Missing Maps Reading

24 February 2018

Unmapped Places

I have been doing some mapping of late for the Missing Maps project. In conversation with people at Reading Geek Night we wanted to see if we could run an event in Reading. Well, we have managed to get the use of space at work.life and the promise of some pizza from Zizzi in King Street.

In the west we take maps for granted. That post arrives, that people can find your place, that government and companies can plan the services they provide. These are so fundamental to the functioning of society that we take them for granted. But they require investment and effort to create.

The picture above is an analysis of data in the OpenStreetMap database. It shows the number of town and village entries that do not have surrounding residential roads. It is a fairly good indicator of the coverage of maps in various areas. Notice that big band of red across the centre of the map. That is the problem.

But there is a very effective way we now have of solving this. We have access to high resolution images of the entire world, and we have the software to allow people to look at these and create a simple map of roads and buildings. When we have these base layers it is relatively easy for local people to add names to roads and tag hospitals and schools.

The Missing Maps project is aiming to get the rest of the world mapped, working with OpenStreetMap, and specifically the Humanitarian OpenStreetMap Team (HOT), to create an open data map of the world. Here is a great little video that explains the project.

So if you are in Reading and want to come along, get your ticket here. The first event is 20 March 2018 at work.life, 33 King’s Road, RG1 3AR Reading. If you can’t make that, we are already planning the next event on 17 April 2018. Come along and help map the world.


Evolving internet protocols TLS 1.3, HTTP/2, QUIC, & DOH

5 January 2018

There is a must-read blog article by Mark Nottingham on the APNIC site:

Internet Protocols are Changing

Now, significant changes to the core Internet protocols are underway. While they are intended to be compatible with the Internet at large (since they won’t get adoption otherwise), they might be disruptive to those who have taken liberties with undocumented aspects of protocols or made an assumption that things won’t change.

Finally, we are in the midst of a shift towards more use of encryption on the Internet, first spurred by Edward Snowden’s revelations in 2015. That’s really a separate discussion, but it is relevant here in that encryption is one of the best tools we have to ensure that protocols can evolve.

Password Managers

7 February 2017

Lastpass Screenshot

I am constantly surprised that ordinary people don’t use password managers. I would expect most security professionals to use them, but even there I find many do not use a password manager.

So what is a password manager? Basically a database that stores usernames and passwords for you. The data is encrypted with a master password so you do have to remember that one password. When you visit a site or start an application that needs a password, the password manager fills in the credentials for you.

Why is this better than what I do at the moment? If you don’t use a password manager then you must be doing one of the following:

1. Use the same password, or a small set of passwords on many sites.

This is a bad idea, mostly because if one of those sites is compromised then you will need to change your password on all the sites you have used that password on. Can you remember all of those sites? How long will it take you to do that?

2. Write passwords down.

Actually this is not too bad, as long as you look after the password book. You can do some things to make sure that if the book is stolen then it doesn’t immediately compromise all your passwords. But if you lose that book how do you go about changing your passwords?

3. Use an algorithm to generate the password for each site.

It could be paper based, or something you can remember and do in your head, or a combination. Usually you use the domain name of the site to work out your password. The problem here is that if a site is compromised then you have to change your password for it. Get lots of these and you have a long list of exceptions, or alternative methods for passwords. It will soon become unmanageable.

Software to the rescue.

So the answer is to use password safe software. There are a number of systems available. I recommend both LastPass and KeePass. LastPass is internet based, and implemented through a browser plugin, whereas KeePass is an application you run locally on your machine.

Both allow you to store usernames, passwords and the URL of the login page. Both have a master password to encrypt the password store, and only decrypt the password in memory on the local machine.

KeePass has a local database, but this can be synced with other machines using Dropbox, GDrive, OneDrive, or even sftp. Because the database is only decrypted in memory this is safe. KeePass is open source and there are clients for all desktop operating systems, and some mobile as well. There is a huge range of extensions to extend the basic functionality.

I personally use LastPass, but I also regularly export my keystore and import it into KeePass so I have a backup.

So why is this good?

So why is this good.

1. You have a different password on every site. OK, if you don’t have this when you start, you can progress towards this. Because you only have to remember one password, there is no effort in having a different password for every site.

2. You use long, randomly generated passwords. These systems will generate a new password for you, so you may as well make it long and complex as you don’t have to remember it. And that makes you much more secure. So when you set up a new account or change an existing password, generate it randomly and make it 16 characters long (if the site accepts this).

3. Your password manager checks the domain you are visiting and will only enter the Amazon password into the page at amazon.com, not amason.com, amaz0n.com, amazom.com or arnazon.com.

4. Use your password manager as your bookmarks. If you need to visit your bank, select it in the password manager and it will go there and log you on.

5. Use your password manager to store password recovery information. Because you are using a password manager you don’t need to be able to recover a forgotten password, but some sites insist on this. Never answer the security questions with the correct information. If they want your mother’s maiden name, put something random in there, otherwise it may be possible to have your account taken over using the password recovery process.

6. You can use this to store and auto fill other sensitive information like name, address, credit card numbers etc. This avoids storing cards on a website, from where they may be compromised. And because it is automated, it is just as fast as having the website store the data.
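
Point 3 above, as an added example (not code from LastPass, KeePass or any other product): a sketch of the domain check, assuming a credential may be filled only over HTTPS and only on the saved domain or one of its subdomains. The vault entry, username, function names and the boundary-case URLs are constructed for illustration.

```javascript
// Added example, not code from any real password manager.
// Assumed rule: fill only over HTTPS, and only when the page's hostname is
// the saved domain itself or a subdomain of it.

// Constructed vault entry; the username is a placeholder.
const vault = [{ domain: "amazon.com", username: "alice@example.org" }];

// Return the normalised hostname of an https:// URL, or null for anything else.
function httpsHost(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return null; // not a parseable URL
  }
  if (url.protocol !== "https:") return null;
  // URL lowercases the hostname; drop a trailing root dot ("amazon.com.").
  return url.hostname.replace(/\.$/, "");
}

// Compare whole DNS labels: "notamazon.com" ends with "amazon.com" as a
// string, but is a different domain, so require the "." boundary.
function hostMatches(host, savedDomain) {
  return host === savedDomain || host.endsWith("." + savedDomain);
}

// Return the vault entry that may be filled into this page, or null.
function credentialFor(entries, visitedUrl) {
  const host = httpsHost(visitedUrl);
  if (host === null) return null;
  return entries.find((e) => hostMatches(host, e.domain)) || null;
}

// The lookalikes listed in point 3, plus constructed boundary cases.
const pages = [
  "https://www.amazon.com/",
  "https://amason.com/", "https://amaz0n.com/",
  "https://amazom.com/", "https://arnazon.com/",
  "https://notamazon.com/", "https://amazon.com.login.example/",
  "http://amazon.com/",
];
for (const page of pages) {
  const entry = credentialFor(vault, page);
  console.log(page, "->", entry ? "fill " + entry.username : "no fill");
}
```

Only the first URL is filled; every lookalike fails the comparison because the match is made on the parsed hostname, not on how the address looks to the eye.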

So if you have read this far you should be totally convinced and ready to start using a password manager now. Well done.

Article on IMSI Catchers and Stingrays

24 April 2015

I have been helping a proper journalist, Brady Dale, write an article on the use and abuse of Stingrays and other IMSI catchers. It turned out quite well. It is up on Motherboard.

OpenStreetMap v Google smackdown

24 April 2015

While everybody seems to be using Google maps, the quality of the maps in OpenStreetMap has quietly surged ahead. Now the detail and useful information on OSM easily beats Google into the covers. Here is a simple example of a location in Reading that I know well.

osm screenshot

OpenStreetMap of an area in Reading, UK

google map screenshot

Google maps of the same location


The street names are there in the Google version, and one or two building outlines. Bus stops are in both, but in OSM these all have labels. Many more amenities are in OSM than Google, and they probably score equally on businesses. I would have thought that Google would have many more businesses, but perhaps these are not all displayed in trying to keep the map clean.

Try it yourself and see if you can find an area where Google is better!