Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

October 10, 2018

Passwords: Philology, Security, Authentication

Filed under: Cryptography,Humanities,Security — Patrick Durusau @ 4:29 pm

Passwords: Philology, Security, Authentication by Brian Lennon.

Disclaimer: I haven’t seen Passwords yet, but its description and reviews prompted me to mention it here.

That and finding an essay with the same title, verbatim, by the same author, published in Diacritics, Volume 43.1 (2015) 82-104. Try: Passwords: Philology, Security, Authentication. (Hosted on the Academia site, so you will need an account (free) to download the essay (also free).)

From the publisher:

Cryptology, the mathematical and technical science of ciphers and codes, and philology, the humanistic study of natural or human languages, are typically understood as separate domains of activity. But Brian Lennon contends that these two domains, both concerned with authentication of text, should be viewed as contiguous. He argues that computing’s humanistic applications are as historically important as its mathematical and technical ones. What is more, these humanistic uses, no less than cryptological ones, are marked and constrained by the priorities of security and military institutions devoted to fighting wars and decoding intelligence.

Lennon’s history encompasses the first documented techniques for the statistical analysis of text, early experiments in mechanized literary analysis, electromechanical and electronic code-breaking and machine translation, early literary data processing, the computational philology of late twentieth-century humanities computing, and early twenty-first-century digital humanities. Throughout, Passwords makes clear the continuity between cryptology and philology, showing how the same practices flourish in literary study and in conditions of war.

Lennon emphasizes the convergence of cryptology and philology in the modern digital password. Like philologists, hackers use computational methods to break open the secrets coded in text. One of their preferred tools is the dictionary, that preeminent product of the philologist’s scholarly labor, which supplies the raw material for computational processing of natural language. Thus does the historic overlap of cryptology and philology persist in an artifact of computing—passwords—that many of us use every day.

Reviews (from the website):

“Passwords is a fascinating book. What is especially impressive is the author’s deft and knowing engagements with both the long histories of computational text processing and the many discourses that make up literary philology. This is just the sort of work that the present mania for the digital demands, and yet books that actually live up to those demands are few and far between. Lennon is one of the few scholars who is even capable of managing that feat, and he does so here with style and erudition.”—David Golumbia, Virginia Commonwealth University

“A stunning intervention, Passwords rivets our attention to the long history of our present fascination with the digital humanities. Through a series of close, contextual readings, from ninth-century Arabic philology and medieval European debates on language to twentieth-century stylometry and machine translation, this book recalls us to a series of engagements with language about which ‘all of us—we scholars, we philologists,’ as Lennon puts it, ought to know more. Passwords is eloquent and timely, and it offers a form of deep, institutional-lexical study, which schools us in a refusal to subordinate scholarship in the humanities to the identitarian and stabilizing imperatives of the national-security state.”—Jeffrey Sacks, University of California, Riverside

Not surprisingly, I think a great deal was lost when the humanities, especially those areas focused on language, stopped interacting with computer science. Sometime after the development of the first compilers, but I don’t know that history in detail. Suggested reading?

Dodging Paywalls: Zotero Adds Improved PDF Retrieval

Filed under: Open Source,Zotero — Patrick Durusau @ 2:57 pm

How often do you hit paywalls? Every week? Every day?

You find an article of interest to ~200 researchers in your sub-field and the publisher wants $39.95 for you to “buy” the article. The research was free to the publisher, usually supported by public grants. The copy editing and peer review were free to the publisher. Yet they are squatting like Cerberus over value they didn’t create.

Not quite Hercules or Virgil, but Zotero makes it easier to find open-access PDFs to replace those behind paywalls.

Improved PDF retrieval with Unpaywall integration

From the post:

As an organization dedicated to developing free and open-source research tools, we care deeply about open access to scholarship. With the latest version of Zotero, we’re excited to make it easier than ever to find PDFs for the items in your Zotero library.

While Zotero has always been able to download PDFs automatically as you save items from the web, these PDFs are often behind publisher paywalls, putting them out of reach of many people.

Enter Unpaywall, a database of legal, full-text articles hosted by publishers and repositories around the world. Starting in Zotero 5.0.56, if you save an item from a webpage where Zotero can’t find or access a PDF, Zotero will automatically search for an open-access PDF using data from Unpaywall.

Which reminds me, I need to upgrade my current Zotero installation!

Don’t forget to harry, harass and penalize those who seek to deny access to materials being produced on 17th century economic models. Whatever befalls them, it won’t be severe enough.

Microsoft Open-Sources Patent Portfolio: OIN ~1,300 + 60,000 = ~61,300 Patents

Filed under: Open Source,Patents — Patrick Durusau @ 1:06 pm

Kudos! Microsoft Open-Sources Patent Portfolio by Steven J Vaughan-Nichols.

From the post:

Several years ago, I said the one thing Microsoft has to do — to convince everyone in open source that it’s truly an open-source supporter — is stop using its patents against Android vendors. Now, it’s joined the Open Invention Network (OIN), an open-source patent consortium. Microsoft has essentially agreed to grant a royalty-free and unrestricted license to its entire patent portfolio to all other OIN members.

Before Microsoft joined, OIN had more than 2,650 community members and owns more than 1,300 global patents and applications. OIN is the largest patent non-aggression community in history and represents a core set of open-source intellectual-property values. Its members include Google, IBM, Red Hat, and SUSE. The OIN patent license and member cross-licenses are available royalty-free to anyone who joins the OIN community.

In a conversation, Erich Andersen, Microsoft’s corporate vice president and chief intellectual property (IP) counsel — that is, Microsoft’s top patent person — added: We “pledge our entire patent portfolio to the Linux system. That’s not just the Linux kernel, but other packages built on it.”

This is huge

How many patents does this affect? Andersen said Microsoft is bringing 60,000 patents to OIN. (emphasis in original)

If approximately 1,300 patents attracted members to Open Invention Network (OIN), imagine the attractive force exerted by an additional 60,000!

Suggestion: None of us are who we were yesterday, much less ten or twenty years ago. Let’s take these new facts on the patent landscape and move forward.

Discussions of “could have, should have, what if had, etc.,” are non-contributions to building a new tomorrow.

October 9, 2018

Are You A “Lesser Skilled” Hacker? [Build Your Own Car Did Ya?]

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 7:04 pm

Lesser Skilled Cybercriminals Adopt Nation-State Hacking Methods by Jai Vijayan.

From this long prose ad for CrowdStrike:

Relatively unskilled, criminally motivated hackers are increasingly adopting the tactics, techniques and procedures (TTPs) typically used by more sophisticated nation-state backed adversaries.

New analysis by security vendor CrowdStrike’s Falcon OverWatch threat-hunting team of intrusion detection engagements at customer locations between January and June this year shows a continued blurring of lines between methods employed by criminals and known nation-state actors.

This trend spells trouble for enterprises because it means that no one is really safe from sophisticated attacks, says Jennifer Ayers, vice president of CrowdStrike’s OverWatch and security response team. “Sophisticated techniques are becoming a little more commoditized,” she says. “Anything goes. Anyone can be a target.”

One example is cybercriminals increasingly using TeamViewer software to gain remote access to targets. TeamViewer is a legitimate tool for connecting to remote computers for desktop sharing and collaboration and enabling remote support, among other uses.

In addition to being gratuitously ugly to hackers who use tools developed by others, Vijayan includes CrowdStrike-attributed remarks about Russian hackers, of course.

When you have no evidence to present, throw off on the Russians. At least this season. Not so long ago it was those masterminds of everything digital, the North Koreans. Then the Chinese, or is it now the Chinese?

Check with the ministry of truth, sorry, Department of Homeland Security to see who the current “enemy” and greatest cyberthreat is today. It changes.

You are very unlikely to have written your own compiler, debugger, or other tools you use in cybersecurity. Building on the work of others, even nation-states, carries no shame.

By analogy, you could claim people are “lesser skilled” drivers because they didn’t assemble their own cars. Try that in a bar and watch other patrons start to edge away from you. Keep it up long enough and you will have public accommodations for the night (jail).

Find, use, build upon and share any “…tactics, techniques and procedures (TTPs)…” that you find, nation-state or otherwise.

So will I.

Weapon Systems Cybersecurity:… [Opportunity Knocks!]

Filed under: Cybersecurity,Hacking,Military,Security — Patrick Durusau @ 4:14 pm

Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities

From the webpage:

The cited reason for the “fictitious weapon system” is “classification reasons.”

Maybe, but identifying weaknesses in named weapon systems encourages use of those security flaws as excuses for flaws in other systems. “Everybody has flaws… You can’t penalize me for a market standard flaw.”

Under the section title: Test Teams Easily Took Control (page 22):


Test teams were able to defeat weapon systems cybersecurity controls meant to keep adversaries from gaining unauthorized access to the systems. In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing. Some programs fared better than others. For example, one assessment found that the weapon system satisfactorily prevented unauthorized access by remote users, but not insiders and near-siders. Once they gained initial access, test teams were often able to move throughout a system, escalating their privileges until they had taken full or partial control of a system. In one case, the test team took control of the operators’ terminals. They could see, in real-time, what the operators were seeing on their screens and could manipulate the system. They were able to disrupt the system and observe how the operators responded. Another test team reported that they caused a pop-up message to appear on users’ terminals instructing them to insert two quarters to continue operating. Multiple test teams reported that they were able to copy, change, or delete system data including one team that downloaded 100 gigabytes, approximately 142 compact discs, of data.

For “security” reasons none of the systems were named, guaranteeing the same failing vendors in the same congressional districts will continue to produce failing weapon systems.

Not only does opportunity knock for present US weapon systems, but additional opportunities await in every country where such systems are sold.

Remember, “…one hour to gain initial access … one day to gain full control….” If that’s not opportunity, I don’t know what is.

October 8, 2018

Hurricane Florence Twitter Dataset – Better Twitter Interface?

Filed under: Data,Tweets,Twitter — Patrick Durusau @ 3:56 pm

Hurricane Florence Twitter Dataset by Mark Edward Phillips.

From the webpage:

This dataset contains Twitter JSON data for Tweets related to Hurricane Florence and the subsequent flooding along the Carolina coastal region. This dataset was created using the twarc (https://github.com/edsu/twarc) package that makes use of Twitter’s search API. A total of 4,971,575 Tweets and 347,205 media files make up the combined dataset.

No hyperlink in the post but see: twarc.

Have you considered using twarc to create a custom Twitter interface for yourself? At present just a thought but once you have the JSON, your ability to manipulate your Twitter feed is limited only by your imagination.

Once a base archive is constructed, create a cron job that updates the base. Not “real time” like Twitter, but then who makes decisions of any consequence in “real time?” You can, but it’s not a good idea.
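As an added example (not from Phillips’s dataset page or the twarc project), here is the merge step such a cron job would run once a new harvest lands: it reads two constructed twarc-style JSONL dumps, de-duplicates on `id_str` so overlapping search windows don’t double-count, orders the result by `created_at`, skips a truncated line left by an interrupted harvest, and offers a keyword search over the archive. The field names follow Twitter’s v1.1 JSON layout (`id_str`, `created_at`, `full_text`, `user.screen_name`); the tweets themselves are constructed.

```python
import json
from datetime import datetime

# Constructed twarc-style JSONL (one tweet object per line). Real twarc
# output carries many more fields; only those used below are included.
# The third BASE line is deliberately truncated to mimic an interrupted harvest.
BASE_JSONL = """\
{"id_str": "1001", "created_at": "Fri Sep 14 12:00:00 +0000 2018", "full_text": "Florence made landfall near Wrightsville Beach", "user": {"screen_name": "wx_demo"}}
{"id_str": "1002", "created_at": "Fri Sep 14 12:05:00 +0000 2018", "full_text": "Flooding reported along the Cape Fear river", "user": {"screen_name": "local_demo"}}
{"id_str": "1003", "created_at": "Fri Sep 14 12:09:00 +0000 2018", "full_te
"""

UPDATE_JSONL = """\
{"id_str": "1002", "created_at": "Fri Sep 14 12:05:00 +0000 2018", "full_text": "Flooding reported along the Cape Fear river", "user": {"screen_name": "local_demo"}}
{"id_str": "1004", "created_at": "Sat Sep 15 08:30:00 +0000 2018", "full_text": "Shelter open at the county high school", "user": {"screen_name": "county_demo"}}
"""

TWITTER_TIME = "%a %b %d %H:%M:%S %z %Y"   # Twitter v1.1 created_at layout


def load_jsonl(text):
    """Parse one tweet object per non-empty line; skip lines that do not parse."""
    tweets = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            tweets.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # truncated line from an interrupted harvest
    return tweets


def merge_archives(base, update):
    """Union of two tweet lists, keyed on id_str, ordered by created_at.

    Overlapping harvests return the same tweet twice (search windows overlap);
    the later harvest wins so updated engagement counts are kept."""
    by_id = {t["id_str"]: t for t in base}
    for t in update:
        by_id[t["id_str"]] = t
    return sorted(by_id.values(),
                  key=lambda t: datetime.strptime(t["created_at"], TWITTER_TIME))


def search(archive, term):
    """Case-insensitive substring search over full_text; returns id_str values."""
    term = term.lower()
    return [t["id_str"] for t in archive if term in t["full_text"].lower()]


if __name__ == "__main__":
    merged = merge_archives(load_jsonl(BASE_JSONL), load_jsonl(UPDATE_JSONL))
    for t in merged:
        print(t["id_str"], t["user"]["screen_name"], t["full_text"])
    print("flood mentions:", search(merged, "flood"))
```

The cron job only has to append each fresh harvest to a file and call `merge_archives` against the stored base; the one-object-per-line layout that `load_jsonl` expects is what twarc writes, so no reformatting step sits in between.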

While you are learning twarc, consider what other datasets you could create.

Slacking Hackers? Google API Bug – 13 Internet Years

Filed under: Cybersecurity,Google+,Hacking — Patrick Durusau @ 3:29 pm

Google chose not to go public about bug that exposed Google Plus users’ data by Graham Cluley.

From the post:


No-one, not even Google, knows for sure how many Google Plus users had their personal data exposed to third-party app developers due to a bug in its API which was present from 2015 until March this year.

But in a blog post seemingly published in an attempt to take some of the sting out of the Wall Street Journal report, Google revealed that – despite approximately 500,000 Google Plus profiles potentially having been affected in just the two weeks prior to patching the bug, and 438 separate third-party applications having had access to the unauthorized Google Plus data – it has not seen any evidence that any profile data was misused.

Estimates of an Internet year vs. a calendar year range from 1 calendar year = 2 Internet years; 1 calendar year = 4.7 Internet years; and, a high of 1 calendar year = 7 Internet years.

To be fair, let’s arbitrarily pick 1 year = 4 Internet years, which means the Google API bug has been around for 13 Internet years.

I’m not a hacker, so I certainly wasn’t helping, but geez. Not that anyone should have pointed the flaw out to Google by any means. Google’s moves to hide the existence of the bug speak volumes about some of us being in ocean-going yachts and others in leaking life rafts.

There is no commonality of interests in computer security between the average user and Google. Google offers security as a commodity (think DoD in the cloud) and whether you are secure, well, have you paid Google for your security?

I’m certain that Google will protest, should they bother to notice, but can you guess who has a financial interest in your free or nearly free reports of security bugs? (Hint: It’s not me.)

I’ve tried to avoid Google+ since its inception so its death won’t impact me.

I do need to set about learning how to check APIs for security flaws. 😉
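Checking an API for this class of flaw comes down to asking, for every field in a response, which grant authorized it. The following is an added illustration, not Google’s code and not its schema: a hypothetical profile endpoint where an app, acting for one user, requests a friend’s profile. The leaky handler answers with everything the user could see; the fixed handler intersects that view with what the app’s granted scope covers, which is the check Google’s own disclosure said was missing (apps received fields shared with the user but not marked public). Profile fields, visibility levels and scope names are constructed for the example.

```python
# Hypothetical profile record: each field carries the visibility its owner set.
# Field names, visibility levels and scope names are constructed for this
# example; they are not Google's schema.
PROFILE = {
    "display_name": {"value": "A. Example", "visibility": "public"},
    "email": {"value": "a@example.test", "visibility": "friends"},
    "occupation": {"value": "Archivist", "visibility": "friends"},
    "birthday": {"value": "1970-01-01", "visibility": "private"},
}

# What each OAuth-style scope entitles an app to read about *other* people.
SCOPE_FIELDS = {
    "profile.public": {"public"},
    "profile.shared": {"public", "friends"},
}


def visible_to_user(profile, viewer_is_friend):
    """Fields a human viewer may see: public ones, plus friends-only if connected."""
    allowed = {"public"} | ({"friends"} if viewer_is_friend else set())
    return {name: f["value"] for name, f in profile.items()
            if f["visibility"] in allowed}


def api_response_leaky(profile, viewer_is_friend, granted_scopes):
    """Buggy handler: answers with the *user's* view and never consults the
    scope the app was actually granted. An app holding only profile.public
    therefore receives friends-only fields whenever its user is a friend."""
    return visible_to_user(profile, viewer_is_friend)


def api_response_fixed(profile, viewer_is_friend, granted_scopes):
    """Hardened handler: the app gets the intersection of the user's view and
    the visibility levels its granted scopes cover. Unknown scopes grant nothing."""
    app_allowed = set()
    for scope in granted_scopes:
        app_allowed |= SCOPE_FIELDS.get(scope, set())
    view = visible_to_user(profile, viewer_is_friend)
    return {name: value for name, value in view.items()
            if profile[name]["visibility"] in app_allowed}


def overexposed_fields(profile, viewer_is_friend, granted_scopes):
    """Review helper: fields the leaky handler returns beyond the fixed one.
    A non-empty result is the finding."""
    leaky = api_response_leaky(profile, viewer_is_friend, granted_scopes)
    fixed = api_response_fixed(profile, viewer_is_friend, granted_scopes)
    return sorted(set(leaky) - set(fixed))


if __name__ == "__main__":
    print("leak with profile.public:", overexposed_fields(PROFILE, True, ["profile.public"]))
    print("leak with profile.shared:", overexposed_fields(PROFILE, True, ["profile.shared"]))
```

The useful habit is the last function: run the endpoint under the narrowest scope a third party can hold, with a viewer who has the widest personal access, and diff the two. Anything the narrow scope still returns is the exposure.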

Cash Spitting ATMs Near You?

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 10:19 am

Bank Servers Hacked to Trick ATMs into Spitting Out Millions in Cash by Swati Khandelwal.

From the post:

The US-CERT has released a joint technical alert from the DHS, the FBI, and Treasury warning about a new ATM scheme being used by the prolific North Korean APT hacking group known as Hidden Cobra.

Hidden Cobra, also known as Lazarus Group and Guardians of Peace, is believed to be backed by the North Korean government and has previously launched attacks against a number of media organizations, aerospace, financial and critical infrastructure sectors across the world.

The group had also reportedly been associated with the WannaCry ransomware menace that last year shut down hospitals and big businesses worldwide, the SWIFT Banking attack in 2016, as well as the Sony Pictures hack in 2014.

Now, the FBI, the Department of Homeland Security (DHS), and the Department of the Treasury have released details about a new cyber attack, dubbed “FASTCash,” that Hidden Cobra has been using since at least 2016 to cash out ATMs by compromising the bank server.

See Khandelwal’s post for more details but the disruption/fun factor of such a hack is readily evident.

Most effective on Black Friday (a U.S. orgy of consumerism the day after Thanksgiving) or Christmas Eve (December 24th).

Remind testers of the hazards of facial recognition. Holiday masks are sold at many locations.

A Red Teamer’s guide to pivoting

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 9:30 am

A Red Teamer’s guide to pivoting by Artem Kondratenko.

From the post:

Penetration testers often traverse logical network boundaries in order to gain access to client’s critical infrastructure. Common scenarios include developing the attack into the internal network after successful perimeter breach or gaining access to initially unroutable network segments after compromising hosts inside the organization. Pivoting is a set of techniques used during red team/pentest engagements which make use of attacker-controlled hosts as logical network hops with the aim of amplifying network visibility. In this post I’ll cover common pivoting techniques and tools available.

A handy list of pivoting techniques to refresh/test your skills.
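Seen from the defender’s side, the “logical network hops” Kondratenko describes leave a recognizable shape in flow data: a host starts reaching a segment it never used to, right after accepting a connection from somewhere it normally doesn’t. The following is an added example, not from the guide: it learns from baseline flow records which internal host reaches which segment, then scans a later window for hosts fanning out into unfamiliar segments while also receiving cross-segment inbound connections. Segment ranges, hosts and records are all constructed (203.0.113.7 is a TEST-NET address).

```python
import ipaddress
from collections import defaultdict

# Constructed internal segments for the example network.
SEGMENTS = [ipaddress.ip_network(n) for n in ("10.0.1.0/24",   # DMZ / jump hosts
                                              "10.0.2.0/24",   # workstations
                                              "10.0.3.0/24")]  # servers

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port).
# BASELINE stands in for "a normal week"; WINDOW is a later period under review.
BASELINE = [
    ("2018-10-01T09:00:00", "10.0.1.10", "10.0.3.5", 443),
    ("2018-10-01T09:01:00", "10.0.2.20", "10.0.3.5", 445),
    ("2018-10-01T09:02:00", "10.0.2.21", "10.0.3.6", 443),
    ("2018-10-02T10:00:00", "10.0.1.10", "10.0.3.6", 443),
]
WINDOW = [
    ("2018-10-08T02:10:00", "203.0.113.7", "10.0.1.10", 22),   # inbound from outside
    ("2018-10-08T02:12:00", "10.0.1.10", "10.0.2.20", 445),    # fan-out into a
    ("2018-10-08T02:12:05", "10.0.1.10", "10.0.2.21", 445),    # segment the host
    ("2018-10-08T02:12:10", "10.0.1.10", "10.0.2.22", 445),    # never reached
    ("2018-10-08T02:12:15", "10.0.1.10", "10.0.2.23", 3389),   # in the baseline
    ("2018-10-08T09:00:00", "10.0.2.20", "10.0.3.5", 445),     # ordinary traffic
]


def segment_of(ip):
    """Name of the segment holding ip, or 'external' for anything else."""
    addr = ipaddress.ip_address(ip)
    for net in SEGMENTS:
        if addr in net:
            return str(net)
    return "external"


def learn_reach(records):
    """Baseline: for each source host, the set of segments it normally reaches."""
    reach = defaultdict(set)
    for _, src, dst, _ in records:
        reach[src].add(segment_of(dst))
    return reach


def detect_pivots(baseline, window, min_new_hosts=3):
    """Flag internal hosts that (a) connect to >= min_new_hosts distinct
    destinations in segments absent from their baseline and (b) also accepted
    a cross-segment inbound connection in the same window. Returns alerts
    sorted by host."""
    known = learn_reach(baseline)
    new_dsts = defaultdict(set)   # host -> destinations in unfamiliar segments
    inbound = defaultdict(set)    # host -> cross-segment sources that reached it
    for _, src, dst, _ in window:
        if segment_of(src) != "external" and segment_of(dst) not in known[src]:
            new_dsts[src].add(dst)
        if segment_of(src) != segment_of(dst):
            inbound[dst].add(src)
    alerts = []
    for host, dsts in new_dsts.items():
        if len(dsts) >= min_new_hosts and inbound[host]:
            alerts.append({
                "host": host,
                "new_segments": sorted({segment_of(d) for d in dsts}),
                "new_hosts": len(dsts),
                "inbound_from": sorted(inbound[host]),
            })
    return sorted(alerts, key=lambda a: a["host"])


if __name__ == "__main__":
    for alert in detect_pivots(BASELINE, WINDOW):
        print(alert)
```

Legitimate jump hosts and scanners will trip this rule on day one, which is the point of learning the baseline from real traffic rather than writing it by hand: once they are in the baseline they stop alerting, and what remains is a host doing something it has never done before.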

Enjoy!

October 4, 2018

The Atlas of Endangered Alphabets – Navajo Code Writers?

Filed under: Language — Patrick Durusau @ 8:40 am

The Atlas of Endangered Alphabets by Tim Brookes.

From the Kickstarter page:

Dear lovers of language, supporters of human rights, and Kickstarter allies past, present and future:

When I give exhibitions and talks on the Endangered Alphabets Project, everyone is fascinated. They want to know more about the scripts I carve, where they come from, the cultures that have created them and, above all, they ask, “How can we help?”

But here’s the problem: there’s no one source for such information. And when information remains scattered and hard to find, both the problems and the solutions seem vague, distant, over the horizon.

So I’m in the process of creating a free online Atlas of Endangered Alphabets, and I need your help. But first I need to explain why endangered alphabets are so important.

Every culture has its own spoken language, and many have their own written languages, too—languages they have developed to express their own beliefs, their own experiences, their understanding of their world. What they have collectively written in those languages is the record of their cultural identity: spiritual texts, historical documents, land deeds, letters between family members, poems.

In scores of countries, though, those minority languages are untaught, unofficial, suppressed, ignored, even illegal, and everything is transacted in the alphabets of the dominant cultures, even the conquerors. And when that happens, within two generations everything important enough to be written down becomes incomprehensible, and is lost.

Denying members of a minority culture the right to read, write and speak in their mother tongue defines them as inferior and unimportant, and leaves them vulnerable, marginalized, and open to abuse. The extent and quality of education go down, while levels of homelessness and incarceration, and even suicide go up—the kind of situation that has led to the endangerment or eradication of hundreds of Aboriginal languages in Australia and Native American languages in the U.S.

It’s my aim to help reverse that global loss, and the Atlas of Endangered Alphabets is my most ambitious and far-reaching effort in that direction. (You can hear me talking about the Atlas and the Endangered Alphabets Project, by the way, in a public radio interview HERE.)

Although the US intelligence community is often stymied by mainstream languages such as Arabic, Chinese, and Russian, AI-assisted language tools will eventually bring them an elementary understanding of texts in those languages.

Begin preparing for that unhappy day by supporting The Atlas of Endangered Alphabets!

Using endangered alphabets puts you in a position similar to the Navajo code talkers in WWII. Your enemies know it is a communication, that it is in a language, but their knowledge ends at that point. No AI tools to assist them.

If you don’t find the reasons Brookes advances compelling enough to support this project, consider the potential to stymie world-class intelligence operations as an additional one. Interested now?

Patent Prior Art Archive – Malware Prior Art?

Filed under: Cybersecurity,Malware,Patents — Patrick Durusau @ 8:18 am

Coming together to create a prior art archive by Ian Wetherbee and Mike Lee.

From the post:

Patent quality is a two-way street. Patent applicants should submit detailed disclosures describing their inventions and actively participate in the examination process to define clear distinctions between their inventions and existing technology. Examiners reviewing patent applications should conduct thorough searches of existing technology, reject any attempts to patent existing technology, and develop a clear record of the differences between the patent claims and what came before. The more that the patent system supports and incentivizes these activities, the more reliable the rights that issue from patent offices will be, and the more those patents will promote innovation.

A healthy patent system requires that patent applicants and examiners be able to find and access the best documentation of state-of-the-art technology. This documentation is often found in sources other than patents. Non-patent literature can be particularly hard to find and access in the software field, where it may take the form of user manuals, technical specifications, or product marketing materials. Without access to this information, patent offices may issue patents covering existing technology, or not recognize trivial extensions of published research, removing the public’s right to use it and bringing the reliability of patent rights into question.

To address this problem, academia and industry have worked together to launch the Prior Art Archive, created through a collaboration between the MIT Media Lab, Cisco and the USPTO, and hosted by MIT. The Prior Art Archive is a new, open access system that allows anyone to upload those hard-to-find technical materials and make them easily searchable by everyone.

Believe it or not, Wetherbee and Lee write an entire post on Google and the Prior Art Archive without ever giving the web address of the Prior Art Archive.

There, fixed that problem on the web. 😉 You know, it’s possible to be so self-centered as to be self-defeating.

The problems of malware prior art are orders of magnitude greater than patent prior art. The literature, posts, etc., alone are spread across ephemeral and often inaccessible forums, blogs, emails, chat groups, to say nothing of the self-defeating secrecy of security researchers themselves. (Not to mention information in languages other than English.)

A malware prior art archive would present numerous indexing, searching, machine translation, clustering and other problems. Perhaps not as lucrative as the results of the Patent Prior Art Archive but at least as interesting.

Thoughts? Suggestions?

PS: You can search the Prior Art Archive through Google Patents. Two other relevant Google resources: TDCommons (non-patented information) and Google Patents Public Datasets.

October 3, 2018

Someone is wrong on the Internet: Turing complete/weird machines

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 10:43 am

Turing completeness, weird machines, Twitter, and muddled terminology by halvar.flake.

From the post:

First off, an apology to the reader: I normally spend a bit of effort to make my blog posts readable / polished, but I am under quite a few time constraints at the moment, so the following will be held to lesser standards of writing than usual.

A discussion arose on Twitter after I tweeted that the use of the term “Turing-complete” in academic exploit papers is wrong. During that discussion, it emerged that there are more misunderstandings of terms that play into this. Correcting these things on Twitter will not work (how I long for the days of useful mailing lists), so I ended up writing a short text. Pastebin is not great for archiving posts either, so for lack of a better place to put it, here it comes:

No apologies necessary for this highly entertaining and useful post!

Our misuse of “Turing completeness” and “weird machine” is harmful and confusing (emphasis in original)

Corrections of public ignorance rarely succeed, but at least within exploit research it’s worth a try. Watch for misuse of “Turing complete” and “weird machines” and cite halvar.flake‘s correction.

PS: Personally I would not correct such misunderstandings by government sponsored researchers. Their ignorance and confusion doesn’t trouble me. Your call.

New Release: Tor Browser 8.0.2 – Upgrade Time!

Filed under: Privacy,Tor — Patrick Durusau @ 10:25 am

New Release: Tor Browser 8.0.2

From the post:

Tor Browser 8.0.2 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox. We picked up the necessary patches, but because we needed to start building before Mozilla was ready with a first candidate build, we did not bump the Firefox version to 60.2.2esr. Thus, users are fine with Tor Browser 8.0.2 even though the Firefox version is 60.2.1esr.

Grab the latest version of Tor Browser today!

You are the last and best hope for your personal privacy.

October 2, 2018

Tracking Potential Security Fails: The Pentagon and Its Familiars

Filed under: Hacking,Journalism,News,Reporting — Patrick Durusau @ 7:37 pm

Want to Track the Pentagon’s Funding? Here’s How You Can Follow the Money by Michael Morisy.

From the post:

In the 2017 financial year, the US Department of Defense alone spent about $590 billion, according to data from the Congressional Budget Office in Washington, DC. Even veteran journalists who cover the US government extensively can find themselves stumped.

“It was like an acid flashback getting your email,” said Steve Fainaru, winner of the 2008 Pulitzer Prize for International Reporting. “This was a huge issue for us. We couldn’t get these contracts.”

His reporting from Iraq shows millions in cost overruns for security contractors.

Since that series, new databases have been posted online that can help those looking to follow the money wherever it flows, including making it easier to trace contracts from companies in a specific country or servicing a particular area.

I’m not sure you will agree with “…making it easier to trace contracts from companies…” (emphasis added), but perhaps it is “easier” than before recent changes.

Certainly a very helpful article for journalists and anyone interested in information the government is willing to share. I take sharing of information by governments and corporations to indicate the shared information is of little value.

That said, tracking Pentagon funding also turns up entities, people and locations with access to data that isn’t intended for sharing. A ripe field for pentesting and security upgrade services.

Perhaps not the intent of the information sources mentioned by Morisy, but then information you can’t weaponize isn’t very interesting is it?

More Free Speech Lost at Twitter

Filed under: Censorship,Free Speech,Hacking,Twitter — Patrick Durusau @ 7:19 pm

Twitter bans distribution of hacked materials ahead of US midterm elections by Catalin Cimpanu.

From the post:


Twitter already had rules in place that prohibited the distribution of hacked materials that contain private information or trade secrets, but after Monday’s update, the platform’s review teams will also ban accounts that claim responsibility for a hack, make hacking threats, or issue incentives to hack specific people and accounts.

Nevertheless, the social network hasn’t been that successful, barely putting a dent in spam-related reports, with the number of complaints going down from 17,000 in May to only 16,000 in September. More work needs to be done, and Twitter just gave its staff sharper teeth to go about their job.

See Cimpanu’s post for the full scope of the damage being done to free speech at Twitter.

Any Twitter investors with insight into how much Twitter wastes on its censorship operations every year?

As an investor, I would want to see some ROI from censorship. You?

September 28, 2018

LoJax – Coming to a Corporation/Government Near You!

Filed under: Cybersecurity,Government,Hacking,Security — Patrick Durusau @ 8:58 pm

Cybersecurity Researchers Spotted First-Ever UEFI Rootkit in the Wild by Swati Khandelwal.

From the post:

Cybersecurity researchers at ESET have unveiled what they claim to be the first-ever UEFI rootkit being used in the wild, allowing hackers to implant persistent malware on the targeted computers that could survive a complete hard-drive wipe.

Dubbed LoJax, the UEFI rootkit is part of a malware campaign conducted by the infamous Sednit group, also known as APT28, Fancy Bear, Strontium, and Sofacy, to target several government organizations in the Balkans as well as in Central and Eastern Europe.

Operating since at least 2007, Sednit group is a state-sponsored hacking group believed to be a unit of GRU (General Staff Main Intelligence Directorate), a Russian secret military intelligence agency. The hacking group has been associated with a number of high profile attacks, including the DNC hack just before the U.S. 2016 presidential election.

UEFI, or Unified Extensible Firmware Interface, a replacement for the traditional BIOS, is a core and critical firmware component of a computer, which links a computer’s hardware and operating system at startup and is typically not accessible to users.

Khandelwal has a great explanation of LoJax with pointers to more detailed information.

At present the result of governmental development, it’s not unreasonable to expect LoJax to become commodity malware in a period of a year or two, perhaps less. Not unlike the first atomic bomb. The first one was true research, the second one and following, were matters of engineering.

Any number of governments and corporations merit being gifted with installations of LoJax.

Watching the anti-woman antics in the US Senate this week, made me think of several likely targets.

September 26, 2018

pandas: powerful Python data analysis toolkit & Data Skepticism

Filed under: Pandas,Python,Skepticism — Patrick Durusau @ 12:52 pm

pandas: powerful Python data analysis toolkit

From the webpage:

pandas is a Python package providing fast, flexible, and expressive data structures designed to make working with “relational” or “labeled” data both easy and intuitive. It aims to be the fundamental high-level building block for doing practical, real world data analysis in Python. Additionally, it has the broader goal of becoming the most powerful and flexible open source data analysis / manipulation tool available in any language. It is already well on its way toward this goal.

pandas is well suited for many different kinds of data:

  • Tabular data with heterogeneously-typed columns, as in an SQL table or Excel spreadsheet
  • Ordered and unordered (not necessarily fixed-frequency) time series data.
  • Arbitrary matrix data (homogeneously typed or heterogeneous) with row and column labels
  • Any other form of observational / statistical data sets. The data actually need not be labeled at all to be placed into a pandas data structure

[if you need more enticement]

Here are just a few of the things that pandas does well:

  • Easy handling of missing data (represented as NaN) in floating point as well as non-floating point data
  • Size mutability: columns can be inserted and deleted from DataFrame and higher dimensional objects
  • Automatic and explicit data alignment: objects can be explicitly aligned to a set of labels, or the user can simply ignore the labels and let Series, DataFrame, etc. automatically align the data for you in computations
  • Powerful, flexible group by functionality to perform split-apply-combine operations on data sets, for both aggregating and transforming data
  • Make it easy to convert ragged, differently-indexed data in other Python and NumPy data structures into DataFrame objects
  • Intelligent label-based slicing, fancy indexing, and subsetting of large data sets
  • Intuitive merging and joining data sets
  • Flexible reshaping and pivoting of data sets
  • Hierarchical labeling of axes (possible to have multiple labels per tick)
  • Robust IO tools for loading data from flat files (CSV and delimited), Excel files, databases, and saving / loading data from the ultrafast HDF5 format
  • Time series-specific functionality: date range generation and frequency conversion, moving window statistics, moving window linear regressions, date shifting and lagging, etc.

I need to spend more time with pandas but have to confess that meta-issues with data interest me more than “alleged” data distributed by governments, corporations and others.

I say “alleged” data because unless you know the means by which it was collected, the criteria for that collection, what was available but excluded from collection, plus a host of other questions about any data set, about all you know is that X claims the “alleged” data means “something.”

The “something” claimed for data varies with who is reporting it and what purpose they have in telling you. I immediately discount explanations that involve my or the public’s benefit. No, rather say the data was released in hopes that I or the public would see it as a benefit. A bit closer to the truth.

All that said, there are any number of interesting ways that processing data shades it as well, so a deep appreciation for pandas will help you spot those tricks too.
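As an added illustration of that point (my example, not code from the pandas project), the script below builds a small constructed table of monthly incident counts where some months were never reported, then produces the same “per office” summary under three different missing-data policies. The office names, months and counts are made up; the only thing that changes between runs is how NaN is treated, and the headline total moves with it.

```python
import numpy as np
import pandas as pd

# Constructed sample (not real data): monthly incident counts reported by
# three offices. NaN means the office filed no report that month, which is
# not the same thing as reporting zero incidents.
RAW = pd.DataFrame(
    {
        "office": ["north"] * 3 + ["south"] * 3 + ["east"] * 3,
        "month": ["2018-07", "2018-08", "2018-09"] * 3,
        "incidents": [12, np.nan, 15, 40, 38, np.nan, 3, 4, 5],
    }
)


def summarize(df, missing="drop", stat="mean"):
    """Per-office aggregate under an explicit missing-data policy.

    missing: "drop"  -> ignore months with no report (pandas' default skipna)
             "zero"  -> count a missing report as zero incidents
             "ffill" -> carry the previous month's figure forward
    stat:    "mean" or "median"
    """
    work = df.sort_values(["office", "month"]).copy()
    if missing == "zero":
        work["incidents"] = work["incidents"].fillna(0)
    elif missing == "ffill":
        # groupby + ffill so one office's value never leaks into another
        work["incidents"] = work.groupby("office")["incidents"].ffill()
    elif missing != "drop":
        raise ValueError(f"unknown missing-data policy: {missing}")
    grouped = work.groupby("office")["incidents"]
    per_office = grouped.mean() if stat == "mean" else grouped.median()
    return per_office.round(2).to_dict()


def headline_total(df, missing="drop"):
    """The single 'headline' number a report would quote; note that it
    silently depends on the policy chosen above."""
    return float(sum(summarize(df, missing=missing).values()))


if __name__ == "__main__":
    for policy in ("drop", "zero", "ffill"):
        print(f"{policy:5s} {summarize(RAW, missing=policy)} total={headline_total(RAW, policy)}")
```

Run it and the “total incidents” figure comes out as 56.5, 39.0 or about 55.67 depending only on the policy, none of which is reported alongside the number in a typical press release. The question to ask of any “alleged” data set is which of these choices was made and whether it was disclosed.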

PS: I don’t mean to contend we can ever be bias free, but I do think we can aspire to expose the biases of others.

I first saw this in a tweet by Kirk Borne

September 25, 2018

Abuse Apologist News Bingo

Filed under: Feminism — Patrick Durusau @ 6:21 pm

I saw a delightful “bingo” graphic that is on point for all abusers in the news, from www.shethepeopleusa.com. In reduced form:

I have also uploaded the graphic in its original size.

The Abuse Apologist Bingo game is sadly familiar. But it could also be used to play Abuse Apologist News Bingo, to see which news stations report, repeat and amplify these excuses for abusers, and when.

To that end, I drafted the Abuse Apologist News Bingo game, that includes these instructions:

How often do you hear these excuses reported, repeated or amplified in news reports? Too often, but do you have a record, an actual count? If not, try playing abuse apologist bingo while you watch your regular news program.

When you hear one of these apologies for abusers, mark that square. After your program is over, record:

Date:__________ Time: __________ Station: __________

Send to your local news station with or without your name and email.

PS: For safety reasons, a close friend recommends you not use this as a drinking game.

My efforts can certainly be improved upon and if enough stations get enough Abuse Apologist News Bingo cards, who knows, maybe NPR won’t describe reports about Kavanaugh as being from thirty years ago in every broadcast. As though that has any meaning.

PS: Ping me for the source file, my ISP won’t accept word processing documents.

Twitter’s Quest to Police Public Conversation [Note on feminist power analysis]

Filed under: Censorship,Free Speech,Twitter — Patrick Durusau @ 10:05 am

Not satisfied with suppressing the free speech of millions, Twitter is expanding the power of its faceless censors to seek out and silence dehumanizing language.

From their post:


For the last three months, we have been developing a new policy to address dehumanizing language on Twitter. Language that makes someone less than human can have repercussions off the service, including normalizing serious violence. Some of this content falls within our hateful conduct policy (which prohibits the promotion of violence against or direct attacks or threats against other people on the basis of race, ethnicity, national origin, sexual orientation, gender, gender identity, religious affiliation, age, disability, or serious disease), but there are still Tweets many people consider to be abusive, even when they do not break our rules. Better addressing this gap is part of our work to serve a healthy public conversation.

With this change, we want to expand our hateful conduct policy to include content that dehumanizes others based on their membership in an identifiable group, even when the material does not include a direct target. Many scholars have examined the relationship between dehumanization and violence. For example, Susan Benesch has described dehumanizing language as a hallmark of dangerous speech, because it can make violence seem acceptable, and Herbert Kelman has posited that dehumanization can reduce the strength of restraining forces against violence.

Let’s be clear: I don’t tweet, re-tweet or otherwise amplify any of the conduct that is now or would be in the future, forbidden as “dehumanizing language.”

At the same time, it is every user’s right to determine for themselves what content, harmful and/or dehumanizing, they wish to say or view.

It would be trivially easy for Twitter to implement filters that users could “follow” in order to avoid either harmful or dehumanizing speech, tuned to their specific choices. The same is true for followable block lists of users known to spew such nonsense.

For reasons unknown to me, Twitter and its fellow travelers want to police the “public conversation.” So that its nameless and faceless censors can shape the public conversation.

Twitter censorship favors the same values I do, but even so, I find it objectionable in all respects.

If you know anyone working at Twitter, challenge them to empower users with followable content filters and block lists.

I have and all I get is silence in response.

PS: If you are interested in feminist power analysis, silence is the response of the privileged when challenged. They don’t even have to acknowledge your argument or produce facts. Just silence. Maybe I should write a post: Twitter and Patterns of Privilege. What do you think?

September 24, 2018

What Would Qualify as a Cyber 9/11?

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 3:17 pm

One of the participants in a discussion reported by Troy Schneider in: Cybersecurity the right way attributes the formation of the Department of Homeland Security (DHS) to “…planes flew into buildings, right?”

I’m not sure reduction of 9/11 down to “…planes flew into buildings…” will be popular, but it did result in a wasted $5+ Trillion to date. If you are looking for funding, a 9/11 equivalent event would be hard to beat.

The question that came to me: What qualifies as a cyber 9/11?

I have a short list of things that didn’t:

  1. Office of Personnel Management (OPM) – “…greatest theft of sensitive personal data in history.” Why the OPM Hack Is Far Worse Than You Imagine Data on all prospective, former and current federal employees since 1985.
  2. National Security Agency hacking tools stolen and leaked on the Internet. Shadow Brokers Group Leaks Stolen National Security Agency Hacking Tools
  3. CIA hacking tools known as Vault 7 leaked by Wikileaks. Wikileaks releases document trove allegedly containing CIA hacking tools
  4. US-South Korea war plans. North Korea ‘hackers steal US-South Korea war plans’

Based on public response of the government and industry, none of those events was a cyber 9/11. (I remember the Clinton email breach, but stealing a gmail password hardly qualifies as a “hack.”)

There is an interactive visualization of data breaches that allows you to filter by organization and method of leak, then view the results by calendar year: World’s Biggest Data Breaches (losses > 30,000 records)

By implication, none of those breaches were sufficient to be a cyber 9/11.

I’m really at a loss to say what the cyber equivalent of “…planes flew into buildings…” would look like.

Perhaps the primary reason for the lack of a cyber 9/11 event is the distraction of hackers with more profitable targets. It might be interesting to have a copy of the National Crime Information Center (NCIC) databases, but it would be a niche item. Unless you are into suppressing civil dissent, etc.

On the other hand, the genealogy people might go nuts over it. Would need to test the market before putting a lot of effort into it.

Cyber 9/11 events? Suggestions?

September 23, 2018

Scan4You: Not Sharing Is A Crime?

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 9:48 am

Hacker gets 14 years jail time for operating Scan4You malware scanning service by Waqas.

I’ve been puzzling over what crime was committed here, especially when I read:


The purpose was to assess whether the malicious code was detected or not during routine security checks. Scan4You is also regarded in the infosec industry as a non-distribute-scanner. The difference between VirusTotal and Scan4You is that the latter doesn’t let antivirus engines report back results to vendors and the malware detections are kept discreet while the former does so.

The Scan4You service, according to the court documents, was hosted on Amazon Web Services servers while malware developers used to pay to get full access to its features. Trend Micro also stated that Bondars also made a very common mistake that almost every malware developer has made in the past, which is that he blocked antivirus engines from the reporting of file scans.

The indictment itself is available: Ruslans Bondars and Jurijs Martisevs indictment (h/t Catalin Cimpanu for uploading).

On a quick read, section 11 of the indictment appears to be its most worrisome point:


11. The Defendants intentionally marketed (omission) to computer hackers using the website (omission) and a hidden service accessible via The Onion Router (TOR), an online network for enabling anonymity. The Defendants also advertised (omission) on underground online cybercrime forums, which are support networks used by individuals worldwide to buy, sell, and rent malware kits, botnets, and stolen personal identifying information (PII). Moreover, the (omission) service differed from legitimate scanning services in multiple ways. For example, while legitimate scanning services share data about uploaded files with the antivirus community, and notify their users they will do so, (omission) instead informed its users they could upload anonymously, and that data about the uploaded files would not be shared with the antivirus community. As a result, the Defendants knew and intended that the (omission) service would be used for facilitation of online criminal activity.

The indictment does not contain the advertisements posted by the defendants: “The Defendants also advertised (omission) on underground online cybercrime forums, which are support networks used by individuals worldwide to buy, sell, and rent malware kits, botnets, and stolen personal identifying information (PII).” so it’s not possible to judge the intent evidenced by those ads.

On the other hand:

  • “a hidden service accessible via The Onion Router (TOR)”
  • anonymous uploads
  • not sharing with the antivirus community

These, by themselves, surely don’t support the conclusion:


As a result, the Defendants knew and intended that the (omission) service would be used for facilitation of online criminal activity.

Don’t rely on this post as legal advice but I can easily see a legitimate virus scanning service offering a hidden service with anonymous uploads, for the purpose of staying ahead of its competition in detection of malware. If malware authors are more likely to upload to a service anonymously, doing otherwise makes little business sense.

Moreover, not sharing with the antivirus community rests on the mistaken assumption that computer security is a shared concern. That’s demonstrably false, as shown by the collection and use of zero-day vulnerabilities by the NSA. See: The challenge of offensive hacking: the NSA and zero days

Governments around the world use cyber vulnerabilities and call on you to make unpaid contributions of time and labor to improve “cybersecurity.”

I’ll pass on that request.

Hackers represent the QA staff software vendors refuse to hire. If governments want more secure software, decriminalize hacking and establish civil liability for software vendors, contractors and users.

Incentivize security as opposed to preaching about it.

September 22, 2018

What’s The Buzz? Tell Me What’s Happening – Meltdown

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 7:22 pm

Meltdown: Reading Kernel Memory from User Space by Moritz Lipp, et al.

Abstract:

The security of computer systems fundamentally relies on memory isolation, e.g., kernel address ranges are marked as non-accessible and are protected from user access. In this paper, we present Meltdown. Meltdown exploits side effects of out-of-order execution on modern processors to read arbitrary kernel-memory locations including personal data and passwords. Out-of-order execution is an indispensable performance feature and present in a wide range of modern processors. The attack is independent of the operating system, and it does not rely on any software vulnerabilities. Meltdown breaks all security guarantees provided by address space isolation as well as paravirtualized environments and, thus, every security mechanism building upon this foundation. On affected systems, Meltdown enables an adversary to read memory of other processes or virtual machines in the cloud without any permissions or privileges, affecting millions of customers and virtually every user of a personal computer. We show that the KAISER defense mechanism for KASLR has the important (but inadvertent) side effect of impeding Meltdown. We stress that KAISER must be deployed immediately to prevent large-scale exploitation of this severe information leakage.

A lucid presentation that has you cheering for the U.S. Department of Defense’s plans to migrate to the cloud.

Go ahead, step just a little bit further into light.
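The abstract ends with the one thing a defender can act on: check that KAISER (shipped in Linux as page table isolation, PTI) is actually deployed. The script below is my added example, not code from the Meltdown paper; it reads the per-issue status files the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities and the flags line of /proc/cpuinfo, and falls back to constructed sample contents so it runs anywhere. The sample status strings are illustrative, not taken from a real host.

```python
from pathlib import Path

# Where the Linux kernel (4.15 and later) reports CPU vulnerability status,
# one small text file per issue.
SYSFS_VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")


def classify(status):
    """Map one sysfs status string to a coarse verdict."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def summarize_vulns(entries):
    """entries: {issue_name: file_contents} -> {issue_name: verdict}"""
    return {name: classify(text) for name, text in entries.items()}


def meltdown_mitigated(entries):
    """True only when the kernel reports a Meltdown mitigation (e.g. PTI)
    or an unaffected CPU. A missing entry counts as not mitigated."""
    return summarize_vulns(entries).get("meltdown") in ("mitigated", "not_affected")


def has_pti_flag(cpuinfo_text):
    """/proc/cpuinfo lists 'pti' among the flags when page table isolation is active."""
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            return "pti" in value.split()
    return False


def read_sysfs(directory=SYSFS_VULN_DIR):
    """Read the real status files on a Linux host; empty dict elsewhere."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text() for p in directory.iterdir() if p.is_file()}


# Constructed samples in the format of those files (illustrative values, not a real host)
SAMPLE_VULN = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
    "l1tf": "Not affected\n",
}
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme de pse pti ssbd\nbugs\t\t: cpu_meltdown spectre_v1\n"

if __name__ == "__main__":
    live = read_sysfs()
    entries = live if live else SAMPLE_VULN
    print("source:", "sysfs" if live else "constructed sample")
    for issue, verdict in sorted(summarize_vulns(entries).items()):
        print(f"{issue:12s} {verdict}")
    print("meltdown mitigated:", meltdown_mitigated(entries))
```

On a real host the interesting case is a verdict of “vulnerable” or an absent meltdown entry, either of which means the kernel is older than the fix or was booted with the mitigation turned off; that is the condition the paper’s last sentence is warning about.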

September 21, 2018

Senate GMail Attack – eXist-db 5.0.0 RC 4 Release – Coincidence?

Filed under: Cybersecurity,eXist,Government,XML,XML Database,XQuery — Patrick Durusau @ 6:16 pm

First I see Senators’ Gmail accounts targeted by foreign hackers from today that reads in part:

The personal Gmail accounts of an unspecified number of US senators and Senate staff have been targeted by foreign government hackers, a Google spokesperson confirmed to CNN on Thursday.

then I see in my Twitter feed:

[eXist-db] v5.0.0-RC4 – September 21, 2018.

The campaign season has been devoid of any Clinton-like email leaks, which is both disappointing and a little surprising.

It worked so well last time: take no-news office gossip and, by timed release, turn back-biting chatter into widely reported news.

You should grab a copy of eXist-db v.5.0.0-RC4 or the current stable version. Practicing now will keep you in shape for any flood of congressional emails.

eXistDB is NOT in league with any hackers anywhere.

I like feeding the paranoid delusions of the IC with groundless gossip. They will write it down, talk about it, do research, all the while they are not out harming US citizens and/or hopefully citizens of any other countries.

September 20, 2018

Software disenchantment (a must read)

Filed under: Computer Science,Design,Programming,Software,Software Engineering — Patrick Durusau @ 3:34 pm

Software disenchantment by Nikita Prokopov.

From the post:


Windows 95 was 30Mb. Today we have web pages heavier than that! Windows 10 is 4Gb, which is 133 times as big. But is it 133 times as superior? I mean, functionally they are basically the same. Yes, we have Cortana, but I doubt it takes 3970 Mb. But whatever Windows 10 is, is Android really 150% of that?

Google keyboard app routinely eats 150 Mb. Is an app that draws 30 keys on a screen really five times more complex than the whole Windows 95? Google app, which is basically just a package for Google Web Search, is 350 Mb! Google Play Services, which I do not use (I don’t buy books, music or videos there)—300 Mb that just sit there and which I’m unable to delete.

Yep, that and more. Brim full of hurtful remarks but also suggestions for a leaner, faster and more effective future.

Prokopov doesn’t mention malware but “ratio of bugs per line of code” has a great summary of various estimates of bugs to lines of code.

Government programmers and their contractors should write as much bloated code as their funding will support.

Programmers working in the public interest, should read Prokopov deeply and follow his advice.

New Hacking Challenge: CLIP OS (French Cybersecurity OS)

Filed under: Cybersecurity,Hacking,Security — Patrick Durusau @ 2:44 pm

French cyber-security agency open-sources CLIP OS, a security hardened OS by Catalin Cimpanu.

From the post:

The National Cybersecurity Agency of France, also known as ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information), has open-sourced CLIP OS, an in-house operating system its engineers had developed to address the needs of the French government administration.

In a press release, ANSSI described CLIP OS as a “Linux-based operating system [that] incorporates a set of security mechanisms that give it a very high level of resistance to malicious code and allow it to protect sensitive information.”

More details are available at The CLIP OS Project, including version 4 (current release, documentation in French), and version 5 (alpha version, documentation in English).

The lack of a build version makes me wonder about the breadth of CLIP OS deployment, within ANSSI or the French government more generally.

Not that you want to rely on security by obscurity, but if CLIP OS is a substantial security advance over comparable systems, why open source it?

The open source motivation could be to boost a French vendor that has a commercial product along similar lines. Perhaps former members of ANSSI?

In any event, enjoy getting CLIP OS up and running as preparation for finding its soft spots.

Free CCTV Surveillance Camera Networks

Filed under: Cybersecurity,Hacking,Security — Patrick Durusau @ 12:51 pm

You don’t get to pick the locations but as Tom Spring details in: Zero-Day Bug Allows Hackers to Access CCTV Surveillance Cameras, not only can you take over up to 800,000 existing CCTV cameras with the bugs discussed, all those cameras will require a manual upgrade.

Hard to imagine a greater deterrent to upgrading than requiring manual upgrading of each and every camera.

From the post:


The first vulnerability (CVE-2018-1149) is the zero-day. An attacker can sniff out affected gear using a tool such as Shodan. Next, the attacker can trigger a buffer-overflow attack that allows them to access the camera’s web server Common Gateway Interface (CGI), which acts as the gateway between a remote user and the web server. According to researchers, the attack involves delivering a cookie file too large for the CGI to handle. The CGI then doesn’t validate the user’s input properly, allowing them to access the web server portion of the camera. “[A] malicious attackers can trigger stack overflow in session management routines in order to execute arbitrary code,” Tenable wrote.

The second bug (CVE-2018-1150) takes advantage of a backdoor functionality in the NUUO NVRMini2 web server. “[The] back door PHP code (when enabled) allows unauthenticated attacker to change a password for any registered user except administrator of the system,” researchers said.

Which CCTV surveillance camera networks do you have control of? (Rhetorical question. Don’t answer! Bad OpSec.)
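The quoted description boils down to a missing bound: the cookie reaches the session-management routines before anything checks its size. Where the firmware can’t be fixed (the manual-upgrade problem above), the usual stopgap is a reverse proxy or filter in front of the camera that enforces that bound itself. The following is my added example of such a check, not NUUO or Tenable code; the 1024-byte limit, the hostname and the session cookie name are placeholders, and the two requests are constructed rather than captured traffic.

```python
# Assumed per-device limit; the point is that some explicit bound is applied
# before the cookie ever reaches session-management code.
MAX_COOKIE_BYTES = 1024


def parse_headers(raw):
    """Parse an HTTP/1.1 request header block into a lower-cased dict.
    Repeated headers are folded with '; ' so their total size is counted."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if b":" not in line:
            continue
        name, value = line.split(b":", 1)
        key = name.strip().lower().decode("ascii", "replace")
        value = value.strip()
        headers[key] = headers[key] + b"; " + value if key in headers else value
    return headers


def check_request(raw, limit=MAX_COOKIE_BYTES):
    """Front-door check: reject the request before any CGI sees an oversized cookie."""
    cookie = parse_headers(raw).get("cookie", b"")
    verdict = {"cookie_bytes": len(cookie), "accepted": len(cookie) <= limit}
    if not verdict["accepted"]:
        verdict["reason"] = f"Cookie header is {len(cookie)} bytes, limit {limit}"
    return verdict


# Constructed requests (not captured traffic); hostname and session name are placeholders
NORMAL_REQUEST = (
    b"GET /cgi-bin/main.cgi HTTP/1.1\r\n"
    b"Host: camera.example\r\n"
    b"Cookie: PHPSESSID=0123456789abcdef\r\n"
    b"\r\n"
)
OVERSIZED_REQUEST = (
    b"GET /cgi-bin/main.cgi HTTP/1.1\r\n"
    b"Host: camera.example\r\n"
    b"Cookie: PHPSESSID=" + b"A" * 4000 + b"\r\n\r\n"
)

if __name__ == "__main__":
    for name, req in (("normal", NORMAL_REQUEST), ("oversized", OVERSIZED_REQUEST)):
        print(name, check_request(req))
```

Logging the rejected verdicts (size, source address, time) also gives you a detection signal for anyone probing the cameras behind the filter, which the cameras themselves will never report.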

HIDE AND SEEK… (Pegasus Spyware)

Filed under: Government,Pegasus,Privacy — Patrick Durusau @ 12:27 pm

HIDE AND SEEK Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries by Bill Marczak, John Scott-Railton, Sarah McKune, Bahr Abdul Razzak, and Ron Deibert.

From the post:


Key Findings

  • Between August 2016 and August 2018, we scanned the Internet for servers associated with NSO Group’s Pegasus spyware. We found 1,091 IP addresses that matched our fingerprint and 1,014 domain names that pointed to them. We developed and used Athena, a novel technique to cluster some of our matches into 36 distinct Pegasus systems, each one of which appears to be run by a separate operator.
  • We designed and conducted a global DNS Cache Probing study on the matching domain names in order to identify in which countries each operator was spying. Our technique identified a total of 45 countries where Pegasus operators may be conducting surveillance operations. At least 10 Pegasus operators appear to be actively engaged in cross-border surveillance.
  • Our findings paint a bleak picture of the human rights risks of NSO’s global proliferation. At least six countries with significant Pegasus operations have previously been linked to abusive use of spyware to target civil society, including Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates.
  • Pegasus also appears to be in use by countries with dubious human rights records and histories of abusive behaviour by state security services. In addition, we have found indications of possible political themes within targeting materials in several countries, casting doubt on whether the technology is being used as part of “legitimate” criminal investigations.

(The image of Pegasus infections looks far better and is more informative in the original post.)

The NSO Group responded to the Hide and Seek post here.

Any defense against the NSO Group and/or users of their software is up to you. Governments are clearly not on the side of citizens when it comes to the NSO Group.

Learning by Porting (Oldie but Goodie (2008))

Filed under: Clojure,Functional Programming,Lisp — Patrick Durusau @ 11:52 am

PCL -> Clojure by Stuart Halloway.

From the post:

My current leisure-time project is porting the examples from Peter Seibel's excellent Practical Common Lisp (PCL) to Clojure.

I think Clojure is interesting for three reasons:

  1. Clojure is Lisp, but minus historical baggage.
  2. Clojure gives full access to the JVM and Java libraries.
  3. Clojure groks concurrency and state.

My ground rules are simple:

  • I am not going to port everything, just the code samples that interest me as I re-read Practical Common Lisp.
  • Where Peter introduced Common Lisp features in a planned progression, I plan to use whatever Clojure features come to mind. So I may jump straight into more "advanced" topics, even in the intro chapters.

Please do not assume that this port is a good introduction to Common Lisp! I am cherry-picking examples that are interesting to me from a Clojure perspective. If you want to learn Common Lisp, read PCL. In fact, you should probably read the relevant chapters in PCL first, no matter what.

Halloway credits Ola Bini with the idea for porting examples but the links to Bini’s post aren’t working at the moment.

You know the adage “the best way to learn something is to teach it.” Take this as a variant on that idea.

Porting examples avoids “nodding” understanding (one of my weaknesses). If the ported example doesn’t work, assuming it did in the original, your understanding of the example and/or porting language has failed.

September 16, 2018

Radare2 – Perils of e – 492 Settings in 32 Namespaces

Filed under: Hacking,Radare2 — Patrick Durusau @ 10:31 am

If you are new to Radare2 (that includes me), you will execute the e command at an r2 prompt, and be overwhelmed by 492 possible settings.

The manual helpfully says that you can use e (namespace). (with the trailing period) to see all the settings within a namespace. For example:

e cfg.

returns:

cfg.bigendian = false
cfg.debug = false
cfg.editor = emacs
cfg.fortunes = true
cfg.fortunes.clippy = false
cfg.fortunes.tts = false
cfg.fortunes.type = tips,fun
cfg.hashlimit = 0x00a00000
cfg.log = false
cfg.newtab = false
cfg.plugins = true
cfg.prefixdump = dump
cfg.r2wars = false
cfg.sandbox = false
cfg.user = pid386
cfg.wseek = false

But if you don’t know the namespaces, that’s not very helpful advice.

The namespaces as of 16 September 2018 are:

  1. anal
  2. asm
  3. bin
  4. cfg
  5. cmd
  6. dbg
  7. diff
  8. dir
  9. emu
  10. esil
  11. file
  12. fs
  13. graph
  14. hex
  15. http
  16. hud
  17. io
  18. key
  19. lines
  20. magic
  21. pdb
  22. prj
  23. rap
  24. rop
  25. scr
  26. search
  27. stack
  28. str
  29. tcp
  30. time
  31. zign
  32. zoom

The use of namespaces with e produces more manageable setting listings. Ping me if you find this useful.
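If you would rather let a script discover the namespaces than type them from a list, the following is my added example (not part of Radare2): it parses the key = value lines that e prints, counts settings per top-level namespace, and reproduces the e namespace. filtering. The embedded listing is a constructed excerpt in that format, not the full 492-line output; pipe the real output of e into the script on stdin to work from a live r2.

```python
import re
import sys
from collections import Counter

# One line per setting, exactly the shape `e` prints: key = value
LINE_RE = re.compile(r"^(?P<key>[A-Za-z0-9_.]+)\s*=\s*(?P<value>.*)$")

# Constructed excerpt in the format of `e` output (not a full real listing)
SAMPLE_E_OUTPUT = """\
anal.depth = 64
anal.jmp.tbl = true
asm.bytes = false
cfg.bigendian = false
cfg.debug = false
cfg.fortunes.type = tips,fun
cfg.hashlimit = 0x00a00000
scr.color = 3
"""


def parse_settings(text):
    """Return {full.key: value} for every `key = value` line; other lines are ignored."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            settings[m["key"]] = m["value"]
    return settings


def namespace_counts(settings):
    """Count settings per top-level namespace (the text before the first dot)."""
    return Counter(key.split(".", 1)[0] for key in settings)


def in_namespace(settings, ns):
    """Equivalent of `e ns.`: the settings whose key starts with that namespace.
    A trailing dot, as in the r2 syntax, is accepted."""
    prefix = ns.rstrip(".") + "."
    return {k: v for k, v in settings.items() if k.startswith(prefix)}


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else ""
    settings = parse_settings(text or SAMPLE_E_OUTPUT)
    for ns, n in sorted(namespace_counts(settings).items()):
        print(f"{ns:8s} {n}")
```

Keys are split only on the first dot, so a nested key such as cfg.fortunes.type is counted under cfg, which matches what e cfg. shows above.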

September 13, 2018

OpenOversight: A public, searchable database of law enforcement officers

Filed under: Government,Transparency — Patrick Durusau @ 2:41 pm

OpenOversight: A public, searchable database of law enforcement officers

From the about page:

OpenOversight is a Lucy Parsons Labs project that aims to improve law enforcement visibility and transparency using public and crowdsourced data. We maintain databases, digital galleries, and profiles of individual law enforcement officers from departments across the United States that consolidate information including names, birthdates, mentions in news articles, salaries, and photographs.

This remarkable resource was forwarded to me by Camille Fassett.

Similar resources for members of legislatures, fracking companies, etc.?

