Wednesday, November 26, 2014

Great Firewall of China Blocks Edgecast CDN, Thousands of Websites Affected

Starting about a week ago, the Great Firewall of China began blocking the Edgecast CDN. This was spurred by GreatFire's Collateral Freedom project, which used CDNs to get around censorship of individual domains. It left China with a choice: either let go of censorship, or break significant chunks of the Internet for its population. China chose the latter, and now many websites are no longer functional for Chinese users. I'm only just helping to diagnose this problem with the company's site, so it's likely many people are still just starting to discover what's happened, and the economic impact is yet to be fully realized. Hopefully pressure on China will reverse the decision.

Revealing Gorilla Glass 4, Promises No More Broken iPhones

Corning introduced its next-generation Gorilla Glass, which it said is ten times tougher than any competitive cover glass now on the market. The company says Gorilla Glass 4 is launched to address the No. 1 problem among smartphone users: screen breakage due to everyday drops.

Nuclear Weapons Create Their Own Security Codes With Radiation

Nuclear weapons are a paradox. No one in their right mind wants to use one, but if they're to act as a deterrent, they need to be accessible. The trick is to make sure that access is only available to those with the proper authority. To prevent a real life General Jack D Ripper from starting World War III, Livermore National Laboratory's (LLNL) Defense Technologies Division is developing a system that uses a nuclear weapon's own radiation to protect itself from tampering.

Interesting Assumptions In Cryptography

Nice article on some of the security assumptions we rely on in cryptographic algorithms.

Yet Another Malware

Regin is another military-grade surveillance malware (tech details from Symantec and Kaspersky). It seems to have been in operation between 2008 and 2011. The Intercept has linked it to NSA/GCHQ operations, although I am still skeptical of the NSA/GCHQ hacking Belgian cryptographer Jean-Jacques Quisquater.

Sunday, November 23, 2014

WhatsApp Is Now End-to-End Encrypted

WhatsApp is now offering end-to-end message encryption:
WhatsApp will integrate the open-source software TextSecure, created by privacy-focused non-profit Open Whisper Systems, which scrambles messages with a cryptographic key that only the user can access and never leaves his or her device.
I don't know the details, but the article talks about perfect forward secrecy. Moxie Marlinspike is involved, which gives me some confidence that it's a robust implementation.

Encrypt Your Website For Free

Announcing Let's Encrypt, a new free certificate authority. This is a joint project of EFF, Mozilla, Cisco, Akamai, and the University of Michigan.
This is an absolutely fantastic idea.
The anchor for any TLS-protected communication is a public-key certificate which demonstrates that the server you're actually talking to is the server you intended to talk to. For many server operators, getting even a basic server certificate is just too much of a hassle. The application process can be confusing. It usually costs money. It's tricky to install correctly. It's a pain to update.
Let's Encrypt is a new free certificate authority, built on a foundation of cooperation and openness, that lets everyone be up and running with basic server certificates for their domains through a simple one-click process.
The key principles behind Let's Encrypt are:
  • Free: Anyone who owns a domain can get a certificate validated for that domain at zero cost.
  • Automatic: The entire enrollment process for certificates occurs painlessly during the server's native installation or configuration process, while renewal occurs automatically in the background.
  • Secure: Let's Encrypt will serve as a platform for implementing modern security techniques and best practices.
  • Transparent: All records of certificate issuance and revocation will be available to anyone who wishes to inspect them.
  • Open: The automated issuance and renewal protocol will be an open standard and as much of the software as possible will be open source.
  • Cooperative: Much like the underlying Internet protocols themselves, Let's Encrypt is a joint effort to benefit the entire community, beyond the control of any one organization.

Wednesday, November 19, 2014

Work and life, balance

What does work/life balance mean to you? Most likely, it means something different to what it means to me.
There are many ways to define work and life, and the balance between the two, but I’m going to focus on two, that I’ll label, ungenerously to one of them, the “old way” and the “new way”.

The old way

In the old way, work and life are clearly distinct, as night and day. Work is a curse (sometimes biblical), the time you spend toiling and sweating and bleeding to earn a living, and life is a blessing, the thing you work for, which must be distinct from work and much better than work, to justify all the toiling and sweating and bleeding.
You work (an activity that by definition you do not enjoy most of the time) to earn money, that you then spend on things that you do enjoy, during your “life” time. The work is an unfortunate necessity, something that you would avoid if you could. The ideal life is the infinite holiday. If you had millions of dollars instead of thousands, in this mental framework, you would probably go on an extended holiday, until you’re either ruined by unfortunate circumstances or you die.
This is still the dominant paradigm, and one that drives most of our discussions of work/life balance. In fact, the very term “work/life balance” implies belief in this old way of defining work and life. Whenever you say “work/life balance”, you imply to your subconscious that you believe in these two concepts of work and life and their contrast and the need to balance them.
How to balance them? Well, with the definition of work as something unpleasant and life as something pleasant, obviously work should be minimised and life maximised. So we have fixed working hours, 40 hours a week, then 35, then 30. We scrupulously “leave our work behind” when we go home. We take holidays where we make sure to disconnect. We look at people who work longer hours, take their work home and work on holiday as workaholics – a clearly, obviously pejorative term. Something to be avoided.

The new way

The new way of talking about work and life is from the point of view of passionate people doing work they care about deeply. The traditional view here is that only artists and vocational people like charity workers, priests or doctors can do that, but today’s reality is that many people engaged in a wide range of jobs can and do feel passionate about their work, and find personal accomplishment and fulfilment in them.
One obvious case of the passionate worker is the entrepreneur, but they are rare so let’s leave them aside. Another is people who work in open cultures, or at least in jobs that somehow have some mysterious characteristics like a sense of purpose and challenge and autonomy.
People in these kinds of jobs can frequently feel they are in an awkward place, because they feel that they enjoy working hard, but then the “old way” of thinking tells them that they’re working too hard. Adopting the language of the old way, they might end up “realising” that they’re workaholics and try to cut back, or go on holiday and deliberately disconnect from everything to try and recover some “work/life balance”.
The sad thing about this is that it is wrong and actually makes the passionate person’s life worse, not better. Being passionate about your work is not a curse, it’s a blessing. We can argue all year long about what the meaning of life is, and each person can and needs to come up with their own answer, but there is no argument that achieving a state of flow is a desirable thing. Being passionate about your work leads to being in a state of flow more often.
How tragic, then, when definitions imagined by people who worked in a state of pain rise up out of your subconscious to say, effectively, “hey, you shouldn’t spend that much time in a state of flow, you’re a workaholic with no work/life balance!” An exaggerated view of that is akin to interrupting Leonardo in the middle of painting the Mona Lisa to tell him he’s done his eight hours and needs to go home now.
This conflict between working according to the new way but letting your thinking err along the old way is not helpful, and in my opinion should be avoided. I propose a new way of thinking about work/life balance, in terms of stages of work, with a clear, opinionated scale from worse to better. Each stage has different ways of thinking about work/life balance.

The new ladder of work

Level 1: Slavery

On the bottom of the ladder, I would like to put slavery – by which I do not mean wage slavery, but actual, real slavery. There is still an awful lot of this in the world. Some countries still have institutionalised slavery, and some high-profile international organisations do not bat an eyelid at using slavery to serve their goals, and most of humanity through most of history has operated at this level, sadly. As a slave with no control over your life, we can perhaps miraculously lift ourselves up to a higher level (like Joseph in the Biblical story), but most, by far, will not. The concept of work/life balance is irrelevant here: we have no life as a slave, our life belongs to our master.

Level 2: Survival

One level above, I would put the type of work that one does to ensure survival (of oneself or of one’s family). Throughout the industrial revolution, and still in many countries in Asia in industries such as textiles or manufacturing, much of the work is at this level. This is barely above slavery, the only difference being that we have a notional choice of working under equally bad conditions somewhere else. Work/life balance as a concept becomes theoretically important but is mostly out of our reach. We work (serve the curse) as much as we humanly can, and the rest of the time is a temporary interval between stretches of work. Much of the social progress of the industrial revolution was aimed at allowing people working at this level to live humane lives, and lifted much of the western world’s population to at least level 3.

Level 3: Balance

This is the level where the concept of work/life balance really has full meaning, and where most people are operating. In this perspective, work is undesirable but not oppressive. We have choice, so long as the economy is doing alright and our skills are in demand. We can choose to work reasonable working hours. We have control over the line between work and life. This is the old way done right. In this context, the concept of work/life balance is a good thing and it is important to balance the two, to stay in control of where that line shifts.

Level 4: Acceleration

Some fortunate people operating at level 3 may find that some aspects of their jobs are more engaging than others, and get caught up in those aspects from time to time. Another way to put it is that we may have work that is largely undesirable, that would not be worth doing if we weren’t paid for it, but there are some aspects of that work that put us in a state of flow, where we lose track of time and find ourselves working till silly hours or thinking about work on holiday, etc. This is where the level 3 way of thinking holds us back, by suggesting that this is a symptom of an out of control work/life balance. At this stage, the concept of work/life balance still makes sense overall, but it starts to lose its usefulness, and I think this is the stage where we must be careful not to let it hold us back from progressing to level 5.
Because at level 4, we start to get a glimpse of what life could be at level 5, since we begin to find out which activities are both productive (i.e. things society rewards with money) and put us in a state of flow (i.e. things we deeply enjoy doing for their own sake).

Level 5: Flow

Once we discover which activities we can do, which put us in a state of flow but are rewarded by society (i.e. are paid well enough), we have the option to start rebuilding our work (or finding another job or career) where we can spend most of our time doing the things we love and are passionate about. Of course, there are always going to be some unpleasant bits to any job, but because we see the bigger picture of what we’re doing (flow is impossible without a sense of purpose), we handle them without much effort, to get back to the bits we enjoy.
At this level, work/life balance makes no sense whatsoever. You wouldn’t put a time limit on flow any more than you’d put a time limit on any other enjoyable activity. Keep doing it as long as it’s fun! When it’s no longer fun, switch to another fun and productive thing. And so on, endlessly.
I don’t think it is possible to reach this level without letting go of the concept of work opposed to life, prevalent in level 3 thinking. A career/life where you spend most of your time in a state of flow is highly desirable, but it is not one we can reach while we meter out our efforts and keep thinking of work as something to be avoided.
A symptom of this state, in my opinion, is that we are constantly working: at home, during hobbies, on holiday, even while asleep! But much of that work is subconscious, thinking about how to do things even better or which things to do, rather than sitting down in front of a computer and “working”. The work is then just the natural outlet of the thinking, much like an artist’s work.
Whilst the shift from level 3 to 4 can happen accidentally without intention, the shift to level 5 only occurs if we really seek out this new way of working, which is why it’s important to embrace it rather than fight it.

Some final notes

There are a million objections to the ideas above. Some obvious ones are “what about if I have children?” or “what if my job sucks? no one could possibly enjoy my job!”. I believe that a careful reading of the article combined with some thinking will present answers to those objections though. Have a think before you disagree.

In conclusion

Life and work need not and should not be in opposition. When they are in harmony, both get better. But if you let the oppositional thinking of work vs life drive your thinking, it will impair your ability to progress from level 3 to level 5.
Don’t let old assumptions determine how you live your life today. Think for yourself about what makes sense for you.

  1. Obviously, this is an artificial dichotomy and there is a whole continuum of definitions between the two, and there are of course other dimensions to the definition that I’m not exploring here! But for the sake of argument…
  2. Another historical distortion is the concept that to matter in this way, work must be of great cultural or societal import. Actually, to put you in that same state of flow, work must simply matter greatly to you personally.

Tuesday, November 18, 2014

World's Youngest Microsoft Certified Professional Is Five Years Old

Gurvinder Gill writes at BBC that Ayan Qureshi is the world's youngest Microsoft Certified Professional after passing the tech giant's exam when he was just five years old. Qureshi's father introduced his son to computers when he was three years old. He let him play with his old computers, so he could understand hard drives and motherboards. "I found whatever I was telling him, the next day he'd remember everything I said, so I started to feed him more information," Qureshi explained. "Too much computing at this age can cause a negative effect, but in Ayan's case he has cached this opportunity." Ayan has his own computer lab at his home in Coventry, containing a computer network which he built and spends around two hours a day learning about the operating system, how to install programs, and has his own web site.

Microsoft Certified Professional (MCP) is a certification that validates IT professional and developer technical expertise through rigorous, industry-proven, and industry-recognized exams. MCP exams cover a wide range of Microsoft products, technologies, and solutions. When the boy arrived to take the Microsoft exam, the invigilators were concerned that he was too young to be a candidate. His father reassured them that Ayan would be all right on his own. "There were multiple choice questions, drag and drop questions, hotspot questions and scenario-based questions," Ayan's father told the BBC Asian Network. "The hardest challenge was explaining the language of the test to a five-year-old. But he seemed to pick it up and has a very good memory."

Facebook Planning a Professional Version To Rival LinkedIn, Google

Facebook may be coming out with an office version to take on LinkedIn. Facebook at Work would “allow users to chat with colleagues, connect with professional contacts and collaborate over documents.”
Facebook is reportedly gearing up to take on LinkedIn, Google's Drive and services, Microsoft's Outlook and Yammer with a workplace-friendly version of the social networking site, but such a dream is unlikely to appeal to the enterprise. As reported last week by the Financial Times, "Facebook at Work" is a new product designed to allow professional users to message colleagues, connect with professional contacts and collaborate over documents. The website will have the same look as standard Facebook — including a news feed and groups — but according to people familiar with the matter, the idea is to keep work and personal accounts separate. It makes sense for the social networking giant. Launching a professional version can boost ad revenue, keep engagement up and give the company a valuable new market to tap. But in application, cracking the corporate world won't be easy.

Group Tries To Open Source Seeds

The Open Source Seed Initiative is a passionate group that wants to ensure their seeds are never patented, but making sure seeds are free for use and distribution by anyone isn't as easy as you might think. Part of the equation is plant characteristics, like an extended head on lettuce — is that an invention? Or would you argue that it is the product of the collective sharing of material that improves the whole crop over time? In this report, one farmer says, "If you're not exchanging germplasm, you're cutting your own throat."

Monday, November 17, 2014

Open Source Self-Healing Software For Virtual Machines

Computer scientists have developed Linux-based software that not only detects and eradicates never-before-seen viruses and other malware, but also automatically repairs the damage caused by them. If a virus or attack stops the service, A3 could repair it in minutes without having to take the servers down. The software then prevents the invader from ever infecting the computer again. "It's pretty cool when you can pick the Bug of the Week and it works."

Thursday, November 13, 2014

How To End Online Harassment

Gendered bigotry against women is widely considered to be "in bounds" by Internet commenters (whether they openly acknowledge it or not), and subsequently a demographic that comprises half of the total human population has to worry about receiving rape threats, death threats, and the harassment of angry mobs simply for expressing their opinions. This needs to stop, and while it's impossible to prevent all forms of harassment from occurring online, we can start by creating a culture that shames individuals who cross the bounds of decency.

We can start by stating the obvious: It is never appropriate to use slurs, metaphors, graphic negative imagery, or any other kind of language that plays on someone's gender, race/ethnicity, sexual orientation, or religion. Not only is such language inappropriate regardless of one's passion on a given subject, but any valid arguments that existed independently of such rhetoric should have been initially presented without it. Once a poster crosses this line, they should lose all credibility.

Similarly, it is never acceptable to dox, harass, post nude pictures, or in any other way violate someone's privacy due to disagreement with their opinions. While most people would probably agree with this in theory, far too many are willing to access and distribute this humiliating (and often illegal) content. Instead of simply viewing stories of doxing, slut-shaming, and other forms of online intimidation as an unfortunate by-product of the digital age, we should boycott all sites that publish these materials.

Microsoft takes .NET open source

Good article; here is the GitHub page.

Wednesday, November 12, 2014

NSA Oversight and Transparency

Orin Kerr has a new article that argues for narrow construction of national security surveillance law:
This Essay argues that Congress should adopt a rule of narrow construction of the national security surveillance statutes. Under this interpretive rule, which the Essay calls a "rule of lenity," ambiguity in the powers granted to the executive branch in the sections of the United States Code on national security surveillance should trigger a narrow judicial interpretation in favor of the individual and against the State. A rule of lenity would push Congress to be the primary decision maker to balance privacy and security when technology changes, limiting the rulemaking power of the secret Foreign Intelligence Surveillance Court. A rule of lenity would help restore the power over national security surveillance law to where it belongs: The People.
This is certainly not a panacea. As Jack Goldsmith rightly points out, more Congressional oversight over NSA surveillance during the last decade would have gained us more NSA surveillance. But it's certainly better than having secret courts make the rules after only hearing one side of the argument.

Google reveals inner workings of manual hijacking

In Google's study, the firm gets up close and personal with hijackers that target not businesses or governments, but you personally.

Our digital identity is more important than ever. The data that can be traced back to us can include social media contacts, messages, our work details, bank accounts and purchase patterns.
So, it's no surprise when a recent poll in the US found that citizens were more concerned about online accounts being hijacked than their houses being robbed -- if you have insurance, goods can be replaced. If you lose an online account, you're at risk not only of losing the account forever -- but the heartbreak of identity theft.
One of the most common methods to take control of an account is mass hijacking. In this case, an automated process uses compromised systems to send out countless spam messages, malware, and phishing campaigns to add more hijacked accounts to the roster. In other cases, state-sponsored attacks target political institutions, universities, governments and corporations to access accounts and steal sensitive data or act as a gateway to spy on networks.
However, there is another category -- dubbed by Google "manual hijacking." What makes them different? These attacks are personal, time-consuming, and a cybercriminal is dedicated to infiltrating an individual's accounts -- often with the aim of plundering a person's bank account.
The tech giant says these account hijacks are rare -- only nine incidents per million users per day -- but they can be devastating to the victim.
In a new study, Google decided to explore this tactic further, looking at the sources of phishing emails, websites, and how these cybercriminals operate.
In these cases, we're not talking about remote, impersonal servers, brute-force attacks or phishing campaigns sent to thousands. Instead, imagine individuals working business hours, rifling through your accounts and tempting you to hand over your credentials for seemingly legitimate purposes.
A phishing email, crafted for you, can be far more believable than a supposedly long-lost uncle in Africa or a congratulatory note telling you you've won the Spanish lottery. Password guesses and malware installation were also popular methods used to access an account, according to the firm's researchers.
In addition, tactics change frequently. As an example, Google said that once the company started asking people which city they most frequently logged in from, hijackers "almost immediately started phishing for the answers."
Once a hacker has obtained a single credential, around 20 percent of accounts are accessed within 30 minutes. This single point of entry into your life is then barricaded against your entry by changing the details, before a search of other links begins -- such as banking and social media accounts.
The next step? The cyberattacker uses your account and credentials to send out phishing emails to those in your address book. Since many in your network are liable to trust you -- and this happened last week to me through a PR contact whose account was taken over -- they may be more susceptible to seemingly innocent links and downloads, which monetizes the effort required in manual hijacking.
According to the paper (.PDF), many of these hijackers appear to be working out of China, the Ivory Coast, Malaysia, Nigeria and South Africa. To keep these attacks as legitimate-looking as possible, campaigns are organized by language, so French-speakers work on the French community, for example.
While we often consider ourselves too smart to fall for such lures, Google found that some malicious websites were effective 45 percent of time, with people submitting their details 14 percent of the time -- and even the most 'obviously' fake websites still managed to fool 3 percent of us.
When cyberattacks can send out millions of messages, this figure is rather concerning.
Rare manual hijacking cases may be, but severe they certainly are -- and how are we to protect against them?
Google says the study's findings have been used to implement changes in the firm's account security settings and systems, but in the end, it is up to us to maintain our own levels of security. First of all, change your password frequently, and don't give in to easily-remembered passwords or patterns like QWERTY1, Jesus or ninja. Humans are more similar to each other than we'd like to believe, and if it's easy for us to remember, it is easy for someone to crack.
Secondary levels of verification are also useful. This does mean you have to hand over your phone number or another email address to companies like Google and PayPal, but in the end, this does give account access a second step which makes brute-force password cracking on its own less successful. In addition, if you do lose your account, you do have a way to verify your identity and potentially wrestle control back.
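The sequence the study describes (a login from somewhere new, recovery details changed within minutes, then phishing mail to the victim's contacts) is something an account provider can look for in its own logs. The detector below is an added example, not code from the page or from Google's study; the event format, account names and the 30-minute window are constructed assumptions chosen to match the figures quoted above.

```python
"""Flag the manual-hijacking pattern described in the Google study: a login
from a country not previously seen for the account, followed within 30 minutes
by a recovery-detail change and/or a burst of outbound mail.
Added example; the event log below is constructed, not real data."""
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # study: ~20% of accounts are accessed within 30 min
RECOVERY_EVENTS = {"change_recovery_email", "change_password", "change_phone"}
MAIL_BURST = 3                   # outbound messages inside the window that count as a burst

# Constructed sample events: (timestamp, account, event_type, detail)
SAMPLE_EVENTS = [
    ("2014-11-12T09:02:00", "alice", "login", "GB"),
    ("2014-11-12T09:05:00", "alice", "send_mail", "bob"),
    ("2014-11-12T14:00:00", "carol", "login", "FR"),
    ("2014-11-13T10:14:00", "alice", "login", "NG"),                       # new country
    ("2014-11-13T10:19:00", "alice", "change_recovery_email", "attacker@example.invalid"),
    ("2014-11-13T10:21:00", "alice", "send_mail", "bob"),                  # phishing the address book
    ("2014-11-13T10:21:30", "alice", "send_mail", "carol"),
    ("2014-11-13T10:22:00", "alice", "send_mail", "dave"),
    ("2014-11-13T11:00:00", "carol", "login", "FR"),                       # familiar country
    ("2014-11-13T11:10:00", "carol", "change_password", "-"),              # routine change, no alert
    ("2014-11-14T08:00:00", "dave", "login", "DE"),                        # new country, nothing follows
    ("2014-11-14T08:30:00", "dave", "send_mail", "erin"),
]

@dataclass
class Alert:
    account: str
    login_at: datetime
    country: str
    recovery_changes: list
    mails_sent: int
    score: int

def detect_hijacks(events, known_locations=None):
    """Return one Alert per login from a country not previously seen for that
    account that is followed, inside WINDOW, by recovery-detail changes and/or a
    mail burst.  `known_locations` seeds per-account history (e.g. from the last
    90 days of logins); without it, history is built from the events themselves."""
    events = sorted(events, key=lambda e: e[0])
    seen = {acct: set(locs) for acct, locs in (known_locations or {}).items()}
    alerts = []
    for i, (ts, acct, kind, detail) in enumerate(events):
        if kind != "login":
            continue
        login_at = datetime.fromisoformat(ts)
        new_location = detail not in seen.setdefault(acct, set())
        seen[acct].add(detail)
        if not new_location:
            continue
        changes, mails = [], 0
        for ts2, acct2, kind2, detail2 in events[i + 1:]:
            if acct2 != acct:
                continue
            if datetime.fromisoformat(ts2) - login_at > WINDOW:
                break                      # same account, but outside the window
            if kind2 in RECOVERY_EVENTS:
                changes.append((kind2, detail2))
            elif kind2 == "send_mail":
                mails += 1
        # Recovery changes weigh more than mail volume: they lock the owner out.
        score = 2 * len(changes) + (1 if mails >= MAIL_BURST else 0)
        if score:
            alerts.append(Alert(acct, login_at, detail, changes, mails, score))
    return alerts

if __name__ == "__main__":
    for a in detect_hijacks(SAMPLE_EVENTS):
        print(f"{a.account}: login from {a.country} at {a.login_at:%Y-%m-%d %H:%M}, "
              f"recovery changes={a.recovery_changes}, mails={a.mails_sent}, score={a.score}")
```

A first-ever login for an account with no history counts as a new location, so seed `known_locations` from real history before trusting the absence of alerts.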

Verizon 'supercookies' could be a boon to advertisers, hackers

Supercookies could take a bigger bite out of your privacy than you think, say researchers. Here's what they're worried about.

It's bad enough that Verizon and AT&T have unleashed a new breed of "supercookie" that can track your every online move, even as you switch between your smartphone, tablet and TV. Far worse is the possibility of abuse by advertisers, governments and hackers, privacy experts warn.
"Any website you're going to end up on is going to get this supercookie," said Marc Maiffret, chief technology officer of cybersecurity company BeyondTrust. That opens the potential for these supercookies to be exploited by many more people than Verizon anticipated with its tracking program, he said.
Verizon, the largest mobile carrier in the US, uses information gleaned from its supercookies to understand your interests and concerns by tracking the websites you visit and links you click on. It then supplies that information to its advertisers so they can craft finely targeted advertising campaigns.
About 106 million of Verizon's consumer customers have been tracked this way for over two years by the company's Precision Market Insights program, according to a report by the Electronic Frontier Foundation published last week. AT&T tracks fewer customers, but only because the company says its program is still being tested.
Verizon and AT&T are the largest wireless carriers in the US.
"You're making it very difficult for people who want privacy to find it on the Internet," Paul Ohm, a senior policy adviser to the Federal Trade Commission and associate professor at the Colorado Law School, told The Washington Post, which reported the tracking programs last week.
Supercookies aren't called "super" for nothing. It's hard if not outright impossible to delete them. Verizon does allow customers to opt out of the tracking program: to opt out, consumers must unsubscribe from Precision Market Insights via Verizon's Wireless Web portal, its mobile app or over the phone.
"Customer privacy is a top priority. We never, ever share customer information with third-parties," said Verizon Wireless representative Adria Tomaszewski.
Verizon also changes its supercookie once a week, at the least. That's frequently enough to prevent third parties from exploiting Verizon's supercookie to their advantage, Tomaszewski said.
AT&T's supercookie is similar, although the company changes its supercookie every 24 hours and doesn't attach it after a customer deactivates it, the company told CNET News.
Cryptography researcher Kenneth White said his research indicates those supercookies never really go away.
And that's the problem, added Jacob Hoffman-Andrews, a senior technologist at the Electronic Frontier Foundation. "Your identity can be [rebuilt] from the cookies," he said.
T-Mobile said it has no plans to use supercookies. Sprint didn't return a request for comment.

Adobe Patches 18 Vulnerabilities in Flash

Adobe pushed out security updates for Flash Player this afternoon, addressing 18 different vulnerabilities, all critical, that could allow an attacker to take control of an affected system running the multimedia platform according to a security bulletin posted today.

The Patch Tuesday updates, available for Windows, Macintosh, and Linux machines, remedy vulnerabilities in several builds of Flash Player and AIR, Adobe’s run-time system.
The lion’s share of the vulnerabilities – 15 of the 18 – are use-after-free, double free, memory corruption, type confusion and buffer overflow vulnerabilities that could lead to code execution if left unpatched. Other vulnerabilities patched include issues that could cause session tokens to be disclosed, and privilege escalation.
Researchers with Google Project Zero, the Chromium Rewards Project, Microsoft, and several other firms dug up the vulnerabilities.
Adobe is urging users running older versions of Flash Player ( and earlier, and earlier 13.x versions, and earlier for Linux) and older versions of AIR ( and earlier, SDK and earlier, SDK & Compiler and earlier, and earlier for Android) to update as soon as possible.
In October, one week after Adobe pushed its last handful of patches for Flash, attackers began bundling one of the fixed vulnerabilities (CVE-2014-0569) into the Fiesta exploit kit. Independent malware researcher Kafeine wrote at the time that it was a “really fast integration” into an exploit kit and that whoever coded it must have reversed the patch in two days. It remains to be seen whether any of the 18 vulnerabilities that were fixed today are either currently being exploited in the wild or if they’ll eventually be incorporated into a future exploit kit.

Hijacking The Secret Sauce: Intellectual Property

I’m always amazed when an employee steals intellectual property (IP) from their company, only to take it with them as they head out the door for a new job. I wonder what thought process they go through. I’m sure you may know a story or two about people who helped themselves. At one company that I was working for years back, I had set up SNMP (simple network management protocol) monitoring of the printers in the company. In turn that data was fed back into the centralized logging solution. One Friday afternoon I noticed a series of print jobs from a person who I knew had given their notice two weeks previously. I read the names on the print jobs and I could not stop laughing. He was printing out internal documentation that was not meant to be distributed, let alone taken to his next job.
I picked up my coffee and stifled a smile. I decided to stroll by his desk. I walked by his, let’s call him Frank, desk. I took a sip and said, “Hey Frank. Just packing up?” He looked at me visibly unnerved. “Yup, last day you know.” I took another sip and answered back, “Oh right. Well, best of luck at the new gig.” I winked and walked away.
I positioned myself in a meeting room down the hall and around the corner. I was in a spot where I could see people leaving the building but, I was not readily visible unless someone looked back as they exited. I set up access to the CCTV on my screen and I waited. Thankfully, I didn’t have to wait long at all. Here he came along the hallway with three massive binders full of printouts. I just shook my head. Did “Frank” really think he was pulling one over on people? I was absolutely confused as to his logic.
I picked up the phone and called “Frank’s” boss. After I let him know what was transpiring, he quickly slipped down the stairs and was sitting at the front door before the elevator made it to the lobby. They’re slow as molasses in January, but sometimes you really have to love hydraulic elevators.
Needless to say “Frank” was met in the lobby and he surrendered his binders claiming he wasn’t doing anything wrong. He also returned the other large binders that were in the trunk of his car.
This is a type of behaviour that seems to happen a lot. An example that I can point to from another former job is from this article on Ars Technica.
AMD filed a complaint yesterday alleging that four of its former employees—one former vice-president and three former managers—transferred sensitive AMD documents before joining competing graphics chip maker Nvidia and then violated a “no-solicitation of employees” promise. The company alleges that Robert Feldstein, Manoo Desai, and Nicolas Kociuk collectively downloaded over 100,000 files onto external hard drives in the six months before leaving the company. All three and another manager, Richard Hagen, were accused of recruiting AMD employees after leaving for Nvidia.
Since this is already in the public domain I will merely nod my head. I wish I could comment at length on this one, but I can merely say that operations security, or OPSEC, was not high on their list of priorities.
Another example is the recent case of Dr. Franklin R. Cockerill III who was the president/CEO of Mayo Medical Labs. He was alleged to have been siphoning trade secrets for months prior to moving to a competitor.


Data Breach in U.S. Postal Service  

The Federal Bureau of Investigation is leading an investigation into a data breach at the U.S. Postal Service, which affected employees and customers.
In a Nov. 10 statement, which provides few details, USPS says it recently learned of a "cybersecurity intrusion" into some of its information systems. All operations are now functioning normally, according to the statement.
More than 800,000 employees were impacted in the breach, says David Partenheimer, spokesperson for the USPS. Employee information potentially compromised includes names, dates of birth, Social Security numbers, addresses, beginning and end dates of employment and emergency contact information.
Customers who contacted the Postal Service Customer Care Center with an inquiry via telephone or e-mail between Jan. 1 and Aug. 16 were also potentially affected, although USPS is still investigating the exact number of individuals impacted, Partenheimer says. Potentially compromised customer details include names, addresses, telephone numbers and e-mail addresses.

CNN, citing a U.S. official familiar with the breach, says 2.9 million postal service customers were affected by the breach.
Transactional systems in post offices, as well as on, where customers pay for services with credit and debit cards, have not been affected by the breach, USPS says. There is also no evidence that any customer credit card information from retail or online purchases, such as Click-N-Ship, the Postal Store, PostalOne!, change of address or other services was compromised, officials say.

China Involved?

Some news reports are indicating China may be behind the attacks, but Partenheimer says he cannot confirm that because "the source of the intrusion is under investigation."
But security consultant Richard Stiennon, author of Surviving Cyberwar, doesn't suspect China is behind the USPS breach. "They are still in the espionage and reconnaissance phase of their cyber-evolution," he says. "On the other hand ... one has to question the timing of the notification considering that President [Obama] arrived in China today."
Karl Rauscher, ambassador-at-large and chief architect for cyberspace policy at the Institute of Electrical and Electronics Engineers, says that cyber-attacks, like the one that targeted USPS, are becoming more sophisticated, "and even those best capable of reacting to them are overwhelmed. Cybersecurity today is typically practiced in a reactive posture to an ever growing number of threats."

No Evidence of Fraud

The USPS says it's not aware of any evidence that any of the potentially compromised customer or employee information has been used to engage in malicious activity.
But Dan Waddell, director of government affairs at (ISC)2, a global information security training and certification organization, warns that the incident, which involved the theft of e-mail addresses, could lead to targeted spear-phishing attacks. "USPS employees should be on the lookout for any suspicious e-mail that would serve as a mechanism to extract additional information, such as intellectual property, credit card information and other types of sensitive data," he says.
Impacted individuals are being offered one year of free identity theft protection services, Partenheimer says.
In addition to the FBI, the USPS is working on the investigation with the Department of Justice, the USPS Office of Inspector General, the Postal Inspection Service and the U.S. Computer Emergency Readiness Team. Private-sector specialists have also been brought in to assist in the investigation and remediation.
"We have recently implemented additional security measures designed to improve the security of our information systems, including certain actions this past weekend that caused certain systems to be offline," Partenheimer says. "We know this caused inconvenience to some of our customers and partners, and we apologize for any disruption."


Technical Hack of Ballots from Wireless Routers

Good paper, and layman's explanation.
It gives hackers the potential to seriously disrupt our democratic processes. It's really scary, and it could leave democracy unable to function at all.

Luxurious Attack Using Hotel Network 

Kaspersky Labs is reporting (detailed report here, technical details here) on a sophisticated hacker group that is targeting specific individuals around the world. "Darkhotel" is the name the group and its techniques has been given.
This APT precisely drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crew's most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world. These travelers are often top executives from a variety of industries doing business and outsourcing in the APAC region. Targets have included CEOs, senior vice presidents, sales and marketing directors and top R&D staff. This hotel network intrusion set provides the attackers with precise global scale access to high value targets. From our observations, the highest volume of offensive activity on hotel networks started in August 2010 and continued through 2013, and we are investigating some 2014 hotel network events.
Good article. This seems pretty obviously a nation-state attack. It's anyone's guess which country is behind it, though.
Targets in the spear-phishing attacks include high-profile executives, among them a media executive from Asia, as well as government agencies and NGOs and U.S. executives. The primary targets, however, appear to be in North Korea, Japan, and India. "All nuclear nations in Asia," Raiu notes. "Their targeting is nuclear themed, but they also target the defense industry base in the U.S. and important executives from around the world in all sectors having to do with economic development and investments." Recently there has been a spike in the attacks against the U.S. defense industry.
We usually infer the attackers from the target list. This one isn't that helpful. Pakistan? China? South Korea?

Incident Management: Is It 10X?

Security is a combination of protection, detection, and response. It's taken the industry a long time to get to this point, though. The 1990s was the era of protection. Our industry was full of products that would protect your computers and network. By 2000, we realized that detection needed to be formalized as well, and the industry was full of detection products and services.
This decade is one of response. Over the past few years, we've started seeing incident response (IR) products and services. Security teams are incorporating them into their arsenal because of three trends in computing. One, we've lost control of our computing environment. More of our data is held in the cloud by other companies, and more of our actual networks are outsourced. This makes response more complicated, because we might not have visibility into parts of our critical network infrastructures.
Two, attacks are getting more sophisticated. The rise of APT (advanced persistent threat)--attacks that specifically target for reasons other than simple financial theft--brings with it a new sort of attacker, which requires a new threat model. Also, as hacking becomes a more integral part of geopolitics, unrelated networks are increasingly collateral damage in nation-state fights.
And three, companies continue to under-invest in protection and detection, both of which are imperfect even under the best of circumstances, obliging response to pick up the slack.
Way back in the 1990s, they used to say that "security is a process, not a product." That was a strategic statement about the fallacy of thinking you could ever be done with security; you need to continually reassess your security posture in the face of an ever-changing threat landscape.
At a tactical level, security is both a product and a process. Really, it's a combination of people, process, and technology. What changes are the ratios. Protection systems are almost all technology, with some assistance from people and process. Detection requires more-or-less equal proportions of people, process, and technology. Response is mostly done by people, with critical assistance from process and technology.
Lorrie Faith Cranor once wrote, "Whenever possible, secure system designers should find ways of keeping humans out of the loop." That's sage advice, but you can't automate IR. Everyone's network is different. All attacks are different. Everyone's security environments are different. The regulatory environments are different. All organizations are different, and political and economic considerations are often more important than technical considerations. IR needs people, because successful IR requires thinking.
This is new for the security industry, and it means that response products and services will look different. For most of its life, the security industry has been plagued with the problems of a lemons market. That's a term from economics that refers to a market where buyers can't tell the difference between good products and bad. In these markets, mediocre products drive good ones out of the market; price is the driver, because there's no good way to test for quality. It's been true in anti-virus, it's been true in firewalls, it's been true in IDSs, and it's been true elsewhere. But because IR is people-focused in ways protection and detection are not, it won't be true here. Better products will do better because buyers will quickly be able to determine that they're better.
The key to successful IR is found in Cranor's next sentence: "However, there are some tasks for which feasible, or cost effective, alternatives to humans are not available. In these cases, system designers should engineer their systems to support the humans in the loop, and maximize their chances of performing their security-critical functions successfully." What we need is technology that aids people, not technology that supplants them.
The best way I've found to think about this is OODA loops. OODA stands for "observe, orient, decide, act," and it's a way of thinking about real-time adversarial situations developed by US Air Force military strategist John Boyd. He was thinking about fighter jets, but the general idea has been applied to everything from contract negotiations to boxing--and computer and network IR.
Speed is essential. People in these situations are constantly going through OODA loops in their head. And if you can do yours faster than the other guy--if you can "get inside his OODA loop"--then you have an enormous advantage.
We need tools to facilitate all of these steps:

  • Observe, which means knowing what's happening on our networks in real time. This includes real-time threat detection information from IDSs, log monitoring and analysis data, network and system performance data, standard network management data, and even physical security information--and then knowing which tools to use to synthesize and present it in useful formats. Incidents aren't standardized; they're all different. The more an IR team can observe what's happening on the network, the more they can understand the attack. This means that an IR team needs to be able to operate across the entire organization.

  • Orient, which means understanding what it means in context, both in the context of the organization and the context of the greater Internet community. It's not enough to know about the attack; IR teams need to know what it means. Is there a new malware being used by cybercriminals? Is the organization rolling out a new software package or planning layoffs? Has the organization seen attacks from this particular IP address before? Has the network been opened to a new strategic partner? Answering these questions means tying data from the network to information from the news, network intelligence feeds, and other information from the organization. What's going on in an organization often matters more in IR than the attack's technical details.

  • Decide, which means figuring out what to do at that moment. This is actually difficult because it involves knowing who has the authority to decide and giving them the information to decide quickly. IR decisions often involve executive input, so it's important to be able to get those people the information they need quickly and efficiently. All decisions need to be defensible after the fact and documented. Both the regulatory and litigation environments have gotten very complex, and decisions need to be made with defensibility in mind.

  • Act, which means being able to make changes quickly and effectively on our networks. IR teams need access to the organization's network--all of the organization's network. Again, incidents differ, and it's impossible to know in advance what sort of access an IR team will need. But ultimately, they need broad access; security will come from audit rather than access control. And they need to train repeatedly, because nothing improves someone's ability to act more than practice.
Pulling all of these tools together under a unified framework will make IR work. And making IR work is the ultimate key to making security work. The goal here is to bring people, process, and technology together in a way we haven't seen before in network security. It's something we need to do to continue to defend against the threats.

Wednesday, November 5, 2014

US Mobile Operator Tracks Your Internet Usage

Verizon is tracking the Internet use of its phones by surreptitiously modifying URLs. This is a good description of how it works.

Saturday, November 1, 2014

Apple Copies Your Files Without Your Knowledge or Consent

The latest version of Apple's OS automatically syncs your files to iCloud Drive, even files you choose to store locally. Apple encrypts your data, both in transit and in iCloud, with a key it knows. Apple, of course, complies with all government requests: FBI warrants, subpoenas, and National Security Letters -- as well as NSA PRISM and whatever-else-they-have demands.

This is a more nuanced discussion of this issue. At this point, it seems clear that there is a lot less here than described in the blog post below.
There is something here. It only affects unsaved documents, and not all applications. But the OS's main text editor is one of them. Yes, this feature has been in the OS for a while, but that's not a defense. It's both dangerous and poorly documented.

Attack Against Credit Card Verification

Here's a physical attack against a credit card verification system. Basically, the attack disrupts the communications between the retail terminal and the system that identifies revoked credit cards. Since retailers generally default to accepting cards when the system doesn't work, the attack is generally successful.

Spritz: An RC4 Redesign

Last week, Ron Rivest gave a talk at MIT about Spritz, a new stream cipher by him and Jacob Schuldt. It's basically a redesign of RC4, given current cryptographic tools and knowledge.
RC4 is an example of what I think of as a too-good-to-be-true cipher. It looks so simple. It is so simple. In classic cryptographic terms, it's a single rotor machine. It's a single self-modifying rotor, but it modifies itself very slowly. Even so, it's very hard to cryptanalyze. Even though the single rotor leaks information about its internal state with every output byte, its self-modifying structure always seems to stay ahead of analysis. But RC4 has been around for over 25 years, and the best attacks are at the edge of practicality.
Spritz is Rivest and Schuldt's redesign of RC4. It retains all of the problems that RC4 had. It's built on a 256-element array of bytes, making it less than ideal for modern 32-bit and 64-bit CPUs. It's not very fast. (It's 50% slower than RC4, which was already much slower than algorithms like AES and Threefish.) It has a long key setup. But it's a very clever design.
Here are the cores of RC4 and Spritz (all additions are modulo the array size, 256):
RC4:
1: i = i + 1
2: j = j + S[i]
3: SWAP(S[i];S[j])
4: z = S[S[i] + S[j]]
5: Return z
Spritz:
1: i = i + w
2: j = k + S[j + S[i]]
2a: k = i + k + S[j]
3: SWAP(S[i];S[j])
4: z = S[j + S[i + S[z + k]]]
5: Return z
S is an 8-bit permutation. In theory, it can be any size, which is nice for analysis, but in practice, it's a 256-element array. RC4 has two pointers into the array: i and j. Spritz adds a third: k. The parameter w is basically a constant. It's always 1 in RC4, but can be any odd number in Spritz (odd because that means it's always relatively prime to 256). In both ciphers, i slowly walks around the array, and j -- or j and k -- bounce around wildly. Both have a single swap of two elements of the array. And both produce an output byte, z, a function of all the other parameters. In Spritz, the previous z is part of the calculation of the current z.
That's the core. There are also functions for turning the key into the initial array permutation, using this as a stream cipher, using it as a hash function, and so on. It's basically a sponge function, so it has a lot of applications.
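The two cores above, together with the key setup, stream-cipher and hash modes mentioned here, in runnable form. This is an added Python example, not the page's or Rivest and Schuldt's own code; the RC4 key schedule and the Spritz absorb/shuffle/squeeze routines are reproduced from the published pseudocode from memory, so treat them as an illustration rather than a reference implementation.

```python
from math import gcd

N = 256  # both ciphers permute a 256-element byte array S

def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key scheduling, then the page's five-line i/j/swap/output core."""
    S = list(range(N))
    j = 0
    for i in range(N):  # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):  # keystream generation (PRGA)
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % N])
    return bytes(out)

class Spritz:  # sponge state: registers i, j, k, z, a, w and permutation S
    def __init__(self):
        self.i = self.j = self.k = self.z = self.a = 0
        self.w = 1  # step size for i; kept coprime to N (odd for N = 256)
        self.S = list(range(N))
    def _update(self):  # Spritz core, lines 1-3 on the page (all mod N)
        S = self.S
        self.i = (self.i + self.w) % N
        self.j = (self.k + S[(self.j + S[self.i]) % N]) % N
        self.k = (self.i + self.k + S[self.j]) % N
        S[self.i], S[self.j] = S[self.j], S[self.i]
    def _output(self):  # line 4: the previous z feeds the next z
        S = self.S
        self.z = S[(self.j + S[(self.i + S[(self.z + self.k) % N]) % N]) % N]
        return self.z
    def _whip(self, r):  # r updates, then advance w to the next value coprime to N
        for _ in range(r):
            self._update()
        self.w = next(w for w in range(self.w + 1, self.w + N + 1) if gcd(w, N) == 1)
    def _crush(self):  # one-way compression: order each mirrored pair of S
        S = self.S
        for v in range(N // 2):
            if S[v] > S[N - 1 - v]:
                S[v], S[N - 1 - v] = S[N - 1 - v], S[v]
    def _shuffle(self):  # whip, crush, whip, crush, whip; reset absorb index
        for _ in range(2):
            self._whip(2 * N)
            self._crush()
        self._whip(2 * N)
        self.a = 0
    def _absorb_nibble(self, x):
        if self.a == N // 2:
            self._shuffle()
        self.S[self.a], self.S[N // 2 + x] = self.S[N // 2 + x], self.S[self.a]
        self.a += 1
    def absorb(self, data: bytes):  # low nibble first, then high nibble
        for b in data:
            self._absorb_nibble(b & 0x0F)
            self._absorb_nibble(b >> 4)
    def absorb_stop(self):  # separator between absorbed inputs
        if self.a == N // 2:
            self._shuffle()
        self.a += 1
    def squeeze(self, r: int) -> bytes:
        if self.a > 0:
            self._shuffle()
        out = bytearray()
        for _ in range(r):
            self._update()
            out.append(self._output())
        return bytes(out)

def spritz_keystream(key: bytes, length: int) -> bytes:
    st = Spritz()
    st.absorb(key)  # KeySetup(K); XOR the squeezed bytes with the message
    return st.squeeze(length)

def spritz_hash(msg: bytes, r: int) -> bytes:
    """Hash use (r < 256): absorb message, a stop symbol, and the output length."""
    st = Spritz()
    st.absorb(msg)
    st.absorb_stop()
    st.absorb(bytes([r]))
    return st.squeeze(r)
```

Note how the same Spritz state serves both modes: the only difference between the stream cipher and the hash is what gets absorbed before squeezing, which is what makes it a sponge. RC4 with key "Key" should turn "Plaintext" into BBF316E8D940AF0AD3, and Spritz with key "ABC" should emit 77 9a 8e 01 f9 e9 cb c0 as its first keystream bytes.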
What's really interesting here is the way Rivest and Schuldt chose their various functions. They basically tried them all (given some constraints), and chose the ones with the best security properties. This is the sort of thing that can only be done with massive computing power.
I have always really liked RC4, and am happy to see a 21st-century redesign. I don't know what kind of use it'll get with its 8-bit word size, but surely there's a niche for it somewhere.

Handling The Risk of Ebola

Good essay.
Worry about Ebola (or anything) manifests physically as what's known as a fight, flight, or freeze response. Biological systems ramp up or down to focus the body's resources on the threat at hand. Heart rate and blood pressure increase, immune function is suppressed (after an initial burst), brain chemistry changes, and the normal functioning of the digestive system is interrupted, among other effects. Like fear itself, these changes are protective in the short term. But when they persist, the changes prompted by chronic stress -- defined as stress beyond the normal hassles of life, lasting at least one to two weeks -- are associated with increased risk of cardiovascular disease (the leading cause of death in America); increased likelihood and severity of clinical depression (suicide is the 10th leading cause of death in America); depressed memory formation and recall; impaired fertility; reduced bone growth; and gastrointestinal disorders.
Perhaps most insidious of all, by suppressing our immune systems, chronic stress makes us more likely to catch infectious diseases, or suffer more -- or die -- from diseases that a healthy immune system would be better able to control. The fear of Ebola may well have an impact on the breadth and severity of how many people get sick, or die, from influenza this flu season. (The CDC reports that, either directly or indirectly, influenza kills between 3,000 and 49,000 people per year.)
There is no question that America's physical, economic, and social health is far more at risk from the fear of Ebola than from the virus itself.
The State of Louisiana is prohibiting researchers who have recently been to Ebola-infected countries from attending a conference on tropical medicine. So now we're at a point where our fear of Ebola is inhibiting scientific research into treating and curing Ebola.

Enigma enciphering/deciphering machine was patented in Holland

Good article, with pictures, diagrams, and code.

Spyware Sold to Despots and Cops Worldwide

The Intercept has published the complete manuals for Hacking Team's attack software. This follows a detailed report on Hacking Team's products from August. Hacking Team sells computer and cell phone hacking capabilities to the governments of Azerbaijan, Colombia, Egypt, Ethiopia, Hungary, Italy, Kazakhstan, Korea, Malaysia, Mexico, Morocco, Nigeria, Oman, Panama, Poland, Saudi Arabia, Sudan, Thailand, Turkey, UAE, and Uzbekistan... and probably others as well.
This is important. The NSA's capabilities are not unique to the NSA. They're not even unique to countries like the US, UK, China, Russia, France, Germany, and Israel. They're available for purchase by any totalitarian country that wants to spy on foreign governments or its own citizens. By ensuring an insecure Internet for everyone, the NSA enables companies like Hacking Team to thrive.