Archive for July 24, 2019

Wednesday, July 24, 2019

Lockdown 0.1.1

Juli Clover:

Lockdown, a new app launching today, is designed to be an open source firewall, letting users block any connection to any domain, including those that use ad tracking services and analytics platforms to monitor device usage.

Lockdown is free to download and use, and because it operates on device, it collects no user data. Lockdown uses Apple’s VPN setup to function, though it is not a VPN and will not obscure your own IP address.

This sounds great, although it looks like you have to manually enter the domains to block, and they are blocked globally and permanently. By contrast, Little Snitch on the Mac prompts you interactively, its blocks can be temporary, and you can have different settings for each app.

Note that the actual name of the app in the App Store is “Lockdown Apps”. That’s currently the fifth app in the list when I search for “Lockdown.”

The source is available here. Being able to compile it yourself—from code that anyone can inspect—makes it a bit more trustworthy than downloading the version from the App Store, which you can’t prove matches the published source.


Attorney General William Barr on Encryption Policy

Bruce Schneier:

Yesterday, Attorney General William Barr gave a major speech on encryption policy -- what is commonly known as “going dark.” Speaking at Fordham University in New York, he admitted that adding backdoors decreases security but that it is worth it.


I think this is a major change in government position. Previously, the FBI, the Justice Department and so on had claimed that backdoors for law enforcement could be added without any loss of security. They maintained that technologists just need to figure out how: an approach we have derisively named “nerd harder.”

With this change, we can finally have a sensible policy conversation. Yes, adding a backdoor increases our collective security because it allows law enforcement to eavesdrop on the bad guys. But adding that backdoor also decreases our collective security because the bad guys can eavesdrop on everyone. This is exactly the policy debate we should be having, not the fake one about whether or not we can have both security and surveillance.

That sounded encouraging. However, Barr also said (via Nick Heer):

We are confident that there are technical solutions that will allow lawful access to encrypted data and communications by law enforcement, without materially weakening the security provided by encryption.

If he’s only conceding a theoretical—not material—difference, I’m not sure how much of a change this really is.


Update (2019-08-15): See also: Bruce Schneier.

Update (2021-03-09): Christopher A. Wray:

The FBI remains a strong advocate for the wide and consistent use of responsibly-managed encryption – encryption that providers can decrypt and provide to law enforcement when served with a legal order. Protecting data and privacy in a digitally-connected world is a top priority for the FBI and the U.S. government, and we believe that promoting encryption is a vital part of that mission. But we have seen that the broad application of end-to-end and user-only-access encryption adds negligible security advantages. It does have a negative effect on law enforcement’s ability to protect the public. What we mean when we talk about lawful access is putting providers who manage encrypted data in a position to decrypt it and provide it to us in response to legal process. We are not asking for, and do not want, any “backdoor,” that is, for encryption to be weakened or compromised so that it can be defeated from the outside by law enforcement or anyone else. Unfortunately, too much of the debate over lawful access has revolved around discussions of this “backdoor” straw man instead of what we really want and need.

We are deeply concerned with the threat end-to-end and user-only-access encryption pose to our ability to fulfill the FBI’s duty of protecting the American people from every manner of federal crime, from cyber-attacks and violence against children to drug trafficking and organized crime.

Google Open Sources robots.txt Parser

Google (via Hacker News):

We’re here to help: we open sourced the C++ library that our production systems use for parsing and matching rules in robots.txt files. This library has been around for 20 years and it contains pieces of code that were written in the 90’s. Since then, the library evolved; we learned a lot about how webmasters write robots.txt files and corner cases that we had to cover for, and added what we learned over the years also to the internet draft when it made sense.

We also included a testing tool in the open source package to help you test a few rules.

My sites have recently been hammered by bots—hundreds of thousands of hits for search engines and directories I’d never heard of—causing the server to run out of memory (I think due to the PHP-based vBulletin forum) and reboot. If you’ve seen this site go down for a couple minutes every now and then, I think that’s why.

The bots all claimed to follow the Robots Exclusion Protocol, but they were not respecting my requests to crawl more slowly and to avoid the forum. Eventually I figured out that the specification calls for lines to be separated by CR LF, but my robots.txt files were only using CR.
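To illustrate the line-ending problem described above, here is an added example (not from the original post or from Google's library) that counts the terminators in a robots.txt file and compares what a parser that splits only on CR LF would extract with what a tolerant one would. The sample rules and the strict parser are constructed assumptions, not the behaviour of any particular crawler.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the same three rules saved with three line-ending styles.
RULES = ["User-agent: *", "Crawl-delay: 10", "Disallow: /forum/"]
SAMPLES = {
    name: sep.join(r.encode() for r in RULES) + sep
    for name, sep in (("crlf", b"\r\n"), ("lf", b"\n"), ("cr", b"\r"))
}

def count_endings(data: bytes) -> dict:
    """Count CR LF pairs, bare CRs and bare LFs in the raw file bytes."""
    crlf = data.count(b"\r\n")
    return {"crlf": crlf,
            "cr": data.count(b"\r") - crlf,
            "lf": data.count(b"\n") - crlf}

def parse_rules(data: bytes, separator: Optional[bytes]) -> List[Tuple[str, str]]:
    """Return (field, value) pairs.

    separator=b"\r\n" models a hypothetical strict parser;
    separator=None accepts CR LF, CR or LF.
    """
    if separator is None:
        lines = re.split(rb"\r\n|\r|\n", data)
    else:
        lines = data.split(separator)
    rules = []
    for line in lines:
        text = line.decode("utf-8", "replace").split("#", 1)[0].strip()
        if ":" in text:
            field, value = text.split(":", 1)
            rules.append((field.strip().lower(), value.strip()))
    return rules

def disallowed_paths(rules: List[Tuple[str, str]]) -> List[str]:
    """Paths the parsed rule set asks crawlers to stay out of."""
    return [value for field, value in rules if field == "disallow"]

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        strict = parse_rules(data, b"\r\n")
        tolerant = parse_rules(data, None)
        print(name, count_endings(data),
              "strict:", disallowed_paths(strict),
              "tolerant:", disallowed_paths(tolerant))
```

With the CR-only sample, the strict split sees the whole file as one `User-agent` line, so the `Crawl-delay` and `Disallow` rules are never recognised.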


Google has been very clear lately (via John Mueller) regarding getting pages indexed or removed from the index.

If you want to make sure a URL is not in their index then you have to ‘allow’ them to crawl the page in robots.txt and use a noindex meta tag on the page to stop indexing. Simply disallowing the page from being crawled in robots.txt will not keep it out of the index.
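The interaction between crawling and indexing described above can be checked mechanically. The following is an added example, not part of the quoted text: it uses Python's standard `urllib.robotparser` and `html.parser` to flag a page whose `noindex` tag can never be seen because robots.txt blocks the crawl. The URLs, sample files and status labels are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

# Constructed sample inputs.
ROBOTS = "User-agent: *\nDisallow: /private/\n"
PAGE_NOINDEX = ('<html><head><meta name="robots" content="noindex, nofollow">'
                '</head><body>report</body></html>')
PAGE_PLAIN = "<html><head><title>report</title></head></html>"

class RobotsMetaParser(HTMLParser):
    """Collect the directives from <meta name="robots" content="..."> tags."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").lower() == "robots":
            for directive in attr.get("content", "").split(","):
                self.directives.add(directive.strip().lower())

def index_status(robots_txt: str, url: str, html: str, agent: str = "Googlebot") -> str:
    """Classify a page by whether it is crawlable and whether it carries noindex."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    crawlable = rp.can_fetch(agent, url)

    meta = RobotsMetaParser()
    meta.feed(html)
    noindex = "noindex" in meta.directives

    if noindex and not crawlable:
        # The crawler is told not to fetch the page, so it never reads the tag.
        return "noindex-unreachable"
    if noindex:
        return "noindex-effective"
    if not crawlable:
        # Not crawled, but nothing tells the search engine to drop the URL.
        return "blocked-but-indexable"
    return "indexable"

if __name__ == "__main__":
    for path, page in (("/private/a.html", PAGE_NOINDEX), ("/public/a.html", PAGE_NOINDEX),
                       ("/private/b.html", PAGE_PLAIN), ("/public/b.html", PAGE_PLAIN)):
        print(path, index_status(ROBOTS, "https://example.com" + path, page))
```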