Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

May 17, 2017

Open Source Data Jeopardizing Cleared Personnel:… (School Yearbooks?)

Filed under: Government,Intelligence,Open Source Intelligence — Patrick Durusau @ 4:38 pm

Open Source Data Jeopardizing Cleared Personnel: Intelligence Operations Outsmarted by Technology by Alexander H. Georgiades.

Abstract:

The availability and accessibility of Open Source Intelligence (OSINT) combined with the information from data breaches has affected cleared personnel in the United States Intelligence Community (IC) and Department of Defense (DoD) who conduct and support intelligence operations. This information when used in conjunction with biometric detection technology at border crossings has greatly improved the likelihood of cleared personnel from the United States Government (USG) of being identified and targeted by adversaries. The shift from traditional Tactics, Techniques, and Procedures (TTPs) used by cleared personnel (either operating in an overt or covert status) during the Cold War when biometric technology was not an obstacle, has caught the United States government intelligence services off-guard when conducting sensitive missions Outside of the Continental United States (OCONUS).

The consequences of not maintaining updated software and hardware standards have already affected U.S. intelligence operations and exposed cleared personnel. The computer breach at the Office of Personnel and Management (OPM), where millions of sensitive records from cleared personnel in the private and public sectors is the most recent example. This unprecedented loss of Personally Identifiable Information (PII) has been the unfortunate wakeup call needed for decision makers in the United States government to reevaluate how they handle, collect, store, and protect the information of cleared personnel in this digital age.

The analysis of competing hypotheses and other predictive analytical methods will be used to evaluate the data available to adversaries who target cleared personnel and the intelligence operations they support. Case studies, news articles, books, government, and industry reports will be used as supporting evidence to illustrate how the growth in biometric detection technology use in conjunction with the availability of OSINT and material from data breaches adversely affect intelligence operations.

The amount of information available to adversaries is at an unprecedented level. Open source forums provide detailed information about cleared personnel and government TTPs that can be used by adversaries to unravel intelligence operations, target cleared personnel, and jeopardize USG equities (such as sources and methods) in the field. The cleared workforce must learn from mistakes of complacency and poor tradecraft in the past to develop new methodologies to neutralize the effectiveness of adversaries who use OSINT and biometric technology to their advantage.

Social media use by cleared employees who reveal too much operational information about themselves or the projects they work on is one of the gateways that can be easily closed to adversaries. Cleared personnel must be mandated to limit the amount of information they publish online. By closing the door to social media and preventing the personal and professional lives of the cleared workforce from being used to target them, adversaries would not be as effective in jeopardizing or exposing intelligence operations overseas. Increased Operational Security (OPSEC) procedures must also be mandated to protect the programs and operations these cleared personnel work on, with an emphasis on covert officers who use false personas when operating overseas.

The information bridges that were created after September 11, 2001 to increase collaboration must be reevaluated to determine if the relaxation of classified information safeguards and storage of sensitive information is now becoming detrimental to USG intelligence operations and cleared personnel.

As you know, I have little sympathy for the Intelligence Community (IC), creators of the fishbowl in which we commonly reside. Members of the IC sharing that fate has a ring of justice to it.

This thesis offers a general overview of the problem and should be good to spark ideas of open source intelligence that can be used to corroborate or contradict other sources of intelligence.

By way of example, educational records are easy enough to edit and convincing to anyone not aware they have been edited.

On the other hand, original and digitized yearbooks or similar contemporary resources are not so easily manipulated.

As I say that, tracking every child from first grade through the end of their academic career is eminently doable, with the main obstacle being acquisition of the original yearbooks.

Cross-referencing other large collections of photos and the project starts to sound useful to any number of governments, especially those worried about operatives from Western countries.

Are you worried about Western operatives?

Memo To File (Maybe Bad OpSec)

Filed under: Government,Security — Patrick Durusau @ 3:02 pm

What an FBI memo like Comey’s on Trump looks like by Josh Gerstein.

From the post:

The existence of memos that former FBI Director James Comey reportedly prepared detailing his conversations with President Donald Trump about the bureau’s Russia investigation is far from shocking to FBI veterans, who say documenting such contacts in highly sensitive investigations is par for the course.

“A conversation with a subject of an investigation is evidentiary, no matter what is discussed,” said former FBI official Tom Fuentes, who stressed that he doesn’t know what the president’s status is with respect to the ongoing probe of Russia’s alleged meddling in the 2016 election. “Any conversation with Trump is going to be noteworthy….If you drop dead of a heart attack, your successor is going to want to know what was going on, so you would record that whether it’s to aid your future memory or for a successor two or three years down the line.”

Comey documented Trump’s request to curtail the FBI investigation into Russian meddling in the 2016 election the day after former national security adviser Michael Flynn resigned, according to a New York Times report subsequently confirmed by a source to POLITICO. The White House has denied the president made any such request.

A “memo to file” isn’t complicated and, especially when kept routinely, has high value as evidence. Gerstein includes a link to an actual “memo to file.” (see his post)

I mention this because a practice of “memo to file,” much like Nixon’s Watergate tapes, can prove to be a two-edged sword.

Like calendars, travel logs, expense records, etc., a series of “memo(s) to file” may not agree with your current memory of events. The “record” will be presumed to be more reliable than your present memory.

Just a warning to make sure the record you preserve is the one you want quoted back to yourself in the future.

Don’t Blame NSA For Ransomware Attack!

Filed under: Cybersecurity,Government,NSA,Security — Patrick Durusau @ 1:40 pm

Stop Blaming NSA For The Ransomware Attack by Patrick Tucker.

Most days I think the NSA should be blamed for everything from global warming to biscuits that fail to rise.

But for leaked cyber weapons? No blame whatsoever.

Why? The answer lies in the NSA processing of vulnerabilities.

From the post:


“You’ve heard my deputy director say that in excess of 80-something percent of the vulnerabilities are actually disclosed—responsibly disclosed —to the vendors so that they can then actually patch and remediate for that,” Curtis Dukes, NSA’s former deputy national manager for national security systems, said at an American Enterprise Institute event in October. “So I do believe it’s a thoughtful process that we have here in the U.S.”

Dukes said the impetus to conceal an exploit vanishes when it is used by a criminal gang, adversarial nation, or some other malefactor.

We may choose to restrict a vulnerability for offensive purposes, like breaking into an adversary’s network, he said. But that doesn’t mean we’re not also constantly looking for signs whether another nation-state or criminal network has actually found that same vulnerability and now are using it. As soon as we see any indications of that, then that decision immediately flips, and we move to disseminate and remediate.

You may think that is a “thoughtful process” but that’s not why I suggest the NSA should be held blameless.

Look at the numbers on vulnerabilities:

80% disclosed by the NSA for remediation.

20% concealed by the NSA.

Complete NSA disclosure means the 20% now concealed vanishes for everyone.

That damages everyone seeking government transparency.

Don’t wave your arms in the air crying “ransomware! ransomware! Help me! Help me!” or “Blame the NSA! Blame the NSA!”

Use FOIA requests, leaks and cyber vulnerabilities to peel governments of their secrecy, like lettuce, one leaf at a time.

May 13, 2017

Bigoted Use of Stingray Technology vs. Other Ills

Filed under: #BLM,Bias,Ethics,Government — Patrick Durusau @ 8:33 pm

Racial Disparities in Police ‘Stingray’ Surveillance, Mapped by George Joseph.

From the post:

Louise Goldsberry, a Florida nurse, was washing dishes when she looked outside her window and saw a man pointing a gun at her face. Goldsberry screamed, dropped to the floor, and crawled to her bedroom to get her revolver. A standoff ensued with the gunman—who turned out to be an agent with the U.S. Marshals’ fugitive division.

Goldsberry, who had no connection to a suspect that police were looking for, eventually surrendered and was later released. Police claimed that they raided her apartment because they had a “tip” about the apartment complex. But, according to Slate, the reason the “tip” was so broad was because the police had obtained only the approximate location of the suspect’s phone—using a “Stingray” phone tracker, a little-understood surveillance device that has quietly spread from the world of national security into that of domestic law enforcement.

Goldsberry’s story illustrates a potential harm of Stingrays not often considered: increased police contact for people who get caught in the wide dragnets of these interceptions. To get a sense of the scope of this surveillance, CityLab mapped police data from three major cities across the U.S., and found that this burden is not shared equally.

How not equally?

Baltimore, Maryland.

The map at Joseph’s post is interactive, along with maps for Tallahassee, Florida and Milwaukee, Wisconsin.

I oppose government surveillance overall but am curious, is Stingray usage a concern of technology/privacy advocates or is there a broader base for opposing it?

Consider the following facts gathered by Bill Quigley:

Were you shocked at the disruption in Baltimore? What is more shocking is daily life in Baltimore, a city of 622,000 which is 63 percent African American. Here are ten numbers that tell some of the story.

One. Blacks in Baltimore are more than 5.6 times more likely to be arrested for possession of marijuana than whites even though marijuana use among the races is similar. In fact, Baltimore county has the fifth highest arrest rate for marijuana possessions in the USA.

Two. Over $5.7 million has been paid out by Baltimore since 2011 in over 100 police brutality lawsuits. Victims of severe police brutality were mostly people of color and included a pregnant woman, a 65 year old church deacon, children, and an 87 year old grandmother.

Three. White babies born in Baltimore have six more years of life expectancy than African American babies in the city.

Four. African Americans in Baltimore are eight times more likely to die from complications of HIV/AIDS than whites and twice as likely to die from diabetes related causes as whites.

Five. Unemployment is 8.4 percent city wide. Most estimates place the unemployment in the African American community at double that of the white community. The national rate of unemployment for whites is 4.7 percent, for blacks it is 10.1.

Six. African American babies in Baltimore are nine times more likely to die before age one than white infants in the city.

Seven. There is a twenty year difference in life expectancy between those who live in the most affluent neighborhood in Baltimore versus those who live six miles away in the most impoverished.

Eight. 148,000 people, or 23.8 percent of the people in Baltimore, live below the official poverty level.

Nine. 56.4 percent of Baltimore students graduate from high school. The national rate is about 80 percent.

Ten. 92 percent of marijuana possession arrests in Baltimore were of African Americans, one of the highest racial disparities in the USA.

(The “Shocking” Statistics of Racial Disparity in Baltimore)

Which of those facts would you change before tackling the problem of racially motivated use of Stingray technology?

I see several that I would rate much higher than the vagaries of Stingray surveillance.

You?

Effective versus Democratic Action

Filed under: Cybersecurity,Government,Privacy,Security — Patrick Durusau @ 7:54 pm

OpenMedia is hosting an online petition: Save our Security — Strong Encryption Keeps Us Safe to:

Leaked docs reveal the UK Home Office’s secret plan to gain real-time access to our text messages and online communications AND force companies like WhatsApp to break the security on its own software. This reckless plan will make all of us more vulnerable to attacks like the recent ransomware assault against the NHS.

If enough people speak out right now and flood the consultation before May 19, then Home Secretary Amber Rudd will realise she’s gone too far.

Tell Home Secretary Amber Rudd: Encryption keeps us safe. Do not weaken everyone’s security by creating backdoors that hackers and malicious actors can exploit.
… (emphasis in original, footnotes omitted)

+1! on securing your privacy, but -1! on democratic action.

Assume the consultation is “flooded” and Home Secretary Amber Rudd says:

Hearing the outcry of our citizens, we repent of our plan for near real time monitoring of your conversations….

I’m sorry, why would you trust Home Secretary Amber Rudd or any other member of government, when they make such a statement?

They hide the plans for monitoring your communications in near real time, as OpenMedia makes abundantly clear.

What convinces you Home Secretary Rudd and her familiars won’t hide government monitoring of your communications?

A record of trustworthy behavior in the past?

You can flood the consultation if you like but effective actions include:

  • Anyone with access to government information should leak that information whenever possible.
  • Anyone employed by government should use weak passwords, follow links in suspected phishing emails and otherwise practice bad cybersecurity.
  • If you don’t work for a government or have access to government information, copy, repost, forward, and otherwise spread any leaked government information you encounter.
  • If you have technical skills, devote some portion of your work week to obtaining information a government prefers to keep secret.

The only trustworthy government is a transparent government.

May 11, 2017

Executive Order on Cybersecurity [“No Snide Remark Seems Adequate”]

Filed under: Cybersecurity,Government,Humor — Patrick Durusau @ 4:02 pm

Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

You do remember this Dilbert cartoon from May 23, 1989?

May 10, 2017

Laptops Banned To Drive Alcohol Consumption

Filed under: Government,Humor,Terrorism — Patrick Durusau @ 4:07 pm

Clive Irving writes in U.S. to Ban Laptops in All Cabins of Flights From Europe:


The Department of Homeland Security will ban laptops in the cabins of all flights from Europe to the United States, European security officials told The Daily Beast. The announcement is expected Thursday.

Irving does a good job of illustrating the increased risk from the laptop ban, but misses the real motivation behind the ban. Yes, yes, DHS says it:

…continues to evaluate the threat environment and will make changes when necessary to keep air travelers safe.

“Threat environment” my ass!

Remember the UK has been reduced to claiming people with knives are terrorists.

Armed police carrying out a counterterrorism operation Thursday swooped in on a man they said was carrying knives in a bag near Britain’s Parliament and arrested him on suspicion of planning terrorist acts.

A European security official familiar with the individual said the suspect was known to British security agencies and was thought to have been inspired by the Islamic State group.

The official, who spoke on condition of anonymity to discuss sensitive intelligence matters, said the discovery of knives suggested an attack might have been close to fruition. Authorities haven’t released the man’s name.

London’s Metropolitan Police said the 27-year-old suspect was stopped and detained “as part of an ongoing operation” by the force’s counterterrorism unit.

“…swooped in on a man they said was carrying knives in a bag…”

That sounds more like a Saturday Night Live skit than a terrorist attack or potential one.

Shake the Department of Homeland Security (DHS) tree hard enough, with leakers or FOIA requests, and I’m betting the following will fall out:

Alcoholic Drink Consumption On Europe to US Flights

  • Underage and kill-joys: 0
  • Parent with one child: 3
  • Parent with two children: 5
  • Business flyer with no laptop: 1 per hour of flight time

Once this data began to circulate among airline companies, the fate of laptops was sealed.

Increased alcohol sales are the primary goal of the laptop ban.

PS: If you think I am being cavalier about the risk from terrorism, consider that 963 people were killed by police officers in 2016, versus 54 people killed in “terrorist” attacks, all carried out by US citizens.

May 4, 2017

Congressional Fact Laundering

Filed under: Government,Marketing — Patrick Durusau @ 4:52 pm

How a Fake Cyber Statistic Raced Through Washington by Joseph Marks.

The statistic you are about to read is false:


The statistic, typically attributed to the National Cyber Security Alliance, is that 60 percent of small businesses that suffer a cyberattack will go out of business within six months.

It appears in a House bill that won unanimous support from that chamber’s Science Committee this week, cited as evidence the federal government must devote more resources to helping small businesses shore up their cybersecurity. It’s also in a companion Senate bill that sailed through the Commerce Committee in April.

Both bills require the government’s cyber standards agency, the National Institute of Standards and Technology, to devote more of its limited resources to creating cybersecurity guidance for small businesses.

Federal Trade Commissioner Maureen Ohlhausen cited the figure in testimony before the House Small Business Committee in March, as did Charles Romine, director of NIST’s Information Technology Laboratory.

Sen. Jeanne Shaheen, D-N.H., ranking member on the Senate Small Business Committee, cited the figure in a letter to Amazon asking the internet commerce giant what it was doing to improve cybersecurity for its third-party sellers.

Reminder: The 60 percent of small businesses that suffer a cyberattack will go out of business within six months statement is FALSE.

The bulk of the article is an amusing romp through various parties attempting to deny they were the source of the false information and/or that the presence of false information had any impact on the legislation.

The second part, that false information had no impact on the legislation seems plausible to me. Legislation rarely has any relationship to information true or false so I can understand why false information doesn’t trouble those cited.

Congressional hearing documents could simply repeat the standard Lorem Ipsum:

“Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.”

It has as much of a relationship to any legislation Congress passes as the carefully published committee hearings.

There is an upside to Joseph’s story:


The size and expertise of congressional staffs who write and vet legislation have also steadily diminished over time as have the staffs of congressional services such as the Government Accountability Office and the Congressional Research Service designed to provide Congress with authoritative data.

“Basically, [congressional staffers] have less expertise available to them, are more reliant on what other people tell them and it’s much easier for erroneous information to get into the political system,” said Daniel Schuman, a former House and Senate staffer who also worked for the Congressional Research Service and is now policy director for Demand Progress, a left-leaning internet rights and open government organization.

It’s what I call “fact laundering.” It’s like money laundering but legal.

You load your member of Congress up with fake facts, which they cite (without naming you), which are spread by other people (with no checking), cited by other members of congress and agencies, and in just weeks, you have gone from a false fact to a congressional fact.

An added bonus, even when denied, a congressional fact can become stronger.

Facts on demand as it were.

Sheriff’s Capt. Jason Gearman Signals DAPL Opponents

Filed under: #DAPL,Government — Patrick Durusau @ 2:08 pm

Sheriff’s Capt. Jason Gearman adopted one of my suggestions from Protecting DAPL From Breaches (Maps and Hunting Safety) and has signaled DAPL opponents of increased law enforcement patrols in Buena Vista County, Iowa and Minnehaha County, South Dakota.

Express your appreciation to Capt. Jason Gearman for keeping DAPL opponents and sheriff’s deputies safely apart. Not all law enforcement personnel are pipeline stooges.

For more details see: New Vandalism on DAPL.

May 2, 2017

EU Censorship Emboldens Torpid UK Parliament Members

Filed under: Censorship,Free Speech,Government — Patrick Durusau @ 3:24 pm

Social media companies “shamefully far” from tackling illegal and dangerous content

From the webpage:

The Home Affairs Committee has strongly criticised social media companies for failing to take down and take sufficiently seriously illegal content – saying they are “shamefully far” from taking sufficient action to tackle hate and dangerous content on their sites.

The Committee recommends the Government should assess whether failure to remove illegal material is in itself a crime and, if not, how the law should be strengthened. They recommend that the Government also consult on a system of escalating sanctions to include meaningful fines for social media companies which fail to remove illegal content within a strict timeframe.
… (emphasis in original)

I can only guess the recent EU censorship spasm, EU’s Unfunded Hear/See No Evil Policy, has made the UK parliament bold. Or at least bolder than usual.

What leaves me puzzled, though, is that “hate crimes” are by definition crimes. Yes? And the UK already has laws against hate crimes, police officials to enforce those laws, courts in which to try those suspected of hate crimes, and prisons in the event they are convicted. Yes?

If all that’s true, then for social media, really media in general, you need only one rule:

If what you see, hear and/or read disturbs you, look, listen and/or read something else.

It’s really that simple. No costs to social media companies, no extra personnel to second guess what some number of UK parliament members find to be “hate and dangerous content,” no steady decay of the right to speak without government pre-approval, etc.

As far as what other people prefer to see, hear and/or read, well, that’s really none of your business.

Practical Suggestions For Improving Transparency

Filed under: Government,Journalism,Leaks,News,Reporting — Patrick Durusau @ 2:50 pm

A crowd wail about Presidents Obama, Trump, opacity, lack of transparency, loss of democracy, freedom of the press, the imminent death of civilization, etc., isn’t going to improve transparency.

I have two practical suggestions for improving transparency.

First suggestion: Always re-post, tweet, share stories with links to leaked materials. If the story you read doesn’t have such a link, seek out one that does to re-post, tweet, share.

Some stories of leaks include a URL to the leaked material, like Hacker leaks Orange is the New Black new season after ransom demands ignored by Sean Gallagher, or NSA-leaking Shadow Brokers just dumped its most damaging release yet by Dan Goodin, both of Ars Technica.

Some stories of the same leaks do not include a URL to the leaked material, The Netflix ‘Orange is the New Black’ Leak Shows TV Piracy Is So 2012 (which does have the best strategy for fighting piracy I have ever read) or Shadow Brokers leak trove of NSA hacking tools.

Second suggestion: If you encounter leaked materials, post, tweet and share them as widely as possible. (Translations are always needed.)

Improving transparency requires only internet access and the initiative to do so.

Are you game?

April 28, 2017

4.5 Billion Forced To Boycott ‘Hack the Air Force’ (You Should Too)

Filed under: Cybersecurity,Government — Patrick Durusau @ 10:41 am

I mentioned in How Do Hackers Live on $53.57? (‘Hack the Air Force’) that only hackers in Australia, Canada, New Zealand, the United Kingdom and United States can participate in ‘Hack the Air Force.’

For a rough count of those excluded, let’s limit hackers to being between the ages of 15 and 64. The World Bank puts that as 66% of the total population as of 2015.

OK, the World Population Clock gives a world population as of 28 April 2017 as 7,500,889,628.

Consulting the table for population by country, we find: Australia (25M), Canada (37M), New Zealand (5M), the United Kingdom (66M) and United States (326M), for a total of 459 million.

Rounding the world’s population to 7,501,000,000, 66% of that population is 4,950,660,000 potential hackers world-wide, and 66% of the 459 million in Australia, Canada, New Zealand, the United Kingdom and United States is 302,940,000 potential hackers.

Hmmm,

Worldwide 4,950,660,000
AF Rules 302,940,000
Excluded 4,647,720,000

Not everyone between the ages of 15 and 64 is a hacker but raw numbers indicate a weakness in the US Air Force approach.

If ‘Hack the Air Force’ attracts any participants at all (participation is a bad idea, damages the cybersecurity labor market), those participants will be very similar to those who wrote the insecure systems for the Air Force.

The few participants will find undiscovered weaknesses. But the weaknesses they find will be those anyone similar to them would find. A lack of diversity in security testing is as serious a flaw as default root passwords.

If you need evidence of the need for diversity in security testing, consider the bugs found after any major software release ships. One assumes that Microsoft, Oracle, Cisco, etc., don’t deliberately ignore major security flaws. Yet the headlines are filled with news of such flaws.

My explanation is that different people look for vulnerabilities differently and hence discover different vulnerabilities.

What’s yours?

As far as the ‘Hack the Air Force’ contest, my counsel is to boycott it along with all those forcibly excluded from participating.

The extreme lack of diversity in the hacking pool is a guarantee that post-contest, the public web systems of the US Air Force will remain insecure.

Moreover, it’s not in the interest of the cybersecurity defense community to encourage practices that damage the chances cybersecurity defense will become a viable occupation.

PS: Appeals to patriotism are amusing. The Air Force spent billions of dollars constructing insecure systems. The people who built and maintain these insecure systems were/are paid a living wage. Having bought damaged goods, repeatedly and likely from the same people, what basis does the Air Force have to seek free advice and labor on its problems?

April 27, 2017

Facebook Used To Spread Propaganda (The other use of Facebook would be?)

Filed under: Facebook,Government,Journalism,News,Subject Identity,Topic Maps — Patrick Durusau @ 8:31 pm

Facebook admits: governments exploited us to spread propaganda by Olivia Solon.

From the post:

Facebook has publicly acknowledged that its platform has been exploited by governments seeking to manipulate public opinion in other countries – including during the presidential elections in the US and France – and pledged to clamp down on such “information operations”.

In a white paper authored by the company’s security team and published on Thursday, the company detailed well-funded and subtle techniques used by nations and other organizations to spread misleading information and falsehoods for geopolitical goals. These efforts go well beyond “fake news”, the company said, and include content seeding, targeted data collection and fake accounts that are used to amplify one particular view, sow distrust in political institutions and spread confusion.

“We have had to expand our security focus from traditional abusive behavior, such as account hacking, malware, spam and financial scams, to include more subtle and insidious forms of misuse, including attempts to manipulate civic discourse and deceive people,” said the company.

It’s a good white paper and you can intuit a lot from it, but leaks on the details of Facebook counter-measures have commercial value.

Careful media advisers will start farming Facebook accounts now for the US mid-term elections in 2018. One of the “tells” (a behavior that unintentionally discloses a player’s intent) of a “fake” account is recent creation alongside many similar accounts.

Such accounts need to be managed so that their “identity” fits the statistical average for similar accounts. They should not all suddenly like a particular post or account, for example.

The doctrines of subject identity in topic maps can be used to avoid subject recognition as well as to ensure it. Just the other side of the same coin.
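The tell described above, as an added example that is not part of the original post or of Facebook’s white paper: a small detector over constructed account and like records (the field layout, account ids, post ids and timestamps are all assumptions) that flags a post when a burst of likes within thirty minutes comes from accounts that were themselves created within a week of each other. Read in reverse it also shows what the managed accounts the post describes must do to stay below the thresholds: spread their creation dates and stagger their reactions.

```python
"""Added example, not code from the original post or from Facebook.

A toy detector for the "tell" described above: a batch of accounts created
close together in time that all react to the same post within minutes of
each other.  The accounts, post ids and like events below are constructed
sample data with an assumed field layout; real platform data would differ.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: account id -> creation time (hypothetical).
ACCOUNTS = {
    "organic_a": datetime(2014, 3, 2, 10, 0),
    "organic_b": datetime(2015, 11, 17, 21, 30),
    "organic_c": datetime(2016, 6, 30, 8, 15),
    "batch_1": datetime(2017, 4, 20, 9, 0),
    "batch_2": datetime(2017, 4, 20, 9, 14),
    "batch_3": datetime(2017, 4, 21, 10, 2),
    "batch_4": datetime(2017, 4, 22, 8, 45),
}

# Constructed sample data: (account id, post id, time of the like).
LIKES = [
    ("batch_1", "p100", datetime(2017, 5, 1, 12, 0)),
    ("batch_2", "p100", datetime(2017, 5, 1, 12, 3)),
    ("organic_a", "p100", datetime(2017, 5, 1, 12, 5)),
    ("batch_3", "p100", datetime(2017, 5, 1, 12, 7)),
    ("batch_4", "p100", datetime(2017, 5, 1, 12, 11)),
    ("organic_b", "p100", datetime(2017, 5, 1, 18, 40)),
    ("organic_a", "p200", datetime(2017, 5, 2, 8, 0)),
    ("batch_1", "p200", datetime(2017, 5, 2, 9, 30)),
    ("organic_c", "p200", datetime(2017, 5, 2, 14, 15)),
    ("batch_2", "p200", datetime(2017, 5, 3, 7, 0)),
]


def _largest_tight_run(times, span):
    """For a sorted list of datetimes, return (start, end) of the longest
    contiguous run whose last - first <= span (end is exclusive)."""
    best = (0, 0)
    j = 0
    for i in range(len(times)):
        while times[i] - times[j] > span:
            j += 1
        if i - j + 1 > best[1] - best[0]:
            best = (j, i + 1)
    return best


def flag_coordinated_likes(accounts, likes, creation_window=timedelta(days=7),
                           like_window=timedelta(minutes=30), min_cluster=3):
    """Return {post_id: [account ids]} for every post that received
    min_cluster or more likes within like_window of each other from
    accounts that were themselves all created within creation_window.
    Only the largest such cluster per post is reported."""
    by_post = defaultdict(list)
    for user, post, liked_at in likes:
        by_post[post].append((liked_at, user))

    flagged = {}
    for post, events in by_post.items():
        events.sort()
        like_times = [t for t, _ in events]
        j = 0
        for i in range(len(events)):
            # Slide a like_window-wide window over this post's likes.
            while like_times[i] - like_times[j] > like_window:
                j += 1
            burst = events[j:i + 1]
            if len(burst) < min_cluster:
                continue
            # Within the burst, look for accounts whose creation times cluster.
            by_created = sorted((accounts[u], u) for _, u in burst)
            lo, hi = _largest_tight_run([c for c, _ in by_created], creation_window)
            if hi - lo >= min_cluster:
                cluster = sorted(u for _, u in by_created[lo:hi])
                if len(cluster) > len(flagged.get(post, [])):
                    flagged[post] = cluster
    return flagged


if __name__ == "__main__":
    for post, cluster in flag_coordinated_likes(ACCOUNTS, LIKES).items():
        print(post, "liked in a burst by accounts created together:", cluster)
```

On the sample data post p100 is flagged with the four batch accounts while the organic likers in the same burst are left out, and p200, whose likes are spread across a day, is not flagged at all. The thresholds are parameters because they are the whole game: an operator who knows them can stagger creation dates and reaction times to stay underneath, which is why a real platform combines this signal with others rather than relying on timing alone.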

Coloring US Hacker Bigotry (Test Your Geographic Ignorance)

Filed under: Cybersecurity,Geography,Government — Patrick Durusau @ 4:22 pm

I failed to mention in How Do Hackers Live on $53.57? (‘Hack the Air Force’) that ‘Hack the Air Force’ is limited to hackers in Australia, Canada, New Zealand, the United Kingdom and the United States (blue on the following map).

The dreaded North Korean hackers, the omnipresent Russian hackers (of Clinton fame), government associated Chinese hackers, not to mention the financially savvy East European hackers, and many others, are left out of this contest (red on the map).

The US Air Force is “fishing in the shallow end of the cybersecurity talent pool.”

I say this is “a partial cure for geographic ignorance,” because I started with the BlankMap-World4.svg map and proceeded in GIMP to fill in the outlines with appropriate colors.

There are faster map creation methods but going one by one, impressed upon me the need to improve my geographic knowledge!

April 26, 2017

How To Avoid Lying to Government Agents (Memorize)

Filed under: FBI,Government,Law — Patrick Durusau @ 7:58 pm

How to Avoid Going to Jail under 18 U.S.C. Section 1001 for Lying to Government Agents by Solomon L. Wisenberg.

Great post but Wisenberg buries his best advice twelve paragraphs into the story. (Starts with: “Is there an intelligent alternative to lying….”)

Memorize this sentence:

I will not answer any questions without first consulting an attorney.

That’s it. Short, sweet and to the point. Make no statements at all other than that one. No “I have nothing to hide,” etc.

It’s like name, rank, serial number you see in the old war movies. Don’t say anything other than that sentence.

For every statement a government agent makes, simply repeat that sentence. Remember, you can’t lie if you don’t say anything other than that sentence.

See Wisenberg’s post for the details but the highlighted sentence is the only one you need.

How Do Hackers Live on $53.57? (‘Hack the Air Force’)

Filed under: Cybersecurity,Government,Security — Patrick Durusau @ 4:27 pm

I ask because once you get past the glowing generalities of USAF Launches ‘Hack the Air Force’:

Let the friendly hacking fly: The US Air Force will allow vetted white hat hackers and other computer security specialists root out vulnerabilities in some of its main public websites.

You find:


Reina Staley, chief of staff for the Defense Digital Service, notes that white-hat hacking and crowdsourced security initiatives are often used by small businesses and large companies to beef up their security. Payouts for Hack the Air Force will be made based on the severity of the exploit discovered, and there will be only one payout per exploit.

Staley notes that the DoD’s Hack the Pentagon initiative, which was launched in April 2016 by the Defense Digital Service, was the federal government’s first bug bounty program. More than 1,400 hackers registered to participate, and DoD paid $75,000 in bounties.

“In the past, we contracted to a security research firm and they found less than 20 unique vulnerabilities,” Staley explains. “For Hack the Pentagon, the 1,400 hackers found 138 unique vulnerabilities, most of them previously unknown.”

Kim says Hack the Air Force is all about being more proactive in finding security flaws and fixing them quickly. “While the money is a draw, we’re also finding that people want to participate in the program for patriotic reasons as well. People want to see the Internet and Armed Forces networks become safer,” he says.

Let’s see, $75,000 split between 1,400 hackers, that’s $53.57 per hacker, on average. Some got more than average, some got nothing at all.

‘Hack the Air Force’ damages the defensive cybersecurity labor market by driving down the compensation for cybersecurity skills, skills that take time, hard work and talent to develop, but which the Air Force devalues with chump change.

I fully agree with anyone who says government, DoD or Air Force cybersecurity sucks.

However, the Air Force chose to spend money on valets, chauffeurs for its generals, fighter jets that randomly burst into flames, etc., just as they chose to neglect cybersecurity.

Not my decision, not my problem.

Want an effective solution?

First step, “…use the free market Luke!” Create an Air Force contact point where hackers can anonymously submit notices of vulnerabilities. Institute a reliable and responsive process that offers compensation (market-based compensation) for those finds. Compensation paid in bitcoins.

Bear in mind that paying the market rate and responding with market-reasonable speed will be critical to the success of such a portal. Yes, in a “huffy” voice, “you are the US Air Force,” but hackers will have something you need and cannot supply yourself. Live with it.

Second step, create a very “lite” contracting process when you need short-term cybersecurity audits or services. That means abandoning the layers of reports and graft of primes, sub-primes and sub-sub-primes, with all the feather nesting of contract officers, etc., along the way. Oh, drug tests as well. You want results, not squeaky clean but so-so hackers.

Third step, disclose vulnerabilities in other armed services, both domestic and foreign. Time spent hacking them is time not spent hacking you. Yes?

Until the Air Force stops damaging the defensive cybersecurity labor market, boycott the ‘Hack the Air Force’ at HackerOne and all similar efforts.

Is This Public Sector Corruption Map Knowingly False?

Filed under: Government,Journalism,News — Patrick Durusau @ 1:12 pm

The New York Times, Google and Facebook would all report no.

Knowingly false?

It uses the definition of “corruption” in McCutcheon v. Federal Election Comm’n, 134 S. Ct. 1434 (2014).

Chief Justice Roberts writing for the majority:


Moreover, while preventing corruption or its appearance is a legitimate objective, Congress may target only a specific type of corruption—“quid pro quo” corruption. As Buckley explained, Congress may permissibly seek to rein in “large contributions [that] are given to secure a political quid pro quo from current and potential office holders.” 424 U. S., at 26. In addition to “actual quid pro quo arrangements,” Congress may permissibly limit “the appearance of corruption stemming from public awareness of the opportunities for abuse inherent in a regime of large individual financial contributions” to particular candidates. Id., at 27; see also Citizens United, 558 U. S., at 359 (“When Buckley identified a sufficiently important governmental interest in preventing corruption or the appearance of corruption, that interest was limited to quid pro quo corruption”).

Spending large sums of money in connection with elections, but not in connection with an effort to control the exercise of an officeholder’s official duties, does not give rise to such quid pro quo corruption. Nor does the possibility that an individual who spends large sums may garner “influence over or access to” elected officials or political parties. Id., at 359; see McConnell v. Federal Election Comm’n, 540 U.S. 93, 297 (2003) (KENNEDY, J., concurring in judgment in part and dissenting in part). And because the Government’s interest in preventing the appearance of corruption is equally confined to the appearance of quid pro quo corruption, the Government may not seek to limit the appearance of mere influence or access. See Citizens United, 558 U. S., at 360.
… (page 20)

But with the same “facts,” if your definition of “quid pro quo” included campaign contributions, then this map is obviously false.

In fact, Christopher Robertson, D. Alex Winkelman, Kelly Bergstrand, and Darren Modzelewski, in The Appearance and the Reality of Quid Pro Quo Corruption: An Empirical Investigation Journal of Legal Analysis (2016) 8 (2): 375-438. DOI: https://doi.org/10.1093/jla/law006, conduct an empirical investigation into how jurors could view campaign contributions as “quid pro quo.”

Abstract:

The Supreme Court says that campaign finance regulations are unconstitutional unless they target “quid pro quo” corruption or its appearance. To test those appearances, we fielded two studies. First, in a highly realistic simulation, three grand juries deliberated on charges that a campaign spender bribed a Congressperson. Second, 1271 representative online respondents considered whether to convict, with five variables manipulated randomly. In both studies, jurors found quid pro quo corruption for behaviors they believed to be common. This research suggests that Supreme Court decisions were wrongly decided, and that Congress and the states have greater authority to regulate campaign finance. Prosecutions for bribery raise serious problems for the First Amendment, due process, and separation of powers. Safe harbors may be a solution.

Using Robertson, et al., “quid pro quo,” or even a more reasonable definition of “corruption:”

Transparency International defines corruption broadly as the abuse of entrusted power for private gain. (What is Public Sector Corruption?)

a re-colorization of the map shows a different reading of corruption in the United States:

Do you think the original map (top) is going to appear with warnings it depends on how you define corruption?

Or with a note saying a definition was chosen to conceal corruption of the US government?

I didn’t think so either.

PS: The U.S. has less minor corruption than many countries. The practice of and benefits from corruption are limited to the extremely wealthy.

April 24, 2017

Scotland Yard Outsources Violation of Your Privacy

Filed under: Cybersecurity,Government,Privacy — Patrick Durusau @ 3:07 pm

Whistleblower uncovers London police hacking of journalists and protestors by Trevor Johnson.

From the post:

The existence of a secretive unit within London’s Metropolitan Police that uses hacking to illegally access the emails of hundreds of political campaigners and journalists has been revealed. At least two of the journalists work for the Guardian.

Green Party representative in the British House of Lords, Jenny Jones, exposed the unit’s existence in an opinion piece in the Guardian. The facts she revealed are based on a letter written to her by a whistleblower.

The letter reveals that through the hacking, Scotland Yard has illegally accessed the email accounts of activists for many years, and this was possible due to help from “counterparts in India.” The letter alleged that the Metropolitan Police had asked police in India to obtain passwords on their behalf—a job that the Indian police subcontracted out to groups of hackers in India.

The Indian hackers sent back the passwords obtained, which were then used illegally by the unit within the Met to gather information from the emails of those targeted.

Trevor covers a number of other points, additional questions that should be asked, the lack of media coverage over this latest outrage, etc., all of which merit your attention.

From my perspective, these abuses by the London Metropolitan Police (Scotland Yard), are examples of the terrorism bogeyman furthering government designs against quarrelsome but otherwise ordinary citizens.

Quarrelsome but otherwise ordinary citizens are far safer and easier to spy upon than seeking out actual wrongdoers. And spying justifies part of Scotland Yard’s budget, since everyone “knows” a lack of actionable intelligence means terrorists are hiding successfully, not the more obvious lack of terrorists to be found.

As described in Trevor’s post, Scotland Yard, like all other creatures of government, thrives in shadows. Shadows where its decisions are beyond discussion and reproach.

In choosing between supporting government spawned creatures that live in the shadows and working to dispel the shadows that foster them, remember they are not, were not and never will be “…on your side.”

They have a side, but it most assuredly is not yours.

April 22, 2017

Shortfall in Peer Respect and Accomplishment

Filed under: Cybersecurity,Government — Patrick Durusau @ 8:13 pm

I didn’t expect UK government confirmation of my post: Shortfall in Cybersecurity Talent or Compensation? so quickly!

I argued against the groundless claims of a shortage of cybersecurity talent in the face of escalating cybercrime and hacking statistics.

If there were a shortage of cybersecurity talent, cybercrime should be going down. But it’s not.

The National Crime Agency reports:

The National Crime Agency has today published research into how and why some young people become involved in cyber crime.

The report, which is based on debriefs with offenders and those on the fringes of criminality, explores why young people assessed as unlikely to commit more traditional crimes get involved in cyber crime.

The report emphasises that financial gain is not necessarily a priority for young offenders. Instead, the sense of accomplishment at completing a challenge, and proving oneself to peers in order to increase online reputations are the main motivations for those involved in cyber criminality.

Government agencies, the FBI for example, are full of lifers who take their breaks at precisely 14:15 PM, have their favorite parking spots, play endless office politics and are masters of passive-aggression, all of which makes government and/or corporate work too painful to contemplate for young cybersecurity talent.

In short, a lack of meaningful peer respect and a sense of accomplishment is defeating both government and private hiring of cybersecurity talent.

Read Pathways Into Cyber Crime and evaluate how the potential young hires in there would react to your staff meetings and organizational structure.

That bad? Wow, you are worse off than I thought.

So, are you going to keep with your certificate-driven, cubicle-based, Dilbert-like cybersecurity effort?

How’s that working out for you?

You will have to take risks to find better solutions but you are losing already. Enough to chance a different approach?

April 20, 2017

Conclusive Reason To NOT Use Gmail

Filed under: Email,Government,Law — Patrick Durusau @ 8:07 pm

Using an email service, Gmail for example, that tracks (and presumably reads) your incoming and outgoing mail is poor security judgement.

Following a California magistrate ruling on 19 April 2017, it’s suicidal.

Shaun Nichols covers the details in Nuh-un, Google, you WILL hand over emails stored on foreign servers, says US judge.

But the only part of the decision that should interest you reads:


The court denies Google’s motion to quash the warrant for content that it stores outside the United States and orders it to produce all content responsive to the search warrant that is retrievable from the United States, regardless of the data’s actual location.

Beeler takes heart from the dissents in In the Matter of a Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., 829 F.3d 197 (2d Cir. 2016), reh’g denied en banc, No. 14-2985, 2017 WL 362765 (2d Cir. Jan. 24, 2017), to find that, if data isn’t intentionally stored outside the US and can be accessed from within the US, then it’s subject to a warrant under 18 U.S.C. § 2703(a), the Stored Communications Act (“SCA”).

I have a simpler perspective: Do you want to risk fortune and freedom on how-many-angels-can-dance-on-the-head-of-a-pin questions about 18 U.S.C. § 2703(a), the Stored Communications Act (“SCA”)?

If your answer is no, don’t use Gmail. Or any other service where data can be accessed from the United States under 18 U.S.C. § 2703(a), or from other jurisdictions under similar statutes.

For that matter, prudent users restrict themselves to Tor based mail services and always use strong encryption.

Almost any communication can be taken as a crime or step in a conspiracy by a prosecutor inclined to do so.

The only partially safe haven is silence. (Where encryption and/or inability to link you to the encrypted communication = silence.)

April 7, 2017

Wikileaks Vault 7 “Grasshopper” – A Value Added Listing

Filed under: CIA,Government,Vault 7,Wikileaks — Patrick Durusau @ 1:29 pm

Wikileaks has released Vault 7 “Grasshopper.”

As I have come to expect the release:

  • Is in no particular order
  • Requires loading an HTML page before obtaining a PDF file

Here is a value-added listing that corrects both of those problems (and includes page numbers):

  1. GH-Drop-v1_0-UserGuide.pdf 2 pages
  2. GH-Module-Bermuda-v1_0-UserGuide.pdf 9 pages
  3. GH-Module-Buffalo-Bamboo-v1_0-UserGuide.pdf 7 pages
  4. GH-Module-Crab-v1_0-UserGuide.pdf 6 pages
  5. GH-Module-NetMan-v1_0-UserGuide.pdf 6 pages
  6. GH-Module-Null-v2_0-UserGuide.pdf 5 pages
  7. GH-Module-Scrub-v1_0-UserGuide.pdf 6 pages
  8. GH-Module-Wheat-v1_0-UserGuide.pdf 5 pages
  9. GH-Module-WUPS-v1_0-UserGuide.pdf 6 pages
  10. GH-Run-v1_0-UserGuide.pdf 2 pages
  11. GH-Run-v1_1-UserGuide.pdf 2 pages
  12. GH-ScheduledTask-v1_0-UserGuide.pdf 3 pages
  13. GH-ScheduledTask-v1_1-UserGuide.pdf 4 pages
  14. GH-ServiceDLL-v1_0-UserGuide.pdf 4 pages
  15. GH-ServiceDLL-v1_1-UserGuide.pdf 5 pages
  16. GH-ServiceDLL-v1_2-UserGuide.pdf 5 pages
  17. GH-ServiceDLL-v1_3-UserGuide.pdf 6 pages
  18. GH-ServiceProxy-v1_0-UserGuide.pdf 4 pages
  19. GH-ServiceProxy-v1_1-UserGuide.pdf 5 pages
  20. Grasshopper-v1_1-AdminGuide.pdf 107 pages
  21. Grasshopper-v1_1-UserGuide.pdf 53 pages
  22. Grasshopper-v2_0_1-UserGuide.pdf 134 pages
  23. Grasshopper-v2_0_2-UserGuide.pdf 134 pages
  24. Grasshopper-v2_0-UserGuide.pdf 134 pages
  25. IVVRR-Checklist-StolenGoods-2_0.pdf 2 pages
  26. StolenGoods-2_0-UserGuide.pdf 11 pages
  27. StolenGoods-2_1-UserGuide.pdf 22 pages

If you notice that the Grasshopper-*****-UserGuide.pdf appears in four different versions, good for you!

I suggest you read only Grasshopper-v2_0_2-UserGuide.pdf.

The differences between Grasshopper-v1_1-UserGuide.pdf at 53 pages and Grasshopper-v2_0-UserGuide.pdf at 134 pages, are substantial.

However, the only differences between Grasshopper-v2_0-UserGuide.pdf, Grasshopper-v2_0_1-UserGuide.pdf and Grasshopper-v2_0_2-UserGuide.pdf are these:

diff Grasshopper-v2_0-UserGuide.txt Grasshopper-v2_0_1-UserGuide.txt

4c4
< Grasshopper v2.0 
---
> Grasshopper v2.0.1 
386a387,389
> 
> Payloads arguments can be added with the optional -a parameter when adding a 
> payload component. 


diff Grasshopper-v2_0_1-UserGuide.txt Grasshopper-v2_0_2-UserGuide.txt

4c4
< Grasshopper v2.0.1 
---
> Grasshopper v2.0.2 
1832c1832
< winxppro-sp0 winxppro-sp1 winxppro-sp2 winxppro-sp3 
---
> winxp-x64-sp0 winxp-x64-sp1 winxp-x64-sp2 winxp-x64-sp3 
1846c1846
< winxppro win2003 
---
> winxp-x64 win2003 

Unless you are preparing a critical edition for the CIA and/or you are just exceptionally anal, the latest version, Grasshopper-v2_0_2-UserGuide.pdf, should be sufficient for most purposes.

Not to mention saving you 321 pages of duplicated reading.

Enjoy!

Naming German Censors

Filed under: Censorship,Free Speech,Government — Patrick Durusau @ 10:12 am

Germany gives social networks 24 hours to delete criminal content by Simon Sharwood.

From the post:

Germany has followed through on its proposal to make social networks remove slanderous hate speech and fake news or face massive fines.

The nation’s Bundesministerium der Justiz und für Verbraucherschutz (Federal Ministry of Justice and Consumer Protection) has announced that cabinet approved a plan to force social network operators to create a complaints mechanism allowing members of the public to report content that online translate-o-tronic services categorise as “insults, libel, slander, public prosecutions, crimes, and threats.”

The Bill approved by Cabinet proposes that social networks be required to establish a complaints officer who is subject to local law and gets the job of removing obviously criminal content 24 hours after receiving a complaint. A seven-day deadline will apply to content that’s not immediately identifiable as infringing. Social networks will also be required to inform complainants of the outcome of their takedown requests and to provide quarterly summaries of their activities.

The ministry’s statement also suggests that those who feel aggrieved by material posted about them should be able to learn the true identity of the poster.

A Faktenpapier (PDF) on the Bill says that if the deadlines mentioned above aren’t met the social network’s designated complaints-handler could be fined up to five million Euros, while the network itself could cop a fine of 50 million Euros. An appeal to Germany’s courts will be possible.

Sharwood’s post is a great summary of this censorship proposal but fails to identify those responsible for it.

“Germany” in the abstract sense isn’t responsible for it. And to say the “Cabinet,” leaves the average reader no more informed than saying “Germany.”

Perhaps this helps: German Cabinet / Censors:

Peter Altmaier Alexander Dobrindt Sigmar Gabriel
Hermann Gröhe Barbara Hendricks Ursula von der Leyen
Heiko Maas Thomas de Maizière Angela Merkel
Gerd Müller Andrea Nahles Wolfgang Schäuble
Christian Schmidt Manuela Schwesig Johanna Wanka
Brigitte Zypries

I don’t have their staff listings, yet, but that’s a start on piercing the veil that “Germany” and “Cabinet” put between the reader and wannabe censors.

Other veils that hide/protect censors that need piercing?

April 3, 2017

The Upside To Overturning Internet Privacy Rules

Filed under: Government,Privacy,Security — Patrick Durusau @ 8:28 pm

Trump signs measure overturning internet privacy rules by David McCabe.

From the post:

President Trump has signed a Congressional resolution overturning Federal Communications Commission rules that would have required internet providers to get their customers’ permission before sharing personal data like browsing history with advertisers. The rules had yet to go into effect.

Is this a bad thing?

Sure, but there is an upside.

You have already seen media reports urging everyone to start using VPNs and the like to protect their privacy from ISP predators.

What happens if VPNs come into everyday use by the average user? Aside from greater profits for VPN vendors.

Hmmm, several orders of magnitude more VPN connections than are being tracked by the usual alphabet soup agencies.

Encourage every user you know to use a VPN connection. Hell, offer them as swag at conferences.

Teacher and library conferences. Church camps. Oh, yeah, technical conferences too.

Hackers in the mist? 😉

March 27, 2017

Hacking vs. Buying Passwords – Which One For You?

Filed under: Cybersecurity,Government,Security — Patrick Durusau @ 3:04 pm

You remember the Dilbert cartoon on corporate security where the pointy-haired boss asks what Dilbert would do if a stranger offered to buy company secrets. Dilbert responds by asking how much the stranger is offering. See the strip for the boss’ answer and Wally’s follow up question.

Danny Palmer reports the price point for employees who would sell their access, maybe less than you think.

From the post:

A cyberattack could cost an organisation millions, but an employee within your company might be willing to give an outsider access to sensitive information via their login credentials for under £200.

According to a report examining insider threats by Forcepoint, 14 percent of European employees claimed they would sell their work login credentials to an outsider for £200. And the researchers found that, of those who’d sell their credentials to an outsider, nearly half would do it for less.

That’s about $260.00 U.S. at today’s exchange rates.

Only you know your time and expense of hacking passwords and/or buying them on the dark web.

I suspect the price point is even lower in government agencies with unpopular leadership.

I haven’t seen any surveys of US employees, but I suspect employees of companies, suppliers, contractors, banks, etc., involved in oil pipeline construction are equally open to selling passwords. Given labor conditions in the US, perhaps even more so.

Not that anyone opposing a multi-generational environmental crime like an oil pipeline would commit a crime when there are so many lawful and completely ineffectual means to oppose it at hand.

PS: As recent CIA revelations demonstrate, the question isn’t if government will betray the public’s interest but when. The same is true for environmental, health and other concerns.

Peeping Toms Jump > 16,000 In UK

Filed under: Government,Privacy,Security — Patrick Durusau @ 8:23 am

The ranks of peeping toms swell by at least 16,000 in the UK:

More than 16,000 staff in the public sector empowered to examine your web browsing by Graeme Burton.

From the post:

More than 16,000 staff in the public sector and its agencies have been empowered by Section 4 of the Investigatory Powers Act to snoop on people’s internet connection records.

And that’s before the estimated 4,000 staff at security agency MI5, the 5,500 at GCHQ and 2,500 at MI6 are taken into account.

That’s according to the responses from a series of almost 100 Freedom of Information (FOI) requests made in a bid to find out exactly who has the power to snoop on ordinary people’s web browsing histories under the Act.

GCHQ, the Home Office, MI6, the National Crime Agency, the Ministry of Justice, all three armed forces and Police Service of Scotland all failed to respond to the FOI requests – so the total could be much higher.

My delusion that the UK has a mostly rational government was shattered by passage of the Investigatory Powers Act. Following web browsing activity, hell, even tracking everyone and their conversations, 24 x 7, isn’t going to stop random acts of violence.

What part of random acts of violence being exactly that, random, seems to be unclear? Are there no UK academics to take up the task of proving prediction of random events is possible?

Unless and until the UK Parliament comes to its senses, the best option for avoiding UK peeping toms is to move to another country.

If re-location isn’t possible, use a VPN and a Tor browser for all web activity.

March 26, 2017

March 25th – Anniversary Of Triangle Fire – The Names Map

Filed under: Government,Maps,Politics — Patrick Durusau @ 11:09 am

The Names Map

From the website:

The Names Map displays the name, home address, likely age, country of origin, and final resting place of all known Triangle Fire victims.

(map and list of 146 victims)

The Remember the Triangle Fire Coalition connects individuals and organizations with the 1911 Triangle Factory Fire — one of the pivotal events in US history and a turning point in labor’s struggle to achieve fair wages, dignity at work and safe working conditions. Outrage at the deaths of 146 mostly young, female immigrants inspired the union movement and helped to institute worker protections and fire safety laws. Today, basic rights and benefits in the workplace are not a guarantee in the United States or across the world. We believe it is more vital than ever that these issues are defended.

The “not guilty” verdict on all counts of manslaughter for Triangle Factory owners Max Blanck and Isaac Harris:

is often overlooked in anniversary celebrations. (Image from Cornell University, ILR School, Kheel Center’s Remembering The 1911 Triangle Factory Fire, Transcript of Criminal Trial)

That verdict is a forerunner to the present day decisions to not prosecute police shootings/abuse of unarmed civilians.

Celebrate the progress made since the 1911 Triangle Factory Fire while mindful that exploitation and abuse continue to this very day.

The Remember the Triangle Fire Coalition has assembled a large number of resources, many of which are collections of other resources, including primary materials.

Politics For Your Twitter Feed

Filed under: Government,Politics,Tweets,Twitter — Patrick Durusau @ 8:28 am

Hungry for more political tweets?

GovTrack created the Members of Congress Twitter list.

Barometer of congressional mood?

Enjoy!

March 25, 2017

Looking For Installed Cisco Routers?

Filed under: Cybersecurity,Government,Security — Patrick Durusau @ 7:50 pm

News of 300 models of Cisco Catalyst switches being vulnerable to a simple Telnet attack, Cisco issues critical warning after CIA WikiLeaks dump bares IOS security weakness by Michael Cooney, for example, has piqued interest in installed Cisco routers.

You already know that Nmap can uncover and identify routers.

What you may not know is government hemorrhaging of IT information may be a useful supplement to Nmap.

Consider GovernmentBids.com for example.

You can search by federal government bid types and/or one or more of the fifty states, up to 999 prior to the current date; the results include the bids as well as the winning vendor.

If you are routinely searching for IT vulnerability information, I would not begrudge them the $131/month fee for full information on bids.

From a topic map perspective, pairing IT bid information with vulnerability reports, would be creative and valuable intelligence.

How much IT information is your office/department hemorrhaging?

March 22, 2017

The New Handbook For Cyberwar Is Being Written By Russia

Filed under: Cybersecurity,Government,Security — Patrick Durusau @ 8:35 pm

The New Handbook For Cyberwar Is Being Written By Russia by Sheera Frenkel.

From the post:


One US intelligence officer currently involved in cyber ops said, “It’s not that the Russians are doing something others can’t do. It’s not as though, say, the US wouldn’t have the technical skill level to carry out those types of attacks. It’s that Russian hackers are willing to go there, to experiment and carry out attacks that other countries would back away from,” said the officer, who asked not to be quoted by name due to the sensitivity of the subject. “It’s audacious, and reckless. They are testing things out in the field and refining them, and a lot of it is very, very messy and some is very smart.”

Well, “…testing things out in the field and refining them…” is the difference between a potential weapon on a dry erase board and a working weapon in practice. Yes?

Personally I favor the working weapon in practice.

It’s an interesting read despite the repetition of the now debunked claim of Wikileaks releasing 8,761 CIA documents (Fact Checking Wikileaks’ Vault 7: CIA Hacking Tools Revealed (Part 1))

Frenkel of course covers the DNC hack:


The hack on the DNC, which US intelligence agencies have widely attributed to Russia, could be replicated by dozens of countries around the world, according to Robert Knake, a former director of cybersecurity policy in the Obama administration.

“Russia has laid out the playbook. What Russia did was relatively unsophisticated and something that probably about 60 countries around the world have the capability of doing — which is to target third parties, to steal documents and emails, and to selectively release them to create unfavorable conditions for that party,” Knake told the BBC’s Today. “It’s unsubtle interference. And it’s a violation of national sovereignty and customary law.”

Knake reflects the failure of major powers to understand the leveling potential of cyberwarfare. Sixty countries? You think? How about every kid that can run a phishing scam to steal John Podesta’s password? How many? 600,000 maybe? More than that?

None of whom care about “…national sovereignty and customary law.”

Are you going to write or be described in a chapter of the new book on cyberwar?

Your call.

March 18, 2017

Congress API Update

Filed under: Government,Politics — Patrick Durusau @ 9:09 pm

Congress API Update by Derek Willis.

From the post:

When we took over projects from the Sunlight Foundation last year, we inherited an Application Programming Interface, or API, that overlapped with one of our own.

Sunlight’s Congress API and ProPublica’s Congress API are similar enough that we decided to try to merge them together rather than run them separately, and to do so in a way that makes as few users change their code as possible.

Today we’ve got an update on our progress.

Users of the ProPublica Congress API can now access additional fields in responses for Members, Bills, Votes and Nominations. We’ve updated our documentation to provide examples of those responses. These aren’t new responses but existing ones that now include some new attributes brought over from the Sunlight API. Details on those fields are here.

We plan to fold in Sunlight fields and responses for Committees, Hearings, Floor Updates and Amendments, though that work isn’t finished yet.

The daily waves of bad information on congressional legislation will not be stopped by good information.

However, good information can be used to pick meaningful fights, rather than debating 140 character or less brain farts.

Your choice.
