Mapping U.S. wildfire data from public feeds

August 29th, 2016

Mapping U.S. wildfire data from public feeds by David Clark.

From the post:

With the Mapbox Datasets API, you can create data-based maps that continuously update. As new data arrives, you can push incremental changes to your datasets, then update connected tilesets or use the data directly in a map.

U.S. wildfires have been in the news this summer, as they are every summer, so I set out to create an automatically updating wildfire map.

An excellent example of using public data feeds to create a resource not otherwise available.

Historical fire data can be found at: Federal Wildland Fire Occurrence Data, spanning 1980 through 2015.

The Outlooks page of the National Interagency Coordination Center provides a four-month (from the current month) fire potential outlook and weekly outlook reports and maps.

Looking For Your Next Cyber Jedi

August 29th, 2016

DoD Taps DEF CON Hacker Traits For Cybersecurity Training Program by Kelly Jackson Higgins.

The Department of Defense sends Frank DiGiovanni, director of force training in DoD’s Office of the Assistant Secretary of Defense for Readiness, to DEF CON 24.

His mission?

“My purpose was to really learn from people who come to DEF CON … Who are they? How do I understand who they are? What motivates them? What sort of attributes” are valuable to the field, the former Air Force officer and pilot who heads overall training policy for the military, says.

DiGiovanni interviewed more than 20 different security industry experts and executives during DEF CON. His main question: “If you’re going to hire someone to either replace you or eventually be your next cyber Jedi, what are you looking for?”

The big takeaway from DiGiovanni’s DEF CON research: STEM, aka science, technology, engineering, and mathematics, was not one of the top skills organizations look for in their cyber-Jedis. “Almost no one talked about technical capabilities or technical chops,” he says. “That was the biggest revelation for me.”

DiGiovanni compiled a list of attributes for the cyber-Jedi archetype based on his interviews. The ultimate hacker/security expert, he found, has skillsets such as creativity and curiosity, resourcefulness, persistence, and teamwork, for example.
… (emphasis added)

The DoD has $millions to throw at creating cyber-Jedis.

If you plan to stay ahead, now would be a good time to start.

PS: If you attend the next DEF CON, keep an eye out for Frank:

[image: Frank DiGiovanni]

ISIS Turns To Telegram App After Twitter Crackdown [Farce Alert + My Telegram Handle]

August 29th, 2016

ISIS Turns To Telegram App After Twitter Crackdown

From the post:

With the micro-blogging site Twitter coming down heavily on ISIS-sponsored accounts, the terrorist organisation and its followers are fast joining the heavily-encrypted messaging app Telegram built by a Russian developer.

On Telegram, the ISIS followers are laying out detailed plans to conduct bombing attacks in the west, voanews.com reported on Monday.

France and Germany have issued statements that they now want a crackdown against them on Telegram.

“Encrypted communications among terrorists constitute a challenge during investigations. Solutions must be found to enable effective investigation… while at the same time protecting the digital privacy of citizens by ensuring the availability of strong encryption,” the statement said.

Really?

Oh, did you notice the source? “Voanews.com reported on Monday.”

If you skip over to that post: IS Followers Flock to Telegram After being Driven from Twitter (I don’t want to shame the author so omitting their name), it reads in part:

With millions of IS loyalists communicating with one another on Telegram and spreading their message of radical Islam and extremism, France and Germany last week said that they want a continent wide effort to allow for a crackdown on Telegram.

“Encrypted communications among terrorists constitute a challenge during investigations,” France and Germany said in a statement. “Solutions must be found to enable effective investigation… while at the same time protecting the digital privacy of citizens by ensuring the availability of strong encryption.”

On private Telegram channels, IS followers have laid out detailed plans to poison Westerners and conduct bombing attacks, reports say.

What? “…millions of IS loyalists…?” IS in total has about 30K active fighters, maybe. Millions of loyalists? Documentation? Citation of some sort? Being the Voice of America, I’d say they pulled that number out of a dark place.

Meanwhile, while complaining about the strong encryption, they are party to:

detailed plans to poison Westerners and conduct bombing attacks, reports say.

You do know wishing Westerners would choke on their Fritos doesn’t constitute a plan. Yes?

Neither does wishing to have an unspecified bomb, to be exploded at some unspecified location, at no particular time, constitute planning either.

Not to mention that “reports say” is a euphemism for: “…we just made it up.”

Get yourself to Telegram!

[image: telegram-01]

[image: telegram-03]

They left out my favorite:

Annoy governments seeking to invade a person’s privacy.

Reclaim your privacy today! Telegram!

Caveat: I tried using one device for the SMS to set up my smartphone. Nada, nyet, no joy. Had to use my cellphone number to set up the account on the cellphone. OK, but annoying.

BTW, on Telegram, my handle is @PatrickDurusau.

Yes, my real name. Which excludes this account from anything requiring OpSec. ;-)

Hunters Bag > 400 Database Catalogs

August 29th, 2016

Transparency Hunters Capture More than 400 California Database Catalogs by Dave Maass.

The post in its entirety:

A team of over 40 transparency activists aimed their browsers at California this past weekend, collecting more than 400 database catalogs from local government agencies, as required under a new state law. Together, participants in the California Database Hunt shined light on thousands upon thousands of government record systems.

California S.B. 272 requires every local government body, with the exception of educational agencies, to post inventories of their “enterprise systems,” essentially every database that holds records on members of the public or is used as a primary source of information. These database catalogs were required to be posted online (at least by agencies with websites) by July 1, 2016.

EFF, the Data Foundation, the Sunlight Foundation, and Level Zero combined forces to host volunteers in San Francisco, Washington, D.C., and remotely. More than 40 volunteers scoured as many local agency websites as we could in four hours—cities, counties, regional transportation agencies, water districts, etc. Here are the rough numbers:

  • 680 – The number of unique agencies that supporters searched
  • 970 – The number of searches conducted (Note: agencies found on the first pass not to have catalogs were searched a second time)
  • 430 – Number of agencies with database catalogs online
  • 250 – Number of agencies without database catalogs online, as verified by two people

Download a spreadsheet of the local government database catalogs we found: Excel/TSV

Download a spreadsheet of cities and counties that did not have S.B. 272 catalogs: Excel/TSV

Please note that for each of the cities and counties identified as not posting database catalogs, at least two volunteers searched for the catalogs and could not find them. It is possible that those agencies do in fact have S.B. 272-compliant catalogs posted somewhere, but not in what we would call a “prominent location,” as required by the new law. If you represent an agency that would like its database catalog listed, please send an email to dm@eff.org.

We owe a debt of gratitude to the dozens of volunteers who sacrificed their Saturday afternoons to help make local government in California a little less opaque. Check out this 360-degree photo of our San Francisco team on Facebook.

In the coming days and weeks, we plan to analyze and share the data further. Stay tuned, and if you find anything interesting perusing these database catalogs, please drop us a line at dm@eff.org.

Of course, bagging the database catalogs is like having a collection of Christmas catalogs. It’s great, but there are more riches within!

What data products would you look for first?

Updated to mirror changes (clarification) in original.

DataScience+ (R Tutorials)

August 29th, 2016

DataScience+

From the webpage:

We share R tutorials from scientists at academic and scientific institutions with a goal to give everyone in the world access to free knowledge. Our tutorials cover different topics including statistics, data manipulation and visualization!

I encountered DataScience+ while running down David Kun’s RDBL post.

As of today, there are 120 tutorials with 451,129 reads.

That’s impressive, whether you are looking for tutorials or looking for a place to post your R tutorial where it will be appreciated.

Enjoy!

RDBL – manipulate data in-database with R code only

August 29th, 2016

RDBL – manipulate data in-database with R code only by David Kun.

From the post:

In this post I introduce our own package RDBL, the R DataBase Layer. With this package you can manipulate data in-database without writing SQL code. The package interprets the R code and sends out the corresponding SQL statements to the database, fully transparently. To minimize overhead, the data is only fetched when absolutely necessary, allowing the user to create the relevant joins (merge), filters (logical indexing) and groupings (aggregation) in R code before the SQL is run on the database. The core idea behind RDBL is to let R users with little or no SQL knowledge utilize the power of SQL database engines for data manipulation.

It is important to note that the SQL statements generated in the background are not executed unless explicitly requested by the command as.data.frame. Hence, you can merge, filter and aggregate your dataset on the database side and load only the result set into memory for R.

In general the design principle behind RDBL is to keep the models as close as possible to the usual data.frame logic, including (as shown later in detail) commands like aggregate, referencing columns by the $ operator and features like logical indexing using the [] operator.

RDBL supports a connection to any SQL-like data source which supports a DBI interface or an ODBC connection, including but not limited to Oracle, MySQL, SQLite, SQL Server, MS Access and more.

Not as much fun as surfing mall wifi for logins/passwords, but it is something you can use at work.

The best feature is that you load resulting data sets only. RDBL uses databases for what they do well. Odd but efficient practices do happen from time to time.
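To make the lazy-execution idea concrete, here is an added example (my own Python sketch, not RDBL's code and not its API) of the same design: merge, filter and aggregate only record a query description, values are always bound as parameters, identifiers are validated, and nothing reaches the database until the as_data_frame() call. The table and column names are constructed for the demo.

```python
import sqlite3
from dataclasses import dataclass, replace
from typing import Optional, Tuple

ALLOWED_OPS = {"=", "<>", "<", "<=", ">", ">="}
ALLOWED_AGGS = {"COUNT", "SUM", "AVG", "MIN", "MAX"}


def _ident(name: str) -> str:
    """Quote a table/column name, refusing anything that is not a plain identifier.
    Column names come from user code, so validating them (and binding all values)
    keeps the generated SQL free of injection."""
    if not name.isidentifier():
        raise ValueError(f"not a plain identifier: {name!r}")
    return f'"{name}"'


@dataclass(frozen=True)
class LazyTable:
    """A query that is described, not executed: merge/filter/aggregate only
    record what to do. frozen + replace() makes every call return a new object."""
    conn: sqlite3.Connection
    table: str
    wheres: Tuple[Tuple[str, object], ...] = ()   # (sql fragment with '?', bound value)
    joins: Tuple[Tuple[str, str], ...] = ()       # (other table, shared key column)
    group: Optional[Tuple[str, str, str]] = None  # (by column, agg function, agg column)

    def filter(self, column: str, op: str, value) -> "LazyTable":
        """Logical indexing (df[df$column op value]); values are bound, never interpolated."""
        if op not in ALLOWED_OPS:
            raise ValueError(f"unsupported operator: {op!r}")
        return replace(self, wheres=self.wheres + ((f"{_ident(column)} {op} ?", value),))

    def merge(self, other: str, by: str) -> "LazyTable":
        """merge(x, y, by=...) becomes an inner JOIN ... USING (by)."""
        for name in (other, by):
            _ident(name)  # validate early, before any SQL exists
        return replace(self, joins=self.joins + ((other, by),))

    def aggregate(self, by: str, func: str, column: str) -> "LazyTable":
        """aggregate(column ~ by, FUN=func) becomes GROUP BY with one aggregate."""
        func = func.upper()
        if func not in ALLOWED_AGGS:
            raise ValueError(f"unsupported aggregate: {func!r}")
        return replace(self, group=(by, func, column))

    def sql(self) -> Tuple[str, list]:
        """Compile the recorded operations into one statement plus bound parameters."""
        select = "*"
        if self.group:
            by, func, col = self.group
            select = f"{_ident(by)}, {func}({_ident(col)}) AS value"
        stmt = f"SELECT {select} FROM {_ident(self.table)}"
        for other, key in self.joins:
            stmt += f" JOIN {_ident(other)} USING ({_ident(key)})"
        params = [value for _, value in self.wheres]
        if self.wheres:
            stmt += " WHERE " + " AND ".join(frag for frag, _ in self.wheres)
        if self.group:
            stmt += f" GROUP BY {_ident(self.group[0])} ORDER BY {_ident(self.group[0])}"
        return stmt, params

    def as_data_frame(self) -> list:
        """The only method that touches the database (the as.data.frame moment):
        run the compiled SQL and return just the result set as a list of dicts."""
        stmt, params = self.sql()
        cur = self.conn.execute(stmt, params)
        cols = [d[0] for d in cur.description]
        return [dict(zip(cols, row)) for row in cur.fetchall()]


def build_demo_connection() -> sqlite3.Connection:
    """Constructed sample data (not from the post): two tiny tables in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (customer_id INTEGER, country TEXT);
        CREATE TABLE orders (order_id INTEGER, customer_id INTEGER, amount REAL);
        INSERT INTO customers VALUES (1, 'DE'), (2, 'FR'), (3, 'DE');
        INSERT INTO orders VALUES (10, 1, 20.0), (11, 1, 5.0), (12, 2, 7.5),
                                  (13, 3, 1.0), (14, 3, 2.0);
    """)
    return conn


def german_order_totals(conn: sqlite3.Connection) -> LazyTable:
    """Describe 'total amount per German customer' without running anything yet."""
    return (LazyTable(conn, "orders")
            .merge("customers", by="customer_id")
            .filter("country", "=", "DE")
            .aggregate("customer_id", "sum", "amount"))


if __name__ == "__main__":
    conn = build_demo_connection()
    executed = []
    conn.set_trace_callback(executed.append)  # records every statement SQLite runs
    query = german_order_totals(conn)
    print("statements run so far:", len(executed))  # 0: nothing fetched yet
    print(query.sql())
    print(query.as_data_frame())                     # now exactly one statement runs
```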

I first saw this in a tweet by Christophe Lalanne.

Enjoy!

Wifi Fishing

August 29th, 2016

4th grader’s project on cyber security proves people will click on anything by Erin Cargile.

Evan Robertson programmed a mobile hot spot with this pop-up to connect:

…You allow any and all data you transmit to be received, reused, modified and/or redistributed in any way we deem fit. You agree to allow your connecting device to be accessed and/or modified by us in any way, including but not limited to harvesting personal information, reading and responding to your emails…If you are still reading this you should definitely not connect to this network. It’s not radical, dude. Also, we love cats. Have a good day!”

More than half of the people who connected, accepted the terms!

Sounds like a great group project for the holidays! Especially if you will be at the shopping mall anyway.

Come to think of it, use a bank logo, with more reasonable terms and you will attract unwary hackers as well.

For an extra webpage or two, you may collect some logins and passwords as well.

Enjoy!

Open Source Software & The Department of Defense

August 29th, 2016

Open Source Software & The Department of Defense by Ben FitzGerald, Peter L. Levin, and Jacqueline Parziale.

A great resource for sharing with Department of Defense (DoD) staff who may be in positions to influence software development and acquisition policies.

In particular you may want to point to the “myths” about security and open source software:

Discussion of open source software in national security is often dismissed out of hand because of technical security concerns. These are unfounded.

To debunk a few myths:

  • Using open source licensing does not mean that changes to the source code must be shared publicly.
  • The ability to see source code is not the same as the ability to modify deployed software in production.
  • Using open source components is not equivalent to creating an entire system that is itself open sourced.

As In-Q-Tel’s Chief Information Security Officer Dan Geer explains, security is “the absence of unmitigatable surprise.” It is particularly difficult to mitigate surprise with closed proprietary software, because the source code, and therefore the ability to identify and address its vulnerabilities, is hidden. “Security through obscurity” is not an effective defense against today’s cybersecurity threats.

In this context, open source software can generate better security outcomes than proprietary alternatives. Conventional anti-malware scanning and intrusion detection are inadequate for many reasons, including their “focus on known vulnerabilities” that miss unknown threats, such as zero-day exploits. As an example, a DARPA-funded team built a flight controller for small quadcopter drones based on an open source autopilot readily downloaded from the Internet. A red team “found no security flaws in six weeks with full access [to the] source code,” making their UAV the most secure on the planet.

Except that “security” to a DoD contractor has little to do with software security.

No, for a DoD contractor, “security” means change orders, which trigger additional software development cycles (largely unauditable), software testing and changes to documentation, all of which could be negatively impacted by “…an open source autopilot.”

If open source is used, there are fewer billing opportunities and that threatens the “security” of DoD contractors.

The paper makes a great case for why the DoD should make greater use of open source software and development practices, but the DoD will have to break the stranglehold of a number of current DoD contractors to do so.

Status of the Kernel Self Protection Project

August 29th, 2016

Status of the Kernel Self Protection Project by Kees (“Case”) Cook.

Slides from the Linux Security Summit 2016.

Kernel Self Protection Project links:

kernel-hardening mailing list archive.

Kernel Self Protection Project – wiki page.

Kees’ review of bug classes provides a guide to searching for new bugs and capturing data about existing ones.

Enjoy!

PS: Motivation to participate in this project:

Every bug fix makes users safer from cybercriminals and incrementally diminishes government spying.

Ethics for Powerful Algorithms

August 28th, 2016

Ethics for Powerful Algorithms by Abe Gong.

Abe’s four questions:

  1. Are the statistics solid?
  2. Who wins? Who loses?
  3. Are those changes to power structures healthy?
  4. How can we mitigate harms?

Remind me of my favorite scene from Labyrinth:

Transcript:

Sarah: That’s not fair!
Jareth: You say that so often, I wonder what your basis for comparison is?

Isn’t the question of “fairness” one for your client?

Twitter Said to Work on Anti-Harassment Keyword Filtering Tool [Good News!]

August 28th, 2016

Twitter Said to Work on Anti-Harassment Keyword Filtering Tool by Sarah Frier.

From the post:

Twitter Inc. is working on a keyword-based tool that will let people filter the posts they see, giving users a more effective way to block out harassing and offensive tweets, according to people familiar with the matter.

The San Francisco-based company has been discussing how to implement the tool for about a year as it seeks to stem abuse on the site, said the people, who asked not to be identified because the initiative isn’t public. By using keywords, users could block swear words or racial slurs, for example, to screen out offenders.

Nice to have good news to report about Twitter!

Suggestions before the code gets set in stone:

  • Enable users to “follow” filters of other users
  • Enable filters to filter on nicknames in content and as sender
  • Regexes anyone?

A big step towards empowering users!
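As an added example of the three suggestions above (my own Python sketch, not Twitter's tool and not based on any Twitter code), here is a mute filter that matches whole-word keywords, handles both as sender and as @mentions in the text, and user-supplied regexes, plus a follow() that merges another user's filter into yours. The sample timeline, the 200-character pattern cap and the handle format are my assumptions for the demo.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Twitter handles are 1-15 characters from [A-Za-z0-9_]; a mention is '@' + handle.
MENTION_RE = re.compile(r"@([A-Za-z0-9_]{1,15})\b")
MAX_PATTERN_LEN = 200  # assumed cap on user-supplied regexes; not from the post


@dataclass(frozen=True)
class Tweet:
    sender: str  # handle, with or without the leading '@'
    text: str


def _handle(h: str) -> str:
    return h.lstrip("@").lower()


class MuteFilter:
    """Hide tweets by whole-word keyword, by handle (as sender or as an @mention
    in the text), or by regex. Keywords and handles match case-insensitively."""

    def __init__(self, keywords: Iterable[str] = (), handles: Iterable[str] = (),
                 patterns: Iterable[str] = ()):
        self.keywords = frozenset(k.lower() for k in keywords if k)
        self.handles = frozenset(_handle(h) for h in handles if h)
        self.patterns = []
        for p in patterns:
            # Regexes may arrive from a followed user's filter, so reject what
            # does not compile and cap the length instead of trusting it blindly.
            if len(p) > MAX_PATTERN_LEN:
                raise ValueError("pattern too long")
            try:
                self.patterns.append(re.compile(p, re.IGNORECASE))
            except re.error as exc:
                raise ValueError(f"bad pattern {p!r}: {exc}") from exc
        # One alternation of escaped words with \b on both sides, so the keyword
        # "ass" does not hide every tweet that mentions a "class" or "passport".
        self._keyword_re = None
        if self.keywords:
            alts = "|".join(re.escape(k) for k in sorted(self.keywords, key=len, reverse=True))
            self._keyword_re = re.compile(rf"\b(?:{alts})\b", re.IGNORECASE)

    def reason(self, tweet: Tweet) -> Optional[str]:
        """Return why a tweet would be hidden, or None if it should be shown."""
        if _handle(tweet.sender) in self.handles:
            return "sender"
        for m in MENTION_RE.finditer(tweet.text):
            if m.group(1).lower() in self.handles:
                return "mention"
        if self._keyword_re and self._keyword_re.search(tweet.text):
            return "keyword"
        for p in self.patterns:
            if p.search(tweet.text):
                return "regex"
        return None

    def follow(self, other: "MuteFilter") -> "MuteFilter":
        """'Follow' another user's filter: the union of both filters' rules."""
        return MuteFilter(self.keywords | other.keywords,
                          self.handles | other.handles,
                          [p.pattern for p in self.patterns + other.patterns])


def filter_timeline(tweets: Iterable[Tweet], flt: MuteFilter) -> List[Tweet]:
    """Keep only the tweets the filter does not hide."""
    return [t for t in tweets if flt.reason(t) is None]


# Constructed sample timeline, not real tweets.
SAMPLE_TIMELINE = [
    Tweet("@alice", "Great class today, learned a lot"),
    Tweet("@troll42", "hello everyone"),
    Tweet("@bob", "cc @Troll42 what do you think?"),
    Tweet("@carol", "this is a SCAM, send btc now"),
    Tweet("@dave", "visit http://example.invalid/win-free-prizes"),
    Tweet("@erin", "nice weather"),
]

if __name__ == "__main__":
    mine = MuteFilter(keywords=["ass", "scam"], handles=["troll42"],
                      patterns=[r"free-?prizes"])
    for t in SAMPLE_TIMELINE:
        print(f"{t.sender:10} {mine.reason(t) or 'show':8} {t.text}")
```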

srez: Image super-resolution through deep learning

August 28th, 2016

srez: Image super-resolution through deep learning. by David Garcia.

From the webpage:

Image super-resolution through deep learning. This project uses deep learning to upscale 16×16 images by a 4x factor. The resulting 64×64 images display sharp features that are plausible based on the dataset that was used to train the neural net.

Here’s a random, non-cherry-picked example of what this network can do. From left to right, the first column is the 16×16 input image, the second one is what you would get from a standard bicubic interpolation, the third is the output generated by the neural net, and on the right is the ground truth.

[image: srez sample output]

Once you have collected names, you are likely to need image processing.

Here’s an interesting technique using deep learning. Face on at the moment but you can expect that to improve.

The Court That Rules The World

August 28th, 2016

The Court That Rules The World by Chris Hamby.

If the Trans-Pacific Partnership (TPP) and investor-state dispute settlement (ISDS) don’t sound dangerous to you, this series will change your mind.

Imagine a private, global super court that empowers corporations to bend countries to their will.

Say a nation tries to prosecute a corrupt CEO or ban dangerous pollution. Imagine that a company could turn to this super court and sue the whole country for daring to interfere with its profits, demanding hundreds of millions or even billions of dollars as retribution.

Imagine that this court is so powerful that nations often must heed its rulings as if they came from their own supreme courts, with no meaningful way to appeal. That it operates unconstrained by precedent or any significant public oversight, often keeping its proceedings and sometimes even its decisions secret. That the people who decide its cases are largely elite Western corporate attorneys who have a vested interest in expanding the court’s authority because they profit from it directly, arguing cases one day and then sitting in judgment another. That some of them half-jokingly refer to themselves as “The Club” or “The Mafia.”

And imagine that the penalties this court has imposed have been so crushing — and its decisions so unpredictable — that some nations dare not risk a trial, responding to the mere threat of a lawsuit by offering vast concessions, such as rolling back their own laws or even wiping away the punishments of convicted criminals.

This system is already in place, operating behind closed doors in office buildings and conference rooms in cities around the world. Known as investor-state dispute settlement, or ISDS, it is written into a vast network of treaties that govern international trade and investment, including NAFTA and the Trans-Pacific Partnership, which Congress must soon decide whether to ratify.

These trade pacts have become a flashpoint in the US presidential campaign. But an 18-month BuzzFeed News investigation, spanning three continents and involving more than 200 interviews and tens of thousands of documents, many of them previously confidential, has exposed an obscure but immensely consequential feature of these trade treaties, the secret operations of these tribunals, and the ways that business has co-opted them to bring sovereign nations to heel.

The BuzzFeed News investigation explores four different aspects of ISDS. In coming days, it will show how the mere threat of an ISDS case can intimidate a nation into gutting its own laws, how some financial firms have transformed what was intended to be a system of justice into an engine of profit, and how America is surprisingly vulnerable to suits from foreign companies.

(emphasis in original)

Read carefully and take names.

Few, if any, are beyond one degree of separation from the Internet.

Do Your Part! Illegally Download Scientific Papers

August 28th, 2016

[image: download papers poster]

From Rob Beschizza’s post at: Do Your Part! Illegally Download Scientific Papers, which has a poster-size version at 1940 x 2521 pixel resolution.

Text To Image Synthesis Using Thought Vectors

August 28th, 2016

Text To Image Synthesis Using Thought Vectors by Paarth Neekhara.

Abstract:

This is an experimental tensorflow implementation of synthesizing images from captions using Skip Thought Vectors. The images are synthesized using the GAN-CLS Algorithm from the paper Generative Adversarial Text-to-Image Synthesis. This implementation is built on top of the excellent DCGAN in Tensorflow. The following is the model architecture. The blue bars represent the Skip Thought Vectors for the captions.

OK, that didn’t grab my attention, but this did:

[image: generated images (TensorFlow)]

Full size image.

Not quite “Tea, Earl Grey, Hot,” but a step in that direction!

D3 in Depth

August 27th, 2016

D3 in Depth by Peter Cook.

From the introduction:

D3 is an open source JavaScript library for:

  • data-driven manipulation of the Document Object Model (DOM)
  • working with data and shapes
  • laying out visual elements for linear, hierarchical, network and geographic data
  • enabling smooth transitions between user interface (UI) states
  • enabling effective user interaction

Let’s unpick these one by one.

Peter forgets to mention, there will be illustrations:

[image: D3 tree view]

Same data as a packed circle:

[image: D3 packed circle]

Same data as a treemap:

[image: D3 treemap]

The first two chapters are up and I’m waiting for more!

You?

PS: Follow Peter at: @animateddata.

SkySafari 5 for Android

August 27th, 2016

SkySafari 5 for Android

I say go for the SkySafari 5 Pro!

SkySafari 5

SkySafari 5 shows you 119,000 stars, 220 of the best-known star clusters, nebulae, and galaxies in the sky; including all of the Solar System’s major planets and moons, and more than 500 asteroids, comets, and satellites. ($1.49)

SkySafari 5 Plus

SkySafari 5 Plus shows you 2.6 million stars, and 31,000 deep sky objects; including the entire NGC/IC catalog, and 18,000 asteroids, comets, and satellites with updatable orbits. Plus, state of the art mobile telescope control. ($7.49)

SkySafari 5 Pro

SkySafari 5 Pro includes over 27 million stars, 740,000 galaxies down to 18th magnitude, and 620,000 solar system objects; including every comet and asteroid ever discovered. Plus, state of the art mobile telescope control. ($19.99)

(prices as of today and as always, subject to change)

I may start using my smartphone for more than monitoring my tweet stream. ;-)

Linux debugging tools you’ll love: the zine

August 27th, 2016

Linux debugging tools you’ll love: the zine by Julia Evans.

From the website:

There are a ton of amazing debugging tools for Linux that I love. strace! perf! tcpdump! wireshark! opensnoop! I think a lot of them aren’t as well-known as they should be, so I’m making a friendly zine explaining them.

Donate, subscribe (PDF or paper)!

If you follow Julia’s blog (http://jvns.ca) or twitter (@b0rk), you know what a treat the zine will be!

If you don’t (correct that error now), consider the following sample:

[image: sample page from the zine]

It’s possible there are better explanations than Julia’s, so if and when you see one, sing out!

Until then, get the zine!

“…without prior written permission…” On a Public Website? Calling BS!

August 27th, 2016

I mentioned in Your assignment, should you choose to accept it…. that BAE Systems has been selling surveillance technology to the United Arab Emirates, the nice people behind the attempted hack of Ahmed Mansoor, a prominent human rights activist.

Since then, Joseph Cox posted: British Companies Are Selling Advanced Spy Tech to Authoritarian Regimes.

From his post:

Since early 2015, over a dozen UK companies have been granted licenses to export powerful telecommunications interception technology to countries around the world, Motherboard has learned. Many of these exports include IMSI-catchers, devices which can monitor large numbers of mobile phones over broad areas.

Some of the UK companies were given permission to export their products to authoritarian states such as Saudi Arabia, the United Arab Emirates, Turkey, and Egypt; countries with poor human rights records that have been well-documented to abuse surveillance technology.

“At a time when the use of these surveillance tools is still highly controversial in the UK, it is completely unacceptable that companies are allowed to export the same equipment to countries with atrocious human rights records or which lack rule of law altogether. There is absolutely a clear risk that these products can be used for repression and abuses,” Edin Omanovic, research officer at Privacy International, told Motherboard in an email.

Joseph’s report explains the technology and gives examples of some of the sales to the worst offenders. He also includes a link to the dataset of export sales.

Joseph obtained a list of the exporters from the UK Department for International Trade. But that list is included as an image. I created this HTML list from that image:

In an attempt to seem fierce, Cellxion Ltd has this unfriendly greeting at the bottom of their public homepage:

Your IP address, [**.**.**.**], has been recorded and all activity on this system is actively monitored. Under US Federal Law (18 U.S.C. 1030), United Kingdom Law (Computer Misuse Act 1990) and other international law it is a criminal offence to access or attempt to access this computer system without prior written authorisation from cellXion ltd. Any unauthorised attempt to access this system will be reported to the appropriate authorities and prosecuted to the full extent of the law. (emphasis added, I obscured my IP number)

What does Dogbert say? Oh, yeah,

Cellxion, kiss my wager!

As you already know, use TAILS, Tor and VPN as you pursue these leads.

Good hunting!

Shield laws and journalist’s privilege: … [And Beyond]

August 27th, 2016

Jonathan Peters’s Shield laws and journalist’s privilege: The basics every reporter should know is a must read … before a subpoena arrives.

From his post:

COMPELLED DISCLOSURE is in the air.

A federal judge has ordered Glenn Beck to disclose the names of confidential sources he used in his reporting that a Saudi Arabian man was involved in the Boston Marathon bombing. The man sued Beck for defamation after he was cleared of any involvement.

Journalist and filmmaker Mark Boal, who wrote and produced The Hurt Locker and Zero Dark Thirty, has asked a judge to block a subpoena threatened by military prosecutors who want to obtain his confidential or unpublished interviews with US Army Sgt. Bowe Bergdahl, accused of being a deserter.

A state judge has ruled that a New York Times reporter must testify at a murder trial about her jailhouse interview with the man accused of killing Anjelica Castillo, the toddler once known as Baby Hope. The judge said the interview included the only statements the man made about the crime other than those in his police confession.

If my inbox is any indication, those cases have prompted a surge of interest in shield laws and the practice of compelled disclosure. What is a shield law, exactly? When can a government official require a reporter to disclose sources or information? Who counts as a journalist under a shield law? What types of sources or information are protected? Is there a big difference between a subpoena and a search warrant?

Those are the questions I’ve been asked most often in this area, as a First Amendment lawyer and scholar, and this post will try to answer them. (Please keep in mind that I’m a lawyer, not your lawyer, and these comments shouldn’t be construed as legal advice.)

As useful as Jonathan’s advice is, in conjunction with advice from your own lawyer, I would point out that by the time a subpoena arrives, you have already lost.

Because of circumstances, a jail house interview where you are the only possible source, or bad OpSec, you have been identified as possessing information state authorities want.

As Jonathan points out, there are governments with shield laws and notions of journalist privilege, but even those have fallen on hard times.

Outside of single source situations, consider anonymous posting of information needed for your story.

You can cite the public posting, as can others, which leaves the authorities without a target for their “name of the source” subpoena. It’s public information.

No one will be able to duplicate months of research and writing within a week or two, and public posting may keep you out of the cross-hairs of local government.

Posting unpublished information is anathema to some, who think hoarding is the only path to readers. They are the best judges of whether they are read because they hoard or because of their skills as story tellers and analysts.

As an additional precaution, I assume you have a documented story development trail that you can fight tooth and nail to keep, which when disclosed shows your reliance on the publicly posted data. Yes?

PS: WikiLeaks is one example of a public posting venue. Dark web sites for states (or other administrative divisions) or cities might be more appropriate. My suggestion is to choose one that doesn’t censor data dumps. Ever.

A Reproducible Workflow

August 26th, 2016

The video is 104 seconds and highly entertaining!

From the description:

Reproducible science not only reduces errors, but speeds up the process of re-running your analysis and auto-generates updated documents with the results. More info at: www.bit.ly/reprodu

How are you making your data analysis reproducible?

Enjoy!

Germany and France declare War on Encryption to Fight Terrorism

August 26th, 2016

Germany and France declare War on Encryption to Fight Terrorism by Mohit Kumar.

From the post:

Yet another war on Encryption!

France and Germany are asking the European Union for new laws that would require mobile messaging services to decrypt secure communications on demand and make them available to law enforcement agencies.

French and German interior ministers this week said their governments should be able to access content on encrypted services in order to fight terrorism, the Wall Street Journal reported.
(emphasis in original)

On demand decryption? For what? Rot-13 encryption?

The Franco-German text transmitted to the European Commission.

The proposal wants to extend current practices of Germany and France with regard to ISPs but doesn’t provide any details about those practices.

In case you have influence with the budget process at the EU, consider pointing out there is no, repeat no evidence that any restriction on encryption will result in better police work combating terrorism.

But then, what government has ever pushed for evidence-based policies?

New Virus Breaks The Rules Of Infection – Cyber Analogies?

August 26th, 2016

New Virus Breaks The Rules Of Infection by Michaeleen Doucleff.

From the post:

Human viruses are like a fine chocolate truffle: It takes only one to get the full experience.

At least, that’s what scientists thought a few days ago. Now a new study published Thursday is making researchers rethink how some viruses could infect animals.

A team at the U.S. Army Medical Research Institute of Infectious Diseases has found a mosquito virus that’s broken up into pieces. And the mosquito needs to catch several of the pieces to get an infection.

“It’s the most bizarre thing,” says Edward Holmes, a virologist at the University of Sydney, who wasn’t involved in the study. It’s like the virus is dismembered, he says.

“If you compare it to the human body, it’s like a person would have their legs, trunk and arms all in different places,” Holmes says. “Then all the pieces come together in some way to work as one single virus. I don’t think anything else in nature moves this way.”

Also from the post:

These are insect cells infected with the Guaico Culex virus. The different colors denote cells infected with different pieces of the virus. Only the brown-colored cells are infectious, because they contain the complete virus. Michael Lindquist/Cell Press

(image: new-virus-pieces-460)

The full scale image.

How very cool!

Any known analogies in computer viruses?

Your assignment, should you choose to accept it….

August 26th, 2016

You may (or may not) remember the TV show, Mission Impossible. It had a cast of regulars who formed a spy team to undertake “impossible” tasks that could not be traced back to the U.S. government.

Stories like: BAE Systems Sells Internet Surveillance Gear to United Arab Emirates make me wish for a non-nationalistic, modern equivalent of the Mission Impossible team.

You may recall the United Arab Emirates (UAE) were behind the attempted hack of Ahmed Mansoor, a prominent human rights activist.

So much for the UAE needing spyware for legitimate purposes.

From the article:


In a written statement, BAE Systems said, “It is against our policy to comment on contracts with specific countries or customers. BAE Systems works for a number of organizations around the world, within the regulatory frameworks of all relevant countries and within our own responsible trading principles.”

The Danish Business Authority told Andersen it found no issue approving the export license to the Ministry of the Interior of the United Arab Emirates after consulting with the Danish Ministry of Foreign Affairs, despite regulations put in place by the European Commission in October 2014 to control exports of spyware and internet surveillance equipment out of concern for human rights. The ministry told Andersen in an email it made a thorough assessment of all relevant concerns and saw no reason to deny the application.

It doesn’t sound like any sovereign government is going to restrain BAE Systems and/or the UAE.

Consequences for their mis-deeds will have to come from other quarters.

Like the TV show started every week:

Your assignment, should you choose to accept it….

Restricted U.S. Army Geospatial Intelligence Handbook

August 26th, 2016

Restricted U.S. Army Geospatial Intelligence Handbook

From the webpage:

This training circular provides GEOINT guidance for commanders, staffs, trainers, engineers, and military intelligence personnel at all echelons. It forms the foundation for GEOINT doctrine development. It also serves as a reference for personnel who are developing doctrine; tactics, techniques, and procedures; materiel and force structure; and institutional and unit training for intelligence operations.

1-1. Geospatial intelligence is the exploitation and analysis of imagery and geospatial information to describe, assess, and visually depict physical features and geographically referenced activities on the Earth. Geospatial intelligence consists of imagery, imagery intelligence, and geospatial information (10 USC 467).

Note. TC 2-22.7 further implements that GEOINT consists of any one or any combination of the following components: imagery, IMINT, or GI&S.

1-2. Imagery is the likeness or presentation of any natural or manmade feature or related object or activity, and the positional data acquired at the same time the likeness or representation was acquired, including: products produced by space-based national intelligence reconnaissance systems; and likenesses and presentations produced by satellites, aircraft platforms, unmanned aircraft vehicles, or other similar means (except that such term does not include handheld or clandestine photography taken by or on behalf of human intelligence collection organizations) (10 USC 467).

1-3. Imagery intelligence is the technical, geographic, and intelligence information derived through the interpretation or analysis of imagery and collateral materials (10 USC 467).

1-4. Geospatial information and services refers to information that identifies the geographic location and characteristics of natural or constructed features and boundaries on the Earth, including: statistical data and information derived from, among other things, remote sensing, mapping, and surveying technologies; and mapping, charting, geodetic data, and related products (10 USC 467).

(image: geospatial-intel-1-460)

You may not have the large fixed-wing assets described in this handbook, but the “value-added layers” are within your reach with open data.

(image: geospatial-intel-2-460)

In localized environments, your value-added layers may be more current and useful than those produced on longer time scales.

Topic maps can support geospatial collations of information alongside other views of the same data.

A great opportunity to understand how a modern military force understands and uses geospatial intelligence.

Not to mention testing your ability to recreate that geospatial intelligence without dedicated tools.

Hair Ball Graphs

August 26th, 2016

An example of a non-useful “hair ball” graph visualization:

(image: hairball-01-460)

That image is labeled as “standard layout” at a site that offers this cohesion adapted layout alternative:

(image: hairball-alternative-B02b-460)

The full-size image is quite impressive.

If you were attempting to visualize vulnerabilities, which one would you pick?

The Hanselminutes Podcast

August 26th, 2016

The Hanselminutes Podcast: Fresh Air for Developers by Scott Hanselman.

I went looking for Felienne’s podcast on code smells and discovered along with it, The Hanselminutes Podcast: Fresh Air for Developers!

Felienne’s podcast is #542 so there is a lot of content to enjoy! (I checked the archive. Yes, there really are 542 episodes as of today.)

Exploring Code Smells in code written by Children

August 26th, 2016

Exploring Code Smells in code written by Children (podcast) by Dr. Felienne

From the description:

Felienne is always learning. In exploring her PhD dissertation and her public speaking experience it’s clear that she has no intent on stopping! Most recently she’s been exploring a large corpus of Scratch programs looking for Code Smells. How do children learn how to code, and when they do, does their code “smell?” Is there something we can do when teaching to promote cleaner, more maintainable code?

Felienne discusses a paper due to appear in September on the analysis of 250K Scratch programs for code smells.

Thoughts on teaching programmers to detect bug smells?

Apple/NSO Trident 0days – Emergency or Another Day of 0days?

August 26th, 2016

For an emergency view of the Apple/NSO Trident 0days issues, you can read Apple tackles iPhone one-tap spyware flaws (BBC), Apple issues security update to prevent iPhone spyware (USATODAY), or IPhone Users Urged to Update Software After Security Flaws Are Found (NYT).

On the other hand, Robert Graham, @ErrataRob, says it’s just another day of 0days:


Press: it’s news to you, it’s not news to us

I’m seeing breathless news articles appear. I dread the next time that I talk to my mom that she’s going to ask about it (including “were you involved”). I suppose it is new to those outside the cybersec community, but for those of us insiders, it’s not particularly newsworthy. It’s just more government malware going after activists. It’s just one more set of 0days.

I point this out in case press wants to contact for some awesome sounding quote about how exciting/important this is. I’ll have the opposite quote.

Don’t panic: all patches fix 0days

We should pay attention to context: all patches (for iPhone, Windows, etc.) fix 0days that hackers can use to break into devices. Normally these 0days are discovered by the company itself or by outside researchers intending to fix (and not exploit) the problem. What’s different here is that where most 0days are just a theoretical danger, these 0days are an actual danger — currently being exploited by the NSO Group’s products. Thus, there’s maybe a bit more urgency in this patch compared to other patches.

Don’t panic: NSA/Chinese/Russians using secret 0days anyway

It’s almost certain the NSA, the Chinese, and the Russians have similar 0days. That means applying this patch makes you safe from the NSO Group (for a while, until they find new 0days), but it’s unlikely this patch makes you safe from the others.
… (Notes on the Apple/NSO Trident 0days)

Taking all communication systems as insecure, digital ones in particular, ErrataRob’s position has merit.

However, the consequences of a lapse of security for someone like Ahmed Mansoor are far from trivial.

Consider this passage from the executive summary in The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender:

Ahmed Mansoor is an internationally recognized human rights defender, based in the United Arab Emirates (UAE), and recipient of the Martin Ennals Award (sometimes referred to as a “Nobel Prize for human rights”). On August 10 and 11, 2016, Mansoor received SMS text messages on his iPhone promising “new secrets” about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers. We recognized the links as belonging to an exploit infrastructure connected to NSO Group, an Israel-based “cyber war” company that sells Pegasus, a government-exclusive “lawful intercept” spyware product. NSO Group is reportedly owned by an American venture capital firm, Francisco Partners Management.

The ensuing investigation, a collaboration between researchers from Citizen Lab and from Lookout Security, determined that the links led to a chain of zero-day exploits (“zero-days”) that would have remotely jailbroken Mansoor’s stock iPhone 6 and installed sophisticated spyware. We are calling this exploit chain Trident. Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements.

We are not aware of any previous instance of an iPhone remote jailbreak used in the wild as part of a targeted attack campaign, making this a rare find.

ErrataRob’s point that 0days are everywhere and all governments have them doesn’t diminish the importance of the patch for iPhone users, nor does it provide a sense of direction for what’s next.

Here’s a 0day policy question:

Does disclosure of 0days to vendors disarm citizens while allowing governments to retain more esoteric 0days?

Governments are not going to disarm themselves of 0days so I see no reason for “responsible disclosure” to continue to disarm the average citizen.

Technical analysis of the NSO Trident 0days: The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender, and Technical Analysis of Pegasus Spyware.

Both of those reports will give you insight into this attack and hopefully spur ideas for analysis and attack.

BTW, the Apple software update.
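Graham’s practical point is that the patch is what closes the Trident chain for the devices you are responsible for, so the defender’s job is to find the devices that have not taken it. Below is an added example of that check, written for this post and not taken from Apple, Citizen Lab, Lookout or the post itself: it reads a constructed inventory export and buckets devices into patched, unpatched and unknown. The minimum version is a labelled placeholder (the post does not state the fixed release, so none is claimed here), and the inventory lines are constructed. It also shows the failure mode such scripts usually have: comparing version strings as text, where "9.3.100" sorts before "9.3.99".

```python
"""Added example: patch-compliance triage over a device inventory.
Not from the post or any vendor; the minimum version is a PLACEHOLDER."""
import re
from typing import List, Tuple

# PLACEHOLDER: replace with the version of the actual security update.
# The value below is hypothetical and not the real fixed release.
MIN_PATCHED_VERSION = "9.3.99"

# Constructed inventory export, one "<device_id>,<os>,<version>" per line.
INVENTORY = """\
dev-001,iOS,9.3.50
dev-002,iOS,9.3.100
dev-003,iOS,10.0
dev-004,iOS,9.3.99
dev-005,iOS,not-reported
dev-006,Android,7.0
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.3.100' into (9, 3, 100). As plain strings '9.3.100' < '9.3.99',
    which would mark a newer build as unpatched; integers compare correctly."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in text.split("."))


def is_patched(version: str, minimum: str = MIN_PATCHED_VERSION) -> bool:
    """True when version >= minimum. Short tuples are zero-padded so that
    '10.0' compares as (10, 0, 0) against (9, 3, 99)."""
    v, m = parse_version(version), parse_version(minimum)
    width = max(len(v), len(m))
    v += (0,) * (width - len(v))
    m += (0,) * (width - len(m))
    return v >= m


def triage(inventory: str, platform: str = "iOS") -> dict:
    """Bucket device ids into patched / unpatched / unknown. A version that
    cannot be parsed is reported as unknown, never silently counted as
    patched, because a blank or garbage field is exactly the device you
    want a human to look at."""
    patched: List[str] = []
    unpatched: List[str] = []
    unknown: List[str] = []
    for line in inventory.strip().splitlines():
        dev, os_name, version = line.split(",")
        if os_name != platform:
            continue
        try:
            (patched if is_patched(version) else unpatched).append(dev)
        except ValueError:
            unknown.append(dev)
    return {"patched": patched, "unpatched": unpatched, "unknown": unknown}


if __name__ == "__main__":
    for bucket, devs in triage(INVENTORY).items():
        print(f"{bucket}: {', '.join(devs) or '-'}")
```

Run against a real MDM export, the "unknown" bucket is as important as "unpatched": devices that stopped reporting are the ones whose state you cannot vouch for.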

A Tiny Whiff Of Freedom – But Only A Tiny One

August 26th, 2016

No guarantees that it will last but CNN reports: French court suspends burkini bans.

Just in case you haven’t defamed the French police recently, do use the image from that article or from my post: Defame the French Police Today!

I am sickened that anyone finds it acceptable for men to force women to disrobe.

It is even more disturbing that no one in the immediate area intervened on her behalf.

Police abuse will continue and escalate until average citizens step up and intervene.