Archive for August, 2017

Secure Data Deletion on Windows (Or Not)

Thursday, August 31st, 2017

How to: Delete Your Data Securely on Windows

From the post:

Most of us think that a file on our computer is deleted once we put the file in our computer’s trash folder and empty the trash; in reality, deleting the file does not completely erase it. When one does this, the computer just makes the file invisible to the user and marks the part of the disk that the file was stored on as “available”—meaning that your operating system can now write over the file with new data. Therefore, it may be weeks, months, or even years before that file is overwritten with a new one. Until this happens, that “deleted” file is still on your disk; it’s just invisible to normal operations. And with a little work and the right tools (such as “undelete” software or forensic methods), you can even still retrieve the “deleted” file. The bottom line is that computers normally don’t “delete” files; they just allow the space those files take up to be overwritten by something else some time in the future.

The best way to delete a file forever, then, is to make sure it gets overwritten immediately, in a way that makes it difficult to retrieve what used to be written there. Your operating system probably already has software that can do this for you—software that can overwrite all of the “empty” space on your disk with gibberish and thereby protect the confidentiality of deleted data.

Note that securely deleting data from solid state drives (SSDs), USB flash drives, and SD cards is very hard! The instructions below apply only to traditional disk drives, and not to SSDs, which are becoming standard in modern laptops, USB keys/USB thumb drives, or SD cards/flash memory cards.

This is because these types of drives use a technique called wear leveling. (You can read more about why this causes problems for secure deletion here.)

If you’re using an SSD or a USB flash drive, you can jump to the section below.

On Windows, we currently suggest using BleachBit. BleachBit is a free/open source secure deletion tool for Windows and Linux, and is much more sophisticated than the built-in Cipher.exe.

BleachBit can be used to quickly and easily target individual files for secure deletion, or to implement periodic secure deletion policies. It is also possible to write custom file deletion instructions. Please check the documentation for further information.

The EFF's reminder:

Time required: 10 minutes to several hours (depending on size of files/disks to be securely deleted)

is reassurance that most drives retired from government and industry are still loaded with goodies: few organizations will spend hours per disk on secure deletion.

If in doubt, share this EFF resource with office-level decision makers. It's almost certain they will not tax their users with secure data deletion duties.
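For readers who want to see what "overwrite immediately, then delete" amounts to in practice, here is an added example in Python (my code, not the EFF's and not BleachBit's): it overwrites a file with random bytes, forces the writes to disk, renames the file so its original name no longer sits in the directory entry, then unlinks it. It assumes a traditional spinning disk and a filesystem that writes in place; on an SSD, on a copy-on-write filesystem, or anywhere the file was ever copied (backups, temp files, shadow copies) the old bytes may survive, which is exactly the caveat the EFF gives above. The sample file is constructed inside a temporary directory.

```python
import os
import secrets
import tempfile


def overwrite_and_unlink(path: str, passes: int = 1, chunk: int = 1 << 20) -> int:
    """Overwrite every byte of `path` with random data `passes` times, force the
    writes to disk, then rename and unlink the file. Returns the file size.

    Assumes an in-place filesystem on a spinning disk. On SSDs (wear leveling),
    copy-on-write filesystems, or for files that were ever copied elsewhere,
    the old bytes can survive this; see the EFF caveats above.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push the overwrite through the OS cache
    # Replace the original name in the directory with a random one before
    # unlinking, so the name itself is less likely to survive in free space.
    anon = os.path.join(os.path.dirname(path), secrets.token_hex(8))
    os.replace(path, anon)
    os.remove(anon)
    return size


def demo() -> tuple:
    """Constructed sample: a small file with recognisable content, overwritten
    twice and removed. Returns (bytes overwritten per pass, still_exists)."""
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "secret.txt")
    with open(target, "wb") as f:
        f.write(b"account=12345; pin=0000\n" * 100)
    size = overwrite_and_unlink(target, passes=2)
    still_exists = os.path.exists(target)
    os.rmdir(workdir)
    return size, still_exists


if __name__ == "__main__":
    print(demo())
```

A second pass buys nothing on a modern drive; the reason to keep the `passes` parameter is only to make that choice explicit. What the function cannot do is reach the copies the operating system made without asking you, which is why the EFF recommends a tool that also wipes free space.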

Monitoring Malware Sinkhole Traffic

Thursday, August 31st, 2017

Consolidated Malware Sinkhole List by Lesley Carhart, Full Spectrum Cyber-Warrior Princess.

From the post:

A common practice of researchers studying a piece of malware is to seize control of its malicious command and control domains, then redirect traffic to them to benign research servers for analysis and victim notification. I always highly recommend monitoring for traffic to these sinkholes – it is frequently indicative of infection.

I’ve found no comprehensive public list of these sinkholes. There have been some previous efforts to compile a list, for instance by reverse engineering Emerging Threats Signatures (mikesxrs – I hope this answers your questions, a little late!). Some sinkholes are documented on the vendors’ sites, while others are clearly labeled in whois data, but undocumented. Still others are only detectable through behavior and hearsay.

Below, I share my personal list of publicly-noted sinkholes only. Please understand that with few exceptions I have not received any of this information from the vendors or organizations mentioned. It is possible there is some misattribution, and addresses in use do change over time. This is merely intended as a helpful aid for threat hunting, and there are no guarantees whatsoever.

An incomplete malware sinkhole list, by her own admission, but an interesting starting point for data collection and analysis.

When I read Carhart’s:

I always highly recommend monitoring for traffic to these sinkholes – it is frequently indicative of infection.

I had to wonder, at what level will you be monitoring traffic "…to these sinkholes?"

Sysadmins monitor their own networks, but traffic can be monitored at higher levels as well.

Monitoring for sinkhole traffic above the level of a single network (an ISP or upstream provider, for instance) would give a broader picture of possible "infections."

A system discovered to be infected by one type of malware may well be vulnerable to other malware with a similar attack vector.

It certainly narrows the hunt for vulnerable systems.
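As an added example (my code, not Carhart's list and not any vendor's tool), here is the monitoring step itself in Python: a set of sinkhole indicators is matched against exported connection records, and every internal host that talked to a sinkhole is reported with the timestamp and the indicator that matched. The indicator values and the log lines are constructed for the example (RFC 5737 documentation address ranges and reserved .example names); substitute the sinkholes you have verified yourself, and remember Carhart's warning that addresses change and attribution can be wrong, so a hit is a lead for triage, not a confirmed infection.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed indicators for this example only (RFC 5737 documentation space and
# reserved .example names). They are NOT taken from Carhart's list; load your own.
SINKHOLE_NETS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.7/32"),
]
SINKHOLE_DOMAINS = ("sinkhole.example.net", "sinkhole.example.org")

# Constructed export in a loose "timestamp src dst queried_domain" format, the
# kind of record a proxy, NetFlow collector or passive-DNS pipeline can emit.
SAMPLE_LOG = """\
2017-08-31T10:00:01Z 10.0.0.5 93.184.216.34 www.example.com
2017-08-31T10:00:07Z 10.0.0.9 198.51.100.20 -
2017-08-31T10:00:09Z 10.0.0.9 198.51.100.21 -
2017-08-31T10:01:13Z 10.0.0.17 203.0.113.7 update.sinkhole.example.net
2017-08-31T10:02:00Z 10.0.0.5 203.0.113.8 cdn.example.com
garbage line that should be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<domain>\S+)$")


def is_sinkhole_ip(addr: str) -> bool:
    """True if addr falls inside any sinkhole network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in SINKHOLE_NETS)


def is_sinkhole_domain(domain: str) -> bool:
    """True if domain is a sinkhole name or a subdomain of one."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in SINKHOLE_DOMAINS)


def find_sinkhole_contacts(log_text: str) -> dict:
    """Return {internal_host: [(timestamp, matched_indicator), ...]} for every
    record that reached a sinkhole IP or resolved a sinkhole name."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed record: skip rather than crash the hunt
        if is_sinkhole_ip(m["dst"]):
            hits[m["src"]].append((m["ts"], m["dst"]))
        elif is_sinkhole_domain(m["domain"]):
            hits[m["src"]].append((m["ts"], m["domain"]))
    return dict(hits)


if __name__ == "__main__":
    for host, events in sorted(find_sinkhole_contacts(SAMPLE_LOG).items()):
        print(host, "->", ", ".join(f"{ts} {ind}" for ts, ind in events))
```

Matching on networks rather than single addresses, and on domain suffixes rather than exact names, is what makes the list survive the drift Carhart describes; the price is that a whole /24 can contain more than the sinkhole, so check what else lives there before you page anyone.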

If you don’t already, follow Lesley Carhart, @hacks4pancakes, or visit her blog, tisiphone.net.

brename – data munging tool

Thursday, August 31st, 2017

brename — a practical cross-platform command-line tool for safely batch renaming files/directories via regular expression

Renaming files is a daily activity when data munging. Wei Shen has created a batch renaming tool with these features:

  • Cross-platform. Supporting Windows, Mac OS X and Linux.
  • Safe. By checking potential conflicts and errors.
  • File filtering. Supporting including and excluding files via regular expression.
    No need to run commands like find ./ -name "*.html" -exec CMD.
  • Renaming submatch with corresponding value via key-value file.
  • Renaming via ascending integer.
  • Recursively renaming both files and directories.
  • Supporting dry run.
  • Colorful output.

Binaries are available for Linux, OS X and Windows, both 32 and 64-bit versions.

Linux has a variety of batch file renaming options, but I didn't see any shortcomings in brename that jumped out at me.

You?

HT, Stephen Turner.
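The "Safe" bullet above is the one worth understanding before trusting any batch renamer with a directory of evidence or data. This added example (my code, not brename's source, and Python rather than brename's Go) shows what that check amounts to: compute every rename from a regular expression, apply include/exclude filters, refuse any rename whose target already exists or is also claimed by another source, and only touch the disk when dry-run is off. The directory listing is constructed.

```python
import os
import re


def plan_renames(names, pattern, replacement, include=None, exclude=None):
    """Return (plan, conflicts) for the file names in one directory.

    plan      : list of (old, new) pairs that are individually safe
    conflicts : list of (old, new, reason) pairs that were refused
    A plan with any conflicts should not be applied, which is the 'safe'
    behaviour the feature list describes. Example code, not brename itself.
    """
    pat = re.compile(pattern)
    inc = re.compile(include) if include else None
    exc = re.compile(exclude) if exclude else None
    existing = set(names)
    plan, conflicts, claimed = [], [], {}
    for old in names:
        if inc and not inc.search(old):
            continue
        if exc and exc.search(old):
            continue
        new = pat.sub(replacement, old)
        if new == old:
            continue
        if new in existing:
            conflicts.append((old, new, "target already exists"))
        elif new in claimed:
            conflicts.append((old, new, f"duplicate target, also from {claimed[new]}"))
        else:
            claimed[new] = old
            plan.append((old, new))
    return plan, conflicts


def apply_renames(directory, plan, dry_run=True):
    """Rename according to plan; with dry_run=True only report what would happen."""
    done = []
    for old, new in plan:
        if not dry_run:
            os.rename(os.path.join(directory, old), os.path.join(directory, new))
        done.append((old, new))
    return done


# Constructed directory listing used by the demo and the assertions.
SAMPLE_NAMES = [
    "report 2017.html",   # would collide with the existing report-2017.html
    "report 2018.html",   # safe
    "report-2017.html",
    "draft notes.txt",    # excluded by the include filter
    "a 1.csv",            # these two both map to a-1.csv: duplicate target
    "a_1.csv",
]


def demo():
    """Replace spaces and underscores with '-' in .html and .csv names only."""
    return plan_renames(SAMPLE_NAMES, r"[ _]", "-", include=r"\.(html|csv)$")


if __name__ == "__main__":
    plan, conflicts = demo()
    print("would rename:", plan)
    print("refused     :", conflicts)
```

The two refusals are the whole point: a renamer that silently overwrites `report-2017.html`, or lets the second of two sources win the race for `a-1.csv`, has destroyed data while appearing to succeed.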

FCC Supports Malware Distribution!

Thursday, August 31st, 2017

Well, not intentionally.

FCC “apology” shows anything can be posted to agency site using insecure API by Sean Gallagher

Gallagher reports that with an API key (obtainable with nothing more than a Gmail account) you can post malicious Word documents to the FCC site.

Not formal support for malware distribution, but the next best thing.

The FCC has been given notice so this is probably a time limited opportunity.

Don’t despair!

Knowing what to look for, you can begin scanning other government websites for a similar weakness.

Journalist tip: As APIs with this weakness are uncovered, trace them back to the contractors who built them. Then run forward to see who the contractors are afflicting now.

Confirmation: Google Does Not Support Free Speech

Wednesday, August 30th, 2017

Google-Funded Think Tank Fired Google Critics After They Dared Criticize Google by Sam Biddle and David Dayen.

From the post:

The New America Foundation's Open Markets group was a rare, loud voice of protest against Google's ever-growing consolidation of economic and technological power around the world. But New America, like many of its fellow think tanks, received millions in funding from one of the targets of its anti-monopoly work, and according to a New York Times report today, pulled the plug after the company's chief executive had enough dissent.

After EU regulators fined Google $2.7 billion earlier this summer, Barry Lynn, who ran the Open Markets division, cheered the decision, adding that “U.S. enforcers should apply the traditional American approach to network monopoly, which is to cleanly separate ownership of the network from ownership of the products and services sold on that network, as they did in the original Microsoft case of the late 1990s.” It didn’t take long for Lynn and his colleagues to suffer the consequences, the Times reports:

Google has long suppressed speech as a government toady, but its open suppression of criticism portends wider and more active censorship of the marketplace of ideas.

Biddle and Dayen do a great job of identifying those who bowed to “displeasure” and those who were displeased. Something to keep in mind when deciding how to act on your displeasure with this misconduct by Google.

We all know that Google makes invaluable contributions to any number of projects but that isn’t a “bye” for abuse of their economic power or the sycophants they fund.

Are You Investing in Data Prep or Technology Skills?

Wednesday, August 30th, 2017

Kirk Borne posted for #wisdomwednesday:

New technologies are my weakness.

What about you?

What if we used data driven decision making?

Different result?

Inspiring Female Hackers – Kronos Malware

Tuesday, August 29th, 2017

Hasherezade authored a two part series:

Inside the Kronos malware – part 1

Inside the Kronos malware – part 2,

an in-depth examination of the Kronos malware.

It’s heavy sledding but is one example of current work being done by a female hacker. If it seems alien now, return to it after you learn some hacking skills to be properly impressed.

BTW, Hasherezade has a blog at: hasherezade’s 1001 nights

PS: There’s a lot of talk about white-hats and black-hats in the cybersecurity community.

My question would be: “What color hat are you paying me to wear? Otherwise, it’s really none of your concern.”

Drop-n-Retrieve Honeypots, Portals, Deception

Monday, August 28th, 2017

A low-cost drop-n-retrieve WiFi device, suitable for use in public, private, commercial and governmental locations.

YouTube has a series of videos on WiNX under the playlist Hacker Arsenal.

You don’t want to search using “WiNX” at YouTube. The most popular results are for Winx Club. Not related.

What Being a Female Hacker Is Really Like

Monday, August 28th, 2017

What Being a Female Hacker Is Really Like by Amanda Rousseau.

I never imagined citing a TeenVogue post on my blog but this one is a must read!

Amanda Rousseau is a white-hat malware expert and co-founder of the blog, VanitySec.

I won’t attempt to summarize her four (4) reasons why women should consider careers as hackers, thinking you need to read the post in full, not my highlights.

Looking forward to more hacker oriented posts in TeenVogue and off now to see what’s up at VanitySec. (Today’s top post: Fall Bags to Conceal Your RFID Reader. Try finding that at your tech feed.)

Hacking For Government Transparency

Monday, August 28th, 2017

The 2017 U.S. State and Federal Government Cybersecurity Report by SecurityScorecard lacks details of specific vulnerabilities for identified government units, but paints an encouraging picture for hackers seeking government transparency.

Coverage of the report:


In August 2017, SecurityScorecard leveraged its proprietary platform to analyze and grade the current security postures of 552 local, state, and federal government organizations, each with more than 100 public-facing IP addresses, to determine the strongest and weakest security standards based on security hygiene and security reaction time compared to their peers.

Security Rankings by Industry

Out of eighteen (18) ranked industries, best to worst security, government comes in at a tempting number sixteen (16).

Financial services, with the fifth (5th) best security, is routinely breached, making it curious the government (#16) has any secrets at all.

Why Any Government Has Secrets

Possible reasons any government has secrets:

  1. Lack of interest?
  2. Lack of effort by the news media?
  3. Habituation to press conferences?
  4. Habituation to "leaks?"
  N. Cybersecurity?

You can wait for governments to embarrass themselves (FOIA and its equivalents), wait for leakers to take a risk for your benefit, or, you could take the initiative in obtaining government secrets.

The SecurityScorecard report makes it clear the odds are in your favor. Your call.

Good News For Transparency Phishers

Friday, August 25th, 2017

If you are a transparency phisher, Shaun Waterman has encouraging news for you in: Most large companies don’t use standard email security to combat spoofing.

From the post:

Only a third of Fortune 500 companies deploy DMARC, a widely-backed best-practice security measure to defeat spoofing — forged emails sent by hackers — and fewer than one-in-10 switch it on, according to a new survey.

The survey, carried out by email security company Agari via an exhaustive search of public Internet records, measured the use of Domain-based Message Authentication, Reporting and Conformance, or DMARC.

“It is unconscionable that only eight percent of the Fortune 500, and even fewer [U.S.] government organizations, are protecting the public against email domain spoofing,” said Patrick Peterson, founder and executive chairman, Agari. A similar survey of federal government agencies earlier this month, by the Global Cyber Alliance, found fewer than five percent of federal domains were protected by switched-on DMARC.

The Agari survey found adoption rates similarly low among companies in the United Kingdom’s FTSE and Australia’s ASX 100.

DMARC is the industry standard measure to prevent hackers from spoofing emails — making their messages appear as if they're sent by someone else. Spoofing is the basis of phishing, a major form of both cybercrime and cyber-espionage, in which an email appearing to come from a trusted company like a bank or government agency contains malicious links, directing readers to a fake site which will steal their login and password when they sign on.

Only eight (8) percent of the Fortune 500 and less than five (5) percent of federal (US) domains have DMARC protection.

I expect DMARC adoption rates fall off rapidly outside the Fortune 500 and among non-federal government domains.

If you are interested in transparency, for private companies or government agencies, the lack of DMARC adoption and use presents a golden opportunity to obtain otherwise hidden information.

As always, who you are and who you are working for, determines the legality of any phishing effort. Consult with an attorney concerning your legal rights and obligations.
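The survey's distinction between "deploying" DMARC and "switching it on" is the detail a transparency phisher, or a defender, actually cares about. A published record with p=none only asks receivers for reports; only p=quarantine or p=reject tells them to act on spoofed mail, and a pct value below 100 applies that policy to just a fraction of messages. This added example (my code, not Agari's survey tooling) parses DMARC TXT records and sorts domains into those buckets. The records are constructed; a real check fetches the TXT record at `_dmarc.<domain>`, which this offline example does not do.

```python
from collections import Counter


def parse_dmarc(txt):
    """Split a DMARC TXT record ("v=DMARC1; p=reject; ...") into a tag dict.
    Returns None for anything that is not a DMARC record."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def classify(txt):
    """Map a record to: 'none' (no usable record), 'monitoring' (p=none, deployed
    but not switched on), 'partial' (enforcing but pct<100), 'enforcing'."""
    tags = parse_dmarc(txt)
    if tags is None or "p" not in tags:
        return "none"  # a record without a p= tag is not a valid policy
    policy = tags["p"].lower()
    if policy not in ("quarantine", "reject"):
        return "monitoring"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    return "enforcing" if pct >= 100 else "partial"


def summarize(records):
    """records: {domain: txt_or_None}. Returns a Counter of classifications."""
    return Counter(classify(txt) for txt in records.values())


# Constructed records for the example (the .example TLD is reserved).
SAMPLE_RECORDS = {
    "a.example": None,                                   # nothing published
    "b.example": "v=DMARC1; p=none; rua=mailto:dmarc@b.example",
    "c.example": "v=DMARC1; p=reject; rua=mailto:dmarc@c.example",
    "d.example": "v=DMARC1; p=quarantine; pct=25",
    "e.example": "v=spf1 -all",                          # SPF, not DMARC
    "f.example": "v=DMARC1; rua=mailto:x@f.example",     # missing p= tag
}


if __name__ == "__main__":
    for domain, txt in SAMPLE_RECORDS.items():
        print(f"{domain:12} {classify(txt)}")
    print(summarize(SAMPLE_RECORDS))
```

Run against your own domain list, the "monitoring" and "partial" buckets are the interesting ones: those organizations believed they had done something about spoofing, and a forged message from their domain will still land.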

FBI As Unpaid Cybersecurity Ad Agency

Friday, August 25th, 2017

Despite its spotty record on cybersecurity expertise, the FBI is promoting competitors of Kaspersky Lab.

Patrick O’Neill‘s account of the FBI’s efforts, FBI pushes private sector to cut ties with Kaspersky:


In the briefings, FBI officials give companies a high-level overview of the threat assessment, including what the U.S. intelligence community says are the Kaspersky’s deep and active relationships with Russian intelligence. FBI officials point to multiple specific accusations of wrongdoing by Kaspersky, such as a well-known instance of allegedly faking malware.

In a statement to CyberScoop, a Kaspersky spokesperson blamed those particular accusations on “disgruntled, former company employees, whose accusations are meritless” while FBI officials say, in private and away from public scrutiny, they know the incident took place and was blessed by the company’s leadership.

The FBI's briefings have seen mixed results. Companies that utilize ICS and SCADA systems have been relatively cooperative, one government official told CyberScoop, due in large part to what's described as an exceptional sense of urgency that dwarfs most other industries. Several of these companies have quietly moved forward on the FBI's recommendations against Kaspersky by, for example, signing deals with Kaspersky competitors.

The firms the FBI have briefed include those that deal with nuclear power, a predictable target given the way the electric grid is increasingly at the center of catastrophic cybersecurity concerns.

The traditional tech giants have been less receptive and cooperative to the FBI’s pitch.

leaves the impression Kaspersky competitors are not compensating the FBI for the additional business.

That’s just wrong! If the FBI drives business to vendors, the public merits a cut of those contracts for services rendered. Members of Congress pushing for the exclusion of Kaspersky are no doubt being compensated but that doesn’t benefit the general public.

The only known validation of the FBI's nationalistic fantasy is the relationship between the US government and US software vendors (see Microsoft says it's already patched flaws exposed in leak of NSA hacks). What motive does the NSA have to withhold flaws from US vendors other than to use them against other nations?

Expecting other governments to act like the US government, and other software vendors to be as spineless as US vendors, makes the FBI's Kaspersky fantasy consistent with its paranoia. Consistency, however, isn't the same as a factual basis.

Free tip for Kaspersky Lab: Starting with your competitors and likely competitors, track their campaign contributions, contacts with the U.S. government, news placements, etc. No small task as acceptance of the FBI’s paranoid delusions didn’t happen overnight. Convictions of incautious individuals for suborning the government for commercial gain would go a long way to countering that tale.

DOJ Wanted To Hunt Down DisruptJ20.org Visitors

Friday, August 25th, 2017

National Public Radio (NPR) details the Department of Justice (DOJ) request for web records from DisruptJ20.org, which organized protests against the coronation of the current U.S. president, in Government Can Search Inauguration Protest Website Records, With Safeguards and Justice Department Narrows Request For Visitor Logs To Inauguration Protest Website. (The second story has the specifics on the demand.)

The narrowed DOJ request excludes:

f. DreamHost shall not disclose records that constitute HTTP requests and error logs.

A win for casual visitors this time, but no guarantees for next time.

The NPR stories detail this latest governmental over-reaching but the better question is:

How to avoid being scooped up if such a request were granted?

One word answer: Tor!

What is Tor?

Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.

Why Anonymity Matters

Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.

What’s your default browser?

If your answer is anything but Tor, you are putting yourself and others at risk.

Air Gapping USB Sticks For Journalists (Or Not! For Others)

Friday, August 25th, 2017

CIRCLean – USB key sanitizer

Journalists are likely to get USB sticks from unknown and/or untrustworthy sources. CIRCLean copies potentially dangerous files on an untrustworthy USB stick, converts those files to a safe format and saves them to your trusted USB stick. (Think of it as not sticking a potentially infected USB into your computer.)

Written instructions, based on the illustrated instructions for CIRCLean:

  1. Unplug the device.
  2. Plug the untrusted USB stick into the top usb slot.
  3. Plug your own, trusted USB stick into the bottom usb slot.
  4. Note: Make sure your USB stick is bigger than the untrusted one. The extracted documents are sometimes bigger than the original ones.

  5. Connect the power to the device.
  6. If your device has a diode, wait until the blinking stops.
  7. Otherwise, plug a headset and listen to the music that is played during the conversion. When the music stops, the conversion is finished.

  8. Unplug the device and remove the USB keys

Label all untrusted USB sticks. "Untrusted" means it has an origin other than you. Unicode U+2620 'skull and crossbones' works: ☠ (a larger image is available from http://graphemica.com/).

It’s really that easy!
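CIRCLean's value is that it never trusts the name on a file: what it does with each one depends on what the bytes say the file is. As an added example (my code, not CIRCLean's or PyCIRCLean's), here is that triage step in Python over a constructed "untrusted stick" in a temporary directory: a file whose magic bytes say executable is quarantined whatever its extension, files whose magic matches a document extension are marked for conversion, plain text and images that match their extension are copied through, and anything unrecognised is quarantined rather than passed along. The magic-byte table and the dangerous-extension set are small illustrative subsets, assumptions for this example and not CIRCLean's lists.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Illustrative subsets (assumptions for this example, not CIRCLean's own lists).
DANGEROUS_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".js", ".vbs",
                 ".ps1", ".lnk", ".hta", ".msi", ".jar"}
MAGIC = [  # (leading bytes, label)
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip-container"),       # also docx/xlsx/pptx/jar
    (b"\xd0\xcf\x11\xe0", "ole-compound"),  # legacy Office, may carry macros
    (b"\xff\xd8\xff", "jpeg"),
]
# extension -> (expected content label, action when extension and content agree)
EXPECTED = {
    ".pdf": ("pdf", "convert"),
    ".docx": ("zip-container", "convert"),
    ".xlsx": ("zip-container", "convert"),
    ".doc": ("ole-compound", "convert"),
    ".xls": ("ole-compound", "convert"),
    ".jpg": ("jpeg", "copy"),
    ".jpeg": ("jpeg", "copy"),
    ".txt": (None, "copy"),
    ".csv": (None, "copy"),
}


def sniff(head: bytes):
    """Label the content from its first bytes, or None if unrecognised."""
    for magic, label in MAGIC:
        if head.startswith(magic):
            return label
    return None


def triage(name: str, head: bytes) -> str:
    """Decide 'copy', 'convert' or 'quarantine' for one file."""
    ext = Path(name).suffix.lower()
    kind = sniff(head)
    if ext in DANGEROUS_EXT:
        return "quarantine"
    if kind in ("pe-executable", "elf-executable"):
        return "quarantine"  # executable hiding behind an innocent extension
    if ext in EXPECTED and EXPECTED[ext][0] == kind:
        return EXPECTED[ext][1]
    return "quarantine"  # unknown type, or extension and content disagree


def triage_tree(root: str):
    """Walk an untrusted tree and return sorted (relative path, verdict) pairs."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            with open(full, "rb") as f:
                head = f.read(8)
            results.append((os.path.relpath(full, root), triage(fname, head)))
    return sorted(results)


def build_and_triage() -> dict:
    """Create a constructed untrusted stick in a temp dir, triage it, clean up."""
    root = tempfile.mkdtemp()
    samples = {
        "invoice.pdf": b"%PDF-1.4\n%...",
        "report.docx": b"PK\x03\x04" + b"\x00" * 20,
        "readme.txt": b"hello from the conference\n",
        "photo.jpg.exe": b"MZ\x90\x00\x03\x00",
        "notes.pdf": b"MZ\x90\x00\x03\x00",          # executable named .pdf
        "legacy.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
        "blob.bin": b"\x00\x01\x02\x03",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    try:
        return dict(triage_tree(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, verdict in build_and_triage().items():
        print(f"{verdict:10} {path}")
```

"Convert" is where the real work happens on a CIRCLean device (documents are rendered to a form that cannot carry macros or scripts); this example only decides which files deserve it. The conservative default, quarantine when in doubt, is what keeps the trusted stick trustworthy.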

On The Flip Side

Modifying the CIRCLean source to maintain its present capabilities but adding your malware to the “trusted” USB stick offers a number of exciting possibilities.

Security is all the rage in the banking industry, making a Raspberry Pi (with diode), an attractive case, and your USB malware great banking convention swag.

Listing of banking conferences are maintained by the American Bankers Association, the European Banking Association, and Asian Banking & Finance, to name just a few.

A low-cost alternative to a USB cleaning/malware installing Raspberry Pi would be to use infected USB sticks as swag. "Front Office Staff: After Hours" or some similar title. If that sounds sexist, it is, but traps use bait based on their target's proclivities, not yours.

PS: Ethics/legality:

The ethics of spreading malware to infrastructures based on a “white, cisheteropatriarchal*” point of view, I leave for others to discuss.

The legality of spreading malware depends on who’s doing the spreading and who’s being harmed. Check with legal counsel.

* A phrase I stole from: Women’s Suffrage Leaders Left Out Black Women. A great read.

Blasphemy and Related Laws (Censorship)

Thursday, August 24th, 2017

Years ago I encountered a description of a statement as being so vile that it made:

…strong men curse and women faint…

The author did not capture the statement and I don’t remember the book with that description. Based on the sexism in the quote, I’m assuming either the work or the time described was late 19th century.

Suggestions?

Blasphemy is a possible subject area for such a statement and the Library of Congress has helpfully compiled:

Blasphemy and Related Laws.

Description:

This report surveys laws criminalizing blasphemy, defaming religion, harming religious feelings, and similar conduct in 77 jurisdictions. In some instances the report also addresses laws criminalizing proselytization. Laws prohibiting incitement to religious hatred and violence are outside the scope of this report, although in some cases such laws are mentioned where they are closely intertwined with blasphemy. The report focuses mostly on laws at the national level, and while it aims to cover the majority of countries with such laws, it does not purport to be comprehensive.

I recognize not blaspheming in the presence of believers as a social courtesy but the only true blasphemy, in my view, is censorship of the speech of others.

Censorship of blasphemy implies a Deity threatened by human speech. That is a slander of any Deity worthy of worship.

58 Newsletters About Journalism

Wednesday, August 23rd, 2017

An incomplete list of newsletters about journalism (Compiled by Joseph Lichterman, Lenfest Institute for Journalism, joseph@lenfestinstitute.org)

Fifty-eight (58) newsletters as of today.

Some you will recognize, some you won’t.

Anything you see missing?

Censors To Hate: Alison Saunders, Crown Prosecution Services

Wednesday, August 23rd, 2017

There is no complete list of censors to hate, but take all the posts marked censorship as a starting point for an incomplete list.

Alison Saunders in Hate is hate. Online abusers must be dealt with harshly announces the bizarre proposition:


the Crown Prosecution Service (CPS) today commits to treat online hate crimes as seriously as those committed face to face.

Not distinguishing between face to face versus online hate crimes places the value of a University of Leeds legal education in question.

Unlike a face to face hate crime, all online users have access to an on/off button to immediately terminate any attempt at a hate crime.

Moreover, applications worthy of use offer a variety of filtering mechanisms, by which an intended victim of a hate crime can avoid contact with a would be abuser.

Saunders claims 15,000 hate crime prosecutions in 2015-2016 (More hate crimes prosecuted by the Crown Prosecution Service than ever before), but fails to point out that the conviction rate was 82.9%.

If these were all online crimes, Saunders and the CPS would be prosecuting almost 1 in 5 cases where no crime was committed.

Or put differently, there is a four out of five chance if charged with a hate crime, you will be convicted.

Are you more or less likely to make a strong objection or post if there is a four out of five chance you will be convicted of a crime?

Check your local laws before acting on any hatred for Alison Saunders or Crown Prosecution Services.

Citizens of the world must oppose censors and censorship everywhere. If you can’t criticize local censorship, speak out against censors elsewhere.

Rethinking (read abandoning) Free Speech

Saturday, August 19th, 2017

If The A.C.L.U. Needs to Rethink Free Speech by K-Sue Park were an exercise in legal logic, Park would get an F.

These paragraphs capture Park's argument:


After the A.C.L.U. was excoriated for its stance, it responded that “preventing the government from controlling speech is absolutely necessary to the promotion of equality.” Of course that’s true. The hope is that by successfully defending hate groups, its legal victories will fortify free-speech rights across the board: A rising tide lifts all boats, as it goes.

While admirable in theory, this approach implies that the country is on a level playing field, that at some point it overcame its history of racial discrimination to achieve a real democracy, the cornerstone of which is freedom of expression.

I volunteered with the A.C.L.U. as a law student in 2011, and I respect much of its work. But it should rethink how it understands free speech. By insisting on a narrow reading of the First Amendment, the organization provides free legal support to hate-based causes. More troubling, the legal gains on which the A.C.L.U. rests its colorblind logic have never secured real freedom or even safety for all.

For marginalized communities, the power of expression is impoverished for reasons that have little to do with the First Amendment. Numerous other factors in the public sphere chill their voices but amplify others.

Without doubt, the government, American society in general and the legal system in particular are not race-, gender-, class-, or in any other meaningful sense, blind. Marginalized communities bear the brunt of that lack of blindness.

If the legal system deprives those with privilege and power of free speech, what does logic and experience dictate will be the impact on marginalized communities?

Are you expecting a different free speech result for the marginalized from courts that discriminate against them?

If yes, call your mother to say your failure at legal logic is putting the marginalized in harm’s way. (post her reaction)

Updating “First they came …”

Friday, August 18th, 2017

Photo caption: Rev. Martin Niemöller takes part in an ecumenical gathering in the Grote Kerk in The Hague. From left to right [right to left in the mirrored image!]: Rev. M.N.W. Smitvoors (of the Hague Ecumenical Council), Rev. Niemöller and Prof. P. Kaetske, pastor of the German Evangelical congregation in The Hague. 27 May 1952.

An updated version of Martin Niemöller‘s First they came … for censors:

First they censored pornographers, and I did not speak out—
Because I was not a pornographer.

Then they censored terrorists, and I did not speak out—
Because I was not a terrorist.

Then they censored “hate speech,” and I did not speak out—
Because I don’t use “hate speech.”

Then they censored Nazis, and I did not speak out—
Because I was not a Nazi.

Then they censored the KKK, and I did not speak out—
Because I was not a member of the KKK.

Then they censored the alt-Right, and I did not speak out—
Because I was not a member of the alt-Right.

Then they censored the environmentalists, and I did not speak out—
Because I was not an environmentalist.

Then they censored the feminists, and I did not speak out—
Because I was not a feminist.

Then they censored #BlackLivesMatter, and I did not speak out—
Because I was not Black.

Then they censored me—and no one was able to speak for me.

Feel free to add to or re-order “Then they censored…” lines based on your own priorities and experience.

For a defense of free speech, consider the 1934 ACLU pamphlet entitled: “Shall We Defend Free Speech for Nazis in America?“:


To those who advocate suppressing propaganda they hate, we ask—where do you draw the line? They can answer only in the terms of revolutionists—at our political enemies. But experience shows that "political enemies" is a broad term, and has covered the breaking up even of working class meetings by rival working class organizations. It illustrates the danger, and the impracticality of making any distinctions in defending rights sought by all.

To those who urge suppression of meetings that may incite riot or violence, the complete answer is that nobody can tell in advance what meetings may do so. Where there is reasonable ground for apprehension, the police can ordinarily prevent disorder.

To those who would suppress meetings where race or religious hatred is likely to be stirred up, the answer is simple,—that there is no general agreement on what constitutes race or religious prejudice. Once the bars are so let down, the field is open for all-comers to charge such prejudice against any propagandists, — Communists, Socialists, atheists,—even Jews attacking the Nazis. On that ground the Union has opposed the anti-Nazi bills introduced in the New York and New Jersey legislatures punishing propaganda which “stirs up race or religious hatred” or “domestic strife”. No laws can be written to outlaw Nazi propaganda without striking at freedom of speech in general.

Further, we point out the inevitable effect of making martyrs by persecution. Persecute the Nazis, drive them underground, imitate their methods in Germany—and attract to them hundreds of sympathizers with the persecuted who would otherwise be indifferent. The best way to combat their propaganda is in the open where it can be fought by counter-propaganda, protest demonstrations, picketing—and all the devices of attack which do not involve denying their rights to meet and speak.

Authored 83 years ago, the ACLU position on free speech is remarkably relevant today.

“[S]tirs up race or religious hatred” sounds a lot like “hate speech.”

Propaganda to suppress equals “political enemies.”

Political enemies today include the alt-right, Nazis, white supremacists, feminists, #Blacklivesmatter, and others, depending upon your personal perspective.

Three of the world’s largest censors, Google, Facebook and Twitter, pout that freedom of speech doesn’t apply to them as non-governments.

True enough but their censorship spans governments, creating an even greater denial of the basic right to be heard.

If censorship is the question, none is the answer.


I cannot claim credit for finding the 1934 ACLU pamphlet. See: Free Speech or Hate Speech? Civil Liberties Body ACLU Will No Longer Defend Gun-Carrying Protest Groups by Josh Lowe.

Yes, the ACLU is retreating from a long and honorable history of defending the First Amendment. (I won’t speculate on their motivations.)

If You See Something, Save Something (Poke A Censor In The Eye)

Thursday, August 17th, 2017

If You See Something, Save Something – 6 Ways to Save Pages In the Wayback Machine by Alexis Rossi.

From the post:

In recent days many people have shown interest in making sure the Wayback Machine has copies of the web pages they care about most. These saved pages can be cited, shared, linked to – and they will continue to exist even after the original page changes or is removed from the web.

There are several ways to save pages and whole sites so that they appear in the Wayback Machine. Here are 6 of them.

In the comments, Ellen Spertus mentions a 7th way: Donate to the Internet Archive!

It’s the age of censorship, by governments, DMCA, the EU (right to be forgotten), Facebook, Google, Twitter and others.

Poke a censor in the eye, see something, save something to the Wayback Machine.

The Wayback Machine can’t stop all censorship, so save local and remote copies as well.

Keep poking until all censors go blind.

Emojipedia

Thursday, August 17th, 2017

Emojipedia

If you aren’t familiar with Emojipedia, be forewarned: It’s a real time sink! 😉

In small doses it’s highly entertaining and a necessity in some communities.

Enjoy!

Sex Trafficking at Hartsfield-Jackson Airport – Quick, Censor the Internet!

Friday, August 11th, 2017

Hartsfield-Jackson airport in Atlanta, GA, is the hub of sex trafficking in the United States.

FBI reports that Atlanta is the center for the sex-trafficking of adolescents and around 200 to 300 youth are prostituted in Atlanta a month. (At world’s busiest airport, sex trafficking abounds)

With an average of 20 to 30 youths prostituted a day in Atlanta, some members of Congress want to address sex trafficking by censoring the Internet.

Elliot Harmon in Internet Censorship Bill Would Spell Disaster for Speech and Innovation, puts it this way:

There’s a new bill in Congress that would threaten your right to free expression online. If that weren’t enough, it could also put small Internet businesses in danger of catastrophic litigation.

Don’t let its name fool you: the Stop Enabling Sex Traffickers Act (SESTA, S. 1693) wouldn’t help punish sex traffickers. What the bill would do (PDF) is expose any person, organization, platform, or business that hosts third-party content on the Internet to the risk of overwhelming criminal and civil liability if sex traffickers use their services. For small Internet businesses, that could be fatal: with the possibility of devastating litigation costs hanging over their heads, we think that many entrepreneurs and investors will be deterred from building new businesses online.

Make no mistake: sex trafficking is a real, horrible problem. This bill is not the way to address it. Lawmakers should think twice before passing a disastrous law and endangering free expression and innovation.

Rather than focusing on a known location for sex trafficking, Congress is putting “…small Internet businesses…” in harm’s way.

The large content providers, Facebook, Google, Twitter, already have the financial and technical resources to meet the demands of SESTA. So in a very real sense, SESTA isn’t anti-sex trafficking but rather anti-small Internet business, in addition to being a threat to free speech.

Call your member of the U.S. House or the U.S. Senate, asking for their vote against Stop Enabling Sex Traffickers Act (SESTA, S. 1693).

SESTA:

  1. Endangers free speech
  2. Favors large content providers over small ones
  3. Ignores known sex trafficking locations
  4. Is a non-solution to a known problem

Sex trafficking is a serious problem that needs a workable solution. Not an ineffectual, cosmetic non-solution that favors large content providers over smaller ones.

DNA Injection Attack (Shellcode in Data)

Thursday, August 10th, 2017

BioHackers Encoded Malware in a String of DNA by Andy Greenberg.

From the post:

WHEN BIOLOGISTS SYNTHESIZE DNA, they take pains not to create or spread a dangerous stretch of genetic code that could be used to create a toxin or, worse, an infectious disease. But one group of biohackers has demonstrated how DNA can carry a less expected threat—one designed to infect not humans nor animals but computers.

In new research they plan to present at the USENIX Security conference on Thursday, a group of researchers from the University of Washington has shown for the first time that it’s possible to encode malicious software into physical strands of DNA, so that when a gene sequencer analyzes it the resulting data becomes a program that corrupts gene-sequencing software and takes control of the underlying computer. While that attack is far from practical for any real spy or criminal, it’s one the researchers argue could become more likely over time, as DNA sequencing becomes more commonplace, powerful, and performed by third-party services on sensitive computer systems. And, perhaps more to the point for the cybersecurity community, it also represents an impressive, sci-fi feat of sheer hacker ingenuity.

“We know that if an adversary has control over the data a computer is processing, it can potentially take over that computer,” says Tadayoshi Kohno, the University of Washington computer science professor who led the project, comparing the technique to traditional hacker attacks that package malicious code in web pages or an email attachment. “That means when you’re looking at the security of computational biology systems, you’re not only thinking about the network connectivity and the USB drive and the user at the keyboard but also the information stored in the DNA they’re sequencing. It’s about considering a different class of threat.”

Very high marks for imaginative delivery but at its core, this is shellcode in data.

Shellcode in an environment the authors describe as follows:


Our results, and particularly our discovery that bioinformatics software packages do not seem to be written with adversaries in mind, suggest that the bioinformatics pipeline has to date not received significant adversarial pressure.

(Computer Security, Privacy, and DNA Sequencing: Compromising Computers with Synthesized DNA, Privacy Leaks, and More)

Question: Can you name any data pipelines that have been subjected to adversarial pressure?

The reading of DNA and transposition into machine format reminds me that a data pipeline could ingest apparently non-hostile data and as a result of transformations/processing, produce hostile data at some point in the data stream.

Transformation into shellcode, now that’s a very interesting concept.
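The pipeline point above, as an added example that is not code from the University of Washington paper or from any sequencing package: input that is nothing but A/C/G/T passes every text-level check, yet the decoding stage turns it into arbitrary bytes, so the length limit a downstream stage relies on has to be enforced on the decoded output, at the step that produces it. The 2-bits-per-base encoding, the minimal FASTQ reader, the hypothetical buffer limit `max_decoded_len` and the sample reads are all constructed for this illustration.

```python
# Added example, not from the paper or any real bioinformatics tool.
# Shows why a size check on the raw text is not a size check on what the
# pipeline actually produces after transformation.

BASES = "ACGT"
_BASE_TO_BITS = {b: i for i, b in enumerate(BASES)}


def bytes_to_bases(data: bytes) -> str:
    """Encode each byte as four bases, two bits per base, high bits first (assumed scheme)."""
    return "".join(BASES[(byte >> shift) & 0b11]
                   for byte in data for shift in (6, 4, 2, 0))


def bases_to_bytes(read: str) -> bytes:
    """Inverse of bytes_to_bases; rejects non-ACGT characters and partial bytes."""
    if len(read) % 4:
        raise ValueError("read length is not a multiple of 4 bases")
    out = bytearray()
    for i in range(0, len(read), 4):
        value = 0
        for base in read[i:i + 4]:
            value = (value << 2) | _BASE_TO_BITS[base]   # KeyError on non-ACGT input
        out.append(value)
    return bytes(out)


def parse_fastq(text: str):
    """Minimal FASTQ reader yielding (name, sequence) for well-formed 4-line records."""
    lines = text.splitlines()
    for i in range(0, len(lines) - 3, 4):
        name, seq, plus, qual = lines[i:i + 4]
        if not name.startswith("@") or plus != "+" or len(qual) != len(seq):
            raise ValueError(f"malformed FASTQ record at line {i + 1}")
        yield name[1:], seq


def decode_reads(fastq_text: str, max_decoded_len: int):
    """Decode every read, refusing any whose decoded form would exceed the
    buffer the next stage can hold. The guard sits on the transformed data,
    not on the harmless-looking text, and runs before the bytes are handed on."""
    results = []
    for name, seq in parse_fastq(fastq_text):
        decoded_len = len(seq) // 4
        if decoded_len > max_decoded_len:
            raise ValueError(
                f"read {name}: {decoded_len} decoded bytes exceeds limit {max_decoded_len}")
        results.append((name, bases_to_bytes(seq)))
    return results


# Constructed sample: two reads that look like ordinary sequence text but
# decode to ASCII. Quality strings are dummy 'I' characters of matching length.
SAMPLE_FASTQ = (
    "@read1\n" + bytes_to_bases(b"hello") + "\n+\n" + "I" * 20 + "\n"
    + "@read2\n" + bytes_to_bases(b"just ordinary text") + "\n+\n" + "I" * 72 + "\n"
)

if __name__ == "__main__":
    for name, payload in decode_reads(SAMPLE_FASTQ, max_decoded_len=32):
        print(name, payload)
```

The same guard pattern applies to any stage that changes the representation of its input (decompression, decoding, unescaping): validate the size and shape of what comes out of the transformation, not only what went in.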

#FCensor – Facebook Bleeding Red Ink of Censorship

Thursday, August 10th, 2017

Naked down under: Facebook censors erotic art

From the post:

Facebook has censored Fine Art Bourse’s (FAB) adverts for the online auction house’s relaunch sale of erotic art on the grounds of indecency. In 2015, FAB, then based in London, went into receivership shortly before its first sale after running out of funds due to a delay in building the technology required to run the cloud-based auctions. But the founder, Tim Goodman, formerly owner of Bonhams & Goodman and then Sotheby’s Australia under license, has now relaunched the firm in his native Australia, charging a 5% premium to both buyers and sellers and avoiding VAT, GST and sales tax on service charges by running auctions via a server in Hong Kong.

When Goodman attempted to run a series of adverts for his relaunch sale of Erotic, Fetish, & Queer Art & Objects on 12 September, Facebook barred the adverts citing its policy against “adverts that depict nudity” including “the use of nudity for artistic or educational purposes”.

Remember to use #FCensor for all Facebook censorship. (#GCensor for Google censoring, #TCensor for Twitter censoring.)

Every act of censorship by Facebook and every person employed as a censor, is a splash of red ink on the books at Facebook. Red ink that has no profit center offset.

Facebook can and should erase the red ink of censorship from its books.

Provide users with effective self-help filtering, being able to “follow” filters created by others and empowering advertisers to filter the content in proximity to their ads (for an extra $fee), moves censoring cost (read Facebook red ink) onto users and advertisers, improving Facebook’s bottom line.

What sane investor would argue with that outcome?

Better and “following” filters would enable users to create their own custom echo chambers. Oh, yeah, that’s part of the problem isn’t it? Zuckerberg and his band of would-be messiahs want the power to decide what the public sees.

I’ll pass. How about you?

Investors! Use your stock and dollars to save all of us from a Zuckerberg view of the world. Thanks!

Why Astronomers Love Python And Why You Should Too (Search Woes)

Thursday, August 10th, 2017

From the description:

The Python programming language is a widely used tool for basic and advanced research in Astronomy. Watch this amazing presentation to learn specifics of using Python by astronomers. (Jake Vanderplas, speaker)

The only downside to the presentation is Vanderplas mentions software being on Github, but doesn’t supply the URLs.

For example, if you go to Github and search for “Large Synoptic Survey Telescope” you get two (2) results:

Both “hits” are relevant but what did we miss?

Try searching for LSSTC.

There are twelve (12) “hits” with the first one being highly relevant and completely missed by the prior search.

Two lessons here:

  1. Search is a lossy way to navigate Github.
  2. Do NOT wave your hands in the direction of Github for software. Give URLs.

Links from above:

bho4/LSST Placeholder, no content.

LSSTC-DSFP-Sessions

Lecture slides, Jupyter notebooks, and other material from the LSSTC Data Science Fellowship Program

smonkewitz/scisql

Science-specific tools and extensions for SQL. Currently the project contains user defined functions (UDFs) for MySQL including spatial geometry, astronomy specific functions and mathematical functions. The project was motivated by the needs of the Large Synoptic Survey Telescope (LSST).

Defeat FBI Video Booby-Trap

Wednesday, August 9th, 2017

Joseph Cox details “…deanonymizing people in a targeted way using novel or unorthodox law enforcement techniques…” in The FBI Booby-Trapped a Video to Catch a Suspected Tor Sextortionist.

Not an attack on Tor per se but defeated the use of Tor nonetheless.

Can you spot the suspect’s error?

From the complaint:


F. Law Enforcement Identifies “Brian Kil’s” True IP Address

51. On June 9, 2017, the Honorable Debra McVicker Lynch authorized the execution of a Network Investigative Technique “NIT” (defined in Clause No. 1:17-mj-437) in order to ascertain the IP address associated with Brian Kil and Victim 2.

52. As set forth in the search warrant application presented to Judge Lynch, the FBI was authorized by the Court to add a small piece of code (NIT) to a normal video file produced by Victim 2, which did not contain any visual depictions of any minor engaged in sexually explicit activity. As authorized, the FBI then uploaded the video file containing the NIT to the Dropbox.com account known only to Kil and Victim 2. When Kil viewed the video containing the NIT on a computer, the NIT would disclose the true IP address associated with the computer used by Kil.

57. When Kil viewed the video containing the NIT on a computer the NIT disclosed the true IP address associated with the computer used by Kil.

Where did “Kil’s” opsec fail?

“Kil” viewed content of unknown origin on a networked computer.

“Kil” thought the content originated with Victim 2, but all remote content on the Internet should be treated as being of unknown origin.

No one knows if you are a dog on the Internet just as you don’t know if the FBI sent the video you are playing.

Content of unknown origin is examined and stays on non-networked computers. Copy text only to networked systems. If you need the original content, well, you have been warned.

You can see the full complaint at:
https://assets.documentcloud.org/documents/3914871/Hernandez-NIT-Complaint.pdf

Best practice: Remote content, even if from known source, is of unknown origin. (A comrade may have made the document, video, image, but government agents intercepted and infected it.)

PS: I’m no fan of sextortionists but I am concerned about the use of “booby-trapped” videos against political activists. (Makes you wonder about “jihadist” videos on YouTube doesn’t it?)

Open Source Safe Cracking Robots

Wednesday, August 9th, 2017

Live, robotic, safe cracking demo. No pressure, no pressure!

One of the most entertaining and informative presentations you are likely to see this year! It includes an opening tip for those common digital safes found in hotel rooms.

From the description:

We’ve built a $200 open source robot that cracks combination safes using a mixture of measuring techniques and set testing to reduce crack times to under an hour. By using a motor with a high count encoder we can take measurements of the internal bits of a combination safe while it remains closed. These measurements expose one of the digits of the combination needed to open a standard fire safe. Additionally, ‘set testing’ is a new method we created to decrease the time between combination attempts. With some 3D printing, Arduino, and some strong magnets we can crack almost any fire safe. Come checkout the live cracking demo during the talk!

Don’t miss their highly informative website, SparkFun Electronics.

Open source, part of the Maker community!

This won’t work against quality safes in highly secure environments but most government safes are low-bidder/low-quality and outside highly secure environments. Use tools appropriate for the security environment.

GraphSON and TinkerPop systems

Tuesday, August 8th, 2017

Tips for working with GraphSON and TinkerPop systems by Noah Burrell.

From the post:

If you are working with the Apache TinkerPop™ framework for graph computing, you might want to produce, edit, and save graphs, or parts of graphs, outside the graph database. To accomplish this, you might want a standardized format for a graph representation that is both machine- and human-readable. You might want features for easily moving between that format and the graph database itself. You might want to consider using GraphSON.

GraphSON is a JSON-based representation for graphs. It is especially useful to store graphs that are going to be used with TinkerPop™ systems, because Gremlin (the query language for TinkerPop™ graphs) has a GraphSON Reader/Writer that can be used for bulk upload and download in the Gremlin console. Gremlin also has a Reader/Writer for GraphML (XML-based) and Gryo (Kryo-based).

Unfortunately, I could not find any sort of standardized documentation for GraphSON, so I decided to compile a summary of my research into a single document that would help answer all the questions I had when I started working with it.

Bookmark or better yet, copy-n-paste “Vertex Rules and Conventions” to print on one page and then print “Edge Rules and Conventions” on the other.

Could possibly get both on one page but I like larger font sizes. 😉

Type in the “Example GraphSON Structure” to develop finger knowledge of the format.

Watch for future posts from Noah Burrell. This is useful.
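To make the vertex and edge conventions concrete, here is an added example (not code from Noah Burrell’s post or from the TinkerPop project) that writes and reads the one-vertex-per-line, adjacency-list style of GraphSON and then checks the convention that every edge appears twice: once under `outE` on its source vertex and once under `inE` on its target vertex. The exact key names used (`id`, `label`, `properties`, `outE`, `inE`, `inV`, `outV`), the string ids given to vertex properties, and the sample graph are assumptions of this example, and the consistency check is the kind of thing a practitioner wants before bulk-loading a hand-edited file.

```python
import json

# Added example; assumed layout: one JSON object per line per vertex, carrying
# its own properties plus outE/inE adjacency keyed by edge label.


def write_graphson(vertices, edges) -> str:
    """vertices: {vid: (label, {prop: value})}
    edges: [(eid, label, out_v, in_v, {prop: value})]"""
    records = {}
    for vid, (label, props) in vertices.items():
        records[vid] = {
            "id": vid,
            "label": label,
            # Vertex property values are lists: a key may hold several values.
            "properties": {k: [{"id": f"{vid}-{k}", "value": v}] for k, v in props.items()},
            "outE": {},
            "inE": {},
        }
    for eid, label, out_v, in_v, props in edges:
        records[out_v]["outE"].setdefault(label, []).append(
            {"id": eid, "inV": in_v, "properties": dict(props)})
        records[in_v]["inE"].setdefault(label, []).append(
            {"id": eid, "outV": out_v, "properties": dict(props)})
    return "\n".join(json.dumps(records[v], sort_keys=True) for v in sorted(records))


def read_graphson(text):
    """Parse one-vertex-per-line GraphSON into (vertices, out_edges, in_edges).
    The two edge dicts keep the two halves of each edge separate so they can be compared."""
    vertices, out_edges, in_edges = {}, {}, {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        vid = rec["id"]
        props = {k: vals[0]["value"] for k, vals in rec.get("properties", {}).items()}
        vertices[vid] = (rec["label"], props)
        for label, elist in rec.get("outE", {}).items():
            for e in elist:
                out_edges[e["id"]] = (label, vid, e["inV"], e.get("properties", {}))
        for label, elist in rec.get("inE", {}).items():
            for e in elist:
                in_edges[e["id"]] = (label, e["outV"], vid)
    return vertices, out_edges, in_edges


def check_consistency(vertices, out_edges, in_edges):
    """Return a list of problems: edges pointing at vertices that are not in the
    file, and edges whose outE and inE halves are missing or disagree."""
    problems = []
    for eid, (label, out_v, in_v, _) in out_edges.items():
        if in_v not in vertices:
            problems.append(f"edge {eid} points at unknown vertex {in_v}")
        mirror = in_edges.get(eid)
        if mirror is None:
            problems.append(f"edge {eid} has no inE entry on vertex {in_v}")
        elif mirror != (label, out_v, in_v):
            problems.append(f"edge {eid}: outE and inE halves disagree")
    for eid in in_edges:
        if eid not in out_edges:
            problems.append(f"edge {eid} has an inE entry but no outE entry")
    return problems


# Constructed sample graph (loosely modelled on TinkerPop's small toy graph).
SAMPLE_VERTICES = {
    1: ("person", {"name": "marko", "age": 29}),
    2: ("person", {"name": "vadas", "age": 27}),
    3: ("software", {"name": "lop", "lang": "java"}),
}
SAMPLE_EDGES = [
    (7, "knows", 1, 2, {"weight": 0.5}),
    (9, "created", 1, 3, {"weight": 0.4}),
]

if __name__ == "__main__":
    text = write_graphson(SAMPLE_VERTICES, SAMPLE_EDGES)
    print(text)
    print("problems:", check_consistency(*read_graphson(text)))
```

Deleting one vertex line from a file edited by hand is the typical failure: the remaining vertices still carry `outE` entries that point at it, which the check reports before the loader does.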

Radio Navigation, Dodging Government GPS

Tuesday, August 8th, 2017

Radio navigation set to make global return as GPS backup, because cyber by Sean Gallagher.

From the post:

Way back in the 1980s, when I was a young naval officer, the Global Positioning System was still in its experimental stage. If you were in the middle of the ocean on a cloudy night, there was pretty much only one reliable way to know where you were: Loran-C, the hyperbolic low-frequency radio navigation system. Using a global network of terrestrial radio beacons, Loran-C gave navigators aboard ships and aircraft the ability to get a fix on their location within a few hundred feet by using the difference in the timing of two or more beacon signals.

An evolution of World War II technology (LORAN was an acronym for long-range navigation), Loran-C was considered obsolete by many once GPS was widely available. In 2010, after the US Coast Guard declared that it was no longer required, the US and Canada shut down their Loran-C beacons. Between 2010 and 2015, nearly everyone else shut down their radio beacons, too. The trial of an enhanced Loran service called eLoran that was accurate within 20 meters (65 feet) also wrapped up during this time.

But now there’s increasing concern about over-reliance in the navigational realm on GPS. Since GPS signals from satellites are relatively weak, they are prone to interference, accidental or deliberate. And GPS can be jammed or spoofed—portable equipment can easily drown them out or broadcast fake signals that can make GPS receivers give incorrect position data. The same is true of the Russian-built GLONASS system.

Sean focuses on the “national security” needs for a backup to GPS but it isn’t North Koreans, Chinese or Russians who are using Stingray devices against US citizens.

No, those are all in use by agents of the federal and/or state governments. Ditto for anyone spoofing your GPS in the United States.

You need a GPS backup, but your adversary is quite close to home.

The new protocol is called eLoran and Sean has a non-technical overview of it.

You would have unusual requirements to need a private eLoran but so you have an idea of what is possible:


eLoran technology has been available since the mid-1990s and is still available today. In fact, the state-of-the-art of eLoran continues to advance along with other 21st-century technology. eLoran system technology can be broken down into a few simple components: transmitting site, control and monitor site, differential reference station site and user equipment.

Modern transmitting site equipment consists of a high-power, modular, fully redundant, hot-swappable and software configurable transmitter, and sophisticated timing and control equipment. Standard transmitter configurations are available in power ranges from 125 kilowatts to 1.5 megawatts. The timing and control equipment includes a variety of external timing inputs to a remote time scale, and a local time scale consisting of three ensembled cesium-based primary reference standards. The local time scale is not directly coupled to the remote time scale. Having a robust local time scale while still monitoring many types of external time sources provides a unique ability to provide proof-of-position and proof-of-time. Modern eLoran transmitting site equipment is smaller, lighter, requires less input power, and generates significantly less waste heat than previously used Loran-C equipment.

The core technology at a differential eLoran reference station site consists of three differential eLoran reference station or integrity monitors (RSIMs) configurable as reference station (RS) or integrity monitor (IM) or hot standby (RS or IM). The site includes electric field (E-field) antennas for each of the three RSIMs.

Modern eLoran receivers are really software-defined radios, and are backward compatible with Loran-C and forward compatible, through firmware or software changes. ASF tables are included in the receivers, and can be updated via the Loran data channel. eLoran receivers can be standalone or integrated with GNSS, inertial navigation systems, chip-scale atomic clocks, barometric altimeters, sensors for signals-of-opportunity, and so on. Basically, any technology that can be integrated with GPS can also be integrated with eLoran.

Innovation: Enhanced Loran, GPS World (May, 2015)

Some people are happy with government controlled services. Other people, not so much.

Who is determining your location?
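Sean’s description of a Loran fix (position from the difference in arrival times of two or more beacon signals) is a hyperbolic positioning problem, and it is worth seeing how little it takes. The following is an added example, not code from Sean Gallagher’s article, the GPS World piece, or any eLoran receiver: a two-dimensional Gauss-Newton solver that turns time differences of arrival relative to a master beacon into a position, plus a cross-check that compares that position against an independently obtained fix (for instance GPS) and flags a disagreement larger than a tolerance, which is the “proof-of-position” idea in defensive form. The beacon layout, the receiver position and the initial guess are constructed; emission delays, propagation (ASF) corrections and earth curvature are ignored, which is an assumption that holds only for this flat, noise-free illustration.

```python
import math

# Added example; flat-earth, noise-free model with no ASF or emission-delay terms.
C_KM_PER_US = 0.299792458  # vacuum speed of light in km per microsecond (assumed)

# Constructed beacon chain: index 0 is the master, the rest are secondaries (km).
BEACONS = [(0.0, 0.0), (300.0, 0.0), (0.0, 300.0), (300.0, 300.0)]


def ranges(pos, beacons):
    """Distance from pos to every beacon, in km."""
    x, y = pos
    return [math.hypot(x - bx, y - by) for bx, by in beacons]


def observed_tdoas(pos, beacons):
    """Time differences of arrival (microseconds) of each secondary relative to
    the master, as a receiver at pos would measure them."""
    r = ranges(pos, beacons)
    return [(ri - r[0]) / C_KM_PER_US for ri in r[1:]]


def hyperbolic_fix(tdoas_us, beacons, guess, iters=20):
    """Gauss-Newton solution of the 2-D hyperbolic positioning problem:
    find (x, y) such that range_i - range_0 matches c * tdoa_i for each secondary."""
    x, y = guess
    mx, my = beacons[0]
    for _ in range(iters):
        r = ranges((x, y), beacons)
        res, jac = [], []
        for i, (bx, by) in enumerate(beacons[1:], start=1):
            res.append((r[i] - r[0]) - tdoas_us[i - 1] * C_KM_PER_US)
            # partial derivatives of (range_i - range_0) with respect to x and y
            jac.append(((x - bx) / r[i] - (x - mx) / r[0],
                        (y - by) / r[i] - (y - my) / r[0]))
        # normal equations  (J^T J) [dx, dy] = -J^T res, solved as a 2x2 system
        a = sum(j[0] * j[0] for j in jac)
        b = sum(j[0] * j[1] for j in jac)
        d = sum(j[1] * j[1] for j in jac)
        g0 = sum(j[0] * ri for j, ri in zip(jac, res))
        g1 = sum(j[1] * ri for j, ri in zip(jac, res))
        det = a * d - b * b
        if abs(det) < 1e-12:
            break  # degenerate geometry; no further improvement possible
        dx = -(d * g0 - b * g1) / det
        dy = -(-b * g0 + a * g1) / det
        x, y = x + dx, y + dy
        if math.hypot(dx, dy) < 1e-9:
            break
    return x, y


def cross_check(primary_fix, loran_fix, tolerance_km):
    """True when an independent fix (e.g. from a GNSS receiver) agrees with the
    Loran fix to within tolerance_km; a False result is the signal that one of
    the two sources is being interfered with or spoofed."""
    return math.hypot(primary_fix[0] - loran_fix[0],
                      primary_fix[1] - loran_fix[1]) <= tolerance_km


if __name__ == "__main__":
    true_pos = (120.0, 80.0)                      # constructed receiver position
    tdoas = observed_tdoas(true_pos, BEACONS)
    fix = hyperbolic_fix(tdoas, BEACONS, guess=(150.0, 150.0))
    print("Loran fix:", fix)
    print("agrees with GNSS (120.5, 80.2)?", cross_check((120.5, 80.2), fix, 1.0))
    print("agrees with GNSS (135.0, 80.0)?", cross_check((135.0, 80.0), fix, 1.0))
```

The solver needs a rough starting point because each time difference defines a hyperbola and two hyperbolas can cross twice; a receiver gets that from its last known position. Real receivers also add the ASF corrections mentioned in the GPS World quote, which this model leaves out.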