Ethereum Contracts – Future Hacker Candy

May 20th, 2016

Ethereum Contracts Are Going To Be Candy For Hackers by Peter Vessenes.

From the post:

Smart Contracts and Programming Defects

Ethereum promises that contracts will ‘live forever’ in the default case. And, in fact, unless the contract contains a suicide clause, they are not destroyable.

This is a double-edged sword. On the one hand, the default suicide mode for a contract is to return all funds embedded in the contract to the owner; it’s clearly unworkable to have a “zero trust” system in which the owner of a contract can at will claim all money.

So, it’s good to let people reason about the contract longevity. On the other hand, I have been reviewing some Ethereum contracts recently, and the code quality is somewhere between “optimistic as to required quality” and “terrible” for code that is supposed to run forever.

Dan Mayer cites research showing industry average bugs per 1000 lines of code at 15-50 and Microsoft released code at 0.5 per 1000, and 0(!) defects in 500,000 lines of code for NASA, with a very expensive and time-consuming process.

Ethereum Smart Contract Bugs per Line of Code exceeds 100 per 1000

My review of Ethereum Smart Contracts available for inspection at dapps.ethercasts.com shows a likely error rate of something like 100 per 1000, maybe higher.

If you haven’t seen Ethereum, now is the time to visit.

From the homepage:

Ethereum is a decentralized platform that runs smart contracts: applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third party interference.

These apps run on a custom built blockchain, an enormously powerful shared global infrastructure that can move value around and represent the ownership of property. This enables developers to create markets, store registries of debts or promises, move funds in accordance with instructions given long in the past (like a will or a futures contract) and many other things that have not been invented yet, all without a middle man or counterparty risk.

The project was crowdfunded during August 2014 by fans all around the world. It is developed by the Ethereum Foundation, a Swiss nonprofit, with contributions from great minds across the globe.

It is early in Ethereum’s life cycle and some contracts will be better written than others.

Vulnerabilities will be Authors x Contracts so the future looks bright for hackers.

The Islamic State’s suspected inroads into America – Data Set!

May 19th, 2016

The Islamic State’s suspected inroads into America by Adam Goldman, Jia Lynn Yang, and John Muyskens.

From the post:

Federal prosecutors have charged 84 men and women around the country in connection with the Islamic State. So far, 32 have been convicted. Men outnumber women in those cases by about 7 to 1. The average age of the individuals is 27. One is a minor. The FBI says that, in a handful of cases, it has disrupted plots targeting U.S. military or law enforcement personnel.

The post breaks down proceedings by state and lists each person separately, along with the source of the information.

If you are looking for a small but significant data set on terrorism, I think this is the place.

If you develop further information on these cases, repay the original authors by sharing your discoveries.

Thoughts On How-To Help Drown A Copyright Troll?

May 19th, 2016

Copyright Trolls Rightscorp Are Teetering On The Verge Of Bankruptcy (a riff on arstechnica.com).

Suggestions?

Think of it as a service to the entire community, including legitimate claimants to intellectual property.

I tried to think of any methods I would exclude and came up empty.

You?

FindFace – Party Like It’s 2001

May 19th, 2016

What a difference fifteen years make!

Is Google or Facebook evil? Forget it!

Russian nerds have developed a new Face Recognition technology based app called FindFace, which is a nightmare for privacy lovers and human rights advocates.

FindFace is a terrifyingly powerful facial recognition app that lets you photograph strangers in a crowd and find their real identity by connecting them to their social media accounts with a 70% success rate, putting public anonymity at risk.

(From This App Lets You Find Anyone’s Social Profile Just By Taking Their Photo by Mohit Kumar)

Compare that breathless, “…nightmare for privacy lovers…public anonymity at risk…” prose to:

Super Bowl, or Snooper Bowl?

As 100,000 fans stepped through the turnstiles at Super Bowl XXXV, a camera snapped their image and matched it against a computerized police lineup of known criminals, from pickpockets to international terrorists.

It’s not a new kind of surveillance. But its use at the Super Bowl — dubbed “Snooper Bowl” by critics — has highlighted a debate about the balance between individual privacy and public safety.

Law enforcement officials say what was done at the Super Bowl is no more intrusive than routine video surveillance that most people encounter each day as they’re filmed in stores, banks, office buildings or apartment buildings.

But to critics, the addition of the face-recognition system can essentially put everyone in a police lineup.

“I think it presents a whole different picture of America,” said Howard Simon, executive director of the American Civil Liberties Union in Florida.

(From Biometrics Used to Detect Criminals at Super Bowl by Vickie Chachere)

If you don’t keep up with American football, Super Bowl XXXV was held in January of 2001.

Facial recognition being common in 2001, why the sudden hand-wringing over privacy and FindFace?

Oh, I get it. It is the democratization of the loss of privacy.

Those whose privacy would be protected by privilege or position are suddenly fair game to anyone with a smartphone.

A judge coming out of a kinky bar can be erased or not noticed on police surveillance video, but in a smartphone image, not so much.

The “privacy” of the average U.S. citizen depends on the inattention of state actors.

I’m all for sharing our life-in-the-goldfish-bowl condition with the powerful and privileged.

Get FindFace and use it.

Create similar apps and use topic maps to bind the images to social media profiles.

When the State stops surveillance, perhaps, just perhaps, citizens can stop surveillance of the State. Maybe.

If “privacy” advocates object, ask them what surveillance by the State they support? If the answer isn’t “none,” they have chosen the side of power and privilege. What more is there to say? (BTW, take their photo with FindFace or a similar app.)

Allo, Allo, Google and the Government Can Both Hear You

May 19th, 2016

Google’s Allo fails to use end-to-end encryption by default by Graham Cluley.

The lack of end-to-end encryption by default in Google’s Allo might look like a concession to law enforcement.

Graham points out that, given the choice of no government or Google spying versus government and Google spying, Google chose the latter.

Anyone working on wrappers for apps to encrypt their output and/or to go dark in terms of reporting to the mother ship?

PS: Yes, Allo offers encryption you can “turn on” but will you trust encryption from someone who obviously wants to spy on you? Your call.

Before There Was Big Data … There Was XLDB!

May 18th, 2016

9th Extremely Large Databases Conference

Online registration closes 19 May 2016!

May 24-26, 2016

Program

Rumor has it that some sponsorships are still available.

Hard to imagine but check with xldb-admin@slac.stanford.edu if you want to be associated with the premier extreme scale event of the year.

Best Served From The Ukraine [Aside on Jury Instruction Re FBI Evidence]

May 18th, 2016

Experts Warn of Super-Stealthy Furtim Malware by Phil Muncaster.

From the post:

Security experts are warning of newly discovered credential-stealing malware which prioritizes stealth, scoring a 0% detection rate in VirusTotal.

Furtim, a Latin word meaning “by stealth,” was first spotted by researcher @hFireF0X and consists of a driver, a downloader and three payloads, according to enSilo researcher Yotam Gottesman.

The payloads are: a power-saving configuration tool which ensures a victim’s machine is always on and communicating with Furtim’s C&C server; Pony Stealer – a powerful commercial credential stealer; and a third file that communicates back to the server but has yet to be fully analyzed.

Interestingly, Furtim goes to great lengths to stay hidden, going well beyond most malware in checking for the presence of over 400 security tools on the targeted PC, Gottesman claimed.

Phil’s post summarizes some of the better ideas used in this particular bit of malware.

The post by enSilo researcher Yotam Gottesman includes this description:

Upon initial communication, Furtim collects unique information from the device it is running on, such as the computer name and installation date and sends that information to a specific server. The server stores the received details about the infected machine to ensure that the payload is sent only once.

That reminds me of the search warrant Ben Cox posted in Here Is the Warrant the FBI Used to Hack Over a Thousand Computers, which reads in part:

From any “activating” computer described in Attachment A:

1. The “activating” computer’s actual IP address, and the date and time that the NIT determines what that IP address is;

2. a unique identifier generated by the NIT (e.g., a series of numbers, letters, and/or special characters) to distinguish data from that of other “activating” computers, that will be sent with and collected by the NIT;

3. the type of operating system running on the computer, including type (e.g., Windows), version (e.g., Windows 7), and architecture (e.g., x86);

4. information about whether the NIT has already been delivered to the “activating” computer;

5. the “activating” computer’s Host name;

6. the “activating” computer’s active operating system username; and

7. the “activating” computer’s media access control (“MAC”) address;

….

I mention that because if the FBI can’t prove its NIT’s capabilities against the user’s computer, who knows where they got the information they now claim originated from a child porn website?

Considering the FBI knowingly gave flawed testimony for twenty years, including in death penalty cases, when prosecutors were aware of those flaws, absent both source code and a demonstration of its use against the defendant’s computer as it existed then, the NIT evidence should be excluded at trial.

Or, at the very least, a jury instruction that recites the FBI’s history of flawed technical testimony in detail and cautions the jury that it should view all FBI “evidence” as originating from habitual liars.

Could be telling the truth, but that hasn’t been their habit. (Judicial notice of the FBI practice of providing flawed evidence.)

Colleges Shouldn’t Have to Deal With Copyright Monitoring [Broods of Copyright Vipers]

May 18th, 2016

Colleges Shouldn’t Have to Deal With Copyright Monitoring by Pamela Samuelson.

From the post:

Colleges have a big stake in the outcome of the lawsuit that three publishers, Cambridge University Press, Oxford University Press, and Sage Publications, brought against Georgia State University officials for copyright infringement. The lawsuit, now in its eighth year, challenged GSU’s policy that allowed faculty members to upload excerpts (mainly chapters) of in-copyright books for students to read and download from online course repositories.

Four years ago, a trial court held that 70 of the 75 challenged uses were fair uses. Two years ago, an appellate court sent the case back for a reassessment under a revised fair-use standard. The trial court has just recently ruled that of the 48 claims remaining in the case, only four uses, each involving multiple chapters, infringed. The question now is, What should be the remedy for those four infringements?

Sage was the only publisher that prevailed at all, and it lost more infringement claims than it won. Cambridge and Oxford came away empty-handed. Despite the narrowness of Sage’s win, all three publishers have asked the court for a permanent injunction that would impose many new duties on GSU and require close monitoring of all faculty uploads to online course repositories.

I expected better out of Cambridge and Oxford, especially Cambridge, which has in recent years allowed free electronic access to some printed textbooks.

Sage and the losing publishers, Cambridge and Oxford, seek to chill the exercise of fair use by not only Georgia State University but universities everywhere.

Pamela details the outrageous nature of the demands made by the publishers and concludes that she is rooting for GSU on appeal.

We should all root for GSU on appeal but that seems so unsatisfying.

It does nothing to darken the day for the broods of copyright vipers at Cambridge, Oxford or Sage.

In addition to creating this money pit for their publishers, the copyright vipers want to pad their nests by:

As if that were not enough, the publishers want the court to require GSU to provide them with access to the university’s online course system and to relevant records so the publishers could confirm that the university had complied with the record-keeping and monitoring obligations. The publishers have asked the court to retain jurisdiction so that they could later ask it to reopen and modify the court order concerning GSU compliance measures.

I don’t know how familiar you are with academic publishing but every academic publisher has a copyright department that shares physical space with acquisitions and publishing.

Whereas acquisitions and publishing are concerned with the collection and dissemination of knowledge, while recovering enough profit to remain viable, the copyright department could just as well be employed by Screw.

Expanding the employment rolls of copyright departments to monitor fair use by publishers is another drain on their respective publishers.

If you need proof of copyright departments being a dead loss for their publishers, consider the most recent annual reports for Cambridge and Oxford.

Does either one highlight their copyright departments as centers of exciting development and income? Do they tout this eight-year-long battle against fair use?

No? I didn’t think so but wanted your confirmation to be sure.

I can point you to a history of Sage, but as a privately held publisher, it has no public annual report. Even that history, over changing economic times in publishing, finds no space to extol its copyright vipers and their role in the GSU case.

Beyond rooting for GSU, work with the acquisitions and publication departments at Cambridge, Oxford and Sage, to help improve their bottom line profit and drown their respective broods of copyright vipers.

How?

Before you sign a publishing agreement, ask your publisher for a verified statement of the ROI contributed by their copyright office.

If enough of us ask, the question will resonate across the academic publishing community.

Password Security – Not Blaming Victims

May 18th, 2016

[Image: LinkedIn passwords]

No, don’t waste your breath blaming victims.

Do use this list and similar lists as checks on allowable passwords.

One really good starting place would be: Today I Am Releasing Ten Million Passwords by Mark Burnett.
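The check the post recommends, as an added example that is not from the post or from Mark Burnett’s release: candidate passwords are refused when they, or a trivial variant of them, appear in a leaked-password list. The leak list below is a constructed six-line sample standing in for a real dump; the normalization rules and the 12-character minimum are this example’s own choices.

```python
"""Reject candidate passwords that appear in a leaked-password list.

Added example, not code from the post. SAMPLE_LEAK is a constructed
stand-in for a real dump; load_denylist() reads a real one-per-line file.
"""
from __future__ import annotations

import hashlib
import re
import unicodedata

# Constructed sample of "leaked" passwords; a real list has millions of lines.
SAMPLE_LEAK = """\
password
123456
linkedin
Summer2016
qwerty
letmein!
"""

# Trailing digits/punctuation are the most common "make it unique" tweak.
_TRAILING = re.compile(r"[0-9!@#$%^&*._-]+$")
# Common leet substitutions, folded so P@ssw0rd and password compare equal.
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                       "4": "a", "5": "s", "7": "t", "!": "i"})


def normalize(password: str) -> str:
    """Canonical comparison form: NFKC, lowercase, trailing digits and
    punctuation dropped, leet substitutions undone."""
    s = unicodedata.normalize("NFKC", password).lower()
    stripped = _TRAILING.sub("", s)
    if stripped:               # all-digit entries like 123456 stay as-is
        s = stripped           # "summer2016!" -> "summer"
    if any(c.isalpha() for c in s):
        s = s.translate(_LEET)  # "p@ssw0rd" -> "password"
    return s


def _digest(value: str) -> str:
    return hashlib.sha1(value.encode("utf-8")).hexdigest()


def build_denylist(leak_text: str) -> frozenset[str]:
    """SHA-1 of the normalized form of every leaked password. Shipping
    digests instead of plaintext lets app servers carry the list without
    redistributing the raw dump."""
    return frozenset(_digest(normalize(line))
                     for line in leak_text.splitlines() if line.strip())


def load_denylist(path: str) -> frozenset[str]:
    """Build the deny-list from a one-password-per-line file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return build_denylist(fh.read())


def check_password(candidate: str, denylist: frozenset[str],
                   min_length: int = 12) -> tuple[bool, str]:
    """Return (allowed, reason). The leak check runs on the normalized
    form, so 'P@ssw0rd2016!!' is refused because 'password' leaked."""
    if len(candidate) < min_length:
        return False, f"shorter than {min_length} characters"
    if _digest(normalize(candidate)) in denylist:
        return False, "matches a leaked password (or a trivial variant of one)"
    return True, "ok"


if __name__ == "__main__":
    denylist = build_denylist(SAMPLE_LEAK)
    for pw in ("password", "P@ssw0rd2016!!", "Summer2016!!",
               "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw, denylist)}")
```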

iPad Security – Just Brick It! Just Brick It!

May 18th, 2016

[Image: bricks]

Apple has released a new method for securing your iPad, brick it!

Darren Pauli reports in Apple’s iOS updates brick iPads that the brick-your-iPad upgrade process is 100% effective at securing iPads, at least until they are restored by users and/or Apple support is contacted.

Office of Personnel Management managers have expressed interest in iPad bricking in light of its most recent IT security fiasco. The cost of upgrading to iPads, suitable for bricking, is unknown.

Mozilla/Tor Vulnerabilities – You Can Help!

May 17th, 2016

You have probably heard the news that the FBI doesn’t have to reveal its Tor hack. Judge Changes Mind, Says FBI Doesn’t Have to Reveal Tor Browser Hack by Joseph Cox.

Which of course means that Mozilla isn’t going to get the hack fourteen days before the defense attorneys do.

While knowing the FBI hack would help fix that particular vulnerability, it would not help fix any other Mozilla/Tor vulnerabilities.

Rather than losing any sleep or keystrokes over the FBI’s one hack, clasped in its grubby little hands, contribute to the discovery and, more importantly, the fixing of vulnerabilities in Mozilla and Tor.

Let the FBI have its one-trick pony. From what I understand you had to have Flash installed for it to work.

Flash? Really?

Flash users need to mirror their SSN, address, hard drives, etc., to a public FTP site. At least then you will have a record of when your data is stolen, I mean downloaded.

Whether vulnerabilities persist in Mozilla/Tor isn’t up to the FBI. It’s up to you.

Your call.

Unicode Code Chart Reviewers Needed – Now!

May 17th, 2016

I saw an email from Rick McGowan of the Unicode Consortium that reads:

As we near the release of Unicode 9.0, we’re looking for volunteers to review the latest code charts for regressions from the 8.0 charts… If you have a block that you’re particularly fond of, please consider checking the glyphs and names against the 8.0 charts… To see the latest 9.0 charts, you can start here:

http://www.unicode.org/Public/9.0.0/charts/

The “blocks” directory has all of the individual block charts, and the charts with specific additions/changes are here:

http://www.unicode.org/charts/PDF/Unicode-9.0/

Not for everyone but if you can contribute, please do.

Just so you know, this is the 25th anniversary of the Unicode Consortium!

Even if you don’t proof the code charts, do remember to wish the Unicode Consortium a happy 25th anniversary!
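A mechanical first pass at the regression check the email describes, added here and not part of the post or of the Unicode Consortium’s own tooling: it compares character names between two versions and flags anything removed or renamed. It assumes the semicolon-separated UnicodeData.txt layout (code point; name; general category; …) rather than the PDF charts, and the two inputs are constructed samples, not real 8.0/9.0 data.

```python
"""Flag character-name regressions between two Unicode versions.

Added example; assumes UnicodeData.txt-style input, with constructed
samples in place of the real 8.0 and 9.0 files. Assigned characters are
never removed or renamed once published, so any 'removed' or 'renamed'
entry is a regression, while 'added' entries are the expected new ones.
"""
from __future__ import annotations

# Constructed 8.0-style sample: code;name;general category;... (rest omitted).
OLD_SAMPLE = """\
0041;LATIN CAPITAL LETTER A;Lu;0;L;;;;;N;;;;0061;
0042;LATIN CAPITAL LETTER B;Lu;0;L;;;;;N;;;;0062;
0043;LATIN CAPITAL LETTER C;Lu;0;L;;;;;N;;;;0063;
3400;<CJK Ideograph Extension A, First>;Lo;0;L;;;;;N;;;;;
4DB5;<CJK Ideograph Extension A, Last>;Lo;0;L;;;;;N;;;;;
"""

# Constructed 9.0-style sample with one deliberate rename (U+0042),
# one deletion (U+0043) and one legitimate addition (U+0044).
NEW_SAMPLE = """\
0041;LATIN CAPITAL LETTER A;Lu;0;L;;;;;N;;;;0061;
0042;LATIN CAPITAL LETTER 8;Lu;0;L;;;;;N;;;;0062;
0044;LATIN CAPITAL LETTER D;Lu;0;L;;;;;N;;;;0064;
3400;<CJK Ideograph Extension A, First>;Lo;0;L;;;;;N;;;;;
4DB5;<CJK Ideograph Extension A, Last>;Lo;0;L;;;;;N;;;;;
"""


def parse_names(text: str) -> dict[int, str]:
    """Map code point -> character name. Range markers such as
    '<..., First>' / '<..., Last>' are not character names and are skipped."""
    names: dict[int, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(";")
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected 'code;name;...', got {line!r}")
        name = fields[1]
        if name.startswith("<") and name.endswith(">"):
            continue
        names[int(fields[0], 16)] = name
    return names


def diff_names(old_text: str, new_text: str) -> dict[str, list]:
    """Compare two versions; 'removed' and 'renamed' are regressions."""
    old, new = parse_names(old_text), parse_names(new_text)
    return {
        "removed": sorted(cp for cp in old if cp not in new),
        "added": sorted(cp for cp in new if cp not in old),
        "renamed": sorted((cp, old[cp], new[cp])
                          for cp in old if cp in new and old[cp] != new[cp]),
    }


def format_report(report: dict[str, list]) -> str:
    """Human-readable summary, one line per finding."""
    lines = [f"REMOVED  U+{cp:04X}" for cp in report["removed"]]
    lines += [f"RENAMED  U+{cp:04X}: {old!r} -> {new!r}"
              for cp, old, new in report["renamed"]]
    lines += [f"added    U+{cp:04X}" for cp in report["added"]]
    return "\n".join(lines) if lines else "no differences"


if __name__ == "__main__":
    print(format_report(diff_names(OLD_SAMPLE, NEW_SAMPLE)))
```

Running it over the real files for two versions (one per line, same layout) is a matter of replacing the two constants with file contents.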

Map for Long Term Investors in British Isles

May 16th, 2016

For any long range planners in the crowd:

[Image: the British Isles in 2100]

Censored SIDtoday File Release

May 16th, 2016

Snowden Archive — The SIDtoday Files

From the post:

The Intercept’s first SIDtoday release comprises 166 articles, including all articles published between March 31, 2003, when SIDtoday began, and June 30, 2003, plus installments of all article series begun during this period through the end of the year. Major topics include the National Security Agency’s role in interrogations, the Iraq War, the war on terror, new leadership in the Signals Intelligence Directorate, and new, popular uses of the internet and of mobile computing devices.

Along with this batch, we are publishing the stories featured below, which explain how and why we’re releasing these documents, provide an overview of SIDtoday as a publication, report on one especially newsworthy set of revelations, and round up other interesting tidbits from the files.

There are a series of related stories with this initial release:

The Intercept is Broadening Access to the Snowden Archive. Here’s Why by Glenn Greenwald.

NSA Closely Involved in Guantánamo Interrogations, Documents Show by Cora Currier.

The Most Intriguing Spy Stories From 166 Internal NSA Reports by Micah Lee, Margot Williams.

What It’s Like to Read the NSA’s Newspaper for Spies by Peter Maass.

How We Prepared the NSA’s Sensitive Internal Reports for Release by The Intercept.

A master zip file has all the SIDtoday files released thus far.

Comments on the censoring of these files will follow.

Office of Personnel Management Upgrade Crashes and Burns

May 16th, 2016

You may remember Flash Audit on OPM Infrastructure Update Plan which gave you a summary of the Inspector General for the Office of Personnel Management (OPM) report on OPM’s plans to upgrade its IT structure.

Unfortunately for U.S. taxpayers and people whose records are held by the OPM, the Inspector General doesn’t have veto power over the mis-laid plans of the OPM.

As a consequence, we read today:

Contractor Working on OPM’s Cyber Upgrades Suddenly Quits, Citing ‘Financial Distress’ by Jack Moore.

From the post:

The contractor responsible for the hacked Office of Personnel Management’s major IT overhaul is now in financial disarray and no longer working on the project.

OPM awarded the Arlington, Virginia-based Imperatis Corporation a sole-source contract in June 2014 as part of an initial $20 million effort to harden OPM’s cyber defenses, after agency officials discovered an intrusion into the agency’s network.

In the past week, however, Imperatis ceased operations on the contract, citing “financial distress,” an OPM spokesman confirmed to Nextgov.

After Imperatis employees failed to show up for work May 9, OPM terminated Imperatis’ contract for nonperformance and defaulting on its contract.

“DHS and OPM are currently assessing the operational effect of the situation and expect there to be very little impact on current OPM operations,” OPM spokesman Sam Schumach said in a statement to Nextgov. Schumach said OPM had been planning for performance on the contract to end in June 2016.

Show of hands: Who is surprised by this news?

The Board of Directors/Advisors page for Imperatis is now blank.

To help you avoid becoming entangled with these individuals in future contracts, the Wayback Machine has a copy of their Board of Directors/Advisors as of March 31, 2016.

So you can identify the right people:

Board of Directors

CHARLES R. HENRY, CHAIRMAN OF THE BOARD

Retired Major General Charles (Chuck) Henry became Chairman of the Board of Directors in early 2013. Henry retired after 32 years in the U.S. Army, during which he held various important Quartermaster, mission-related, command, and staff positions. He was the Army’s first Competition Advocate General and reported directly to the Secretary of the Army. His overseas assignments included tours of duty in Vietnam, Europe, and Saudi Arabia. Henry is a member of the Army Quartermaster and Defense Logistics Agency Halls of Fame. In his last position with the federal government, he was the founder and first commander of the Defense Contract Management Command (DCMC).

Henry spent 20 years as a senior executive working in industry, serving as the CEO of five companies. He currently sits on two public boards, Molycorp (NYSE) and Gaming Partners International Corp (NASDAQ), and also sits on the Army Science Board, an advisory committee that makes recommendations on scientific and technological concerns to the U.S. Army.

SALLY DONNELLY

Sally Donnelly is founder and CEO of SBD Advisors, an international consulting and communications firm. Donnelly is also a senior advisor and North American representative to C5, a UK-based investment fund in safety and security markets.

Prior to founding SBD Advisors, Donnelly served as head of Washington’s office for U.S. Central Command. Donnelly was a key advisor to General Jim Mattis on policy issues, Congressional relations, communications, and engagements with foreign governments. Before joining U.S. Central Command, Donnelly was a Special Assistant to the Chairman of the Joint Chiefs of Staff, Admiral Mike Mullen.

Before joining the Chairman’s staff, Donnelly worked at Time Magazine for 21 years. Donnelly currently sits on the Board of the American Friends of Black Stork, a British-based military veterans’ charity and is a consultant to the Pentagon’s Defense Business Board.

ERIC T. OLSON

Retired Admiral Eric T. Olson joined the Imperatis Board in April 2013. Olson retired from the U.S. Navy in 2011 after more than 38 years of military service. He was the first Navy SEAL officer to be promoted to the three-star and four-star ranks. He served as head of the US Special Operations Command, where he was responsible for the mission readiness of all U.S. Army, Navy, Air Force, and Marine Corps Special Operations Forces.

Olson is now an independent national security consultant for private and public sector organizations as the president of the ETO Group. He is an adjunct professor in the School of International and Public Affairs at Columbia University and serves as director of Iridium Communications, Under Armour, the non-profit Special Operations Warrior Foundation, and the National Navy UDT-SEAL Museum.

MASTIN M. ROBESON

Retired Major General Mastin Robeson joined Imperatis as President and Chief Executive Officer in March 2013. Robeson retired in February 2010 after 34 years of active service in the U.S. Marine Corps, during which time he served in more than 60 countries. He commanded a Combined/Joint Task Force in the Horn of Africa, two Marine Brigades, two Marine Divisions, and Marine Corps Special Operations Command. He also served as Secretary of Defense William Cohen’s Military Assistant and General David Petraeus’ Director of Strategy, Plans, and Assessments. He has extensive strategic planning, decision-making, and crisis management experience.

Since retiring in 2010, Robeson has operated his own consulting company, assisting more than 20 companies in business development, marketing strategy, strategic planning, executive leadership, and crisis management. He has also served on three Boards of Directors, two Boards of Advisors, a college Board of Trustees, and a major hospital’s Operations Council.

BOARD OF ADVISORS

JAMES CLUCK

James (Jim) Cluck joined the Imperatis Board of Advisors in 2013. Cluck formerly served as acquisition executive, U.S. Special Operations Command. He was responsible for all special operations forces research, development, acquisition, procurement, and logistics.

Cluck held a variety of positions at USSOCOM, including program manager for both intelligence systems and C4I automation systems; Deputy Program Executive Officer for Intelligence and Information Systems; Director of Management for the Special Operations Acquisition and Logistics Center; and Chief Information Officer and Director for the Center for Networks and Communications. During these assignments, he consolidated diverse intelligence, command and control, and information programs through common migration and technical management techniques to minimize Major Force Program-11 resourcing and enhance interoperability.

ED WINTERS

Retired Rear Admiral Ed Winters joined the Imperatis Board of Advisors in September 2014. Winters retired from the U.S. Navy after more than 33 years of military service. As a Navy SEAL, he commanded at every level in the Naval Special Warfare community as well as serving two tours in Iraq under the Multi-National Security Transition Command (MNSTC-I). During his first tour with MNSTC-I he led the successful efforts to establish the Iraqi National Counter-Terrorism Task Force. During his second tour with MNSTC-I he served as Deputy Commander, overseeing the daily training and mentoring of the Iraqi Security Architecture and Government institutions. Since retiring, Winters has consulted to multiple corporations.

Should any of these individuals appear in any relationship with any contractor on a present or future contract, run the other way. Dig in your heels and refuse to sign any checks, contracts, etc.

Imperatis Corporation was once known as Jorge Scientific, which also crashed and burned. You can find their “leadership team” at the Wayback Machine as well.

You have to wonder how many Imperatis and Jorge Scientific “leaders” are involved in other government contracts.

Suggestions for a good starting place to root them out?

Shame! Shame! John McAfee Tricks Illiterates

May 16th, 2016

My day started with reading WhatsApp Message Hacked By John McAfee And Crew by Steve Morgan.

I thought it made the important point that while the WhatsApp message is secured by bank vault quality encryption:

[Image: bank vault door with a small yellow note on the front, Luxembourg Bank Museum]

By LoKiLeCh (Own work) [GFDL, CC-BY-SA-3.0, CC BY-SA 2.5-2.0-1.0, GFDL, CC-BY-SA-3.0 or CC BY-SA 2.5-2.0-1.0], via Wikimedia Commons

When you enlarge the little yellow note on the front (think Android) you find:

[Image: close-up of the note, which reads “combination”]

While your message encryption may be Shannon secure end-to-end, the security of your OS, to say nothing of your personal, organizational, etc., security, determines whether the message is indeed “secure.”

A better illustration would be to show McAfee and crew taking the vault out of the wall (think OS) but my graphic skills aren’t up to that task. ;-)

That’s a useful lesson and to be honest, McAfee says as much, in the fifth paragraph of the story.

So I almost fell off my perch when later in the morning I read:

John McAfee Apparently Tried to Trick Reporters Into Thinking He Hacked WhatsApp by William Turton.

Here’s the lead paragraph:

John McAfee, noted liar and one-time creator of anti-virus software, apparently tried to convince reporters that he hacked the encryption used on WhatsApp. To do this, he attempted to send them phones with preinstalled malware and then convince them he was reading their encrypted conversations.

Just in case you don’t follow the “noted liar” link, that’s another post written by William Turton.

The “admitted lie” was one of simplification, compressing an iPhone hack into sound bite length.

Ever explained (or attempted to explain) computer technology to the C-suite? You are guilty of the same type of lies.

If someone divested themselves of their interest in WhatsApp because they didn’t read to the fifth paragraph of the original story, I’m sorry.

Read before you re-tweet/re-post and/or change your investments. Whether it’s a John McAfee story or not.

Twitter Giveth and Taketh Away (NSA as Profit Center?)

May 16th, 2016

Twitter Giveth: GCHQ intelligence agency joins Twitter. Just about anyone can get a Twitter account these days.

Do see the GCHQ GitHub site for shared software.

Taketh Away: Twitter Bars Intelligence Agencies From Using Analytics Service.

Twitter has barred Dataminr from providing services to government intelligence services.

Dataminr monitors the entire Twitter pipe and provides analytics based on that stream.

Will this result in the NSA sharing its signal detection in the Twitter stream with other intelligence agencies?

Or for that matter, the NSA could start offering commercial signal detection services across all its feeds. Make it a profit center for the government rather than a money pit.

BTW, don’t be deceived by the illusion of space between government and Twitter, or any other entity that cooperates with a national government. Take “compromised” as a given. The real questions are by whom and for what purpose?

How to create interactive maps with MapHub

May 16th, 2016

How to create interactive maps with MapHub by Mădălina Ciobanu.

From the post:

Maps may not be every graphics editor or reporter’s favourite way to illustrate information, particularly a more interesting dataset that can lend itself to a more creative format, but sometimes they are the best way to take your readers from point A to point B – literally.

We have written about mapping tools before, so make sure you check out the list (and stay tuned for an update!), but in the meantime this guide will show you how to create a quick interactive map using free platform MapHub, which is currently available in beta.

After you read about using MapHub, be sure to follow the link to resources on other mapping tools as well.

One quick use of maps for stories such as Congress, Maps and a Research Tale – Part 1, where public land is going to be mined in a noisy and toxic way, is to plot the physical residences of those who support the project versus those who oppose it.

I haven’t gathered that data, yet, but won’t be surprised if supporters DO NOT have the mine in their backyards.

Other examples of how distance increases political support for noxious activities?

A Linguistic Divide: Cow Tipping vs. Fly-tipping

May 16th, 2016

When I read Private landowners face increasing costs and fines as fly-tipping reaches one million cases a year, I immediately thought of the urban legend of cow tipping.

Stories about cow tipping usually involve intoxicated people who attempt to push over, “tip,” a sleeping cow onto its side.

Before you verify for yourself that such deeds are urban legends, be aware that cows are quite large, often accompanied by bulls and always owned by people who take exception to drunks molesting their cattle at night. You have been warned.

When the story mentioned England and Wales, the idea of “fly-tipping” made a little more sense but not the increased costs and fines.

Who cares if drunk English/Welshmen want to tip over flies or not?

It does sound very British doesn’t it?

In any event, reading further revealed the unfortunate usage of “fly-tipping,” to mean “illegal dumping.”

Why the British have departed from the mainstream usage of “illegal dumping” to use “fly-tipping” isn’t clear.

But, if you are making a list of ill-advised synonyms, be sure to add “fly-tipping” to your list.

Congress, Maps, A Research Tale – Part 1

May 15th, 2016

[image: oak-flat-facebook]

A close friend posted this to Facebook. I pressed them for further details because, alone, all this does is raise my blood pressure; it offers no opportunity for meaningful action.

With their response I was able to locate the offending act: Carl Levin and Howard P. “Buck” McKeon National Defense Authorization Act for Fiscal Year 2015, which given the date, fiscal year 2015, means it likely passed in 2014.

The timeless nature of most web posts increases the difficulty of even minimal searching. If what you are complaining about has a date, please recite it. If it is legislation, provide the date and a pointer.

Having located the act, if you are reading along, you want Section 3003.

In subsection (b), Definitions, you will find:

(1) APACHE LEAP.—The term ‘‘Apache Leap’’ means the approximately 807 acres of land depicted on the map entitled ‘‘Southeast Arizona Land Exchange and Conservation Act of 2011–Apache Leap’’ and dated March 2011.

(2) FEDERAL LAND.—The term ‘‘Federal land’’ means the approximately 2,422 acres of land located in Pinal County, Arizona, depicted on the map entitled ‘‘Southeast Arizona Land Exchange and Conservation Act of 2011–Federal Parcel–Oak Flat’’ and dated March 2011.

(5) OAK FLAT CAMPGROUND.—The term ‘‘Oak Flat Campground’’ means the approximately 50 acres of land comprising approximately 16 developed campsites depicted on the map entitled ‘‘Southeast Arizona Land Exchange and Conservation Act of 2011–Oak Flat Campground’’ and dated March 2011.

(6) OAK FLAT WITHDRAWAL AREA.—The term ‘‘Oak Flat Withdrawal Area’’ means the approximately 760 acres of land depicted on the map entitled ‘‘Southeast Arizona Land Exchange and Conservation Act of 2011–Oak Flat Withdrawal Area’’ and dated March 2011.

OK, I like maps and so went looking for these maps. Searching all of Congress.gov gave fourteen hits for the names, but no maps.

I started to write to the law librarians at the Library of Congress and, for due diligence, did a search on the term “ maps ” (note the leading and following spaces). There were twenty-eight (28) “hits” and the eighth one reads:

(b) AVAILABILITY OF MAPS AND LEGAL DESCRIPTIONS.—Maps are entitled ‘‘Trinity County Land Exchange Act of 2014 – Parcel A’’ and ‘‘Trinity County Land Exchange Act of 2014 – Parcel B’’, both dated March 24, 2014. The maps shall be on file and available for public inspection in the Office of the Chief of the Forest Service and the appropriate office of the Bureau of Land Management.

Ah! So map titles in the bill don’t refer to maps attached to the bill (a sensible assumption), nor do they necessarily refer to maps already available elsewhere. Maps referenced in legislation may not exist at the time of the reference.

I would not vote based on a to-be-produced-map but then many in Congress don’t vote as I would. ;-) (Not always a criticism, just an observation.)

So, the solution to finding the maps lies in

PUBLIC LAW 113–291, Section 3003, (i) (2) MAPS, ESTIMATES, AND DESCRIPTIONS, (C) AVAILABILITY:

(C) AVAILABILITY.—On the date of enactment of this Act, the Secretary shall file and make available for public inspection in the Office of the Supervisor, Tonto National Forest, each map referred to in this section.

A quick search at the Tonto National Forest website does not turn up the maps in question.

Nor does a search for “Oak Flat Withdrawal Area” at the Secretary of Agriculture site:

[image: usda-oak-flat-search]

At this point I have the following outstanding questions:

What is the source of these maps, alleged to be dated 2011?

Bearing in mind the advice in The Moon Is a Harsh Mistress, “Always cut cards.”

I’m fine with maps, so long as it is my map.

Can these maps be accessed without traveling to the “…Office of the Supervisor, Tonto National Forest…”?

What maps were available to members of Congress voting on this legislation?

I have feelers out for additional information and will be posting a follow-up later this week.

Consent/Anonymised Data Concerns For Nulled.io?

May 14th, 2016

Famous Nulled.io Hacking Forum Suffers Devastating Data Breach by Catalin Cimpanu.

From the post:


According to security firm Risk Based Security, the leaked data was offered as a 1.3 GB tar archive that decompressed to a 9.45 GB db.sql file, which was a database dump of the entire forum’s database.

Everything from user accounts to private messages, and from VIP forum posts to financial transactions were included. More precisely, the data contained 536,064 user accounts, 800,593 user personal messages, 5,582 purchase records, and 12,600 invoices.

For each user, leaked data included his forum username, email address, hashed password, join date, IP records, and other forum-related tidbits such as titles and post counts.

Crime investigation agencies are most likely to be interested in this leak since it also includes 907,162 authentication logs with geolocation data that will allow them to tie various criminal activity to IPs, forum usernames, and email addresses.

I am waiting to see Oliver Keyes, OKCupid data and Scientific Censorship, ride in to condemn this unknown hacker for breaching the privacy of the users of Nulled.io and for the data not being anonymised.

Or in Oliver’s words on another data breach:

…this is without a doubt one of the most grossly unprofessional, unethical and reprehensible data releases I have ever seen.

I wonder where this one ranks?

Considering that criminal charges are a distinct possibility from the data breach?

I haven’t looked at the data, yet, but if hackers failed to take steps to conceal their identities on a site devoted to hacking, user education on security may be a lost cause.

Receding Trust In Internet Privacy

May 13th, 2016

You may have seen this post on Twitter:

[image: trust-internet-01]

So, what is this:

…single problem that we just can’t seem to solve[?]

The Washington Post headline was even more lurid: Why a staggering number of Americans have stopped using the Internet the way they used to.

The government post releasing the data was somewhat calmer: Lack of Trust in Internet Privacy and Security May Deter Economic and Other Online Activities by Rafi Goldberg.

Rafi writes:

Every day, billions of people around the world use the Internet to share ideas, conduct financial transactions, and keep in touch with family, friends, and colleagues. Users send and store personal medical data, business communications, and even intimate conversations over this global network. But for the Internet to grow and thrive, users must continue to trust that their personal information will be secure and their privacy protected.

NTIA’s analysis of recent data shows that Americans are increasingly concerned about online security and privacy at a time when data breaches, cybersecurity incidents, and controversies over the privacy of online services have become more prominent. These concerns are prompting some Americans to limit their online activity, according to data collected for NTIA in July 2015 by the U.S. Census Bureau. This survey included several privacy and security questions, which were asked of more than 41,000 households that reported having at least one Internet user.

Perhaps the most direct threat to maintaining consumer trust is negative personal experience. Nineteen percent of Internet-using households—representing nearly 19 million households—reported that they had been affected by an online security breach, identity theft, or similar malicious activity during the 12 months prior to the July 2015 survey. Security breaches appear to be more common among the most intensive Internet-using households. For example, while 9 percent of online households that used just one type of computing device (either a desktop, laptop, tablet, Internet-connected mobile phone, wearable device, or TV-connected device) reported security breaches, 31 percent of those using at least five different types of devices suffered this experience (see Figure 1).

No real surprises in the report until you reach:


NTIA’s initial analysis only scratches the surface of this important area, but it is clear that policymakers need to develop a better understanding of mistrust in the privacy and security of the Internet and the resulting chilling effects. In addition to being a problem of great concern to many Americans, privacy and security issues may reduce economic activity and hamper the free exchange of ideas online.

I’m sorry, given that almost 1 out of every 5 households surveyed had suffered from an online security breach, what is there to “…better understand…” about their mistrust?

The Internet, their computers and other online devices, etc., are all insecure.

What seems to be the problem with acknowledging that fact?

It’s misleading for the Washington Post to wave its hands and say this is a “…single problem that we just can’t seem to solve.”

Online services and computers can be made less insecure, but no computer system is completely secure. (Not even the ones used by the NSA. Remember Snowden.)

Nor can computer systems be less insecure without some effort from users.

I know, I know, I’m blaming all those users who get hacked. Teaching users to protect themselves has some chance of a positive outcome. Wringing your hands over poor hacked users that someone should be protecting has none.

Educate yourself about basic computer security and be careful out there. The number of assholes on the Internet seems to multiply geometrically. Even leaving state actors to one side.

Flawed Input Validation = Flawed Subject Recognition

May 13th, 2016

In Vulnerable 7-Zip As Poster Child For Open Source, I covered some of the details of two vulnerabilities in 7-Zip.

Both of those vulnerabilities were summarized by the discoverers:

Sadly, many security vulnerabilities arise from applications which fail to properly validate their input data. Both of these 7-Zip vulnerabilities resulted from flawed input validation. Because data can come from a potentially untrusted source, data input validation is of critical importance to all applications’ security.

The first vulnerability is described as:

TALOS-CAN-0094, OUT-OF-BOUNDS READ VULNERABILITY, [CVE-2016-2335]

An out-of-bounds read vulnerability exists in the way 7-Zip handles Universal Disk Format (UDF) files. The UDF file system was meant to replace the ISO-9660 file format, and was eventually adopted as the official file system for DVD-Video and DVD-Audio.

Central to 7-Zip’s processing of UDF files is the CInArchive::ReadFileItem method. Because volumes can have more than one partition map, their objects are kept in an object vector. To start looking for an item, this method tries to reference the proper object using the partition map’s object vector and the “PartitionRef” field from the Long Allocation Descriptor. Lack of checking whether the “PartitionRef” field is bigger than the available amount of partition map objects causes a read out-of-bounds and can lead, in some circumstances, to arbitrary code execution.

(code in original post omitted)

This vulnerability can be triggered by any entry that contains a malformed Long Allocation Descriptor. As you can see in lines 898-905 from the code above, the program searches for elements on a particular volume, and the file-set starts based on the RootDirICB Long Allocation Descriptor. That record can be purposely malformed for malicious purpose. The vulnerability appears in line 392, when the PartitionRef field exceeds the number of elements in PartitionMaps vector.

I would describe the lack of a check on the “PartitionRef” field in topic maps terms as allowing a subject, here a string, of indeterminate size. That is, there is no constraint on the size of the subject, which is here a string.

That may seem like an obtuse way of putting it, but consider that a subject, here a string that is longer than the “available amount of partition map objects,” can be in association with other subjects, such as the user (subject) who has invoked the application (association) containing the 7-Zip vulnerability (subject).
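As an added illustration of the missing check described above (constructed here, not 7-Zip’s code), the following C++ parses a UDF Long Allocation Descriptor from raw bytes and validates its partition reference against the volume’s partition-map vector before using it as an index. The struct layouts, function names and sample bytes are assumptions; the 16-byte long_ad layout follows ECMA-167.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added illustration, not 7-Zip's code. Layout is the ECMA-167 long_ad
// (16 bytes, little-endian): uint32 ExtentLength, uint32 LogicalBlockNumber,
// uint16 PartitionReferenceNumber, 6 bytes ImplementationUse.
struct LongAllocDesc {
  uint32_t extentLength;
  uint32_t logicalBlock;
  uint16_t partitionRef;   // index into the volume's partition-map vector
};

// Hypothetical partition map record; only the field a lookup would need.
struct PartitionMap {
  uint32_t partitionNumber;
};

static uint32_t Rd32(const uint8_t* p) {
  return uint32_t(p[0]) | (uint32_t(p[1]) << 8) |
         (uint32_t(p[2]) << 16) | (uint32_t(p[3]) << 24);
}

static uint16_t Rd16(const uint8_t* p) {
  return uint16_t(uint16_t(p[0]) | (uint16_t(p[1]) << 8));
}

// Parse a long_ad at offset off; false when the buffer cannot hold 16 bytes there.
bool ParseLongAD(const std::vector<uint8_t>& buf, size_t off, LongAllocDesc& out) {
  if (off > buf.size() || buf.size() - off < 16) return false;
  const uint8_t* p = buf.data() + off;
  out.extentLength = Rd32(p);
  out.logicalBlock = Rd32(p + 4);
  out.partitionRef = Rd16(p + 8);
  return true;
}

// The check the advisory says was missing: PartitionRef comes from file
// content, so it must be compared against the number of partition maps
// actually read from the volume before it is used as a vector index.
// A malformed descriptor yields nullptr instead of an out-of-bounds read.
const PartitionMap* ResolvePartition(const std::vector<PartitionMap>& maps,
                                     const LongAllocDesc& lad) {
  if (lad.partitionRef >= maps.size()) return nullptr;
  return &maps[lad.partitionRef];
}

// Constructed sample RootDirICB long_ad carrying the given partition reference.
std::vector<uint8_t> SampleRootDirICB(uint16_t partitionRef) {
  return {0x00, 0x08, 0x00, 0x00,                          // ExtentLength = 2048
          0x10, 0x00, 0x00, 0x00,                          // LogicalBlockNumber = 16
          uint8_t(partitionRef & 0xFF), uint8_t(partitionRef >> 8),
          0x00, 0x00, 0x00, 0x00, 0x00, 0x00};             // ImplementationUse
}

// End-to-end: parse the descriptor and resolve it against a volume holding
// numMaps partition maps. True only when it is well-formed and in range.
bool RootDirICBResolves(const std::vector<uint8_t>& buf, size_t numMaps) {
  LongAllocDesc lad;
  if (!ParseLongAD(buf, 0, lad)) return false;
  std::vector<PartitionMap> maps(numMaps);
  return ResolvePartition(maps, lad) != nullptr;
}
```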

Err, you don’t allow users with shell access to suid root, do you?

If you don’t, at least not running a vulnerable program as root may help dodge that bullet.

Or in topic maps terms, knowing the associations between applications and users may be a window on the severity of vulnerabilities.

Lest you think logging suid is an answer, remember they were logging Edward Snowden’s logins as well.

Suid logs may help for next time, but aren’t preventative in nature.

BTW, if you are interested in the details on buffer overflows, Smashing The Stack For Fun And Profit looks like a fun read.

Vulnerable 7-Zip As Poster Child For Open Source

May 13th, 2016

Anti-virus products, security devices affected by 7-Zip flaws by David Bisson.

From the post:


But users be warned. Cisco Talos recently discovered multiple vulnerabilities in 7-Zip that are more serious than regular security flaws. As explained in a blog post by Marcin Noga and Jaeson Schultz, two members of the Cisco Talos Security Intelligence & Research Group:

“These type of vulnerabilities are especially concerning since vendors may not be aware they are using the affected libraries. This can be of particular concern, for example, when it comes to security devices or antivirus products. 7-Zip is supported on all major platforms, and is one of the most popular archive utilities in-use today. Users may be surprised to discover just how many products and appliances are affected.”

Cisco Talos has identified two flaws in particular. The first (CVE-2016-2335) is an out-of-bounds read vulnerability that exists in the way 7-Zip handles Universal Disk Format (UDF) files. An attacker could potentially exploit this vulnerability to achieve arbitrary code execution.

The “many products and appliances” link results in:

[image: 7-zip-03]

If you use the suggested search string:

[image: 7-zip-02]

Every instance of software running a vulnerable 7-Zip library is subject to this hack, a number likely larger than the total of 2,490,000 shown by these two searches.

For open source software, you can check to see if it has been upgraded to 7-Zip version 16.0.

If you have non-open source software, how are you going to check for the upgrade?

Given the lack of liability under the usual EULA, are you really going to take a vendor’s word for the upgrade?

The vulnerable 7-Zip library is a great poster child for open source software.

Not only for the discovery of flaws but to verify vendors have properly patched those flaws.

For The Artistically Challenged (that includes me)

May 12th, 2016

via GIPHY

If you are looking for animated gifs for a blog post, presentation, etc., give GIPHY a try.

Now that I have found it, I’m likely to spend too much time looking for the perfect animated GIF.

Enjoy!

OKCupid data and Scientific Censorship

May 12th, 2016

Scientific consent, data, and doubling down on the internet by Oliver Keyes.

From the post:

There is an excellent Tim Minchin song called If You Open Your Mind Too Much, Your Brain Will Fall Out. I’m sad to report that the same is also true of your data and your science.

At this point in the story I’d like to introduce you to Emil Kirkegaard, a self-described “polymath” at the University of Aarhus who has neatly managed to tie every single way to be irresponsible and unethical in academic publishing into a single research project. This is going to be a bit long, so here’s a TL;DR: linguistics grad student with no identifiable background in sociology or social computing doxes 70,000 people so he can switch from publishing pseudoscientific racism to publishing pseudoscientific homophobia in the vanity journal that he runs.

Yeah, it’s just as bad as it sounds.

The Data

Yesterday morning I woke up to a Twitter friend pointing me to a release of OKCupid data, by Kirkegaard. Having now spent some time exploring the data, and reading both public statements on the work and the associated paper: this is without a doubt one of the most grossly unprofessional, unethical and reprehensible data releases I have ever seen.

There are two reasons for that. The first is very simple; Kirkegaard never asked anyone. He didn’t ask OKCupid, he didn’t ask the users covered by the dataset – he simply said ‘this is public so people should expect it’s going to be released’.

This is bunkum. A fundamental underpinning of ethical and principled research – which is not just an ideal but a requirement in many nations and in many fields – is informed consent. The people you are studying or using as a source should know that you are doing so and why you are doing so.

And the crucial element there is “informed”. They need to know precisely what is going on. It’s not enough to simply say ‘hey, I handed them a release buried in a pile of other paperwork and they signed it': they need to be explicitly and clearly informed.

Studying OKCupid data doesn’t allow me to go through that process. Sure: the users “put it on the internet” where everything tends to end up public (even when it shouldn’t). Sure: the users did so on a site where the terms of service explicitly note they can’t protect your information from browsing. But the fact of the matter is that I work in this field and I don’t read the ToS, and most people have a deeply naive view of how ‘safe’ online data is and how easy it is to backtrace seemingly-meaningless information to a real life identity.

In fact, gathering of the data began in 2014, meaning that a body of the population covered had no doubt withdrawn their information from the site – and thus had a pretty legitimate reason to believe that information was gone – when Kirkegaard published. Not only is there not informed consent, there’s good reason to believe there’s an implicit refusal of consent.

The actual data gathered is extensive. It covers gender identity, sexuality, race, geographic location; it covers BDSM interests, it covers drug usage and similar criminal activity, it covers religious beliefs and their intensity, social and political views. And it does this for seventy thousand different people. Hell, the only reason it doesn’t include profile photos, according to the paper, is that it’d take up too much hard-drive space.

Which nicely segues into the second reason this is a horrifying data dump: it is not anonymised in any way. There’s no aggregation, there’s no replacement-of-usernames-with-hashes, nothing: this is detailed demographic information in a context that we know can have dramatic repercussions for subjects.

This isn’t academic: it’s willful obtuseness from a place of privilege. Every day, marginalised groups are ostracised, excluded and persecuted. People made into the Other by their gender identity, sexuality, race, sexual interests, religion or politics. By individuals or by communities or even by nation states, vulnerable groups are just that: vulnerable.

This kind of data release pulls back the veil from those vulnerable people – it makes their outsider interests or traits clear and renders them easily identifiable to their friends and communities. It’s happened before. This sort of release is nothing more than a playbook and checklist for stalkers, harassers, rapists.

It’s the doxing of 70,000 people for a fucking paper.

I offer no defense for Emil Kirkegaard’s paper, its methods or conclusions.

I have more sympathy for Oliver’s concerns over consent and anonymised data than, say, the International Consortium of Investigative Journalists (ICIJ) and their concealment of the details from the Panama Papers, but only just.

It is in the very nature of data “leaks” that no consent is asked of or given by those exposed by the “leak.”

Moreover, anonymised data sounds suspiciously like ICIJ saying they can protect the privacy of the “innocents” in the Panama Papers leak.

I don’t know, hiding from the tax man doesn’t raise a presumption of innocence to me. You?

Someone has to decide who are “innocents,” or who merits protection of anonymised data. To claim either one, means you have someone in mind to fill that august role.

In our gender-skewed academic systems, would that be your more than likely male department head?

My caveat to Oliver’s post is even with good intentions, the power to censor data releases is a very dangerous one. One that reinforces the power of those who possess it.

The less dangerous strategy is to teach users that if information is recorded, it is leaked. Perhaps not today, maybe not tomorrow, but certainly by the day after that.

Choose what information you record carefully.

107,000 Anal Fisting Aficionados But No Senate Torture Report

May 12th, 2016

Huge embarrassment over fisting site data breach by John Leyden.

From the post:

A data breach at a forum for “anal fisting” has resulted in the exposure of 107,000 accounts.

Of course, ‘;–have i been pwned? plays the “I know something you don’t” game, loads the data but blocks searching.

I didn’t look hard for the data dump but for details sufficient to replicate this hack, see:

Another Day, Another Hack: Is Your Fisting Site Updating Its Forum Software? by Joseph Cox.

Quick search shows there are about 15K reports (including duplicates) on exposure of these 107,000 anal fisting aficionados.

It’s mildly amusing to think of the reactions of elected officials, military officers, etc., caught up in such a data breach (sorry), but where is the full U.S. Senate Torture Report?

If you are going to risk jail time for hacking, shouldn’t it be for something more lasting than a list of anal fisters?

Is there a forum for nominating and voting on (anonymously) targets for hacking?

PS: Leaking data to ‘;–have i been pwned?, the International Consortium of Investigative Journalists or Wikileaks, etc., only empowers new exercises of privilege. Leak to them if you like but leak to the public as well.

MOOGI – The Film Discovery Engine

May 11th, 2016

MOOGI – The Film Discovery Engine

Not the most recent movie I have seen but under genre I entered:

movies about B.C.

Thinking that it would return (rather quickly):

One Million Years B.C. (1966)

Possibly just load on this alpha site, but after a couple of minutes I gave up and reloaded the homepage.

Using “keyword,” just typing “B.C.” brought up a pick list where One Million Years B.C. (1966) was eighth in the list. Without any visible delay.

The keyword categories are interesting and many.

Learned a new word, canuxploitation! There is an entire site devoted to Canadian B-movies, i.e., Canuxploitation! – Your Complete Guide to Canadian B-Film.

You will recognize most of the other keywords.

If not, check the New York Times or the Washington Post and include the term plus “member of congress.” You will get several stories that will flesh out the meaning of “erotic,” “female nudity,” “drugs,” “prostitution,” “monster,” “hotel,” “adultery” and the like.

If search isn’t your strong point, try the “explore” option. You can search for movies “similar to” some named movie.

Just for grins, I typed in:

The Dirty Dozen. When I saw it during its first release, it had been given a “condemned” rating by the Catholic movie rating service. Had no redeeming qualities at all. No one should see it.

I miss those lists because they were great guides to what movies to go see! ;-)

One of five (5) results was The Dirty Dozen: The Deadly Mission (1987).

When I chose that movie, the system failed, so I closed the window and tried again. Responses that were quick earlier are now taking a good bit of time; I suspect load or alpha quality. (I will revisit fairly soon and update this report.)

In terms of aesthetics, they really should lose the hand in the background moving around with a remote control. Adds nothing to the experience other than annoyance.

The site is powered by Mindmaps. Which means you are going to find Apache TinkerPop under the hood.

Enjoy!

Moderate Rebels ™

May 11th, 2016

By the U.S. Dept. of Fear.

[image: sailingtois]

FYI, why sailing from Australia to join ISIS is a bad idea:

[image: syria-google]

I keep expecting either governments or terrorists to up their game but so far, no joy.

Is that intentional?

With an unknown number of terrorists about, governments can justify their terrorism budgets. Ineffectual and counter-productive government strategies to fight terrorism write terrorist recruitment literature for them.

Could it be that governments need terrorists and terrorists need governments?

Hunting Bugs In Porn Site (or How to Explain Your Browsing History)

May 11th, 2016

Pornhub Launches Bug Bounty Program; Offering Reward up to $25,000 by Swati Khandelwal.

From the post:


The world’s most popular pornography site PornHub has launched a bug bounty program for security researchers and bug hunters who can find and report security vulnerabilities in its website.

Partnered with HackerOne, PornHub is offering to pay independent security researchers and bug hunters between $50 and $25,000, depending upon the impact of vulnerabilities they find. (emphasis in the original)

As always, there are some exclusions:


Vulnerabilities such as cross-site request forgery (CSRF), information disclosure, cross domain leakage, XSS attacks via Post requests, HTTPS related (such as HSTS), HttpOnly and Secure cookie flags, missing SPF records and session timeout will not be considered for the bounty program.

I take “information disclosure” to mean that if your hack involves NSA credentials it doesn’t count. Well, you can’t make it too easy.

The program is in beta so see Swati’s post for further details.

This PornHub program benefits people asked awkward questions about their browsing history.

Yes, you were looking at PornHub or related sites. You were doing “security research.”

Being in HR or accounting may make that claim less credible. ;-)