Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

April 24, 2019

Government Countermeasures, Traffic Cams

Filed under: Government,Hacking,Protests — Patrick Durusau @ 10:52 am

If you use public feeds from traffic cams to guide or monitor disruptions, Public Spy (Traffic) Cams, or “leak” that you are using public feeds in that manner, government authorities are likely to interrupt public access to those feeds.

The presence of numerous wi-fi hotspots and inexpensive wi-fi video cameras suggests the most natural counter to such interruptions.

Unlike government actors, you know which locations are important, which disruptions are false flags (including random events that attract attention), and you benefit from public uncertainty caused by any interruption of public services, such as traffic cams.

As an illustration and not a suggestion, if cars caught in gridlock come under attack, say a pattern of attacks over several days, motorists caught in ordinary gridlock become more nervous and authorities view accidents or other causes with heightened suspicion, whether you are the cause of the gridlock or not.

Authorities suffer from apophenia, that is “seeing apparently meaningful connections between unrelated patterns, data or phenomena.” What is pareidolia? (a sub-class of apophenia) Perhaps more than apophenia, because actively searching for patterns makes them more likely to discover false ones. With an eye for patterns, you can foster their recognition of false ones. [FYI, false patterns are “subjects” in the topic maps. May include data on their creation.]

April 23, 2019

Best OCR Tools – Side by Side

Filed under: Government,Government Data,OCR — Patrick Durusau @ 8:34 pm

Our Search for the Best OCR Tool, and What We Found by Ted Han and Amanda Hickman.

From the post:

We selected several documents—two easy to read reports, a receipt, an historical document, a legal filing with a lot of redaction, a filled in disclosure form, and a water damaged page—to run through the OCR engines we are most interested in. We tested three free and open source options (Calamari, OCRopus and Tesseract) as well as one desktop app (Adobe Acrobat Pro) and three cloud services (Abbyy Cloud, Google Cloud Vision, and Microsoft Azure Computer Vision).

All the scripts we used, as well as the complete output from each OCR engine, are available on GitHub. You can use the scripts to check our work, or to run your own documents against any of the clients we tested.

The quality of results varied between applications, but there wasn’t a stand out winner. Most of the tools handled a clean document just fine. None got perfect results on trickier documents, but most were good enough to make text significantly more comprehensible. In most cases if you need a complete, accurate transcription you’ll have to do additional review and correction.

Since government offices are loath to release searchable versions of important documents (think Mueller report), reasonable use of those documents requires OCR tools.

Han and Hickman enable you to compare OCR engines on your documents, an important step before deciding on which engine best meets your needs.

Should you find yourself in a hacker forum, no doubt by accident, do mention agencies which force OCR of their document releases. That unnecessary burden on readers and reporters should not go unrewarded.

Weaponized USB Drives and Beyond

Filed under: Cybersecurity,Government,Hacking — Patrick Durusau @ 8:19 pm

Weaponized USB devices as an attack vector by Alex Perekalin.

USB devices are the main source of malware for industrial control systems, said Luca Bongiorni of Bentley Systems during his talk at #TheSAS2019. Most people who are in any way involved with security have heard classic tales about flash drives “accidentally” dropped in parking lots — it’s a common security story that is just too illustrative not to be retold again and again.

Perekalin takes us beyond flash drives with a reminder that any USB device can be an attack vector.

An incomplete list of USB devices includes:

  • Speaker
  • Microphone
  • Sound card
  • MIDI
  • Modem
  • Ethernet adapter
  • Wi-Fi adapter
  • RS-232 serial adapter
  • Keyboard
  • Mouse
  • Joystick
  • Webcam
  • Scanner
  • Laser printer
  • Inkjet printer
  • USB flash drive
  • Memory card reader
  • Digital audio player
  • Digital camera

Just to name some of the more common ones.

So it’s a little more expensive to do: “Congratulations! You were selected at random for a free digital camera!” (make sure it is a nice one) If it gets you inside the ******* agency, it’s worth every penny. Weaponized USB devices should be a standard part of your kit.

R Graphics Cookbook, 2nd edition

Filed under: Graphics,R — Patrick Durusau @ 3:28 pm

R Graphics Cookbook, 2nd edition by Winston Chang.

From the webpage:

Welcome to the R Graphics Cookbook, a practical guide that provides more than 150 recipes to help you generate high-quality graphs quickly, without having to comb through all the details of R’s graphing systems. Each recipe tackles a specific problem with a solution you can apply to your own project, and includes a discussion of how and why the recipe works.

Read online here for free, or buy a physical copy on Amazon.

Do us all a favor, buy a hard copy of it. It encourages healthy behavior on the part of publishers and it’s easier on your eyes.

Enjoy!

Public Spy (Traffic) Cams

Filed under: Government,Protests — Patrick Durusau @ 3:21 pm

See the Road Ahead with Traffic Camera Images on Bing Maps

From the post:

The Bing Maps Routing and Traffic Team is constantly working to make navigation and route planning easier! Hot on the heels of our previous announcement about traffic coloring, the Bing Maps team is proud to announce that we have made it possible for users to access traffic camera images along a planned driving route! You can now see traffic camera icons along a short to moderate-length route. By clicking on a traffic camera icon, you can view the latest image from the traffic camera at that location.

Bing Maps with traffic cameras:

  • Enable real time routing of “breakdowns” for maximum impact
  • Monitor highways for enhancement of unplanned blockages
  • Support live tweeting/messaging/blogging of highway conditions

Access to traffic cams is not news but Bing is making them easy for casual users. The more users, the more noise and the safer you will be accessing traffic cams for your purposes.

Assuming the worst outcome in the 2021 presidential elections, you may want to consult Defeating Police Formations – Parallel Distributed Protesting, a post that I badly need to re-write. The lesson there is one of stopping cars on the Beltway around Washington, D.C., to effectively interrupt any inauguration ceremony. Traffic cams and management of “breakdowns” go hand in hand.

If you want to ineffectively interrupt any inauguration ceremony, mug for the press cameras at subway entrances. Your call.

April 11, 2019

The Online Books Page

Filed under: Books,Library — Patrick Durusau @ 2:59 pm

The Online Books Page

The Online Books Page is a website that facilitates access to books that are freely readable over the Internet. It also aims to encourage the development of such online books, for the benefit and edification of all.

A remarkable resource that I discovered quite by accident that lists over 3 million free books on the Web. More than enough to keep even a dedicated reader busy.

Enjoy!

April 8, 2019

Solnit, Unattended Luggage, Pipelines

Filed under: #DAPL,Environment,Pipelines (Oil/Gas) — Patrick Durusau @ 4:11 pm

Rebecca Solnit’s When the Hero is the Problem triggered an insight for me that is likely old news to you: social resistance succeeds only when it is we (a group) and not me (the hero). Solnit writes of ecological sabotage saying:

For an embodiment of the word singlehanded you might turn to the heroine of the recent movie Woman at War. It’s about an Icelandic eco-saboteur who blows up rural power lines and hides in scenic spots from helicopters hunting her and is pretty good with a bow and arrow. But the most famous and effective eco-sabotage in the island’s history was not singlehanded.

In a farming valley on the Laxa River in northern Iceland on August 25, 1970, community members blew up a dam to protect farmland from being flooded. After the dam was dynamited, more than a hundred farmers claimed credit (or responsibility). There were no arrests, and there was no dam, and there were some very positive consequences, including protection of the immediate region and new Icelandic environmental regulations and awareness. It’s almost the only story I know of environmental sabotage having a significant impact, and it may be because it expressed the will of the many, not the few.

Solnit’s essay set me to thinking of ways for ecological sabotage to be a collective but uncoordinated expression of opposition to an oil or gas pipeline. Unbidden, the endless loop warning at the Dallas Fort Worth (DFW) airport, in a deep Texas accent, “Watch out! … for unattended luggage and packages” (paraphrase from memory) came to mind. From there I remembered stories of abandoned packages, backpacks, etc., each of which provoked disproportionate and costly police responses.

Does unattended luggage attract the same attention as it would at DFW during the six stages of pipeline construction:

  1. Construction Staging Areas & Storage Yards
  2. Clear Cutting the ROW
  3. Excavating the Trench
  4. Pipe Transport, Stringing, & Assembly
  5. Obstacles: Roads & Streams
  6. Testing & Restoration?

If unattended luggage attracts a DFW level of attention on pipeline routes, defense and offense against pipeline construction takes on an entirely different complexion. Pipeline projects must secure the entire length of the pipeline from the time the pipeline route is fixed until the pipeline is complete. If anyone breaches pipeline security, any resulting unattended luggage or other packages would require law enforcement attention before the project could proceed.

Rather than a focused area for law enforcement attention, think Standing Rock, pipeline proponents have to divide their resources between hundreds of miles of pipeline route for years. That sounds expensive, yes? On the other hand, opponents of pipelines can contribute to the rising cost of pipelines without leadership, charismatic or otherwise.

To illustrate, instead of “defending” against the protesters at Standing Rock (the entire reservation is shown in orange), imagine defending the entire route marked in red:

Advantage red team! Yes?

Do remember to post videos to the media and get word to investors about increasing pipeline costs.


April 3, 2019

Reversing WannaCry Part 1 – [w/] #Ghidra

Filed under: Cybersecurity,Ghidra,Hacking — Patrick Durusau @ 7:43 pm

From Ghidra Ninja

From the description:

In this first video of the “Reversing WannaCry” series we will look at the infamous killswitch and the installation and unpacking procedure of WannaCry.

The sample can be found here: https://www.ghidra.ninja/posts/03-wannacry-1/

Twitter: https://twitter.com/ghidraninja

Links:

Interview with MalwareTech: https://soundcloud.com/arrow-bandwidth/s3-episode-11-wannacry-interview-with-malware-tech-at-infosec-europe-2017

MalwareTech’s blogpost about the killswitch: https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

Further reading

Wikipedia: https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

LogRhythm Analysis: https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/

Secureworks Analysis: https://www.secureworks.com/research/wcry-ransomware-analysis

Unless you are a very proficient Windows reverse engineer, be prepared to pause the video repeatedly! A level of comfort to aspire to.


April 1, 2019

radare2 r2-3.4.0

Filed under: Cybersecurity,Hacking,Radare2 — Patrick Durusau @ 6:59 pm

https://www.radare.org/r/

Now there’s a bold claim! Is that true? Only one way for you to know for sure! Well, what are you waiting for? Download r2-3.4.0 today!

March 31, 2019

Ghidra quickstart & tutorial: Solving a simple crackme

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 6:52 pm

Ghidra quickstart & tutorial: Solving a simple crackme

In this introduction to Ghidra we will solve a simple crackme – without reading any assembly!

The first of several Ghidra tutorials by Ghidra Ninja. Be sure to follow on Twitter!

March 30, 2019

ARM Assembly Basics

Filed under: ARM,Assembly,Cybersecurity,Hacking,Security — Patrick Durusau @ 8:51 pm

ARM Assembly Basics by Azeria.

Why ARM?:

This tutorial is generally for people who want to learn the basics of ARM assembly. Especially for those of you who are interested in exploit writing on the ARM platform. You might have already noticed that ARM processors are everywhere around you. When I look around me, I can count far more devices that feature an ARM processor in my house than Intel processors. This includes phones, routers, and not to forget the IoT devices that seem to explode in sales these days. That said, the ARM processor has become one of the most widespread CPU cores in the world. Which brings us to the fact that like PCs, IoT devices are susceptible to improper input validation abuse such as buffer overflows. Given the widespread usage of ARM based devices and the potential for misuse, attacks on these devices have become much more common.
Yet, we have more experts specialized in x86 security research than we have for ARM, although ARM assembly language is perhaps the easiest assembly language in widespread use. So, why aren’t more people focusing on ARM? Perhaps because there are more learning resources out there covering exploitation on Intel than there are for ARM. Just think about the great tutorials on Intel x86 Exploit writing by Fuzzy Security or the Corelan Team – Guidelines like these help people interested in this specific area to get practical knowledge and the inspiration to learn beyond what is covered in those tutorials. If you are interested in x86 exploit writing, the Corelan and Fuzzysec tutorials are your perfect starting point. In this tutorial series here, we will focus on assembly basics and exploit writing on ARM.

Written in the best tradition of sharing technical knowledge and skill, this is your ticket to over 100 billion ARM powered devices. Not all of them of interest and/or vulnerable, but out of 100 billion (higher now) you will be kept busy.

Enjoy!

March 29, 2019

Pentagon Adopts Hostile Adoption Strategy

Filed under: Cybersecurity,FBI,Government,Hacking,Security — Patrick Durusau @ 10:44 am

Pentagon’s Multibillion-Dollar DEOS Contract is Guaranteed for Microsoft

High-five traffic saturated networks between groups of North Korean, Chinese and Russian hackers when they read:

In the coming weeks, the Pentagon—through its partner, the General Services Administration—will bid out a cloud-based contract for enterprisewide email, calendar and other collaboration tools potentially worth as much as $8 billion over the next decade.


Yet former defense officials, contracting analysts and industry experts tell Nextgov the Defense Enterprise Office Solutions contract is one that tech giant Microsoft—with its Office 365 Suite—simply cannot lose.

Yes, the Pentagon, through a variety of bidders, all of whom offer Microsoft based solutions, is adopting a hostile adoption strategy, described as:

According to Defense Department spokeswoman Elissa Smith, the intent is for DEOS to replace all the disparate, duplicative collaboration tools Defense Department agencies use around the world. Components, including the Army, Navy and Air Force, “will be required” to use the same cloud-based business tools.

“It is expected that DEOS will be designated as an enterprise solution for DOD-wide adoption and organizations,” Smith told Nextgov. “Components that have already implemented different solutions with similar functionality will be required to migrate to DEOS.”

You may remember how successful the FBI Virtual Case File project was, $170 million in the toilet, where local FBI offices were to be “forced” to migrate to a new system. Complete and utter failure.

Undeterred by previous government IT failures, the Pentagon is upping the stakes to 47 times the losses in the FBI Virtual Case File project and, even more importantly, risking national security on hostile adoption of an unwanted product.

If that weren’t bad enough, the Office 365 Suite offers a security single point of failure (SPOF). Once the system is breached for one instance, it has been breached for all. Hackers can now abandon their work on other systems and concentrate on Microsoft alone. (A thanks on their behalf to the Pentagon.)

Hackers are unlikely to take up my suggestion because an eight year slog to complete failure leaves non-Microsoft systems in operation during and past the project’s failure date. Not to mention that a hostile transition to an unwanted system is likely to leave openings for exploitation. Happy hunting!

March 28, 2019

Terrorist Usage of Twitter and Social Media (AKA Advertising)

Filed under: Advertising,Censorship,Social Media,Terrorism — Patrick Durusau @ 8:29 pm

Primer: Terrorist Usage of Twitter and Social Media

I mention this as an example of a catchy title for what is otherwise an “advertising on social media” post. Consider this re-write of the lead paragraph:

In recent years the Internet and social media has rapidly grown and become a part of everyday life for many people.  For example, YouTube alone has nearly two billion active users each month, has one billion hours of content watched every day, and over 300 hours of new video uploaded every minute (Aslam, 2019).  Other social media platforms also generate huge amounts of users and views.  The wide reach of these and other platforms has given many people and groups the opportunity to be heard when they otherwise would not have a voice.  While in many cases this opportunity is celebrated for supporting free speech, advertisers can take advantage of this access to reach and entice people that would otherwise be outside their influence.  Advertisers are becoming increasingly aware of, and taking advantage of, the global access the Internet and social media gives them.  These advertisers are no longer limited to recruiting new buyers in their physical sphere of influence; they can entice and recruit new buyers from anywhere around the world.  Advertisers are also using the Internet to encourage and carry out sales (physical and cyber) around the world…

The bolded text replaces text in the original.

For all of the bleating and whining about terrorists on social media, what is being discussed is advertising. Any decent introduction to advertising is more useful to terrorists and their opponents than all of the literature on terrorist use of social media.

Critics of terrorist advertising miss the validity of terrorist ads in the eyes of their target populations. Twenty to thirty year old males in most cultures know they lack the ability to make a difference for their families and communities. Structural inequalities guarantee that lack of ability. Those have been the “facts” all their lives. Terrorists offer the chance to perhaps not make a difference, but to at least not grow bent and old under the weight of oppression.

Your counter ad? …. There’s the problem with countering terrorist advertising. The facts underlying those ads are well known and have no persuasive refutation. Change the underlying facts as experienced by terrorists and their families and terrorist ads will die of their own accord. Keep the underlying facts and …, well, you know how that turns out.


March 27, 2019

GHIDRA 9.0.1 has been posted

Filed under: Cybersecurity,NSA — Patrick Durusau @ 7:56 pm

GHIDRA 9.0.1 has been posted

That was quick! Version 9.0.1 of GHIDRA is available for downloading. Release notes.

March 7, 2019

Nearest Neighbor/Fire Hydrant?

Filed under: Dataset,Insurance — Patrick Durusau @ 5:37 pm

HazardHub’s HydrantHub Passes 10 Million Fire Hydrant Locations Nationwide

From the post:

Distance to a fire hydrant is one of the most critical components to properly priced homeowners and property insurance. Yet – too often – hydrant data is simply missing from existing fire protection algorithms. HydrantHub’s aim is to break that data blockage by collecting and standardizing hydrant data, then making that data available to consumers, insurers, inspectors, and municipalities across the country. Not only can HydrantHub tell you the closest hydrant, it can also tell you the number within a 1,000-foot radius of a location, giving insurers unique insight as to how well a community can provide critical water assets to a fire. The hydrant locations in HydrantHub cover over 80% of the US population with hydrants.

HydrantHub is available via HazardHub’s free “Where’s My Closest Hydrant” tool on http://www.hazardhub.com, as well as HazardHub’s powerful API.

Exploring the placement and number of fire hydrants by race and social class is one re-use of this data. Another re-use includes determining when different fires would place conflicting demands on fire hydrants.

Does every data set that admits to a benign use, have one or more non-benign uses? I suspect that to be the case. Counter-examples anyone?
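The nearest-hydrant and radius queries the announcement describes, plus the second re-use mentioned above (fires competing for the same hydrants), as an added Python example that is not HazardHub’s code or API. Hydrant ids, coordinates and the two fire locations are constructed; distances use the haversine formula over a mean Earth radius, which is adequate at the scale of a city block.

```python
import math

EARTH_RADIUS_FT = 20_902_231  # mean Earth radius, 6,371 km expressed in feet

# Constructed sample: hydrant id -> (latitude, longitude). Not HazardHub data.
HYDRANTS = {
    "H1": (33.7495, -84.3880),
    "H2": (33.7490, -84.3860),
    "H3": (33.7510, -84.3880),
    "H4": (33.7530, -84.3880),
    "H5": (33.7450, -84.3950),
}
# Two constructed fire locations a few blocks apart.
FIRE_A = (33.7490, -84.3880)
FIRE_B = (33.7518, -84.3880)


def haversine_ft(lat1, lon1, lat2, lon2):
    """Great-circle distance in feet between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_FT * math.asin(math.sqrt(a))


def hydrants_within(hydrants, lat, lon, radius_ft=1000.0):
    """All hydrants within radius_ft of (lat, lon), nearest first, as (id, distance_ft)."""
    hits = []
    for hid, (hlat, hlon) in hydrants.items():
        d = haversine_ft(lat, lon, hlat, hlon)
        if d <= radius_ft:
            hits.append((hid, d))
    return sorted(hits, key=lambda t: t[1])


def nearest_hydrant(hydrants, lat, lon):
    """Closest hydrant to (lat, lon) as (id, distance_ft).
    A linear scan is fine for a few thousand points; a spatial index
    would be needed for a national data set."""
    return min(
        ((hid, haversine_ft(lat, lon, hlat, hlon)) for hid, (hlat, hlon) in hydrants.items()),
        key=lambda t: t[1],
    )


def shared_hydrants(hydrants, fire_a, fire_b, radius_ft=1000.0):
    """Hydrant ids inside radius_ft of both fires, i.e. the ones two
    simultaneous fires would compete for."""
    near_a = {hid for hid, _ in hydrants_within(hydrants, *fire_a, radius_ft)}
    near_b = {hid for hid, _ in hydrants_within(hydrants, *fire_b, radius_ft)}
    return sorted(near_a & near_b)


if __name__ == "__main__":
    for name, fire in (("A", FIRE_A), ("B", FIRE_B)):
        hid, d = nearest_hydrant(HYDRANTS, *fire)
        within = [h for h, _ in hydrants_within(HYDRANTS, *fire)]
        print(f"fire {name}: nearest {hid} at {d:.0f} ft; within 1,000 ft: {within}")
    print("hydrants both fires would draw on:", shared_hydrants(HYDRANTS, FIRE_A, FIRE_B))
```

Run as a script it reports, for each constructed fire, the nearest hydrant and the hydrants inside the 1,000-foot radius, then the hydrants the two fires have in common; the overlap is the part an insurer’s per-address score does not show.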

February 24, 2019

LaTeX Cleaner (From Google)

Filed under: Publishing,TeX/LaTeX,Writing — Patrick Durusau @ 5:44 pm

arXiv LaTeX cleaner: safer and easier open source research papers by Jordi Pont-Tuset.

Scans LaTeX files to remove comments. Akin to scrubbing revision metadata from Word files.
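The cleaning step described above, as an added Python example that is not the arXiv LaTeX cleaner’s own code: it returns both the scrubbed source and the list of comments it removed, so an author can review what would otherwise have gone out with the submission. It assumes only two special cases, the comment package’s `\begin{comment}` block and `verbatim` environments, and the `.tex` input is a constructed sample.

```python
import re

# Constructed sample .tex, not a real submission: the kind of remarks a working draft carries.
SAMPLE_TEX = r"""\documentclass{article}
% TODO: reviewer 2 hated the old intro, rewrite before camera-ready
\begin{document}
Accuracy reached 95\% on the test set. % actually 93.7, recheck
\begin{comment}
Earlier draft paragraph we decided to cut.
\end{comment}
\begin{verbatim}
100% literal text stays
\end{verbatim}
Line break\\% comment after a forced break
\end{document}
"""

# Assumed: block comments are only the comment package's \begin{comment}...\end{comment}.
COMMENT_ENV_RE = re.compile(r"\\begin\{comment\}.*?\\end\{comment\}\n?", re.DOTALL)


def comment_start(line):
    r"""Index of the first unescaped '%' in line, or -1. A '%' starts a comment
    unless it is preceded by an odd number of backslashes: \% is a literal
    percent sign, \\% is a forced line break followed by a comment."""
    i = 0
    while i < len(line):
        if line[i] == "\\":
            i += 2          # skip the escaped character, whatever it is
            continue
        if line[i] == "%":
            return i
        i += 1
    return -1


def split_comments(src):
    """Return (cleaned_source, removed_comments) for a LaTeX source string."""
    removed = []

    def grab(match):
        removed.append(match.group(0))
        return ""

    src = COMMENT_ENV_RE.sub(grab, src)
    kept_lines = []
    in_verbatim = False
    for line in src.split("\n"):
        if in_verbatim:            # '%' is literal inside verbatim: pass the line through
            kept_lines.append(line)
            if "\\end{verbatim}" in line:
                in_verbatim = False
            continue
        idx = comment_start(line)
        if idx == -1:
            kept = line
        elif line[:idx].strip() == "":
            removed.append(line.strip())   # whole-line comment: drop the line entirely
            continue
        else:
            removed.append(line[idx:])
            kept = line[:idx] + "%"        # keep the '%' so TeX still swallows the newline
        kept_lines.append(kept)
        if "\\begin{verbatim}" in kept and "\\end{verbatim}" not in kept:
            in_verbatim = True
    return "\n".join(kept_lines), removed


if __name__ == "__main__":
    clean, gone = split_comments(SAMPLE_TEX)
    print(clean)
    print("--- would have shipped with the submission:")
    for c in gone:
        print(" ", c.strip())
```

The trailing `%` is kept on lines that mixed text and a comment because in TeX a `%` also suppresses the newline; dropping it would change spacing in the typeset output. Reviewing the returned list before submitting is the actual privacy check: it is the text a reader of the raw source would have seen.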

Pont-Tuset says protecting the privacy of authors will encourage greater sharing of papers. A laudable goal but the monthly submission rate at arXiv exceeds 13,000/month presently. How many authors fail to submit now but will with scrubbed LaTeX files? The paper doesn’t say or offer a measure of submissions that would constitute “success.”

It’s an interesting utility but final papers now rarely document false starts, ideas not followed or other marks of authoring a paper. This utility will make the authoring process even less accessible, albeit by a small amount.

Rather than scrubbing comments from your LaTeX authored papers, insert more comments. What were false leads or ideas that didn’t survive the authoring or review process? Offer insight into your authoring so that others can learn how to write a publishable paper. Remember, you will be reading papers from current students when you are a journal editor. Won’t you prefer to read well-written papers?

Layout Land

Filed under: Graphics,Interface Research/Design — Patrick Durusau @ 5:19 pm

Layout Land (YouTube)

If you need help creating attractive web content with CSS, then Layout Land is one place to start. You can tell by my website and blog that I have yet to watch and implement any of the advice you find here.

Don’t take my lack of effort as a commentary on the channel, which has approximately 38K subscribers. Content creation is a necessary first step, but then it has to be effectively delivered to users to make a difference.

Make a difference, learn effective layout of web resources.

eXist-db 5.0.0 RC6

Filed under: eXist,XML,XML Database,XPath,XQuery — Patrick Durusau @ 4:35 pm

eXist-db 5.0.0 RC6

RC5 was released on November 21, 2018 so there are a number of new features and bug fixes to grab your interest in RC6.

Features:

  • New De-duplicating BLOB store for binary documents – see https://blog.adamretter.org.uk/blob-deduplication/
  • More elaborate XPath expressions in the Lucene index config of collection.xconf are now supported
  • New non-blocking lock-free implementation of the Transaction Manager
  • CData serialization now respects the output:cdata-section-elements option
  • New XQuery function util:eval-and-serialize for dynamic XQuery evaluation and serialization.
  • New XQuery function util:binary-doc-content-digest to retrieve a digest of a Binary Document
  • … and others.

Bug fixes:

  • Fixed Lucene term range queries
  • Copying an XML Resource now correctly removes any nodes that it replaces
  • Fixed a memory leak with XQuery serializers
  • Fixed Garbage Collection churn issue with serialization
  • Fixed Backup/Restore progress reporting
  • XQuery Library Modules on the Java Classpath are now correctly resolved from the importing XQuery module
  • … and others.

Although not ready for production, these new features and bug fixes should have you scurrying to download eXist-db 5.0.0 RC6!

PS: Remember there are only 48 days left for paper submissions to Balisage 2019! Are you going to be using the latest RC for eXist?

February 23, 2019

USA Confirms Hacking Only Viable Path To Transparency

Filed under: Government,Hacking,Transparency — Patrick Durusau @ 5:12 pm

After years of delays and democratic regression, USA releases weak open government plan from: E Pluribus Unum

From the post:

If the American public wants to see meaningful progress on transparency, accountability or ethics in U.S. government, it should call on Congress to act, not the Trump White House.
With little fanfare or notice, the United States of America has published a fourth National Action Plan for Open Government for the Open Government Partnership (OGP). The USA was automatically placed under review in January, but not because of two years of regression on transparency, accountability, and brazen corruption. The plan was simply late, after failing to deliver a new plan for the multi-stakeholder initiative for years.
The new “national action plan” is notable for its lack of ambition, specificity or relevance to backsliding on democracy in the USA under the Trump administration.

Calling on the U.S. Congress for “…meaningful progress on transparency, accountability or ethics in U.S. government…” is a jest too cruel for laughter.

The current U.S. president has labored mightily to reduce government transparency but Congress is responsible for the crazy quilt laws enabling agencies to practice secrecy as their default position. Any sane system of transparency starts with transparency as the default setting, putting the burden of secrecy on those who desire it.

You can waste supporter dollars on yearly tilts at the transparency windmill in Congress, or bi-annual elections of members of Congress who promise (but don’t deliver) transparency, or presidential elections every four years. The resulting government structures will not be meaningfully more transparent at any future point in time.

If you see a viable (as in effective) alternative to hacking as a means of making government transparent, please leave it in a comment below.

February 22, 2019

Interpretable Machine Learning

Filed under: Machine Learning — Patrick Durusau @ 5:10 pm

Interpretable Machine Learning: A Guide for Making Black Box Models Explainable by Christoph Molnar.

From the introduction:

Machine learning has great potential for improving products, processes and research. But computers usually do not explain their predictions which is a barrier to the adoption of machine learning. This book is about making machine learning models and their decisions interpretable.
After exploring the concepts of interpretability, you will learn about simple, interpretable models such as decision trees, decision rules and linear regression. Later chapters focus on general model-agnostic methods for interpreting black box models like feature importance and accumulated local effects and explaining individual predictions with Shapley values and LIME.
All interpretation methods are explained in depth and discussed critically. How do they work under the hood? What are their strengths and weaknesses? How can their outputs be interpreted? This book will enable you to select and correctly apply the interpretation method that is most suitable for your machine learning project.
The book focuses on machine learning models for tabular data (also called relational or structured data) and less on computer vision and natural language processing tasks. Reading the book is recommended for machine learning practitioners, data scientists, statisticians, and anyone else interested in making machine learning models interpretable.

I can see two immediate uses for this book.

First, as Molnar states in the introduction, you can pierce the veil around machine learning and be able to explain why your model has reached a particular result. Think of it as transparency in machine learning.

Second, after piercing the veil around machine learning you can choose the model, or nudge a model, in the direction of a result specified by management. Or having gotten a desired result, you can train a more obscure technique to replicate it. Think of it as opacity in machine learning.

Enjoy!

Safer Porn Viewing

Filed under: Cybersecurity,Porn — Patrick Durusau @ 3:30 pm

Threats to Users of Adult Websites in 2018 by Kaspersky Lab.


2018 was a year that saw campaigns to decrease online pornographic content and traffic. For example, one of the most adult-content friendly platforms – Tumblr – announced it was banning erotic content (even though almost a quarter of its users consume adult content). In addition, the UK received the title of ‘The Second Most Porn-Hungry Country in the World‘ and is now implementing a law on age-verification for pornography lovers that will prohibit anyone below the age of 18 to watch this sort of content. This is potentially opening a world of new tricks for scammers and threat actors to take advantage of users. In addition, even commercial giant Starbucks declared a ‘holy war’ on porn as it was revealed that many visitors prefer to have their coffee while consuming adult content, rather than listening to music or reading the latest headlines on news websites.
Such measures might well be valid, at least from a cybersecurity perspective, as the following example suggests. According to news reports last year, an extremely active adult website user, who turned out to be a government employee, dramatically failed to keep his hobby outside of the workplace. By accessing more than 9,000 web pages with adult content, he compromised his device and subsequently infected the entire network with malware, leaving it vulnerable to spyware attacks. This, and other examples confirm that adult content remains a controversial topic from both a social and cybersecurity standpoint.
It is no secret that digital pornography has long been associated with malware and cyberthreats. While some of these stories are now shown to be myths, others are very legitimate. A year ago, we conducted research on the malware hidden in pornography and found out that such threats are both real and effective. One of the key takeaways of last year’s report was the fact that cybercriminals not only use adult content in multiple ways – from lucrative decoys to make victims install malicious applications on their devices, to topical fraud schemes used to steal victims’ banking credentials and other personal information – but they also make money by stealing access to pornographic websites and reselling it at a cheaper price than the cost of a direct subscription.

The U.S. Government, being itself untrustworthy, doesn’t trust Kaspersky Lab. There’s an odd logic to that position, tinged by a desire for a domestic cybersecurity industry. A domestic industry that would be subject to the orders of the U.S. Government. What it now suspects of Kaspersky.

You can read Kaspersky’s Three common myths about Kaspersky Lab, or ask yourself, would I cheat while holding 6.25 percent of the world market for Windows anti-malware software? If the answer is no, then trust Kaspersky Lab until you have facts that compel a different choice.

The report details which types of porn carry the greatest risk for malware and the common techniques used to deliver it. (You are using a VPN and a Tor browser to view porn. Yes?)

I trust Kaspersky because unlike the U.S. Government, it has no record of running porn sites to entrap viewers. (The FBI likely ran nearly half the child porn sites on the dark web in 2016.) Enjoy the report.

Open Government Guide [“I Am Dorthy, the Small and Meek”]

Filed under: FOIA,MuckRock,Open Government,OpenMeetings — Patrick Durusau @ 12:58 pm

Open Government Guide

The Open Government Guide is a complete compendium of information on every state’s open records and open meetings laws. Each state’s section is arranged according to a standard outline, making it easy to compare laws in various states. If you’re a new user of this guide, be sure to read the Introduction to the Open Government Guide.  The Open Government Guide covers state laws. We also have a separate FOIA Wiki that covers the federal government.

Please note: We have not yet received the following chapters from our guide authors: Alabama, Florida, Massachusetts, Pennsylvania, and Wisconsin. You can find the 2011 guides for those states here.

See something that needs updating?  Please email guides@rcfp.org, so we can fix it!

If you are asking for government records or data, the go-to guide for your efforts.

If the “sky is falling” claims of cybersecurity experts are credited (which I suspect are largely correct), then government information is more accessible than not. It’s all there for a little hacking.

Using open record laws for states or FOIA (Freedom of Information Act) for the federal government affirms their right to decide what the public may or may not know, delays your obtaining of the information and acts as a filter on what is ultimately disclosed.

An enormous amount of great work has been done using such laws, MuckRock being one of the best examples. But it’s an information lossy proposition.

If you are going to be “…Dorthy, the small and meek” and ask for information, this is your handbook. Otherwise, you may discover information the government would rather its citizens did not know.

PS: When visiting government offices, be alert for open network or USB ports. Observe the color and markings on any removable media in use.

Mapping Manhattan In 3D [Data Science Playing “Favorites”]

Filed under: Mapping,Maps — Patrick Durusau @ 11:28 am

How we made the NY Manhattan Buildings 3D Map?

(Image: partial view of the Mapli 3D map of Manhattan)

Partially a promotion for Mapli but not an unwelcome one. The starter package begins at $49/month (as of 22 Feb. 2019) so is within the range of most users.

This map used data already available from OpenStreetMap, but you can create your own data set for less well known locations.

The uses of 3D maps of urban locations range from planning the placement of surveillance cameras, sniper or counter-sniper locations, “high ground” positions in the event of civil disturbances, and others.

Data science plays “favorites,” but only for those with data.

Corporations and governments are collecting data. Shouldn’t you?

February 19, 2019

OnionShare 2 adds anonymous dropboxes, … [Potential Leakers/Cleaning Staff Take Note!]

Filed under: Cybersecurity,Tor — Patrick Durusau @ 1:28 pm

OnionShare 2 adds anonymous dropboxes, supports new Tor addresses, and is translated into a dozen new languages by Micah Lee.

From the post:

After nearly a year of work from a growing community of developers, designers, and translators, I’m excited that OnionShare 2 is finally ready. You can download it from onionshare.org.

OnionShare is an open source tool for securely and anonymously sending and receiving files using Tor onion services. It works by starting a web server directly on your computer and making it accessible as an unguessable Tor web address that others can load in Tor Browser to download files from you, or upload files to you. It doesn’t require setting up a separate server, using a third party file-sharing service, or even logging into an account.

Unlike services like email, Google Drive, DropBox, WeTransfer, or nearly any other way people typically send files to each other, when you use OnionShare you don’t give any companies access to the files that you’re sharing. So long as you share the unguessable web address in a secure way (like pasting it in an encrypted messaging app), no one but you and the person you’re sharing with can access your files.

Depending on the cyberfails at your organization (How to Block Tor (The Onion Router)), secure leaking may be as easy as installing OnionShare, adding the files you want to leak and transmitting an Onion address to a member of the media.

Well, some members of the media. Western mainstream media is extremely risk averse and will take no steps to assist leakers. That is, leaks have to arrive on their doorsteps with no direct effort on their part. I suspect that applies to obtaining files with OnionShare but you would have to ask a reporter.

On the other hand, cleaning staff can read passwords off sticky notes as easily as users and with OnionShare 2 on a USB stick, could be sharing files during their shift. Deleting OnionShare 2 before leaving of course.

OnionShare 2 is a project to support, follow, use and share as widely as possible.

February 18, 2019

Kali Linux 2019.1 Release (With Metasploit 5.0)

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 2:29 pm

Kali Linux 2019.1 Release

From the post:

Welcome to our first release of 2019, Kali Linux 2019.1, which is available for immediate download. This release brings our kernel up to version 4.19.13, fixes numerous bugs, and includes many updated packages.

The big marquee update of this release is the update of Metasploit to version 5.0, which is their first major release since version 4.0 came out in 2011.

To the extent any mainstream media outlet can be credited, information security in general continues to decline. Even so, it’s better to be at the top of your game with the best tools than not.

Enjoy!

r2con 2019 – A Sensible Call for Papers

Filed under: Conferences,Cybersecurity,Hacking,Radare2 — Patrick Durusau @ 2:20 pm

r2con 2019 – Call for Papers

The call for papers in its entirety:

Want to give a talk in r2con? Please send your submission to r2con@radare.org with the following information in plain-text format:

  • Your nick/name(s)
  • Contact information (e-mail, twitter, telegram)
  • Talk title and description with optional speaker bio
  • Length: (20 or 50 minutes)

Such a contrast from conferences with long and tiresome lists of areas included, implying those not listed are excluded. You know the type so I won’t embarrass anyone by offering examples.

For more details, check out r2con 2018, 22 videos, r2con 2017, 16 videos, or r2con 2016, 25 videos.

If after sixty-three (63) videos you are uncertain if your talk is appropriate for r2con 2019, perhaps it is not. Try elsewhere.

UK Parliament Pouts About Facebook – Alternative History

Filed under: Facebook,Fair Use — Patrick Durusau @ 10:39 am

I followed Facebook labelled ‘digital gangsters’ by report on fake news by David Pegg to find Disinformation and ‘fake news’: Final Report published, which does have a link to Disinformation and ‘fake news’: Final Report, an eleventy-one page pout labeling Facebook “digital gangsters” (pages 43 and 91, if you are interested).

The report recommends Parliament respond to the invention of the movable type printing press:

MPs conclude: “[Printing presses] cannot hide behind the claim of being merely a ‘platform’ and maintain that they have no responsibility themselves in regulating the content [they produce].” (alternative history edits added)

Further, the printing press has enabled broadsheets, without identifying the sources of their content, to put democracy at risk:

“Democracy is at risk from the malicious and relentless targeting of citizens with disinformation and personalised ‘dark adverts’ from unidentifiable sources, delivered through the major [broad sheets and newspapers] we use everyday. Much of this is directed from agencies working in foreign countries, including Russia.

For obscure reasons, the report calls for changing the current practice of foreign players interfering in elections and governments of others, saying:

“The UK is clearly vulnerable to covert digital influence campaigns and the Government should be conducting analysis to understand the extent of the targeting of voters, by foreign players, during past elections.” The Government should consider whether current legislation to protect the electoral process from malign influence is sufficient. Legislation should be explicit on the illegal influencing of the democratic process by foreign players.

The UK, its allies and enemies have been interfering in each others’ elections, governments and internal affairs for centuries. The rush to insulate the UK and its long time partner in interference, the United States, from “illegal interference” is a radical departure from current international norms.

On the whole, the report struts and pouts as only a UK parliament committee, spurned by Mark Zuckerberg, not once, not twice, but three times, can.

There’s no new information in the report but more repetition that can be stacked up and then cited to make questionable claims less so. Oh, that’s one of the alleged tactics of disinformation isn’t it?

Can we say that “disinformation,” “interference,” and “influencing” are in the eye of the beholder?

PS: The only legislation I would support for social media platforms is the prohibition of any terms of service that bar any content. Social media platforms should be truly content neutral. If you can digitize it, it should be posted. Filtering is the answer to offensive content. Users have no right to censor what other readers choose to consume.

February 11, 2019

A Quick Guide to Spear Phishing

Filed under: Cybersecurity,Hacking,Phishing for Leaks — Patrick Durusau @ 4:28 pm

How cybercriminals harvest information for spear phishing by Anastasiya Gridasova.

From the post:

In analyzing targeted attacks over the past decade, we continually find a recurring theme: “It all started when the victim opened a phishing e-mail.” Why are spear-phishing e-mails so effective? It’s because they are contextualized and tailored to the specific victim.

Victims’ social networks are often used as a source of information. Naturally, that leads to the question: How? How do cybercriminals find these accounts? To a large extent, it depends on how public the victim is. If someone’s data is published on a corporate website, perhaps with a detailed biography and a link to a LinkedIn profile, it’s quite simple. But if the only thing the cybercriminal has is an e-mail address, the task is far more complicated. And if they just took a picture of you entering the office of the target company, their chances of finding your profile in social networks are even lower.

A quick but useful introduction to gathering social data for spear phishing. The more experience you gain at spear phishing, the more sources you will add to those mentioned here.

Just as an observation: Detailed biographies of management teams for large institutional investors (think oil pipelines and the like) are published online and in a number of other sources.

BTW, to avoid being taken in by a phishing email, don’t use links sent in email. Ever. From any source. The act of copying them for use will direct your attention to the link. Or it should.
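The advice above, done mechanically, comes down to looking at where a link actually goes rather than at the text you are shown. As an added example (not code from the original post, from Kaspersky, or from the linked article), the script below pulls every anchor out of an HTML e-mail body and flags the classic phishing patterns: visible text naming one host while the href points to another, a user-info “@” hiding the real host in the URL authority, a bare IP address in place of a domain, and punycode hostnames. The e-mail body, hostnames and IP address are constructed for this example (reserved `.example`/`.test` names and a documentation address).

```python
"""Flag suspicious links in an HTML e-mail body (added example, constructed input)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Text that plausibly names a site: optional scheme, a dotted host, optional path.
_LOOKS_LIKE_URL = re.compile(
    r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/:?#]\S*)?$", re.IGNORECASE
)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in a fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # text pieces seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL; text without a scheme is parsed as a bare host."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _authority(url):
    """The authority part (user@host:port) of a URL, before any path."""
    return url.split("://", 1)[-1].split("/", 1)[0]


def suspicious_links(html):
    """Return [(href, visible_text, reason)] for anchors that deserve a second look."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = _host(href)
        shown = _host(text) if _LOOKS_LIKE_URL.match(text) else ""
        # A subdomain of the shown host (or vice versa) is not treated as a mismatch.
        same_site = (shown == target
                     or target.endswith("." + shown)
                     or shown.endswith("." + target))
        if shown and not same_site:
            findings.append((href, text,
                             "visible text names %s but link goes to %s" % (shown, target)))
        elif "@" in _authority(href):
            findings.append((href, text, "userinfo in URL authority"))
        elif target and target.replace(".", "").isdigit():
            findings.append((href, text, "raw IP address instead of a domain"))
        elif "xn--" in target:
            findings.append((href, text, "punycode (internationalized) hostname"))
    return findings


# Constructed sample: one honest link and three that should be flagged.
SAMPLE_EMAIL = """
<p>Your account needs attention.</p>
<a href="http://bank.example.attacker.test/login">https://www.bank.example/login</a>
<a href="https://www.bank.example/help">https://www.bank.example/help</a>
<a href="http://198.51.100.7/reset">Reset password</a>
<a href="http://www.bank.example@attacker.test/">Click here</a>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print("%-45s %-35s %s" % (href, text, reason))
```

The check is deliberately conservative: it only compares hosts when the visible text itself looks like a URL, so ordinary “Click here” anchors are not scored as mismatches, and it lets a subdomain of the displayed host pass. It is a screen for what to read carefully, not a verdict; the post’s rule of never following e-mailed links still stands.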

White/Black Hats – Swiss E-Voting Systems – $$$ (or rather CHF)

Filed under: Bugs,Cybersecurity,Government — Patrick Durusau @ 3:59 pm

Switzerland Launches Bug Bounty Program for E-Voting Systems by Eduard Kovacs

From the post:


Hackers can earn between $30,000 and $50,000 if they find vulnerabilities that can be exploited to manipulate votes without being detected by voters and auditors. Voting manipulation methods that are detectable can earn participants up to $20,000.

Server-side flaws that allow an attacker to find out who voted and what they voted can earn hackers as much as $10,000, while vote corruption issues can be worth up to $5,000. The smallest bounty, $100, will be paid out for server configuration weaknesses. Participants will be allowed to make their findings public.

The source code for the e-voting system is publicly available, but Swiss Post noted that source code vulnerabilities must be reported separately if they cannot be exploited against the test system.

If you are a registered White Hat hacker, submit your findings for awards as described.

If you are a Black Hat hacker, sell your hack to one of the participating White Hat hackers. 😉

Something for everyone.

February 7, 2019

SHARIAsource [Islamic Law – Don’t Make Your Readers Dumber]

Filed under: Islam,Journalism,News,Religion,Reporting — Patrick Durusau @ 8:44 pm

SHARIAsource

From the about page:

SHARIAsource is a team of advisors, scholars, and editors dedicated to providing content and context on Islamic law in a collective mission to organize the world’s information on Islamic law in a way that is accessible and useful. Find out more about our advisory board, editorial board, regional editors, and senior scholars.

What We Do

Harvard Law School’s Islamic Legal Studies Program: SHARIAsource (“ILSP: SHARIAsource” or “The Program”) is dedicated to providing content and context on Islamic law in a way that is accessible and useful. Working with a global team of editors, we provide a platform to house primary sources of Islamic law, organize the people to critically analyze them, and promote research to inform academic and public discourse about Islamic law. Our research portal, SHARIAsource (beta.shariasource.com) (“The Portal”) is our flagship project, and offers a home for wide-ranging sources and analysis of Islamic law. Other projects and special events serve legal scholars and lawyers, students, and generally interested readers; and we disseminate information, deliver cutting-edge analysis, and facilitate scholarly conversation and debate on Islamic law through our blog (shariasource.blog), newsletter (shariasource.blog/archives/), social media outlets, listservs, and special events. The SHARIAsource Portal collects sources and scholarly commentary on Islamic law from the earliest periods of Islam to the modern era, covering both Muslim-majority and Muslim-minority contexts. SHARIAsource adheres to common principles of academic engagement, including attention to diverse perspectives, peer-reviewed analysis, and the free and open exchange of ideas.

What We Cover

SHARIAsource includes sources and scholarly commentary on Islamic law from the earliest periods of Islam to the modern era, covering both Muslim-majority and Muslim-minority contexts.

Reporters looking to evaluate discussions or claims about Islamic law can hardly do better than SHARIAsource. It offers an amazing range of primary and secondary resources, as well as authorities on Islamic law.
