Don’t Blame NSA For Ransomware Attack!

May 17th, 2017

Stop Blaming NSA For The Ransomware Attack by Patrick Tucker.

Most days I think the NSA should be blamed for everything from global warming to biscuits that fail to rise.

But for leaked cyber weapons? No blame whatsoever.

Why? The answer lies in the NSA processing of vulnerabilities.

From the post:


“You’ve heard my deputy director say that in excess of 80-something percent of the vulnerabilities are actually disclosed—responsibly disclosed —to the vendors so that they can then actually patch and remediate for that,” Curtis Dukes, NSA’s former deputy national manager for national security systems, said at an American Enterprise Institute event in October. “So I do believe it’s a thoughtful process that we have here in the U.S.”

Dukes said the impetus to conceal an exploit vanishes when it is used by a criminal gang, adversarial nation, or some other malefactor.

We may choose to restrict a vulnerability for offensive purposes, like breaking into an adversary’s network, he said. But that doesn’t mean we’re not also constantly looking for signs whether another nation-state or criminal network has actually found that same vulnerability and now are using it. As soon as we see any indications of that, then that decision immediately flips, and we move to disseminate and remediate.

You may think that is a “thoughtful process” but that’s not why I suggest the NSA should be held blameless.

Look at the numbers on vulnerabilities:

80% disclosed by the NSA for remediation.

20% concealed by the NSA.

Complete NSA disclosure means the 20% now concealed vanishes for everyone.

That damages everyone seeking government transparency.

Don’t wave your arms in the air crying “ransomware! ransomware! Help me! Help me!” or “Blame the NSA! Blame the NSA.”

Use FOIA requests, leaks and cyber vulnerabilities to peel governments of their secrecy, like lettuce, one leaf at a time.

Correction to Financial Times on EsteemAudit

May 16th, 2017

Hackers prime second classified US cyber weapon by Sam Jones and Max Seddon.

From the post:

Criminal hacking groups have repurposed a second classified cyber weapon stolen from US spies and have made it available on the so-called dark web after the success of the WannaCry attack that swept across the globe on Friday.

The hacking tool, developed by the US National Security Agency and called EsteemAudit, has been adapted and is now available for criminal use, according to security analysts.

Correction:

“…is now available for criminal use…” should read:

“…is now available for widespread criminal use….”

NSA cyber weapons have always been in use by criminals. The debate now is over more criminals using the same weapons.

If those weapons are used against the NSA and its co-conspirators, I don’t see a problem.

DeepSketch2Face

May 16th, 2017

DeepSketch2Face: A Deep Learning Based Sketching System for 3D Face and Caricature Modeling by Xiaoguang Han, Chang Gao, and Yizhou Yu.

Abstract:

Face modeling has been paid much attention in the field of visual computing. There exist many scenarios, including cartoon characters, avatars for social media, 3D face caricatures as well as face-related art and design, where low-cost interactive face modeling is a popular approach especially among amateur users. In this paper, we propose a deep learning based sketching system for 3D face and caricature modeling. This system has a labor-efficient sketching interface, that allows the user to draw freehand imprecise yet expressive 2D lines representing the contours of facial features. A novel CNN based deep regression network is designed for inferring 3D face models from 2D sketches. Our network fuses both CNN and shape based features of the input sketch, and has two independent branches of fully connected layers generating independent subsets of coefficients for a bilinear face representation. Our system also supports gesture based interactions for users to further manipulate initial face models. Both user studies and numerical results indicate that our sketching system can help users create face models quickly and effectively. A significantly expanded face database with diverse identities, expressions and levels of exaggeration is constructed to promote further research and evaluation of face modeling techniques.

Deep learning assisted drawing, here with faces or drawing more generally, is rife with possibilities for humor.

Realistic caricature/avatars are nearly within the reach of even art-challenged users.

Marketing Advice For Shadow Brokers

May 16th, 2017

Shadow Brokers:

I read your post OH LORDY! Comey Wanna Cry Edition outlining your plans for:

In June, TheShadowBrokers is announcing “TheShadowBrokers Data Dump of the Month” service. TheShadowBrokers is launching new monthly subscription model. Is being like wine of month club. Each month peoples can be paying membership fee, then getting members only data dump each month. What members doing with data after is up to members.

TheShadowBrokers Monthly Data Dump could be being:

  • web browser, router, handset exploits and tools
  • select items from newer Ops Disks, including newer exploits for Windows 10
  • compromised network data from more SWIFT providers and Central banks
  • compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs

More details in June.

OR IF RESPONSIBLE PARTY IS BUYING ALL LOST DATA BEFORE IT IS BEING SOLD TO THEPEOPLES THEN THESHADOWBROKERS WILL HAVE NO MORE FINANCIAL INCENTIVES TO BE TAKING CONTINUED RISKS OF OPERATIONS AND WILL GO DARK PERMANENTLY YOU HAVING OUR PUBLIC BITCOIN ADDRESS
… (emphasis in original)

I don’t know your background in subscription marketing but I don’t see Shadow Brokers as meeting the criteria for a successful subscription business. 9 Keys to Building a Successful Subscription Business.

Unless you want to get into a vulnerability as commodity business, with its attendant needs for a large subscriber base, advertising, tech support, etc., with every service layer adding more exposure, I just don’t see it. The risk of exposure is too great and the investment before profit too large.

I don’t feel much better about a bulk purchase from a major government or spy agency. The likely buyers already have the same or similar data so don’t have an acquisition motive.

Moreover, likely buyers don’t trust the Shadow Brokers. As a one-time seller, Shadow Brokers could collect for the “lost data” and then release it for free in the wild.

You say that isn’t the plan of Shadow Brokers, but likely buyers are untrustworthy and expect the worst of others.

If I’m right and traditional subscription and/or direct sales models aren’t likely to work, that doesn’t mean that a sale of the “lost data” is impossible.

Consider the WikiLeaks strategy with the Podesta emails.

The Podesta emails were replete with office chatter, backbiting remarks, and other trivia.

Despite the lack of intrinsic value, their importance was magnified by the release of small chunks of text, each of which might include something important.

With each release, mainstream media outlets such as the New York Times, the Washington Post, and others went into a frenzy of coverage.

That was non-technical data so a similar strategy with “lost data” will require supplemental, explanatory materials for the press.

Dumping one or two tasty morsels every Friday, for example, will extend media coverage, not to mention building public outrage that could, no guarantees, force one or more governments to pony up for the “lost data.”

Hard to say unless you try.

PS: For anyone who thinks this post runs afoul of “aiding hackers” prohibitions, you have failed to consider the most likely alternate identity of Shadow Brokers, that of the NSA itself.

Ask yourself:

Who wants real time surveillance of all networks? (NSA)

What will drive acceptance of real time surveillance of all networks? (Hint, ongoing and widespread data breaches.)

Who wants to drive adoption of Windows 10? (Assuming NSA agents wrote backdoors into the 50 to 60 million lines of code in Windows 10.)

Would a government that routinely assassinates people and overthrows other governments hesitate to put ringers to work at Microsoft? Or other companies?

Is suborning software verboten? (Your naiveté is shocking.)

Network analysis of Game of Thrones family ties [A Timeless Network?]

May 15th, 2017

Network analysis of Game of Thrones family ties by Shirin Glander.

From the post:

In this post, I am exploring network analysis techniques in a family network of major characters from Game of Thrones.

Not surprisingly, we learn that House Stark (specifically Ned and Sansa) and House Lannister (especially Tyrion) are the most important family connections in Game of Thrones; they also connect many of the storylines and are central parts of the narrative.

The basis for this network is Kaggle’s Game of Thrones dataset (character-deaths.csv). Because most family relationships were missing in that dataset, I added the missing information in part by hand (based on A Wiki of Ice and Fire) and by scraping information from the Game of Thrones wiki. You can find the full code for how I generated the network on my Github page.

Glander improves network data for the Game of Thrones and walks you through the use of R to analyze that network.

It’s useful work and will repay close study.

Network analysis can be used with all social groups: activists, bankers, hackers, members of Congress (U.S.), terrorists, etc.

But just as Ned Stark has no relationship with dire wolves when the story begins, networks of social groups develop, change, evolve if you will, over time.

Moreover, events and interactions involving one or more members of the network occur in time sequence. A social network that fails to capture those events and their sequencing, from one or more points of view, is a highly constrained network.

The network is useful, as Glander demonstrates, but it cannot answer simple questions about the order in which characters gained knowledge that a particular character hurled another character from a very high window.

If I were investigating say a leak of NSA cybertools, time sequencing like that would be one of my top priorities.
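To make the sequencing point concrete, here is an added example (my own code, not Glander’s and not from her post) that contrasts the static family network with a network whose interactions carry timestamps. The character names, the interaction times and the “Witness” seed are constructed sample data; the routine itself is ordinary earliest-arrival propagation over time-respecting paths, which is the same question an investigator asks about a leak: who could have known, from whom, and in what order.

```python
"""Time-respecting reachability over a temporal interaction network.

Added example, not code from Glander's post.  Shows the difference between the
static (aggregated) network and a network whose edges carry timestamps: only
the latter can answer "who could have learned X, from whom, in what order?".
Character names and interactions below are constructed sample data.
"""
from collections import deque
from typing import Dict, Iterable, List, Optional, Set, Tuple

# (time, character_a, character_b): an undirected interaction at a given time
# step during which knowledge could pass either way.  Constructed sample data.
Event = Tuple[int, str, str]

INTERACTIONS: List[Event] = [
    (0, "Ned", "Sansa"),     # talk before the event: nothing to pass on yet
    (0, "Ned", "Jon"),       # Jon leaves early and never meets anyone again
    (2, "Witness", "Ned"),   # the witness tells Ned
    (3, "Tyrion", "Sansa"),  # Tyrion does not know yet, so nothing passes
    (4, "Ned", "Tyrion"),    # Ned tells Tyrion
    (5, "Sansa", "Ned"),     # Ned tells Sansa
]


def earliest_knowledge(
    events: Iterable[Event], seeds: Dict[str, int]
) -> Tuple[Dict[str, int], Dict[str, str]]:
    """Earliest-arrival propagation along time-respecting paths.

    `seeds` maps the characters who know the fact to the time they learned it.
    An interaction at time t transmits the fact only if one participant learned
    it strictly before t.  Returns (earliest time each character knew it,
    who each character learned it from).
    """
    earliest: Dict[str, int] = dict(seeds)
    learned_from: Dict[str, str] = {}
    # Processing events in time order is what makes the walk time-respecting.
    for t, a, b in sorted(events, key=lambda e: e[0]):
        for src, dst in ((a, b), (b, a)):
            if src in earliest and earliest[src] < t:
                if dst not in earliest or t < earliest[dst]:
                    earliest[dst] = t
                    learned_from[dst] = src
    return earliest, learned_from


def knowledge_order(
    events: Iterable[Event], seeds: Dict[str, int]
) -> List[Tuple[str, int, Optional[str]]]:
    """The question the static network cannot answer: who knew, when, via whom."""
    earliest, learned_from = earliest_knowledge(events, seeds)
    return sorted(
        ((name, t, learned_from.get(name)) for name, t in earliest.items()),
        key=lambda row: (row[1], row[0]),
    )


def static_reachable(events: Iterable[Event], start: str) -> Set[str]:
    """Reachability on the aggregated graph with the timestamps thrown away."""
    adjacency: Dict[str, Set[str]] = {}
    for _, a, b in events:
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


if __name__ == "__main__":
    seeds = {"Witness": 1}  # the witness saw the event at time 1
    # The static view says everyone, including Jon, is "connected" to the witness.
    print("static reachability:", sorted(static_reachable(INTERACTIONS, "Witness")))
    # The temporal view says Jon never learned, and Sansa learned from Ned, not Tyrion.
    for name, t, src in knowledge_order(INTERACTIONS, seeds):
        print(f"t={t}: {name} learned it" + (f" from {src}" if src else " first-hand"))
```

Note that Sansa and Tyrion are adjacent in the static graph, yet in the time-respecting walk Sansa learns from Ned, because her only conversation with Tyrion happened before Tyrion knew.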

Thoughts?

The Hitchhiker’s Guide to d3.js [+ a question]

May 14th, 2017

The Hitchhiker’s Guide to d3.js by Ian Johnson.

From the post:

[graphic omitted: see post]

The landscape for learning d3 is rich, vast and sometimes perilous. You may be intimidated by the long list of functions in d3’s API documentation or paralyzed by choice reviewing the dozens of tutorials on the home page. There are over 20,000+ d3 examples you could learn from, but you never know how approachable any given one will be.

[graphic omitted: see post]

If all you need is a quick bar or line chart, maybe this article isn’t for you, there are plenty of charting libraries out there for that. If you’re into books, check out Interactive Data Visualization for the Web by Scott Murray as a great place to start. D3.js in Action by Elijah Meeks is a comprehensive way to go much deeper into some regions of the API.

This guide is meant to prepare you mentally as well as give you some fruitful directions to pursue. There is a lot to learn besides the d3.js API, both technical knowledge around web standards like HTML, SVG, CSS and JavaScript as well as communication concepts and data visualization principles. Chances are you know something about some of those things, so this guide will attempt to give you good starting points for the things you want to learn more about.

Depending on your needs and learning style, The Hitchhiker’s Guide to d3.js (Guide), may be just what you need.

The Guide focuses on how to use d3.js and not on: What visualization should I create?

Suggestions on what should be considered when moving from raw data to a visualization? Resources?

Thanks!

WCry/WanaCry Analysis – Reading For Monday, May 15, 2017.

May 14th, 2017

The chief of Europol warns that the WCry/WanaCry crisis will grow on Monday, May 15, 2017. That exhausted Europol’s reservoir of useful comments on this “crisis.”

“Crisis” in scare quotes because only unpatched but supported Windows systems and no-longer-supported Windows systems are vulnerable to WCry/WanaCry.

Exception for non-supported systems: Microsoft issued a patch for Windows XP, unfortunately, to protect against WCry/WanaCry.

Translation: If you are running Windows XP without the WCry/WanaCry patch, you can still be a victim.

For the more technically minded, Amanda Rousseau writes in: WCry/WanaCry Ransomware Technical Analysis:

As we discussed when this outbreak began, the WCry or WanaCrypt0r ransomware spread quickly across Europe and Asia, impacting almost 100 countries and disrupting or closing 45 hospitals in the UK. As the ransomware continued to propagate, I got my hands on a sample and quickly began analyzing the malware. This post will walk through my findings and provide a technical overview of the strain of WCry ransomware which caused the massive impact on Friday. Many have done great work analyzing this malware in action and helping contain its spread, and I hope my comprehensive static analysis will provide a good overall picture of this particular ransomware variant on top of that.

I assume you are:

  1. not running Windows,
  2. running supported and patched Windows, or
  3. running patched Windows XP (please don’t tell anyone).

If any of those are true, then Rousseau’s post makes great reading material for Monday, May 15, 2017.

If you are exposed, you should take steps to end your exposure now. Rousseau’s post can wait until you are safe.

Bigoted Use of Stingray Technology vs. Other Ills

May 13th, 2017

Racial Disparities in Police ‘Stingray’ Surveillance, Mapped by George Joseph.

From the post:

Louise Goldsberry, a Florida nurse, was washing dishes when she looked outside her window and saw a man pointing a gun at her face. Goldsberry screamed, dropped to the floor, and crawled to her bedroom to get her revolver. A standoff ensued with the gunman—who turned out to be an agent with the U.S. Marshals’ fugitive division.

Goldsberry, who had no connection to a suspect that police were looking for, eventually surrendered and was later released. Police claimed that they raided her apartment because they had a “tip” about the apartment complex. But, according to Slate, the reason the “tip” was so broad was because the police had obtained only the approximate location of the suspect’s phone—using a “Stingray” phone tracker, a little-understood surveillance device that has quietly spread from the world of national security into that of domestic law enforcement.

Goldsberry’s story illustrates a potential harm of Stingrays not often considered: increased police contact for people who get caught in the wide dragnets of these interceptions. To get a sense of the scope of this surveillance, CityLab mapped police data from three major cities across the U.S., and found that this burden is not shared equally.

How not equally?

Baltimore, Maryland.

The map at Joseph’s post is interactive, along with maps for Tallahassee, Florida and Milwaukee, Minnesota.

I oppose government surveillance overall but am curious, is Stingray usage a concern of technology/privacy advocates or is there a broader base for opposing it?

Consider the following facts gathered by Bill Quigley:

Were you shocked at the disruption in Baltimore? What is more shocking is daily life in Baltimore, a city of 622,000 which is 63 percent African American. Here are ten numbers that tell some of the story.

One. Blacks in Baltimore are more than 5.6 times more likely to be arrested for possession of marijuana than whites even though marijuana use among the races is similar. In fact, Baltimore county has the fifth highest arrest rate for marijuana possessions in the USA.

Two. Over $5.7 million has been paid out by Baltimore since 2011 in over 100 police brutality lawsuits. Victims of severe police brutality were mostly people of color and included a pregnant woman, a 65 year old church deacon, children, and an 87 year old grandmother.

Three. White babies born in Baltimore have six more years of life expectancy than African American babies in the city.

Four. African Americans in Baltimore are eight times more likely to die from complications of HIV/AIDS than whites and twice as likely to die from diabetes related causes as whites.

Five. Unemployment is 8.4 percent city wide. Most estimates place the unemployment in the African American community at double that of the white community. The national rate of unemployment for whites is 4.7 percent, for blacks it is 10.1.

Six. African American babies in Baltimore are nine times more likely to die before age one than white infants in the city.

Seven. There is a twenty year difference in life expectancy between those who live in the most affluent neighborhood in Baltimore versus those who live six miles away in the most impoverished.

Eight. 148,000 people, or 23.8 percent of the people in Baltimore, live below the official poverty level.

Nine. 56.4 percent of Baltimore students graduate from high school. The national rate is about 80 percent.

Ten. 92 percent of marijuana possession arrests in Baltimore were of African Americans, one of the highest racial disparities in the USA.

(The “Shocking” Statistics of Racial Disparity in Baltimore)

Which of those facts would you change before tackling the problem of racially motivated use of Stingray technology?

I see several that I would rate much higher than the vagaries of Stingray surveillance.

You?

Effective versus Democratic Action

May 13th, 2017

OpenMedia is hosting an online petition: Save our Security — Strong Encryption Keeps Us Safe to:

Leaked docs reveal the UK Home Office’s secret plan to gain real-time access to our text messages and online communications AND force companies like WhatsApp to break the security on its own software.1 This reckless plan will make all of us more vulnerable to attacks like the recent ransomware assault against the NHS.2

If enough people speak out right now and flood the consultation before May 19, then Home Secretary Amber Rudd will realise she’s gone too far.

Tell Home Secretary Amber Rudd: Encryption keeps us safe. Do not weaken everyone’s security by creating backdoors that hackers and malicious actors can exploit.
… (emphasis in original, footnotes omitted)

+1! on securing your privacy, but -1! on democratic action.

Assume the consultation is “flooded” and Home Secretary Amber Rudd says:

Hearing the outcry of our citizens, we repent of our plan for near real time monitoring of your conversations….

I’m sorry, why would you trust Home Secretary Amber Rudd or any other member of government, when they make such a statement?

They hide the plans for monitoring your communications in near real time, as OpenMedia makes abundantly clear.

What convinces you Home Secretary Rudd and her familiars won’t hide government monitoring of your communications?

A record of trustworthy behavior in the past?

You can flood the consultation if you like but effective actions include:

  • Anyone with access to government information should leak that information whenever possible.
  • Anyone employed by government should use weak passwords, follow links in suspected phishing emails and otherwise practice bad cybersecurity.
  • If you don’t work for a government or have access to government information, copy, repost, forward, and otherwise spread any leaked government information you encounter.
  • If you have technical skills, devote some portion of your work week to obtaining information a government prefers to keep secret.

The only trustworthy government is a transparent government.

WanaCrypt0r: The Wages Of False Economy

May 12th, 2017

Malware that attacks unsupported or unpatched Microsoft software started making the rounds today.

Just some of the coverage:

Malware Stolen From The NSA Cripples Computers In 74 Countries (And Counting)

Massive ransomware cyber-attack hits computers in 74 countries

Cyber-attack hits 74 countries with UK hospitals among targets – live updates

Cyberattack Hits Dozen Nations ‘Using Leaked NSA Hacking Tool’

Massive ransomware attack hits 99 countries

Criminals used leaked NSA cyberweapon in crippling ransomware attack, experts say

Global cyberattack disrupts shipper FedEx, UK health system

Hackers use leaked NSA bug in massive global cyber attack

Wanna Decrypter 2.0 ransomware attack: what you need to know

Wana Decrypt0r Ransomware Using NSA Exploit Leaked by Shadow Brokers Is on a Rampage

You will see phrases like “weapons grade malware,” “NSA exploit,” “NSA cyberweapon,” etc., and many others over the coming days.

It will be mentioned, but few consequences will be seen for managers who practiced false economy by not upgrading their Microsoft systems in a timely fashion.

It is equally unlikely that sysadmins will suffer for their failure to patch currently supported Microsoft systems in a timely manner.

Given those two likely outcomes, the next “massive global cyber attack” is a question of when, not if. Managers will continue to practice false economies and sysadmins won’t follow good patching practices.

My suggestions:

  1. Upgrade to supported Microsoft software.
  2. Implement and audit patch application.
  3. Buy Microsoft stock.

The first two will help keep you safe and the third one will enable you to profit from the periodic panics among unsupported Microsoft software users.

The Cartoon Bank

May 12th, 2017

The Cartoon Bank by the Condé Nast Collection.

While searching for a cartoon depicting Sean Spicer at a White House news briefing, I encountered The Cartoon Bank.

A great source of instantly recognized cartoons but I’m still searching for one I remember from decades ago. 😉

Executive Order on Cybersecurity [“No Snide Remark Seems Adequate”]

May 11th, 2017

Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

You do remember this Dilbert cartoon from May 23, 1989?

Local News: Willing Buyers/Willing Sellers

May 11th, 2017

The reference to We Interrupt This Newscast, and the quote being from @cjr, was enough to get me to read: Oy, the TRAFFIC. And it’s POURING! Do I hear SIRENS? by Simon Van Zuylen-Wood.

First things first, We Interrupt This Newscast: How to Improve Local News and Win Ratings, Too, mentioned without linking by Zuylen-Wood, can be found at: http://www.worldcat.org/oclc/939668347 (link is to WorldCat which will display copies held at libraries close to you).

Second, Zuylen-Wood’s definition of the “problem” of local TV news:


Local TV news has a problem. Broadcasts are dominated by sensationalistic crime stories, weather reports, and human-interest puff pieces. The format—two plasticky news anchors reading from teleprompters—has not meaningfully changed in 40 years. The end product tends to be irrelevant journalism packaged in an increasingly irrelevant way. The problem isn’t that the product is partisan or under-resourced or “fake.” The problem is that it’s lame.

isn’t shared by local TV news directors:


“You’d be hard-pressed to find a news director who isn’t saying we need to be [innovating],” Bob Papper says. And yet, none of them really is. “The biggest hindrance to innovation,” he continues, “is the success of TV news. The fact is, it’s doing well, and if anything it may be doing better and better. That’s not an impetus to change.”

Zuylen-Wood’s definition is not shared by local TV news viewers, who lap up stories of random, non-repeatable events. Generally speaking, people are murdered only once, photogenic teenagers die in automobile accidents only once, tree limbs turn toddlers into lifelong medical cases only occasionally, although TV news does milk those stories for weeks, months, even years.

Zuylen-Wood is right, local TV news is “lame,” but it’s a product tailored to the taste of willing customers.

If “willing customers” are buying “irrelevant journalism” (Zuylen-Wood’s term), I don’t see the obligation of the media to create products, one assumes “relevant journalism,” for which there is no market.

If you do, is it because you are a better judge of what the public should be reading, viewing, discussing?

Careful.

Beginning with Plato, if not earlier, prescribing better, more appropriate content for others, censorship, has an unhappy history.

Tools and Resources to Help Facts Keep Pace with Fake News (June 30, 2017 Deadline)

May 10th, 2017

Tools and Resources to Help Facts Keep Pace with Fake News by Oren Levine.

From the post:

When fake news moves fast, you need the right tools and resources to help the truth keep pace.

To inspire you to enter TruthBuzz: The viral fact-checking contest, we have collected some useful tools, along with resources that shed light on fake and misleading news and information, and how it spreads online.

During our recent TruthBuzz webinar, my fellow contest judges, Aimee Rinehart, Shaheryar Popalzai and I shared several resources and tools that could be useful in helping you craft your TruthBuzz entry. We’ve also rounded those up here:

Enabling people to decide for themselves what is or is not “fake news” gets my full support.

Filtering or suppressing “fake news” requires others to determine fake/not fake and is censorship whatever other label you want to use.

The resources listed can be helpful, and the contest, TruthBuzz: The viral fact-checking contest, does have $10K, $5K and $2.5K prizes.

Cloudera Introduces Topic Maps Extra-Lite

May 10th, 2017

New in Cloudera Enterprise 5.11: Hue Data Search and Tagging by Romain Rigaux.

From the post:

Have you ever struggled to remember table names related to your project? Does it take much too long to find those columns or views? Hue now lets you easily search for any table, view, or column across all databases in the cluster. With the ability to search across tens of thousands of tables, you’re able to quickly find the tables that are relevant for your needs for faster data discovery.

In addition, you can also now tag objects with names to better categorize them and group them to different projects. These tags are searchable, expediting the exploration process through easier, more intuitive discovery.

Through an integration with Cloudera Navigator, existing tags and indexed objects show up automatically in Hue, any additional tags you add appear back in Cloudera Navigator, and the familiar Cloudera Navigator search syntax is supported.
… (emphasis in original)

Seventeen (17) years ago, ISO/IEC 13250:2000 offered users the ability to have additional names for tables, columns and/or any other subject of interest.

Additional names that could have scope (think range of application, such as a language), that could exist in relationships to their creators/users, exposing as much or as little information to a particular user as desired.

For commonplace needs, perhaps tagging objects with names, displayed as a simple string, is sufficient.

But if viewed from a topic maps perspective, that string display to one user could in fact represent that string, along with who created it, what names it is used with, who uses similar names, just to name a few of the possibilities.

All of which makes me think topic maps should ask users:

  • What subjects do you need to talk about?
  • How do you want to identify those subjects?
  • What do you want to say about those subjects?
  • Do you need to talk about associations/relationships?

It could be that for day-to-day users, a string tag/name is sufficient. That doesn’t mean that greater semantics don’t lurk just below the surface. Perhaps even on demand.

Laptops Banned To Drive Alcohol Consumption

May 10th, 2017

Clive Irving writes in U.S. to Ban Laptops in All Cabins of Flights From Europe:


The Department of Homeland Security will ban laptops in the cabins of all flights from Europe to the United States, European security officials told The Daily Beast. The announcement is expected Thursday.

Irving does a good job of illustrating the increased risk from the laptop ban, but misses the real motivation behind the ban. Yes, yes, DHS says it:

…continues to evaluate the threat environment and will make changes when necessary to keep air travelers safe.

“Threat environment” my ass!

Remember the UK has been reduced to claiming people with knives are terrorists.

Armed police carrying out a counterterrorism operation Thursday swooped in on a man they said was carrying knives in a bag near Britain’s Parliament and arrested him on suspicion of planning terrorist acts.

A European security official familiar with the individual said the suspect was known to British security agencies and was thought to have been inspired by the Islamic State group.

The official, who spoke on condition of anonymity to discuss sensitive intelligence matters, said the discovery of knives suggested an attack might have been close to fruition. Authorities haven’t released the man’s name.

London’s Metropolitan Police said the 27-year-old suspect was stopped and detained “as part of an ongoing operation” by the force’s counterterrorism unit.

“…swooped in on a man they said was carrying knives in a bag…”

That sounds more like a Saturday Night Live skit than a terrorist attack or potential one.

Shake the Department of Homeland Security (DHS) tree really hard, via leakers or FOIA requests, and I’m betting the following will fall out:

Alcoholic Drink Consumption On Europe to US Flights

  • Underage and kill-joys: 0
  • Parent with one child: 3
  • Parent with two children: 5
  • Business flyer with no laptop: 1 per hour of flight time

Once this data began to circulate among airline companies, the fate of laptops was sealed.

Increased alcohol sales are the primary goal of the laptop ban.

PS: If you think I am being cavalier about the risk from terrorism, consider that 963 people were killed by police officers in 2016. Versus 54 people in “terrorist” attacks, all by US citizens.

Did You Miss The Macron Leak? @ErrataBob To The Rescue!

May 10th, 2017

If you missed the Macron leak, or other leaks deleted before you could copy them, don’t despair!

Robert Graham, @ErrataBob, rides to the rescue with: Hacker dumps, magnet links, and you.

From the post:


Along with downloading files, BitTorrent software on your computer also participates in a “distributed hash” network. When using a torrent file to download, your BitTorrent software still tells other random BitTorrent clients about the hash. Knowledge of this hash thus spreads throughout the BitTorrent world. It’s only 16 bytes in size, so the average BitTorrent client can keep track of millions of such hashes while consuming very little memory or bandwidth.

If somebody decides they want to download the BitTorrent with that hash, they broadcast that request throughout this “distributed hash” network until they find one or more people with the full torrent. They then get the torrent description file from them, and also a list of peers in the “swarm” who are downloading the file.

Thus, when the original torrent description file, the tracker, and original copy goes away, you can still locate the swarm of downloaders through this hash. As long as all the individual pieces exist in the swarm, you can still successfully download the original file.

Graham provides the magnet link for “langannerch.rar” and as of this AM, I can attest the link is working as described.

Consider a “distributed hash” network as a public service. Even if you aren’t especially interested in a leak, like Macron’s, consider grabbing a copy to assist others who are.

Patched != Applied / Patches As Vulnerability Patterns

May 9th, 2017

Microsoft’s Microsoft Security Advisory 4022344 in response to MsMpEng: Remotely Exploitable Type Confusion in Windows 8, 8.1, 10, Windows Server, SCEP, Microsoft Security Essentials, and more by taviso@google.com, was so timely as to deprive the “responsible disclosure” crowd of a chance to bitch about the notice given to Microsoft.

Two aspects of this vulnerability merit your attention.

Patched != Applied

Under Suggested Actions, the Microsoft bulletin reads:

  • Verify that the update is installed

    Customers should verify that the latest version of the Microsoft Malware Protection Engine and definition updates are being actively downloaded and installed for their Microsoft antimalware products.

    For more information on how to verify the version number for the Microsoft Malware Protection Engine that your software is currently using, see the section, “Verifying Update Installation”, in Microsoft Knowledge Base Article 2510781.

    For affected software, verify that the Microsoft Malware Protection Engine version is 1.1.13704.0 or later.

  • If necessary, install the update

    Administrators of enterprise antimalware deployments should ensure that their update management software is configured to automatically approve and distribute engine updates and new malware definitions. Enterprise administrators should also verify that the latest version of the Microsoft Malware Protection Engine and definition updates are being actively downloaded, approved and deployed in their environment.

    For end-users, the affected software provides built-in mechanisms for the automatic detection and deployment of this update. For these customers, the update will be applied within 48 hours of its availability. The exact time frame depends on the software used, Internet connection, and infrastructure configuration. End users that do not wish to wait can manually update their antimalware software.

    For more information on how to manually update the Microsoft Malware Protection Engine and malware definitions, refer to Microsoft Knowledge Base Article 2510781.

Microsoft knows its customers far better than I do, and that guidance suggests unpatched systems can be discovered in the wild. No doubt in diminishing numbers, but you won’t know unless you check.
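To act on the “verify the version” step above across more than one machine, here is an added example (not from the Microsoft advisory) that checks reported engine versions against the 1.1.13704.0 minimum. The host inventory is constructed; on a real fleet the version strings would be collected from each host (the AMEngineVersion field of Get-MpComputerStatus in PowerShell is one source). The point it makes: compare versions numerically, because a plain string comparison gets this wrong.

```python
"""Check Microsoft Malware Protection Engine versions against a minimum.

Added example, not from Microsoft Security Advisory 4022344: the advisory
asks you to verify the engine is 1.1.13704.0 or later; this does that
comparison for an inventory of hosts. The inventory is constructed.
"""

MIN_ENGINE = "1.1.13704.0"  # minimum stated in the advisory


def parse_version(text):
    """Turn '1.1.13704.0' into (1, 1, 13704, 0) so it compares numerically.

    Comparing the raw strings is the classic mistake: '1.1.9999.0' sorts
    *after* '1.1.13704.0' as text although it is an older build.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected engine version format: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(version, minimum=MIN_ENGINE):
    """True when the reported engine build meets the advisory minimum."""
    return parse_version(version) >= parse_version(minimum)


def string_compare_verdict(version, minimum=MIN_ENGINE):
    """What a naive string comparison would conclude (wrong for 1.1.9999.0)."""
    return version >= minimum


# Constructed inventory: hostname -> engine version reported by that host.
INVENTORY = {
    "ws-01": "1.1.13704.0",  # exactly the fixed build
    "ws-02": "1.1.13804.0",  # newer
    "ws-03": "1.1.13601.0",  # older: still exposed
    "ws-04": "1.1.9999.0",   # older, but sorts as "newer" when compared as text
    "ws-05": "unknown",      # agent not reporting: cannot be counted as patched
}


def audit(inventory, minimum=MIN_ENGINE):
    """Return (hosts needing the update, hosts whose state is unverified)."""
    needs_update, unverified = [], []
    for host, version in sorted(inventory.items()):
        try:
            if not is_patched(version, minimum):
                needs_update.append(host)
        except ValueError:
            unverified.append(host)
    return needs_update, unverified
```

A host that does not report a parseable version belongs on the follow-up list, not the patched list; “patched” is a claim you verify per machine, not a property of the update having been published.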

Patches As Vulnerability Patterns

You have to visit CVE-2017-0290 to find links to the details of “MsMpEng: Remotely Exploitable Type Confusion….”

Which raises an interesting use case for the Microsoft/MSRC-Microsoft-Security-Updates-API, which I encountered by way of a PowerShell script for accessing the MSRC Portal API.

Polling the Microsoft/MSRC-Microsoft-Security-Updates-API provides you with notice of vulnerabilities to look for based on unapplied patches.

You can use the CVE links to find deeper descriptions of underlying vulnerabilities. Those descriptions, assuming you mine the sips (statistically improbable phrases), can result in a powerful search tool to find closely related postings.

Untested, but searching by patterns for particular programmers (whether named or not) may be more efficient than an abstract search for coding errors.

The reasoning: programmers tend to commit the same errors, reviewers tend to miss the same errors, and so any discovered error, properly patterned, may be the key to a grab bag of other errors.

That’s an issue where tunable subject identity would be very useful.
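An added example (not from the post, and using constructed advisory text rather than real CVE descriptions) of what mining “sips” could look like: count two-word phrases per write-up, score each by how much more often it occurs in that write-up than its spread across the corpus predicts, discard corpus-wide boilerplate, and use the surviving phrases to find related write-ups.

```python
"""Mine statistically improbable phrases (SIPs) from vulnerability write-ups.

Added example, not from the post or any CVE feed: the four descriptions
below are constructed stand-ins for advisory text. A phrase counts as
improbable for a write-up when it recurs inside that write-up but occurs
in at most half of the corpus; write-ups sharing such phrases are
candidate relatives, while boilerplate like "crafted file" is filtered out.
"""
import math
import re
from collections import Counter

STOPWORDS = {"a", "an", "the", "in", "of", "to", "so", "when", "while",
             "before", "without", "still", "lets", "from", "it", "is", "and"}

# Constructed corpus (not real CVE text).
CORPUS = {
    "adv-1": "Type confusion in the scan engine lets a crafted file reach remote "
             "code execution. The scan engine fails to check the object type "
             "before the cast, so a crafted file controls the object type.",
    "adv-2": "Heap overflow in the image parser when a crafted file supplies an "
             "oversized width. The image parser trusts the header length from "
             "the crafted file.",
    "adv-3": "Type confusion in the script host: the script host casts a "
             "JavaScript object without checking the object type, so a crafted "
             "page controls the object type.",
    "adv-4": "Use after free in the document viewer when a crafted file frees a "
             "page while the document viewer still references it. A second "
             "crafted file triggers the same path.",
}


def phrases(text):
    """Count two-word phrases in which both words are content words."""
    tokens = re.findall(r"[a-z0-9]+", text.lower())
    return Counter(f"{a} {b}" for a, b in zip(tokens, tokens[1:])
                   if a not in STOPWORDS and b not in STOPWORDS)


def sips(doc_id, corpus=CORPUS, min_count=2):
    """Phrases of one document, most improbable first.

    Score = count_in_doc * ln(N / df): frequent here, rare elsewhere.
    Phrases found in more than half the documents are treated as boilerplate.
    """
    counts = {d: phrases(t) for d, t in corpus.items()}
    n_docs = len(corpus)
    df = Counter(p for c in counts.values() for p in c)  # documents per phrase
    scored = [(cnt * math.log(n_docs / df[p]), p)
              for p, cnt in counts[doc_id].items()
              if cnt >= min_count and df[p] <= n_docs // 2]
    return [p for _, p in sorted(scored, key=lambda s: (-s[0], s[1]))]


def related(doc_id, corpus=CORPUS):
    """Other documents that share at least one SIP with doc_id."""
    mine = set(sips(doc_id, corpus))
    out = {}
    for other in corpus:
        if other == doc_id:
            continue
        shared = mine & set(sips(other, corpus))
        if shared:
            out[other] = sorted(shared)
    return out
```

On this toy corpus “object type” links the two type-confusion write-ups while “crafted file”, which turns up in three of the four, is dropped as boilerplate. On a real feed the knobs are the phrase length, the minimum in-document count and the document-frequency cutoff; a phrase you saw once is an anecdote, not a pattern.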

Network datasets (@Ognyanova)

May 9th, 2017

Network datasets by Katherine Ognyanova.

From the post:

Since I started posting network tutorials on this site, people will occasionally write to ask me about the included example datasets. I also get e-mails from people asking where they might find network data to use for a project or in teaching. Seems like a good idea to post a quick reply here.

The datasets included in my tutorials are mostly synthetic (or trimmed and heavily manipulated) in order to illustrate various visualization aspects in a manageable way. Feel free to use those datasets (citing or linking to the source is appreciated), but keep in mind that they are artificially generated and not the result of actual data collection. When I do use empirical data, the download files include documentation (if the data is collected by me) or clearly point to the source (if the data was collected by someone else).

If you are looking for network data, large or small, there are a number of excellent open online repositories that you can take a look at. Below is a short list (feel free to e-mail me if you have other good links, and I will add them here).

Links to ten (10) collections of network datasets, plus suggestions on software for collecting and analyzing social network data.

Consider following her: @Ognyanova. See her website, http://kateto.net/ for additional resources.

FOIA Data Models for Everyone [If You Are Going To Ask]

May 8th, 2017

FOIA Data Models for Everyone by Jeremy B. Merrill.

From the post:

Listen to two FOIA practitioners describe their request strategies and you’ll probably get two very different answers. I know because I’ve done it. As someone with not much of a personal FOIA strategy—besides “wait and hope”—I was surprised that journalists skilled at prying obscure records from the government have wildly different approaches.

These differences in how to engage with the FOIA process can cover questions that are flashy—to us nerds—like whether to ask for “any and all” documents or to call the officer every week or so. But the idiosyncrasies in journalists’ mental models trickle down even into the little details, like how they keep track of agencies’ contact info.

When I began an internal FOIA tracker app for the New York Times, I knew I’d have to understand different mental models of the FOIA process in order to represent that process in a database. So, I put out a call to the friendly community of news nerds on Twitter and in the NewsNerdery Slack:

Tracking your FOIAs with a spreadsheet (or an app) is a best practice. But everyone’s chart is a little different and probably encodes different nuggets of hard-earned wisdom. Care to share the column headers from your spreadsheet?

Computers don’t know anything about FOIAs. Bless their hearts, but they’re dumb; data modeling is how we imbue computers with little morsels of our human wisdom hidden in row 1 of a spreadsheet. I collated the results—from eight individuals’ spreadsheets and two open-source FOIA tracker apps plus my own, so hopefully a lot of little morsels of wisdom—and analyzed them to see what I might have missed. I want to share the results back to the community.

A gold mine of curated advice and practices on FOIA data models.

Old pros and newbies at FOIA requests are going to benefit from Merrill’s post.

Be sure to ping him @jeremybmerrill to show your appreciation for this summary.

OSS-Fuzz: Five months later, and rewarding projects

May 8th, 2017

OSS-Fuzz: Five months later, and rewarding projects

From the post:

Five months ago, we announced OSS-Fuzz, Google’s effort to help make open source software more secure and stable. Since then, our robot army has been working hard at fuzzing, processing 10 trillion test inputs a day. Thanks to the efforts of the open source community who have integrated a total of 47 projects, we’ve found over 1,000 bugs (264 of which are potential security vulnerabilities).

[graphic omitted]

Notable results

OSS-Fuzz has found numerous security vulnerabilities in several critical open source projects: 10 in FreeType2, 17 in FFmpeg, 33 in LibreOffice, 8 in SQLite 3, 10 in GnuTLS, 25 in PCRE2, 9 in gRPC, and 7 in Wireshark, etc. We’ve also had at least one bug collision with another independent security researcher (CVE-2017-2801). (Some of the bugs are still view restricted so links may show smaller numbers.)

A useful way to improve the quality of software and its security. Not only that, but rewards are offered for projects that adopt the ideal integration guidelines.

The Patch Rewards program now includes rewards for integration of fuzz targets into OSS-Fuzz.

Contributing to open source projects, here by contributing to the use of fuzzing in the development process, is a far cry from the labor market damaging “Hack the Air Force” program. The US Air Force can and does spend $millions if not $billions on insecure software and services.

Realizing it has endangered itself, but unwilling to either contract for better services and/or to hold its present contractors responsible for shabby work, the Air Force is attempting to damage the labor market for defensive cybersecurity services by soliciting free work. Or nearly so given the ratio of the prizes to Air Force spending on software.

$Millions in contributions to open source projects, not a single dime for poorly managed government IT contract results.

Zero-Day versus Tried-n-True Methods

May 8th, 2017

IBM shipped malware-laden USB sticks to unsuspecting customers by Chris Bing.

From the post:

Malware-laden USB sticks were accidentally sent by IBM to a series of enterprise customers that had purchased storage systems developed by the computing giant, according to a company advisory published last week.

An unidentified number of these drives were mailed as an installation tool for users setting up IBM Storewize V3700 and V5000 Gen 1 storage systems. IBM says that all of the infected USBs carried the same serial number: 01AC585.

An IBM spokesperson did not respond to CyberScoop’s inquiry. It remains unclear how the malware originally found its way onto the drives.

One upside of this story is you now know what a USB for the IBM Storewize V3700 and V5000 Gen 1 storage systems looks like.

Not that you would go out and create fake USBs for IBM Storewize V3700 and V5000 Gen 1 storage systems. Heaven forbid!

Another upside is that the story acts as a reminder that you can purchase or sweat over finding a new zero-day, versus taking the simpler route of getting a victim to infect themselves.

Professional DVD duplication is cheap and widespread. Recipients are unlikely to question the receipt of a “prize” DVD.

Selecting the best DVD for a recipient is the real question. Pleading “responsible disclosure,” I have to omit details on ways to make that selection.

😉

The DVD route requires more preparation than phishing but unlike emails, due to sharing, malware DVDs are gifts that keep on giving.

How to Spot Visualization Lies

May 8th, 2017

How to Spot Visualization Lies : Keep your eyes open by Nathan Yau.

From the post:

It used to be that we’d see a poorly made graph or a data design goof, laugh it up a bit, and then carry on. At some point though — during this past year especially — it grew more difficult to distinguish a visualization snafu from bias and deliberate misinformation.

Of course, lying with statistics has been a thing for a long time, but charts tend to spread far and wide these days. There’s a lot of them. Some don’t tell the truth. Maybe you glance at it and that’s it, but a simple message sticks and builds. Before you know it, Leonardo DiCaprio spins a top on a table and no one cares if it falls or continues to rotate.

So it’s all the more important now to quickly decide if a graph is telling the truth. This is a guide to help you spot the visualization lies.

Warning: Your blind acceptance/enjoyment of news graphics may be diminished by this post. You have been warned.

Beautifully illustrated as always.

Perhaps Nathan will produce a double-sided, laminated version to keep by your TV chair. A great graduation present!

Tackling “Fake News” (So You Don’t Have To, How Nice)

May 8th, 2017

A Global Guide to Initiatives Tackling “Fake News” by Fergus Bell.

From the post:

Here’s a list of initiatives that hope to fix trust in journalism and tackle “fake news”.

There’s a lot.

I’ve tried to collect an extensive list of projects, initiatives and tools created to fix trust in journalism and false/fake news and misinformation. This also includes efforts and initiatives around verification. Where possible I’ve also tried to attach where the funding has come from for each initiative.

A great resource for tracking efforts with the self-appointed goal of:

Protecting you from “fake news.”

The arrogance of such efforts is almost palpable. They can recognize “fake news” but millions of benighted souls on the Internet are victims in waiting.

I have a great deal of sympathy for the efforts to teach readers how to evaluate information, the source of its reporting and consistency with other sources of information.

However, efforts like that of Google are an attempt to privilege certain narratives with an imprimatur of truth.

Skip to the “guides” section of Bell’s post and preserve your own judgment in the face of the hue and cry over “fake news.”

Guessing Valid GMail Addresses – Not A Bug (Must Be A Feature)

May 8th, 2017

Abusing Gmail to get previously unlisted e-mail addresses

From the post:

tl;dr: I discovered a glitch that allowed me to guess, in large number, existing Google account addresses that could otherwise be unknown. DISCLAIMER: it’s just bruteforce that wasn’t properly rate-limited, nothing too fancy, so if you’re looking for some juicy 0day please pass along 😉
… (emphasis in original)

Cutting to the chase:


This way I was able to guess around 40,000 valid e-mail addresses per day with a stupid unoptimized PoC.
… (emphasis in original)

When advised of the issue, Google responded that it’s not a security bug.
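Since the post boils the issue down to brute force that wasn’t rate-limited, here is an added example (not Google’s code or the researcher’s PoC; accounts, client addresses and guesses are constructed) of the two controls that matter on a lookup like this: per-client throttling, and a response that is identical whether or not the address exists.

```python
"""Throttle and de-enumerate an account lookup endpoint.

Added example, not Google's code or the researcher's PoC. Two controls
are shown side by side: a per-client token bucket, and a response that is
identical whether or not the address exists. Accounts, client addresses
(documentation range 203.0.113.0/24) and guesses are constructed.
"""
import time

EXISTING_ACCOUNTS = {"alice@example.invalid", "bob@example.invalid"}
GUESSES = ["alice@example.invalid", "carol@example.invalid", "bob@example.invalid",
           "dave@example.invalid", "erin@example.invalid"]


class TokenBucket:
    """Allow `capacity` requests per key, refilled at `rate` tokens per second."""

    def __init__(self, capacity, rate, clock=time.monotonic):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self._state = {}  # key -> (tokens, time of last refill)

    def allow(self, key):
        now = self.clock()
        tokens, last = self._state.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens < 1:
            self._state[key] = (tokens, now)
            return False
        self._state[key] = (tokens - 1, now)
        return True


class RecoveryEndpoint:
    """A 'send me a recovery link' style lookup, in two versions."""

    def __init__(self, limiter):
        self.limiter = limiter
        self.sent = []  # addresses that would receive a message

    def vulnerable(self, client, address):
        # Unthrottled, and the reply itself says whether the account exists,
        # so every request leaks one bit: the glitch the post describes.
        if address in EXISTING_ACCOUNTS:
            self.sent.append(address)
            return 200, "recovery link sent"
        return 404, "no such account"

    def hardened(self, client, address):
        # Throttle per client first, then answer the same way in both cases;
        # the only difference is a side effect the caller cannot observe.
        if not self.limiter.allow(client):
            return 429, "too many requests"
        if address in EXISTING_ACCOUNTS:
            self.sent.append(address)
        return 200, "if that address exists, a link has been sent"


def leaks_existence(handler, client, guesses):
    """True if replies for existing and non-existing addresses never overlap."""
    seen = {True: set(), False: set()}
    for address in guesses:
        seen[address in EXISTING_ACCOUNTS].add(handler(client, address))
    return bool(seen[True]) and seen[True].isdisjoint(seen[False])


def demo():
    frozen = lambda: 0.0  # frozen clock: no refill during the burst
    endpoint = RecoveryEndpoint(TokenBucket(capacity=3, rate=1.0, clock=frozen))
    return {
        "vulnerable_leaks": leaks_existence(endpoint.vulnerable, "203.0.113.5", GUESSES),
        "hardened_leaks": leaks_existence(endpoint.hardened, "203.0.113.5", GUESSES),
        "hardened_throttled": sum(endpoint.hardened("203.0.113.9", a)[0] == 429
                                  for a in GUESSES),
    }
```

The hardened version still sends the message only to real addresses; the caller just cannot tell from the reply. Capacity and refill rate are the knobs, and the limiter must be keyed on whatever identifies the guesser (source address, session, account), because a limiter keyed on the guessed address stops nothing.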

Hijacking Fleets of PCs

May 7th, 2017

Intel chip vulnerability lets hackers easily hijack fleets of PCs by Zack Whittaker.

From the post:

A vulnerability in Intel chips that went undiscovered for almost a decade allows hackers to remotely gain full control over affected Windows PCs without needing a password.

The “critical”-rated bug, disclosed by Intel last week, lies in a feature of Intel’s Active Management Technology (more commonly known as just AMT), which allows IT administrators to remotely carry out maintenance and other tasks on entire fleets of computers as if they were there in person, like software updates and wiping hard drives. AMT also allows the administrator to remotely control the computer’s keyboard and mouse, even if the PC is powered off.

To make life easier, AMT was also made available through the web browser — accessible even when the remote PC is asleep — that’s protected by a password set by the admin.

The problem is that a hacker can enter a blank password and still get into the web console, according to independent technical rundowns of the flaw by two security research labs.

Embedi researchers, credited with finding the bug, explained in a whitepaper posted Friday that a flaw in how the default “admin” account for the web interface processes the user’s passwords effectively lets anyone log in by entering nothing at the log-on prompt.

Opportunity to stretch your technical chops as fixes are due to roll out May 8th and thereafter.
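An added illustration, not Intel’s firmware or Embedi’s code, of the class of mistake described above. The whitepaper the article cites traced the flaw to a comparison bounded by the length of the value the client supplied, so submitting nothing “matches”; the toy below puts that check next to one that compares the full expected value in constant time. The credential scheme, realm, user and password are constructed.

```python
"""Length-bounded credential check versus a full-length, constant-time one.

Added example, not Intel's firmware or Embedi's code: a toy recreation of
the comparison mistake that lets an empty submission pass. The realm,
user, password and the keyed-hash construction are constructed.
"""
import hashlib
import hmac

REALM = "Digest:ABCD"                                  # constructed
USERS = {"admin": "correct horse battery staple"}     # constructed


def expected_response(user, password, nonce):
    """Server-side expectation: keyed hash over user, realm and nonce."""
    msg = f"{user}:{REALM}:{nonce}".encode()
    return hmac.new(password.encode(), msg, hashlib.sha256).hexdigest()


def check_length_bounded(user, nonce, client_response):
    """Flawed: compares only as many characters as the client sent.

    An empty client_response compares zero characters and so always passes;
    a short prefix passes too.
    """
    if user not in USERS:
        return False
    expected = expected_response(user, USERS[user], nonce)
    n = len(client_response)
    return expected[:n] == client_response[:n]


def check_hardened(user, nonce, client_response):
    """Full-length, constant-time comparison; empty or truncated input fails."""
    if user not in USERS:
        return False
    expected = expected_response(user, USERS[user], nonce)
    return hmac.compare_digest(expected, client_response)
```

The hardened check also rejects a value of the wrong length without leaking where it diverged, which is the other reason to use a constant-time comparison rather than any prefix- or early-exit match when verifying credentials.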

Of course, as Verizon posted last week:

81% of hacking-related breaches leveraged either stolen and/or weak passwords. (page 3)

Decade old hardware bugs grab headlines but human fails are the bread and butter of cybersecurity.

The New York Times — Glory Days

May 7th, 2017

Hell hath no fury like The New York Times scorned by Hollywood by Thomas Vinciguerra.

From the post:

GOD, IT’S BEEN SAID, makes a lousy playwright. As far as an upcoming film that spotlights the Pentagon Papers is concerned, though, The New York Times is seething not at the Almighty but at the producers.

In March it was announced that Steven Spielberg would direct The Post, which offers as its backdrop the dramatic story of how the press exposed the federal government’s infamous secret history of the Vietnam War. Liz Hannah, who studied at the American Film Institute, sold her spec script to former Sony co-chair Amy Pascal’s production company last fall. Meryl Streep and Tom Hanks, Variety reported, are “attached to star” as Washington Post publisher Katharine Graham and executive editor Ben Bradlee.

But it was The New York Times—not the Washington Post—that broke the Pentagon Papers story. It is the Times whose name is on the landmark 1971 Supreme Court case that affirmed the right to publish the classified documents. And it was the Times that won the 1972 Pulitzer Prize for meritorious public service for its labors.

Nonetheless, as its title implies, the Spielberg project emphasizes the ancillary role of the Post. Not unexpectedly, Times people from back in the day are incensed.
… (emphasis in original)

Any mention of The New York Times and the Pentagon Papers brings Glory Days by Bruce Springsteen, E Street Band to mind:

I had a friend was a big baseball player
Back in high school
He could throw that speedball by you
Make you look like a fool boy
Saw him the other night at this roadside bar
I was walking in, he was walking out
We went back inside sat down had a few drinks
But all he kept talking about was

Glory days, well, they’ll pass you by
Glory days, in the wink of a young girl’s eye
Glory days, glory days

Well there’s a girl that lives up the block
Back in school she could turn all the boy’s heads
Sometimes on a Friday I’ll stop by
And have a few drinks after she put her kids to bed
Her and her husband Bobby well they split up
I guess it’s two years gone by now
We just sit around talking about the old times,
She says when she feels like crying
She starts laughing thinking about

Glory days, well, they’ll pass you by
Glory days, in the wink of a young girl’s eye
Glory days, glory days

To be sure, The New York Times (NYT) broke the story, fought for the right to publish up to the Supreme Court, but what has the NYT done for you or journalism lately?

The NYT, along with others, did publish the Afghan War Diaries, although sanitized as described by Bill Keller:


We used that month to study the material, try to assess its value and credibility, weigh it against our own reporters’ experience of the war and against other sources, and then tell our readers what it all meant. In doing so, we took great care both to put the information in context and to excise anything that would put lives at risk or jeopardize ongoing military missions.

What does that mean in practice? Obviously we did not disclose the names of Afghans, except for public officials, who have cooperated with the war effort, either in our articles or in the selection of documents we posted on our own Web site. We did not disclose anything that would compromise intelligence-gathering methods. We erred, if at all, on the side of prudence. For example, when a document reported that a certain aircraft left a certain place at a certain time and arrived at another place at a certain time, we omitted those details on the off chance that an enemy could gain some small tactical advantage by knowing the response time of military aircraft.

The administration, while strongly condemning WikiLeaks for making these documents public, did not suggest that The Times should not write about them. On the contrary, in our discussions prior to the publication of our articles, White House officials, while challenging some of the conclusions we drew from the material, thanked us for handling the documents with care, and asked us to urge WikiLeaks to withhold information that could cost lives. We did pass along that message.

Journalists have a role in supporting “…ongoing military missions[?]”

Pointers to any school of journalism that teaches that role? (Thanks!)

Worse, Keller describes the NYT consulting with and acting as a surrogate for the US government in urging Wikileaks to withhold information.

Isn’t withholding information contrary to creating an informed public?

Crowd-funding opportunity: Francis Ford Coppola directs: From Government Watchdog to Mouthpiece – The New York Times

Introduction: The New Face of Censorship

May 6th, 2017

Introduction: The New Face of Censorship by Joel Simon.

From the post:

In the days when news was printed on paper, censorship was a crude practice involving government officials with black pens, the seizure of printing presses and raids on newsrooms. The complexity and centralization of broadcasting also made radio and television vulnerable to censorship even when the governments didn’t exercise direct control of the airwaves. After all, frequencies can be withheld; equipment can be confiscated; media owners can be pressured.

New information technologies–the global, interconnected internet; ubiquitous social media platforms; smart phones with cameras–were supposed to make censorship obsolete. Instead, they have just made it more complicated.

Does anyone still believe the utopian mantras that information wants to be free and the internet is impossible to censor or control?

The fact is that while we are awash in information, there are tremendous gaps in our knowledge of the world. The gaps are growing as violent attacks against the media spike, as governments develop new systems of information control, and as the technology that allows information to circulate is co-opted and used to stifle free expression.

The work of Joel Simon and the Committee to Protect Journalists is invaluable. The challenges, dangers and hazards for journalists around the world are constant and unrelenting.

I have no doubt about Simon’s account of suppression of journalists. His essay is a must read for everyone who opposes censorship, at least in its obvious forms.

A more subtle form of censorship is practiced in the United States, self-censorship.

How many stories on this theme have you read in the last couple of weeks? U.S. spy agency abandons controversial surveillance technique

Now, how many of those same stories mentioned that the NSA has a long and storied history of lying to the American public, presidents and congress?

By my count, which wasn’t exhaustive, the total is 0.

Instead of challenging this absurd account, Reuters reports the NSA’s claims as though they were true and fails to remind the public it is relying on a habitual liar.

Show of hands, how many readers think the Reuters staff forgot that the NSA is a hotbed of liars and cheats?

There is little cause for government censorship of US media outlets. They censor themselves before the government can even ask.

Support the Committee to Protect Journalists and perhaps their support of journalists facing real censorship will shame US media into growing a spine.

Archive.org (Internet Archive) Security Warning!

May 5th, 2017

Just in case you forgot, every packet of Internet traffic can disclose your identity.

From Twitter today:

I have no idea if this was the actual Macron leaker or an account being used to mask their true identity.

But, it’s worth a quick heads up to say:

Presume every packet from your computer is being captured (not necessarily read if encrypted) somewhere by someone.

Plan accordingly.

3,000 New Censorship Jobs At Facebook

May 5th, 2017

Quick qualification test for censorship jobs at Facebook:

  • Are you more moral than most people?
  • Are you more religious than most people?
  • Are you more sensitive than most people?
  • Do you want to suppress “harmful” content?
  • Do you enjoy protecting people who are easily misled (unlike you)?
  • Do you support the United States, its agencies, offices and allies?
  • Do you recognize Goldman Sachs, Chase and all other NYSE listed companies as people with rights?

If you answered one or more of these questions with “yes,” congratulations! You have passed a pre-qualification test for one of the 3,000 new censorship positions for Facebook.

(Disclaimer: It is not known if Facebook will recognize this pre-qualification test and may have other tests or questions for actual applicants.)

For further details, see: Will Facebook actually hire 3,000 content moderators, or will they outsource? by Annalee Newitz.

Censorship is the question. The answer is no.