Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

October 31, 2018

BaseX 9.1: The Autumn Edition [No Weaponized Email Leaks for Mid-Term Elections to Report]

Filed under: BaseX,XML,XQuery — Patrick Durusau @ 3:41 pm

Christian Grün writes in an email:

Dear XML and XQuery aficionados,

It’s been exactly 5 months since BaseX 9 was released, and we are happy to announce version 9.1 of our XML framework, database system
and XQuery 3.1 processor! The latest release is online:

http://basex.org

The most exciting addition is support for WebSockets, which enable you to do bidirectional (full-duplex) client/server communication with
XQuery web applications:

http://docs.basex.org/wiki/WebSockets

Moreover, we have added convenient syntax extensions (ternary if, Elvis operator, if without else) to XQuery. Some of them may be made available in other implementations of XQuery as well (we’ll keep you updated):

http://docs.basex.org/wiki/XQuery_Extensions#Expressions

Other new features are as follows:

XQuery:
– set local locks via pragmas and function annotations
– Database Module: faster processing of value index functions
– Jobs Module: record and return registration times
– ENFORCEINDEX option: support for predicates with dynamic values
– Update Module, update:output: support for caching maps and arrays

GUI:
– Mac, Windows: Improved rendering support for latest Java versions
– XQuery editor: choose and display current query context

Visit http://docs.basex.org to get more information on the added features.

Your feedback is welcome! Have fun,

Christian
BaseX Team

I know of no examples of weaponized email leaks using BaseX, with the mid-term elections less than a week away.

That absence is more than a little disappointing because industrial strength weapons are available, such as BaseX, and computer security remains on a Hooterville level of robustness.

Despite this missed opportunity, there are elections scheduled (still) for 2020.

ICC Metadata – Vulnerability Pattern?

Filed under: Steganography,Tweets,Twitter — Patrick Durusau @ 2:07 pm

This Tiny Picture on Twitter Contains the Complete Works of Shakespeare by Joseph Cox.

From the post:


The trick works by leveraging how Twitter handles metadata. Buchanan explained that Twitter strips most metadata from images, but the service leaves a particular type called ICC untouched. This is where Buchanan stored his data of choice, including ZIP and RAR archives.

“So basically, I wrote a script which parses a JPG file and inserts a big blob of ICC metadata,” he said. “The metadata is carefully crafted so that all the required ZIP headers are in the right place.” This process was quite fiddly, he added, saying it took a few hours to complete, although he wrote the script itself over a span of a couple of months.

“I was just testing to see how much raw data I could cram into a tweet and then a while later I had the idea to embed a ZIP file,” Buchanan added.

The ICC link points to PhotoMe:

PhotoME is a powerful tool to show and edit the meta data of image files. Thanks to the well organised layout and intuitive handling, it’s possible to analyse and modify Exif and IPTC-NAA data as well as analyse ICC profiles – and it’s completely FREE!

Useful link/software but it doesn’t define ICC metadata.

I’m curious because the handling of ICC metadata may be a vulnerability pattern found in other software.

ICC metadata is a color profile defined by the International Color Consortium. The ICC specifications page has links to the widely implemented version 4, Specification ICC.1:2010-12 (Profile version 4.3.0.0); its successor, now in development, Specification ICC.2:2018 (iccMAX); and the previous ICC profile specification, ICC.1:2001-04.

The member list of ICC alone testifies to the reach of any vulnerability enabled by ICC metadata. Add to that implementers of ICC metadata and images with it.

How does your image processing software manage ICC metadata?
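One way to answer that question for your own pipeline, as an added example (not code from the Motherboard post or from Buchanan’s script): a small Python audit that walks a JPEG’s marker segments, reassembles the APP2 ICC profile chunks, and flags what a defender would want to see: a profile whose declared size disagrees with what was embedded, a missing ‘acsp’ signature, a profile far larger than a color profile needs to be, and archive signatures inside it. The size limit, the archive watch-list and the fixtures (constructed, header-only JPEGs that are not viewable images) are assumptions.

```python
"""Audit the ICC profile segments of a JPEG for signs of abuse as a data carrier."""
import struct

ICC_TAG = b"ICC_PROFILE\x00"  # APP2 payload prefix used for embedded ICC profiles
# Archive signatures a color profile has no business containing (constructed watch-list).
ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar", b"7z\xbc\xaf\x27\x1c": "7z"}


def iter_segments(data: bytes):
    """Yield (marker, payload) for each length-prefixed JPEG marker segment up to SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # skip fill bytes
            pos += 1
        if pos >= len(data):
            return
        marker = data[pos]
        pos += 1
        if marker == 0xD9:  # EOI
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:  # standalone markers carry no length
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        length = struct.unpack(">H", data[pos:pos + 2])[0]  # includes the 2 length bytes
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad segment length {length} at offset {pos}")
        yield marker, data[pos + 2:pos + length]
        pos += length
        if marker == 0xDA:  # SOS: entropy-coded image data follows, stop the header walk
            return


def extract_icc_profile(data: bytes):
    """Reassemble the ICC profile from its APP2 chunks; returns (profile_bytes, chunk_count)."""
    chunks = {}
    for marker, payload in iter_segments(data):
        if marker == 0xE2 and payload.startswith(ICC_TAG) and len(payload) >= 14:
            seq = payload[12]  # 1-based chunk sequence number, payload[13] is the chunk count
            chunks[seq] = payload[14:]
    profile = b"".join(chunks[k] for k in sorted(chunks))
    return profile, len(chunks)


def audit_icc(data: bytes, max_profile_bytes: int = 64 * 1024):
    """Describe the embedded profile and list findings (an empty list means nothing odd)."""
    profile, chunk_count = extract_icc_profile(data)
    findings = []
    if chunk_count == 0:
        return {"icc_bytes": 0, "chunks": 0, "findings": findings}
    if len(profile) < 128:
        findings.append("profile shorter than the 128-byte ICC header")
    else:
        declared = struct.unpack(">I", profile[:4])[0]  # header bytes 0-3: profile size
        if profile[36:40] != b"acsp":  # header bytes 36-39: profile file signature
            findings.append("missing 'acsp' profile signature")
        if declared != len(profile):
            findings.append(f"declared size {declared} != embedded size {len(profile)}")
    if len(profile) > max_profile_bytes:  # assumed limit; real profiles are usually a few KB
        findings.append(f"profile is {len(profile)} bytes, over the {max_profile_bytes} byte limit")
    for magic, name in ARCHIVE_MAGIC.items():
        idx = profile.find(magic)
        if idx != -1:
            findings.append(f"{name} archive signature at profile offset {idx}")
    return {"icc_bytes": len(profile), "chunks": chunk_count, "findings": findings}


def build_fixture(icc_profile: bytes, chunk_size: int = 65519) -> bytes:
    """Constructed header-only JPEG (SOI, APP2 chunks, EOI) for exercising the audit."""
    pieces = [icc_profile[i:i + chunk_size] for i in range(0, len(icc_profile), chunk_size)]
    out = bytearray(b"\xff\xd8")
    for i, piece in enumerate(pieces, 1):
        payload = ICC_TAG + bytes([i, len(pieces)]) + piece
        out += b"\xff\xe2" + struct.pack(">H", len(payload) + 2) + payload
    return bytes(out + b"\xff\xd9")


def icc_header(total_size: int) -> bytes:
    """Minimal 128-byte ICC header carrying only the size field and the 'acsp' signature."""
    return struct.pack(">I", total_size) + b"\x00" * 32 + b"acsp" + b"\x00" * 88


# Constructed samples: a plausible tiny profile, and one padded with a ZIP signature and filler.
CLEAN_PROFILE = icc_header(128)
STUFFED_PROFILE = icc_header(128 + 4 + 200_000) + b"PK\x03\x04" + b"\x00" * 200_000
CLEAN_JPEG = build_fixture(CLEAN_PROFILE)
STUFFED_JPEG = build_fixture(STUFFED_PROFILE)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("stuffed", STUFFED_JPEG)):
        print(name, audit_icc(blob))
```

Running it against real files is a matter of passing `open(path, "rb").read()` to `audit_icc`; any finding is a reason to strip or re-encode the profile rather than pass it through untouched.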

FeatherCast – Apache Software Foundation Podcast – Follow @FeatherCast

Filed under: Data Science,Podcasting — Patrick Durusau @ 9:25 am

FeatherCast – Apache Software Foundation Podcast

From the about page:

The Apache Software Foundation is a highly diverse organisation, with projects covering a wide range of technologies. Keeping track of them all is no easy task, nor is keeping track of all the news that it generates.

This podcast aims to provide a regular update and insight into the world of the foundation. We’re going to try and bring you interviews from the people who make the decisions and guide the foundation and its projects, giving you the chance to have your questions put to them.

FeatherCast was created by David Reid and Rich Bowen, both of whom are members of the Apache Software Foundation. Over time we have added and lost a number of interviewers. Right now, our active interviewers include Rich, and Sharan Foga.

Like many of you, my first visit to the Apache.org website is lost in the depths of time. It was certainly to explore the HTTP Server Project, which even today appears outside the list of equally important software projects.

Add @FeatherCast to the list of Twitter accounts you follow. The content is about what you would expect from one of the defining forces of the Internet and data science as we know it. That is to say, excellent!

Enjoy and please spread the news about Feathercast!

October 30, 2018

Fake News about Russian Porn Infection

Filed under: Cybersecurity,Hacking,Porn — Patrick Durusau @ 7:49 pm

Porn-Watching Employee Infected Government Networks With Russian Malware, IG Says

From the post:

The agency’s inspector general traced the malicious software to a single unnamed USGS employee, who reportedly used a government-issued computer to visit some 9,000 adult video sites, according to a report published Oct. 17.

Many of the prohibited pages were linked to Russian websites containing malware, which was ultimately downloaded to the employee’s computer and used to infiltrate USGS networks, auditors found. The investigation found the employee saved much of the pornographic material on an unauthorized USB drive and personal Android cellphone, both of which were connected to their computer against agency protocols.

Many people breathed a sigh of relief when it was reported the USGS staff used their computer:

…to visit some 9,000 adult video sites, …

They hadn’t visited 9,000 adult video sites and that’s a lot of sites, assuming you had other job duties.

Sorry to disappoint but the IG report says in fact:

…Many of the 9,000 web pages ****** visited routed through websites that originated in Russia and contained malware.

Ah, “9,000 web pages,” not “…9,000 adult video sites.” That’s quite a difference.

More than a few but a much more plausible number.

Aside from poor fact checking, the real lesson here is to realize porn is a great carrier for malware, if you didn’t know that already.

My favorite AI newsletters…

Filed under: Artificial Intelligence,Machine Learning — Patrick Durusau @ 7:10 pm

My favorite AI newsletters, run by people working in the field by Rosie Campbell.

Campbell lists her top five (5) AI newsletters. That’s a manageable number, at least if I discontinue other newsletters that fill my inbox.

Not that my current newsletter subscriptions aren’t valuable, but I’m not the web archive for those mailings and if I lack the time to read them, what’s the point?

It’s not Spring so I need to do some Fall cleaning of my newsletter subscriptions.

Any additions to those suggested by Campbell?

r2con 2018 – videos [Dodging Political Ads]

Filed under: Cybersecurity,Hacking,Radare2 — Patrick Durusau @ 6:56 pm

r2con 2018 – videos

Avoid the flood of political ads this final week before the US mid-term elections! May I suggest the videos from r2con 2018?

Unlike political ads and news coverage laced with false information, r2con videos won’t make you dumber. They may not make you smarter, but you will be better informed about r2 topics.

Should you accidentally encounter political news coverage or a political ad, run to your computer and watch an r2con video. You will feel better.

Enjoy!

Caselaw Access Project – 360 Years of United States Caselaw

Filed under: Law,Law - Sources,Legal Informatics — Patrick Durusau @ 6:41 pm

Caselaw Access Project – 360 Years of United States Caselaw

From the about page:

The Caselaw Access Project (“CAP”) expands public access to U.S. law.

Our goal is to make all published U.S. court decisions freely available to the public online, in a consistent format, digitized from the collection of the Harvard Law Library.

CAP includes all official, book-published United States case law — every volume designated as an official report of decisions by a court within the United States.

Our scope includes all state courts, federal courts, and territorial courts for American Samoa, Dakota Territory, Guam, Native American Courts, Navajo Nation, and the Northern Mariana Islands. Our earliest case is from 1658, and our most recent cases are from 2018.

Each volume has been converted into structured, case-level data broken out by majority and dissenting opinion, with human-checked metadata for party names, docket number, citation, and date.

We also plan to share (but have not yet published) page images and page-level OCR data for all volumes.

On the bright side, 6.4 million unique cases, 40M pages scanned. On the dark side, access is limited in some situations. See the website for details.

Headnotes for volumes after 1922 are omitted (a symptom of insane copyright laws) but that presents the opportunity/necessity for generating headnotes automatically. A non-trivial exercise but an interesting one.

Take note:


You can report errors of all kinds at our Github issue tracker, where you can also see currently known issues. We particularly welcome metadata corrections, feature requests, and suggestions for large-scale algorithmic changes. We are not currently able to process individual OCR corrections, but welcome general suggestions on the OCR correction process.

What extra features would you like?

October 29, 2018

DeepCreamPy – Decensoring Hentai with Deep Neural Networks

Filed under: Deep Learning,Neural Networks,Porn — Patrick Durusau @ 4:18 pm

DeepCreamPy – Decensoring Hentai with Deep Neural Networks

From the webpage:

This project applies an implementation of Image Inpainting for Irregular Holes Using Partial Convolutions to the problem of hentai decensorship. Using a deep fully convolutional neural network, DeepCreamPy can replace censored artwork in hentai with plausible reconstructions. The user needs to specify the censored regions in each image by coloring those regions green in a separate image editing program like GIMP or Photoshop.

Limitations

The decensorship is intended to work on color hentai images that have minor to moderate censorship of the penis or vagina. If a vagina or penis is completely censored out, decensoring will be ineffective.

It does NOT work with:

  • Black and white/Monochrome image
  • Hentai containing screentones (e.g. printed hentai)
  • Real life porn
  • Censorship of nipples
  • Censorship of anus
  • Animated gifs/videos

… (emphasis in original)

Given the project limitations, there is a great opportunity for a major contribution.

Albeit I don’t know how “decensored drawings of anuses” would look on a resume. You might need to re-word that part.

What images do you want to decensor?

October 28, 2018

Conway’s Game of Life in R: … [Simple Rules Lead to Complex Behaviors]

Filed under: Cellular Automata,Chaos — Patrick Durusau @ 8:27 pm

Conway’s Game of Life in R: Or On the Importance of Vectorizing Your R Code by John Mount.

From the post:

R is an interpreted programming language with vectorized data structures. This means a single R command can ask for very many arithmetic operations to be performed. This also means R computation can be fast. We will show an example of this using Conway’s Game of Life.

A demonstration of a 10x speed increase from vectorized R code.

Cellular automata, of which Conway’s Game of Life is one, have a rich history, as well as being part of the focus of the Santa Fe Institute.

Suffice it to say that simple rules lead to complex and unpredictable behaviors.

Keep that in mind when people suggest simple solutions to complex behaviors, such as regulating social media in response to acts of violence.

October 27, 2018

How To Learn Data Science If You’re Broke

Filed under: Data Science — Patrick Durusau @ 8:30 pm

How To Learn Data Science If You’re Broke by Harrison Jansma.

From the post:

Over the last year, I taught myself data science. I learned from hundreds of online resources and studied 6–8 hours every day. All while working for minimum wage at a day-care.

My goal was to start a career I was passionate about, despite my lack of funds.

Because of this choice I have accomplished a lot over the last few months. I published my own website, was posted in a major online data science publication, and was given scholarships to a competitive computer science graduate program.

In the following article, I give guidelines and advice so you can make your own data science curriculum. I hope to give others the tools to begin their own educational journey. So they can begin to work towards a more passionate career in data science.

Great resource to keep bookmarked for people who ask about getting started in data science.

October 26, 2018

Best-First Search [Inspiration for Hackers]

Filed under: D3,Graphics — Patrick Durusau @ 9:09 pm

Best-First Search by Mike Bostock.

Take my first “best-first search” result:

as encouragement to see this “live code” for yourself!

Best-First Search represents, figuratively speaking, the process of breaching cybersystems of pipeline construction companies, pipeline operators, their lawyers, investors, etc. Magic bullets work but so does following best-first paths until success is achieved.

Good hunting!

October 25, 2018

DMCA Exemptions – 10/26/18 or White Hat Advertising Rules

Filed under: Cybersecurity,Hacking,Intellectual Property (IP) — Patrick Durusau @ 7:57 pm

Beau Woods posted a tweet with the URL for: Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies.

Cutting to the chase:


(i) Computer programs, where the circumvention is undertaken on a lawfully acquired device or machine on which the computer program operates, or is undertaken on a computer, computer system, or computer network on which the computer program operates with the authorization of the owner or operator of such computer, computer system, or computer network, solely for the purpose of good-faith security research and does not violate any applicable law, including without limitation the Computer Fraud and Abuse Act of 1986.

(ii) For purposes of this paragraph (b)(11), “good-faith security research” means accessing a computer program solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in an environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement.
… (page 65)

I have long puzzled over claims of fearing DMCA enforcement by security researchers. The FBI is busy building illegal silencers for the mentally ill. Or engaging in other illegal, if not insane, activities. When would the FBI find the time to pursue security researchers when fantasies about Russian/Chinese/North Korean election “interference” are rippling through Washington?

Although phrased as “fear of prosecution,” the DMCA issue for white hats was one of advertising. Advertising a hack could annoy a vendor. Annoying vendors along with your identity and location seemed like a bad plan. But with a DMCA exemption, white hats are free to spam the Internet with their latest “research.”

Not that I mind white hats advertising but drawing lines based on the economic interests of stakeholders doesn’t always point to greater freedom. Today it worked in favor of security researchers and possibly consumers, but there’s no guarantee that will always be the result.

CVE-2018-8414: A Case Study in Responsible Disclosure

Filed under: Cybersecurity,Hacking,Reverse Engineering — Patrick Durusau @ 3:21 pm

CVE-2018-8414: A Case Study in Responsible Disclosure by Matt Nelson.

From the post:

The process of vulnerability disclosure can be riddled with frustrations, concerns about ethics, and communication failure. I have had tons of bugs go well. I have had tons of bugs go poorly.

I submit a lot of bugs, through both bounty programs (Bugcrowd/HackerOne) and direct reporting lines (Microsoft). I’m not here to discuss ethics. I’m not here to provide a solution to the great “vulnerability disclosure” debate. I am simply here to share one experience that really stood out to me, and I hope it causes some reflection on the reporting processes for all vendors going forward.

First, I’d like to give a little background on myself and my relationship with vulnerability research.

I’m not an experienced reverse engineer. I’m not a full-time developer. Do I know C/C++ well? No. I’m relatively new to the industry (3 years in). I give up my free time to do research and close my knowledge gaps. I don’t find crazy kernel memory leaks, rather, I find often overlooked user-mode logic bugs (DACL overwrite bugs, anyone?).

Most importantly, I do vulnerability research (VR) as a hobby in order to learn technical concepts I’m interested in that don’t necessarily apply directly to my day job. While limited, my experience in VR comes with the same pains that everyone else has.

I mention this as one data point in the submission of bug reports and as encouragement to engage in bug hunting, even if you aren’t a kernel geek.

If you follow the disclosure “ethics” described in this post, the “us” who benefits includes the CIA, NSA, Saudi Arabia, Israel, and a host of others.

October 24, 2018

Bloomberg’s “China Hack” Conspiracy

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 7:16 pm

Mathew Ingram writes in Pressure increases on Bloomberg to verify its China hack story:

It was a certified bombshell: Bloomberg News reported on October 4 that the Chinese government had been able to infiltrate both Apple and Amazon’s hardware systems by putting hacked microchips into the third-party motherboards they used in their servers. But as the days following the report have turned into weeks, doubts about the validity of the story have continued to grow, while the amount of independent verification and/or supporting material proving such a hack actually occurred remains at zero.

In a column on Tuesday, Washington Post media critic Erik Wemple argued the chorus of voices in opposition to the allegations in the piece—including strenuous and detailed denials from the companies involved—have put the onus on Bloomberg to come up with additional verification, or else risk casting even more doubt on its scoop. “The relentlessness of the denials and doubts from companies and government officials obligate Bloomberg to add the sort of proof that will make believers of its skeptics,” Wemple wrote. “Assign more reporters to the story, re-interview sources, ask for photos and emails. Should it fail in this effort, it’ll need to retract the entire thing.” Wemple also criticized the news outlet for using a photo of a generic microchip on the cover of Bloomberg BusinessWeek magazine, despite the fact that the news outlet has no photos of the actual chip that was allegedly used in the hacks.
… (emphasis in original)

Ingram has collected links to a number of the posts and refutations of the original Bloomberg claims.

But you don’t need the protests of innocence and/or deep technical analysis to be wary of the Bloomberg story.

On the face of the original report, how many people do you think would “know” about the subversion of the motherboards?

  1. Designers of the subversive chip
  2. Motherboard designers to create a motherboard that uses the subversive chip
  3. Development and testing staff for the chip and the motherboards
  4. Users of capabilities offered by the subversive chips
  5. Handlers of the intelligence produced by the subversive chips
  6. Funders for #1 – #5

Would you concede those in the “know” about the chips would have to number in the thousands?

I ask because research on conspiracies estimates that, to keep a secret for five years, the number of participants has an upper limit of 2521 agents. On the Viability of Conspiratorial Beliefs, David Robert Grimes, PLOS, Published: January 26, 2016, https://doi.org/10.1371/journal.pone.0147905.

On the face of it, the ‘China Hack’ more closely resembles the NASA Moon-landing conspiracy than technological legerdemain.

Especially given Bloomberg’s explanation for the absence of any motherboard with the “extra” chip:


In the three years since the briefing in McLean, no commercially viable way to detect attacks like the one on Supermicro’s motherboards has emerged—or has looked likely to emerge. Few companies have the resources of Apple and Amazon, and it took some luck even for them to spot the problem. “This stuff is at the cutting edge of the cutting edge, and there is no easy technological solution,” one of the people present in McLean says. “You have to invest in things that the world wants. You cannot invest in things that the world is not ready to accept yet.”

Failure to detect becomes evidence of the cleverness of these conspirators.

Looks like a conspiracy theory, walks like a conspiracy theory, talks like a conspiracy theory, the absence of evidence proves the conspiracy theory, all suggests Bloomberg’s “China Hack” is a conspiracy theory.

Hacking Rent-A-Spy Vendors (Partial Target List)

Filed under: Cybersecurity,Government,Hacking — Patrick Durusau @ 3:49 pm

Does “hacking” apply to data found in publicly accessible locations? Lorenzo Franceschi-Bicchierai thinks so in Government Spyware Vendor Left Customer, Victim Data Online for Everyone to See.

However you answer that question, the post is an amusing tale of a spyware startup that left 20 gigabytes of data exposed to the public.

And it’s a valuable article, given the targeting data gathered:


Wolf Intelligence is part of the so-called “lawful intercept” industry. This is a relatively unregulated—but legal—part of the surveillance market that provides hacking and spy software to law enforcement and intelligence agencies around the world. Hacking Team, FinFisher, and NSO Group are the more well-known companies in this sector. According to a recent estimate, this market is expected to be worth $3.3 billion in 2022.

These companies generally sell spyware that infects computers and cell phones with the goal of extracting evidence for police or intelligence operations, which can be particularly useful when authorities need to get around encryption and have a warrant to access the content of a target’s communications. But in the past, companies like Hacking Team, FinFisher, and NSO Group have all sold their malware to authoritarian regimes who have used it against human rights defenders, activists, and journalists.

As demand for these technologies has grown, many smaller players have entered the market. Some of them have made embarrassing mistakes that have helped cybersecurity researchers expose them.

You can spend $$$ on R&D developing cutting-edge malware or wait for rent-a-spy vendors and the like to leak it. Rent-a-spy vendors hire from the same gene pool that makes phishing the #1 means of cybersecurity breaches. Picking up malware litter has a higher ROI.

Is anyone keeping a list of rent-a-spy vendors? Pointers? Thanks!

October 21, 2018

Why You Should Start Doing CTFs (Women in RE)

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 3:16 pm

Why You Should Start Doing CTFs by Oryan De Paz.

From the post:

Capture The Flag (CTF) is a competition in the Information Security field. The main idea is to simulate different kinds of attack concepts with various challenges such as Reverse Engineering, Networks and Protocols, Programming, Crypto, Web Security, Exploits, etc.

All these challenges have one goal — capture the flag: solve the puzzle and use your skills in order to find a string that you can eventually type-in as your solution. If the solution is correct — you get the challenge points, which depend on the task difficulty. These days you can find CTF competitions in many of the infosec conferences.

De Paz has five (5) good reasons for doing Capture The Flag (CTF) exercises and pointers to additional resources.

De Paz mentions these reverse engineers as guideposts for her journey into CTF (in a Twitter thread on her post):

Great advice and leads to exploring CTF for yourself!

October 16, 2018

There’s a Spectre Haunting the Classics, It’s Called the TLG

Filed under: Classics,Greek,Humanities — Patrick Durusau @ 6:50 pm

Index of Ancient Greek Lexica

Today being National Dictionary Day (a U.S. oddity), I was glad to see a tweet boasting of 28 Greek lexica for online searching.

While it is true that 28 Greek lexica are available for searching, results are freely available for only eight (8) of them; access to the other twenty (20) depends upon a subscription to the TLG project.

Funded entirely with public monies and donations, the TLG created IP agreements with publishers of Greek texts, which succeeded in walling off this collection from the public for decades. Some of the less foul guardians at the TLG have prevailed upon it to offer a limited subset of the corpus for free. How kind.

Advances in digitization and artificial intelligence aided transcription promise access to original Greek materials in the not too distant future.

I look forward to a future when classicists look puzzled at mention of the TLG and then brighten to say: “Oh, that was when classics resources were limited to the privileged few.”

October 14, 2018

A Map of Every Building in America (NYT)

Filed under: Mapping,Maps — Patrick Durusau @ 6:54 pm

A Map of Every Building in America by Tim Wallace, Derek Watkins and John Schwartz.

From the post:

Most of the time, The New York Times asks you to read something. Today we are inviting you, simply, to look. On this page you will find maps showing almost every building in the United States.

Why did we make such a thing? We did it as an opportunity for you to connect with the country’s cities and explore them in detail. To find the familiar, and to discover the unfamiliar.

So … look. Every black speck on the map below is a building, reflecting the built legacy of the United States.

I’m sure maps of greater value are possible, but this interactive map of buildings by the New York Times sets a high bar.

If that weren’t good enough, Microsoft has released USBuildingFootprints, described as:

This dataset contains 125,192,184 computer generated building footprints in all 50 US states. This data is freely available for download and use.

The datasets are listed by state.

What other data set(s) would take this map from being a curiosity to being actionable?

October 13, 2018

“Oh I wish that I could be Melania Trump [Richard Cory]”

Filed under: Feminism,Politics — Patrick Durusau @ 2:24 pm

Among the shallow outpourings of scorn on Melania Trump, Arwa Mahdawi‘s Melania Trump claims of victimhood have a hollow ring, is representative of the rest.

Consider this snippet from her post:


In an interview with ABC News, the first lady said, “I support the women and they need to be heard” but added that if they come forward as victims they must “show the evidence”. Unfortunately, Melania did not elaborate on what sort of evidence she considers acceptable. Might she accept, for example, a tape of her husband boasting about grabbing women’s crotches without their consent?

Despite her immense advocacy for women, I’m sorry to report that Melania feels let down by the sisterhood. “I could say I’m the most bullied person in the world,” she said in her interview.

Listen, I support the Melanias and they need to be heard, but if you’re going to come forward as a victim, you must show the evidence. And right now all the evidence seems to point at the first lady being just as morally bankrupt as the president and deserving every ounce of criticism she attracts. If you do feel any spark of sympathy for Melania, I suggest you redirect your attention to the thousands of migrant children the Trump administration has kidnapped.

As far as Melania’s “show the evidence” comment, in context she clearly says that the media, emphasis on the media, goes too far when someone says they have been assaulted. Not quite the same impression as you get from Mahdawi’s account.

Melania may have been sexually abused or assaulted and being unable to “show the evidence,” she has suffered in silence along with millions of women around the world. If speaking out without evidence makes your life worse, then her advice may not be too far off the mark.

If she has abuse issues in her past, like any other survivor, she has an absolute right to speak or NOT speak about her prior abuse. Neither Mahdawi nor anyone else has the right to demand Melania shed her personal privacy so they can judge her legitimacy.

It’s not clear what Mahdawi finds surprising about:

I could say I’m the most bullied person in the world

A question was asked and Melania answered. What other source of information would you use to judge a person’s view of the world?

Mahdawi’s projection of an imaginary world that Melania occupies reminds me of Richard Cory by Edwin Arlington Robinson, re-written by Paul Simon as Paul Simon – Richard Cory Lyrics, which reads in part:

They say that Richard Cory owns one half of this whole town
with political connections to spread his wealth around
born into society a banker’s only child
He had everything a man could want power, grace and style
But I work in his factory and I curse the life I’m living
and I curse my poverty and I wish that I could be
Oh I wish that I could be, Oh I wish that I could be Richard Cory

oh he surely must be happy with everything he’s got

“Richard Cory went home last night and put a bullet through his head.”

In Mahdawi’s imaginary world projection, Melania is not bullied by Trump and his band of sycophants. Nor has she paid a high price to reach her present position and/or to remain there. Mahdawi is welcome to her fiction, but it’s not a valid basis for judging the words or actions of Melania Trump.

Spend less time fantasizing about the First Lady and more on bringing the Trump administration to an end.

PS: To help you remember this lesson in the future:

October 12, 2018

EraseIt! Requirements for an iPhone Security App

Filed under: Cybersecurity,Government,Hacking — Patrick Durusau @ 3:40 pm

Joseph Cox writes in: Cops Told ‘Don’t Look’ at New iPhones to Avoid Face ID Lock-Out:


As Apple has improved its security protections against attackers who have physical access to a phone—Touch and Face ID, the Secure Enclave Processor that handles these tools, and robust encryption used by default—law enforcement agencies have come up with varying techniques for getting into devices they seize. In the UK, police officers simulated a mugging to steal a suspect’s phone while he was using it, so it would be unlocked, and the officer repeatedly swiped the screen to make sure the phone did not close itself off again. Police lawyers determined that they would have no legal power to force the suspect to place his finger on the device, so opted for this unusual, albeit novel, approach.

In the US, however, law enforcement agencies have used both technical and legal means to get into devices. Courts have compelled suspects to unlock their device with their face or fingerprint, but the same approach does not necessarily work for demanding a passcode; under the Fifth Amendment, which protects people from incriminating themselves, a passcode may be considered as “testimonial” evidence. A number of warrants have focused on forcing suspects to place their finger onto an iPhone, and, as Forbes noted in its recent report, some warrants now include boilerplate language that would cover unlocking a device with a person’s face as well. Law enforcement agencies across the country have also bought GrayKey, a small and relatively cheap device that has had success in unlocking modern iPhones by churning through different passcode combinations.

Of all the breaches of iPhone security mentioned, GrayKey is the most disturbing. It bypasses the repeated-attempt limitation, and GrayKey can crack a six-digit PIN in 22.2 hours (at worst) and 11.1 hours on average. Estimates in this tweet by @matthew_d_green:

While mulling over the implications of GrayKey, I found How to Set iPhone to Erase All Data After 10 Failed Passcode Attempts by Leomar Umpad.

The downside being you may be too excited (one word for it) when the door bursts open and a flash bang grenade goes off to quickly enter the wrong passcode in your iPhone. Or your freedom of movement may be restricted by armed police officers even after calm is restored.

Your iPhone needs an EraseIt! app that:

  1. Responds to verbal commands
  2. User supplied command starts erasure process
  3. Once started, erasure process disables all input, including the power button
  4. Erases all data (among other things I don’t know, how effective is data erasure in iPhones?)
  5. (Refinement) Writes 0 or 1 to all memory locations until battery failure

Relying on passcodes reminds me of Bruce Schneier’s classification of cryptography in Applied Cryptography (2 ed.):

There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files. This book is about the latter.

Passcodes are the former.
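Why a short numeric passcode falls in the former category, worked through as an added example (not code from the post or from Matthew Green’s tweet): the guess rate is derived from the 22.2-hour worst case for six digits quoted above and is an assumption about GrayKey, not a measurement; the same rate is then applied to other passcode shapes.

```python
from typing import List, Tuple

# Figure quoted in the post: every six-digit PIN (10**6 candidates) can be
# tried in 22.2 hours at worst.
SIX_DIGIT_WORST_HOURS = 22.2
DIGITS = 10           # 0-9
ALNUM = 26 + 26 + 10  # a-z, A-Z, 0-9: a custom alphanumeric passcode


def derived_attempts_per_second() -> float:
    """Guess rate implied by the quoted worst case. This is an assumption
    about GrayKey, not a measured value; it works out to ~12.5 guesses/s."""
    return DIGITS ** 6 / (SIX_DIGIT_WORST_HOURS * 3600)


def worst_case_seconds(length: int, alphabet: int = DIGITS, rate: float = 0.0) -> float:
    """Seconds to exhaust every passcode of this length over this alphabet."""
    rate = rate or derived_attempts_per_second()
    return alphabet ** length / rate


def average_seconds(length: int, alphabet: int = DIGITS, rate: float = 0.0) -> float:
    """Expected seconds for a uniformly random passcode: half the keyspace."""
    return worst_case_seconds(length, alphabet, rate) / 2


def humanize(seconds: float) -> str:
    """Render a duration in its largest sensible unit."""
    units = (("years", 365.25 * 86400), ("days", 86400.0), ("hours", 3600.0),
             ("minutes", 60.0), ("seconds", 1.0))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def table(shapes: Tuple[Tuple[int, int], ...] = ((4, DIGITS), (6, DIGITS), (8, DIGITS),
                                                 (10, DIGITS), (6, ALNUM), (8, ALNUM))
          ) -> List[Tuple[int, int, str, str]]:
    """(length, alphabet size, worst case, average) for each passcode shape."""
    return [(n, a, humanize(worst_case_seconds(n, a)), humanize(average_seconds(n, a)))
            for n, a in shapes]


if __name__ == "__main__":
    print(f"assumed rate: {derived_attempts_per_second():.2f} guesses/s")
    for n, a, worst, avg in table():
        kind = "digits" if a == DIGITS else "alphanumeric"
        print(f"{n:2d} {kind:<12} worst {worst:>14}   average {avg:>14}")
```

At that rate a ten-digit PIN moves the worst case from hours to decades, and a short alphanumeric code to centuries, which is the practical defence the post’s erase-after-ten-attempts setting cannot provide once the attempt counter is bypassed.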

What other requirements would you have for an EraseIt! app?

PS: Go carefully. Most government forces differ from those of Saudi Arabia (Jamal Khashoggi) only in their preference to kill with plausible deniability.

October 11, 2018

Lost Opportunity for Microsoft Edge Remote Execution Bug

Filed under: Cybersecurity,Hacking,Microsoft — Patrick Durusau @ 8:55 pm

Proof-of-concept code published for Microsoft Edge remote code execution bug by Catalin Cimpanu.

From the post:


The proof-of-concept (PoC) code is for a Microsoft Edge vulnerability —CVE-2018-8495— that Microsoft patched this week, part of its October 2018 Patch Tuesday.

The vulnerability was discovered by Kuwaiti security researcher Abdulrahman Al-Qabandi, who reported his findings to Microsoft via Trend Micro’s Zero-Day Initiative program.

Today, after making sure Microsoft had rolled out a fix, Al-Qabandi published in-depth details about the Edge vulnerability on his blog.

Such PoCs are usually quite complex, but Al-Qabandi’s code is only HTML and JavaScript, meaning it could be hosted on any website.

When was the last time you heard of North Korean, Russian or Chinese security researchers (sounds classier than “hackers”) reporting a zero-day exploit to a vendor?

Same here.

Consider the opportunities presented by an HTML and JavaScript zero-day with regard to governments, military installations and/or corporate entities.

All of those lost by the use of a zero-day submission process and issuance of a patch by Microsoft.

Follow your own conscience but remember, none of the aforementioned are on your side. Why should you be on theirs?

“I Can See You!” * 9 million (est.)

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 8:04 pm

Millions at risk from default webcam passwords

From the post:


The vulnerability lies in a feature called XMEye P2P Cloud, which is enabled on all Xiongmai devices by default. It lets people access their devices remotely over the internet, so that they can see what’s happening on their IP cameras or set up recording on their DVRs.

Using a variety of apps, users log into their devices via Xiongmai’s cloud infrastructure. This means that they don’t have to set up complex firewall port forwarding or UPnP rules on their home routers, but it also means that it opens up a hole in the user’s network. That places the onus on Xiongmai to make the site secure. But it didn’t.

The article goes on to point out how to locate these insecure devices, which are estimated at a population of 9 million around the world.

Suggestions on AI-assisted recognition software to distinguish baby pics from more interesting content?

Morally Blind Reporting – 32 million Muslim Dead vs. Trade Secrets

Filed under: Government,News,Politics — Patrick Durusau @ 2:17 pm

You don’t need citations from me to know bias in news coverage is all the rage these days. But there is precious little discussion of what is meant by “bias,” other than the speaker knowing it when they see it.

Here’s my example of morally blind (biased) news reporting or the lack thereof:

“Yanjun Xu, a high-ranking director in China’s Ministry of State Security (MSS), the country’s counter-intelligence and foreign intelligence agency…” was arrested for alleged economic espionage and attempts to steal trade secrets in the United States.

You will see much hand wringing and protests of how necessary such a step was to protect American companies and their trade secrets. Add in a dash of prejudice against China and indignation that a nation of thieves (the U.S.) should be stolen from by others and you complete the scene.

When you find stories about Yanjun Xu, check the same sources for reporting on U.S. responsibility for 32 million Muslim dead since 9/11.

In any moral calculus worthy of the name “moral,” surely the deaths of millions are more important than the intellectual property rights of U.S. industries. Yes?

The value U.S. news organizations place on Muslim deaths versus theft of trade secrets is made self-evident by their reporting.

I don’t want to re-live the 1960’s where people dying were a daily staple of the evening news (even then it was almost always Americans). However, fair and balanced reporting does not exist when millions perish without every man, woman and child being made aware of it on a daily basis. Along with the lack of even a flimsy excuse for their murders.

The U.S. media can start by televising the nearly daily murder of protesters in Gaza and work their way out from there. Close-ups, talk to families, bring the cruelty the U.S. is financing into our living rooms. Sicken us with our own inhumanity.

PS: Don’t bother commenting the media lacks access, permission, etc. If you want to be butt-puppets of government, say so, don’t sully the title reporter.

October 10, 2018

Passwords: Philology, Security, Authentication

Filed under: Cryptography,Humanities,Security — Patrick Durusau @ 4:29 pm

Passwords: Philology, Security, Authentication by Brian Lennon.

Disclaimer: I haven’t seen Passwords yet, but its description and reviews prompted me to mention it here.

That and finding an essay with the same title, verbatim, by the same author, published in Diacritics, Volume 43.1 (2015) 82-104. Try: Passwords: Philology, Security, Authentication. (Hosted on the Academia site, so you will need an account (free) to download the essay (also free).)

From the publisher:

Cryptology, the mathematical and technical science of ciphers and codes, and philology, the humanistic study of natural or human languages, are typically understood as separate domains of activity. But Brian Lennon contends that these two domains, both concerned with authentication of text, should be viewed as contiguous. He argues that computing’s humanistic applications are as historically important as its mathematical and technical ones. What is more, these humanistic uses, no less than cryptological ones, are marked and constrained by the priorities of security and military institutions devoted to fighting wars and decoding intelligence.

Lennon’s history encompasses the first documented techniques for the statistical analysis of text, early experiments in mechanized literary analysis, electromechanical and electronic code-breaking and machine translation, early literary data processing, the computational philology of late twentieth-century humanities computing, and early twenty-first-century digital humanities. Throughout, Passwords makes clear the continuity between cryptology and philology, showing how the same practices flourish in literary study and in conditions of war.

Lennon emphasizes the convergence of cryptology and philology in the modern digital password. Like philologists, hackers use computational methods to break open the secrets coded in text. One of their preferred tools is the dictionary, that preeminent product of the philologist’s scholarly labor, which supplies the raw material for computational processing of natural language. Thus does the historic overlap of cryptology and philology persist in an artifact of computing—passwords—that many of us use every day.

Reviews (from the website):

“Passwords is a fascinating book. What is especially impressive is the author’s deft and knowing engagements with both the long histories of computational text processing and the many discourses that make up literary philology. This is just the sort of work that the present mania for the digital demands, and yet books that actually live up to those demands are few and far between. Lennon is one of the few scholars who is even capable of managing that feat, and he does so here with style and erudition.”—David Golumbia, Virginia Commonwealth University

“A stunning intervention, Passwords rivets our attention to the long history of our present fascination with the digital humanities. Through a series of close, contextual readings, from ninth-century Arabic philology and medieval European debates on language to twentieth-century stylometry and machine translation, this book recalls us to a series of engagements with language about which ‘all of us—we scholars, we philologists,’ as Lennon puts it, ought to know more. Passwords is eloquent and timely, and it offers a form of deep, institutional-lexical study, which schools us in a refusal to subordinate scholarship in the humanities to the identitarian and stabilizing imperatives of the national-security state.”—Jeffrey Sacks, University of California, Riverside

Not surprisingly, I think a great deal was lost when the humanities, especially those areas focused on language, stopped interacting with computer science. That happened sometime after the development of the first compilers, but I don’t know that history in detail. Suggested reading?

Dodging Paywalls: Zotero Adds Improved PDF Retrieval

Filed under: Open Source,Zotero — Patrick Durusau @ 2:57 pm

How often do you hit paywalls? Every week? Every day?

You find an article of interest to ~200 researchers in your sub-field and the publisher wants $39.95 for you to “buy” the article. The research was free to the publisher, usually supported by public grants. The copy editing and peer review was free to the publisher. Yet they are squatting like Cerberus over value they didn’t create.

Not quite Hercules or Virgil, but Zotero makes it easier to find open-access PDFs to replace those behind paywalls.

Improved PDF retrieval with Unpaywall integration

From the post:

As an organization dedicated to developing free and open-source research tools, we care deeply about open access to scholarship. With the latest version of Zotero, we’re excited to make it easier than ever to find PDFs for the items in your Zotero library.

While Zotero has always been able to download PDFs automatically as you save items from the web, these PDFs are often behind publisher paywalls, putting them out of reach of many people.

Enter Unpaywall, a database of legal, full-text articles hosted by publishers and repositories around the world. Starting in Zotero 5.0.56, if you save an item from a webpage where Zotero can’t find or access a PDF, Zotero will automatically search for an open-access PDF using data from Unpaywall.

Which reminds me, I need to upgrade my current Zotero installation!

Don’t forget to harry, harass and penalize those who seek to deny access to materials being produced on 17th century economic models. Whatever befalls them, it won’t be severe enough.

Microsoft Open-Sources Patent Portfolio: OIN ~1,300 + 60,000 = ~61,300 Patents

Filed under: Open Source,Patents — Patrick Durusau @ 1:06 pm

Kudos! Microsoft Open-Sources Patent Portfolio by Steven J Vaughan-Nichols.

From the post:

Several years ago, I said the one thing Microsoft has to do — to convince everyone in open source that it’s truly an open-source supporter — is stop using its patents against Android vendors. Now, it’s joined the Open Invention Network (OIN), an open-source patent consortium. Microsoft has essentially agreed to grant a royalty-free and unrestricted license to its entire patent portfolio to all other OIN members.

Before Microsoft joined, OIN had more than 2,650 community members and owns more than 1,300 global patents and applications. OIN is the largest patent non-aggression community in history and represents a core set of open-source intellectual-property values. Its members include Google, IBM, Red Hat, and SUSE. The OIN patent license and member cross-licenses are available royalty-free to anyone who joins the OIN community.

In a conversation, Erich Andersen, Microsoft’s corporate vice president and chief intellectual property (IP) counsel — that is, Microsoft top patent person — added: We “pledge our entire patent portfolio to the Linux system. That’s not just the Linux kernel, but other packages built on it.”

This is huge

How many patents does this affect? Andersen said Microsoft is bringing 60,000 patents to OIN.
(emphasis in original)

If approximately 1,300 patents attracted members to Open Invention Network (OIN), imagine the attractive force exerted by an additional 60,000!

Suggestion: None of us are who we were yesterday, much less ten or twenty years ago. Let’s take these new facts on the patent landscape and move forward.

Discussions of “could have, should have, what if had, etc.,” are non-contributions to building a new tomorrow.

October 9, 2018

Are You A “Lesser Skilled” Hacker? [Build Your Own Car Did Ya?]

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 7:04 pm

Lesser Skilled Cybercriminals Adopt Nation-State Hacking Methods by Jai Vijayan.

From this long prose ad for CrowdStrike:

Relatively unskilled, criminally motivated hackers are increasingly adopting the tactics, techniques and procedures (TTPs) typically used by more sophisticated nation-state backed adversaries.

New analysis by security vendor CrowdStrike’s Falcon OverWatch threat-hunting team of intrusion detection engagements at customer locations between January and June this year shows a continued blurring of lines between methods employed by criminals and known nation-state actors.

This trend spells trouble for enterprises because it means that no one is really safe from sophisticated attacks, says Jennifer Ayers, vice president of CrowdStrike’s OverWatch and security response team. “Sophisticated techniques are becoming a little more commoditized,” she says. “Anything goes. Anyone can be a target.”

One example is cybercriminals increasingly using TeamViewer software to gain remote access to targets. TeamViewer is a legitimate tool for connecting to remote computers for desktop sharing and collaboration and enabling remote support, among other uses.

In addition to being gratuitously ugly to hackers who use tools developed by others, Vijayan includes CrowdStrike-attributed remarks about Russian hackers, of course.

When you have no evidence to present, throw off on the Russians. At least this season. Not so long ago it was those masterminds of everything digital, the North Koreans. Then the Chinese, or is it now the Chinese?

Check with the ministry of truth, sorry, Department of Homeland Security to see who the current “enemy” and greatest cyberthreat is today. It changes.

You are very unlikely to have written your own compiler, debugger, or other tools you use in cybersecurity. Building on the work of others, even nation-states, carries no shame.

By analogy, you could claim people are “lesser skilled” drivers because they didn’t assemble their own cars. Try that in a bar and watch other patrons start to edge away from you. Keep it up long enough and you will have public accommodations for the night (jail).

Find, use, build upon and share any “…tactics, techniques and procedures (TTPs)…” that you find, nation-state or otherwise.

So will I.

Weapon Systems Cybersecurity:… [Opportunity Knocks!]

Filed under: Cybersecurity,Hacking,Military,Security — Patrick Durusau @ 4:14 pm

Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities

From the webpage:

The cited reason for the “fictitious weapon system” is “classification reasons.”

Maybe, but identifying weaknesses in named weapon systems encourages use of those security flaws as excuses for flaws in other systems. “Everybody has flaws…. You can’t penalize me for a market standard flaw.”

Under the section title: Test Teams Easily Took Control (page 22):


Test teams were able to defeat weapon systems cybersecurity controls meant to keep adversaries from gaining unauthorized access to the systems. In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing. Some programs fared better than others. For example, one assessment found that the weapon system satisfactorily prevented unauthorized access by remote users, but not insiders and near-siders. Once they gained initial access, test teams were often able to move throughout a system, escalating their privileges until they had taken full or partial control of a system. In one case, the test team took control of the operators’ terminals. They could see, in real-time, what the operators were seeing on their screens and could manipulate the system. They were able to disrupt the system and observe how the operators responded. Another test team reported that they caused a pop-up message to appear on users’ terminals instructing them to insert two quarters to continue operating. Multiple test teams reported that they were able to copy, change, or delete system data including one team that downloaded 100 gigabytes, approximately 142 compact discs, of data.

For “security” reasons none of the systems were named, guaranteeing the same failing vendors in the same congressional districts will continue to produce failing weapon systems.

Not only does opportunity knock for present US weapon systems, but additional opportunities await in every country where such systems are sold.

Remember, “…one hour to gain initial access … one day to gain full control….” If that’s not opportunity, I don’t know what is.

October 8, 2018

Hurricane Florence Twitter Dataset – Better Twitter Interface?

Filed under: Data,Tweets,Twitter — Patrick Durusau @ 3:56 pm

Hurricane Florence Twitter Dataset by Mark Edward Phillips.

From the webpage:

This dataset contains Twitter JSON data for Tweets related to Hurricane Florence and the subsequent flooding along the Carolina coastal region. This dataset was created using the twarc (https://github.com/edsu/twarc) package that makes use of Twitter’s search API. A total of 4,971,575 Tweets and 347,205 media files make up the combined dataset.

No hyperlink in the post but see: twarc.

Have you considered using twarc to create a custom Twitter interface for yourself? At present just a thought but once you have the JSON, your ability to manipulate your Twitter feed is limited only by your imagination.

Once a base archive is constructed, create a cron job that updates the base archive. Not “real time” like Twitter, but then who makes decisions of any consequence in “real time?” You can, but it’s not a good idea.
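The base-archive-plus-scheduled-update idea, as an added example (not code from the post, the dataset, or twarc): it assumes twarc’s output format of one Twitter v1.1 tweet object per line with id_str, full_text, user.screen_name and entities.hashtags, and the sample tweets are constructed, not taken from the Hurricane Florence dataset.

```python
import json
from typing import Dict, List, Tuple

Archive = Dict[str, dict]


def _tweet(id_str: str, text: str, who: str, *tags: str) -> dict:
    """Minimal tweet in the Twitter v1.1 shape twarc writes (constructed data)."""
    return {"id_str": id_str, "full_text": text,
            "created_at": "Fri Sep 14 11:15:00 +0000 2018",
            "user": {"screen_name": who},
            "entities": {"hashtags": [{"text": t} for t in tags]}}


# Constructed base archive: one JSON object per line, as twarc emits it.
# The second tweet appears twice, as overlapping search runs can produce.
BASE_JSONL = "\n".join(json.dumps(t) for t in (
    _tweet("1040000000000000001", "Florence makes landfall near Wrightsville Beach",
           "user_a", "Florence"),
    _tweet("1040000000000000002", "Cape Fear River forecast to crest on Tuesday",
           "user_b", "HurricaneFlorence", "Flooding"),
    _tweet("1040000000000000002", "Cape Fear River forecast to crest on Tuesday",
           "user_b", "HurricaneFlorence", "Flooding"),
))

# Constructed output of a later scheduled (cron) run: one tweet already held, one new.
UPDATE_JSONL = "\n".join(json.dumps(t) for t in (
    _tweet("1040000000000000002", "Cape Fear River forecast to crest on Tuesday",
           "user_b", "HurricaneFlorence", "Flooding"),
    _tweet("1040000000000000003", "Shelter open at the county high school #Flooding",
           "user_c", "Flooding"),
))


def load_archive(jsonl: str) -> Archive:
    """Parse JSON Lines into a dict keyed by tweet id; duplicate lines collapse."""
    archive: Archive = {}
    for line in jsonl.splitlines():
        if line.strip():
            tweet = json.loads(line)
            archive[tweet["id_str"]] = tweet
    return archive


def merge(base: Archive, update_jsonl: str) -> Tuple[Archive, int]:
    """Fold a fresh twarc run into the base; return the result and how many were new."""
    merged = dict(base)
    added = 0
    for id_str, tweet in load_archive(update_jsonl).items():
        if id_str not in merged:
            merged[id_str] = tweet
            added += 1
    return merged, added


def since_id(archive: Archive) -> str:
    """Highest id held, i.e. where the next scheduled run should resume:
    tweet ids increase over time, so everything above it is new."""
    return str(max(int(i) for i in archive)) if archive else "0"


def view(archive: Archive, term: str) -> List[dict]:
    """A custom feed: tweets tagged with, or mentioning, the term, newest first."""
    term_l = term.lower()
    hits = [t for t in archive.values()
            if term_l in t.get("full_text", t.get("text", "")).lower()
            or any(h["text"].lower() == term_l for h in t["entities"]["hashtags"])]
    return sorted(hits, key=lambda t: int(t["id_str"]), reverse=True)


if __name__ == "__main__":
    base = load_archive(BASE_JSONL)
    merged, added = merge(base, UPDATE_JSONL)
    print(f"{len(base)} in base, {added} new, resume from since_id={since_id(merged)}")
    for t in view(merged, "flooding"):
        print(t["user"]["screen_name"], "-", t["full_text"])
```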

While you are learning twarc, consider what other datasets you could create.

Slacking Hackers? Google API Bug – 13 Internet Years

Filed under: Cybersecurity,Google+,Hacking — Patrick Durusau @ 3:29 pm

Google chose not to go public about bug that exposed Google Plus users’ data by Graham Cluley.

From the post:


No-one, not even Google, knows for sure how many Google Plus users had their personal data exposed to third-party app developers due to a bug in its API which was present from 2015 until March this year.

But in a blog post seemingly published in an attempt to take some of the sting out of the Wall Street Journal report, Google revealed that – despite approximately 500,000 Google Plus profiles being potentially affected in just the two weeks prior to patching the bug, and 438 separate third-party applications having access to the unauthorized Google Plus data – it has not seen any evidence that any profile data was misused.

Estimates of an Internet year vs. a calendar year range from 1 calendar year = 2 Internet years; 1 calendar year = 4.7 Internet years; and, a high of 1 calendar year = 7 Internet years.

To be fair, let’s arbitrarily pick 1 year = 4 Internet years, which means the Google API bug has been around for 13 Internet years.

I’m not a hacker so I certainly wasn’t helping, but geez. Not that anyone should have pointed the flaw out to Google by any means. Google’s moves to hide the existence of the bug speak volumes about some of us being in ocean going yachts and others in leaking life rafts.

There is no commonality of interests in computer security between the average user and Google. Google offers security as a commodity (think DoD in the cloud) and whether you are secure, well, have you paid Google for your security?

I’m certain that Google will protest, should they bother to notice but can you guess who has a financial interest in your free or nearly so reports of security bugs? (Hint: It’s not me.)

I’ve tried to avoid Google+ since its inception so its death won’t impact me.

I do need to set about learning how to check APIs for security flaws. 😉
