Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

October 7, 2019

TLP:GREEN Leak to Loosen Your Bowels

Filed under: Classification,Government,Security — Patrick Durusau @ 4:45 pm

Zak Doffman in FBI Issues Surprise New Cyber Attack Warning posted a link to: Cyber Criminals Use Social Engineering and Technical Attacks to Circumvent Multi-Factor Authentication, which is clearly marked:

TLP:GREEN:

This PIN has been released TLP:GREEN: The information in this product is useful for the awareness of all participating organizations within their sector or community, but should not be shared via publicly accessible channels.

Do you think Forbes.com qualifies as a “publicly accessible channel?”

I ask just to highlight the absurdity of information restriction that has taken over government and cybersecurity in general. Notice that the evildoers in this scenario are already informed and the only people left uninformed are members of the public.

I’m sure someone at the FBI has the authority to assign TLP:GREEN classification, but not anything lower or higher, plus they have auditing routines to check their work, monthly reports, etc. Now imagine all the turf protection and routines that must go on for other security classifications. All to hide information from the voting public.

Ask your 2020 candidates to sweep away all but launch code and location of nuclear submarine secrecy. It’s not like a modern army can conceal its intentions to invade. Think of all the classification staff that will become available to fill the front ranks.

October 4, 2019

Avoided Ethics Guidelines

Filed under: Ethics,Facebook,Google+,Government — Patrick Durusau @ 10:46 am

Ethical guidelines issued by engineers’ organization fail to gain traction by Nicolas Kayser-Bril.

The world’s largest professional association of engineers released its ethical guidelines for automated systems last March. A review by AlgorithmWatch shows that Facebook and Google have yet to acknowledge them.

In early 2016, the Institute of Electrical and Electronics Engineers, a professional association known as IEEE, launched a “global initiative to advance ethics in technology.” After almost three years of work and multiple rounds of exchange with experts on the topic, it released last April the first edition of Ethically Aligned Design, a 300-page treatise on the ethics of automated systems.

If you want to intentionally ignore these guidelines as well, they are at: Ethics in Action.

Understanding that “ethics” are defined within and are supportive of a system, given the racist, misogynistic, homophobic, transphobic, capitalist exploitation economy of today, I find discussions of “ethics” quixotic.

Governments and corporations have no “ethics” even within the present system and following ethics based on what should be the system, only disarms you in the presence of implacable enemies. The non-responses by Google and Facebook are fair warning that you are “ethical” in your relationships with them, only with due regard for the police lurking nearby.

May I suggest you find a sharper stick than “you’re unethical” when taking on governments, corporations and systems. They shrug that sort of comment off like water off a duck’s back. Look around, new and sharper sticks are being invented every day.

July 5, 2019

Surveilling Concentration Camps (Weaponizing Data)

Filed under: Government,Protests,Weaponize Data,Weaponized Open Data,Weather Data — Patrick Durusau @ 4:32 pm

A tweet I saw yesterday suggested surveilling U.S. concentration camps using a drone. That’s certainly possible but hobbyist type drones put you within easy visual distance of government forces. There are long range drones, all of which carry hefty price tags. What if you don’t have access to a long range drone? Alternatives?

Low-cost, low-tech answer: Consider the lowly helium balloon. With some experimenting, you can discover a stable buoyancy height for a balloon suitable for carrying a wireless digital camera.

Unlike a short range drone, you can launch a balloon plus digital camera from random and distant locations from an actual concentration camp. Launch locations are chosen based on weaponizing weather data, made available by most governments. In the United States, the National Weather Service provides current wind data and maintains historical weather data.

Once you have a stable buoyancy height for your balloon plus digital camera (password protected), record the harness and camera weight so you can create other balloons to accompany the one or more balloons with cameras at a similar height. Authorities will go nuts trying to chase every balloon down as “evidence” and it creates opportunities for balloon spotters (BSers) to call in reports of balloon sightings and landings.

For surveillance purposes, use maps of wind conditions to select launch points that will result in your balloons passing over the concentration camps of interest. Concentration camps tend to be fixed locations and as you develop more experience with local wind patterns, the more successful you will be on a regular basis.

Perhaps old school but I would ensure that every balloon has a physical limit to its travels. If you can’t think of any ways to do that, ask your former eighth grade (US educational system) science teacher. That’s good for the environment. Should you find balloons released by others, remember that some devices bite upon discovery. Report discovered balloons to local law enforcement.

Balloons are cheap, annoying to government officials, and provide low-risk ways to document government activities, from rain forests to concentration camps. Weaponizing weather data for surveillance is only one way to use the common balloon. Other suggestions are forthcoming.

PS: Here is one list of U.S. concentration camps. I express no opinion about the accuracy of that list or the legality of surveilling any location mentioned therein. To avoid being U.S. specific, I’m happy to update this portion of the post with pointers to other lists of concentration camps around the world. Go carefully.

April 28, 2019

Ex-Police Chief, Outs Self as Extremist!

Filed under: Censorship,Government — Patrick Durusau @ 4:20 pm

The Ex-Met Police assistant commissioner Sir Mark Rowley has outed himself as an extremist (or an idiot, take your pick) in remarks to BBC Radio Programme 4, saying:

The top-ranked search referred to by Sir Mark takes users to the Wikipedia entry for Anjem Choudary, who was released from prison last year, halfway through a five-year jail term for encouraging support for the so-called Islamic State group.

He told Today: “I think I mentioned on your programme a few months ago, if you Google ‘British Muslim spokesman’ you get Anjem Choudary. That’s a disgrace.”

Sir Mark said: “These algorithms are designed to push us towards contentious material because that feeds their bottom line of advertising revenues, by pushing readers to extremist material.”

This is something Google denies, pointing out that it actually wants to get people off the platform and on to a third-party site as quickly as possible.

‘Extremist’ Google algorithms concern ex-police chief

Extremist may sound harsh but using the results of one “Google” search to condemn search algorithms untested and unseen, is clearly extreme. Public policy cannot be reasonably based on ad hoc reports by public figures and their reactions to search result content. Any student writing a paper on the recent history of Muslims in the UK would likely appreciate the pointer to Anjem Choudary.

Unless Sir Mark intends to expunge Choudary from BBC and other news reports held in libraries. And prohibiting discussion of Choudary online and in the news, oops, Sir Mark has already violated his own rule! Discussion of Choudary as “British Muslim spokesman.” Which now shows up as the first “hit” in a competing search engine.


April 24, 2019

Deobfuscating APT32 Flow Graphs with Cutter and Radare2 [Defining “foreign” government]

Filed under: Cybersecurity,Government,Hacking,Radare2 — Patrick Durusau @ 12:30 pm

Deobfuscating APT32 Flow Graphs with Cutter and Radare2 by Itay Cohen.

The Ocean Lotus group, also known as APT32, is a threat actor which has been known to target East Asian countries such as Vietnam, Laos and the Philippines. The group strongly focuses on Vietnam, especially private sector companies that are investing in a wide variety of industrial sectors in the country. While private sector companies are the group’s main targets, APT32 has also been known to target foreign governments, dissidents, activists, and journalists.

APT32’s toolset is wide and varied. It contains both advanced and simple components; it is a mixture of handcrafted tools and commercial or open-source ones, such as Mimikatz and Cobalt Strike. It runs the gamut from droppers, shellcode snippets, through decoy documents and backdoors. Many of these tools are highly obfuscated and seasoned, augmented with different techniques to make them harder to reverse-engineer.

In this article, we get up and close with one of these obfuscation techniques. This specific technique was used in a backdoor of Ocean Lotus’ tool collection. We’ll describe the technique and the difficulty it presents to analysts — and then show how bypassing this kind of technique is a matter of writing a simple script, as long as you know what you are doing.

The deobfuscation plugin requires Cutter, the official GUI of the open-source reverse engineering framework – radare2. Cutter is a cross-platform GUI that aims to expose radare2’s functionality as a user-friendly and modern interface.  Last month, Cutter introduced a new Python plugin system, which figures into the tool we’ll be constructing below. The plugin itself isn’t complicated, and neither is the solution we demonstrate below. If simple works, then simple is best.

Way beyond my present skills but I can read and return to it in the future.

I don’t know how Cohen defines foreign government but for my purposes, a foreign government is one that isn’t paying me. Simple, direct and to the point. That may be a U.S.-centric definition. The U.S. government spends $billions on oppressing people around the world but cybersecurity sees it with a begging cup out for volunteer assistance. On a scale of volunteer opportunities, the U.S. government and its fellow travelers should come out dead last.


Government Countermeasures, Traffic Cams

Filed under: Government,Hacking,Protests — Patrick Durusau @ 10:52 am

If you use public feeds from traffic cams to guide or monitor disruptions, Public Spy (Traffic) Cams, or “leak” that you are using public feeds in that manner, government authorities are likely to interrupt public access to those feeds.

The presence of numerous wi-fi hotspots and inexpensive wi-fi video cameras suggests the most natural counter to such interruptions.

Unlike government actors, you know which locations are important, which disruptions are false flags (including random events that attract attention), and you benefit from public uncertainty caused by any interruption of public services, such as traffic cams.

As an illustration and not a suggestion, if cars caught in gridlock come under attack, say a pattern of attacks over several days, motorists caught in ordinary gridlock become more nervous and authorities view accidents or other causes with heightened suspicion. Whether you are the cause of the gridlock or not.

Authorities suffer from apophenia, that is “seeing apparently meaningful connections between unrelated patterns, data or phenomena.” What is pareidolia? (a sub-class of apophenia) Perhaps more than apophenia, because actively searching for patterns, makes them more likely to discover false ones. With an eye for patterns, you can foster their recognition of false ones. [FYI, false patterns are “subjects” in the topic maps. May include data on their creation.]

April 23, 2019

Best OCR Tools – Side by Side

Filed under: Government,Government Data,OCR — Patrick Durusau @ 8:34 pm

Our Search for the Best OCR Tool, and What We Found by Ted Han and Amanda Hickman.

From the post:

We selected several documents—two easy to read reports, a receipt, an historical document, a legal filing with a lot of redaction, a filled in disclosure form, and a water damaged page—to run through the OCR engines we are most interested in. We tested three free and open source options (Calamari, OCRopus and Tesseract) as well as one desktop app (Adobe Acrobat Pro) and three cloud services (Abbyy Cloud, Google Cloud Vision, and Microsoft Azure Computer Vision).

All the scripts we used, as well as the complete output from each OCR engine, are available on GitHub. You can use the scripts to check our work, or to run your own documents against any of the clients we tested.

The quality of results varied between applications, but there wasn’t a stand out winner. Most of the tools handled a clean document just fine. None got perfect results on trickier documents, but most were good enough to make text significantly more comprehensible. In most cases if you need a complete, accurate transcription you’ll have to do additional review and correction.

Since government offices are loath to release searchable versions of important documents (think Mueller report), reasonable use of those documents requires OCR tools.

Han and Hickman enable you to compare OCR engines on your documents, an important step before deciding on which engine best meets your needs.

Should you find yourself in a hacker forum, no doubt by accident, do mention agencies which force OCR of their document releases. That unnecessary burden on readers and reporters should not go unrewarded.

Weaponized USB Drives and Beyond

Filed under: Cybersecurity,Government,Hacking — Patrick Durusau @ 8:19 pm

Weaponized USB devices as an attack vector by Alex Perekalin.

USB devices are the main source of malware for industrial control systems, said Luca Bongiorni of Bentley Systems during his talk at #TheSAS2019. Most people who are in any way involved with security have heard classic tales about flash drives “accidentally” dropped in parking lots — it’s a common security story that is just too illustrative not to be retold again and again.

Perekalin takes us beyond flash drives with a reminder that any USB device can be an attack vector.

An incomplete list of USB devices includes:

  • Speaker
  • Microphone
  • Sound card
  • MIDI
  • Modem
  • Ethernet adapter
  • Wi-Fi adapter
  • RS-232 serial adapter
  • Keyboard
  • Mouse
  • Joystick
  • Webcam
  • Scanner
  • Laser printer
  • Inkjet printer
  • USB flash drive
  • Memory card reader
  • Digital audio player
  • Digital camera

Just to name some of the more common ones. 

So it’s a little more expensive to do: “Congratulations! You were selected at random for a free digital camera!” (make sure it is a nice one) If it gets you inside the ******* agency, it’s worth every penny. Weaponized USB devices should be a standard part of your kit.

Public Spy (Traffic) Cams

Filed under: Government,Protests — Patrick Durusau @ 3:21 pm

See the Road Ahead with Traffic Camera Images on Bing Maps

From the post:

The Bing Maps Routing and Traffic Team is constantly working to make navigation and route planning easier! Hot on the heels of our previous announcement about traffic coloring, the Bing Maps team is proud to announce that we have made it possible for users to access traffic camera images along a planned driving route! You can now see traffic camera icons along a short to moderate-length route. By clicking on a traffic camera icon, you can view the latest image from the traffic camera at that location.

Bing Maps with traffic cameras:

  • Enable real time routing of “breakdowns” for maximum impact
  • Monitor highways for enhancement of unplanned blockages
  • Support live tweeting/messaging/blogging of highway conditions

Access to traffic cams is not news but Bing is making them easy for casual users. The more users, the more noise and the safer you will be accessing traffic cams for your purposes.

Assuming the worst outcome in the 2021 presidential elections, you may want to consult Defeating Police Formations – Parallel Distributed Protesting, a post that I badly need to re-write. The lesson there is one of stopping cars on the Beltway around Washington, D.C., to effectively interrupt any inauguration ceremony. Traffic cams and management of “breakdowns” go hand in hand.

If you want to ineffectively interrupt any inauguration ceremony, mug for the press cameras at subway entrances. Your call.

March 29, 2019

Pentagon Adopts Hostile Adoption Strategy

Filed under: Cybersecurity,FBI,Government,Hacking,Security — Patrick Durusau @ 10:44 am

Pentagon’s Multibillion-Dollar DEOS Contract is Guaranteed for Microsoft

High-five traffic saturated networks between groups of North Korean, Chinese and Russian hackers when they read:

In the coming weeks, the Pentagon—through its partner, the General Services Administration—will bid out a cloud-based contract for enterprisewide email, calendar and other collaboration tools potentially worth as much as $8 billion over the next decade.


Yet former defense officials, contracting analysts and industry experts tell Nextgov the Defense Enterprise Office Solutions contract is one that tech giant Microsoft—with its Office 365 Suite—simply cannot lose.

Yes, the Pentagon, through a variety of bidders, all of whom offer Microsoft-based solutions, is adopting a hostile adoption strategy, described as:

According to Defense Department spokeswoman Elissa Smith, the intent is for DEOS to replace all the disparate, duplicative collaboration tools Defense Department agencies use around the world. Components, including the Army, Navy and Air Force, “will be required” to use the same cloud-based business tools.

“It is expected that DEOS will be designated as an enterprise solution for DOD-wide adoption and organizations,” Smith told Nextgov. “Components that have already implemented different solutions with similar functionality will be required to migrate to DEOS.”

You may remember how successful the FBI Virtual Case File project was, $170 million in the toilet, where local FBI offices were to be “forced” to migrate to a new system. Complete and utter failure.

Undeterred by previous government IT failures, the Pentagon is upping the stakes 47 X the losses in the FBI Virtual Case File project and, even more importantly, risking national security on hostile adoption of an unwanted product.

If that weren’t bad enough, the Office 365 Suite offers a security single point of failure (SPOF). Once the system is breached for one instance, it has been breached for all. Hackers can now abandon their work on other systems and concentrate on Microsoft alone. (A thanks on their behalf to the Pentagon.)

Hackers are unlikely to take up my suggestion because an eight year slog to complete failure leaves non-Microsoft systems in operation during and past the project’s failure date. Not to mention that a hostile transition to an unwanted system is likely to leave openings for exploitation. Happy hunting!

February 23, 2019

USA Confirms Hacking Only Viable Path To Transparency

Filed under: Government,Hacking,Transparency — Patrick Durusau @ 5:12 pm

After years of delays and democratic regression, USA releases weak open government plan from: E Pluribus Unum

From the post:

If the American public wants to see meaningful progress on transparency, accountability or ethics in U.S. government, it should call on Congress to act, not the Trump White House.
With little fanfare or notice, the United States of America has published a fourth National Action Plan for Open Government for the Open Government Partnership (OGP). The USA was automatically placed under review in January, but not because of two years of regression on transparency, accountability, and brazen corruption. The plan was simply late, after failing to deliver a new plan for the multi-stakeholder initiative for years.
The new “national action plan” is notable for its lack of ambition, specificity or relevance to backsliding on democracy in the USA under the Trump administration.

Calling on the U.S. Congress for “…meaningful progress on transparency, accountability or ethics in U.S. government…” is a jest too cruel for laughter.

The current U.S. president has labored mightily to reduce government transparency but Congress is responsible for the crazy quilt laws enabling agencies to practice secrecy as their default position. Any sane system of transparency starts with transparency as the default setting, putting the burden of secrecy on those who desire it.

You can waste supporter dollars on yearly tilts at the transparency windmill in Congress, or bi-annual elections of members of Congress who promise (but don’t deliver) transparency, or presidential elections every four years. The resulting government structures will not be meaningfully more transparent at any future point in time.

If you see a viable (as in effective) alternative to hacking as a means of making government transparent, please leave it in a comment below.

February 11, 2019

White/Black Hats – Swiss E-Voting Systems – $$$ (or rather CHF)

Filed under: Bugs,Cybersecurity,Government — Patrick Durusau @ 3:59 pm

Switzerland Launches Bug Bounty Program for E-Voting Systems by Eduard Kovacs

From the post:


Hackers can earn between $30,000 and $50,000 if they find vulnerabilities that can be exploited to manipulate votes without being detected by voters and auditors. Voting manipulation methods that are detectable can earn participants up to $20,000.

Server-side flaws that allow an attacker to find out who voted and what they voted can earn hackers as much as $10,000, while vote corruption issues can be worth up to $5,000. The smallest bounty, $100, will be paid out for server configuration weaknesses. Participants will be allowed to make their findings public.

The source code for the e-voting system is publicly available, but Swiss Post noted that source code vulnerabilities must be reported separately if they cannot be exploited against the test system.

If you are a registered White Hat hacker, submit your findings for awards as described.

If you are a Black Hat hacker, sell your hack to one of the participating White Hat hackers. 😉

Something for everyone.

January 19, 2019

Targeting Government Contractors/Subcontractors (U.S.)

Filed under: Cybersecurity,Government,Hacking — Patrick Durusau @ 8:18 pm

You may have seen: China’s been hacking Navy contractors for 18 months, new report reveals, which among other things says:


“It’s extremely hard for the Defense Department to secure its own systems,” Bossert said. “It’s a matter of trust and hope to secure the systems of their contractors and subcontractors.”

Subcontractors of all branches are frequently attacked by hackers due to inadequate cybersecurity measures. Officials say subcontractors are not being held accountable for those inadequacies.

Sadly, that article and the WSJ report it summarizes, Chinese Hackers Breach U.S. Navy Contractors, fail to provide any actionable details, like which Navy subcontractors?

If you knew which subcontractors, you could target advertising of your services to strengthen their defenses or not be outdone by alleged Chinese hackers. I say “alleged Chinese hackers” because attribution of hacking seems to follow a “villain of the week” pattern. Last year it was super-human North Koreans, or was that the year before? Then it has been the Russians and Chinese off and on. Now it’s the Chinese again.

To correct the lack of actionable data in those reports, I have a somewhat dated (2014) RAND report, Findings from Existing Data on the Department of Defense Industrial Base by Nancy Young Moore, Clifford A. Grammich, Judith D. Mele, that gives you several starting places for finding government subcontractors.

I need to extract the specific resources they list and update/supplement them with others but for weekend reading you could do far worse.

Think of this as one example of weaponizing public data. There are others. If gathered in book form, would you be interested?

January 4, 2019

Crypto-Cash for Crypto-Cache : The Dark Overlord

Filed under: Government,Government Data,Hacking,Intelligence — Patrick Durusau @ 8:24 pm
Crypto-Cash for Crypto-Cache

This is the thedarkoverlord here to deliver a message.


Our Official Bitcoin Wallet Address: 192ZobzfZxAkacLGmg9oY4M9y8MVTPxh7U


As the world is aware, we released our first decryption key for the ‘Preview_Documents.container’ Veracrypt container that contained a small sample of documents to continue to verify the authenticity of our claims. The decryption key for this container is: *CZ4=I{YZ456zGecgg9/cCz|zNP5bZ,nCvJqDZKrq@v?O5V$FezCNs26CD;e:%N^

There’s five layers to go. Layer 1, 2, 3, 4, and fine finally Layer 5. Each layer contains more secrets, more damaging materials, more SSI, more SCI, more government investigation materials, and generally just more truth. Consider our motivations (money, specifically Bitcoin), we’re not inclined to leak the juiciest items until we’re paid in full. However, in the interest of public awareness and transparency, we’re officially announcing our tiered compensation plan. …

This press release is reviewed at: Hacker group releases ‘9/11 Papers’, says future leaks will ‘burn down’ US deep state.

Nothing explosive in the initial documents but you have to wonder why they were scrubbed from Reddit, Pastebin, and Twitter, “immediately.”

I don’t see any ethical issue with The Dark Overlord charging for these documents. We are held hostage by utility, cable, ISP, mortgage and other hostiles. It’s a proven money-making model so why the tension over it being used here?

For further details, see the press release by The Dark Overlord. Please consider contributing to fund the release of these documents.

P.S. I rather doubt any document or report is going to bring down the “deep state.” Remember that it employs hundreds of thousands of people and numerous contractors and vendors. Shutting it down would cripple local economies in a number of places. It likely exists because it is needed to exist.

December 5, 2018

Open Letter to NRCC Hackers

Filed under: Cybersecurity,Government,Hacking,Politics,Wikileaks — Patrick Durusau @ 11:04 am

We have never met or communicated but I wanted to congratulate you on the hack of top NRCC officials in 2018. Good show!

I’m sure you remember the drip-drip-drip release technique used by Wikileaks with the Clinton emails. I had to check the dates but the first batch was in early October 2016, before the presidential election in November 2016.

The weekly release cycle, with the prior publicity concerning the leak, kept both alternative and mainstream media on the edge of climaxing every week. Even though the emails themselves were mostly office gossip and pettiness found in any office email system.

The most obvious target event for weekly drops of the NRCC emails is the 2020 election but that is subject to change.

Please consider the Wikileaks partial release tactic, which transformed office gossip into front-page news, when you select a target event for releasing the NRCC emails.

Your public service in damaging the NRCC will go unrewarded but not unappreciated. Once again, good show!

December 4, 2018

Bulk US Congress Bills, Laws in XML

Filed under: Government,Government Data,Law,Legal Informatics,XML — Patrick Durusau @ 8:47 am

GPO Makes Documents Easy To Download and Repurpose in New XML Format

From the news release:

The U.S. Government Publishing Office (GPO) makes available a subset of enrolled bills, public and private laws, and the Statutes at Large in Beta United States Legislative Markup (USLM) XML, a format that makes documents easier to download and repurpose. The documents available in the Beta USLM XML format include enrolled bills and public laws beginning with the 113th Congress (2013) and the Statutes at Large beginning with the 108th Congress (2003). They are available on govinfo, GPO’s one-stop site to authentic, published Government information. https://www.govinfo.gov/bulkdata.

The conversion of legacy formats into Beta USLM XML will provide a uniform set of laws for the public to download. This new format maximizes the number of ways the information can be used or repurposed for mobile apps or other digital or print projects. The public will now be able to download large sets of data in one click rather than downloading each file individually, saving significant time for developers and others who seek to repurpose the data.

GPO is collaborating with various legislative and executive branch organizations on this project, including the Office of the Clerk of the House, the Office of the Secretary of the Senate, and the Office of the Federal Register. The project is being done in support of the Legislative Branch Bulk Data Task Force which was established to examine the increased dissemination of Congressional information via bulk data download by non-Governmental groups for the purpose of supporting openness and transparency in the legislative process.

“Making these documents available in Beta USLM XML is another example of how GPO is meeting the technological needs of Congress and the public,” said GPO Acting Deputy Director Herbert H. Jackson, Jr. “GPO is committed to working with Congress on new formats that provide the American people easy access to legislative information.”

GPO is the Federal Government’s official, digital, secure resource for producing, procuring, cataloging, indexing, authenticating, disseminating, and preserving the official information products of the U.S. Government. The GPO is responsible for the production and distribution of information products and services for all three branches of the Federal Government, including U.S. passports for the Department of State as well as the official publications of Congress, the White House, and other Federal agencies in digital and print formats. GPO provides for permanent public access to Federal Government information at no charge through www.govinfo.gov and partnerships with approximately 1,140 libraries nationwide participating in the Federal Depository Library Program. For more information, please visit www.gpo.gov.

Not that I have lost any of my disdain and distrust for government, but when any government does something good, they should be praised.

Making “enrolled bills, public and private laws, and the Statutes at Large in Beta United States Legislative Markup (USLM) XML” available is a step towards tracing and integrating legislation with those it benefits.

I’m not convinced that if you could trace specific legislation to a set of donations that the outcomes on legislation would be any different. It’s like tracing payments made to a sex worker. That’s their trade, why should they be ashamed of it?

The same holds true for most members of Congress, save that the latest election has swept non-sex worker types into office. It remains to be seen how many will resist the temptation to sell their offices and which will not.

In either case, kudos to the GPO and Lauren Wood, who I understand has been a major driver in this project!

November 17, 2018

IMSI-Catcher in 30 Minutes

Filed under: Government,Privacy,STINGER — Patrick Durusau @ 9:51 pm

With $20 of Gear from Amazon, Nearly Anyone Can Make This IMSI-Catcher in 30 Minutes by Joseph Cox.

From the post:

With some dirt cheap tech I bought from Amazon and 30-minutes of set-up time, I was streaming sensitive information from phones all around me. IMSIs, the unique identifier given to each SIM card, can be used to confirm whether someone is in a particular area. They can also be used as part of another attack to take over a person’s phone number and redirect their text messages. Obtaining this information was incredibly easy, even for a non-expert.

But a DIY IMSI catcher is relatively trivial to setup, and the technology is accessible to anyone with a cheap laptop, $20 of gear, and, the ability to essentially copy and paste some commands into a computer terminal. This is about ease of access; a lower barrier of technical entry. In a similar way to so-called spouseware—malware used by abusive partners—surveillance takes on different character when it trickles down to more ordinary, everyday users. The significance and threat from IMSI-catchers is multiplied when a lot more people can deploy one.

Once you get up and running (see the project’s GitHub page), other extensions and uses will occur to you.

I deeply disagree with the assessment:

The significance and threat from IMSI-catchers is multiplied when a lot more people can deploy one.

The greater danger comes when secret agencies, and even police agencies, operate with no effective oversight, either because their operations are too secret to be known to others or because a toady, such as the FISA court, is called upon to pass judgment.

As the “threat” from IMSI-catchers increases, manufacturers will engineer phones that resist attacks from the government and the public. A net win for the public, if not the government.

IMSI-catchers and more need to be regulars around government offices and courthouses. Governments like surveillance so much, let’s provide them with a rich and ongoing experience of the same.

October 24, 2018

Hacking Rent-A-Spy Vendors (Partial Target List)

Filed under: Cybersecurity,Government,Hacking — Patrick Durusau @ 3:49 pm

Does “hacking” apply to data found in publicly accessible locations? Lorenzo Franceschi-Bicchierai thinks so in Government Spyware Vendor Left Customer, Victim Data Online for Everyone to See.

However you answer that question, the post is an amusing tale of a spyware startup that left 20 gigabytes of data exposed to the public.

And it’s a valuable article, given the targeting data gathered:


Wolf Intelligence is part of the so-called “lawful intercept” industry. This is a relatively unregulated—but legal—part of the surveillance market that provides hacking and spy software to law enforcement and intelligence agencies around the world. Hacking Team, FinFisher, and NSO Group are the more well-known companies in this sector. According to a recent estimate, this market is expected to be worth $3.3 billion in 2022.

These companies generally sell spyware that infects computers and cell phones with the goal of extracting evidence for police or intelligence operations, which can be particularly useful when authorities need to get around encryption and have a warrant to access the content of a target’s communications. But in the past, companies like Hacking Team, FinFisher, and NSO Group have all sold their malware to authoritarian regimes who have used it against human rights defenders, activists, and journalists.

As demand for these technologies has grown, many smaller players have entered the market. Some of them have made embarrassing mistakes that have helped cybersecurity researchers expose them.

You can spend $$$ on R&D developing cutting-edge malware or wait for rent-a-spy vendors and the like to leak it. Rent-a-spy vendors hire from the same gene pool that makes phishing the #1 means of cybersecurity breaches. Picking up malware litter has a higher ROI.

Is anyone keeping a list of rent-a-spy vendors? Pointers? Thanks!

October 12, 2018

EraseIt! Requirements for an iPhone Security App

Filed under: Cybersecurity,Government,Hacking — Patrick Durusau @ 3:40 pm

Joseph Cox writes in: Cops Told ‘Don’t Look’ at New iPhones to Avoid Face ID Lock-Out:


As Apple has improved its security protections against attackers who have physical access to a phone—Touch and Face ID, the Secure Enclave Processor that handles these tools, and robust encryption used by default—law enforcement agencies have come up with varying techniques for getting into devices they seize. In the UK, police officers simulated a mugging to steal a suspect’s phone while he was using it, so it would be unlocked, and the officer repeatedly swiped the screen to make sure the phone did not close itself off again. Police lawyers determined that they would have no legal power to force the suspect to place his finger on the device, so opted for this unusual, albeit novel, approach.

In the US, however, law enforcement agencies have used both technical and legal means to get into devices. Courts have compelled suspects to unlock their device with their face or fingerprint, but the same approach does not necessarily work for demanding a passcode; under the Fifth Amendment, which protects people from incriminating themselves, a passcode may be considered as “testimonial” evidence. A number of warrants have focused on forcing suspects to place their finger onto an iPhone, and, as Forbes noted in its recent report, some warrants now include boilerplate language that would cover unlocking a device with a person’s face as well. Law enforcement agencies across the country have also bought GrayKey, a small and relatively cheap device that has had success in unlocking modern iPhones by churning through different passcode combinations.

Of all the breaches of iPhone security mentioned, GrayKey is the most disturbing. It bypasses the repeated-attempt limitation and can crack a six-digit PIN in 22.2 hours (at worst) and 11.1 hours on average. Estimates in this tweet by @matthew_d_green:

While mulling over the implications of GrayKey, I found How to Set iPhone to Erase All Data After 10 Failed Passcode Attempts by Leomar Umpad.

The downside being you may be too excited (one word for it) when the door bursts open and a flash bang grenade goes off to quickly enter the wrong passcode in your iPhone. Or your freedom of movement may be restricted by armed police officers even after calm is restored.

Your iPhone needs an EraseIt! app that:

  1. Responds to verbal commands
  2. User supplied command starts erasure process
  3. Once started, erasure process disables all input, including the power button
  4. Erases all data (among other things I don’t know, how effective is data erasure in iPhones?)
  5. (Refinement) Writes 0 or 1 to all memory locations until battery failure

Relying on passcodes reminds me of Bruce Schneier’s classification of cryptography in Applied Cryptography (2 ed.):

There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files. This book is about the latter.

Passcodes are the former.
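To put numbers on that, here is an added example (not part of the original post or of any vendor's tooling) that scales the 22.2-hour six-digit figure quoted above to other passcode policies. It assumes the cost per guess is constant, so the post's figure fixes the rate; the 62-character alphanumeric policy and the ten-year target are constructed for illustration.

```python
"""Passcode search-time estimates scaled from the post's six-digit figure.

Assumption (not from the post): every guess costs the same time, so the
quoted worst case of 22.2 hours for 10**6 PINs fixes the guessing rate.
"""

SIX_DIGIT_WORST_HOURS = 22.2                      # figure quoted in the post
SECONDS_PER_GUESS = SIX_DIGIT_WORST_HOURS * 3600 / 10**6

DIGITS = 10                                       # numeric passcode
ALPHANUMERIC = 62                                 # a-z, A-Z, 0-9 (constructed policy)
TEN_YEARS = 10 * 365 * 86400                      # constructed resistance target, seconds


def keyspace(alphabet_size, length):
    """Number of distinct passcodes of exactly `length` symbols."""
    return alphabet_size ** length


def search_seconds(alphabet_size, length):
    """Return (worst_case, average) exhaustive-search time in seconds."""
    worst = keyspace(alphabet_size, length) * SECONDS_PER_GUESS
    return worst, worst / 2


def min_length(alphabet_size, target_avg_seconds):
    """Shortest passcode length whose average search time meets the target."""
    if alphabet_size < 2:
        raise ValueError("alphabet must have at least two symbols")
    length = 1
    while search_seconds(alphabet_size, length)[1] < target_avg_seconds:
        length += 1
    return length


def humanize(seconds):
    """Render a duration in the largest unit that keeps the value >= 1."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def report():
    """Rows of (policy, keyspace, worst, average) for common policies."""
    rows = []
    for name, alphabet, length in (("4 digits", DIGITS, 4),
                                   ("6 digits", DIGITS, 6),
                                   ("8 digits", DIGITS, 8),
                                   ("10 digits", DIGITS, 10),
                                   ("6 alphanumeric", ALPHANUMERIC, 6),
                                   ("8 alphanumeric", ALPHANUMERIC, 8)):
        worst, average = search_seconds(alphabet, length)
        rows.append((name, keyspace(alphabet, length),
                     humanize(worst), humanize(average)))
    return rows


if __name__ == "__main__":
    for name, space, worst, average in report():
        print(f"{name:>15}  {space:>22,}  worst {worst:>18}  avg {average:>18}")
    print("digits needed for a 10-year average:", min_length(DIGITS, TEN_YEARS))
    print("alphanumerics needed for the same:  ", min_length(ALPHANUMERIC, TEN_YEARS))
```

Each added digit multiplies the search time by ten and each added alphanumeric character by 62, which is why passcode length and alphabet matter far more than the retry limit once that limit can be bypassed.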

What other requirements would you have for an EraseIt! app?

PS: Go carefully. Most government forces differ from those of Saudi Arabia (Jamal Khashoggi) only in their preference to kill with plausible deniability.

October 11, 2018

Morally Blind Reporting – 32 million Muslim Dead vs. Trade Secrets

Filed under: Government,News,Politics — Patrick Durusau @ 2:17 pm

You don’t need citations from me to know bias in news coverage is all the rage these days. But there is precious little discussion of what is meant by “bias,” other than the speaker knowing it when they see it.

Here’s my example of morally blind (biased) news reporting or the lack thereof:

“Yanjun Xu, a high-ranking director in China’s Ministry of State Security (MSS), the country’s counter-intelligence and foreign intelligence agency…” was arrested for alleged economic espionage and attempts to steal trade secrets in the United States.

You will see much hand wringing and protests of how necessary such a step was to protect American companies and their trade secrets. Add in a dash of prejudice against China and indignation that a nation of thieves (the U.S.) should be stolen from by others and you complete the scene.

When you find stories about Yanjun Xu, check the same sources for reporting on U.S. responsibility for 32 million Muslim dead since 9/11.

In any moral calculus worthy of the name “moral,” surely the deaths of millions are more important than the intellectual property rights of U.S. industries. Yes?

The value U.S. news organizations place on Muslim deaths versus theft of trade secrets is made self-evident by their reporting.

I don’t want to re-live the 1960’s where people dying were a daily staple of the evening news (even then it was almost always Americans). However, fair and balanced reporting does not exist when millions perish without every man, woman and child being made aware of it on a daily basis. Along with the lack of even a flimsy excuse for their murders.

The U.S. media can start by televising the nearly daily murder of protesters in Gaza and work their way out from there. Close-ups, talk to families, bring the cruelty the U.S. is financing into our living rooms. Sicken us with our own inhumanity.

PS: Don’t bother commenting the media lacks access, permission, etc. If you want to be butt-puppets of government, say so, don’t sully the title reporter.

September 28, 2018

LoJax – Coming to a Corporation/Government Near You!

Filed under: Cybersecurity,Government,Hacking,Security — Patrick Durusau @ 8:58 pm

Cybersecurity Researchers Spotted First-Ever UEFI Rootkit in the Wild by Swati Khandelwal.

From the post:

Cybersecurity researchers at ESET have unveiled what they claim to be the first-ever UEFI rootkit being used in the wild, allowing hackers to implant persistent malware on the targeted computers that could survive a complete hard-drive wipe.

Dubbed LoJax, the UEFI rootkit is part of a malware campaign conducted by the infamous Sednit group, also known as APT28, Fancy Bear, Strontium, and Sofacy, to target several government organizations in the Balkans as well as in Central and Eastern Europe.

Operating since at least 2007, Sednit group is a state-sponsored hacking group believed to be a unit of GRU (General Staff Main Intelligence Directorate), a Russian secret military intelligence agency. The hacking group has been associated with a number of high profile attacks, including the DNC hack just before the U.S. 2016 presidential election.

UEFI, or Unified Extensible Firmware Interface, a replacement for the traditional BIOS, is a core and critical firmware component of a computer, which links a computer’s hardware and operating system at startup and is typically not accessible to users.

Khandelwal has a great explanation of LoJax with pointers to more detailed information.

At present the result of governmental development, it’s not unreasonable to expect LoJax to become commodity malware in a period of a year or two, perhaps less. Not unlike the first atomic bomb. The first one was true research, the second one and following, were matters of engineering.

Any number of governments and corporations merit being gifted with installations of LoJax.

Watching the anti-woman antics in the US Senate this week, made me think of several likely targets.

September 21, 2018

Senate GMail Attack – eXist-db 5.0.0 RC 4 Release – Coincidence?

Filed under: Cybersecurity,eXist,Government,XML,XML Database,XQuery — Patrick Durusau @ 6:16 pm

First I see Senators’ Gmail accounts targeted by foreign hackers from today that reads in part:

The personal Gmail accounts of an unspecified number of US senators and Senate staff have been targeted by foreign government hackers, a Google spokesperson confirmed to CNN on Thursday.

then I see in my Twitter feed:

[eXist-db] v5.0.0-RC4 – September 21, 2018.

The campaign season has been devoid of any Clinton-like email leaks, which is both disappointing and a little surprising.

It worked so well last time: taking no-news office gossip and, by timed release, making back-biting chatter into widely reported news.

You should grab a copy of eXist-db v.5.0.0-RC4 or the current stable version. Practicing now will keep you in shape for any flood of congressional emails.

eXistDB is NOT in league with any hackers anywhere.

I like feeding the paranoid delusions of the IC with groundless gossip. They will write it down, talk about it, do research, all the while they are not out harming US citizens and/or hopefully citizens of any other countries.

September 20, 2018

HIDE AND SEEK… (Pegasus Spyware)

Filed under: Government,Pegasus,Privacy — Patrick Durusau @ 12:27 pm

HIDE AND SEEK Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries by Bill Marczak, John Scott-Railton, Sarah McKune, Bahr Abdul Razzak, and Ron Deibert.

From the post:


Key Findings

  • Between August 2016 and August 2018, we scanned the Internet for servers associated with NSO Group’s Pegasus spyware. We found 1,091 IP addresses that matched our fingerprint and 1,014 domain names that pointed to them. We developed and used Athena, a novel technique to cluster some of our matches into 36 distinct Pegasus systems, each one of which appears to be run by a separate operator.
  • We designed and conducted a global DNS Cache Probing study on the matching domain names in order to identify in which countries each operator was spying. Our technique identified a total of 45 countries where Pegasus operators may be conducting surveillance operations. At least 10 Pegasus operators appear to be actively engaged in cross-border surveillance.
  • Our findings paint a bleak picture of the human rights risks of NSO’s global proliferation. At least six countries with significant Pegasus operations have previously been linked to abusive use of spyware to target civil society, including Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates.
  • Pegasus also appears to be in use by countries with dubious human rights records and histories of abusive behaviour by state security services. In addition, we have found indications of possible political themes within targeting materials in several countries, casting doubt on whether the technology is being used as part of “legitimate” criminal investigations.

(The image of Pegasus infections looks far better and is more informative in the original post.)

The NSO Group responded to the Hide and Seek post here.

Any defense against the NSO Group and/or users of their software is up to you. Governments are clearly not on the side of citizens when it comes to the NSO Group.

September 13, 2018

OpenOversight: A public, searchable database of law enforcement officers

Filed under: Government,Transparency — Patrick Durusau @ 2:41 pm

OpenOversight: A public, searchable database of law enforcement officers

From the about page:

OpenOversight is a Lucy Parsons Labs project that aims to improve law enforcement visibility and transparency using public and crowdsourced data. We maintain databases, digital galleries, and profiles of individual law enforcement officers from departments across the United States that consolidate information including names, birthdates, mentions in news articles, salaries, and photographs.

The remarkable resource was forwarded to me by Camille Fassett.

Similar resources for members of legislatures, fracking companies, etc.?

August 28, 2018

Hackers – Government Partnership? A New Model

Filed under: Cybersecurity,Government — Patrick Durusau @ 7:09 pm

The trials and tribulations of hiring hackers, much less hiring them by governments, are but a quick search away. A few of the articles I have encountered: Hiring hackers: The good, the bad and the ugly, Top 10 Pros and Cons of Hiring Hackers to Enhance Security, and, Hiring a hacker: Why and how you should do it.

These posts and others suffer from a lack of imagination in harnessing hackers for bettering government security.

Governments want fewer cybersecurity risks. Hackers want less risk from their hacking activities. Here’s one way to lessen the risks on both sides:

  1. Government creates a PGP key for encryption of method and proof of hack on a government information system.
  2. The encrypted package is signed by the hacker in question for proof of ownership of that hack.
  3. Uploading of the encrypted package to a public website, along with which a hacker can claim their handle, automatically grants the hacker immunity for the hack and use of its results. Additionally, the hack cannot be used in any other prosecution for any purpose.
  4. The government can solicit solutions for submitted hacks from the submitting hacker(s) or from hackers more generally.

Governments, any government, are already hemorrhaging data. Anyone who says differently is selling a mythical security solution. Be forewarned.

The proposed hack/immunity system gives governments notice of hacks and their specifics, in exchange for immunity in the unlikely event that anyone will be prosecuted for a hack.

Moreover, the privacy of hackers is preserved since they must produce the key to verify the signing of the encrypted package, which they would only do in case of a prosecution based on or using that hack.

The cybersecurity community as a whole gains greater reliability of breach information compared to:

…This year’s report is based on a global survey conducted by 451 Research during October and November of 2017.

In contrast to last year’s report, we surveyed 1,200+ senior security executives from across the globe (up from 1,100), including respondents from key regional markets in the U.S., U.K., Germany, Japan, Sweden, the Netherlands, Korea and India. We also surveyed key segments within those countries including federal government, retail, finance and healthcare. While all 1,200 respondents have at least some degree of influence in data security decision-making, more than one-third (34%) have ‘major’ influences on these decisions and nearly half (46%) have sole decision-making authority.
2018 THALES DATA THREAT REPORT

Misgivings over the trustworthiness of hackers are highly selective. Thales relies on people with an interest in their fails looking similar to everyone else’s. Rather odd “research” technique.

PS: Should anyone (US prosecutors, FBI, etc.) protest the automatic granting of immunity, ask them for their prosecution statistics versus the number of known breaches in their districts.

You can waste money on by-chance prosecutions and cybersecurity myths, or you can correct your systems against the best hackers in the world. Your call.

Cybersecurity Fails Set To Spread Beyond Beltway Defense Contractors

Filed under: Cybersecurity,Government,Government Data — Patrick Durusau @ 3:01 pm

I’m sure you were as amused as I was to read: U.S. Department Of Defense Awards $37 Million Contract To Cybersecurity Startup Qadium. It’s only fair you know. Startups can fail at cybersecurity just as well as traditional contractors (names omitted to protect the guilty).

In a show of transparency unlike most media outlets, the post includes a disclaimer that the following was written by Qadium:

Cybersecurity startup Qadium has been awarded a $37.6 million contract by the U.S. Department of Defense, making it the latest venture-backed startup from Silicon Valley to win a major federal contract over traditional Beltway defense contractors.

Qadium is the first company to provide real-time monitoring of the entire global Internet for customers’ assets. In a new era of machine-speed attacks, Qadium helps the world’s most sophisticated organizations define and secure their dynamic network edge.

The contract was awarded by the U.S. Navy’s Space and Warfare Command after the Department of Defense validated Qadium’s commercial software. Qadium is now recognized among a small handful of cybersecurity providers, with DoD making its software accessible department-wide.

“The Defense Department used to love to build its own IT, often poorly and at high cost to taxpayers,” said Qadium CEO and CIA veteran Tim Junio. “The times are finally changing. In the face of the greatest cybersecurity challenges in our nation’s history, we’re seeing the government and private tech companies coming together, making both sides better off.”

I can name one side that will be better off, to the tune of $37 Million.

Hackers also benefit from this news, Qadium becoming a known target for social engineering and other attention.

August 22, 2018

Data and the Midterm Elections:… [Enigma contest, swag prizes, September 21 deadline]

Filed under: Data Science,Government,Python — Patrick Durusau @ 4:44 pm

Data and the Midterm Elections: Enigma Public Call for Submissions

Calling all public data enthusiasts! To celebrate the launch of Enigma Public’s Python SDK, Enigma is hosting a contest for projects – ranging from data science to data visualization, data journalism and more – featuring Enigma’s public data in exploration of the upcoming U.S. elections.

We are excited to incentivize the creation of data-driven projects, exploring the critical U.S. midterm elections this fall. In this turbulent and confusing period in U.S. politics, data can help us interpret and understand both the news we’re reading and changes we’re seeing.

One of the suggested ideas:

Census Bureau data on voter registration by demographic category.

shows that Lakoff’s point about Clinton losing educated women around Philadelphia, “her” demographic, has failed to register with political types.

Let me say it in bold type: Demographics are not a reliable indicator of voting behavior.

Twice? Demographics are not a reliable indicator of voting behavior.

Demographics are easy to gather. Demographics are easy to analyze. But easy to gather and analyze, does not equal useful in planning campaign strategy.

Here’s an idea: Don’t waste money on traditional demographics, voting patterns, etc., but enlist vendors who market to those voting populations to learn what they focus on for their products.

There’s no golden bullet but repeating the mistakes of the past is a step towards repeating the failures of the past. (How would you like to be known as the only candidate for president beaten by a WWF promoter? That’s got to sting.)

August 21, 2018

Hacking: The hope for corporate and governmental transparency

Filed under: FOIA,Government,Hacking,Transparency — Patrick Durusau @ 1:31 pm

DEF CON 26 (2018) was the source of many headlines, including Hacking the US Midterms? It’s Child’s play., Hacking Medical Protocols to Change Vital Signs, and, Tesla Plans to Open-source its Vehicle Security Software, to say nothing of zero-day bugs and new attacks on old ones.

The most encouraging news, at least for transparency of corporations and governments comes from Breaking Badge – The DEFCON Crazy 8s by NodyaH.

“DEF CON City” is the location of a text-based adventure that can be solved only with interactions between 8 card types (depends on type of attendee) as well as hacking the cards themselves. The goal is to turn all the letters DEFCON green. There are resources at the end of the post, if you already have a badge.

NodyaH does a great job describing the starts, stops and re-tracing steps of participants as they rushed to break the badges.

It’s a fast moving tale so take a few minutes to read it. After having read it, can you name a corporate or governmental agency that would be more difficult to hack than the DEFCON badges?

The solution to grudging transparency and documents that mislead more than they inform is not more FOIA. Transparency requires hackers who peel corporate and government agencies like navel oranges.

Are you one of them or aspire to be?

Keep up with DEFCON!

August 1, 2018

Printable Guns – When Censorship Fails

Filed under: 3D Printing,Government,Politics — Patrick Durusau @ 7:24 pm

It’s always nice when censorship fails. If you think about it for a minute, there were several places this AM where printable guns could be downloaded.

In anticipation that you will find unlooked for places with 3D printable gun designs, these may be useful resources:

20 Best 3D Printing Software Tools of 2018 (All Are Free)

20 Best Free STL File Viewer Tools of 2018

Before you try firing a printed gun, be sure to read 2018 3D Printed Gun Report – All You Need to Know very carefully.

There are reasons why no known military force uses 3D printed guns. Failure of the weapon and injury to its operator are two of them.

Interest in 3D printed guns has the potential to drive the market for better and cheaper 3D printers, as well as faster development of the technology.

All in all, not a bad result.

July 31, 2018

Assassination Market Clickbait

Filed under: CryptoCurrency,Government,Politics — Patrick Durusau @ 3:46 pm

The First Augur Assassination Markets Have Arrived by David Floyd.

From the post:

“Killed, not die of natural causes or accidents.”

Pretty much everyone saw them coming, but it was no less disturbing when assassination markets actually began to appear on Augur, a decentralized protocol for betting on the outcomes of real-world events and that launched two weeks ago on ethereum.

The markets – which allow users to bet on the fates of prominent politicians, entrepreneurs and celebrities – in some cases explicitly specify assassination, as the quote above shows. (CoinDesk is intentionally not providing links to these markets or naming the individuals concerned.)

In addition to targeting individuals, some markets offer bets on whether mass shootings and terrorist attacks with certain minimum numbers of casualties will occur.

By creating a market for an assassination and placing a large “no” bet (actually, selling shares in the outcome), an individual or group could in effect place a bounty on the targeted person. The would-be assassin could then place a bet on “yes” (buy shares) and manipulate the outcome, to put it delicately.

An Augur assassination market sounds like a way to democratize murder. Governments spend $billions every year killing people with their citizens exercising little or no influence over the choice of murder targets. An assassination market has the potential for a more democratic process. Or so it would seem.

The first thing you need is an Ethereum wallet. I chose a Firefox browser extension called MetaMask, but there are others; see The Top 10 Best Ethereum Wallets (2018 Edition) by Sudhir Khatwani.

Next up, the Augur app. (GitHub) Augur isn’t long on documentation for beginning users, so here are screen shots and text about my installation process.

  1. I used sudo dpkg -i linux-Augur-1.0.7.deb, encountered dependency issues and so then ran apt-get install -f.

    OK, first screen shot, the default screen when I started Augur from the panel bar:

    I accepted all of the defaults, saved the configuration.

  2. After selecting connect, with the default configuration values, this is the next screen:

    As you can tell by the % meter, this is going to take a while. I didn’t time it precisely but would guess it is 90 minutes or longer to synch up.

  3. You probably don’t have to wait as long as I did but when it was over 99% synched, I connected with the Augur app:

  4. I should have expected it, next was the scroll down agreement to activate the checkbox and then agree to terms window, which in part reads:

    Right! I’ve taken numerous steps to conceal both my identity and activity, so sure, I’m going to try to tag Augur in court if something goes sideways.

    Sigh, old habits die hard. 😉

  5. The Augur default homepage (in part only):

    Then you choose “MARKETS” in the upper left-hand corner and look for assassinations.

A lot of installing to realize the reason why:

(CoinDesk is intentionally not providing links to these markets or naming the individuals concerned.)

There’s only one (1) such market and it has only one target, without any “no” money. As you might suspect, it’s the fav of all late night talk show hosts:

I don’t regret installing the new tools but was disappointed by the “assassination market clickbait” approach.

PS: Putin doesn’t even make my top 100. You?
