BolehVPN

TM/Streamyx/Unifi Services Interruption in Malaysia

June 12th, 2015

There have been reports of internet service interruption from TM/Streamyx/Unifi users in Malaysia since 4:30PM (GMT+0800).

Lowyat reports that even Time Fibre users are experiencing this issue; TM has declined to comment. The cause of the interruption is as yet unknown, even to Telekom Malaysia. However, connectivity seems to be coming back slowly.

More information here: http://www.lowyat.net/2015/06/tmunifistreamyx-services-facing-severe-slowdown-across-the-country/

P.S.: TM/Streamyx/Unifi users, try restarting your modem or refreshing your IP; it works for some of us.

Google files creepy patent for toys that can watch and record you.

May 26th, 2015


The Internet of Things (IOT) revolution is here. Most people's conception of IOT is fridges that tell you when you're running low on milk, thermostats that control the temperature automatically, washing machines that tell you when the laundry is done, and other mundane tasks. Google's new patent filing shows a creepier side of IOT: toys that can record, watch and speak to you, complete with body gestures and facial expressions…

To express interest, an anthropomorphic device may open its eyes, lift its head, and/or focus its gaze on the user or object of its interest. To express curiosity, an anthropomorphic device may tilt its head, furrow its brow, and/or scratch its head with an arm. To express boredom, an anthropomorphic device may defocus its gaze, direct its gaze in a downward fashion, tap its foot, and/or close its eyes. To express surprise, an anthropomorphic device may make a sudden movement, sit or stand up straight, and/or dilate its pupils.


As creepy as it sounds, the privacy implications of IOT are far reaching. The recent paper Iota of Fear: eDiscovery of the Internet of Things suggests there was a reason why Google bought Nest, the company that built the smartphone-controlled thermostat.

Google already knows a lot about its users from scanning Gmail accounts, and now it will know when individuals are statistically likely to leave their house. By connecting multiple communication devices into a single automated ecosystem, one can create not only a very accurate data map of a person's past and recent activity, but also dispense a sensory device, robotic or otherwise, to cater to the person's anticipated needs. But will you have control over your personal data map?

IOT also gives hackers potential control over the real world. For example, Ken Munro of Pen Test Partners hacked the internet-connected My Friend Cayla doll and made it spew curse words. Humorous as that may be, with a slight twist all our Chucky nightmares could be made real…

Chucky's backkkk...

BolehVPN not vulnerable to Logjam DHE vulnerability

May 22nd, 2015


VPN Implications

An alarming finding has emerged: the Logjam flaw in Diffie-Hellman (DHE) key exchange. News reports claim that up to 66 percent of VPN servers could be vulnerable to eavesdropping by nation-states if they use a DHE key exchange with a group (prime) of 1024 bits or smaller. Given enough computational power, an agency such as the NSA could precompute against a commonly used 1024-bit group and then decrypt VPN connections that use it.

Nevertheless, it is not that easy to do so, as certain conditions have to be met:

It takes a lot to mount a practical attack that hinges on Logjam (think: the computing power of the NSA or a major university lab).

1. The attacker must be actively listening to the conversation before it starts; lurking on an airport Wi-Fi near the victim is an example. The attacker must select a victim in advance and actively manipulate the victim's connection. He cannot vacuum up all the data today and find a victim in it next week.

2. Both the victim and the victim's online service must use traditional Diffie-Hellman key exchange, and the service must still accept "export-grade" (512-bit) DHE cipher suites, which is what the attacker downgrades the connection to.

3. The attacker must be a man-in-the-middle on the conversation. The attacker must already be in between the victim and the victim's internet connection, or be able to insert themselves once the conversation has started.

4. The attacker needs to spend time and computing power in advance to precompute values for a commonly used 512-bit prime, or have access to a list of such precomputed values for the prime that the server will use.

Also:

The main data an attacker would get from a VPN connection is whatever she could get if there were no crypto at all: internal email, internal web page content, phone numbers, email addresses, appointments, names and so on will all be in the clear.

If the victim is using TLS with an internal system, even over the VPN, the attack will probably fail. The attacker would have to detect and tamper with that TLS connection with a second man-in-the-middle inside the VPN connection they are already attacking.

However, notwithstanding the implications of Logjam, BolehVPN is not subject to this vulnerability, as we updated our encryption last year to use a 2048-bit Diffie-Hellman exchange. We continue to be at the forefront of VPN encryption developments and are constantly evaluating the best mix of security and speed.
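The downgrade that the four conditions above describe, together with the two fixes (a server that drops export suites and uses a 2048-bit group, and a client that refuses small groups), as an added example that is not part of the original post and not BolehVPN's code. It models a TLS-style DHE handshake in Python with plain dicts: the suite names are simplified stand-ins, the two DH groups are generated locally (probable primes, not vetted safe primes), and nothing touches the network.

```python
"""Toy model of the Logjam downgrade against a TLS-style DHE handshake.
Added example, not BolehVPN's code and not a real TLS stack: messages are
dicts, suite names are simplified, and the DH groups are generated here
(probable primes, not vetted safe primes). Nothing touches the network."""
import random
import secrets

DHE_STRONG = "DHE-RSA-AES128-SHA"        # suite the victim believes it negotiated
DHE_EXPORT = "EXP-DHE-RSA-DES-CBC-SHA"   # export suite: server sends a 512-bit group
SMALL_PRIMES = [n for n in range(2, 1000) if all(n % q for q in range(2, n))]

class HandshakeFailure(Exception):
    pass

def _probable_prime(n, rounds=16):
    """Trial division, then Miller-Rabin (witnesses seeded from n for reproducibility)."""
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.Random(n)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits, seed):
    """Return (p, g) with p a probable prime of exactly `bits` bits and g = 2."""
    rng = random.Random(seed)
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(p):
            return p, 2

EXPORT_GROUP = make_group(512, seed=1)    # constructed stand-in for a DHE_EXPORT group
STRONG_GROUP = make_group(2048, seed=2)   # constructed stand-in for a 2048-bit group

def server_reply(server, client_hello):
    """ServerHello + ServerKeyExchange for the first offered suite the server supports."""
    chosen = next((s for s in client_hello["suites"] if s in server["suites"]), None)
    if chosen is None:
        raise HandshakeFailure("no common cipher suite")
    p, g = EXPORT_GROUP if chosen == DHE_EXPORT else server["group"]
    x = secrets.randbelow(p - 2) + 1               # ephemeral server secret
    # TLS signs (p, g, g^x) but not the chosen suite, so a man-in-the-middle
    # can relabel the suite without invalidating the server's signature.
    return {"suite": chosen, "p": p, "g": g, "pub": pow(g, x, p)}

def client_finish(client, reply):
    """Client-side checks; returns (suite as seen by the client, group bits)."""
    if reply["suite"] not in client["suites"]:
        raise HandshakeFailure("server chose a suite we did not offer")
    bits = reply["p"].bit_length()
    # The client-side Logjam fix: reject small groups whatever the suite says.
    if bits < client["min_dh_bits"]:
        raise HandshakeFailure("DH group too small: %d bits" % bits)
    return reply["suite"], bits

def logjam_mitm(client_hello, server):
    """Active attacker: forces the server onto the export suite, then relabels
    the reply so the client sees the suite it asked for. Solving the 512-bit
    discrete log to forge the Finished messages is not modelled."""
    reply = server_reply(server, dict(client_hello, suites=[DHE_EXPORT]))
    return dict(reply, suite=client_hello["suites"][0])

def run_handshake(client, server, attacker=None):
    ch = {"suites": list(client["suites"])}
    return client_finish(client, attacker(ch, server) if attacker else server_reply(server, ch))

def demo():
    """Four scenarios; a 'REFUSED' value means one side aborted the handshake."""
    vuln = {"suites": [DHE_STRONG], "min_dh_bits": 0}          # pre-patch client
    hardened = {"suites": [DHE_STRONG], "min_dh_bits": 2048}   # refuses small groups
    legacy = {"suites": [DHE_STRONG, DHE_EXPORT], "group": STRONG_GROUP}  # export still on
    fixed = {"suites": [DHE_STRONG], "group": STRONG_GROUP}    # export off, 2048-bit group
    cases = {"no attacker, legacy server": (vuln, legacy, None),
             "logjam vs vulnerable client": (vuln, legacy, logjam_mitm),
             "logjam vs hardened client": (hardened, legacy, logjam_mitm),
             "logjam vs fixed server": (vuln, fixed, logjam_mitm)}
    results = {}
    for name, (c, s, atk) in cases.items():
        try:
            results[name] = run_handshake(c, s, atk)
        except HandshakeFailure as e:
            results[name] = "REFUSED: " + str(e)
    return results

if __name__ == "__main__":
    for name, result in demo().items():
        print("%-30s %s" % (name, result))
```

The second scenario is the one that matters: the vulnerable client ends up with a 512-bit group while believing it negotiated DHE-RSA-AES128-SHA, because nothing it checks ties the suite name to the group size. Either fix alone stops it: the hardened client rejects the small group, and the server with export suites disabled has nothing in common with the forged ClientHello. Generating the 2048-bit group at import takes a few seconds in pure Python.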

Browser Implications

Surprisingly, as of the date of writing, only Internet Explorer 11 is not subject to this bug, as Microsoft patched it a while back. All other browsers are still affected.

You can check whether your browser is vulnerable at Qualys SSL Labs or weakdh.org.

To work around this while waiting for an update, follow the instructions below:

Firefox Instructions:
Disable the insecure cipher suites here:
(1) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.
(2) In the search box above the list, type or paste ssl3 and pause while the list is filtered.
(3) Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (this is usually the first item on the list).
(4) Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (this is usually the second item on the list).

Chrome Instructions:

Try this plugin. We have not audited the plugin, however, so use it at your own risk.

For further details on the Logjam bug, you can read about it here. Bruce Schneier also has an excellent article.

Exclusive ProtonMail “NSA-Proof” E-mail Invites for long term users

May 21st, 2015


We are pleased to announce that, after working things out with Protonmail, we are now ready to start giving out exclusive Protonmail invites to our eligible users, offering e-mail that is as close as possible to "NSA-proof". Each account comes with 1 GB of space! Please read our previous blog entry to find out more about what makes Protonmail so special.

Eligible Users

  • New 180-day and 365-day accounts
  • Existing users with 180 or more unexpired days

This offer is subject to limited availability and may be discontinued at any time.

Eligible users just need to log in to our user panel and head over to the Bonus section for redemption details. Account details will be sent out within a day. Remember to change your login and mailbox passwords from the defaults upon first login!

Exclusive Protonmail secure e-mail accounts for BolehVPN users

May 18th, 2015

We are proud to announce that we've worked out a great offer with Protonmail. You asked us for a secure e-mail solution, and we are happy to oblige!


Protonmail is unlike your regular mail provider in that it has the following privacy protections:

  • No IP logs
  • ProtonMail encrypts messages in the user's browser before they ever reach its servers, meaning that the company never has access to the mailbox password and can never read your e-mails. Even if Protonmail is ordered to decrypt them, it cannot, as it does not hold the keys.
  • Hosted in a Swiss datacenter located within a granite mountain

These features give you peace of mind that your e-mail provider will not hand over your private e-mails under duress, and are the closest thing most people will get to a surveillance-proof e-mail service.

Normally, if you click to sign up to Protonmail, you will be presented with a screen informing you that you have to wait and they will send you an invite. This wait can be pretty long! My request, submitted on 25 April 2015, has still not yielded an account.


However with the deal we’ve worked out, we are able to offer private invites to Protonmail subject to the following terms:

Eligible Users

  • Existing users with not less than 180 unexpired days on their account
  • New 365 days customers
  • We may consider expanding this invite list further depending on availability and response

Terms and Conditions

  • The invite is for the free version of Protonmail (which you can't get now even if you wanted to). If and when Protonmail launches its commercial/paid version, you will not be automatically upgraded to it.
  • Subject to availability (though we are confident that we have enough barring unforeseen circumstances)
  • This is purely a free gift and we reserve the right to withdraw this deal at any time or to amend the eligibility requirements.

Further details on getting an account will be announced over the coming days, so hang tight!