Dear Author

Pay No Attention to that Man Behind the Curtain!

Shades of Gray or, as I like to say, #666666, #333333, and #999999

Today I’d like to talk about anonymity. Should we have it? Why or why not? If you’d like to be anonymous, for good or ill, I’ll talk about ways you can achieve this.

Hypothetical Situation One

A woman writes a blog post in which she expresses opinions about the way gender roles are baked into our thinking and how that perpetuates actions that are harmful to women in their daily lives. People who believe a woman has no business pointing out such things escalate comments with vile language and threats unrelated to any of her theories. The reactions include threats of physical harm, backed up with evidence that some people making these threats have obtained her phone number, address and the addresses of family members.

These threats are easy to make because it is possible to make such contact without the commenter being directly linked to his or her real identity. This precise situation has led some to suggest websites and blogs should no longer allow anonymous comments.

Hypothetical Situation Two

A young man in a government job observes misconduct on the part of his government. Human rights violations, let's say. He wants to alert others of the conditions and actions he has observed and documented, but if he does, his government will punish him and suppress the evidence. If he does nothing, egregious wrongs will continue unabated. Because of technology like Tor, he is able to post his evidence of this wrongdoing without his government being able to identify him as the source of the information.

Hypothetical Situation Three

You have reason to believe the government is spying on you solely because you are brown and have a last name that sounds foreign. You’ve never made it through a TSA line without being taken aside for additional searches.

Hypothetical Situation Four

Someone has been kidnapped and the police need access to cell phone information in order to track the location of the missing person. Alas, the missing person has an iPhone 6 and all communications are encrypted natively.

Good or Bad?

If we were to do away with anonymity, people making threats against a woman who dares to speak out would not, the theory is, feel quite so free to engage in campaigns designed to silence her.

If we were to do away with anonymity, the world would not learn about human rights violations or other serious harmful, or criminal misconduct by others, be they companies, governments, or individuals.

Either the government can spy on any calls they want, or they can’t locate kidnapped children.

I feel I should pose the question of whether any situation is really that stark. Feel free to discuss in the comments.

Why You Might Want to be Anonymous

Suppose you are someone with personal knowledge of facts about malfeasance by a company. This company is publicly telling everyone that no such malfeasance is taking place. According to others with personal knowledge, these public statements contradict the facts they have. Further, this company is threatening to retaliate against anyone who reveals such facts.

The US warrantless wiretapping cases currently being litigated come to mind as an example of (alleged) corporate malfeasance, but it's not hard to imagine other examples where a company denies wrongdoing despite evidence held by others. Enron, perhaps.

Perhaps there is a company that has actually retaliated against people who have pointed out facts that suggest something might be wrong. Again, not too hard to find such situations.

How would someone who wants to express an opinion or share facts about such cases, do so without risking retaliation? Well, anonymity is required.

About How to be Anonymous

Getting your internet traffic behind a service like Tor (The Onion Router) can help people maintain some degree of anonymity. Tor is a set of technologies that allow a user to obfuscate the origin of their traffic. Suppose you are sitting at your computer, connected to the internet. You have an IP (Internet Protocol) address that might be a permanent one or that might be temporarily assigned for a session or series of sessions. In order to go to other sites on the internet, you must contact other IP addresses and say, in effect: Hello! I have arrived at your IP address from this IP address and here is a packet header, please acknowledge I am well formed and can talk to you! The server at the other end checks the packet header and, if it's well-formed, agrees to talk to you. Voila. You are surfing Dear Author. You tell DA what page on the site you'd like to see, and DA sends you that page.

Under normal circumstances, your originating IP will come from your Internet Service Provider (ISP), who likely has a very large block of IPs to use. See IANA for a pretty good explanation (https://www.iana.org/numbers). Quick example: if your IP address begins with 166, you're traveling on the block of IPs originally assigned to AT&T.

An IP address is a good indication (but not always a reliable one) of where internet traffic is coming from. If you pay attention to such things, you'll know that entities who wish to find and punish pirates file legal actions based on an end-user's supposed IP address. There are lots of reasons why an IP address does not provide proof positive. It does not, for example, prove who was sitting at the computer at the time. Nor does it speak to any malware that might be originating such connections. And cached data on one end or the other can mean the supposed link between the computer and the IP address is, in fact, outdated and therefore identifies the wrong end user.

So, in examining the IP address at one end of an internet connection, you may or may not end up with the person responsible for the traffic. Certain governments may have measures in place that make this more likely.
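To make the last two paragraphs concrete, here is an added example (my own illustration, not code from the post or from the Tor Project): a tiny TCP server on loopback that records the address of whoever connects to it, and a one-hop relay standing in for a Tor circuit. Visiting the server directly, it logs the client's own address; visiting through the relay, it logs the relay's address and never sees the client's. The relay, the ports and the request text are constructed for the demonstration; a real Tor circuit uses three hops and encrypts each leg, which this toy omits.

```python
import socket
import threading

# Added demonstration (not code from the post): a tiny TCP "website" that records
# the address of whoever connects to it, plus a one-hop relay standing in for a Tor
# circuit. Everything runs on loopback; no real network or Tor is involved.


def start_server():
    """Start a server on a free loopback port. Returns (port, seen_peers)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    seen = []  # every (ip, port) the server believes it talked to

    def serve():
        while True:
            conn, peer = srv.accept()
            seen.append(peer)  # this is all a server log would ever contain
            with conn:
                conn.recv(1024)  # the "request"
                conn.sendall(f"you look like {peer[0]}:{peer[1]}".encode())

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], seen


def start_relay(upstream_port):
    """Start a relay that forwards one request/response pair to the server. Returns its port."""
    rl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    rl.bind(("127.0.0.1", 0))
    rl.listen()

    def forward():
        while True:
            conn, _ = rl.accept()
            # The relay opens its own connection, so the server sees the relay's address,
            # not the address of the client that talked to the relay.
            with conn, socket.create_connection(("127.0.0.1", upstream_port)) as up:
                up.sendall(conn.recv(1024))
                conn.sendall(up.recv(1024))

    threading.Thread(target=forward, daemon=True).start()
    return rl.getsockname()[1]


def visit(port):
    """Connect as a client; return (our own address, the server's reply)."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        me = c.getsockname()
        c.sendall(b"GET /post HTTP/1.0\r\n\r\n")
        reply = c.recv(1024).decode()
    return me, reply


def demo():
    """Visit once directly and once through the relay; return what each side saw."""
    srv_port, seen = start_server()
    relay_port = start_relay(srv_port)
    direct_me, direct_reply = visit(srv_port)
    relayed_me, relayed_reply = visit(relay_port)
    return {
        "direct": {"client": direct_me, "server_saw": seen[0], "reply": direct_reply},
        "relayed": {"client": relayed_me, "server_saw": seen[1], "reply": relayed_reply},
    }


if __name__ == "__main__":
    for mode, r in demo().items():
        print(mode, "client was", r["client"], "server saw", r["server_saw"])
```

Run it with python3 and the two printed lines show the difference: the direct visit is logged under the client's own address, the relayed visit under the relay's. That is also why a server log, or a legal filing built on one, identifies the last hop on the path rather than the person who typed the request.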

How to be Anonymous

The challenges shift depending on whether you’re on a computer or a mobile device, and no methods are foolproof. That said, here are some links to get you started:

The EFF has some very good documentation on the subject: its Tor and HTTPS page has a great visualization of what data is visible when you are using Tor and/or HTTPS. Worth a click-through if you're a visual learner.

PC World has a very good article about setting up Tor here.

Tech Republic: Everything you need to know about using Tor

Sending Anonymous email

Tor itself has some thorough documentation and discussion here: (https://www.torproject.org/download/download.html.en#warning)

Do you want secure browsing and commenting? Download the Tor browser:

The Tor software protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets you access sites which are blocked.

The Tor Browser lets you use Tor on Windows, Mac OS X, or Linux without needing to install any software. It can run off a USB flash drive, comes with a pre-configured web browser to protect your anonymity, and is self-contained.

Note: There are important provisos. You MUST pay attention to what you are doing and when and how those actions may circumvent the anonymity of Tor with or without you knowing.

So long as you are aware, you could install the Tor browser and leave an anonymous comment on this post. Please consider giving it a try.

Want to help out with Tor? Run a relay.

VPNs

This 2013 LifeHacker article is a pretty decent overview with some VPN recommendations.

About.com has this article about 2014 VPN applications

As with everything, do your due diligence. VPNs are not free.

For my phone, I’m still very happy with my test of Freedome. The iOS 8 updates make it even easier to use.

Not Free – But worth looking at

If you’re on an Android OS, check out Whispersystems for secure texting, phone calls and local encryption.

For iPhone compatibility (Android, too), take a look at Silent Circle's offerings for mobile and desktop. They also offer the Blackphone, which runs a secure fork of Android. I ask you, who wouldn't want a phone called Blackphone?

The iPhone 6 and iOS 8

Read about the security and encryption baked into iOS 8 here

So, what do you think? Where do you stand on the issue of anonymity? Let me know in the comments. Anonymously or otherwise.


Malicious Books?

It was only a matter of time before we had to worry about our books delivering more than a great story well told. We humans can be damned devious.

This Gizmodo article is pretty interesting, though a little thin on facts (see infra). Basically, it is possible to create a Kindle book with malicious code in the metadata. When a user views their list of titles under "Manage My Kindle" (now renamed to "Manage Your Content and Devices") on Amazon, that metadata is rendered into the page and the code executes in the user's browser, and a user could end up with a compromised Amazon account or worse, one imagines. If you are a Calibre user, read on and confirm you're on a patched version.

A more thorough discussion by Benjamin Mussler, the person who discovered the flaw, is here. Note that Calibre was also vulnerable, but the developer had it patched within 4 hours of being notified. Therefore, if you use Calibre and are not on version 1.80 or higher, you would be wise to update right now.

This flaw was pointed out to Amazon and patched nearly a year ago, but was reintroduced after a recent, subsequent update to the Manage Your Content pages. Amazon has re-patched the flaw, though they seem to have taken their sweet time about it. Third parties remain vulnerable.

This, May God Help Us, is a Cherry Tomato

I have additional thoughts on this.

First, about three or four months ago, there was a slew of sites that pointed to books on Google docs. I think there weren’t/aren’t actual books there, only malware. There’s been another spate of new pirate sites just recently, many of which appear to be registered to folks in China. Right. Stage set.

Pretend for a moment that you have discovered this Amazon vulnerability and have developed an exploit. Now, you must get this BookMalware (TM) into the hands of readers and onto a Kindle user’s Manage Your Device page. Or any other page similarly vulnerable.

A reader who obtains one of these malicious files and then sends it to their Kindle becomes vulnerable to an account hack, or some other Bookware (TM) attack. I mean sure, someone's Amazon account credentials are a pretty juicy target, but I don't see why malicious code would necessarily limit itself to grabbing credentials.

Because, you know, that MalBook (TM) is sitting there on a server and that title is probably stored in a database somewhere, and well, suppose instead of javascript, the code was something like this:

[Image: xkcd comic featuring SQL injection, "Little Bobby Tables", via xkcd]

Just saying. There’s no evidence this happened or, even, that it would work. But hey.
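Here is an added example in Python (my own illustration, not code from Amazon, Calibre, or the researcher's write-up) that ties the two halves of this together: metadata read from a constructed OPF file whose title carries both a script tag and a Bobby Tables style quote-break, rendered into an HTML library row the vulnerable way and the escaped way, and stored with a string-built query versus a parameterized one. The OPF snippet, the table name books, and the function names are assumptions made for the example; the fix in both cases is the same idea, keep untrusted metadata as data at the boundary where it meets HTML or SQL.

```python
import html
import sqlite3
import xml.etree.ElementTree as ET

# Constructed EPUB-style OPF metadata (sample, not from any real book). The title
# carries an HTML <script> tag, the kind of thing a library page rendered unescaped
# would execute, and a quote-break aimed at a string-built SQL query.
HOSTILE_OPF = """<?xml version="1.0" encoding="utf-8"?>
<package xmlns="http://www.idpf.org/2007/opf"
         xmlns:dc="http://purl.org/dc/elements/1.1/" version="3.0">
  <metadata>
    <dc:title>Best Romance Ever&lt;script&gt;alert(1)&lt;/script&gt;'); DROP TABLE books;--</dc:title>
    <dc:creator>Suzie Author</dc:creator>
  </metadata>
</package>
"""

NS = {"dc": "http://purl.org/dc/elements/1.1/"}


def read_metadata(opf_xml):
    """Pull title and author out of OPF metadata exactly as stored (no cleaning)."""
    root = ET.fromstring(opf_xml)
    return {
        "title": root.findtext(".//dc:title", default="", namespaces=NS),
        "author": root.findtext(".//dc:creator", default="", namespaces=NS),
    }


def render_row_unsafe(meta):
    """Vulnerable: metadata dropped into HTML verbatim, so a <script> in the title runs."""
    return "<tr><td>{title}</td><td>{author}</td></tr>".format(**meta)


def render_row_safe(meta):
    """Hardened: every untrusted field is HTML-escaped at the output boundary."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(meta["title"], quote=True), html.escape(meta["author"], quote=True)
    )


def naive_insert_sql(meta):
    """Vulnerable: SQL built by string formatting. Returned rather than executed so
    the injected second statement can be inspected."""
    return "INSERT INTO books (title, author) VALUES ('{title}', '{author}')".format(**meta)


def store_and_fetch(meta):
    """Hardened: parameterized query; the title is bound as data, never parsed as SQL."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT, author TEXT)")
    con.execute("INSERT INTO books (title, author) VALUES (?, ?)", (meta["title"], meta["author"]))
    title, author = con.execute("SELECT title, author FROM books").fetchone()
    tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    con.close()
    return {"title": title, "author": author, "tables": tables}


def suspicious_fields(meta):
    """Defense in depth: flag metadata fields containing markup characters for review.
    A triage check for a catalogue importer, not a substitute for output encoding."""
    return sorted(name for name, value in meta.items() if "<" in value or ">" in value)


if __name__ == "__main__":
    m = read_metadata(HOSTILE_OPF)
    print("unsafe row :", render_row_unsafe(m))
    print("safe row   :", render_row_safe(m))
    print("naive SQL  :", naive_insert_sql(m))
    print("stored     :", store_and_fetch(m))
    print("flagged    :", suspicious_fields(m))
```

The stored title comes back byte for byte, the books table survives, and the escaped row shows the script tag as text instead of executing it. Running the naive SQL string through a driver that accepts multiple statements is exactly the cartoon; the example only prints it.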

Anyway, our MalBookWare (TM) developer must now get his product to users. You might well ask how. What leaps to mind is a website with malicious books just waiting for readers with Kindles. You must dangle the pretties and do everything you can to make your site look like there are loads of great books by great authors. All you have to deliver to the person on the other end is a mobi file with any old content, as long as the website makes it look like it’s a book by a favorite author.

Authors with services like Google Alerts, or Talkwalker alerts might start getting alerts like this:

Best Romance Ever: Number 3 in series pdf
My Book of Bible Stories and Prayers: AND My Book of Prayers
Best Romance Ever: Number 3 in series – Author, Suzie – PDF, EPUB, DOC Free Download EBook and Audiobook …

Anyone clicking on such a link, whether in an alert or through arriving at it after Googling for

Suzie Authors Best Romance Ever, Book 3, torrent

will be clicking a link (which I have altered so you can’t actually get there…) like the one below.

https://www.google . com/url?rct=j&sa=t&url =[removed]:// xxyebooks.[tld removed]/best-romance-ever-number-3-in-series_zqjr5.html&ct=ga&cd=CAEYACoUMTI5MjY0NTMzOTEwNzYyNjA4MDgyGRobert;('Drop Table Students;--sjg4gYzY0ZjI0ZjhjNzE5Y2I6Y29tOmVuOlVT&usg=AFQjCNGK5w9Tvxf3JSRA5DXs6q1JtSvZng

Ok, so I added the SQL injection just for kicks. Because it’s hilarious to SQL inject obfuscated code.

Anyhow, you see all that stuff after the number-3-in-series_zqjr5.html? If the intent behind the link is bad, it could well be obfuscated code that will, eventually, get translated into a location that goes somewhere scary. Or not. Or to a script that delivers a malicious payload. You won't get a book. You'll get malware. Or, maybe, a file with a MalBookWare (TM) title.

By the way
xxyebooks.[tld removed]:

Registrant Name:WU YOUPO
Registrant Organization:WU YOUPO
Registrant Street: LIJIAPOLU
Registrant City:SHANGHAI
Registrant State/Province:Shanghai
Registrant Postal Code:368742
Registrant Country:CN

Additional Observations

There has been a great deal of speculation and public comment among some of the authors I know or know of. Many are making a connection between Kindle Unlimited and an increase in piracy, and well, maybe. But I think that’s not what they’re seeing.

There are several problems with those conclusions. Foremost is the erroneous belief that every site that advertises pirated books is actually delivering pirated books. They are not. They are delivering malware or just stealing payment information. The ironic good news for authors is that books are the bait. If people didn’t want the books, they would not be effective bait.

This is not an endorsement of anything. It’s just an observation.

The rash of Google docs as a (probable) malware delivery method isn’t an increase in actual piracy. Neither are any efforts to exploit that Kindle vulnerability, and you can bet that there were/are sites out there where the bait is supposedly pirated books by popular authors. The user may even believe they got the book, but the payload is malware.

If I were a malware deliverer, I wouldn’t bother pirating a book and altering the contents. I’d make my own content, disguise it as a popular book by grabbing the Amazon feed so I can populate the metadata and links with the author name and book title, and deliver it to the user. By the time they click on the content in their Manage my Device and say, hey! where’s my book by Suzie Author, a server in China has their Amazon credentials. Or worse.

A few more observations

Clicking on links to what looks like a pirate site is risky business. The click itself can deliver malware. It's important to recognize that and not, if one cares about such things, conflate the apparent purpose of a link with its actual purpose. I would suggest, though, that no one should be saying, well, they got what they deserved for trying to steal books. The last thing any author should want is readers who think books = malware.

Because EPUB 3 and other book formats allow JavaScript, I would expect that the book as a (more) sophisticated malware delivery method is only a matter of time. Someone, at some point, is going to deliberately do what Benjamin Mussler did in order to prove to Amazon that they had a vulnerability.

Any developer worth his or her salt can extrapolate out to sneakier things to do. I suspect Amazon, Apple, and Google can secure their vendor environments. I’m not so sure about Barnes & Noble since they can’t even be bothered to take care of their Warrior Cat problem. Kobo seems to care more, so I’ll put them on the vendors who are careful list until they prove otherwise.

My point, really, is if you’re pirating, be suspicious. If you’re an author, well, not all those links are actual instances of pirated books, and you shouldn’t be clicking either.