Nebula: The Zero Trust Networking Tool You Didn’t Know You Needed

I first became aware of Nebula a few days ago, thanks to two excellent write-ups at Ars Technica (here and here). It’s an open source product freely given to the world by the folks at Slack (best known for making billions putting a fresh skin on IRC). While those two write-ups at Ars Technica do a decent job of introducing Nebula, I feel there is a use case for Nebula that hasn’t been fully explained.

Nebula isn’t like the VPNs for which you are constantly bombarded with ads. It isn’t designed for you to hide your torrent traffic, or to mask your IP address. It is designed to secure communications between systems you control, and makes for an excellent building block in a Zero Trust implementation.

First off, what’s “Zero Trust”? It’s the idea that you can’t trust any of your infrastructure any more than you could trust the Internet. It’s the logical evolution of the old adage “never trust the client”. If you can’t trust the client, you can’t trust the network they are connected to either. Assume at all times:

  • There’s a compromised device on your network sniffing traffic.
  • All of those ‘Smart Appliances’ you got for Christmas are remotely hackable, if they weren’t flat out designed to attack your network from the inside.
  • Any machine can have zero-day malware that isn’t detectable yet.
  • The NSA has a tap on your AWS VPC (Virtual Private Cloud).
  • Any of the Five Eyes countries have taps on the switches/routers at your ISP.
  • The ‘free WiFi’ at the cafe is sniffing traffic to insert ads, or worse.
  • Your ISP is sniffing traffic for * reason.
  • Your SuperMicro server has the Magick Chip that sends data to China.
  • Your network gear has Huawei components.
  • One of your sysadmins didn’t get enough of a raise and has sold access to your network for fun and profit.
  • There are a thousand other risk factors not on this list.

The old paradigm was built around a division of realms: the trusted home/office/datacenter network and the wild west of the Internet, with firewalls in between. That paradigm is shifting with the acceptance of the reality that devices inside your trusted network are going to be compromised. By accepting that, and making design decisions with that in mind, the impact of your future compromise(s) just might be reduced.

Now that you are starting to embrace the appropriate level of paranoia, how does Nebula help? Nebula lets you create a mesh VPN between the hosts in your network, whether or not they are on the same subnet or in the same VPC. It allows you to secure traffic that was otherwise difficult to secure, or that you wouldn’t normally consider securing because it takes place in a ‘trusted’ layer of your network. With Nebula it becomes trivial to encrypt MySQL, MongoDB, Redis, Memcache, etc., traffic, restricting access to hosts with the appropriate certificates installed while also limiting exposure if another instance in your infrastructure becomes compromised.

Unlike traditional hub and spoke VPNs, Nebula functions as something closer to a mesh. In a traditional VPN, two clients who want to talk to each other would have to route their traffic to the server and back. With Nebula, clients negotiate the best way to talk to each other, using the shortest route possible. This is a far more efficient use of bandwidth.

I spent a couple of hours adding a new column to my IP/subnet spreadsheet, creating certificates, and writing a Puppet module to deploy Nebula in my quirky infrastructure. I now have a virtual VPN subnet that spans systems across two continents, where I can use a host’s Nebula IP to automagically encrypt traffic to it.
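As an added example (not from the original post, and not Slack’s own documentation), here is what a Nebula `config.yml` for a database host looks like when you put the “restrict access to hosts with the appropriate certificates” idea into practice. The overlay subnet 192.168.100.0/24, the lighthouse’s public address 203.0.113.10, the file paths and the group names `db`, `app` and `cache-client` are assumptions for illustration. Group membership is baked into each host certificate when it is signed by your own CA, e.g. `nebula-cert sign -name db1 -ip 192.168.100.10/24 -groups db` for this host and `-groups app` for the application servers, and the firewall section below keys off those groups rather than off IP addresses.

```yaml
# Constructed example: Nebula config for an assumed database host "db1"
# (overlay IP 192.168.100.10). Paths, IPs and group names are illustrative.

pki:
  ca: /etc/nebula/ca.crt        # the CA you created with `nebula-cert ca`
  cert: /etc/nebula/db1.crt     # signed with -groups db
  key: /etc/nebula/db1.key

# Map the lighthouse's overlay IP to its reachable underlay address so new
# hosts can find it; every other peer is discovered through the lighthouse.
static_host_map:
  "192.168.100.1": ["203.0.113.10:4242"]

lighthouse:
  am_lighthouse: false          # the lighthouse host itself sets this to true
  interval: 60
  hosts:
    - "192.168.100.1"

listen:
  host: 0.0.0.0
  port: 4242                    # UDP; open this on the underlay firewall

punchy:
  punch: true                   # keep NAT mappings alive so peers can talk directly

tun:
  disabled: false
  dev: nebula1
  mtu: 1300

logging:
  level: info
  format: text

firewall:
  conntrack:
    tcp_timeout: 12m
    udp_timeout: 3m
    default_timeout: 10m

  # Let this host initiate anything over the overlay.
  outbound:
    - port: any
      proto: any
      host: any

  # Inbound is where the Zero Trust part lives: nothing is reachable over the
  # overlay unless the peer's certificate carries the right group.
  inbound:
    - port: any
      proto: icmp
      host: any                 # ping from any overlay host, for troubleshooting
    - port: 3306
      proto: tcp
      group: app                # MySQL only from hosts whose cert has group "app"
    - port: 6379
      proto: tcp
      groups:                   # Redis only from hosts that carry BOTH groups
        - app
        - cache-client
```

The rules only govern traffic arriving through the `nebula1` interface, so the point of the exercise is to bind MySQL and Redis to the Nebula IP (192.168.100.10 here) instead of the underlay address; then a compromised box that is on the same VLAN but was never issued a certificate in group `app` has no path to the database at all, and one that was issued a certificate can be cut off by revoking it rather than by chasing IP-based firewall rules across two continents.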

I haven’t used Nebula long enough to run into any gotchas, which means I’m still a novice. Despite that, I do feel secure in saying that it makes for a powerful tool in your Security toolbox.

If you want to give it a try, this write-up at Ars Technica will have you up and running in ten minutes or so.

The absurdity of YouTube’s Copyright Claim System

I recently found a bumblebee nest in my back yard. Friends on Facebook asked questions about it, and I decided to set up a GoPro and record a video of the bees’ activity. After assembling segments into a two hour video, I decided to add some music. Knowing that is a tricky proposition on YouTube, because of the insanity of illegitimate organizations making copyright claims on the tiniest sample they can suss out of a video, I came up with a strategy I thought would be foolproof:

  1. Pick my music: Flight of the Bumblebee, composed by Nikolai Rimsky-Korsakov sometime around 1899-1900. Long out of copyright.
  2. Find a MIDI file built from the score.
  3. Run the MIDI file through a computerized synth to get a mp3 file.
  4. ***
  5. No profit. (YouTube took away my ability to monetize.)

I even included this helpful message in the description:

**The musical accompaniment is a computer generated audio track created from a MIDI file transcribed from the original score. As the score itself is long out of copyright, and this is not a human performance, you would be blatantly abusing the Youtube copyright system if you attempt to file a claim against this video.**

As a computer generated rendering of a MIDI file of a public domain work, there should be no basis for a copyright claim. And yet… I got one within minutes of uploading my video. This had to have been done by an automated system that scans all new videos on YouTube, for I do not have a popular channel. I’m reasonably sure my only subscribers are family members and the occasional random person who took pity on me. At my current rate of subscribers and views I should qualify for monetization right around the time we finish colonizing Mars.

A company called AdRev Publishing has filed a claim: “Monetized in some territories”. What does that even mean? Monetized isn’t the same as copyrighted. There are people who ‘monetize’ Project Gutenberg public domain books by publishing them as ebooks on Amazon, but that doesn’t grant them rights.

They specifically filed a claim against the interval between 16:59 and 19:04. That’s really odd, since I repeated the exact same piece of music approximately 60 times. If they have a claim, and it’s legitimate, why pick a specific interval in the middle? Why not the first iteration? Why not the whole video? I suspect they didn’t file against the whole video so that if I successfully dispute this they can just file again for a different time interval. Or maybe it’s even more evil… Maybe they only file against a small subset of people’s videos with the expectation that people won’t risk their account on a dispute for such a small slice of the ad revenue, and in that way make tiny slices of revenue from large numbers of creators.

AdRev didn’t demand I take my video down. Nooo… they leveraged YouTube’s system so that the video now shows ads and they get the money. What really makes this absurd is that I can’t show ads for revenue on my own videos, because YouTube changed their requirements and I no longer make the cut. So I make a video, AdRev swoops in and files a completely bogus claim against a computer generated rendition of a public domain piece of music, and AdRev gets to make money on my videos where I cannot.

This is my response to the claim on YouTube:

The music in my video is Flight of the Bumblebee, composed by Nikolai Rimsky-Korsakov between 1899 and 1900; and it is in the public domain.

The specific orchestration of the piece used in my video is non-human; it was generated using a MIDI file made from the score and then run through a computer based synthesizer, so it cannot be a copyrighted performance.

I respectfully ask that the claimant provide documentation for how they can be representing the rights of a Russian composer who has been dead for 111 years, or for the synthesizer used to render this piece.

It appears that AdRev has a history of filing illegitimate claims against Flight of the Bumblebee. Perhaps the existence of precedent could be used to block them from making similar future claims?
https://www.summet.com/blog/2017/01/01/youtube-copyright-claim-by-adrev-for-rights-holder-flight-of-the-bumblebee/

When the content reviewers at YouTube realize the absurdity of this claim, I ask that AdRev’s claim be rejected with prejudice, so that they don’t just keep re-filing for the other 59 instances in which this same clip appeared in my video.

https://www.ghostwheel.com/2019/12/08/the-absurdity-of-youtubes-copyright-claim-system/

While filing my dispute against their claim I am presented with a dire warning that filing a fraudulent dispute can result in the termination of my account. This is a scary threat for some content creators, as they may be depending on income from their videos. This warning feels a bit one-sided to me, as AdRev has been filing claims against Flight of the Bumblebee since at least 2017 and in at least one case dropped the claim when it was disputed. Is there no penalty for a company filing fraudulent claims? How many times have they pulled this maneuver?

In another display of bias against the creators who made YouTube what it is, when a claim is filed it goes into effect immediately, but the claimant then has thirty days to respond to your dispute. That’s thirty days where a creator is in limbo stressing about the fate of their monetization. I wonder how many claims are filed by automated systems and then left hanging for thirty days after they are disputed?

This is what YouTube has become: a platform where content creators upload videos, copyright trolls can file an illegitimate automated claim and steal any potential revenue, and the threat of a lost account deters people from disputing those claims.

UPDATE 2019/12/11 (NZT, of course!) – Thanks to Cory Doctorow’s awesome write-up at boingboing, and the sleuthing of Sluggo in the message boards, these two interesting tidbits have come to light:

UPDATE 2019/12/12 – I received an update from YouTube today that Adrev has deigned to release their illegitimate claim on my public domain music. YouTube considers this “Good news!” but I find it disturbing. My takeaway is that YouTube never reviewed my response, and instead allowed AdRev to self police. If that’s the process, then YouTube gets to remain blissfully ignorant of the abuses occurring on their platform.

Phase two of this experiment is coming soon…

State Farm Security Fail

On State Farm’s security page, they say “The Security of Your Personal Information is a Priority at State Farm” and “We work hard to make sure your account information stays secure. Learn more about how to protect yourself and how State Farm protects you.”

That’s all well and good to say, but the reality is not so simple.

State Farm supports 2FA on your account, which is good-ish. They don’t support Google Authenticator or Duo. They do support SMS messages and email, but enabling 2FA turns on both, and you can’t disable SMS in the settings. This is not so good, as current industry advice is to avoid SMS as a second factor due to SIM swapping attacks and SS7 hacks.

But then it gets worse. The devil is in the details, or in this case the following sentences: “Use a verification code or answer public based questions every time I log in.” “Selecting Two-Factor Authentication means you’ll receive a unique verification code by email or text or you will answer a series of public based questions each time you log in.” This is where things get really scary. Verification by ‘public based questions’ is an absolute favorite of identity thieves. They can sit at their computer with a copy of your credit report and answer these with a high degree of success, which means the “second factor” is something an attacker can look up rather than something only you have.

I tried complaining about this lapse in security practice to State Farm, and they seem to have fully drunk the LexisNexis Kool-Aid on this. They stand by their use of a vulnerable verification tool that puts my accounts at risk.

Time to find a new insurance provider.

I use Amazon affiliate links in some of my posts. I think it is fair to say my writing is not influenced by the $0.40 I earned in 2022.