industry said…)
      • Each citizen must carry a continuous tracking device
        yet cellphones
      • Each citizen must register each new contact (friend) each time an acquaintance is made
        yet Facebook
      • Business can reach out and destroy data that does not suit them
        Yet RIAA proposes a law “attack back” to destroy rogue copies of files “out there.”
  • Military Strategic Theory / Social Theory
    • Attackers have an advantage with technology (usually mil-theory says that defenders are considered to have a 3:1 advantage).
    • Analogies are cited: cars for bank robbers vs police.
    • Cybercrime took a decade before police understood it.
    • Security Gap is the time before The Establishment figures out how to use it.
  • The Classes
    • The Nimble (The Dissidents)
    • The Powerful (The Establishment)
    • The Rest of Us (users in the middle)
  • Complex Social Questions which are power struggles
    • an Algorithms Judge
    • Can information be corrected
    • Can information be forgotten
    • Can certain data files be prevented from being executed
      • Music files
      • Design files: Gun designs, Barbie Dolls, Mickey Mouse
    • Weapons of Mass Destruction
      • If they exist in the wrong hands, what level of control is warranted?
  • Claim:
    • The powerful are winning right now.
    • Need innovative solutions.
    • This isn’t where government can be involved.
  • The Internet, origins and future
    • Technolibertarian origins
    • Geopolitical regulatory now
  • Suggestions
    • Researchers: study more the 4 dual use technologies
      • Areas
        1. Censorship
        2. Propaganda
        3. Surveillance
        4. Use Control
      • Examples
        • Fake yelp reviews
        • Fake Amazon reviews
        • Astroturfing on Twitter?
      • Need
        • Safe places to anonymously publish
        • Wikileaks is not safe
        • Strongbox New Yorker is under review
      • Vendors: every technology is dual-use
        • Blue Coat
        • Social network monitoring
        • FBI wants CALEA-II in the U.S., but not abroad
    • Policy
      • Keep circumvention legal
      • Keep network neutrality
      • Can’t have both ways: privacy at home requires privacy abroad
    • Laws will come, and they will be bad. Maybe they can be headed off
    • Power must be leveled; as was the case in the Rise of the Nation State
      • Rights & Responsibilities
      • Limitations on Use
      • Transparency on Rules
  • Power, coded in
    • Money
    • Social Control
    • Marketing (Advertising)

Via: backfill


The basic theme of the Feudalism metaphor is one of prognostication; future prediction. Its premise is that history repeats itself in fundamental ways (rhymes) and so if we all agree to choose and understand the appropriate metaphor for the current time then we can by implication predict the outcome in the future.

Doesn’t Mention

  • Marc Davis, who has been using this metaphor for a while: Digital Feudalism; cf. his slides.
  • Doc Searls, who has a calf/cow metaphor for client/server in the VRM activism; cf. his blog.
  • Tim Wu, who has the same basic idea in his popularization and some academic output.
  • Anil Dash, who talks about online entertainment systems using the metaphor of the legal structure of privately-owned public spaces (POPS); cf. notes.


DEFCON 20 Bruce Schneier Answers Your Questions; On YouTube; 2013-06-14; 47:52; also here (with better audio)
The DEFCON talk is much more freeform but covers the same basic material. The Google talk is structured and positioned as the input material for his next book. This may be a promotional tour for Liars & Outliers, or maybe not, since that book has been out for a year.

Tech companies fret over loss of consumers’ trust after NSA revelations | The Hill’s Hillicon Valley

Jennifer Martinez; Tech companies fret over loss of consumers’ trust after NSA revelations; In Hillicon Valley; 2013-06-24.


  • Ron Bonjean
    • partner, Singer Bonjean Strategies, a public affairs advice boutique
    • a Republican strategist
  • Consumer Entertainment Internet
    • Facebook
    • Apple
    • Yahoo!
    • Google
  • Mike Rogers
    • R-MI
    • Chairman, House Intelligence
  • Foreign Intelligence Surveillance Act (FISA)
  • David Drummond
    • Google
    • their “top attorney” (title?)
  • Keith Alexander
    • General Keith Alexander
    • Director, NSA
    • <quote>The TechAmerica Foundation, the non-profit educational arm of the Washington, D.C., trade group Tech America that represents tech companies like Google and Microsoft, gave NSA Director Gen. Keith Alexander its “Government Executive of the Year” award last Thursday for his efforts on cybersecurity and protecting the U.S. from hacker attacks. Alexander has also traveled to the annual Defcon conference in Las Vegas to recruit skilled hackers to work for the agency.</quote>
  • Adam Schiff
    • D-CA
    • Member, House Intelligence Committee.
    • <quote>“I’m sure it’s the worst of all worlds for them at the moment. [The PRISM scandal also brings up questions] about what they’re doing with their own data — not just whether they’re providing it to the government in terrorism cases, but are they providing it to advertisers?</quote>
  • Amie Stepanovich
    • Director, Domestic Surveillance Project at the Electronic Privacy Information Center (EPIC)
    • <quote>“The problem is [companies are] using this information for their own financial means, which means it’s vulnerable for government interception, I think that’s really the basic point that needs to be made here. <snip/> There are technological solutions that these companies could start looking at and engaging in … [and] change their business models to lead to greater privacy protections for all users.”</quote>

