Going Among Capitalists? Don’t Forget Your S8 USB Cable!

November 15th, 2017

Teardown of a consumer voice/location cellular spying device that fits in the tip of a USB cable by Cory Doctorow.

From the post:

Mich from ha.cking bought a $25 “S8 data line locator” device — a cellular spying tool, disguised as a USB cable and marketed to the general public — and did a teardown of the gadget, offering a glimpse into the world of “trickle down surveillance” where the kinds of surveillance tools used by the NSA are turned into products and sold to randos over the internet for $25.

The S8 makes use of the GSM cellular network and takes a regular micro-SIM, and can use any of the international GSM bands. You communicate with it by sending it SMSes or by using a web front-end, which causes it to switch on a hidden mic so you can listen in on its surroundings; it can also give a coarse approximation of its location (based on GSM towers, not GPS, and accurate to within about 1.57km).

For all the technical details see: Inside a low budget consumer hardware espionage implant by mich (@0x6d696368).

In some legal jurisdictions use of this cable may be construed as a crime. But, as US torture of prisoners, NSA surveillance, and numerous other crimes by US operatives demonstrate, prosecution of crimes is at the whim and caprice of prosecutors.

Calling something a “crime” is pejorative labeling for media purposes, unless you are a prosecutor deciding on prosecution. Otherwise, it’s just labeling.

How-To Keep A Secret, Well, Secret (Brill)

November 15th, 2017

Weapons of Mass Destruction: The Top Secret History of America’s Nuclear, Chemical and Biological Warfare Programs and Their Deployment Overseas, edited by Matthew M. Aid, is described as:

At its peak in 1967, the U.S. nuclear arsenal consisted of 31,255 nuclear weapons with an aggregate destructive power of 12,786 megatons – more than sufficient to wipe out all of humanity several hundred times over. Much less known is that hidden away in earth-covered bunkers spread throughout the U.S., Europe and Japan, over 40,000 tons of American chemical weapons were stored, as well as thousands of specially designed bombs that could be filled with even deadlier biological warfare agents.

The American WMD programs remain cloaked in secrecy, yet a substantial number of revealing documents have been quietly declassified since the late 1970s. Put together, they tell the story of how America secretly built up the world’s largest stockpile of nuclear, chemical, and biological weapons. The documents explain the role these weapons played in a series of world crises, how they shaped U.S. and NATO defense and foreign policy during the Cold War, and what incidents and nearly averted disasters happened. Moreover, they shed a light on the dreadful human and ecological legacy left by decades of nuclear, chemical and biological weapons manufacturing and testing in the U.S. and overseas.

This collection contains more than 2,300 formerly classified U.S. government documents, most of them classified Top Secret or higher. Covering the period from the end of World War II to the present day, it provides unique access to previously unpublished reports, memoranda, cables, intelligence briefs, classified articles, PowerPoint presentations, military manuals and directives, and other declassified documents. Following years of archival research and careful selection, they were brought together from the U.S. National Archives, ten U.S. presidential libraries, the NATO Archives in Brussels, the National Archives of the UK, the National Archives of Canada, and the National Archives of the Netherlands. In addition, a sizeable number of documents in this collection were obtained from the U.S. government and the Pentagon using the Freedom of Information Act (FOIA) and Mandatory Declassification Review (MDR) requests.

This collection comes with several auxiliary aids, including a chronology and a historiographical essay with links to the documents themselves, providing context and allowing for easy navigation for both students and scholars.

It’s an online resource of about 21,212 pages.

Although the editor (Aid) and/or Brill did a considerable amount of work assembling these documents, the outright purchase price (€4.066,00 / $4,886.00) or the daily access price ($39.95/day) effectively keeps these once-secret documents secret.

Of particular interest to historians and arms control experts, I expect the data will also interest those identifying recurrent patterns of criminal misconduct in governments.

It does occur to me that when you look at the Contents tab, http://primarysources.brillonline.com/browse/weapons-of-mass-destruction#content-tab, each year lists the documents in the archive. Lists that could be parsed for recovery of the documents from other sources on the Internet.

You would still have to index (did I hear someone say topic map?) the documents, etc., but as a long term asset for the research community, it would be quite nice.
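A hedged sketch, in Python, of the kind of scraping I have in mind. The CSS selector is a guess (inspect the Contents tab for the real markup), and check Brill’s terms before hammering their server:

import requests
from bs4 import BeautifulSoup

CONTENTS_URL = ("http://primarysources.brillonline.com/browse/"
                "weapons-of-mass-destruction")

html = requests.get(CONTENTS_URL, timeout=30).text
soup = BeautifulSoup(html, "html.parser")

# Hypothetical selector: collect whatever looks like a document citation
# under the content tab.
citations = [li.get_text(strip=True) for li in soup.select("#content-tab li")]
for citation in citations:
    print(citation)

Each recovered citation string can then be thrown at search engines, the NARA catalog, or FOIA reading rooms to see whether a free copy already exists.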

If you doubt the need for such a project, toss “USAF, Cable, CINCUSAFE to CSAF, May 6, 1954, Top Secret, NARA” into your nearest search engine.

How do you feel about Brill being the arbiter of 20th century history, for a price?

Me too.

From Forever Vulnerable (aka Microsoft) – Seventeen Years of Vulnerability

November 15th, 2017

A seventeen-year-old vulnerability in the Microsoft Equation Editor was patched yesterday.

For a semi-technical overview, see Office Equation Editor Security Bug Runs Malicious Code Without User Interaction by Catalin Cimpanu.

For all the details and a back story useful for finding vulnerabilities, see: Skeleton in the closet. MS Office vulnerability you didn’t know about by Embedi.

Walking through the steps in the post to “re-discover” this vulnerability is a good exercise.

It’s not the fault of Microsoft that its users fail to patch/upgrade Microsoft products. That being said, CVE-2017-11882, with its seventeen-year window of exposure, should be added to your evergreen list of Microsoft vulnerabilities.

Call For Cyber Weapons (Arsenal at Black Hat Asia 2018)

November 15th, 2017

Welcome to Arsenal at Black Hat Asia 2018 – Call for Tools Open

Deadline: January 10 at 23:59 Pacific

From the webpage:

The Black Hat Arsenal team will be back in Singapore with the very same goal: give hackers & security researchers the opportunity to demo their newest and latest code.

The Arsenal tool demo area is dedicated to researchers and the open source community. The concept is quite simple: we provide the space and you bring your machine to showcase your work and answer questions from delegates attending Black Hat.

Once again, the ToolsWatch (@toolswatch) team will work in conjunction with Black Hat for the special event Black Hat Arsenal Asia 2018.

The 16th session will be held at the Marina Bay Sands in Singapore from March 22-March 23, 2018.

The same rules to consider before applying to Arsenal:

  • Bring your computer (with VGA output), adapter, your tool, your stickers
  • Avoid stodgy presentations. Folks are expecting action, so give’em action.
  • No vendor pitches or gear!
  • Be yourself, be cool, and wear a smile.
  • Hug the folks at Arsenal :)
  • Above all, have tremendous fun!!

For any questions, contact blackhatarsenal@ubm.com.

*Please note: You may use the plain text “Upload File” section if you wish to include whitepapers or research; however, this field is optional and not required.

Not as much advance notice as you have for Balisage 2018 but surely you are building new tools on a regular basis!

As you have learned from tools written by others, come to Arsenal at Black Hat Asia 2018 and enable others to learn from you.

Terminology: I say “weapons” instead of “tools” to highlight the lack of any “us” when it comes to cybersecurity.

Governments and corporations have an interest in personal privacy and security only when it furthers their agendas and none when it doesn’t.

Making governments and corporations more secure isn’t in my interest. Is it in yours? (Governments have declared their lack of interest in your privacy and security by their actions. Nothing more need be said.)

A Docker tutorial for reproducible research [Reproducible Reporting In The Future?]

November 15th, 2017

R Docker tutorial: A Docker tutorial for reproducible research.

From the webpage:

This is an introduction to Docker designed for participants with knowledge about R and RStudio. The introduction is intended to be helping people who need Docker for a project. We first explain what Docker is and why it is useful. Then we go into the details on how to use it for a reproducible transportable project.

Six lessons, instructions for installing Docker, plus zip/tar ball of the materials. What more could you want?

Science has paid lip service to the idea of replication of results for centuries but with the sharing of data and analysis, reproducible research is becoming a reality.

Is reproducible reporting in the near future? Reporters preparing their analysis and releasing raw data and their extraction methods?

Or will selective releases of data, when raw data is released at all, continue to be the norm?

Please let @ICIJorg know how you feel about data hoarding, #ParadisePapers, #PanamaPapers, when data and code sharing are becoming the norm in science.

How-To Avoid Sexually Harassing Others

November 15th, 2017

“Sensitivity” training will divert resources, be seen as “forced” on employees (primarily a male reaction), and result in a certificate, not the desired change in behavior. (Albeit “sensitivity” training is a growth industry right now.)

Here’s my rough draft to combat sexual harassment. Not 100% because mothers, spouses and significant others vary widely. But if the answers are followed, in general, behavior will improve.

It should have been 3 questions and not 5 because people can’t remember more than 3 things at a time so suggestions for how to shorten it are welcome.

Hmmm, perhaps call mother, spouse, other and ask:

May I (describe behavior) to/with/on (name) without their permission?

One question. What do you think?

The key being “without their permission.” Something the AI people could create a mother, spouse, other bot for.

Datasette: instantly create and publish an API for your SQLite databases

November 14th, 2017

Datasette: instantly create and publish an API for your SQLite databases by Simon Willison.

From the webpage:

I just shipped the first public version of datasette, a new tool for creating and publishing JSON APIs for SQLite databases.

You can try it out right now at fivethirtyeight.datasettes.com, where you can explore SQLite databases I built from Creative Commons licensed CSV files published by FiveThirtyEight. Or you can check out parlgov.datasettes.com, derived from the parlgov.org database of world political parties which illustrates some advanced features such as SQLite views.

That sounds really great but then I read:


Or you can try it out on your own machine. If you run OS X and use Google Chrome, try running the following:

pip3 install datasette
datasette ~/Library/Application\ Support/Google/Chrome/Default/History

This will start a web server on http://127.0.0.1:8001/ displaying an interface that will let you browse your Chrome browser history, which is conveniently stored in a SQLite database.
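To see why that should make you nervous, here’s a minimal sketch that reads the same database directly with Python’s sqlite3 module. I’m assuming the usual urls table layout (url, title, visit_count); adjust if your Chrome version differs, and query a copy, since Chrome locks the live file:

import os
import shutil
import sqlite3

# Chrome keeps History locked while it is running, so work on a copy.
src = os.path.expanduser(
    "~/Library/Application Support/Google/Chrome/Default/History")
shutil.copy(src, "/tmp/History-copy")

conn = sqlite3.connect("/tmp/History-copy")
rows = conn.execute(
    "SELECT url, title, visit_count FROM urls "
    "ORDER BY visit_count DESC LIMIT 10")
for url, title, visits in rows:
    print(visits, title or url)
conn.close()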

Warning – Warning: Don’t leave datasette serving your browser history on your laptop at a conference. Yes?

Other than the caution about your own security, this looks very cool!

Enjoy!

Top GIS Programming Languages You Should Use [Ad Avoidance]

November 14th, 2017

Top GIS Programming Languages You Should Use

No surprises and to help you avoid the one language per page plus ads presentation:

  1. Python
  2. JavaScript
  3. R
  4. SQL (not a programming language, their mistake, not mine)
  5. Java
  6. C#
  7. C++

Best guide is to use whatever other people you work with use, so you can share experience and techniques. All of these languages have more documentation, examples, etc., than any one person can master. Share that load and you will all be more productive.
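If you want a feel for why Python tops the list, here’s a minimal sketch (my example, not the article’s) of a bread-and-butter GIS task: great-circle distance between two coordinates.

from math import radians, sin, cos, asin, sqrt

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points, in kilometers."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))

# Roughly the Singapore-to-Prague distance.
print(round(haversine_km(1.3521, 103.8198, 50.0755, 14.4378)), "km")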

Data Hoarding Journalists and Information Security

November 14th, 2017

A Study of Technology in Newsrooms

From the post:

We face a global media landscape rife with both uncertainty and excitement. The need to understand this new digital era — and what it means for journalists — has never been more urgent. That’s why we at the International Center for Journalists (ICFJ) launched the first-ever global survey on the adoption of new technologies in news media.

More than 2,700 newsroom managers and journalists, from 130 countries, responded to our survey, which was conducted in 12 languages. Storyful, Google News Lab and SurveyMonkey supported the research. ICFJ worked with Georgetown University’s Communication, Culture, and Technology (CCT) program to administer and analyze the survey, conducted using SurveyMonkey.

One highlight from the report:

Perhaps data hoarding journalists aren’t as secure as they imagine.

Considering they are hoarding stolen data for their own benefit, what would be their complaint if the data were liberated from them?

I’ve heard the “we act in the public interest” argument but unless and until the public can compare the data to their reports, it’s hard to judge such claims.

Notice I said “the public” and not me. There are entire areas of no interest to me or in which I lack the skills to judge the evidence. Interests and skills possessed by other members of the public.

I’m not interested in access to hoarded information until everyone has access to the same information. To exclude anyone from access is to put them at a disadvantage in any ensuing discussion. I’m not willing to go there. Are you?

pynlp – Pythonic Wrapper for Stanford CoreNLP [& Rand Paul]

November 14th, 2017

pynlp – Pythonic Wrapper for Stanford CoreNLP by Sina.

The example text for this wrapper:

text = (
    'GOP Sen. Rand Paul was assaulted in his home in Bowling Green, Kentucky, '
    'on Friday, according to Kentucky State Police. State troopers responded to '
    'a call to the senator\'s residence at 3:21 p.m. Friday. Police arrested a '
    'man named Rene Albert Boucher, who they allege "intentionally assaulted" '
    'Paul, causing him "minor injury. Boucher, 59, of Bowling Green was charged '
    'with one count of fourth-degree assault. As of Saturday afternoon, he was '
    'being held in the Warren County Regional Jail on a $5,000 bond.')

[Warning: Reformatted for readability. See the Github page for the text]

Nice to see examples using contemporary texts. Any of the recent sexual abuse apologies or non-apologies would work as well.

Enjoy!

Hackers! 90% of Federal IT Managers Aiming for Their Own Feet!

November 14th, 2017

The Federal Cyber AI IQ Test (November 14, 2017) reports:


Most Powerful Applications:

  • 90% of Feds say AI could help prepare agencies for real-world cyber attack scenarios and 87% say it would improve the efficiency of the Federal cyber security workforce
  • 91% say their agency could utilize AI to monitor human activity and deter insider threats, including detecting suspicious elements and large amounts of data being downloaded, and analyzing risky user behavior
  • (emphasis in original)

One sure conclusion from this report: 90% of Feds don’t know AIs mistake turtles for rifles, 90% of the time. The adversarial example literature is full of such cases and grows more robust by the day.

The trap federal IT managers have fallen into is a familiar one. To solve an entirely human problem, a shortage of qualified labor, they want to mechanize the required tasks, even if that means a lower quality end result. Human problems are solved poorly, if at all, by mechanized solutions.

Opposed by lowest common denominator AI systems, hackers will be all but running the mints as cybersecurity AI systems spread across the federal government. “Ghost” federal installations will appear on agency records for confirmation of FedEx/UPS shipments. The possibilities are endless.

If you are a state or local government or even a federal IT manager, letting hackers run wild isn’t a foregone conclusion.

You could pattern your compensation packages after West Coast start-ups, along with similar perks. Expensive, but do you want an OPM-type data leak on your record?

Human Trafficking Resources (@gijn)

November 14th, 2017

The Global Investigative Journalism Network, @gijn, has created three guides for investigative reporters covering human trafficking:

  1. Human Trafficking Resources: Data.
  2. Human Trafficking Resources: Stories.
  3. Human Trafficking Resources: Best Practices in Reporting.

It’s a tough subject this close to the holidays but the victims of human traffickers don’t enjoy holidays, 365 days out of the year.

What I missed in “Best Practices” was mention of the use of data science to combat human trafficking.

On that score, a starter set of three resources:

Data science can help us fight human trafficking by Renata Konrad and Andrew C. Trapp.

Combating Human Trafficking Using Data Science (Booz Allen whitepaper)

How Data Analytics Is Helping to Fight Human Trafficking by Alex Woodie.

It’s unlikely that human traffickers are more cyber secure than your average corporation or government agency, so there is a role for hackers to breach information systems used by human traffickers.

If you have resources on human trafficking to suggest, contact @gijn.

XML Prague 2017 – 21 Reasons to Attend 2018 – Offensive Use of XQuery

November 13th, 2017

XML Prague 2017 Videos

Need reasons for your attending XML Prague 2018?

The XML Prague 2017 YouTube playlist has twenty-one (21) very good reasons (videos). (You may have to hold the hands of c-suite types if you share the videos with them.)

Two things that I see missing from the presentations: security and offensive use of XQuery.

XML Security

You may have noticed that corporations, governments and others have been hemorrhaging data in 2017 (and before). While legislators wail ineffectually and wish for an 18th-century world, the outlook for cybersecurity looks grim for 2018.

XML and XML applications exist in a law-of-the-jungle security context, yet there weren’t any presentations on security-related issues at XML Prague in 2017. Are you going to break the ice in 2018?

Offensive use of XQuery

XQuery has the power to extract, enhance and transform data to serve your interests, not those of its authors.

I’ve heard the gospel that technologists should disarm themselves and righteously await a better day. Meanwhile, governments, military forces, banks, and their allies loot and rape the Earth and its peoples.

Are data scientists at the NSA, FSB, MSS, MI6, Mossad, CIA, etc., constrained by your “do no evil” creeds?

Present governments, or their successors, can move towards more planet- and people-friendly policies, but they require, ahem, encouragement.

XQuery, which doesn’t depend upon melting data centers, supercomputers, global data vacuuming, etc., can help supply that encouragement.

How would you use XQuery to transform government data to turn it against its originator?

Intro to Low-Level Graphics on Linux – Impressing Spouse’s Family

November 12th, 2017

Intro to Low-Level Graphics on Linux

From the webpage:

This tutorial attempts to explain a few of the possible methods that exist on Linux to access the graphics hardware from a low level. I am not talking about using Xlib instead of GTK+ or QT5, nor am I talking about using DirectFB, I want to go even lower than that; I’m talking about drawing graphics to the screen without needing any external dependencies; I’m talking about communicating directly with the Linux kernel. I will also provide information about programming for newer graphical systems (Wayland/Mir) even though those do not involve direct communication with the kernel drivers. The reason I want to provide this information in this tutorial is that even though their APIs are higher level, the programming techniques used in low-level graphics programming can easily be adapted to work with Wayland and Mir. Also, similar to fbdev and KMS/DRM APIs, good programming resources are hard to come by.

Most Linux systems actually provide a few different methods for drawing graphics to the screen; there are options. However, the problem is that documentation is basically non-existent. So, I would like to explain here what you need to know to get started.

Please note that this tutorial assumes you have a basic knowledge of C, this is not a beginner tutorial, this is for people who are interested in something like learning more about how Linux works, or about programming for embedded systems, or just doing weird experimental stuff for fun.

You can impress your spouse’s family this holiday season by writing C code for low-level graphics on Linux. They won’t know you are frantically typing comments into the example code and will be suitably impressed when it compiles.

The other reason to mention this is the presence of Linux on embedded systems: industrial controllers, monitoring equipment, and the like. The more comfortable you are with such systems, the easier they will be to explore.
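If you want something on the screen before dinner, here’s a minimal sketch of the fbdev route in Python rather than the tutorial’s C. It assumes /dev/fb0 exists, you are on a text console (not under X/Wayland), you have write permission, and the framebuffer is 32 bits per pixel; check the sysfs entries before trusting any of that:

# Read the framebuffer geometry from sysfs.
with open("/sys/class/graphics/fb0/virtual_size") as f:
    width, height = map(int, f.read().split(","))
with open("/sys/class/graphics/fb0/bits_per_pixel") as f:
    bpp = int(f.read())

assert bpp == 32, "this sketch only handles 32 bpp framebuffers"

# Fill the screen with one color. On typical little-endian 32 bpp
# setups the byte order is B, G, R, X.
pixel = bytes([0xAA, 0x40, 0x00, 0x00])
with open("/dev/fb0", "wb") as fb:
    fb.write(pixel * width * height)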

Enjoy!

Scipy Lecture Notes

November 12th, 2017

Scipy Lecture Notes edited by Gaël Varoquaux, Emmanuelle Gouillart, Olav Vahtras.

From the webpage:

Tutorials on the scientific Python ecosystem: a quick introduction to central tools and techniques. The different chapters each correspond to a 1 to 2 hours course with increasing level of expertise, from beginner to expert.

In PDF format, some six-hundred and fifty-seven pages of top quality material on Scipy.

In addition to the main editors, there are fourteen chapter editors and seventy-three contributors.
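For a two-minute taste before you grab the PDF, here’s a minimal sketch in the spirit of the early chapters (my example, not one from the notes): fitting a noisy curve with scipy.optimize.

import numpy as np
from scipy import optimize

def model(x, amplitude, frequency):
    return amplitude * np.sin(frequency * x)

# Fake some noisy measurements, then recover the parameters.
rng = np.random.RandomState(42)
x = np.linspace(0, 10, 200)
y = model(x, 2.5, 1.3) + 0.2 * rng.randn(x.size)

params, _ = optimize.curve_fit(model, x, y, p0=[1.0, 1.0])
print("fitted amplitude, frequency:", params)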

Good documentation needs maintenance, so if you have improvements or examples to offer, perhaps your name will appear here in the not-too-distant future.

Enjoy!

Azeria-Labs VM – Naked Ubuntu VM w/ emulated ARMv6l

November 12th, 2017

Azeria-Labs VM – Naked Ubuntu VM w/ emulated ARMv6l by Azeria.

From the webpage:

Let me guess, you don’t want to bother with any of this and just want a ready-made Ubuntu VM with all QEMU stuff setup and ready-to-play. Very well. The first Azeria-Labs VM is ready. It’s a naked Ubuntu VM containing an emulated ARMv6l.

This VM is also for those of you who tried emulating ARM with QEMU but got stuck for inexplicable linux reasons. I understand the struggle, trust me.

It’s Sunday evening here and I have conference calls tomorrow. 🙁

Still, I wanted to pass on the news about the Azeria-Labs VM and Azeria’s pointer to “ARM” challenges at Root Me.

Enjoy!

Beginner’s Guide to Exploitation on ARM

November 12th, 2017

Beginner’s Guide to Exploitation on ARM by Billy Ellis.

From the website:

‘Beginner’s Guide to Exploitation on ARM’ is a beginner-friendly book aimed at individuals who are interested in learning the core concepts behind software vulnerability analysis & exploit development.

It explains everything from the basics of the ARM architecture to the various methods of exploitation used to take advantage of memory corruption vulnerabilities within modern systems today, using diagrams and example applications along the way to ensure that each chapter is easy to follow!

Judging from the rave reviews on Twitter and other forums, the time to order is now!

We’re all expecting relatives for the holiday season, at least in the US and Europe, so why not treat yourself to some reading material?

I will be posting more on this book after it arrives.

Enjoy!

WiMonitor – Hacker Arsenal, Design Suggestions

November 12th, 2017

WiMonitor

From the webpage:

WiMonitor makes Wi-Fi packet sniffing and network monitoring dead simple!

Once configured the device automatically scans channels 1-13 in the 2.4GHz band, captures packets and sends them to a remote IP address over Ethernet for further processing. The encapsulation is compatible with Wireshark so you can analyze Wi-Fi traffic using it.

More information on how to get started: Getting Started Guide.

Design Suggestions:

I’m not the artistic type but I do have a couple of suggestions for the housing of the WiMonitor.

Stock image from website:

Right, let’s make the case a bright white, put “Hacker Arsenal” with a bright graphic on the top surface, add labels for WAN/LAN and USB (those are so hard to recognize otherwise), and of course a power light to attract attention.

Sigh. I guess it would go well with your standard work shirt:

Those c-suite types won’t notice you at all. Completely invisible.

If you strive to be a little less noticeable, ask Hacker Arsenal for a little less obvious WiMonitor. Something along these lines:

First, a black case, lose the cover as well:

(Yes, I need to work on my graphic editing skills. 😉 )

Second, make an internal USB connection sufficient for a 256GB USB thumb drive, add a battery for power, and lose the power light.

Make it drop-and-retrieve ready.

Now that would be a hot package!

Hacking 90% of the Commercial Air Fleet

November 12th, 2017

Short notice for the holiday travel season but 90% of the commercial air fleet can be hacked without insider or physical access.

Boeing 757 Testing Shows Airplanes Vulnerable to Hacking, DHS Says by Calvin Biesecker.

While the research is classified (making this a CTF-type problem), Biesecker reports these broad hints:


“[Which] means I didn’t have anybody touching the airplane, I didn’t have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft.” Hickey said the details of the hack and the work his team are doing are classified, but said they accessed the aircraft’s systems through radio frequency communications, adding that, based on the RF configuration of most aircraft, “you can come to grips pretty quickly where we went” on the aircraft.

The aircraft that DHS is using for its tests is a legacy Boeing 757 commercial plane purchased by the S&T branch. After his speech at the CyberSat Summit, Hickey told Avionics sister publication Defense Daily that the testing is with the aircraft on the ground at the airport in Atlantic City, New Jersey. The initial response from experts was, “’We’ve known that for years,’” and, “It’s not a big deal,” Hickey said.

But in March 2017, at a technical exchange meeting, he said seven airline pilot captains from American Airlines and Delta Air Lines in the room had no clue.

“All seven of them broke their jaw hitting the table when they said, ‘You guys have known about this for years and haven’t bothered to let us know because we depend on this stuff to be absolutely the bible,’” Hickey said.

Terminology for researching this issue can be found in Boeing 757 Operations Manual Volume 2, sections 5.40.1 and 5.50.1. Hardware for testing your hack can be found at one or more aircraft boneyards. Or you can always purchase new systems and advice.

No need to rush for fear of patching:

…Patching avionics subsystem on every aircraft when a vulnerability is discovered is cost prohibitive, Hickey said.

The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement. For Southwest Airlines, whose fleet is based on Boeing’s 737, it would “bankrupt” them if a cyber vulnerability was specific to systems on board 737s, he said, adding that other airlines that fly 737s would also see their earnings hurt. Hickey said newer models of 737s and other aircraft, like Boeing’s 787 and the Airbus Group A350, have been designed with security in mind, but that legacy aircraft, which make up more than 90% of the commercial planes in the sky, don’t have these protections.

Aircraft also represent different challenges for cybersecurity and traditional land-based networks, Hickey said. He said that whether it’s the U.S. Air Force or the commercial sector, there are no maintenance crews that can deal with ferreting out cyber threats aboard an aircraft.

No one checking for vulnerabilities and if discovered too expensive to fix?

Sounds like a hacker’s wet dream.

Have Orwell‘s pigs built their palaces out of straw?

PS: The meaning of “hack” when used by the DHS isn’t clear. It could mean bad temperature or location information, up to and including interference with flight control systems (highly unlikely). Interference with flight control systems is more likely to be a feature of the F-35.

Antivirus Engines Have Design Flaws?

November 12th, 2017

Antivirus Engine Design Flaw Helps Malware Sink Its Teeth Into Your System by Catalin Cimpanu.

Cimpanu routs the chest-beating of antivirus vendors with this report on a design flaw common to Windows antivirus products. The flaw was code-named AVGater by its discoverer, Florian Bogner, who also created a colorful logo for the vulnerability:

(Source: #AVGater: Getting Local Admin by Abusing the Anti-Virus Quarantine by Florian Bogner)

Cimpanu gives a high-level summary and Bogner provides more details to support further investigation of this design flaw. An incomplete list of impacted vendors: Trend Micro, Emsisoft, Kaspersky Lab, Malwarebytes, Ikarus, and Zone Alarm by Check Point.

So the answer is yes, antivirus engines do have design, and other, flaws.

Antivirus and other security software increase the available attack surface for the discovery of flaws and vulnerabilities.

If your antivirus or security software vendor denies increasing your attack surface, best you consider another vendor.

Practical advice for analysis of large, complex data sets [IC tl;dr]

November 11th, 2017

Practical advice for analysis of large, complex data sets by Patrick Riley.

From the post:

For a number of years, I led the data science team for Google Search logs. We were often asked to make sense of confusing results, measure new phenomena from logged behavior, validate analyses done by others, and interpret metrics of user behavior. Some people seemed to be naturally good at doing this kind of high quality data analysis. These engineers and analysts were often described as “careful” and “methodical”. But what do those adjectives actually mean? What actions earn you these labels?

To answer those questions, I put together a document shared Google-wide which I optimistically and simply titled “Good Data Analysis.” To my surprise, this document has been read more than anything else I’ve done at Google over the last eleven years. Even four years after the last major update, I find that there are multiple Googlers with the document open any time I check.

Why has this document resonated with so many people over time? I think the main reason is that it’s full of specific actions to take, not just abstract ideals. I’ve seen many engineers and analysts pick up these habits and do high quality work with them. I’d like to share the contents of that document in this blog post.

A great post, and one that should be read and re-read until it becomes second nature.

I wave off the intelligence community (IC) with tl;dr because intelligence conclusions are policy artifacts, not facts.

The best data science practices in the world have no practical application in intelligence circles, unless they support the desired conclusions.

Rather than sully data science, intelligence communities should publish their conclusions and claim the evidence cannot be shared.

Before you leap to defend the intelligence community, recall their lying about mass surveillance of Americans, lying about weapons of mass destruction in Iraq, numerous lies about US activities in Vietnam (before 50K+ Americans and millions of Vietnamese were killed).

The question to ask about American intelligence community reports isn’t whether they are lies (they are), but why they are lying.

For those interested in data driven analysis, follow Riley’s advice.

eXist-db Docker Image Builder

November 11th, 2017

eXist-db Docker Image Builder

From the webpage:

Pre-built eXist-db Docker images have been published on Docker Hub. You can skip to Running an eXist-db Docker Image if you just want to use the provided Docker images.

Whether you want to ease your use of eXist-db or create a customized distribution of eXist-db, complete with additional resources, this rocks.

Who Has More Government Censorship of Social Media, Canada or US?

November 10th, 2017

Federal government blocking social media users, deleting posts by Elizabeth Thompson.

From the post:

Canadian government departments have quietly blocked nearly 22,000 Facebook and Twitter users, with Global Affairs Canada accounting for nearly 20,000 of the blocked accounts, CBC News has learned.

Moreover, nearly 1,500 posts — a combination of official messages and comments from readers — have been deleted from various government social media accounts since January 2016.

However, there could be even more blocked accounts and deleted posts. In answer to questions tabled by Opposition MPs in the House of Commons, several departments said they don’t keep track of how often they block users or delete posts.

It is not known how many of the affected people are Canadian.

It’s also not known how many posts were deleted or users were blocked prior to the arrival of Prime Minister Justin Trudeau’s government.

But the numbers shed new light on how Ottawa navigates the world of social media — where it can be difficult to strike a balance between reaching out to Canadians while preventing government accounts from becoming a destination for porn, hate speech and abuse.

US Legal Issues

Davison v. Loudoun County Board of Supervisors

Meanwhile, south of the Canadian border, last July (2017), a US district court decision was covered under the headline: Federal Court: Public Officials Cannot Block Social Media Users Because of Their Criticism.


Davison v. Loudoun County Board of Supervisors (Davidson) involved the chair of the Loudoun County Board of Supervisors, Phyllis J. Randall. In her capacity as a government official, Randall runs a Facebook page to keep in touch with her constituents. In one post to the page, Randall wrote, “I really want to hear from ANY Loudoun citizen on ANY issues, request, criticism, compliment, or just your thoughts.” She explicitly encouraged Loudoun residents to reach out to her through her “county Facebook page.”

Brian C. Davidson, a Loudon denizen, took Randall up on her offer and posted a comment to a post on her page alleging corruption on the part of Loudoun County’s School Board. Randall, who said she “had no idea” whether Davidson’s allegations were true, deleted the entire post (thereby erasing his comment) and blocked him. The next morning, she decided to unblock him. During the intervening 12 hours, Davidson could view or share content on Randall’s page but couldn’t comment on its posts or send it private messages.

Davidson sued, alleging a violation of his free speech rights. As U.S. District Judge James C. Cacheris explained in his decision, Randall essentially conceded in court that she had blocked Davidson “because she was offended by his criticism of her colleagues in the County government.” In other words, she “engaged in viewpoint discrimination,” which is generally prohibited under the First Amendment.

Blocking of Twitter users by President Trump has led to other litigation.

Knight First Amendment Institute at Columbia University v. Trump (1:17-cv-05205)

You can track filings in Knight First Amendment Institute at Columbia University v. Trump courtesy of the Court Listener Project. Please put the Court Listener Project on your year-end donation list.

US Factual Issues

The complaint outlines the basis for the case, both legal and factual, but does not recite any data on blocking of social media accounts by federal agencies. It wouldn’t have to, since that data isn’t really relevant to the issue at hand, but it would be useful to know the standard practice among US government agencies.

I can suggest where to start looking for that answer: the U.S. Digital Registry, which, as of today, lists 10,877 social media accounts.

You could also file FOIA requests with the agencies in question for lists of blocked accounts.

Twitter won’t allow you to see the list of blocked users for accounts other than your own. Of course, that rule depends on your level of access. You’ll find similar situations for other social media providers.

Assuming you obtain blocked-user lists by official or self-help means, comparing blocked users across agencies, by their demographics, etc., would make a nice data-driven journalism project. Yes?
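As a starting point, here’s a hedged sketch of the comparison step, assuming you have already pried per-agency lists of blocked handles into CSV files (the filenames and the one-handle-per-row layout are my invention):

import csv
from collections import Counter

agency_files = {
    "state": "state_blocked.csv",
    "epa": "epa_blocked.csv",
    "interior": "interior_blocked.csv",
}

blocked = {}
for agency, path in agency_files.items():
    with open(path, newline="") as f:
        blocked[agency] = {row[0].strip().lstrip("@").lower()
                           for row in csv.reader(f) if row}

# Handles blocked by more than one agency are the interesting ones.
counts = Counter(h for handles in blocked.values() for h in handles)
for handle, n in counts.most_common():
    if n > 1:
        print(handle, "blocked by", n, "agencies")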

New Maltese Investigative News Website – Security Suggestions

November 10th, 2017

Three Experienced Maltese Journalists Open Investigative News Website by Tim Diacono.

From the post:


“The vile execution of journalist Daphne Caruana Galizia is a wakeup call for civic action, to stop the greed and the rot and to assert the power of the pen over the might of criminals who want us to remain silent as they pile up their profits,” the journalists wrote in their first editorial. “It was nothing short of a declaration of war on our serenity and freedom to stand up to be counted.”

“We have come together to create The Shift months ago thinking that there could not have been a better time for a nonpartisan voice with a clear agenda for good governance, which speaks its truth to power respectfully but firmly, keeping a distance from economic and partisan agendas. We never could have anticipated that our country would descend into this nightmare,” they added.

“We have decided to take the plunge now because we also want to contribute to the civic awakening which followed the brutal elimination of a journalist who spoke her truths to power. We do not seek to step in Daphne Caruana Galizia’s shoes and our style and approach is very different. But we promise to honour the best part of her legacy, that of being a thorn in the side… of whoever is in power.”

To the extent The Shift can be “…a thorn in the side… of whoever is in power,” I’m all for it.

On the other hand, the organizers of The Shift should consider working with an umbrella organization that provides basic security.

The Shift’s organizers should retain their independence, but their current site has some glaring flaws (a script like the sketch after this list will confirm the first item):

  1. http:// instead of https://
  2. No PGP key for encrypted email
  3. No secure drop box for leaks
  4. No advice on secure contacts
  5. Contact form requires name and email?
  6. … others I’m sure…
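A quick way to check the first item (and some related hardening) yourself is a minimal Python sketch that follows redirects and inspects the response headers. The URL below is a placeholder; substitute The Shift’s actual address:

import requests

SITE = "http://example-news-site.com"  # placeholder, not The Shift's real URL

resp = requests.get(SITE, allow_redirects=True, timeout=10)
print("final URL:", resp.url)
print("served over HTTPS:", resp.url.startswith("https://"))

# Headers a security-conscious news site should be sending.
for header in ("Strict-Transport-Security",
               "Content-Security-Policy",
               "X-Frame-Options"):
    print(header, "->", resp.headers.get(header, "MISSING"))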

The Global Investigative Journalism Network (GIJN) maintains a great list of Digital Security resources.

Even if someone else in your organization is tasked with digital security, have a nodding acquaintance with the GIJN resources and revisit them on a regular basis.

Don’t be a passive consumer of security services.

Passive consumers of security services are also known as “victims.”

Introduction To ARM Assembly Basics [The Weakest Link?]

November 10th, 2017

Introduction To ARM Assembly Basics

The latest security fails by Intel and Microsoft capture media and blog headlines but ARM devices are more numerous.

ARM devices, like a Windows server in an unlocked closet, may be the weakest link in your next target.

From the webpage:

Welcome to this tutorial series on ARM assembly basics. This is the preparation for the followup tutorial series on ARM exploit development. Before we can dive into creating ARM shellcode and build ROP chains, we need to cover some ARM Assembly basics first.

The following topics will be covered step by step:

ARM Assembly Basics Tutorial Series:
Part 1: Introduction to ARM Assembly
Part 2: Data Types Registers
Part 3: ARM Instruction Set
Part 4: Memory Instructions: Loading and Storing Data
Part 5: Load and Store Multiple
Part 6: Conditional Execution and Branching
Part 7: Stack and Functions

To follow along with the examples, you will need an ARM based lab environment. If you don’t have an ARM device (like Raspberry Pi), you can set up your own lab environment in a Virtual Machine using QEMU and the Raspberry Pi distro by following this tutorial. If you are not familiar with basic debugging with GDB, you can get the basics in this tutorial. In this tutorial, the focus will be on ARM 32-bit, and the examples are compiled on an ARMv6.

Why ARM?

This tutorial is generally for people who want to learn the basics of ARM assembly. Especially for those of you who are interested in exploit writing on the ARM platform. You might have already noticed that ARM processors are everywhere around you. When I look around me, I can count far more devices that feature an ARM processor in my house than Intel processors. This includes phones, routers, and not to forget the IoT devices that seem to explode in sales these days. That said, the ARM processor has become one of the most widespread CPU cores in the world. Which brings us to the fact that like PCs, IoT devices are susceptible to improper input validation abuse such as buffer overflows. Given the widespread usage of ARM based devices and the potential for misuse, attacks on these devices have become much more common.

Yet, we have more experts specialized in x86 security research than we have for ARM, although ARM assembly language is perhaps the easiest assembly language in widespread use. So, why aren’t more people focusing on ARM? Perhaps because there are more learning resources out there covering exploitation on Intel than there are for ARM. Just think about the great tutorials on Intel x86 Exploit writing by Fuzzy Security or the Corelan Team – Guidelines like these help people interested in this specific area to get practical knowledge and the inspiration to learn beyond what is covered in those tutorials. If you are interested in x86 exploit writing, the Corelan and Fuzzysec tutorials are your perfect starting point. In this tutorial series here, we will focus on assembly basics and exploit writing on ARM.

Don’t forget to follow Azeria on Twitter, or her RSS Feed.

Enjoy!

PS: She recently posted a really cool cheatsheet: Assembly Basics Cheatsheet. I’m going to use it to lobby (myself) for a pair of 32″ monitors so I can enlarge it on one screen and have a non-scrolling display. (Suggestions on the monitors?)

Open Ownership Project

November 9th, 2017

Open Ownership Project

From about page:

OpenOwnership is driven by a steering group composed of leading transparency NGOs, including Global Witness, Open Contracting Partnership, Web Foundation, Transparency International, the ONE Campaign, and the B Team, as well as OpenCorporates.

OpenOwnership’s central goal is to build an open Global Beneficial Ownership Register, which will serve as an authoritative source of data about who owns companies, for the benefit of all. This data will be global and linked across jurisdictions, industries, and linkable to other datasets too.

Alongside the register, OpenOwnership is developing a universal and open data standard for beneficial ownership, providing a solid conceptual and practical foundation for collecting and publishing beneficial ownership data.

I first visited the Open Ownership Project site following two (of four) posts on verifying beneficial ownership.

What we really mean when we talk about verification (Part 1 of 4) by Zosia Sztykowski and Chris Taggart.

From the post:

This is the first of a series of blog posts in which we will discuss the critical but tricky issue of verification, particularly with respect to beneficial ownership.

‘Verification’ is frequently said to be a critical step in generating high-quality beneficial ownership information. What’s less clear is what is actually meant by verification, and what are the key factors in the process. In fact, verification is not one step, but three:

  1. Ensuring that the person making a statement about beneficial ownership is who they say they are, and that they have the right to make the claim (authentication and authorization);

  2. Ensuring that the data submitted is a legitimate possible value (validation);

  3. Verifying that the statement made is actually true (which we will call truth verification).

Another critical factor is whether these processes are done on individual filings, typically hand-written pieces of paper, or their PDF equivalents, or whole datasets of beneficial ownership data. While verification processes are possible on individual filings, this series will show that that public, digital, structured beneficial ownership data adds an additional layer of verification not possible with traditional filings.

Understanding precisely how verification takes place in the lifecycle of a beneficial ownership datum is an important step in knowing what beneficial ownership data can tell us about the world. Each of the stages above will be covered in more detail in this series, but let’s linger on the final one for a moment.

What we really mean when we talk about verification: Authentication & authorization (Part 2 of 4)

In the first post in this series on the principles of verification, particularly relating to beneficial ownership, we explained why there is no guarantee that any piece of beneficial ownership data is the absolute truth.

The data collected is still valuable, however, providing it is made available publicly as open data, as it exposes lies and half-truths to public scrutiny, raising red flags that indicate potential criminal or unethical activity.

We discussed a three-step process of verification:

  1. Ensuring that the person making a statement about beneficial ownership is who they say they are (authentication), and that they have the right to make the claim (authorization);

  2. Ensuring that the data submitted is a legitimate possible value (validation);

  3. Verifying that the statement made is actually true (which we will call truth verification).

In this blog post, we will discuss the first of these, focusing on how to tell who is actually making the claims, and whether they are authorized to do so.

When authentication and authorization have been done, you can approach the information with more confidence. Without them, you may have little better than anonymous statements. Critically, with them, you can also increase the risks for those who wish to hide their true identities and the nature of their control of companies.

Parts 3 and 4 are forthcoming (as of 9 November 2017).

A beta version of the Beneficial Ownership Data Standard (BODS) was released last April (2017). A general overview appeared in June, 2017: Introducing the Beneficial Ownership Data Standard.

Identity issues are rife in ownership data, so when planning your volunteer activity for 2018, keep the Open Ownership project in mind.
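If you are looking for a concrete way to pitch in, step 2 (validation) is very automatable. Here is a hedged sketch of field-level checks; the field names are mine, not the BODS beta schema, so map them onto the real standard before relying on it:

from datetime import date

def validate_statement(stmt):
    """Return a list of validation problems for one ownership statement."""
    problems = []

    share = stmt.get("ownership_share_percent")
    if share is None or not (0 < share <= 100):
        problems.append("ownership share must be a percentage in (0, 100]")

    born = stmt.get("birth_year")
    if born is not None and not (1900 <= born <= date.today().year - 16):
        problems.append("birth year implies an implausible age for an owner")

    if not stmt.get("jurisdiction"):
        problems.append("missing jurisdiction code")

    return problems

# An obviously bad statement, to show the checks firing.
print(validate_statement({"ownership_share_percent": 140, "birth_year": 2015}))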

Flight rules for git – How to Distinguish Between Astronauts and Programmers

November 9th, 2017

Flight rules for git by Kate Hudson.

From the post:

What are “flight rules”?

A guide for astronauts (now, programmers using git) about what to do when things go wrong.

Flight Rules are the hard-earned body of knowledge recorded in manuals that list, step-by-step, what to do if X occurs, and why. Essentially, they are extremely detailed, scenario-specific standard operating procedures. […]

NASA has been capturing our missteps, disasters and solutions since the early 1960s, when Mercury-era ground teams first started gathering “lessons learned” into a compendium that now lists thousands of problematic situations, from engine failure to busted hatch handles to computer glitches, and their solutions.

— Chris Hadfield, An Astronaut’s Guide to Life.

Hudson devises an easy test to distinguish between astronauts and programmers:

Astronauts – missteps, disasters and solutions are written down.

Programmers – missteps, disasters and solutions are programmer/sysadmin lore.

With Usenet and Stack Overflow, you can argue programmers have improved, but it’s hardly been systematic. Even so, it depends on a “good” query returning few enough “hits” to be useful.

Hudson is capturing “flight rules” for git.

Act like an astronaut and write down your missteps, disasters and solutions.

NASA made it to the moon and beyond by writing things down.

Who knows?

Writing down software missteps, disasters and solutions may help render all systems transparent, willingly or not.

A Primer for Computational Biology

November 9th, 2017

A Primer for Computational Biology by Shawn T. O’Neil.

From the webpage:

A Primer for Computational Biology aims to provide life scientists and students the skills necessary for research in a data-rich world. The text covers accessing and using remote servers via the command-line, writing programs and pipelines for data analysis, and provides useful vocabulary for interdisciplinary work. The book is broken into three parts:

  1. Introduction to Unix/Linux: The command-line is the “natural environment” of scientific computing, and this part covers a wide range of topics, including logging in, working with files and directories, installing programs and writing scripts, and the powerful “pipe” operator for file and data manipulation.
  2. Programming in Python: Python is both a premier language for learning and a common choice in scientific software development. This part covers the basic concepts in programming (data types, if-statements and loops, functions) via examples of DNA-sequence analysis. This part also covers more complex subjects in software development such as objects and classes, modules, and APIs.
  3. Programming in R: The R language specializes in statistical data analysis, and is also quite useful for visualizing large datasets. This third part covers the basics of R as a programming language (data types, if-statements, functions, loops and when to use them) as well as techniques for large-scale, multi-test analyses. Other topics include S3 classes and data visualization with ggplot2.

Pass along to life scientists and students.
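To give a taste of the Part 2 material, here’s a minimal sketch (mine, not the book’s) of the kind of DNA-sequence work it teaches: GC content and reverse complement.

COMPLEMENT = {"A": "T", "T": "A", "G": "C", "C": "G"}

def gc_content(seq):
    """Fraction of G and C bases in a DNA sequence."""
    seq = seq.upper()
    return (seq.count("G") + seq.count("C")) / len(seq)

def reverse_complement(seq):
    """Reverse complement of a DNA sequence (A<->T, G<->C, then reversed)."""
    return "".join(COMPLEMENT[base] for base in reversed(seq.upper()))

dna = "ATGCGTACGTTAGC"
print("GC content:", round(gc_content(dna), 3))
print("Reverse complement:", reverse_complement(dna))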

This isn’t a primer that separates the CS material from domain-specific examples and prose; adaptation to another domain is a matter of re-writing.

I assume an adaptable primer wasn’t the author’s intention, so that isn’t a criticism but an observation: basic material is written over and over again, needlessly.

I first saw this in a tweet by Christophe Lalanne.

Encouraging CS Careers – Six Backdoors in Less Than an Hour!

November 9th, 2017

Farmers Insurance as a source of inspirational CS stories? If you doubt the answer is yes, you haven’t read: “I HAD SIX BACKDOORS INTO THEIR NETWORK IN LESS THAN AN HOUR” by Jason Kersten.

From the post:

Hired hackers share real-world stories of breaking into computer systems (legally) through phishing scams and other high-tech mischief

It was a moment that would likely make any bank robber’s or computer hacker’s head spin: Joshua Crumbaugh talked his way behind the teller windows of a small bank in Maryland by posing as an IT technician working on the bank’s email system. As he installed malware designed to give him even more illegal access to the bank’s systems, he noticed the door to the vault was open. When no one was looking, he walked in. Piles of cash filled shelves, all within easy reach.

He turned around, held out his phone, and took a selfie. Later, he sent the picture to the bank’s CEO.

Fortunately, no crime had been committed. The CEO had hired Crumbaugh, a penetration tester (also known as a “pen tester”), to test the bank’s security. In his 10 years as a pen tester and CEO of PeopleSec, Crumbaugh has hacked everything from an NBA stadium to an oil rig. For the bank test, he identified the bank’s Internet Service Provider, called the bank pretending to be from the ISP’s customer service department, and set up a service appointment. “They were overly trusting,” says Crumbaugh, noting the bank’s own IT guy had also given him remote access to its systems without checking his credentials.

According to the 2016 State of Cybersecurity in Small & Medium-Sized Businesses report from the Ponemon Institute, a research center for global privacy, data and IT security issues, more than half of the 598 businesses surveyed had experienced a cyber attack in the prior year. A full half of respondents experienced data breaches involving customer and employee information. The companies surveyed spent an average of $900,000 cleaning up the mess, and many spent an additional $1 million to pay for disrupted workflow as a consequence of the security issues.

Teachers in middle or high school need only read the first story and allude to the others to have a diverse group of students clamoring to read the post.

There are boring CS careers where you squint at a lot of math, but this article highlights more exciting lifestyles for those with CS training.

Here’s an inspiration picture to go with your pitch:

More details to go with the image: Inside the Secret Vault: $70 Billion in Gold.

Warn your students about the false claim that cybersecurity benefits everyone.

Correction: Cybersecurity benefits everyone who is happy with the current distribution of rewards and stripes.

People who are not happy with it, not so much.

Tanenbaum on Intel MINIX – Discourtesy is its Own Reward

November 9th, 2017

Andrew S. Tanenbaum has posted An Open Letter to Intel on its incorporation of a modified version of MINIX into its chips.

Tanenbaum points out that Intel’s conduct in this case is clearly permitted by the Berkeley license of MINIX, but he has a valid point: common courtesy dictates that a personal note from Intel about the widespread deployment of MINIX would have been a nice touch.

In this case, discourtesy carried its own reward: Intel adapted an older version of MINIX, perhaps not as robust and secure as a later release, to lie at the heart of its chips. That is the sort of flaw a courteous note, which Intel never sent, might have surfaced.

The mother lode of resources on earlier (and current) versions of MINIX is: http://www.minix3.org/.

How widely deployed is the Intel version of MINIX? Aditya Tiwari says:


After the release of MINIX 3, it is being developed as Microkernel OS. You can find MINIX 3 running inside every Intel-powered desktop, laptop or server launched after 2015. This surely gives it the title of the most used operating system in the world. Although, you don’t use it at all.
… (What Is MINIX? Is The World’s Most Used OS A Threat?)

I haven’t located a “chips shipped with MINIX” number so if you see one, ping me with the source.

Do be courteous, even if not required by license.

Otherwise, you may “pull an Intel” as this mistake will come to be known.