Wednesday, December 11, 2013

Disqus admits security flaw - MD5-hashes disabled

Disqus admits that the MD5 security flaw exists and has removed the function from their API, disabling Gravatar support. Using the API in the manner of Researchgruppen or their employees or contractors is a breach of Disqus' privacy policy, and the account has been terminated.

The complete statement from Disqus regarding the MD5 flaw is available on their website.
"Disqus offers an API service that includes MD5 hashes of email addresses in order to use Gravatar, a commonly used third party service that enables users to display a consistent avatar across platforms. This appears to be a targeted attack on a group of individuals using pattern matching of their activity across the web, associated with email addresses used by those individuals. [...] Further, we are disabling Disqus’ use of the Gravatar service and removing the MD5 hash email addresses from the API."
Help Net Security has an article about the flaw, in which I, Lars Wilderäng, am quoted from this blog. I must re-iterate that it was the security engineer David Remahl (@chmod007 on Twitter) who made the security flaw public. I only spread the news when I discovered what I considered real news and a serious breach of privacy in Disqus. My Swedish blog is the largest independent (not affiliated with any employer, media house, political party or other outlet) Swedish blog on serious subjects (i.e. not fashion, celebrities or sports), mainly economy, finance, environment and politics, and as such news published by me can spread fast.

Ordinary Swedish journalists generally lack the technological know-how to understand the technology and the serious implications of security flaws, and I've been consulted, but not quoted, by journalists in several other related cases. Mainly the Snowden files and the fact that many Swedish government organisations, municipalities and companies are open to industrial espionage by using Google or Microsoft e-mail services, even for internal organisation mail, which the NSA has full access to.

Industrial espionage is one of the NSA's tasks, and may be used in order to give American companies an advantage when placing bids on contracts, as they may see other bidders' offerings to, for example, Swedish government organisations. The NSA may also get intimate knowledge of key individuals' private lives, which can also be used to the advantage of US companies and foreign policy, for example by making friends with politicians more easily by discussing their hobbies or favourite subjects when meeting informally. The man on the street may very well lose his job due to unfair competition practices on behalf of US companies cooperating with the NSA, but most people don't think they have anything to fear from the monitoring of the Internet.

Back in Sweden, the Bonnier Group tabloid Expressen is now publishing names of private individuals, not politicians, who have commented on hate speech sites, identified by the Disqus security flaw.

Tuesday, December 10, 2013

FLASH: Disqus cracked - security flaw reveals user e-mail addresses

The Swedish company Researchgruppen has cracked the Disqus commenting system, enabling them to identify Disqus users by their e-mail addresses. The crack was done in cooperation with the Bonnier Group tabloid Expressen, in order to reveal politicians commenting on Swedish hate speech sites. (Bonnier/Expressen, article in Swedish)

The crack uses a serious security flaw in the Disqus APIs, enabling the extraction of MD5 hashes of user e-mail addresses. Users are then identified by matching the MD5 hashes, by brute force, against an e-mail database.

Example of the attack vector, as revealed by Twitter user chmod007, security engineer David Remahl.
https://disqus.com/api/3.0/users/details.json?user=username:USERNAME&api_secret=secret
The Disqus commenting system has over 50 million users worldwide and is used by 750 000 media sites and blogs (Wikipedia). They are no longer necessarily anonymous.
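To make concrete why an exposed MD5 of an e-mail address de-anonymises a user, and what a stable but non-reversible avatar identifier would look like instead, here is an added example (my own illustration, not Disqus or Gravatar code). The candidate addresses and the server secret are constructed values.

```python
"""Why an unsalted MD5 of an e-mail address is not an anonymous identifier.

Gravatar keys avatars on md5(lowercased, trimmed e-mail), so any API that
returns that hash returns a value that can be matched against any list of
candidate addresses. A keyed HMAC under a secret that never leaves the
server is just as stable per user, but cannot be matched without the key.
All addresses below are constructed sample values.
"""
import hashlib
import hmac
from typing import Dict, Optional

# Constructed list of candidate addresses that a matcher might hold.
CANDIDATE_EMAILS = [
    "alice@example.com",
    "bob@example.org",
    "carol@example.net",
]


def gravatar_hash(email: str) -> str:
    """MD5 of the normalised address, the value Gravatar avatars are keyed on."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def build_lookup(emails) -> Dict[str, str]:
    """Precompute hash -> address for every candidate. This is the whole
    'brute force': one MD5 per candidate, then a dictionary lookup."""
    return {gravatar_hash(e): e for e in emails}


def match(hash_from_api: str, lookup: Dict[str, str]) -> Optional[str]:
    """Return the address behind a leaked hash if it is in the candidate set."""
    return lookup.get(hash_from_api.lower())


def keyed_identifier(email: str, server_secret: bytes) -> str:
    """Stable per-user identifier a third party cannot reverse: HMAC-SHA256
    under a secret held only by the service, so matching it needs the key."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(server_secret, normalised, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    table = build_lookup(CANDIDATE_EMAILS)
    leaked = gravatar_hash("Bob@Example.org")  # what an MD5-exposing API hands out
    print("md5 identifier matched to:", match(leaked, table))  # bob@example.org
    secret = b"constructed-server-secret"  # assumption: kept server-side only
    keyed = keyed_identifier("Bob@Example.org", secret)
    # Without the secret the keyed identifier is in no precomputed table.
    print("keyed identifier matched to:", match(keyed, table))  # None
```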

Update: Looking for 150 million e-mail addresses to match against Disqus accounts? Download the 150 million user e-mails from the intrusion into Adobe's user database.

Update 2: Researchgruppen and possibly Expressen might be in violation of the Disqus terms of service, which they probably have to agree to in order to access the API. See below.
"Service Rules. You agree not to engage in any of the following prohibited activities: (i) copying, distributing, or disclosing any part of the Service in any medium, including without limitation by any automated or non-automated “scraping” except for uses allowed under the “Feed and API” section below; [...](vii) collecting or harvesting any personally identifiable information, including account names, from the Service; (viii) uploading, posting, transmitting, sharing, storing or otherwise making publicly available on the site, or other channels, any private, personally identifiable information of any third party including, but not limited to: addresses, phone numbers, email addresses, Social Security numbers and credit card numbers; [...] (xii) accessing any content on the Service through any technology or means other than those provided or authorized by the Service or Disqus’ written permission;"

Thursday, July 4, 2013

Egypt oil production 1965 - 2012


Egypt provides an interesting study in oil production, peak oil and the export land model. Not only has the country passed national peak oil, it is also an example of the export land model with increasing national consumption, combined with climbing oil prices.

Chart: Egypt's oil production, consumption and net exports 1965-2012
National peak oil occurred in 1996 (EIA) at 934 kboed. Net oil exports peaked at 471 kboed in 1995, and with an almost linear increase in consumption the country now imports 91 000 net barrels of oil daily.

At the same time the income from oil exports, based on the average annual Brent reference oil price (real income is lower depending on oil quality and transport costs), went from 3.259 billion USD for the whole of 1996 to an import cost of 3.707 billion USD in 2012. A difference of 7 billion USD yearly.

The western world naturally thanks Egypt for having produced and sold its oil exports cheaply back in the 80s and 90s.

Rising oil prices and new investments managed to stop the decline in national production, resulting in a new, lower peak in 2009, but production has since started to fall again, in spite of rising oil prices since 2009.

Wednesday, May 29, 2013

Peak oil exports occurred in 2005


The export market for oil peaked in 2005, although 2012 showed a slight increase in available export volumes.
At the same time China's and India's net oil imports reached a new all-time high.
This means that even less oil is available for importing countries, when taking into account the increased consumption in India and China. Most OECD and EU countries need to buy oil on the shrinking export market.
Adjusted for Chinese and Indian imports, export volumes have fallen 12.7% since 2005.

With a linear continuation of this development the export market for oil will have vanished in 49 years, but global total liquids production didn't fall in 2005; it stagnated, entered a plateau phase and has even increased somewhat in the last few years. Once peak oil hits and production starts to fall, the available export market will vanish in 10-15 years, and several models show that oil market exports will be gone by around 2030.

Tuesday, January 29, 2013

Crude oil use as a percentage of world gross product

Below is a chart of the cost of world crude oil as a percentage of world gross product for the years 1960 - 2012.

Values for 2012 are preliminary, but indicative. Roughly 5% of the world gross product, GWP, went to buying unrefined crude oil. This is the first time that share has been reached since 1984.
However, the oil crisis around 1980 was worse than it is today, as compared to the world economy as a whole.

Due to higher average oil prices, a larger part of the world economy went to crude oil than during 2008, when the price of oil spiked sharply and then crashed with the financial crisis.

The chart could do with a few improvements. The correlation between crashes in real GWP and the relative cost of oil should be added, but this graph only uses data from nominal GWP. Using oil prices as a percentage of real GWP would be incorrect, as real GWP already adjusts for the general price level using a GWP deflator, which includes the oil price.

The actual cost of oil use is higher than the percentages above, as refined fuel, such as diesel, kerosene or gasoline, is more expensive than crude oil.

Addition: Real GWP from 1980 onwards added below. 1982 was a very mild global recession, but the world economy didn't start growing significantly until the Reagan regime convinced Saudi Arabia to open all taps and the "oil glut" of the 1980s and 1990s started.