Via backfill

PRISM Roundup


  • NSA Prism program taps in to user data of Apple, Google and others; In The Guardian; 2013-06-06.
    Teaser: Top-secret Prism program claims direct access to servers of firms including Google, Apple and Facebook. Companies deny any knowledge of program in operation since 2007

    • Participations:
      • 2007 Microsoft.
      • 2008 Yahoo!.
      • 2009 Google, Facebook and PalTalk.
      • 2010 YouTube.
      • 2011 Skype, AOL.
      • 2012 Apple.
      • Planned: Dropbox.
    • Allegations
      • Direct access to the servers of the online services
      • <quote>claims “collection directly from the servers” of major US service providers.</quote>
      • Collection Capability
        • email,
        • video chat
        • voice chat,
        • videos,
        • photos,
        • Voice-over-IP (Skype, for example) chats,
        • file transfers,
        • social networking details
        • “and more.”
    • Provenance
      • NSA document
      • dated 2013-04.
      • 41-slide PowerPoint presentation
      • Classified as top secret with no distribution to foreign allies
    • Quoted & Cited
      • Senator Christopher Coons of Delaware
      • Jameel Jaffer, director, Center for Democracy, ACLU.
    • Legalistics
      • Because so much internet infrastructure is hosted in the U.S., the communications of people abroad transit U.S. servers; under Section 702 the target need only be reasonably believed to be outside the U.S., so those communications gain none of the protection that U.S. persons on U.S. soil have.
      • FISA (Foreign Intelligence Surveillance Act)
        • Section 702 of the Foreign Intelligence Surveillance Act
      • FAA (FISA Amendments Act)
        • FISA Amendments Act, renewed in 2012-12
  • Barton Gellman and Laura Poitras; U.S., British intelligence mining data from nine U.S. Internet companies in broad secret program; In The Washington Post; 2013-06-05.

    • Largely a reprise of The Guardian article
    • Implicated:
      • NSA of the U.S.
        • NSA’s Signals Intelligence Directorate
        • NSA’s Special Source Operations
        • BLARNEY’s top-secret program summary, set down in the slides alongside a cartoon insignia of a shamrock and a leprechaun hat.
      • GCHQ of the U.K.
    • Enabling Legislation & Orders
      • Foreign Intelligence Surveillance Court
      • Protect America Act in 2007
      • FISA Amendments Act of 2008
      • Four new orders
        • which remain secret
        • issued 2004-2007
    • Quoted, Referenced, Mentioned & Cited
      • James R. Clapper, Director of National Intelligence.
      • Jameel Jaffer, deputy legal director, American Civil Liberties Union.
      • Joe Sullivan, chief security officer, Facebook.
      • Steve Dowling, spokesman, Apple.
      • Sens. Ron Wyden (D-Ore.) and Mark Udall (D-Colo.); knew of this in 2012-12 during the FISA Amendments Act (FAA) debate on the Senate floor.
      • Lt. Gen. Keith B. Alexander, testified about the FISA Amendments Act.
      • Inspector General I. Charles McCullough III, wrote a letter asserting.
    • Provenances
      • A classified report obtained by The Post (the one the Guardian got).
        • An internal presentation of 41 briefing slides on PRISM, dated 2013-04.
      • another classified report obtained by The Post
      • “User’s Guide for PRISM Skype Collection”
      • <quote>Firsthand experience with these systems, and horror at their capabilities, is what drove a career intelligence officer to provide PowerPoint slides about PRISM and supporting materials to The Washington Post in order to expose what he believes to be a gross intrusion on privacy. “They quite literally can watch your ideas form as you type,” the officer said.</quote>




CALEA II Proposal & Responses


  • CALEA (CALEA I, “CALEA One”); the standing law.
    CALEA => Communications Assistance for Law Enforcement Act (1994)
  • CALEA II; the proposed response to “Going Dark”
  • RFC 3261: SIP: Session Initiation Protocol; J. Rosenberg, H. Schulzrinne, G. Camarillo et al.; IETF, 2002-06.

