Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

September 13, 2018

Vulmon [Ultimate Vulnerability Search Engine (self-description)]

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 2:10 pm

Vulmon

From the about page:

Vulmon is a vulnerability search engine. Vulmon conducts full text search in its database, therefore you can search everything related to vulnerabilities. It includes CVE id, vulnerability types, vendors, products, exploits, operating systems and anything related to vulnerabilities.

Vulmon aims to be both a simple and an advanced tool for cyber security researchers. Researchers can search everything with its simple interface and get detailed information about vulnerabilities and related exploits.

It also offers recent vulnerabilities, discussion and trends.

Consult it while you are waiting for radare2 to complete its daily re-build (recommended by Megabeets).

Enjoy!

I first saw this in a tweet by Catalin Cimpanu.

September 11, 2018

EveryCRSReport.com [Better than Liberal and Conservative News Sources]

Filed under: Fake News,Journalism,News,Reporting — Patrick Durusau @ 8:42 pm

EveryCRSReport.com

From the homepage:

We’re publishing reports by Congress’s think tank, the Congressional Research Service, which provides valuable insight and non-partisan analysis of issues of public debate. These reports are already available to the well-connected — we’re making them available to everyone for free.

From the about page:

Congressional Research Service reports are the best way for anyone to quickly get up to speed on major political issues without having to worry about spin — from the same source Congress uses.

CRS is Congress’ think tank, and its reports are relied upon by academics, businesses, judges, policy advocates, students, librarians, journalists, and policymakers for accurate and timely analysis of important policy issues. The reports are not classified and do not contain individualized advice to any specific member of Congress. (More: What is a CRS report?)

Congressional Research Service reports have a point of view. Any report worth reading has a point of view. CRS reports name and evaluate their sources, give reasons for the views reported, they empower readers to evaluate reports, as opposed to swallowing them whole. (Contrast that with average media reporting.)

For example, Decision to Stop U.S. Funding of UNRWA (for Palestinian Refugees) gives a brief background on this controversial issue, followed by a factual recitation of events up to the date of the report, an evaluation of the possible impact of ending funding for UNRWA, followed by options for Congress.

If you are at all aware of the bitterness that surrounds any discussion of Palestine and/or the Palestinians, the CRS report is a tribute to the even-handedness of the Congressional Research Service.

New reports appear daily so check back often and support this project.

Sploitus – First Search – Check It Out!

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 7:04 pm

Sploitus

A search engine for vulnerabilities and exploits that is new to me. Archive.org reports its first mirroring of Sploitus as of today, 11 September 2018, so I assume I’m not too far behind in hearing about it.

Nice presentation of “Exploits of the week” on the homepage.

I searched for “xml injection” but the query as sent reads:

https://sploitus.com/?query=%22xml%20injection%22#exploits

Without the links, Sploitus returned (in part):

  • Microsoft Baseline Security Analyzer 2.3 – XML External Entity Injection
  • Microsoft Baseline Security Analyzer 2.3 XML Injection
  • MedDream PACS Server Premium 6.7.1.1 – ’email’ SQL Injection
  • Softneta MedDream PACS Server Premium 6.7.1.1 SQL Injection
  • Apache Roller 5.0.3 XML Injection / File Disclosure
  • Opsview Monitor 5.x Command Execution Vulnerability

Some vulnerabilities were covered by different sources, hence the duplication.

It isn’t clear to me how “xml injection” returns “SQL Injection”, but I do like the options to sort by severity, by date, or by the default order.

Certainly a place I will be exploring more.

PS: Not to put too much emphasis on technical hacking. You could just call up tech support and have them reset the password for a known user account. Sometimes the simple solution is the better solution.

Censorship Fail (no surprise) at Facebook

Filed under: Censorship,Facebook,Free Speech — Patrick Durusau @ 6:01 pm

Facebook’s idea of ‘fact-checking’: Censoring ThinkProgress because conservative site told them to by Ian Millhiser

From the post:

Last year, Facebook announced that it would partner with The Weekly Standard, a conservative magazine, to “fact check” news articles that are shared on Facebook. At the time, ThinkProgress expressed alarm at this decision.

The Weekly Standard has a history of placing right-wing ideology before accurate reporting. Among other things, it labeled the Iraq War “A War to Be Proud Of” in 2005, and it ran an article in 2017 labeling climate science “Dadaist Science,” and promoted that article with the phrase “look under the hood on climate change ‘science’ and what you see isn’t pretty.”

The Weekly Standard brought its third-party “fact-checking” power to bear against ThinkProgress on Monday, when the outlet determined a ThinkProgress story about Supreme Court nominee Brett Kavanaugh was “false,” a category defined by Facebook to indicate “the primary claim(s) in this content are factually inaccurate.”

To save you the suspense, the ThinkProgress story was true by any literate reading of its report and the claims by The Weekly Standard are false.

Millhiser details the financial impact of a “false” rating from Facebook, which reverberates through the system and the lack of responsiveness of The Weekly Standard when questioned about its “false” rating.

The Weekly Standard has been empowered by Facebook to become a scourge on free expression. Hold Facebook and The Weekly Standard accountable for their support and acts of censorship.

Middle Earth Map Style

Filed under: Cartography,Mapping,Maps — Patrick Durusau @ 4:23 pm

Middle Earth Map Style by John Nelson.

From the post:

Here are a couple maps made to resemble the epic collaboration of JRR Tolkien and Pauline Baynes. I would consume every little pen stroke as a kid, poring over the insert maps of Middle Earth in my sister’s LOTR set (which mysteriously now live on my shelf)…

If you are interested in trying out making digital Middle Earths, here is an ArcGIS Pro style file with all the doodads you’ll need. If you don’t run that, then here is a zip file with all of the textures and graphics that you can use to symbolize your layers.

The format of my blog would mar examples of Nelson’s maps beyond recognition. Visit them at Nelson’s site and spread word of them and the aids for producing more such maps.

Any bets on where I would locate Mordor on a map of the United States? 😉

September 10, 2018

Make Yourself and Staff, Legitimate Military Targets

Filed under: Censorship,Free Speech — Patrick Durusau @ 8:20 pm

YouTube Shuts Down All Syrian State Channels As Idlib Assault Begins

From the post:

Syrian state YouTube channels have been shut down this morning just as the Syrian Army’s ground offensive has officially begun.

This includes the following now terminated Syrian state and pro-government channels: Syrian Presidency, Syria MoD (Ministry of Defense), SANA, and Sama TV. This follows YouTube reportedly closing Syria’s Ortas News last week.

The post goes on to point out that perhaps this latest censorship by YouTube is just that, more censorship.

However, YouTube and its staff should be aware that coordination, apparent or otherwise, with forces opposed to the Syrian government, makes them legitimate military targets.

Unlikely military targets but if you are allergic to military action and employed by YouTube, you should consider other employment at your earliest opportunity.

September 6, 2018

Using cURL through Tor on Ubuntu 18.04

Filed under: Cybersecurity,Tor — Patrick Durusau @ 3:01 pm

When I found Making Tor Requests with command-line cURL by NanoDano, I thought I had hit gold!

Easy enough:

Except that when I do:

curl --socks5-hostname localhost:9150 https://check.torproject.org

I get:

curl: (7) Failed to connect to localhost port 9150: Connection refused

Quick answers: Yes, the Tor browser is running, the syntax is correct, ….

I spent several minutes trying to identify the source of the problem before doing this:

curl --socks5-hostname 127.0.0.1:9150 https://check.torproject.org

Success!

Yes, I have a local mis-configuration, which I can correct, but you may find situations where correction isn’t possible.

Try substitution of 127.0.0.1 for localhost and vice-versa, before looking for more obscure causes. (That also quickly identifies this particular mis-configuration.)
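The substitution test above, generalized into a small diagnostic. This is an added example, not from the original post or from NanoDano's article: it resolves the name given on the command line (assumed to be `localhost`) to every address the resolver returns, tries a TCP connect to each, and compares that with the loopback literals `127.0.0.1` and `::1`, so a proxy that listens on only one loopback address shows up directly.

```python
import socket


def resolve_addresses(host, port):
    """Return the distinct (family, sockaddr) pairs host:port resolves to,
    in the order the resolver returns them (the order a client would try them)."""
    seen = []
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:  # name does not resolve at all
        return seen
    for family, _type, _proto, _canon, sockaddr in infos:
        if (family, sockaddr) not in seen:
            seen.append((family, sockaddr))
    return seen


def probe_tcp(host, port, timeout=1.0):
    """Attempt a TCP connect to every address host resolves to.
    Returns {ip_literal: True if something accepted the connection, else False}."""
    results = {}
    for family, sockaddr in resolve_addresses(host, port):
        try:
            with socket.socket(family, socket.SOCK_STREAM) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
            results[sockaddr[0]] = True
        except OSError:  # refused, timed out, or address family unavailable
            results[sockaddr[0]] = False
    return results


def diagnose_proxy(name="localhost", port=9150):
    """Compare the hostname used on the command line with the two loopback
    literals and explain a localhost-vs-127.0.0.1 mismatch when there is one.
    Port 9150 is the Tor Browser SOCKS port used in the post."""
    by_name = probe_tcp(name, port)
    literals = {ip: probe_tcp(ip, port).get(ip, False) for ip in ("127.0.0.1", "::1")}
    if any(by_name.values()):
        verdict = f"{name}:{port} is reachable; the proxy is listening there."
    elif any(literals.values()):
        good = [ip for ip, ok in literals.items() if ok]
        verdict = (
            f"{name} resolved to {list(by_name)} but nothing accepted there; "
            f"use the literal {good[0]}:{port} instead, or bind the proxy to both."
        )
    else:
        verdict = f"Nothing is listening on port {port} on any loopback address."
    return {"by_name": by_name, "by_literal": literals, "verdict": verdict}


if __name__ == "__main__":
    for key, value in diagnose_proxy().items():
        print(f"{key}: {value}")
```

Run it while the Tor Browser is up; the `by_name` entry shows which address `localhost` was actually tried against, which is the detail the curl error message hides.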

Guidance for Leakers

Filed under: Journalism,Leaks,News,Reporting — Patrick Durusau @ 2:19 pm

Our who, what, why leak explainer by Hamish Boland-Rudder.

From the post:

Whistleblowers, like Deep Throat, Daniel Ellsberg, Karen Silkwood, Mordechai Vanunu, Linda Tripp, Jeffrey Wigand, Edward Snowden, Bradley — now Chelsea — Manning and John Doe, come from all walks of life, and stigma and myth tend to surround them.

The International Consortium of Investigative Journalists has lots of experience with information leaks. In the past five years alone, we’ve sifted through about 30 million leaked documents to produce groundbreaking investigations like the Panama Papers, Paradise Papers, Swiss Leaks and Lux Leaks.

The common denominator? Whistleblowers providing information, secretly, in an attempt to expose hidden wrongs.

Famously, whistleblowers have toppled President Richard Nixon, effectively ended the Vietnam War, exposed an Oval Office tryst, revealed nuclear secrets, uncovered environmental and health catastrophes and focused global attention on offshore tax havens.

ICIJ is often approached by concerned citizens who believe they’ve found an injustice that they’d like us to investigate, but few know the first thing about becoming a whistleblower or how to provide information to journalists.

So we thought a basic guide to leaking might prove useful, one laid out using an old journalistic tool: the five W’s and a H (loosely interpreted!)

I deeply respect the work the International Consortium of Investigative Journalist (ICIJ) has done in the past, is doing in the present and will continue to do in the future. Amazing work that has made a real difference for millions of ordinary people around the world.

On the other hand, I have been, am and will be highly critical of the ICIJ over its hoarding of leaks for limited groups of reporters and editing those leaks in a display of paternalism for readers, who haven’t asked for their help.

All that said, do pass this information from the ICIJ around. You never know where the next leaker may be found.

PS: I would not target anyone in government with the material. Better to send everyone in the EPA the same advice, so no one stands out. Same for other government agencies. You’re a citizen, write to your government.

September 4, 2018

Of hosting files in url minifiers [Passing < 4k operational orders]

Filed under: Compression,Hosting,Intelligence,Web Server — Patrick Durusau @ 4:56 pm

Of hosting files in url minifiers by Paul Masurel.

From the post:

Today I had an epiphany while staring at a very long url. I thought: “Url minifiers are really nice to store all of this data for free”. And then it struck me… One can really store 4KB of arbitrary data with a url minifier system and share it for free.

Now there’s a clever thought!

Apologies for missing this when it first appeared. I can imagine several interesting uses for this insight.

Such as the passing of operational orders via a url minifier system.

Tasking the intelligence community to discover and inspect every shortened url, everyday.

I say < 4k operational orders because the more advanced the technique, the greater the technical overhead. The base 4k is trivial.

For example, https://bit.ly/2wHB3zH, which gives a 404, but also the text:

http://www.nowhere.com/Today-is-the-day-we-smite-our-oppressors-at-the-usual-location

All I needed was a public url minifier.

Please share this post with anyone who has a need to pass < 4k operational orders or information.

Be sure to credit Paul Masurel with this discovery. Me, I find interesting use cases and applications of technology.

…Access to Evidence and Encryption [Not One Step Backwards]

Filed under: Encryption,Privacy — Patrick Durusau @ 1:34 pm

Statement of Principles on Access to Evidence and Encryption (United States, the United Kingdom, Canada, Australia and New Zealand)

From the preamble:

The Governments of the United States, the United Kingdom, Canada, Australia and New Zealand are committed to personal rights and privacy, and support the role of encryption in protecting those rights. Encryption is vital to the digital economy and a secure cyberspace, and to the protection of personal, commercial and government information.

However, the increasing use and sophistication of certain encryption designs present challenges for nations in combatting serious crimes and threats to national and global security. Many of the same means of encryption that are being used to protect personal, commercial and government information are also being used by criminals, including child sex offenders, terrorists and organized crime groups to frustrate investigations and avoid detection and prosecution.

Privacy laws must prevent arbitrary or unlawful interference, but privacy is not absolute. It is an established principle that appropriate government authorities should be able to seek access to otherwise private information when a court or independent authority has authorized such access based on established legal standards. The same principles have long permitted government authorities to search homes, vehicles, and personal effects with valid legal authority.

The increasing gap between the ability of law enforcement to lawfully access data and their ability to acquire and use the content of that data is a pressing international concern that requires urgent, sustained attention and informed discussion on the complexity of the issues and interests at stake. Otherwise, court decisions about legitimate access to data are increasingly rendered meaningless, threatening to undermine the systems of justice established in our democratic nations.

Each of the Five Eyes jurisdictions will consider how best to implement the principles of this statement, including with the voluntary cooperation of industry partners. Any response, be it legislative or otherwise, will adhere to requirements for proper authorization and oversight, and to the traditional requirements that access to information is underpinned by warrant or other legal process. We recognize that, in giving effect to these principles, governments may have need to engage with a range of stakeholders, consistent with their domestic environment and legal frameworks.

This joint statement memorializes the Five Eyes jurisdictions’ ignorance of computer encryption. Or perhaps of basic logic: material cannot be accessible and yet not accessible (encrypted) at the same time. It’s called a contradiction in terms.

The Five Eyes jurisdictions may as well decide to round Pi off to 3.14. (STOP! That was sarcasm, please don’t meddle with Pi. All sorts of things, missiles, rockets, aircraft, etc., will suddenly go horribly wrong.)

Do not engage with any of the Five Eyes jurisdictions on any proposal to give governments access to encrypted materials.

I mean that quite literally. There are no facts to be produced, no trade-offs to discuss, no supervisory mechanisms to consider. Cybersecurity experts have already established that data either is or is not encrypted. Any backdoor into an encryption system means it isn’t secure. (full stop)

There aren’t any viable issues open for discussion.

By your non-participation, the Five Eyes jurisdictions will write their regulations more poorly than they would with your presence.

The poorer the regulations, the more easily breached the resulting encryptions will be.

Penetration Testing / OSCP Biggest Reference Bank

Filed under: Cybersecurity,Security — Patrick Durusau @ 12:38 pm

Penetration Testing / OSCP Biggest Reference Bank by OlivierLaflamme (Boschko)

Forty-three (43) penetration cheatsheets as of today (4 September 2018), all dating from August 1, 2018.

Opportunity to grab cheatsheets and to contribute back to the community with comments and suggestions.

Note the difference between some communities of hackers and white-hat hackers, who practice secrecy and non-sharing. That’s the real advantage in cybersecurity matters.

Enjoy!

I first saw this in a tweet by Catalin Cimpanu.

Tor Sites – Is Your Public IP Showing? [Terrorist-in-a-Box]

Filed under: Cybersecurity,Dark Web,Tor — Patrick Durusau @ 9:32 am

Public IP Addresses of Tor Sites Exposed via SSL Certificates by Lawrence Abrams.

From the post:

A security researcher has found a method that can be used to easily identify the public IP addresses of misconfigured dark web servers. While some feel that this researcher is attacking Tor or other similar networks, in reality he is exposing the pitfalls of not knowing how to properly configure a hidden service.

One of the main purposes of setting up a dark web web site on Tor is to make it difficult to identify the owner of the site. In order to properly anonymize a dark web site, though, the administrator must configure the web server properly so that it only listens on localhost (127.0.0.1) and not on an IP address that is publicly exposed to the Internet.

The failure of people who intentionally walk on the wild side to properly secure their sites holds out great promise that government and industry sites are even more poorly secured.

If you are running a Tor site or someday hope to run a Tor site, read this post and make sure your public IP isn’t showing.
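One way to make the “is my public IP showing?” check routine, as an added example that is not from the original post or from Abrams’ article: parse the listening sockets reported by `ss -Hltn` (state, queues, local address:port, peer address:port; the sample below is constructed in that layout) and report any web-server port bound to something other than a loopback address. A wildcard bind (`0.0.0.0`, `::`, `*`) or a public address on port 80 or 443 is exactly the misconfiguration the post warns about.

```python
import ipaddress
import re

# Constructed sample in the layout of `ss -Hltn`:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 127.0.0.1:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 203.0.113.10:443 0.0.0.0:*
LISTEN 0 128 [::]:8080 [::]:*
LISTEN 0 128 [::1]:9050 [::]:*
LISTEN 0 128 *:3000 *:*
"""

# Local address column: "[v6]:port", "v4:port" or "*:port".
LOCAL_RE = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^:]+)):(?P<port>\d+|\*)$")


def parse_listeners(text):
    """Return (address, port) for every LISTEN line in ss -ltn style output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        m = LOCAL_RE.match(fields[3])
        if not m or m.group("port") == "*":
            continue
        addr = m.group("v6") or m.group("v4")
        listeners.append((addr, int(m.group("port"))))
    return listeners


def is_loopback_only(addr):
    """True only when the socket is bound to a loopback address (127.0.0.0/8 or ::1).
    Wildcards and anything unparseable count as not loopback, i.e. exposed."""
    if addr == "*":
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def exposed_listeners(text, ports=(80, 443)):
    """Listeners on the given ports that are reachable from non-loopback interfaces.
    For a hidden service's web server this list should be empty."""
    return [
        (addr, port)
        for addr, port in parse_listeners(text)
        if port in ports and not is_loopback_only(addr)
    ]


if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"exposed: {addr}:{port} is not bound to loopback")
```

On a real host, feed it the output of `ss -Hltn` and add whatever port the hidden service's `HiddenServicePort` line forwards to.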

Unless your Tor site is a honeypot for government spy agencies. They lap up false information like there is no tomorrow.

Not something I have time for now, but consider mining intelligence reports as a basis for creating a Tor site, complete with information, chats, discussion forums, etc., as a (not public) download named “Terrorist-in-a-Box.” Unpack, install, configure (correctly) and yet another terrorist site is on the Dark Web. Have an AI running all the participants on the site. A challenging project to make it credible.

The intelligence community (IC) makes much of their ability to filter noise from content, so you can help them test that ability. It’s almost a patriotic duty.

Install OpenCV on Ubuntu – Success!

Filed under: Image Processing,Image Recognition,OpenCV — Patrick Durusau @ 8:51 am

I tried following How to install OpenCV on Ubuntu 18.04, only to crash and burn in several different ways.

Let’s see: two versions of Python (2.7 and 3.6), lack of some of the default packages of Ubuntu, etc. Correcting the version of Python being called was easy enough, but when I ran into the dependency issues, I took the easy way out!

I downloaded Ubuntu 18.04 from OSBoxes.org, installed it on VirtualBox and then followed the instructions in How to install OpenCV on Ubuntu 18.04.

Success!

I didn’t explore the highways and byways of why my Ubuntu 18.04 doesn’t support the installation of OpenCV, but then my goal was the installation and use of OpenCV. That goal stands accomplished.

If at first you don’t succeed, grab a VM!

More on why the more than casual interest in OpenCV in a future post.

August 31, 2018

Leonardo da Vinci’s Notebooks [IIIF + Topic Maps]

Victoria and Albert Museum brings Leonardo da Vinci’s notebooks to life online by Gareth Harris.

From the post:

Scholars and digital experts at the Victoria and Albert Museum (V&A) in London have posted online the contents of two notebooks by Leonardo da Vinci, enabling devotees of the Renaissance polymath to zoom in and examine his revolutionary ideas and concepts.

On the technical front, the use of IIIF (International Image Interoperability Framework) to present a digital version of the notebooks is an innovation. “It’s our use of the IIIF standard that has enabled us to present the codex in a new way. The V&A digital team has been doing a lot of work in the last 18 months using IIIF. We’ve used the deep-zoom functionality enabled through IIIF to present some of the most spectacular and detailed items in our collection,” says Kati Price, the V&A’s head of digital media and publishing.

Crucially, IIIF also lets scholars compare similar objects across several institutions’ collections. “Researchers can easily see the images together with Leonardo da Vinci items held by other institutions using IIIF, for side-by-side digital comparison,” Yvard says.

These two notebooks, not to mention those to be posted next year for the 500th anniversary of Leonardo’s death, are important in their own right.

However, I want to draw your attention to the use of International Image Interoperability Framework (IIIF) in this project.

From the IIIF FAQ:

What is IIIF?

The International Image Interoperability Framework (IIIF) is a set of shared application programming interface (API) specifications for interoperable functionality in digital image repositories. The IIIF is comprised of and driven by a community of libraries, museums, archives, software companies, and other organizations working together to create, test, refine, implement and promote the IIIF specifications. Using JSON-LD, linked data, and standard W3C web protocols such as Web Annotation, IIIF makes it easy to parse and share digital image data, migrate across technology systems, and provide enhanced image access for scholars and researchers. In short, IIIF enables better, faster and cheaper image delivery. It lets you leverage interoperability and the fabric of the Web to access new possibilities and new users for your image-based resources, while reducing long term maintenance and technological lock in. IIIF gives users a rich set of baseline functionality for viewing, zooming, and assembling the best mix of resources and tools to view, compare, manipulate and work with images on the Web, an experience made portable–shareable, citable, and embeddable.

What are the benefits of IIIF?

….

Advanced, interactive functionality for end users

  • Fast, rich, zoom and pan delivery of images
  • Manipulation of size, scale, region of interest, rotation, quality and format.
  • Annotation – IIIF has native compatibility with the W3C annotation working group’s Web Annotation Data Model, which supports annotating content on the Web. Users can comment on, transcribe, and draw on image-based resources using the Web’s inherent architecture.
  • Assemble and use image-based resources from across the Web, regardless of source. Compare pages, build an exhibit, or view a virtual collection of items served from different sites.
  • Cite and Share – IIIF APIs provide motivation for persistence, providing portable views of images and/or regions of images. Cite an image with confidence in stable image URIs, or share it for reference by others–or yourself in a different environment.
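The manipulation options listed above (region, size, rotation, quality, format) are all carried in the request URI of the IIIF Image API. As an added example, not code from the IIIF community or from the V&A project, here is a validating parser for the Image API 2.1 request syntax, `{scheme}://{server}{/prefix}/{identifier}/{region}/{size}/{rotation}/{quality}.{format}` (plus `{identifier}/info.json`), which is what an image server must check before acting on a request; the sample URLs are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

PIXEL_REGION_RE = re.compile(r"^(\d+),(\d+),(\d+),(\d+)$")
PCT_REGION_RE = re.compile(
    r"^pct:(\d+(?:\.\d+)?),(\d+(?:\.\d+)?),(\d+(?:\.\d+)?),(\d+(?:\.\d+)?)$")
# full | max | w, | ,h | pct:n | w,h | !w,h
SIZE_RE = re.compile(r"^(?:full|max|(\d+),|,(\d+)|pct:(\d+(?:\.\d+)?)|(!?)(\d+),(\d+))$")
ROTATION_RE = re.compile(r"^(!?)(\d+(?:\.\d+)?)$")  # optional "!" = mirror first
QUALITIES = {"color", "gray", "bitonal", "default"}
FORMATS = {"jpg", "tif", "png", "gif", "jp2", "pdf", "webp"}


def parse_region(text):
    """full, square, x,y,w,h in pixels, or pct:x,y,w,h as percentages."""
    if text in ("full", "square"):
        return {"kind": text}
    m = PIXEL_REGION_RE.match(text)
    if m:
        x, y, w, h = (int(v) for v in m.groups())
        if w == 0 or h == 0:
            raise ValueError("region width and height must be non-zero")
        return {"kind": "pixels", "x": x, "y": y, "w": w, "h": h}
    m = PCT_REGION_RE.match(text)
    if m:
        x, y, w, h = (float(v) for v in m.groups())
        if w == 0 or h == 0 or max(x, y, w, h) > 100:
            raise ValueError("percentage region out of range")
        return {"kind": "pct", "x": x, "y": y, "w": w, "h": h}
    raise ValueError(f"bad region: {text!r}")


def parse_size(text):
    m = SIZE_RE.match(text)
    if not m:
        raise ValueError(f"bad size: {text!r}")
    if text in ("full", "max"):
        return {"kind": text}
    w_only, h_only, pct, bang, w, h = m.groups()
    if any(int(v) == 0 for v in (w_only, h_only, w, h) if v is not None):
        raise ValueError("size dimensions must be non-zero")
    if w_only:
        return {"kind": "width", "w": int(w_only)}
    if h_only:
        return {"kind": "height", "h": int(h_only)}
    if pct:
        if float(pct) == 0:
            raise ValueError("pct size must be non-zero")
        return {"kind": "pct", "n": float(pct)}
    return {"kind": "best_fit" if bang else "exact", "w": int(w), "h": int(h)}


def parse_rotation(text):
    m = ROTATION_RE.match(text)
    if not m:
        raise ValueError(f"bad rotation: {text!r}")
    degrees = float(m.group(2))
    if degrees > 360:
        raise ValueError("rotation must be between 0 and 360")
    return {"mirror": m.group(1) == "!", "degrees": degrees}


def parse_iiif_image_request(url):
    """Parse and validate an Image API 2.1 request URI into its components.
    The identifier is the segment before the four parameters; encoded slashes are restored."""
    segments = urlsplit(url).path.split("/")
    if len(segments) >= 2 and segments[-1] == "info.json":
        return {"identifier": unquote(segments[-2]), "info": True}
    if len(segments) < 6:
        raise ValueError("not an Image API request URI")
    identifier, region, size, rotation, last = segments[-5:]
    if not identifier:
        raise ValueError("empty identifier")
    if "." not in last:
        raise ValueError("missing format")
    quality, fmt = last.rsplit(".", 1)
    if quality not in QUALITIES or fmt not in FORMATS:
        raise ValueError(f"bad quality/format: {last!r}")
    return {
        "identifier": unquote(identifier),
        "region": parse_region(region),
        "size": parse_size(size),
        "rotation": parse_rotation(rotation),
        "quality": quality,
        "format": fmt,
        "info": False,
    }


def is_valid_request(url):
    """True when url is a well-formed Image API request, False otherwise."""
    try:
        parse_iiif_image_request(url)
        return True
    except ValueError:
        return False
```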

If you are looking to enhance your topic map with images, this sounds like the right way to go. Ping me with your examples of your uses of IIIF with topic maps.

BTW, the Draft IIIF v.3.0 Specifications have been released for review.

Latin Terms … Early Printed Books

Filed under: Books,Library — Patrick Durusau @ 11:46 am

Glossary of Common Latin Terms Found in Imprints of Early Printed Books Compiled by Robert L. Maxwell.

Despite my association with markup technologies, I have a long standing fascination with libraries and research into materials created long before the advent of digital texts.

One aspect of using such materials is decoding the meaning of Latin terms, known to scholars at the time of publication, but that have passed from scholarly practice over the centuries.

This glossary by Maxwell will be useful for Latin terms, but I’m also putting A Manual of European Languages for Librarians on my wish list. That link is to the 1976 edition, as the more recent (1999) lists for $128 and some change. With better pricing, the 1999 edition could be part of every scholar’s bookshelf. Given the publisher, that seems unlikely.

August 30, 2018

Censorship: Compensating for Poor Design, Assumed User Incompetence

Filed under: Censorship,Free Speech — Patrick Durusau @ 12:58 pm

Tumblr is explicitly banning hate speech, posts that celebrate school shootings, and revenge porn by Shannon Liao.

From the post:

Tumblr is changing its community guidelines to more explicitly ban hate speech, glorifying violence, and revenge porn. The new rules go into effect on September 10th.

“It’s on all of us to create a safe, constructive, and empowering environment,” Tumblr writes in its blog post. “Our community guidelines need to reflect the reality of the internet and social media today.” The previous version of the guidelines can still be viewed on GitHub for comparison.

Some people cheer censorship of undefined “hate speech, glorifying violence, and revenge porn.” At least until they realize that censorship is made necessary by poor design and assumptions about user incompetence.

Poor Design

The filtering options for a Tumblr account are especially sparse:

“Safe” mode is a shot-in-the-dark filter with no known settings.

You can only choose “tags” to filter on. As though “tags” are going to be assigned in good faith by bad actors.

A better design of filtering would include user (with wildcarding), terms (with wildcarding), tags, dates (with ranges), along with the ability to “follow” filters created by other Tumblr users. (That could be a commercial incentive for users to create and sell such filters.)

Centralized censorship at Tumblr is an attempt to correct for an engineering failure, a failure that denies users the ability to choose the content they wish to view.

Assuming User Incompetence

Closely allied with the lack of even minimal, shareable filters, is the Tumblr assumption that users are incompetent to filter their own content. Hence, Tumblr has to step in to filter content for everyone.

I don’t recall Tumblr (or any other Internet censor) offering any evidence that users are incapable of choosing the content they wish to view or avoid.

Are you incapable of making that choice?

I ask because the Spanish Inquisition censors made similar fact-free assumptions about readers. Why should Tumblr repeat the mistakes of the Spanish Inquisition?

Censorship shouts at everyone they aren’t competent to choose their own reading materials.

Conclusion

Tumblr isn’t the only Internet forum that is covering up poor design and making false assumptions about users and their competence in choosing material. I mention it here only as a sign that censorship is spreading and should be resisted without quarter.

I think you are smart enough to choose the content you wish to view and I extend that assumption to all other users.

Do you disagree?

August 29, 2018

How-To Read Kathy Griffin’s Thread on Sexism in the Workplace (For Men Only)

Filed under: Feminism,sexism — Patrick Durusau @ 4:29 pm

While describing sexism in the context of comedy, Kathy Griffin also points out the same could be said for any job or workplace.

Titled “(For Men Only)” because I have suggestions for how men should read Kathy Griffin’s thread. (I have no idea how women will or should read it.)

First, men should read this thread (A – Z) aloud to other men. Silently skimming it and nodding along may provide some benefit, but not much.

Second, read slowly and offer comments and discussion after every tweet. Reflecting back on women in your workplaces, are there instances that resonate with Griffin’s comments? What if anything did you do then? What if anything would you do differently now?

Third, telecommuting is no excuse for not doing #1 and #2. Find yourself a discussion partner to work through this thread.

I make these suggestions because changing ourselves (men) and hence workplace environments, requires effort. Saying we are different, getting a certificate we have been trained, assuring each other we are different, or that we aren’t as bad as Louis CK, doesn’t count.

Effort requires that we think about ourselves, our history with women, what a better future for women requires of us and steps we can take towards putting our new awareness into action.

Only we, by listening to women (#1), can work with women to create a better world for our mothers, sisters, wives, daughters,… for us all.

August 28, 2018

Hackers – Government Partnership? A New Model

Filed under: Cybersecurity,Government — Patrick Durusau @ 7:09 pm

The trials and tribulations of hiring hackers, much less hiring them by governments, are but a quick search away. A few of the articles I have encountered: Hiring hackers: The good, the bad and the ugly, Top 10 Pros and Cons of Hiring Hackers to Enhance Security, and, Hiring a hacker: Why and how you should do it.

These posts and others suffer from a lack of imagination in harnessing hackers for bettering government security.

Governments want fewer cybersecurity risks. Hackers want less risk from their hacking activities. Here’s one way to lessen the risks on both sides:

  1. Government creates a PGP key for encryption of method and proof of hack on a government information system.
  2. The encrypted package is signed by the hacker in question for proof of ownership of that hack.
  3. Uploading of the encrypted package to a public website, along with which a hacker can claim their handle, automatically grants the hacker immunity for the hack and use of its results. Additionally, the hack cannot be used in any other prosecution for any purpose.
  4. The government can solicit solutions for submitted hacks from the submitting hacker(s) or from hackers more generally.

Governments, any government, are already hemorrhaging data. Anyone who says differently is selling a mythical security solution. Be forewarned.

The proposed hack/immunity system gives governments notice of hacks and their specifics, in exchange for immunity in the unlikely event that anyone will be prosecuted for a hack.

Moreover, the privacy of hackers is preserved since they must produce the key to verify the signing of the encrypted package, which they would only do in case of a prosecution based on or using that hack.

The cybersecurity community as a whole gains greater reliability of breach information compared to:

…This year’s report is based on a global survey conducted by 451 Research during October and November of 2017.

In contrast to last year’s report, we surveyed 1,200+ senior security executives from across the globe (up from 1,100), including respondents from key regional markets in the U.S., U.K., Germany, Japan, Sweden, the Netherlands, Korea and India. We also surveyed key segments within those countries including federal government, retail, finance and healthcare. While all 1,200 respondents have at least some degree of influence in data security decision-making, more than one-third (34%) have ‘major’ influences on these decisions and nearly half (46%) have sole decision-making authority.
2018 THALES DATA THREAT REPORT

Misgivings over the trustworthiness of hackers are highly selective. Thales relies on people with an interest in their failures looking similar to everyone else’s. A rather odd “research” technique.

PS: Should anyone (US prosecutors, FBI, etc.) protest the automatic granting of immunity, ask them for their prosecution statistics versus the number of known breaches in their districts.

You can waste money on by-chance prosecutions and cybersecurity myths, or you can correct your systems against the best hackers in the world. Your call.

Cybersecurity Fails Set To Spread Beyond Beltway Defense Contractors

Filed under: Cybersecurity,Government,Government Data — Patrick Durusau @ 3:01 pm

I’m sure you were as amused as I was to read: U.S. Department Of Defense Awards $37 Million Contract To Cybersecurity Startup Qadium. It’s only fair you know. Startups can fail at cybersecurity just as well as traditional contractors (names omitted to protect the guilty).

With a transparency unlike most media outlets, the post includes a disclaimer that the following was written by Qadium:

Cybersecurity startup Qadium has been awarded a $37.6 million contract by the U.S. Department of Defense, making it the latest venture-backed startup from Silicon Valley to win a major federal contract over traditional Beltway defense contractors.

Qadium is the first company to provide real-time monitoring of the entire global Internet for customers’ assets. In a new era of machine-speed attacks, Qadium helps the world’s most sophisticated organizations define and secure their dynamic network edge.

The contract was awarded by the U.S. Navy’s Space and Warfare Command after the Department of Defense validated Qadium’s commercial software. Qadium is now recognized among a small handful of cybersecurity providers, with DoD making its software accessible department-wide.

“The Defense Department used to love to build its own IT, often poorly and at high cost to taxpayers,” said Qadium CEO and CIA veteran Tim Junio. “The times are finally changing. In the face of the greatest cybersecurity challenges in our nation’s history, we’re seeing the government and private tech companies coming together, making both sides better off.”

I can name one side that will be better off, to the tune of $37 Million.

Hackers also benefit from this news, Qadium becoming a known target for social engineering and other attention.

More GMail Addresses? Increasing Malware or Spam Chances?

Filed under: Email — Patrick Durusau @ 2:20 pm

I’m not sure why you would want to increase your malware/spam chances by having multiple gmail addresses, but, fyi, it is possible.

J. D. Biersdorfer details how to generate multiple gmail addresses from one gmail address in Make Several Gmail Addresses Out of One.

I like Biersdorfer’s suggestion of the use of multiple gmail addresses for tracking which “registration” shared your address with spammers. On the other hand, so long as it all goes to /dev/null, why would I care?

I assume all registrations are for the benefit of those asking for the registration; they are not meant to benefit me. So /dev/null it is, without further examination.

August 24, 2018

Compositionality: Now Open For Submissions [One Burning Editorial Policy Question]

Filed under: Category Theory,Mathematics — Patrick Durusau @ 4:48 pm

Compositionality: Now Open For Submissions by John Baez.

Our new journal Compositionality is now open for submissions!

It’s an open-access journal for research using compositional ideas, most notably of a category-theoretic origin, in any discipline. Topics may concern foundational structures, an organizing principle, or a powerful tool. Example areas include but are not limited to: computation, logic, physics, chemistry, engineering, linguistics, and cognition.

Compositionality is free of cost for both readers and authors.

After looking at the editorial policies, there is one burning question:

Can authors be listed as anonymous?

I ask because a friend of a friend recently confessed to using category theory on a medical domain ontology and concealed that fact from his users. My friend was cautioned to never reveal the use of category theory to those users.

Publications in Compositionality could show up in casual search results, tipping off users on the use of category theory.

A useful and productive tool could suddenly turn opaque and obscure.

The new journal sounds great but needs to be tweaked to hide authors from casual searches on the Internet. (Is this akin to the EU right to be forgotten? A right to not be found?)

Enjoy!

Looking forward to the first issue!

August 22, 2018

Politics of Code [If a question is not about power…, you didn’t understand the question.]

Filed under: Ethics,Programming,sexism — Patrick Durusau @ 9:04 pm

Politics of Code by Prof. Jacob Gaboury.

From the syllabus:

This course begins with the twin propositions that all technology is inherently political, and that digital technologies have come to define our contemporary media landscape. Software, hardware, and code shape the practices and discourses of our digital culture, such that in order to understand the present we must take seriously the politics of the digital. Beginning with an overview of cybernetics, information theory, systems theory, and distributed communications networks, the course will primarily focus on the politics and theory of the past twenty years, from the utopian discourses of the early web to the rise of immaterial labor economies and the quantification and management of subjects and populations. The course will be structured around close readings of specific technologies such as distributed networks, programming languages, and digital software platforms in an effort to ground critical theory with digital practice. Our ultimate goal will be to identify a political theory of the present age – one that takes seriously the role of computation and digitization.

If you don’t already have a reading program for the Fall of 2018, give this syllabus and its reading list serious consideration!

If time and interest permit, consider my suggestion: “If a question is not about power…, you didn’t understand the question.”

Uncovering who benefits from answers won’t get you any closer to a neutral decision making process but you can be more honest about the side you have chosen and why.

Data and the Midterm Elections:… [Enigma contest, swag prizes, September 21 deadline]

Filed under: Data Science,Government,Python — Patrick Durusau @ 4:44 pm

Data and the Midterm Elections: Enigma Public Call for Submissions

Calling all public data enthusiasts! To celebrate the launch of Enigma Public’s Python SDK, Enigma is hosting a contest for projects – ranging from data science to data visualization, data journalism and more – featuring Enigma’s public data in exploration of the upcoming U.S. elections.

We are excited to incentivize the creation of data-driven projects, exploring the critical U.S. midterm elections this fall. In this turbulent and confusing period in U.S. politics, data can help us interpret and understand both the news we’re reading and changes we’re seeing.

One of the suggested ideas:

Census Bureau data on voter registration by demographic category.

shows that Lakoff’s point about Clinton losing educated women around Philadelphia, “her” demographic, has failed to register with political types.

Let me say it in bold type: Demographics are not a reliable indicator of voting behavior.

Twice? Demographics are not a reliable indicator of voting behavior.

Demographics are easy to gather. Demographics are easy to analyze. But easy to gather and analyze does not equal useful in planning campaign strategy.

Here’s an idea: Don’t waste money on traditional demographics, voting patterns, etc., but enlist vendors who market to those voting populations to learn what they focus on for their products.

There’s no golden bullet but repeating the mistakes of the past is a step towards repeating the failures of the past. (How would you like to be known as the only candidate for president beaten by a WWF promoter? That’s got to sting.)

Journal of the Ancient Near Eastern Society (JANES)

Filed under: Ancient World,Bible — Patrick Durusau @ 4:08 pm

Journal of the Ancient Near Eastern Society (JANES)

JANES, the Journal of the Ancient Near Eastern Society, was founded in 1968 at Columbia University, and has been housed at the Jewish Theological Seminary since 1982. Over these approximately forty years 30 volumes have been published under the editorship of former JTS professor Ed Greenstein and JTS professor David Marcus. The volumes include approximately three hundred and fifty articles written by over two hundred scholars and students from all over the world. The impressive array of scholars that have contributed articles to these volumes includes well-known names such as G. R. Driver, H. L. Ginsberg, Jonas Greenfield, William Hallo, Thorkild Jacobsen, Jacob Milgrom, A. L. Oppenheim, to mention but a few. Over the years there have been five special issues celebrating JTS and Columbia scholars Elias Bickerman, Meir Bravmann, Theodor Gaster, Moshe Held, and Yochanan Muffs. Articles have been written on all aspects of the Bible and Ancient Near East covering areas such as art history, archaeology, anthropology, language, linguistics, philology, and religion. There are articles on Assyriology, Ugaritic, Phoenician, Hittite, and all areas of Hebrew and Aramaic and on almost every book of the Bible. Manuscripts should be composed according to the SBL style sheet and sent to the Editors, c/o Ed Greenstein (greenstein.ed@gmail.com)

Biblical and Ancient Near Eastern studies were my primary focus area when I was drawn into markup languages and standardization efforts.

If you are looking for challenging material to index, consider those listed in AWOL – The Ancient World On Line. The languages range from ancient to modern, materials from images to digital texts.

Enjoy!

Battle of Impressively Bad Military Graphics

Filed under: Communication,Graphics,Visualization — Patrick Durusau @ 3:32 pm

Cav The Knife started a thread on Twitter with this image:

The original can be found in Joint Intelligence Preparation of the Operational Environment, page I-3.

Rob Levinson counters with:

The original can be found in Dynamic Planning for COIN in Afghanistan at page 22. The slide deck includes numerous other offenses against the art of explanation and visualization.

The contest is somewhat unfair because the Joint Intelligence graphic was composed by military lifers versus the COIN in Afghanistan, created by professionals at PA Consulting Group.

For my money, COIN in Afghanistan takes the prize in this comparison as the worst graphic, but Joint Intelligence should get a “best in amateur class” mention.

Other contestants?

August 21, 2018

EPIC APP CHALLENGE [Intelligence on Intelligence Community, Street Cred, Cash Prizes]

Filed under: Contest,Intelligence — Patrick Durusau @ 7:45 pm

EPIC APP CHALLENGE

From the post:

The EPIC App Challenge is an Intelligence-Community-focused challenge for developers directed at one or more hard problems the IC is facing today. Participating in the App Challenge is a great way to show off your school or company’s developers and technical talent to 3 esteemed judges and over 1,000 attendees at the 2018 Intelligence and National Security Summit. Similar to a hackathon, teams will be competing against each other in a 10-day sprint to create the best solution to the problem involved. Instead of running the challenge on-site, teams will work from their home, office, or school to create their solutions and then present them on the kickoff day of the Summit, September 4.

There will be cash prizes given to the first, second, and third place teams, which will be announced following the keynote luncheon on the opening day of the conference.

  • Grand Prize: $3,000
  • Second Place: $2,000
  • Third Place: $1,000

Phase 1: August 24 – September 4

  • We will host a virtual kick off at 11am on Friday, August 24 to provide all teams with the problem statement, as well as answer any questions you may have. We will also provide contact information if you have any questions along the way. You will have until 8:00am on Tuesday, September 4 to work on your project. Your solution can be presented in PowerPoint or Keynote slides, a Word document, a Prezi, video, etc.

Phase 2: September 4

  • You will arrive by 8:15am to present your solution to the judges. We will kick off the event with opening remarks, and then each team will present their solution. Judging will be done science fair style. Judges will give each team approximately 15 minutes to present their solution. Judging will conclude at 11:00am. Following the round of judging, the winners will be selected and recognized on stage following the opening keynote luncheon, which begins at 11:45am.
  • Teams are allowed to leave their solutions set up the rest of the day for the 1,000+ INSS attendees to come by and see your solution.

Problem Set

The App Challenge problem will focus on anticipating events based on open source data sets that may include data for natural disasters, social unrest, cyber attacks, or disease patterns. Participants will be judged on their ability to develop anticipatory intelligence solutions based on the final judging criteria. 

Utilize a publicly available open data set (i.e., CIA World Factbook, Data.gov, more) to provide indicators and warning (i.e., anticipatory intelligence, predictive analytics, pattern recognition) for an ongoing or upcoming global event that would be relevant to National Security Interests of the United States. Your solution will be judged on two prongs: First, on the problem set’s impact to national security; and, second, the technical solution and how well the proposed solution will meet that need. Further details to be provided during the kickoff on Aug. 24.

Examples of data sets and technology to support the development of your solution:

  • Data sets: CIA World Factbook, Data.gov, US Census, Github, Socrata, DIUx, more
  • Indicators and warning: pattern recognition, machine learning, anticipatory intelligence, predictive analytics, etc.
  • Potential events with national security implications that could be of focus (this is not inclusive):
    • Cyber attacks
    • Natural disasters (i.e., fires, earthquakes, Tsunami)
    • Biological events (i.e., disease outbreak patterns)

Team Entry

  • Minimum of 1 person with a maximum of 5 team members
  • Participants in the EPIC App Challenge will be provided complimentary registration to the conference, as well as a complimentary ticket to the opening keynote luncheon
  • Teams must be able to attend the morning of September 4 to present your solution.
  • Cost is $50 per team to participate.

Register here!

If you want to gather intelligence on the intelligence community, here’s a cheap ($50) way to start. Not only will you discover what the intelligence community (IC) considers to be hard problems, you may come to the attention (assuming that’s desired) of members of the IC. They are further sources of what interests the IC.

Anyone up for a team using merging based on subject identity? Ping me.

Hacking: The hope for corporate and governmental transparency

Filed under: FOIA,Government,Hacking,Transparency — Patrick Durusau @ 1:31 pm

DEF CON 26 (2018) was the source of many headlines, including Hacking the US Midterms? It’s Child’s play., Hacking Medical Protocols to Change Vital Signs, and, Tesla Plans to Open-source its Vehicle Security Software, to say nothing of zero-day bugs and new attacks on old ones.

The most encouraging news, at least for transparency of corporations and governments, comes from Breaking Badge – The DEFCON Crazy 8s by NodyaH.

“DEF CON City” is the location of a text-based adventure that can be solved only with interactions between 8 card types (depends on type of attendee) as well as hacking the cards themselves. The goal is to turn all the letters DEFCON green. There are resources at the end of the post, if you already have a badge.

NodyaH does a great job describing the starts, stops and re-tracing steps of participants as they rushed to break the badges.

It’s a fast moving tale so take a few minutes to read it. After having read it, can you name a corporate or governmental agency that would be more difficult to hack than the DEFCON badges?

The solution to grudging transparency and documents that mislead more than they inform is not more FOIA. Transparency requires hackers who peel corporate and government agencies like navel oranges.

Are you one of them or aspire to be?

Keep up with DEFCON!

August 15, 2018

Against Laptops & Phones in Class [Note Taking and Conference Videos]

Filed under: Education — Patrick Durusau @ 5:06 pm

Against Laptops & Phones in Class by Andrew Mills.

A great collection of studies on the negative impact on memory and student performance from having laptops and/or phones in class.

I certainly have my phone and main computer screens available while I watch conference videos.

Without a controlled scientific study, I venture those distractions have a negative impact on my learning from video presentations.

Mills advocates manual note taking and lists resources on same (two of which are working today):

It’s certainly possible to create transcriptions of videos but I suspect notes give a better view of video content. (Well, except for where your pen scrawls off the page because you went to sleep. Been there, done that.)

No promises, but I’m thinking of applying the lessons Mills advocates for the classroom in a home learning environment.

If you try this, ping me with your experiences.

Enjoy!

The Talk-First Strategy of Poster Design

Filed under: Conferences,Presentation — Patrick Durusau @ 1:22 pm

The Talk-First Strategy of Poster Design by Xanda Schofield and Prof. David Mimno.

From the post:

Posters are a great way to learn how to communicate your work, but designing and writing a poster is hard. Our group has developed a simple technique that works well, and we thought it could be helpful to others.

Presenting at poster sessions at conferences can be exhausting. You stand by your poster for several hours and, when people ask you for a description of your work, must give a tight three-to-five-minute talk. If you’re successful in grabbing the attention of passersby (and that in itself is a skill), this cycle could easily happen 10-20 times, each with a unique set of follow-up questions about what struck the listener as interesting or confusing. By the end of the session, we often find ourselves with a much clearer mental model of our work: you learn how to get someone’s interest quickly, what terms you need to define, what parts are confusing, and what the best examples are to illustrate successes and failures.

The problem with this pattern, of course, is that the great mental model arrives at the *end* of the process, when you are pulling out the thumb tacks and rolling up the poster. Oftentimes, we have presented posters that were full of things that we didn’t actually want to discuss. The clearest sign we had made this mistake was when we would find ourselves repeatedly pointing to one or two specific spots on the poster, and not really using anything else. It’s not that that content was bad or wrong; it may have been the key material of a longer talk. But in three to five minutes, there may not be space to actually explain everything.

So rather than spending a lot of time creating a poster in PowerPoint or OmniGraffle or something similar, and then figuring out what works and doesn’t at the poster session, we started what you might call the “talk first” method. The goal is to move away from thinking about a poster as a static document or a paper summary. Instead, we try to think of them as visual aids for mini-presentations — a series of things you want to point to as you are talking about your work. It’s not a bad thing for a poster to work as a self-contained, unattended unit. But it’s more important that it be the visual complement to your in-person description. By starting with that goal in mind, we have been able to design much more effective posters for our work,
… (emphasis in original)

Top three (3) lessons from Schofield and Mimno:

  1. Effective communication is NOT a matter of chance.
  2. People don’t luck into being good presenters.
  3. You can improve your presentation/poster skills. (with practice)

Schofield and Mimno provide a process for improving your poster presentation skills.

Caveat: You have to supply the practice on your own.

Good luck!

August 14, 2018

Process Doppelgänging meets…

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 4:29 pm

Process Doppelgänging meets Process Hollowing in Osiris dropper by hasherezade.

From the post:

One of the Holy Grails for malware authors is a perfect way to impersonate a legitimate process. That would allow them to run their malicious module under the cover, being unnoticed by antivirus products. Over the years, various techniques have emerged in helping them to get closer to this goal. This topic is also interesting for researchers and reverse engineers, as it shows creative ways of using Windows APIs.

Process Doppelgänging, a new technique of impersonating a process, was published last year at the Black Hat conference. After some time, a ransomware named SynAck was found adopting that technique for malicious purposes. Even though Process Doppelgänging still remains rare in the wild, we recently discovered some of its traits in the dropper for the Osiris banking Trojan (a new version of the infamous Kronos). After closer examination, we found out that the original technique was further customized.

Indeed, the malware authors have merged elements from both Process Doppelgänging and Process Hollowing, picking the best parts of both techniques to create a more powerful combo. In this post, we take a closer look at how Osiris is deployed on victim machines, thanks to this interesting loader.

Way beyond my current skill level but it may not be beyond yours.

It also serves as an inspiration/target for a skill level sufficient to read along with a fair degree of understanding.

Enjoy!
