maxomai: dog (dog)
If you all don't read Bruce Schneier's blog, you should.

Originally posted by [livejournal.com profile] bruce_schneier at Bizarre High-Tech Kidnapping

This is a story of a very high-tech kidnapping:

FBI court filings unsealed last week showed how Denise Huskins' kidnappers used anonymous remailers, image sharing sites, Tor, and other people's Wi-Fi to communicate with the police and the media, scrupulously scrubbing meta data from photos before sending. They tried to use computer spyware and a DropCam to monitor the aftermath of the abduction and had a Parrot radio-controlled drone standing by to pick up the ransom by remote control.

The story also demonstrates just how effective the FBI is at tracing cell phone usage these days. They had a blocked call from the kidnappers to the victim's cell phone. First they served a search warrant on AT&T to get the actual calling number. After learning that it was an AT&T prepaid Tracfone, they called AT&T to find out where the burner was bought, what the serial numbers were, and the location where the calls were made from.

The FBI reached out to Tracfone, which was able to tell the agents that the phone was purchased from a Target store in Pleasant Hill on March 2 at 5:39 pm. Target provided the bureau with a surveillance-cam photo of the buyer: a white male with dark hair and medium build. AT&T turned over records showing the phone had been used within 650 feet of a cell site in South Lake Tahoe.

Here's the criminal complaint. It borders on surreal. Were it an episode of CSI:Cyber, you would never believe it.

maxomai: dog (dog)
EDIT: You can mitigate the damage this vulnerability does by shutting off auto-loading of MMS messages. This article tells you how to do it.

Originally posted by [livejournal.com profile] bruce_schneier at Stagefright Vulnerability in Android Phones

The Stagefright vulnerability for Android phones is a bad one. It's exploitable via a text message (details depend on auto downloading of the particular phone), it runs at an elevated privilege (again, the severity depends on the particular phone -- on some phones it's full privilege), and it's trivial to weaponize. Imagine a worm that infects a phone and then immediately sends a copy of itself to everyone on that phone's contact list.
The worst part of this is that it's an Android exploit, so most phones won't be patched anytime soon -- if ever. (The people who discovered the bug alerted Google in April. Google has sent patches to its phone manufacturer partners, but most of them have not sent the patch to Android phone users.)

maxomai: dog (dog)
(Wherein Bruce Schneier shares my skepticism about the latest "unbreakable" encryption.)

Originally posted by [livejournal.com profile] bruce_schneier at "Unbreakable" Encryption Almost Certainly Isn't

This headline is provocative: "Human biology inspires 'unbreakable' encryption."

The article is similarly nonsensical:

Researchers at Lancaster University, UK have taken a hint from the way the human lungs and heart constantly communicate with each other, to devise an innovative, highly flexible encryption algorithm that they claim can't be broken using the traditional methods of cyberattack.

Information can be encrypted with an array of different algorithms, but the question of which method is the most secure is far from trivial. Such algorithms need a "key" to encrypt and decrypt information; the algorithms typically generate their keys using a well-known set of rules that can only admit a very large, but nonetheless finite number of possible keys. This means that in principle, given enough time and computing power, prying eyes can always break the code eventually.

The researchers, led by Dr. Tomislav Stankovski, created an encryption mechanism that can generate a truly unlimited number of keys, which they say vastly increases the security of the communication. To do so, they took inspiration from the anatomy of the human body.

Regularly, someone from outside cryptography -- who has no idea how crypto works -- pops up and says "hey, I can solve their problems." Invariably, they make some trivial encryption scheme because they don't know better.

Remember: anyone can create a cryptosystem that he himself cannot break. And this advice from 15 years ago is still relevant.

Another article, and the paper.

maxomai: dog (dog)
(Remember Firesheep? --maxomai)

Originally posted by [livejournal.com profile] bruce_schneier at Mass Surveillance by Eavesdropping on Web Cookies

Interesting research:

Abstract: We investigate the ability of a passive network observer to leverage third-party HTTP tracking cookies for mass surveillance. If two web pages embed the same tracker which emits a unique pseudonymous identifier, then the adversary can link visits to those pages from the same user (browser instance) even if the user’s IP address varies. Using simulated browsing profiles, we cluster network traffic by transitively linking shared unique cookies and estimate that for typical users over 90% of web sites with embedded trackers are located in a single connected component. Furthermore, almost half of the most popular web pages will leak a logged-in user’s real-world identity to an eavesdropper in unencrypted traffic. Together, these provide a novel method to link an identified individual to a large fraction of her entire web history. We discuss the privacy consequences of this attack and suggest mitigation strategies.

Blog post.

maxomai: dog (dog)
ImperialViolet has this concise explanation of what caused the problems in Apple's SSL stack. In short, it has to do with a duplicate goto statement.

Actually, no, it doesn't. While goto statements might be a bad idea (PDF), the duplicate goto is the proximate cause of the problem, not the root cause. The root causes are much more difficult to fix:

  • The SSL stack is actually very hard to unit-test thoroughly, and therefore even a proper test wouldn't necessarily have caught this bug.

  • Programmers assume that code behaves according to its indentation, but it doesn't (unless it's Python-like). So, even if another coder caught this errant goto, they might have assumed that the errant goto was tied to the previous if statement, and would thus never run.

Apple is deploying patches to fix the problem on iOS devices (iPhones, iPads, certain iPods). They have yet to deploy a patch to OS X, which, as a Mac user, I find personally irritating.
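The duplicate-goto pattern described above, as an added example that is not Apple's code or ImperialViolet's: a toy model of the vulnerable function beside a braced fix, plus the negative unit test that would have exposed it. The hashing and signature routines (hash_update, hash_final, raw_verify, toy_sign) are constructed stand-ins assumed for this example, not Apple's API.

```c
#include <string.h>

/* Return codes in the style of the Apple SSL code: 0 means success. */
#define ERR_OK      0
#define ERR_BAD_SIG 2
#define DIGEST_LEN  32

typedef struct { unsigned char state[DIGEST_LEN]; } hash_ctx;

/* Stand-in for SSLHashSHA1.update: a toy XOR fold constructed for this example, not a real hash. */
static int hash_update(hash_ctx *ctx, const unsigned char *data, int len) {
    for (int i = 0; i < len; i++)
        ctx->state[i % DIGEST_LEN] ^= data[i];
    return ERR_OK;                           /* always succeeds, as the real call did */
}

/* Stand-in for SSLHashSHA1.final. */
static int hash_final(const hash_ctx *ctx, unsigned char *out) {
    memcpy(out, ctx->state, DIGEST_LEN);
    return ERR_OK;
}

/* Stand-in for sslRawVerify: the toy "signature" is valid only if it equals the digest. */
static int raw_verify(const unsigned char *digest, const unsigned char *sig, int slen) {
    if (slen != DIGEST_LEN || memcmp(digest, sig, DIGEST_LEN) != 0)
        return ERR_BAD_SIG;
    return ERR_OK;
}

/* Produces the signature raw_verify accepts, so a test can build a valid input. */
void toy_sign(const unsigned char *params, int plen, unsigned char *sig_out) {
    hash_ctx ctx;
    memset(&ctx, 0, sizeof ctx);
    hash_update(&ctx, params, plen);
    hash_final(&ctx, sig_out);
}

/* BUGGY: the shape of Apple's verify routine. The second goto is indented as if it
 * belonged to the if, but C ignores indentation: it always runs, with err still 0 from
 * the successful update, so the function reports success without reaching raw_verify. */
int verify_signed_params_buggy(const unsigned char *params, int plen,
                               const unsigned char *sig, int slen) {
    hash_ctx ctx; unsigned char digest[DIGEST_LEN]; int err;
    memset(&ctx, 0, sizeof ctx);
    if ((err = hash_update(&ctx, params, plen)) != 0)
        goto fail;
        goto fail;                           /* the duplicated line */
    if ((err = hash_final(&ctx, digest)) != 0)
        goto fail;
    err = raw_verify(digest, sig, slen);     /* never reached */
fail:
    return err;
}

/* FIXED: one goto per check, inside braces, so the scope the indentation suggests is
 * the scope the compiler sees. A duplicate inside braces is dead code, not a bypass. */
int verify_signed_params_fixed(const unsigned char *params, int plen,
                               const unsigned char *sig, int slen) {
    hash_ctx ctx; unsigned char digest[DIGEST_LEN]; int err;
    memset(&ctx, 0, sizeof ctx);
    if ((err = hash_update(&ctx, params, plen)) != 0) {
        goto fail;
    }
    if ((err = hash_final(&ctx, digest)) != 0) {
        goto fail;
    }
    err = raw_verify(digest, sig, slen);
fail:
    return err;
}

typedef int (*verify_fn)(const unsigned char *, int, const unsigned char *, int);

/* The negative test that exposes the bug: a forged signature must be rejected (1 = rejected). */
int rejects_forged_signature(verify_fn verify) {
    const unsigned char params[] = "constructed signed params";  /* constructed sample input */
    unsigned char forged[DIGEST_LEN];
    memset(forged, 0xAA, sizeof forged);
    return verify(params, (int)sizeof params - 1, forged, DIGEST_LEN) != ERR_OK;
}

/* The positive test both versions pass, which is why it alone would not have caught this. */
int accepts_valid_signature(verify_fn verify) {
    const unsigned char params[] = "constructed signed params";
    unsigned char sig[DIGEST_LEN];
    toy_sign(params, (int)sizeof params - 1, sig);
    return verify(params, (int)sizeof params - 1, sig, DIGEST_LEN) == ERR_OK;
}
```

Calling rejects_forged_signature with the buggy function returns 0 (the forgery is accepted) and with the fixed one returns 1, while accepts_valid_signature returns 1 for both, which is why a test suite of only happy-path cases misses this class of bug.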
maxomai: dog (dog)
Originally posted by [livejournal.com profile] briankrebs_rss at Fire Sale on Cards Stolen in Target Breach

Last year’s breach at Target Corp. flooded underground markets with millions of stolen credit and debit cards. In the days surrounding the breach disclosure, the cards carried unusually high price tags — in large part because few banks had gotten around to canceling any of them yet. Today, two months after the breach, the number of unsold stolen cards that haven’t been cancelled by issuing banks is rapidly shrinking, forcing the miscreants behind this historic heist to unload huge volumes of cards onto underground markets and at cut-rate prices.

Cards stolen in the Target breach have become much cheaper as more of them come back declined or cancelled by issuing banks.


Earlier today, the underground card shop Rescator[dot]so moved at least 2.8 million cards stolen from U.S.-based shoppers during the Target breach. This chunk of cards, dubbed “Beaver Cage” by Rescator, was the latest of dozens of batches of cards stolen from Target that have gone on sale at the shop since early December.


The Beaver Cage batch of cards has fallen in price by as much as 70 percent compared to those in “Tortuga,” a huge chunk of several million cards stolen from Target that sold for between $26.60 and $44.80 apiece in the days leading up to Dec. 19 — the day that Target acknowledged a breach. Today, those same cards are now retailing for prices ranging from $8 to $28. The oldest batches of cards stolen in the Target breach — i.e., the first batches of stolen cards sold — are at the top of the legend in the graphic above; the “newer,” albeit less fresh, batches are at the bottom.


The core reason for the price drop appears to be the falling “valid rate” associated with each batch. Cards in the Tortuga base were advertised as “100 percent valid,” meaning that customers who bought ten cards from the store could expect all 10 to work when they went to use them at retailers to purchase high-priced electronics, gift cards and other items that can be quickly resold for cash.


This latest batch of Beaver Cage cards, however, carries only a 60 percent valid rate, meaning that on average customers can expect at least 4 out of every 10 cards they buy to come back declined or canceled by the issuing bank.


The previous batch of Beaver Cage cards — pushed out by Rescator on Feb. 6 — included nearly 4 million cards stolen from Target and carried a 65 percent valid rate. Prior to Beaver Cage, the Target cards were code-named “Eagle Claw.” On Jan. 29, Rescator debuted 4 million cards bearing the Eagle Claw name and a 70 percent valid rate. The first two batches of Eagle Claw-branded cards — a chunk of 2 million cards — were released on Jan. 21 with a reported 83 percent valid rate.



Rescator[dot]so card shop announcing the availability of new bases of Target cards.

HARBOR FREIGHT


The same pattern can be observed in another major breach from 2013. Relying on much the same method I used to validate the Target breach, I approached several financial institutions to determine if other batches of cards sold by Rescator’s various shops could be traced to specific breaches in 2013.


Sure enough, it didn’t take long to identify the midsummer 2013 breach at Harbor Freight Tools as the source of at least two major batches (they are called “bases” in the card shops, not batches) of cards sold by Rescator’s shops last year. Beginning in late June 2013, Rescator began selling a base called “Lepid,” moving new batches of Lepid cards onto the market almost every week in chunks of 100,000 cards at a time.


Just as with the Target breach, the Lepid cards initially were advertised as 100 percent valid, and came with a hefty price tag. But by mid-July 2013, the valid rates had begun to dip down to 95 percent, most likely because by that time banks had begun seeing the fraud and canceling cards. A month later, the valid rates were below 75 percent, and by the time the Target breach was disclosed in December, fewer than half of the cards were still active.


Prices on cards stolen in the Harbor Freight Tools breach fall as more cards come back declined.


In late July, Harbor Freight disclosed a breach of its payment card system that lasted for seven weeks between May 6 and June 30, 2013. The company has not said how many customer cards were stolen, but from the volume of Lepid cards pushed onto Rescator’s shop as well as those from other bases tied to cards all used at Harbor Freight during the breach time frame (including bases “Laurentius” and “Sidonius”), it’s likely to have been several million.


The data from both Target and Harbor Freight Tools raise several questions. For starters, why did the valid rate decline so much faster with the Target cards than with those stolen from Harbor Freight? After all, it took nearly six months for the valid rates on cards stolen from Harbor Freight to reach 50 percent, while we’re already fast approaching that rate with the Target cards just two months after that breach was disclosed. I’m guessing the obvious answer is most likely the correct one: That the Target breach simply received a great deal more attention, both from the media and from card-issuing banks nationwide.


Does this mean the Target and Harbor Freight breaches are connected? I have no idea, although I strongly suspect that Rescator and his merry band of thieves played a key role in both breaches — beyond merely offloading stolen cards. In several instances, Rescator himself referred to Lepid as “our” base, indicating the batch was from a firsthand source.


The analysis of some of the malware used in the Target breach suggests that Rescator may have been directly involved in that attack. I don’t have any such clues from the Harbor Freight breach; the company has not responded to requests for comment, and Mandiant — the forensics firm which was called in to investigate the Harbor Freight breach — declined to comment.


Finally, a number of folks with whom I’ve shared this research wondered why any cards that were suspected as stolen in the breach at Target would not already have been canceled by issuing banks. It’s not clear how accurate Rescator’s valid rates are — certainly Rescator has a vested interest in fudging the numbers.


But assuming the percentages are relatively accurate, many factors could explain why some banks haven’t simply canceled and reissued all cards potentially impacted in the breach. One source I spoke with earlier this year from a fairly large card issuer said his institution still had not reissued at least 40 percent of their cards affected by the Target breach. The source said those cards generally fell into two categories: Cards that had only recently been reissued prior to the Target breach discovery, and those that were expected to naturally reach their expiration dates in the next month or so.


I should note that the above analysis ignores several million non-US cards stolen from Target shoppers and sold under the international “Barbarossa” label (the outlier in orange from the first graphic above), which at one time fetched prices in excess of $120 per card.

maxomai: dog (dog)
Editorial: Bruce Schneier is one of the most trusted names in computer security. He literally wrote the book on Applied Cryptography. Until recently, he was the Chief Security Officer at British Telecom, and he recently joined as Chief Technology Officer for a startup, Co3Systems. His opinion carries a lot of weight in the security world, which is part of the reason why his critiques of the US National Security effort after 9/11 have been so damning.

Below, we are shown an example of how the NSA has exploited a commonly used firewall appliance.

By the way - if the NSA has this exploit, so does everyone to whom the NSA has divulged the details of this exploit, willingly or unwillingly, officially or unofficially.

--maxomai

Originally posted by [livejournal.com profile] bruce_schneier at HALLUXWATER: NSA Exploit of the Day

Today's implant from the NSA's Tailored Access Operations (TAO) group implant catalog:

HALLUXWATER

(TS//SI//REL) The HALLUXWATER Persistence Back Door implant is installed on a target Huawei Eudemon firewall as a boot ROM upgrade. When the target reboots, the PBD installer software will find the needed patch points and install the back door in the inbound packet processing routine.

Once installed, HALLUXWATER communicates with an NSA operator via the TURBOPANDA Insertion Tool (PIT), giving the operator covert access to read and write memory, execute an address, or execute a packet.

HALLUXWATER provides a persistence capability on the Eudemon 200, 500, and 1000 series firewalls. The HALLUXWATER back door survives OS upgrades and automatic bootROM upgrades.

Status: (U//FOUO) On the shelf, and has been deployed.

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

This one is a big deal politically. For years we have been telling the Chinese not to install hardware back doors into Huawei switches. Meanwhile, we have been doing exactly that. I wouldn't want to have been the State Department employee to receive that phone call.

maxomai: dog (dog)
Thanks to Edward Snowden, we now know this:

Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a "back door" in encryption products, the New York Times reported in September.

...

Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract.


In other words, if you used RSA products and the default random number generator, you basically gave the NSA the keys to your kingdom... not to mention anyone to whom the NSA disclosed this information, willingly or otherwise.

You would do well to dump RSA products and find an open source substitute immediately.
maxomai: dog (dog)
SnapChat, for those of you not familiar with it, is a photo- and video-sharing service for Android and Apple devices. Much hay has been made recently that teenagers are turning away from FaceBook and towards SnapChat; then came news that SnapChat turned down a $3,000,000,000.00 (yes, that's three billion dollars) offer from FaceBook (Slashdot has a discussion here). Clearly, this is a hot commodity, and so I went to check it out. Having checked it out, I have decided to pass. But I can see its appeal. In fact, I admit that my passing is a sign that I'm getting old.

The main feature of LiveJournal, for me, is permanence. I can look back on my LJ going back to when I started it, and it's like reading old diaries and seeing old photos. I can convert my entire LJ to a book (as of now it's over 6000 pages long). John Crow, back when he was using LJ as his primary blogging platform, used to speak about saving each year of FaceBook into a book. The flip side is that I'm accountable for everything I've written unless I restrict my audience. This is why I post my predictions here, in fact; so that people can go back during the year, review them, and judge how I've done. (By "people," I mostly mean "me" right now. Such is life.)

The main feature of SnapChat, meanwhile, is that the photos and videos don't last. They disappear within seconds of being seen from the receiver's screen. SnapChat stories, a new feature being rolled out by the company, have a montage of photos and videos, each of which have a lifetime of 24 hours. It's about the ephemeral, claims the app sales language. Or maybe it's about lack of accountability.

Snapchat's user base is young. Younger than FaceBook's. Therefore, younger than LiveJournal's. And I'm thinking that it's that quality of impermanence, ephemerality, lack of accountability, that appeals most to the younger generation. If so, that speaks to an interesting generation gap.

Edit: Come to think of it, 4chan uses a similar model.
maxomai: dog (dog)
Lavabit won a victory in court that allowed them to reveal the FBI's secret demand: turn over your SSL root certificate or go to jail. Quoting Wired:

“The representative of Lavabit indicated that Lavabit had the technical capability to decrypt the information, but that Lavabit did not want to ‘defeat [its] own system,’” the government complained.

U.S. Magistrate Judge Theresa Buchanan immediately ordered Lavabit to comply, threatening Levison with criminal contempt — which could have potentially put him in jail.

By July 9, Lavabit still hadn’t defeated its security for the government, and prosecutors asked for a summons to be served for Lavabit, and founder Ladar Levison, to be held in contempt “for its disobedience and resistance to these lawful orders.”

A week later, prosecutors upped the ante and obtained the search warrant demanding “all information necessary to decrypt communications sent to or from the Lavabit e-mail account [redacted] including encryption keys and SSL keys.”

With the SSL keys, and a wiretap, the FBI could have decrypted all web sessions between Lavabit users and the site, though the documents indicate the bureau was still trying only to capture metadata on one user.


The complete document set can be found here.

So basically, in order to go after one person - and by all indications, that person is Edward Snowden - the FBI demanded the metadata for all Lavabit users, and then eventually demanded the keys to all Lavabit traffic, encrypted or not. In response, Lavabit shut their doors and risked criminal prosecution. I give them ten out of ten for integrity.

It's important not to read too much into this case with respect to the NSA's wiretapping program, by the way. The FBI and NSA are operating by different sets of rules with respect to how they are allowed to gather information, and the NSA in particular has their own secret court to approve their activities. Note, also, that the FBI is using a vacuum cleaner approach to go after one suspect, whereas the NSA is using a vacuum cleaner approach to profile literally everyone.
maxomai: dog (dog)
One of Obamacare's biggest cheerleaders is pissed off, because Healthcare.gov is a complete clusterfuck this morning.

Dear government developers, at all levels: this is why you talk to your private sector colleagues. There are ways to load test your applications with artificial data, and with live data through beta testing. You're just too lazy to find them before the shit hits the fan, because you mistake your tenure for an excuse to be lazy as opposed to an opportunity to take risks. Hopefully this morning is a counterexample.
maxomai: dog (dog)
Those of you familiar with the Twitter feed Horse_eBooks may know it as a weird automatic spam account that occasionally produces entertaining results.

Turns out it's a long-running work of performance art (2).

Slashdot has a discussion.

Metaphysics question: what does it mean if a person deliberately fails the Turing test?
maxomai: dog (dog)
Quoting NBC News's coverage of Apple's unveiling of the latest iPhone:

This phone has had a massive overhaul inside the case, despite its cosmetic similarity to its predecessor: A new camera, core chipset, motion processing system, even a fingerprint scanner for security and ease of use.


Got that? They just want to store your fingerprints on their device. It's as secure as a passcode because you only leave them around every time you touch something and they're really hard to change. It's good security. Really. Trust them.

maxomai: dog (dog)

  • In Egypt, we learn that the United States helped bankroll the anti-Morsi movement. Which means, in effect, that all this hand-wringing about whether Morsi's ouster was a coup is just kabuki. Justin Raimondo lays it out for us here.

  • Meanwhile, Saudi Arabia and the UAE are throwing money at the interim Egyptian government ... probably with the tacit understanding that elections, civil liberties, and the like, should not be a priority. If there's anyone who's threatened by the Arab Spring, it's the arthritic monarchies of the Peninsula.

  • A Q-poll of 2014 American voters shows that a majority view NSA leaker Snowden as a whistleblower, not a traitor; which once again goes to show that the political leadership and pundits are painfully out of touch.

  • Microsoft is undergoing a massive reorganization after more than a decade of stagnation and losing ground to Apple, Google, Amazon, and others. And yet, Steve Ballmer remains at the helm, when any reputable analyst would suggest that his first move should be to fire himself. Still, there is good news - you can't get fired for buying Microsoft. (Parenthetically, remember when IBM was, you know, relevant?)

  • Are you on the J. D. Holmes mailing list? You should be. If you were, then you'd know that the re-release of Cults of the Shadow is now available for pre-order.

  • College students are really enthusiastic about math and science, until they realize that they're actually really hard. Draw your own parallels.

maxomai: (angry-penguin)
I was wondering why Snowden chose to bivouac in Hong Kong while he spills the beans on how the US Government is violating our 4th Amendment rights. Hong Kong, after all, is part of China, which has an extradition treaty with the US and no particular desire to piss off Washington.

Then, Snowden revealed that the US has been hacking China for some time; that, in fact, they're hacking everyone, all the time. This may file under the heading of "Captain Obvious to the rescue," but stating it publicly like this ends up benefiting China at the expense of the US Government. Between that and Snowden's enormous popularity with Chinese Internet users, I'm guessing that China is now motivated to give Snowden some more room.

I will confess, there is a part of me that thinks this might have too much of a Fitzmas feel to it. Stay tuned.
maxomai: dog (dog)
Back in 2009, I found out that Oracle was buying Sun Microsystems, and let out a shriek of horror. Sun was a company in trouble, but their IP portfolio was impressive - it included Java, OpenOffice, and MySQL, all essential technologies for open source computing at that time. Since then, my worst fears for those technologies have been realized. First, MySQL forked after the core development group revolted - the future of that DBMS is now MariaDB and SkySQL. Then, the core OpenOffice developers revolted, and formed LibreOffice, leaving Oracle with little choice but to hand OpenOffice over to the Apache Group.

As for Java, Oracle was already threatening its future by trying to claim ownership of the Java APIs, which are basically the standards for what makes a Java implementation a "real" implementation. Now, they are taking the unprecedented step of charging its customers for bugfixes to some of the core Java libraries.

I think I understand what Oracle is doing. They figure that if they can charge for Java bugfixes, they can monetize the billions of lines of Java business code out there, and also have a shot at a piece of the Android market. (Java is required to write native apps for Android, at least for now.)

Unfortunately, this is bad news for the future of Java, which may soon find itself relegated to the status of a legacy language, COBOL-style, if IBM and other vendors can't pressure Oracle to change its tune. More unfortunately, there's not much else out there that matches Java's portability. If Oracle wanted to mess with millions of people's careers, they couldn't have picked a better technology to mess with.

The way I see it, IBM, Google, and others have three choices. The first is to give Oracle the finger and fork Java, the way MariaDB and SkySQL forked MySQL and LibreOffice forked OpenOffice. IBM and Oracle certainly have the talent to do it, and it would make Oracle's claims of copyright over the APIs all the more pressing. The second is to deprecate Java in favor of another widely adopted language, such as Python. (In fact, I think a good case could be made for Python to replace Java. Python is easy to learn, absolutely enterprise-grade, rather powerful in the right hands, and runs on Windows, Linux, various kinds of UNIX, and Mac. If you want Python on iSeries or Python on zOS, you're kinda taking your chances right now; but if IBM adopts Python, then it won't take long for them to get these ports up to speed. Ports of Python to Android already exist, and it would make sense for Google to make Python and Go into alternative languages for native Android development, just as they are now used for Google App Engine development. Several good IDEs for Python exist, including IDLE, Aptana, and classic Eclipse with PyDev.)

The third choice is to grin and bear it, paying Oracle a huge sum of money for bugfixes to distribute to their customers. Somehow, I don't see them, or Oracle, agreeing to this.

In the meanwhile, that ancient curse, "may you live in interesting times," seems to have re-asserted itself onto the computing world. Bummer.
maxomai: dog (dog)
Working on open source projects usually requires one to submit patch files and gzipped tarballs to one's compatriots. This isn't a big deal on most UNIX (including Linux) machines. On Windows one can do this with 7Zip, excepting that newlines in Windows are usually represented by \r\n instead of \n. On Macs, one can do this on command line, but it's more Mac-like to do it in Finder.

There are instructions here for setting up just such a service in Finder. Unfortunately it only tells one how to create tarballs, not how to create gzipped tarballs. It also zips normally hidden Mac copy files along with the expected files, which can leave one's compatriots with a mess.

You can fix both of these messes by using the below script instead of the one provided by Mr Miller. All I've done here is change the last line in accordance with this hint. Hope it's useful.

(I know, I know, the code isn't indented. Unfortunately the only way to really ensure indentation in LiveJournal is to play with CSS, and my CSS-fu is weak. You'll have to make it pretty yourself.)


# Finder service: build a gzipped tarball of the selected items, leaving out the
# hidden ._* resource-fork copies. The arguments are the full paths Finder passes
# in, and they are assumed to live in the same folder.
Tarfile="$1.tar.gz"
count=1
cd "${1%/*}" || exit 1
if [ $# -eq 1 ]; then
    # One item: name the archive after it, adding a counter if that name is taken.
    while [ -e "$Tarfile" ]
    do
        let count++
        Tarfile="$1 $count.tar.gz"
    done
else
    # Several items: use a generic name, again avoiding collisions.
    Tarfile="Archive.tar.gz"
    while [ -e "$Tarfile" ]
    do
        let count++
        Tarfile="Archive $count.tar.gz"
    done
fi
# COPYFILE_DISABLE stops tar from adding the ._* AppleDouble files; -h follows
# symlinks, -z gzips, and the arguments are reduced to their basenames.
COPYFILE_DISABLE=true /usr/bin/tar -chzf "$Tarfile" "${@##*/}"

Page generated Jul. 22nd, 2017 08:40 am
Powered by Dreamwidth Studios