Archive for September, 2017

99% of UK Law Firms Ripe For Email Fraud

Thursday, September 21st, 2017

The actual title of the report is: Addressing Cyber Risks Identified in the SRA Risk Outlook Report 2016/17. Yawn. Not exactly an attention grabber.

The report does have this nifty graphic:

The Panama Papers originated from a law firm.

Have you ever wondered what the top 100 law firms in the UK must be hiding?

Or any of the other 10,325 law firms operating in the UK? (Total number of law firms: 10,425.)

If hackers feasting on financial fraud develop a sense of public duty, radical transparency will not be far behind.

Responding to Theresa May on Free Speech

Thursday, September 21st, 2017

Google and Facebook among tech giants Theresa May will order to remove extremist content by Rob Merrick.

Theresa May and her cadre of censorious thugs pose a clear and present danger to free speech on the Internet. No news there but the danger she poses has increased.

From the post:

The world’s biggest technology firms will be told to take down terrorist propaganda in as little as one hour, as Theresa May seeks to dramatically reduce the danger of it inspiring further atrocities.

The Prime Minister will also challenge them to develop technology to prevent “evil material” ever appearing on the web, as they are forced to defend their efforts in public for the first time.

Facebook, Microsoft, Google and Twitter are among the firms who will face their critics in New York, having agreed to set up a Global Internet Forum to Counter Terrorism.

At the heart of the plan is a target for terror propaganda to be taken down within one to two hours – the crucial period during which most of it is disseminated.

My response to Theresa May’s latest assault on free speech doesn’t depend on the “details” of her proposal. Proposing to suppress “terrorist propaganda” and “evil material” is a clear violation of free speech. What is “terrorist propaganda” and “evil material” is left free for individuals to judge for themselves, in a free society.

No one should dignify her assault on free speech by debating the details of how much or what kind of free speech will be suppressed. Her request for censoring of any speech, should be rejected unconditionally.

Sadly Merrick reports that censorship by content now takes 36 hours, as opposed to 30 days a year ago. The tech giants mentioned above, have been laboring mightily to censor the Internet and are no less guilty than Theresa May in that regard.

The loss of free speech has been debated and lamented over that same year, when 30 days of freedom shrank to 36 hours. Or in equivalent terms, going from 720 hours of freedom to only 36, a reduction of 95%.

With a loss of 95% of practical freedom for “terrorist propaganda” and “evil material,” I’d say that lamenting the loss of free speech has been largely ineffectual. You?

Practical Responses to Theresa May and Her Cadre of Internet Censors

If lamenting the loss of freedom of speech (and other rights) on Facebook, Twitter, the web isn’t effectual, what is? What follows are my suggestions, feel free to share yours.

1. Upload/Download “terrorist propaganda” and “evil material” to Torrent Sites

As Robert Graham, @ErrataBob reminds us at: Did You Miss The Macron Leak? @ErrataBob To The Rescue!, a “distributed hash network” preserves files even if the original link has been deleted.

If high tech toadies remove “terrorist propaganda” and “evil material,” from a Torrent download site, the content is preserved on the computers of everyone who has downloaded it.

Uploading and downloading using Torrent is a value-add activity for every user. The larger the group that downloads, the greater the preservation of the content. Enlist your followers/users today!

2. Generate and Share “evil material”

I’ve only looked at a small amount of “evil material” on the Internet but what I have seen, well, I’m not impressed. The “bomb making” recipes I have seen pose almost as much danger to their maker as they do to any intended victims. There is a certain romance to making your own ordnance, but there’s a reason professional armies don’t. Yes?

But pointing out the repetitious and dubious nature of bomb making recipes on the Internet won’t stop Theresa May. That being the case, I suggest prodding her to a fever pitch with imaginative and innovative ways to create chaos.

If you think about it for a few minutes, bombs, cars and guns are the simplest of tools. Defending freedom of speech requires imagination.

Anyone up for war gaming a future event in London? (Speech only, no action.)

3. Governments and Tech Giants Who Support Censorship

For governments, tech giants and staffers supporting censorship of “terrorist propaganda” and “evil material,” we should all draw inspiration from this slightly altered lyric:

In their styes with all their backing
They don’t care what goes on around
In their eyes there’s something lacking
What they need’s a damn good hacking

(with apologies to the Beatles, Piggies)

Governments and tech giants have chosen to be censors of free speech. They can just as easily choose to be supporters of free speech.

Their choices dictate how they should be seen and treated by others.

PS: For your image recognition software, Theresa May:

Testing Next-Gen Onions!

Wednesday, September 20th, 2017

Please help us test next-gen onions! by George Kadianakis.

From the webpage:

This is an email for technical people who want to help us test next-gen onion services.

The current status of next-gen onion services (aka prop224) is that they have been fully merged into upstream tor and have also been released as part of tor-0.3.2.1-alpha: https://blog.torproject.org/tor-0321-alpha-released-support-next-gen-onion-services-and-kist-scheduler

Unfortunately, there is still no tor browser with tor-0.3.2.1-alpha so these instructions are for technical users who have no trouble building tor on their own.

We are still in an alpha testing phase and when we get more confident about the code we plan to release a blog post (probs during October).

Until then we hope that people can help us test them. To do so, we have set up a *testing hub* in a prop224 IRC server that you can and should join (ideally using a VPS so that you stick around).

Too late for me to test the instructions today but will tomorrow!

The security you help preserve may be your own!

Enjoy!

W3C’s EME/DRM: Standardizing Abuse and Evasion

Wednesday, September 20th, 2017

Among the bizarre arguments in favor of Encrypted Media Extensions (EME), this one stuck with me:

Standardizing an API for Abuse of Users.

The argument runs something like this:

DRM is already present on the Web using plugins for browsers, each with a different API. EME, standardizing a public API, enables smaller browsers to compete in offering DRM. Not to mention avoiding security nightmares like Flash.

As a standards geek, I often argue the advantages of standardization. Claiming standardizing an API for abuse of users as beneficial, strikes me as odd.

Conceptually DRM systems don’t have to infringe on the rights of users to fair use, first sale, modification for accessibility, but I don’t have an example of one from a commercial content provider that doesn’t. Do you?

Moreover, confessed corporate behavior, false bank accounts (Wells Fargo), forged mortgage documents (Ally (formerly known as GMAC), Bank of America, Citi, JPMorgan Chase, Wells Fargo), etc., leave all but the most naive certain user rights will be abused via the EME API.

A use of the EME API that does not violate user rights would be a man bites dog story. Sing out in the unlikely event you encounter such a case.

(I got to this point and my post ran away from me.)

Is there an upside to ending the crazy quilt of DRM plugins and putting encrypted media delivery directly into browsers for users?

With EME as the single interface for delivery of encrypted web content, what else must be true?

Ah, there is a single point of failure for encrypted web content, meaning if the security of EME is broken, then it is broken for all encrypted web content.

There’s a pleasant thought. Over-reaching to gut user’s rights, the DRM crowd created a standardized, single point of failure. A single breach spells disaster on a large scale.

Looking forward to the back-biting and blame allocation sure to follow the failure of this plan to rain greed over the world. (Wasn’t some company named ContentGuard (sp?) involved in an earlier one?)

Not happy with a standardized API for abusing users but having a single API is like the Windows market share. Breach one and you have breached them all. I take some consolation from that fact.

Build a working game of Tetris in Conway’s Game of Life (brain candy)

Tuesday, September 19th, 2017

Build a working game of Tetris in Conway’s Game of Life

From the webpage:

In Conway’s Game of Life, there exist constructs such as the metapixel which allow the Game of Life to simulate any other Game-of-Life rule system as well. In addition, it is known that the Game of Life is Turing-complete.

Your task is to build a cellular automaton using the rules of Conway’s game of life that will allow for the playing of a game of Tetris.

Your program will receive input by manually changing the state of the automaton at a specific generation to represent an interrupt (e.g. moving a piece left or right, dropping it, rotating it, or randomly generating a new piece to place onto the grid), counting a specific number of generations as waiting time, and displaying the result somewhere on the automaton. The displayed result must visibly resemble an actual Tetris grid.

Your program will be scored on the following things, in order (with lower criteria acting as tiebreakers for higher criteria):

  • Bounding box size — the rectangular box with the smallest area that completely contains the given solution wins.
  • Smaller changes to input — the fewest cells (for the worst case in your automaton) that need to be manually adjusted for an interrupt wins.
  • Fastest execution — the fewest generations to advance one tick in the simulation wins.
  • Initial live cell count — smaller count wins.
  • First to post — earlier post wins.

A challenge that resulted in one and one-half years of effort by an array of participants to create an answer.

Very deep and patient thinking here.

Good training for the efforts that will defeat both government security forces and DRM on the web.

XQuery (Walmsley – Updated 15 Sept. 2017) – Pagination Differences

Tuesday, September 19th, 2017

For those of you smart enough to own a copy of XQuery by Priscilla Walmsley, it was updated as of 15 September 2017.

There’s a four (4) page difference in length between the original edition (758 pages) and the updated version (762 pages).

One two (2) page addition is the new section “Specifying Serialization Parameters by Using a Map” plus an unnecessary page break following the introduction to example 13-4 (of the updated version).

Chapter 13, Inputs and Outputs, now ends on page 228 instead of 226.

The other two pages arise from the insertion of array:put following prefix-from-QName and before map:put, in Appendix A. Built-in Function Reference.

I haven’t found any mention of the pagination difference, which will be confusing for students consulting Walmsley.

Since the edition is not being updated, putting the added four pages in an Appendix D or even in preface material numbered i, ii, …, would have preserved references across the first and second versions.

XQuery should be widely used. Creating unnecessary friction for using XQuery resources doesn’t advance that goal.

An Honest Soul At The W3C? EME/DRM Secret Ballot

Tuesday, September 19th, 2017

Billions of current and future web users have been assaulted and robbed in what Jeff Jaffe (W3C CEO) calls a “respectful debate.” Reflections on the EME Debate.

Odd sense of “respectful debate.”

A robber demands all of your money and clothes, promises to rent you clothes to get home, but won’t tell you how to make your own clothes. You are now and forever a captive of the robber. (That’s a lay person’s summary but an accurate account of what the EME crowd wanted and got.)

Representatives for potential victims, the EFF and others, pointed out the problems with EME at length, over years of debate. The response of the robbers: “We want what we want.”

Consistently, for years, the simple minded response of EME advocates continued to be: “We want what we want.”

If you think I’m being unkind to the EME advocates, consider the language of the Disposition of Comments for Encrypted Media Extensions and Director’s decision itself:

Given that there was strong support to initially charter this work (without any mention of a covenant) and continued support to successfully provide a specification that meets the technical requirements that were presented, the Director did not feel it appropriate that the request for a covenant from a minority of Members should block the work the Working Group did to develop the specification that they were chartered to develop. Accordingly the Director overruled these objections.

The EME lacks a covenant protecting researchers and others from anti-circumvention laws, enabling continued research on security and other aspects of EME implementations.

That covenant was not in the original charter, the director’s “(without any mention of a covenant),” aka, “We want what we want.”

There wasn’t ever any “respectful debate,” but rather EME supporters repeating over and over again, “We want what we want.”

A position which prevailed, which brings me to the subject of this post. A vote, a secret vote, was conducted by the W3C seeking support for the Director’s cowardly and self-interested support for EME, the result of which has been reported as:

Though some have disagreed with W3C’s decision to take EME to recommendation, the W3C determined that the hundreds of millions of users who want to watch videos on the Web, some of which have copyright protection requirements from their creators, should be able to do so safely and in a Web-friendly way. In a vote by Members of the W3C ending mid September, 108 supported the Director’s decision to advance EME to W3C Recommendation that was appealed mid-July through the appeal process, while 57 opposed it and 20 abstained. Read about reflections on the EME debate, in a Blog post by W3C CEO Jeff Jaffe.

(W3C Publishes Encrypted Media Extensions (EME) as a W3C Recommendation)

One hundred and eight members took up the cry of “We want what we want.” to rob billions of current and future web users. The only open question being who?

To answer that question, the identity of these robbers, I posted this note to Jeff Jaffe:

Jeff,

I read:

***

In a vote by Members of the W3C ending mid September, 108 supported the Director’s decision to advance EME to W3C Recommendation that was appealed mid-July through the appeal process, while 57 opposed it and 20 abstained.

***

at: https://www.w3.org/2017/09/pressrelease-eme-recommendation.html.en

But I can’t seem to find a link to the vote details, that is a list of members and their vote/abstention.

Can you point me to that link?

Thanks!

Hope you are having a great week!

Patrick

It didn’t take long for Jeff to respond:

On 9/19/2017 9:38 AM, Patrick Durusau wrote:
> Jeff,
>
> I read:
>
> ***
>
> In a vote by Members of the W3C ending mid September, 108 supported the
> Director’s decision to advance EME to W3C Recommendation that was
> appealed mid-July through the appeal process, while 57 opposed it and 20
> abstained.
>
> ***
>
> at: https://www.w3.org/2017/09/pressrelease-eme-recommendation.html.en
>
> But I can’t seem to find a link to the vote details, that is a list of
> members and their vote/abstention.
>
> Can you point me to that link?

It is long-standing process not to release individual vote details publicly.

I wonder about a “long-standing process” for the only vote on an appeal in W3C history but there you have it, the list of robbers isn’t public. No need to search the W3C website for it.

If there is an honest person at the W3C, a person who stands with the billions of victims of this blatant robbery, then we will see a leak of the EME vote.

If there is no leak of the EME vote, that is a self-comment on the staff of the W3C.

Yes?

PS: Kudos to the EFF and others for delaying EME this long but the outcome was never seriously in question. Especially in organizations where continued membership and funding are more important than the rights of individuals.

EME can only be defeated by action in the trenches as it were, depriving its advocates of any perceived benefit and imposing ever higher costs upon them.

You do have your marker pens and sticky tape ready. Yes?

Darkening the Dark Web

Monday, September 18th, 2017

I encountered Andy Greenberg’s post, It’s About to Get Even Easier to Hide on the Dark Web (20 January 2017), and was happy to read:

From the post:

The next generation of hidden services will use a clever method to protect the secrecy of those addresses. Instead of declaring their .onion address to hidden service directories, they’ll instead derive a unique cryptographic key from that address, and give that key to Tor’s hidden service directories. Any Tor user looking for a certain hidden service can perform that same derivation to check the key and route themselves to the correct darknet site. But the hidden service directory can’t derive the .onion address from the key, preventing snoops from discovering any secret darknet address. “The Tor network isn’t going to give you any way to learn about an onion address you don’t already know,” says Mathewson.

The result, Mathewson says, will be darknet sites with new, stealthier applications. A small group of collaborators could, for instance, host files on a computer known only to them. No one else could ever even find that machine, much less access it. You could host a hidden service on your own computer, creating a way to untraceably connect to it from anywhere in the world, while keeping its existence secret from snoops. Mathewson himself hosts a password-protected family wiki and calendar on a Tor hidden service, and now says he’ll be able to do away with the site’s password protection without fear of anyone learning his family’s weekend plans. (Tor does already offer a method to make hidden services inaccessible to all but certain Tor browsers, but it involves finicky changes to the browser’s configuration files. The new system, Mathewson says, makes that level of secrecy far more accessible to the average user.)

The next generation of hidden services will also switch from using 1024-bit RSA encryption keys to shorter but tougher-to-crack ED-25519 elliptic curve keys. And the hidden service directory changes mean that hidden service urls will change, too, from 16 characters to 50. But Mathewson argues that change doesn’t affect the dark web addresses’ usability since they’re already too long to memorize.

Your wait to test these new features for darkening the dark web is over!
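As an added example (not code from Greenberg’s post or from the Tor project), here is the v3 onion address format from Tor’s rend-spec-v3 that these longer hostnames use: the hostname is base32 of the ed25519 public key, a 2-byte SHA3-256 checksum and the version byte 0x03, which a client can verify before contacting the directory. The blinded-key derivation that keeps the address secret from the directory needs ed25519 scalar arithmetic and is not shown; SAMPLE_PUBKEY is a constructed stand-in, not a real service key.

```python
import base64
import hashlib

# Version byte for next-gen (v3) onion services per rend-spec-v3.
VERSION = b"\x03"

# Constructed sample: 32 bytes standing in for an ed25519 public key.
# (Assumption: any 32-byte value; a real service uses its identity key.)
SAMPLE_PUBKEY = bytes(range(32))


def onion_checksum(pubkey: bytes) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]."""
    digest = hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()
    return digest[:2]


def encode_onion_address(pubkey: bytes) -> str:
    """onion_address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion".

    35 bytes base32-encode to exactly 56 characters, with no padding.
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def decode_onion_address(address: str) -> bytes:
    """Recover the public key from a v3 address, rejecting malformed,
    truncated or tampered hostnames (bad length, version or checksum)."""
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != 56:
        raise ValueError("v3 onion hostname must be 56 base32 characters")
    try:
        raw = base64.b32decode(host.upper())
    except ValueError as exc:  # not base32 (e.g. a v2-style or typo'd name)
        raise ValueError("hostname is not valid base32") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch: address corrupted or tampered")
    return pubkey


def is_valid_onion_address(address: str) -> bool:
    """Boolean wrapper a client can use before acting on an address."""
    try:
        decode_onion_address(address)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    addr = encode_onion_address(SAMPLE_PUBKEY)
    print(addr, len(addr) - len(".onion"), "characters before .onion")
    print("round-trip ok:", decode_onion_address(addr) == SAMPLE_PUBKEY)
    # Flipping one character breaks the checksum.
    print("tampered valid?", is_valid_onion_address("b" + addr[1:]))
```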

Tor 0.3.2.1-alpha is released, with support for next-gen onion services and KIST scheduler

From the post:

And as if all those other releases today were not enough, this is also the time for a new alpha release series!

Tor 0.3.2.1-alpha is the first release in the 0.3.2.x series. It includes support for our next-generation (“v3”) onion service protocol, and adds a new circuit scheduler for more responsive forwarding decisions from relays. There are also numerous other small features and bugfixes here.

You can download the source from the usual place on the website. Binary packages should be available soon, with an alpha Tor Browser likely by the end of the month.

Remember: This is an alpha release, and it’s likely to have more bugs than usual. We hope that people will try it out to find and report bugs, though.

The Vietnam War series by Ken Burns and Lynn Novick makes it clear the United States government lies and undertakes criminal acts for reasons hidden from the public. To trust any assurance by that government of your privacy, freedom of speech, etc., is an act of madness.

Will you volunteer to help with the Tor project or place your confidence in government?

It really is that simple.

3D Face Reconstruction from a Single Image

Monday, September 18th, 2017

3D Face Reconstruction from a Single Image by Aaron S. Jackson, Adrian Bulat, Vasileios Argyriou and Georgios Tzimiropoulos, Computer Vision Laboratory, The University of Nottingham.

From the webpage:

This is an online demo of our paper Large Pose 3D Face Reconstruction from a Single Image via Direct Volumetric CNN Regression. Take a look at our project website to read the paper and get the code. Please use a (close to) frontal image, or the face detector won’t see you (dlib)

Images and 3D reconstructions will be deleted within 20 minutes. They will not be used for anything other than this demo.

Very impressive!

You can upload your own image or use an example face.

Here’s an example I stole from Reza Zadeh:

This has all manner of interesting possibilities. 😉

Enjoy!

PS: Torch7/MATLAB code for “Large Pose 3D Face Reconstruction from a Single Image via Direct Volumetric CNN Regression”

RStartHere

Monday, September 18th, 2017

RStartHere by Garrett Grolemund.

R packages organized by their role in data science:

This is very cool! Use and share!

Upsides of W3C’s Embrace of DRM

Monday, September 18th, 2017

World Wide Web Consortium abandons consensus, standardizes DRM with 58.4% support, EFF resigns by Cory Doctorow.

From the post:

In July, the Director of the World Wide Web Consortium overruled dozens of members’ objections to publishing a DRM standard without a compromise to protect accessibility, security research, archiving, and competition.

EFF appealed the decision, the first-ever appeal in W3C history, which concluded last week with a deeply divided membership. 58.4% of the group voted to go on with publication, and the W3C did so today, an unprecedented move in a body that has always operated on consensus and compromise. In their public statements about the standard, the W3C executive repeatedly said that they didn’t think the DRM advocates would be willing to compromise, and in the absence of such willingness, the exec have given them everything they demanded.

This is a bad day for the W3C: it’s the day it publishes a standard designed to control, rather than empower, web users. That standard that was explicitly published without any protections — even the most minimal compromise was rejected without discussion, an intransigence that the W3C leadership tacitly approved. It’s the day that the W3C changed its process to reward stonewalling over compromise, provided those doing the stonewalling are the biggest corporations in the consortium.

EFF no longer believes that the W3C process is suited to defending the open web. We have resigned from the Consortium, effective today. Below is our resignation letter:

In his haste to outline all the negatives, all of which are true, about the W3C DRM decision, Cory forgets to mention there are several upsides to this decision.

1. W3C Chooses IP Owners Over Web Consumers

The DRM decision reveals the W3C as a shill for corporate IP owners. Rumors have it that commercial interests were ready to leave the W3C for the DRM work, rumors made credible by Tim Berners-Lee’s race to the head of the DRM parade.

We are fortunate the Stasi faded from history before the W3C arrived, lest we have Tim Berners-Lee leading a march for worldwide surveillance on the web.

The only value being advanced by the Director (Tim Berners-Lee) is the relevance of the W3C for the web. Consumers aren’t just expendable, but irrelevant. Best you know that now rather than later.

2. DRM Creates “unauditable attack-surface” (for vendors too)

Cory lists the “unauditable attack surface” for browsers like it was a bad thing. That’s true for consumers, but who else is that true for?

Oh, yes, IP owners who plan on profiting from DRM. Their DRM efforts will be easy to circumvent, the digital equivalent of an erasable marker no doubt, and offer the advantage of access to their systems.

Take the recent Equifax breach as an example. What is the one mission critical requirement for Equifax customers?

Easy and reliable access. You could have any number of enhanced authentication schemes for access to Equifax, but that conflicts with the mission-critical need for customers to have ready access to its data.

Content vendors dumb enough to invest in W3C DRM, which will be easy to circumvent, have a similar mission critical requirement. Easy and reliable approval. Quite often as the result of a purchase at any number of web locations.

So we have N vendors sites, selling N products, for N IP owners, to N users, using N browsers, from N countries, err, can you say: “DRM opens truck sized security holes?”

I feel sorry for web consumers but not for any vendor that enriches DRM vendors (the only people who make money off of DRM).

DRM Promotes Piracy and Disrespect for IP

Without copyright and DRM, there would be few opportunities for digital piracy and little disrespect for intellectual property (IP). People can and do photocopy individual journal articles, violating the author’s and possibly the journal’s IP, but who cares? Fewer than twenty (20) people are likely to read it ever.

Widespread and browser-based DRM will be found on the most popular content, creating incentives for large numbers of users to engage in digital piracy. The more often they use pirated content, the less respect they will have for the laws that create the crime.

To paraphrase Princess Leia speaking to Governor Tarkin:

The more the DRM crowd tightens its grip, the more content that will slip through their fingers.

The W3C/Tim Berners-Lee handed IP owners the death star, but the similarity for DRM doesn’t stop there. No indeed.

Conclusion

Flying its true colors, the W3C/Tim Berners-Lee should be abandoned en masse by corporate sponsors and individuals alike. The scales have dropped from web users’ eyes and it’s clear they are commodities in the eyes of the W3C. Victims, if you prefer that term.

The laughable thought of effective DRM will create cybersecurity consequences for both web users and the cretins behind DRM. I don’t see any difficulty in choosing who should suffer the consequences of DRM-based cybersecurity breaches. Do you?

I am untroubled by the loss of respect for IP. That’s not surprising since I advocate only attribution and sale for commercial gain as IP rights. There’s no point in pursuing people who are spending their money to distribute your product for free. It’s cost free advertising.

As Cory points out, the DRM crowd was offered several unmerited compromises and rejected those.

Having made their choice, let’s make sure none of them escape the W3C/DRM death star.

Game of Thrones, Murder Network Analysis

Monday, September 18th, 2017

Game of Thrones, Murder Network Analysis by George McIntire.

From the post:

Everybody’s favorite show about bloody power struggles and dragons, Game of Thrones, is back for its seventh season. And since we’re such big GoT fans here, we just had to do a project on analyzing data from the hit HBO show. You might not expect it, but the show is rife with data and has been the subject of various data projects from data scientists, who we all know love to combine their data powers with the hobbies and interests.

Milan Janosov of the Central European University devised a machine learning algorithm to predict the death of certain characters. A handy tool, for any fan tired of being surprised by the shock murders of the show. Dr. Allen Downey, author of the popular ThinkStats textbooks conducted a Bayesian analysis of the characters’ survival rate in the show. Data Scientist and biologist Shirin Glander applied social network analysis tools to analyze and visualize the family and house relationships of the characters.

The project we did is quite similar to that of Glander’s, we’ll be playing around with network analysis, but with data on the murderers and their victims. We constructed a giant network that maps out every murder of characters with minor, recurring, and major roles.

The data comes courtesy of Ændrew Rininsland of The Financial Times, who’s done a great job of collecting, cleaning, and formatting the data. For the purposes of this project, I had to do a whole lot of wrangling and cleaning of my own and in addition to my subjective decisions about which characters to include as well and what constitutes a murder. My finalized dataset produced a total of 240 murders from 79 killers. For my network graph, the data produced a total of 225 nodes and 173 edges.

I prefer the Game of Thrones (GoT) books over the TV series. The text exercises a reader’s imagination in ways that aren’t matched by visual media.

That said, the TV series murder data set (Ændrew Rininsland of The Financial Times) is a great resource to demonstrate the power of network analysis.

After some searching, it appears that sometime in 2018 is the earliest date for the next volume in the GoT series. Sorry.

Tax Phishing

Sunday, September 17th, 2017

The standard security mantra is to avoid phishing emails.

That assumes your employer’s security interests coincide with your own. Yes?

If you are being sexually harassed at work, were passed over for a job position, your boss has found a younger “friend” to mentor, etc., there are an unlimited number of reasons for a differing view on your employer’s cybersecurity.

The cybersecurity training that enables you to recognize and avoid a phishing email, also enables you to recognize and accept a phishing email from “digital Somali pirates” (HT, Dilbert).

Acceptance of phishing emails in tax practices could result in recovery of tax returns for public officials (Trump?), financial documents similar to those in the Panama Papers, and other data (Google’s salary data?).

If you don’t know how to recognize phishing emails in the tax business, Jeff Simpson has adapted tips from the IRS in: 10 tips for tax pros to avoid phishing scams.

Just quickly (see Simpson’s post for the details):

  1. Spear itself.
  2. Hostile takeovers.
  3. Day at the breach.
  4. Ransom devil.
  5. Remote control.
  6. BEC to the wall.
  7. EFIN headache.
  8. Protect clients.
  9. Priority No. 1. (Are you the “…least informed employee…”?)
  10. Speak up.

Popular terminology for phishing attacks varies by industry so the terminology for your area may differ from Simpson’s.

Acceptance of phishing emails may be the industrial action tool of the 21st century.

Thoughts?

Rewarding UK Censorship Demands

Sunday, September 17th, 2017

Image of the Daily Mail from Twitter:

No link to the online version. It’s easy enough to find on your own. Besides, regular reading of the Daily Mail increases your risk of rumored appointment by the accidental president of the United States. As your mother often said, “you are what you read.”

The story claims:

Theresa May will order internet giants to clamp down on extremism following yesterday’s Tube terror attack.

Where “extremism” doesn’t include the daily bombing runs and other atrocities committed by the West.

I don’t expect better from the Daily Mail but the government’s hysteria over online content is clearly misplaced.

The inability of a group to make a successful “fairy light” bomb speaks volumes about the threat posed by online bomb making plans.

Bomb making plans are great wannabe reading, tough guy talk for cell meetings, evidence for the police when discovered in your possession, but in and of themselves, are hardly worthy of notice. The same can be said for “radical” literature of all stripes.

Still, it seems a shame for the UK’s paranoid delusions to go unrewarded, especially in light of the harm it intends to free speech for all Internet users.

Suggestions?

Red Scare II (2016 – …) – Hacker Opportunities

Saturday, September 16th, 2017

I’m not old enough to remember the Red Scare of the 1950s, but it was a time where accusation, rumors actually, were enough to destroy careers and lives. Guilt was assumed and irrefutable.

The same tactics are being used against Kaspersky Lab today. I won’t dignify those reports with citation but we share the experience that none of them cite facts or evidence, only the desired conclusion, that Kaspersky Lab is suspect.

Neil J. Rubenking routs Kaspersky Lab critics with expert opinions and facts in: Should You Believe the Rumors About Kaspersky Lab?

From the post:

If you accuse me of stealing your new car, I have a lot of options to prove my innocence. I was out of the country at the time of the alleged theft. I don’t have the car. Security cameras show it’s sitting in a garage. And so on.

But if you accuse me of hacking in and stealing the design documents for your new car, things get dicey, especially if you start a whispering campaign. Neil sometimes consorts with known hackers (true). Neil regularly meets with representatives of foreign companies (true). Neil maintains a collection of all kinds of malware, including ransomware and data-stealing Trojans (true). Neil has the programming skills to pull off this hack (I wish!).

After a while the original accusation doesn’t even matter; you’ve successfully damaged my reputation. And that’s exactly what seems to be happening with antivirus maker Kaspersky Lab.

You can find any number of news articles suggesting improper activities by Kaspersky Lab. The US government removed Kaspersky from its list of approved programs and, more recently, added it to a list of banned programs. Best Buy dropped Kaspersky products from its stores. Kaspersky has hired security experts who previously worked for the Russian government. Kaspersky is a Russian company, darn it!

The list goes on, but what’s impressively absent is any factual evidence of security-related misbehavior. To get a handle on this situation, I asked for thoughts from security experts I know, both in the US and around the world.

A moment of disclosure, first. While I wouldn’t say I know him well, I have certainly met Eugene Kaspersky and been impressed by his knowledge. I follow him on Twitter, and he follows me. I’ve even ridden a tour boat with Eugene (and others) into McCovey Cove during a Giants game. Go Giants!

It’s a great post and one you should forward to Kaspersky critics, repeatedly.

As Rubenking mentions in his post, the Department of Homeland Security (sic): US government bans agencies from using Kaspersky software over spying fears:


On Wednesday, the Department of Homeland Security (DHS) issued a directive, first reported by the Washington Post, calling on departments and agencies to identify any use of Kaspersky antivirus software and develop plans to remove them and replace them with alternatives within the next three months.

Which sets a deadline of December 12, 2017 for federal agencies to abandon Kaspersky software.

That’s not a serious/realistic date but moving from known and poorly used software (Kaspersky) to unknown and poorly used software (to replace Kaspersky), can’t help but create opportunities for hackers.

The United States federal government may be the first government to become completely transparent in fact, if not by intent.

Enjoy!

Landsat Viewer

Friday, September 15th, 2017

Landsat Viewer by rcarmichael-esristaff.

From the post:

Landsat Viewer Demonstration

The lab has just completed an experimental viewer designed to sort, filter and extract individual Landsat scenes. The viewer is a web application developed using Esri‘s JavaScript API and a three.js-based external renderer.


Click here for the live application.

Click here for the source code.


The application has a wizard-like workflow. First, the user is prompted to sketch a bounding box representing the area of interest. The next step defines the imagery source and minimum selection criteria for the image scenes. For example, in the screenshot below the user is interested in any scene taken over the past 45+ years but those scenes must have 10% or less cloud cover.


Other Landsat resources:

Landsat homepage

Landsat FAQ

Landsat 7 Science Data Users Handbook

Landsat 8 Science Data Users Handbook

Enjoy!

I first saw this at: Landsat satellite imagery browser by Nathan Yau.

xqerl (“We always do it nice and rough” Tina Turner)

Thursday, September 14th, 2017

xqerl

From the webpage:

Erlang XQuery 3.1 Processor

This is currently a draft/proof-of-concept. Please don’t try to use it for “real” computing!

It is passing about 91% of its (~25k) test cases.

Features it has:

  • Module Feature
  • Higher-Order Function Feature

Features it does not have, but might later:

  • XQuery Update Facility
  • Schema Aware Feature
  • Typed Data Feature
  • Static Typing Feature
  • Serialization Feature

If you want to combine an interest in Erlang along with XQuery 3.1, you have arrived!

Decide for yourself which is the “nice” part and which is the “rough.”

Enjoy!

Find + Boolean Operators

Thursday, September 14th, 2017

Bob DuCharme @bobdc, tweeted: How to use find with boolean operators AND, OR, NOT today.

Not recent but a nice reminder.

Especially helpful when leaks start occurring in TBs.
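An added illustration of the three operators, not taken from DuCharme’s post: implicit AND, `-o` for OR, `!` for NOT, plus the precedence trap that silently drops matches when `-o` is used without parentheses. It assumes a POSIX `find`; the directory tree it searches is constructed inside the script.

```shell
#!/bin/sh
# Constructed example: find with boolean operators AND (implicit), OR (-o)
# and NOT (!). Builds its own small tree in a temp dir so it runs offline.
set -u

# Build a constructed tree: log files, archives, and a vendor/ dir to exclude.
make_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/logs" "$d/backup" "$d/vendor/lib"
  : > "$d/logs/auth.log"
  : > "$d/logs/syslog.gz"
  : > "$d/backup/dump.sql.gz"
  : > "$d/backup/notes.txt"
  : > "$d/vendor/lib/trace.log"
  printf '%s\n' "$d"
}

# Correct form: ( *.log OR *.gz ) AND NOT under vendor/.
# Adjacent tests are ANDed; the parentheses group the OR before the AND.
count_logs_outside_vendor() {
  find "$1" -type f \( -name '*.log' -o -name '*.gz' \) ! -path '*/vendor/*' \
    | wc -l | tr -d ' '
}

# Precedence trap: AND binds tighter than OR, so without parentheses this
# parses as (-type f AND *.log) OR (*.gz AND NOT vendor). The NOT only
# applies to the right branch, so vendor/lib/trace.log is still matched.
count_logs_precedence_trap() {
  find "$1" -type f -name '*.log' -o -name '*.gz' ! -path '*/vendor/*' \
    | wc -l | tr -d ' '
}

# Second trap: once -print appears anywhere, find no longer prints by
# default, so (-type f AND *.log) has no action and only the *.gz branch
# is printed.
count_print_trap() {
  find "$1" -type f -name '*.log' -o -name '*.gz' -print \
    | wc -l | tr -d ' '
}

# Stand-alone run: show the three counts side by side.
D=$(make_tree)
echo "grouped OR, then NOT vendor: $(count_logs_outside_vendor "$D")"   # 3
echo "ungrouped OR (trap):         $(count_logs_precedence_trap "$D")"  # 4
echo "explicit -print on one side: $(count_print_trap "$D")"            # 2
rm -rf "$D"
```

When searching a large dump, run the expression with `-print` replaced by nothing on a small sample first and compare the count against the grouped form; a silently larger or smaller result means precedence bit you.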

Self-Censorship and Privilege on the Internet

Thursday, September 14th, 2017

Sloppy U.S. Spies Misused A Covert Network For Personal Shopping — And Other Stories From Internal NSA Documents by Micah Lee, Margot Williams, Talya Cooper.

From the post:

NSA agents successfully targeted “the entire business chain” connecting foreign cafes to the internet, bragged about an “all-out effort” to spy on liberated Iraq, and began systematically trying to break into virtual private networks, according to a set of internal agency news reports dating to the first half of 2005.

British spies, meanwhile, were made to begin providing new details about their informants via a system of “Intelligence Source Descriptors” created in response to intelligence failures in Iraq. Hungary and the Czech Republic pulled closer to the National Security Agency.

And future Intercept backer Pierre Omidyar visited NSA headquarters for an internal conference panel on “human networking” and open-source intelligence.

These stories and more are contained in a batch of 294 articles from SIDtoday, the internal news website of the NSA’s core Signals Intelligence Directorate. The Intercept is publishing the articles in redacted form as part of an ongoing project to release material from the files provided by NSA whistleblower Edward Snowden.

In addition to the aforementioned highlights, summarized in further detail below, the documents show how the NSA greatly expanded a secret eavesdropping partnership with Ethiopia’s draconian security forces in the Horn of Africa, as detailed in an investigation by longtime Intercept contributor Nick Turse. They describe the NSA’s operations at a base in Digby, England, where the agency worked with its British counterpart GCHQ to help direct drones in the Middle East and tap into communications through the Arab Spring uprisings, according to a separate article by Intercept reporter Ryan Gallagher. And they show how the NSA and GCHQ thwarted encryption systems used to protect peer-to-peer file sharing through the apps Kazaa and eDonkey, as explained here by Intercept technologist Micah Lee.

NSA did not comment for this article.

If you are interested in reporting based on redacted versions of twelve year old news (last half of 2005), this is the article for you.

The authors proclaim self-censorship and privilege saying:


The Intercept is publishing the articles in redacted form as part of an ongoing project to release material from the files provided by NSA whistleblower Edward Snowden.

These authors can milk their treasure trove of unredacted SIDtoday reports, giving them an obvious advantage over other journalists.

Not as great an advantage as being white and male, but it is a privilege unrelated to merit, one that violates any concept of equal access.

Other reporters or members of the public might notice connections unseen by the Intercept authors.

We won’t ever know since the Intercept, along with other media outlets, is quick to call foul on the privileges of others while clinging to its own.

PS: The lack of efforts by intelligence agencies to stop the SIDtoday series is silent testimony to its lack of importance. The SIDtoday series is little better than dated office gossip and not a complete (redacted) account of the same.

Meaningful intelligence reporting derails initiatives, operations, exposes criminal excesses with named defendants and holds the intelligence community accountable to the public. Not to be confused with the SIDtoday series and its like.

Equifax: Theft Versus Sale Increases Your Risk?

Thursday, September 14th, 2017

Hyperventilating reports about Equifax leak:

Credit reporting firm Equifax says data breach could potentially affect 143 million US consumers

Why the Equifax breach is very possibly the worst leak of personal info ever

The Equifax Breach Exposes America’s Identity Crisis

fail to mention that Equifax was selling access to all 143 million stolen credit reports.

Had the hackers, may their skills be blessed, purchased access to the same 143 million credit reports, not a word of alarm would appear in any press report.

Isn’t that odd? You can legally purchase access to “personal identity data” but if you steal it, the foundations of a credit society are threatened.

Equifax doesn’t prevent purchase/use of its data by known criminal organizations, Wells Fargo and its 2.1 million fake accounts that now total 3.5 million (oops, overlooked 1.4 million accounts) for example.

Can you see a difference between a stolen credit report and one purchased by Wells Fargo? Or any other entity with paid access to Equifax data?

Another question, can you identify people employed by the DHS, FBI, CIA, NSA, etc. from the Equifax data?

PS: Before you lose too much sleep over theft of data already for sale, in this case Equifax credit reports, consider: How Bad Is the Equifax Hack? by Josephine Wolff.

New Anti-Leak Program (leaked of course)

Wednesday, September 13th, 2017

Trump Administration Launches Broad New Anti-Leak Program by Chris Geidner.

From the post:

The top US national security official has directed government departments and agencies to warn employees across the entire federal government next week about the dangers and consequences of leaking even unclassified information.

The Trump administration has already promised an aggressive crackdown on anyone who leaks classified information. The latest move is a dramatic step that could greatly expand what type of leaks are under scrutiny and who will be scrutinized.

In the memo about leaks that was subsequently obtained by BuzzFeed News, National Security Adviser H.R. McMaster details a request that “every Federal Government department and agency” hold a one-hour training next week on “unauthorized disclosures” — of classified and certain unclassified information.

I’m guessing that since BuzzFeed News got the memo leaked before next week, this didn’t count as a leak under the new anti-leak program. Yes?

If “next week” means ending 24 September 2017, then leaks on or after 25 September 2017 count as leaks under the new program.

Journalists should include “leak” in all stories based on leaked information to assist researchers in tracking the rate of leaking under the new anti-leaking program.

Every leak is a step towards transparency and accountability.

JSONata: JSON query and transformation language

Sunday, September 10th, 2017

JSONata: JSON query and transformation language

From the webpage:

  • Lightweight query and transformation language for JSON data
  • Inspired by the location path semantics of XPath 3.1
  • Sophisticated query expressions with minimal syntax
  • Built in operators and functions for manipulating and combining data
  • Create user-defined functions
  • Format query results into any JSON output structure

Watch JSONata in 5 minutes and play with JSONata Exerciser.

Result: JSONata will be on your to-learn list for this week!

Enjoy!

“Should We Talk About Security Holes? An Old View”

Sunday, September 10th, 2017

Michael Sikorski, @mikesiko, tweeted a quote forwarded by @SteveBellovin in a discussion about open sharing and discussion of malware.

The quote was an image and didn’t reduce well for display. I located the source of the quote and quote the text below.

Rudimentary Treatise on the Construction of Door Locks: For Commercial and Domestic Purposes : with Mr. Smyth’s Letter on the Bramah Locks by J. Weale (by the book’s pagination, starting on page 2 and ending on page 4).


A commercial, and in some respects a social, doubt has been started within the last year or two, whether or not is it right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by shewing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and know already much more than we can teach them respecting their several kinds of roguery. Rogues knew a good deal about lock-picking long before locksmiths discussed it among themselves, as they have lately done. If a lock—let it have been made in whatever country, or by whatever maker—is not so inviolate as it has hitherto been deemed to be, surely it is in the interest of honest persons to know this fact, because the dishonest are tolerably certain to be the first to apply the knowledge practically; and the spread of the knowledge is necessary to give fair play to those who might suffer by ignorance. It cannot be too earnestly urged, that an acquaintance with real facts will, in the end, be better for all parties. Some time ago, when the reading public was alarmed at being told how London milk is adulterated, timid persons deprecated the exposure, on the plea that it would give instructions in the art of adulterating milk; a vain fear—milkmen knew all about it before, whether they practiced it or not; and the exposure only taught purchasers the necessity of a little scrutiny and caution, leaving them to obey this necessity or not, as they pleased. So likewise in respect to bread, sugar, coffee, tea, wine, beer, spirits, vinegar, cheap silks, cheap wollens—all such articles are susceptible of debasement by admixture with cheaper substances—much more good than harm is effected by stating candidly and scientifically the various methods by which debasement has been, or can be produced. 
The unscrupulous have the command of much of this kind of knowledge without our aid; and there is moral and commercial justice in placing on their guard those who might possibly suffer therefrom. We employ these stray expressions concerning adulteration, debasement, roguery, and so forth, simply as a mode of illustrating a principle—the advantage of publicity. In respect to lock-making there can scarcely be such a thing as dishonesty of intention: the inventor produces a lock which he honestly thinks will possess such and such qualities; and he declares his belief to the world. If others differ from him in opinion concerning those qualities, it is open for them to say so; and the discussion, truthfully conducted, must lead to public advantage: the discussion stimulates curiosity, and the curiosity stimulates invention. Nothing but a partial and limited view of the question could lead to the opinion that harm can result: if there be harm, it will be much more than counterbalanced by good.

More to follow but here’s a question to ponder:

Can you name one benefit that white hats gain by not sharing vulnerability information?

@rstudio Cheatsheets Now B&W Printer Friendly

Saturday, September 9th, 2017

Mara Averick, @dataandme, tweets:

All the @rstudio Cheatsheets have been B&W printer-friendlier-ized

It’s a small thing but appreciated when documentation is B&W friendly.

PS: The @rstudio cheatsheets are also good examples of layout and clarity.

Unpatched Windows Vulnerability – Cost of Closed Source Software

Friday, September 8th, 2017

Bug in Windows Kernel Could Prevent Security Software From Identifying Malware by Catalin Cimpanu.

From the post:

Malware developers can abuse a programming error in the Windows kernel to prevent security software from identifying if, and when, malicious modules have been loaded at runtime.

Continue on with Cimpanu for a good overview or catch Windows’ PsSetLoadImageNotifyRoutine Callbacks: the Good, the Bad and the Unclear (Part 1).

Symantec says proactive security includes:

  • Inventory of Authorized and Unauthorized Devices
  • Inventory of Authorized and Unauthorized Software
  • Secure Configurations for Hardware & Software
  • Constant Vulnerability Assessment and Remediation
  • Malware Defense

But since Windows is closed source software, you can’t remedy the vulnerability. Whatever your cyberdefenses, closed source MS Windows leaves you vulnerable.

Eternal (possibly) vulnerability – the cost of closed source software.

It’s hard to think of a better argument for open source software.

Open source software need not be free, just open source so you can fix it if broken.

PS: Open source enables detection of government malware.

The International Conference on Functional Programming – 2017

Tuesday, September 5th, 2017

The International Conference on Functional Programming – 2017 – Papers

If you are on the Gulf or East coast of the United States, take this opportunity to download papers to read following landfall of Irma.

You may not have Internet service but if you have printed several papers out as emergency preparedness, you won’t be at a loss for reading materials.

I’ve been in the impact zone of several hurricanes and while reading materials don’t make repairs go any faster, they do help pass the time.

Chess Captcha (always legal moves?)

Tuesday, September 5th, 2017

I saw this on Twitter. Other games you would use for a captcha?

Graham Cluley says chess captchas aren’t hard to defeat in: Chess CAPTCHA – a serious defence against spammers?

But Cluley, like most users, is assuming a chess captcha has a chess legal solution.

What if the solution is an illegal move? Or more than one illegal move?

An illegal move would put the captcha beyond any standard chess program.

Yes?

Reserving access to those told of the solution.

Tor Browser 7.0.5 is released – Upgrade! Stay Ahead of Spies!

Tuesday, September 5th, 2017

Tor Browser 7.0.5 is released

From the webpage:

Tor Browser 7.0.5 is now available from the Tor Browser Project page and also from our distribution directory.

This release makes HTTPS-Everywhere compatible with Tor Browser on higher security levels and ensures that browser windows on macOS are properly rounded.

Well, no guarantee you will stay ahead of spies but using the current release of Tor is the best one can do. At least for browsers.

Enjoy!

Guide to Investigative Web Research (Populating A Topic Map)

Tuesday, September 5th, 2017

Guide to Investigative Web Research

From the webpage:

We’ve just finished working with a partner to create an introductory guide to investigative web research.

As part of our aim to encourage shared, open documentation about the use of technology in social change, we’re publishing it so that other people can use it too.

The guide is designed for researchers, activists and journalists who need to collect online information about people, entities or events and use it for investigative research or advocacy. If you’re tracking corporate ownership, monitoring corruption or mapping political influence, this guide is for you.

Read our guide to investigative web research

It’s designed to be practical and straightforward, pointing you to more detailed resources and giving you the context to decide what tools you might need.

As part of our philosophy of reuse and replication, we publish all our research and guides in the same open format on our Library. The Library aims to help build our collective knowledge of how technology can help activists and organisations. It has guides in Spanish, Portuguese, French, Bahasa and English, is responsive (unlike a PDF), and is designed to let people find and reuse content quickly and easily. Topics range from drones and messaging apps to participatory budgeting – and there are more guides coming soon!

Check out more guides from The Engine Room’s Library

The Library code is available on Github, and all the content is Creative Commons-licensed. We’ll keep you updated whenever new guides are added. If you’d like to chat about investigative web research techniques and how they could help your work, get in touch.

Once you decide to author a topic map, the really hard work comes in populating it with information. At least, if you want information that can be traced to verifiable sources (unlike presidential press releases these days).

The Investigative Web Research guide is a useful starting point, especially if you aren’t a seasoned web user. The more web experience you have, the less useful it will become.

There are a number of links to other resources, which is useful, but collections of links can only take the reader so far.

I had to smile when I read:

A key difference between hacking and web scraping is respect for legitimate legal barriers.

“…[L]egitimate legal barriers” support illegitimate, oppressive, patriarchal and discriminatory regimes, along with more just ones. Consider legal barriers for your own personal safety, but nothing more. Legal barriers are the carriers (in the sense of infection) of privilege in a society. Act accordingly.

DACA: 180 Days to Save 800,000 : Whose Begging Bowl to Choose? (Alternative)

Tuesday, September 5th, 2017

Trump administration ending DACA program, which protected 800,000 children of immigrants by Jacob Pramuk | @jacobpramuk.

From the post:

  • President Trump is ending DACA, the Obama-era program that protects hundreds of thousands of “dreamers.”
  • Attorney General Jeff Sessions says there will be a six-month delay in terminating it to give Congress time to act.
  • Sessions says the immigration program was an unlawful overreach by Obama that cannot be defended.

Check out Pramuk’s post if you are interested in Attorney General Sessions’ “reasoning” on this issue. I refuse to repeat it from fear of making anyone who reads it dumber.

Numerous groups have whipped out their begging bowls and more are on the way. All promising opposition, not success, but opposition to ending Deferred Action for Childhood Arrivals (DACA).

Every group has its own expenses, lobbyists, etc., before any of your money goes to persuading Congress to save all 800,000 children of immigrants protected by the DACA.

Why not create:

  • low-overhead fund
  • separate funds for house and senate
  • divided and contributed to the campaigns* of all representatives and senators who vote for replacement to DACA within 180 days
  • where replacement for DACA protects everyone now protected
  • and where replacement DACA becomes law (may have to override veto)

*The contribution to a campaign, as opposed to the senator or representative themselves, is important as it avoids the contributions being a “gratuity” for passage of the legislation, which is illegal. 2041. Bribery Of Public Officials.

Such funds would avoid the overhead of ongoing organizations and enable donors to see the results of their donations more directly.

I’m not qualified to setup such funds but would contribute to both.

You?

PS: You do the math. If some wealthy donor contributed $6 million to the Senate fund, then sixty (60) senatorial campaigns would each get $600,000 in cash. Nothing to sneeze at.