If You See Something, Save Something (Poke A Censor In The Eye)

August 17th, 2017

If You See Something, Save Something – 6 Ways to Save Pages In the Wayback Machine by Alexis Rossi.

From the post:

In recent days many people have shown interest in making sure the Wayback Machine has copies of the web pages they care about most. These saved pages can be cited, shared, linked to – and they will continue to exist even after the original page changes or is removed from the web.

There are several ways to save pages and whole sites so that they appear in the Wayback Machine. Here are 6 of them.

In the comments, Ellen Spertus mentions a 7th way: Donate to the Internet Archive!

It’s the age of censorship, by governments, DMCA, the EU (right to be forgotten), Facebook, Google, Twitter and others.

Poke a censor in the eye, see something, save something to the Wayback Machine.

The Wayback Machine can’t stop all censorship, so save local and remote copies as well.

Keep poking until all censors go blind.

Emojipedia

August 17th, 2017

Emojipedia

If you aren’t familiar with Emojipedia, be forewarned: It’s a real time sink! 😉

In small doses it’s highly entertaining and a necessity in some communities.

Enjoy!

Sex Trafficking at Hartsfield-Jackson Airport – Quick, Censor the Internet!

August 11th, 2017

Hartsfield-Jackson airport in Atlanta, GA, is the hub of sex trafficking in the United States.

FBI reports that Atlanta is the center for the sex-trafficking of adolescents and around 200 to 300 youth are prostituted in Atlanta a month. (At world’s busiest airport, sex trafficking abounds)

With an average of 20 to 30 youths prostituted a day in Atlanta, some members of Congress want to address sex trafficking by censoring the Internet.

Elliot Harmon in Internet Censorship Bill Would Spell Disaster for Speech and Innovation, puts it this way:

There’s a new bill in Congress that would threaten your right to free expression online. If that weren’t enough, it could also put small Internet businesses in danger of catastrophic litigation.

Don’t let its name fool you: the Stop Enabling Sex Traffickers Act (SESTA, S. 1693) wouldn’t help punish sex traffickers. What the bill would do (PDF) is expose any person, organization, platform, or business that hosts third-party content on the Internet to the risk of overwhelming criminal and civil liability if sex traffickers use their services. For small Internet businesses, that could be fatal: with the possibility of devastating litigation costs hanging over their heads, we think that many entrepreneurs and investors will be deterred from building new businesses online.

Make no mistake: sex trafficking is a real, horrible problem. This bill is not the way to address it. Lawmakers should think twice before passing a disastrous law and endangering free expression and innovation.

Rather than focusing on a known location for sex trafficking, Congress is putting “…small Internet businesses…” in harm’s way.

The large content providers, Facebook, Google, Twitter, already have the financial and technical resources to meet the demands of SESTA. So in a very real sense, SESTA isn’t anti-sex trafficking but rather anti-small Internet business, in addition to being a threat to free speech.

Call your member of the U.S. House or the U.S. Senate, asking for their vote against Stop Enabling Sex Traffickers Act (SESTA, S. 1693).

SESTA:

  1. Endangers free speech
  2. Favors large content providers over small ones
  3. Ignores known sex trafficking locations
  4. Is a non-solution to a known problem

Sex trafficking is a serious problem that needs a workable solution, not an ineffectual, cosmetic non-solution that favors large content providers over smaller ones.

DNA Injection Attack (Shellcode in Data)

August 10th, 2017

BioHackers Encoded Malware in a String of DNA by Andy Greenberg.

From the post:

When biologists synthesize DNA, they take pains not to create or spread a dangerous stretch of genetic code that could be used to create a toxin or, worse, an infectious disease. But one group of biohackers has demonstrated how DNA can carry a less expected threat—one designed to infect not humans nor animals but computers.

In new research they plan to present at the USENIX Security conference on Thursday, a group of researchers from the University of Washington has shown for the first time that it’s possible to encode malicious software into physical strands of DNA, so that when a gene sequencer analyzes it the resulting data becomes a program that corrupts gene-sequencing software and takes control of the underlying computer. While that attack is far from practical for any real spy or criminal, it’s one the researchers argue could become more likely over time, as DNA sequencing becomes more commonplace, powerful, and performed by third-party services on sensitive computer systems. And, perhaps more to the point for the cybersecurity community, it also represents an impressive, sci-fi feat of sheer hacker ingenuity.

“We know that if an adversary has control over the data a computer is processing, it can potentially take over that computer,” says Tadayoshi Kohno, the University of Washington computer science professor who led the project, comparing the technique to traditional hacker attacks that package malicious code in web pages or an email attachment. “That means when you’re looking at the security of computational biology systems, you’re not only thinking about the network connectivity and the USB drive and the user at the keyboard but also the information stored in the DNA they’re sequencing. It’s about considering a different class of threat.”

Very high marks for imaginative delivery but at its core, this is shellcode in data.

Shellcode in an environment the authors describe as follows:

Our results, and particularly our discovery that bioinformatics software packages do not seem to be written with adversaries in mind, suggest that the bioinformatics pipeline has to date not received significant adversarial pressure.

(Computer Security, Privacy, and DNA Sequencing: Compromising Computers with Synthesized DNA, Privacy Leaks, and More)

Question: Can you name any data pipelines that have been subjected to adversarial pressure?

The reading of DNA and transposition into machine format reminds me that a data pipeline could ingest apparently non-hostile data and as a result of transformations/processing, produce hostile data at some point in the data stream.

Transformation into shellcode, now that’s a very interesting concept.
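The point about transformations producing hostile data can be made concrete with a toy pipeline. The following is an added example, not code from the Wired article or from the University of Washington paper; the two-bit base packing, the length-prefixed record layout, the 16-byte buffer and the checks are all constructed for illustration. An ingress filter that only confirms a read consists of A, C, G and T passes the input, the decode stage turns the same bases into arbitrary bytes, and a parser that trusts an embedded length field then writes past its fixed buffer. The hardened parser bounds the copy by both the buffer size and the bytes actually present.

```python
"""Toy three-stage pipeline: ingress check -> DNA decode -> record parse.

Added example (not from the article or the UW paper). Base packing, record
layout, buffer size and sample data are all constructed for illustration.
"""
import re

# 2 bits per base. A plausible transformation, chosen here, not taken from any tool.
BASE_TO_BITS = {"A": 0b00, "C": 0b01, "G": 0b10, "T": 0b11}
BITS_TO_BASE = {v: k for k, v in BASE_TO_BITS.items()}

RECORD_BUFFER_SIZE = 16  # "fixed buffer" of the downstream parser (constructed)


def ingress_check(seq: str) -> bool:
    """Stage 1: the only validation a naive pipeline performs on a read."""
    return re.fullmatch(r"[ACGT]+", seq) is not None


def encode_dna(data: bytes) -> str:
    """Pack bytes into bases, most significant pair first (used to build samples)."""
    return "".join(BITS_TO_BASE[(b >> s) & 0b11] for b in data for s in (6, 4, 2, 0))


def decode_dna(seq: str) -> bytes:
    """Stage 2: turn bases back into bytes. From here on the data is attacker-shaped."""
    if len(seq) % 4:
        raise ValueError("sequence length must be a multiple of 4 bases")
    out = bytearray()
    for i in range(0, len(seq), 4):
        byte = 0
        for base in seq[i:i + 4]:
            byte = (byte << 2) | BASE_TO_BITS[base]
        out.append(byte)
    return bytes(out)


def parse_record_trusting(blob: bytes) -> bytearray:
    """Stage 3 (defective): trusts the embedded length field.

    Constructed layout: blob[0] = declared payload length, blob[1:] = payload.
    Slice assignment silently grows the 'fixed' buffer, mirroring a C memcpy
    that writes past the end of a stack or heap buffer.
    """
    declared = blob[0]
    buf = bytearray(RECORD_BUFFER_SIZE)
    buf[:declared] = blob[1:1 + declared]
    return buf


def parse_record_checked(blob: bytes) -> bytearray:
    """Stage 3 (hardened): bound the copy by the real buffer and the real input."""
    if not blob:
        raise ValueError("empty record")
    declared = blob[0]
    payload = blob[1:]
    if declared > RECORD_BUFFER_SIZE:
        raise ValueError(f"declared length {declared} exceeds buffer {RECORD_BUFFER_SIZE}")
    if declared > len(payload):
        raise ValueError("declared length exceeds available payload")
    buf = bytearray(RECORD_BUFFER_SIZE)
    buf[:declared] = payload[:declared]
    return buf


def overflowed(buf: bytearray) -> bool:
    """Detect that the 'fixed' buffer was written past its capacity."""
    return len(buf) > RECORD_BUFFER_SIZE


def run_pipeline(seq: str, hardened: bool) -> str:
    """Return 'rejected-at-ingress', 'overflow', 'rejected-at-parse' or 'ok'."""
    if not ingress_check(seq):
        return "rejected-at-ingress"
    blob = decode_dna(seq)
    if hardened:
        try:
            parse_record_checked(blob)
        except ValueError:
            return "rejected-at-parse"
        return "ok"
    return "overflow" if overflowed(parse_record_trusting(blob)) else "ok"


# Constructed samples: a record claiming 24 payload bytes (too big for the
# buffer) and a benign 5-byte record. Both are pure A/C/G/T at ingress.
OVERSIZED_READ = encode_dna(bytes([24]) + bytes(range(24)))
BENIGN_READ = encode_dna(bytes([5]) + b"hello")

if __name__ == "__main__":
    for name, read in (("oversized", OVERSIZED_READ), ("benign", BENIGN_READ)):
        print(name, "trusting:", run_pipeline(read, hardened=False),
              "checked:", run_pipeline(read, hardened=True))
```

The ingress check is honest as far as it goes, but it inspects the data in a form in which it is inert; the length field only exists after decoding. Validating after each transformation, at the point where the bytes acquire meaning, is what the hardened parser adds.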

#FCensor – Facebook Bleeding Red Ink of Censorship

August 10th, 2017

Naked down under: Facebook censors erotic art

From the post:

Facebook has censored Fine Art Bourse’s (FAB) adverts for the online auction house’s relaunch sale of erotic art on the grounds of indecency. In 2015, FAB, then based in London, went into receivership shortly before its first sale after running out of funds due to a delay in building the technology required to run the cloud-based auctions. But the founder, Tim Goodman, formerly owner of Bonhams & Goodman and then Sotheby’s Australia under license, has now relaunched the firm in his native Australia, charging a 5% premium to both buyers and sellers and avoiding VAT, GST and sales tax on service charges by running auctions via a server in Hong Kong.

When Goodman attempted to run a series of adverts for his relaunch sale of Erotic, Fetish, & Queer Art & Objects on 12 September, Facebook barred the adverts citing its policy against “adverts that depict nudity” including “the use of nudity for artistic or educational purposes”.

Remember to use #FCensor for all Facebook censorship. (#GCensor for Google censoring, #TCensor for Twitter censoring.)

Every act of censorship by Facebook, and every person employed as a censor, is a splash of red ink on the books at Facebook. Red ink that has no profit center offset.

Facebook can and should erase the red ink of censorship from its books.

Providing users with effective self-help filtering, the ability to “follow” filters created by others, and empowering advertisers to filter the content in proximity to their ads (for an extra $fee) moves censoring costs (read: Facebook red ink) onto users and advertisers, improving Facebook’s bottom line.

What sane investor would argue with that outcome?

Better and “following” filters would enable users to create their own custom echo chambers. Oh, yeah, that’s part of the problem isn’t it? Zuckerberg and his band of would-be messiahs want the power to decide what the public sees.

I’ll pass. How about you?

Investors! Use your stock and dollars to save all of us from a Zuckerberg view of the world. Thanks!

Why Astronomers Love Python And Why You Should Too (Search Woes)

August 10th, 2017

From the description:

The Python programming language is a widely used tool for basic and advanced research in Astronomy. Watch this amazing presentation to learn specifics of using Python by astronomers. (Jake Vanderplas, speaker)

The only downside to the presentation is Vanderplas mentions software being on Github, but doesn’t supply the URLs.

For example, if you go to Github and search for “Large Synoptic Survey Telescope” you get two (2) results:

Both “hits” are relevant but what did we miss?

Try searching for LSSTC.

There are twelve (12) “hits” with the first one being highly relevant and completely missed by the prior search.

Two lessons here:

  1. Search is a lossy way to navigate Github.
  2. Do NOT wave your hands in the direction of Github for software. Give URLs.

Links from above:

bho4/LSST Placeholder, no content.

LSSTC-DSFP-Sessions

Lecture slides, Jupyter notebooks, and other material from the LSSTC Data Science Fellowship Program

smonkewitz/scisql

Science-specific tools and extensions for SQL. Currently the project contains user defined functions (UDFs) for MySQL including spatial geometry, astronomy specific functions and mathematical functions. The project was motivated by the needs of the Large Synoptic Survey Telescope (LSST).

Defeat FBI Video Booby-Trap

August 9th, 2017

Joseph Cox details “…deanonymizing people in a targeted way using novel or unorthodox law enforcement techniques…” in The FBI Booby-Trapped a Video to Catch a Suspected Tor Sextortionist.

Not an attack on Tor per se, but it defeated the use of Tor nonetheless.

Can you spot the suspect’s error?

From the complaint:

F. Law Enforcement Identifies “Brian Kil’s” True IP Address

51. On June 9, 2017, the Honorable Debra McVicker Lynch authorized the execution of a Network Investigative Technique “NIT” (defined in Clause No. 1:17-mj-437) in order to ascertain the IP address associated with Brian Kil and Victim 2.

52. As set forth in the search warrant application presented to Judge Lynch, the FBI was authorized by the Court to add a small piece of code (NIT) to a normal video file produced by Victim 2, which did not contain any visual depictions of any minor engaged in sexually explicit activity. As authorized, the FBI then uploaded the video file containing the NIT to the Dropbox.com account known only to Kil and Victim 2. When Kil viewed the video containing the NIT on a computer, the NIT would disclose the true IP address associated with the computer used by Kil.

57. When Kil viewed the video containing the NIT on a computer the NIT disclosed the true IP address associated with the computer used by Kil.

Where did “Kil’s” opsec fail?

“Kil” viewed content of unknown origin on a networked computer.

“Kil” thought the content originated with Victim 2, but all remote content on the Internet should be treated as being of unknown origin.

No one knows if you are a dog on the Internet just as you don’t know if the FBI sent the video you are playing.

Content of unknown origin is examined and stays on non-networked computers. Copy text only to networked systems. If you need the original content, well, you have been warned.

You can see the full complaint at:
https://assets.documentcloud.org/documents/3914871/Hernandez-NIT-Complaint.pdf

Best practice: Remote content, even if from known source, is of unknown origin. (A comrade may have made the document, video, image, but government agents intercepted and infected it.)

PS: I’m no fan of sextortionists but I am concerned about the use of “booby-trapped” videos against political activists. (Makes you wonder about “jihadist” videos on YouTube doesn’t it?)

Open Source Safe Cracking Robots

August 9th, 2017

Live, robotic, safe cracking demo. No pressure, no pressure!

One of the most entertaining and informative presentations you are likely to see this year! It includes an opening tip for those common digital safes found in hotel rooms.

From the description:

We’ve built a $200 open source robot that cracks combination safes using a mixture of measuring techniques and set testing to reduce crack times to under an hour. By using a motor with a high count encoder we can take measurements of the internal bits of a combination safe while it remains closed. These measurements expose one of the digits of the combination needed to open a standard fire safe. Additionally, ‘set testing’ is a new method we created to decrease the time between combination attempts. With some 3D printing, Arduino, and some strong magnets we can crack almost any fire safe. Come checkout the live cracking demo during the talk!

Don’t miss their highly informative website, SparkFun Electronics.

Open source, part of the Maker community!

This won’t work against quality safes in highly secure environments, but most government safes are low-bidder/low-quality and outside highly secure environments. Use the tool appropriate for the security environment.

GraphSON and TinkerPop systems

August 8th, 2017

Tips for working with GraphSON and TinkerPop systems by Noah Burrell.

From the post:

If you are working with the Apache TinkerPop™ framework for graph computing, you might want to produce, edit, and save graphs, or parts of graphs, outside the graph database. To accomplish this, you might want a standardized format for a graph representation that is both machine- and human-readable. You might want features for easily moving between that format and the graph database itself. You might want to consider using GraphSON.

GraphSON is a JSON-based representation for graphs. It is especially useful to store graphs that are going to be used with TinkerPop™ systems, because Gremlin (the query language for TinkerPop™ graphs) has a GraphSON Reader/Writer that can be used for bulk upload and download in the Gremlin console. Gremlin also has a Reader/Writer for GraphML (XML-based) and Gryo (Kryo-based).

Unfortunately, I could not find any sort of standardized documentation for GraphSON, so I decided to compile a summary of my research into a single document that would help answer all the questions I had when I started working with it.

Bookmark, or better yet, copy-n-paste “Vertex Rules and Conventions” to print on one page and then print “Edge Rules and Conventions” on the other.

Could possibly get both on one page but I like larger font sizes. 😉

Type in the “Example GraphSON Structure” to develop finger knowledge of the format.

Watch for future posts from Noah Burrell. This is useful.
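As an added example, not from Noah Burrell’s post and not TinkerPop’s own code, the following builds a small graph, writes it in the newline-delimited adjacency-list layout that the GraphSON 1.0 reader consumes, reads it back, and checks the cross-references that a hand-edited file most often breaks. The layout (one JSON object per vertex, “outE” and “inE” maps keyed by edge label, property values as lists of {id, value} objects) is an assumption taken from the TinkerPop documentation; the graph itself is constructed.

```python
"""Write, read and validate a graph in adjacency-list GraphSON (1.0 layout).

Added example, not code from Noah Burrell's post or from Apache TinkerPop.
The layout is assumed from the TinkerPop docs; the sample graph is constructed.
"""
import json


class GraphBuilder:
    """Assemble vertices and edges in the adjacency-list GraphSON shape."""

    def __init__(self):
        self.vertices = {}
        self._next_property_id = 0

    def add_vertex(self, vid, label, **props):
        properties = {}
        for name, value in props.items():
            # Every property value is a list of {"id", "value"} objects.
            properties[name] = [{"id": self._next_property_id, "value": value}]
            self._next_property_id += 1
        self.vertices[vid] = {"id": vid, "label": label, "outE": {}, "inE": {},
                              "properties": properties}

    def add_edge(self, eid, label, out_v, in_v, **props):
        # Each edge is stored twice: under the source's outE and the target's inE.
        self.vertices[out_v]["outE"].setdefault(label, []).append(
            {"id": eid, "inV": in_v, "properties": dict(props)})
        self.vertices[in_v]["inE"].setdefault(label, []).append(
            {"id": eid, "outV": out_v, "properties": dict(props)})


def write_graphson(vertices):
    """One vertex object per line, the form the Gremlin console bulk-loads."""
    return "\n".join(json.dumps(vertices[vid]) for vid in sorted(vertices)) + "\n"


def read_graphson(text):
    """Parse newline-delimited vertex objects back into a dict keyed by vertex id."""
    return {obj["id"]: obj
            for obj in (json.loads(line) for line in text.splitlines() if line.strip())}


def validate(vertices):
    """Return a list of problems; an empty list means the file is internally consistent."""
    errors = []
    for vid, v in vertices.items():
        for key in ("id", "label"):
            if key not in v:
                errors.append(f"vertex {vid}: missing '{key}'")
        for label, edges in v.get("outE", {}).items():
            for e in edges:
                target = vertices.get(e.get("inV"))
                if target is None:
                    errors.append(f"edge {e.get('id')}: inV {e.get('inV')} is not a vertex")
                    continue
                mirror = [m for m in target.get("inE", {}).get(label, [])
                          if m.get("id") == e.get("id")]
                if not mirror or mirror[0].get("outV") != vid:
                    errors.append(f"edge {e.get('id')}: no matching inE on vertex {e.get('inV')}")
        for label, edges in v.get("inE", {}).items():
            for e in edges:
                source = vertices.get(e.get("outV"))
                if source is None:
                    errors.append(f"edge {e.get('id')}: outV {e.get('outV')} is not a vertex")
                    continue
                mirror = [m for m in source.get("outE", {}).get(label, [])
                          if m.get("id") == e.get("id")]
                if not mirror or mirror[0].get("inV") != vid:
                    errors.append(f"edge {e.get('id')}: no matching outE on vertex {e.get('outV')}")
        for name, values in v.get("properties", {}).items():
            if not isinstance(values, list) or not all(
                    isinstance(p, dict) and "value" in p for p in values):
                errors.append(f"vertex {vid}: property '{name}' must be a list of {{id, value}} objects")
    return errors


def sample_graph():
    """Constructed three-vertex graph in the style of TinkerPop's 'modern' example."""
    g = GraphBuilder()
    g.add_vertex(1, "person", name="marko", age=29)
    g.add_vertex(2, "person", name="vadas", age=27)
    g.add_vertex(3, "software", name="lop", lang="java")
    g.add_edge(7, "knows", 1, 2, weight=0.5)
    g.add_edge(9, "created", 1, 3, weight=0.4)
    return g.vertices


if __name__ == "__main__":
    text = write_graphson(sample_graph())
    print(text)
    print("problems:", validate(read_graphson(text)))
```

The double bookkeeping is the part that bites when you edit GraphSON by hand outside the database: removing an edge from one vertex’s inE without touching the other vertex’s outE leaves a file that is still valid JSON but no longer a consistent graph, which is exactly what validate() reports.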

Radio Navigation, Dodging Government GPS

August 8th, 2017

Radio navigation set to make global return as GPS backup, because cyber by Sean Gallagher.

From the post:

Way back in the 1980s, when I was a young naval officer, the Global Positioning System was still in its experimental stage. If you were in the middle of the ocean on a cloudy night, there was pretty much only one reliable way to know where you were: Loran-C, the hyperbolic low-frequency radio navigation system. Using a global network of terrestrial radio beacons, Loran-C gave navigators aboard ships and aircraft the ability to get a fix on their location within a few hundred feet by using the difference in the timing of two or more beacon signals.

An evolution of World War II technology (LORAN was an acronym for long-range navigation), Loran-C was considered obsolete by many once GPS was widely available. In 2010, after the US Coast Guard declared that it was no longer required, the US and Canada shut down their Loran-C beacons. Between 2010 and 2015, nearly everyone else shut down their radio beacons, too. The trial of an enhanced Loran service called eLoran that was accurate within 20 meters (65 feet) also wrapped up during this time.

But now there’s increasing concern about over-reliance in the navigational realm on GPS. Since GPS signals from satellites are relatively weak, they are prone to interference, accidental or deliberate. And GPS can be jammed or spoofed—portable equipment can easily drown them out or broadcast fake signals that can make GPS receivers give incorrect position data. The same is true of the Russian-built GLONASS system.

Sean focuses on the “national security” needs for a backup to GPS but it isn’t North Koreans, Chinese or Russians who are using Stingray devices against US citizens.

No, those are all in use by agents of the federal and/or state governments. Ditto for anyone spoofing your GPS in the United States.

You need a GPS backup, but your adversary is quite close to home.

The new protocol is called eLoran and Sean has a non-technical overview of it.

You would need unusual requirements to justify a private eLoran, but so you have an idea of what is possible:

eLoran technology has been available since the mid-1990s and is still available today. In fact, the state-of-the-art of eLoran continues to advance along with other 21st-century technology. eLoran system technology can be broken down into a few simple components: transmitting site, control and monitor site, differential reference station site and user equipment.

Modern transmitting site equipment consists of a high-power, modular, fully redundant, hot-swappable and software configurable transmitter, and sophisticated timing and control equipment. Standard transmitter configurations are available in power ranges from 125 kilowatts to 1.5 megawatts. The timing and control equipment includes a variety of external timing inputs to a remote time scale, and a local time scale consisting of three ensembled cesium-based primary reference standards. The local time scale is not directly coupled to the remote time scale. Having a robust local time scale while still monitoring many types of external time sources provides a unique ability to provide proof-of-position and proof-of-time. Modern eLoran transmitting site equipment is smaller, lighter, requires less input power, and generates significantly less waste heat than previously used Loran-C equipment.

The core technology at a differential eLoran reference station site consists of three differential eLoran reference station or integrity monitors (RSIMs) configurable as reference station (RS) or integrity monitor (IM) or hot standby (RS or IM). The site includes electric field (E-field) antennas for each of the three RSIMs.

Modern eLoran receivers are really software-defined radios, and are backward compatible with Loran-C and forward compatible, through firmware or software changes. ASF tables are included in the receivers, and can be updated via the Loran data channel. eLoran receivers can be standalone or integrated with GNSS, inertial navigation systems, chip-scale atomic clocks, barometric altimeters, sensors for signals-of-opportunity, and so on. Basically, any technology that can be integrated with GPS can also be integrated with eLoran.

(Innovation: Enhanced Loran, GPS World, May 2015)

Some people are happy with government controlled services. Other people, not so much.

Who is determining your location?
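The hyperbolic fix that Sean’s excerpt above describes, a position obtained from the difference in timing of two or more beacon signals, as an added example that is not from his article or from the GPS World piece. The station layout, receiver position and propagation speed are constructed, and the additional secondary factor (ASF) corrections a real eLoran receiver applies are omitted. The last function shows why the integrity monitors in the GPS World description matter: a one-microsecond fault in the time differences moves the computed fix by several hundred meters in this geometry.

```python
"""Loran-style position fix from time differences of arrival (TDOA).

Added example, not from the article or GPS World. Stations, receiver and
propagation speed are constructed; ASF corrections are omitted.
"""
import math

C_KM_PER_US = 0.299792458  # propagation speed, km per microsecond (free space)

# Constructed chain: master at index 0, two secondaries, flat-plane km coordinates.
STATIONS = [(0.0, 0.0), (300.0, 0.0), (0.0, 300.0)]


def distance(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def time_differences(receiver, stations=STATIONS, c=C_KM_PER_US):
    """What the receiver measures: each secondary's arrival time minus the master's."""
    d0 = distance(receiver, stations[0])
    return [(distance(receiver, s) - d0) / c for s in stations[1:]]


def hyperbolic_fix(tdoas, stations=STATIONS, c=C_KM_PER_US,
                   guess=(100.0, 100.0), iters=50):
    """Gauss-Newton solution of the TDOA equations for a 2-D position.

    Each measured time difference constrains the receiver to one hyperbola;
    the fix is where the hyperbolas intersect. The initial guess selects the
    intersection nearest to it (hyperbolic fixes can be ambiguous).
    """
    x, y = guess
    mx, my = stations[0]
    for _ in range(iters):
        d0 = distance((x, y), (mx, my))
        residuals, jac = [], []
        for (sx, sy), t in zip(stations[1:], tdoas):
            di = distance((x, y), (sx, sy))
            residuals.append((di - d0) / c - t)
            # Partial derivatives of (di - d0)/c with respect to x and y.
            jac.append((((x - sx) / di - (x - mx) / d0) / c,
                        ((y - sy) / di - (y - my) / d0) / c))
        # Normal equations (J^T J) step = -J^T r, a 2x2 system solved directly.
        a = sum(jx * jx for jx, _ in jac)
        b = sum(jx * jy for jx, jy in jac)
        d = sum(jy * jy for _, jy in jac)
        g0 = -sum(jx * r for (jx, _), r in zip(jac, residuals))
        g1 = -sum(jy * r for (_, jy), r in zip(jac, residuals))
        det = a * d - b * b
        if abs(det) < 1e-18:
            break
        step_x = (d * g0 - b * g1) / det
        step_y = (a * g1 - b * g0) / det
        x += step_x
        y += step_y
        if math.hypot(step_x, step_y) < 1e-9:
            break
    return x, y


def fix_error_km(tdoas, truth):
    """Distance between the computed fix and the true position."""
    return distance(hyperbolic_fix(tdoas), truth)


if __name__ == "__main__":
    truth = (120.0, 80.0)                      # constructed receiver position
    tdoas = time_differences(truth)
    print("measured TDOAs (us):", [round(t, 3) for t in tdoas])
    print("fix:", [round(v, 4) for v in hyperbolic_fix(tdoas)])
    # A 1 us timing fault on both differences: this is what an integrity
    # monitor at a reference station exists to catch.
    faulty = [t + 1.0 for t in tdoas]
    print("fix error with 1 us fault (km):", round(fix_error_km(faulty, truth), 3))
```

Two time differences determine two unknowns, so the solver here is exactly determined; a third secondary would make it an over-determined least-squares problem and give the receiver a way to notice that one signal disagrees with the others, which is the receiver-side counterpart of the chain’s integrity monitors.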

When You Say “Google,” You Mean #GCensor

August 8th, 2017

Google Blocking Key Search Terms For Left Websites by Andre Damon.

From the post:

Note: In a previous article we reported that Popular Resistance had also seen more than a 60% drop in visits to our website since April when Google changed its search functions. This report goes further into how Google is blocking key search terms. See Google’s New Search Protocol Restricting Access To Leading Leftist Web Sites. KZ

Google blocked every one of the WSWS’s 45 top search terms

An intensive review of Internet data has established that Google has severed links between the World Socialist Web Site and the 45 most popular search terms that previously directed readers to the WSWS. The physical censorship implemented by Google is so extensive that of the top 150 search terms that, as late as April 2017, connected the WSWS with readers, 145 no longer do so.

These findings make clear that the decline in Google search traffic to the WSWS is not the result of some technical issue, but a deliberate policy of censorship. The fall took place in the three months since Google announced on April 25 plans to promote “authoritative web sites” above those containing “offensive” content and “conspiracy theories.”

Because of these measures, the WSWS’s search traffic from Google has fallen by two-thirds since April.

The WSWS has analyzed tens of thousands of search terms, and identified those key phrases and words that had been most likely to place the WSWS on the first or second page of search results. The top 45 search terms previously included “socialism,” “Russian revolution,” “Flint Michigan,” “proletariat,” and “UAW [United Auto Workers].” The top 150 results included the terms “UAW contract,” “rendition” and “Bolshevik revolution.” All of these terms are now blocked.
… (emphasis in original)

In addition to censoring “hate speech” and efforts such as Google Says It Will Do More to Suppress Terrorist Propaganda, there is now evidence that Google is tampering with search results for websites simply for being left-wing.

Promote awareness of censorship by Google, Facebook and Twitter by using #GCensor, #FCensor, and #TCensor, respectively.

I don’t expect to change the censorship behavior of #GCensor, #FCensor, and #TCensor. The remedy is non-censored alternatives.

All three have proven themselves untrustworthy guardians of free speech.

BuzzFeed News Searches For Hidden Spy Planes

August 7th, 2017

BuzzFeed News Trained A Computer To Search For Hidden Spy Planes. This Is What We Found.

From the post:

Data and R code for the analysis supporting this August 7, 2017 BuzzFeed News post on identifying potential surveillance aircraft. Supporting files are in this GitHub repository.

Awesome! This is what data journalism is about!

While Musk and others are wringing their hands over AI, BuzzFeed uses machine learning to out government spy planes. How cool is that?

So, what are some of the headlines from The New York Times today?

  1. Scientists Fear Trump Will Dismiss Climate Change Report
  2. What Music Do Americans Love the Most? 50 Detailed Fan Maps
  3. Partisan C.I.A. Chief Heartens Trump and Worries the Agency
  4. North Korea Warns U.S. of Retaliation Over Sanctions
  5. Industries Are Left in the Lurch by Trump’s Stalled Trade Plans
  6. White House Won’t Say Who Is on Its Deregulation Teams
  7. Wells Fargo Faces New Inquiry Over Insurance Refunds
  8. Take the Generic, Patients Are Told. Until They Are Not.
  9. $78,000 of Debt for a Harvard Theater Degree
  10. Investigators in Israel Turn Up the Heat on Netanyahu

Four out of ten stories are about our accidental president (1, 3, 5, 6). The other six (2, 4, 7, 8, 9, 10) offer no actionable information.

Not a word about government spy planes.

Why isn’t The New York Times pressing the government hard?

Or perhaps the easier question: Why are you still reading The New York Times?

Applications of Topic Models [Monograph, Free Until 12 August 2017]

August 7th, 2017

Applications of Topic Models by Jordan Boyd-Graber, Yuening Hu, David Mimno. (Jordan Boyd-Graber, Yuening Hu and David Mimno (2017), “Applications of Topic Models”, Foundations and Trends® in Information Retrieval: Vol. 11: No. 2-3, pp 143-296. http://dx.doi.org/10.1561/1500000030)

Abstract:

How can a single person understand what’s going on in a collection of millions of documents? This is an increasingly common problem: sifting through an organization’s e-mails, understanding a decade worth of newspapers, or characterizing a scientific field’s research. Topic models are a statistical framework that help users understand large document collections: not just to find individual documents but to understand the general themes present in the collection.

This survey describes the recent academic and industrial applications of topic models with the goal of launching a young researcher capable of building their own applications of topic models. In addition to topic models’ effective application to traditional problems like information retrieval, visualization, statistical inference, multilingual modeling, and linguistic understanding, this survey also reviews topic models’ ability to unlock large text collections for qualitative analysis. We review their successful use by researchers to help understand fiction, non-fiction, scientific publications, and political texts.

The authors discuss the use of topic models in chapters 4 (Historical Documents), 5 (Understanding Scientific Publications), 6 (Fiction and Literature), 7 (Computational Social Science) and 8 (Multilingual Data and Machine Translation), and provide further guidance in chapter 9 (Building a Topic Model).

If you have haystacks of documents to mine, Applications of Topic Models is a must have on your short reading list.

New spearphishing technique – Phishing for Leaks

August 6th, 2017

Timo Steffens tweeted:

New spearphishing technique: Targeted mail contains no links or exploits, but mentions report title. Googling title leads to exploit site.

Good news for wannabe government/industry leakers.

This spearphishing technique avoids questions about your cybersecurity competence in evaluating links in a phishing email.

You did a search relevant to your position/task and Google delivered an exploit site.

Hard to fault you for that!

The success of phishing for leaks depends on non-leak/spoon-fed journalists.

Overlap – Attacks on Machine Learning Models

August 5th, 2017

Robust Physical-World Attacks on Machine Learning Models by Ivan Evtimov, et al.

Abstract:

Deep neural network-based classifiers are known to be vulnerable to adversarial examples that can fool them into misclassifying their input through the addition of small-magnitude perturbations. However, recent studies have demonstrated that such adversarial examples are not very effective in the physical world–they either completely fail to cause misclassification or only work in restricted cases where a relatively complex image is perturbed and printed on paper. In this paper we propose a new attack algorithm–Robust Physical Perturbations (RP2)– that generates perturbations by taking images under different conditions into account. Our algorithm can create spatially-constrained perturbations that mimic vandalism or art to reduce the likelihood of detection by a casual observer. We show that adversarial examples generated by RP2 achieve high success rates under various conditions for real road sign recognition by using an evaluation methodology that captures physical world conditions. We physically realized and evaluated two attacks, one that causes a Stop sign to be misclassified as a Speed Limit sign in 100% of the testing conditions, and one that causes a Right Turn sign to be misclassified as either a Stop or Added Lane sign in 100% of the testing conditions.

I was struck by the image used for this paper in a tweet:

I recognized this as an “overlapping” markup problem before discovering the authors were attacking machine learning models. On overlapping markup, see: Towards the unification of formats for overlapping markup by Paolo Marinelli, Fabio Vitali, Stefano Zacchiroli, or more recently, It’s more than just overlap: Text As Graph – Refining our notion of what text really is—this time for sure! by Ronald Haentjens Dekker and David J. Birnbaum.

From the conclusion:

In this paper, we introduced Robust Physical Perturbations (RP2), an algorithm that generates robust, physically realizable adversarial perturbations. Previous algorithms assume that the inputs of DNNs can be modified digitally to achieve misclassification, but such an assumption is infeasible, as an attacker with control over DNN inputs can simply replace it with an input of his choice. Therefore, adversarial attack algorithms must apply perturbations physically, and in doing so, need to account for new challenges such as a changing viewpoint due to distances, camera angles, different lighting conditions, and occlusion of the sign. Furthermore, fabrication of a perturbation introduces a new source of error due to a limited color gamut in printers.

We use RP2 to create two types of perturbations: subtle perturbations, which are small, undetectable changes to the entire sign, and camouflage perturbations, which are visible perturbations in the shape of graffiti or art. When the Stop sign was overlayed with a print out, subtle perturbations fooled the classifier 100% of the time under different physical conditions. When only the perturbations were added to the sign, the classifier was fooled by camouflage graffiti and art perturbations 66.7% and 100% of the time respectively under different physical conditions. Finally, when an untargeted poster-printed camouflage perturbation was overlayed on a Right Turn sign, the classifier was fooled 100% of the time. In future work, we plan to test our algorithm further by varying some of the other conditions we did not consider in this paper, such as sign occlusion.

Excellent work, but my question: Is the inability of the classifier to recognize overlapping images similar to the issues encountered with overlapping markup?

To be sure, overlapping markup is in part an artifice of unimaginative XML rules, since overlapping texts are far more common than non-overlapping texts, especially when talking about critical editions or even differing analyses of the same text.

But beyond syntax, there is the subtlety of treating separate “layers” or stacks of a text as separate and yet tracking the relationship between two or more such stacks, when arbitrary additions or deletions can occur in any of them. Additions and deletions that must be accounted for across all layers/stacks.

I don’t have a solution to offer but pose the question of layers of recognition in hopes that machine learning models can capitalize on the lessons learned about a very similar problem with overlapping markup.

Neuroscience-Inspired Artificial Intelligence

August 5th, 2017

Neuroscience-Inspired Artificial Intelligence by Demis Hassabis, Dharshan Kumaran, Christopher Summerfield, and Matthew Botvinick.

Abstract:

The fields of neuroscience and artificial intelligence (AI) have a long and intertwined history. In more recent times, however, communication and collaboration between the two fields has become less commonplace. In this article, we argue that better understanding biological brains could play a vital role in building intelligent machines. We survey historical interactions between the AI and neuroscience fields and emphasize current advances in AI that have been inspired by the study of neural computation in humans and other animals. We conclude by highlighting shared themes that may be key for advancing future research in both fields.

Extremely rich article with nearly four (4) pages of citations.

Reading this paper closely and chasing the citations is a non-trivial task, but you will be prepared to understand and/or participate in the next big neuroscience/AI breakthrough.

Enjoy!

No Fault Leaking (Public Wi-Fi, File Sharing)

August 5th, 2017

Attorney General Sessions and his League of Small Minds (LSM) seek to intimidate potential leakers into silence, the very people responsible for what transparency exists for unfavorable information about current government policies and actions.

FOIA requests can and do uncover unfavorable information about government policies and actions, but far too often after the principals have sought the safety of the grave.

It’s far better to expose and stop ill-considered, even criminal activities in real time, before government adds more blighted lives and deaths to its record.

Traditional leaking involves a leaker, perhaps you, delivering physical or digital copies of data/documents to a reporter. That is, it requires some act on your part (copying, email, snail mail, etc.), which offers the potential to trace the leak back to you.

Have you considered No Fault Leaking? (NFL)

No Fault Leaking requires only a public Wi-Fi and appropriate file sharing permissions on your phone, laptop, tablet.

Public Wi-Fi: Potential Washington, DC based leakers can consult Free Wi-Fi Hotspot Locations in Washington, DC by Rachel Cooper, updated 7/28/2017. Similar listings exist for other locations.

File Sharing Permissions: Even non-techies should be able to follow the screen shots in One mistake people make using public Wi-Fi that lets everyone see their files by Francis Navarro. (Pro tip: Don’t view this article on your device or save a copy there. Memorize the process of turning file sharing on and off.)

After arriving at a Public Wi-Fi location, turn file sharing on. It’s as simple as that. You don’t know who, if anyone, has copied any files. Before you leave the location, turn file sharing off. (This works best if you have legitimate reasons to have the files in question on your laptop, etc.)

No Fault Leaking changes the role of the media from spoon-fed recipients of data/documents into more active participants in the leaking process.

To that end, ask yourself: Am I a fair weather (no risk) advocate of press freedom or something more?

“This culture of leaking must stop.” Taking up Sessions’ Gage

August 4th, 2017

Jeff Sessions, the current (4 August 2017) Attorney General of the United States, wants to improve on Barack Obama‘s legacy as the most secretive presidency of the modern era.

Sessions has announced a tripling of Justice Department probes into leaks and a review of guidelines for subpoenas for members of the news media. Attorney General says Justice Dept. has tripled the number of leak probes. (Media subpoenas are an effort to discover media sources and hence to plug the “leaks.”)

Sessions has thrown down his gage, declaring war on occasional transparency from government leakers. Indirectly, that war will include members of the media as casualties.

Shakespeare penned the best response for taking up Sessions’ gage:

Cry ‘Havoc,’ and let slip the dogs of war;

In case you don’t know the original sense of “Havoc:”

The military order Havoc! was a signal given to the English military forces in the Middle Ages to direct the soldiery (in Shakespeare’s parlance ‘the dogs of war’) to pillage and chaos. Cry havoc and let slip the dogs of war

It’s on all of us to create enough chaos to protect leakers and members of the media who publish their leaks.

Observations – Not Instructions

Data access: Phishing emails succeed 33% of the time. Do they punish would-be leakers who fall for phishing emails?

Exfiltration: Tracing select documents to a leaker is commonplace. How do you trace an entire server disk? The larger and more systematic the data haul, the greater the difficulty in pinning the leak on particular documents. (Back to school specials often include multi-terabyte drives.)

Protect the Media: Full drive leaks posted to a Torrent or Dark Web server mean media can answer subpoenas with: go to https://some-location. 😉

BTW, full drive leaks provide transparency for the relationship between the leaked data and media reports. Accountability is as important for the media as the government.

One or more of my observations may constitute crimes depending upon your jurisdiction.

Which I guess is why Nathan Hale is recorded as saying:

Gee, that sounds like a crime. You know, I could get arrested, even executed. None for me please!

Not!

Nathan Hale volunteered to be a spy, was caught and executed, having said:

I only regret, that I have but one life to lose for my country.

Question for you:

Are you a ‘dog of war’ making the government bleed data?

PS: As a security measure, don’t write that answer down or tell anyone. When you read about leaks, you can inwardly smile and know you played your part.

DMCA Complaint As Finding Aid

August 3rd, 2017

Credit where credit is due, I saw this idea in How to Get Past DMCA Take-Downs in Google Search and report it here, sans the video.

The gist of the idea is that DMCA complaints, found at: Lumen, specify in the case of search engines, links that should not be displayed to users.

In a Google search result, content subject to a DMCA complaint will appear as:

In response to multiple complaints we received under the US Digital Millennium Copyright Act, we have removed 2 results from this page. If you wish, you may read the DMCA complaints that caused the removals at LumenDatabase.org: Complaint, Complaint.

If you follow the complaint links, knowing Google is tracking your following of those links, the complaints list the URLs to be removed from search results.

You can use the listed URLs to verify the presence of illegal content, compile lists of sites with such content, etc.

Enjoy!

PS: I’m adding their RSS feed of new notices. You should too.

Sophisticated, Chilling, Alarming, Nefarious, Vicious … HBO Hack 2017

August 3rd, 2017

Sophisticated, chilling, alarming, nefarious, vicious, are all terms used to describe the recent HBO hack.

For your reading pleasure, try HBO Hack: Insiders Fear Leaked Emails as FBI Joins Investigation by Tatiana Siegel, or HBO Security Contractor: Hackers Stole ‘Thousands of Internal Documents’ (EXCLUSIVE) by Janko Roettgers.

There’s a shortage of facts available concerning this hack of HBO (Home Box Office) but 1.5 terabytes is being thrown around as a scary number for the data loss.

While everyone else oohs and aahs over 1.5 terabytes of data, you can smile knowing that a new Dell XPS 27 sells pre-configured with a 2 terabyte drive for $1899.99, shipping, taxes, blah, blah extra. That’s a mid to low range desktop.

Hackers may have gotten 1.5 terabytes of data but that’s no indication of its worth. How do you count emails with dozens of people on the cc: line? Or multiple versions of the same video?

I don’t have time to watch the majority of HBO content on my legitimate subscription so I’m not interested in the stolen content, assuming it includes anything worth watching.

Of greater interest is forensic analysis of how the hack was performed, because post-Sony, one expects HBO avoided the obvious faults that led to the Sony hack. If they did, perhaps there is something to be learned here.

Unlike the Podesta “hack,” which consisted of losing his email password in a phishing attack. That’s not really a hack, that’s just dumb.

Watch your favorite sites for alleged HBO content.

Alleged HBO content with viruses, malware and ransomware! Oh, my!

Foreign Intelligence Gathering Laws (and ethics)

August 3rd, 2017

Foreign Intelligence Gathering Laws from the Law Library of the Library of Congress.

From the webpage:

This report offers a review of laws regulating the collection of intelligence in the European Union (EU) and Belgium, France, Germany, Netherlands, Portugal, Romania, Sweden, and the United Kingdom. This report updates a report on the same topic issued from 2014. Because issues of national security are under the jurisdiction of individual EU Member States and are regulated by domestic legislation, individual country surveys provide examples of how the European nations control activities of their intelligence agencies and what restrictions are imposed on information collection. All EU Member States follow EU legislation on personal data protection, which is a part of the common European Union responsibility.

If you are investigating or reporting on breaches of intelligence gathering laws in “the European Union (EU) and Belgium, France, Germany, Netherlands, Portugal, Romania, Sweden, and the United Kingdom,” this will be useful. Otherwise, for the other one hundred and eighty-eight (188), you are SOL.

Other than as a basis for outrage, it’s not clear how useful intelligence gathering laws are in fact. The secrecy of intelligence operations makes practical oversight impossible and if leaks are to be credited, no known intelligence agency obeys such laws other than accidentally.

Moreover, as the U.S. Senate report on torture demonstrates, even war criminals are protected from prosecution in the name of intelligence gathering.

I take my cue from the CIA‘s position, as captured by Bob Dylan in Tweeter and the Monkey Man:

“It was you to me who taught
In Jersey anything’s legal as long as you don’t get caught.”

Disarming yourself with law or ethics in any encounter with an intelligence agency, which honors neither, means you will lose.

Choose your strategies accordingly.

Security Leadership by the Uninformed

August 2nd, 2017

The first two paragraphs of Senators Want A Hack-Proof Internet Of Government Things are sufficient to establish the authors of the Internet of Things Cybersecurity Improvements Act as deeply uninformed:

Internet-connected smart devices purchased by the federal government would have to meet strict security standards under bipartisan legislation introduced Tuesday.

Those devices would have to accept software patches to remove vulnerabilities and allow users to change default passwords, according to the Internet of Things Cybersecurity Improvements Act.

Sigh, “…allow users to change default passwords….”

That’s section 3, (a)(1)(A)(i)(IV):

…does not include any fixed or hard-coded credentials used for remote administration, the delivery of updates, or communication.

Yeah! Getting users to change default passwords is a step towards …. 91% insecurity.

If you have the top 1,000 passwords by popularity, you are close to 91% of the “changed” passwords you will encounter. (That link leads to the top 10,000 passwords if you are looking for completeness.)

You could argue that improving the security of the Internet of Things by 9 percentage points (maybe) isn’t nothing.

True but it is so nearly nothing as to not be worth the effort.
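If “change the default password” is to mean anything, the device’s own password check has to refuse the top-N favorites the post links to, not just the vendor default. Here is an added example (my code, not from the post or the bill) with a constructed ten-entry stand-in for the top-N list and a constructed set of vendor defaults; the names TOP_PASSWORDS and DEFAULT_CREDENTIALS are hypothetical:

```python
"""Added example, not from the post or the bill: a denylist check for the
"change the default password" step on a device, so that a "changed" password
that is itself a top-N favourite is rejected.

Assumptions (all constructed, names hypothetical): TOP_PASSWORDS stands in
for the ranked list the post links to; DEFAULT_CREDENTIALS is a sample of
vendor defaults."""
import re
from typing import List

# Constructed stand-in for the popularity-ranked list the post cites.
TOP_PASSWORDS = ["123456", "password", "12345678", "qwerty", "abc123",
                 "111111", "letmein", "admin", "welcome", "iloveyou"]
# Constructed sample of (username, password) vendor defaults.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

# Undo the usual leet substitutions so P@ssw0rd compares as "password".
LEET = str.maketrans("@$013!", "asolei")


def normalize(pw: str) -> str:
    """Case-fold, drop a trailing run of digits/punctuation (Password2017!,
    Welcome1) and undo leet substitutions, so variants hit the denylist."""
    folded = pw.lower()
    stripped = re.sub(r"[\d\W_]+$", "", folded)
    if not stripped:            # all-digit or all-punctuation: compare literally
        return folded
    return stripped.translate(LEET)


DENYLIST = {normalize(p) for p in TOP_PASSWORDS}


def check_password(username: str, new_pw: str, min_len: int = 12) -> List[str]:
    """Return the reasons the new password is rejected; empty list == accepted."""
    reasons = []
    if (username.lower(), new_pw) in DEFAULT_CREDENTIALS:
        reasons.append("still a vendor default credential")
    if len(new_pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if normalize(new_pw) in DENYLIST:
        reasons.append("variant of a top-N common password")
    if username and username.lower() in new_pw.lower():
        reasons.append("contains the username")
    return reasons


if __name__ == "__main__":
    for user, pw in [("admin", "admin"), ("admin", "P@ssw0rd2017"),
                     ("admin", "Tr0ub4dor&3"), ("admin", "correct horse battery staple")]:
        print(f"{pw!r}: {check_password(user, pw) or 'accepted'}")
```

With the real top-10,000 list dropped into TOP_PASSWORDS, the same normalize() step is what keeps “Password2017!” from counting as a changed password.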

PS: There are solutions to the IoT password issue but someone needs to pay money to spark that discussion.

Potential NSA Leak Stream

August 2nd, 2017

The Government Accounting Office (GAO) has publicly identified a potential source of NSA technology leaks. The cumbersome title: DOD’s Monitoring of Progress in Implementing Cyber Strategies Can Be Strengthened (GAO-17-512) begins with this summary:

Officials from Department of Defense (DOD) components identified advantages and disadvantages of the “dual-hat” leadership of the National Security Agency (NSA)/Central Security Service (CSS) and Cyber Command (CYBERCOM) (see table). Also, DOD and congressional committees have identified actions that could mitigate risks associated with ending the dual-hat leadership arrangement, such as formalizing agreements between NSA/CSS and CYBERCOM to ensure continued collaboration, and developing a persistent cyber training environment to provide a realistic, on-demand training capability. As of April 2017, DOD had not determined whether it would end the dual-hat leadership arrangement.

At first I thought it said “ass-hat” leadership and went back to check. 😉

You can read the recommendations if you are in charge of improving that situation (an unlikely outcome) or take the GAO at its word as a place to mine for leaks.

Are dual-hat arrangements “leak patterns” much like “design patterns” in programming languages?

I ask because identifying “leak patterns,” whether in software (buffer overflows) or recurrent organizational security failures, could be a real boon to hounds and hares alike.

Continue Flash? As what? Example of insecure coding?

August 2nd, 2017

Some People Want Adobe Flash to Continue as an Open Source Project by Derick Sullivan M. Lobga.

From the post:

Last week we heard the good news that Adobe is officially killing Flash in 2020.

This news was well received by developers and end users alike. Well, at least most people liked the demise of Adobe Flash. But it seems that Adobe Flash has still some fans left.

A group of developers at GitHub have come up with a petition to “save Adobe Flash”. Just a few days after the announcement by Adobe, Juha Linstedt, a web developer with username “Pakastin” on GitHub started a petition calling on Adobe to allow for open source Flash, which he thinks is part of Internet history.

Losing Flash altogether will impair access to resources developed using Flash, but even as open source, preserving Flash strikes me as the equivalent of preserving smallpox for later study.

If Adobe does open source the necessary components, it could have value as examples of how not to code an application. Or for testing of code auditing tools.

It’s more than just overlap: Text As Graph

August 2nd, 2017

It’s more than just overlap: Text As Graph – Refining our notion of what text really is—this time for sure! by Ronald Haentjens Dekker and David J. Birnbaum.

Abstract:

The XML tree paradigm has several well-known limitations for document modeling and processing. Some of these have received a lot of attention (especially overlap), and some have received less (e.g., discontinuity, simultaneity, transposition, white space as crypto-overlap). Many of these have work-arounds, also well known, but—as is implicit in the term “work-around”—these work-arounds have disadvantages. Because they get the job done, however, and because XML has a large user community with diverse levels of technological expertise, it is difficult to overcome inertia and move to a technology that might offer a more comprehensive fit with the full range of document structures with which researchers need to interact both intellectually and programmatically. A high-level analysis of why XML has the limitations it has can enable us to explore how an alternative model of Text as Graph (TAG) might address these types of structures and tasks in a more natural and idiomatic way than is available within an XML paradigm.

Hyperedges, texts and XML, what more could you need? 😉

This paper merits a deep read and testing by everyone interested in serious text modeling.
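To make the abstract’s overlap, discontinuity and simultaneity cases concrete (and the “layers” question from the earlier post above), here is a minimal Text-as-Graph style model. It is my added illustration, not code from the paper, and the two-line snippet with its markup is constructed:

```python
"""Added illustration, not code from the paper: a minimal Text-as-Graph style
model in which markup is a hyperedge over a *set* of token nodes, so overlap,
discontinuity and simultaneity are ordinary data rather than tree violations.

The two-line snippet and its markup are constructed for this example; the
idea is the paper's, the code is not."""
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, List, Tuple

# Constructed text: token nodes in document order (0..10).
TOKENS = ["Mind", "the", "gap,", "she", "said,", "and",
          "stepped", "back.", "The", "doors", "closed."]


@dataclass(frozen=True)
class Hyperedge:
    """One markup element: a label attached to any set of token nodes."""
    ident: str
    label: str
    nodes: FrozenSet[int]

    def text(self) -> str:
        return " ".join(TOKENS[i] for i in sorted(self.nodes))


def span(ident: str, label: str, start: int, end: int) -> Hyperedge:
    """Contiguous element over tokens start..end inclusive (the XML-like case)."""
    return Hyperedge(ident, label, frozenset(range(start, end + 1)))


EDGES = [
    span("line1", "line", 0, 5),          # Mind the gap, she said, and
    span("line2", "line", 6, 10),         # stepped back. The doors closed.
    span("sent1", "sentence", 0, 7),      # ends mid-line2: overlaps line2
    span("sent2", "sentence", 8, 10),
    # Quotation interrupted by "she said,": a discontinuous element.
    Hyperedge("quote1", "quote", frozenset({0, 1, 2, 5, 6, 7})),
]


def relation(a: Hyperedge, b: Hyperedge) -> str:
    """'disjoint', 'nested' (one inside the other) or 'overlap', the case
    that a single XML tree cannot represent without a work-around."""
    if not (a.nodes & b.nodes):
        return "disjoint"
    if a.nodes <= b.nodes or b.nodes <= a.nodes:
        return "nested"
    return "overlap"


def overlapping_pairs(edges: List[Hyperedge]) -> List[Tuple[str, str]]:
    return [(a.ident, b.ident) for a, b in combinations(edges, 2)
            if relation(a, b) == "overlap"]


def discontinuous(edges: List[Hyperedge]) -> List[str]:
    """Elements whose node set has gaps (the paper's 'discontinuity')."""
    return [e.ident for e in edges
            if max(e.nodes) - min(e.nodes) + 1 != len(e.nodes)]


def annotations_at(edges: List[Hyperedge], token: int) -> List[str]:
    """Every element that applies to one token: simultaneity, or in the
    earlier post's terms the 'layers' stacked on the same text."""
    return sorted(e.ident for e in edges if token in e.nodes)


def single_hierarchy(edges: List[Hyperedge]) -> bool:
    """True iff this subset could be serialized as one XML tree as-is."""
    return not overlapping_pairs(edges) and not discontinuous(edges)
```

The two “line” edges alone form a hierarchy; add the first sentence or the quotation and single_hierarchy() fails, which is exactly the work-around territory the abstract describes.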

You can’t read the text but here is a hypergraph visualization of an excerpt from Lewis Carroll’s “The hunting of the Snark:”

The New Testament, the Hebrew Bible, to say nothing of the Rabbinic commentaries on the Hebrew Bible and centuries of commentary on other texts could profit from this approach.

Put your text to the test and share how to advance this technique!

“But it feels better when I sneak”

August 2nd, 2017

Email prankster tricks White House officials by Graham Cluley is ample evidence for why you should abandon FOIA requests in favor of phishing/hacking during the reign of Donald Trump.

People can and do obtain mountains of information using FOIA requests, but in the words of Parker Ray, “The Other Woman,”:

“Now I hate to have to cheat
But it feels better when I sneak”

In addition to feeling better, not using FOIA requests during the Trump regime results in:

  1. Access to competitor’s data deposited with the government
  2. Avoids the paperwork and delay of the FOIA process
  3. Bidding and contract data
  4. Develop long-term stealth access that spans presidencies
  5. Incompetence of staff gives broad and deep access across agencies
  6. Mine papers of extremely secretive prior presidents, like Obama
  7. Transparency when least expected and most inconvenient

If that sounds wishful, remember Cluley reports the “technique” used by the prankster was: 1) create an email account in the name of a White House staffer, 2) send an email from that account. This has to be a new low bar for “fake” emails.
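The other side of that low bar is how cheaply a mailbox can flag it: a known staff name on an outside address, or an internal From with replies routed elsewhere. An added example (my code, not from Cluley’s article or this post); the directory, domains and message headers are constructed, not the real prank emails:

```python
"""Added example, not from Cluley's article or this post: a mailbox-side check
for the prankster's technique, an outside account carrying a staffer's name.

Assumptions (constructed, names hypothetical): STAFF_DIRECTORY and
INTERNAL_DOMAINS are samples; SAMPLE_MESSAGES are made-up headers, not the
real prank emails."""
import re
from email.utils import parseaddr
from typing import Dict, List, Tuple

INTERNAL_DOMAINS = {"example.gov"}                 # constructed
STAFF_DIRECTORY = {                                # constructed: display name -> mailbox
    "Jane Staffer": "jane.staffer@example.gov",
    "John Official": "john.official@example.gov",
}


def _name_key(name: str) -> str:
    """Normalize a display name: 'Staffer, Jane' -> 'jane staffer', drop punctuation."""
    name = name.strip().strip('"')
    if "," in name:
        last, first = (p.strip() for p in name.split(",", 1))
        name = f"{first} {last}"
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


DIRECTORY = {_name_key(n): addr for n, addr in STAFF_DIRECTORY.items()}


def _domain(header: str) -> str:
    _, addr = parseaddr(header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(from_header: str, reply_to: str = "") -> str:
    """'display-name-impersonation': a known staff name on a non-internal address.
    'reply-to-mismatch': internal From but replies routed to an outside address.
    'ok' otherwise."""
    name, _ = parseaddr(from_header)
    from_domain = _domain(from_header)
    if _name_key(name) in DIRECTORY and from_domain not in INTERNAL_DOMAINS:
        return "display-name-impersonation"
    if reply_to and from_domain in INTERNAL_DOMAINS \
            and _domain(reply_to) not in INTERNAL_DOMAINS:
        return "reply-to-mismatch"
    return "ok"


SAMPLE_MESSAGES: List[Dict[str, str]] = [          # constructed
    {"subject": "Schedule", "from": '"Jane Staffer" <jane.staffer@example.gov>'},
    {"subject": "Quick question", "from": "Jane Staffer <jstaffer.wh@freemail.example>"},
    {"subject": "Re: Quick question", "from": '"Staffer, Jane" <jane1@freemail.example>'},
    {"subject": "Budget", "from": '"John Official" <john.official@example.gov>',
     "reply_to": "John Official <john.official@freemail.example>"},
    {"subject": "Newsletter", "from": "Random Person <rp@freemail.example>"},
]


def triage(messages: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run the check over a batch; returns (subject, verdict) pairs."""
    return [(m["subject"], classify_sender(m["from"], m.get("reply_to", "")))
            for m in messages]
```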

Can you afford to be a goody two shoes?

Why Learn OpenAI? In a word, Malware!

August 1st, 2017

OpenAI framework used to create undetectable malware by Anthony Spadafora.

Spadafora reports on Endgame‘s malware generating software, Malware Env for OpenAI Gym.

From the Github page:

This is a malware manipulation environment for OpenAI’s gym. OpenAI Gym is a toolkit for developing and comparing reinforcement learning algorithms. This makes it possible to write agents that learn to manipulate PE files (e.g., malware) to achieve some objective (e.g., bypass AV) based on a reward provided by taking specific manipulation actions.
… (highlight in original)

Introducing OpenAI is a good starting place to learn more about OpenAI.

The value of the OpenAI philosophy:

We believe AI should be an extension of individual human wills and, in the spirit of liberty, as broadly and evenly distributed as possible. The outcome of this venture is uncertain and the work is difficult, but we believe the goal and the structure are right. We hope this is what matters most to the best in the field.

will vary depending upon your objectives.

From my perspective, it’s better for my AI to decide to reach out or stay its hand, as opposed to relying upon ethical behavior of another AI.

You?

Decentralization and Linked Data: Open Review for DeSemWeb2017 at ISWC2017

August 1st, 2017

A recent email from the organizers of DeSemWeb2017 reads:

Below are 14 contributions on the topic of decentralization and Linked Data. These were shared in reply to the call for contributions of DeSemWeb2017, an ISWC2017 workshop on Decentralizing the Semantic Web.

We invite everyone to add open reviews to any of these contributions. This ensures fair feedback and transparency of the process.

Semantic Web in the Fog of Browsers by Pascal Molli, Hala Skaf-Molli https://openreview.net/forum?id=ByFHXFy8W&noteId=ByFHXFy8W

Decentralizing the Semantic Web: Who will pay to realize it? by Tobias Grubenmann, Daniele Dell’Aglio, Abraham Bernstein, Dmitry Moor, Sven Seuken https://openreview.net/forum?id=ryrkDpyIW&noteId=ryrkDpyIW

On a Web of Data Streams by Daniele Dell’Aglio, Danh Le Phuoc, Anh Le-Tuan, Muhammad Intizar Ali, Jean-Paul Calbimonte https://openreview.net/forum?id=HyU_JWLU-&noteId=HyU_JWLU-

Towards VoIS: a Vocabulary of Interlinked Streams by Yehia Abo Sedira, Riccardo Tommasini, Emanuele Della Valle https://openreview.net/forum?id=H1ODzYPLZ&noteId=H1ODzYPLZ

Agent Server: Semantic Agent for Linked Data by Teofilo Chambilla, Claudio Gutierrez https://openreview.net/forum?id=H1aftW_Lb&noteId=H1aftW_Lb

The tripscore Linked Data client: calculating specific summaries over large time series by David Chaves Fraga, Julian Rojas, Pieter-Jan Vandenberghe, Pieter Colpaer, Oscar Corcho https://openreview.net/forum?id=H16ZExYLb&noteId=H16ZExYLb

Agreements in a De-Centralized Linked Data Based Messaging System by Florian Kleedorfer, Heiko Friedrich, Christian Huemer https://openreview.net/forum?id=B1AK_bKL-&noteId=B1AK_bKL-

Specifying and Executing User Agent Behaviour with Condition-Action Rules by Andreas Harth, Tobias Käfer https://openreview.net/forum?id=BJ67PfFLZ&noteId=BJ67PfFLZ

VisGraph^3: a web tool for RDF visualization and creation by Dominik Tomaszuk, Przemysław Truchan https://openreview.net/forum?id=rka5DGt8Z&noteId=rka5DGt8Z

Identity and Blockchain by Joachim Lohkamp, Eugeniu Rusu, Fabian Kirstein https://openreview.net/forum?id=HJ94gXtUZ&noteId=HJ94gXtUZ

LinkChains: Exploring the space of decentralised trustworthy Linked Data by Allan Third and John Domingue https://openreview.net/forum?id=HJhwZNKIb&noteId=HJhwZNKIb

Decentralizing the Persistence and Querying of RDF Datasets Through Browser-Based Technologies by Blake Regalia https://openreview.net/forum?id=B1PRiIK8-&noteId=B1PRiIK8-

Attaching Semantic Metadata to Cryptocurrency Transactions by Luis-Daniel Ibáñez, Huw Fryer, Elena Simperl https://openreview.net/forum?id=S18mSwKUZ&noteId=S18mSwKUZ

Storage Balancing in P2P Based Distributed RDF Data Stores by Maximiliano Osorio, Carlos Buil-Aranda https://openreview.net/forum?id=rJn8cDtIb&noteId=rJn8cDtIb

Full list: https://openreview.net/group?id=swsa.semanticweb.org/ISWC/2017/DeSemWeb About the workshop: http://iswc2017.desemweb.org/

You and I know that “peer review” as practiced by pay-per-view journals is nearly useless.

Here, instead of an insider group of mutually supportive colleagues, there is the potential for non-insiders to participate.

Key word is “potential.” It won’t be more than “potential” to participate unless you step up to offer a review.

Well?

Further questions?

Microsoft Fuzzing (Linux Too)

July 28th, 2017

Microsoft Security Risk Detection

From the webpage:

What is Microsoft Security Risk Detection?

Security Risk Detection is Microsoft’s unique fuzz testing service for finding security critical bugs in software. Security Risk Detection helps customers quickly adopt practices and technology battle-tested over the last 15 years at Microsoft.

“Million dollar” bugs

Security Risk Detection uses “Whitebox Fuzzing” technology which discovered 1/3rd of the “million dollar” security bugs during Windows 7 development.

Battle tested tech

The same state-of-the-art tools and practices honed at Microsoft for the last decade and instrumental in hardening Windows and Office — with the results to prove it.

Scalable fuzz lab in the cloud

One click scalable, automated, Intelligent Security testing lab in the cloud.

Cross-platform support

Linux Fuzzing is now available. So, whether you’re building or deploying software for Windows or Linux or both, you can utilize our Service.

No bug detection and/or fuzzing technique is 100%.

Here MS says for one product its “Whitebox Fuzzing” was 33% effective against “million dollar” security bugs.

A more meaningful evaluation of “Whitebox Fuzzing” would be to say which of the 806 Windows 7 vulnerabilities listed at CVE Details were detected and which ones were not.

I don’t know your definition of a “million dollar” security bug, so statistics against known bugs would be more meaningful.

Yes?

Open Source GPS Tracking System: Traccar (Super Glue + Burner Phone)

July 28th, 2017

Open Source GPS Tracking System: Traccar

From the post:

Traccar is an open source GPS tracking system for various GPS tracking devices. This Maven Project is written in Java and works on most platforms with installed Java Runtime Environment. System supports more than 80 different communication protocols from popular vendors. It includes web interface to manage tracking devices online… Traccar is the best free and open source GPS tracking system software offers self hosting real time online vehicle fleet management and personal tracking… Traccar supports more than 80 GPS communication protocols and more than 600 models of GPS tracking devices.

(image omitted)

To start using Traccar Server follow instructions below:

  • Download and install Traccar
  • Reboot system, Traccar will start automatically
  • Open web interface (http://localhost:8082)
  • Log in as administrator (user – admin, password – admin) or register a new user
  • Add new device with unique identifier (see section below)
  • Configure your device to use appropriate address and port (see section below)

With nearly omnipresent government surveillance of citizens, citizens should return the favor by surveillance of government officers.

Super Glue plus a burner phone enables GPS tracking of government vehicles.

For those with greater physical access, introducing a GPS device into vehicle wiring is also an option.

You may want to restrict access to Traccar as public access to GPS location data will alert targets to GPS tracking of their vehicles.

It’s a judgment call when the loss of future tracking data is offset by the value of accumulated tracking data for a specific purpose.

What if you tracked all county police car locations for a year and patterns emerge from that data? What forums are best for summarized (read aggregated) presentation of the data? When/where is it best to release the detailed data? How do you sign released data to verify future analysis is using the same data?

Hard questions but better hard questions than no tracking data for government agents at all. 😉