Response of EFF

Response of CDT

  • Signatories (see below); CALEA II: Risks of Wiretap Modifications to Endpoints; 2013-05-17; 7 pages.
  • Abstract: The U.S. government is proposing to expand wiretap design laws broadly to Internet services, including voice over Internet protocol (VoIP) services and other peer-to-peer tools that allow communications in real-time directly between individuals. This report explains how mandating wiretap capabilities in endpoints poses serious security risks. Requiring software vendors to build intercept functionality into their products is unwise and will be ineffective, with the result being serious consequences for the economic well-being and national security of the United States.
  • Promotions
  • Signatories
    • Ben Adida (Independent);
      now at Mozilla, just not using the Mozilla brand.
    • Collin Anderson (Independent); either
    • Annie I. Anton (Georgia Institute of Technology);
    • Matt Blaze (University of Pennsylvania);
    • Roger Dingledine (The Tor Project);
    • Edward W. Felten (Princeton University);
    • Matthew D. Green (Johns Hopkins University);
    • J. Alex Halderman (University of Michigan);
    • David R. Jefferson (Lawrence Livermore National Laboratory);
    • Cullen Jennings (Independent);
      now at Cisco as a Fellow, just not using the Cisco brand.
    • Susan Landau (;
    • Navroop Mitter (Independent);
      now CEO of Gryphn Corporation (a DC-based security boutique)
    • Peter G. Neumann (SRI International);
    • Eric Rescorla (RTFM, Inc.);
    • Fred B. Schneider (Cornell University);
    • Bruce Schneier (BT);
    • Hovav Shacham (University of California, San Diego);
    • Micah Sherr (Georgetown University);
    • David Wagner (University of California, Berkeley);
    • Philip Zimmermann (Silent Circle, LLC)


Who can hack a plug? | Ofer Shezaf

Ofer Shezaf; Who can hack a plug?; In Output of the HITBSEC Conference; 2013.
Teaser: The InfoSec risks of charging electric cars


  • Of the “there could be problems” genre
  • Doesn’t actually state that he can do this or that anyone can do this, just that it could be done.
  • For the page views and the free conference food.
  • Learned a few factoids about EVSE charging.


Sousveillance | Existential Technology | eyetap | Steve Mann


Steve Mann
Bio (quoted): Steve Mann is a tenured professor at the Department of Electrical and Computer Engineering at the University of Toronto. Mann holds degrees from the Massachusetts Institute of Technology (PhD in Media Arts and Sciences ’97) and McMaster University, where he was also inducted into the McMaster University Alumni Hall of Fame, Alumni Gallery, 2004, in recognition of his career as an inventor and teacher. While at MIT he was one of the founding members of the Wearable Computers group in the Media Lab. In 2004 he was named the recipient of the 2004 Leonardo Award for Excellence for his article Existential Technology, published in Leonardo, Volume 36:1. Mann’s blog is: eyetap


  • Sousveillance; In Jimi Wales’ Wiki
  • Philip Virgo; Plebgate, the Sousveillance society and your Boxing Day Browsing; In Some Trade Rag; 2012-12-21.
    Summary: generic opinement
  • Steve Mann; Existential Technology: Wearable Computing Is Not The Real Issue!; In Leonardo; Volume 36(1); MIT Press; PDF.

    The author presents “Existential Technology” as a new category of in(ter)ventions and as a new theoretical framework for understanding privacy and identity. His thesis is twofold: (1) The unprotected individual has lost ground to invasive surveillance technologies and complex global organizations that undermine the humanistic property of the individual; (2) A way for the individual to be free and collegially assertive in such a world is to be “bound to freedom” by an articulably external force. To that end, the author explores empowerment via self-demotion. He has founded a federally incorporated company and appointed himself to a low enough position to be bound to freedom within that company. His performances and in(ter)ventions over the last 30 years have led him to an understanding of such concepts as individual self-corporatization and submissivity reciprocity for the creation of a balance of bureaucracy.

  • Steve Mann, Jason Nolan, Barry Wellman; Sousveillance: Inventing and Using Wearable Computing Devices for Data Collection in Surveillance Environments; In Surveillance & Society; DATE; Volume 1(3); pages 331-355 (25 pages); ISSN: 1477-7487

    This paper describes using wearable computing devices to perform “sousveillance” (inverse surveillance) as a counter to organizational surveillance. A variety of wearable computing devices generated different kinds of responses, and allowed for the collection of data in different situations. Visible sousveillance often evoked counter-performances by front-line surveillance workers. The juxtaposition of sousveillance with surveillance generates new kinds of information in a social surveillance situation.

  • Surveillance and Society; The international, interdisciplinary, open access, peer-reviewed journal of Surveillance Studies.