Tor Keeps You Off #KRACK

October 17th, 2017

You have seen the scrambling to address KRACK (Key Reinstallation Attack), a weakness in the WPA2 protocol. Serious flaw in WPA2 protocol lets attackers intercept passwords and much more by Dan Goodin and Falling through the KRACKs by John Green are two highly informative and amusing posts out of the literally dozens written on KRACK.

I won’t repeat their analysis here, but I wanted to point out that Tor users are immune from KRACK, unpatched, etc.

A teaching moment to educate users about Tor!

Unicode Egyptian Hieroglyphic Fonts

October 16th, 2017

Unicode Egyptian Hieroglyphic Fonts by Bob Richmond.

From the webpage:

These fonts all contain the Unicode 5.2 (2009) basic set of Egyptian Hieroglyphs.

Please contact me if you know of any others, or information to include.

Also of interest:

UMdC Coding Manual for Egyptian Hieroglyphic in Unicode

UMdC (Unicode MdC) aims to provide guidelines for encoding Egyptian Hieroglyphic and related scripts in Unicode using plain text with optional lightweight mark-up.

This GitHub project is the central point for development of UMdC and associated resources. Features of UMdC are still in a discussion phase so everything here should be regarded as preliminary and subject to change. As such the project is initially oriented towards expert Egyptologists and software developers who wish to help ensure the ancient Egyptian writing system is well supported in modern digital media.

The Manuel de Codage (MdC) system for digital encoding of Ancient Egyptian textual data was adopted as an informal standard in the 1980s and has formed the basis for most subsequent digital encodings, sometimes using extensions or revisions to the original scheme. UMdC links to the traditional methodology in various ways to help with the transition to Unicode-based solutions.

As with the original MdC system, UMdC data files (.umdc) can be viewed and edited in standard text editors (such as Windows Notepad) and the HTML <textarea></textarea> control. Specialist software applications can be adapted or developed to provide a simpler workflow or enable additional techniques for working with the material.

Also see UMdC overview [pdf].

A UMdC-compatible hieroglyphic font Aaron UMdC Alpha (relative to the current draft) can be downloaded from the Hieroglyphs Everywhere Fonts project.

For news and information on Ancient Egyptian in Unicode see https://hieroglyphseverywhere.blogspot.co.uk/.

I understand the need for “plain text” viewing of hieroglyphics, especially for primers and possibly for search engines, but Egyptian hieroglyphs can be written facing right or left, top to bottom and more rarely bottom to top. Moreover, artistic and other considerations can result in transposition of glyphs out of their “linear” order in a Western reading sense.

Unicode hieroglyphs are a major step forward for the interchange of hieroglyphic texts but we should remain mindful “linear” presentation of inscription texts is a far cry from their originals.

The greater our capacity for graphic representation, the more we simplify complex representations from the past. Are the needs of our computers really that important?

A cRyptic crossword with an R twist

October 13th, 2017

A cRyptic crossword with an R twist

From the post:

Last week’s R-themed crossword from R-Ladies DC was popular, so here’s another R-related crossword, this time by Barry Rowlingson and published on page 39 of the June 2003 issue of R-news (now known as the R Journal). Unlike the last crossword, this one follows the conventions of a British cryptic crossword: the grid is symmetrical, and eschews 4×4 blocks of white or black squares. Most importantly, the clues are in the cryptic style: rather than being a direct definition, cryptic clues pair wordplay (homonyms, anagrams, etc) with a hidden definition. (Wikipedia has a good introduction to the types of clues you’re likely to find.) Cryptic crosswords can be frustrating for the uninitiated, but are fun and rewarding once you get into it.

In fact, if you’re unfamiliar with cryptic crosswords, this one is a great place to start. Not only are many (but not all) of the answers related in some way to R, Barry has helpfully provided the answers along with an explanation of how the cryptic clue was formed. There’s no shame in peeking, at least for a few, to help you get your legs with the cryptic style.

Another R crossword for your weekend enjoyment!

Enjoy!

Fact-Free Reporting on Kaspersky Lab – Stealing NSA Software Tip

October 12th, 2017

I tweeted:

@thegrugq Israelis they hacked Kaspersky, saw Russians there, tell NSA, lots of he, they, we say, few facts.

[T]he grugq @thegrugq responded with the best question on the Kaspersky story:

What would count as a fact here? Kaspersky publicised the hack when it happened. Does that count as a fact?

What counts as a fact is central to my claim that thus far, all we have seen is fact-free reporting on the alleged use of Kaspersky Lab software to obtain NSA tools.

Opinions are reported, but not facts you could give to an expert like Bruce Schneier and ask for an opinion.

What would I think of as “facts” in this case?

What did Israeli intelligence allegedly see when it hacked into Kaspersky Lab?

Not some of the data, not part of the data, but a record of all the data seen upon which they then concluded the Russians were using it to search for NSA software.

To the automatic objection that this was a “secret intelligence operation,” let me point out that without that evidence, the NSA and anyone else further down the chain of distribution of the Israeli opinion were being manipulated by that opinion in the absence of facts.

Just as the NSA wants to foist its opinion on the public, through unnamed sources, without any evidence for the public to form its own opinion based on facts.

Preventing contrary opinions, or avoiding any questioning of an opinion, can only be achieved by blocking access to the alleged evidence that “supports” the opinion.

Without any “facts” to speak of, the Department of Homeland Security is attempting to govern all federal agencies and their use of Kaspersky security software.

Stating the converse, how do you dispute claims made by unnamed sources that say the Israelis saw the Russians using Kaspersky Lab software to look for NSA software?

The obvious answer is that you can’t. There are no facts to check, no data to examine, and that, in my opinion, is intentional.

PS: If you want to steal NSA software, history says the easiest route is to become an NSA contractor. Much simpler than hacking anti-virus software, then using it to identify likely computers, then hacking the identified computers. Plus, you get paid vacation every year until you are caught. Who can argue with that?

Cheap Tracking of Public Officials/Police

October 12th, 2017

The use of license plate readers by law enforcement and others is on the rise. Such readers record the location of your license plate at a particular time and place. They also relieve public bodies of large sums of money.

How I replicated an $86 million project in 57 lines of code by Tait Brown details how he used open source software to create a “…good enough…” license plate reader for far less than the ticket price of $86 million.

Brown has an amusing (read unrealistic) good Samaritan scenario for his less expensive/more extensive surveillance system:


While it’s easy to get caught up in the Orwellian nature of an “always on” network of license plate snitchers, there are many positive applications of this technology. Imagine a passive system scanning fellow motorists for an abductor’s car that automatically alerts authorities and family members to their current location and direction.

Tesla vehicles are already brimming with cameras and sensors with the ability to receive OTA updates — imagine turning them into a virtual fleet of good Samaritans. Uber and Lyft drivers could also be outfitted with these devices to dramatically increase the coverage area.

Using open source technology and existing components, it seems possible to offer a solution that provides a much higher rate of return — for an investment much less than $86M.

The better use of Brown’s less expensive/more extensive surveillance system is tracking police and public official cars. Invite them into the goldfish bowl they have created for all the rest of us.

A great public data resource for testing testimony about the presence/absence of police officers at crime scenes, protests, long rides to the police station and public officials consorting with co-conspirators.

ACLU calls for the government to monitor itself reflect an unhealthy confidence in governmental integrity. Only a close watch on government by citizens enables governmental integrity.

XML Prague 2018 – Apology to Procrastinators

October 12th, 2017

Apology to all procrastinators: I just saw the Call for Proposals for XML Prague 2018.

You only have 50 days (until November 30, 2017) to submit your proposals for XML Prague 2018.

Efficient people don’t realize that 50 days is hardly enough time to put off thinking about a proposal topic, much less to fail to write down anything for a proposal. A completely unreasonable demand, but do try to procrastinate quickly and get a proposal done for XML Prague 2018.

The suggestion of doing a “…short video…” seems rife with potential for humor and/or NSFW images. Perhaps XML Prague will post the best “…short videos…” to YouTube?

From the webpage:

XML Prague 2018 now welcomes submissions for presentations on the following topics:

  • Markup and the Extensible Web – HTML5, XHTML, Web Components, JSON and XML sharing the common space
  • Semantic visions and the reality – micro-formats, semantic data in business, linked data
  • Publishing for the 21st century – publishing toolchains, eBooks, EPUB, DITA, DocBook, CSS for print, …
  • XML databases and Big Data – XML storage, indexing, query languages, …
  • State of the XML Union – updates on specs, the XML community news, …
  • XML success stories – real-world use cases of successful XML deployments

There are several different types of slots available during the conference and you can indicate your preferred slot during submission:

  • 30 minutes
  • 15 minutes
    These slots are suitable for normal conference talks.
  • 90 minutes (unconference)
    Ideal for holding a users meeting or workshop during the unconference day (Thursday).

All proposals will be submitted for review by a peer review panel made up of the XML Prague Program Committee. Submissions will be chosen based on interest, applicability, technical merit, and technical correctness.

Authors should strive to contain original material and belong in the topics previously listed. Submissions which can be construed as product or service descriptions (adverts) will likely be deemed inappropriate. Other approaches such as use case studies are welcome but must be clearly related to conference topics.

Proposals can have several forms:

  • full paper
    In our opinion, still the ideal and classical way of proposing a presentation. A full paper gives reviewers enough information to properly assess your proposal.
  • extended abstract
    A concise 1-4 page long description of your topic. If you do not have time to write a full paper proposal, this is one possible way to go. Try to make your extended abstract concrete and specific. A too short or vague abstract will not convince reviewers that it is worth including in the conference schedule.
  • short video (max. 5 minutes)
    If you are not a writing person but you still have something interesting to present, simply capture a short video (no longer than 5 minutes) containing part of your presentation. The video can capture you, or it can be a screencast.

I mentioned XSLT security attacks recently; perhaps you could do something similar on XQuery? Or on other ways to use XML and related technologies to breach cybersecurity?

Do submit proposals and enjoy XML Prague 2018!

Online Verification Course (First Draft) [Open To Public – January 2018]

October 11th, 2017

First Draft launches its online verification training course

From the post:

Journalists strive to get the story right, but as we are bombarded by far more information than ever before, the tools and skills crucial to telling the whole story are undergoing a profound change. Understanding who took the photo or video, who created the website and why, enables journalists to meet these challenges. Verification training, up until now, has largely been done on the job and as needed. But today, we’re thrilled to announce the launch of our online verification course.

In this course, we teach you the steps involved in verifying the eyewitness media, fabricated websites, visual memes and manipulated videos that emerge on social media. The course is designed so that anyone can take the course from start to finish online, or educators can take elements and integrate them into existing classroom teaching. For newsroom training managers, we hope that you can encourage your staff to take the course online, or you can take individual videos and tutorials and use them during brown-bag lunches. We provide relevant and topical examples — from events such as Hurricane Irma and the conflict in Syria — to show how these skills and techniques are put into practice.

The course is open only to First Draft partners until January 2018, so consider that as an incentive for your organization to become a First Draft partner!

I haven’t seen the course material, but the video introduction and the high quality of all other First Draft materials set high expectations for the verification course.

Looking forward to a First Draft course on skepticism for journalists, which uses the recent Wall Street Journal repetition of government slanders about Kaspersky Lab, which was subsequently discovered to be: “we (Israel) broke into the Kaspersky house and while robbing the place saw another burglar (Russia) there and they were looking for NSA software, so we alerted the NSA.” (How Israel Caught Russian Hackers Scouring the World for U.S. Secrets)

Only an editor suffering from nationalism to the point of its being a mental disorder would publish such a story without independent verification. It could all well be true, but when all the sources are known liars, something more is necessary before reporting it as “fact.”

Busting Fake Tweeters

October 10th, 2017

The ultimate guide to bust fake tweeters: A video toolkit in 10 steps by Henk van Ess.

From the post:

Twitter is full of false information. Even Twitter co-founder Ev Williams recognizes that there is a “junk information epidemic going on,” as “[ad-driven platforms] are benefiting from people generating attention at pretty much any cost.”

This video toolkit is intended to help you debunk dubious tweets. It was first developed in research by the Institute for Strategic Dialogue and the Arena Program at the London School of Economics to detect Russian social media influence during the German elections. It was also the basis for a related BuzzFeed article on a Russian bot farm and tweets about the AfD — the far-right party that will enter the German parliament for the first time.

This is an excellent resource for teaching users skepticism about Twitter accounts.

For your use in creating a personal cheatsheet (read van Ess for the links):

  1. Find the exact minute of birth
  2. Find the first words
  3. Check the followers
  4. Find Twitter users in Facebook
  5. Find suspicious words in tweets
  6. Searching in big data
  7. Connect a made up Twitter handle to a real social media account
  8. Find a social score
  9. How alive is the bot?
  10. When (and how) is your bot tweeting?

Deciding that a Twitter account may be legitimate is only the first step in evaluating tweeted content.

The @WSJ account belongs to the Wall Street Journal, but it doesn’t follow that their tweets are accurate or even true. Witness their repetition of government rumors about Kaspersky Lab, for example. Not one shred of evidence, but the WSJ repeats it.

Be skeptical of all Tweets, not just ones attributed to the “enemy of the day.”

Wall Street Journal Misses Malvertising Story – Congressional Phishing Tip

October 10th, 2017

Warning: Millions of POrnhub Users Hit With Malvertising Attack by Mohit Kumar.

From the post:

Researchers from cybersecurity firm Proofpoint have recently discovered a large-scale malvertising campaign that exposed millions of Internet users in the United States, Canada, the UK, and Australia to malware infections.

Active for more than a year and still ongoing, the malware campaign is being conducted by a hacking group called KovCoreG, which is well known for distributing Kovter ad fraud malware that was used in 2015 malicious ad campaigns, and most recently earlier in 2017.

The KovCoreG hacking group initially took advantage of POrnHub—one of the world’s most visited adult websites—to distribute fake browser updates that worked on all three major Windows web browsers, including Chrome, Firefox, and Microsoft Edge/Internet Explorer.

According to the Proofpoint researchers, the infections in this campaign first appeared on POrnHub web pages via a legitimate advertising network called Traffic Junky, which tricked users into installing the Kovter malware onto their systems.

When you spend your time spreading government-directed character assassination rumors about Kaspersky Lab, you miss opportunities to warn your readers about malvertising infections from PornHub.

Just today, the Wall Street Journal (WSJ) left its readers in the dark about Kovter ad fraud malware from PornHub.

You can verify that claim by searching wsj.com with site:wsj.com plus KovCoreG, Kovter, and PornHub. As of 15:00 on October 9, 2017, I got zero “hits.”

The WSJ isn’t a computer security publication, but an infection from one of the most popular websites in the world, especially one of interest to likely WSJ subscribers (Harvey Weinstein and Donald Trump, for example), should be front page, above the fold.

Yes?

PS: Congressional Phishing Tip: For phishing congressional staffers, members of congress, their allies and followers, take a hint from the line: “…POrnHub—one of the world’s most visited adult websites….” Does that suggest subject matter for phishing that has proven to be effective?

Euromyths A-Z index

October 9th, 2017

Euromyths A-Z index is an index of foolish acts attributed to the EU that are false.

See the EU site for foolish acts that are true.

Enjoy!

PS: There are Snopes and Politifact for US politics; should there be a more legislation/regulation-oriented resource?

The IRS hiring Equifax for security after its data breach, for example (true). I don’t find that surprising; compared to government security practices, Equifax is the former KGB.

How To Be A Wizard Programmer – Julia Evans @b0rk

October 9th, 2017

See at full scale.

Criticism: Julia does miss one important step!

Follow: Julia Evans @b0rk

😉

OnionShare – Safely Sharing Email Leaks – 394 Days To Mid-terms

October 8th, 2017

FiveThirtyEight concludes Clinton’s leaked emails had some impact on the 2016 presidential election, but can’t say how much. How Much Did WikiLeaks Hurt Hillary Clinton?

Had the leaked emails been less boring and inconsequential, “smoking gun” sorts of emails, their impact could have been substantial.

The lesson being that the impact of campaign/candidate/party emails is impossible to judge until they have been leaked. Even then the impact may be uncertain.

“Leaked emails” presumes someone has leaked the emails, which in light of the 2016 presidential election, is a near certainty for the 2018 congressional mid-term elections.

Should you find yourself in possession of leaked emails, you may want a way to share them with others. My preference is for public posting without edits or deletions, but not everyone shares my confidence in the public.

One way to share files securely and anonymously with specific people is OnionShare.

From the wiki page:

What is OnionShare?

OnionShare lets you securely and anonymously share files of any size. It works by starting a web server, making it accessible as a Tor onion service, and generating an unguessable URL to access and download the files. It doesn’t require setting up a server on the internet somewhere or using a third party filesharing service. You host the file on your own computer and use a Tor onion service to make it temporarily accessible over the internet. The other user just needs to use Tor Browser to download the file from you.

How to Use

http://asxmi4q6i7pajg2b.onion/egg-cain. This is the secret URL that can be used to download the file you’re sharing.

Send this URL to the person you’re sending the files to. If the files you’re sending aren’t secret, you can use normal means of sending the URL, like by emailing it, or sending it in a Facebook or Twitter private message. If you’re sending secret files then it’s important to send this URL securely.

The person who is receiving the files doesn’t need OnionShare. All they need is to open the URL you send them in Tor Browser to be able to download the file.
(emphasis in original)
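The two halves of the design quoted above are a local web server and an unguessable URL, with Tor providing the reachability and anonymity. The following is an added example, not OnionShare’s own code, that keeps only the web-server half: one file is served at exactly one random, high-entropy path, and every other path gets the same 404 with no hint. The Tor onion service is assumed and omitted; the server binds to 127.0.0.1, which is where a real onion service would forward connections. The payload, file name and `fetch()` helper (the recipient’s side of the exchange) are constructed for the demonstration.

```python
"""Minimal secret-URL file share in the spirit of OnionShare's design.

Added illustration, not OnionShare's code.  Assumptions: the Tor onion
service in front of the server is omitted, and the shared file is an
in-memory byte string rather than a file on disk.
"""
import hmac
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def make_slug(nbytes: int = 16) -> str:
    """Unguessable path component from the OS CSPRNG (128 bits by default)."""
    return secrets.token_urlsafe(nbytes)


def path_is_authorized(request_path: str, slug: str) -> bool:
    """Compare the whole request path against '/<slug>' in constant time."""
    expected = "/" + slug
    return hmac.compare_digest(request_path.encode(), expected.encode())


class SingleFileHandler(BaseHTTPRequestHandler):
    """Serves one in-memory payload at exactly one secret path."""
    slug = ""
    payload = b""
    filename = "download.bin"

    def do_GET(self):
        if not path_is_authorized(self.path, self.slug):
            # Identical 404 for '/', near-misses and garbage: nothing to enumerate.
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Disposition",
                         'attachment; filename="%s"' % self.filename)
        self.send_header("Content-Length", str(len(self.payload)))
        self.end_headers()
        self.wfile.write(self.payload)

    def log_message(self, format, *args):
        # Request paths contain the secret; keep them out of stdout and logs.
        pass


def start_share(payload: bytes, filename: str = "download.bin"):
    """Start a share on an ephemeral localhost port; returns (server, slug)."""
    slug = make_slug()
    handler = type("ShareHandler", (SingleFileHandler,),
                   {"slug": slug, "payload": payload, "filename": filename})
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, slug


def fetch(port: int, path: str):
    """Recipient side (constructed helper): GET a path, return (status, body)."""
    url = "http://127.0.0.1:%d%s" % (port, path)
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""


if __name__ == "__main__":
    # Constructed sample payload; in practice this would be the shared file.
    server, slug = start_share(b"constructed sample payload\n", "sample.txt")
    port = server.server_address[1]
    print("secret URL: http://127.0.0.1:%d/%s" % (port, slug))
    print(fetch(port, "/" + slug))       # (200, b'constructed sample payload\n')
    print(fetch(port, "/" + slug[:-1]))  # (404, b'')
    server.shutdown()
```

The two properties worth noticing are that the secret lives only in the path, so the URL is the entire credential (which is why the wiki text insists on sending it securely), and that the server never logs or echoes the path, so a wrong guess learns nothing beyond a generic 404.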

Download OnionShare 1.1. Versions are available for Windows and Mac OS X, with instructions for Ubuntu, Fedora and other flavors of Linux.

Caveat: If you are sending a secret URL to leaked emails or other leaked data, use ordinary mail: no return address, a standard envelope from a package you then discard, the URL spelled out with letters cut from a newspaper and taped in the correct order on the back of a blank counter deposit slip, sent to the intended recipient. (No licking, it leaves trace DNA.)

Those are the obvious security points about delivering a secret URL. Take that as a starting point.

PS: I would never contact the person chosen for sharing about the shared emails. They can be verified separately and apart from you as the source. Every additional contact puts you in increased danger of becoming part of a public story. What they don’t know, they can’t tell.

Shaming Hackers – New (Failing) FBI Strategy

October 8th, 2017

There are times, not often, when government agencies are so clueless that I feel pity for them.

Case in point, the FBI strategy reported in FBI’s Cyber Strategy: Shame the Hackers.

From the post:

The Federal Bureau of Investigation wants to publicly shame cyber criminals after they’ve been caught as part of an effort to make sure malicious actors don’t count on anonymity.

“You will be identified, pursued, and held to account no matter where you are in the world,” Paul Abbate, the FBI’s executive assistant director of the Criminal, Cyber, Response and Services Branch, said at a U.S. Chamber of Commerce event in Washington Wednesday.

The FBI’s cyber response team is focused on tracking down “high-level network and computer intrusion,” carried out by “state-sponsored hackers and global organized criminal syndicates,” Abbate said. Often, these malicious actors are operating from overseas, using “foreign technical infrastructure” that makes the threats especially difficult to detect.

Once those actors are identified, the FBI tries to “impose costs on them,” which might include “economic sanctions, prison terms, or battlefield death.” It also aims to “publicly name them, shame them, and let everyone know who they are…[so they] don’t feel immune or anonymous.”

Hmmmm, but if being anonymous is the goal of hackers, why do so many claim credit for hacks?

A smallish sampling of such claims:

  • “Anonymous” claims credit for hacking into Federal Reserve (“Anonymous”)
  • Guccifer 2.0 takes credit for hacking another Democratic committee (Guccifer 2.0)
  • Hacker claims credit for WikiLeaks takedown (Jester)
  • Hacker Group Claims Credit For Taking Xbox Live Offline (Lizard Squad)
  • Hacking Group From Russia, China Claims Credit For Massive Cyberattack (New World Hackers)
  • OurMine claims credit for attack on Pokemon Go servers (OurMine)
  • Grandpa, patriot who goes by ‘The Raptor,’ claims credit for taking down Al Qaeda websites (The Raptor)
  • Iranian Group Claims Credit for Hack Attack on New York Dam (SOBH Cyber Jihad)

etc., etc.

Oh, the FBI equates being “anonymous” with:

You didn’t use your home/work email address, leaving your home/work phone numbers and addresses on an “I hacked your computer” note on the victim’s computer.

Hackers avoid leaving their true identity information just as skilled bank robbers don’t write robbery notes on their own deposit slips; it’s a way of avoiding interaction with the police. That’s not shame, that’s just good sense.

As far as “shaming” hackers, the FBI learned nothing from the case of Aaron Swartz (Aaron Swartz stood up for freedom and fairness – and was hounded to his death). Swartz was known among geeks but nowhere near as widely known until prosecutors hounded him to death. How’d shaming work for the FBI in that case?

Public “shaming” of hackers, most of whom attack the least sympathetic targets in society, is going to build the public (as opposed to hacker) reputations of the “shamed” hackers.

Go ahead FBI, grant hackers the benefit of your PR machinery. “Shame” away.

Building Data Science with JS – Lifting the Curtain on Game Reviews

October 7th, 2017

Building Data Science with JS by Tim Ermilov.

Three videos thus far:

Building Data Science with JS – Part 1 – Introduction

Building Data Science with JS – Part 2 – Microservices

Building Data Science with JS – Part 3 – RabbitMQ and OpenCritic microservice

Tim starts with the observation that the percentage of users assigning a score to a game isn’t very helpful. It tells you nothing about the content of the game and/or the person rating it.

In subject identity terms, each level (mighty, strong, weak, fair) collapses information about the game and a particular reviewer into a single summary subject. OpenCritic then displays the percent of reviewers who are represented by that summary subject.

The problem with the summary subject is that one critic may have downrated the game for poor content, another for sexism and still another for bad graphics. But a user only knows that, for reasons unknown, a critic whose past behavior is unknown evaluated unknown content and assigned it a rating.

A user could read all the reviews and study the history of each reviewer, along with the other movies they have evaluated, but Ermilov proposes a more efficient means to peek behind the curtain of game ratings. (part 1)

In part 2, Ermilov designs a microservice based application to extract, process and display game reviews.

If you thought the first two parts were slow, you should enjoy Part 3. 😉 Ermilov speeds through a number of resources, documents, JS libraries, not to mention his source code for the project. You are likely to hit pause during this video.

Some links you will find helpful for Part 3:

AMQP 0-9-1 library and client for Node.JS – Channel-oriented API reference

AMQP 0-9-1 library and client for Node.JS (Github)

https://github.com/BuildingXwithJS

https://github.com/BuildingXwithJS/building-data-science-with-js

Microwork – simple creation of distributed scalable microservices in node.js with RabbitMQ (simplifies use of AMQP)

node-unfluff – Automatically extract body content (and other cool stuff) from an html document

OpenCritic

RabbitMQ. (Recommends looking at the RabbitMQ tutorials.)

A cRossword about R [Alternative to the NYTimes Sunday Crossword Puzzle]

October 6th, 2017

A cRossword about R by David Smith.

From the post:

The members of the R Ladies DC user group put together an R-themed crossword for a recent networking event. It’s a fun way to test out your R knowledge. (Click to enlarge, or download a printable version here.)

Maybe not a complete alternative to the NYTimes Sunday Crossword Puzzle but R enthusiasts will enjoy it.

I suspect the exercise of writing a crossword puzzle is a greater learning experience than solving it.

Thoughts?

Computational Data Analysis Workflow Systems

October 6th, 2017

Computational Data Analysis Workflow Systems

An incomplete list of existing workflow systems. As of today, approximately 17:00 EST, 173 systems in no particular order.

I first saw this mentioned in a tweet by Michael R. Crusoe.

One of the many resources found at: Common Workflow Language.

From the webpage:

The Common Workflow Language (CWL) is a specification for describing analysis workflows and tools in a way that makes them portable and scalable across a variety of software and hardware environments, from workstations to cluster, cloud, and high performance computing (HPC) environments. CWL is designed to meet the needs of data-intensive science, such as Bioinformatics, Medical Imaging, Astronomy, Physics, and Chemistry.

You should take a quick look at: Common Workflow Language User Guide to get a feel for CWL.

Try to avoid thinking of CWL as “documenting” your workflow if that is an impediment to using it. That’s a side effect, but its main purpose is to make you more effective.

Lauren Duca Declares War!

October 6th, 2017

The latest assault on women’s health, which impacts women, men and children, is covered by Jessie Hellmann in: Trump officials roll back birth-control mandate.

Lauren is right, this is war. It is a war on behalf of women, men and children. Women are more physically impacted by reproduction issues but there are direct impacts on men and children as well. When the reproductive health of women suffers, the women, men in their lives and children suffer as well. The reproductive health of women is everyone’s concern.

For OpSec reasons, don’t post your answer, but have you picked a specific target for this war?

I ask because diffuse targets, Congress for example, lead to diffuse results.

Specific targets, now former representative Tim Murphy for example, can have specific results.

PS: Follow and support Lauren Duca, @laurenduca!

XSLT Server Side Injection Attacks

October 6th, 2017

XSLT Server Side Injection Attacks by David Turco.

From the post:

Extensible Stylesheet Language Transformations (XSLT) vulnerabilities can have serious consequences for the affected applications, often resulting in remote code execution. Examples of XSLT remote code execution vulnerabilities with public exploits are CVE-2012-5357 affecting the .Net Ektron CMS; CVE-2012-1592 affecting Apache Struts 2.0; and CVE-2005-3757 which affected the Google Search Appliance.

From the examples above it is clear that XSLT vulnerabilities have been around for a long time and, although they are less common than other similar vulnerabilities such as XML Injection, we regularly find them in our security assessments. Nonetheless the vulnerability and the exploitation techniques are not widely known.

In this blog post we present a selection of attacks against XSLT to show the risks of using this technology in an insecure way.

We demonstrate how it is possible to execute arbitrary code remotely; exfiltrate data from remote systems; perform network scans; and access resources on the victim’s internal network.

We also make available a simple .NET application vulnerable to the described attacks and provide recommendations on how to mitigate them.
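Turco’s demonstration application is .NET; the exfiltration risk he describes comes from the stylesheet itself being able to call document() against any URI the stylesheet author chooses. The following is an added example, not code from the post, showing the same risk and its mitigation in lxml/libxslt: an attacker-controlled stylesheet pulls a constructed local XML file into the transform output, and `XSLTAccessControl.DENY_ALL` (a real lxml option) refuses that read. The temporary secret file, its contents and the stylesheet are all constructed for the demonstration.

```python
"""Untrusted XSLT with and without access control (lxml/libxslt).

Added illustration, not code from Turco's post.  Assumes lxml is installed;
the "secret" file is a constructed temporary XML file standing in for any
sensitive file the transform process can read.
"""
import pathlib
import tempfile

from lxml import etree

# Stylesheet as an attacker might submit it: document() fetches a URI of the
# author's choosing and the transform copies its contents into the output.
STYLESHEET_TEMPLATE = """\
<xsl:stylesheet version="1.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:template match="/">
    <xsl:value-of select="document('%s')/secret"/>
  </xsl:template>
</xsl:stylesheet>
"""


def write_secret_file(contents: str) -> str:
    """Create the constructed stand-in for a sensitive local file; return its URI."""
    tmp = tempfile.NamedTemporaryFile("w", suffix=".xml", delete=False)
    tmp.write("<secret>%s</secret>" % contents)
    tmp.close()
    return pathlib.Path(tmp.name).as_uri()


def run_untrusted_xslt(stylesheet_xml: str, restricted: bool) -> str:
    """Apply a stylesheet to a trivial input document and return its text output.

    With restricted=True the transform runs under XSLTAccessControl.DENY_ALL,
    which forbids file and network reads/writes on behalf of the stylesheet.
    libxslt may abort the transform when a read is denied; that is reported
    here as empty output.
    """
    sheet = etree.XML(stylesheet_xml.encode())
    if restricted:
        transform = etree.XSLT(sheet, access_control=etree.XSLTAccessControl.DENY_ALL)
    else:
        transform = etree.XSLT(sheet)  # lxml default: no restrictions
    try:
        return str(transform(etree.XML(b"<root/>")))
    except etree.XSLTApplyError:
        return ""


def leaks_secret(secret: str, restricted: bool = False) -> bool:
    """True if the secret file's contents reach the transform output."""
    uri = write_secret_file(secret)
    output = run_untrusted_xslt(STYLESHEET_TEMPLATE % uri, restricted)
    return secret in output


if __name__ == "__main__":
    token = "constructed-secret-token"
    print("unrestricted transform leaks file:", leaks_secret(token))        # True
    print("DENY_ALL transform leaks file:", leaks_secret(token, True))      # False
```

The same control object also covers the network case the post lists (document() against internal hosts, and xsl:document writing files), since DENY_ALL clears all five of lxml’s read/write/create permissions; when a transform genuinely needs one of them, construct `XSLTAccessControl` with only that flag set rather than leaving the default in place.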

A great post for introducing XML and XSLT to potential hackers!

Equally great potential for a workshop at a markup conference.

Enjoy!

Software McCarthyism – Wall Street Journal and Kaspersky Lab

October 5th, 2017

The Verge reports this instance of software McCarthyism by the Wall Street Journal against Kaspersky Lab saying:


According to the report, the hackers seem to have identified the files — which contained “details of how the U.S. penetrates foreign computer networks and defends against cyberattacks” — after an antivirus scan by Kaspersky antivirus software, which somehow alerted hackers to the sensitive files.
… (emphasis added)

Doesn’t “…somehow alerted hackers to the sensitive files…” sound a bit weak? Even allowing for restating the content of the original WSJ report?

The Wall Street Journal reports in Russian Hackers Stole NSA Data on U.S. Cyber Defense:

Hackers working for the Russian government stole details of how the U.S. penetrates foreign computer networks and defends against cyberattacks after a National Security Agency contractor removed the highly classified material and put it on his home computer, according to multiple people with knowledge of the matter.

The hackers appear to have targeted the contractor after identifying the files through the contractor’s use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said.

U.S. investigators believe the contractor’s use of the software alerted Russian hackers to the presence of files that may have been taken from the NSA, according to people with knowledge of the investigation. Experts said the software, in searching for malicious code, may have found samples of it in the data the contractor removed from the NSA.

But how the antivirus system made that determination is unclear, such as whether Kaspersky technicians programmed the software to look for specific parameters that indicated NSA material. Also unclear is whether Kaspersky employees alerted the Russian government to the finding.

Investigators did determine that, armed with the knowledge that Kaspersky’s software provided of what files were suspected on the contractor’s computer, hackers working for Russia homed in on the machine and obtained a large amount of information, according to the people familiar with the matter.

The facts reported by the Wall Street Journal support guilt by association style McCarthyism but in a software context.

Here are the only facts I can glean from the WSJ report and common knowledge of anti-virus software:

  1. NSA contractor removed files from NSA and put them on his home computer
  2. Home computer was a PC or Mac
  3. Kaspersky anti-virus software was on the PC or Mac
  4. Kaspersky anti-virus software is either active or runs at specified times
  5. Kaspersky anti-virus software scanned the home computer one or more times
  6. Hackers stole NSA files from the home computer

That’s it, those are all the facts reported in the Wall Street Journal “story,” better labeled a slander against Kaspersky Lab.

The following claims are made with no evidence whatsoever:

  1. “after identifying the files through the contractor’s use of a popular antivirus software made by Russia-based Kaspersky Lab”
  2. “believe the contractor’s use of the software alerted Russian hackers to the presence of files”
  3. “whether Kaspersky technicians programmed the software to look for specific parameters”
  4. “unclear is whether Kaspersky employees alerted the Russian government to the finding”
  5. “armed with the knowledge that Kaspersky’s software provided”

The only evidence in the possession of investigators is the co-location of the NSA files and Kaspersky anti-virus software on the same computer.

All the other beliefs, suppositions, assumptions, etc., of investigators are attempts to further the government’s current witch hunt against Kaspersky Lab.

The contractor’s computer likely also had MS Office, the home of more than a few security weaknesses. To say nothing of phishing emails, web browsers, and the many other avenues for penetration.

As far as “discovering” the contractor to get the files in question, it could have been by chance and/or the contractor bragging to a waitress about his work. We’re not talking about the sharpest knife in the drawer on security matters.

Judging hacking claims based on co-location of software is guilt by association pure and simple. The Wall Street Journal should not dignify such government rumors by reporting them.

Visualizing Nonlinear Narratives with Story Curves [Nonlinear Investigations, Markup, Statements]

October 5th, 2017

Visualizing Nonlinear Narratives with Story Curves by Nam Wook Kim, et al.

From the webpage:

A nonlinear narrative is a storytelling device that portrays events of a story out of chronological order, e.g., in reverse order or going back and forth between past and future events. Story curves visualize the nonlinear narrative of a movie by showing the order in which events are told in the movie and comparing them to their actual chronological order, resulting in possibly meandering visual patterns in the curve. We also developed Story Explorer, an interactive tool that visualizes a story curve together with complementary information such as characters and settings. Story Explorer further provides a script curation interface that allows users to specify the chronological order of events in movies. We used Story Explorer to analyze 10 popular nonlinear movies and describe the spectrum of narrative patterns that we discovered, including some novel patterns not previously described in the literature. (emphasis in original)

Applied here to movie scripts, an innovative visualization that has much broader application.

Investigations by journalists or police officers don’t develop in linear fashion. There are leaps forwards and backwards in time as a narrative is assembled. The resulting “linear” narrative bears little resemblance to its construction.

Imagine being able to visualize and compare the nonlinear narratives of multiple witnesses to a series of events. Use of the same nonlinear sequence isn’t proof they are lying but should suggest at least coordination of their testimony.

Linear markup systems struggle with nonlinear narratives and there may be value here for at least visualizing those pinch points.

Sadly the code for Story Curves and Story Explorer is temporarily unavailable as of 5 October 2017. Hoping that gets sorted out in the near future.

Printer Exploitation Toolkit: PRET [398 Days to Congressional MidTerm Elections]

October 5th, 2017

Printer Exploitation Toolkit: PRET

From the post:

PRET is a new tool for printer security testing developed in the scope of a Master’s Thesis at Ruhr University Bochum. PRET connects to a device via network or USB and exploits the features of a given printer language. Currently PostScript, PJL and PCL are supported which are spoken by most laser printers today. This allows PRET to do cool stuff like capturing or manipulating print jobs, accessing the printer’s file system and memory or even causing physical damage to the device. All attacks are documented in detail in the Hacking Printers Wiki.

The main idea of PRET is to facilitate the communication between the end-user and a printer. Thus, after entering a UNIX-like command, PRET translates it to PostScript, PJL or PCL, sends it to the printer, evaluates the result and translates it back to a user-friendly format. PRET offers a whole bunch of commands useful for printer attacks and fuzzing.
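To show what PRET's UNIX-like commands translate into, here is an added example (my code, not PRET's) of the raw PJL exchange behind its `id` and `ls` style commands: the UEL framing, the command line, and parsers for the two reply formats. The replies are constructed from the format the PJL reference documents; the model name is invented, and query_printer() is the only part that touches a network, so it is not exercised here.

```python
"""
Added example, not part of PRET: the PJL round trip that a tool like PRET
wraps behind a shell-style command.  A Universal Exit Language (UEL)
sequence puts the printer in PJL mode, each command is '@PJL ...\r\n',
and the device answers in the same format, terminated by a form feed.
"""
import socket
from typing import List, Tuple

UEL = b"\x1b%-12345X"   # Universal Exit Language: ends any current job/language
FORMFEED = b"\x0c"      # terminates a PJL response
PJL_PORT = 9100         # raw / JetDirect printing port


def build_pjl(command: str) -> bytes:
    """Wrap one PJL command in UELs so the printer accepts it in any state."""
    return UEL + b"@PJL " + command.encode("ascii") + b"\r\n" + UEL


def _response_lines(response: bytes) -> List[str]:
    """Lines of one reply, up to the form feed, with blanks dropped."""
    body = response.split(FORMFEED, 1)[0].decode("ascii", "replace")
    return [ln.strip() for ln in body.splitlines() if ln.strip()]


def parse_info_id(response: bytes) -> str:
    """'@PJL INFO ID' answers with the model string in double quotes."""
    for line in _response_lines(response)[1:]:   # line 0 echoes the command
        if line.startswith('"') and line.endswith('"'):
            return line[1:-1]
    return ""


def parse_fsdirlist(response: bytes) -> List[Tuple[str, str, int]]:
    """'@PJL FSDIRLIST' lists 'name TYPE=DIR' or 'name TYPE=FILE SIZE=n'."""
    entries = []
    for line in _response_lines(response)[1:]:
        fields = line.split()
        if len(fields) < 2 or not fields[1].startswith("TYPE="):
            continue                     # e.g. a FILEERROR line, not an entry
        name, kind = fields[0], fields[1][len("TYPE="):]
        size = 0
        for field in fields[2:]:
            if field.startswith("SIZE="):
                size = int(field[len("SIZE="):])
        entries.append((name, kind, size))
    return entries


def query_printer(host: str, command: str,
                  port: int = PJL_PORT, timeout: float = 5.0) -> bytes:
    """Send one PJL command over TCP and read until the form feed.  Needs a
    printer you are authorised to test; not exercised in this example."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_pjl(command))
        try:
            while FORMFEED not in buf:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass                         # some firmware omits the form feed
    return buf


# Constructed replies in the layout the PJL reference documents (the model
# name is invented)
SAMPLE_INFO_ID = b'@PJL INFO ID\r\n"Acme Laser 1000"\r\n\x0c'
SAMPLE_FSDIRLIST = (b'@PJL FSDIRLIST NAME="0:\\" ENTRY=1\r\n'
                    b'.\tTYPE=DIR\r\n..\tTYPE=DIR\r\n'
                    b'PJL\tTYPE=DIR\r\nwebServer\tTYPE=DIR\r\n'
                    b'jobs.ps\tTYPE=FILE SIZE=2048\r\n\x0c')
```

Once a directory listing works, the same loop with FSUPLOAD and FSDOWNLOAD is how stored jobs leave the device or arrive on it, which is why port 9100 belongs behind a printer VLAN rather than reachable from every desk.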

Billed in the post as:

The tool that made dumpster diving obsolete (emphasis in original)

I would not go that far, after all, there are primitives without networked printers, or so I have heard. For those cases, dumpster diving remains a needed skill.

Reading Exploiting Network Printers – A Survey of Security Flaws in Laser Printers and Multi-Function Devices (the master’s thesis) isn’t required, but it may help extend this work.

Abstract:

Over the last decades printers have evolved from mechanic devices with microchips to full blown computer systems. From a security point of view these machines remained unstudied for a long time. This work is a survey of weaknesses in the standards and various proprietary extensions of two popular printing languages: PostScript and PJL. Based on tests with twenty laser printer models from various vendors practical attacks were systematically performed and evaluated including denial of service, resetting the device to factory defaults, bypassing accounting systems, obtaining and manipulating print jobs, accessing the printers’ file system and memory as well as code execution through malicious firmware updates and software packages. A generic way to capture PostScript print jobs was discovered. Even weak attacker models like a web attacker are capable of performing the attacks using advanced cross-site printing techniques.

As of July 2016, Appendix A.1 offers a complete list of printer CVEs (CVE = Common Vulnerabilities and Exposures).

The author encountered a mapping issue when attempting to use vFeed to map CVEs to CWEs (CWE = Common Weakness Enumeration).

Too many CWE identifiers however match a single CVE identifier. To keep things clear, we instead grouped vulnerabilities into nine categories of attack vectors as shown in Table 3.2. It is remarkable that half of the identified security flaws are web-related while only one twelfth are caused by actual printing languages like PostScript or PJL.
… (page 11 of master’s thesis)

I haven’t examined the mapping problem but welcome suggestions from those of you who do. Printer exploitation is a real growth area in cybersecurity.

I mentioned the 398 Days to Congressional MidTerm Elections in anticipation that some bright lasses and lads will arrange for printers to print not only at a local location but remote one as well.

Think of printers as truthful but not loyal campaign staffers.

Enjoy!

TruthBuzz: Announcing the winners! [Does Fake/False News Spread Differently?]

October 4th, 2017

TruthBuzz: Announcing the winners! by Oren Levine.

From the post:

Caricatures of politicians, time-lapse videos and an app modeled on a classic video game were among the winners of TruthBuzz, the Viral Fact-Checking Challenge.

Organized by the International Center for Journalists (ICFJ) with support from the Craig Newmark Foundation, the TruthBuzz contest aimed to find new ways to help verified facts reach the widest possible audience. The competition sought creative solutions to take fact-checking beyond long-form explanations and bullet points.

The goal of the contest was to “…make the truth go viral…,” which the winners did with style.

Except no distinction is offered between the spread of fake/false news and “truth.”

Enjoy reading about the winners but then ask yourself:

Could these same techniques be used to spread fake/false news?

My answer is yes.

What’s yours?

PS: My answer to why fake/false news spreads unchecked? There are fewer ad dollars in corrections than headline stories. You?

Defeating Israeli Predictive Policing Algorithm

October 4th, 2017

The Israeli algorithm criminalizing Palestinians for online dissent by Nadim Nashif and Marwa Fatafta.

From the post:

The Palestinian Authority’s (PA) arrest of West Bank human rights defender Issa Amro for a Facebook post last month is the latest in the PA’s recent crackdown on online dissent among Palestinians. Yet it’s a tactic long used by Israel, which has been monitoring social media activity and arresting Palestinians for their speech for years – and has recently created a computer algorithm to aid in such oppression.

Since 2015, Israel has detained around 800 Palestinians because of content they wrote or shared online, mainly posts that are critical of Israel’s repressive policies or share the reality of Israeli violence against Palestinians. In the majority of these cases, those detained did not commit any attack; mere suspicion was enough for their arrest.

The poet Dareen Tatour, for instance, was arrested on October 2015 for publishing a poem about resistance to Israel’s 50-year-old military rule on her Facebook page. She spent time in jail and has been under house arrest for over a year and a half. Civil rights groups and individuals in Israel, the Occupied Palestinian Territory (OPT), and abroad have criticized Israel’s detention of Tatour and other Palestinian internet users as violations of civil and human rights.

Israeli officials have accused social media companies of hosting and facilitating what they claim is Palestinian incitement. The government has pressured these companies, most notably Facebook, to remove such content. Yet the Israeli government is mining this content. Israeli intelligence has developed a predictive policing system – a computer algorithm – that analyzes social media posts to identify Palestinian “suspects.”

One response to Israel’s predictive policing is to issue a joint statement: Predictive Policing Today: A Shared Statement of Civil Rights Concerns.

Another response, undertaken by Nadim Nashif and Marwa Fatafta, is to document the highly discriminatory and oppressive use of Israel’s predictive policing.

Both of those responses depend upon 1) the Israeli government agreeing it has acted wrongfully, and 2) the Israeli government in fact changing its behavior.

No particular reflection on the Israeli government but I don’t trust any government claiming, unverified, to have changed its behavior. How would you ever know for sure? Trusting any unverified answer from any government (read party) is a fool’s choice.

Discovering the Israeli algorithm for social media based arrests

What facts do we have about Israeli monitoring of social media?

  1. Identity of those arrested on basis of social media posts
  2. Content posted prior to their arrests
  3. Content posted by others who were not arrested
  4. Relationships with others, etc.

Think of the problem as being similar to breaking the Enigma machine during WWII. We don’t have to duplicate the algorithm in use by Israel, we only have to duplicate its output. We have on hand some of the inputs and the outcomes of those inputs to start our research.

Moreover, as Israel uses social media monitoring, present guesses at the algorithm can be refined on the basis of more arrests.

Knowing Israel’s social media algorithm is cold comfort to arrested Palestinians, but that knowledge can help prevent future arrests or make the cost of the method too high to be continued.

Social Media Noise Based on Israeli Social Media Algorithm

What makes predictive policing algorithms effective is their narrowing of the field of suspects to a manageable number. If instead of every male between the ages of 16 and 30 you have 20 suspects with scattered geographic locations, you can reduce the number of viable suspects fairly quickly.

But that depends upon being able to distinguish between all the males between the ages of 16 and 30. What if based on the discovered parallel algorithm to the Israeli predictive policing one, a group of 15,000 or 20,000 young men were “normalized” so they present the Israeli algorithm with the same profile?

If instead of 2 or 3 people who seem to be angry enough to commit violence, you have real and fake, 10,000 people right on the edge of extreme violence.

Judicious use of social media noise, informed by a parallel to the Israeli social media algorithm, could make the Israeli algorithm useless in practice. There would be too much noise for it to be effective. Or the resources required to eliminate the noise would be prohibitively expensive.

For predictive policing algorithms based on social media, “noise” is its Achilles heel.
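As an added example (not from the article), the two steps above in toy form: fit a surrogate of the unknown scoring model from posts and arrest outcomes, then use the surrogate to find the profile it flags and count the suspect pool once decoys share that profile. All posts, labels and numbers are constructed, and the surrogate is a naive Bayes over words, chosen only because it runs on the standard library; the real system's features are unknown, which is the point of fitting to its outputs.

```python
"""
Added example, not from the article: (1) a surrogate fitted only to observed
inputs (posts) and outcomes (arrested or not), with no access to the real
model; (2) the profile the surrogate flags hardest, copied by decoys, and
the size of the pool the real investigators would then have to sort.
"""
import math
from collections import Counter
from typing import List, Tuple

# Constructed observations: (post, arrested afterwards?)
OBSERVED: List[Tuple[str, bool]] = [
    ("resist occupation march", True),
    ("march checkpoint resist", True),
    ("occupation checkpoint protest", True),
    ("football match tonight", False),
    ("wedding photos family", False),
    ("exam results tomorrow", False),
]


class Surrogate:
    """Naive Bayes with add-one smoothing: log-odds of 'flagged' per post."""

    def __init__(self, observed: List[Tuple[str, bool]]):
        self.words = {True: Counter(), False: Counter()}
        docs = Counter()
        for post, arrested in observed:
            docs[arrested] += 1
            self.words[arrested].update(post.split())
        self.vocab = sorted(set(self.words[True]) | set(self.words[False]))
        self._vocab_set = set(self.vocab)
        self.totals = {c: sum(self.words[c].values()) for c in self.words}
        self.prior_logodds = math.log(docs[True] / docs[False])

    def _ll(self, word: str, cls: bool) -> float:
        return math.log((self.words[cls][word] + 1) /
                        (self.totals[cls] + len(self.vocab)))

    def word_weight(self, word: str) -> float:
        """How far one occurrence of `word` pushes a post toward 'flag'."""
        return self._ll(word, True) - self._ll(word, False)

    def score(self, post: str) -> float:
        return self.prior_logodds + sum(self.word_weight(w)
                                        for w in post.split()
                                        if w in self._vocab_set)

    def flagged(self, posts: List[str], threshold: float = 0.0) -> List[str]:
        return [p for p in posts if self.score(p) > threshold]

    def profile(self, k: int = 3) -> List[str]:
        """The k words the surrogate weights hardest: the profile decoys copy.
        Ties are broken alphabetically so the result is deterministic."""
        return sorted(self.vocab, key=lambda w: (-self.word_weight(w), w))[:k]


def decoy_posts(model: Surrogate, n: int) -> List[str]:
    """n accounts 'normalized' to the flagged profile: same words, no intent."""
    text = " ".join(model.profile())
    return [text] * n


# Constructed population the system would have to sort through
REAL_POSTS = [
    "resist march checkpoint",
    "protest occupation tonight",
    "football match tonight",
    "wedding photos family",
    "exam results tomorrow",
    "family dinner tomorrow",
]


def suspect_pool(model: Surrogate, real: List[str],
                 n_decoys: int) -> Tuple[int, int]:
    """(flagged without noise, flagged with n_decoys added): the second
    number is what investigators must work through to find the first."""
    before = len(model.flagged(real))
    after = len(model.flagged(real + decoy_posts(model, n_decoys)))
    return before, after
```

The surrogate only has to agree with the real system on which posts get flagged, not on how; each new arrest is another labelled example to refit against. The pool numbers are the argument in the article made concrete: two genuine hits hidden among ten thousand identical profiles is the same as no hits at all for a system whose value was narrowing the field.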

PS: Actually defeating a predictive policing algorithm, to say nothing of generating noise on social media, isn’t a one man band sort of project. Experts in data mining, predictive algorithms, data analysis, social media plus support personnel. Perhaps a multi-university collaboration?

PPS: I don’t dislike the Israeli government any more or less than any other government. It was happenstance Israel was the focus of this particular article. I see the results of such research as applicable to all other governments and private entities (such as Facebook, Twitter).

Law Library of Congress Chatbot

October 4th, 2017

We are Excited to Announce the Release of the Law Library of Congress Chatbot by Robert Brammer.

From the webpage:

We are excited to announce the release of a new chatbot that can connect you to primary sources of law, Law Library research guides and our foreign law reports. The chatbot has a clickable interface that will walk you through a basic reference interview. Just click “get started,” respond “yes” or “no” to its questions, and then click on the buttons that are relevant to your needs. If you would like to return to the main menu, you can always type “start over.”

(image omitted)

The chatbot can also respond to a limited number of text commands. Just type “list of commands” to view some examples. We plan to add to the chatbot’s vocabulary based on user interaction logs, particularly whenever a question triggers the default response, which directs the user to our Ask A Librarian service. To give the chatbot a try, head over to our Facebook page and click the blue “Send Message” button.

The response to “list of commands” returns in part this content:

This page provides examples of text commands that can be used with the Law Library of Congress chat bot. The chat bot should also understand variations of these commands and its vocabulary will increase over time as we add new responses. If you have any questions, please contact us through Ask A Librarian.

(I deleted the table of contents to the following commands)

Advance Healthcare Directives
– I want to make an advanced health care directive
– I want to make a living will

Caselaw
– I want to find a case

Civil Rights
– My voting rights were violated
– I was turned away at the polling station
– I feel I have been a victim of sexual harassment

Constitutional Law
– I want to learn about the U.S. Constitution
– I want to locate a state constitution
– I want to learn about the history of the U.S. Constitution

Employment Law
– I would like to learn more about employment law
– I was not paid overtime

Family Law
– I have been sued for a divorce
– I want to sue for child custody
– I want to sue for child support
– My former spouse is not paying child support

Federal Statutes
– I want to find a federal statute

File a Lawsuit
– I want to file a lawsuit

Foreclosure
– My house is in foreclosure

Immigration
– I am interested in researching immigration law
– I am interested in researching asylum law

Landlord-Tenant Law
– My landlord is violating my lease
– My landlord does not maintain my property

Legal Drafting
– Type “appeal”, “motion”, or “complaint”

Lemon Laws
– I bought a car that is a lemon

Municipal Law
– My neighbor is making loud noise
– My neighbor is letting their dog out without a leash
– My neighbor is not maintaining their property
– My neighbor’s property is overgrown

Real Estate
– I’m looking for a deed
– I’m looking for a real estate form

State Statutes
– I want to find state statutes

Social Security Disability
– I want to apply for disability

Wills and Probate
– I want to draft a will
– I want to probate an estate

Unlike some projects, the Law Library of Congress chat bot doesn’t learn from its users, at least not automatically. Interactions are reviewed by librarians and content changed/updated.

Have you thought about a chat bot user interface to a topic map? The user might have no idea that results are merged and otherwise processed before presentation.

When I say “user interface,” I’m thinking of the consumer of a topic map, who may or may not be interested in how the information is being processed, but is interested in a useful answer.

Procrastinators – Dates/Location for Balisage: The Markup Conference 2018

October 4th, 2017

Procrastinators can be caught short, without enough time for proper procrastination on papers and slides.

To ensure ample time for procrastination, Balisage: The Markup Conference 2018 has published its dates and location.

31 July 2018–3 August 2018 … Balisage: The Markup Conference
30 July 2018 … Symposium – topic to be announced
CAMBRiA Hotel & Suites
1 Helen Heneghan Way
Rockville, Maryland 20850
USA

For indecisive procrastinators, Balisage offers suggestions for your procrastination:

The 2017 program included papers discussing XML vocabularies, cutting-edge digital humanities, lossless JSON/XML roundtripping, reflections on concrete syntax and abstract syntax, parsing and generation, web app development using the XML stack, managing test cases, pipelining and micropipelining, electronic health records, rethinking imperative algorithms for XSLT and XQuery, markup and intellectual property, digitizing Ethiopian and Eritrean manuscripts, exploring “shapes” in RDF and their relationship to schema validation, exposing XML data to users of varying technical skill, test-suite management, and use case studies about large conversion applications, DITA, and SaxonJS.

Innovative procrastinators can procrastinate on other related topics, including any they find on the Master Topic List (ideas procrastinated on for prior Balisage conferences).

Take advantage of this opportunity to procrastinate early and long on your Balisage submissions. You and your audience will be glad you did!

PS: Don’t procrastinate on saying thank you to Tommie Usdin and company for another year of Balisage. Balisage improves XML theory and practice every year it is held.

BuzzFeed News Animates Jewish Folktale

October 3rd, 2017

Zahra Hirji and Lam Thuy Vo team up in Here’s Why Debunking Viral Climate Myths Is Almost Impossible, In One Animated Chart to animate a Jewish folktale, A Pillow Full of Feathers (as retold by Shoshannah Brombacher).

In the folktale, a businessman repeats all the gossip he hears, enjoying the attention it brings. One day his repeating of gossip brings real harm to another. The businessman asks his rabbi what he can do to undo his deed. At the direction of the rabbi, he cuts into a feather pillow, which scatters feathers all over the room, some fly out the window, etc. Now the rabbi commands him to recover every feather that came from the pillow.

The businessman protests it is impossible to recover all the feathers and the rabbi points out the same is true for undoing his gossip. He can’t ever reach everyone who heard his gossip. (Brombacher’s retelling is much better than mine so see his version. Please.)

Hirji and Vo are concerned with a story published on February 4 (2017) and admitted to be false on September 16 (2017). They write:

When a British newspaper published an exposé in February alleging proof that US government scientists had used flawed data to show recent global warming and rushed to publish their research to sway the Paris climate talks, conservative media was lit.

“The latest example of misinformation from the left comes directly from the federal government,” SarahPalin.com said about the article, published in Britain’s Mail on Sunday. It was a “bombshell,” according to the climate skeptic blog Watts Up With That, and “explosive,” according to The Federalist Papers Project. “BUSTED: NOAA Lied About Climate Change Data to Manipulate World Leaders,” blared the website Louder with Crowder.

The story centered on a two-year-old Science study showing that the rise in global temperatures had not recently stalled, as previous data had suggested. The Science paper had repeatedly been attacked by climate skeptics, including House Science Committee chair Lamar Smith (R-Tex.). After the Mail on Sunday’s piece, Smith demanded, for at least the sixth time, that the National Oceanic and Atmospheric Administration turn over its correspondence about the Science data.

Now, some seven months later, the Mail on Sunday has begrudgingly admitted its story was wrong. But will this update change anyone’s minds?

That seems unlikely, based on a BuzzFeed News review of how widely the article was shared across social media compared to early attempts to debunk it.

Hirji and Vo have a great visualization of the rapid spread of the Mail on Sunday story across the Internet. BTW, they reach the same conclusion as the businessman and the rabbi on undoing fake news once it spreads.

A Pillow Full of Feathers differs from this account of the spread of a climate myth in the following exchange:

When the nice man with the nasty problem heard from the rabbi how devastated his colleague was, he felt truly sorry. He honestly had not considered it such a big deal to tell this story, because it was true; the rabbi could check it out if he wanted. The rabbi sighed.

“True, not true, that really makes no difference! You just cannot tell stories about people. This is all lashon hara, slander, and it’s like murder—you kill a person’s reputation.” He said a lot more, and the man who started the rumor now felt really bad and sorry. “What can I do to make it undone?” he sobbed. “I will do anything you say!”
… (emphasis added)

It’s popular to talk about the spread of false or misleading news, but the mechanisms for spreading true and false news are the same.

The emphasis on false or misleading news has a hidden assumption that we have correctly identified false or misleading news.

That’s certainly not my presumption when I hear the management at Facebook, Twitter, Google or any of the other common suspects discussing false or misleading news.

What about you?

Facebook Hiring 1,000+ Censors

October 3rd, 2017

Facebook‘s assault on free speech, translated into physical terms:

(image omitted)

That is a scene of violence as Spanish police assault voters during the Catalonia independence referendum.

Facebook is using social and mainstream media to cloak its violence in high-minded terms:

  1. “…thwart deceptive ads crafted to knock elections off course.” Facebook knows the true “course” of elections?
  2. “…hot-button issues to turn people against one another ahead of last year’s US election.” You never saw the Willie Horton ad?
  3. “Many appear to amplify racial and social divisions.” Ditto on the Willie Horton ad.
  4. “…exacerbating political clashes ahead of and following the 2016 US presidential election.” Such as: 10 Most-Shared 2012 Republican Campaign Ads on YouTube
  5. “…ads that touted fake or misleading news or drove traffic to pages with such messages…” And Facebook is going to judge this? The same Facebook that knows “how” elections are supposed to go?

Quotations from Facebook beefing up team to thwart election manipulation by Glenn Chapman.

Like the Spanish police, Facebook has chosen the side of oppression and censorship, however much it wants to hide that fact.

When you think of Facebook, think of police swinging their batons, beating, kicking protesters.

Choose your response to Facebook and anyone proven to be a Facebook censor accordingly.

Searching for Butt Plugs in Congressional Offices

October 3rd, 2017

It’s a click-bait title but I’m entirely serious. There are security flaws in IoT adult toys, flaws that enable you to discover and manipulate those toys. I use Congress as an example but the same principles apply to banks, Wall Street offices, government agencies, law firms, etc.

Discovering such a device could result in a lower mortgage interest rate, a favorable administrative decision, changes to pending legislation, dismissal of charges, any number of things normally associated with class-based privilege.

I encountered John Leyden‘s report Dildon’ts of Bluetooth: Pen test boffins sniff out Berlin’s smart butt plugs – You’ve heard of wardriving – say hello to screwdriving (warning NSFW image) first:

Security researchers have figured out how to locate and exploit smart adult toys.

Various shenanigans are possible because of the easy discoverability and exploitability of internet-connected butt plugs and the like running Bluetooth’s baby brother, Bluetooth Low Energy (BLE), a wireless personal area network technology. The tech has support for security but it’s rarely implemented in practice, as El Reg has noted before.

The shortcoming allowed boffins at Pen Test Partners to hunt for Bluetooth adult toys, a practice it dubbed screwdriving, in research that builds on its earlier investigation into Wi-Fi camera dildo hacking earlier this year.

BLE devices also advertise themselves for discovery. The Lovense Hush, an IoT-enabled butt plug, calls itself LVS-Z001. Other Hush devices use the same identifier.

The Hush, like every other sex toy tested by PTP (the Kiiroo Fleshlight, Lelo, Lovense Nora and Max), all lacked adequate PIN or password protection. If the devices did have a PIN it was generic (0000 / 1234 etc). This omission is for understandable reasons. PTP explains: “The challenge is the lack of a UI to enter a classic Bluetooth pairing PIN. Where do you put a UI on a butt plug, after all?”
… (bold emphasis added)

Indeed, a UI for a butt plug is difficult to imagine. 😉

For the technical details, with more NSFW images, Alex Lomas describes the insecurity of adult toys in great detail in Screwdriving. Locating and exploiting smart adult toys.

From the post:

(image omitted)

Alex is using LightBlue Explorer® — Bluetooth Low Energy (Google Play), (AppStore), although other Bluetooth discovery apps would work just as well.

Searching Congressional Offices For Newbies

If you are comfortable with Bluetooth and hex commands, you have all you need to surf for butt plugs in congressional offices.

Others, especially those who only use smart phone apps, may need some additional instructions.

At the risk of more NSFW images, the Hush butt plug homepage links to its app:

(Google Play), (AppStore)

You install the Hush app, fire it up (sorry), walk about waiting for a connection to appear. How hard is that? (Scanning tip, 360 degrees, standing, up to 30 feet; sitting, 5 to 10 feet.)
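As an added example (my code, not Pen Test Partners' or the LightBlue app's), here is what a discovery app does with the advertising packets it hears: split each payload into its AD structures and pull out the local name. Everything below is constructed except the advertised name LVS-Z001 quoted above; the truncated packet in the sample scan shows why the length of each structure is checked before a byte count from the air is trusted.

```python
"""
Added example, not from the Pen Test Partners write-up: parsing BLE
advertising data.  An advertisement is a list of AD structures, each
[length][type][data] where length counts the type byte; 0x09 is the
Complete Local Name and 0x08 the Shortened Local Name.  All packets and
addresses here are constructed; only "LVS-Z001" comes from the article.
"""
from typing import Dict, List, Tuple

AD_FLAGS = 0x01
AD_SHORT_NAME = 0x08
AD_COMPLETE_NAME = 0x09

HUSH_ADVERTISED_NAME = "LVS-Z001"   # per the article, shared by every Hush


def parse_ad_structures(payload: bytes) -> List[Tuple[int, bytes]]:
    """Split an advertising payload into (type, data) pairs.  Stops at a
    zero length (padding) or at a structure that overruns the payload."""
    out, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break
        if i + 1 + length > len(payload):
            break                        # truncated: never read past the end
        ad_type = payload[i + 1]
        out.append((ad_type, payload[i + 2:i + 1 + length]))
        i += 1 + length
    return out


def local_name(payload: bytes) -> str:
    """Complete name if present, else the shortened name, else ''."""
    names: Dict[int, str] = {}
    for ad_type, data in parse_ad_structures(payload):
        if ad_type in (AD_SHORT_NAME, AD_COMPLETE_NAME):
            names[ad_type] = data.decode("utf-8", "replace")
    return names.get(AD_COMPLETE_NAME, names.get(AD_SHORT_NAME, ""))


def build_advertisement(name: str, flags: int = 0x06) -> bytes:
    """Constructed advertisement: a Flags structure plus a complete name."""
    name_bytes = name.encode("utf-8")
    return (bytes([2, AD_FLAGS, flags]) +
            bytes([1 + len(name_bytes), AD_COMPLETE_NAME]) + name_bytes)


def find_hush(scan: List[Tuple[str, int, bytes]]) -> List[Tuple[str, int]]:
    """From (address, rssi, payload) scan results, return (address, rssi)
    for every device advertising the Hush name, strongest signal first."""
    hits = [(addr, rssi) for addr, rssi, payload in scan
            if local_name(payload) == HUSH_ADVERTISED_NAME]
    return sorted(hits, key=lambda hit: hit[1], reverse=True)


# Constructed scan: two Hush devices, a phone, and one truncated packet
SAMPLE_SCAN = [
    ("aa:bb:cc:00:00:01", -71, build_advertisement("LVS-Z001")),
    ("aa:bb:cc:00:00:02", -48, build_advertisement("LVS-Z001")),
    ("aa:bb:cc:00:00:03", -60, build_advertisement("Pixel 2")),
    ("aa:bb:cc:00:00:04", -80, bytes([2, AD_FLAGS, 0x06,
                                      0x20, AD_COMPLETE_NAME, 0x41])),
]
```

The received signal strength is the only ranging you get from an advertisement, and it is the same number a phone app shows as a distance estimate; a fixed name shared by every unit is what makes a product, rather than one device, discoverable this way.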

Cautions?

Unauthorized interception of even advertised signals may be a crime in some jurisdictions. Not to mention unauthorized interaction with a remote device is likely to constitute battery (a crime).

That said, the insecurity of Bluetooth devices and other cyberinsecurities are opportunities to challenge existing privilege systems. Whether you take up that challenge or choose to support the status quo, is entirely up to you.

Who Does Cyber Security Benefit?

October 3rd, 2017

Indoctrinating children to benefit the wealthy starts at a young age: ‘Hackathon’ challenges teens to improve cyber security.

Improving cyber security is taught as an ethical imperative, but without asking who that “imperative” benefits.

Oxfam wrote earlier this year:

Eight men own the same wealth as the 3.6 billion people who make up the poorest half of humanity, according to a new report published by Oxfam today to mark the annual meeting of political and business leaders in Davos.

Oxfam’s report, ‘An economy for the 99 percent’, shows that the gap between rich and poor is far greater than had been feared. It details how big business and the super-rich are fuelling the inequality crisis by dodging taxes, driving down wages and using their power to influence politics. It calls for a fundamental change in the way we manage our economies so that they work for all people, and not just a fortunate few.

New and better data on the distribution of global wealth – particularly in India and China – indicates that the poorest half of the world has less wealth than had been previously thought. Had this new data been available last year, it would have shown that nine billionaires owned the same wealth as the poorest half of the planet, and not 62, as Oxfam calculated at the time.
… From: Just 8 men own same wealth as half the world

It’s easy to see who the cyber security of SWIFT, the “secure financial messaging system,” benefits: the “[e]ight men [who] own the same wealth as the 3.6 billion people who make up the poorest half of humanity,” far more than those 3.6 billion people.

Do you have any doubt about that claim in principle? The exact numbers of inequality don’t interest me as much as the understanding that information systems and their cyber security benefit some people more than others.

Once we establish the principle of differential in benefits from cyber security, then we can ask: Who does cyber security X benefit?

To continue with the SWIFT example, I would not volunteer to walk across the street to improve its cyber security. It is an accessory to a predatory financial system that exploits billions. You could be paid to improve its cyber security but tech people at large have no moral obligation to help SWIFT.

If anyone says you have an obligation to improve cyber security, ask who benefits?

Yes?

Machine Translation and Automated Analysis of Cuneiform Languages

October 2nd, 2017

Machine Translation and Automated Analysis of Cuneiform Languages

From the webpage:

The MTAAC project develops and applies new computerized methods to translate and analyze the contents of some 67,000 highly standardized administrative documents from southern Mesopotamia (ancient Iraq) from the 21st century BC. Our methodology, which combines machine learning with statistical and neural machine translation technologies, can then be applied to other ancient languages. This methodology, the translations, and the historical, social and economic data extracted from them, will be offered to the public in open access.

A recently funded (March 2017) project that strikes a number of resonances with me!

“Open access” and cuneiform isn’t an unheard of combination but many remember when access to cuneiform primary materials was a matter of whim and caprice. There are dark pockets where such practices continue but projects like MTAAC are hard on their heels.

The use of machine learning and automated analysis have the potential, when all extant cuneiform texts (multiple projects such as this one) are available, to provide a firm basis for grammars, lexicons, translations.

Do read: Machine Translation and Automated Analysis of the Sumerian Language by Émilie Pagé-Perron, Maria Sukhareva, Ilya Khait, Christian Chiarcos, for more details about the project.

There’s more to data science than taking advantage of sex-starved neurotics with under five second attention spans and twitchy mouse fingers.