Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

July 31, 2018

Assassination Market Clickbait

Filed under: CryptoCurrency,Government,Politics — Patrick Durusau @ 3:46 pm

The First Augur Assassination Markets Have Arrived by David Floyd.

From the post:

“Killed, not die of natural causes or accidents.”

Pretty much everyone saw them coming, but it was no less disturbing when assassination markets actually began to appear on Augur, a decentralized protocol for betting on the outcomes of real-world events and that launched two weeks ago on ethereum.

The markets – which allow users to bet on the fates of prominent politicians, entrepreneurs and celebrities – in some cases explicitly specify assassination, as the quote above shows. (CoinDesk is intentionally not providing links to these markets or naming the individuals concerned.)

In addition to targeting individuals, some markets offer bets on whether mass shootings and terrorist attacks with certain minimum numbers of casualties will occur.

By creating a market for an assassination and placing a large “no” bet (actually, selling shares in the outcome), an individual or group could in effect place a bounty on the targeted person. The would-be assassin could then place a bet on “yes” (buy shares) and manipulate the outcome, to put it delicately.

An Augur assassination market sounds like a way to democratize murder. Governments spend $billions every year killing people with their citizens exercising little or no influence over the choice of murder targets. An assassination market has the potential for a more democratic process. Or so it would seem.

The first thing you need is an Ethereum wallet. I chose a Firefox browser extension called MetaMask, but there are others; see The Top 10 Best Ethereum Wallets (2018 Edition) by Sudhir Khatwani.

Next up, the Augur app (GitHub). Augur isn’t long on documentation for beginning users, so here are screenshots and text about my installation process.

  1. I used sudo dpkg -i linux-Augur-1.0.7.deb, encountered dependency issues, and then ran apt-get install -f.

    OK, first screen shot, the default screen when I started Augur from the panel bar:

    I accepted all of the defaults, saved the configuration.

  2. After selecting connect, with the default configuration values, this is the next screen:

    As you can tell by the % meter, this is going to take a while. I didn’t time it precisely but would guess it is 90 minutes or longer to synch up.

  3. You probably don’t have to wait as long as I did but when it was over 99% synched, I connected with the Augur app:

  4. I should have expected it, next was the scroll down agreement to activate the checkbox and then agree to terms window, which in part reads:

    Right! I’ve taken numerous steps to conceal both my identity and activity, so sure, I’m going to try to tag Augur in court if something goes sideways.

    Sigh, old habits die hard. 😉

  5. The Augur default homepage (in part only):

    Then you choose “MARKETS” in the upper left-hand corner and look for assassinations.

A lot of installing to realize the reason why:

(CoinDesk is intentionally not providing links to these markets or naming the individuals concerned.)

There’s only one (1) such market and it has only one target, without any “no” money. As you might suspect, it’s the fav of all late night talk show hosts:

I don’t regret installing the new tools but was disappointed by the “assassination market clickbait” approach.

PS: Putin doesn’t even make my top 100. You?

July 30, 2018

Introducing VizHub

Filed under: D3,SVG,Visualization — Patrick Durusau @ 3:53 pm

Introducing VizHub by Curran Kelleher.

From the post:

I’d like to tell you a bit about VizHub, the next generation of Datavis.tech, a data visualization platform I worked on for about a year, and from which I learned how I wanted to develop VizHub.

VizHub is still early work in progress (alpha software), but the beta release should be ready by September, at which time I plan to use it as the platform for teaching (creating example code) and learning (students doing homework assignments) data visualization with D3.js and SVG in an online course this Fall at @WPI ! Many students are remote and transfer credit from WPI to other universities. If you’re a graduate student in Computer Science anywhere, you can register (see enrollment details). Here’s a taste of what my students made last year.

Difficulties with WordPress accepting images at the moment but here are links to three of the more impressive visualizations from Kelleher’s class:

If your visualization isn’t working, it’s unlikely it’s the tool. 😉

PS: CS 573 Data Visualization:

This course exposes students to the field of data visualization, i.e., the graphical communication of data and information for the purposes of presentation, confirmation, and exploration. The course introduces the stages of the visualization pipeline. This includes data modeling, mapping data attributes to graphical attributes, visual display techniques, tools, paradigms, and perceptual issues. Students learn to evaluate the effectiveness of visualizations for specific data, task, and user types. Students implement visualization algorithms and undertake projects involving the use of commercial and public-domain visualization tools. Students also read papers from the current visualization literature and do classroom presentations. Prerequisite: a graduate or undergraduate course in computer graphics.

July 29, 2018

When Phishing and “Dropped” USB Fails – Precision Issues in Graphic Libraries

Filed under: Cybersecurity,Security,Subject Identity — Patrick Durusau @ 3:10 pm

Drawing Outside the Box: Precision Issues in Graphic Libraries by Mark Brand and Ivan Fratric, Google Project Zero.

From the post:

In this blog post, we are going to write about a seldom seen vulnerability class that typically affects graphic libraries (though it can also occur in other types of software). The root cause of such issues is using limited precision arithmetic in cases where a precision error would invalidate security assumptions made by the application.

While we could also call other classes of bugs precision issues, namely integer overflows, the major difference is: with integer overflows, we are dealing with arithmetic operations where the magnitude of the result is too large to be accurately represented in the given precision. With the issues described in this blog post, we are dealing with arithmetic operations where the magnitude of the result or a part of the result is too small to be accurately represented in the given precision.

These issues can occur when using floating-point arithmetic in operations where the result is security-sensitive, but, as we’ll demonstrate later, can also occur in integer arithmetic in some cases.

With phishing success rates reported at 90% and the commonly cited 50% of all users who would insert a “found” USB drive in their computer, use of high-end hacks is always a fallback position.

The techniques discussed here will be useful for such fallback cases, but the more interesting question to me comes in the conclusion:

When it comes to finding such issues, unfortunately, there doesn’t seem to be a great way to do it. When we started looking at Skia, initially we wanted to try using symbolic execution on the drawing algorithms to find input values that would lead to drawing out-of-bounds, as, on the surface, it seemed this is a problem symbolic execution would be well suited for. However, in practice, there were too many issues: most tools don’t support floating point symbolic variables and, even when running against just the integer parts of the simplest line drawing algorithm, we were unsuccessful in completing the run in a reasonable time (we were using KLEE with STP and Z3 backends).

In the end, what we ended up doing was a combination of the more old-school methods: manual source review, fuzzing (especially with values close to image boundaries) and, in some cases, when we already identified potentially problematic areas of code, even bruteforcing the range of all possible values.

Do you know of other instances where precision errors resulted in security issues? Let us know about them in the comments.
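To make the distinction drawn above concrete (a result whose small part, rather than its magnitude, is lost), and to show the kind of boundary brute-forcing the conclusion describes, here is an added example in C. It is not code from the Project Zero post or from Skia; the toy scanline, its WIDTH constant and the function names (column_index_unchecked, column_index_checked, plot_pixel, count_boundary_escapes) are assumptions constructed for this illustration. The input check is performed on a double, the pixel index is computed in float, and a position such as 1 - 1e-8 passes the check yet rounds up to exactly 1.0f, producing an index one past the end of the row. The hardened variant checks the integer index that is actually used, after every conversion.

```c
#include <stdint.h>
#include <stdio.h>

/* Width of the toy scanline; valid column indices are 0 .. WIDTH-1 (constructed). */
#define WIDTH 64

/* Maps a normalised horizontal position t in [0, 1) to a column index the way
 * a rasteriser might: validate the parameter, then scale it into pixel space.
 * The validation is done on the double t, but the scaling is done in float.
 * Just below 1.0 a float can only resolve steps of 2^-24, so a t such as
 * 1 - 1e-8 passes the "t < 1.0" check and then rounds up to exactly 1.0f,
 * giving an index of WIDTH: one past the end of the row. What is lost is the
 * small part of the value, not its magnitude, which is what separates this
 * class from integer overflow. Returns -1 if t is rejected, otherwise the
 * computed index, which may be out of bounds (the defect being illustrated). */
int column_index_unchecked(double t)
{
    if (!(t >= 0.0 && t < 1.0))
        return -1;
    float tf = (float)t;                 /* 1 - 1e-8 becomes 1.0f here */
    return (int)(tf * (float)WIDTH);
}

/* Hardened variant: the same float arithmetic, but the bounds check is applied
 * to the integer index that is actually used, after every conversion, rather
 * than to the floating-point input. */
int column_index_checked(double t)
{
    if (!(t >= 0.0 && t < 1.0))
        return -1;
    float tf = (float)t;
    int idx = (int)(tf * (float)WIDTH);
    if (idx < 0 || idx >= WIDTH)         /* catches the rounded-up case */
        return -1;
    return idx;
}

/* Writes one pixel through the hardened path; returns 1 on success, 0 if the
 * position was rejected. The row is only ever indexed with a checked value. */
int plot_pixel(uint8_t *row, double t, uint8_t value)
{
    int idx = column_index_checked(t);
    if (idx < 0)
        return 0;
    row[idx] = value;
    return 1;
}

/* The boundary sweep the conclusion describes: probe values just below the
 * image edge and count how many slip past the input check but would land out
 * of bounds. Constructed probe values: t = 1 - k * 1e-9 for k = 1..samples. */
int count_boundary_escapes(int samples)
{
    int escapes = 0;
    for (int k = 1; k <= samples; k++) {
        double t = 1.0 - (double)k * 1e-9;
        if (column_index_unchecked(t) >= WIDTH)
            escapes++;
    }
    return escapes;
}

int main(void)
{
    uint8_t row[WIDTH] = {0};
    double t = 1.0 - 1e-8;
    printf("t = %.10f passes t < 1.0, unchecked index = %d (row has %d columns)\n",
           t, column_index_unchecked(t), WIDTH);
    printf("checked index = %d, plot accepted = %d\n",
           column_index_checked(t), plot_pixel(row, t, 255));
    printf("%d of 100 probes just below the edge escape the input check\n",
           count_boundary_escapes(100));
    return 0;
}
```

The practical rule the hardened path follows is to validate the quantity that indexes memory in the representation it is indexed with; a check on the floating-point input proves nothing about the integer that comes out of a later conversion. The sweep in count_boundary_escapes is the cheap version of the near-boundary fuzzing the authors fell back on when symbolic execution did not scale.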

What set of subject identity criteria would enable rough identification of these issues?

Thoughts?

July 28, 2018

Deep Learning … Wireless Jamming Attacks

Filed under: Cybersecurity,Government,Government Data,Hacking — Patrick Durusau @ 8:25 pm

Deep Learning for Launching and Mitigating Wireless Jamming Attacks by Tugba Erpek, Yalin E. Sagduyu, Yi Shi.

Abstract:

An adversarial machine learning approach is introduced to launch jamming attacks on wireless communications and a defense strategy is provided. A cognitive transmitter uses a pre-trained classifier to predict current channel status based on recent sensing results and decides whether to transmit or not, whereas a jammer collects channel status and ACKs to build a deep learning classifier that reliably predicts whether there will be a successful transmission next and effectively jams these transmissions. This jamming approach is shown to reduce the performance of the transmitter much more severely compared with randomized or sensing-based jamming. Next, a generative adversarial network (GAN) is developed for the jammer to reduce the time to collect the training dataset by augmenting it with synthetic samples. Then, a defense scheme is introduced for the transmitter that prevents the jammer from building a reliable classifier by deliberately taking a small number of wrong actions (in form of a causative attack launched against the jammer) when it accesses the spectrum. The transmitter systematically selects when to take wrong actions and adapts the level of defense to machine learning-based or conventional jamming behavior in order to mislead the jammer into making prediction errors and consequently increase its throughput.

As you know, convenience is going to triumph over security, even (especially?) in the context of military contractors. A deep learning approach may be overkill for low-bid contractor targets but it’s good practice for the occasionally more skilled opponent.

Enjoy!

July 24, 2018

Digital Research Tip

Filed under: Library,Research Methods — Patrick Durusau @ 6:44 pm

From Twitter:

Or photograph the inside page with the publication details (if it includes the shelf location).

Other digital research tips?

July 22, 2018

username: 4julian password: $etJulianFree!2Day

Filed under: Cybersecurity — Patrick Durusau @ 8:50 pm

Should Julian Assange lose his freedom, which looks imminent, sysadmins at all levels of corporations, governments and organizations are likely to create new root users:

username: 4julian
password: $etJulianFree!2Day

There’s nothing illegal about creating new users. Happens every day.

Many have promised impotent and camera mugging expressions of rage as a response to an Assange arrest.

Systems hemorrhaging and continuing to hemorrhage data will have a much greater impact.

Don’t banks, stock exchanges, airports, news media, government, etc., all run on computers? Yes?

All those organizations should be lobbying the US government to leave Assange alone. Let him go freely to whatever destination he chooses. The alternative could be uncontrolled transparency.

Universal Feminine Hygiene

Filed under: Feminism,Government,Politics — Patrick Durusau @ 6:30 pm

It’s Not Just the Tampon Tax: Why Periods Are Political by Karen Zraick reminded me to post a “progressive” proposal on feminine hygiene products.

Removing taxes on feminine hygiene products is a step in the right direction but why not go all the way and make those products universally available, at no cost?

The existing distribution chain for feminine hygiene products needs only a few minor tweaks to make that possible. Here’s my solution in three steps:

  1. Retailers provide feminine hygiene products to any customer, free of charge.
  2. Customers are free to choose any brand or type of feminine hygiene product.
  3. Retailers have a tax credit equal to feminine hygiene products distributed, at their retail “price.”

Charging customers for feminine hygiene products, directly or indirectly, becomes illegal, and states/localities are forbidden from limiting or regulating such sales in any way.

A direct benefit to all women that preserves their freedom of choice of products. It re-uses existing distribution systems, without any additional forms or paperwork.

Share this with progressives seeking public office.

July 19, 2018

Printed Guns – Security Warning for Protesters

Filed under: FOIA,Free Speech,Government — Patrick Durusau @ 12:13 pm

DOJ Settles With Cody Wilson, Defense Distributed on 3D-Printed Guns

From the post:

The three-year legal battle over the future of 3D-printed guns is officially over, with the Department of Justice agreeing to allow the general public to “access, discuss, use, reproduce or otherwise benefit from” 3D gun files which had previously been prohibited, Reason.com reported.

DEFCAD will permit downloading and uploading of 3D gun files 1 August 2018.

Teasers on the site include:

AR-15

VZ. 58

Printable guns raise two major security concerns for protest groups in general but especially those who oppose pipelines, mining and other environmental crimes.

Traceability: Prior to 3-D printable guns, oppressors risked tracing of bullets fired to particular weapons, weapons which have relatively permanent serial numbers and at least some records of purchase/transfer. Not 100% and certainly rarely pursued but now even that remote possibility has been removed.

Untraceable Throw Down Guns: Putting “throw down” guns on protesters has always carried the risk of the true origin of a gun being discovered. Printable guns lower the cost of “throw down” guns, and their lack of traceability removes the risk of tracking a gun back to its point of origin.

The cheap “throw down” gun is the most likely use of 3-D printable guns by oppressors.

A partial solution for specific protest sites: Have a friendly police officer search you and document your lack of weapons. It’s not much but a law enforcement officer testifying on your behalf could be the saving touch.

PS: FOIA requests to police and other government departments should include purchases of 3-D printers and supplies for the same.

8 Big Processor Vulnerabilities in 2018

Filed under: Cybersecurity — Patrick Durusau @ 10:16 am

8 Big Processor Vulnerabilities in 2018 by Ericka Chickowski

Since the Spectre and Meltdown vulnerabilities knocked the glow off of the new year, 2018 has been the year of the CPU bug. Security researchers have been working in overdrive examining processors for design flaws, firmware bugs, and other vulnerabilities that put an entire computing architecture at risk.

They haven’t come up empty-handed.

Here’s what we’ve had to contend with this year on the CPU vulnerability front — and what we can expect in a couple of weeks when new research hits the stage at Black Hat.

Among those Chickowski discusses:

BranchScope, Spectre Variants 3a and 4 (breaching barrier between cloud instances on the same CPU, think the IC’s planned cloud), not to leave AMD Ryzen chips unnoticed: Ryzenfall, Masterkey, Fallout, and Chimera, and others.

And the year is a little more than half over!

Enjoy!

July 18, 2018

Self-Help Transparency – Smoke Loader

Filed under: Cybersecurity,Malware,Transparency — Patrick Durusau @ 8:18 pm

Dissecting Smoke Loader by Michał Praszmo.

From the post:

Smoke Loader (also known as Dofoil) is a relatively small, modular bot that is mainly used to drop various malware families.

Even though it’s designed to drop other malware, it has some pretty hefty malware-like capabilities on its own.

Despite being quite old, it’s still going strong, recently being dropped from RigEK and MalSpam campaigns.

In this article we’ll see how Smoke Loader unpacks itself and interacts with the C2 server.

You can go the Freedom of Information Act (FOIA) route to become an “informed citizen,” provided you don’t mind:

  • Indeterminate exchanges to clarify your request
  • Delays and fees by agencies
  • Exemptions
  • Review and editing of documents by those most interested in non-disclosure

If you had access to the agency’s files:

  • No need to clarify your request
  • No delays or fees by the agency
  • No exemptions from disclosure
  • No review and editing of requested documents to prevent disclosure

Not to mention that self-help transparency saves the agency staff time and other resources in answering your request.

The other advantage of self-help transparency is that it works with political PACs, foreign governments, corporations and a host of other groups and institutions with no FOIA traditions.

All of those are incentives for closely attending to this blog post on the Smoke Loader.

Enjoy!

Is the GRU Running Windows 10?

Filed under: Cybersecurity,Microsoft,Security — Patrick Durusau @ 7:44 pm

I ask if the GRU is running Windows 10 in part because of the fanciful indictment of twelve Russians that presumes key logging on GRU computers.

That and I saw: Exploiting a Windows 10 PagedPool off-by-one overflow (WCTF 2018), today.

From the post:

My contribution to the above result was a flag for the “Searchme” task authored by Eat, Sleep, Pwn, Repeat. It involved the exploitation of an off-by-one buffer overflow of a PagedPool allocation made by a vulnerable kernel driver loaded in Windows 10 64-bit. Shortly after the CTF, the original author (@_niklasb) published the source code of the driver and the corresponding exploit (see niklasb/elgoog on GitHub and discussion on Twitter), which revealed that my solution was partially unintended. Niklas used the off-by-one to corrupt allocation metadata and performed some pool feng-shui to get overlapping pool chunks. On the other hand, I achieved a similar outcome through a data-only attack without touching any pool metadata, which made the overall exploitation process somewhat simpler. I encourage you to closely analyze Niklas’ exploit, and if you’re interested in my approach, follow along.

If you want to jump straight to the exploit code, find it on GitHub.

Beyond my current skill level but a good example to follow for improving the same.

Aside to the GRU: Software compiled by others is untrustworthy. All cases, no exceptions. Consider Linux.

Apologies for the Silence!

Filed under: Social Media — Patrick Durusau @ 12:18 pm

After years of posting on a daily basis, I have been in a slump since 30 June 2018, with no posts.

Sorry!

Part of the blame goes to social media, Facebook/Twitter, where I wasted time every day correcting people who were wrong. 😉

Both are tiresome and bottomless pits of error.

The sight of people wrapping themselves in flag and country over remarks concerning the US intelligence community, shocked me back into some semblance of sanity.

There are no words, no facts, no persuasive techniques that will sway anyone in the grip of such delusions.

That being the case, I was wasting my time trying to do so.

I’ve still been collecting links so have a large backlog of potential posts.

Spread the word! I’m back!
